The problem occurs under the following circumstances:
ConfigParm "TargetSystem\SAPR3\KeepRedundantProfiles" is ON.
There is a single role that is in a composite role.
If a person gets both by inheritance (via an org or purchase order), then both are also created in SAPUserInSAPRole (due to the "KeepRedundantProfiles").
However, if both memberships have identical ValidFrom's and ValidTo's, the membership in the single role is ignored by SAP, because it already comes through the composite role.
SAP only allows single role membership if the scope of validity is different.
As a result, membership in the single role is set to outstanding by SAP Sync.
If a type of "auto-publish" is used, this membership is written back to SAP and the next sync sets it to outstanding again, and so on.
The task "SAP-K-SAPUserInSAPRole" must prevent identical memberships, even if "KeepRedundantProfiles" is on.
This is a product defect (33244).
WORKAROUND:
None.
STATUS:
This will be fixed in a future release of the product. If you require this immediately corrected, please contact support for a hotfix referencing the defect ID 33244.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Conditions d’utilisation Confidentialité Cookie Preference Center