Reconciliation reports in SAP IDM
With this blog, I want to share my knowledge on how the reconciliation reports can be generated for various ABAP & Java Systems that are integrated with SAP IDM.
In my scenario, we have 5 production clients for which identities & their access is managed from SAP IDM. As a part of audit, my auditors do check the consistency in the identities and their access, between the IDM and the target clients. So, quarterly I have to submit a report which should provide information like
- Users available in target client but not in Identity Store.
- Users available in Identity Store but not in target client.
- Role Assignments available in target client but not in Identity Store.
- Role Assignments available in Identity Store but not in target client.
Then I have made use of the reconciliation jobs that comes with the RDS solution and made my life easy !! 🙂
My solution works like this. Only Auditors & IDM Administrator will have access to the Reconciliation reports folder in IDM UI, from which they can select the target system for which they can generate the reconciliation report themselves. The report will be emailed to requestor’s email ID.
The solution in detail is given below.
I am on IDM 7.2 SP7. I am making use of reconciliation job templates that comes with RDS solution of IDM.
You can get the RDS-solution, from http://service.sap.com/rds-idm but you need SMP login.
The reconciliation job template (ABAP) that comes with RDS looks like below. You can find the reconciliation job for AS JAVA in the AS JAVA folder of the Reconciliation job template.
Create a folder SAPC Reconciliation report and copy the Reconciliation template for the target system. If your target system is ABAP, copy the AS ABAP Reconciliation report template. If Java, copy the AS JAVA Reconciliation report template.
Select the job, go to options tab and configure the repository as shown in the below screenshot.
Similarly do the same for all the reconciliation jobs of the respective repositories. In my case, I have 5 target systems, so I have 5 reconciliation jobs in my SAPC Reconciliation Reports folder as below.
Ensure that the global constant SAPC_PATH_DOWNLOAD is configured and necessary access/sharing permissions are provided on that path. Because, this is the path to which SAP IDM writes the reconciliation report. After the report is generated, the report is selected, emailed and deleted from the path. You can see how the path, where the report is saved is configured in the passes of the reconciliation job in the below screenshot.
Now, the reconciliation jobs are ready !! These jobs can be run now from management console on click of Run Now button in the options button of the tab. This will generate the report and saves it in the path configured.
But I want to let the auditors generate the report themselves. So, we will create an ordered UI task and the attributes are selected as shown below.
In the above screenshot, I have selected one attribute called SAPC_REQ_RECONREPORT which is a custom attribute which will list the jobs that are available in the SAPC Reconciliation reports folder.
The configuration of the attribute is done as below.
I have created a privilege Z_MX_PRIV:RECONCILEREPORT and restricted the access only to this privilege. Users who want access to this reconciliation reports should be assigned with this privilege.
The screenshot for the access control tab of the UI task is given below.
Under the Reconciliation Report UI task, I have configured 3 jobs as shown below.
Job 1: Trigger the reconciliation job – The respective job selected in IDM UI will be triggered and the report is generated and will be saved to path defined the global constant. I have used a custom script Z_SAPC_triggerjob (slightly modified script of sapc_triggerjob). The screenshot of the destination tab of this job is given below.
Job 2: Wait for report creation – This job will make the system to sleep for 2 mins and give time for reconciliation job to be completed. The sleep time can be adjusted based on your requirement. The screenshot of this job is given below and a script sleep60seconds is used to make the system to sleep for 60 seconds so that reconciliation job can complete its execution.
Job 3: Send report via email – This job will attach the html report to the mail and send a mail to the requestor email id. The requestor should have email ID configured in IDM system. In this job, I have used a custom script Z_SendReportMail (slightly modified script of sapc_sendreport)
Ensure that all the jobs and passes are enabled. Dispatchers are configured.
Now let’s have a look at UI !! Following is the screenshot of the Reconciliation report task. In the below screenshot all the available reconciliation reports are listed.
Select the report that has to be executed and click on the Generate report. The report will be emailed to the requestor’s email ID. To be clear, the same has given as a note as highlighted in screenshot.
Check the inbox and you should receive a mail with the report.
THis post is really appreciable. Nicely narrated...
Thanks Dileep 🙂 !!
Thansk a lot for sharing!
Welcome Michael 🙂 !!
As discussed, I started looking into SCN for IdM knowledge. Its very helpful. This blog or urs is really gud.
I tried the same job but the report has all weird results. Users in "Role Assignments available in Identity Store but not in target client" already has that role assigned in SAP. like wise users in "Role Assignments available in target client but not in Identity Store" doesnt have that role in both client and Identity store. Not sure if it is something to do with my database.
In my case eveything is fine. This could be problem with your database.
You must be doing it in your sandbox/development where usually data is messed up.
Clean up the data for the repository and try to run the report and see if it could help.
All the best !!
Check the dates on the roles in SAP vs IDM. I've had issues with the RDC reports where it didn't cope with things like open-ended dates.
Nice document Krishna, does this only work for 7.2 version or also work on earlier versions?
These reports I reused from RDS solution which is released on IDM 7.2 SP4. For the later version of it, it works well.
For the earlier versions of 7.2, i presume it works, if not may be minor errors which can be fixed.
I don't think so if these works for 7.1 as there is change in database schema from 7.1 to 7.2
I would like implement this report in our system but if I follow the link and download the package (50129413) I can not find a mcc-file or another template for import.
Is it still available?
Thanks and best wishes
Take a look at this link:
Krishna, SAP files should only be distributed from SAP, not from any external site without SAP's permission.
thanks a lot. I will check it.