Hi forum!
I’m using One Identity Manager 9.1. At the end of the first synchronization of an SAP Environment, I can see that some SAPUSerINSAProle_Delete processes are triggered.
For this SAP Connector I used a custom template I saved from a previous SAP connector configuration. It is a customized version of the Base administration template of SAP Connector. It simply contains some mappings disabled on SAP user and some disabled workflows of synchronization and provisioning.
I checked these Processes and they have been triggered after the user ‘SAP_ZUserInSAPRole’ updated the XIsInEffect field of the objects in SAPUserInSAPRole, setting the field as False.
Only a group of roles have been updated and deleted for a group of user accounts.
I checked these memberships, and the removed ones are ‘redundant’. This happened only for some users.
Example:
User X has 200 role memberships. 10 single roles have been updated with XIsInEffect = ‘FALSE’ after synchronization.
If I check those single roles, they are part of two different composite roles assigned to User X.
So now the user has 200 role memberships in One Identity, 10 of them are ineffective and only 190 role memberships are found in the target system due to the delete processes.
I checked the Config Parameters:
QER\Structures\Inherite\GroupExclusion = 1. No exclusion is defined in SAP Exclusion tables.
TargetSystem\SAPR3\KeepRedundantProfiles = 1. This means that redundant roles are kept and not removed.
Has anyone ever experienced such a problem?
Thank you,
Enrico.