Channel: SCN : Discussion List - SAP Identity Management

Looking for specific technical documents on connectors


Hi there,

 

I'm new to SAP IdM and I'm trying to find some documentation which specifically describes how each connector available from SAP works, configures, maps data, etc. I think such information should be around but I can't find it so far.

 

Thanks in advance for your help.


Installing IdM 7.2 sp9 and connectivity with Success Factor


Hello Experts,

 

Looking forward to connect IdM 7.2 sp9 with Success Factor as Data Source System.

Since by default there's no connector available in this version,  looking for information about setting up a new connector as to establish the connection.

 

Advice would be much appreciated.

 

 

 

-thanks

Yogesh

IDM 7.2 - GRC integration: APPROVAL_OPERATION_RESULT missing when processing request in IDM


Dear Gurus,

 

I'm currently despairing of the GRC Provisioning Framework 2 for IDM 7.2 SP9, Patch 11. We're using the centralized provisioning Scenario with AC Validation and AC Polling with the Standard GRC Provisioning Framework 2 and GRC 10.1. This is how the slightly modified provisioning framework looks like:

GRC10_PF 2.jpg

 

I just added the Action Tasks "Debug: Context" (1 & 2) which are just throwing out the context variables for the pending value object.

 

The process itself works fine:

1. Privilege assignment in IDM, Task "AC Validation" is triggered

2. AC request is sent to GRC: no Errors, request created in GRC, request is approved in GRC

3. Polling starts: Task "AC Polling" reads request Status on GRC system

4. IDM receives Response: AC request is approved in GRC, IDM gets "OK" and starts the Task "Ordered Group"

5. Request Details are fetched from GRC

6. Custom Task "Debug: Context" (2) is executed and throws out following context variables and attributes:

- GRCSTATUS

- GRCROLEIDLIST

- MX_AC_RESULT of the PVO

Context_Variables2.jpg

7. Task "Process Request Details Result" is executed. Execution Log throws out following error (yellow frame):

Exec_Log_error1.jpg

8. Despite the error, Task "Await Validation" is triggered and custom Task "Copy of Debug: Context" (1) is executed. When throwing out the context variables, GRCSTATUS and GRCROLEIDLIST no longer exist:

Context_Variables1.jpg

9. Task "Process AC Result" is executed. Execution Log throws out following error (yellow frame):

Exec_Log_error2.jpg

 

10. Privilege assignment is set to "failed" in IDM.

 

What bothers me here is that actually everything works fine. IDM gets a Response from GRC, even the context variables are created properly. Nevertheless, I always get an error at Step 7 (Process Request Details Result). This error is only visible in the execution log. Neither in the VDS operations log nor in the IDM Job Log I can see it. Since Step 7 uses a Java Library Method (com.sap.idm.grc.ac.polling.ExtACProcRequestDetailsResult.exec) I cannot - or rather I don't know how - to check what happens when this error occurs.

Also an odd Thing: When throwing out the context variables in step 6, I receive the GRCSTATUS context variable. When throwing it out in step 8, it is gone.

 

Does anybody know what exactly is happening here or how to solve this issue? Why is the APPROVAL_OPERATION_RESULT missing when it's clearly there in step 6?

 

Thanks for help,

Christina

Dispatcher log - Interrupted due to Invalid Semaphore


Hi Experts,

 

Need your help in understanding one of the errors in dispatcher logs.

 

Our dispatcher logs are filled with this error "Interrupted due to invalid semaphore". Now we would like to know if anyone else has got this error and if they have resolved it. Our dispatchers are working fine so it's not a show stopper. I found a thread on this where Chris suggested to check if there is another dispatcher with the same name.

 

"MxDispatcher - EVAL LINKS - Interrupted due to invalid semaphore"

 

I checked it and we don't have two dispatchers with the same name; however, we have two runtimes, one for Windows and one for Java, for each dispatcher.

 

Capture.PNG

 

Is that causing the issue? Any info would be helpful.

 

 

Kind regards,

Jaisuryan

Execute PowerShell Scripts via SAP NetWeaver Identity Management


Hello,

 

Has anyone implemented the execution of a PowerShell script from SAP NetWeaver Identity Management (7.1, 7.2, 8.0?).  Currently implementing 8.0, and our client is looking to kick off PowerShell scripts that would generate Active Directory accounts, Exchange accounts etc.

 

Thanks!

Release Date for IdM 7.2 SP10?


In Nov. 2014, the PAM (Click Here) had the IdM 7.2 SP10 release date Q1 2015.  Today, SAP doesn't offer any window on when IdM 7.2 SP10 will be released.

 

Our plans were to install IdM 7.2 SP100 with NW AS Java 7.4 in our development environment by now.  Per SAP note 2036858, we must update to SP9 or SP10 before upgrading to IdM 8.0.  Unfortunately, we are on an earlier patch version on IdM 7.2 SP8 right now.

 

Questions:

1. When will 7.2 SP10 be released? We are wanting to go with SP10 if SAP will be releasing it soon to stay on the latest version for SAP support reasons.

 

2. NW AS Java 7.4 will only work with SP10?  Has anyone attempted it with SP9? We are wanting to move to NW AS Java 7.4 as all of our other SAP systems are on this version of NW AS Java version.

Updating the SAP IDM Provisioning Framework


Hi Laurent,

 

I know this has been posted and answered for some time but reading the documentation on how to upgrade the provisioning framework is not really clear to me what will happen and I am hoping you have the experience now to help me (importing the SAP Provisioning Framework.mcc file).

 

Reading the documentation it sounds like the whole provisioning framework from SAP should have been disabled and renamed during implementation but all I have done is use the SAP framework and put the custom tasks in a different folder.


In the identity center I have the provisioning framework folder and underneath I have custom tasks, core and connector folders.  Do you know if I import the new .mcc file will it overwrite my custom tasks folder and effectively delete it?

 

Many thanks,

Andy

Rest API v1 Getting Error 400 bad Request


Hi,

 

We have a very strange problem. We are using a custom JAVA WebDynpro UI for doing our approval workflows, and are making an upgrade from NW Version 7.0 to 7.31 (finally). We have upgraded the DEV System without any troubles; everything works fine with NW 7.31.

 

In the PROD IDM we have this scenario:

We have a Sandbox NW UI that was now upgraded to 7.31 and the PROD UI which still runs on 7.0. Both UIs have the PROD IDM DB linked.

There are several approval steps with a custom Request Object in our workflows.

Some approval steps work without any problems with the 7.31 UI, but in some steps we get the Error 400 bad request from the REST Interface.

When I approve the same approval with the 7.0 UI it works fine. We also debugged the REST Call, which is sent to the rest service and can't find any differences, it looks like this:

http://<hostsbx>/idmrest/v72alpha/approvals/1568881/entries/545283/tasks/101870?APPROVED=TRUE which does not work

and

http://<hostprd>/idmrest/v72alpha/approvals/1568881/entries/545283/tasks/101870?APPROVED=TRUE which does work

There are other tasks which work with both UIs.

What else could we check?

 

BR,

Andreas


External event handler services randomly stop for no apparent reason


On Netweaver IdM 7.1, I set up a couple of simple event agents to detect file changes in order to execute an IdM job.  These work perfectly, just as expected, except that the services randomly stop on the server on their own.  I've had our Basis people investigate and they cannot determine a root cause. 

 

We have tried to configure the services so that they would restart themselves automatically when they go down, but this has not been successful.  I've never had any issues with dispatcher services, which are set up in much the same way.  Has anyone tried to use these "file change" event handler services and had similar issues?

 

Thanks,

Keith

SNC String Disappear



Hi All,

 

Currently I am facing a strange issue with SNC string in SU01 record.

 

2 jobs are scheduled as per below:

1) RSUSR300 - to update SNC name for users where it is blank

2) IDM Initial load job (scheduled to run after RSUSR300)

 

Whenever a new user is created, RSUSR300 job will update SNC name for the user.

However IDM initial load job is run later and removes SNC name for user.

IDM initial load job removes SNC only for newly created user (existing users - no change)

 

We are not able to figure out why the SNC string is overwritten by IDM job.

We have also disabled parameter for SNC name and SNC flag in all "Read user" and "Write user" passes in our Initial load job.

 

With SNC string overwritten by Initial Load job and making it blank causes us to manually update SNC name everyday 4 times a day.

 

Any suggestions on rectifying this issue?

 

Thanks & Regards,

V!

IDM 8 Project Planning


Hi specialists,

 

I have been a long time reader but this is my first reach out for some advice, so if I am not following the correct rules please be patient.

 

At the moment I am writing a design document for IDM 8 in an existing SAP landscape but have two questions that I cannot find clarity on in the documentation available:

 

1) With respect to an IDM landscape I was under the impression that a two tier landscape would be appropriate in a similar way to Solution Manager is used.  The proposal I was going to make was to use the development box as both a development and test environment using two identity stores (development and test) and to duplicate the repositories.  What I cannot understand is how the user interface would behave with this proposal as there would be just one UI for both identity stores?  What is the SAP best practice and what is your experience?

 

2) Using HCM integration means that HCM is likely to be the leading system for identity creation, with ECC initial loads run second to create system privileges.  This approach will result in all existing identities being assigned system privileges that would have to be manually migrated to the new business role design in IDM.  How have you approached this task, is it worthwhile not doing the initial loads in existing landscapes and simply assigning new business roles to replace the existing privilege assignments?

 

Thanks,

Andy

Constant JCO_CLIENT_PASSWD blocked to fill


Hello All,

 

I'm setting up SAP IDM 8.0 connecting systems and I've noted that the constant to fill the password is blocked for any system type (see the picture below). I'm just getting in connecting systems this way:

 

1- Create a new system.

2- Export

3- Fill the constant password (Notepad)

4- Import the csv file.

 

Is this correct or is there an error here?

 

Thanks for helping!!!

3.jpg

SAP IDM 8 -- Internal Error: Something went wrong


Not what you want to see when logging in.

 

Based on Todor's mention, I've bypassed SSL on my IDM 8 setup.  However when I login, I get this message:

 

I've checked the login that I used, and first it seemed that I had set a non-productive password, so I reset it and tried again.  Still failed.  I then verified that I had the correct password by logging into the UME with these credentials.  No problem there.

something went wrong.jpg

Here's my com.sap.idm.dev-studio-userinterface.prefs file

CLIENT_LOG_LEVEL=Info

EMSCONFIG=<?xml version\="1.0" encoding\="UTF-8" standalone\="no"?>\r\n<mx\:EMS xmlns\:mx\="http\://www.maxware.com/EMS">\r\n<mx\:EMSDEFS>\r\n<mx\:EMSDB Name\="LocalTest2008">\r\n<ConnectionString/>\r\n<AppServerIp>localhost</AppServerIp>\r\n<AppServerPort>50001</AppServerPort>\r\n<AppName>idmdevstudio</AppName>\r\n<DbAlias>jdbc/IDM_DataSource_DevStudio</DbAlias>\r\n</mx\:EMSDB>\r\n<mx\:EMSDB Name\="Test">\r\n<ConnectionString/>\r\n<AppServerIp>localhost</AppServerIp>\r\n<AppServerPort>50000</AppServerPort>\r\n<AppName>idmdevstudio</AppName>\r\n<DbAlias>jdbc/IDM_DataSource_DevStudio</DbAlias>\r\n</mx\:EMSDB>\r\n</mx\:EMSDEFS>\r\n</mx\:EMS>\r\n

ENABLE_PACKAGE_DIFF=true

ENABLE_PACKAGE_DIFF_JQUERY_LIB=C\:\\jQuery\\jquery-1.11.2.min.js

ENABLE_PACKAGE_VIEW=true

GET_GUID_FUNCTION=true

RESET_LOG_ON_RESTART=true

IS_HTTPS=false

eclipse.preferences.version=1

 

Any ideas on this?

 

Thanks,

Matt

Don't update SAP IDM 8.0 Eclipse Plugin to 8.0.8


Hi Friends,

 

I found that SAP IDM 8.0 Eclipse Plugin update 8.0.8 is not working and is not able to connect with IDM servers after updating.

So I have downgraded it to 8.0.6 and now it's working fine.

 

 

If anyone knows the solution to this error, then I'll update it to 8.0.8.

error8.8.JPG

 

Regards,

Mohinder

Failed AD privileges


Hi Experts,

 

Presently I am working on SAP IDM 7.2 SP9. Need your help to fix one issue.

 

In my current project there are so many users whose AD privileges status is failed due to a CN/DN issue while their accounts already exist in AD.

 

Is there any way to find all those users whose AD privileges status is failed in IDM? All these privileges are assigned under the IDM Attribute MXREF_MX_PRIVILEGE.


Could you please share the steps to fix this issue? I cannot delete those AD accounts as they are already in use.


Thanks in Advance


Regards,

C Kumar


SAP NW IdM - Terminate Identity


Hello Gurus,

We are implementing a process for identity termination. SAP security team wants the Id to be deleted from the system as part of the process whereas other applications have requested for removal of groups, change in status etc. The Id termination should be approved by line manager as first level approver.

 

We are using an action task with "To Identity Store" pass to remove the PRIV:<REPOSITORY>:ONLY privilege for the SAP Id to delete the account from SAP repository.

 

We need your advice for:

- Is the implementation approach for deletion of SAP ids correct?

- How do we configure the approval task for this process, It seems that it cannot be an assignment approval task in this case.

- There is a task "SetABAPRole&ProfileforUser" in the SAP provisioning framework which is executed following the user deletion. This task fails because it is not able to locate the MSKEY after the user has been deleted. How do we control this task?

 

Your help in this regard is much appreciated.

 

Regards,

 

Subramaniam Iyer

Importing the Provisioning Framework IDM 8


Hi Folks,

 

I'm making good progress getting IDM 8 set up.  Things are finally authenticating and I'm in the UI now.

 

However when I go to load the PF, the file selection dialog is locked on MCC files and not Package files.  I can put *.* in to view the package files, but IDM won't take them.

Image 1.jpg

Anyone out there have a workaround?

IDM 7.2 SP8: Error: Operation not allowed on inactive entry


Hi Gurus

 

After a recent upgrade from IDM 7.2 SP4 to SP8 we have been faced with a big issue in our groups management logic. In our regular job, when we update members in a group which has inactive user(s) assigned, we now receive an error during the group update operation:

 

Exception from Modify operation:com.sap.idm.ic.ToPassException: ToIDStore.modEntry failed modifying entry 'GROUP:ADDRESSBOOK:314A33838A0A413CABC3F9AE1EFB62F1'. IDStore returned error message: " Operation not allowed on inactive entry:Attribute: MXMEMBER_MX_PERSON" when storing attribute 'MXMEMBER_MX_PERSON={d}63936'

 

It means if group has a reference to inactive user we cannot modify members of the group anymore due to the above error.

 

We assign members to a group in job using the {M} modifier on the MXMEMBER_MX_PERSON attribute. And we always assign only active users here. But the {M} modifier means that IDM tries to delete old group members (that are no longer members) before assigning new members. And in case if the group has any inactive user as a member it seems that IDM tries to remove this outdated reference at first, but it fails to do so with the above error, because this user is not active.

 

idm members.png

 

In general, as we see it, the new IDM 7.2 SP8 does not allow update operations on inactive users anymore. I'm just wondering if there are some configuration options in IDM SP8 that we can use to switch off this new validation check regarding inactive users?

 

 

Thanks a lot for your help!

Siarhei

SAP IDM 7.1 Role assignment issue


Hello IDM Experts,

 

I am facing one critical issue here. We have connected SAP GRC with SAP IDM for risk analysis and CUP approvals and then once the approvers have approved the requests, IDM assigns these approved roles to users in backend SAP Systems.

 

We are now facing issue here past 1-month. Before we never faced this issue.

 

The issue is when the Roles are approved from GRC-CUP AC 5.3, post the approvals, the IDM is pulling the data and some of the roles are not getting assigned in SAP Backend systems. In the 1st and 2nd attempt it is not getting assigned however sometimes in the 3rd attempt it is getting assigned. This kind of weird behavior we have come across first time.  Has anyone come across such issues before?

 

What could be the possible reason for the roles not getting assigned in SAP Backend system from IDM?

 

We checked everything right from dispatchers, connectors, workflow, SQL Logs, Job logs but we are unable to figure out the reason for this issue.

 

Do we need to restart the dispatcher or is there any issue with cache memory? 

 

Can anyone help here to resolve this High Priority issue?

 

Thanks in advance!

HANA user creation issue


Hi,

 

I had run Hana initial load successfully. When I try to create a user, it gives the below error

 

"SAP DBTech JDBC: [257] (at 29): sql syntax error: zero-length delimited identifier""": line 1 col 29 (at pos 29)

java.lang.Throwable: SAP DBTech JDBC: [257] (at 29): sql syntax error: zero-length delimited identifier""": line 1 col 29 (at pos 29)

"

Anybody has any idea how to fix it?

 

Thank you very much.
