Skip to Content
avatar image
Former Member

How to provision the abap roles properly

Hi, all

I am new to IDM and struggling to setup a task to provision abap role to the users via IDM.

I have copied task "Assign User Membership to ABAP" from plugins folde of the provisioning framework. The source is "MX_PERSON". The assignment of the role actually works, but the problem is that it wipes out all the existing roles from the user, even though these roles(or privileges in the identity sotre) are supposed to be there. What is wrong? I thought this is suppoed to be "easy" but I don't know why IDM makes everything so hard.

Please help. Is there any step by step guide for ABAP provisioning? What is the technique to synchronize the privilege in the identity store with the su01 in the ABAP system? I can see this is going to be a major risk.

Thanks,

Jonathan.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    avatar image
    Former Member
    Mar 11, 2013 at 10:51 PM

    IDM does a replace on the current roles.  This means that all the roles in the target system need to exist as privileges and be assigned to the user.  Otherwise it will remove those that don't exist.

    Peter

    Add comment
    10|10000 characters needed characters exceeded

  • Mar 10, 2013 at 11:49 PM

    I too wish if there is a guide on ABAP Provisioning. Just letting you know (in case you are not aware of it) that IdM would overwrite what ever roles are in SU01 with the existing assignments in Identity Store. If, in IdM you have assigned one privileges to the already existing 3 privileges for the user, you should find 4 technical roles assigned to this user in ABAP.

    Note 1626816  ABAP Connector Delta Handling for Role Profile Assignments

    I am also keen to hear from others on the best approach.

    Cheers

    Murali

    Add comment
    10|10000 characters needed characters exceeded

    • I am not sure why things are going so wrong. I also don't have much of idea on SetABAPRole&ProfileForUser job.

      I have done the following and seen things working.

      In the ABAP system repository > Event Task tab > provision > I maintain the task "ProvisionABAP" (This is available in the framework).

      See how it goes.

      Cheers,

      Murali.

  • Mar 12, 2013 at 01:54 PM

    Hi,

    Please check the link below. I've tried to cover some of the issues you might have.

    If you have questions don't hesitate to contact me.

    SAP IDM - How to handle SAP roles

    Best Regards,

    Ivan

    Add comment
    10|10000 characters needed characters exceeded