Philip Noah wrote:

When the user runs SAP, the SAP system will "connect" with the Active Directory server to verify the user ID and password.

...and...

I'm only doing the requirements so please don't ask me for the "How-Tos" of it.

This, is not a good omen... 🙂

I thought I might get a broader audience here.  Too broad it seems.

I asked the mods to move it, but for the moment see SAP Note 1694357 -> it can create a big mess because of all the places where the user name is stored.

So it will be a bit like a year end closing in SU01: workflows, approvals, variants, batchjobs, infotype 0105, hardcoded names in programs, transport ownership, master data fields declared as "sensitive" for double-verifications, validations, check tables, org. structure, personalizations, etc... depending on how much of these applications you use which have the user name as a hardwired attribute to using the application.

There is also no way to "bend" the ABAP stack login modules to ask for an AD password. You can only use the local password (which will have to be new) or the SCN API for SSO or trust chains (such as login tickets) from upstream SAP systems.

I can strongly recommend that you get yourself some consulting help for it from someone experienced. SAP has a team specialized in "Landscape optimization" (search for that term or check service.sap.com/slo) which include this as a service. But they will first want to take a look at the systems in the landscape before they commit to anything, as the size of the construction site can vary significantly.

I have also done it once. I can't say that it is fun, but it is very challenging and interesting.

If I had to do it again, then I would not assume that XUBNAME is the only data element to use for verifying user names in custom program check tables and IF SY-UNAME is not the only syntax to compare the logged on user ID to the ZUSER field. Lesson learnt is that you cannot rely on documentation or consistent coding - you must think a lot and do a few dry runs.

Good luck!

Julius

I suspect that Drew wants to head toward unique identities for users (and possibly other identity types in the landscapes), but needs to fix the legacy problems first.

Generally it makes sense to fix design problems and some processes first (eg Roles...), before you implement them in IDM. Otherwise you just pass the buck on to IDM and experience the same problems / complexity there.

I cannot honestly recommend customers to use IDM to map user naming problems to identities. It is best to fix the problem and define data sources for IDM as identities (AD), and then only attributes from HR etc to enrich the business roles.

IMO it is best to first clean / simplify / harmonize the data for IDM, then implement IDM.

Cheers,

Julius

Well, here we are at the crux of the problem where I am currently.  I won't bore you with that so...

No, I would not look to change existing users.  I would say let them stay until the are turned over by attrition.  New users coming in would use their EmpID.  AD and HR would be the 'systems of record', enhancing each other and have the other systems controlled by an IDM using the HR/AD tandem as its source.

Clearly, we have more to do than change a user ID. The overall design needs to be addressed first.  Without clean data to rely on, any change will just carry over the original issues as pointed out by Julius.

I also agree with Martin, despite what our functional teams say, users will get used to numbers instead of alpha IDs.

Thank you both for your replies.