Skip to Content
0
Former Member
Sep 09, 2010 at 02:44 PM

Privileges not Grouping when Provisioning to ABAP Systems

58 Views

We're using IdM SP5 (7.10.5.0-SQL-2010-05-09).

When we add an ABAP role/privilege to a user in IdM, it starts the ABAP provisioning task, which should provision the user's new role to the ABAP system. What actually happens is that it provisions his whole set of roles to ABAP multiple times (as many times as he has roles).

For example:

Joe Smith has three ABAP privileges. We add a fourth.

Expected result:

SetABAPRole&ProfileForUser runs once and provisions the following role string to the ABAP System:

EXISTINGROLE1|EXISTINGROLE2|EXISTINGROLE3|NEWROLE1

What actually happens:

SetABAPRole&ProfileForUser runs four times, once for each privilege Joe has, and provisions the exact same role string to the ABAP System each time:

EXISTINGROLE1|EXISTINGROLE2|EXISTINGROLE3|NEWROLE1

I've tried turning on Assignment Grouping for the repository and it doesn't seem to make any difference. This is really inefficient and causes a lot of problems, as we have many users with 10-20+ ABAP roles, and when they gain or lose a privilege, it provisions them 10-20+ times. Sometimes this happens to large groups of users, and suddenly we have 5000+ provisioning entries queued up when we should really only have 250 (they take between 2-4 seconds for each call)!

Is there something I'm missing here?