
SAP Identity Management


There is a security track which covers SAP’s security products as well as standard security features, capabilities, and recommendations. It includes sessions on the SAP Cloud Identity service, our new single sign-on offering for the cloud, as well as our extensive SAP Single Sign-On solution for your on-premise landscapes. In addition, we will show how to detect and prevent attacks with SAP Enterprise Threat Detection, and improve the quality of your custom code with our add-on solution for code vulnerability analysis. SAP Identity Management and SAP Access Control offer a combined solution for compliant identity administration across heterogeneous environments. These products are complemented by comprehensive capabilities for authorization, encryption, read access logging, and configuration options for detailed security policies.

Register for SAP TechEd 2015 at the following locations:


Here is a list of related sessions from which you can choose:

SEC101 - Best Practices for IAM Across Cloud and On-Premise Solutions

SEC106 - The Cloud Solution for Authentication, Single Sign-On and User Management

SEC163 - Single Sign-On for Cloud Applications with SAP Cloud Identity Service - 2h hands-on

SEC201 - What's new with IDM 8.0

SEC261 - Experience New Features in SAP Identity Management 8.0 - 2h hands-on

SEC262 - SAP Runs SAP – How to Upgrade to SAP Identity Management 8.0 - 2h hands-on

SEC263 - Risk-Based Authentication for SAP Fiori and SAP Portal - 2h hands-on

TEC102 - Security Strategy Overview


We would be happy to meet with people from the community and exchange thoughts.

Here is an easy way to maintain users' UI access (display/edit/create access control).

  1. Create a custom privilege for the UI Display tasks and the UI Edit tasks:
    • PRIV:ROLE:TestUI_Edit
    • PRIV:ROLE:TestUI_Display

Note: for each UI task (display/edit/create) add the needed privilege.

  2. Create a custom job to maintain the users' access:
    • You can use a CSV file; based on this file you grant the needed access (PRIV:ROLE:TestUI_Display / PRIV:ROLE:TestUI_Edit) to the users.
    • A first FromASCII file pass reads the CSV file and fills a custom table.
    • A second To Identity Store pass updates the users.



Hope you like it

Simona Lincheva

Hi community,


As you know, it is possible to enter a validity based on a date when assigning roles and privileges through the SAP Identity Management UI. With this, the assignments will, for example, be valid from the beginning of the day.


But it is also possible to assign roles and privileges on a finer-grained basis with a timestamp. You are able to supply hour and minute and, if you want to push it further, also seconds and millis.


In a To Identity Store pass, select Entry Type MX_PERSON and add the following lines in order to assign a role on 2015/08/21 at 18:15 (6:15 pm).






You could also use the following timestamp to supply millis, but I do not think you need that.



Same is true for the VALIDFROM link attribute.


Cheers, Jannis

We are ready with our next release, SAP Identity Management 8.0 SP1.

The essential new features in this release are:

  • SAP Identity Management now supports the SAP Adaptive Server Enterprise (ASE) database system
  • New Java-based IBM Lotus Domino connector
  • The Developer Studio Eclipse plug-in is supported on Mac OS X and Linux
  • Improved privilege grouping concept
  • Some improvements to the UI based on customers' feedback
  • Enhanced SuccessFactors connector

After receiving a lot of feedback and requests from customers, SAP Identity Management now runs on an SAP database, the SAP Adaptive Server Enterprise (ASE) database system. This gives our customers simplified licensing and an optimized cost of ownership for their SAP solutions.

The new Java-based IBM Lotus Domino connector addresses the needs of a larger customer group and runs on any platform that Java runs on. The connector is delivered as a separate package in the Provisioning framework for SAP Identity Management 8.0. To familiarize yourself with the set of supported scenarios and prerequisites, see the SAP Identity Management Connector Overview and the respective documentation.

To further expand the platform coverage of SAP Identity Management 8.0 with SP1, the Developer Studio Eclipse plug-in is supported on Mac OS X and Linux.

With the improved integration between SAP Identity Management and GRC Access Control, the privilege grouping concept now lets SAP Identity Management trigger the assignment of a business role or a GRC request only after the business role and its children have been evaluated by the dispatcher and the privileges have been grouped into one group. This ensures that the whole content of the business role (its privileges) is sent to the target (GRC AC) system together.


Based on input from several customers, we made several enhancements to the UIs of Identity Management 7.2 SP10 and 8.0 SP1:

  • Added configurability and improved the layout of the Assignment Details dialog
  • The To Do tab now shows the display name instead of the operation name
  • Improved usability of the Manage tab and made the number of favorites configurable
  • Some usability improvements for assignments


The SuccessFactors connector now supports writing the username and email attributes back to SuccessFactors Employee Central, as they are normally generated outside that system.


In parallel, we also improved the upgrade experience from 7.2 SP9 to 8.0 and 8.0 SP1.

Slides about What's New in 8.0 SP1 are available here: https://scn.sap.com/docs/DOC-65925

This tool provides an option to manage external users, which are neither HR-relevant nor in any other way connected to the source systems currently used within IdM.

The logic can be separated into three parts:

  • SAP WD UI - for managing the external users' information
  • Back-end logic for UI search and validations
  • SAP IdM logic (after the external users are created/changed, the master data is updated in IdM and provisioned to the back-end systems)

1. WD UI - External users UI:


Note: for the case where the HR system can't be used to manage the users' source information.

2. Tool functionalities:

  • Complex search criteria to find exactly the people you are looking for.
  • A mechanism for storing new users in IdM if the system is currently busy processing other tasks with higher priority.
  • Easily extendable and transparent to maintain.
  • Auto-generation of user IDs (following a certain logic).
  • Permission-based access to certain functions.

3. IdM customizations:

  • custom UI tasks for the REST calls
      • UI task for Create
      • UI task for Edit
      • UI task for Display
  • custom repository for managing the users


Note: as there is no back-end system, we only need the Master privilege to trigger the needed workflow in IdM.

  • custom job - managing the auto generation of user IDs

Note: on the initial load of the users, the custom table should be updated accordingly (as it is used for the auto-generation of the user IDs).

Hope you like it

Simona Lincheva

As all may know, managing Business Roles in IdM is not an easy thing to do, especially if the client wants to update them each month or week for business reasons. In that case we have to provide an easy way for them not only to update the BRs, but also to update the users' access accordingly and to keep some trace of the changes made.

The first thing that comes to mind is something like this: How to do mass population of a Business Roles with privileges using txt file. But there we are more or less restricted, and we don't have any real information about the changes we made or any validations for the BRs.

So we decided to extend the standard IdM functionality by creating a custom tool for managing the BRs - Authorization Matrix.

The Authorization Matrix allows you to control the BRs within IdM. This tool provides validation rules, easy roll-back to a previous version, and automatic update of user access after a BR modification. IdM processes the submitted Matrix and updates the changed business roles; after that the users' access is updated according to the new Matrix, and the back-end systems are updated.

1. First we separated the logic into three parts:

  • SAPUI5/WD UIs with validation rules
  • Back-end logic for UI validations (access validations, custom tables for managing the data)
  • SAP IdM logic (processing the submitted matrix and updating the user access, creating automatic requests for history review of the user access, with a custom Entry Type for the Matrix)

Note: more than one upload can be executed by a number of users, as we have implemented a custom queue for managing the submitted matrices.

2. SAPUI5 UI - Authorization Matrix:

    • main UI:


    • the rest of the UIs:


3. WD UI - Authorization Matrix:


Note: not only can we monitor the changes directly from IdM, but we can also load a previous version of the Matrix and from there check the changes or re-submit the old version.

4. IdM customizations:

  • custom Entry Type _Matrix
  • custom job - managing the submitted matrix and the queue (more than one matrix can be submitted)
  • custom IdM UI - displaying the requests created for the users (after the access is changed)
  • custom JavaScripts managing the logic
  • custom UI tasks for the Matrix

Hope you like it

Simona Lincheva

Here is a way to make the IdM notification process more flexible and easier to work with.

1. First we separated the logic into two parts:

  • SAP IdM custom table for storing the notifications (receivers, text, subject...)
  • SAP IdM logic (custom Entry Type with some JavaScript/Java logic for managing the notification process and customer logic)


2. IdM custom entry type:

3. IdM tasks for sending the created notifications:

4. An IdM custom table is created for the notifications, where all of the e-mail information is stored (subject, To, CC, text, country...). When a new location/notification is needed, the table can be updated with the new e-mail notifications from a simple .csv file:

Note: the final notification (example):

E-mail can be sent for:

  • A specific action (create/terminate/position change/manager change/on error...)
  • A specific country (all local languages are supported)
  • Depending on the notification, a specific To/CC is set

Overview: a custom entry type used to send e-mail notifications, which allows:

  • Easy maintenance (if needed, all notifications can be modified and new ones are easily added) with a simple .csv file
  • Flexibility:
    - each subject and body of the e-mail can be specific
    - all languages are supported (for each e-mail a subject/text in a default and a native language can be sent)
    - for each of the needed actions a different e-mail can be sent
    - To/CC depends on the settings in the notification table (specific To/CC)
    - in any case of error an e-mail can be sent

Note: link to the updated version - SAP IdM Custom Add-on for Notifications management - on WD&SAPUI5

Hope you like it

Simona Lincheva

This tool can be used as a replacement for otherwise time-consuming actions like:

    • mass assign/unassign of user access
    • mass lock/unlock of users
    • partially terminating users across the systems (removing access only from one or two of the available systems)

Note: with input data validations.

For example: we have 100 users and we want to assign 10 SAP roles to each of them. Doing so via the standard IdM UI takes a very long time and is tedious, but the same case takes only a couple of minutes using the Mass Upload UI.

The logic can be separated into three parts:

  • SAP WD UI - for exporting/importing the data (using csv files)
  • Back-end logic for UI validations (user and access validations)
  • SAP IdM logic (after the mass upload is submitted, custom requests are created in IdM for each user/system)

Note: more than one upload can be executed by a number of users, as we have implemented a custom queue for managing the created mass uploads.


1. WD UI - Mass Upload UI:


   1.1. Supported mass actions:

Add/Remove - roles/privileges

Add(create)/Remove(terminate) - users

Lock/Unlock - users

  1.2. UI supported operations:


Export template

Validate (only validates the data, without further actions)

Submit (internal validations )

Add single record

Delete multiple records

2. IdM customizations:

  • custom Entry Type _Mass_Upload
  • custom job - managing the submitted mass uploads and the queue (more than one mass upload can be submitted)
  • custom IdM UI - displaying the requests created for the users (after the access is changed)
  • custom JavaScripts managing the logic
  • custom UI tasks for the Mass Upload

Hope you like it

Simona Lincheva

In addition to the standard IdM functionality, we added this tool, which can run reports between all systems available in IdM and IdM itself; a report can also be made across two or more systems (depending on the customer's needs).

We started by separating the logic into two parts:

  • SAPUI5/IdM UI reports
  • SAP IdM logic (custom Entry Type with some JavaScript logic for managing the reports, and additional tasks/jobs for executing the report)

Note: no back-end is needed for this add-on (only standard REST calls directly to IdM).


1. A custom, user-friendly and easy-to-configure UI, enabling the end user to perform identity integrity checks across the systems.

    • Main UI
    • UI after selecting one of the generated reports
    • In the next step, detailed information can be seen if a user is selected from the generated report

2. The integrity check report can be executed a couple of times a day (depending on the customer's needs; this is a setting in the job responsible for generating the reports).


Hope you like it

Simona Lincheva


As we all know, the standard notification process in IdM is not very flexible.

In order to have an easier way for our customers to manage the standard SAP IdM notification process, we have developed a custom add-on for IdM notifications. So here is what this add-on provides:

    • User friendly UIs for SAP IdM notification management
    • Easy UI capabilities for notification update
    • Import/export of notifications
    • UI data validations

1. First we started by separating the logic in three parts:

  • SAPUI5/WD IdM notification administration UI / back-end validations
  • SAP IdM logic (custom Notification repository with some JavaScript/Java logic for managing the notification process and customer logic)
  • User notifications


2. The UIs:

     2.1. SAPUI5 Notification UIs:


    • Language/Organization UI:


    • Receiver UI:


    • Translation UI:


     2.2 SAP WD Notification UIs:




3. In addition, we have implemented an easier way for UI customization:

  • Additional validations can easily be added in the back-end, if needed
  • System data visible in the UIs, such as Repository, can easily be replaced by the system description (ACTIVE_DIRECTORY -> Sys: Active Directory), if needed
  • The systems visible in the UI can be predefined (if the customer does not want all systems shown in the Notification UI)
  • The IdM logic can easily be changed according to customer needs

Note: here is a link to a simpler version - SAP IdM Custom Add-on for Notifications management - based on custom table


Hope you like it

Simona Lincheva

It has been about 7 years since SAP NW IdM 7.1 was released to customers, and since then many companies have used the product to benefit from centralized identity management to lower risk and manage user access: keeping operations running efficiently and affordably while protecting applications and data, providing user access according to current business roles, and managing passwords with self-service capabilities and approval workflows.



Following the product lifecycle, at a given point in time we will retire the product. At the end of the year (31.12.2015) we will reach the end of mainstream maintenance. To help you plan your future activities, I would like to notify you of that fact and also encourage you to get familiar with the new versions of SAP IdM.


There are a few publications that explain some of the capabilities of IdM 8.0:

SAP IdM 8.0 highlights

SAP IdM 8.0 developer studio Eclipse plug-in

SAP IdM 8.0 SuccessFactors connector

SAP IdM 8.0 documentation

SAP IdM 8.0 video – basic synchronization

SAP IdM 8.0 Installation and upgrade information

Often, searching for a solution to a problem in IdM means trying to find an old SCN thread or SAP Note. There is also an additional resource (set up by the IdM development team) for quickly finding solutions to common issues reported through SAP Service Marketplace: the

SAP Netweaver Identity Management Troubleshooting Guide


Currently it covers releases 7.1 and 7.2, but it is always evolving and will be updated with release 8.0 troubleshooting tips in time. As it is a wiki, anyone can add content that they feel will be helpful to other IdM administrators.

From working some time on IdM topics, here are some basic activities that can help the performance of the system if you are new to IdM.


The first good source of information is the 'SAP Netweaver Identity Management Solution Operation Guide' found at this link


Section 4.6 of this guide covers Analysing Statement Execution, for when you need to identify long-running SQL statements in the system. Via the IdM administration UI such statements can be traced based on a minimum runtime threshold.


For more detailed analysis of SQL statements see Per Krabsetsve's excellent blog at this link


Section '5.6.7 Rebuilding database indexes' advises:

With heavy usage of the system, the database indexes will become fragmented, which may decrease performance. For further information regarding fragmented indexes and rebuilding the indexes, please refer to the documentation for your database system.


Most often, if your system is suffering from this issue, you will see system-wide performance problems. The UI, jobs and tasks will all perform more slowly than normal, or in the most severe cases the system can come to a standstill. Keeping the indexes refreshed is essential, as much of the processing in the IdM application occurs at the database level.


Performance Issues in the UI


If you have a reference attribute assigned to a UI task and the task takes a long time to open, there may be an issue with loading all the reference attributes. In the MMC there is the option 'List Entries on Load', which can speed up the loading of the UI task until the root cause of the performance issue has been determined. When this checkbox is unchecked, the attributes are not loaded automatically in the UI; instead the user must search for them after the UI opens.

Secondly, complex access controls on UI tasks are a common cause of performance degradation in the UI. Check the SQL statement used in the access control and see if it can be refined in any way to make it faster.



Using NOLOCK on MSSQL queries


If you need to read a large dataset from an MSSQL database, the (nolock) hint should be used in the SQL statement, e.g.


select * from idmv_link_ext with (nolock) where ..........


Keep in mind that with (nolock) reads at the READ UNCOMMITTED isolation level: the query can return rows from transactions that are later rolled back, or miss or double-count rows that are being modified while it runs, so it suits reporting-style reads rather than reads whose result drives a provisioning decision.

In addition, remember that storing such data in the IdM database involves making numerous updates; therefore, if the read from the source database takes X time, it does not follow that the update to IdM will take the same time. The same holds for other databases.



Long-running jobs: 'Cookie does not match'



If a job runs for a long time it may abort with the error message "Cookie does not match", which means that the Identity Center does not have this job in its list of active jobs. When the runtime starts running an action task, it "checks out" the job from the Identity Center. While the job is running, the runtime periodically signals the Identity Center that it is still active and running. At this point the Identity Center can return a status code to force the job to stop running, in which case the runtime does a controlled exit. Such an issue may arise, for example, when you are running an initial load from an ABAP system that has many ABAP roles and profiles: it can take some time to read all of these into IdM and the action can time out.


There are two timeouts for running jobs, the "Start timeout" and the "Idle timeout". The values are configured in the MMC, on the Identity Center node, in the "Options" panel:


The "Start timeout" is the maximum time allowed from when the job starts running until it has processed the first entry.


The "Idle timeout" is the maximum time allowed between each signal from the runtime to the Identity Center that it is still active and running.


To try and resolve this, the settings below should be considered:



1. The Idle timeout has to be large enough to handle the maximum system load, when there can be a large number of queued jobs.

2. The Start timeout has to be larger than the time it takes to initialize the connector plus the time it takes to process the first entry.

3. The Execution timeout has to be larger than the maximum time spent processing one entry.


These are just some small steps that can fix issues which severely impact the running of the IdM application in your organization. I'd welcome any other hints other people have learned over the years of working with IdM ;-)



Best of Luck



Are you bored of removing the "Copy of" prefixes after you have copied Identity Center drawers with huge content?


The SQL statements below are a quick way to do it.





use mxmc_db

update mc_Group
set Group_Name = right(Group_Name, len(Group_Name)-8)
where Group_Name like 'Copy of %'

update MXP_Tasks
set Taskname = right(Taskname, len(Taskname)-8)
where Taskname like 'Copy of %'

update MC_Jobs
set name = right(name, len(name)-8)
where name like 'Copy of %'


The statements work on SAP IdM 7.1 and 7.2. I am not sure about SAP IdM 8.0.

Jai Suryan
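As an added example (not from the original post), here is the same clean-up written so that it can be previewed and rolled back: a dry run of the renames, a check for names that would collide with an existing row, and the updates inside a transaction. It assumes the table and column names the post gives for SAP IdM 7.1/7.2 (mc_Group.Group_Name, MXP_Tasks.Taskname, MC_Jobs.name in mxmc_db) on Microsoft SQL Server; whether drawer, task or job names must be unique in your installation is an assumption you need to verify, which is what the collision check is for.

```sql
-- Added example, not part of the original post. Table and column names are
-- the ones the post uses for SAP IdM 7.1/7.2 on Microsoft SQL Server (T-SQL);
-- whether they hold for 8.0 is not covered here.
USE mxmc_db;

-- 1. Dry run: list every prefixed name and what it would become.
--    LEN('Copy of ') = 8, which is why 8 characters are stripped.
SELECT 'mc_Group'  AS tbl, Group_Name AS old_name,
       RIGHT(Group_Name, LEN(Group_Name) - 8) AS new_name
FROM   mc_Group  WHERE Group_Name LIKE 'Copy of %'
UNION ALL
SELECT 'MXP_Tasks', Taskname, RIGHT(Taskname, LEN(Taskname) - 8)
FROM   MXP_Tasks WHERE Taskname LIKE 'Copy of %'
UNION ALL
SELECT 'MC_Jobs',   name,     RIGHT(name, LEN(name) - 8)
FROM   MC_Jobs   WHERE name LIKE 'Copy of %';

-- 2. Collision check (shown for mc_Group; repeat for the other two tables):
--    a stripped name that already exists on another row, i.e. the original
--    "X" sitting next to "Copy of X", would end up as a duplicate name.
--    Resolve these by hand before running the update.
SELECT c.Group_Name AS would_rename_to_existing
FROM   mc_Group c
JOIN   mc_Group o ON o.Group_Name = RIGHT(c.Group_Name, LEN(c.Group_Name) - 8)
WHERE  c.Group_Name LIKE 'Copy of %';

-- 3. Rename inside a transaction. The WHILE loop also handles a copy of a
--    copy ("Copy of Copy of X"), which a single pass leaves half-done; each
--    pass shortens the names, so the loop terminates.
BEGIN TRANSACTION;

WHILE EXISTS (SELECT 1 FROM mc_Group WHERE Group_Name LIKE 'Copy of %')
    UPDATE mc_Group
    SET    Group_Name = RIGHT(Group_Name, LEN(Group_Name) - 8)
    WHERE  Group_Name LIKE 'Copy of %';

WHILE EXISTS (SELECT 1 FROM MXP_Tasks WHERE Taskname LIKE 'Copy of %')
    UPDATE MXP_Tasks
    SET    Taskname = RIGHT(Taskname, LEN(Taskname) - 8)
    WHERE  Taskname LIKE 'Copy of %';

WHILE EXISTS (SELECT 1 FROM MC_Jobs WHERE name LIKE 'Copy of %')
    UPDATE MC_Jobs
    SET    name = RIGHT(name, LEN(name) - 8)
    WHERE  name LIKE 'Copy of %';

-- 4. Verify that nothing prefixed is left, then decide.
SELECT (SELECT COUNT(*) FROM mc_Group  WHERE Group_Name LIKE 'Copy of %')
     + (SELECT COUNT(*) FROM MXP_Tasks WHERE Taskname   LIKE 'Copy of %')
     + (SELECT COUNT(*) FROM MC_Jobs   WHERE name       LIKE 'Copy of %')
     AS still_prefixed;   -- expected: 0

-- COMMIT TRANSACTION;    -- when the checks above look right
-- ROLLBACK TRANSACTION;  -- otherwise
```

Run sections 1 and 2 first and look at the output; only then run the transaction, and finish it with an explicit COMMIT or ROLLBACK rather than leaving it open, since an open transaction keeps locks on these configuration tables and can stall the Identity Center until it is closed.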


Posted by Jai Suryan Jul 9, 2015

Recently I have been working on IDM 7.2 - AD integration, so I thought I would share some information on uLDAPGetEntry() that might help someone who is doing AD integration.


As we know, the AD connector is not as smart as the SAP connectors. IDM sets the status to "Failed" if it tries to create/assign access to users when the user/assignment already exists in AD. So I was implementing a solution where IDM checks whether the user already exists in AD; if so, it does nothing (the status is set to 'OK'), and if not, it creates the user.


I was using uLDAPGetEntry() to check if the user exists. Contradicting the help documentation, uLDAPGetEntry did not return "NULL" when the user was not found. It returned an error as below:




ERROR - {err_category=ERROR, err_where=uLDAPGetEntry(ldaps://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)), err_exception=javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:'OU=Users,OU=X ,DC=XDev,DC=com,DC=au']; remaining name ''}



Hence my script kept failing, as I was checking for a NULL value. SAP needs to update the code of the uLDAPGetEntry() user function or update the help documentation. I do not have authorization to raise an incident with SAP, so I am posting here. Hope someone from SAP takes note of this.


Also, I was using an LDAP URL,



and I kept getting the error below.

javax.naming.ServiceUnavailableException: XXX:636; socket closed..



After some Googling, I figured out that I should use an LDAPS URL as below,




It would be nice if SAP added a note about using an LDAPS URL instead of an LDAP URL to establish a secure connection when using uLDAPGetEntry.


Hope it helps someone.




