8 Known Issues and Limitations of the SAP User Management Engine Connector
These are the known issues and limitations associated with the SAP UME connector.
This chapter is divided into the following sections: Known Issues (Section 8.1) and Limitations Related to Target System Features and Specific Connectors (Section 8.2).
8.1 Known Issues
These are the known issues and workarounds associated with this release of the connector.
8.1.1 Connector Issues
These are the known issues and workarounds associated with the connector.
8.1.1.1 Error During SoD Check
During an SoD check, if the violation data returned by the SAP GRC web service exceeds 4000 characters, only the first 4000 characters are captured and displayed; the remainder is silently truncated.
Workaround: If the violation details returned by the SAP GRC target system can exceed 4000 characters, increase the Length of the SODCheckViolation field to match the expected size of the violation data.
8.1.1.2 Code Key Values Displayed Instead of Decode Values
After you perform user reconciliation, the user form in the Administrative and User Console shows the code key values instead of the decode values on the edit and view forms.
Workaround: There is no workaround for this issue.
8.1.1.3 Accessing the Target Server or Running the Connector Server Returns an Error
If you configure the connector to communicate with the Connector Server over SSL (that is, you set the connectorserver.usessl property to true and import the target system certificate into the JDK keystore used by the Connector Server), any attempt to access the target system or to run the Connector Server fails with an error.
Workaround: There is no workaround for this issue.
8.1.1.4 Postupgrade Issue
After you upgrade the connector, the following lookup definitions contain duplicate entries whose decode values are set to defaults. The tables that follow list the expected entries in each of these lookup definitions:
- Lookup.SAPUME.Configuration
- Lookup.SAPUME.UM.ProvAttrMap
- Lookup.SAPUME.UM.ReconAttrMap
- Lookup.SAPAC10UME.Configuration
- Lookup.SAPAC10UME.UM.ProvAttrMap
- Lookup.SAPAC10UME.UM.ReconAttrMap
Table 8-1 Entries in the Lookup.SAPUME.Configuration Lookup Definition
Code | Decode |
---|---|
Bundle Version | 12.3.0 |
SOD Configuration lookup | Lookup.SAPUME.Configuration |
User Configuration Lookup | Lookup.SAPUME.UM.Configuration |
Connector Name | org.identityconnectors.sapume.SAPUMEConnector |
Bundle Name | org.identityconnectors.sapume |
Role attribute name | ROLENAME |
RoleAttributeLabel | Role |
SODSystemKey | GRCACEP |
Role form names | UD_UMERC_P;UD_UME_ROLE |
entitlementRiskAnalysisWS | oracle.iam.grc.sod.scomp.impl.grcsap.util.webservice.sap.ac10.RiskAnalysisWithoutNo |
entitlementRiskAnalysisAccessURL | |
wsdlFilePath | None |
Group form names | UD_UME_GRP |
Group attribute name | GROUPNAME |
ConnectorImplType | SAPUME |
Table 8-2 Entries in the Lookup.SAPUME.UM.ProvAttrMap Lookup Definition
Code | Decode |
---|---|
City | city |
Country | country |
Department | department |
E-Mail Address | |
End Date of Account Validity[Date] | validto |
Fax | fax |
First Name | firstname |
Form of Address | salutation |
Language | locale |
Last Name | lastname |
Logon Name | __NAME__ |
Mobile | mobile |
Name | displayname |
Password | __PASSWORD__ |
Position | jobtitle |
Security Policy | securitypolicy |
Start Date of Account Validity[Date] | validfrom |
State | state |
Street | streetaddress |
Telephone | telephone |
Time Zone | timezone |
Title | title |
UD_UME_GRP~Group[Lookup] | assignedgroups |
UD_UME_ROLE~Role[Lookup] | assignedroles |
Unique ID | __UID__ |
User Account Locked | islocked |
Zip | zip |
Table 8-3 Entries in the Lookup.SAPUME.UM.ReconAttrMap Lookup Definition
Code | Decode |
---|---|
City | city |
Country | country |
Department | department |
E-Mail Address | |
End Date of Account Validity[Date] | validto |
Fax | fax |
First Name | firstname |
Form of Address | salutation |
Groups~Group[Lookup] | assignedgroups |
Language | locale |
Last Name | lastname |
Logon Name | logonname |
Mobile | mobile |
Name | displayname |
Position | jobtitle |
Roles~Role[Lookup] | assignedroles |
Security Policy | securitypolicy |
Start Date of Account Validity[Date] | validfrom |
State | state |
Status | __ENABLE__ |
Street | streetaddress |
Telephone | telephone |
Time Zone | timezone |
Title | title |
Unique Id | id |
User Account Locked | islocked |
Zip | zip |
Table 8-4 Entries in the Lookup.SAPAC10UME.Configuration Lookup Definition
Code | Decode |
---|---|
appLookupAccessURL | None |
appLookupWS | oracle.iam.ws.sap.ac10.SelectApplication |
assignRoleReqType | 002~Change Account~002~006 |
auditLogsAccessURL | None |
auditLogsWS | oracle.iam.ws.sap.ac10.AuditLogs |
Bundle Name | org.identityconnectors.sapacume |
Bundle Version | 12.3.0 |
ConnectorImplType | SAPUME |
Connector Name | org.identityconnectors.sapacume.SAPACUMEConnector |
createUserReqType | 001~New Account~001 |
deleteUserReqType | 003~Delete Account~003 |
ignoreOpenStatus | Yes |
lockUserReqType | 004~Lock Account~004 |
logAuditTrial | Yes |
modifyUserReqType | 002~Change Account~002 |
otherLookupAccessURL | None |
otherLookupWS | oracle.iam.ws.sap.ac10.SearchLookup |
provActionAttrName | provAction;ReqLineItem |
provItemActionAttrName | provItemAction;ReqLineItem |
removeRoleReqType | 002~Change Account~002~009 |
requestStatusAccessURL | None |
requestStatusValue | OK |
requestStatusWS | oracle.iam.ws.sap.ac10.RequestStatus |
requestTypeAttrName | Reqtype;Header |
riskLevel | High |
roleLookupAccessURL | None |
roleLookupWS | oracle.iam.ws.sap.ac10.SearchRoles |
Status Configuration Lookup | Lookup.SAPACUME.Status.Configuration |
unlockUserReqType | 005~unlock user~005 |
userAccessWS | oracle.iam.ws.sap.ac10.UserAccess |
User Configuration Lookup | Lookup.SAPAC10UME.UM.Configuration |
wsdlFilePath | None |
Table 8-5 Entries in the Lookup.SAPAC10UME.UM.ProvAttrMap Lookup Definition
Code | Decode |
---|---|
AC Business Process[Lookup] | bproc;Header |
Accounting Number | accno;UserInfo |
AC Functional Area[Lookup] | funcarea;Header |
AC Manager | manager;UserInfo |
AC Manager email | managerEmail;UserInfo |
AC Manager First Name | managerFirstname;UserInfo |
AC Manager Last Name | managerLastname;UserInfo |
AC Priority[Lookup] | priority;Header |
AC Request Due Date[Date] | reqDueDate;Header |
AC Request Id[WRITEBACK] | RequestId |
AC Requestor email | email;Header |
AC Requestor ID | requestorId;Header |
AC Request Reason | requestReason;Header |
AC Request Status[WRITEBACK] | RequestStatus |
AC Request Type[WRITEBACK] | RequestType |
AC System[Lookup] | reqInitSystem;Header |
City | city |
Country | country |
Department | department;UserInfo |
E-Mail Address | email;UserInfo |
End Date of Account Validity[Date] | validTo;UserInfo |
Fax | fax;UserInfo |
First Name | fname;UserInfo |
Form of Address | personnelarea;UserInfo |
Language | logonLang;UserInfo |
Last Name | lname;UserInfo |
Logon Name | userId;UserInfo |
Mobile | personnelno;UserInfo |
Name | displayname |
Password | __PASSWORD__ |
Position | empposition;UserInfo |
Security Policy | securitypolicy |
Start Date of Account Validity[Date] | validFrom;UserInfo |
State | state |
Street | streetaddress |
Telephone | telnumber;UserInfo |
Time Zone | timezone |
UD_ACUMEGRP~Group[Lookup] | umegroup;itemName;ReqLineItem |
UD_ACUMEROL~Role[Lookup] | umerole;itemName;ReqLineItem |
Unique ID | __UID__ |
User Account Locked | userLock;None |
Zip | zip |
Table 8-6 Entries in the Lookup.SAPAC10UME.UM.ReconAttrMap Lookup Definition
Code | Decode |
---|---|
City | city |
Country | country |
Department | department;UserInfo |
E-Mail Address | email;UserInfo |
End Date of Account Validity[Date] | validTo;UserInfo |
Fax | fax;UserInfo |
First Name | fname;UserInfo |
Form of Address | personnelarea;UserInfo |
Groups~Group[Lookup] | assignedgroups |
Language | logonLang;UserInfo |
Last Name | lname;UserInfo |
Logon Name | userId;UserInfo |
Mobile | personnelno;UserInfo |
Name | displayname |
Position | empposition;UserInfo |
Roles~Role[Lookup] | assignedroles |
Security Policy | securitypolicy |
Start Date of Account Validity[Date] | validFrom;UserInfo |
State | state |
Status | __ENABLE__ |
Street | streetaddress |
Telephone | telnumber;UserInfo |
Time Zone | timezone |
Unique Id | __UID__ |
User Account Locked | userLock;None |
Zip | zip |
Workaround: Delete each duplicate entry whose decode is a default value, keeping only the entries listed in the tables above.
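The following Python script is an added example and is not part of the Oracle documentation or of the connector itself. It audits an exported lookup definition for the duplicate entries described above, reports which copies carry a placeholder decode (the ones the workaround says to delete), and splits the AC10 decode syntax seen in Tables 8-5 and 8-6 into its attribute path and GRC request section. The one-row-per-line "Code | Decode" text format, the sample rows, and the treatment of empty, "default" and "none" decodes as placeholders are assumptions made for this example.

```python
"""Audit an OIG lookup definition export for post-upgrade duplicate entries.

Added example, not Oracle code. The input format and sample rows below are
constructed to mirror the lookup tables in this chapter.
"""
from collections import defaultdict

# Constructed sample: a Lookup.SAPAC10UME.UM.ProvAttrMap export in which the
# upgrade has appended a second copy of two entries with a placeholder decode.
SAMPLE_LOOKUP = """\
Code | Decode
AC Business Process[Lookup] | bproc;Header
Department | department;UserInfo
Logon Name | userId;UserInfo
UD_ACUMEROL~Role[Lookup] | umerole;itemName;ReqLineItem
User Account Locked | userLock;None
Department | default
Logon Name | default
"""

# Assumed placeholder decodes that mark a duplicate as deletable.
DEFAULT_DECODES = {"", "default", "none"}


def parse_lookup(text):
    """Return a list of (code, decode) tuples, skipping the header row."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        code, decode = (part.strip() for part in line.split("|", 1))
        if code.lower() == "code":  # header row
            continue
        rows.append((code, decode))
    return rows


def split_ac10_decode(decode):
    """Split an AC10 decode such as 'umerole;itemName;ReqLineItem' into
    (attribute path, request section).

    The last ';'-separated token names the GRC request section (Header,
    UserInfo, ReqLineItem); the literal 'None' means no section. A decode
    without ';' (for example 'city') has no section either.
    """
    parts = decode.split(";")
    if len(parts) == 1:
        return parts[0], None
    section = parts[-1]
    return ";".join(parts[:-1]), (None if section == "None" else section)


def find_duplicates(rows):
    """Return {code: [decodes]} for every code that appears more than once."""
    by_code = defaultdict(list)
    for code, decode in rows:
        by_code[code].append(decode)
    return {code: decodes for code, decodes in by_code.items() if len(decodes) > 1}


def entries_to_delete(rows):
    """Duplicate entries whose decode is a placeholder.

    These are the rows the workaround says to delete; the copy with the real
    decode is kept so the attribute mapping keeps working after cleanup.
    """
    dups = find_duplicates(rows)
    return sorted(
        (code, decode)
        for code, decodes in dups.items()
        for decode in decodes
        if decode.lower() in DEFAULT_DECODES
    )


def audit(text):
    """Run the full audit over a lookup export and return the findings."""
    rows = parse_lookup(text)
    return {"duplicates": find_duplicates(rows), "delete": entries_to_delete(rows)}


if __name__ == "__main__":
    report = audit(SAMPLE_LOOKUP)
    for code, decodes in report["duplicates"].items():
        print(f"duplicate code {code!r}: {decodes}")
    for code, decode in report["delete"]:
        print(f"delete entry: {code} | {decode}")
    print(split_ac10_decode("umerole;itemName;ReqLineItem"))
```

Run the audit against a copy of each lookup definition listed above before deleting anything in the Design Console; a code that is duplicated with two non-placeholder decodes is reported but not marked for deletion, because that case needs a human decision about which mapping is correct.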
8.1.1.5 Lookup Data of Timezone, Country, and Locale is not Dynamic
During provisioning and reconciliation, the lookup data for time zone, country, and locale can be inconsistent with the target system, because the lookup values were generated against earlier versions of SAP NetWeaver.
Workaround: If the values in the target system and in the lookups do not match, update the lookup definitions manually in the Oracle Identity Manager Design Console.
8.1.2 Oracle Identity Governance Issues
These are the issues and workarounds associated with Oracle Identity Governance.
8.1.2.1 Revoke Account Task Rejected and Unable to Update OIG Account
In the Access Request Management (AC) flow, if you trigger a revoke account operation in OIG and the corresponding revoke request is rejected in GRC, the account remains active in the SAP NetWeaver AS Java (backend Java stack) and you can no longer modify the account details in OIG.
Workaround: There is no workaround for this issue.
8.1.2.2 Date 9999 Issue While Provisioning a User in the Enterprise Portal
When you create a user in the Enterprise Portal through a GRC access request with the account validity end date set to 31/12/9999, the following error is returned:
Exception while creating user: BAPI_USER_CREATE1@GR1CLNT001: TYPE=E, ID=S5, NUMBER=003,
Workaround: Apply the following SAP Notes to the target system:
- SNOTE 2653244
- SNOTE 2203867
8.2 Limitations Related to Target System Features and Specific Connectors
These are limitations related to target system features and specific connectors.
- The SPML UME API does not support searching for records whose Last Modified Date is later than a specified date. Therefore, the connector cannot support incremental reconciliation.
- Configurable batched reconciliation is not supported. The connector batches implicitly: it fetches user records in groups by the first character of the logon name, iterating over the characters that the target system allows in logon names.
In addition, the following sections describe specific connector limitations:
8.2.1 Limitations for AS ABAP Data Source for the Connector
These are the limitations associated with AS ABAP Data source for the connector.
- Limitation when searching for users: A search by modification date considers only changes made using the AS Java tools. Therefore, the connector cannot search using the last-modified timestamp.
- List of SAP User Management Engine (UME) user attributes: The list of user attributes that can be read from or written to the SAP UME with an AS ABAP data source is fixed and cannot be extended. A backend AS ABAP system can have additional attributes, but these are not exposed through the SAP UME.
- Delay in the display of AS ABAP roles in the SAP UME: If you create a new AS ABAP role or change the description of an existing one, the change might not be visible in the SAP UME for up to 30 minutes, because the SAP UME reads this data from the AS ABAP data source every 30 minutes. To force the SAP UME to reread the data, restart the AS Java. A reconciliation run during this window might therefore miss recently created roles.
- Limitation in a Central User Administration (CUA) environment: The SAP UME can see only the roles that are present in the central system; roles in child systems are not visible to it. Therefore, you can view and maintain role assignments from the connector only for the central system.
- The SAP UME does not support maintaining the Form of Address and TimeZone attributes in an AS ABAP data source.
8.2.2 Limitations for Groups That Represent AS ABAP Roles
The SAP UME groups that represent AS ABAP roles on the target system have the following limitations for the connector:
- You can assign ABAP users only to the SAP UME groups that represent ABAP roles.
- The SAP UME cannot show a user-group assignment when the current date is outside the validity period of the corresponding user-role assignment in the AS ABAP data source.
- If you try to assign an SAP UME group to a user who is already assigned to the corresponding ABAP role, but the current date is outside the validity period, you receive an error message.
- If a role is assigned to a user in ABAP by means of a collective role or organizational management, you cannot unassign the user from the corresponding SAP UME group.
- If a role is assigned to a user in ABAP by means of an indirect assignment through a reference user (visible in transaction SU01), you cannot unassign the user from the corresponding SAP UME group.
- If a role is assigned to a user in ABAP by means of direct and indirect assignment simultaneously, you cannot unassign the user from the corresponding SAP UME group. For example, a user administrator named ADMIN has assigned the user USER1 to the roles Z_DIRECT and Z_COLLECT, where Z_COLLECT is a collective role that includes Z_DIRECT. When ADMIN uses the identity management of the AS Java, ADMIN cannot unassign USER1 from the SAP UME group Z_DIRECT, because this ABAP role is also assigned indirectly through Z_COLLECT.
- New groups created with the SAP UME are stored in a local database.
8.2.3 Limitations for Role Management with the Connector
The following role types exist on the target system; connector support for assigning each type to users is noted below:
- Roles that define what is displayed in SAP Enterprise Portal
  - Portal roles: These roles apply to SAP Enterprise Portal. The connector supports the assignment of these roles to users.
- Roles that define what authorizations a user has in the backend system
  - UME authorization roles: These roles support programmatic authorization checks. The connector supports the assignment of these roles to users.
  - J2EE security roles: These roles support declarative authorization checks. The connector does not support the assignment of these roles to users; manage them from the Visual Administrator tool of the J2EE Engine.
  - ABAP authorization roles: These roles apply when the SAP UME is configured with an ABAP data source, and they are displayed as groups in the SAP UME. Whether they can be assigned depends on the SAP UME instance; the connector supports assigning these roles only if the SAP UME instance supports it.