on 08-01-2013 7:33 AM
I've applied Peter Wass's solution to fix this well-known issue, but the imported roles are still removed.
I checked twice, but I don't understand what I did wrong.
So, here are the steps I performed :
1. I've connected a new SAP repository to IDM
2. I've changed the Jscript sap_abap_getNameOfAssignedPendingPrivileges
3. I've modified the Pass : WriteABAPUsersProfilePrivilegeAssigments
4. I've done the initial load for this new repository
When finished, I went to idm web ui, added a role to an existing user and I got the same problem as before.
What did I miss ?
Thx,
Nicolas.
Hi Nicolas
Did you see my update? Reconciliation also kills it - I had to modify the SQL to take into account that reconciliation rewrites the ProcessInfo to Reconcile and thus kills my fix.
Also - make sure that there is nothing after the '/' on each line - your SQL looks like you have a '/' in the middle of the first line
Hope that helps.
Peter
Hi Peter,
Thx for the follow up.
I've removed the spaces after the "/" but it still doesn't work. I probably missed something but I don't know what.
I asked to upgrade to SP8. I hope that will fix this last annoying problem then I will be able to enjoy this great product 🙂
Any experience with SP8 ?
Just got it installed. Haven't had a chance to test the upgrade yet but my reading of the script is it's still a problem. Perhaps they've fixed it in the 'write' step to set an audit ID of at least something (-1 would do) but I won't know until I test.
The easiest thing you might find is just ending each string at the '/' and starting a new one. So:
var sql="select blah blah /
blah blah";
becomes
var sql = "select blah blah ";
sql = sql + " blah blah";
That should resolve the issue. I'd also put:
uWarning(sql);
after it's finished being built - that will let you see what it is that's being queried (and you can copy and paste it into an SQL tool which will give you better error reporting on the SQL).
Peter
Hi Nicolas
SP8 fixes the problem if my initial tests are correct. Instead of getting mcAddAudit = NULL we now get mcAddAudit = <something>.
What is happening is that during the initial load it assigns the profile and immediately triggers provisioning. That provisioning auditid is used as the audit Id of the profile so that it satisfies the SQL.
What that means is that during initial load the system is writing back to the source system immediately with the updated user. Personally I'd probably pause provisioning during initial load so that it all queues up and you wait for the user to finish being updated before it does the write-back.
Peter
Just got SP8 installed, everything seems to work as before except my issue.
I've noticed that even after installing ICDESIGNTIME08_1-10009681.zip (Basic Component team did the rest of Installation) the Jscript I've modified "sap_abap_getNameOfAssignedPendingPrivileges" has been updated ?
I thought that when we do the upgrade the Jscript, especially that one, would be updated with an issue-free version.
Can someone (Peter for example) tell me why my Jscript is not updated and how to do it to the genuine SAP correct version ?
Thx in advance.
Hi all,
As we applied SP8 and upgraded the Prov. Framework, the issue is resolved and currently assigned ABAP privileges do not get removed on the ABAP side, as the new standard script (sap_abap_getNameOfAssignedPendingPrivileges) includes all pending and existing privileges.
However, I noticed it creates a new issue that I am still analyzing and looking for a resolution to.
The Function_set is actually executed as many times as there are privileges assigned on the same role.
When a user is assigned a role that contains 7 ABAP privileges including one Function_set privilege type, the Function_set gets assigned 7 times and the associated implementation gets executed 7 times as well.
In our scenario this has caused the email to be updated back to the Business Suite system 7 times, by running the BAdI implementation for that Function_set (in my case it is the STUDENT Function_set).
In this case the filter was enabled on the assignment task of the Business Suite Connector to capture any change of communication data and update it back to the source, but that results in adding multiple entries, as many as the number of assignments the user gets.
Each time an ABAP role is assigned to the user it also gets the existing Function_set and runs the BAdI, which results in updating the source system back while communication did not change.
Anyway, the requirement is just to write back user/email once only at creation, and those should never change unless it is a correction case;
So a simple resolution is to enable the filter only on the create task of the ABAP/Business Suite Connector, and disable it on the assignment task.
The previous resolution is a fast temporary workaround on production;
However, after observing and analyzing, it works but has some limitations and requires modification of the Function_set Master Privilege.
Other than changing the filter entry, it requires removing the master privilege from the Function_set to get it as pending on the creation task.
The limitation is that the Function_set can only be assigned to a new user; otherwise assigning it will trigger the assignment task on the Provisioning Framework and, as the filter is disabled on the assignment task, the filter and Function_set BAdI will not run.
Also, it does not support the case where user creation is not required and only the Function_set is needed for the user.
A more reliable resolution is to modify the standard script, save it as a custom “Z” script, and use it on the filter entry only.
The modification includes changing the SQL that gets the pending and assigned privileges to only get the pending assignment in the case of a Function_set.
This will capture only new Function_set assignments and exclude the privilege if it is already assigned.
Note: you need to be careful with any upgrade of the Provisioning Framework as it may change the task back to the original script (when using a custom connector folder, this may happen when re-copying the standard connector to the custom one to apply the upgrade); you may need to preserve the customization or redo it after any upgrade.
Also, your old custom script loses the advantage of the standard script in case it is changed/enhanced/fixed by SAP.
If SAP releases a better solution for this scenario then you may want to change everything back as it was.
See the snapshots below for the modifications:
Standard script SQL (sap_abap_getNameOfAssignedPendingPrivileges):
Modified script SQL (zsap_abap_getNameOfAssignedPendingPrivileges):