
Unable to assign privilege from IDM to an ABAP SAP System connected to IDM

Hello Experts,

When I am trying to assign a privilege for an ABAP system, I am receiving an error message that the user already exists, and the privilege assignment is in failed status. When we verified the privileges assigned to the user, we found that the user does not have any privilege assigned related to that ABAP system. When we verified in that SAP ABAP system, we found that the particular privilege which we are trying to add was already assigned to the user a very long time ago. That privilege was not assigned through IDM.

We are unable to delete the privilege through IDM as the role is in failed status. We aren't given permission to delete the privilege directly from the SAP ABAP system.

How can we make the privilege's status OK and make sure that the privilege is assigned to the user?

Regards,

DP


3 Answers

  • Best Answer
    Former Member
    Jul 27, 2015 at 08:31 AM

    Hi Deva,

    If you are not able to retry the privilege from the UI, you can create a job for fixing such problems by using this functionality:

    but the privilege should be removed from the back-end system first.

    As well, you can create a custom script and set it in the tasks for assign membership/remove membership, and there you can call the script in case of error (job setting in the tests). So when you have an error in case of an already assigned/removed privilege, you can simply set the privilege state in IdM to OK (as in the back-end system the access is already there) - this will be a more permanent solution for all users (and you won't have to manually assign/remove the access).

    BR,

    Simona


    u1.png (43.5 kB)

    • Former Member Deva Prakash B

      Hi Deva,

      Yes, you can set them with bypass (you can directly read the user assignments from the ABAP system and set them in IdM with BYPASS), so you won't trigger the provisioning to the back-end system. Then, when the privileges are assigned in IdM, you can trigger de-provisioning and the roles will be removed from IdM & ABAP.

      BR,

      Simona

  • Jul 29, 2015 at 06:26 AM

    Hi Deva,

    Very strange. I checked our system now and I remember from previous instances as well that if the user exists and role assigned already in ABAP system, then IDM wouldn't throw any error. It would just set the status to OK. I know there is a problem with AD connector if user/assignment already exists.

    Which version are you on? Probably it is good to raise it with SAP. Also, please post the screenshot of your error job log if you still have it. Thanks.

    Kind regards,

    Jai


  • Former Member
    Jul 27, 2015 at 05:57 AM

    Hi Deva,

    If you already removed the privilege from the ABAP system, you can retry the assignment (from the UI - select the user in Modify mode and then you can retry it) and it should pass with no problems.

    BR Simona.
