
How to troubleshoot AS ABAP role provisioning not working?

Former Member
0 Kudos

Hello,

I'm currently having trouble getting the role/privilege assignments for one AS ABAP system to work. I've been assigning roles/privileges through the user interface and while the changes are saved in IDM, they're not being written to the AS ABAP repository. Conversely, the 'update ABAP user' changes are working and are being written to the AS ABAP repository.

Here's my setup and what I've completed so far:

  • Identity center and user interface are configured.
  • initial load for AS ABAP completed, appears to be successful. Users and ABAP roles were read and then written back to the users in the ABAP system.
  • the ABAP repository event tasks are set to the following. Since the repository was created with a wizard I'd expect these are defaults.

I've been checking the job log in the IDM Admin interface and see the following:

As you can see, the 'update ABAP user' changes are sent to the R3D100 repository and the role/privilege assignments are sent to the 'notification' repository. I don't understand why this is. Can you help explain this and possibly send a link to documentation for future study as well?

I have read through the configuration guide (2013) as well as the provisioning tutorial (not helpful for AS ABAP) and didn't see where the notification repository was mentioned. I do understand the concept of the Pending Value Object, however I don't see the connection between the PVO and notification repository.

Ideally I'd like to understand both why the provisioning of roles/privileges is not working as well as to understand better how to troubleshoot and know where to confirm that my configuration is correct.

Your help is much appreciated.

Paul

Accepted Solutions (1)


Murali_Shanmu
Active Contributor
0 Kudos

Paul,

It appears that the plug-in for Assigning Role to User in ABAP is not being Triggered.

Did you change any of the Hook Tasks or references to these under the R3D100 Repository constants?

What is the status of the Role in the IdM UI after you saved the data? Does it say "OK" or "Pending"?

I don't think there is any relationship between PVO and Notifications.

NOTIFICATION is a default repository which is available and can be used if you need to send notifications/emails to users whenever an action happens. For example, a role being removed, personal data being updated, etc. By default, the connection settings to an SMTP server would not be maintained. Hence, there will be no notification which would go out to the user. However, in the Provisioning Framework, there are many references to these Notification-related tasks. Hence, you are able to see these references in your log file.

In the below screen, you can see how, when the Standard Provisioning Task is called, it executes a series of steps which ends with a Notification task. If you have not maintained any configuration, there will be no notifications sent out. But you will always see this in the log.

When you assign a Role to a user, you should see a similar log under Enterprise People > Management > Status. I believe this does not show up for you.

Former Member
0 Kudos

Hi Paul,

As Ian said, you should have PRIV:RepositoryName:ONLY attached to the user, so you will be able to trigger a provisioning to the target system.

First, for all your automatic repositories you should have a master privilege (PRIV:...:ONLY) set.

You should create that privilege from the initial upload and then at some stage attach it to the user.

BR,

Simona

Former Member
0 Kudos

Thanks Simona,

I did check that this user does have the PRIV:R3D100:ONLY role assigned.

From your experience, can you tell me how if you copied one of the AS ABAP templates and attached it to the 'assign' User Interface Tasks? (see images below)

For example, I've done this:

- I copied the AS ABAP template job and attached it to the 'assign' task group in the User Interface Tasks folder. Here are two shots:

and I copied it here:

Also, can you confirm that the repository 'Event Tasks' I've set are correct also?

Thanks again.

Former Member
0 Kudos

Hi Paul,

I think you've missed some principles as you don't need to do these steps. In the UI task, all you do is assign the account privilege to the user. The standard framework does everything, you don't need to put any ABAP tasks under the UI tasks explicitly. Have a go through one of the standard identity tasks in the CORE part of the standard framework.

Cheers,

Ian

Former Member
0 Kudos

Hi Paul,

This is not the way you do it.

If you have correctly set PRIV:RepName:ONLY, check in the repository if the HOOK_TASK-s are set (in the value you should add a link to the task in your connectors folder: SetABAPRole&ProfilForUser).

BR

Simona

Former Member
0 Kudos

Thanks for this Ian.

I've re-read some of the configuration documentation and resolved a few things, but provisioning to the AS ABAP system is not working. In the IC and UI, the assignment of a privilege/role does get saved but the notification does not say that a task has been executed.

*I can confirm that this user does have the privilege: PRIV_R3D100_ONLY

Is it possible to identify what's missing by these screenshots? I've spent quite a bit of time re-reading documentation and testing but by going on what you've said above the ABAP task isn't being triggered.

Here are the ABAP repository constants for the repository I'm trying to provision to.

Here are the settings for the repository event tasks:

I'm really not sure what's missing from the above. As Ridouan mentioned below, do I need to set triggers on write jobs?

What does work is:

- creating a new user. This does get sent to the repository

- modifying a user's start/end dates. These also get sent to the repository.

Help is much appreciated.

Paul

Former Member
0 Kudos

Hi Paul,

Take off the modify task on the section in the middle and take off the provision and deprovision tasks on the bottom section.

That is the correct setup (I think), I'll try and send a screenshot when I'm in the office.

If it still doesn't work, assign the account Priv (Priv:<repository name>:only) to a new identity you haven't provisioned before and then send a screenshot of the job log to show what tasks ran.

Cheers,

Ian

Former Member
0 Kudos

Thanks Ian,

I made the changes you listed: removed 'modify' from the 'assignment' section, and removed 'provision/deprovision' from the 'privilege tasks' section.

Here's how it looks now:

Result: still doesn't provision anything to the repository, no tasks executed.

Next, I created a new user and tried to assign the PRIV_R3D100_ONLY, privilege.

Result: in IDM UI, it states the user was created, but failed to assign the PRIV_R3D100_ONLY privilege. Here's a screenshot of the job log:

I have noticed an inconsistency that might have some bearing.

1) when I select the 'choose task' button I'm given these choices, 'Custom Tasks' and 'Identity'.

2) now, if I select 'Assign privileges, roles, groups' from the 'Custom Tasks' drop down I'm taken to the screen to choose roles/privileges to assign. It's here that I see that the new user I created does in fact have the PRIV_R3D100_ONLY privilege assigned.

3) but, if I were to choose the 'identity' drop down for the same choices I see that the PRIV_R3D100_ONLY privilege is not assigned.

4) also, on the user details section, at the bottom of the page that lists all users, I also don't see the PRIV_R3D100_ONLY privilege as I did from the screen mentioned above (#2).

I suspect this has some bearing but I'm unable to piece it together just yet. Thoughts?

Again, thanks for your help.

Paul

Former Member
0 Kudos

Ian,

Did the screenshots I added below make sense? For some reason none of the ABAP connector tasks are being executed when roles/privileges are assigned.

Thanks for your help.

Paul

Former Member
0 Kudos

Hi Paul,

What about we spend a bit of time on a webex to see if we can get it working for you?

Cheers,

Ian

Former Member
0 Kudos

Hi Ian,

That sounds good. If you want to let me know what works for you I'll work around that.

Cheers, Paul

Answers (4)


Former Member
0 Kudos

After working with Ian Daniel, we were able to understand what was not working and resolve the problem I was having trying to provision roles/privileges to a user in one AS ABAP system.

Here's what happened:

- prior to completing the initial load for this AS ABAP system, I prepared two separate csv files with roles and privileges to upload. This was recommended as a quick way to manage creating a role.

- what I didn't do was to format the privileges correctly. So what got uploaded was missing the repository information needed. Here's a sample:

Incorrect: Z4ECC_ABAP_DISPLAY-Role

Correct: Z4ECC_ABAP_DISPLAY-Role (R3D100)

After the initial load, all users did have the correct privileges assigned, which showed that provisioning was working correctly.

When I went to add a new privilege as a test, I chose one of the incorrectly formatted privileges as they were near the top of the list. After saving, the tasks did execute, but since the privilege was missing the repository information it couldn't be assigned.

One way to avoid this problem is to let the initial load manage the creation of properly formatted privileges.

Thanks very much to Ian Daniel, saved us a lot of time.

Paul
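A pre-upload check for the formatting problem described in the post above, as an added example that is not part of the original thread or of SAP IdM. It assumes the privilege names sit in a CSV column called `name` (a hypothetical layout) and that a well-formed name ends in ` (REPOSITORY)`, as in the post's corrected sample; the second role and the `R3Q200` repository are constructed sample data.

```python
import csv
import io
import re

# Trailing " (REPOSITORY)" suffix, as in the thread's corrected sample.
SUFFIX_RE = re.compile(r"^(?P<base>.*\S)\s*\((?P<repo>[^()]+)\)\s*$")


def check_privilege_names(csv_text, repository, column="name"):
    """Return (line_no, value, problem, suggestion) for every row whose
    privilege name lacks the expected repository suffix."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not in header {reader.fieldnames}")
    findings = []
    for row in reader:
        value = (row[column] or "").strip()
        line_no = reader.line_num  # physical line of the row just read
        if not value:
            findings.append((line_no, value, "empty name", None))
            continue
        match = SUFFIX_RE.match(value)
        if match is None:
            findings.append((line_no, value, "missing repository suffix",
                             f"{value} ({repository})"))
        elif match.group("repo").strip() != repository:
            findings.append((line_no, value, "suffix names another repository",
                             f"{match.group('base')} ({repository})"))
    return findings


# Constructed sample file; the column names are an assumption.
SAMPLE_CSV = """name,description
Z4ECC_ABAP_DISPLAY-Role,Display access
Z4ECC_ABAP_DISPLAY-Role (R3D100),Display access
Z4ECC_ABAP_CHANGE-Role (R3Q200),Change access
"""

if __name__ == "__main__":
    for line_no, value, problem, suggestion in check_privilege_names(SAMPLE_CSV, "R3D100"):
        print(f"line {line_no}: {value!r}: {problem}; suggested: {suggestion!r}")
```

Run against the file before upload, the check flags the entries that would save in the UI but never reach the target system.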

Former Member
0 Kudos

Hi Paul,

For AS ABAP Provision System would look for Account Privilege & System Privilege. So in this case Account Privilege is assigned to the user. But I couldn't find System Privilege assigned or defined at Repository level. Please refer to the below-mentioned thread also for more details around System Privilege vs. Account Privilege & associated setup.

http://scn.sap.com/thread/3331868

I believe once you set System Privilege to the user, ABAP Provisioning will work as expected.

Thanks,

Jerry

former_member190695
Participant
0 Kudos

Hi Paul,

Please make sure the triggers on the ABAP privileges are set correctly.

This is the last part of the initial load job.

Advice: Read the Technical Reference Guide to understand how provisioning works in SAP IdM.

Regards,

Ridouan

Former Member
0 Kudos

Hi Paul,

That looks like the modify of the SU01 record is working OK, so if you changed a person's first name, for example, in IdM it would change in SU01.

To assign roles, you should see a different plug-in triggered, something like 'Assign access'.

Can you check that the privileges of the person you are trying to change include one called Priv_r3d_only or something like that, as the account privilege is a necessary prerequisite for provisioning to be triggered?

If you could send a screenshot of the privileges assigned to the user in question from IdM, that would help.

Cheers,

Ian

Former Member
0 Kudos

Thanks Ian,

I did check that, with all the test users I was working with. Here's a look at the system account role assigned to this test user:

Can you tell me, should the event task on the repository be the same task as that used in the user interface task folder? I'm trying to understand the linkages between the repository event tasks entries and the AS ABAP job templates that can be used in the user interface task folder.

Thanks for your help.

Paul