
IDM role provisioning through TO CUSTOM pass

Hello All,

Please let me know if there is a way to provision roles through IDM to users in ABAP using a To Custom pass without touching the identity store. We have tried it, but this removes the existing roles and assigns only the roles which were passed.

We want to add these roles along with the existing roles which were already present. Please let me know if anyone has answers for this.




  • Hello Steffi,

    Actually, in our landscape the identity store is not configured properly. We were assigning roles bypassing the identity store, and the roles of the ABAP system are not in sync with IDM. Hence we wanted to know if there is any way of assigning roles bypassing the identity store.

    If the above-mentioned thing is not possible, can you suggest any links for a fresh identity store configuration for user creation, deletion and role assignment, so that we can perform a new configuration of the identity store?



  • Steffi Warnecke Vinay Sathyanarayana Murthy

    Hello Vinay,

    If the IDM is not configured properly, I guess you need to start fresh. So just follow the standard documentation for the implementation. At the moment you are not really using what IDM is meant for, so you make your lives a lot harder and more complicated.




  • Vinay, I have to agree with Steffi. One of the central purposes of IDM is SAP Role Management. You are losing all of the benefits of IDM this way.

    If your organization has an incomplete role model, then it makes sense to begin or finish that effort before loading things into IDM.



1 Answer

  • Mar 05, 2018 at 11:29 AM

    Hi Vinay,

    Did you create a non-provisioning job and try to push roles to the backend SAP system? If yes, then pass the values as below in the roles attribute.

    Attribute   Value
    logonuid    %BNAME%
    roles       role1|role2|role3


    • User has 2 privileges assigned in IDM (PRIV:ROLE:REP1:ROLE_A, PRIV:ROLE:REP1:ROLE_B assigned in IDM) and also in the SAP system (ROLE_A, ROLE_B are assigned in the SAP system).
    • Need to assign ROLE_C to the user directly in the SAP system, but via IDM.

    Now if you want to assign an additional role to the user in the SAP system via IDM without using the IDM provisioning framework (the privilege is not assigned in IDM but directly in the SAP system; this is not best practice, always ensure the role assignments are in sync between IDM and the target system), then pass the roles as below in the non-provisioning job.

    Attribute   Value
    logonuid    %BNAME% (hope you are retrieving this value from a table using an SQL query in the source tab)
    changetype  modify
    roles       ROLE_A|ROLE_B|ROLE_C
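
The answer above relies on the `roles` value replacing the user's whole assignment list, so the value has to carry the existing roles plus the new one. As an added example (not part of the answer and not SAP IDM's own code), the following plain JavaScript builds that value and reports which roles end up in the backend without a matching IDM privilege. The function names and the sample data are hypothetical, and no IDM API is called.

```javascript
// Added example: plain JavaScript, constructed sample data, hypothetical names.
// Privilege naming follows the thread: PRIV:ROLE:<repository>:<role>
const PRIV_RE = /^PRIV:ROLE:([^:]+):(.+)$/;

// Extract ABAP role names from IDM privilege names for one repository.
function rolesFromPrivileges(privileges, repository) {
  const roles = [];
  for (const p of privileges) {
    const m = PRIV_RE.exec(p.trim());
    if (m && m[1] === repository) roles.push(m[2]);
  }
  return roles;
}

// Build the full "roles" value: roles already in the backend first, then the
// additions, de-duplicated. Sending only the additions would drop the rest.
function buildRolesValue(backendRoles, additions) {
  const seen = new Set();
  const out = [];
  for (const raw of [...backendRoles, ...additions]) {
    const role = raw.trim();
    if (!role) continue;
    if (role.includes("|")) throw new Error("role name contains delimiter: " + raw);
    if (!seen.has(role)) { seen.add(role); out.push(role); }
  }
  return out.join("|");
}

// Compare the value about to be written with what IDM knows about the user.
function driftReport(privileges, repository, rolesValue) {
  const idm = new Set(rolesFromPrivileges(privileges, repository));
  const backend = rolesValue ? rolesValue.split("|") : [];
  return {
    onlyInBackend: backend.filter((r) => !idm.has(r)), // assigned outside IDM
    onlyInIdm: [...idm].filter((r) => !backend.includes(r)), // would be removed
  };
}

// Constructed sample matching the scenario in the answer.
const samplePrivileges = ["PRIV:ROLE:REP1:ROLE_A", "PRIV:ROLE:REP1:ROLE_B"];
const sampleValue = buildRolesValue(["ROLE_A", "ROLE_B"], ["ROLE_C"]);
console.log(sampleValue, driftReport(samplePrivileges, "REP1", sampleValue));
```

A non-empty `onlyInBackend` list is the out-of-sync state the answer warns about; a non-empty `onlyInIdm` list means the write would remove a role that IDM still considers assigned.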


