8 Known Issues for the SAP User Management Connector
These are the known issues and workarounds associated with this release of the connector.
8.1 Connector Issues
These are the issues and workarounds associated with the connector.
8.1.1 Error During SoD Check
During SoD check, when the data that is returned from SAP GRC webservices crosses 4000 characters, only the first 4000 characters are displayed.
Workaround: If the size of the violation details obtained from SAP GRC target system is more than 4000 characters, then you must update the Length of the SODCheckViolation field as per the expected size of the violation data.
8.1.2 SAP UM 12c Connector and SAP ER 9.x connector Do Not Work
The ICF-based SAP User Management connector and the legacy SAP ER connector do not work together with Oracle Identity Governance because ICF uses a different class loader for each connector bundle. When both the connectors are installed, the connector bundle that creates the first connection works. When the second bundle tries to create a connection, it tries to register the data provider that is already registered by first bundle. Then, it throws an error, "DestinationDataProvider already registered".
Workaround: To use both the SAP User Management connector and the legacy SAP ER connector, deploy the SAP UM connector in a connector server and deploy the SAP ER connector in Oracle Identity Governance.
8.1.3 Postupgrade Issue
Before upgrading the connector, the following lookup default decode values are upgraded with target configuration values:
-
Lookup.SAPABAP.Configuration
-
Lookup.SAPABAP.UM.ProvAttrMap
-
Lookup.SAPABAP.UM.ReconAttrMap
-
Lookup.SAPAC10ABAP.Configuration
-
Lookup.SAPAC10ABAP.UM.ProvAttrMap
-
Lookup.SAPAC10ABAP.UM.ReconAttrMap
Table 8-1 Entries in the Lookup.SAPABAP.Configuration Lookup Definition
Code Key | Decode |
---|---|
CodeKey |
Decode |
aliasUser |
none |
batchSize |
100 |
Bundle Name |
org.identityconnectors.sap |
Bundle Version |
12.3.0 |
changePasswordAtNextLogon |
no |
codePage |
none |
compositeRoles |
no |
Connector Name |
org.identityconnectors.sap.SAPConnector |
cuaChildInitialPasswordChangeFuncModule |
ZXLCBAPI_ZXLCUSR_PW_CHANGE |
cuaChildPasswordChangeFuncModule |
ZXLCBAPI_ZXLCUSR_PASSWORDCHNGE |
disableLockStatus |
64 |
enableCUA |
no |
entitlementRiskAnalysisAccessURL |
|
entitlementRiskAnalysisWS |
oracle.iam.grc.sod.scomp.impl.grcsap.util.webservice.sap.ac10.RiskAnalysisWithoutNo |
gatewayHost |
none |
gatewayService |
none |
getSSO2 |
none |
groups |
GROUPS~USERGROUP |
lCheck |
none |
mySAPSSO2 |
none |
overwriteLink |
no |
parameters |
PARAMETER1~PARID;PARVA |
passwordPropagateToChildSystem |
no |
ProfileAttributeLabel |
Profile Name |
Profile attribute name |
USERPROFILE |
Profile form names |
UD_SPUMPC_P;UD_SPUM_PRO |
profiles |
PROFILES~SUBSYSTEM;PROFILE |
reconcilefuturedatedroles |
yes |
reconcilepastdatedroles |
yes |
repositoryDestination |
none |
repositoryPassword |
none |
repositorySNCMode |
none |
repositoryUser |
none |
riskLevel |
3 |
RoleAttributeLabel |
Role Name |
Role attribute name |
USERROLE |
Role form names |
UD_SPUMRC_P;UD_SAPRL |
roles |
ACTIVITYGROUPS~SUBSYSTEM;AGR_NAME;TO_DAT;FROM_DAT;ORG_FLAG |
sapSystemTimeZone |
IST |
singleRoles |
yes |
SOD Configuration lookup |
Lookup.SAPABAP.Configuration |
tpHost |
none |
tpName |
none |
type |
none |
User Configuration Lookup |
Lookup.SAPABAP.UM.Configuration |
validatePERNR |
no |
wsdlFilePath |
none |
Table 8-2 Entries in the Lookup.SAPABAP.UM.ProvAttrMap
Code Key | Decode Key |
---|---|
Accounting Number |
ACCNT;LOGONDATA;ACCNT;LOGONDATAX |
Alias |
USERALIAS;ALIAS;BAPIALIAS;ALIASX |
Building |
BUILDING_P;ADDRESS;BUILDING_P;ADDRESSX |
Communication Type[Lookup] |
COMM_TYPE;ADDRESS;COMM_TYPE;ADDRESSX |
Company[Lookup] |
COMPANY;COMPANY;COMPANY;COMPANYX |
Contractual User Type[Lookup] |
LIC_TYPE;UCLASS;UCLASS;UCLASSX |
Cost Center |
KOSTL;DEFAULTS;KOSTL;DEFAULTSX |
Date Format[Lookup] |
DATFM;DEFAULTS;DATFM;DEFAULTSX |
Decimal Notation[Lookup] |
DCPFM;DEFAULTS;DCPFM;DEFAULTSX |
Department |
DEPARTMENT;ADDRESS;DEPARTMENT;ADDRESSX |
E Mail |
E_MAIL;ADDRESS;E_MAIL;ADDRESSX |
Fax Extension |
FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX |
Fax Number |
FAX_NUMBER;ADDRESS;FAX_NUMBER;ADDRESSX |
First Name |
FIRSTNAME;ADDRESS;FIRSTNAME;ADDRESSX |
Floor |
FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX |
Function |
FUNCTION;ADDRESS;FUNCTION;ADDRESSX |
Group Name[Lookup] |
CLASS;LOGONDATA;CLASS;LOGONDATAX |
Language Communication[Lookup] |
LANGU_P;ADDRESS;LANGU_P;ADDRESSX |
Last Name |
LASTNAME;ADDRESS;LASTNAME;ADDRESSX |
Logon Language[Lookup] |
LANGU;DEFAULTS;LANGU;DEFAULTSX |
Password |
__PASSWORD__ |
Personnel Number |
PERNR |
Room Number |
ROOM_NO_P;ADDRESS;ROOM_NO_P;ADDRESSX |
Start Menu |
START_MENU;DEFAULTS;START_MENU;DEFAULTSX |
Telephone Extension |
TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX |
Telephone Number |
TEL1_NUMBR;ADDRESS;TEL1_NUMBR;ADDRESSX |
Time Zone[Lookup] |
TZONE;LOGONDATA;TZONE;LOGONDATAX |
Title[Lookup] |
TITLE_P;ADDRESS;TITLE_P;ADDRESSX |
UD_SAP_GP~User Group[Lookup] |
groups~GROUPS~USERGROUP |
UD_SAP_PARA~Parameter ID[Lookup] |
parameters~PARAMETER1~PARID |
UD_SAP_PARA~Parameter Value |
parameters~PARAMETER1~PARVA |
UD_SAPRL~End Date[Date] |
roles~ACTIVITYGROUPS~TO_DAT |
UD_SAPRL~Role Name[Lookup] |
roles~ACTIVITYGROUPS~AGR_NAME |
UD_SAPRL~Start Date[Date] |
roles~ACTIVITYGROUPS~FROM_DAT |
UD_SPUM_PRO~Profile Name[Lookup] |
profiles~PROFILES~PROFILE |
Unique ID |
__UID__ |
User ID |
__NAME__ |
User Lock |
__LOCK_OUT__ |
User Type[Lookup] |
USTYP;LOGONDATA;USTYP;LOGONDATAX |
Valid From[Date] |
GLTGV;LOGONDATA;GLTGV;LOGONDATAX |
Valid Through[Date] |
GLTGB;LOGONDATA;GLTGB;LOGONDATAX |
Table 8-3 Entries in the Lookup.SAPABAP.UM.ReconAttrMap Lookup Definition
Code Key | Decode Key |
---|---|
Accounting Number |
ACCNT;LOGONDATA |
Alias |
USERALIAS;ALIAS |
Building |
BUILDING_P;ADDRESS |
Communication Type[Lookup] |
COMM_TYPE;ADDRESS |
Company[Lookup] |
COMPANY;COMPANY |
Contractual User Type[Lookup] |
LIC_TYPE;UCLASS|UCLASSSYS |
Cost Center |
KOSTL;DEFAULTS |
Date Format[Lookup] |
DATFM;DEFAULTS |
Decimal Notation[Lookup] |
DCPFM;DEFAULTS |
Department |
DEPARTMENT;ADDRESS |
E Mail |
E_MAIL;ADDRESS |
Fax Extension |
FAX_EXTENS;ADDRESS |
Fax Number |
FAX_NUMBER;ADDRESS |
First Name |
FIRSTNAME;ADDRESS |
Floor |
FLOOR_P;ADDRESS |
Function |
FUNCTION;ADDRESS |
Group~User Group[Lookup] |
groups~GROUPS~USERGROUP |
Group Name[Lookup] |
CLASS;LOGONDATA |
Language Communication[Lookup] |
LANGU_P;ADDRESS |
Last Name |
LASTNAME;ADDRESS |
Logon Language[Lookup] |
LANGU;DEFAULTS |
Parameter~Parameter ID[Lookup] |
parameters~PARAMETER1~PARID |
Parameter~Parameter Value |
parameters~PARAMETER1~PARVA |
Profile~Profile Name[Lookup] |
profiles~PROFILES~PROFILE |
Profile~Profile System Name[Lookup] |
profiles~PROFILES~SUBSYSTEM |
Role~End Date[Date] |
roles~ACTIVITYGROUPS~TO_DAT |
Role~Role Name[Lookup] |
roles~ACTIVITYGROUPS~AGR_NAME |
Role~Role System Name[Lookup] |
roles~ACTIVITYGROUPS~SUBSYSTEM |
Role~Start Date[Date] |
roles~ACTIVITYGROUPS~FROM_DAT |
Room Number |
ROOM_NO_P;ADDRESS |
Start Menu |
START_MENU;DEFAULTS |
Status |
__ENABLE__ |
Telephone Extension |
TEL1_EXT;ADDRESS |
Telephone Number |
TEL1_NUMBR;ADDRESS |
Time Zone[Lookup] |
TZONE;LOGONDATA |
Title[Lookup] |
TITLE_P;ADDRESS |
Unique ID |
__UID__ |
User ID |
__UID__ |
User Lock |
__LOCK_OUT__ |
User Type[Lookup] |
USTYP;LOGONDATA |
Valid From[Date] |
GLTGV;LOGONDATA |
Valid Through[Date] |
GLTGB;LOGONDATA |
Table 8-4 Entries in the Lookup.SAPAC10ABAP.Configuration Lookup Definition
Code Key | Decode Key |
---|---|
aliasUser |
none |
appLookupAccessURL |
none |
appLookupWS |
oracle.iam.ws.sap.ac10.SelectApplication |
assignRoleReqType |
002~Change Account~002~006 |
auditLogsAccessURL |
none |
auditLogsWS |
oracle.iam.ws.sap.ac10.AuditLogs |
batchSize |
100 |
Bundle Name |
org.identityconnectors.sapacum |
Bundle Version |
12.3.0 |
changePasswordAtNextLogon |
no |
codePage |
none |
compositeRoles |
no |
Connector Name |
org.identityconnectors.sapacum.SAPACUMConnector |
createUserReqType |
001~New Account~001 |
cuaChildInitialPasswordChangeFuncModule |
ZXLCBAPI_ZXLCUSR_PW_CHANGE |
cuaChildPasswordChangeFuncModule |
ZXLCBAPI_ZXLCUSR_PASSWORDCHNGE |
deleteUserReqType |
003~Delete Account~003 |
disableLockStatus |
64 |
enableCUA |
no |
gatewayHost |
none |
gatewayService |
none |
getSSO2 |
none |
groups |
GROUPS~USERGROUP |
ignoreOpenStatus |
Yes |
lCheck |
none |
lockUserReqType |
004~Lock Account~004 |
logAuditTrial |
Yes |
modifyUserReqType |
002~Change Account~002 |
mySAPSSO2 |
none |
otherLookupAccessURL |
none |
otherLookupWS |
oracle.iam.ws.sap.ac10.SearchLookup |
overwriteLink |
no |
parameters |
PARAMETER1~PARID;PARTXT |
passwordPropagateToChildSystem |
no |
profiles |
PROFILES~SUBSYSTEM;PROFILE |
provActionAttrName |
provAction;ReqLineItem |
provItemActionAttrName |
provItemAction;ReqLineItem |
reconcilefuturedatedroles |
yes |
reconcilepastdatedroles |
yes |
removeRoleReqType |
002~Change Account~002~009 |
repositoryDestination |
none |
repositoryPassword |
none |
repositorySNCMode |
none |
repositoryUser |
none |
requestStatusAccessURL |
none |
requestStatusValue |
OK |
requestStatusWS |
oracle.iam.ws.sap.ac10.RequestStatus |
requestTypeAttrName |
Reqtype;Header |
riskLevel |
High |
roleLookupAccessURL |
none |
roleLookupWS |
oracle.iam.ws.sap.ac10.SearchRoles |
roles |
ACTIVITYGROUPS~SUBSYSTEM;AGR_NAME;TO_DAT;FROM_DAT;ORG_FLAG |
sapSystemTimeZone |
PST |
singleRoles |
yes |
Status Configuration Lookup |
Lookup.SAPACABAP.Status.Configuration |
tpHost |
none |
tpName |
none |
type |
none |
unlockUserReqType |
005~unlock user~005 |
userAccessAccessURL |
none |
userAccessWS |
oracle.iam.ws.sap.ac10.UserAccess |
User Configuration Lookup |
Lookup.SAPAC10ABAP.UM.Configuration |
validatePERNR |
no |
wsdlFilePath |
none |
Table 8-5 Entries in the Lookup.SAPAC10ABAP.UM.ProvAttrMap Lookup Definition
Code Key | Decode Key |
---|---|
AC Business Process[Lookup] |
bproc;Header |
Accounting Number |
accno;UserInfo |
AC Functional Area[Lookup] |
funcarea;Header |
AC Manager |
manager;UserInfo |
AC Manager email |
managerEmail;UserInfo |
AC Manager First Name |
managerFirstname;UserInfo |
AC Manager Last Name |
managerLastname;UserInfo |
AC Priority[Lookup] |
priority;Header |
AC Request Due Date[Date] |
reqDueDate;Header |
AC Request Id[WRITEBACK] |
RequestId |
AC Requestor email |
email;Header |
AC Requestor ID |
requestorId;Header |
AC Request Reason |
requestReason;Header |
AC Request Status[WRITEBACK] |
RequestStatus |
AC Request Type[WRITEBACK] |
RequestType |
AC System[Lookup] |
reqInitSystem;Header |
Alias |
alias;UserInfo |
Building |
BUILDING_P;ADDRESS;BUILDING_P;ADDRESSX |
Communication Type |
commMethod;UserInfo |
Company[Lookup] |
COMPANY;COMPANY;COMPANY;COMPANYX |
Contractual User Type[Lookup] |
LIC_TYPE;UCLASS;UCLASS;UCLASSX |
Cost Center |
costcenter;UserInfo |
Date Format |
dateFormat;UserInfo |
Decimal Notation |
decNotation;UserInfo |
Department |
DEPARTMENT;ADDRESS;DEPARTMENT;ADDRESSX |
E Mail |
email;UserInfo |
Fax Extension |
FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX |
Fax Number |
fax;UserInfo |
First Name |
fname;UserInfo |
Floor |
FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX |
Function |
FUNCTION;ADDRESS;FUNCTION;ADDRESSX |
Group Name[Lookup] |
CLASS;LOGONDATA;CLASS;LOGONDATAX |
Language Communication[Lookup] |
LANGU_P;ADDRESS;LANGU_P;ADDRESSX |
Last Name |
lname;UserInfo |
Logon Language |
logonLang;UserInfo |
Password |
__PASSWORD__ |
Personnel Number |
PERNR |
Room Number |
ROOM_NO_P;ADDRESS;ROOM_NO_P;ADDRESSX |
Start Menu |
startMenu;UserInfo |
Telephone Extension |
TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX |
Telephone Number |
telnumber;UserInfo |
Time Zone[Lookup] |
TZONE;LOGONDATA;TZONE;LOGONDATAX |
Title[Lookup] |
title;UserInfo |
UD_UMAC_GRP~User Group[Lookup] |
userGroup;UserGroup |
UD_UMAC_PRM~Parameter ID[Lookup] |
parameters~PARAMETER1~parameter;Parameter |
UD_UMAC_PRM~Parameter Value |
parameters~PARAMETER1~parameterValue;Parameter |
UD_UMAC_PRO~Profile Name[Lookup] |
profiles~PROFILES~itemName;ReqLineItem |
UD_UMAC_PRO~Profile System Name[Lookup] |
profiles~PROFILES~connector;ReqLineItem |
UD_UMAC_ROL~End Date[Date] |
roles~ACTIVITYGROUPS~ValidTo;ReqLineItem |
UD_UMAC_ROL~Role Name[Lookup] |
roles~ACTIVITYGROUPS~itemName;ReqLineItem |
UD_UMAC_ROL~Role System Name[Lookup] |
roles~ACTIVITYGROUPS~connector;ReqLineItem |
UD_UMAC_ROL~Start Date[Date] |
roles~ACTIVITYGROUPS~validFrom;ReqLineItem |
Unique ID |
__UID__ |
User Group[Lookup] |
userGroup;UserInfo |
User ID |
__NAME__ |
User Lock |
userLock;None |
User Type |
userType;UserInfo |
Valid From[Date] |
validFrom;UserInfo |
Valid Through[Date] |
validTo;UserInfo |
Table 8-6 Entries in the Lookup.SAPAC10ABAP.UM.ReconAttrMap Lookup Definition
Code Key | Decode Key |
---|---|
Accounting Number |
accno;UserInfo |
Alias |
alias;UserInfo |
Building |
BUILDING_P;ADDRESS;BUILDING_P;ADDRESSX |
Communication Type[Lookup] |
commMethod;UserInfo |
Company[Lookup] |
COMPANY;COMPANY;COMPANY;COMPANYX |
Contractual User Type[Lookup] |
LIC_TYPE;UCLASS;UCLASS;UCLASSX |
Cost Center |
costcenter;UserInfo |
Date Format[Lookup] |
dateFormat;UserInfo |
Decimal Notation[Lookup] |
decNotation;UserInfo |
Department |
DEPARTMENT;ADDRESS;DEPARTMENT;ADDRESSX |
E Mail |
email;UserInfo |
Fax Extension |
FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX |
Fax Number |
fax;UserInfo |
First Name |
fname;UserInfo |
Floor |
FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX |
Function |
FUNCTION;ADDRESS;FUNCTION;ADDRESSX |
Group~User Group[Lookup] |
groups~GROUPS~USERGROUP |
Group Name[Lookup] |
CLASS;LOGONDATA;CLASS;LOGONDATAX |
Language Communication[Lookup] |
LANGU_P;ADDRESS;LANGU_P;ADDRESSX |
Last Name |
lname;UserInfo |
Logon Language[Lookup] |
logonLang;UserInfo |
Parameter~Parameter ID[Lookup] |
parameters~PARAMETER1~parameter;Parameter |
Parameter~Parameter Value |
parameters~PARAMETER1~parameterValue;Parameter |
Profile~Profile Name[Lookup] |
profiles~PROFILES~itemName;ReqLineItem |
Profile~Profile System Name[Lookup] |
profiles~PROFILES~connector;ReqLineItem |
Role~End Date[Date] |
roles~ACTIVITYGROUPS~ValidTo;ReqLineItem |
Role~Role Name[Lookup] |
roles~ACTIVITYGROUPS~itemName;ReqLineItem |
Role~Role System Name[Lookup] |
roles~ACTIVITYGROUPS~connector;ReqLineItem |
Role~Start Date[Date] |
roles~ACTIVITYGROUPS~validFrom;ReqLineItem |
Room Number |
ROOM_NO_P;ADDRESS;ROOM_NO_P;ADDRESSX |
Start Menu |
startMenu;UserInfo |
Status |
__ENABLE__ |
Telephone Extension |
TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX |
Telephone Number |
telnumber;UserInfo |
Time Zone[Lookup] |
TZONE;LOGONDATA;TZONE;LOGONDATAX |
Title[Lookup] |
title;UserInfo |
Unique ID |
__UID__ |
User ID |
__NAME__ |
User Lock |
userLock;None |
User Type[Lookup] |
userType;UserInfo |
Valid From[Date] |
validFrom;UserInfo |
Valid Through[Date] |
validTo;UserInfo |
Workaround: Delete each instance of the duplicate entries.
8.2 Oracle Identity Governance Issues
These are issues and workarounds associated with Oracle Identity Governance.
8.2.1 Revoke Account Task Rejected and Unable to Update OIG Account
In Access Request Management (AC) flow, if you trigger a revoke account in OIG and reject the revoke request for the same account in GRC, then the account is still active in the SAP ECC system (backend ABAP system) and you cannot modify the account details in OIG.
Workaround: There is no workaround for this issue.
8.2.2 Application Server Error Whenever a JAR File is Updated or Modified
Whenever a JAR file is updated or modified, the application server tries to register SAP destination data provider (SAP JCO) even though it is already registered. Therefore, the application server throws the following error:
java.lang.UnsatisfiedLinkError: Native Library /usr/local/jco/libsapjco3.sojava.lang.UnsatisfiedLinkError: Native Library /usr/local/jco/libsapjco3.dll
Workaround: Restart the application server if any JAR is updated or modified in the Oracle Identity Governance server.