Former Member

"Reconciliation" concept in SAP NW IdM 7.2

Hi everyone!

Can anyone suggest a best-practice for doing reconciliation with SAP NW IdM 7.2?

When reading the Release Notes from SAP NW IdM 7.2 SP07 / SP08, I saw that the reconciliation job-templates are now obsolete. This leads me to the question: how should I do it then? Reconciliation, as SAP defines it now, is just setting a "dirty" flag when a privilege or a role was not provisioned correctly, for whatever reasons.

But what about reconciling attributes?

For example:

I have a MS AD repository. If someone changes an attribute on an AD-User, for which the AD repository is a leading system (master), for example the email-address, what would you do to reconcile this change?

So, what is the basic concept to detect and update changed "master"-attributes from a repository?

Thanks,

Raphael

5 Answers

  • Best Answer
    Former Member
    Nov 08, 2013 at 04:30 AM

    There are any number of ways of doing this - it also depends on whether you want it immediately fixed or just reported.

    Essentially, you need to schedule an import and then compare things with the ID store.  If the ID store is different, you can trigger a sync to IDM (or an export to the system if it's not authoritative for that data).

    In terms of accomplishing this? SQL / scripts of various flavours will do some or all of the work.

    Similarly, you can write the issues to a file and then email that file to an administrator to resolve.

    Of course, you can just use the import to update the authoritative attributes no matter what so reconciliation isn't really necessary.

    Peter

  • Former Member
    Nov 08, 2013 at 06:55 AM

    Hi Raphael,

    If your requirement is till just reporting, you can make use of the reconciliation job templates. I have done this and you can find more details on generating reconciliation reports in my blog.

    http://scn.sap.com/community/netweaver-idm/blog/2013/09/09/reconciliation-reports-in-sap-idm

    If it is for fixing immediately, as Peter suggested, you have to develop logic to import the data from the target to an IDM temporary table, do a comparison with the identity store data and fix it immediately.

    You can achieve this with a To identity store pass, where in the source tab you have to write a query which will compare the data in the temporary table with the identity store and pick the records which are different, and the destination tab will have the identity store attributes.

    Thanks,

    Krishna.

  • Former Member
    Nov 08, 2013 at 10:12 AM

    Hi Raphael,

    The reconciliation job that has been retired is the internal user-role/privilege assignment reconciliation job. This has been moved into the housekeeping function on the dispatcher(s).

    As a quick recap, this (and the job before it) only deals with structure changes such as a privilege being assigned to a role with many members. When that happens all the members of the affected role are marked "dirty" and a reconciliation of the users is needed to recalculate the hierarchy/inheritance of them. The same happens when removing a privilege from a role.

    Br,

    Per Christian

  • Former Member
    Nov 11, 2013 at 08:30 AM

    Thanks for your helpful answers!

    I guess I have to develop something on my own then..

  • Former Member
    Nov 26, 2013 at 08:05 PM

    Hi Raphael,

    from my point of view, the SAP reconciliation concept for target systems in 7.1 causes severe headache, especially when you have to figure out why some situations are not recognized. This is caused by the delta mechanism.

    From my point of view, a real straight-forward approach is to load data from

    1) IDM

    2) target system

    into two tables with the same structure. Then you can do a real easy and fast comparison of the two tables and calculate the required reports and actions.

    Please let me know if you know some additional hints.

    best regards

    Matthias

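The two-table comparison described in the answers above (Krishna's temporary-table query and Matthias's same-structure tables), as an added example that is not part of the thread and is not SAP's own code. The table names `idm_snapshot` and `target_snapshot`, the `TARGET_MASTER_ATTRS` set, the action labels and the sample rows are all assumptions constructed for illustration, and SQLite stands in for the IdM database.

```python
import sqlite3

# Assumption: attributes for which the target system (e.g. AD) is the master.
TARGET_MASTER_ATTRS = {"mail"}

# Constructed sample snapshots: (account, attribute, value).
IDM_ROWS = [("jdoe", "mail", "jdoe@example.com"), ("jdoe", "department", "Finance"),
            ("asmith", "mail", "asmith@example.com"), ("asmith", "department", "IT")]
TARGET_ROWS = [("jdoe", "mail", "john.doe@example.com"), ("jdoe", "department", "Finance"),
               ("asmith", "mail", "asmith@example.com"), ("asmith", "department", "Sales"),
               ("bnew", "mail", "bnew@example.com")]

# Rows that differ, plus rows present on only one side (hypothetical table names).
DIFF_SQL = """
SELECT t.account, t.attr, i.value, t.value
  FROM target_snapshot t
  LEFT JOIN idm_snapshot i ON i.account = t.account AND i.attr = t.attr
 WHERE i.value IS NOT t.value
UNION ALL
SELECT i.account, i.attr, i.value, NULL
  FROM idm_snapshot i
  LEFT JOIN target_snapshot t ON t.account = i.account AND t.attr = i.attr
 WHERE t.account IS NULL
 ORDER BY 1, 2
"""

def load(conn, table, rows):
    conn.execute(f"CREATE TABLE {table} (account TEXT, attr TEXT, value TEXT, "
                 "PRIMARY KEY (account, attr))")
    conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)

def reconcile(idm_rows, target_rows):
    """Return (account, attr, idm_value, target_value, action) for each mismatch."""
    conn = sqlite3.connect(":memory:")
    load(conn, "idm_snapshot", idm_rows)
    load(conn, "target_snapshot", target_rows)
    findings = []
    for account, attr, idm_value, target_value in conn.execute(DIFF_SQL):
        if idm_value is None or target_value is None:
            action = "report"            # missing on one side: leave to an administrator
        elif attr in TARGET_MASTER_ATTRS:
            action = "sync_to_idm"       # target is authoritative, update the ID store
        else:
            action = "export_to_target"  # IdM is authoritative, push the value back
        findings.append((account, attr, idm_value, target_value, action))
    conn.close()
    return findings

if __name__ == "__main__":
    for finding in reconcile(IDM_ROWS, TARGET_ROWS):
        print(finding)
```

Because both snapshots are full loads rather than deltas, a change made directly in the target system shows up on the next run regardless of when it happened.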