After integrating SAP IDM with SAP applications, the biggest challenge is importing the new roles from the SAP systems into IDM at a regular interval.

This can be easily achieved with a job of four passes.

  • From Custom pass: ReadNewABAPRoles – Read all the SAP roles from the SAP systems
  • To Generic pass: Enable this pass to interrupt the execution of the job at this point – Stop the job execution, if enabled
  • To Identity Store pass: WriteNewABAPRolePrivileges – Write the new SAP roles to the Identity Store
  • To Identity Store pass: AddTriggersToNewABAPRolePrivileges – Add triggers to the newly created SAP role privileges

Steps-

  1. Create a new job and rename it.
  2. Add the standard scripts sap_core_generateDisplayName and sap_core_stopJobExecution from the provisioning engine package in the Scripts tab.
  3. Add a From Custom pass: Copy the pass ReadABAPRoles from the Initial Load job of the ABAP connector package, rename it, add the repository in the General tab, change the table name (optional) in the Destination tab and enable the delta as per the screenshot below.
  4. Add a To Generic pass: Copy the pass Enable this pass to interrupt the execution of the job at this point from the Initial Load job of the ABAP connector package.
  5. Add a To Identity Store pass: Copy the pass WriteABAPRolePrivileges from the Initial Load job of the ABAP connector package, rename it and modify the table name in the source SQL query to the name given in the ReadNewABAPRoles pass – Destination tab.
  6. Add a To Identity Store pass: Copy the pass AddTriggersToABAPRolePrivileges from the Initial Load job of the ABAP connector package, rename it and modify the table name in the source SQL query to the name given in the ReadNewABAPRoles pass – Destination tab.
  7. Once all the passes have been added, run the job. When running the job for the first time, ensure that the Enable this pass to interrupt the execution of the job at this point pass is enabled.
  8. Observe the job log: a total of 794 entries have been added by the job.
  9. Disable the Enable this pass to interrupt the execution of the job at this point pass and run the job again.
  10. Observe the job log: no entries have been added, modified or deleted by the job.
  11. Importing new roles: Create a few roles in the SAP system and run the job. I have created 4 roles in my SAP system and ran the job again.
  12. Observe the job log: 8 entries have been added (4 in the ReadNewABAPRoles pass and 4 in the WriteNewABAPRolePrivileges pass), 4 entries have been modified (in the AddTriggersToNewABAPRolePrivileges pass) and there is no operation on the 794 existing entries.
  13. This shows that the job successfully created all 4 new SAP roles as privileges in SAP IDM, which can be verified from the SAP IDM UI or with an SQL query.
  14. Now schedule the job so that it reads all new SAP roles at a regular interval.
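The SQL verification mentioned in step 13, as an added example that is not part of the original post. It assumes SAP IDM 8.0 on MS SQL with the public views idmv_entry_simple (columns mcMSKEY, mcMSKEYVALUE, mcEntryType, mcDisplayName) available to the query user, that ABAP role privileges are keyed as PRIV:ROLE:<repository>:<role name>, and that <REPOSITORY_NAME>, <STAGING_TABLE> and <ROLE_NAME_COLUMN> are placeholders for your repository and for the table written by the ReadNewABAPRoles pass; the role names Z_TEST_ROLE_1 and Z_TEST_ROLE_2 are constructed sample values.

```sql
-- Added verification example (not from the original post).
-- Assumptions: SAP IDM 8.0 on MS SQL; the view idmv_entry_simple exists with the
-- column names used here; ABAP role privileges are keyed
-- PRIV:ROLE:<repository>:<role name>; the <...> tokens are placeholders to replace.

-- 1) Count the ABAP role privileges that exist for the repository.
--    After the first run this should match the job log (794 in the post);
--    after the import run with 4 new roles it should be 794 + 4 = 798.
SELECT COUNT(*) AS role_privileges
FROM idmv_entry_simple
WHERE mcEntryType = 'MX_PRIVILEGE'
  AND mcMSKEYVALUE LIKE 'PRIV:ROLE:<REPOSITORY_NAME>:%';

-- 2) Confirm the privileges created for the test roles (constructed names;
--    replace them with the roles you created in the SAP system).
SELECT e.mcMSKEY, e.mcMSKEYVALUE, e.mcDisplayName
FROM idmv_entry_simple AS e
WHERE e.mcEntryType = 'MX_PRIVILEGE'
  AND e.mcMSKEYVALUE IN (
        'PRIV:ROLE:<REPOSITORY_NAME>:Z_TEST_ROLE_1',
        'PRIV:ROLE:<REPOSITORY_NAME>:Z_TEST_ROLE_2');

-- 3) Roles present in the staging table but missing as privileges.
--    After a clean run this returns no rows. If it returns rows, the
--    WriteNewABAPRolePrivileges pass is most likely reading a different table
--    name than the one set in the ReadNewABAPRoles Destination tab.
SELECT s.<ROLE_NAME_COLUMN> AS missing_role
FROM <STAGING_TABLE> AS s
WHERE NOT EXISTS (
    SELECT 1
    FROM idmv_entry_simple AS e
    WHERE e.mcEntryType = 'MX_PRIVILEGE'
      AND e.mcMSKEYVALUE = 'PRIV:ROLE:<REPOSITORY_NAME>:' + s.<ROLE_NAME_COLUMN>);
```

Query 3 is the useful one to keep in a scheduled check, since the job never deletes privileges and a mismatch there is the first sign that the staging and write passes have drifted apart.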

Note – I have set the schedule rule to Midnight; however, it could be any time, preferably outside business hours. The above job will not perform any deletion of privileges from IDM, even if roles have been deleted from the SAP system.

System used:

  • SAP IDM 8.0 SP4 on Windows server
  • MS SQL DB


Regards,

C Kumar
