Environment
NetIQ Identity Manager 3.6.1
NetIQ Identity Manager 4.0
NetIQ Identity Manager 4.0.1
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Driver - SAP User Management 3.6.5NetIQ Identity Manager Driver - SAP User Management 4.0.0.0
NetIQ Identity Manager Driver - SAP
NetIQ Identity Manager Driver - SAP
SAP 7.3x
SAP NetWeaver 7.3x
Situation
SAP have released SAP 7.3x which have introduced a number of API changes.
This is causing the NetIQ Identity Manager to stop working.
This is causing the NetIQ Identity Manager to stop working.
Until now we have seen the following issues;
1) iDOC publication
- Only directly affected systems are notified when a change happen in SAP, for example iDOC's are not created when roles are assigned to users.
2) BAPI Interface
- "BAPI_USER_CREATE1 : com.novell.nds.dirxml.driver.sapumshim.BapiException: Company address cannot be selected".
- "BAPI_USER_CHANGE : com.novell.nds.dirxml.driver.sapumshim.BapiException: Language key not defined".
- "BAPI_USERLOCACTGROUP_READ —> Message: System QE1CLNT100 is not part of Central User Administration".
Resolution
These two issues have been fixed in IDM 4.0.2 SAP User Driver Version 4.0.0.0 or later
Cause
iDOC Publication
As per information from SAP on SAP NetWeaver 7.0 HP3 (Infrastructure Changes in User Maintenance (Changed)):
Targeted Use of IDocs in Central User Administration
Previously the system sent IDocs for user data, role assignment, and profile assignment to all systems in a CUA landscape, no matter what kind of change you made to the user. Now, when you make changes to user data, such as a role assignment in a given system, the CUA sends the change information only the role assignment IDoc to only the affected systems in the landscape and not all IDocs to all systems.