8 Known Issues and Limitations of the SAP User Management Engine Connector

These are the known issues and limitations associated with the SAP UME connector.

This chapter is divided into the following sections:

8.1 Known Issues

These are the known issues and workarounds associated with this release of the connector.

8.1.1 Connector Issues

These are the known issues and workarounds associated with the connector.

8.1.1.1 Error During SoD Check

During an SoD check, when the data returned from the SAP GRC web services exceeds 4000 characters, only the first 4000 characters are displayed.

Workaround: If the violation details obtained from the SAP GRC target system are longer than 4000 characters, update the Length of the SODCheckViolation field to match the expected size of the violation data.

8.1.1.2 Code Key Values Displayed Instead of Decode Values

After performing user reconciliation on the user form in the Administrative and User Console, the code key values are displayed instead of the decode values in the edit and view forms.

Workaround: There is no workaround for this issue.

8.1.1.3 Accessing the Target Server or Running the Connector Server Returns an Error

If you configure the connector to communicate with the Connector Server over SSL (setting the connectorserver.usessl property to true and importing the target system certificate into the Connector Server JDK keystore), an attempt to access the target system or run the Connector Server returns an error.

Workaround: There is no workaround for this issue.

8.1.1.4 Postupgrade Issue

Before the connector is upgraded, the default decode values of the following lookup definitions are replaced with target configuration values:

  • Lookup.SAPUME.Configuration

  • Lookup.SAPUME.UM.ProvAttrMap

  • Lookup.SAPUME.UM.ReconAttrMap

  • Lookup.SAPAC10UME.Configuration

  • Lookup.SAPAC10UME.UM.ProvAttrMap

  • Lookup.SAPAC10UME.UM.ReconAttrMap

Once the connector is upgraded, it generates duplicate entries with decode default values as shown in the following tables:

Table 8-1 Entries in the Lookup.SAPUME.Configuration Lookup Definition

Code                                  Decode
Bundle Version                        12.3.0
SOD Configuration lookup              Lookup.SAPUME.Configuration
User Configuration Lookup             Lookup.SAPUME.UM.Configuration
Connector Name                        org.identityconnectors.sapume.SAPUMEConnector
Bundle Name                           org.identityconnectors.sapume
Role attribute name                   ROLENAME
RoleAttributeLabel                    Role
SODSystemKey                          GRCACEP
Role form names                       UD_UMERC_P;UD_UME_ROLE
entitlementRiskAnalysisWS             oracle.iam.grc.sod.scomp.impl.grcsap.util.webservice.sap.ac10.RiskAnalysisWithoutNo
entitlementRiskAnalysisAccessURL
wsdlFilePath                          None
Group form names                      UD_UME_GRP
Group attribute name                  GROUPNAME
ConnectorImplType                     SAPUME

The following table lists the entries in the Lookup.SAPUME.UM.ProvAttrMap lookup definition.

Table 8-2 Entries in the Lookup.SAPUME.UM.ProvAttrMap Lookup Definition

Code                                  Decode
City                                  city
Country                               country
Department                            department
E-Mail Address                        email
End Date of Account Validity[Date]    validto
Fax                                   fax
First Name                            firstname
Form of Address                       salutation
Language                              locale
Last Name                             lastname
Logon Name                            __NAME__
Mobile                                mobile
Name                                  displayname
Password                              __PASSWORD__
Position                              jobtitle
Security Policy                       securitypolicy
Start Date of Account Validity[Date]  validfrom
State                                 state
Street                                streetaddress
Telephone                             telephone
Time Zone                             timezone
Title                                 title
UD_UME_GRP~Group[Lookup]              assignedgroups
UD_UME_ROLE~Role[Lookup]              assignedroles
Unique ID                             __UID__
User Account Locked                   islocked
Zip                                   zip

The following table lists the entries in the Lookup.SAPUME.UM.ReconAttrMap lookup definition.

Table 8-3 Entries in the Lookup.SAPUME.UM.ReconAttrMap Lookup Definition

Code                                  Decode
City                                  city
Country                               country
Department                            department
E-Mail Address                        email
End Date of Account Validity[Date]    validto
Fax                                   fax
First Name                            firstname
Form of Address                       salutation
Groups~Group[Lookup]                  assignedgroups
Language                              locale
Last Name                             lastname
Logon Name                            logonname
Mobile                                mobile
Name                                  displayname
Position                              jobtitle
Roles~Role[Lookup]                    assignedroles
Security Policy                       securitypolicy
Start Date of Account Validity[Date]  validfrom
State                                 state
Status                                __ENABLE__
Street                                streetaddress
Telephone                             telephone
Time Zone                             timezone
Title                                 title
Unique Id                             id
User Account Locked                   islocked
Zip                                   zip

The following table lists the entries in the Lookup.SAPAC10UME.Configuration lookup definition.

Table 8-4 Entries in the Lookup.SAPAC10UME.Configuration Lookup Definition

Code                                  Decode
appLookupAccessURL                    None
appLookupWS                           oracle.iam.ws.sap.ac10.SelectApplication
assignRoleReqType                     002~Change Account~002~006
auditLogsAccessURL                    None
auditLogsWS                           oracle.iam.ws.sap.ac10.AuditLogs
Bundle Name                           org.identityconnectors.sapacume
Bundle Version                        12.3.0
ConnectorImplType                     SAPUME
Connector Name                        org.identityconnectors.sapacume.SAPACUMEConnector
createUserReqType                     001~New Account~001
deleteUserReqType                     003~Delete Account~003
ignoreOpenStatus                      Yes
lockUserReqType                       004~Lock Account~004
logAuditTrial                         Yes
modifyUserReqType                     002~Change Account~002
otherLookupAccessURL                  None
otherLookupWS                         oracle.iam.ws.sap.ac10.SearchLookup
provActionAttrName                    provAction;ReqLineItem
provItemActionAttrName                provItemAction;ReqLineItem
removeRoleReqType                     002~Change Account~002~009
requestStatusAccessURL                None
requestStatusValue                    OK
requestStatusWS                       oracle.iam.ws.sap.ac10.RequestStatus
requestTypeAttrName                   Reqtype;Header
riskLevel                             High
roleLookupAccessURL                   None
roleLookupWS                          oracle.iam.ws.sap.ac10.SearchRoles
Status Configuration Lookup           Lookup.SAPACUME.Status.Configuration
unlockUserReqType                     005~unlock user~005
userAccessWS                          oracle.iam.ws.sap.ac10.UserAccess
User Configuration Lookup             Lookup.SAPAC10UME.UM.Configuration
wsdlFilePath                          None

The following table lists the entries in the Lookup.SAPAC10UME.UM.ProvAttrMap lookup definition.

Table 8-5 Entries in the Lookup.SAPAC10UME.UM.ProvAttrMap Lookup Definition

Code                                  Decode
AC Business Process[Lookup]           bproc;Header
Accounting Number                     accno;UserInfo
AC Functional Area[Lookup]            funcarea;Header
AC Manager                            manager;UserInfo
AC Manager email                      managerEmail;UserInfo
AC Manager First Name                 managerFirstname;UserInfo
AC Manager Last Name                  managerLastname;UserInfo
AC Priority[Lookup]                   priority;Header
AC Request Due Date[Date]             reqDueDate;Header
AC Request Id[WRITEBACK]              RequestId
AC Requestor email                    email;Header
AC Requestor ID                       requestorId;Header
AC Request Reason                     requestReason;Header
AC Request Status[WRITEBACK]          RequestStatus
AC Request Type[WRITEBACK]            RequestType
AC System[Lookup]                     reqInitSystem;Header
City                                  city
Country                               country
Department                            department;UserInfo
E-Mail Address                        email;UserInfo
End Date of Account Validity[Date]    validTo;UserInfo
Fax                                   fax;UserInfo
First Name                            fname;UserInfo
Form of Address                       personnelarea;UserInfo
Language                              logonLang;UserInfo
Last Name                             lname;UserInfo
Logon Name                            userId;UserInfo
Mobile                                personnelno;UserInfo
Name                                  displayname
Password                              __PASSWORD__
Position                              empposition;UserInfo
Security Policy                       securitypolicy
Start Date of Account Validity[Date]  validFrom;UserInfo
State                                 state
Street                                streetaddress
Telephone                             telnumber;UserInfo
Time Zone                             timezone
UD_ACUMEGRP~Group[Lookup]             umegroup;itemName;ReqLineItem
UD_ACUMEROL~Role[Lookup]              umerole;itemName;ReqLineItem
Unique ID                             __UID__
User Account Locked                   userLock;None
Zip                                   zip

The following table lists the entries in the Lookup.SAPAC10UME.UM.ReconAttrMap lookup definition.

Table 8-6 Entries in the Lookup.SAPAC10UME.UM.ReconAttrMap Lookup Definition

Code                                  Decode
City                                  city
Country                               country
Department                            department;UserInfo
E-Mail Address                        email;UserInfo
End Date of Account Validity[Date]    validTo;UserInfo
Fax                                   fax;UserInfo
First Name                            fname;UserInfo
Form of Address                       personnelarea;UserInfo
Groups~Group[Lookup]                  assignedgroups
Language                              logonLang;UserInfo
Last Name                             lname;UserInfo
Logon Name                            userId;UserInfo
Mobile                                personnelno;UserInfo
Name                                  displayname
Position                              empposition;UserInfo
Roles~Role[Lookup]                    assignedroles
Security Policy                       securitypolicy
Start Date of Account Validity[Date]  validFrom;UserInfo
State                                 state
Status                                __ENABLE__
Street                                streetaddress
Telephone                             telnumber;UserInfo
Time Zone                             timezone
Unique Id                             __UID__
User Account Locked                   userLock;None
Zip                                   zip

Workaround: Delete each duplicate entry that carries a default decode value.
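The following is an added example, not Oracle's documentation or the connector's own code: given an export of a lookup definition as (code, decode) rows, it lists the duplicate rows that carry the shipped default decode from Table 8-1 so that only those are deleted and the target-specific values survive. The export rows and the customer values in SAMPLE_EXPORT are constructed for the example.

```python
# Added example (not Oracle's documentation or connector code): list the
# duplicate lookup entries the post-upgrade issue creates, so they can be
# deleted while the target-specific decode values are kept.
from collections import defaultdict

# Shipped default decode values of Lookup.SAPUME.Configuration (Table 8-1,
# subset; extend with the remaining rows of the table as needed).
SAPUME_CONFIG_DEFAULTS = {
    "Bundle Version": "12.3.0",
    "Connector Name": "org.identityconnectors.sapume.SAPUMEConnector",
    "SODSystemKey": "GRCACEP",
    "Role form names": "UD_UMERC_P;UD_UME_ROLE",
    "wsdlFilePath": "None",
    "Group form names": "UD_UME_GRP",
    "ConnectorImplType": "SAPUME",
}

def duplicate_default_entries(rows, defaults):
    """Return the (code, decode) rows to delete: for each code that occurs
    more than once, the rows carrying the shipped default decode, keeping
    the customised row; if every row is the default, keep the first one."""
    by_code = defaultdict(list)
    for code, decode in rows:
        by_code[code].append(decode)
    to_delete = []
    for code, decodes in by_code.items():
        if len(decodes) < 2 or code not in defaults:
            continue  # unique entry, or a code whose default is unknown
        default = defaults[code]
        if any(d != default for d in decodes):
            to_delete.extend((code, d) for d in decodes if d == default)
        else:
            to_delete.extend((code, d) for d in decodes[1:])
    return to_delete

# Constructed post-upgrade export: customer values plus the duplicate default
# rows the upgrade re-inserted (the customer values are made up).
SAMPLE_EXPORT = [
    ("Bundle Version", "12.3.0"),
    ("SODSystemKey", "GRC_PROD"),
    ("SODSystemKey", "GRCACEP"),
    ("wsdlFilePath", "/opt/oim/wsdl/sapume.wsdl"),
    ("wsdlFilePath", "None"),
    ("Group form names", "UD_UME_GRP"),
    ("Group form names", "UD_UME_GRP"),
]
if __name__ == "__main__":
    for code, decode in duplicate_default_entries(SAMPLE_EXPORT, SAPUME_CONFIG_DEFAULTS):
        print(f"delete: {code} = {decode}")
```

The same function works for the other five lookups once their Table 8-2 to 8-6 defaults are supplied as the defaults dictionary.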

8.1.1.5 Lookup Data of Timezone, Country, and Locale is not Dynamic

During provisioning and reconciliation, the lookup data for timezone, country, and locale can be inconsistent with the target system because the lookup values were generated for earlier versions of NetWeaver.

Workaround: If the lookup data does not match the target system data, modify the lookups manually in the OIM Design Console.

8.1.2 Oracle Identity Governance Issues

These are the issues and workarounds associated with Oracle Identity Governance.

8.1.2.1 Revoke Account Task Rejected and Unable to Update OIG Account

In the Access Request Management (AC) flow, if you trigger a revoke account operation in OIG and the revoke request for that account is rejected in GRC, the account remains active in the SAP NetWeaver Java Application Server (backend Java stack) and you cannot modify the account details in OIG.

Workaround: There is no workaround for this issue.

8.1.2.2 Date 9999 Issue While Provisioning a User in the Enterprise Portal

While creating a user in the Enterprise Portal through a GRC access request with the account validity date set to 31/12/9999, the following error message is encountered:

Exception while creating user: BAPI_USER_CREATE1@GR1CLNT001: TYPE=E, ID=S5, NUMBER=003,

Workaround: Apply the following SNOTEs on top of GRCFND_A SP 10:
  • SNOTE 2653244

  • SNOTE 2203867

8.2 Limitations Related to Target System Features and Specific Connectors

These are limitations related to target system features and specific connectors.

  • The SPML UME API does not return records for which the Last Modified Date value is greater than a specified date. Therefore, the connector cannot support incremental reconciliation.

  • Configurable batched reconciliation is not supported. The connector performs batched reconciliation implicitly: it first fetches the user records whose logon names begin with each of the characters that the target system allows.

In addition, the following sections describe specific connector limitations:

8.2.1 Limitations for AS ABAP Data Source for the Connector

These are the limitations associated with AS ABAP Data source for the connector.

  • Limitation when searching for users

    The search considers only actions performed using the AS Java tools. Therefore, the connector cannot search using the last modified timestamp.

  • List of SAP User Management Engine (UME) user attributes

    The list of user attributes that can be read from or written to the SAP UME with an AS ABAP data source is fixed and cannot be extended. A backend AS ABAP system can have additional attributes, but these attributes are not supported through the SAP UME.

  • Delay in the display of AS ABAP roles in the SAP UME

    If you create a new AS ABAP role or change the description of an existing AS ABAP role, these changes might not be visible in the SAP UME for up to 30 minutes, because the SAP UME reads this data from the AS ABAP data source every 30 minutes. To force the SAP UME to read the data from the AS ABAP data source, you must restart the AS Java. Therefore, a reconciliation operation might miss roles that were created recently.

  • Limitation in a Central User Administration (CUA) environment

    The SAP UME can view only the roles that are present in the central system. Roles in child systems are not visible to the SAP UME. Therefore, you can view and maintain role assignments from the connector only to the central system.

  • The SAP UME does not support maintaining the Form of Address and TimeZone attributes in an AS ABAP data source.

8.2.2 Limitations for Groups That Represent AS ABAP Roles

The SAP UME groups that represent AS ABAP roles on the target system have the following limitations for the connector:

  • You can assign ABAP users only to the SAP UME groups that represent ABAP roles.

  • The SAP UME cannot show a user-group assignment when the current date is outside the validity period of the corresponding user-role assignment in the AS ABAP data source.

  • If you try to assign an SAP UME group to a user who is already assigned to the corresponding ABAP role, but the current date is outside the validity period, you receive an error message.

  • If a role assignment to a user in ABAP is by means of a collective role or organizational management, you cannot unassign the user from the corresponding SAP UME group.

  • If a role assignment to a user in ABAP is by means of an indirect assignment through a reference user (visible in transaction SU01), you cannot unassign the user from the corresponding SAP UME group.

  • If a role assignment to a user in ABAP is by means of direct and indirect assignment simultaneously, you cannot unassign the user from the corresponding SAP UME group.

    For example, a user administrator named ADMIN has assigned the user named USER1 to the roles Z_DIRECT and Z_COLLECT. Z_COLLECT is a collective role including the role Z_DIRECT. When ADMIN uses identity management of the AS Java, ADMIN cannot unassign USER1 from the SAP UME group Z_DIRECT because this ABAP role is also assigned indirectly by the ABAP role Z_COLLECT.

  • New groups created with the SAP UME are stored in a local database.

8.2.3 Limitations for Role Management with the Connector

The connector supports the assignment of the following types of roles to users:

  • Roles that define what is displayed in SAP Enterprise Portal

    • Portal roles

      These roles are applicable to SAP Enterprise Portal. The connector supports the assignment of these roles to users.

  • Roles that define what authorizations a user has in the backend system

    • UME authorization roles

      These roles support programmatic authorization checks. The connector supports the assignment of these roles to users.

    • J2EE Security role

      These roles support declarative authorization checks. The connector does not support the assignment of these roles to users. These roles need to be managed from the Visual Administrator tool of the J2EE Engine.

    • ABAP authorization role

      These roles are applicable when the SAP UME is configured with an ABAP data source, and they are displayed as groups in the SAP UME. Check whether the SAP UME instance supports these roles; the connector supports their assignment only if the SAP UME instance does.