Add SAP logon Group after endpoint sap configuration
search cancel

Add SAP logon Group after endpoint sap configuration


Article ID: 209476


Updated On:


CA Identity Suite


The Customer needs to add SAP LOGON group in SAP endpoint configuration.

When trying to add it, it is not possible since the "SAP Logon Group" field is not enabled for the change.

What are the options to execute this change?


Release : 14.2, 14.3 

Component : CA IDENTITY Manager


The field SAP Logon Group is not editable through Identity Manager or Provisioning as it is marked as a non-modifiable attribute.     

You can affect a change to the SAP LOGON field by setting up a second endpoint with this information, then using a ldap tool to connect to the provisioning user store and copy manually copy the values from the new to the old endpoint.  

The following steps will allow you to update this value directly in the Directory.  Caution is advised, and it is strongly recommended you have a backup of the directory prior to attempting the following as you will be making changes directly at the LDAP directory level. 


1. Setup a new SAP Endpoint.  Use the same values where possible, the name will obviously need to be different, but otherwise only change or add the specific SAP Logon Group value you need to modify.  You simply need to acquire the endpoint and do not need to explore. 

2. Use 3rd party LDAP Browser such as JXplorer to review the 2 SAP Endpoints.


Base DN: dc=etadb
User DN: eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb
Password: Provisioning Directory Shared Secret

3. Drill down to the two SAP Endpoints, etadb > im > SAP > 

4. Review the information from the old and the new connector and migrate the SAP LOGON GROUP from the New endpoint to the Old endpoint, adding if necessary the additional Attribute and Values.  

5. restart your JCS servers.