IdM & Repositories out of sync

0 Kudos

Hey guys,

We're suffering from an issue where some users exist in IdM but don't in the ABAP backend.

The reason why this has happened was solved (what a severe beating isn't good for) but the impact of it still exists.

Now I have been thinking about this for a while but haven't found a good solution to it yet.

Can someone help me with finding a way to make sure that our IdM is the only truth? Meaning, can I have IdM check if a user actually exists in a certain system and, if that user doesn't exist, have IdM create that user and add the right roles to him?

The problem we're facing with the regular reconcile job is that it checks a certain user, thinks that the user exists in a system and directly goes to the provisioning of roles and other data, meaning I just get an error that the user doesn't exist.

Thanks in advance!

Accepted Solutions (1)

Former Member
0 Kudos

Hi Jonathan

It should be easy enough to redo the users if you use the initial load from ABAP and stop after reading the users.  Modify the SQL for the write pass (or create an entry script) which skips all users already existing in IdM and for those that don't exist, clears the account attribute.  This will trigger reprovisioning.


Answers (1)

0 Kudos

Hello Jonathan,

There are many ways to achieve your requirements:

First of all, this could be achieved by running the initial loads in an update context. In this way, all new users in the target systems will be created in SAP IdM. The assigned technical roles will then be applied to the user profile as privileges.

The other way is to design a process and write scripts using the JCO protocol and the available BAPI to check if an identity exists in an SAP backend system. If the identity exists, then trigger the update plugin and ensure the ACCOUNT%REPNAME% attribute is populated properly.

If you are using the default Provisioning Framework, then IdM will be the Single Point of Truth as all assigned roles outside IdM will be removed during the identity provisioning. This applies to the SAP ABAP system. Again this process can be part of the Update process (Initial Load).

The script to get data from an SAP system using JCO can also be found in the SAP IdM 7.2 RDS.

Let me know if you have any further doubts.

I will try to reply as soon as I can.
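
An added example, not part of the thread and not SAP IdM code: a dry-run comparison in plain JavaScript that takes the user list read from the ABAP system and the IdM entries with their ACCOUNT%REPNAME% attribute, and reports which entries need the account attribute cleared so that reprovisioning is triggered. The entry shape, the function name `planResync`, the repository name `ABAP_PRD` and the sample data are assumptions; it calls no IdM or JCO API.

```javascript
// ABAP user names are stored upper-case; compare on that form.
function norm(name) {
  return String(name == null ? "" : name).trim().toUpperCase();
}

// idmEntries: [{ MSKEYVALUE, ACCOUNT<repName> }] read from the identity store (shape assumed).
// backendUsers: user names read from the ABAP system, e.g. by the initial-load read pass.
function planResync(idmEntries, backendUsers, repName) {
  const attr = "ACCOUNT" + repName;
  const backend = new Set(backendUsers.map(norm).filter(Boolean));
  const claimed = new Set();
  const plan = { inSync: [], clearAccount: [], unlinked: [], backendOnly: [] };

  for (const entry of idmEntries) {
    const id = norm(entry.MSKEYVALUE);
    if (!id) continue;
    const account = norm(entry[attr]);
    if (account) {
      claimed.add(account);
      // IdM believes the account exists; only the backend list can confirm it.
      (backend.has(account) ? plan.inSync : plan.clearAccount).push(id);
    } else if (backend.has(id)) {
      // Backend user with the same name but no account attribute in IdM.
      claimed.add(id);
      plan.unlinked.push(id);
    }
  }
  // Accounts that no identity refers to: report for review, never auto-delete.
  for (const user of backend) {
    if (!claimed.has(user)) plan.backendOnly.push(user);
  }
  for (const key of Object.keys(plan)) plan[key].sort();
  return plan;
}

// Constructed sample data; "ABAP_PRD" is a hypothetical repository name.
const SAMPLE_IDM = [
  { MSKEYVALUE: "jdoe", ACCOUNTABAP_PRD: "JDOE" },
  { MSKEYVALUE: "ASMITH", ACCOUNTABAP_PRD: "ASMITH" }, // missing in the backend
  { MSKEYVALUE: "BLEE" },
  { MSKEYVALUE: "CKING" },
];
const SAMPLE_BACKEND = ["JDOE", "blee ", "SVC_BATCH"];

console.log(planResync(SAMPLE_IDM, SAMPLE_BACKEND, "ABAP_PRD"));
```

The `clearAccount` list is the set of users the regular reconcile job fails on; `backendOnly` lists backend accounts that IdM does not manage and that need a manual review.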