Quantcast
Channel: SCN : Discussion List - SAP Identity Management
Viewing all 1754 articles
Browse latest View live

Attribute Mapping in IDM 7.1

December 22, 2015, 4:15 am
$
0
0

Hi All,

 

We have a requirement in our current IDM 7.1 set up, where we have to pupulate the User group Field (User Group for Authorization Checks) of users through IDM.

 

I couldn't find any attribute mapping between IDM and ABAP for this particular User group (for authorizatin check).

 

So, I created a custom attribute in IDM, but am not sure what is the corresponding attribute name for this SAP Field.

 

I tried with usergroup, group etc, but it is not working.

 

The other User group (Groups/User Group Assignments) provided by SAP (which is not relevant for authorization check) is mapped as usergroups and IDM attribute for this is MX_USER_CATEGORY.

 

But am not getting any information on User Group for Authorization Check.

 

Any idea???

 

 

Thanks

Aditi

Search

Create new MX_PERSON identity using Rest API

December 22, 2015, 12:57 pm
$
0
0

Hello Experts,

 

We are using a customized UI for SAP IDM 7.2 and we are using REst API V2. We have an approval workflow for creating new identities.

 

Currently how we are creating the new identities is described below.

 

When the new identity page is loaded , then the user who is submitting request to create new identity mskey is considered and his mx_person related attributes and values are retrieved and stored in a old data model and the new user values will be stored in another data model.

 

 

When request is submitted, the new data model values would be replacing with the old data model values using updateRestData method in which we are calling psot method again.

 

updateRESTData = function(task, MsKey, sendData, fnSucces, fnError) {

  var that = this;

 

  

  that.oDataModel.oHeaders["Cache-Control"] = "no-store,no-cache";

 

  that.oDataModel.oHeaders["Content-Type"] = "application/json";

  that.oDataModel.oHeaders["X-HTTP-Method"] = "MERGE";

 

  this.postRESTData(task, MsKey, sendData, fnSucces, fnError);

};

 

I heard that REST API v2 doesn't allow to create new entries. Can you kindly please help me is there any other way to create new identities using PUT

instead of update.

 

Regards,

DP

IDM Logon Access denied, service is down

December 24, 2015, 12:33 am
$
0
0

Hello All,

 

I have an issue with IDM Server , below error message attached

 

IDM Logon Access denied, service is down

 

OS: Windows server 2000

 

DB: SQL server 2008

 

SAP Versions : NW7.4

 

As per the SAP standard document i have configured IDM server, when i was trying to access below URL

 

http:<localhost>:50001/idm

 

Captureggg.PNG

 

 

 

 

Thanks,

Rahul Yedapally

IDM 8.0 and GRC integration - AC Validation not executed

October 16, 2015, 3:00 am
$
0
0

Hello Experts,

 

8.0.0-ORA-2014-11-28

 

Anyone have successfully integrated IDM 8.0 and GRC10?

 

I have performed initial load from one ABAP system

Configured VDS to GRC template (Web services were activated) and tested successfully.

then, ran GRC commons and centralized scenario load jobs.

 

GRC10 repository type has below validate tasks (no custom changes done in grc10 package)

 

Capture.PNG

 

Issue 1: UI is not working and we have raised an Incident with SAP already. So I tried to assign a privilege to user using a job. I see no AC Validation task triggered (nothing in job log or provisioning queue). Hence there was nothing in VDS side too. I checked the role in database and was in pending status (MCEXECSTATE as 512). After sometime, privs are in failed status (MCEXECSTATE as 4)

 

Is it a known issue for 8.0? Not sure why AC validation task is getting triggered. Anything else I should check?

 

The issue seems to be closely related to below note however it is valid for 7.2 SP9 and I can see WAIT_TASKID and WAIT_AUDITID in IDS schema.

 

1994592 - GRC 10.0 PF V2: Issues with execution of AC Validation due to missing attributes

 

 

Issue 2: I see AC_Validation_Add process as type "Add Member Process". Is it correct? I was in assumption this should be "Validate add process"

Capture.PNG

If I change Validate add to some other task e.g. AC_Validation_Risk_Analysis_Only_Add, I couldn't select back to AC_Validation_Add.

 

Kind regards,

Jai

IDM 8.0 Identity Management Database not updated properly

March 20, 2015, 1:07 am
$
0
0

Hi,

 

Yesterday I upgraded successfully my SAP IDM 7.2 instance to 8.0.

After configuring SSL for Eclipse I recieve the error message on Login: Identity Management Database not updated properly

 

Before this message I got the Error message on the idmdevstudio Java Application:


ErrorCode: 0, ErrorMessage: The SELECT permission was denied on the object 'mc_dbschema', database 'mxmc_db', schema 'dbo'.
OpenSQLExceptionCategories: [], CausedBy: 0


I changed the select rights on this table to public (for testcases) and it "worked"

 

I re-run the mxmc_update.cmd script with no success.

The first time I ran the script all Identity Stores where updated successfully (status code 0).

There is the RDS kit installed from 7.2

 

It's a Windows Server 2012 with SQL Server 2012, I installed all on the same machine.

 

I ran the update script with user mxmc_oper and the db connection on netweaver is configured with mxmc_prov.

 

Any Ideas how to debug?

Or any Ideas how to fix?

 

Thanks, Patrick

IDM Job Monitoring by third party tools

December 28, 2015, 9:33 am
$
0
0

Hello,

 

Seasons Greeting and a Happy New Year to everyone!

 

Our current client uses Ctrl-M as a job monitoring tool for all SAP application systems. They would like include monitoring status of IDM jobs through Ctrl-M so that any failures can be observed and communicated by their NOC as per their SLA's.

 

I've not seen any support of tools being able to monitor IDM jobs, perhaps through agents deployed on IDM servers.

 

Does anyone know of any tools that can currently monitor IDM jobs?

 

If such a tool is not available at present, then is there any other way perhaps to achieve this -- just thinking out of the box -- say export the Job Log table to an external location at intervals to a file that can be read by existing tools?

 

Thank you much.

 

Best regards,

 

Ashok Azhagiri

Service Pack Level for IDM 7.2

April 16, 2015, 11:30 pm
$
0
0


Dear All,

 

I have installed a IdM 7.2 in a windows server. I am creating a document for our organization. I came across of a question on how will I able to know what SP Level does my IdM is. I tried searching and checking in the Identity Center > About Identity Center I was able to see System Info. But once I click the System Info button I am receiving an error "System Information is Unavailable at this time".

 

I also checked already in the usr files of the installation but wasnt able to see any logs in the files.

 

Does anyone know any other steps on how to check SP Level?

 

Thank you in advance.

 

Regards,

Santi

List of Role Members?

January 1, 2016, 3:11 pm
$
0
0

Hi Folks, wishing you all the best in 2016!

 

I have what should be a simple question and I think my vacationing mind is just missing the obvious.

 

I can query idmv_link_ext_active and get a list of groups and  privs, but I cannot seem to get a list of Roles.  Does anyone have a query for this?

 

Thanks!

Matt

Search

GRC WS API Call for RiskAnalysis error

January 4, 2016, 3:21 am
$
0
0

Hello Experts,

 

Happy new year 2016.

 

New year, new problems. I'm still struggling my way thru to integrate SAP IDM 8.0 and SAP GRC.

As of now, I have followed steps as per config guide. When I assign a privilege in UI, "Perform Risk Analysis" task is executed but runs into attached error.

 

putNextEntry failed storingcn=IDMTEST01,ou=riskanalysis,o=grc

Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC RiskAnalysis:1:Exception in GRC WS API call:(500)SRT)]; remaining name 'cn=IDMTEST01,ou=riskanalysis,o=grc'

 

Capture.PNG

 

Please point me at right direction to resolve this issue.

 

Kind regards,

Jai

Multiple values for MX_ADMIN_UNIT added to a user

January 5, 2016, 7:54 am
$
0
0

Hello All,

 

First of all best wishes for 2016 :-)

 

We recently have upgraded our IDM to the 8 SP1 version and are running on an Oracle database.

 

While doing some maintenance I've noticed an issue in my user database and more specifically with the MX_ADMIN_UNIT attribute.

Some user mskey's have for some reason which I have not been able to find, several MX_ADMIN_UNIT entries added to their user.

MultipleMXADMINUNIT_01.jpgMultipleMXADMINUNIT_1.jpg

 

The MX_ADMIN_UNIT entries assigned to the same mskey's have the same "VALKEY" but a different "VALLOCAL" .

MultipleMXADMINUNIT_2.jpg

 

This results in errors when trying to modify the usergroup in the UI (Could not execute task Change Identity for entry Enny Bostijn) and also when trying to create the users in ABAP systems.

There are only a small amount of users impacted till now but it is necessary to find out how to clean the entries.

MultipleMXADMINUNIT_3.jpg

 

Can anyone give me some help on this?

 

Thanks a lot,

 

Laurent

Notification on creation issue

January 6, 2016, 1:30 am
$
0
0

Hello experts and best wishes for this new year

 

We're facing an issue on IDM 8.0 and we'd realy appreciate some help on it.


Our workflow is as follow:

 

- a BR is assigned to a user

- After approvals, the request is send to GRC

- if there is no risk, privileges are provisioned to the target application.

 

In standard, notification for account creation are send to the user before the check in GRC. For some reasons, if privileges are not approved in GRC the notification is still send even though the user has no role in the target application.

 

What my customer wants is to have this notification at the end of the workflow, once the first privilege is provisioned.

the problem is that I receive several emails if several privileges are provisioned in parallel (one per privilege).

 

Is there a solution in order to send only one email?

 

Thanks a lot,

 

Clotilde

Issue with IDM Developer Studio

January 6, 2016, 1:35 am
$
0
0

Hi,

 

We are in the middle of IDM 8.0 SP00 upgrade with successfully logged into the Developer Studio. But post upgrade the job folder has been moved to a defunct and unwanted Identity Store and inorder to re-align things up when I check-out and check-in relevant default package created out of upgrade, it throws an error as Check-in failed.

 

Logs from NW -

java.lang.NullPointerException: while trying to invoke the method java.lang.String.trim() of a null object loaded from local variable 'value'

at com.sap.idm.packagetransport.impl.IntegrityCheck.verifyPackageConstants(IntegrityCheck.java:533)

at com.sap.idm.packagetransport.impl.IntegrityCheck.verifyPackageIntegrity(IntegrityCheck.java:126)

at com.sap.idm.packagetransport.impl.Export.writePackages(Export.java:100)

at com.sap.idm.packagetransport.impl.Export.execute(Export.java:66)

at com.sap.idm.packagetransport.impl.Main.export(Main.java:85)

at com.sap.idm.packagetransport.impl.Main.unlockPackage(Main.java:734)

at com.sap.idm.ic.common.dao.PackageDaoImpl.unlock(PackageDaoImpl.java:281)

at com.sap.idm.ic.backgrountasks.adapters.PackageTransportAdapter.doAction(PackageTransportAdapter.java:167)

at com.sap.idm.ic.backgrountasks.TaskExecutorAdapter.run(TaskExecutorAdapter.java:132)

at java.lang.Thread.run(Thread.java:763)

 

Regards,

IDM 8 sp1 prov/deprov/modify has stopped working

January 7, 2016, 6:57 am
$
0
0

Hi Folks,

 

 

Strange behavior! The base install of IDM 8 completed successfully and went through the basic CRUD operations including Pwd reset. Everything worked as expected. Began configuration and testing some jobs. At some point actions from the UI -- pwd reset, enable/disable, role assignment, etc.stopped triggering. The role assignment goes into pending state, no approvals or anything has been configured to block this workflow. Everything worked earlier.

 

 

My investigations found the following -- has anyone seen this and how can I fix this:

 

Capture.JPG

 

It appears the script linked to the plugin jobs are "disabled" -- I say this based on the strike across the icon. I find this across all the plug-ins and as they all use same global "sap_core_executeplugin" script I suspect none of the workflows moves forward.

 

The script tab of the provisioning package lists all the global scripts including this script and it looks fine. The provisioning package has never been checked out.

 

First is how do I get this script link enabled.

 

Second is how did the link get disabled in the first place -- root cause.

 

Thanks much.

 

Regards,

Ashok Azhagiri

How to implement wait for execution of ordered task in sap idm 7.2

January 7, 2016, 5:19 am
$
0
0

Hello experts,

 

Is there any possibility in sap idm 7.2, for an ordered task to wait until one complete cycle (group of tasks included under ordered task) is executed it shouldn't run any other tasks with in the same ordered task.

 

For example consider an ordered task under which 3 tasks are grouped. According to my scenario, until all these 3 tasks are executed completely the ordered task should be executed or process another entry. is this possible?

 

Does the wait for event tasks check box is gonna help for this scenario?

 

 

Regards,

Deva

SAP IDM 7.2, GRC 10, with Business role

January 10, 2016, 11:45 pm
$
0
0

Hello together

 

I am new at this community and i hope someone can help me...

 

We want to implement the grc framework in our idm system (7.2 SP08). All tasks are done (Guide 7.2 revision 8, vds, test connection vds to grc system, implement grc10 framework, import service jobs (centralized), create repository, initial loads)

 

We have create some business roles and added privileges to them (some privileges where grc attributes are set from the initial loads).

 

Now we want to test the functionality between the idm and the grc system (AC Validation - Risk Analysis Only -Step Prepare AC Request). But this step fails with the message:

Error

Missing mandatory parameters


The Script in this Step is called: "sap_grc10_prepareRiskCheckExe"

 

We have added some uWarnings in the script to check, which input is missing. Now we see, that the Parameter "pendingMsKeysAndPrivilegeMsKeys" has no value.  The other thing, that we see is, that the script gets the mskey from the business-role, not from the privilege into it.

 

does someone out has the same problem or has an idea what we do wrong?

 

thank you for your help,

best regards,

Remo

 

Message was edited by: Remo Etter SOLVED: we added the false name of the repository to parameter mx_repository_validate. we added the right name of the repository to the parameter mx_repository_validate and now it works....

Search

GRC to IDM integration : Request creation from GRC

January 13, 2016, 3:21 am
$
0
0

Hi IDM Gurus,

 

Thank you so much for your valuable time sharing your experience during diverse implementations.

 

Please help me in the SAP GRC to SAP IDM integration where we want the Access request creation from GRC UI.

Upon approvals in SAP GRC,the GRC should provision to the target SAP ERP and

SAP IDM should provision to non-ERP systems like AD and Exchange etc.

 

The flow looks like -

1. Create request in SAP GRC.

2. Workflow approvals in SAP GRC.

3. Provisioning to SAP ERP.

4. Request to IDM for Non ERP.

5. Provisioning to non erp systems.

 

Please let me know the sequence of steps to achieve this flow.

 

Peter

MSAD OU Load

January 13, 2016, 8:49 am
$
0
0

Hello, I´ve executed the initial load job for MSAD connector. Now, we need load another specific OU. Could we execute again the initial load job changing the starting point repository parameter? Do we need disable what passes?

 

Thanks

IDM 8.0 and GRC integration - AC Validation not executed

October 16, 2015, 3:00 am
$
0
0

Hello Experts,

 

8.0.0-ORA-2014-11-28

 

Anyone have successfully integrated IDM 8.0 and GRC10?

 

I have performed initial load from one ABAP system

Configured VDS to GRC template (Web services were activated) and tested successfully.

then, ran GRC commons and centralized scenario load jobs.

 

GRC10 repository type has below validate tasks (no custom changes done in grc10 package)

 

Capture.PNG

 

Issue 1: UI is not working and we have raised an Incident with SAP already. So I tried to assign a privilege to user using a job. I see no AC Validation task triggered (nothing in job log or provisioning queue). Hence there was nothing in VDS side too. I checked the role in database and was in pending status (MCEXECSTATE as 512). After sometime, privs are in failed status (MCEXECSTATE as 4)

 

Is it a known issue for 8.0? Not sure why AC validation task is getting triggered. Anything else I should check?

 

The issue seems to be closely related to below note however it is valid for 7.2 SP9 and I can see WAIT_TASKID and WAIT_AUDITID in IDS schema.

 

1994592 - GRC 10.0 PF V2: Issues with execution of AC Validation due to missing attributes

 

 

Issue 2: I see AC_Validation_Add process as type "Add Member Process". Is it correct? I was in assumption this should be "Validate add process"

Capture.PNG

If I change Validate add to some other task e.g. AC_Validation_Risk_Analysis_Only_Add, I couldn't select back to AC_Validation_Add.

 

Kind regards,

Jai

VDS

January 14, 2016, 8:15 am

Link to IDM 8 class

January 14, 2016, 8:34 pm
$
0
0

Hi all,

 

Can anyone share the IDM 8 class information, which posted here weeks ago?

 

it looks SCN only show one month discussions only.

 

regard,

 

dongsu

Viewing all 1754 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>