9 Frequently Asked Questions of the SAP User Management Engine Connector

This chapter answers frequently asked questions about the SAP UM connector.
  1. I have installed only the SAP UME connector in my Oracle Identity Governance (OIG) environment. I want to use it with SAP GRC. Is it mandatory to follow the SIL Registration steps to use it with GRC?

    Answer: It is not mandatory if you are not using the sodgrc topology name for any other connector. The sodgrc topology name is registered by default and is mapped to the GRC-ITRes IT resource. So, if it does not already exist, you must create an IT resource instance named GRC-ITRes of type GRC-UME. Specify the GRC details in this instance and use this IT resource for GRC. To use the GRC-ITRes instance, specify sodgrc as the topology name in the SAPUME IT resource.

  2. Can I simultaneously use the SAP ER and the SAP UME connectors in the same OIG environment?

    Answer: Yes.

  3. I have changed the system property for SOD as XL.SoDCheckRequired = TRUE. Is it now possible to use two SAP connectors in the same OIG environment having one connector configured for SOD analysis and the other connector configured without SOD analysis?

    Answer: No. The system property is common to the whole OIG environment, so it applies to all the connectors installed in that environment.

  4. I have configured the SAP UME connector for SOD analysis. I have multiple GRC systems but have configured this connector for only one system. I have added a set of violated roles but my SOD analysis result shows as Passed without violations. Have I missed any configuration needed to get the correct analysis?

    Answer: It may be a configuration mistake. Verify the Sod System Key decode value in Lookup.SAPUME.ACxx.Configuration, where xx denotes 10 for the SAP GRC 10 release. You need to specify the correct system value.

  5. I have configured the SAP UME connector for Access Request Management and would like to see the Audit trail details. Where can I get these details?

    Answer: To get the Audit trail details, you need to enable the logs specific to AC for the connector. The Audit trail details can be viewed in the log file along with the connector logs.

    Here are a few formatted samples of the Audit trail:

    • Create User

      Audit Trial: {Result=[Createdate:20130409,

      Priority: HIGH,

      Requestedby:, johndoe (JOHNDOE),

      Requestnumber: 9000001341,

      Status: Decision pending,

      Submittedby:, johndoe (JOHNDOE),

      auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,

      Description:,

      Display String: Request 9000001341 of type New Account Submitted by johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}],

      Status=0_Data Populated successfully}

    • Request Status

      Audit Trial: {Result=[Createdate:20130409,

      Priority:HIGH,

      Requestedby:,johndoe (JOHNDOE),

      Requestnumber: 9000001341,

      Status: Approved,

      Submittedby:, johndoe (JOHNDOE),

      auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,

      Description:,

      Display String: Request 9000001341 of type New Account Submitted by johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH,

      ID: 000C290FC2851ED2A899DAF9961C91E2,Description:,Display String:Request is pending for approval at path GRAC_DEFAULT_PATH stage GRAC_MANAGER,

      ID: 000C290FC2851ED2A89A1400B60631E2,

      Description:,

      Display String: Approved by JOHNDOE at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,

      ID: 000C290FC2851ED2A89A150972D091E2,

      Description:,

      Display String: Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,

      ID: 000C290FC2851ED2A89A150972D111E2,

      Description:,

      Display String: Approval path processing is finished, end of path reached,

      ID: 000C290FC2851ED2A89A150972D151E2,

      Description:,

      Display String: Request is closed}],

      Status=0_Data Populated successfully}

    • Modify Request (First Name)

      Audit Trial: {Result=[Createdate:20130409,

      Priority: HIGH,

      Requestedby:, johndoe (JOHNDOE),

      Requestnumber: 9000001342,

      Status: Decision pending,

      Submittedby:,johndoe (JOHNDOE),

      auditlogData:{,

      ID: 000C290FC2851ED2A89A3ED3B1D7B1E2,

      Description:,

      Display String: Request 9000001342 of type Change Account Submitted by johndoe ( JOHNDOE ) for JK1FirstName JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}],

      Status=0_Data Populated successfully}
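
The following Python code is an added example, not part of the connector or of the original page: it parses an audit trail entry of the shape shown in the samples above into structured fields and flags requests whose approver is also the submitter. It assumes the entry has already been extracted from the log file as one string and that the field layout matches the samples; the function names and the self-approval check are illustrative.

```python
import re

# Constructed input: the "Request Status" sample above, abridged to three
# audit events and joined into one string as a single log record.
SAMPLE = (
    "Audit Trial: {Result=[Createdate:20130409,Priority:HIGH,"
    "Requestedby:,johndoe (JOHNDOE),Requestnumber: 9000001341,"
    "Status: Approved,Submittedby:, johndoe (JOHNDOE),auditlogData:{,"
    "ID: 000C290FC2851ED2A89A1400B60631E2,Description:,"
    "Display String: Approved by JOHNDOE at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,"
    "ID: 000C290FC2851ED2A89A150972D111E2,Description:,"
    "Display String: Approval path processing is finished, end of path reached,"
    "ID: 000C290FC2851ED2A89A150972D151E2,Description:,"
    "Display String: Request is closed}],Status=0_Data Populated successfully}"
)
HEADER = {  # fields that precede auditlogData; the comma after ':' is optional
    "created": r"Createdate:\s*(\d{8})",
    "priority": r"Priority:\s*(\w+)",
    "requested_by": r"Requestedby:,?\s*(.*?),\s*Requestnumber:",
    "request_number": r"Requestnumber:\s*(\d+)",
    "status": r"Status:\s*(.*?),\s*Submittedby:",
    "submitted_by": r"Submittedby:,?\s*(.*?),\s*auditlogData:",
}
# A Display String may contain commas, so an event ends only at the next ID or "}]".
EVENT = re.compile(
    r"ID:\s*([0-9A-F]{32}),\s*Description:(.*?),\s*Display String:\s*(.*?)"
    r"(?=,\s*ID:\s*[0-9A-F]{32}|\}\])", re.S)

def parse_audit_trail(text):
    """Return the header fields, the result code and the ordered audit events."""
    rec = {}
    for name, pattern in HEADER.items():
        m = re.search(pattern, text, re.S)
        rec[name] = m.group(1).strip() if m else None
    m = re.search(r"\],\s*Status=(\d+)_", text)
    rec["result_code"] = int(m.group(1)) if m else None
    rec["events"] = [{"id": i, "description": d.strip(), "text": " ".join(s.split())}
                     for i, d, s in EVENT.findall(text)]
    return rec

def self_approvals(rec):
    """Approver IDs equal to the submitter's ID (a segregation-of-duties signal)."""
    m = re.search(r"\((\w+)\)", rec["submitted_by"] or "")
    submitter = m.group(1).upper() if m else None
    joined = " | ".join(e["text"] for e in rec["events"])
    approvers = re.findall(r"Approved by (\S+) at Path", joined)
    return [a.upper() for a in approvers if a.upper() == submitter]

if __name__ == "__main__":
    record = parse_audit_trail(SAMPLE)
    print(record["request_number"], record["status"], self_approvals(record))
```

The patterns use whitespace-tolerant matching, so the same function also accepts an entry that is spread over several lines, as in the formatted samples.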

  6. I had configured the SAP UME connector for Access Request Management and have users provisioned through GRC. Now, I have reverted the connector to the default type without the Access Request Management feature. When I try to update an existing user, the task fails. Do I need to run any scheduled job before performing any operations on the existing users provisioned through Access Request Management?

    Answer: Yes, run a full reconciliation once using the SAP UME Target User Reconciliation job before performing any provisioning operations.

  7. I have installed the SAP UME connector in my Oracle Identity Governance environment. I see the following exception while provisioning the user. How do I work around this issue?

    Exception : org.identityconnectors.framework.common.exceptions.ConnectorException: The HTTP request is not valid.

    Answer: Perform the following procedure as a workaround for this issue:

    1. Log in to the operating system level of the SAP NW7.4 UME and navigate to the following path:

      D:\usr\sap\<SID>\SYS\PROFILE\

    2. Edit DEFAULT.PFL so that the icm/HTTP/mod_0 parameter is commented out with a leading #, as follows:

      #icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_filter_rules.txt

    3. Run configtool.sh from the configtool directory, as shown in the following path:

      cd /usr/sap/<SID>/j2ee/configtool

      ./configtool.sh

    4. In the Configtool GUI, change the value of the use.spml.http_header_check_active parameter to false if it is set to true.

  8. During a Create User provisioning operation, does the SAP UME AC connector provision attributes that are mapped directly to the SAP ECC system without GRC?

    Answer: No. For an account creation request in GRC, the request is created only with the GRC attributes. Attributes mapped directly to the SAP ECC system are not part of the create operation. Once the request is approved and the account is provisioned to the SAP ECC system (backend ABAP system), these attributes (mapped directly to SAP) can be provisioned as part of the update operation.