The Business Add-In (BAdI) for Repository object synchronization is a new feature introduced for SAP Access Control 10.0 Support Package 24 and 10.1 Support Package 15. It customizes the way standard Repository object synchronization is executed. You can use this BAdI for all types of connectors, but its main power lies with systems containing a huge amount of data, such as a portal. In a portal system, a minimum of two to three days is required to synchronize the complete data. Companies that are using portal systems are already aware of this pain if they have a huge amount of data. This BAdI can help synchronize partial data based on need, reducing the complete synchronization time.  

Structure of Standard Repository Object Synchronization and Challenges

  The Repository object synchronization program is responsible for user, role, and profile synchronization. Figure 1 displays the standard screen of the Repository object synchronization program. Figure 1 shows the options for a synchronization job for Profile, Role, and User. The selection of the User option leads to the automatic selection of Profile and Role. The selection of Role leads to the automatic selection of Profile. There is no way to remove this dependency so that you could select any of these check boxes individually without affecting others from the screen. However, you can execute the individual programs for these objects: GRAC_ROLEREP_USER_SYNC, GRAC_ROLEREP_ROLE_SYNC, and GRAC_ROLEREP_PROFILE_SYNC.  

Structure of Standard User Synchronization

  The user synchronization program corresponds to the User check box in Figure 1 and consists of the following includes:

1. User synchronization (synchronization of user details)
2. User profile synchronization
3. User pd-profile (structural authorizations) synchronization
4. User role synchronization
5. User org level data synchronization
6. User permissions synchronization

Like the Repository object sync program, there is no way you can skip any of the above includes for user sync. Sometimes, a company might not have organization-level data, user permissions, or user-profile data that needs to be synchronized. In the standard program, even though there is nothing that needs to be synchronized—say user-org-level data—the code is still executed. This is especially the case for a portal system in which a web service is executed to retrieve this data. It is time consuming to make such calls even though they are not needed. To overcome these challenges, SAP developed a BAdI so that users have more flexibility in executing synchronization programs. It allows users to skip some of the pieces (such as user, role, and profile) in the standard Repository object synchronization program that they do not require. This BAdI further provides a customized way to execute a user-synchronization program so that you can skip any of the includes inside the user-synchronization program that you do not need.  

What It Is

  The BAdI for Repository object synchronization (GRAC_REP_OBJ_SYNC_RESTRICT) is a new feature introduced in SAP Access Control 10.0 and 10.1 that is responsible for customizing the way the standard Repository object synchronization program is executed. With the enhancement spot you can add your code in standard ABAP code without the need for an access key, which implies that the standard code is not disturbed. Enhancement spot ENH_GRAC_REP_OBJ_SYNC has been provided for users to implement in their system and to customize the parameters provided with BAdI GRAC_REP_OBJ_SYNC_RESTRICT based on their requirements. These parameters are considered when the BAdI is implemented and the values have been set as needed. Otherwise, standard functionality works. The standard screen does not change and these parameters are effective only when the standard behavior is overridden by using the EV_OVERRIDE parameter provided in the BAdI. This BAdI (GRAC_REP_OBJ_SYNC_RESTRICT) is delivered in Support Package 15 for 10.1 and Support Package 24 for 10.0. Users who have a Support Package equal to those mentioned above have this BAdI in their systems. Users with a Support Package lower than mentioned can get the BAdI by implementing SAP Note 2307792 in their systems.

Options Provided by the BAdI

Figure 2 shows the structure of the BAdI. The following parameters of Boolean type (True/False) have been provided as part of method RESTRICT_REP_SYNC_DATA: CHANGING: CV_USER: Execute/Skip user sync CV_ROLE: Execute/Skip Role sync CV_PROFILE: Execute/Skip Profile sync EXPORTING: EV_USER_ROLE: Execute/skip sync for User-Role relationships EV_USER_PROFILE: Execute/skip sync for User-Profile relationships EV_USER_PDPROFILE: Execute/skip sync for User-Pdprofile relationships EV_USER_ORG: Execute/skip sync for User-Org level data EV_USER_PERMISSIONS: Execute/Skip sync for user permissions EV_OVERRIDE: Used to specify if standard behavior is to be overridden

Additionally, an importing parameter IT_CONNECTOR of type GRFN_T_CCICONNECTOR_RANGE has been provided to store the connector name that is entered by the user on the Repository object synchronization screen. Although the type is connector range, it works for only one system at a time. Ensure that only one connector is passed to make the BAdI work correctly.

Note Be cautious when choosing to run these synchronization programs (User, Role, and Profile) independently of each other as these programs might lead to inconsistencies in the system if they are not executed correctly. For example, if you have a new role in the portal system and you skip Role Synchronization and execute only User Synchronization when the same role is assigned to a user, you end up with inconsistencies in your system. The new role is not in GRC specific tables (GRACRLCONN), but there is an entry in GRACUSERROLE. You can detect this inconsistency by checking the existing assignments for that user in SAP NetWeaver Business Client (NWBC). When you click that Role name in existing assignments, it does not open. Use this BAdI carefully, keeping in mind the required synchronization. If you end up in an inconsistent state, then run a full synchronization by selecting all check boxes (Profile, Role, and User) to bring back the system to its usual consistent state.

Steps to Implement Enhancement Spot ENH_GRAC_REP_OBJ_SYNC

Follow these steps to implement the enhancement spot.

1. Execute transaction code SE19. In the Create Implementation section of the screen the system displays (Figure 3), select the New BAdI radio button. Enter ENH_GRAC_REP_OBJ_SYNC in the Enhancement Spot field. Click the Create Impl. button to open the screen in Figure 4. 2. In Figure 4, enter a name in the Enhancement Implementation field (for example, ZGRAC_REP_OBJ_SYNC_IMPL). In the Short Text field enter a description, such as ‘Implementation of GRAC_REP_OBJ_SYNC_RESTRICT, and confirm by clicking the enter icon (the green checkmark). 3. In the Attributes section of the pop-up dialog screen (Figure 5), specify the name of the development package in the Package field and in the Person Responsible field enter a name for the person responsible for the transport request if you need to transport this BAdI further in the landscape. Click the save icon to display details in Figure 6. 4. In Figure 6 specify:

• The BAdI Implementation name (e.g., ZGRAC_REP_OBJ_SYNC_IMPL)
• The BAdI Implementation Class name (e.g., ZCL_BADI_GRAC_REP_SYNC)

In the BAdI Definition column in Figure 6, select GRAC_REP_OBJ_SYNC_RESTRICT from the drop-down list of options and then click the enter icon. This action opens the screen in Figure 7. 5. In Figure 7, make sure that the Implementation is active check box is selected (selecting this check box tells the system if the BAdI is active or inactive). If needed, you can deactivate the BAdI implementation anytime. It is automatically saved once activated. 6. Click the activate icon in Figure 7 or press Ctrl + F3. This action activates the whole enhancement spot implementation ZGRAC_REP_OBJ_SYNC_IMPL.

How to Use This BAdI

Companies can use the Boolean parameters provided by the BAdI and set the values as per their business need in the implementation class created above inside method IF_BAdI_GRAC_REP_SYNC~RESTRICT_REP_SYNC_DATA. Figure 8 shows sample code for the BAdI implementation. Users can write their own BAdI implementations based on their business requirements.