Former Member

Use another attribute than the MSKEYVALUE for WinLogin in IDM

Hello,

We have the following problem.

We would like to use the MSKEYVALUE (e.g. K12345) for SAP.

But for our AD (Active Directory) we would like to use the old WinAccount (e.g. Smith).

If I now try to provision the AD privilege with IDM to Active Directory, the result is WinAccount=MSKEYVALUE.
This is wrong; it should be: SAPLOGON=MSKEYVALUE and WINACCOUNT=oldWinAccount.


What can I do to solve my problem?

Thank you very much.

BR

Andreas

6 Answers

  • Oct 21, 2016 at 12:48 PM

    Hello Andreas,

    The username which is used to write to each system is stored in the ACCOUNT<repName> attribute.

    For the ACCOUNT<SAP system> you can set it to the same as the MSKEYVALUE.

    For the AD, the value has to be the Distinguished Name nevertheless, as this is how the AD provisioning works.

    Hint on the side:

    In IdM 7.1 there used to be a DN<repName> attribute as well. The ACCOUNT<repName> held the Windows samAccountName which can easily be used to read data in nightly jobs (including a script like z_ad_getMSKEYVALUEFromSamAccount). As I need this and think it's superior to the 7.2 mechanism I still use both of them. I use my own hook tasks (who doesn't?) and added the DN<repName> there as the first row.

    Best regards

    Dominik

  • Oct 21, 2016 at 12:50 PM

    Hi Andreas,

    If I understand you correctly, you would like to use the same value for MSKEYVALUE and Windows Logon, and your SAP LOGON?

    This is doable, but of course there is some planning involved :)

    If you want to update the user's logon attribute in AD, this would be the sAMAccountName attribute, which could be updated in batch via an IDM job using a To LDAP pass.

    To update the MSKEYVALUE, take a look at this blog, or search elsewhere on SCN, and Google. My link is from an older version of IDM, but it all still works.

    The big trick of course is the planning and coordination between multiple parts of your IT organization. Once you have the plan figured out, the technical parts should fall right into place.

    Let us know if you have any questions, as this is a fairly high level look at what needs to be done based on my understanding of your issue.

    Regards,

    Matt

  • Former Member
    Oct 24, 2016 at 06:01 AM

    Hello Matt, hello Dominik,

    Thank you for your answers.

    No, I would like to use the MSKEYVALUE (K123454) for SAP Logon.
    For Windows Logon it should not be the MSKEYVALUE but an attribute like "z_WinLogon".

    Am I right that I must change all MSKEYVALUE entries in the AD package to z_WinLogon?

    Or is it possible to set (for the AD package) the attribute z_WinLogin=MSKEYVALUE?

    If yes, how can I do this?

    By the way, in IDM we use the MSKEYVALUE (K123454).

    In the Pass "CreateADSUSER":

    Regards,

    Andreas

  • Oct 24, 2016 at 08:42 PM

    Hi Andreas,

    Pretty much the same deal I should think, just set up toSAP passes that update the logon, again, there's some planning and testing to be done. You'll probably also need to talk to others in your SAP management such as BASIS, Security, and HR to coordinate everything and work out the details.

    Matt


  • Former Member
    Nov 01, 2016 at 05:03 PM

    Hello Matt,

    OK, but I will use the K-Number = MSKEYVALUE for SAP.

    And for the other systems which get the logon from AD I will use another attribute such as "kottea".

    My problem is that I don't know which attribute I have to change in the "AD-Package" passes.
