8 Known Issues for the SAP User Management Connector

These are the known issues and workarounds associated with this release of the connector.

8.1 Connector Issues

These are the issues and workarounds associated with the connector.

8.1.1 Error During SoD Check

During an SoD check, when the data returned from the SAP GRC web services exceeds 4000 characters, only the first 4000 characters are displayed.

Workaround: If the violation details obtained from the SAP GRC target system are longer than 4000 characters, then you must update the Length of the SODCheckViolation field to match the expected size of the violation data.

8.1.2 SAP UM 12c Connector and SAP ER 9.x Connector Do Not Work

The ICF-based SAP User Management connector and the legacy SAP ER connector do not work together with Oracle Identity Governance because ICF uses a different class loader for each connector bundle. When both connectors are installed, the connector bundle that creates the first connection works. When the second bundle tries to create a connection, it tries to register the data provider that the first bundle has already registered, and it throws the error "DestinationDataProvider already registered".

Workaround: To use both the SAP User Management connector and the legacy SAP ER connector, deploy the SAP UM connector in a connector server and deploy the SAP ER connector in Oracle Identity Governance.

8.1.3 Postupgrade Issue

Before upgrading the connector, the following lookup default decode values are upgraded with target configuration values:

  • Lookup.SAPABAP.Configuration

  • Lookup.SAPABAP.UM.ProvAttrMap

  • Lookup.SAPABAP.UM.ReconAttrMap

  • Lookup.SAPAC10ABAP.Configuration

  • Lookup.SAPAC10ABAP.UM.ProvAttrMap

  • Lookup.SAPAC10ABAP.UM.ReconAttrMap

After the connector is upgraded, it generates duplicate entries with decode default values as shown in the following tables:

Table 8-1 Entries in the Lookup.SAPABAP.Configuration Lookup Definition

| Code Key | Decode |
| --- | --- |
| aliasUser | none |
| batchSize | 100 |
| Bundle Name | org.identityconnectors.sap |
| Bundle Version | 12.3.0 |
| changePasswordAtNextLogon | no |
| codePage | none |
| compositeRoles | no |
| Connector Name | org.identityconnectors.sap.SAPConnector |
| cuaChildInitialPasswordChangeFuncModule | ZXLCBAPI_ZXLCUSR_PW_CHANGE |
| cuaChildPasswordChangeFuncModule | ZXLCBAPI_ZXLCUSR_PASSWORDCHNGE |
| disableLockStatus | 64 |
| enableCUA | no |
| entitlementRiskAnalysisAccessURL | |
| entitlementRiskAnalysisWS | oracle.iam.grc.sod.scomp.impl.grcsap.util.webservice.sap.ac10.RiskAnalysisWithoutNo |
| gatewayHost | none |
| gatewayService | none |
| getSSO2 | none |
| groups | GROUPS~USERGROUP |
| lCheck | none |
| mySAPSSO2 | none |
| overwriteLink | no |
| parameters | PARAMETER1~PARID;PARVA |
| passwordPropagateToChildSystem | no |
| ProfileAttributeLabel | Profile Name |
| Profile attribute name | USERPROFILE |
| Profile form names | UD_SPUMPC_P;UD_SPUM_PRO |
| profiles | PROFILES~SUBSYSTEM;PROFILE |
| reconcilefuturedatedroles | yes |
| reconcilepastdatedroles | yes |
| repositoryDestination | none |
| repositoryPassword | none |
| repositorySNCMode | none |
| repositoryUser | none |
| riskLevel | 3 |
| RoleAttributeLabel | Role Name |
| Role attribute name | USERROLE |
| Role form names | UD_SPUMRC_P;UD_SAPRL |
| roles | ACTIVITYGROUPS~SUBSYSTEM;AGR_NAME;TO_DAT;FROM_DAT;ORG_FLAG |
| sapSystemTimeZone | IST |
| singleRoles | yes |
| SOD Configuration lookup | Lookup.SAPABAP.Configuration |
| tpHost | none |
| tpName | none |
| type | none |
| User Configuration Lookup | Lookup.SAPABAP.UM.Configuration |
| validatePERNR | no |
| wsdlFilePath | none |

The following table lists the code and decode key of the Lookup.SAPABAP.UM.ProvAttrMap lookup.

Table 8-2 Entries in the Lookup.SAPABAP.UM.ProvAttrMap

| Code Key | Decode Key |
| --- | --- |
| Accounting Number | ACCNT;LOGONDATA;ACCNT;LOGONDATAX |
| Alias | USERALIAS;ALIAS;BAPIALIAS;ALIASX |
| Building | BUILDING_P;ADDRESS;BUILDING_P;ADDRESSX |
| Communication Type[Lookup] | COMM_TYPE;ADDRESS;COMM_TYPE;ADDRESSX |
| Company[Lookup] | COMPANY;COMPANY;COMPANY;COMPANYX |
| Contractual User Type[Lookup] | LIC_TYPE;UCLASS;UCLASS;UCLASSX |
| Cost Center | KOSTL;DEFAULTS;KOSTL;DEFAULTSX |
| Date Format[Lookup] | DATFM;DEFAULTS;DATFM;DEFAULTSX |
| Decimal Notation[Lookup] | DCPFM;DEFAULTS;DCPFM;DEFAULTSX |
| Department | DEPARTMENT;ADDRESS;DEPARTMENT;ADDRESSX |
| E Mail | E_MAIL;ADDRESS;E_MAIL;ADDRESSX |
| Fax Extension | FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX |
| Fax Number | FAX_NUMBER;ADDRESS;FAX_NUMBER;ADDRESSX |
| First Name | FIRSTNAME;ADDRESS;FIRSTNAME;ADDRESSX |
| Floor | FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX |
| Function | FUNCTION;ADDRESS;FUNCTION;ADDRESSX |
| Group Name[Lookup] | CLASS;LOGONDATA;CLASS;LOGONDATAX |
| Language Communication[Lookup] | LANGU_P;ADDRESS;LANGU_P;ADDRESSX |
| Last Name | LASTNAME;ADDRESS;LASTNAME;ADDRESSX |
| Logon Language[Lookup] | LANGU;DEFAULTS;LANGU;DEFAULTSX |
| Password | __PASSWORD__ |
| Personnel Number | PERNR |
| Room Number | ROOM_NO_P;ADDRESS;ROOM_NO_P;ADDRESSX |
| Start Menu | START_MENU;DEFAULTS;START_MENU;DEFAULTSX |
| Telephone Extension | TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX |
| Telephone Number | TEL1_NUMBR;ADDRESS;TEL1_NUMBR;ADDRESSX |
| Time Zone[Lookup] | TZONE;LOGONDATA;TZONE;LOGONDATAX |
| Title[Lookup] | TITLE_P;ADDRESS;TITLE_P;ADDRESSX |
| UD_SAP_GP~User Group[Lookup] | groups~GROUPS~USERGROUP |
| UD_SAP_PARA~Parameter ID[Lookup] | parameters~PARAMETER1~PARID |
| UD_SAP_PARA~Parameter Value | parameters~PARAMETER1~PARVA |
| UD_SAPRL~End Date[Date] | roles~ACTIVITYGROUPS~TO_DAT |
| UD_SAPRL~Role Name[Lookup] | roles~ACTIVITYGROUPS~AGR_NAME |
| UD_SAPRL~Start Date[Date] | roles~ACTIVITYGROUPS~FROM_DAT |
| UD_SPUM_PRO~Profile Name[Lookup] | profiles~PROFILES~PROFILE |
| Unique ID | __UID__ |
| User ID | __NAME__ |
| User Lock | __LOCK_OUT__ |
| User Type[Lookup] | USTYP;LOGONDATA;USTYP;LOGONDATAX |
| Valid From[Date] | GLTGV;LOGONDATA;GLTGV;LOGONDATAX |
| Valid Through[Date] | GLTGB;LOGONDATA;GLTGB;LOGONDATAX |

The following table lists the code and decode key of the Lookup.SAPABAP.UM.ReconAttrMap lookup.

Table 8-3 Entries in the Lookup.SAPABAP.UM.ReconAttrMap Lookup Definition

| Code Key | Decode Key |
| --- | --- |
| Accounting Number | ACCNT;LOGONDATA |
| Alias | USERALIAS;ALIAS |
| Building | BUILDING_P;ADDRESS |
| Communication Type[Lookup] | COMM_TYPE;ADDRESS |
| Company[Lookup] | COMPANY;COMPANY |
| Contractual User Type[Lookup] | LIC_TYPE;UCLASS|UCLASSSYS |
| Cost Center | KOSTL;DEFAULTS |
| Date Format[Lookup] | DATFM;DEFAULTS |
| Decimal Notation[Lookup] | DCPFM;DEFAULTS |
| Department | DEPARTMENT;ADDRESS |
| E Mail | E_MAIL;ADDRESS |
| Fax Extension | FAX_EXTENS;ADDRESS |
| Fax Number | FAX_NUMBER;ADDRESS |
| First Name | FIRSTNAME;ADDRESS |
| Floor | FLOOR_P;ADDRESS |
| Function | FUNCTION;ADDRESS |
| Group~User Group[Lookup] | groups~GROUPS~USERGROUP |
| Group Name[Lookup] | CLASS;LOGONDATA |
| Language Communication[Lookup] | LANGU_P;ADDRESS |
| Last Name | LASTNAME;ADDRESS |
| Logon Language[Lookup] | LANGU;DEFAULTS |
| Parameter~Parameter ID[Lookup] | parameters~PARAMETER1~PARID |
| Parameter~Parameter Value | parameters~PARAMETER1~PARVA |
| Profile~Profile Name[Lookup] | profiles~PROFILES~PROFILE |
| Profile~Profile System Name[Lookup] | profiles~PROFILES~SUBSYSTEM |
| Role~End Date[Date] | roles~ACTIVITYGROUPS~TO_DAT |
| Role~Role Name[Lookup] | roles~ACTIVITYGROUPS~AGR_NAME |
| Role~Role System Name[Lookup] | roles~ACTIVITYGROUPS~SUBSYSTEM |
| Role~Start Date[Date] | roles~ACTIVITYGROUPS~FROM_DAT |
| Room Number | ROOM_NO_P;ADDRESS |
| Start Menu | START_MENU;DEFAULTS |
| Status | __ENABLE__ |
| Telephone Extension | TEL1_EXT;ADDRESS |
| Telephone Number | TEL1_NUMBR;ADDRESS |
| Time Zone[Lookup] | TZONE;LOGONDATA |
| Title[Lookup] | TITLE_P;ADDRESS |
| Unique ID | __UID__ |
| User ID | __UID__ |
| User Lock | __LOCK_OUT__ |
| User Type[Lookup] | USTYP;LOGONDATA |
| Valid From[Date] | GLTGV;LOGONDATA |
| Valid Through[Date] | GLTGB;LOGONDATA |

The following table lists the code and decode keys in the Lookup.SAPAC10ABAP.Configuration.

Table 8-4 Entries in the Lookup.SAPAC10ABAP.Configuration Lookup Definition

| Code Key | Decode Key |
| --- | --- |
| aliasUser | none |
| appLookupAccessURL | none |
| appLookupWS | oracle.iam.ws.sap.ac10.SelectApplication |
| assignRoleReqType | 002~Change Account~002~006 |
| auditLogsAccessURL | none |
| auditLogsWS | oracle.iam.ws.sap.ac10.AuditLogs |
| batchSize | 100 |
| Bundle Name | org.identityconnectors.sapacum |
| Bundle Version | 12.3.0 |
| changePasswordAtNextLogon | no |
| codePage | none |
| compositeRoles | no |
| Connector Name | org.identityconnectors.sapacum.SAPACUMConnector |
| createUserReqType | 001~New Account~001 |
| cuaChildInitialPasswordChangeFuncModule | ZXLCBAPI_ZXLCUSR_PW_CHANGE |
| cuaChildPasswordChangeFuncModule | ZXLCBAPI_ZXLCUSR_PASSWORDCHNGE |
| deleteUserReqType | 003~Delete Account~003 |
| disableLockStatus | 64 |
| enableCUA | no |
| gatewayHost | none |
| gatewayService | none |
| getSSO2 | none |
| groups | GROUPS~USERGROUP |
| ignoreOpenStatus | Yes |
| lCheck | none |
| lockUserReqType | 004~Lock Account~004 |
| logAuditTrial | Yes |
| modifyUserReqType | 002~Change Account~002 |
| mySAPSSO2 | none |
| otherLookupAccessURL | none |
| otherLookupWS | oracle.iam.ws.sap.ac10.SearchLookup |
| overwriteLink | no |
| parameters | PARAMETER1~PARID;PARTXT |
| passwordPropagateToChildSystem | no |
| profiles | PROFILES~SUBSYSTEM;PROFILE |
| provActionAttrName | provAction;ReqLineItem |
| provItemActionAttrName | provItemAction;ReqLineItem |
| reconcilefuturedatedroles | yes |
| reconcilepastdatedroles | yes |
| removeRoleReqType | 002~Change Account~002~009 |
| repositoryDestination | none |
| repositoryPassword | none |
| repositorySNCMode | none |
| repositoryUser | none |
| requestStatusAccessURL | none |
| requestStatusValue | OK |
| requestStatusWS | oracle.iam.ws.sap.ac10.RequestStatus |
| requestTypeAttrName | Reqtype;Header |
| riskLevel | High |
| roleLookupAccessURL | none |
| roleLookupWS | oracle.iam.ws.sap.ac10.SearchRoles |
| roles | ACTIVITYGROUPS~SUBSYSTEM;AGR_NAME;TO_DAT;FROM_DAT;ORG_FLAG |
| sapSystemTimeZone | PST |
| singleRoles | yes |
| Status Configuration Lookup | Lookup.SAPACABAP.Status.Configuration |
| tpHost | none |
| tpName | none |
| type | none |
| unlockUserReqType | 005~unlock user~005 |
| userAccessAccessURL | none |
| userAccessWS | oracle.iam.ws.sap.ac10.UserAccess |
| User Configuration Lookup | Lookup.SAPAC10ABAP.UM.Configuration |
| validatePERNR | no |
| wsdlFilePath | none |

The following table lists the code and decode keys in the Lookup.SAPAC10ABAP.UM.ProvAttrMap lookup.

Table 8-5 Entries in the Lookup.SAPAC10ABAP.UM.ProvAttrMap Lookup Definition

| Code Key | Decode Key |
| --- | --- |
| AC Business Process[Lookup] | bproc;Header |
| Accounting Number | accno;UserInfo |
| AC Functional Area[Lookup] | funcarea;Header |
| AC Manager | manager;UserInfo |
| AC Manager email | managerEmail;UserInfo |
| AC Manager First Name | managerFirstname;UserInfo |
| AC Manager Last Name | managerLastname;UserInfo |
| AC Priority[Lookup] | priority;Header |
| AC Request Due Date[Date] | reqDueDate;Header |
| AC Request Id[WRITEBACK] | RequestId |
| AC Requestor email | email;Header |
| AC Requestor ID | requestorId;Header |
| AC Request Reason | requestReason;Header |
| AC Request Status[WRITEBACK] | RequestStatus |
| AC Request Type[WRITEBACK] | RequestType |
| AC System[Lookup] | reqInitSystem;Header |
| Alias | alias;UserInfo |
| Building | BUILDING_P;ADDRESS;BUILDING_P;ADDRESSX |
| Communication Type | commMethod;UserInfo |
| Company[Lookup] | COMPANY;COMPANY;COMPANY;COMPANYX |
| Contractual User Type[Lookup] | LIC_TYPE;UCLASS;UCLASS;UCLASSX |
| Cost Center | costcenter;UserInfo |
| Date Format | dateFormat;UserInfo |
| Decimal Notation | decNotation;UserInfo |
| Department | DEPARTMENT;ADDRESS;DEPARTMENT;ADDRESSX |
| E Mail | email;UserInfo |
| Fax Extension | FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX |
| Fax Number | fax;UserInfo |
| First Name | fname;UserInfo |
| Floor | FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX |
| Function | FUNCTION;ADDRESS;FUNCTION;ADDRESSX |
| Group Name[Lookup] | CLASS;LOGONDATA;CLASS;LOGONDATAX |
| Language Communication[Lookup] | LANGU_P;ADDRESS;LANGU_P;ADDRESSX |
| Last Name | lname;UserInfo |
| Logon Language | logonLang;UserInfo |
| Password | __PASSWORD__ |
| Personnel Number | PERNR |
| Room Number | ROOM_NO_P;ADDRESS;ROOM_NO_P;ADDRESSX |
| Start Menu | startMenu;UserInfo |
| Telephone Extension | TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX |
| Telephone Number | telnumber;UserInfo |
| Time Zone[Lookup] | TZONE;LOGONDATA;TZONE;LOGONDATAX |
| Title[Lookup] | title;UserInfo |
| UD_UMAC_GRP~User Group[Lookup] | userGroup;UserGroup |
| UD_UMAC_PRM~Parameter ID[Lookup] | parameters~PARAMETER1~parameter;Parameter |
| UD_UMAC_PRM~Parameter Value | parameters~PARAMETER1~parameterValue;Parameter |
| UD_UMAC_PRO~Profile Name[Lookup] | profiles~PROFILES~itemName;ReqLineItem |
| UD_UMAC_PRO~Profile System Name[Lookup] | profiles~PROFILES~connector;ReqLineItem |
| UD_UMAC_ROL~End Date[Date] | roles~ACTIVITYGROUPS~ValidTo;ReqLineItem |
| UD_UMAC_ROL~Role Name[Lookup] | roles~ACTIVITYGROUPS~itemName;ReqLineItem |
| UD_UMAC_ROL~Role System Name[Lookup] | roles~ACTIVITYGROUPS~connector;ReqLineItem |
| UD_UMAC_ROL~Start Date[Date] | roles~ACTIVITYGROUPS~validFrom;ReqLineItem |
| Unique ID | __UID__ |
| User Group[Lookup] | userGroup;UserInfo |
| User ID | __NAME__ |
| User Lock | userLock;None |
| User Type | userType;UserInfo |
| Valid From[Date] | validFrom;UserInfo |
| Valid Through[Date] | validTo;UserInfo |

The following table lists the code and decode keys in the Lookup.SAPAC10ABAP.UM.ReconAttrMap lookup.

Table 8-6 Entries in the Lookup.SAPAC10ABAP.UM.ReconAttrMap Lookup Definition

| Code Key | Decode Key |
| --- | --- |
| Accounting Number | accno;UserInfo |
| Alias | alias;UserInfo |
| Building | BUILDING_P;ADDRESS;BUILDING_P;ADDRESSX |
| Communication Type[Lookup] | commMethod;UserInfo |
| Company[Lookup] | COMPANY;COMPANY;COMPANY;COMPANYX |
| Contractual User Type[Lookup] | LIC_TYPE;UCLASS;UCLASS;UCLASSX |
| Cost Center | costcenter;UserInfo |
| Date Format[Lookup] | dateFormat;UserInfo |
| Decimal Notation[Lookup] | decNotation;UserInfo |
| Department | DEPARTMENT;ADDRESS;DEPARTMENT;ADDRESSX |
| E Mail | email;UserInfo |
| Fax Extension | FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX |
| Fax Number | fax;UserInfo |
| First Name | fname;UserInfo |
| Floor | FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX |
| Function | FUNCTION;ADDRESS;FUNCTION;ADDRESSX |
| Group~User Group[Lookup] | groups~GROUPS~USERGROUP |
| Group Name[Lookup] | CLASS;LOGONDATA;CLASS;LOGONDATAX |
| Language Communication[Lookup] | LANGU_P;ADDRESS;LANGU_P;ADDRESSX |
| Last Name | lname;UserInfo |
| Logon Language[Lookup] | logonLang;UserInfo |
| Parameter~Parameter ID[Lookup] | parameters~PARAMETER1~parameter;Parameter |
| Parameter~Parameter Value | parameters~PARAMETER1~parameterValue;Parameter |
| Profile~Profile Name[Lookup] | profiles~PROFILES~itemName;ReqLineItem |
| Profile~Profile System Name[Lookup] | profiles~PROFILES~connector;ReqLineItem |
| Role~End Date[Date] | roles~ACTIVITYGROUPS~ValidTo;ReqLineItem |
| Role~Role Name[Lookup] | roles~ACTIVITYGROUPS~itemName;ReqLineItem |
| Role~Role System Name[Lookup] | roles~ACTIVITYGROUPS~connector;ReqLineItem |
| Role~Start Date[Date] | roles~ACTIVITYGROUPS~validFrom;ReqLineItem |
| Room Number | ROOM_NO_P;ADDRESS;ROOM_NO_P;ADDRESSX |
| Start Menu | startMenu;UserInfo |
| Status | __ENABLE__ |
| Telephone Extension | TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX |
| Telephone Number | telnumber;UserInfo |
| Time Zone[Lookup] | TZONE;LOGONDATA;TZONE;LOGONDATAX |
| Title[Lookup] | title;UserInfo |
| Unique ID | __UID__ |
| User ID | __NAME__ |
| User Lock | userLock;None |
| User Type[Lookup] | userType;UserInfo |
| Valid From[Date] | validFrom;UserInfo |
| Valid Through[Date] | validTo;UserInfo |

Workaround: Delete each instance of the duplicate entries.
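
An added example, not part of the connector documentation: one way to list the duplicated code keys described in this section before deleting them. It assumes the rows of a lookup definition have already been exported as (code key, decode) pairs; DEFAULTS is a subset of Table 8-1, while SAMPLE_ROWS and find_duplicates are names constructed for illustration.

```python
from collections import defaultdict

# Shipped default decodes for a few code keys, copied from Table 8-1.
DEFAULTS = {
    "batchSize": "100",
    "changePasswordAtNextLogon": "no",
    "enableCUA": "no",
    "riskLevel": "3",
    "sapSystemTimeZone": "IST",
}

# Constructed sample rows (code key, decode) for Lookup.SAPABAP.Configuration
# after an upgrade. The export step that produces such rows is assumed.
SAMPLE_ROWS = [
    ("batchSize", "500"), ("batchSize", "100"),
    ("enableCUA", "yes"), ("enableCUA", "no"),
    ("riskLevel", "3"), ("riskLevel", "3"),  # configured value equals default
    ("sapSystemTimeZone", "PST"), ("sapSystemTimeZone", "IST"),
    ("changePasswordAtNextLogon", "no"),     # single entry, not a duplicate
]


def find_duplicates(rows, defaults):
    """Return code keys that occur more than once in one lookup definition.

    For each duplicated key, decodes equal to the shipped default are listed
    under "default" and all remaining decodes under "other".
    """
    by_key = defaultdict(list)
    for key, decode in rows:
        by_key[key.strip()].append(decode.strip())
    report = {}
    for key, decodes in by_key.items():
        if len(decodes) < 2:
            continue
        default = defaults.get(key)  # None when the key has no listed default
        report[key] = {
            "default": [d for d in decodes if d == default],
            "other": [d for d in decodes if d != default],
        }
    return report


if __name__ == "__main__":
    for key, found in sorted(find_duplicates(SAMPLE_ROWS, DEFAULTS).items()):
        print(f"{key}: default={found['default']} other={found['other']}")
```

A key such as riskLevel, where both instances carry the default decode, is still reported so that it can be reviewed by hand.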

8.2 Oracle Identity Governance Issues

These are issues and workarounds associated with Oracle Identity Governance.

8.2.1 Revoke Account Task Rejected and Unable to Update OIG Account

In the Access Request Management (AC) flow, if you trigger a revoke account in OIG and reject the revoke request for the same account in GRC, then the account is still active in the SAP ECC system (backend ABAP system) and you cannot modify the account details in OIG.

Workaround: There is no workaround for this issue.

8.2.2 Application Server Error Whenever a JAR File is Updated or Modified

Whenever a JAR file is updated or modified, the application server tries to register the SAP destination data provider (SAP JCO) even though it is already registered. Therefore, the application server throws the following error:

java.lang.UnsatisfiedLinkError: Native Library /usr/local/jco/libsapjco3.so
java.lang.UnsatisfiedLinkError: Native Library /usr/local/jco/libsapjco3.dll

Workaround: Restart the application server if any JAR is updated or modified in the Oracle Identity Governance server.