Reconciliation reports in SAP IDM
In this blog I want to share how reconciliation reports can be generated for the various ABAP and Java systems that are integrated with SAP IDM.
In my scenario, we have 5 production clients whose identities and access are managed from SAP IDM. As part of the audit, my auditors check that the identities and their access are consistent between IDM and the target clients. So, every quarter I have to submit a report that provides information such as:
- Users available in target client but not in Identity Store.
- Users available in Identity Store but not in target client.
- Role Assignments available in target client but not in Identity Store.
- Role Assignments available in Identity Store but not in target client.
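The four sections above are set differences between what the Identity Store records and what is read back from the target client. As an added illustration (not the RDS job's own code; the record shape and sample data are constructed here), this is the comparison in plain JavaScript, the language of IDM scripts:

```javascript
// Added example: the four reconciliation checks as set differences.
// Not the RDS job's code; record shape and sample data are constructed here.

// Constructed sample: what the Identity Store believes about one target client
const identityStore = [
  { user: "JSMITH", roles: ["Z_FI_DISPLAY", "Z_MM_BUYER"] },
  { user: "AKUMAR", roles: ["Z_HR_ADMIN"] },
  { user: "ORPHAN1", roles: [] },               // exists in IDM only
];

// Constructed sample: what was read back from the target ABAP client
const targetClient = [
  { user: "JSMITH", roles: ["Z_FI_DISPLAY", "Z_BASIS_LOCAL"] }, // extra local role
  { user: "AKUMAR", roles: [] },                                // assignment missing
  { user: "LOCALADM", roles: ["SAP_ALL"] },                     // created outside IDM
];

// Flatten a list of {user, roles} into a set of "USER|ROLE" assignment keys
function assignmentKeys(records) {
  const keys = new Set();
  for (const r of records) {
    for (const role of r.roles) keys.add(`${r.user}|${role}`);
  }
  return keys;
}

// Elements of a that are not in b, sorted so the report is deterministic
function difference(a, b) {
  return [...a].filter((x) => !b.has(x)).sort();
}

// Produce the four report sections listed in the post
function reconcile(idmRecords, targetRecords) {
  const idmUsers = new Set(idmRecords.map((r) => r.user));
  const tgtUsers = new Set(targetRecords.map((r) => r.user));
  const idmAssign = assignmentKeys(idmRecords);
  const tgtAssign = assignmentKeys(targetRecords);
  return {
    usersOnlyInTarget: difference(tgtUsers, idmUsers),
    usersOnlyInIdm: difference(idmUsers, tgtUsers),
    rolesOnlyInTarget: difference(tgtAssign, idmAssign),
    rolesOnlyInIdm: difference(idmAssign, tgtAssign),
  };
}

const report = reconcile(identityStore, targetClient);
console.log(JSON.stringify(report, null, 2));
```

Anything in the "only in target" sections (here the locally created LOCALADM with SAP_ALL and the extra Z_BASIS_LOCAL role) is exactly what the auditors are looking for, since it was granted outside IDM.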
So I made use of the reconciliation jobs that come with the RDS solution, which made my life easy !! 🙂
My solution works like this. Only the auditors and the IDM administrator have access to the Reconciliation Reports folder in the IDM UI, from which they can select the target system and generate the reconciliation report themselves. The report is then emailed to the requestor's email ID.
The solution in detail is given below.
I am on IDM 7.2 SP7 and I am making use of the reconciliation job templates that come with the RDS solution for IDM.
You can get the RDS solution from http://service.sap.com/rds-idm, but you need an SMP login.
The reconciliation job template for ABAP that comes with RDS looks like the screenshot below. You can find the reconciliation job for AS JAVA in the AS JAVA folder of the reconciliation job template.
Create a folder named SAPC Reconciliation report and copy the reconciliation template for the target system into it. If your target system is ABAP, copy the AS ABAP Reconciliation report template; if it is Java, copy the AS JAVA Reconciliation report template.
Select the job, go to the Options tab and configure the repository as shown in the screenshot below.
Do the same for the reconciliation jobs of all the other repositories. In my case I have 5 target systems, so I have 5 reconciliation jobs in my SAPC Reconciliation Reports folder, as shown below.
Ensure that the global constant SAPC_PATH_DOWNLOAD is configured and that the necessary access/sharing permissions are granted on that path, because this is the path to which SAP IDM writes the reconciliation report. After the report is generated, it is picked up from this path, emailed and then deleted. You can see in the screenshot below how the path where the report is saved is configured in the passes of the reconciliation job.
Now the reconciliation jobs are ready !! They can be run from the Management Console by clicking the Run Now button on the Options tab of the job. This generates the report and saves it to the configured path.
But I want to let the auditors generate the report themselves. So we create an ordered UI task and select the attributes as shown below.
In the screenshot above, I have selected one attribute, SAPC_REQ_RECONREPORT, a custom attribute that lists the jobs available in the SAPC Reconciliation reports folder.
The attribute is configured as shown below.
I have created a privilege Z_MX_PRIV:RECONCILEREPORT and restricted access to the task to this privilege. Users who need access to the reconciliation reports must be assigned this privilege.
The screenshot for the access control tab of the UI task is given below.
Under the Reconciliation Report UI task, I have configured 3 jobs as shown below.
Job 1: Trigger the reconciliation job – The job selected in the IDM UI is triggered, and the report is generated and saved to the path defined in the global constant. I have used a custom script Z_SAPC_triggerjob (a slightly modified version of sapc_triggerjob). The screenshot of the Destination tab of this job is given below.
Job 2: Wait for report creation – This job makes the system sleep for 2 mins to give the reconciliation job time to complete. The sleep time can be adjusted to your requirement. The screenshot of this job is given below; a script sleep60seconds is used to make the system sleep for 60 seconds so that the reconciliation job can complete its execution.
Job 3: Send report via email – This job attaches the HTML report to a mail and sends it to the requestor's email ID. The requestor must have an email ID configured in the IDM system. In this job, I have used a custom script Z_SendReportMail (a slightly modified version of sapc_sendreport).
Ensure that all the jobs and passes are enabled and that the dispatchers are configured.
Now let's have a look at the UI !! The following screenshot shows the Reconciliation report task; all the available reconciliation reports are listed.
Select the report that has to be executed and click on Generate report. The report will be emailed to the requestor's email ID. To make this clear, the same is stated in a note, highlighted in the screenshot.
Check your inbox and you should receive a mail with the report attached.