SAP Community - SAP Identity Management

Error Provisioning roles from IdM to HANA repositories - The provided input is not valid design time

2025-08-06T11:12:18.072000+02:00

Hello All,

I have been trying to assign few roles to users from IdM to HANA repositories but received error stating that The provided input is not valid design time role. I can assign the role manually in HANA system.

Could you please check and help me out.

Thank you!!

IAS- Notification for Migrated users from External Sites - Learning only-user

2025-08-28T12:42:12.559000+02:00

Hi I would like to ask: if email notifications are enabled in IAS, when the ReadJob is executed for the users migrated from Learning, will they receive a notification to activate their accounts?

create 2 source system in IAS: SF for user provisioning and ENTRA for Group Provisioning

2025-09-04T08:35:49.801000+02:00

Dear All,
I am seeking assistance with combining multiple sources to a single target, IAS, using automated triggers. Users will be imported from SuccessFactors, and groups will be created and provisioned from ENTRA. However, upon investigation, I have found that the assignment of these groups to users in IAS is not occurring.

Specifically, the groups are being created, but the users are not being assigned to them in IAS. I am curious to know if anyone has encountered this issue before and has any guidance on resolving it.

Best regards,

SAP IDM: Digit change on EntryId causes selection of further data

2025-10-01T13:24:05.257000+02:00

Dear Gurus,

I have a question regarding the SAP IDM Url, why is it possible to see the other entries by changing the digits on the EntryId in the browser, is there a possiblity to mask the EntryId?

Below is the output of my browser when I am logged in as Admin User in our SAP IDM and looked for a colleague to change his values.

http://localhost:50000/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/EditTask?TaskId=1643&EntryId=43408#

The out put of the Values are Mr. X with the company details etc.

But when I change the last digits of the above url to 9 instead of 8, I am able to see the other entries.

http://localhost:50000/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/EditTask?TaskId=1643&EntryId=43409#

For a IDM Admin shouldn't be the problem but for other normal users should be limited. Is there a possiblity to limit the view or the access to avoid these kind of view?

Looking forward to hear from you

Business event definition error for MCP task

2025-10-14T07:49:58.432000+02:00

Hi All,

when providing the 'agent of control performance' in the 'requested end' tab of MCP task , there is a binding error as attached. However, when the binding is changed to agent of escalation, there is no binding error.

But the reminder(requested end') should be sent to agent of control performance. please guide as how to

BR, plaban

We have now uploaded the standard ruleset into IAG And able to run an SOD report against S4 Hana

2025-10-30T00:22:43.127000+01:00

We need to now set up MITIGATION CONTROLS for open SODs — meanwhile the business and audit want to see underlying actions and permissions mapped with each Risk Id . How do I provide that information ?

How to check SOD for Digital Manufacturing?

2025-10-30T20:51:16.899000+01:00

We do not have IAG Bridge to connect to SAP GRC. Is there any other way to Implement SOD checks for SAP Digital Manufacturing ?

Any recommedations and tools ?

How can I replicate the passwords defined in SAP IAS to my destination system

2025-11-05T00:22:07.991000+01:00

I'm using IAS as the source and S4HANA on-premise as the target, and I've already implemented user replication.

However, I'm having a problem. I want to use the same password that each user has defined in SAP IAS so they can log into the S4HANA system, but I haven't been able to. The only thing I see in the transformations default code indicates that a random password is created with certain requirements, such as character count, uppercase and lowercase letters, etc.

Does anyone know if this is possible?

If it is, could you guide me on the configuration I should change?

SAP Auth and Security Project work / Implementation

2025-11-17T08:20:27.729000+01:00

Hi Security Team,

I’ve been working as an SAP Authorizations & Security Consultant for the past nine years, primarily supporting ECC environments and managing day-to-day user access operations. I’m now looking to broaden my expertise beyond BAU activities and deepen my knowledge in areas such as:

SAP GRC implementation
Rule set design and optimization
SAP role-build methodologies and best-practice frameworks
Overall project-based security design and governance

If anyone could recommend tools, materials, frameworks, or learning paths that would help strengthen my understanding of these project-focused areas, I would really appreciate it.

Thank you in advance.

IAS User Mail

2025-11-24T23:20:32.916000+01:00

Hello everyone,

some of my users are provisioned from Azure → IAS, while others are created locally in IAS.

What options are available to send activation/verification emails to both types of users (no mail server is configured)?

Many Thanks

Best Regards

SAP BTP Integration Suite Cloud to SAP S4 Private Cloud

2025-11-30T18:21:37.643000+01:00

Dear All,

Good Day!

Is there any documentation/steps to integrate SAP BTP Integration Suite Cloud to SAP S4 Private Cloud via Oauth2.0 Bearer Token.

Am not finding any documentation from SAP.

Thanks and Regards,

Rajesh PS

Error: While connecting from SAP BTP Integration Suite to SAP S4 Cloud Odata

2025-11-30T19:42:29.722000+01:00

Hello Team,

I'm getting below error while connecting from SAP BTP Integration Suite Cloud to SAP S4 Cloud Odata service.

"com.sap.gateway.core.ip.component.odata.exception.OsciException: HTTP Request failed with error : <HOST>: No address associated with hostname, cause: java.net.UnknownHostException: <HOST>: No address associated with hostname"

Thanks and Regards,

Rajesh PS

Add Indexes in SQL DB SAP IDM

2025-12-09T17:31:33.318000+01:00

Simple question here

is it ok or permit to add indexe on some tables like these on sql DB IDM

MXI_link_audit
mxi_entry
MXP_AUDIT
JOB_EXECUTION

SAP IAS Admin Console

2025-12-09T20:09:22.861000+01:00

Hello everyone,

What would be the best way to secure the SAP IAS Administration Console?

Is it a good idea to restrict access to a specific IP range (e.g. only the company network)? I’m concerned about locking myself out in case the IP address changes.

Or would it be better to implement 2FA for an admin group containing all admins? In that case, there’s also the risk of locking myself out.

I would appreciate your experiences and tips!

Many Thanks

Best Regards

SAC SSO: Merging existing users without losing content

2025-12-18T07:38:29.547000+01:00

Hi Experts,

we have IAS configured as a proxy. Users are provisioned from a custom IdP to IAS and then created dynamically in SAC (attribute = User ID) via SSO .

In SAC, there are already manually created users with existing content.
The SSO users and the manually created users in SAC have different User IDs, which is historical.

Our goal is to switch fully to SSO and replace or merge the existing SAC users without losing user content (stories, private objects, settings).

Currently, we face the following issues:

SAC does not allow duplicate email addresses when a new SSO user is created (different User ID, but same email address).
When we assign roles manually in SAC to an SSO user, they are removed at the next login.

Our questions:

What is the recommended approach to dynamically create SSO users in SAC and transfer or replace existing content from the old user to the new SSO user?
Is there a simple or supported way to migrate or merge existing SAC users with the new SSO users?
How are Owner property handled when SSO is activated, and what should be considered to avoid issues with access or content ownership?

Thank you very much for your help and experience.

Best regards

High-skip Audit numbers in Audit table

2026-01-14T04:53:37.784000+01:00

Hi All, in IDM 8 there is a very high increase in Audit numbers in the mxp_audit table. i.e 100000 numbers have been skipped twice. This has happened after the Audit tables were cleaned up due to Audit overflow.

Please suggest as to why this skip has happened

Regards

Plaban

Should Financial Platforms Assume User Understanding — or Technically Prove It Before Execution?

2026-01-16T22:25:49.594000+01:00

Across financial, enterprise, and transactional systems, most platforms still rely on a critical assumption:

That a user’s identity verification and acceptance of terms implies understanding.

From a systems-design perspective, this assumption feels increasingly fragile.

In high-impact workflows — payments, financial commitments, contract execution, irreversible actions — identity alone does not establish comprehension, intent, or informed consent. Yet most platforms treat it as sufficient.

My question is architectural, not philosophical:

• Should platforms remain passive recorders of identity and clicks?
• Or should they actively enforce verified comprehension before allowing execution?
• If so, where should that verification live — UI layer, middleware, or as a system-of-record?
• How would such a model integrate with existing enterprise identity, audit, and compliance frameworks?

I’m interested in how SAP architects and enterprise developers think about this tradeoff as systems move toward higher automation, AI-driven decisions, and irreversible digital actions.

Is “assumed understanding” still defensible at scale — or is it a design gap waiting to be formalized?

Azure name and family name routing

2026-01-20T09:13:52.518000+01:00

Hi,

We have apps deployed to cloud foundy on a global account.
We have apps both in a space and in the HTML 5 repo.
We sometimes use a dedicated approuter and sometimes we deploy our own.

We have app users that connect using an Azure trust configuration in the subaccount.
We also have platform users using SAP's default IDP to login with an S-user.
This means that when a user wants to use an app or login to BTP cockpit he needs to choose which authentication to use, SAP's default identity provider or the Azure connection.

I was asked to allow users to login without having to make this selection.
I setup and IAS trust configuration and inside the IAS I defined the Azure IDP and routing based on email hostname.
Now users are greated by the IAS login and when they input their azure email it redirects them to login using azure and when platform users use their email they login directly through IAS versus the users' creds I defined in the IAS.

The problem:
All our apps get data about the currently logged in user(to the app) via the approuter's /userinfo.
Now after setting up the IAS and the routing, if i log in as an Azure user i see in the devtools im not getting name and family name in the /userinfo any more, only email information.
I tried all orts of manipulations in the IAS but i cant see to get it to display name and family name like it does with a direct azure trust configuration.
Is there any IAS configuration solution to this issue or must we modify all our apps?

Best Practice for Managing Business Role Changes After an Upgrade

2026-01-22T14:03:24.158000+01:00

Dear community,

what is in your opinion the best way to manage the changes after an upgrade in consideration of transports of software collections?

At the moment it seems for me, you have to maintain the changes two times with a 3 landscape system:

1. Update the business roles in Test system to make the changes available for testing the release

2. Update the business roles in Q system again after the release was deploy to Q and Productive System to transport the changes with the software collection to all 3 systems

Is this the correct procedure? Is there a better way which I am missing?

thank you for your inputs,

kind regards

Regina

IAS and Onboarding

2026-01-27T05:40:49.244000+01:00

Hi there

Is there anywhere in SAP documentation that it mentions IAS set up is mandatory for ONB? Or the best practice approach is to enable IAS for Onboarding authentication for external users?

SAP support have provided advice that it is NOT recommended to enable IAS for ONB, which I thought was mandatory for ONB? @Gopinath_Murugaiyan are you able to confirm what is best practice when it comes to ONB and IAS and login method for external hires? Should IAS be enabled for onboarding or should it not (i.e. utilise the standard email in SF ONB Email Services)?

Thanks