Anonymous_User Absent Member.
Absent Member.
436 views

SAP User Management CUA Roles


NetIq Identity Manager 4.0.2 AE / Linux
SAP Solution Manager 7.1 CUA Master
SAP ERP EHP6 CUA CHILD

We are trying to setup the SAP User Management driver with CUA setup and
having trouble with delivering roles for a logical subsystem.

When we try to deliver roles from IDM i get the following error:

..
DirXML: [06/26/14 11:03:58.39]: TRACE: UserLocRolesModify: Invalid CUA
Role specification CLIENTXXX:SAP_ROLE_XXX. Must contain 'AGR_NAME' and
'SUBSYSTEM' component fields and values.
DirXML: [06/26/14 11:03:58.39]: TRACE: UserLocActGroupsAssign: SAP
version: 702
DirXML: [06/26/14 11:03:58.39]: TRACE: UserLocActGroupsAssign:
UserLocActGroupAssign return TYPE: S
DirXML: [06/26/14 11:03:58.39]: TRACE: UserLocActGroupsAssign:
UserLocActGroupAssign return MESSAGE: Role assignment to user USERNAME
changed
DirXML: [06/26/14 11:03:58.39]: TRACE: UserModify: UserLocRolesModify
finished
DirXML: [06/26/14 11:03:58.39]: TRACE: BapiDispatch: m_disableRetry
value: false
DirXML: [06/26/14 11:03:58.39]: TRACE: Remote Loader:
SubscriptionShim.execute() returned:
DirXML: [06/26/14 11:03:58.39]: TRACE: <nds dtdversion="1.0"
ndsversion="8.5">



i'm populating the values in the user attribute "DirXML-sapLocRoles" in
Identity manager as CLIENTXXX:SAP_ROLE_XXX



the driver works okay without CUA configuration.


Any help in that setup would be very helpful from you guys...


Regards,
M.


--
belaie
------------------------------------------------------------------------
belaie's Profile: https://forums.netiq.com/member.php?userid=308
View this thread: https://forums.netiq.com/showthread.php?t=51188

Labels (1)
0 Likes
4 Replies
Anonymous_User Absent Member.
Absent Member.

Re: SAP User Management CUA Roles


ok figuered it out. i had to write a new policy on the driver which
actually converts the string to structure data type on the subscriber
output.


--
belaie
------------------------------------------------------------------------
belaie's Profile: https://forums.netiq.com/member.php?userid=308
View this thread: https://forums.netiq.com/showthread.php?t=51188

0 Likes
Knowledge Partner
Knowledge Partner

Re: SAP User Management CUA Roles

On 6/27/2014 7:30 AM, belaie wrote:
>
> ok figuered it out. i had to write a new policy on the driver which
> actually converts the string to structure data type on the subscriber
> output.


Sample code? What is the structured type?

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: SAP User Management CUA Roles


Here you go.. actually it worked when i was placing the roles in
attribute sapRoles in IDM. but i had to deliver the roles to the sap
child systems, then i had to use the another attribute in IDM which is
called DirXML-sapLocRoles.
the data in that attribute should be childsystem:role format, but i
guess the jco api expects it be structured type so on the Subscriber Otp
i had to do the following:




<rule>
<description>Transform LOCACTIVITYGROUPS from String to
Structured</description>
<conditions>
<or/>
</conditions>
<actions>
<do-reformat-op-attr name="LOCACTIVITYGROUPS">
<arg-value type="structured">
<arg-component name="SUBSYSTEM">
<token-xpath expression="substring-before($current-value, ':')"/>
</arg-component>
<arg-component name="AGR_NAME">
<token-xpath expression="substring-after($current-value, ':')"/>
</arg-component>
</arg-value>
</do-reformat-op-attr>
</actions>
</rule>





geoffc;245961 Wrote:
> On 6/27/2014 7:30 AM, belaie wrote:
> >
> > ok figuered it out. i had to write a new policy on the driver which
> > actually converts the string to structure data type on the

> subscriber
> > output.

>
> Sample code? What is the structured type?



--
belaie
------------------------------------------------------------------------
belaie's Profile: https://forums.netiq.com/member.php?userid=308
View this thread: https://forums.netiq.com/showthread.php?t=51188

0 Likes
Knowledge Partner
Knowledge Partner

Re: SAP User Management CUA Roles

On 6/30/2014 4:14 AM, belaie wrote:
>
> Here you go.. actually it worked when i was placing the roles in
> attribute sapRoles in IDM. but i had to deliver the roles to the sap
> child systems, then i had to use the another attribute in IDM which is
> called DirXML-sapLocRoles.
> the data in that attribute should be childsystem:role format, but i
> guess the jco api expects it be structured type so on the Subscriber Otp
> i had to do the following:


It seems incredibly unlikely that the JCO API expects it. The shim
however clearly does. 🙂 (I.e. Structured attributes are vaguely
unique to eDirectory, specifically in how IDM represents them).


>
>
>
>
> <rule>
> <description>Transform LOCACTIVITYGROUPS from String to
> Structured</description>
> <conditions>
> <or/>
> </conditions>
> <actions>
> <do-reformat-op-attr name="LOCACTIVITYGROUPS">
> <arg-value type="structured">
> <arg-component name="SUBSYSTEM">
> <token-xpath expression="substring-before($current-value, ':')"/>
> </arg-component>
> <arg-component name="AGR_NAME">
> <token-xpath expression="substring-after($current-value, ':')"/>
> </arg-component>
> </arg-value>
> </do-reformat-op-attr>
> </actions>
> </rule>
>
>
>
>
>
> geoffc;245961 Wrote:
>> On 6/27/2014 7:30 AM, belaie wrote:
>>>
>>> ok figuered it out. i had to write a new policy on the driver which
>>> actually converts the string to structure data type on the

>> subscriber
>>> output.

>>
>> Sample code? What is the structured type?

>
>


0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.