Hi Experts,
A user has unexpectedly lost all her roles due to some background jobs which I donot know (since looking at a new ID store) .I do not wish to check each job logs since there are many, is there a way to view the records of assignments against her ID for a particular time frame which can lead me to the reason behind her losing the access in IDM?
Hello everyone,
I am a newbie and I am trying to install the SAP IDM 7.2 on windows server 2008 x64 and Oracle 11.2.0.4. The JVM and the oracle client are 64bit. All components are installed on the same server.
In the first step "adding an identity store", the oracle provider for OLE is missing from the list. I have been through many discussions regarding the 32/64-bit oracle client issue with the Identity store. Is there any hope to solve this issue without installing a 32-bit oracle client version?
Thank you
Basel
Hey guys, I need another set of eyes (or something)
I'm having some issues with the uDecrypt function from the Identity Store MX_ENCRYPTED_PASSWORD attribute. When I try to decrypt it (sending a notification to a manager that the new account and password that was requested is now available.
When I test the task, I get:
Error Exception initializing Triple DES:mjava.lang.Throwable: Non hex character found: '.' (-1) at offset 32
Warning User: 9BW00041 has been created!
Warning Encrypted: {DES3CBC}1:4a0681d708743198-22a1df873bbc71777fc66efae663863e.
Warning Password: null.
So you see, I am passing what appears to be a valid encrypted password.
Here's the script I'm using. As you will see it's a place holder for the eventual email notificaition:
// Main function: zPlaceholder
function zPlaceholder(Par){
var pwd = Par.get ("MX_ENCRYPTED_PASSWORD");
var password = uDecrypt(pwd);
uWarning (" User: " + Par.get ("MSKEYVALUE") + " has been created!");
uWarning ("Encrypted: " + pwd);
uWarning (" Password: " + password + ".");
uWarning ("This is not a notification =)");
}
It's just not that complicated, which is what's driving me batty.
Now just for grins, I created this script, which I ran in a job and it works PERFECTLY! (Again making me wonder about my sanity)
// Main function: test
function test(Par){
var test = "this is a test"
var encr = uEncrypt(test);
var decr = uDecrypt(encr);
uWarning ("test: " + test);
uWarning ("encr: " + encr);
uWarning ("decr: " + decr);
}
Both are running in "To Generic" passes. I'm using 7.2 SP9 P1, and the encryption option is set to DES/CBC.
Thanks!
Matt
Hello Guru,
We have IDM 7.2 SP9 on Oracle11.
We want to use IDM REST API v2 (http://host:port/idmrestapi/v2/service).
How external system can connect to IDM REST service without authentication (as anonymous or guest, as example)?
I can't find any documentation about how to use anonymous logon for Netweaver Java applications, only "Using Anonymous Logon to Access the Portal".
Could you please help me?
Best regards,
Natalia.
Hello,
we got
SAP NetWeaver Identity Management 7.2 SP9
IDENTITY CENTER DESIGNTIME 7.2 SP9 patch 7
IDENTITY CENTER RUNTIME 7.2 SP9 patch 5
VIRTUAL DIRECTORY SERVER 7.2 SP9 patch 3
In the admin UI I use register "Message Templates" I create and maintain message templates e.g. for approvals (Template Category: MX_APPROVALS).
And here I use HTML with stylesheets.
While I put following HTML code in
<tr style="vertical-align: top;">
<td>URL:</td>
<td>http://support.sap.com/swdc</td>
</tr>
the text starting with http:// including the next tag (here </td>) dissappears.
So following insufficient HTML code is left:
<tr style="vertical-align: top;">
<td>URL:</td>
<td>
</tr>
Similar if I try to add a reference to a link like
All other cases <a href="http://company.appl.net/Home?OpenPage">call COMPANY IT Service Desk</a> / open an incident at <a href="https://serviceportal.company.com/Services.aspx">COMPANY IT Service Desk Portal.</a>
all what is left after saving is:
All other cases <a href="">call COMPANY IT Service Desk</a> / open an incident at <a href="">COMPANY IT Service Desk Portal.</a>
Has anybody seen something similar?
Is there a workaround?
Isn't it supported that I put http:// or https:// to the HTML code of the message template?
with kind regards
Michael Schäfer
Hello Experts,
We have an web UI developed for the end users to request roles or request to create account in IDM 7.2.
the web application is built on sap UI 5. While navigating through web pages frequently we would be receiving navigation error message.
No contact with the server: could not get the REST data for
The above error message is defined in our rest api loader java script file idmrestloader.js.
var Path = "$expand=entry&timeStamp="+new Date().getTime();
this.doRESTGet(Path, fnSucces, fnError);
function(oError) {
Navigation.gotoErrorPage({error: "No contact with the server: could not get the REST data with: "+Path });
}
My question is why this error is appearing every time.
Is it because of the way we are passing the code.
var param = ["$select=ID,"+"value,name,displayname"+""+"JOB_ID,COMPANY_ID","$expand=OWNER"];
or like
var params = ["$select=ID,DISPLAYNAME,DESCRIPTION"];
Can some one kindly please help me?
Regards,
DP
Hi,
In the current IDM sizing tool we are using a formula to calculate the vCPUs, memory and disk.
While this approach gives a result, we are thinking to further improve it by using sizing empirical data - to enter the real life size configuration data from customer installations and map them to T-Shirt sizes.
I'm asking IDM consultants and experts who have field data to contribute to gather enough statistical data.
You can publish here or send to me:
- either simple set of [Number of identities, vCPUs, Memory, Disk, System Type (DB/Runtime,UI, VDS)]
- or extended one like the table bellow
| Variable | Description | Sample Figures |
| ANT | Average Number of action Tasks towards target systems (including the identity store).Typically 5. | 5 |
| APE | Audit per Entry. (Average Size in KB of the audit log for one user. The audit log includes information about tasks executed on the user. Typically 1 KB). | 1 |
| MKA | Months to Keep Audit | 100 |
| NCM | Number of Changes per Month | 10 000 000 |
| NIO | Peak Number of Operations per Hour on Identity Store | 1 000 |
| NOE | Number of Entries | 1 000 000 |
| NOR | Number of Revisions of historical user data | 5 |
| NOS | Number of Connected Systems | 75 |
| NPO | Peak Number of updates (per hour) to the identity store leading to Provisioning. Updates can come from the Identity Management User Interface, a job and an action task. | 280 |
| NPPE | Peak number of Entries to be Processed in Parallel (per hour).If one user is provisioned into two different systems, this counts as two operations.Note that this number does not take into account the time spent on the system being provisioned to. | 180 |
| SCE | Size of Content per Entry in MB. This number may vary depending on which attributes are stored on each entry. The number will be higher when including for instance pictures or other binary attributes. (MB) | 0.500 |
| TEPH | Peak Task Executions per Hour | 110 000 |
| SAPS | 100 SAPS is defined as the computing power to handle 2,000 fully business processed order line items per hour. In technical terms, this throughput is achieved by processing 6,000 dialog steps (screen changes), 2,000 postings per hour in the SD Benchmark, or 2,400 SAP transactions. | 46 200 |
Or from your experience with sizing IDM - anything you can share in this discussion.
Best wishes,
Fedya
Dear All,
I have SAP Identity Management 7.2 SP09 latest patch and I have observed the following issue:
When updating the validity dates of a Business Role (MXREF_MX_ROLE) with child back-end privileges, there are no events triggered to update the assignment in the back-end system.
I have set the Global Constant MX_PRIV_MODIFY_POLICY to 3 and have added MXREF_MX_PRIVILEGE and MXREF_MX_ROLE to the MX_MODIFYTASK_ATTR attribute and on the Repository I have added a task to the Modify validity task.
I see on the UI and in the database that the role including the privileges validity dates are changed but the system doesn't trigger any updates to update the assignment in the target system.
Any idea?
Regards,
Ridouan
Dear experts,
For integrating SAP IDM 7.2 SP09 to GRC 10.1 system, GRC initial Load Commons job throwing below error.
Can please help me to fix this issue.
Regards,
Jaya
Hi all
I'm new to sap , I'm uscing the SAP NetWeaver 2004s UME as ABAP for datasource, and testing create user via spml protocol from third part IDM platform. I followed the api link here : https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/668e6629-0701-0010-7ca0-994cb7dec5a3&overridelayout=true
I can create user with normal simple fields successfully, but cannot create user with role assigned.
the request is as below and the response show success, the user is created, but actually the role is not assigned.
<spml:addRequest xmlns:spml='urn:oasis:names:tc:SPML:1:0' xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' requestID='add-1423979403419'>
<spml:attributes>
<dsml:attr name='objectclass'>
<dsml:value>sapuser</dsml:value>
</dsml:attr>
<dsml:attr name='allassignedroles'>
<dsml:value>ROLE.UME_ROLE_PERSISTENCE.un:Everyone</dsml:value>
</dsml:attr>
<dsml:attr name='assignedroles'>
<dsml:value></dsml:value>
</dsml:attr>
<dsml:attr name='logonname'>
<dsml:value>Test126</dsml:value>
</dsml:attr>
<dsml:attr name='lastname'>
<dsml:value>Li</dsml:value>
</dsml:attr>
<dsml:attr name='firstname'>
<dsml:value>Test124</dsml:value>
</dsml:attr>
<dsml:attr name='password'>
<dsml:value>Abcd!234</dsml:value>
</dsml:attr>
</spml:attributes>
</spml:addRequest>
and I check the schema "SAPprincipals", didn't found the attribute "assignedroles" and "allassignedroles" fro sapuser objectclass
what do I need to do to assign user with role via spml calling from thirdpart IDM platform ?
Thanks.
Hello Experts,
We need your help in resolving below issue :
When we are trying to assign the GRC role in IDM UI, we are getting below error. Please find the scrrenshot.
Thanks
Lokesh
Hi Everyone,
There is a use case where I'm trying to modify one of the attributes for an entry in Idstore via VDS Extension Class.
I'm using the Class MICUtil and the following method MVDOperationResultto achieve this but so far have been unsuccessful:
MVDOperationResult modify(java.lang.String aDatabaseConnString, java.lang.String is_id, java.lang.String aID, java.lang.String aAttrValue, java.util.Vector aValues, boolean cacheConnections)
Modify entry in MIC Idstore
Parameters:
aDatabaseConnString - JDBC Connection string
is_id - Idstore ID
aID - attrname (and see below) of the entry to modify
aAttrValue - attrname to modify
aValues - Vector of MVDModAttrValues
cacheConnections - If true, cache the connection to the database
My code looks like the following where I set all the Parameters:
//Database, idstore casheconnection have already set
String Attribute = "Z_ATTRIBUTE"
Int setAttribute = 1;
String MSKEYVALUE = "TEST123"
Vector myVector = new Vector();
myVector.addElement(new Integer(setAttribute).toString());
MVDLogger.Debug("Updating Z_Attribute to : " + myVector.get(0));
MVDOperationResult resetcounter = MICUtil.modify(dsdatabase,idstore,MSKEYVALUE,Attribute,myVector, cacheconnection);
Does anyone know on how the Vector should look like for the method MVDOperationResult modify?
Or is there another way to modify an attribute for an entry in MIC Idstore via the extension class???
Any help would be appreciated.
Thank you,
KV
Hi there,
I have a requirement that as part of the deprovisioning process, to remove all AD Group memberships except for Domain Users.
Has anyone done this before? All of my attempts on this have failed.
Thanks,
Matt
Hello Experts,
SAP IDM 7.2 SP8.
I have query on event task being defined on SYSTEM PRIVILEGE (PRIV:SYSTEM:<REPO_NAME>).
I believe IDM should not trigger provisioning tasks(ex. HOOK TASK 4) due to removal or addition of SYSTEM privilege.
Only removal/addition of ACCOUNT PRIVILEGE (PRIV:<REPO_NAME>:ONLY) should
trigger of provisioning tasks which also remove/add of system privilege for the user as defined in provisioning framework.
So, How Event tasks should be defined for system privileges ?
I think it should be empty (NONE).
Below screenshots shows the current configuration being done for system privileges in my client's IDM system.
This results in trigger of HOOK TASK 4 when SYSTEM privilege is removed/added from the user which causes errors which I know happen because of defining event tasks on SYSTEM PRIVILEGES.
Your help is appreciated.
Thanks & Regards,
Pradeep
Hi All,
As per my design, IDM is sending user access request to GRC via webservice for provisioning to target system. Request is successfully logged in GRC and executed successfully as per defined GRC workflow. We are also able to see the user account in the target system after GRC provisioning. But IDM is showing role status FAILED. It is happening when approval of request in GRC is taking time. If I approve the request in GRC immediately then role status in IDM is showing OK. I think AC Poling....Read Status.... is doing something wrong due to late response from GRC.
Could you please tell me where (on which task) I have to increase retry count or execution time?
Thanks,
Dhiman Paul.
Hello experts,
I am new to idm.
How modify triggers can be removed/disabled for system privileges from each repository?
Regards,
Deva
Hi Experts,
Could you please guide me the simplest way of undeploying .EAR file as a part of implementing an extension framework on NWDS 7.3. I had found issues with code snippet after deploying and would like to roll back for changes and redeploy. And would also wish to know if there is any process of testing the program before deploying it?
Thanks
Rimesh
Hi Experts,
We are trying to use email templates, to trigger emails for role requests on Approval task as below.
As if we raised request to the role, It is triggering the Notification Task, executing the Log Notification task in Provisioning frame work, but not triggering Email, From notification switch task, it is going to Else statement as Unknown notification type instead of Email.
When I checked the table mxpv_audit_variables with the request audit id, no entry created.
Can please suggest how to fix this,
Many Thanks,
Jaya
Hello experts,
I would like to delete the reports generated by the jobs from the particular folder after certain amount of days the reports being created.
Kindly please help me on how to create a job which deletes the reports created 5 days ago from the folder.
Regards,
DP
Hi All,
One basic question is coming again and again due to overlapping features of SAP IDM and SAP GRC. Why SAP IDM is required when all most all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why customer can choose IDM when he already has GRC?
1. SAP IDM and GRC both can accomplish access request and provisioning.
2. SAP IDM and GRC both has capability of risk management.
Then why SAP IDM is required?
Thanks,
Dhiman Paul.