Channel: SCN : Discussion List - SAP Identity Management

User Vs Role Mapping in 7.2


Hi everybody, I have a requirement to create an Excel file with all the users and the roles assigned to them in IDM 7.2.

I am using the query below to obtain the user and role information:

 

select my.mcThisMSKEY as UserMskey,
       my.mcThisMSKEYVALUE as UniqueIdOfUser,
       usr.mcDisplayName as DisplayNameOfUser,
       my.mcOtherMSKEY as RoleMskey,
       my.mcOtherMSKEYVALUE as UniqueIdOfRole,
       rle.mcDisplayName as DisplayNameOfRole
  from idmv_link_ext my, idmv_entry_simple usr, idmv_entry_simple rle
 where my.mcThisOcName = 'MX_PERSON'
   and my.mcOtherOcName = 'MX_ROLE'
   and my.mcAttrName = 'MXREF_MX_ROLE'
   and my.mcThisMSKEY = usr.mcMSKEY
   and my.mcOtherMSKEY = rle.mcMSKEY
 order by my.mcThisMSKEY

 

 

The query is working fine, but I am not sure what should be in the output, I mean ATTRIBUTE and VALUE in the destination tab of the "to ASCII pass". As a result, when I run the job it executes, but the output file is generated with just some ;; (almost 15000 lines).

I just need user IDs and Role Unique IDs or Role Names.


Any help would be appreciated.


No email triggered to Admin Mail id after a User Request is Failed


Hi Team,

 

We have a notification process when a User request is failed. We need to get a notification email to Admin ID.

 

We have maintained all notification at execute failed task in the configuration and maintained global constraint for debug email.

 

Please refer to the attachment.

 

Mail Notification Logs, Error Logs and IDM Logs attached.

 

Kindly help us in resolving the issue.

 

Regards

Chiranjeevi K

VDS Job timed out issue (IDM 8.0)


All Experts,

 

Where can I extend the "Perform Risk Analyst" job time out period? (This job is between VDS and GRC.)

It always timed out after 60 sec. I would like to extend the time since GRC checks the SOD job every 5 min. I updated the Dispatcher housekeeping time, but it didn't work.

Any idea? Thank you!

 


Audit log of configuration: History of Export/Import?


Hello Experts,

 

Due to audit requirements, our client requested that a log of all changes to the productive system be logged.

We have accomplished this by maintaining a manual log of changes, but this is not a satisfying solution for an audit.

 

We are currently doing all transports by using the MMC Import/Export function, so we do not have any record of the change beside the produced mmc file.

Is there any table where the history of such transports is stored? We would just need to have the date/time of the import and the name of the imported file.

 

We have thought of several other options, but each has its own weakness:

  • Using the Task/Job last changed date, we can only have the time of the last change. If the report is done monthly, we could miss a lot of changes. It is also quite difficult to separate the tasks, as all tasks in a hierarchy are marked as changed when importing.
  • Using the Version Control mechanism of IDM, we can have the history of changes. We have not checked if we can import a job that is checked in; if not, we should be able to use this. But we are concerned that this may cause issues during transport if a workflow is partially checked in, and this can only track changes on jobs, not tasks.
  • Using only full configuration transport. We can have the full history of when a transport was done, but no details on what exactly changed between versions. It would also require a huge change of our current transport workflow to avoid transporting unwanted changes to production and making sure each time that the transport is correct.

 

So, did any of you meet this requirement? If so, how did you fulfill it? What information can we use to produce a complete and accurate report of the changes and transports to the productive system, if possible without increasing the risk of errors during the transport?

 

Thanks,

Julien Garagnon

SAP IDM 8:0 on DB2: mc_job_getinfo returned error 0


Dear all,

 

we've encountered a strange problem with IDM 8.0 in DB2:

 

The modification task fails every time on the first switch (where it checks if a password has been changed) with the error "mc_job_getinfo returned error 0". Further examination reveals that this error can only be raised if the dispatcher thinks it is running on MS SQL (or Sybase for that matter) but never on DB2 (or Oracle).

 

Has somebody seen this error? What is wrong here? How can this be corrected? Is anybody else running IDM 8.0 on DB2?

 

Thanks,

Sietze Roorda

SAP IDM 8.0 process flow for provisioning access for users in SAP system


Hi All,

 

My company has taken the decision to see the provisioning options into the SAP system from SAP IDM 8.0, and I am working on a proof of concept for the same.

 

I have finished with the initial IDM configuration (i.e. packages import, Identity store setup, ABAP system configuration through IDM admin, running initial loads).

 

From now onward I am not sure how to proceed further so my IDM system can take the request from the data source (probably ADLDS) and provision (Create/Modify/Delete) users in the back-end SAP system.

 

I tried searching the SCN but have not found anything which explains the steps on how to define the process/jobs for achieving the same. I tried utilizing the standard processes for provisioning, but it is giving me Prepare provisioning !Error:TRIGGER_onFAIL while testing in Eclipse.

 

Any help with the basic document to explain the process is appreciated.

 

Thanks

 

Akhil Seth

Unable to Modify Assignment Validity of Existing Role


Hello Gurus,

 

I am trying to modify the Assignment Validity of an Existing Role (IDM 7.2 SP10, Oracle DB) with 2 non-overlapping validity periods and am getting the error below.

 

putNextEntry failed storing ABC12345

 

Exception from Add operation:com.sap.idm.ic.ToPassException: ToIDStore.addEntry failed storing entry 'ABC12345'. IDStore returned error message: "Entry already exists" when creating entry

 

Exception from Modify operation:com.sap.idm.ic.ToPassException: ToIDStore.modEntry failed modifying entry 'ABC12345'. IDStore returned error message: " Not allowed to change a current assignment to a future assignment:Attribute: MXREF_MX_ROLE" when storing attribute 'MXREF_MX_ROLE={LINKID=12345!!VALIDFROM=2016-07-01!!VALIDTO=9999-12-31}55555'


Here Role 55555 is assigned to the Identity ABC12345 with validity 01-01-2016 to 31-12-9999 with Link ID (mcUniqueID) =12345.

Now, I wanted to change the assignment validity as 01-01-2016 to 15-06-2016 and then again from 01-07-2016 to 31-12-9999 for the same role to the same user.


As per SAP documents, it seems that it is possible for new assignment.


Fedya Toslev: Please confirm whether it is valid for only role assignment or valid for existing role assignment validity modification too.


In my pass, I am passing the LINK ID too along with the Validity Period. I would appreciate it if anyone can suggest an alternate way to achieve this.


Regards,

C Kumar

sapjcorfc.dll 2.1.10 (2011-05-10) file required


Hi,

 

 

I require a sapjcorfc.dll 2.1.10 for my SAP JCo issue. I am unable to download this in the SAP Marketplace and have tried wherever possible to get the file but have been unable to get it. It is required immediately. Can you please help with this?


List of Users provisioned through IDM


Hi Team,

 

I need to extract a report of those users who have been provisioned from SAP IDM to different SAP backend systems. Can you please guide us on how we can extract the report?

 

Thank you in advance.

 

Regards

Chiranjeevi K

Role/Privilege Approval History - idmv_linkaudit_ext


After reading previous posts people have suggested that I use the above view to obtain approval history information and so far so good.

 

One of the things I am finding difficult is that there doesn't appear to be a uniqueid (or this may be my lack of understanding) to tie all of the different approval stages together from when a role was first requested by the user. For example, if a user requests the same role twice in one year and that role is made up of two privileges, then I want to be able to relate the approval history of the privileges back to the time each role request was submitted.

 

Can anyone suggest if this is possible either by using the above view or another?

IdM reporting tables


Hi,

 

We are looking to pull reports on Joiner/Leavers/Movers that are processed through IdM. I am currently able to get this information from the various tables in IdM, mxi_values, mxp audit, etc.

 

This reporting can get complicated if a user is processed as a Joiner -> Leaver -> Re-Hire (re-activation) -> Leaver etc. We are looking to report on each event, for example all the information when the user was processed as a Joiner in IdM 6 months ago, but some of this data may have changed if we run the report today. (e.g. manager/position/access may have changed since the user joined).

 

I am considering creating custom tables within IdM, whereby when a user is processed as a Joiner an entry is put in a Z_Joiner table; similarly, when a user is processed as a Leaver an entry is put in the Z_Leaver table, and if they are put through the leaver process multiple times they have multiple entries in the Z_Leaver table. The entries in these tables would not change over the user's lifecycle, so we can run a report at any time and report on the user's exact information and access at that time.

 

Is there any recommended way of handling reporting such as the above? Would there be any reason to "not" set up custom tables for reporting and only use the standard tables? The basis team in my company is reluctant to create custom tables such as these. Any help would be appreciated.

 

Thanks,

 

Sean

AS Java HTTPs Error opening socket: javax.net.ssl.SSLHandshakeException


In order to encrypt the communication between IDM and AS Java during the Initial load or any other jobs, you may want to use HTTPS instead of HTTP for a Java server. However, if you choose the HTTPS protocol, you may get an error in the Initial Load job. The error message looks like this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


The cert has been imported -> jre/lib/security


Has someone had similar problems?


Many, many thanks

Stefan

IDM 8 SP1 error retrieving Job Log in eclipse


Hello IDM Gurus,

 

We are currently running IDM 8 SP1 on an Oracle db and applied the latest patches to the different components.

 

After the install it is not possible to read the job log anymore from eclipse.

 


 

Other logs (execution, ...) are retrievable.

The job log is viewable in the admin UI without any errors.

 

I've been able to find a possible cause in the developer logs but I cannot find out where or how to solve this.

 

Error executing query

[EXCEPTION]

java.sql.SQLSyntaxErrorException: ORA-00904: "L"."JOBGUID": invalid identifier

 


 

Has anyone ever seen something like this and possibly has an idea how to solve it?

 

Thx a lot,

 

Laurent

Roles are automatically rejected before even reaching role owners inbox


Hi,

I am facing a weird issue.

In our landscape we have a 2-stage approval: 1. manager 2. one role owner

 

When we submit requests for roles, the requests flow to the manager's inbox for his approval, but soon after the manager approves the request (within approx. 4 mins, I have seen) the requests are automatically rejected. The role owners are not getting any request in their inbox.

This is happening for SOME of the business roles, but not all.

 

I have tried to remove the owners, re-add them, check if they have delegated things etc.

 

Any help would be highly appreciated.

IDM UI - ToDo-Tab: Internal Server Error after upgrading IDM 7.2 SP7->SP10


Hi,

 

we have upgraded our IDM 7.2 SP7 installation to SP10.

 

In general the IDM UI seems to work fine, but we are receiving an Internal Server Error on the "Todo-Tab" each time an approval is accepted or declined.

Has anybody experienced this problem too and can provide a solution?

 

 

BR,

Markus


repository n/a in job drop down list


Hi all,

 

Hopefully someone knows what to do. I have a job which should run for several repositories. I can add e.g. all productive SAP systems, also some QA systems, to this job. However, some repositories are not shown in the drop-down list. If I create a copy of the job, I can add the "missing" repositories, but others are missing again. Within the repository definition there are no differences between those I can add in job1 and those I cannot add.

 

Is there any limitation I do not know yet? Does the value help for the drop-down field not work properly?

 

Regards, Richard

Approved GRC Requests is not reflecting in IDM


Dear Guys,

 

We have integrated GRC 10.1 and IDM 7.2, we are encountering an error on the last part of the process which is kind of weird.

 

There is no actual error, but when we approve a request (this was initiated from IDM as well) in GRC, the status of that privilege in IDM is not reflecting in IDM, it still says "Pending".

 

We have done a scenario wherein we reject the role; surprisingly, it is reflecting in IDM.

 

We already checked the execution logs and we found no error relevant to the request. One thing we have noticed is that the last step of the Process AC Result pass is not being generated ("Written to PVO with mskey...") if the status of the GRC Request is approved, but being generated if we reject a request.

 

Hope someone can help us with this issue.

 

Thanks a lot!

 

BR,

Santi Obejero

Connect a web service (wsdl) over VDS with the IDM


Hello SAP IDM colleagues,

 

I've a great problem with my connection from a web service (wsdl) with the VDS.

I need the connection because I will send and receive user roles from the web service.

 

My first question is, can the VDS connect to a web service without smpl?

I tried it with all connectors in the VDS but it doesn't work.

But I'm not sure if I connect it right.

 

 

My second question is, is it the right way?

Can I connect a web service over VDS to IDM or must I go another way?

 

 

I don't know what I can do to solve my problem. In all documents which I found in the SAP Portal I didn't find an answer.

 

I hope someone can help me with my problem.

 

Best regards

Andreas

Rename an AS JAVA account via IDM 7.2


Hi everyone,

 

I have a need to change a user's MSKEYVALUE and then have that change reflected in downstream systems.

 

I can certainly set IDM to trigger the MODIFY workflow when an ACCOUNT attribute is updated, but the problem is passing the old and new ACCOUNT values.

 

Any thoughts/help on this would be appreciated.

 

Thanks,

Matt

IDM8.0 SQL Statement question


Hi SQL/IDM Experts,

 

What is the SQL statement for the following:

 

     1. All Historical Values Record for user

     2. All Entry Data for user

     3. All Assignment History for user

 

 


 

Thank you!!

 

Shunji
