SAP Identity Management

This tool provides a way to manage external users: users who are neither HR relevant nor connected in any other way to the source systems currently used within IdM.

The logic can be separated in three parts:

  • SAP WD UI - for managing the external users' information
  • Back-end logic for UI search and validations
  • SAP IdM logic (after the external users are created/changed, the master data is updated in IdM and provisioned to the back-end systems)

A demo of this tool can be seen here - External Users Add on for SAP IdM - YouTube

1. WD UI - External users UI:


Note: for the case where the HR system can't be used to manage the users' source information.

2. Tool functionalities:

  • Complex search criteria to find exactly the people you are looking for.
  • Mechanism for storing new users in IdM if the system is currently busy processing other tasks with higher priority.
  • Easily extendable and transparent to maintain.
  • Auto generation of user IDs (following a certain logic).
  • Permission-based access to certain functions.

3. IdM customizations:

  • custom repository for managing the users
  • custom job - managing the auto generation of user IDs

Hope you like it

Simona Lincheva

As all may know, managing the Business Roles in IdM is not an easy thing to do, especially if the client wants to update them each month/week for business reasons. In that case we have to provide an easy way for them not only to update the BRs, but also to update the users' access accordingly and to keep a trace of the changes made.

The first thing that comes to mind is something like this - How to do mass population of a Business Roles with privileges using txt file - but there we are more or less restricted: we don't have any real information about the changes we made, nor any validations for the BRs.

So we decided to extend the standard IdM functionality by creating a custom tool for managing the BRs - the Authorization Matrix.

The Authorization Matrix allows you to control the BRs within IdM. This tool provides validation rules, easy rollback to a previous version and automatic user access updates after a BR modification. IdM processes the submitted Matrix and updates the changed business roles; after that the users' access is updated according to the new Matrix, and the back-end systems are updated.

1. First we started by separating the logic in three parts:

  • SAPUI5/WD UIs with validation rules
  • Back-end logic for UI validations (access validations, custom tables for managing the data)
  • SAP IdM logic (processing the submitted matrix and updating the user access, creating automatic requests for history review of the user access, with a custom Entry Type for the Matrix)

Note: more than one upload can be executed by a number of users, as we have implemented a custom queue for managing the submitted matrices.

A demo of this tool can be seen here - Authorization Matrix Add on for SAP IdM - YouTube

2. SAPUI5 UI - Authorization Matrix:

    • main UI:


    • the rest of the UIs:


3. WD UI - Authorization Matrix:


Note: not only do we have the ability to monitor the changes directly from IdM, but we can also load a previous version of the Matrix and from there check the changes or re-submit the old version.

4. IdM customizations:

  • custom Entry Type _Matrix
  • custom job - managing the submitted matrix and managing the queue (more than one matrix can be submitted)
  • custom IdM UI - displaying the requests created for the users (after the access is changed)
  • custom JavaScript scripts managing the logic
  • custom UI tasks for the Matrix

Hope you like it

Simona Lincheva

Here is a way to make IdM Notification process more flexible and easier to work with.

1. First we started by separating the logic in two parts:

  • SAP IdM custom table for storing the notifications (receivers, text, subject...)
  • SAP IdM logic (custom Entry type with some JavaScript/Java logic for managing the notification process and customer logic)


2. IdM custom entry type:

3. IdM tasks for sending the created notifications:

4. IdM custom table created for the notifications, where all of the e-mail information is stored (subject, To, CC, text, Country...). When a new location/notification is needed, the table can be updated with the new e-mail notifications from a simple .csv file.

E-mail can be sent for:

  • a specific action (create/terminate/position change/Manager change/On error...)
  • a specific country (all local languages are supported)
  • specific To/CC recipients, depending on the notification

Overview: a custom entry type used to send e-mail Notifications, which allows:

  • Easy maintenance (if needed, all notifications can be modified and new ones are easily added) with a simple .csv file
  • Flexibility:
    - each subject and body of the e-mail can be specific
    - all languages are supported (for each e-mail a subject/text in a default and a native language can be sent)
    - a different e-mail can be sent for each of the needed actions
    - To/CC depend on the settings in the notification table (specific To/CC)
    - in case of an error an e-mail can be sent

Note: a link to the updated version - SAP IdM Custom Add-on for Notifications management - on WD&SAPUI5

Hope you like it

Simona Lincheva

This tool can be used as a replacement for otherwise time-consuming actions like:

    • mass assign/un-assign of user access
    • mass lock/unlock of users
    • partially terminating users across the systems (removing access only from one or two of the available systems)

Note: all of them with input data validations.

For example: we have 100 users and we want to assign 10 SAP roles to each of them. Doing so via the standard IdM UI takes very long and is boring, but the same case takes only a couple of minutes using the Mass Upload UI.

The logic can be separated in three parts:

  • SAP WD UI - for exporting/importing the data (using csv files)
  • Back-end logic for UI validations (user and access validations)
  • SAP IdM logic (after the mass upload is submitted, custom requests are created in IdM for each user/system)

Note: more than one upload can be executed by a number of users, as we have implemented a custom queue for managing the created mass uploads.

A demo of this tool can be seen here - Mass Upload Add-on for SAP IdM - YouTube

1. WD UI - Mass Upload UI:


   1.1. Supported mass actions:

     • Add/Remove - roles/privileges
     • Add (create)/Remove (terminate) - users
     • Lock/Unlock - users

   1.2. UI supported operations:

     • Export template
     • Validate (only validates the data, without further actions)
     • Submit (with internal validations)
     • Add single record
     • Delete multiple records

2. IdM customizations:

  • custom Entry Type _Mass_Upload
  • custom job - managing the submitted mass uploads and managing the queue (more than one mass upload can be submitted)
  • custom IdM UI - displaying the requests created for the users (after the access is changed)
  • custom JavaScript scripts managing the logic
  • custom UI tasks for the Mass Upload

Hope you like it

Simona Lincheva

In addition to the standard IdM functionality we added this tool, which can run reports between all available systems in IdM and IdM itself; the report can also be made across two or more systems (depending on the customer's needs).

We started by separating the logic in two parts:

  • SAPUI5/IdM UI reports
  • SAP IdM logic (custom Entry type with some JavaScript logic for managing the reports and additional tasks/jobs for executing the report)

Note: no back-end is needed for this add-on (only standard REST calls directly to IdM).


1. A friendly and easily configurable UI, enabling the end user to perform identity integrity checks across the systems.

    • Main UI:

    • UI after selecting one of the generated reports:

    • In the next step, detailed information can be seen if a user is selected from the generated report:


2. The integrity check report can be executed several times a day (depending on the customer's needs - a setting in the job responsible for generating the reports).


Hope you like it

Simona Lincheva


As we all know the standard Notification process in IdM is not very flexible.

In order to have an easier way for our customers to manage the standard SAP IdM notification process, we have developed a custom add-on for IdM notifications. So here is what this add-on provides:

    • User friendly UIs for SAP IdM notification management
    • Easy UI capabilities for notification update
    • Import/export of notifications
    • UI data validations

1. First we started by separating the logic in three parts:

  • SAPUI5/WD IdM notification administration UI / back-end validations
  • SAP IdM logic (custom Notification repository with some JavaScript/Java logic for managing the notification process and customer logic)
  • User notifications


2. The UI-s:

     2.1. SAPUI5 Notification UIs:


    • Language/Organization UI:


    • Receiver UI:


    • Translation UI:


     2.2 SAP WD Notification UIs:




3. In addition, we have implemented an easier way for UI customization:

  • Additional validations can be easily added in the back-end, if needed
  • System data visible in the UIs, such as the Repository, can easily be replaced with the system description (ACTIVE_DIRECTORY -> Sys: Active Directory), if needed
  • The systems visible in the UI can be predefined (if the customer does not need all systems to be shown in the Notification UI)
  • The IdM logic can easily be changed according to customer needs


Note: here is a link to a simpler version - SAP IdM Custom Add-on for Notifications management - based on custom table


Hope you like it

Simona Lincheva

It has been about 7 years since SAP NW IdM 7.1 was released to customers, and since then many companies have used the product to benefit from centralized identity management to lower risk and manage user access: keeping operations running efficiently and affordably while protecting applications and data, providing user access according to current business roles, and managing passwords with self-service capabilities and approval workflows.



Following the product lifecycle, at a given point in time we will retire the product. At the end of the year (31.12.2015) we’ll reach the end of mainstream maintenance. To help you plan your future activities, I would like to notify you about that fact and also encourage you to get familiar with the new versions of SAP IdM.


There are a few publications that explain some of the capabilities of IdM 8.0:

SAP IdM 8.0 highlights

SAP IdM 8.0 developer studio Eclipse plug-in

SAP IdM 8.0 SuccessFactors connector

SAP IdM 8.0 documentation

SAP IdM 8.0 video – basic synchronization

SAP IdM 8.0 Installation and upgrade information

Often, searching for a solution to a problem in IdM can mean trying to find an old SCN thread or SAP Note. There is also an additional resource (set up by the IdM development team) for quickly finding solutions to common issues that are reported through SAP Service Marketplace: the SAP Netweaver Identity Management Troubleshooting Guide.


Currently it covers releases 7.1 and 7.2, but it is always evolving and will be updated with release 8.0 troubleshooting tips in time. As it is a wiki, anyone can add content that they feel will be helpful to other IdM administrators.


From working for some time on IdM topics, here are some basic activities that can help the performance of the system if you are new to IdM.


The first good source of information is the 'SAP Netweaver Identity Management Solution Operation Guide' found at this link


Section 4.6 of this guide covers Analysing Statement Execution, which helps if you need to identify long-running SQL statements in the system. Via the IdM administration UI such statements can be traced based on a minimum runtime threshold, as detailed below.


For a more detailed analysis of SQL statements see Per Krabsetsve's excellent blog at this link


Section '5.6.7 Rebuilding database indexes' advises:

    With heavy usage of the system, the database indexes will become fragmented, which may decrease performance. For further information regarding fragmented indexes and rebuilding the indexes, please refer to the documentation for your database system.


Most often if your system is suffering this issue you will see system wide performance issues. The UI, jobs and tasks will all perform more slowly than normal or the system could in most severe cases come to a standstill. Keeping the indexes refreshed is essential as much of the processing in the IdM application occurs at database level.


Performance Issues in the UI


If you have a reference attribute assigned to a UI task and the task takes a long time to open, there may be an issue in loading all the reference attribute values. In the MMC there is the option 'List Entries on Load', which can speed up the loading of the UI task until the root cause of the performance issue can be determined. When this checkbox is unchecked, the attribute values are not loaded automatically in the UI; instead the user must search for them after the UI opens.


Secondly, complex access controls on UI tasks are a common cause of performance degradation in the UI. Check the SQL statement used in the access control and see if it can be refined in any way to make it faster.



Using NOLOCK on MSSQL queries


If you need to read a large dataset from an MSSQL database, the WITH (NOLOCK) hint should be used in the SQL statement, e.g.


select * from idmv_link_ext with (nolock) where ..........


Note that NOLOCK reads uncommitted data, so a row being changed by a concurrent transaction may be returned in its uncommitted state. In addition, remember that storing such data in the IdM database involves making numerous updates, so if the read from the database takes X time, it is not the case that the update to IdM will take the same time. The same holds for other databases.



Long running Jobs 'Cookie Does not Match'



If a job runs for a long time it may abort with the error message "Cookie does not match", which means that the Identity Center does not have this job in its list of active jobs. When the runtime starts running an action task, it will "check out" the job from the Identity Center. While the job is running, the runtime will periodically signal the Identity Center that it's still active and running. At this point the Identity Center can return a status code to force the job to stop running, in which case the runtime will do a controlled exit. Such an issue may arise, for example, when you are running an initial load from an ABAP system that has many ABAP roles and profiles: it can take some time to read all of these into IdM and this action can time out.


There are 2 timeouts for running jobs, the "Start timeout" and the "Idle timeout". The values are configured in the MMC, on the Identity Center node, in the "Options" panel:


The "Start timeout" is the maximum time allowed from the job starts running, until it has processed the first entry.


The "Idle timeout" is the maximum time allowed between each time the runtime signals the Identity Center that it's still active and running.


To try and resolve this, the settings below should be considered:



1. The Idle timeout has to be large enough to handle the maximum system load, when there can be a large number of queued jobs.

2. The Start timeout has to be larger than the time it takes to initialize the connector plus the time it takes to process the first entry.

3. The Execution timeout has to be larger than the maximum time spent processing one entry.


These are just some small steps that can fix issues that cause severe impact on the running of the IdM application in your organization. I'd welcome any other hints other people have learned over the years of working with IdM ;-)



Best of Luck



Are you bored of removing the "Copy of" prefixes after you have copied Identity Center drawers with huge content?


The SQL statements below are a quick way.





```sql
use mxmc_db

update mc_Group
set Group_Name = right(Group_Name, len(Group_Name) - 8)
where Group_Name like 'Copy of %'

update MXP_Tasks
set Taskname = right(Taskname, len(Taskname) - 8)
where Taskname like 'Copy of %'

update MC_Jobs
set name = right(name, len(name) - 8)
where name like 'Copy of %'
```


The statements work on SAP IdM 7.1 and 7.2. I am not sure about SAP IdM 8.0.

Jai Suryan


Posted by Jai Suryan Jul 9, 2015

Recently I have been working on IDM 7.2 - AD integration, so I thought I would share some information on uLDAPGetEntry() that might help someone who is doing AD integration.


As we know, the AD connector is not as smart as the SAP connectors. IDM will set the status to "Failed" if it tries to create a user or assign access when the user/assignment already exists in AD. So, I was implementing a solution where IDM checks if the user already exists in AD: if so, do nothing (the status will be set to 'OK'); if not, create the user.


I was using uLDAPGetEntry() to check if the user exists. Contradicting the help documentation, uLDAPGetEntry did not return "NULL" if the user is not found. It returned an error as below:




ERROR - {err_category=ERROR, err_where=uLDAPGetEntry(ldaps://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)), err_exception=javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:'OU=Users,OU=X ,DC=XDev,DC=com,DC=au']; remaining name ''}



Hence my script kept failing, as I was checking for a NULL value. SAP needs to update the code of the uLDAPGetEntry() user function or update the help documentation. I do not have authorization to raise an incident with SAP, so I am posting here. Hope someone from SAP takes note of this.


Also, I was using an LDAP URL,



and I kept getting the error below:

javax.naming.ServiceUnavailableException: XXX:636; socket closed..



After some Googling, I figured out that I should use an LDAPS URL as below,




It would be nice if SAP added a note about using an LDAPS URL instead of an LDAP URL to establish a secure connection while using uLDAPGetEntry.


Hope it helps someone.
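As an added example (not from the original post), here is how the "does the user already exist?" check can interpret what uLDAPGetEntry() hands back, so that a real lookup failure is never mistaken for "user missing". The shape of the error record is an assumption taken only from the output quoted in the post; the sample strings are constructed from it.

```javascript
// Added example, not part of the original post. Plain ES5 (var/function) so it
// runs in the IdM script engine and in Node.js.
// ASSUMPTION (from the quoted output, not from SAP documentation): a failed
// uLDAPGetEntry() call returns a string of the form
// "ERROR - {err_category=ERROR, err_where=..., err_exception=<Java exception>}".

var LOOKUP_FOUND = "found";
var LOOKUP_NOT_FOUND = "not_found";
var LOOKUP_ERROR = "error";

function classifyLdapLookup(result) {
  // Documented behaviour: null (or an empty string) when nothing matched.
  if (result === null || result === undefined || result === "") {
    return LOOKUP_NOT_FOUND;
  }
  var text = String(result);
  if (text.indexOf("err_category=ERROR") === -1) {
    // Not an error record, so this is the entry itself.
    return LOOKUP_FOUND;
  }
  // Observed behaviour: a missing entry comes back as an error record carrying
  // LDAP result code 32 (noSuchObject) / javax.naming.NameNotFoundException.
  if (/NameNotFoundException/.test(text) || /LDAP: error code 32\b/.test(text)) {
    return LOOKUP_NOT_FOUND;
  }
  // Everything else (socket closed, wrong scheme or port, bind problems) is a
  // failed lookup, not evidence that the user is absent.
  return LOOKUP_ERROR;
}

// The post's rule with the failure case made explicit: exists -> do nothing
// (status OK), absent -> create, lookup failed -> abort instead of creating a
// duplicate or hiding an outage behind "user does not exist".
function decideCreateAction(lookupResult) {
  var state = classifyLdapLookup(lookupResult);
  if (state === LOOKUP_FOUND) { return "skip"; }
  if (state === LOOKUP_NOT_FOUND) { return "create"; }
  return "abort";
}

// Constructed samples modelled on the two messages quoted in the post
// (host name replaced by a placeholder).
var SAMPLE_NOT_FOUND = "ERROR - {err_category=ERROR, err_where=uLDAPGetEntry(" +
  "ldaps://host:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)), " +
  "err_exception=javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: " +
  "DSID-0310020A, problem 2001 (NO_OBJECT), data 0]; remaining name ''}";
var SAMPLE_SOCKET_CLOSED = "ERROR - {err_category=ERROR, err_where=uLDAPGetEntry(" +
  "ldap://host:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)), " +
  "err_exception=javax.naming.ServiceUnavailableException: host:636; socket closed}";
var SAMPLE_ENTRY = "cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au";
```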




Hello all,

Here are some useful tips when trying to install IDM on AIX/DB2 combinations.

The following comes from testing with AIX 7.1 and DB2 10.5.


1) Sudo is needed on AIX in order to complete a proper installation.


2) The user that is used should be a member of the sudoers (db2inst1 should be a sudoer).


3) If you get an error like “^M: not found”, make sure you haven’t touched any files and all encodings are in UNIX/Linux format.


4) "DB2INSTANCE has not been set. Perhaps you are running as wrong user." - no DB schema: set your default instance, for example “export DB2INSTANCE=db2inst1”, and also place it permanently in the environment (set the PATH in the /home/user/ environment with the path to the db2start location).


5) EFS framework not installed - install this component, usually with the command “efsenable -a” (as root).


6) SQL0104N An unexpected token "IC_db" was found following "<identifier>". Have in mind that the prefix of your DB should be in lowercase letters and only 2 characters long.


7) Make sure you have enough space on the drive where you are doing the installation.


8) DB250101E: The command syntax is invalid. An unexpected token '' was found following '='. Expected values include: '<text>' - This problem is fixed with DB2 APAR IT06188, which is part of DB2 V10.5 FP5SAP2.


9) ./mxmc-install.sh[90]: syntax error at line 25 : `elif' unexpected - possible encoding issues.


10) STORAGEPATH must be set in include.sql.


11) DB2 does not support user names longer than 8 characters; in effect you must restrict your prefix to a maximum of 2 characters ($prefix+_admin).


12) if [ ${MC_PREFIX} -gt 2 ] ; then - REMOVE # from prefix


Hope this is useful.


Recently we received from the community the idea to create downloadable documentation: https://ideas.sap.com/D26309

It is now available in two flavors:

  • PDF documents for each guide, so that:
    • you can have it offline
    • it is more usable when you want to search inside it. I find this valuable: when I need some information, the first place to search is the Configuration guide.
  • the whole online content as a downloadable DVD

Check out http://help.sap.com/nwidm80/ to find both versions.

Thanks to Ivelina Kiryakova and Valentina Ivanova

If you want to set user attributes based on your role model, then attribute privileges may be for you. For instance, you want to set the ABAP user group automatically for all members of a role, or you plan to deactivate the password for some roles. In fact, every attribute of the MX_PERSON object can be manipulated by attribute privileges.


This tutorial shows how to implement attribute privileges. It is based on SAP Identity Management 7.2. If you need help for implementing the tasks on IdM 7.1 contact me.


I assume you know how to use the identity center, i.e. how to create tasks and attributes, etc..  Some scripting is needed as well.


The following steps give an overview of the things to be done:

  1. Create two attributes for the entry type MX_PRIVILEGE: one for the attribute name and one for the attribute value.
  2. Create an add member task, which sets the attribute for a user when the privilege is assigned, and a del member task, which removes the attribute when the user has lost the privilege.
  3. Create a user interface task for creating attribute privileges in a comfortable way.

1. Adding attributes to the privilege entry type


In your master identity store add a general text attribute Z_PRIV_AUTO_ATTRIBUTE:

  • Entry types tab: link it to MX_PRIVILEGE
  • Presentation tab: use SingleSelect
  • Attribute values tab: select SQL query and enter the statement
    SELECT DISTINCT attrname FROM MXI_Attributes where is_id=1


The attribute Z_PRIV_AUTO_ATTRIBUTE will contain the name of the attribute to be manipulated. The SQL statement  offers all existing attribute names in your master identity store (check the correct is_id).


Add one more general text attribute, Z_PRIV_AUTO_VALUE:

  • Entry types tab: link it to MX_PRIVILEGE
  • Presentation tab: use SingleLine


The attribute Z_PRIV_AUTO_VALUE will contain the value of the attribute to be manipulated.


If you check the entry type MX_PRIVILEGE you will find both added attributes:



2. Adding the AddMember and DelMember tasks


Now it is time for the core mechanism of the attribute privileges. Add two ordered task groups to your provisioning framework. I use my own sub folders 'Entry Type Tasks' -> 'MX_PRIVILEGE'. Name them 'Add Attribute Privilege' and 'Remove Attribute Privilege'. Note the task ids, as we will need them later.


To both tasks add a 'To Generic' pass.



The tasks will work on pending value objects, which hold the information of the user and the assigned attribute privilege.


On the Destination tab of the 'To Generic' pass enter two parameters, one for the user mskey and one for the attribute privilege mskey:




Note: for IdM 7.1 unfortunately you need to check if a user has assigned a privilege or a privilege has got a new member, as the pending value attributes are inverted.


For the Add Attribute Privilege pass, now enter a new local script under 'Next data entry' called 'z_setPrivilegeAttribute' and press edit. Here is the source code:


```javascript
function z_setPrivilegeAttribute(Par) {
  var mskey = Par.get("MSKEY");
  var priv = Par.get("PRIV");
  // get the attribute name stored on the attribute privilege
  var sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_ATTRIBUTE'";
  var attrname = uSelect(sql);
  if (attrname == null || attrname == "") {
    var msg = "z_setPrivilegeAttribute: Attr Z_PRIV_AUTO_ATTRIBUTE missing for priv=" + priv;
    uSkip(2, 2, msg);
    return; // uSkip only flags the entry; stop so the lookups below do not run with an empty name
  }
  // get the attribute value stored on the attribute privilege
  sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_VALUE'";
  var value = uSelect(sql);
  if (value == null || value == "") {
    msg = "z_setPrivilegeAttribute: Attr Z_PRIV_AUTO_VALUE missing for priv=" + priv;
    uSkip(2, 2, msg);
    return;
  }
  // get the user's current value of that attribute (only a match on the same value is relevant)
  sql = "select aValue from idmv_value_basic_active where mskey=" + mskey +
        " and attrname='" + attrname + "' and searchvalue='" + value + "'";
  var currentValue = uSelect(sql);
  if (currentValue == null || currentValue == "") {
    // set the attribute on the user
    uIS_SetValue(mskey, 1, attrname, value, "ATTRIBUTE PRIVILEGE", 0);
  } else {
    uWarning("z_setPrivilegeAttribute: nothing to be done for user " + mskey + " " + attrname + "=" + value + ".");
  }
}
```

The script reads the attribute name and value from the attribute privilege and compares it to the current value of the user. If it is not the same or missing the script sets the attribute accordingly.


For the Remove Attribute Privilege pass you do the same as above, except with a different name for the script, 'z_removePrivilegeAttribute'. The source code looks similar:


```javascript
function z_removePrivilegeAttribute(Par) {
  var mskey = Par.get("MSKEY");
  var priv = Par.get("PRIV");
  // get the attribute name stored on the attribute privilege
  var sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_ATTRIBUTE'";
  var attrname = uSelect(sql);
  if (attrname == null || attrname == "") {
    uError("z_removePrivilegeAttribute: Attr Z_PRIV_AUTO_ATTRIBUTE missing for priv=" + priv);
    return; // uError only logs; stop so nothing is removed with an empty attribute name
  }
  // get the attribute value stored on the attribute privilege
  sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_VALUE'";
  var value = uSelect(sql);
  if (value == null || value == "") {
    uError("z_removePrivilegeAttribute: Attr Z_PRIV_AUTO_VALUE missing for priv=" + priv);
    return;
  }
  // get the user's current value of that attribute, matching on the privilege's value
  sql = "select aValue from idmv_value_basic_active where mskey=" + mskey +
        " and attrname='" + attrname + "' and searchvalue='" + value + "'";
  var currentValue = uSelect(sql);
  if (currentValue != null && currentValue != "") {
    // remove exactly this value from the user (modify operation 2 = delete value)
    uIS_SetValue(mskey, 1, attrname, value, "", 2);
  } else {
    uWarning("z_removePrivilegeAttribute: user " + mskey + " attribute " + attrname + "=" + value + " not found.");
  }
}
```

The script only removes the attribute from the user if the user has the attribute with exactly the same value as the attribute privilege.
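Both scripts above splice the privilege's MSKEY, attribute name and attribute value straight into SQL text; the mskeys come from IdM, but Z_PRIV_AUTO_ATTRIBUTE and Z_PRIV_AUTO_VALUE are typed by whoever creates the privilege in the UI task, so a stray quote breaks the query or changes its meaning. As an added example (not from the tutorial), here are input checks you can call before building the "current value" query; the allow-list parameter and the regular expression for attribute names are assumptions.

```javascript
// Added example, not part of the tutorial. Plain ES5 (var/function) so it runs
// in the IdM script engine and in Node.js. View name idmv_value_basic_active
// is the one the tutorial's scripts query.

// ASSUMPTION: IdM attribute names are upper-case identifiers such as
// Z_PASSWORD_ENABLED_IT0, so anything else is rejected outright.
var ATTRNAME_RE = /^[A-Z][A-Z0-9_]{0,63}$/;

// An mskey is a positive integer; "12 or 1=1" or "" must never reach the SQL.
function isValidMskey(mskey) {
  return /^[0-9]+$/.test(String(mskey));
}

// Optional allow-list (assumed parameter): pass the names that the SingleSelect
// of Z_PRIV_AUTO_ATTRIBUTE offers (SELECT DISTINCT attrname FROM MXI_Attributes
// WHERE is_id=1), or a shorter list of the attributes you are willing to let a
// privilege write. Without a list only the syntax is checked.
function isValidAttrName(attrname, allowedNames) {
  if (typeof attrname !== "string" || !ATTRNAME_RE.test(attrname)) {
    return false;
  }
  return !allowedNames || allowedNames.indexOf(attrname) !== -1;
}

// Quote a value as a SQL string literal. Doubling the single quote is the only
// escape a varchar literal needs on SQL Server, Oracle and DB2.
function sqlLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Build the "current value" query both scripts pass to uSelect(), or throw if
// any part is unsafe. Throwing is the right outcome: an attribute privilege with
// a malformed name or value should never get as far as uIS_SetValue.
function buildCurrentValueQuery(mskey, attrname, value, allowedNames) {
  if (!isValidMskey(mskey)) {
    throw new Error("invalid MSKEY: " + mskey);
  }
  if (!isValidAttrName(attrname, allowedNames)) {
    throw new Error("attribute not allowed for attribute privileges: " + attrname);
  }
  if (value === null || value === undefined || String(value) === "") {
    throw new Error("empty Z_PRIV_AUTO_VALUE");
  }
  return "select aValue from idmv_value_basic_active where mskey=" + Number(mskey) +
    " and attrname=" + sqlLiteral(attrname) +
    " and searchvalue=" + sqlLiteral(value);
}
```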



3. Adding a User Interface Task for creating attribute Privileges


In your user interface folder create a new ordered task 'new attribute privilege'. Insert a 'To Identity Store' pass.



The ordered task group is turned into a UI task by simply marking the 'UI task' check box on the Options tab.



Now, it is possible to configure the Attributes tab. Select 'MX_PRIVILEGE' for entry type and mark 'This task creates a new entry'. For the visible attributes select  Z_PRIV_AUTO_ATTRIBUTE and  Z_PRIV_AUTO_VALUE and make them mandatory. Add more attributes to show, if you like.




Down in the 'To Identity Store' pass you configure the pass so that it automatically adds the add member and del member tasks to the new privilege. For this, at least these lines are needed:

  • MX_ADD_MEMBER_TASK = (enter the task id of your Add Attribute Privilege task group)
  • MX_DEL_MEMBER_TASK = (enter the task id of your Remove Attribute Privilege task group)


Enter some more default settings if needed.



I do not explain how to make a fancy design or how to administer the access control list of the UI task. You already know it or you will find out. Finally, it may look like this example:



Here I use the attribute privilege to enable password access for an SAP back-end IT0. Every member of this privilege has the attribute Z_PASSWORD_ENABLED_IT0=1 set, which allows password access.


Be creative with your new possibilities in your role model!


This is a video tutorial showing a basic example of how to use SAP Identity Management 8.0, and more specifically how to synchronize and manage user data provided by two different data sources. They can be exported from your SAP or non-SAP system. For this example, we use a TXT file containing the user IDs and e-mails of the users, and the second data source is a database table containing further information about the same users.



Target group


The video shows a simple, understandable and easy to execute example. It is meant for users who need an introduction to basic synchronization operations in SAP Identity Management.


Purpose of the video


Along with the introduction to the basic synchronization operations, you will get knowledge of the Eclipse-based development environment in SAP Identity Management 8.0 and the new package concept.




Using SAP Identity Management 8.0, we import the information from the file email.txt and the database table HR_Sample into the identity store of the SAP Identity Management 8.0 system. The information from both data sources is merged and uploaded to the identity store.




As a result, the information from both data sources is synchronized and transferred to the identity store of an SAP Identity Management system.

