5 Known Issues and FAQs

This chapter is divided into the following sections:

5.1 Known Issues

The following are known issues associated with this release of the connector:

  • Bug 14152765

    If the size of the violation details obtained from the SAP BusinessObjects AC target system exceeds 4000 characters, then you must update the Length of the SODCheckViolation field to match the expected size of the violation data.

  • Bug 14391414

    The ICF-based SAP User Management connector and the legacy SAP ER connector do not work together with Oracle Identity Manager because ICF uses a different class loader for each connector bundle. When both connectors are installed, the connector bundle that creates the first connection works. When the second bundle tries to create a connection, it tries to register the data provider that is already registered by the first bundle, and then throws the error "DestinationDataProvider already registered".

    As a workaround, to use both the SAP User Management connector and the legacy SAP ER connector, deploy the SAP UM connector in a connector server and deploy the SAP ER connector in Oracle Identity Manager.

  • Bug 19683143

    Before upgrading the connector, the lookup default decode values of Lookup.SAPAC10ABAP.Configuration and Lookup.SAPABAP.Configuration are upgraded with target configuration values.

    Once the connector is upgraded, it generates duplicate entries with decode default values.

    As a workaround, manually delete each instance of the duplicate entries with decode default values.

  • Bug 23559285

    In Access Request Management (AC) flow, if you trigger a revoke account in OIG and reject the revoke request for the same account in GRC, then the account is still active in the SAP ECC system (backend ABAP system) and you cannot modify the account details in OIG.

    There is no workaround for this issue.

  • Enh 11835752

    If the application server is not restarted after a JAR is updated or modified, then it throws the following error:

    java.lang.UnsatisfiedLinkError: Native Library
          /usr/local/jco/libsapjco3.so
    java.lang.UnsatisfiedLinkError: Native  Library
          /usr/local/jco/libsapjco3.dll

    This is a limitation of SAP JCo. Whenever any JAR is updated or modified, the application server tries to register the SAP destination data provider (SAP JCo) even though it is already registered. Therefore, the application server throws an error.

    The workaround is to restart the application server whenever any JAR is updated or modified in the Oracle Identity Governance server.

5.2 Frequently Asked Questions (FAQs)

You can refer to the following FAQs as guidelines and to troubleshoot connector issues:

  1. What is the cause of "Class Definition not found" error while running lookup schedulers or provisioning a user for the first time after installing and configuring the connector successfully?

    Answer: The class path of SapJCo.jar may not be detected. Specify its path in the startWebLogic.cmd file located in DOMAIN_HOME/bin. For more information, refer to Step 4 of Downloading and Installing the SAP JCo.

  2. Can I simultaneously use the SAP ER and the SAP UM connectors in the same Oracle Identity Manager environment?

    Answer: Yes, but only if one connector is configured in a connector server and the other connector is installed directly in the same Oracle Identity Manager. Refer to Bug 14391414 in Known Issues for more information.

  3. I have decided to use the SAP UM connector directly without configuring the Access Request Management feature. The default process form has AC fields in it. How do I remove these AC fields from the form?

    Answer: See Removing SAP BusinessObjects AC Access Request Management Attributes from Process Form for the procedure.

  4. I have changed the system property for SOD as XL.SoDCheckRequired = TRUE. Is it now possible to use two SAP connectors in the same OIM environment having one connector configured for SOD analysis and the other connector configured without SOD analysis?

    Answer: No, the system property is common in OIM. Hence, the property applies to all the connectors installed in that OIM.

  5. I have configured the connector for Access Request Management and would like to see the Audit trail details. Where can I get these details?

    Answer: To get the Audit trail details, you need to enable the logs specific to AC for the connector. The Audit trail details can be viewed in the log file along with the connector logs.

    Here are a few formatted samples of the audit trail:

    • Create User

      Audit Trial: {Result=[Createdate:20130409,

      Priority: HIGH,

      Requestedby:, johndoe (JOHNDOE),

      Requestnumber: 9000001341,

      Status: Decision pending,

      Submittedby:, johndoe (JOHNDOE),

      auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,

      Description:,

      Display String: Request 9000001341 of type New Account Submitted by johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}],

      Status=0_Data Populated successfully}

    • Request Status

      Audit Trial: {Result=[Createdate:20130409,

      Priority:HIGH,

      Requestedby:,johndoe (JOHNDOE),

      Requestnumber: 9000001341,

      Status: Approved,

      Submittedby:, johndoe (JOHNDOE),

      auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,

      Description:,

      Display String: Request 9000001341 of type New Account Submitted by johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH,

      ID: 000C290FC2851ED2A899DAF9961C91E2,Description:,Display String:Request is pending for approval at path GRAC_DEFAULT_PATH stage GRAC_MANAGER,

      ID: 000C290FC2851ED2A89A1400B60631E2,

      Description:,

      Display String: Approved by JOHNDOE at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,

      ID: 000C290FC2851ED2A89A150972D091E2,

      Description:,

      Display String: Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,

      ID: 000C290FC2851ED2A89A150972D111E2,

      Description:,

      Display String: Approval path processing is finished, end of path reached,

      ID: 000C290FC2851ED2A89A150972D151E2,

      Description:,

      Display String: Request is closed}],

      Status=0_Data Populated successfully}

    • Modify Request (First Name)

      Audit Trial: {Result=[Createdate:20130409,

      Priority: HIGH,

      Requestedby:, johndoe (JOHNDOE),

      Requestnumber: 9000001342,

      Status: Decision pending,

      Submittedby:,johndoe (JOHNDOE),

      auditlogData:{,

      ID: 000C290FC2851ED2A89A3ED3B1D7B1E2,

      Description:,

      Display String: Request 9000001342 of type Change Account Submitted by johndoe ( JOHNDOE ) for JK1FirstName JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}],

      Status=0_Data Populated successfully}

  6. What is the purpose of SAP Roles and SAP Profiles resource objects available with the connector?

    Answer: These resource objects must be used only with Oracle Identity Manager 11g Release 1 (11.1.1). They are used in Oracle Identity Manager release 11.1.1 to serve the same purpose as entitlements do in Oracle Identity Manager 11g Release 2 (11.1.2). They are not required in Oracle Identity Manager release 11.1.2.

  7. During a Create User provisioning operation, does the SAP UM AC connector provision attributes that are mapped directly to SAP ECC system without GRC?

    Answer: No, for account creation request in GRC, the request is created only with the GRC attributes. Attributes mapped directly to SAP ECC system are not part of the create operation. Once the request is approved and the account is provisioned to the SAP ECC system (backend ABAP system), these attributes (mapped directly to SAP) can be provisioned as part of the update operation.

  8. Why am I not able to add groups when using SAP UM connector for access control?

    Answer: This is the desired behavior and not a bug. Groups need to be managed on the backend server only.

  9. Which version of the SAP BusinessObjects Access does the connector support?

    Answer: As listed in Table 1-1, the connector supports SAP BusinessObjects Access versions 10, 10.1, and 12.

    While configuring the connector, if you are using SAP BusinessObjects Access version 10.1 or 12, you need not modify the lookup definition name.

  10. Is the SoD Check Tracking ID field no longer populated with a value during the SoD check?

    Answer: From Oracle Identity Manager 11.1.2.x, the SoD Check Tracking ID field no longer populates a value during the SoD check. You can ignore this field as it displays a null value and does not result in functionality loss.
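
The audit trail entries shown in FAQ 5 can be parsed for review as in the following added example, which is not Oracle's code. It assumes a logged entry has the same field layout as the samples on this page; the function names and the self-approval check (submitter ID equal to approver ID) are illustrative.

```python
import re

HEADER_KEYS = "Createdate|Priority|Requestedby|Requestnumber|Status|Submittedby"

# Sample: the page's "Request Status" entry, abridged to five of its six events
# (the auto-provisioning event is dropped). Field spacing is kept as printed.
SAMPLE = """Audit Trial: {Result=[Createdate:20130409, Priority:HIGH,
Requestedby:,johndoe (JOHNDOE), Requestnumber: 9000001341, Status: Approved,
Submittedby:, johndoe (JOHNDOE), auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,
Description:, Display String: Request 9000001341 of type New Account Submitted by
johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH,
ID: 000C290FC2851ED2A899DAF9961C91E2,Description:,Display String:Request is pending
for approval at path GRAC_DEFAULT_PATH stage GRAC_MANAGER,
ID: 000C290FC2851ED2A89A1400B60631E2, Description:, Display String: Approved by
JOHNDOE at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,
ID: 000C290FC2851ED2A89A150972D111E2, Description:, Display String: Approval path
processing is finished, end of path reached,
ID: 000C290FC2851ED2A89A150972D151E2, Description:, Display String: Request is closed}],
Status=0_Data Populated successfully}"""

def _clean(value):
    # Collapse line breaks and drop the stray commas the format leaves around values.
    return re.sub(r"\s+", " ", value).strip(" ,")

def parse_audit_trail(text):
    """Split one 'Audit Trial: {...}' entry into header fields, events and result."""
    m = re.search(r"Audit Trial:\s*\{Result=\[(.*?)auditlogData:\{(.*)\}\],"
                  r"\s*Status=(.*?)\}\s*$", text, re.S)
    if not m:
        raise ValueError("not an audit trail entry")
    head, body, result = m.groups()
    fields = {k: _clean(v) for k, v in re.findall(
        rf"\b({HEADER_KEYS}):(.*?)(?=\b(?:{HEADER_KEYS}):|\Z)", head, re.S)}
    # Display String may contain commas, so an event ends only at the next
    # "ID:<hex>,Description:" group or at the end of auditlogData.
    events = [{"id": i, "description": _clean(d), "text": _clean(t)}
              for i, d, t in re.findall(
                  r"ID:\s*([0-9A-F]+)\s*,\s*Description:(.*?),\s*Display String:(.*?)"
                  r"(?=,\s*ID:\s*[0-9A-F]+\s*,\s*Description:|\Z)", body, re.S)]
    return {"fields": fields, "events": events, "result": _clean(result)}

def self_approvals(entry):
    """Approver IDs equal to the submitter's ID (a review check added here)."""
    m = re.search(r"\(\s*(\w+)\s*\)", entry["fields"].get("Submittedby", ""))
    submitter = m.group(1).upper() if m else None
    return [a for e in entry["events"]
            for a in re.findall(r"Approved by (\S+)", e["text"])
            if a.upper() == submitter]
```

Splitting the entry on commas would break the "Approval path processing is finished, end of path reached" event in two, which is why events are delimited by the next ID/Description pair instead.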