
provisioning of roles to ABAP system deletes role assignments in backend

Former Member
0 Kudos

Hi all,

following scenario:

user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.

Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.

What will happen is that the user will get role B but assignment of role A will be deleted.

This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist of the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.

This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.

My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.

Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.

I hope I was able to describe my problem properly and you have answers...

Best regards

Jörn Kaplan

Accepted Solutions (0)

Answers (1)

Answers (1)

Frank_Buchholz
Product and Topic Expert
0 Kudos

No, there is not a way to avoid that IdM replaces the role assignment in ABAP with the current assignments as known by IdM. IdM is the master!

This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role assignment".

However, there exists an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (These role assignments are viewed in blue in transaction SU01.)

See http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.

Kind regards

Frank Buchholz

Former Member
0 Kudos

Hello Frank,

thanks for your answer. As you can imagine this is not the answer I would have liked to hear.

So I have to find a way that the user is always up to date before you try to assign a role through IDM.

Do you know if it is possible to read specific users from the ABAP system with the ABAP connector? Can I filter which user I want to read? If yes I could read the user before I write the new assignment. I tried to set a Filter in the source parameters in the FromSAP pass but this somehow did not work.

I have some other ideas to handle this issue but this would be one of the best solutions.

Thanks and best regards

Jörn Kaplan
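
The lost assignment described in this thread, and the read-before-write idea from the last post, as an added example that is not part of the original posts and is not SAP IdM or BAPI code. The `AbapBackend` class, the `provision` and `scenario` functions, the user `JDOE` and the role names are constructed stand-ins that only model the "replace all role assignments" behaviour.

```python
"""Constructed model of replace-all role provisioning (not SAP code)."""


class AbapBackend:
    """Stand-in for an ABAP system whose only write call replaces all direct roles."""

    def __init__(self):
        self.direct = {}   # user -> roles assigned directly in the backend
        self.hr_org = {}   # user -> indirect (HR-ORG) roles, never touched by provisioning

    def read_roles(self, user):
        return set(self.direct.get(user, set()))

    def replace_all_roles(self, user, roles):
        # Models "replace all role assignments": there is no add or remove call.
        self.direct[user] = set(roles)


def provision(backend, ids, user, new_role, read_before_write=False):
    """Assign new_role via workflow; return the direct roles the backend lost."""
    if read_before_write:
        # Pull backend-only assignments into the identity store first.
        ids.setdefault(user, set()).update(backend.read_roles(user))
    ids.setdefault(user, set()).add(new_role)
    before = backend.read_roles(user)
    backend.replace_all_roles(user, ids[user])
    return before - backend.read_roles(user)


def scenario(read_before_write):
    """Role A exists only in the backend; role B arrives via workflow."""
    backend, ids = AbapBackend(), {}
    backend.direct["JDOE"] = {"ROLE_A"}    # constructed: not yet synced to the IDS
    backend.hr_org["JDOE"] = {"ROLE_HR"}   # constructed: indirect assignment
    lost = provision(backend, ids, "JDOE", "ROLE_B", read_before_write)
    return lost, backend.read_roles("JDOE"), backend.hr_org["JDOE"]


if __name__ == "__main__":
    for flag in (False, True):
        lost, direct, indirect = scenario(flag)
        print(f"read_before_write={flag}: lost={sorted(lost)} "
              f"direct={sorted(direct)} indirect={sorted(indirect)}")
```

Reading the user first only narrows the window: an assignment made in the backend between the read and the replace call is still overwritten. A non-empty `lost` set is the value worth logging or alerting on when backend assignments are still permitted.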