Hi All,

Good day. We are using SAP UM driver for the user/role provisioning to
the SAP UM system (Single non-cua client).

We see a peculiar behavior where the SAP roles are assigned twice for a
user. let me explain below.

Example: User ID: RM0001 Role: UMZ_APP_001

We have an IDM role and a resource attached to it, the resource has the
entitlement value as UMZ_APP_001.

The scenario is:

The user is already present in SAP system and with the role UMZ_APP_001
with start date in the past and end date as 9999/12/31. The user was not
associated to IDM.

So, when we migrate this user from IDM, the driver is associated the
user (without creating the user as the user already exist in the

Now, when we assign the role in IDM, the driver given below warning and
it adds the same role again with the current date as start date.

Driver log:

DirXML Log Event -------------------
Driver: \KMDIDV\system\driverset1\SAPUM
Channel: Subscriber
Object: \KMDIDV\ABC\users\RM0001
Status: Warning
Message: <description> WARNING : Role UMZ_APP_001 already assigned
: Role assignment to user RM0001 not executed completely. Role
UMZ_APP_001 Added Successfully.</description>

It says the role is already assigned but also it says the role is added
successfully. Becoz of this, the user has the same role 2 entries with
different start dates.

Finally, in SAP UM, we see the same role assigned twice, one with old
date and 2nd with current date.

We have the SAP UM driver implementation since 2014 and we have never
faced this issue earlier. We get this issue from the recent past (2
months back started this issue).

I suspect the issue is from the SAP UM side but not sure. Please help if
we can resolve this from IDM side.

thanks in advance.

nvldk's Profile: https://forums.netiq.com/member.php?userid=8443
View this thread: https://forums.netiq.com/showthread.php?t=57379