Configuring Novell® Nsure™ Identity Manager 2 (formerly DirXML®) for Enterprise Applications
Mark Worwetz, Senior Software Engineer, Novell, [email protected]
© March 9, 2004 Novell Inc.2
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
The one Net vision
Novell exteNd™
Novell Nsure™
Novell Nterprise™
Novell NgageSM
The one Net vision
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
What is an ERP application?
Enterprise Resource Planning
Software that is utilized by most, if not all, organizations in the enterprise
Integrates various software modules into a single system.
High TCO - Very expensive package to purchase, deploy, and administrate
Configuring Nsure Identity Manager 2 for Enterprise Applications
ERP Integration Issues
Driver Functionality
Driver Configuration
Driver Implementation Scenarios
Questions
ERP Integration Issues
What is the goal of the integration?
Why integrate ERP data?
What data should be shared?
How should the data be accessed?
What are the risks of integration?
What is the Goal of the Integration? Islands of isolated data
(Diagram: ERP, Operating System, Database, PBX and Directory shown as separate, unconnected islands of data.)
What is the Goal of the Integration? Sharing Data through the Enterprise
(Diagram: Identity Manager at the centre, connecting ERP, PBX, Directory, Operating System and Database.)
What is the Goal of the Integration? Authoritative Sources
ERP system — employee and organization data
GroupWise® — e-mail address
Telecom — telephone number
Existing corporate directories — access, legacy resources
Facility database — office/mail-stop
Account Management – System Access rights
Etc.
Why Integrate ERP data?
Contains the most complete set of Identity data
Contains the most authoritative Identity data
Most protected source of data
What does Novell do for ERP?
Help leverage the investment in ERP by:
• Integrating identity data with non-ERP applications
• Providing data conversion opportunities
• Allowing access to ERP data outside of the ERP system
• Providing multiple integration options, from application-specific to generic interfaces
What Data Should Be Shared?
Only share data that is useful:
• Data that is duplicated in other applications
• Data that is required to process business workflow
• Data that must be accessed by non-ERP employees
• Data that is shared beyond the corporate boundary
Do not share sensitive information!
• Make sure ERP administrators are involved in the decision.
How Should the Data be Accessed?
It is important that the customer is aware of, and comfortable with, the integration access method:
• Direct System or Business Object APIs
• Open Standard Protocols (LDAP, JDBC)
• Flat file transfers (XML, CSV)
Make sure ERP administrators are involved in the decision!
Make sure appropriate rights are granted to provide the integration
What are the Risks of Integration?
API access introduces ERP system security concerns
• DirXML Driver acts as an ERP client – what rights should the driver have?
• Are the authentication credentials protected?
Access to underlying data tables introduces data integrity and ERP system support issues.
Flat-file access introduces file-system security and resource issues.
Remote drivers introduce data transmission security issues.
Data integration introduces auditing concerns.
What are the Risks of Integration?
Improper planning and insufficient buy-in to the integration solution by all involved personnel is the NUMBER 1 problem in the field!
Always INVOLVE the ERP system administrators in the solution planning!
ERP Integration 'Bottom Line'
The ERP administrators are the only people who really understand the ERP system data and processes – you need their help!
The ERP administrators can make or break the project. Management is very dependent on their opinions – treat them with respect!
The ERP administrators are among the 'best and brightest' people at the customer site – discuss the function of the DirXML driver with them so they are comfortable with it.
Driver Functionality
DirXML Drivers for SAP HR and PeopleSoft
What is a driver?
What data is shared?
What are the default Policies?
What is the driver design philosophy?
Where does the driver run?
How do the drivers access data?
What is a driver?
A driver is composed of two distinct elements:
Driver Policies
• The policies are default configuration information that describe the application connection information, schema mapping, and various data transformation policies
• All policies are objects in the Identity Vault
• Policies are managed using iManager
Driver Shim
• The shim is responsible for interfacing with the connected application and implementing policies
• The shim is an independent code module
What data is shared?
Both drivers work in a “Publisher primary” mode.
• Drivers can Publish all events (Add, Modify, Delete)
• Drivers can Subscribe Modify events only.
Drivers are configured for an HR scenario.
• SAP HR driver can only work with HR Master Data records and methods
• PeopleSoft driver utilizes an HR derived staging table interface by default.
Primary data object is an Employee in the HR system, a User in the Identity Vault
• Personal Data
• Organizational Assignment and Hierarchy Data
• Communication Data
What data is shared? Publisher Channel
Identity Vault attributes published: homePhone, mobile, pager, workforceID, employeeStatus, Full Name, Given Name, Initials, mailstop, Surname, Telephone Number, Postal Code, S, SA, Physical Delivery Office Name, isManager, managerWorkforceID, OU, Title, manager, directReports, CN, Group Membership, Password Data
What data is shared? Subscriber Channel
CN *, Description *, Distinguished Name *, Telephone Number, homePhone, mobile, pager, Internet EMail Address, workforceID (notify only)
* PeopleSoft only
Default Publisher Policies
Object Matching
• Match object with same class and 'workforceID'.
Object Naming
• First Initial + Surname, no Suffix, all capitalized (i.e., John Adams = JADAMS)
• Duplicates sequentially numbered (JADAMS2)
Object Placement
• Active Employees in specified 'Active' container.
• Inactive Employees in specified 'Inactive' container.
• 'employeeStatus' set to 'A' or 'I' respectively.
Default Publisher Policies
Password
• Set to value of 'Surname' attribute
Hierarchy
• All managers identified by 'isManager' set to '1'.
• Managers have DN of subordinates in 'directReports' attribute.
• Employees have DN of manager in 'manager' attribute.
• Employees have workforceID of manager in 'managerWorkforceID' attribute.
Organizational Data
• OU (Department) attribute must contain text name
• Title attribute must contain text name
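The matching, naming and placement rules above, as an added Python illustration (not the driver's own DirXML policy code): the Identity Vault is a constructed in-memory dict, the container names are made up, and moving an existing User when its status changes is an assumption about how the placement rule applies to objects that already exist. The default password rule is not reproduced.

```python
"""Default Publisher policies (match, name, place) over a constructed vault."""

ACTIVE_OU = "ou=Active,o=Corp"      # constructed container names
INACTIVE_OU = "ou=Inactive,o=Corp"


class Vault:
    """Minimal stand-in for the Identity Vault: DN -> attribute dict."""

    def __init__(self):
        self.objects = {}

    def find_by_workforce_id(self, workforce_id):
        """Object Matching: same class ('User') and the same 'workforceID'."""
        for dn, attrs in self.objects.items():
            if attrs["objectClass"] == "User" and attrs.get("workforceID") == workforce_id:
                return dn
        return None

    def cn_in_use(self, cn):
        return any(a.get("CN") == cn for a in self.objects.values())


def build_cn(vault, given_name, surname):
    """Object Naming: first initial + surname, all capitalized (John Adams ->
    JADAMS); duplicates are numbered sequentially (JADAMS2, JADAMS3, ...)."""
    base = (given_name[:1] + surname).upper()
    if not vault.cn_in_use(base):
        return base
    n = 2
    while vault.cn_in_use(f"{base}{n}"):
        n += 1
    return f"{base}{n}"


def placement_container(employee_status):
    """Object Placement: employeeStatus 'A' -> Active container, 'I' -> Inactive."""
    containers = {"A": ACTIVE_OU, "I": INACTIVE_OU}
    if employee_status not in containers:
        raise ValueError(f"unexpected employeeStatus {employee_status!r}")
    return containers[employee_status]


def publish_event(vault, event):
    """Apply matching, naming and placement to one published Add/Modify event.
    event carries workforceID, Given Name, Surname and employeeStatus.
    Returns (operation, dn) where operation is 'add', 'modify' or 'move'."""
    container = placement_container(event["employeeStatus"])
    dn = vault.find_by_workforce_id(event["workforceID"])
    if dn is None:
        # No match on workforceID: the naming policy decides the new CN.
        cn = build_cn(vault, event["Given Name"], event["Surname"])
        dn = f"cn={cn},{container}"
        vault.objects[dn] = {"objectClass": "User", "CN": cn, **event}
        return ("add", dn)
    attrs = vault.objects[dn]
    attrs.update(event)
    if dn.split(",", 1)[1] != container:
        # Status flipped between 'A' and 'I' (assumed): relocate the object.
        new_dn = f"cn={attrs['CN']},{container}"
        vault.objects[new_dn] = vault.objects.pop(dn)
        return ("move", new_dn)
    return ("modify", dn)
```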
Maintaining Manager-Employee Object Relationships
Jack: directReports = Maria
Maria: manager = Jack; directReports = John
John: manager = Maria
Default Subscriber Policies
Object Matching• Match object with same class and 'workforceID'.
DirXML Driver for PeopleSoft
Driver Design Philosophy
Overview
Publisher Channel
Subscriber Channel
Remote Loader Configuration
Driver Configuration
Driver Design Philosophy
DirXML Driver for PeopleSoft
Must work with last 3 supported PeopleTools versions.
Must be certified by PeopleSoft.
Must require no modification of existing business applications.
Must utilize standard PeopleSoft integration technology.
Must guarantee that all PeopleSoft events are processed.
Must process all events in chronological order.
Must satisfy the customer!
Driver Design Accomplishments
DirXML Driver for PeopleSoft
Must work with last 3 supported PeopleTools versions.
• Drivers work with PeopleTools versions 7.5, 8.1, and 8.4.
Must be certified by PeopleSoft.
• Certification received in September 2003.
Must require no modification of existing business applications.
• No extensions or server upgrades required.
Driver Design Accomplishments
DirXML Driver for PeopleSoft
Must utilize standard PeopleSoft integration technology.
• Message Agent for PeopleTools 7.5 and 8.1
• Component Interface for PeopleTools 8.1 and 8.4
Must guarantee that all PeopleSoft events are processed.
• Transaction file processing allows driver to determine which events to process and report the status of processing.
Driver Design Accomplishments
DirXML Driver for PeopleSoft
Must process all events in chronological order.
• Transaction processing in PSA components provides proper effective date of transactions. Driver processes events on effective date.
Driver Design Accomplishments
DirXML Driver for PeopleSoft
Must satisfy the customer!
• All customers have unique requirements.
• The driver can handle most issues via configuration and policies.
• The driver functionality is periodically updated with new version and TID releases based 100% on real customer feedback.
Overview
DirXML Driver for PeopleSoft
The DirXML Driver for PeopleSoft utilizes technology delivered by PeopleSoft.
• Driver is a PeopleTools driver, not an application driver. Can be used to integrate any desired data.
• Message Agent technology used for 3.6x driver.
• Component Interface (CI) technology used for 4.x driver.
• Both drivers are delivered with a PeopleSoft Service Agent (PSA). This contains pre-defined PeopleSoft components and a sample application for simple, non-integrated deployment on the PeopleSoft server.
• PSA contains a Transaction interface to facilitate the reporting of application events to the driver.
Overview (continued)
Drivers must have connectivity to the PeopleSoft server in order to function. The driver acts as an administrative client.
Synchronous interface used for both Publisher and Subscriber channel.
Drivers are 'application-neutral', but do not support 'Add' or 'Delete' operations on the Subscriber channel.
Driver supports Application server connectivity failover.
Transaction model allows multiple drivers to process events.
Publishing PeopleSoft Data to Other Applications (Publisher Channel)
(Diagram: the PeopleSoft Host runs the PeopleSoft modules (FIN, EPM, CRM, HR, SCM, SA, etc.), Transactions and PeopleTools; the PeopleSoft Client host runs the PeopleSoft Message Agent or CI, the DirXML Driver for PeopleSoft and the DirXML Remote Loader Service; the Identity Manager host runs the DirXML Engine, the DirXML Remote Loader Shim and the Identity Vault; Application Hosts run the DirXML Remote Loader Service with the DirXML Driver for Exchange / Application N. The Driver object contains business policies and connection parameters.)
1. Data changes from PeopleSoft application modules are logged; the driver, configured to poll on specified intervals for data changes, requests transactions.
2. The driver receives data and transforms the relevant information into an XML document.
3. The XML document is sent to the DirXML Engine over an SSL connection.
4. The DirXML Engine adds or updates the data in the Identity Vault.
5. The DirXML Engine processes the data according to business policies.
6. The driver for Exchange / Application N updates and retrieves data in the application.
Publisher Channel Functionality
To simplify implementation, a synchronous PeopleSoft Interface is utilized.
Access to event information from PeopleSoft is via a Transaction CI (DIRXML_TRANS).
PeopleSoft code (PeopleCode) in the PSA is used to organize transactions into processing date order. Future-dated events are not processed until date is current or past.
Driver polls the Transaction CI for records indicating “Available” transactions involving Add, Modify, or Disable/Delete of data records. Transaction record contains key of data record affected by transaction.
Publisher Channel Functionality (continued)
The transaction state is set to “In Process”; the key of the data record and the transaction ID are stored.
Access to PeopleSoft data records is via a Data Component Interface (CI) (DIRXML_SCHEMA).
Since the CI is not class specific, the Data CI name is used as the class name for schema mapping.
Driver supports multiple Data CIs to facilitate handling transactions for multiple object types.
Publisher Channel Functionality (continued)
Driver reads current data values of data record and Publishes event.
Event is processed by engine, status is returned to driver.
Transaction CI is utilized to update status in transaction record.
Subscribing Application Data to PeopleSoft (Subscriber Channel)
(Diagram: the Identity Manager Host runs the DirXML Engine, the Identity Vault and the DirXML Remote Loader Shim; the PeopleSoft Client host runs the DirXML Remote Loader Service, the DirXML Driver for PeopleSoft and the PeopleSoft Message Agent Interface; the PeopleSoft Host runs PeopleTools, Transactions and the PeopleSoft modules (FIN, EPM, CRM, HR, SCM, SA, etc.). The Driver object contains business policies and connection parameters.)
1. Data from other applications arrives at the DirXML Engine as an XML document.
2. Data the PeopleSoft driver subscribes to, coming from other applications through Identity Manager, is sent to the driver as an XML document over an SSL connection.
3. The driver posts the incoming data to the Staging Table.
4. PeopleSoft is configured to consume data from the Staging Table.
DirXML Driver for PeopleSoft Subscriber Channel-Overview
Driver uses Data CI to access records for Query or Modify events. All other events return “warning” status to indicate they are not supported.
A record “Find” operation precedes data object “Get” access to avoid database errors.
For Modify events the driver updates a data staging table. PeopleCode transfers modifications to appropriate application tables.
DirXML Driver for PeopleSoft Driver Deployment Notes
By using a “Find” operation to avoid database errors, the driver becomes reliant on primary keys that are unique over their length. If possible, do not use keys that are subsets of other keys (i.e., “AB”, “ABCDE”). The “Find” operation will return a non-unique key warning while searching for “AB”.
Do not remove or modify any fields of the Transaction CI. The driver depends on them. It is OK to add fields.
For Modify events the driver updates a data staging table. PeopleCode transfers modifications to appropriate application tables.
Driver Configuration
DirXML Driver for PeopleSoft
Driver Configuration Parameters
Connection Parameters
Authentication ID
• The name of the PeopleSoft administrative user that will be used for all read and write operations to the PeopleSoft Application server.
Authentication Context
• The DNS name or IP address and JOLT port of the target PeopleSoft Application server host system. Must be preceded with '//' and contain a ':' delimiter. Multiple entries, allowed for connectivity failover, must be separated with ';' (i.e., //psofthost:9000;//backuphost:9000)
Application Password
• Password of the administrative user.
Driver Configuration Parameters
Driver Implementation Parameters
PeopleSoft Client Library Path
• Path to the PeopleSoft client library file 'psapiadapter.dll'.
Schema CI Name
• The name of the PeopleSoft Component Interface used to read and write PeopleSoft data records (default: DIRXML_SCHEMA01).
Data Record ID Field
• The name of the PeopleSoft application data record primary key field (default: DIRXML_ASSOC_ID)
Driver Configuration Parameters
Publisher Implementation Parameters
Transaction CI Name
• The name of the Component Interface that is used to read and update PeopleSoft transaction records. (default: DIRXML_TRANS01)
Driver Subset Identifier
• This field is a string used to match the driver to the transaction records it will process.
Queue Poll Interval (seconds)
• The time in seconds that the driver waits between requests for available transactions from the Transaction CI.
Schema Data Processing Mode (0/1)
• Data record retrieval methodology utilized by driver
• 0 - “Find” used to warn of duplicate keys. Followed by “Get”
• 1 - “Find” used to generate error for duplicate keys. Followed by “Get” if only 1 instance found.
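How the Transaction CI poll, the Find-then-Get read and the two Schema Data Processing Modes fit together, as an added Python illustration that is not the driver's code: the Data CI is an in-memory stand-in in which Find matches key prefixes (an assumption that reproduces the 'AB' vs 'ABCDE' deployment note), status values other than 'Available' and 'In Process' are assumed, and dates are ISO strings.

```python
"""Publisher transaction processing with Find-then-Get, modes 0 and 1."""


class DuplicateKeyError(Exception):
    """Raised in mode 1 when Find returns more than one instance."""


class DataCI:
    """Constructed stand-in for the Data Component Interface (DIRXML_SCHEMA)."""

    def __init__(self, records):
        self.records = records  # primary key -> record dict

    def find(self, key):
        # Assumed prefix match: searching 'AB' also finds 'ABCDE'.
        return sorted(k for k in self.records if k.startswith(key))

    def get(self, key):
        return self.records.get(key)


def find_then_get(ci, key, mode, warnings):
    """Schema Data Processing Mode 0: warn on duplicate keys, then Get.
    Mode 1: error on duplicate keys, Get only if exactly one instance found.
    Returns the record (None if the exact key does not exist)."""
    found = ci.find(key)
    if not found:
        return None
    if len(found) > 1:
        if mode == 0:
            warnings.append(f"non-unique key warning for {key!r}: {found}")
        elif mode == 1:
            raise DuplicateKeyError(f"{key!r} matched {len(found)} records: {found}")
        else:
            raise ValueError("Schema Data Processing Mode must be 0 or 1")
    return ci.get(key)


def process_available_transactions(transactions, ci, mode, today, publish):
    """One poll cycle. transactions: list of dicts with id, status, key and
    effective_date (ISO string); they are updated in place. publish(tx, record)
    hands the record's current values to the engine. Returns processed ids."""
    published = []
    for tx in sorted(transactions, key=lambda t: (t["effective_date"], t["id"])):
        if tx["status"] != "Available" or tx["effective_date"] > today:
            continue  # already handled, or future-dated: wait for the date
        tx["status"] = "In Process"  # key and transaction id stay in tx
        warnings = []
        try:
            record = find_then_get(ci, tx["key"], mode, warnings)
        except DuplicateKeyError as exc:
            tx["status"] = f"Error: {exc}"  # assumed status wording
            continue
        if record is None:
            tx["status"] = "Error: record not found"
            continue
        publish(tx, record)
        tx["status"] = "Warning" if warnings else "Success"
        published.append(tx["id"])
    return published
```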
Implementing Default Policy
Exporting Master Data from PeopleSoft
The driver implementation guarantees that all current attributes of an object are obtained during processing of any transaction on that object.
The PeopleSoft component and PeopleCode that implements it are responsible for reporting all data of interest for the object being processed AND for related objects. The sample application includes:
• User's Department name and ID
• User's Manager's ID
• Flag indicating if User is a manager
• User's Employee status
• User's Title
Implementing Default Policy
The driver Policies perform the task of maintaining referential relationships between 'Manager' and 'Employee' objects.
• Only Identity Vault queries are required
• Relationships maintained using 'manager' and 'directReports' attributes on related User objects.
DirXML Driver for PeopleSoft
Default HR Mapping Rule
DIRXML_SCHEMA01 Attr Name -> Identity Vault Attr Name
CommonName -> CN
Description -> Description
FullName -> Full Name
FirstName -> Given Name
MiddleName -> Initials
Email -> Internet EMail Address
DeptLongDescr -> OU
City -> Physical Delivery Office Name
Postal -> Postal Code
State -> S
Address1 -> SA
LastName -> Surname
TitleLongDescr -> Title
Status -> employeeStatus
Manager -> isManager
MailDrop -> mailstop
ManagerID -> managerWorkforceID
AssocID -> workforceID
DirXML Driver for PeopleSoft
Remote Loader Usage
Why use the Remote Loader?
• PeopleTools client must run on Win32
• Identity Vault and PeopleSoft may not be on Win32 platform
PeopleSoft with Remote Loader requirements
• Host platform supporting JDK/JRE 1.4 or higher
• PeopleTools client installed on host platform
Remote Loader features
• SSL connection security
• Bi-directional password handshake
DirXML Driver for SAP HR
Driver Design Philosophy
Overview
Publisher Channel
Subscriber Channel
Remote Loader Configuration
Driver Configuration
Driver Design Philosophy
DirXML Driver for SAP HR
Must work with R/3 version 4.5b and later.
Must be certified by SAP Labs.
Must require no new SAP server extensions or upgrade.
Must utilize standard SAP integration technology.
Must run on standard SAP host platforms.
Must guarantee that all SAP events are processed.
Must process all events in chronological order.
Must process future-dated events.
Must satisfy the customer!
Driver Design Accomplishments
DirXML Driver for SAP HR
Must work with R/3 version 4.5b and later.
• Driver works with SAP R/3 versions 4.5b, 4.6A, 4.6C, and Web AS 6.1 and 6.2.
Must be certified by SAP Labs.
• Certification received in September 2001.
Must require no new SAP server extensions or upgrade.
• No extensions or server upgrades required.
Driver Design Accomplishments
DirXML Driver for SAP HR
Must utilize standard SAP integration technology.
• Java Connector (JCO)
• Application Link Enabling (ALE)
• Intermediate Documents (IDoc - File format)
• Business Object API (BAPI)
Must run on standard SAP host platforms.
• Pure Java implementation runs anywhere a JVM and, if desired, JCO can reside.
• Linux, Win32, AIX, Solaris, HP-UX, etc.
Driver Design Accomplishments
DirXML Driver for SAP HR
Must guarantee that all SAP events are processed.
• Using IDoc file format guarantees persistent event delivery regardless of driver status.
Must process all events in chronological order.
• IDoc sorting by driver ensures proper event order processing.
Must process future-dated events.
• Driver has 4 modes for handling future-dated events based on various customer requirements.
Driver Design Accomplishments
DirXML Driver for SAP HR
Must satisfy the customer!
• All customers have unique requirements.
• The driver can handle most issues via configuration and policies.
• The driver functionality is periodically updated with new version and TID releases based 100% on real customer feedback.
Overview
DirXML Driver for SAP HR
The DirXML Driver for SAP HR utilizes technology delivered by SAP. SAP server is configured, not customized.
• Application Link Enabling (ALE) configured to support the Publisher channel.
• Intermediate Document (IDoc) files are created by SAP server and retrieved by the Driver for processing.
• SAP Java Connector (JCO) is used for synchronous connectivity to SAP server.
• Business Object API (BAPI) is used to Query for data in SAP server.
Overview (continued)
BAPI Technology is used to subscribe data into SAP
The Driver must connect to the SAP database on the Subscriber channel. It can utilize a connection on the Publisher channel. It generally connects as a “Communication” or “CPIC” user.
Additional security between SAP and eDirectory servers is available via the DirXML Remote Loader.
Publishing SAP Data to Other Applications (Publisher Channel)
(Diagram: the SAP Host runs SAP R/3 HR with Application Link Enabling (ALE), which writes HRMD-A IDocs to C:\IDOCS\0_400_n, and hosts the DirXML Driver for SAP/HR with the DirXML Remote Loader Service; the Identity Manager Host runs the DirXML Engine, the DirXML Remote Loader Shim and the Identity Vault; Application Hosts run the DirXML Remote Loader Service with the DirXML Driver for Exchange / Application N. The Driver object contains business rules and connection parameters.)
1. Data changes from SAP HR application modules are logged; the IDoc is posted to the host file system with client number references.
2. The driver, configured to poll the IDocs directory on intervals for documents pertaining to the specific client number, filters the relevant data into XML format.
3. The XML document is sent to the DirXML Engine over an SSL connection.
4. The DirXML Engine adds or updates the data in the Identity Vault.
5. The DirXML Engine processes the data according to business rules.
6. The driver updates data in the application (Exchange / Application N).
What Is Application Link Enabling (ALE)?
Application Link Enabling (ALE) technology enables communication between SAP and external systems such as eDirectory.
ALE ensures integration in a distributed environment.
The IDoc acts as the data container.
What is an IDoc?
“IDoc” stands for Intermediate Document
An IDoc is a data container used to exchange data between any two processes that can understand the data.
IDocs are stored in the file system of the SAP system host.
Every IDoc has a unique, incremental number ― the number is unique within a client
What is an IDoc? (cont)
IDocs are created as a result of execution of an ALE process.
IDocs are independent of the direction of data exchange.
• However, the Driver uses only the outbound process.
IDocs can be viewed with a text editor.
IDoc Processing
Only Outbound IDocs for configured client number are consumed
Optional handling of “future-dated” IDoc Infotypes via configuration parameters
Information for multiple objects is handled as separate DirXML events.
Status of each event reflected by IDoc output file name extensions:
.warn
.bad
.proc
.futr
.futp
.done
.fail
Subscribing Application Data to SAP HR (Subscriber Channel)
(Diagram: the Identity Manager Host runs the DirXML Engine, the Identity Vault and the DirXML Remote Loader Shim; the SAP Host runs the DirXML Remote Loader Service, the DirXML Driver for SAP/HR and SAP R/3 HR, reached through BAPI/JCO. The Driver object contains business policies and connection parameters.)
1. Data from other applications arrives as an XML document.
2. The DirXML Engine adds or updates the data in the Identity Vault.
3. Data the SAP driver subscribes to, coming from other applications through eDirectory, is sent to the driver as an XML document over an SSL connection.
4. The Driver Shim translates the XML document into BAPI, the SAP native API, and adds or updates the data in SAP/HR.
DirXML Driver for SAP HR Subscriber Channel-Overview
Driver Resembles an SAP Client
Standard SAP Programming Interface
Utilizes SAP BAPIs for HR application (Limited Infotype support)
• Personal Information Infotype (0002)
• Private Address Information Infotype (0006)
• Communication Infotype (0105)
DirXML Driver for SAP HR Subscriber Channel-Overview
The only configuration required within SAP for the subscription channel is setting up a ‘Communication’ (CPIC) user
The driver will log on to SAP as a communication user.
The driver can NOT create or delete employee records!
DirXML Driver for SAP HR Driver Deployment Notes
Why does the driver use IDoc “File” port instead of “TRFC” port?
Why does the Publisher channel generate only <modify> events?
Do I need to have connectivity with the SAP system to use the driver?
If I use 'Publisher only' mode, why does the driver try to read data from my SAP system?
Can I prevent read operations in 'Publisher only' mode?
Why can't the driver read IDocs from a mapped drive?
Driver Configuration
DirXML Driver for SAP HR
Driver Configuration Parameters
Connection Parameters
Authentication ID
• The name of the SAP non-dialog (CPIC) user that will be used for all read and write operations to the SAP HR host system.
Authentication Context
• The DNS name or IP address of the target SAP HR host system
Application Password
• Password of the CPIC user.
SAP System Number
• The two-digit system number of the SAP server
SAP User Client Number
• The three-digit number of the SAP client containing the data to be synchronized.
SAP User Language
• The two-character language abbreviation that the client uses.
Driver Configuration Parameters
Implementation Parameters
Character Set Encoding
• The name of the encoding the driver will use for translating IDoc text data to Java unicode strings.
Metadata File Directory
• The name of the file system directory from which the driver will read the specified SAP Master HR IDoc definition file.
Master HR IDoc (Optional)
• The name of the IDoc message type that will be generated by the SAP ALE system when publishing SAP HR database modifications or Master records.
Address Subtype Code (Optional)
• This is an enumerated configuration parameter that allows an administrator to specify which subtypes of the Private Address infotype the driver will synchronize.
Communication Subtype Code (Optional)
• This is an enumerated configuration parameter that allows an administrator to specify which subtypes of the Communication infotype the driver will synchronize.
Poll Interval (seconds)
• This parameter specifies how often the driver will poll for unprocessed IDocs.
Publisher IDoc Directory
• This specifies the file system directory from which the publisher will read IDocs published by the SAP ALE system.
Publisher Channel Only?
• This specifies whether the driver will only perform Publisher channel operations. No SAP connection is required in this mode, but one will be used if available.
Future-date Event Handling Option
• This parameter determines how future-dated infotype information is to be handled. Four modes are supported:
0 - All events sent immediately
1 - Future events held until future date
2 - Future events sent immediately and on future date.
3 - Future events sent immediately and daily until future date is reached.
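An added Python illustration (not the driver's code) of the poll these parameters configure: selecting unprocessed IDoc files for one client number, ordering them by IDoc number so events stay chronological, and applying the four Future-date Event Handling modes; the file name form is inferred from the 'C:\IDOCS\0_400_n' diagram and is an assumption, and dates are ISO strings.

```python
r"""Publisher IDoc poll: client filter, status extensions, future-date modes.

File name form '<dir>_<client>_<idoc number>' (assumed from C:\IDOCS\0_400_n)."""

STATUS_EXTENSIONS = (".warn", ".bad", ".proc", ".futr", ".futp", ".done", ".fail")


def select_unprocessed_idocs(filenames, client):
    """Return the IDoc file names for `client` that carry no status extension
    yet, in ascending IDoc-number order."""
    pending = []
    for name in filenames:
        if name.endswith(STATUS_EXTENSIONS):
            continue  # the driver already recorded a status for this file
        parts = name.split("_")
        if len(parts) != 3 or parts[1] != client or not parts[2].isdigit():
            continue  # another client's IDoc, or not an IDoc file at all
        pending.append((int(parts[2]), name))
    return [name for _, name in sorted(pending)]


def future_date_actions(mode, effective_date, today):
    """Actions for one infotype record under the four handling modes.
    Returns a set of: 'send_now', 'hold_until_date', 'send_on_date', 'resend_daily'."""
    if effective_date <= today:
        return {"send_now"}          # current or past: never deferred
    if mode == 0:
        return {"send_now"}          # all events sent immediately
    if mode == 1:
        return {"hold_until_date"}   # held until the future date
    if mode == 2:
        return {"send_now", "send_on_date"}   # now, and again on the date
    if mode == 3:
        return {"send_now", "resend_daily"}   # now, and daily until the date
    raise ValueError(f"unknown Future-date Event Handling Option {mode!r}")


def poll_once(filenames, client, mode, today, read_effective_date):
    """One poll cycle: [(file name, actions)] in processing order.
    read_effective_date(name) stands in for reading the IDoc's infotype dates."""
    return [(name, future_date_actions(mode, read_effective_date(name), today))
            for name in select_unprocessed_idocs(filenames, client)]
```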
What data is shared? Publisher Channel
Identity Vault attributes published: homePhone, mobile, pager, workforceID, employeeStatus, Full Name, Given Name, Initials, mailstop, Surname, Telephone Number, Postal Code, S, SA, Physical Delivery Office Name, isManager, managerWorkforceID, OU, Title, manager, directReports, CN, Group Membership, Password Data
Implementing Default Policy
Exporting Master Data from SAP
It is not possible to remotely Query for information of non-Person objects in SAP.
To enhance the capabilities of the driver it is recommended that Position, Organization, and other desired HR object data be exported to eDirectory.
This is done primarily to obtain the names of Organizational objects and to maintain Object Relationships between objects.
Some organizations may also choose to utilize the structure of the data export for creating their eDirectory tree structure.
Exporting Master Data from SAP
To export data from SAP, the instructions for generating an IDoc should be followed.
Object Types:
P Person -> Maps to 'User'
S Position -> Maps to 'Organizational Role'
C Job -> Maps to 'CommExec'
O Organization -> Maps to 'Organizational Unit'
Exporting Master Data from SAP
Maintaining Object Relationships
Driver supports a 'RELATIONSHIPS' Query to allow Policies to request details of various inter-object relationships during IDoc processing.
• Used to determine the hierarchy of SAP 'Position' objects and reflect the relationships on the Identity Vault objects.
– Utilizes 'manager' and 'directReports' schema extensions on 'Organizational Role' objects.
• Can be used to determine the hierarchy of SAP 'Organization' objects to mirror organizational structure in eDirectory.
Exporting Master Data from SAP
Maintaining Object Relationships
Position ('S') object '50000010' (Manager) processed.
• Has a top-down relationship with Position '50000020' (Clerk)
• Identity Vault object 'Manager-S50000010' created.
Position ('S') object '50000020' (Clerk) processed.
• Has a bottom-up relationship with Position '50000010' (Manager)
• Identity Vault object 'Clerk-S50000020' created.
• 'manager' attribute of 'Clerk-S50000020' set to 'Manager-S50000010'
• 'directReports' attribute of 'Manager-S50000010' set to include 'Clerk-S50000020'.
Exporting Master Data from SAP
Maintaining Object Relationships
Person ('P') object '50000001' (JADAMS) processed.
• Has a 'holds' relationship with Position '50000010' (Manager)
• Identity Vault object 'JADAMS' created.
• 'Title' attribute of 'JADAMS' set to 'Manager-S50000010'
• 'isManager' attribute of 'JADAMS' set to '1'
• 'Role Occupant' attribute of Identity Vault object 'Manager-S50000010' set to 'JADAMS'
Exporting Master Data from SAP
Maintaining Object Relationships
Person ('P') object '50000002' (SSMITH) processed.
• Has a 'holds' relationship with Position '50000020' (Clerk)
• Identity Vault object 'SSMITH' created.
• 'Title' attribute of 'SSMITH' set to 'Clerk-S50000020'
• 'manager' attribute of 'SSMITH' set to 'JADAMS'
• 'Role Occupant' attribute of Identity Vault object 'Clerk-S50000020' set to 'JADAMS'
• 'directReports' attribute of 'JADAMS' set to include 'SSMITH'.
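The relationship maintenance walked through above, together with the PeopleSoft 'manager'/'directReports' policy described earlier, as an added Python illustration (not the driver's own policies): the RELATIONSHIPS query answers are constructed, the Identity Vault is an in-memory dict, and the Clerk position's 'Role Occupant' is set to its holder, SSMITH. The person-level links are derived from position occupants, so persons and positions may be processed in either order.

```python
"""Position/Person relationship maintenance over a constructed vault."""

# Constructed answers a RELATIONSHIPS query would return for the deck's objects.
POSITIONS = {
    "50000010": {"name": "Manager", "reports_to": None, "subordinates": ["50000020"]},
    "50000020": {"name": "Clerk", "reports_to": "50000010", "subordinates": []},
}
PERSONS = {
    "50000001": {"cn": "JADAMS", "holds": "50000010"},
    "50000002": {"cn": "SSMITH", "holds": "50000020"},
}


class Vault:
    """In-memory stand-in for the Identity Vault, keyed by object name."""

    def __init__(self):
        self.objects = {}

    def ensure(self, name, obj_class):
        return self.objects.setdefault(name, {"objectClass": obj_class})

    def add_value(self, name, attr, value):
        """Multi-valued attribute update that never adds a duplicate value."""
        values = self.objects[name].setdefault(attr, [])
        if value not in values:
            values.append(value)


def role_name(pos_id):
    """Identity Vault name for a position: '<short name>-S<SAP object id>'."""
    return f"{POSITIONS[pos_id]['name']}-S{pos_id}"


def process_position(vault, pos_id):
    """Position ('S') processed: create the 'Organizational Role' object and
    mirror the bottom-up (reports_to) and top-down (subordinates) relationships
    on the 'manager' / 'directReports' schema extensions. Idempotent."""
    info = POSITIONS[pos_id]
    name = role_name(pos_id)
    vault.ensure(name, "Organizational Role")
    if info["reports_to"]:
        mgr = role_name(info["reports_to"])
        vault.ensure(mgr, "Organizational Role")
        vault.objects[name]["manager"] = mgr
        vault.add_value(mgr, "directReports", name)
    for sub_id in info["subordinates"]:
        sub = role_name(sub_id)
        vault.ensure(sub, "Organizational Role")
        vault.objects[sub]["manager"] = name
        vault.add_value(name, "directReports", sub)
    return name


def process_person(vault, pers_id):
    """Person ('P') processed: create the User, record the role it holds, and
    derive person-to-person 'manager' / 'directReports' links from the
    occupants of the related positions."""
    info = PERSONS[pers_id]
    cn = info["cn"]
    role = process_position(vault, info["holds"])  # held position must exist
    user = vault.ensure(cn, "User")
    user["Title"] = role
    vault.objects[role]["Role Occupant"] = cn
    # Upward link: the occupant of the manager position is this user's manager.
    mgr_role = vault.objects[role].get("manager")
    mgr_cn = vault.objects[mgr_role].get("Role Occupant") if mgr_role else None
    if mgr_cn:
        user["manager"] = mgr_cn
        vault.add_value(mgr_cn, "directReports", cn)
    # Downward links: occupants of subordinate positions report to this user,
    # and holding a position with subordinates marks the user as a manager.
    subs = vault.objects[role].get("directReports", [])
    user["isManager"] = "1" if subs else "0"
    for sub_role in subs:
        sub_cn = vault.objects[sub_role].get("Role Occupant")
        if sub_cn:
            vault.objects[sub_cn]["manager"] = cn
            vault.add_value(cn, "directReports", sub_cn)
    return cn
```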
DirXML Driver for SAP HR
Mapping Rule (sample)
SAP HR Attribute Name -> Identity Vault Attribute Name
P0002:VORNA:none:134:25 -> Given Name
P0002:NACHN:none:84:25 -> Surname
P0006:ORT01:US01:133:25 -> City
P0006:ORT01:1:133:25 -> Home City
P0105:USRID:MAIL:78:30 -> Internet E-Mail Address
P0105:USRID:CELL:78:30 -> Mobile
P0105:USRID:PAGR:78:30 -> Pager
P0006:TELNR:195:14 -> Home Phone
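An added Python illustration (not the driver's code) of how a mapping entry of the form infotype:field:subtype:offset:length selects a fixed-width field from an IDoc infotype segment and names the Identity Vault attribute it feeds; the segment data is constructed to match the deck's offsets, the segment layout itself is assumed, and the four-part TELNR entry is treated as having no subtype.

```python
"""Apply the sample SAP HR mapping rule to constructed IDoc infotype segments."""

# The deck's sample mapping rule: SAP HR attribute -> Identity Vault attribute.
MAPPING_RULE = {
    "P0002:VORNA:none:134:25": "Given Name",
    "P0002:NACHN:none:84:25": "Surname",
    "P0006:ORT01:US01:133:25": "City",
    "P0006:ORT01:1:133:25": "Home City",
    "P0105:USRID:MAIL:78:30": "Internet E-Mail Address",
    "P0105:USRID:CELL:78:30": "Mobile",
    "P0105:USRID:PAGR:78:30": "Pager",
    "P0006:TELNR:195:14": "Home Phone",
}


def parse_mapping_key(key):
    """Split '<infotype>:<field>:<subtype>:<offset>:<length>' into its parts.
    A four-part key (as in the deck's TELNR entry) is read as having no subtype."""
    parts = key.split(":")
    if len(parts) == 5:
        infotype, field, subtype, offset, length = parts
    elif len(parts) == 4:
        infotype, field, offset, length = parts
        subtype = "none"
    else:
        raise ValueError(f"bad mapping key {key!r}")
    return {"infotype": infotype, "field": field, "subtype": subtype,
            "offset": int(offset), "length": int(length)}


def extract_fields(segments, mapping=MAPPING_RULE):
    """segments: list of (infotype, subtype, fixed-width data string).
    Returns Identity Vault attribute -> value for every mapping entry whose
    infotype and subtype match a segment; 'none' matches any subtype."""
    rules = [(parse_mapping_key(k), iv_attr) for k, iv_attr in mapping.items()]
    result = {}
    for infotype, subtype, data in segments:
        for rule, iv_attr in rules:
            if rule["infotype"] != infotype:
                continue
            if rule["subtype"] != "none" and rule["subtype"] != subtype:
                continue
            value = data[rule["offset"]:rule["offset"] + rule["length"]].strip()
            if value:
                result[iv_attr] = value
    return result


def make_segment(length, fields):
    """Constructed fixed-width segment data: fields maps offset -> value."""
    buf = [" "] * length
    for offset, value in fields.items():
        buf[offset:offset + len(value)] = list(value)
    return "".join(buf)


# Constructed segments laid out at the offsets the mapping rule expects.
SAMPLE_SEGMENTS = [
    ("P0002", "none", make_segment(250, {134: "John", 84: "Adams"})),
    ("P0006", "US01", make_segment(250, {133: "Provo"})),
    ("P0006", "1", make_segment(250, {133: "Orem", 195: "8015550100"})),
    ("P0105", "MAIL", make_segment(150, {78: "jadams@example.com"})),
]
```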
DirXML Driver for SAP HR
Remote Loader Usage
Why use the Remote Loader?
• Identity Vault does not exist for SAP Host Platform
• Identity Vault not allowed on SAP Host Platform
SAP Driver with Remote Loader requirements
• Host platform supporting JDK/JRE 1.4 or higher
• SAP JCO client installed on host platform
Remote Loader features
• SSL connection security
• Bi-directional password handshake
Question and Answer
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.