
This document continues the previously published part.

Here we put to use the settings made earlier for LDAP user and group management.

Part III. Using the settings

User synchronization

As a reminder, we use the LDAP attribute 'pager' to hold the SAP user ID.

Before we start, you can check whether table GRACUSER already has any records for the connector. Normally, just before the very first synchronization, it should not contain any records for the selected LDAP connector.

In the picture you can see that the table already contains 900 entries; this happened because we ran a full synchronization after customizing.

Start tcode GRAC_USER_SYNC and select your LDAP connector. For the very first run, select 'Full Synch mode', but execute it successfully just once. As I found, full synch mode works in the following manner: it clears the table for the selected connector and fills it from scratch again. So we used full synchronization just once and then use only incremental synchronization on a regular basis.

After synchronization in dialog mode you get a log:

The number of entries in the table has changed.

The incremental mode works in the following manner: it selects users who were changed since the last synchronization. So, if you start it very often, the table may not be updated with new entries.

The LDAP trace log contains the selected period:

ldap_paged_search_sU(base="your_domain_base", filter="(&(ObjectClass=person)(whenChanged>=20160311132424.0Z)(whenChanged<=20160428140244.0Z))", scope=2, pagesize=200)
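As an added illustration that is not part of the original post, the following Python model shows the two synchronization modes described above: a full run clears the connector's GRACUSER rows and refills them, while an incremental run only takes entries whose whenChanged falls inside the window seen in the trace filter. The directory entries, connector name and DNs are constructed sample values, and the table is a plain dictionary standing in for GRACUSER.

```python
from datetime import datetime, timezone

# Constructed sample directory entries: each one mimics an AD 'person' object
# with the attributes the connector reads; 'pager' carries the SAP user ID.
LDAP_ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=org", "pager": "ALICE", "whenChanged": "20160311120000.0Z"},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=org", "pager": "BOB", "whenChanged": "20160401090000.0Z"},
    {"dn": "CN=Carol,OU=Users,DC=example,DC=org", "pager": "CAROL", "whenChanged": "20160420150000.0Z"},
]


def parse_generalized_time(value):
    """Parse an AD GeneralizedTime such as 20160311132424.0Z into a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def to_generalized_time(dt):
    """Format a UTC datetime the way it appears in the whenChanged filter."""
    return dt.strftime("%Y%m%d%H%M%S.0Z")


def build_filter(since, until):
    """Rebuild the window filter that ldap_paged_search_sU shows in the trace."""
    return "(&(ObjectClass=person)(whenChanged>=%s)(whenChanged<=%s))" % (
        to_generalized_time(since), to_generalized_time(until))


def select_changed(entries, since, until):
    """Incremental selection: only entries changed inside [since, until]."""
    return [e for e in entries
            if since <= parse_generalized_time(e["whenChanged"]) <= until]


def synchronize(table, connector, entries, mode, since=None, until=None):
    """Simulate GRACUSER maintenance for one connector.

    table is keyed by (connector, user_id). 'full' drops every row of this
    connector and reloads all entries; 'incremental' upserts only the entries
    changed in the given window, so rows outside the window are left as-is
    (an entry changed before 'since' is never picked up by that run).
    """
    if mode == "full":
        for key in [k for k in table if k[0] == connector]:
            del table[key]
        selected = entries
    elif mode == "incremental":
        selected = select_changed(entries, since, until)
    else:
        raise ValueError("unknown mode: %s" % mode)
    for e in selected:
        table[(connector, e["pager"])] = e["dn"]
    return table
```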

Role synchronization

In the BRM part of GRC 10.x, AD groups can be uploaded from files only.

The file for uploading looks like this (see attached file).

Then perform the role import

and choose the file location.

Then perform role synchronization using tcode GRAC_ROLE_SYNC.

After this, the system knows that the role exists in AD.

Using the AD management tools, check how the group assignment functionality works.

As you can see, there are no users assigned to the group.

Create a request in AC for the group assignment.

Check the group in AD again.

The group has the user among its members.

The only thing that may confuse you is the message in the SLG1 log:

Group assigned to Group. In fact, you can ignore this message if the required functionality works.

It seems like a bug, but at the time of writing this document no notes had been released for this topic.


Artem Ivashkin