on 04-09-2013 7:50 PM
Hello,
I'm currently having trouble getting the role/privilege assignments for one AS ABAP system to work. I've been assigning roles/privilege through the user interface and while the changes are saved in IDM, they're not being written to the AS ABAP repository. Conversely the 'update ABAP user' changes are working and are being written to the AS ABAP repository.
Here's my setup and what I've completed so far:
I've been checking the job log in the IDM Admin interface and see the following:
As you can see, the 'update ABAP user' changes are sent to the R3D100 repository and the role/privilege assignments are sent to the 'notification' repository. I don't understand why this is. Can you help explain this and possibly send a link to documentation for future study as well?
I have read through the configuration guide (2013) as well as the provisioning tutorial (not helpful for AS ABAP) and didn't see where the notification repository was mentioned. I do understand the concept of the Pending Value Object, however I don't see the connection between the PVO and the notification repository.
Ideally I'd like to understand both why the provisioning of roles/privileges is not working as well as to understand better how to troubleshoot and know where to confirm that my configuration is correct.
Your help is much appreciated.
Paul
Paul,
It appears that the plug-in for Assigning Role to User in ABAP is not being Triggered.
Did you change any of the Hook Tasks or the references to these under the R3D100 Repository constants?
What is the status of the Role in the IdM UI after you saved the data? Does it say "OK" or "Pending"?
I don't think there is any relationship between PVO and Notifications.
NOTIFICATION is a default repository which is available and can be used if you need to send notifications/emails to users whenever an action happens. For example, a role being removed, personal data has been updated etc. By default, the connection settings to an SMTP server would not be maintained. Hence, there will be no notification which would go out to the user. However, in the Provisioning Framework, there are so many references to these Notification related tasks. Hence, you are able to see these references in your log file.
In the below screen, you can see how when the Standard Provisioning Task is called, it executes a series of steps which ends with a Notification task. If you have not maintained any configuration, there will be no notifications sent out. But you will always see this in the log.
When you assign a Role to a user, you should see a similar log under Enterprise People > Management > Status. I believe this does not show up for you.
Hi Paul,
As Ian said you should have PRIV:RepositoryName:ONLY attached to the user, so you will be able to trigger a provisioning to the target system.
First, for all your automatic repositories you should have a master privilege (PRIV:...:ONLY) set.
You should create that privilege from the initial upload and then at some stage attach it to the user.
BR,
Simona
Thanks Simona,
I did check that this user does have the PRIV:R3D100:ONLY role assigned.
From your experience, can you tell me how if you copied one of the AS ABAP templates and attached it to the 'assign' User Interface Tasks? (see images below)
For example, I've done this:
- I copied the AS ABAP template job and attached it to the 'assign' task group in the User Interface Tasks folder. Here are two shots:
and I copied it here:
Also, can you confirm that the repository 'Event Tasks' I've set are correct also?
Thanks again.
Hi Paul,
I think you've missed some principles as you don't need to do these steps. In the UI task, all you do is assign the account privilege to the user. The standard framework does everything; you don't need to put any ABAP tasks under the UI tasks explicitly. Have a go through one of the standard identity tasks in the CORE part of the standard framework.
Cheers,
Ian
Thanks for this Ian.
I've re-read some of the configuration documentation and resolved a few things, but provisioning to the AS ABAP system is not working. In the IC and UI, the assignment of a privilege/role does get saved but the notification does not say that a task has been executed.
*I can confirm that this user does have the privilege: PRIV_R3D100_ONLY
Is it possible to identify what's missing by these screenshots? I've spent quite a bit of time re-reading documentation and testing but by going on what you've said above the ABAP task isn't being triggered.
Here are the ABAP repository constants for the repository I'm trying to provision to.
Here are the settings for the repository event tasks:
I'm really not sure what's missing from the above. As Ridouan mentioned below, do I need to set triggers on write jobs?
What does work is:
- creating a new user. This does get sent to the repository
- modifying a user's start/end dates. These also get sent to the repository.
Help is much appreciated.
Paul
Hi Paul,
Take off the modify task on the section in the middle and take off the provision and deprovision tasks on the bottom section.
That is the correct setup (I think), I'll try and send a screenshot when I'm in the office.
If it still doesn't work, assign the account Priv (Priv:<repository name>:only) to a new identity you haven't provisioned before and then send a screenshot of the job log to show what tasks ran.
Cheers,
Ian
Thanks Ian,
I made the changes you listed: removed 'modify' from the 'assignment' section, and removed 'provision/deprovision' from the 'privilege tasks' section.
Here's how it looks now:
Result: still doesn't provision anything to the repository, no tasks executed.
Next, I created a new user and tried to assign the PRIV_R3D100_ONLY privilege.
Result: in IDM UI, it states the user was created, but failed to assign the PRIV_R3D100_ONLY privilege. Here's a screenshot of the job log:
I have noticed an inconsistency that might have some bearing.
1) when I select the 'choose task' button I'm given these choices, 'Custom Tasks' and 'Identity'.
2) now, if I select 'Assign privileges, roles, groups' from the 'Custom Tasks' drop down I'm taken to the screen to choose roles/privileges to assign. It's here that I see that the new user I created does in fact have the PRIV_R3D100_ONLY privilege assigned.
3) but, if I were to choose the 'identity' drop down for the same choices I see that the PRIV_R3D100_ONLY privilege is not assigned.
4) also, on the user details section, at the bottom of the page that lists all users, I also don't see the PRIV_R3D100_ONLY privilege as I did from the screen mentioned above (#2).
I suspect this has some bearing but I'm unable to piece it together just yet. Thoughts?
Again, thanks for your help.
Paul
After working with Ian Daniel, we were able to understand what was not working and resolve the problem I was having trying to provision roles/privileges to a user in one AS ABAP system.
Here's what happened:
- prior to completing the initial load for this AS ABAP system, I prepared two separate csv files with roles and privileges to upload. This was recommended as a quick way to manage creating a role.
- what I didn't do was to format the privileges correctly. So what got uploaded was missing the repository information needed. Here's a sample:
Incorrect: Z4ECC_ABAP_DISPLAY-Role
Correct: Z4ECC_ABAP_DISPLAY-Role (R3D100)
After the initial load, all users did have the correct privileges assigned, which showed that provisioning was working correctly.
When I went to add a new privilege as a test, I chose one of the incorrectly formatted privileges as they were near the top of the list. After saving, the tasks did execute, but since the privilege was missing the repository information it couldn't be assigned.
One way to avoid this problem is to let the initial load manage the creation of properly formatted privileges.
Thanks very much to Ian Daniel, saved us a lot of time.
Paul
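As an added example (not code from the thread or from SAP IdM), here is a pre-upload check for the defect Paul describes: privilege names in the CSV that lack the repository suffix. The naming pattern `<name> (<REPOSITORY>)` is assumed from the corrected sample above, and the CSV layout with a `privilege` column is constructed for the example.

```python
import csv
import io
import re

# Assumed naming pattern, taken from the corrected sample in the thread:
# '<name> (<REPOSITORY>)'. The CSV layout (a 'privilege' column) is constructed
# for this example; a real upload file follows whatever the initial-load job expects.
PRIV_RE = re.compile(r"^(?P<name>.+?) \((?P<repo>[A-Za-z0-9_]+)\)$")

def check_privilege(value, expected_repo):
    """Classify one privilege name as 'ok', 'missing_repo' or 'wrong_repo'.
    Returns (status, corrected_value); the repository suffix is appended when
    it is missing, and the value is left unchanged otherwise."""
    value = value.strip()
    m = PRIV_RE.match(value)
    if m is None:
        return "missing_repo", f"{value} ({expected_repo})"
    if m.group("repo") != expected_repo:
        return "wrong_repo", value
    return "ok", value

def check_csv(text, expected_repo, column="privilege"):
    """Check every data row; return (row_no, status, original, corrected) tuples."""
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        status, fixed = check_privilege(row[column], expected_repo)
        findings.append((row_no, status, row[column].strip(), fixed))
    return findings

def corrected_csv(text, expected_repo, column="privilege"):
    """Rewrite the CSV with missing suffixes added. Rows naming a different
    repository are kept as-is so they surface for manual review."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        status, fixed = check_privilege(row[column], expected_repo)
        if status == "missing_repo":
            row[column] = fixed
        writer.writerow(row)
    return out.getvalue()

# Constructed sample: the first row has the defect described in the thread.
SAMPLE = """privilege,description
Z4ECC_ABAP_DISPLAY-Role,Display role
Z4ECC_ABAP_CHANGE-Role (R3D100),Change role
Z4ECC_ABAP_ADMIN-Role (R3Q100),Admin role
"""

if __name__ == "__main__":
    for finding in check_csv(SAMPLE, "R3D100"):
        print(finding)
```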
Hi Paul,
For AS ABAP, the Provision System would look for an Account privilege & a System Privilege. So in this case the Account Privilege is assigned to the user. But I couldn't find a System Privilege assigned or defined at Repository level. Please refer to the below-mentioned thread also for more details around System Privilege vs Account Privilege & the associated set up.
http://scn.sap.com/thread/3331868
I believe once you set the System Privilege for the user, ABAP Provisioning will work as expected.
Thanks,
Jerry
Hi Paul,
Please make sure the triggers on the ABAP privileges are set correctly.
This is the last part of the initial load job.
Advice: Read the Technical Reference Guide to understand how provisioning works in SAP IdM.
Regards,
Ridouan
Hi Paul,
That looks like the modify of the SU01 record is working ok, so if you changed a person's first name for example in IdM it would change in SU01.
To assign roles, you should see a different plug-in triggered, something like 'Assign access'.
Can you check that the privileges of the person you are trying to change include one called Priv_r3d_only or something like it, as the account privilege is a necessary pre-requisite for provisioning to be triggered.
If you could send a screenshot of the privileges assigned to the user in question from IdM, that would help.
Cheers,
Ian
Thanks Ian,
I did check that, with all the test users I was working with. Here's a look at the system account role assigned to this test user:
Can you tell me, should the event task on the repository be the same task as that used in the user interface task folder? I'm trying to understand the linkages between the repository event tasks entries and the AS ABAP job templates that can be used in the user interface task folder.
Thanks for your help.
Paul