urgent: SAP role provisioning using IDM roles
Hi,
We are working on a POC to demonstrate provisioning SAP roles (activity groups) using IDM roles. The thought is: each IDM role comprises a set of (one or many) SAP roles (which are set up as resource attribute values in the IDM role). So when we assign an IDM role to the user, the corresponding SAP roles are provisioned onto the SAP system.
I'm having a problem here. I have created an IDM role. Assigned a SAP resource to the IDM role. In the resource attribute "activity groups" for the SAP resource, in the text box I have mentioned a SAP role object as below:
<Object name='SAP Role 1'> <Attribute name='activityGroupName' value='SAP Role1'/> <Attribute name='fromDate' value='06/18/2007'/> <Attribute name='toDate' value='12/31/9999'/></Object>
When I specify a single SAP role object in the resource attribute text box, the provisioning works fine. I'm facing issues while assigning two or more SAP roles to an IDM role.
I specified two SAP role objects in the text box separated by commas. I'm getting the following error:
"com.waveset.util.XmlParseException: XML Error: 1:216: Content is not allowed in trailing section."
When I specify two SAP role objects specified by a comma, then I'm getting the following error: "com.waveset.util.XmlParseException: XML Error: 1:218: The markup in the document following the root element must be well-formed.".
Could anyone tell me how to specify multiple SAP role objects in the resource attribute of an IDM role?
Has anyone tried SAP role provisioning before? Is the approach that I'm following correct?
Any lead is highly appreciated.
Thanks,
kIDMan.
[1705 byte] By [kIDMana] at [2007-11-27 10:46:21]
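
Both parser errors quoted in the post above are what an XML parser reports when anything follows the first root element. The following is an added example, not part of the original thread and not Identity Manager code: it reproduces the failure with the posted object in Python. The second role (`SAP Role2`) and the `<List>` wrapper are assumptions, and whether the SAP adapter accepts that wrapper must be confirmed against the product.

```python
import xml.etree.ElementTree as ET


def sap_role(name, group, from_date="06/18/2007", to_date="12/31/9999"):
    """Serialise one role object in the shape posted in the question."""
    obj = ET.Element("Object", name=name)
    for key, value in (("activityGroupName", group),
                       ("fromDate", from_date),
                       ("toDate", to_date)):
        ET.SubElement(obj, "Attribute", name=key, value=value)
    return ET.tostring(obj, encoding="unicode")


def check_field(text):
    """Parse a field value as ONE XML document.

    Returns (True, [activity group names]) when it is well-formed,
    or (False, parser message) when it is not.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return False, str(exc)
    groups = [a.get("value") for a in root.iter("Attribute")
              if a.get("name") == "activityGroupName"]
    return True, groups


# Constructed sample values: role 1 is from the post, role 2 is invented here.
ROLE1 = sap_role("SAP Role 1", "SAP Role1")
ROLE2 = sap_role("SAP Role 2", "SAP Role2")

CASES = {
    "single object": ROLE1,
    "comma separated": ROLE1 + ", " + ROLE2,   # text after the root element
    "one below the other": ROLE1 + "\n" + ROLE2,  # second root element
    # Assumption: a single wrapping root; <List> is not confirmed by the thread.
    "wrapped in one root": "<List>" + ROLE1 + ROLE2 + "</List>",
}

if __name__ == "__main__":
    for label, text in CASES.items():
        print(label, "->", check_field(text))
```
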

# 1
I have done this before but in a slightly different manner. We have a predefined list, i.e. a Rule, where each IdM role was mapped to a set of SAP roles, i.e. Role1 -> {SAP_SOME_ROLE_XD34, SAP_SOME_ROLE_XD34,..etc}. So when you assign Role1, in the backend your express code would do the magic of assigning SAP roles.
In order to successfully assign roles in SAP you need to
1. Generate an Xpress list of SAP roles
2. Package the SAP role name and valid from and to dates in a Generic object
3. Push the gen object to SAP where the Adapter will handle the actual role assignment.
About the error, if I understand it right you are getting that error in the edit user screen - Attributes tab on the admin user interface. The tabbed user form is not designed well enough to gracefully handle list values. One way to get around it is, in your tabbed user form, to make the fields with list values uneditable fields.
Hope this helps. Let me know if you need more info.
# 2
Hi,
Thanks a lot for the response. Regarding the error, I was not updating in the attributes section in the admin interface. I have specified the SAP role in the form of a generic object in the text box (in the role form where you specify the attributes corresponding to a particular resource). When I specify a single object (i.e. a single SAP role) to an IDM role and assign that IDM role to the user, then it provisions the SAP role successfully. But if I specify two SAP role objects one below the other in the text box of the IDM role then it gives that error.
I have another question for you. Have you tried deprovisioning as well?
That means when you assign an IDM role to the user then it should add the corresponding SAP roles in the SAP resource, and when we unassign the IDM role from the user then it should take away only the SAP roles corresponding to that IDM role. If we want to do automatic provisioning and deprovisioning, what is the option that we should select for "How to set" in the role form, i.e. "merge with value" or "authoritative merge with value", or which is the option that we select?
Thanks again for the response.
> I have done this before but in a slightly different
> manner. We have a predefined list ie Rule where each
> IdM role was mapped to a set of SAP roles ie Role1 ->
> {SAP_SOME_ROLE_XD34, SAP_SOME_ROLE_XD34,..etc}. So
> when you assign Role1 in the backend your express
> code would do the magic of assigning SAP roles.
>
> In order to successfully assign roles in SAP you need
> to
>
> 1. Generate an Xpress list of Sap roles
> 2. Package the sap role name and valid from and to
> dates in a Generic object
> 3. Push the gen object to sap where the Adapter will
> handle the actual role assignment.
>
> About the error, if I understand it right you are
> getting that error in the edit user screen -
> Attributes tab on the admin user interface. The
> tabbed user form is not designed well enough to
> gracefully handle list values. One way to get around
> is, in your tabbed user form to make the fields with
> list value as uneditable fields.
>
> Hope this helps. Let me know if you need more info.