5 Known Issues, Limitations, and FAQs

These are the known issues and limitations associated with the SAP UME connector.

This chapter is divided into the following sections:

  • Known Issues

  • Connector Limitations Related to Features of the Target System

  • Frequently Asked Questions (FAQs)

5.1 Known Issues

These are the known issues and workarounds associated with this release of the connector.

The following are known issues associated with this release of the connector:

  • Bug 14152765

    If the size of the violation details obtained from the SAP BusinessObjects AC target system is more than 4000 characters, you must increase the length of the SODCheckViolation field to match the expected size of the violation data.

  • Bug 13248559

    After performing user reconciliation on the user form in the Administrative and User Console, the code key values are displayed instead of the decode values.

  • Bug 13343976

    If you configure the connector to communicate with the Connector Server using SSL, including setting the connectorserver.usessl property to true and importing the target system certificate into the Connector Server JDK keystore, an attempt to access the target system or run the Connector Server returns an error.

    There is no workaround for this issue. Do not use SSL to communicate with the Connector Server.

  • Bug 28217796

    While creating a user in the enterprise portal through a GRC access request, with the valid date on the system set to 31/12/9999, the following error message is encountered:

    Exception while creating user:
    BAPI_USER_CREATE1@GR1CLNT001:TYPE=E, ID=S5, NUMBER=003,

    The workaround is to apply the following SNOTEs on top of GRCFND_A SP 10:

    • SNOTE 2653244

    • SNOTE 2203867

  • Bug 23342634

    Lookup data for Timezone, Country, and Locale is not dynamic.

    During provisioning and reconciliation, the lookup data for timezone, country, and locale can be inconsistent with the target system because the lookup values were generated against earlier versions of NetWeaver.

    If there is any mismatch between the target system data and the lookup, the workaround is for the customer to modify the lookup definitions manually in the Oracle Identity Manager Design Console.

  • Bug 23559285

    In the Access Request Management (AC) flow, if you trigger a revoke account in OIG and reject the revoke request for the same account in GRC, then the account is still active in the SAP NetWeaver Java Application server (backend Java Stack) and you cannot modify the account details in Oracle Identity Manager.

    There is no workaround for this issue.

5.2 Connector Limitations Related to Features of the Target System

The following are connector limitations related to features of the target system:

  • The SPML UME API does not return records for which the Last Modified Date value is greater than a specified date. Therefore, the connector cannot support incremental reconciliation.

  • Configurable batched reconciliation is not supported. The connector performs batched reconciliation implicitly: it fetches user records in batches by logon names that begin with each of the characters allowed by the target system.

In addition, the following sections describe specific connector limitations:

5.2.1 Limitations for AS ABAP Data Source for the Connector

These are the limitations associated with AS ABAP Data source for the connector.

  • Limitation when searching for users

    The search considers only actions performed using the AS Java tools. Therefore, the connector cannot search using the last modified timestamp.

  • List of SAP User Management Engine (UME) user attributes

    The list of user attributes that can be read from or written to the SAP UME with an AS ABAP data source is fixed and cannot be extended. A backend AS ABAP system can have additional attributes, but those attributes are not accessible through the SAP UME.

  • Delay in the display of AS ABAP roles in the SAP UME

    If you create a new AS ABAP role or change the description of an existing AS ABAP role, these changes might not be visible in the SAP UME for up to 30 minutes, because the SAP UME reads this data from the AS ABAP data source every 30 minutes. To force the SAP UME to read the data from the AS ABAP data source immediately, you must restart the AS Java. Consequently, a reconciliation operation might miss roles that have been created recently.

  • Limitation in a Central User Administration (CUA) environment

    The SAP UME can view only the roles that are present in the central system. Roles in child systems are not visible to the SAP UME. Therefore, you can view and maintain role assignments from the connector only to the central system.

  • The SAP UME does not support maintaining the Form of Address and TimeZone attributes in an AS ABAP data source.

5.2.2 Limitations for Groups That Represent AS ABAP Roles

The SAP UME groups that represent AS ABAP roles on the target system have the following limitations for the connector:

  • You can assign ABAP users only to the SAP UME groups that represent ABAP roles.

  • The SAP UME cannot show a user-group assignment when the current date is outside the validity period of the corresponding user-role assignment in the AS ABAP data source.

  • If you try to assign a SAP UME group to a user when the user is already assigned to the corresponding ABAP role, but the current date is outside the validity period, you will receive an error message.

  • If a role assignment to a user in ABAP is by means of a collective role or organizational management, you cannot unassign the user from the corresponding SAP UME group.

  • If a role assignment to a user in ABAP is by means of an indirect assignment through a reference user (visible in transaction SU01), you cannot unassign the user from the corresponding SAP UME group.

  • If a role assignment to a user in ABAP is by means of direct and indirect assignment simultaneously, you cannot unassign the user from the corresponding SAP UME group.

    For example, a user administrator named ADMIN has assigned the user named USER1 to the roles Z_DIRECT and Z_COLLECT. Z_COLLECT is a collective role including the role Z_DIRECT. When ADMIN uses identity management of the AS Java, ADMIN cannot unassign USER1 from the SAP UME group Z_DIRECT because this ABAP role is also assigned indirectly by the ABAP role Z_COLLECT.

  • New groups created with the SAP UME are stored in a local database.

5.2.3 Limitations for Role Management with the Connector

The connector supports the assignment of the following types of roles to users:

  • Roles that define what is displayed in SAP Enterprise Portal

    • Portal roles

      These roles are applicable to SAP Enterprise Portal. The connector supports the assignment of these roles to users.

  • Roles that define what authorizations a user has in the backend system

    • UME authorization roles

      These roles support programmatic authorization checks. The connector supports the assignment of these roles to users.

    • J2EE Security role

      These roles support declarative authorization checks. The connector does not support the assignment of these roles to users. These roles need to be managed from the Visual Administrator tool of the J2EE Engine.

    • ABAP authorization role

      These roles are applicable when the SAP UME is configured with an ABAP data source, and are displayed as groups in the SAP UME. Check whether your SAP UME instance supports assignment of these roles; the connector supports assigning them only if the SAP UME instance does.

5.3 Frequently Asked Questions (FAQs)

This section answers frequently asked questions about the SAP UME connector.

You can refer to the following FAQs as guidelines and to troubleshoot connector issues:

  1. I have installed only the SAP UME connector in my Oracle Identity Governance (OIG) environment. I want to use it with SAP BusinessObjects AC. Is it mandatory to follow the SIL Registration steps to use it with GRC?

    Answer: It is not mandatory, provided you are not using the sodgrc topology name for any other connector. The sodgrc topology name is registered by default and is mapped to the GRC-ITRes IT resource. You must therefore create an IT resource with the instance name GRC-ITRes of type GRC-UME if it does not already exist, specify the GRC details in that instance, and use it for GRC. To use the GRC-ITRes instance, specify sodgrc as the topology name in the SAPUME IT resource.

  2. Can I simultaneously use the SAP ER and the SAP UME connectors in the same OIG environment?

    Answer: Yes.

  3. I have decided to use the SAP UME connector directly without configuring the Access Request Management feature. The default process form has AC fields on it. How do I remove these AC fields from the form?

    Answer: See Removing SAP BusinessObjects AC Access Request Management Attributes from Process Form for the procedure.

  4. I have changed the system property for SOD as XL.SoDCheckRequired = TRUE. Is it now possible to use two SAP connectors in the same OIG environment having one connector configured for SOD analysis and the other connector configured without SOD analysis?

    Answer: No, the system property is common in OIG. Hence, the property applies to all the connectors installed in that OIG.

  5. Suppose I have installed the SAP ER connector and I want to upgrade it to the SAP UME connector. What are the changes that need to be done after upgrading it?

    Answer: You need to change the child table name mapping in the Add Role, Remove Role, Add Group, and Remove Group tasks in the process definition to match the existing child table names. Similarly, replace all the new child form names with the existing form names in the following lookup definitions:

    • Lookup.SAPUME.UM.ProvAttrMap

    • Lookup.SAPUME.AC10.Configuration

    • Lookup.SAPUME.AC10.ProvAttrMap

  6. I have configured the SAP UME connector for SOD analysis. I have multiple GRC systems but have configured this connector to only one system. I have added a set of violated roles but my SOD analysis result shows as Passed without violations. Have I missed any configuration in order to get correct analysis?

    Answer: It may be a configuration mistake. Verify the Sod System Key decode value in Lookup.SAPUME.ACxx.Configuration, where xx is 10 for the SAP BusinessObjects AC 10 release. Specify the correct system value there.

  7. I have configured the SAP UME connector for Access Request Management and would like to see the Audit trail details. Where can I get these details?

    Answer: To get the audit trail details, enable the AC-specific logs for the connector. The audit trail details are then written to the log file along with the connector logs.

    Here are a few formatted samples of the audit trail (the log writes the label as "Audit Trial"):

    • Create User

      Audit Trial: {Result=[Createdate:20130409,
      Priority: HIGH,
      Requestedby:, johndoe (JOHNDOE),
      Requestnumber: 9000001341,
      Status: Decision pending,
      Submittedby:, johndoe (JOHNDOE),
      auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,
      Description:,
      Display String: Request 9000001341 of type New Account Submitted by johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}],
      Status=0_Data Populated successfully}

    • Request Status

      Audit Trial: {Result=[Createdate:20130409,
      Priority:HIGH,
      Requestedby:,johndoe (JOHNDOE),
      Requestnumber: 9000001341,
      Status: Approved,
      Submittedby:, johndoe (JOHNDOE),
      auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,
      Description:,
      Display String: Request 9000001341 of type New Account Submitted by johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH,
      ID: 000C290FC2851ED2A899DAF9961C91E2,Description:,Display String:Request is pending for approval at path GRAC_DEFAULT_PATH stage GRAC_MANAGER,
      ID: 000C290FC2851ED2A89A1400B60631E2,
      Description:,
      Display String: Approved by JOHNDOE at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,
      ID: 000C290FC2851ED2A89A150972D091E2,
      Description:,
      Display String: Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,
      ID: 000C290FC2851ED2A89A150972D111E2,
      Description:,
      Display String: Approval path processing is finished, end of path reached,
      ID: 000C290FC2851ED2A89A150972D151E2,
      Description:,
      Display String: Request is closed}],
      Status=0_Data Populated successfully}

    • Modify Request (First Name)

      Audit Trial: {Result=[Createdate:20130409,
      Priority: HIGH,
      Requestedby:, johndoe (JOHNDOE),
      Requestnumber: 9000001342,
      Status: Decision pending,
      Submittedby:,johndoe (JOHNDOE),
      auditlogData:{,
      ID: 000C290FC2851ED2A89A3ED3B1D7B1E2,
      Description:,
      Display String: Request 9000001342 of type Change Account Submitted by johndoe ( JOHNDOE ) for JK1FirstName JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}],
      Status=0_Data Populated successfully}
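    The audit trail above is written to the connector log as one "Audit Trial: {...}" record per GRC call. The following parser is an added example, not code from the connector or this guide: it extracts the request number, the GRC request status, the connector call status and the ordered auditlogData entries from such a record, using a constructed sample line in the same format, so a reviewer can check that an access request actually reached "Request is closed" rather than relying on the connector's own status alone. Function names are the example's own.

```python
import re

# Constructed sample of one connector log line, in the shape of the
# "Request Status" audit trail shown above (IDs/request number taken from it).
SAMPLE_LINE = (
    "Audit Trial: {Result=[Createdate:20130409, Priority:HIGH, "
    "Requestedby:,johndoe (JOHNDOE), Requestnumber: 9000001341, "
    "Status: Approved, Submittedby:, johndoe (JOHNDOE), "
    "auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2, Description:, "
    "Display String: Request 9000001341 of type New Account Submitted by "
    "johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH, "
    "ID: 000C290FC2851ED2A899DAF9961C91E2,Description:,Display String:Request is "
    "pending for approval at path GRAC_DEFAULT_PATH stage GRAC_MANAGER, "
    "ID: 000C290FC2851ED2A89A1400B60631E2, Description:, Display String: "
    "Approved by JOHNDOE at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER, "
    "ID: 000C290FC2851ED2A89A150972D151E2, Description:, "
    "Display String: Request is closed}], Status=0_Data Populated successfully}"
)

# Header fields precede 'auditlogData:{'; some are written as 'Key:, value'.
_HEADER = re.compile(
    r"(Createdate|Priority|Requestedby|Requestnumber|Status|Submittedby):\s*,?\s*([^,]*)")
# Each audit entry is an ID / Description / Display String triple; the display
# string runs until the next 'ID:' or the '}]' that closes auditlogData.
_ENTRY = re.compile(
    r"ID:\s*([0-9A-F]+),\s*Description:([^,]*),\s*Display String:\s*(.*?)(?=,\s*ID:|\}\])",
    re.S)
_CALL_STATUS = re.compile(r"Status=([^}]*)\}\s*$")


def parse_audit_trail(line: str) -> dict:
    """Parse one 'Audit Trial: {...}' log line into header fields plus an
    ordered list of (entry id, description, display string) tuples."""
    head, sep, tail = line.partition("auditlogData:{")
    if not sep:
        raise ValueError("not an audit trail line")
    record = {k: v.strip() for k, v in _HEADER.findall(head)}
    call = _CALL_STATUS.search(line)
    # Trailing 'Status=...' is the connector call result, not the GRC request status.
    record["CallStatus"] = call.group(1).strip() if call else ""
    record["Entries"] = [(i, d.strip(), s.strip()) for i, d, s in _ENTRY.findall(tail)]
    return record


def is_closed(record: dict) -> bool:
    """True when GRC reports the request approved and its audit log ends with
    closure, i.e. the access request completed the whole approval path."""
    entries = record["Entries"]
    return record.get("Status") == "Approved" and bool(entries) \
        and entries[-1][2] == "Request is closed"
```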

  8. What is the purpose of SAP UME Roles resource object available with the connector?

    Answer: These resource objects must be used only with Oracle Identity Manager 11g Release 1 (11.1.1). They are used in Oracle Identity Manager release 11.1.1 to serve the same purpose as entitlements do in Oracle Identity Manager 11g Release 2 (11.1.2). They are not required in Oracle Identity Manager release 11.1.2.

  9. After changing the mapped adapter for Delete User Task, the responses within the task are not available in the Responses Tab because of which the task fails or the description of executed task is blank. Should the responses be added manually?

    Answer: Yes. If the responses are not available after changing the adapter, add the following responses manually:

    Response              Description                               Status
    INVALID_CREDENTIAL    Unauthorized user login                   R
    CONNECTION_FAILED     Cannot make connection to the resource    R
    UNKNOWN_UID           User does not exist in the target         R
    UNKNOWN               Unknown                                   R
    CONNECTOR_EXCEPTION   User deletion failed                      R
    ERROR                 Error occurred during delete user         R
    SUCCESS               User deletion successful                  C

  10. I had configured the SAP UME connector for Access Request Management and have users provisioned through GRC. Now I have reverted the connector to the default type without the Access Request Management feature. When I try to update an existing user, the task fails. Do I need to run any scheduled job before performing operations on the existing users provisioned through Access Request Management?

    Answer: Yes, run a full reconciliation once using the SAP UME User Reconciliation scheduled job before performing any provisioning operations.

  11. I have installed the SAP UME connector in my Oracle Identity Governance environment. I see the following exception while provisioning the user. How do I work around this issue?

    Exception: org.identityconnectors.framework.common.exceptions.ConnectorException: The HTTP request is not valid.

    Answer: Perform the following procedure as a workaround for this issue:

    1. Log in at the operating system level of the SAP NW7.4 UME host and navigate to the following path:

      D:\usr\sap\<SID>\SYS\PROFILE\

    2. Edit DEFAULT.PFL as follows:

      #icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_filter_rules.txt

    3. Run configtool.sh from the configtool directory under the profile directory, as shown in the following path:

      cd /usr/sap/<SID>/j2ee/configtool

      ./configtool.sh

    4. When the Configtool GUI opens, change the value of the use.spml.http_header_check_active parameter to false if it is set to true.

  12. During a Create User provisioning operation, does the SAP UME AC connector provision attributes that are mapped directly to SAP ECC system without GRC?

    Answer: No. For account creation request in GRC, the request is created only with the GRC attributes. Attributes mapped directly to SAP ECC system are not part of the create operation. Once the request is approved and the account is provisioned to the SAP ECC system (backend ABAP system), these attributes (mapped directly to SAP) can be provisioned as part of the update operation.

  13. I am using Oracle Identity Manager 11.1.x and SOD violation is not working in GRC10.1 with NW7.5. Why is it so?

    Answer: You must apply the one-off fix for bug 23582379 or the BP.