Symantec IGA

  • 1.  User-Resource Links Invalid - SAP R3 Endpoint

    Posted Aug 01, 2018 03:37 PM
    Hello Guys,
    We are working on CA Identity Governance v12.6.5 integrated with CA Identity Manager v12.6.8.
    We have a SAP R3 endpoint that we would like to import into CA Governance. Currently we are using the default parameter to achieve this, meaning that we are using the default Account Template for SAP Endpoint on Governance. After setting everything up for the import, we run it and it completes successfully. But in the governance log we see a message like the following:
    17:23:32,453 WARN [StringArrayToUserResourceLinkAttributesTransformation] Ignoing invalid User-Resource link, Resource: LMM_MATERIALS_VIEW,SAP R3[EP]SAP_3_Condor,SAPRole[P]SAPRole=LMM_MATERIALS_VIEW,EndPoint=SAP_R3_IM_ENDPOINT,Namespace=SAP R3,Domain=im,Server=Server is missing
    Checking with the client tool, we can see that it imports all the SAP users and all SAP resources, BUT they are not linked. In the import logs it shows that it imports the links, and after that it shows that no links were created. We are able to see the SAP user with the provisioning manager and it shows the SAP Roles related to the users.
    We did technically the same with an Active Directory endpoint and all users and resource links were imported successfully.
    I'm including some pictures for better illustrations.

  • 2.  Re: User-Resource Links Invalid - SAP R3 Endpoint

    Broadcom Employee
    Posted Aug 01, 2018 03:51 PM

    I don't know your issue, but here are a couple of pointers.

    1.  This connector uses a lot of system RAM on the JCS system.  I suggest giving JCS about 12 GB of RAM when importing from SAP.

    2.  It might be helpful to review the JCS logs.  Also, it is helpful to put JCS in debug mode for logging more details.  Just be sure to remember to switch this back to normal logging levels once you finish troubleshooting.  

    3.  If you are running JBoss 5 in clustered mode, make sure cluster database has plenty of space.  

  • 3.  Re: User-Resource Links Invalid - SAP R3 Endpoint

    Posted Aug 01, 2018 04:06 PM

    It seems the DN "EndPoint=SAP_R3_IM_ENDPOINT,Namespace=SAP R3,Domain=im,Server=Server" is not valid. When integrated with IDM, the last part of DN should be something like "dc=eta" in place of "Server=Server". You may want to check your config again.

  • 4.  Re: User-Resource Links Invalid - SAP R3 Endpoint

    Posted Aug 01, 2018 04:29 PM

    Hello Parveen,


    I found that "Server=Server" weird too, then I checked what the unique ID was for my Active Directory resources, and they also have this "Server=Server", for example:


    ADSGroup=ACD,ADSOrgUnit=XXXX Groups,ADSOrgUnit=User Groups,ADSOrgUnit=Domain Users,EndPoint=XXXX AD0004,Namespace=ActiveDirectory,Domain=im,Server=Server


    In the AD case the links are working properly.

    Is there a way to change how IG assigns the Unique ID to remove this "Server=Server" from the string?



  • 5.  Re: User-Resource Links Invalid - SAP R3 Endpoint

    Posted Oct 08, 2018 11:59 AM

    Hi JeanFranco,


    I ran into the same exact situation with the SAP and IDM + IG setup. I am unable to get the resources and account link working. Is it fixed in your case? If so, can you give me some pointers?


    Thanks in advance!!



  • 6.  Re: User-Resource Links Invalid - SAP R3 Endpoint
    Best Answer

    Broadcom Employee
    Posted Aug 12, 2018 09:53 AM


    I think at this point it would be better to continue the investigation with support through a support case.