
SAP IDM AD Group Mapping to SAP Business Roles

Hi,

We are implementing SAP IDM 8.0 sp3. Our requirement is to integrate AD with IDM and use the AD groups as the starting point for SAP access. We will have users in certain AD groups and would like to map the AD groups to the SAP Business roles in IDM and provision to the SAP backend based on the AD group membership.

I am successfully able to read the AD users and groups into IDM and am also able to provision to the SAP backend and do standalone role assignment from IDM. But my provisioning doesn't work when I map the AD group to the SAP business role. Please let me know if there is a way around this to make the SAP role provisioning work using the AD groups and mapping.


  • I don't know the next steps, because I don't know what you want to achieve. ;)

    If you look at your destination tab of the pass, where you create the groups, don't you have an attribute there, that adds the members to it?

    You could share a screenshot for us to look at, that may be easier. Also of your pass for the roles.

  • Sorry for the delay. I am trying to write the AD groups to IDM as roles with user membership as the AD groups. I have modified the Import Job as per the screenshots below, but I see that the AD groups are flowing into IDM as roles and don't see any user assignment to the roles. Not sure if I am missing anything.

    My Import Job Passes

    The custom Passes For Roles

  • Where does the "userid" come from in the second pass? Can you show us the source tab? Does the log of that pass show errors or anything at all after the job ran?


1 Answer

  • Feb 06, 2017 at 08:46 AM

    Hello Pavan,

    Could you please also share the screenshot of Source of the WruteUserToRoleAssignments pass?

    Regards,

    C kumar


    • Tried that and still the same issue. The assignment is in failed state with No Assigned status. I do see that it's reading the group membership to assign the respective role to the users, but it's "Failed".

      Thanks,

      Pavan