SAP IDM AD Group Mapping to SAP Business Roles

Feb 02, 2017 at 03:35 AM

Hi,

We are implementing SAP IDM 8.0 SP3. Our requirement is to integrate AD with IDM and use the AD groups as the starting point for SAP access. We will have users in certain AD groups and would like to map the AD groups to the SAP business roles in IDM and provision to the SAP backend based on the AD group membership.

I am successfully able to read the AD users and groups into IDM and am also able to provision to the SAP backend and do stand-alone role assignment from IDM. But my provisioning doesn't work when I map the AD group to an SAP business role. Please let me know if there is a way around this to make the SAP role provisioning work using the AD groups and mapping.

Hello Pavan,

Normally, business roles are the starting point for provisioning privileges in IDM (AD groups are also privileges for IDM), and not the other way around.

The only possibility that comes to mind is via dynamic groups, but if you have a lot of AD groups then this will become a bit messy.

This would mean:

member in AD group > member in dyn. group > member in business role > member in SAP role.

I don't know of a way to just go

member in AD group > member in business role > member in SAP role.

About how many AD groups are we talking here?

Regards,

Steffi.

Thanks Steffi. I am looking at about 250 AD Groups.

I did see a similar question posed on the forum, and the solution proposed was to change the AD import job to write the roles instead of groups, but I am not sure how to make that change. I am new to SAP IDM and not sure if I am doing anything wrong, but I thought this is a common scenario of reading AD groups into IDM and provisioning to SAP ECC based on a mapping between AD group and SAP role.

Any insight into this will be of great help.

Thanks,

Pavan

If you look at that import job, the "to identity store" pass and its "destination" tab, you will see that it is set there so that the AD groups are created as privileges (in the header you select the entry type). Business roles would be "MX_ROLE".

You can create a second job and change the destination tab to create roles instead (filter it down to one AD group to test it) and see if this gets you somewhere.

We don't use that kind of scenario (provisioning privileges on the basis of membership in AD groups), but the other way around: adding/deleting users from AD groups on the basis of them having certain SAP accounts. But IDM already has all that information (because SAP accounts are created via IDM).

We have a scenario, though, that creates dynamic groups and business roles based on the organisation management structure. Org units are read in every night from our HR system, and there is a job running every hour that creates a dyn. group and a business role for every org unit and joins them (so that the dyn. groups fill the members of the business role), and from there we can use this.

Maybe you can twist this a bit and, instead of reading from HR, read from AD, but the rest stays. Meaning: create a job that auto-creates the dynamic groups and business roles for you (we use the org unit number as part of the name for both, because that way changing the name of the org unit does not result in renaming the dyn. group and business role). The source tab would just look for every AD group of a certain kind (your ~250 groups probably have something in common to filter on).

That would save you a lot of trouble maintaining this later on, when more AD groups are added or some are changed.

I know this sounds pretty complicated, but our creation job has only 5 passes:

  • 1 for creating new dyn. groups
  • 1 for deleting obsolete ones
  • 1 for creating new business roles
  • 1 for deleting obsolete ones
  • 1 for recalculating all dyn. groups

The definitions of those passes are pretty straightforward if you have a look at the attributes of roles and dyn. groups, and not very complicated (speaking from a few years of IDM experience, though). The hardest thing will most likely be thinking up the filter of the dyn. group (the SQL query to find the members of a certain AD group and whatever else you want to filter it down by).

You already have the job that reads the AD groups and their members into IDM, so that part is done (of course, you need to update those groups; I don't know if that is already happening).

Another thing… with IDM in place and the AD groups already in IDM, have you thought about maintaining the AD groups (or at least those that are used for the SAP provisioning) through IDM itself? Then you would not need a job to update the AD groups (load them from AD).

Regards,

Steffi.

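A worked example of the dynamic group filter Steffi describes, added here and not part of her post or of any SAP-delivered content. It assumes the AD group has already been imported as an MX_PRIVILEGE by the AD import job, that the IDM 8.0 database view idmv_value_basic (columns mskey, attrname, avalue) is available and stores reference attributes the way the comments state, and that the imported privilege is named PRIV:AD:SAP_FI_USERS; all three are assumptions to check against your own schema and naming before use.

```sql
-- Added example (not from the thread): SQL filter for one auto-created
-- dynamic group. A dynamic group filter must return the MSKEYs of the
-- entries that are to be members; here that is every person holding the
-- privilege the AD import created for a single AD group.
--
-- Assumptions (verify against your IDM 8.0 database):
--   * idmv_value_basic exposes one row per attribute value with the
--     columns mskey, attrname, avalue;
--   * for reference attributes such as MXREF_MX_PRIVILEGE, avalue holds
--     the MSKEY of the referenced entry as text;
--   * the imported AD group privilege has the MSKEYVALUE
--     'PRIV:AD:SAP_FI_USERS' (constructed name; adjust to whatever your
--     import job writes).
SELECT DISTINCT member.mskey
FROM   idmv_value_basic member
WHERE  member.attrname = 'MXREF_MX_PRIVILEGE'
  AND  member.avalue IN (
         -- resolve the privilege's MSKEY from its MSKEYVALUE
         SELECT CAST(priv.mskey AS VARCHAR(20))
         FROM   idmv_value_basic priv
         WHERE  priv.attrname = 'MSKEYVALUE'
           AND  priv.avalue   = 'PRIV:AD:SAP_FI_USERS'
       )
```

The creation job Steffi outlines would write this statement into each dynamic group it generates, substituting that group's privilege name. Run it by hand in the database first and compare the row count with the AD group's member count before switching the recalculation pass on. Note the maintenance point she makes about org unit numbers: if your import derives the privilege name from the group DN, a renamed AD group produces a new privilege and the filter has to follow it, so a stable identifier (for example the group's objectGUID, if your import stores it) is the better key.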
Thanks Steffi, I will need to digest the whole message yet, but I wanted to get some clarification on the note below:

"Another thing… with IDM in place and the AD groups already in IDM, have you thought about maintaining the AD groups (or at least those that are used for the SAP provisioning) through IDM itself? Then you would not need a job to update the AD groups (load them from AD)."

Could you please elaborate on what you mean by maintaining the AD groups through IDM itself?

Thanks,

Pavan

I thought so after my wall of text. ^^

Well, I mean adding users to and deleting users from those AD groups. You know, instead of doing that in AD directly. Normally you install an IDM to start maintaining accounts (be it SAP, AD or portal, for example) through it. AD group memberships can also be provisioned via IDM.

I was able to modify the passes in the AD import job to write groups and also roles. But I need further assistance. Please let me know if I can get the AD user assigned to these roles as well as groups, as currently the roles don't show any assignments but the groups do show the user assignment. And next, I am not sure if I need to map an SAP business role to the AD role. Could you please explain the next steps, if you don't mind? I am kind of stuck on this and not able to move forward. If this doesn't work then I will have to pursue a different route as you mentioned before, but I want to exhaust this option.

Thanks,

Pavan

Sorry for the delay. I am trying to write the AD groups to IDM as roles with user membership as in the AD groups. I have modified the import job as per the screenshots below, but I see that the AD groups are flowing into IDM as roles and don't see any user assignment to the roles. Not sure if I am missing anything.

My Import Job Passes

The custom Passes For Roles

1 Answer

C Kumar Feb 06, 2017 at 08:46 AM
Hello Pavan,

Could you please also share the screenshot of the Source of the WriteUserToRoleAssignments pass?

Regards,

C kumar

Added the screenshot for the source. I just copied the existing pass for user assignment to group and changed the destination.

Hi Pavan,

1. Please run the same query in the database and check whether it is returning any results. If no records are returned, then the tables which are populated at the time of user & group creation need to be checked.

2. Kindly use alias names for the selected columns, pass these alias names in the destination pass and try it.

Regards,

DP

Hello Pavan,

I just checked the source of the WriteUserToGroupAssignments pass and found that it has the query below:

    SELECT sap%$rep.$NAME%user.userid,
           sap%$rep.$NAME%groupAssign.refid
    FROM   sap%$rep.$NAME%groupAssign
           INNER JOIN sap%$rep.$NAME%user
                   ON lower(sap%$rep.$NAME%groupAssign.groupAssignments) = lower(sap%$rep.$NAME%user.dn)
                  AND lower(sap%$rep.$NAME%user.dn) NOT LIKE '%cn=deleted%'
                  AND lower(sap%$rep.$NAME%groupAssign.refid) NOT LIKE '%cn=deleted%'

While you have changed the query and are using sap%$rep.$NAME%group.cn instead of sap%$rep.$NAME%groupAssign.refid. Whenever you are making any changes to the query, ensure that the query is working fine and returning the appropriate result.

Note - the sap%$rep.$NAME%group table contains all the group names which have been imported from AD to SAP IDM. It doesn't contain the assignment information.

Regards,

C Kumar

The reason for the difference is that I am using the package from SAP RDS. The query you mentioned is from the SAP package. I have verified and they are different. Also, I just wanted to clarify that I don't get any errors and I am seeing the user assignment for groups and privileges but not roles. Please let me know if anything.

Thanks,

Pavan

Ok, did you run your query in the database and verify whether it's returning the proper userid and corresponding group cn?

If this is fine then I would recommend using MX_PERSON as the entry type in the Destination tab and then try assigning the role to the person using the attribute MXREF_MX_ROLE.

Regards,

Ckumar

As part of this import:

AD groups -> write to IDM as roles -> respective roles are now in IDM

Assign users to roles based on AD group membership -> they are in failed state in IDM

So I see that the users are getting read from AD based on group membership, but they are in failed state when assigning to roles.

Any insight on how to fix the failed assignments?

Thanks,

Pavan

Hello Pavan,

As shared in my previous comment, please use MX_PERSON as the entry type in the Destination tab of the WriteUserToRoleAssignments pass and then try assigning the role to the person using the attribute MXREF_MX_ROLE. It should work.

Regards,

C Kumar

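An added worked example, not code from the thread or from the SAP or RDS packages: a source query for the copied WriteUserToRoleAssignments pass that follows DP's advice (column aliases) and returns the two values C Kumar asks to verify, userid and group cn, plus the check a practitioner would run before wiring the pass up. It reuses the staging-table and column names visible in the query C Kumar quoted; the dn column on the group table, the %userid%/%groupcn% placeholders and the ROLE:AD: naming mentioned in the note afterwards are assumptions.

```sql
-- Added example (not from the thread): source query for the copied
-- WriteUserToRoleAssignments pass. One row per (user, AD group) membership,
-- with aliases the destination tab can reference as %userid% and %groupcn%.
--
-- Table and column names follow the staging-table query quoted in the
-- thread (sap%$rep.$NAME%user.userid/dn,
-- sap%$rep.$NAME%groupAssign.groupAssignments/refid, sap%$rep.$NAME%group.cn).
-- Assumed: sap%$rep.$NAME%group also has a dn column holding the group DN,
-- so that refid can be joined to it. Check this in your RDS package.
SELECT u.userid AS userid,
       g.cn     AS groupcn
FROM   sap%$rep.$NAME%groupAssign ga
       INNER JOIN sap%$rep.$NAME%user u
               ON lower(ga.groupAssignments) = lower(u.dn)
       INNER JOIN sap%$rep.$NAME%group g
               ON lower(ga.refid) = lower(g.dn)
WHERE  lower(u.dn)     NOT LIKE '%cn=deleted%'
  AND  lower(ga.refid) NOT LIKE '%cn=deleted%'

-- Check to run by hand before the job: memberships whose group DN has no
-- row in the group table. The inner join above drops these silently, so a
-- non-empty result means the group import is incomplete or the DN casing
-- differs, not that the assignment pass is broken.
SELECT ga.refid, COUNT(*) AS members
FROM   sap%$rep.$NAME%groupAssign ga
WHERE  lower(ga.refid) NOT LIKE '%cn=deleted%'
  AND  NOT EXISTS (SELECT 1
                   FROM   sap%$rep.$NAME%group g
                   WHERE  lower(g.dn) = lower(ga.refid))
GROUP  BY ga.refid
```

Run both statements in the database first, as DP and C Kumar suggest, and confirm the first one returns a userid and a group cn for a membership you can see in AD. In the destination tab, with the entry type set to MX_PERSON as C Kumar recommends, MSKEYVALUE would be filled from %userid% and MXREF_MX_ROLE from the identifier the role-creating pass wrote for that group (for example ROLE:AD:%groupcn%, an assumed naming). The string built here and the MSKEYVALUE written by the role pass must be identical, including prefix and case: if they differ, IDM has no entry to link to and the assignment cannot resolve.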