Learn about a Business Add-In (BAdI) that is a new feature introduced in SAP Access Control 10.0 (Support Package 24) and 10.1 (Support Package 15) for customizing the way the standard Repository object synchronization program works. Users on lower Support Packages can implement SAP Note 2307792 to have this feature.
Key Concept
The Repository object synchronization program is structured in such a way that it does not provide flexibility to users to execute a partial synchronization—for example, to synchronize for only users, only roles, or only profiles. A Business Add-In (BAdI) provides the flexibility to execute Repository object synchronization in a customized way as per business needs. It is mainly useful for systems with a huge amount of data, such as a portal, for which a synchronization can take days to complete because it is always a full Repository synchronization.
The Business Add-In (BAdI) for Repository object synchronization is a new feature introduced for SAP Access Control 10.0 Support Package 24 and 10.1 Support Package 15. It customizes the way standard Repository object synchronization is executed. You can use this BAdI for all types of connectors, but its main power lies with systems containing a huge amount of data, such as a portal. In a portal system, a minimum of two to three days is required to synchronize the complete data. Companies that are using portal systems are already aware of this pain if they have a huge amount of data. This BAdI can help synchronize partial data based on need, reducing the complete synchronization time.
Structure of Standard Repository Object Synchronization and Challenges
The Repository object synchronization program is responsible for user, role, and profile synchronization.
Figure 1 displays the standard screen of the Repository object synchronization program.
Figure 1
The Repository Object synchronization screen
Figure 1 shows the options for a synchronization job for Profile, Role, and User. The selection of the User option leads to the automatic selection of Profile and Role. The selection of Role leads to the automatic selection of Profile.
There is no way to remove this dependency so that you could select any of these check boxes individually without affecting others from the screen. However, you can execute the individual programs for these objects: GRAC_ROLEREP_USER_SYNC, GRAC_ROLEREP_ROLE_SYNC, and GRAC_ROLEREP_PROFILE_SYNC.
Structure of Standard User Synchronization
The user synchronization program corresponds to the User check box in
Figure 1 and consists of the following includes:
- User synchronization (synchronization of user details)
- User profile synchronization
- User pd-profile (structural authorizations) synchronization
- User role synchronization
- User org level data synchronization
- User permissions synchronization
Like the Repository object sync program, there is no way you can skip any of the above includes for user sync. Sometimes, a company might not have organization-level data, user permissions, or user-profile data that needs to be synchronized.
In the standard program, even though there is nothing that needs to be synchronized—say user-org-level data—the code is still executed. This is especially the case for a portal system in which a web service is executed to retrieve this data. It is time consuming to make such calls even though they are not needed.
To overcome these challenges, SAP developed a BAdI so that users have more flexibility in executing synchronization programs. It allows users to skip some of the pieces (such as user, role, and profile) in the standard Repository object synchronization program that they do not require. This BAdI further provides a customized way to execute a user-synchronization program so that you can skip any of the includes inside the user-synchronization program that you do not need.
What It Is
The BAdI for Repository object synchronization (GRAC_REP_OBJ_SYNC_RESTRICT) is a new feature introduced in SAP Access Control 10.0 and 10.1 that is responsible for customizing the way the standard Repository object synchronization program is executed.
With the enhancement spot you can add your code in standard ABAP code without the need for an access key, which implies that the standard code is not disturbed. Enhancement spot ENH_GRAC_REP_OBJ_SYNC has been provided for users to implement in their system and to customize the parameters provided with BAdI GRAC_REP_OBJ_SYNC_RESTRICT based on their requirements. These parameters are considered when the BAdI is implemented and the values have been set as needed. Otherwise, standard functionality works. The standard screen does not change and these parameters are effective only when the standard behavior is overridden by using the EV_OVERRIDE parameter provided in the BAdI.
This BAdI (GRAC_REP_OBJ_SYNC_RESTRICT) is delivered in Support Package 15 for 10.1 and Support Package 24 for 10.0. Users who have a Support Package equal to those mentioned above have this BAdI in their systems. Users with a Support Package lower than mentioned can get the BAdI by implementing SAP Note 2307792 in their systems.
Options Provided by the BAdI
Figure 2 shows the structure of the BAdI.
Figure 2
The structure of the BAdI
The following parameters of Boolean type (True/False) have been provided as part of method RESTRICT_REP_SYNC_DATA:
CHANGING:
CV_USER: Execute/Skip user sync
CV_ROLE: Execute/Skip Role sync
CV_PROFILE: Execute/Skip Profile sync
EXPORTING:
EV_USER_ROLE: Execute/skip sync for User-Role relationships
EV_USER_PROFILE: Execute/skip sync for User-Profile relationships
EV_USER_PDPROFILE: Execute/skip sync for User-Pdprofile relationships
EV_USER_ORG: Execute/skip sync for User-Org level data
EV_USER_PERMISSIONS: Execute/Skip sync for user permissions
EV_OVERRIDE: Used to specify if standard behavior is to be overridden
Additionally, an importing parameter IT_CONNECTOR of type GRFN_T_CCICONNECTOR_RANGE has been provided to store the connector name that is entered by the user on the Repository object synchronization screen. Although the type is connector range, it works for only one system at a time. Ensure that only one connector is passed to make the BAdI work correctly.
Note
Be cautious when choosing to run these synchronization programs (User,
Role, and Profile) independently of each other as these programs might
lead to inconsistencies in the system if they are not executed
correctly. For example, if you have a new role in the portal system and
you skip Role Synchronization and execute only User Synchronization when
the same role is assigned to a user, you end up with inconsistencies in
your system. The new role is not in GRC specific tables (GRACRLCONN),
but there is an entry in GRACUSERROLE. You can detect this inconsistency
by checking the existing assignments for that user in SAP NetWeaver
Business Client (NWBC). When you click that Role name in existing
assignments, it does not open. Use this BAdI carefully, keeping in mind
the required synchronization. If you end up in an inconsistent state,
then run a full synchronization by selecting all check boxes (Profile,
Role, and User) to bring back the system to its usual consistent state.
Steps to Implement Enhancement Spot ENH_GRAC_REP_OBJ_SYNC
Follow these steps to implement the enhancement spot.
1. Execute transaction code SE19. In the Create Implementation section of the screen the system displays (
Figure 3), select the New BAdI radio button. Enter ENH_GRAC_REP_OBJ_SYNC in the Enhancement Spot field. Click the Create Impl. button to open the screen in
Figure 4.
Figure 3
Complete activities in the initial screen for BAdI implementation
Figure 4
Create an enhancement implementation
2. In
Figure 4, enter a name in the Enhancement Implementation field (for example, ZGRAC_REP_OBJ_SYNC_IMPL). In the Short Text field enter a description, such as ‘Implementation of GRAC_REP_OBJ_SYNC_RESTRICT, and confirm by clicking the enter icon (the green checkmark).
3. In the Attributes section of the pop-up dialog screen (
Figure 5), specify the name of the development package in the Package field and in the Person Responsible field enter a name for the person responsible for the transport request if you need to transport this BAdI further in the landscape. Click the save icon to display details in
Figure 6.
Figure 5
The Create Object Directory Entry screen
Figure 6
Enhancement implementation details
4. In
Figure 6 specify:
- The BAdI Implementation name (e.g., ZGRAC_REP_OBJ_SYNC_IMPL)
- The BAdI Implementation Class name (e.g., ZCL_BADI_GRAC_REP_SYNC)
In the BAdI Definition column in
Figure 6, select GRAC_REP_OBJ_SYNC_RESTRICT from the drop-down list of options and then click the enter icon. This action opens the screen in
Figure 7.
Figure 7
Make the implementation active
5. In
Figure 7, make sure that the Implementation is active check box is selected (selecting this check box tells the system if the BAdI is active or inactive). If needed, you can deactivate the BAdI implementation anytime. It is automatically saved once activated.
6. Click the activate icon in
Figure 7 or press Ctrl + F3. This action activates the whole enhancement spot implementation ZGRAC_REP_OBJ_SYNC_IMPL.
How to Use This BAdI
Companies can use the Boolean parameters provided by the BAdI and set the values as per their business need in the implementation class created above inside method IF_BAdI_GRAC_REP_SYNC~RESTRICT_REP_SYNC_DATA.
Figure 8 shows sample code for the BAdI implementation. Users can write their own BAdI implementations based on their business requirements.
Figure 8
A sample BAdI implementation
Gitu Bijlani
Gitu Bijlani is a senior developer at SAP Labs India Pvt. Ltd. She has more than nine years of experience in SAP systems and has been working with the SAP Application Innovation Services (AIS) team since 2013. She is involved in various phases of development, maintenance, and enhancement of SAP Access Control 5.3, SAP Access Control 10.0, and SAP Access Control 10.1. She has close to five years of experience in SAP Access Control and Portal Integration Concept. Previously, she was part of the SAP BusinessObjects team, where for more than four years she was involved in Java development for the SAP BusinessObjects tool itself.
You may contact the author at
gi.bijlani@sap.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the
editor.