gdrtx1977 Absent Member.

IDM 4.5 SAP-UM forces match/merge on associated objects

I ran across this situation recently in a system that I am looking to better understand. I know IDM 4.5 is out of support but I'm curious if this is an inherent intended behavior of the driver, a bug that was patched in the 4.5 lifecycle, or a bug that was patched with a later version of IDM.

The problem flow is as follows:

I have an SAP-UM driver.
I have an existing user that was previously processed and associated through the SAP-UM driver.
I changed the password on the existing, associated user in my vault.
The password change is processed to SAP through the SAP-UM driver.
------
[04/25/19 19:27:38.549]:SAPCMP ST:Start transaction.
[04/25/19 19:27:38.551]:SAPCMP ST:Processing events for transaction.
[04/25/19 19:27:38.552]:SAPCMP ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20190426002738.533Z" class-name="User"
event-id="qalidvap016#20190426002738#24#1:536d5a91-6325-4415-66a5-915a6d532563"
qualified-src-dn="O=Grainger\OU=Suppliers\CN=y9jb289"
src-dn="\GISIDV\Grainger\Suppliers\y9jb289" src-entry-id="285072"
timestamp="1556238458#7">
<association state="associated">USdY9JB289</association>
<modify-attr attr-name="nspmDistributionPassword"><!-- content
suppressed -->
</modify-attr>
</modify>
</input>
</nds>
------
At the end of the password sync event in the driver, the SAP-UM driver automatically initiates a merge operation between IDV and SAP
-----
[04/25/19 19:27:39.528]:SAPCMP ST:Password synchronization command
status detected.
[04/25/19 19:27:39.528]:SAPCMP ST:Re-reading associations in case they
were changed by previous event processing
[04/25/19 19:27:39.529]:SAPCMP ST:Subscriber processing add for
\GISIDV\Grainger\Suppliers\y9jb289.
[04/25/19 19:27:39.529]:SAPCMP ST:Password synchronization command detected.
[04/25/19 19:27:39.529]:SAPCMP ST:Already associated with USdY9JB289.
[04/25/19 19:27:39.529]:SAPCMP ST:Merging eDirectory and application values.
[04/25/19 19:27:39.530]:SAPCMP ST:Reading relevant attributes from
\GISIDV\Grainger\Suppliers\y9jb289.
-----
The merge event resets SAP roles in SAP based on data in IDV
SAP revokes access to various SAP modules and then reinstates access
Sometimes this revocation process causes the passwords in the SAP modules to be reset to a default value
Sometimes this revocation process fails in SAP to reprovision access in the SAP modules (shame on SAP but shame on IDV for forcing the merge in the first place...)

I need to keep the ability to perform match/merge operations during true match/merge operations but I do not want the driver forcing a merge of data every time an object is touched. That seems unnecessarily excessive and potentially problematic (as evident in my use case). I thought that was the purpose of the association, to allow the driver to know that an existing account was already discovered in the connected system so IDM would only process the changed data, not the full account data on each transaction. That isn't how the driver is behaving with the association and I need to understand why and if there is a way to resolve it if this isn't the expected or intended behavior.

Thanks in advance for any help or information.
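An added example, not part of the original post and not NetIQ code: a Python scan of a driver trace for the sequence shown in the post, where the subscriber logs "Already associated with ..." and then "Merging eDirectory and application values." for the same object. It matches only the message strings visible in the post's trace; the function names and the last two sample records (object `newuser1`) are constructed for illustration.

```python
import re

# Trace line shape seen in the post: [MM/DD/YY HH:MM:SS.mmm]:DRIVER ST:message
LINE = re.compile(r"^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\]:(\S+) \w+:(.*)$")

def records(text):
    """Yield (timestamp, driver, message), re-joining wrapped continuation lines."""
    cur = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            if cur:
                yield tuple(cur)
            cur = [m[1], m[2], m[3].strip()]
        elif cur and raw.strip() and set(raw.strip()) != {"-"}:  # skip ----- rules
            cur[2] = f"{cur[2]} {raw.strip()}".strip()
    if cur:
        yield tuple(cur)

def merges_on_associated(text):
    """Return merges the subscriber ran for objects it reported as already associated."""
    hits, cur = [], None
    for ts, driver, msg in records(text):
        if m := re.match(r"Subscriber processing add for (.+)\.$", msg):
            cur = {"dn": m[1], "pwsync": False, "assoc": None}
        elif cur is None:
            continue
        elif msg.startswith("Password synchronization command detected"):
            cur["pwsync"] = True
        elif m := re.match(r"Already associated with (.+)\.$", msg):
            cur["assoc"] = m[1]
        elif msg.startswith("Merging eDirectory and application values") and cur["assoc"]:
            hits.append({"time": ts, "driver": driver, **cur})
    return hits

# The first six records are the trace from the post; the last two are constructed
# (hypothetical object "newuser1", never reported as associated) as a negative case.
SAMPLE = r"""
[04/25/19 19:27:39.528]:SAPCMP ST:Password synchronization command
status detected.
[04/25/19 19:27:39.528]:SAPCMP ST:Re-reading associations in case they
were changed by previous event processing
[04/25/19 19:27:39.529]:SAPCMP ST:Subscriber processing add for
\GISIDV\Grainger\Suppliers\y9jb289.
[04/25/19 19:27:39.529]:SAPCMP ST:Password synchronization command detected.
[04/25/19 19:27:39.529]:SAPCMP ST:Already associated with USdY9JB289.
[04/25/19 19:27:39.529]:SAPCMP ST:Merging eDirectory and application values.
[04/25/19 19:30:00.000]:SAPCMP ST:Subscriber processing add for
\GISIDV\Grainger\Suppliers\newuser1.
[04/25/19 19:30:00.001]:SAPCMP ST:Merging eDirectory and application values.
"""
```

Each hit records whether the merge followed a password synchronization command, so a full trace file can be counted for how often a password change alone led to a merge on an associated object.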