Saw an interesting issue recently where we did an initial load from an ECC system to IDM in the DEV environment. After the load was executed the security group received several calls and emails about users who lost their access to various DEV SAP systems.
Needless to say, this had me a little concerned.
Ultimately we found out that role assignments were being re-written for all users and that certain types of roles were being overwritten.
During the postmortem process we discovered that there were some issues with Z* roles and Y* roles, so I put filters in place to make sure that we never processed the Y* roles, which were basically escalated roles conferred through GRC Firefighter. This made sure that we were not trying to “update” them, but we still had a few small issues. What it came down to is that we needed to make sure that when we executed the initial load, no existing user would be updated.
Using the “.” prefix on the WriteABAPUsersProfilePrivilegeAssignments and the WriteABAPUsersRolePrivilegeAssignments meant that we would write IDM privilege information from the initial load for new users only. This let the IDM/Security team run initial loads to bring in the new Security roles that we needed while keeping the accounts of our development team safe from being overwritten. We will need to create something a little more flexible for Production, but this got us through an important part of the project.
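As an added example (not code from the original post or from SAP IDM), here is a small pre-flight check that models the two controls described above before a load is actually run: a filter that drops Y* (Firefighter) roles, and the "write for new users only" behaviour of the "." prefix. It diffs the incoming assignments against what the identity store already holds and reports every role or profile an existing user would lose. The user names, role names and identity-store contents are constructed sample data, and `planInitialLoad` and `loadIsSafe` are hypothetical helper names, not SAP IDM APIs.

```javascript
// Added example: pre-flight check for an SAP IDM initial load.
// Models (1) a filter that excludes Y* roles and (2) the "." prefix rule,
// under which assignments are written only for users that do not yet exist
// in the identity store. Reports which existing users would lose access
// if the load were run without those controls. Helper names are hypothetical.

// Constructed sample: what the identity store currently holds.
const SAMPLE_STORE = {
  DEVUSER1: { roles: ['Z_DEV_ABAP', 'Z_DEV_DEBUG'], profiles: ['SAP_ALL'] },
  DEVUSER2: { roles: ['Z_DEV_ABAP'], profiles: [] },
};

// Constructed sample: assignments as read from the source ECC system.
const SAMPLE_LOAD = [
  { user: 'DEVUSER1', roles: ['Z_DEV_ABAP', 'Y_FF_EMERGENCY'], profiles: [] },
  { user: 'DEVUSER2', roles: ['Z_BASIS_DISPLAY'], profiles: ['S_A.SYSTEM'] },
  { user: 'NEWUSER1', roles: ['Z_SEC_ROLE', 'Y_FF_EMERGENCY'], profiles: [] },
];

// Role name patterns that must never be processed by the load.
// Y* roles are the escalated GRC Firefighter roles from the post.
const EXCLUDED_ROLE_PATTERNS = [/^Y/];

// Drop roles that match any excluded pattern.
function filterRoles(roles) {
  return roles.filter((r) => !EXCLUDED_ROLE_PATTERNS.some((p) => p.test(r)));
}

// Which entries of `before` are missing from `after`, and vice versa.
function diffList(before, after) {
  return {
    lost: before.filter((x) => !after.includes(x)),
    gained: after.filter((x) => !before.includes(x)),
  };
}

// Build a plan of what the load would do without touching the store.
// options.newUsersOnly models the "." prefix: existing users are skipped.
function planInitialLoad(store, load, options) {
  const newUsersOnly = Boolean(options && options.newUsersOnly);
  const plan = { created: [], updated: [], skipped: [], lostAssignments: [] };

  for (const entry of load) {
    const roles = filterRoles(entry.roles);
    const profiles = entry.profiles.slice();
    const existing = store[entry.user];

    if (!existing) {
      // New user: written in both modes.
      plan.created.push({ user: entry.user, roles, profiles });
      continue;
    }
    if (newUsersOnly) {
      // "." prefix semantics: never rewrite an existing user's assignments.
      plan.skipped.push(entry.user);
      continue;
    }
    // Unguarded mode: the source replaces whatever the store has.
    const roleDiff = diffList(existing.roles, roles);
    const profileDiff = diffList(existing.profiles, profiles);
    plan.updated.push({ user: entry.user, roles, profiles });
    for (const name of roleDiff.lost) {
      plan.lostAssignments.push({ user: entry.user, kind: 'role', name });
    }
    for (const name of profileDiff.lost) {
      plan.lostAssignments.push({ user: entry.user, kind: 'profile', name });
    }
  }
  return plan;
}

// The load is safe to run only if no existing user loses an assignment.
function loadIsSafe(plan) {
  return plan.lostAssignments.length === 0;
}

// Stand-alone run: compare both modes on the constructed sample.
for (const newUsersOnly of [false, true]) {
  const plan = planInitialLoad(SAMPLE_STORE, SAMPLE_LOAD, { newUsersOnly });
  console.log(`newUsersOnly=${newUsersOnly} safe=${loadIsSafe(plan)}`);
  for (const lost of plan.lostAssignments) {
    console.log(`  ${lost.user} would lose ${lost.kind} ${lost.name}`);
  }
}
```

Running the unguarded plan on the sample shows exactly the failure mode from the post: DEVUSER1 would lose a Z* role and a profile, and DEVUSER2 would lose its Z* role, because the source's assignment list replaces the store's. With `newUsersOnly` set, only NEWUSER1 is written, with the Y* role already filtered out, and the check passes. In a real job the same diff can be produced from the extracted source file and a dump of the target identity store before the load is scheduled.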