cancel
Showing results for 
Search instead for 
Did you mean: 

Updating User in IDM Does Not Reflect in Connected SAP AS ABAP System

former_member273752
Participant
0 Kudos

Hello Experts,

We are working on a IDM scenario on IDM 7.2. We have done the configuration as per the configuration guide, and successfully done an initial load of the users from a connected SAP ABAP system. From the IDM UI, when we change an user (Via web enabled tasks), the user record gets modified in IDM, but the changes do not get reflected in the connected ABAP system. When we look for system logs or tasks in the Identity Center, we do not find any entries. Can you please guide us in with some pointers, so as to why this behavior might be occurring?

Thanks and Regards,

Sid

Accepted Solutions (0)

Answers (5)

Answers (5)

Former Member
0 Kudos

HI Sid,

Just wondering if you managed a fix to this issue?  We have an almost identical issue whereby we are unable to modify the backend abap systems.

I can confirm the following is in place and checked:

(1) The user has the repository system priv (PRIV:SYSTEM:REP) assigned.

(2) The system priv above has both the modify job inherited from the repository and the relevant attributes ticked as triggers on the task tab.

[Note: We have tried global constant values of both 0 & 3 for MX_PRIV_MODIFY_POLICY]

(3) The hook tasks in the repository appear correct.

(4) All modify jobs, plugins etc are enabled

(5) The jobs are set to dispatch and the dispatchers have no obvious issues ( & been restarted)

(6) We have traced the user with little sucess also.

The result is we get line items in the 'Provisioning Queue' for the modify job and its underlying log and synchronous check, though they are identified as disabled and error states with no further info and no update to the abap system and nothing further in the job log.

Thoughts? Any feedback would be appreciated, as the above (from my understanding) is all the pieces of the puzzle correct, though no result.

Cheers,

Andrew Whitebrook

Former Member
0 Kudos

Sid,

We have just managed to process end to end with updates in our abap system.  The difference seems to be at the job level.  When using a copy of the standard modify job in our namespace, we had no luck, though with the standard job, it worked fine.  So I would suggest following steps 1 - 4 in the post above, set the global constant to either 0 or 3 depending on your requirement and use the standard modify job.

Good luck!

Andrew Whitebrook.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Avik,

now that's some frustrating issue. Somethings working (the queue fills up) and then... nothing. I hate those, too. ^^

When you go to the Status-overview, where you can see ALL the jobs (should be right at the top under "Management"), sort by state and look for "error". Is there any job like this? Try restarting them (Right klick > Run now).

Also try restarting the dispatcher, that you assigned to this job. Maybe something is stuck there (happens to our system sometimes).

Check the settings of the dispatcher, too to see, if it is allowed to run tasks and jobs. When you klick on "Dispatchers", an overview opens where you can set different settings for the dispatcher like "Tasks", "Approvals", "Jobs" etc.

Regards,

Steffi.

Murali_Shanmu
Active Contributor
0 Kudos

I suspect there is a problem with some tasks in the Provisioning Queue. Apart from the Modify operation which you are performing, is anything else (like assigning a role) flowing to AS ABAP system ?

Cheers,

Murali

0 Kudos

Hi Murali,

Currently nothing is getting reflected in the ABAP system. I suspect we need to assign some task events somewhere but I dont know the details where to assign which event. Currently the web enabled task "Disable Identity" gets called when I disable any user from IDM UI. I need some details on where to assign which which event that would trigger the provision into the target system. Any help would be appreciated.

Many Thanks,

Avik

Former Member
0 Kudos

Hi  Siddhartha,

  You should check if you are set your master privilege on the Repository - master privilege.

Before that check if you have master privilege created for the system PRIV:RepName:ONLY and when you are started, check for PRIV:SYSTEM:RepName..

BR

Simona

former_member273752
Participant
0 Kudos

Hi Simona,

Thank you for the pointer. We have set the master privilege, but the issue persists! 😞

Thanks for sharing this important info, though! 🙂

Best Regards,

Sid

0 Kudos

Hi Simona,

I am working with Sid in the same project, the problem we have is when we select any Web enabled task...like suppose we select Disable Identity from the IDM UI, the web enabled task Disable Identity gets called which can be seen in the provision audit. But we cannot see the changes done in the ABAP side. In the MX_PERSON entry type for the Identity store, in the modify event I have selected 1324/Modify Identity(another web enabled task), so two tasks are initiated, Modify Identity and Disable Identity as can be seen on Provision Audit when I selected Disable identity in IDM UI. But how is the web task going to connect to ABAP system for making the changes, is there any job it should call, any pass need to be defined? We would appreciate if you can help us on this issue.

Former Member
0 Kudos

Hi  Avik,

   If you go in you PRIV:SYSTEM:RepName privilege in tab - Task(you should select for Modify task: Inherited - this way you will inherit the task from you repository - here in the repository tab - Evant tasks you have to select the task, that will be executed for this example: select task from CORE folder task - Modify and from there go in your repository constants - MX_HOOK7_TASK - set a value for MX_HOOK......_TASK - the value should be a task from the connectors folder, the task you set as a value will update the user into the target system). In the list of attributes in your system privilege you should select the attributes, that will triger the modify task. If in your list of attributes you have MX_DISABLED - the change of this attribute will triger Modify task and the your user will be locked in the target system.

BR,

Simona

0 Kudos

Hi Simona,

Sorry I couldn't understand properly. I need little more help on this.

As you wrote,

   "If you go in you PRIV:SYSTEM:RepName privilege in tab - Task" where can I find this privilege PRIV:SYSTEM:CPM100 <CPM100 my ABAP respository> and where can I find the Modify task:Inherited?

Next

"here in the repository tab - Evant tasks you have to select the task, that will be executed for this", I couldnt find repository tab.

MX_HOOK7_TASK=370/7. Disable ABAP User in my system.

MX_DISABLED is there in my Identity store attribute list, in the event task for modify operation, I specified 751/Modify.

I am new to IDM and need some more details, I couldn't find these information in any config guide. Can you attach screenshot as well as it will be easier to understand.

Many Thanks,

Avik 

Former Member
0 Kudos

Hi Avik,

1.  When you do the initial upload you shoul create the system privilege PRIV:SYSTEM:RepName

2.  After you have created this privilege, you can open  PRIV:SYSTEM:RepName and select tab Tasks.

3.  In tab Tasks you cane select for Modify task: Inherited(this way you will inherit the task from your repository)

4.  So here you are still in PRIV:SYSTEM:RepName tab Tasks - here you can select attributes(on change these attributes  will triger user modification in the system)

5.  After you have done the settings in the system privilege, you should go in the target system Repository and there in tab Event tasks for Modify task(select): Modify(this should be a task from CORE folder, after provisioning/deprovisioning - Modify)

BR,

Simona

0 Kudos

Hi Simona,

Thank you so much for the detail information. I followed all the steps that you mentioned, but unfortunately cannot see the changes in the backend ABAP repository yet.

Attaching the provisioning queue screenshot. Check that the queue size is growing enormously and Job status column is empty(should it be empty?)

Above is the screenshot of provisioning audit. Provisioning status shows task initiated ok. Note that two tasks are getting triggered, Disable identity and Modify identity. Any idea where I am going wrong?

Best regards,

Avik

Former Member
0 Kudos

Hi Avik

I would expect that you have a disabled task in there somewhere.  It won't tell you which one, it'll just sit there.

You might also find that something is missing a dispatcher.

Peter

ChrisPS
Contributor
0 Kudos

Hello Sid,

              in such a case the hook task to create an abap user as defined in the repository should be called. Check the job log for this task and see if there is any information. Also ensure that this task is enabled and assigned a dispatcher.

Thanks,

Chris

former_member273752
Participant
0 Kudos

Hello Chris,

Thanks for the reply. We could find from the provisioning queue that the standard task "223/2. Modify ABAP User" gets called when we change the identity in IDM (This is as per our repository configuration, as indicated by image below):

However, the update requests are stuck there in the provisioning queue, and we do not find any log of the task. The "Job Status" column is also empty.

Any pointers as to where we can check why the entries in the provisioning queue are not processed?

Thanks and Regards,

Sid

Former Member
0 Kudos

Hi Siddhartha,

When you have something stuck in your provisioning queue, you should go in you SQL developer and execute this select:

select * from mcmv_audit where auditref= auditID(or something like that);

    - and the result will have the answer, why this task is stuck(if this lead you to another task just take this task auditID and at the end you will see why this task is stuck).

BR,

Simona

0 Kudos

Christopher Leonard wrote:

Hello Sid,

              in such a case the hook task to create an abap user as defined in the repository should be called. Check the job log for this task and see if there is any information. Also ensure that this task is enabled and assigned a dispatcher.

Thanks,

Chris

The hook task MX_HOOK7_TASK is assigned the value 370/7. Disable ABAP User, but unfortunately the task is not getting called when I disable the user in the IDM UI. The task is enabled and the job enderneath it 3258/LockUnlockAbapUser is assigned a dispatcher. Where do I need to assign event task that would trigger this provision?