From SAP, ToSAP pass attributes...?

September 18, 2013, 9:06 pm

≫ Next: Well Done to our top contributors for 2012-2013 !

≪ Previous: Identity Center LDAP view through VDS, how to show assignments validity

Hello IDM peeps,

Just a quick question relating to an area that seems to have little if any documentation.....'Pass types' integrating with the abap back ends.

Essentially I am comfortable with the entire integration from SAP, via the IC and back to SAP....but only with attribute definitions that I can see in the standard ABAP Connectors, as I can then use these and modify the inputs to them any way I see fit via constants and scripts. Does anyone have or know of a comprehensive list of 'Attribute' values that are used in these passes? Any doco suggestions on this? Or alternatively an approach to determine an attribute value for an ABAP field definition?

For example:

The standard IDM pass; Provisioning Framework > Connectors > AS ABAP Tasks > CreateABAPUser

Within the 'Destination' tab of this pass you have defined values as per the screenshot attachment,

The values listed as 'Attribute' in this screenshot are what I am referring to.

For example, on creation of an abap user I am trying to create a 'User Group' value on the Logon Data tab in the abap system via SU01. I cannot find an applicable attribute to use for this. If I had the attribute this would be a doddle, but without it and/or the application processing the update I am flying blind.

There is a 'usergroups' attribute available in the ToSAP pass, though this is applicable to the user group in the 'Groups' tab of the user not the user group for authorisation above.

Any help in identifying either doco or a method of identifying all available attributes would be most appreciated.

Thanks in advance,

Andrew Whitebrook

↧

Well Done to our top contributors for 2012-2013 !

September 20, 2013, 2:39 am

Latest and popular articles on SAP ERP

≫ Next: Delta extraction. HRLDAP_PERNR is not filled when change infotype 2003

≪ Previous: From SAP, ToSAP pass attributes...?

Hi IdM Community,

in case you haven't seen the list of top contributors in SCN has recently been announced

http://scn.sap.com/community/about/blog/2013/09/20/announcing-the-scn-topic-leaders-2012-2013

. For IdM this was

SAP NetWeaver Identity Management (SAP IdM)

Matt Pollicove

Peter Wass

So big congrats to Matt and Peter for contributing so much to the IdM world in the last year :-) Just also a thanks to everyone else who also give their time and knowledge to the community. Without this fantastic resource I think our lives would be a little more more hectic !

Regards,

Chris

(IdM SCN space Moderator)

↧

Delta extraction. HRLDAP_PERNR is not filled when change infotype 2003

November 7, 2013, 3:22 pm

Latest and popular articles on SAP ERP

≫ Next: Pending request deletion

≪ Previous: Well Done to our top contributors for 2012-2013 !

Hello guru!

Could you please help me to solve issue with Delta extraction from HCM to IDM?

I have HCM (NW702, SAP_HRGXX and SAP_HRRXX version - 604-0049).

I want to use option "Delta download" for RPLDAP_EXTRACT_IDM.

I have activated BADI implementations:

BAdI HRPAD00INFTY implementation HR_LDAP_EXTRACT_PA

BAdI HRPAD00INFTYDB implementation HR_LDAP_EXTRACT_PA_ITF

BAdI HRBAS00INFTY implementation HR_LDAP_EXTRACT_PD

When I do any changes in infotype 0001, 0002 or 1000 or many others, report RPLDAP_EXTRACT_IDM with option "Delta download" works correct (entries added to table HRLDAP_PERNR and then can be uploaded to IDM).

But when I do changes in infotype 2003 (Substitutions), unfortutelly, changed personal numbers are not passed to HRLDAP_PERNR. Changes in IT2003 what I did: create, prolong or delete Substitution position or it's period (stard, end), I see all these changes in my query for extraction.

How can I say HCM system to check for IT2003 changes and add them to table HRLDAP_PERNR?

Thanks in advance,

Natalia.

↧

Pending request deletion

November 11, 2013, 5:21 am

Latest and popular articles on SAP ERP

≫ Next: Writing back infotype 0105 to SAP HCM (Cummunication IdM to HCM)

≪ Previous: Delta extraction. HRLDAP_PERNR is not filled when change infotype 2003

Hi All,

I need to delete all pending requests of a deleted user. I want to run a batch job to delete all pending requests of all deleted users (Status = "Active").

Can anyone tell me the query I need to write to fetch the pending requests of a user.

Thanks,

Dhiman Paul.

↧

Writing back infotype 0105 to SAP HCM (Cummunication IdM to HCM)

November 14, 2013, 6:13 am

Latest and popular articles on SAP ERP

≫ Next: After password is reset in windows user gets "MMC has detected an error in snap-in" when opening Identity Center MMC

≪ Previous: Pending request deletion

Hi everyone!

I could not find any information about communication between IdM and HCM (IdM to HCM) in this SAP Help page: http://help.sap.com/erp2005_ehp_04/helpdata/en/34/4d2339476f49bd8fb9769941c48250/content.htm

How is the mentioned BADI called from IdM? Over VDS, over HTTP, over RFC, via a HCM connector in IDM?

The otherway around (HCM to IdM) seems clear to me, this is better documented.

Thx,

Raphael

↧

After password is reset in windows user gets "MMC has detected an error in snap-in" when opening Identity Center MMC

November 13, 2013, 4:31 pm

Latest and popular articles on SAP ERP

≫ Next: SPML Error when doing initial load

≪ Previous: Writing back infotype 0105 to SAP HCM (Cummunication IdM to HCM)

After password is reset in windows user gets "MMC has detected an error in snap-in" when opening Identity Center MMC. Can someone help identify and fix this issue please.

↧

SPML Error when doing initial load

November 14, 2013, 1:40 pm

Latest and popular articles on SAP ERP

≫ Next: SAP IDM - ABAP User Creation

≪ Previous: After password is reset in windows user gets "MMC has detected an error in snap-in" when opening Identity Center MMC

Hi Folks,

I'm trying to do an initial load and I get the following error:

You do not have the permission to perform spml requests

Can you tell me what role needs to be added to the user so they can do this?

Thanks,

Matt

↧

SAP IDM - ABAP User Creation

April 28, 2013, 12:25 pm

Latest and popular articles on SAP ERP

≫ Next: How to skip tasks in a job which is of ordered group

≪ Previous: SPML Error when doing initial load

Experts ,

As part of AS ABAP IDM User - System integration , i am trying to create a new User in IDM by using "Create Identity" Task . When i do system executes job in following flow & got struck at this point.

System execute Provision Job 601 , execute TASK as mentioned above & stop .After this Step when i check DATABASE , i found that ACCOUNT<System ID> Attribute is created for the User . But PRIV:<rep>:ONLY is still in Pending Status . System is not showing up any error , but system is not trying to go to next step like " Update System Privilege (PRIV:SYSTEM:<rep> " or to fix Pending Value Object .

So post this step when we check DB for this user , it was identified that user has account Attribute assigned, but not Account Privilege or System Privilege . Experts can you please provide any guidance on this issue. I have set up repository as shown below :

Since Account Privilege is still in PENDING STATUS , i am not able to do Provisioning .

Please provide any inputs around this issue

Jerry George

↧

How to skip tasks in a job which is of ordered group

November 14, 2013, 5:42 am

Latest and popular articles on SAP ERP

≫ Next: Getting "NAME ALREADY BOUND EXCEPTION" while IDM is trying to recreate the user in AD

≪ Previous: SAP IDM - ABAP User Creation

Hi,

I have a job which is of ordered group. This has 10 tasks which will be executed in order.

I would like to include a new task which willl be the 1st task in this ordered group.

In this task i would like to include a condition, and based on this condition i have to execute remaining 10 tasks in ordered group otherwise i have to skip all the 10 tasks. But this task should not be a conditional task. it should be a provisioning task.

Please guide me to achieve this.

Thanks & Regards

C Kumar

↧

Getting "NAME ALREADY BOUND EXCEPTION" while IDM is trying to recreate the user in AD

November 10, 2013, 9:15 pm

Latest and popular articles on SAP ERP

≫ Next: Virtual directory server setup, not accessing LDAP data source

≪ Previous: How to skip tasks in a job which is of ordered group

Hi,

I pushed some users from AD to SAP IDM 7.2 and after few days i assigned a role to user which also contains privilege to create AD account.

As soon as i assigned the role it throw an error "NAME ALREADY BOUND EXCEPTION" in IDM and after that users data (mail ID and address) appeared in capital letter in IDM.

please help me what should i do to prevent this and what is the root cause of this issue. I have to assign that role to the user and i can't modify the role.

Thanks & Regards,

Chandan Kumar

↧

Virtual directory server setup, not accessing LDAP data source

November 15, 2013, 3:21 pm

Latest and popular articles on SAP ERP

≫ Next: Reconcilation error in IDM 7.2 SP8

≪ Previous: Getting "NAME ALREADY BOUND EXCEPTION" while IDM is trying to recreate the user in AD

Hello,

I've followed the instructions in the document below, to integrate SAP NetWeaver Identity Management's Virtual Directory Server (VDS) and User Management Engine (UME).

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00db1d7c-b03d-2e10-5a83-efe6ab99af5b?QuickLink=index&overridelayout=true&50843822930403

I have had success in configuring the VDS to connect with the Identity Center using the template mentioned. The VDS did display the tree values of the Identity Center as expected.

However, using JXplorer I wasn't able to successfully perform a search based on the instructions. I did make many changes to see if JXplorer needed some other inputs but no luck.

Even though I didn't successfully complete a search I continue with configuring the data source in the UME. I uploaded the template and configured the LDAP settings, and the connection test was successful.

The next step was to perform a search for users in the UME using the LDAP connection that was just setup. However, as you can see from the screenshot below I'm not given the option of choosing a data source and although it says 'All data sources' none of the LDAP user are returned in the search.

The help I'm hoping to get is to understand how to perform a search using JXplorer, and why I don't get an option to search for LDAP users in the UME?

Thanks, Paul

↧

Reconcilation error in IDM 7.2 SP8

November 13, 2013, 3:45 am

Latest and popular articles on SAP ERP

≫ Next: SAP IDM 7.2 - Role based request

≪ Previous: Virtual directory server setup, not accessing LDAP data source

Hello Guru!

I have IDM 7.2 SP8.

Global constant MX_RECONCILE = FALSE.

In Dispatcher log I see the following error:

procedure = "Reconcile dirty entries" with status = "Scheduled procedure record does not exist".

This error appeared every minute.

How can I find what is wrong with data, how to correct it and what job (?) is calling this procedure?

Please help me!

Best regards,

Natalia.

↧

SAP IDM 7.2 - Role based request

October 24, 2013, 2:01 am

Latest and popular articles on SAP ERP

≫ Next: IDM : Telephone/fax code for country code ZZ is not maintained

≪ Previous: Reconcilation error in IDM 7.2 SP8

Hi All,

I have implemented self service for role based add-on access. I have used guided task "Assignment Request". But user can submit a request even for an existing role. System should not allow user to submit if the requested role is already assigned to him/her.

Any thought how this can be implemented?

Regards,

Dhiman Paul.

↧

IDM : Telephone/fax code for country code ZZ is not maintained

November 19, 2013, 4:00 am

Latest and popular articles on SAP ERP

≫ Next: IDM - GRC Integration

≪ Previous: SAP IDM 7.2 - Role based request

Hello Guru,

I use IDM 7.2 SP8.

I have standart plug-in "UpdateABAPUser" which change many ABAPuser's attributes and one of them is

primaryPhone <--- %MX_PHONE_PRIMARY%

If this attribute is enabled and I run "UpdateABAPUser" plug-in, I got an error:

"Telephone/fax code for country code ZZ is not maintained".

I understand that I can add country ZZ in my ABAP System via

Go to SPRO > IMG > SAP Netviewer > General Setting > Set Countries > Country Code : Telephone

But my country name is Ukraine and code for it is "UA" and both this values are mainteined in SPRO in SAP system.

What I have to change in SAP IDM to use "UA" instead of "ZZ" for telephone numbers?

How can I find from where had I received this value "ZZ" into IDM?

Best regards,

Natalia.

↧

IDM - GRC Integration

November 19, 2013, 8:23 pm

Latest and popular articles on SAP ERP

≫ Next: "Oracle provider for OLE DB" missing in the Data Link Properties

≪ Previous: IDM : Telephone/fax code for country code ZZ is not maintained

Hi All,

My client is looking for IDM - GRC 10 integration. I have following workflows already setup in GRC 10 with proper approval stages and workflows are working fine.

Create User Account
Change User Account
Terminate User Account
Lock/Unlock User Account
Emergency User Access Request

Now if we integrate with IDM solution, first i will be activating the webservices in GRC and they would be used by IDM. My doubt is, whatever workflows working now in GRC will work the same way [Means workflows following all the stages and approvals defined as of now] even if the request gets initiated from IDM or Do i need to make any changes to existing worklfow scenarios in GRC for integrating with IDM.

GRC users will raise GRC request by selecting details from access request form and based on that it will go to available workflows. Will there be a mapping between IDM and AC fields so that requests go to the workflow scenarios already defined in GRC though request gets initiated from IDM.

InitiateRequest in IDM -> Passes Request Parameters to GRC Webservice -> GRC web service processes and sends back the response [Success/Failure]

Regards,

Madhu.

↧

"Oracle provider for OLE DB" missing in the Data Link Properties

June 27, 2013, 6:47 am

Latest and popular articles on SAP ERP

≫ Next: IDM 7.2 sp8 LDAP connector creating user in IDM with pernr instead of userid.

≪ Previous: IDM - GRC Integration

Hello Everyone,

I am a newbie and I am currently doing my first SAP NW Identity Management 7.2 installation. At the moment, I am at the phase where I need to do the initial configuration, but I am stuck at the first step of Identity Center configuration wizard. The reason is that I am missing "Oracle provider for OLE DB" in the Data Link Properties. I know there are several discussions on the topic, which I went through and I did all the suggestions but none of them worked for me. What I have so far is :

Oracle database software installed - Oracle 11g R2 Database 64x
JRE v6 update 34 - 64x
Oracle client - Oracle 11g R2 Client 64x
Environmental variables:
- JAVA_HOME
- PATH
- CLASSPATH to the jdbc driver in the oracle client folder : ojdbc6.jar
I have changed the Java options in the Identity Center Management Console to the java and jdbc driver specified above
Windows Server 2008 R2 64x

I read that Oracle Provider for OLE DB is included as part of the Oracle installation, this is why I searched for ojdbc.jar files in both installation folders for the client(\oracle_client64x) and the database(\oracle). I found several ojdbc5.jar, ojdbc6.jar,ojdbc14.jar, etc. I started changing the path to each of these jdbc drivers in the the Java options in the Identity Center Management Console and testing to see if "Oracle provider for OLE DB" will appear in the Data Link Properties. Unfortunately, none of the steps above worked and now I am clueless how to solve this, so I really need help. I will really appreciate any advice or hint or a solution for my problem.

↧

IDM 7.2 sp8 LDAP connector creating user in IDM with pernr instead of userid.

November 20, 2013, 10:14 am

Latest and popular articles on SAP ERP

≫ Next: Change recipients of workflow mails.

≪ Previous: "Oracle provider for OLE DB" missing in the Data Link Properties

I've followed the other instructions for configuration of the HCM staging area but I'm still getting errors/warnings and personnel number is being created as userid inside IDM instead of SYSUNAME. Below is my configuration from HCM to IDM:

The Data in HCM is in the Query and is being passed to the VDS. This is the employee record I’m testing with.

The data is being passed to the VDS:

The error I’m getting on the HCM Check for SYSUNAME of Employee – script stopped, normally caused by missing ID in IT0105 or personnel record delimited. My record has both.

If I disable the check for SYSUNAME task then the user is created but with pernr as the ID not the SYSUNAME:

Here are my settings for the two tasks:

Any help would be greatly appreciated.

Curtis

↧

Change recipients of workflow mails.

November 21, 2013, 5:18 am

Latest and popular articles on SAP ERP

≫ Next: How to configure VDS to send data to two database tables

≪ Previous: IDM 7.2 sp8 LDAP connector creating user in IDM with pernr instead of userid.

Dear Experts,

Since IDM 7.2 SP4 I think is the “Approval task” under the “Approval tab” adjustable.

I set up an Worklfow triggered by role assignment.

If the Worklfow is approved by the role owner, the “completed notification” message is sent to the user who got the role.

But I don’t want that in this case.

Instead the "completed notification" message should be sent to the employee's supervisor.

How can the recipient of the “completion message” be changed?

The same question I have with the “event started” mails.

PASSWORD_RESET; PASSWORD_CHANGED; CREATE_USER; MODIFY_USER; DELETE_USER; ASSIGN_USER; REVOKE_USER; ENABLE_USER; DISABLE_USER; ROLE_ASSIGNED; ROLE_REVOKED of the

the mails are sent for example if the password of the usere is changed.

The affecteduser gets the the mail.

How can another recipient be determined?

↧

How to configure VDS to send data to two database tables

November 20, 2013, 4:26 am

Latest and popular articles on SAP ERP

≫ Next: Management tasks have status "running"

≪ Previous: Change recipients of workflow mails.

Hello

I'm investigating a possibility for VDS server to redirect input requests (ADD/UPDATE/DELETE) to more than one data source. Basically I need to have a single LDAP virtual branch for the outside world which shall be mapped to multiple database tables in my database. Incoming LDAP request shall send data to two database tables instead of a single one as it's now. So finally I will have two database tables containing identical data.

Thank you a lot for your help!

Siarhei

↧