Hi,
I'm on NW IDM 7.2 SP9, absolute latest patch levels, Windows 2012 / MS SQL 2012. I have the latest SAP Provisioning Framework Version 2 loaded.
In all the documentation I read on the topic of writing back permanent passwords to a NW AS ABAP when a user is newly created in the IDM Admin UI, it says I need to configure SNC.
For me that is not a straightforward proposition, as it appears complex and ambiguous in the docs I find (and I need to be aware that my situation is half-way through an SSO implementation, so there is that with the SNC/... insecure settings for the NW AS ABAP, but I digress), and I've never done it and have no security consultant help. But I'm a long-time-ago Basis certified person, so I know where to look and can try some things :-).
So, I tried being lazy and provisioned a user without SNC configured between the NW IDM AS Java and the NW AS ABAP I am testing with.
Of course the password appears not to arrive in the NW AS ABAP, as the doc warns me it won't without SNC.
In general my setup (NW IDM on NW AS Java <-> NW AS ABAP) works fine: I can get users from the ABAP system, and add and remove them from there by driving this from IDM using the privileges and the SAP Provisioning Framework setup.
Here are my questions about this if any of you are game to explain:
- How does the NW IDM AS Java know the link is not encrypted with SNC, or does it not?
- How does NW IDM decide not to send a permanent password? (Yes, I've done the mods to make that work in IDM and the NW AS ABAP authorizations, as blogged about in other posts.)
- Does that even matter? Is SNC just a precaution to encrypt the traffic for productive setups, so I could do my testing without it in my lab systems?
- When I fill in the password (twice, of course) in the NW IDM Admin UI, and the "password disabled" checkbox in the UI is not ticked, does this mean the user record in IDM is indeed not password disabled? Or, if the user record is, should this checkbox be checked?
- The provisioning step goes and indeed creates the user in the NW AS ABAP, but in there, in the SU01 Logon Data tab, it indeed shows the password as deactivated. In my log it says "sap_abap_handlePasswordDisabled: password could not be activated because there was no password defined for user <xyz>". How can this be? The password is clearly set in the UI.
- Does the UI set encrypted passwords automatically, or do I need to modify something somewhere for that to happen?
- I read a lot of posts on this MX_PASSWORD_DISABLED setting. How do I find out which one of my test users has this? Many posts say I need to check, but I didn't read how.
I've also read various posts in this community about turning off the password disabled check in the create and modify ABAP jobs during initial loads, but that seems odd to me; shouldn't the SAP Provisioning Framework just work after all this usage and feedback in the field over the years?
I want to avoid reading an ABAP server user set and then ending up disabling passwords when I modify them in IDM, which right now, to my uninitiated knowledge, seems to be a problem I might have (but I will do some more testing in the lab to see).
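The post asks how to find out which test users carry the MX_PASSWORD_DISABLED attribute. One way to check is to query the identity store directly on the IDM database rather than clicking through the Admin UI. This is an added example, not part of the original post and not code from SAP or the Provisioning Framework; it assumes the standard IDM 7.2 single-value attribute view `mxiv_sentries` with columns `mskey`, `attrname` and `avalue`, and that the logon ID is stored in `MSKEYVALUE`. Verify the view and column names against your own schema before relying on it.

```sql
-- Added example (assumption: mxiv_sentries exposes mskey / attrname / avalue).
-- Lists every identity whose MX_PASSWORD_DISABLED attribute is set, together
-- with the value, so the ABAP "password deactivated" state can be compared
-- against what IDM itself holds for the user.
SELECT id.avalue    AS logon_id,
       pd.avalue    AS password_disabled
FROM   mxiv_sentries pd
JOIN   mxiv_sentries id
       ON  id.mskey    = pd.mskey
       AND id.attrname = 'MSKEYVALUE'
WHERE  pd.attrname = 'MX_PASSWORD_DISABLED'
ORDER  BY id.avalue;

-- Narrow to a single test user when checking one provisioning run
-- (replace TESTUSER01 with the logon ID you created in the Admin UI).
SELECT pd.attrname, pd.avalue
FROM   mxiv_sentries pd
JOIN   mxiv_sentries id
       ON  id.mskey    = pd.mskey
       AND id.attrname = 'MSKEYVALUE'
WHERE  id.avalue   = 'TESTUSER01'
AND    pd.attrname IN ('MX_PASSWORD_DISABLED', 'MX_ENCRYPTED_PASSWORD');
```

Run it with a read-only database account; if the second query returns no MX_ENCRYPTED_PASSWORD row for a user you just created, that matches the "no password defined for user" message in the log and points at the password never reaching the identity store rather than at the SNC link.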