
IDM autoprovisioning does not execute searchRequest before addRequest

Former Member
0 Kudos

In the CUP interface, under Configuration->Workflow->Auto Provisioning->By System, one configures the autoprovisioning for the IDM system.

There is an option labeled "Create If User Does Not Exist". When this option is set to "Yes" and I approve a user account modification request, GRC does not send the searchRequest, it simply sends an addRequest for the already-existing user (which fails in eDirectory, since the user does exist).

When the option is set to "No" GRC does send the searchRequest (malformed).

Perhaps the UI wording is incorrect, or perhaps I misunderstand what this option is supposed to control, but it seems to me that the boolean sense of the option is reversed. I would expect "Yes" to cause the searchRequest to be sent. (It doesn't seem to be a problem in translation... auf Deutsch: "Anlegen, falls Benutzer nich vorliegt".)

Is there somebody who can explain that to me?

- Holger

Accepted Solutions (0)

Answers (4)

hkaur
Advisor
0 Kudos

I am afraid not... there is very little documentation available around IDM integration. You can send feedback to the author of this document to include more info in this doc itself.

Regards

Harleen

SAP GRC RIG

hkaur
Advisor
0 Kudos

Hi Holger,

The issue might have been in the Search Criteria or other Search parameters defined in the Connector of CUP. It could be that the search request was failing earlier due to incorrect parameters set in the connector. But this option (if set to YES) searches for the user first, and only if the user does not exist does it create the user.

Hope this helps

Regards

Harleen

Former Member
0 Kudos

Harleen,

'search_criteria' is the right track. We meanwhile figured out that we missed the SEARCH:_CRITERIA in the IDM connector definition. After adding it, the SOAP request does look much better.

We used the 'GRC-AC-IDM Web Service.pdf' document for the configuration. But this document does miss some parameters, as they are described in https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0da2dba-0480-2b10-a7ae-f055ab6e....

Some of the parameters described there are specific to NetWeaver IDM integration, but some aren't described very well.

Do you have a better source for the parameter description?

Thanks

Holger

hkaur
Advisor
0 Kudos

Hi Holger,

Can you make sure that your "Change Account" request type does not have the CREATE_USER action assigned to it?

It should have only CHANGE_USER and ASSIGN_ROLES actions assigned.

This should resolve the issue.

Regards

Harleen

Former Member
0 Kudos

Harleen,

These options are set. Meanwhile I defined a new IDM connection, and with this it does work as I would expect it.

I don't know what the difference is yet, so I will have a look at this further.

Thanks

Holger

Former Member
0 Kudos

Holger,

Your understanding is correct and that is how this option works for SAP systems. I have not tried it for IDM, and as IDM is the latest addition, there might be some issue with it.

Did you open a message with SAP and see what the response is?

Regards,

Alpesh

Former Member
0 Kudos

Alpesh,

Yes, I meanwhile opened a service call at SAP. I don't have an answer so far.

Thanks

Holger