Identity Management for SAP System Landscapes: Configuration Guide Document Version 7.1 Rev 8 December 2010 SAP NetWeaver Identity Management 7.1 SPS 5/7.2


Identity Management for SAP System Landscapes: Configuration Guide

Document Version 7.1 Rev 8
December 2010

SAP NetWeaver Identity Management 7.1 SPS 5/7.2

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

© Copyright 2008-2009 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Documentation on SAP Service Marketplace
You can find this documentation at service.sap.com/security

Typographic Conventions

Type Style   Represents

Example Text   Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.

Cross-references to other documentation.

Example text   Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT   Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text   Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text   Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>   Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT   Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon Meaning

Caution

Example

Note

Recommendation

Syntax


History of Changes

Version Change

7.1 Rev 8 Updated document to reflect validity for Release 7.2.

7.1 Rev 7 Correction made in the support package needed for using the delta mechanism with SAP ERP HCM. The correct support package is SAP ERP HCM Release 6.0 SPS 32.

Correction: After importing the SAP HCM staging area identity store, you must adjust the event handling for the MX_HCM_EMPLOYEE entry type.

7.1 Rev 6 The following attributes are now supported by the ABAP connector:

LASTMODIFIED (modification date, modification time, modified by)

ADDTTX (teletex address data)

ADDTLZ (telex address data)

ADDRML (remote mail address data)

ADDX400 (X400 address data)

ADDPRT (printer address data)

ADDSSF (SSF address data)

ADDURI (URI address data)

DEFAULTS/TIMEFM (time format)

ARESS/ADR_NOTES (notes about the address)

Minor corrections.

7.1 Rev 5 Update for troubleshooting timeout in initial load.

7.1 Rev 4 Updates for SAP NetWeaver 7.1 SP3.

Minor corrections. The password for the connection to an AS ABAP Release 4.6C must be entered in upper case.

Adjust the heap size if the system runs out of memory during an initial load.

SAP NetWeaver IDM does not support remote roles used by a Federated Portal Network (FPN) to share content. If you are integrating an FPN with SAP NetWeaver Identity Management, use the Remote Delta Link mode to share content instead.

7.1 Rev 3 Updates for SAP NetWeaver 7.1 SP2.

Corrections regarding value help values. Certain properties must be set for attributes that support value help before reading the value help data from the AS ABAP system.

Corrections to the Web-enabled task for deleting identities.

Minor corrections.

7.1 Rev 2 Minor updates and corrections.

7.1 Rev 1 Revised the version number to reflect the SAP NetWeaver 7.1 release.

Updated Integration with SAP Business Suite. This includes:

Information about event-driven provisioning of SAP HCM identity data.

A new entry type, MX_HCM_EMPLOYEE, that is used to facilitate the event-driven provisioning.

The manual setup of the HCM staging area has been replaced with an import of a template.

The query and extraction report to use for exporting identity data from the SAP HCM system have been updated.

Included information about how to read value help from AS ABAP systems.

Updated the list of supported ABAP attributes.

Included information regarding the templates for Microsoft Active Directory Server (ADS), which are now included with the provisioning framework for SAP systems.

Made adjustments based on the migration of the user interface to Web Dynpro for Java. This affects the sections about Workflow and Monitoring.

Minor improvements throughout the document.

1.2 Provided information for connecting dual-stack systems to the Identity Center. For this case, connect the dual-stack SAP system to the Identity Center using the AS ABAP templates.

Provided information for connecting a central user administration (CUA) to the Identity Center. Connect the CUA system to the Identity Center using the AS ABAP templates. Set the repository constant CUA_MASTER. Also see the other considerations that apply.

Provided information about supporting time-dependent ABAP role assignments. See the considerations and prerequisites that apply.

Provided instructions for updating the provisioning framework from SPS 1.

Minor improvements made throughout the document.

1.1 Error fixed in HR attributes P0002-VORNA, SYHR_A_P0000_AF_HIREDATE, and SYHR_A_P0000_AF_HIREDATE.

Changed the recommendation to deactivate the option for automatically creating new attributes as this can lead to discrepancies due to minor mistakes such as typing errors. Therefore, deactivate this option and create the attributes used by the provisioning framework manually.

The ABAP connector does support importing derived roles during the initial load. Derived roles are read and provisioned the same way as non-derived ones.

Error fixed in AS Java repository constants for the provisioning, deprovisioning, and modifying user tasks.

Included SNC configuration for connectors to AS ABAP.

Minor improvements made throughout the document.

Changed the title to reflect the content better. Previous title: Provisioning Framework for SAP Systems: Connectivity.

1.0 Original version

Contents

1 INTRODUCTION ........ 1
1.1 Prerequisites ........ 2
1.2 Limitations and Considerations ........ 3

2 GETTING STARTED WITH THE PROVISIONING FRAMEWORK FOR SAP SYSTEMS ........ 8
2.1 Overview ........ 8
2.2 Rules and Recommendations ........ 12

3 IMPLEMENTATION PROCESS ........ 15
3.1 Importing the Provisioning Framework for SAP Systems ........ 15
3.2 Post Processing: Adjusting Constants, Assigning Event Tasks, and Adjusting the Web-Enabled ........ 18
3.3 Selecting the Use Case to Implement ........ 23
3.4 Setting up the Landscape ........ 24
3.5 Reading Value Help Content ........ 39
3.6 Performing the Initial Loads ........ 43
3.7 Cleaning up the Collected Data ........ 47
3.8 Scheduling the Update Jobs ........ 48
3.9 Set Up User Interfaces for User Administration (Workflow) ........ 48
3.10 Maintaining Business Roles ........ 49
3.11 Provisioning ........ 51
3.12 Next Steps ........ 51

APPENDIX A: REPOSITORY CONSTANTS ........ 53

APPENDIX B: MAPPING BETWEEN IDENTITY CENTER AND AS ABAP ATTRIBUTES ........ 60

APPENDIX C: ATTRIBUTES THAT SUPPORT VALUE HELP ........ 74

APPENDIX D: CONFIGURING THE VIRTUAL DIRECTORY SERVER ........ 76

APPENDIX E: CONFIGURING THE SAP HCM SYSTEM ........ 78
E.1 Creating the Query to Use for the Export ........ 78
E.2 Specifying the Attribute Mapping Between the HR Fields and LDAP Synchronization ........ 80
E.3 Creating an RFC Destination to Use for the LDAP Connector ........ 81
E.4 Configuring the Parameters to Use for the Connection to the VDS ........ 81
E.5 Maintain the Attribute Mappings ........ 83
E.6 Export the Data ........ 85

APPENDIX F: CONFIGURING THE ABAP CONNECTOR TO USE SNC ........ 87
F.1 Downloading and Installing the SAP Cryptographic Library ........ 88
F.2 Creating a Personal Security Environment ........ 89
F.3 Creating Credentials ........ 91
F.4 Exchanging the Public-Key Certificates ........ 92
F.4.1 Exporting the Identity Center’s Public-Key Certificate ........ 92
F.4.2 Importing the Identity Center’s Public-Key Certificate Into the AS ABAP’s SNC PSE ........ 93
F.4.3 Exporting the AS ABAP’s Public-Key Certificate ........ 94
F.4.4 Importing the AS ABAP’s Public-Key Certificate Into the Identity Center’s PSE ........ 94
F.5 Setting the SNC parameters ........ 95
F.6 Maintaining the Extended User ACL ........ 96
F.7 Testing the Connection ........ 96

Identity Management for SAP System Landscapes: Configuration Guide December 2010

Identity Management for SAP System Landscapes: Configuration Guide

This document is valid for use with SAP NetWeaver Identity Management Release 7.1 or Release 7.2 running in 7.1 compatibility mode (meaning you are using the provisioning framework from Release 7.1). If you are running SAP NetWeaver Identity Management in pure 7.2 mode, then see the corresponding documentation for the provisioning framework for Release 7.2, which is available on the SAP Developer Network at www.sdn.sap.com/irj/sdn/nw-identitymanagement.

1 Introduction

You can use SAP NetWeaver Identity Management for processing identity information in a variety of ways, depending on your system landscape. You can use it in homogeneous or heterogeneous landscapes, either with or without SAP systems.

In Identity Management for SAP System Landscapes: Architectural Overview, we described a number of use cases where you can use SAP NetWeaver Identity Management for identity provisioning with SAP systems. These use cases are:

SAP Human Capital Management (HCM) Integration

This use case shows how to manage identities when the leading identity source is an SAP HCM system and the identities are provisioned to an LDAP directory server by the Identity Center.

SAP NetWeaver Portal Environment

This use case shows how to manage identities in an SAP NetWeaver Portal environment. In this case, the leading identity source is a corporate directory, and the identities are provisioned to the portal’s AS Java and the various back-end systems. In this example, we show how to provision to an AS ABAP back-end system.

Identity Lifecycle Management

This use case shows how to integrate the first two cases, whereby the identities from the SAP HCM use case that have been provisioned to the LDAP directory server are also used for the portal environment and the corresponding back-end system(s).

Enhanced SAP Business Suite Integration

Another example of a complete system landscape includes the SAP Business Suite integration. In this case, additional SAP systems, which may also have special requirements, are connected to SAP NetWeaver Identity Management for identity provisioning. The SAP HCM system is typically the leading system for this use case.

To implement these use cases, we provide a provisioning framework for SAP systems with SAP NetWeaver Identity Management. This framework provides templates for connecting SAP systems to SAP NetWeaver Identity Management and for setting up the corresponding provisioning jobs.

1.1 Prerequisites

Role model

As mentioned in the document Identity Management for SAP System Landscapes: Architectural Overview, a primary prerequisite for the implementation of identity management is a role model. The role model provides a mapping between the user’s business role (for example, EMPLOYEE) and the technical roles or privileges in the back-end system (for example, the ABAP role Z_HCM_EMPLOYEE_ROLE).

Before proceeding, you must set up this role model for all of the systems involved in the system landscape that you want to manage using SAP NetWeaver Identity Management and the provisioning framework for SAP systems.

You are familiar with the SAP NetWeaver Identity Management components. These comprise the Identity Center and the Virtual Directory Server (VDS).

You have installed the Identity Center, as well as the Web Dynpro applications for workflow and monitoring.

For the SAP HCM or the SAP Business Suite use cases, you have also installed the VDS component.

When working with the provisioning framework for SAP systems, the systems must meet the following system requirements:

SAP NetWeaver Identity Management: Release 7.0 SPS 1 or higher

The following features require Release 7.0 SPS 2:

Support for time-dependent privilege assignments

Support for connecting a central user administration central system

Support for connecting a dual-stack system

The following features require Release 7.1 SPS 0:

Event-driven provisioning for SAP HCM identity data

SAP Business Suite integration

AS ABAP: Release 4.6C or higher

AS Java/Portal: Release 6.40, 7.00, or 7.10

In addition, SPML patches must be deployed on the AS Java as described in SAP Note 1064236.

SAP ERP HCM: Release 6.0 SPS 37

This support package stack is required for provisioning only delta information from the SAP HCM system to SAP NetWeaver Identity Management.

SAP Business Suite 7.0

This release is required for the enhanced SAP Business Suite integration use case.

You have credentials to use for the connections to the target systems. The corresponding authorizations allow for creating and updating entries.

1.2 Limitations and Considerations

1.2.1 Limitations and Considerations that Apply to Specific Use Cases

Limitations and Considerations When Using the SAP HCM Use Case

The following limitations apply when using the SAP HCM use case:

The delta mechanism is not pre-configured when importing the data from the SAP HCM system into the staging area in the Identity Center. A full load is always performed.

When using the SAP HCM use case, the following options are delivered with the provisioning framework for SAP systems for determining the user account name:

The SAP HCM system can determine the user account name using the P0105-SYHR_A_P0105_AF_SYSUNAME field. If this field does not contain any data, but other employee data is maintained, then the employee data is first only written to the staging area. Only after this field is filled in the SAP HCM system is the complete data written to the productive identity store. Data consistency is ensured (for example, if you delete the user name from this field) by making sure a unique personnel number is also specified in the field P0000-PERNR.

The Identity Center can determine the user account name. In this case, it uses the SAP HCM field P0000-PERNR as input to determine a unique system-wide user ID. The field P0105-SYHR_A_P0105_AF_SYSUNAME is ignored.

If you have other needs for determining the system-wide user account name, then you must adjust the tasks and jobs accordingly.
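The two delivered options and the staging-area rule above can be modelled as a small routing function. The following is an added example, not code from the guide or from the provisioning framework: it reads the two HCM fields named above, decides whether a record is loaded into the productive identity store, parked in the staging area, or rejected, and enforces that P0000-PERNR and the resulting account name stay unique across an extract. The sample records, the "U" + PERNR derivation rule for the Identity Center option, and the function names are assumptions.

```javascript
"use strict";

// Constructed sample extract (not real HCM data), keyed by the field names the guide uses.
const SAMPLE_EMPLOYEES = [
  { "P0000-PERNR": "00001234", "P0105-SYHR_A_P0105_AF_SYSUNAME": "JDOE" },
  { "P0000-PERNR": "00005678", "P0105-SYHR_A_P0105_AF_SYSUNAME": "" },      // user name not yet maintained
  { "P0000-PERNR": "",         "P0105-SYHR_A_P0105_AF_SYSUNAME": "GHOST" }, // no personnel number
  { "P0000-PERNR": "00001234", "P0105-SYHR_A_P0105_AF_SYSUNAME": "JDOE2" }, // duplicate PERNR
];

// Which side decides the account name: SAP HCM (P0105 field) or the Identity Center (derived from PERNR).
const ACCOUNT_SOURCE = Object.freeze({ HCM: "HCM", IDENTITY_CENTER: "IDENTITY_CENTER" });

// Assumed derivation rule for the Identity Center option; the guide does not prescribe one.
function deriveAccountFromPernr(pernr) {
  return "U" + pernr;
}

// Decide where one record goes: productive identity store, staging area, or rejected.
function routeRecord(rec, source) {
  const pernr = (rec["P0000-PERNR"] || "").trim();
  const sysuname = (rec["P0105-SYHR_A_P0105_AF_SYSUNAME"] || "").trim();

  // The personnel number is the consistency anchor in both options; without it nothing is loaded.
  if (!pernr) {
    return { target: "reject", reason: "missing P0000-PERNR", pernr, account: null };
  }
  if (source === ACCOUNT_SOURCE.IDENTITY_CENTER) {
    // P0105 is ignored here, as the guide states for this option.
    return { target: "productive", reason: "account derived from PERNR", pernr, account: deriveAccountFromPernr(pernr) };
  }
  if (!sysuname) {
    return { target: "staging", reason: "P0105 user name not maintained yet", pernr, account: null };
  }
  return { target: "productive", reason: "P0105 user name supplied by HCM", pernr, account: sysuname };
}

// Route a whole extract, rejecting records that would break uniqueness of PERNR or account name.
function routeBatch(records, source) {
  const seenPernr = new Set();
  const seenAccount = new Set();
  const result = { productive: [], staging: [], reject: [] };
  for (const rec of records) {
    const d = routeRecord(rec, source);
    if (d.target !== "reject" && seenPernr.has(d.pernr)) {
      d.target = "reject";
      d.reason = "duplicate P0000-PERNR " + d.pernr;
    } else if (d.target !== "reject" && d.account && seenAccount.has(d.account)) {
      d.target = "reject";
      d.reason = "duplicate account name " + d.account;
    }
    if (d.target !== "reject") {
      seenPernr.add(d.pernr);
      if (d.account) seenAccount.add(d.account);
    }
    result[d.target].push(d);
  }
  return result;
}
```

Running `routeBatch(SAMPLE_EMPLOYEES, ACCOUNT_SOURCE.HCM)` puts the first record into the productive store, the second into staging, and rejects the other two; with `ACCOUNT_SOURCE.IDENTITY_CENTER` the second record also becomes productive because the account is derived from PERNR and the empty P0105 field no longer matters.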

If you have difficulties transferring Unicode characters from the SAP HCM system, then start the system’s LDAP connector using the code page that corresponds to the SAP HCM system. For more information, see SAP Note 539198.

Considerations When Using the SAP NetWeaver Portal

SAP NetWeaver IDM does not support remote roles used by a Federated Portal Network (FPN) to share content. If you are integrating an FPN with SAP NetWeaver Identity Management, use the Remote Delta Link mode to share content instead. For more information, see:

http://help.sap.com/saphelp_nwce10/helpdata/en/43/23fabdcad10d23e10000000a1553f7/frameset.htm

http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/7047

Considerations When Using the Identity Lifecycle Management Use Case

When using this use case you must ensure that users exist in the LDAP directory server before running jobs or initiating provisioning steps that will assign portal roles to the users. Otherwise, if a user exists in SAP HCM and is assigned to a portal role, and the portal role assignment is provisioned without the user existing in the LDAP directory server that is used as a user store for the portal, then you will receive errors. For more information, see page 35.

Considerations When Using the Enhanced SAP Business Suite Integration Use Case

For this case, note the following:

There is no support for central user administration with this use case.

When integrating SAP NetWeaver Identity Management with the SAP Business Suite, application-specific identity data is also provisioned. To ensure that the correct data is provisioned based on the systems that are integrated, there are application-specific Business Add-Ins (BAdIs) to use for pre- and post-processing. These BAdIs are handled as privileges in the Identity Center as type FUNCTION_SET. You need to include them in the business roles that apply to the corresponding SAP Business Suite applications.

By default, the Identity Center also maintains user account data when provisioning. For certain applications, you may want to have certain identity data provisioned without having a user account created for the identity, for example, when provisioning business partner data. For this case, create a dedicated repository for the AS ABAP where the user account should not be created. For this repository, specify the repository constant NO_USER_ACCOUNT.

1.2.2 Limitations and Considerations that Apply to Specific Connectors

Limitations that Apply to All Connectors

The following limitations apply when using the provisioning framework for SAP systems:

Whenever a user attribute is changed (except for role assignments), all user attributes are provisioned to the selected back-end systems (not only the changed attributes).

After removing all of the privileges from an MX_PERSON entry in the Identity Store, the respective Java or ABAP user is deleted in the corresponding repository. The system attempts to delete the user for each assignment that was removed; therefore, if there were several privileges assigned to the user in the repository, the system will also attempt to delete the user several times. The first deletion will be successful, but the following attempts will produce error messages because the user was already deleted. You can ignore these error messages.

Whenever a role or group assignment is changed, all role, profile, and group assignments are provisioned (not only the changed roles, profiles, or groups). The assignments are provisioned to all systems that are affected by the change.

When performing the initial loads, consolidation occurs based on user IDs, meaning that an identity is created in the identity store for each unique user ID that is read.

When performing the initial load, the script custom_initializePassword is called, which generates initial passwords for the users. By default, the script’s input parameter is set as the last name; however, it is only a placeholder and is not actually used to generate the password.

You must modify this script to generate passwords for the users based on your needs.

The users used for the connections should be technical users that do not have to change their passwords, for example, service users in AS ABAP or technical users in AS Java.

Since the connections are system-to-system connections that do not have a user interface, if the user is a dialog user and is required to change his or her password, for example, if the password is initial, then errors will occur.

Limitations and Considerations for ABAP System Connectors

As of Release 7.0 SPS 2, time dependencies for privilege assignments are supported. This means that time-dependent ABAP role assignments are no longer lost in the initial load. The time dependencies are read into the Identity Center with the initial load. The privilege assignments are then provisioned to the target systems when they become active.

After the initial load, the time dependencies are stored in the Identity Center and no longer in the AS ABAP. Previous time-dependent assignments are lost in this step; therefore, you no longer have a history of such assignments. You also no longer see future assignments in the AS ABAP.

To improve efficiency, you can execute the report PRGN_COMPRESS_TIMES with the option Remove Validity Periods That Have Already Expired for all users. This removes all outdated role assignments so that the initial load only reads active and future role assignments.

For Release 7.0 SPS 1 and lower, the templates do not support time dependencies and the execution of this report is mandatory. If you connect an AS ABAP system that has time dependencies in role assignments to the Identity Center in these releases, then these are lost when the Identity Center provisions the assignments back to the AS ABAP system. In this case, you must execute the report PRGN_COMPRESS_TIMES as mentioned above.
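The effect of the validity periods on the initial load and on later provisioning is easier to reason about with a small model. The following is an added example, not code from the guide, the provisioning framework or the PRGN_COMPRESS_TIMES report: it classifies time-dependent role assignments as expired, active or future relative to a reference date, shows which assignments survive when expired periods are removed beforehand, and which roles the Identity Center would provision for a user on a given day. The sample assignments are constructed; dates use the ABAP YYYYMMDD form, with 99991231 as the usual marker for an unlimited validity end.

```javascript
"use strict";

// Constructed sample of time-dependent role assignments, as an AS ABAP holds them.
const SAMPLE_ASSIGNMENTS = [
  { user: "JDOE", role: "Z_HCM_EMPLOYEE_ROLE", from: "20090101", to: "20091231" },
  { user: "JDOE", role: "Z_HCM_EMPLOYEE_ROLE", from: "20100101", to: "99991231" },
  { user: "AROE", role: "Z_HCM_EMPLOYEE_ROLE", from: "20110301", to: "99991231" },
  { user: "AROE", role: "Z_TEMP_PROJECT",      from: "20101201", to: "20101231" },
];

// ABAP dates are YYYYMMDD strings, so lexical order equals chronological order once the format is checked.
function checkDate(s) {
  if (!/^\d{8}$/.test(s)) throw new Error("not an ABAP date (YYYYMMDD): " + s);
  return s;
}

// Status of one assignment on the reference date.
function assignmentStatus(a, today) {
  checkDate(a.from);
  checkDate(a.to);
  checkDate(today);
  if (a.from > a.to) return "invalid"; // validity period ends before it starts
  if (a.to < today) return "expired";
  if (a.from > today) return "future";
  return "active";
}

// Bucket an assignment list the way the initial load would encounter it.
function classifyAssignments(assignments, today) {
  const buckets = { active: [], future: [], expired: [], invalid: [] };
  for (const a of assignments) buckets[assignmentStatus(a, today)].push(a);
  return buckets;
}

// Model of the outcome the guide attributes to running PRGN_COMPRESS_TIMES with
// "Remove Validity Periods That Have Already Expired": only active and future
// periods remain for the initial load to read. Not the report's own logic.
function withoutExpired(assignments, today) {
  return assignments.filter((a) => assignmentStatus(a, today) !== "expired");
}

// The flat role list the Identity Center would provision for one user on a given
// day: future assignments are held back until they become active.
function rolesToProvision(assignments, user, today) {
  return assignments
    .filter((a) => a.user === user && assignmentStatus(a, today) === "active")
    .map((a) => a.role)
    .sort();
}
```

With 20101215 as the reference date, the sample yields two active, one future and one expired assignment; after the expired period is dropped three remain, and AROE is provisioned only Z_TEMP_PROJECT that day but Z_HCM_EMPLOYEE_ROLE on 20110301, by which time the project role has expired.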

As of Release 7.0 SPS 2, the templates provided support dual-stack systems. In this case, specify the repository as a dual-stack type and use the AS ABAP job and task templates. The dual-stack repository type contains the connection information for both the AS ABAP and the AS Java back-end systems, and the job and task templates check whether the system is a dual-stack system at execution time.

The ABAP connector does not support reference users.

Composite roles and derived roles are read into the identity store; however, there is no information in the Identity Center to indicate these role types. In the Identity Center, you will see a flat list containing all roles.

The ABAP connector cannot delete company addresses.

Mobile numbers must not contain a hyphen (-). The ABAP connector interprets the hyphen (-) as an extension, but the AS ABAP ignores extensions for mobile numbers.

When connecting to an AS ABAP Release 4.6C, the password used for the connection needs to be entered in the repository constants in upper case.

Not all identity attributes are supported, for example, licensing attributes. See Appendix B: Mapping Between Identity Center and AS ABAP Attributes [Page 59] for a list of the supported attributes.

Additional Prerequisites for AS ABAP System Connectors

Automatic profile generation must be enabled on the AS ABAP so that changes to role assignments are automatically reflected in a user’s profile.

You can check this using table maintenance (for example, transaction SM30). Maintain the table PRGN_CUST. Make sure an entry with the name AUTO_USERCOMPARE exists in the table and that it contains the value YES.

If you do not activate AUTO_USERCOMPARE, then run the report PFCG_TIME_DEPENDENCY after executing any provisioning steps.

To make sure the communication user used for the ABAP connector only has the necessary authorizations in the back-end system, assign the SAP_BC_SEC_IDM_COMMUNICATION role to the user.

This role was updated with Release 7.0 SPS 2 with authorizations for using the CUA, and with Release 7.1 for authorizations to retrieve value help values. Therefore, if you are upgrading to SPS 2 or Release 7.1 respectively, and want to use these features, then you must also upload the new version of the role, regenerate the corresponding profiles, and update the role assignment for the communication user.

For enhanced Business Suite integration, the communication user also needs the role SAP_CA_BP_IDM_INTEGRATION.

Limitations and Considerations when Connecting a CUA System

As of Release 7.0 SPS 2, the templates provided support central user administration (CUA). To support a CUA landscape, connect the CUA central system to the Identity Center using the ABAP connector. The Identity Center provisions identity data to the CUA central system, which in turn provisions the data to its child systems. This provisioning takes place according to the configuration of the attribute distribution settings on the central system.

The CUA is not supported with the SAP Business Suite integration use case.

Although you do not have to change the attribute distribution settings (using transaction SCUM), we recommend using the global distribution setting for attributes so that they can be maintained in the Identity Center.

Only connect the CUA central system to the Identity Center. Do not connect any of the CUA child systems. If you want to connect a child system directly to the Identity Center, disconnect it from CUA first.

If a corresponding LDAP directory is also connected to the Identity Center, then the LDAP synchronization for the CUA central system is obsolete.

You no longer need to assign users to systems in the CUA landscape as the Identity Center makes this correlation when a user is assigned a privilege in the corresponding system.

Additional Prerequisites for AS Java System Connectors

The communication user used for the AS Java connector should only have the necessary authorizations in the back-end system, which are provided with the UME action UME.Spml_Write_Action. (There is also an action called UME.Spml_Read_Action for read-only access.)

Limitations and Considerations for LDAP Directory Connectors

Templates for the Sun Microsystems Sun One LDAP server and Microsoft Active Directory Server (ADS) are provided. You can adjust the tasks and jobs for other directory servers to meet your needs on a project basis.

1.2.3 Considerations When Customizing the Provisioning Framework

If you need to modify the provisioning framework to meet your needs, then copy the corresponding templates to a custom folder and only modify the copied tasks. See Section 2.2: Rules and Recommendations [Page 12].

Page 17: IDM Landscape Config Guide

Identity Management for SAP System Landscapes: Configuration Guide December 2010

8

2 Getting Started with the ProvisioningFramework for SAP Systems

2.1 OverviewThe provisioning framework for SAP systems provides a set of templates that you canreference when you set up the system-specific jobs used for your provisioning use case.

Before you start working with the templates and creating the jobs, you should familiarizeyourself with the structure and content of the framework. You should be familiar with:

The entry types that you will be working with, for example, the entry type MX_PERSONrepresents user objects in the system.

The attributes that describe these entry types.

How to use tasks and jobs to work with the entry types.

These aspects are described in the sections that follow.

Entry Types

The identity store stores the identity data according to a schema that consists of entry types and attributes. The entry types are objects that describe how the different identity-relevant objects are represented in the Identity Center. The entry types used when working with the provisioning framework for SAP systems are:

MX_PERSON

This is the entry type used for user objects in the system.

MX_ROLE

This is the entry type used for business role objects. Nesting MX_ROLE entries is possible.

MX_PRIVILEGE

This is the entry type used for permission objects (that is, technical roles) in the system, for example,

ABAP roles and profiles

Portal and UME roles

UME database groups

LDAP groups

Nesting is not possible.

MX_GROUP

This is the entry type used for LDAP group hierarchies that contain privileges. For example, in addition to being a privilege itself, an LDAP group can contain privileges that represent ABAP roles, ABAP profiles, or portal roles. The attribute MX_GROUP contains the hierarchical structure used for assigning these privileges to the users.


MX_COMPANY_ADDRESS

This is the entry type used for company addresses.

MX_HCM_EMPLOYEE

This is an entry type used for employees read from the SAP HCM system. It allows for event-driven provisioning for SAP HCM identity data.

These entry types are delivered with predefined sets of attributes that you can extend to meet your needs.

Attributes

The schema used by the provisioning framework for SAP systems contains a number of attributes that are used to describe the entry types (for example, MX_LASTNAME, MX_FIRSTNAME). See the identity store schema for a complete list of the attributes available.

Some of the most important are shown in the table below.

Attribute | Description | Applicable Entry Type
MSKEYVALUE | Unique identifier for the identity object | All
ACCOUNT<Repository> | Unique user ID for the user in the target repository | MX_PERSON
MX_REPOSITORYNAME | Identifier for the home repository where the original privilege is defined | MX_PRIVILEGE

For more information about the default schema delivered with the Identity Center, see the document Identity Center – Identity Store Schema, which is available on the SAP Developer Network at www.sdn.sap.com/irj/sdn/nw-identitymanagement under the topic Information in Detail.

Tasks and Jobs

Setting up SAP NetWeaver Identity Management for provisioning and the identity provisioning itself takes place using tasks and jobs. Although both are flexible and you can use either in many situations, we provide the following guidelines.

Tasks

Use tasks for provisioning identity data when changes occur. They are triggered, for example, when a user account is changed from the Workflow user interface.

Jobs

Use jobs for performing specific mass operations like initial loads, updates, or reconciliation. You can start jobs explicitly or schedule them to run at a certain time.

The way that tasks and jobs are reflected when using the provisioning framework for SAP systems is described below.


Task Templates

The framework provides a set of task templates that you can refer to when creating the tasks to use for identity management. These templates are divided into the following categories:

Global event tasks

This group contains task templates for global tasks that are triggered during the provisioning process.

System type specific tasks

This group contains task templates that are specific to a system type. It includes tasks for AS ABAP, AS Java, and LDAP.

Generic tasks

This group contains task templates for tasks that are reusable by other tasks.

Web-enabled tasks

This group contains task templates for tasks that are used for setting up the Workflow user interface.

Job Templates

The framework also provides a set of templates that you can use for setting up jobs. The following jobs are supported:

Initial Load

The initial load job retrieves the identity information from the connected system and stores it in the identity store in the Identity Center.

Initial Provisioning

This job provisions the data that was consolidated during the initial load back to the connected systems. See the table below:

Use Case: SAP HCM
  Provisioned data:
    SAP HCM: all MX_PERSON and MX_COMPANY_ADDRESS entries
    AS ABAP: all MX_PERSON and MX_COMPANY_ADDRESS entries
    LDAP (SUNONE/ADS): all MX_PERSON entries

Use Case: SAP NetWeaver Portal
  Provisioned data:
    AS ABAP: all MX_PERSON and MX_COMPANY_ADDRESS entries
    AS Java (Database): all MX_PERSON entries

Use Case: Identity Lifecycle Management
  Provisioned data:
    AS ABAP: all MX_PERSON and MX_COMPANY_ADDRESS entries
    AS Java (Database): all MX_PERSON entries
    LDAP (SUNONE/ADS): all MX_PERSON entries

Use Case: Enhanced SAP Business Suite Integration
  Provisioned data:
    AS ABAP: all MX_PERSON and MX_COMPANY_ADDRESS entries


When using an LDAP directory server as the leading system, we assume that the data being read is complete and correct and does not need to be updated by the Initial Provisioning jobs.

Update

Set up this job to run occasionally to update data from the connected systems. This job checks for changes on original objects, for example, for changes to identities in the leading system, or changes to roles that are locally maintained in the connected systems. These changes are then read into the Identity Center and provisioned to the affected systems.

You should carefully define which local changes are still permitted once SAP NetWeaver Identity Management is active. To enforce the desired rules, specify the authorizations for users and administrators in the target systems as appropriate. Then enable or disable the passes of the update job according to your rules.

Example rules for SAP systems:

Create, modify, delete users: no

Create, delete roles/groups/profiles: yes

Assign/unassign roles/groups/profiles: no

Example rules for an LDAP directory that is a leading system:

Create, modify, delete entries: yes

Create, delete groups: yes

Assign/unassign groups: yes

ABAP Read Help Values

Run this job prior to the initial load to read the value help from the ABAP system. The value help content is then written to the corresponding database table specified in the schema.

Reconciliation

Set up this job if you are using an AS Java with an LDAP directory as the data source. This job checks for inconsistencies between identities in the LDAP directory and the identity store. It produces three text files:

Users missing in the identity store

Users missing in the LDAP directory server

Users that are different in the identity store and in the LDAP directory server

The path and filename for these files are specified in the Destination tab page for the corresponding passes in the job.

Reset Delta

This job template is useful during the set-up phase in case something was not completely set up correctly and you need to rerun any initial load jobs. It resets the delta information that was stored after the original initial load job so that the job can be run again in an initial state.


Clean Provisioning Queue

Run this job to clean up the provisioning queue after performing the initial loads.
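The three comparisons that the Reconciliation job template makes can be worked through on sample data. The Python script below is an added example and is not part of this guide or of the Identity Center. It joins the identity store's MX_PERSON entries to the LDAP entries on an assumed ACCOUNT<Repository> attribute (the repository is assumed to be named CORPLDAP, so the attribute is ACCOUNTCORPLDAP, compared against the LDAP uid), compares an assumed attribute mapping, and writes the three text files in the same spirit as the job's Destination passes. All identity store and LDAP entries are constructed sample data.

```python
"""Reconciliation check between an LDAP directory and the identity store.

Added example; not code from the SAP guide or from the Identity Center.
It models the three outputs of the Reconciliation job template (users
missing in the identity store, users missing in the LDAP directory, users
whose attributes differ) on constructed sample data. The join key
(ACCOUNTCORPLDAP against the LDAP uid) and the attribute mapping are
assumptions made for the example.
"""
import os

# Constructed identity store entries (entry type MX_PERSON). The repository is
# assumed to be named CORPLDAP, hence the account attribute ACCOUNTCORPLDAP.
IDENTITY_STORE = [
    {"MSKEYVALUE": "JDOE", "ACCOUNTCORPLDAP": "jdoe",
     "MX_FIRSTNAME": "John", "MX_LASTNAME": "Doe", "MX_MAIL_PRIMARY": "john.doe@example.com"},
    {"MSKEYVALUE": "ASMITH", "ACCOUNTCORPLDAP": "asmith",
     "MX_FIRSTNAME": "Anna", "MX_LASTNAME": "Smith", "MX_MAIL_PRIMARY": "anna.smith@example.com"},
    {"MSKEYVALUE": "BLEE", "ACCOUNTCORPLDAP": "blee",
     "MX_FIRSTNAME": "Bob", "MX_LASTNAME": "Lee", "MX_MAIL_PRIMARY": "bob.lee@example.com"},
    # No account attribute yet: never provisioned, so not part of the comparison.
    {"MSKEYVALUE": "NEWHIRE", "MX_FIRSTNAME": "New", "MX_LASTNAME": "Hire"},
]

# Constructed LDAP entries, as a directory connector would read them.
LDAP_ENTRIES = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "uid": "jdoe",
     "givenName": "John", "sn": "Doe", "mail": "john.doe@example.com"},
    {"dn": "uid=asmith,ou=people,dc=example,dc=com", "uid": "asmith",
     "givenName": "Anna", "sn": "Smyth", "mail": "anna.smith@example.com"},  # sn differs
    {"dn": "uid=clocal,ou=people,dc=example,dc=com", "uid": "clocal",
     "givenName": "Carl", "sn": "Local", "mail": "carl.local@example.com"},  # created locally
]

# Assumed mapping: identity store attribute -> LDAP attribute.
ATTRIBUTE_MAP = {"MX_FIRSTNAME": "givenName", "MX_LASTNAME": "sn", "MX_MAIL_PRIMARY": "mail"}


def reconcile(store, ldap, account_attr, attribute_map):
    """Return (missing_in_store, missing_in_ldap, different).

    `different` maps an account name to the (attribute, store value, ldap value)
    triples that disagree. The account name is compared case-insensitively,
    which matches how an LDAP uid lookup normally behaves.
    """
    by_account = {e[account_attr].lower(): e for e in store if e.get(account_attr)}
    by_uid = {e["uid"].lower(): e for e in ldap}

    missing_in_store = sorted(set(by_uid) - set(by_account))
    missing_in_ldap = sorted(set(by_account) - set(by_uid))

    different = {}
    for acct in sorted(set(by_account) & set(by_uid)):
        diffs = []
        for mx_attr, ldap_attr in attribute_map.items():
            mx_val = by_account[acct].get(mx_attr, "")
            ldap_val = by_uid[acct].get(ldap_attr, "")
            if mx_val != ldap_val:
                diffs.append((mx_attr, mx_val, ldap_val))
        if diffs:
            different[acct] = diffs
    return missing_in_store, missing_in_ldap, different


def write_reports(result, directory):
    """Write the three text files, one affected user per line. Returns the paths."""
    missing_in_store, missing_in_ldap, different = result
    diff_lines = [acct + ": " + "; ".join(f"{m}={sv!r} vs {lv!r}" for m, sv, lv in d)
                  for acct, d in different.items()]
    paths = {}
    for name, lines in (("users_missing_in_identity_store.txt", missing_in_store),
                        ("users_missing_in_ldap.txt", missing_in_ldap),
                        ("users_different.txt", diff_lines)):
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + ("\n" if lines else ""))
        paths[name] = path
    return paths


if __name__ == "__main__":
    import tempfile
    res = reconcile(IDENTITY_STORE, LDAP_ENTRIES, "ACCOUNTCORPLDAP", ATTRIBUTE_MAP)
    print(write_reports(res, tempfile.mkdtemp()))
```

Entries without an account attribute are deliberately left out of the comparison: an identity that has not been provisioned yet is not an inconsistency, and reporting it as "missing in LDAP" would only add noise to the report that someone has to triage.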

2.2 Rules and Recommendations

You most likely will have to modify the jobs and tasks provided by the provisioning framework, for example, to set up your own Workflow approval process. There are several rules and recommendations that you need to take into account when adapting the framework to your own use case. See the points below.

Identity Stores

Each AS Java installation can only access one identity store. Therefore, to reduce the number of AS Java installations, we recommend you set up one single identity store that is accessible from the user interface functions (for example, Workflow and Monitoring).

You may want to set up additional identity stores as staging areas (for example, with the SAP HCM use case), but these staging area identity stores do not have to be accessed by the user interfaces and therefore do not require additional AS Java installations.

Tasks

Do not modify the tasks provided in the framework.

If you do need to adjust the tasks to meet your needs, create a second provisioning folder in which you create your own tasks (Custom Tasks in the example below). Use the tasks provided with the framework as templates that you copy into your own folder.

In this case, we recommend creating subfolders for each repository in your landscape. Also create subfolders for those global event tasks, system type specific tasks, generic tasks and Web-enabled tasks, as necessary. See the figure below.


If you modify the tasks in the SAP Provisioning Framework folder, then your changes will be overwritten if you import an updated version of the framework.

Also, make copies of any tasks in your own folder and do not link to the existing tasks in the SAP Provisioning Framework. Links to existing tasks also modify the original tasks, and therefore such links are also overwritten if you import an updated version of the framework.

You will have to modify the Web enabled tasks. Therefore, when setting up the Workflow tasks, make a copy of the Web Enabled Tasks folder and its tasks. Make your changes in this copied folder and not in the SAP Provisioning Framework folder. Disable any templates that are not used.

See the figure below.

See the procedure for setting up the Workflow application on page 49.


Jobs

When you create the job folder that contains your jobs, we also recommend structuring the job folders according to each system. Use the repository name for the folder name. Also set up a folder for global jobs. See the example below.

See the procedure for setting up the corresponding jobs on page 30 and page 33.

You are free to set up the job folders as you like; however, if you follow these recommendations and naming conventions, then it is easier to resolve consulting or support issues if they arise.


3 Implementation Process

To implement identity provisioning in SAP NetWeaver Identity Management based on the templates we provide, proceed as follows:

1. Import the provisioning framework for SAP systems into the SAP NetWeaver Identity Management Identity Center.

2. Perform the initial configuration. You must adjust some global constants and assign event tasks to entry types and attributes.

3. Select the use case to implement.

4. Set up the landscape for the use case. This includes:

Creating repositories for each system that you connect to the Identity Center.

Setting up the jobs to use for the use case.

For the SAP HCM or enhanced SAP Business Suite integration use cases, you must also set up a staging area in the Identity Center, set up the Virtual Directory Server, configure the SAP HCM system, and maintain the attribute mappings.

5. Determine the leading system for attributes that use value help and read the value help from this system.

6. Import the identity data into the Identity Center’s identity store by performing the initial loads.

7. Clean up the data that was collected from the initial loads and provision the consolidated data back to the connected systems.

8. Schedule the update jobs that should run regularly.

9. Set up the user interfaces for performing user administration.

10. Maintain the business roles in the Identity Center.

Afterwards, changes to user master records in the leading system and changes to technical roles or the corresponding user and role assignments (in the original system for the roles or their assignments) are provisioned to the various systems.

3.1 Importing the Provisioning Framework for SAP Systems

The first step in working with the provisioning framework for SAP systems is to import it into the Identity Center.

If you are updating the framework from a previous version, see Section 3.1.1: Updating the Provisioning Framework [Page 18].

Prerequisites

You have installed the Identity Center and performed the initial configuration. For more information, see the installation guides and the Identity Center Initial Configuration guide.

You have created an Identity Center configuration to use for the provisioning framework for SAP systems. This is denoted in the following procedure as <IC_Configuration_for_SAP_Systems>.


You have created a dispatcher for running jobs.

If you are connecting a central user administration (CUA) system to the Identity Center, then you have assigned the role SAP_BC_SEC_IDM_COMMUNICATION to the communication user.

This role was updated with Release 7.0 SPS 2 with authorizations for using the CUA. Therefore, if you are upgrading to Release 7.0 SPS 2 or Release 7.1 and want to connect a CUA system to the Identity Center, then you must also regenerate the corresponding profiles.

Procedure

In the Identity Center:

1. Select the <IC_Configuration_for_SAP_Systems> and choose the Options tab page.

Activate the option Enable imported jobs. Also select your dispatcher as the Default dispatcher. See the figure below.

If you do not select these options, then you must enable all of the tasks and set the dispatcher for each task after importing the provisioning framework.

2. Create an identity store to use with the provisioning framework for SAP systems:

a. Under Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > Identity stores, choose New Identity store... from the context menu for the Identity stores node.

b. Follow the instructions provided by the wizard. Use the following data:

Name: Specify a name for the identity store, for example, SAP_Master.

Do not use special characters in the name.

Description: Optional

Automatically create new attributes: Deactivate (Recommended)

Entry types: Do not select any entry types.


If you activate the option to automatically create new attributes and an error occurs in an attribute definition, for example, a typing error, then a corresponding erroneous attribute will also be automatically created in the identity store. This type of error is difficult to detect and fix.

Therefore, we recommend not activating this option. In this case, you must create the missing attributes manually each time you create a repository. For more information about how to create these attributes and which entry types apply to each attribute, see Section 3.4.1: Creating Repositories [Page 24].

3. Import the SAP Provisioning Framework:

a. Choose Import... from the context menu for your identity store.

b. Select the SAP Provisioning Framework_Folder.mcc file from the file system and choose Open. You can find it in the folder <Install_folder>\Templates\Identity Center\SAP Provisioning framework. This file contains the templates available with the framework.

c. In the Import option screen that appears, select the following:

Import (or Update if you are updating the framework from a previous support package)

In the Advanced tab page, select the dispatcher(s) that will run the import jobs by selecting the Run jobs option for a default dispatcher.

d. Choose Next.

e. In the Import provision group screen, select the SAP Provisioning Framework node and choose Import.

You receive a message about the status.

You can ignore warnings that refer to cyclic dependencies. Check, however, for jobs and tasks for which a dispatcher could not be set.

f. Choose Finish.

Result

The SAP Provisioning Framework is imported into the Identity Center. See the figure below:


3.1.1 Updating the Provisioning Framework

If you are updating the framework from a previous version, then follow the instructions above for importing the framework. Note the following:

Because updating the provisioning framework overwrites the existing framework, we do not recommend changing the framework itself; instead, you should copy the templates to your own folders before you make changes (see Section 2.2: Rules and Recommendations [Page 12]). If you did make changes to the framework, copy the changed folders to a separate location before performing the update.

Make sure you select the correct level in the structure to start the import. This is one level above the SAP Provisioning Framework folder. In the example above, this is SAP_Master.

Proceed as follows:

1. Select Import… from the context menu for this node.

2. Select the SAP Provisioning Framework_Folder.mcc file from the file system and choose Open. You can find it in the folder <Install_folder>\Templates\Identity Center\SAP Provisioning framework. This file contains the templates available with the framework.

3. In the Import option screen, select Update. Also select the Ignore timestamp option. This ensures that the newest version of the framework is imported completely into the Identity Center.

4. In the Update global script screen, select the Overwrite option and activate Use this action for all matching global scripts. Any changes to scripts will also be overwritten with the updated provisioning framework.

5. In the Update provision group screen that follows, select the options:

Remove tasks from target system that have been deleted in source system

Remove groups from target system which have been deleted in source system

By selecting these options, the corresponding tasks and groups will be removed in the target systems upon deletion in the source system. Otherwise, they will be moved to the Lost and Found folder.

Update attributes with event tasks

This option also updates any changes to event tasks.

3.2 Post Processing: Adjusting Constants, Assigning Event Tasks, and Adjusting the Web-Enabled Tasks

After importing the framework, you must perform the following post-processing steps:

1. Update the service user role (if you are updating existing AS ABAP repositories)

2. Adjust global constants

3. Assign event tasks to entry types and attributes

4. Adjust the Web-enabled task for deleting identities

See the sections below.


3.2.1 Updating the Service User Role

For existing AS ABAP repositories, you must also update the role used for the service user. The service user is specified in the repository constants and the corresponding role is SAP_BC_SEC_IDM_COMMUNICATION.

This role was updated with Release 7.0 SPS 2 with authorizations for using the CUA, and with Release 7.1 with authorizations to retrieve value help values. Therefore, if you are upgrading to SPS 2 or Release 7.1 respectively, and want to use these features, then:

1. Upload the new version of the role

2. Regenerate the corresponding profiles

3. Update the role assignment for the communication user

3.2.2 Adjusting Global Constants

The following constants are needed to identify the identity store and to identify the tasks used for provisioning company addresses. This information is only available after importing the framework. Therefore, adjust them as shown in the table below.

You can find the global constants under <IC_Configuration_for_SAP_Systems> > Management > Global constants.

Global Constant | Value | Comment
SAP_MASTER_IDS_ID | <Identity_Store_ID> | This is the ID of the productive identity store.
MX_ABAP_COMPANY_ADDRESS_CREATE_TASK | <Task_ID_for_ProvisionABAPNewCompanyAddress> | You can find the task under SAP Provisioning Framework > System Type Specific Tasks > AS ABAP Tasks.
MX_ABAP_COMPANY_ADDRESS_DELETE_TASK | <blank> |
MX_ABAP_COMPANY_ADDRESS_UPDATE_TASK | <Task_ID_for_ProvisionABAPModifiedCompanyAddress> | You can find the task under SAP Provisioning Framework > System Type Specific Tasks > AS ABAP Tasks.
SAP_SYNC_COMPADDR_TO_USER_TASK | <Task_ID_for_HandleModifiedUserCompanyAddressAssignment> | You can find the task under SAP Provisioning Framework > Global Event Tasks.
EMAIL_ORIGINATOR | <originator_name>@<address> | This email address is used by the task Send E-Mail when creating identities.
EMAIL_SERVER | <mail-server> | This is the mail server used to send mails when creating identities.
MX_ABAP_DISABLE_PASSWORD | <Task_ID_for_DisablePasswordABAPIdentity> | You can find the task under SAP Provisioning Framework > System Type Specific Tasks > AS ABAP Business Suite Tasks > AS ABAP Password is Disabled > Is Password Disabled > True.
MX_ABAP_RESET_PASSWORD | <Task_ID_for_ResetPasswordABAPIdentity> | You can find the task under SAP Provisioning Framework > System Type Specific Tasks > AS ABAP Business Suite Tasks > AS ABAP Password is Disabled > Is Password Disabled > False.

3.2.3 Assigning Event Tasks

1. Assign event tasks to the entry types shown in the table below.

You can find the entry types under <IC_Configuration_for_SAP_Systems> > Identity stores > <Identity_store> > Identity store schema > Entry types. Select the entry type with a double-click and choose the Event tasks tab page to locate the event handling options.

You can find the corresponding tasks under SAP Provisioning Framework > Global Event Tasks.

Entry Type | Event Handling Option | Value
MX_COMPANY_ADDRESS | Add | <Task_ID_for_AddCompanyAddress>
MX_COMPANY_ADDRESS | Modify | <Task_ID_for_ModifyCompanyAddress>
MX_COMPANY_ADDRESS | Delete | None
MX_GROUP | Add | <Task_ID_for_LinkGroup>
MX_GROUP | Modify | None
MX_GROUP | Delete | <Task_ID_for_UnlinkGroup>
MX_PERSON | Add | None
MX_PERSON | Modify | <Task_ID_for_ModifyUser>
MX_PERSON | Delete | None

2. Assign event tasks to the following attributes in the identity store schema.

This sets up the tasks to trigger when changes occur to the corresponding attributes.

You can find the attributes under <IC_Configuration_for_SAP_Systems> > Identity stores > <Identity_store> > Identity store schema > Attributes. Select the attribute with a double-click and choose the Event tasks tab page to locate the event handling options.

You can find the corresponding tasks under SAP Provisioning Framework > Global Event Tasks.

Attributes | Event Handling Option | Value
MX_ADDRESS_CITY, MX_ADDRESS_COUNTRY, MX_ADDRESS_POBOX, MX_ADDRESS_POBOX_POSTAL_CODE, MX_ADDRESS_POSTAL_CODE, MX_ADDRESS_REGION, MX_ADDRESS_STREETADDRESS | Add, Modify, Delete | <Task_ID_for_ModifyBasicAddressData>
MXREF_MX_COMPANY_ADDRESS | Add, Modify | <Task_ID_for_HandleModifiedUserCompanyAddressAssignment>
MXREF_MX_COMPANY_ADDRESS | Delete | None

3.2.4 Adjusting the Web-Enabled Tasks for Deleting Identities

The Web-Enabled task Delete Identity consists of two parts:

1. First, assigned roles are unassigned.

2. Afterwards, the MX_PERSON is deleted.

If the corresponding deprovisioning jobs are started because roles are unassigned, the Delete Identity job for the MX_PERSON object can end up running before all of the deprovisioning jobs have been started. This leads to some MX_PERSON objects being deleted before the roles are unassigned, and error messages will occur. Therefore, we recommend starting the task Delete Identity with a time delay of one hour after the roles are unassigned.

Also, the Unassign Roles task only deletes directly assigned roles. Therefore, adjust this task to make sure that directly assigned privileges also get deleted.

Postponing the Delete Identity Job

1. Navigate to the Delete Identity job in the Web-Enabled tasks.

You can find this job under <IC_Configuration_for_SAP_Systems> > Identity stores > <Identity_store> > SAP Provisioning Framework > Web Enabled Tasks > Identity Management > Delete Identity > Delete Identity > Delete Identity.

2. In the Options tab page, set the Timing option Delay before start: to 1 Hour.

3. Choose Apply.


See the example below.

Setting up the Unassign Roles Task to Delete Directly Assigned Privileges

1. Expand the Unassign Roles task.

2. In the Unassign Roles job, choose the Destination tab page.

3. Add the following line: MXREF_MX_PRIVILEGE {R}

The result should be:
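Both adjustments above address a dependency in the Delete Identity sequence, and the failure modes are easiest to see in a small model. The Python below is an added example and is not code from this guide or from the Identity Center. It queues one deprovisioning job per privilege that the Unassign Roles step clears, then shows that a delete job which runs before those jobs makes every one of them fail (the ACCOUNT<Repository> value it needs is gone with the MX_PERSON entry), and that leaving out the MXREF_MX_PRIVILEGE line leaves a directly assigned privilege behind in the target system. Gating the deletion on an empty job queue for that person is an assumed alternative to the fixed one-hour delay, included only to make the dependency explicit; the store, job and queue structures are constructed for the example.

```python
"""Model of the Delete Identity sequence: unassign, deprovision, then delete.

Added example; not code from the SAP guide or from the Identity Center. The
store, queue and job structures are assumptions made for the example, and
the Identity Center's own scheduling is not modelled.
"""
from collections import deque

# Constructed identity store content. Each privilege knows its repository.
PRIVILEGES = {
    "PRIV:ABC100:SAP_ALL_DISPLAY": "ABC100",
    "PRIV:ABC100:Z_HR_READ": "ABC100",
    "PRIV:PORTAL:eu_role": "PORTAL",
}
ROLES = {"ROLE:Employee": ["PRIV:ABC100:SAP_ALL_DISPLAY", "PRIV:PORTAL:eu_role"]}


def new_store():
    """One MX_PERSON with a business role and one directly assigned privilege."""
    return {"JDOE": {
        "MSKEYVALUE": "JDOE",
        "ACCOUNTABC100": "JDOE", "ACCOUNTPORTAL": "jdoe",
        "MXREF_MX_ROLE": ["ROLE:Employee"],
        "MXREF_MX_PRIVILEGE": ["PRIV:ABC100:Z_HR_READ"],   # directly assigned
    }}


def unassign(store, mskey, queue, include_direct_privileges):
    """Step 1 of Delete Identity. Clears the role assignments (and, if the task
    was adjusted with MXREF_MX_PRIVILEGE {R}, the direct privilege assignments)
    and queues one deprovisioning job per privilege no longer held."""
    person = store[mskey]
    removed = []
    for role in person.pop("MXREF_MX_ROLE", []):
        removed.extend(ROLES[role])
    if include_direct_privileges:
        removed.extend(person.pop("MXREF_MX_PRIVILEGE", []))
    for priv in removed:
        queue.append(("deprovision", mskey, priv))
    return removed


def run_deprovision(store, mskey, priv):
    """A deprovisioning pass needs the person's ACCOUNT<Repository> value to
    address the target user; it fails if the MX_PERSON entry is already gone."""
    repo = PRIVILEGES[priv]
    person = store.get(mskey)
    if person is None or not person.get("ACCOUNT" + repo):
        return f"ERROR: {mskey} not found for {priv}"
    return f"OK: removed {priv} from {person['ACCOUNT' + repo]} in {repo}"


def delete_person(store, mskey, queue, wait_for_queue):
    """Step 2 of Delete Identity. With wait_for_queue the deletion is deferred
    (re-queued behind the pending jobs) while deprovisioning jobs for this
    person are still waiting to run."""
    if wait_for_queue and any(job[1] == mskey for job in queue):
        queue.append(("delete", mskey, None))
        return "DEFERRED"
    store.pop(mskey, None)
    return "DELETED"


def delete_identity(wait_for_queue, include_direct_privileges):
    """Run the whole sequence; return (job log, privileges never deprovisioned)."""
    store, queue, log = new_store(), deque(), []
    unassign(store, "JDOE", queue, include_direct_privileges)
    leftover = list(store["JDOE"].get("MXREF_MX_PRIVILEGE", []))
    # The delete job is submitted right after the unassign step and, in this
    # model, is picked up before the deprovisioning jobs: the race in the text.
    queue.appendleft(("delete", "JDOE", None))
    while queue:
        kind, mskey, priv = queue.popleft()
        if kind == "delete":
            log.append(delete_person(store, mskey, queue, wait_for_queue))
        else:
            log.append(run_deprovision(store, mskey, priv))
    return log, leftover


if __name__ == "__main__":
    for wait in (False, True):
        print("wait_for_queue =", wait)
        for line in delete_identity(wait, include_direct_privileges=True)[0]:
            print("  ", line)
    print("left in ABC100 without the MXREF_MX_PRIVILEGE line:",
          delete_identity(True, include_direct_privileges=False)[1])
```

The leftover privilege is the quieter of the two problems: nothing fails, the user in ABC100 simply keeps Z_HR_READ after the identity is gone from the identity store, which is exactly the kind of orphaned authorization a later reconciliation has to catch.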


3.3 Selecting the Use Case to Implement

Once you have set up the initial configuration, you must set up the Identity Center for your particular use case. Therefore, the next step is to identify the use case you want to implement so that you can continue with the corresponding configuration.

Based on the information provided in Identity Management for SAP System Landscapes: Architectural Overview, and the summary provided in the table below, select the use case that you want to implement.

Use Case Overview

Use Case: SAP HCM
  Leading identity system: SAP HCM
  Source system for data: SAP HCM: Employee data (Identities)
  Provisioned data:
    SAP HCM: Employee data (Identities)
    LDAP server: Users and user/group assignments

Use Case: SAP NetWeaver Portal
  Leading identity system: Corporate LDAP directory
  Source systems for data:
    LDAP server: Users and groups
    AS Java: Portal roles, UME roles
    AS ABAP: ABAP roles, ABAP profiles, company addresses
  Provisioned data:
    AS Java (read from LDAP): UME users and UME groups
    AS Java (provisioned from IC): Role assignments
    AS ABAP: Users, user/role assignments, and user/profile assignments

Use Case: Identity Lifecycle Management
  Leading identity system: SAP HCM
  Source systems for data:
    SAP HCM: Employee data (Identities)
    AS Java: Portal roles and UME roles
    AS ABAP: ABAP roles, ABAP profiles, company addresses
  Provisioned data:
    LDAP server: Users and user/group assignments
    AS Java (read from LDAP): UME users and UME groups
    AS Java (provisioned from IC): Role assignments
    AS ABAP: Users, user/role assignments, and user/profile assignments

Use Case: Enhanced SAP Business Suite Integration
  Leading identity system: SAP HCM
  Source system for data: SAP HCM: Employee data (Identities)
  Provisioned data:
    SAP HCM: Employee data (Identities)
    LDAP server: Users and user/group assignments
    SAP Business Suite systems: Users, user/role assignments, and user/profile assignments plus application-specific identity data according to the SAP Business Suite scenario


When determining which use case to implement, your primary decision criterion should be the leading identity system. Depending on where your user information originally comes from (SAP HCM or a corporate LDAP directory server), select the appropriate use case. For the identity lifecycle management use case, start with either of the other two use cases and then add the additional components as appropriate.

Also note that your use case may be based on one or more of these use cases or it may be a derivative. For example, in test landscapes, you may just want to connect a single system to the Identity Center. In such cases, adjust your landscape accordingly.

3.4 Setting up the Landscape

Once you have determined which use case you will implement, set up the landscape accordingly. How to set up the landscape for each use case is described in the sections that follow. See Section 1.2: Limitations and Considerations [Page 3] for considerations that apply to each use case and each connector type.

3.4.1 Creating Repositories

The first step is to create a repository in the Identity Center for each system in the system landscape. The repository data provides the connection information to the system and other system-specific information.

For AS ABAP systems, the repository entry corresponds to a logical system on the AS ABAP (that is, system ID and client).

Procedure

To create a repository:

1. In the Identity Center, under Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > Management > Repositories, choose New Repository from the context menu for the Repositories node.

2. Follow the instructions provided by the wizard. Use the following data as input for the wizard.

a. Select the template in the <Install_folder>\Templates\Identity Center\Repositories folder that applies to the system type, for example:

Business Suite AS ABAP (Load Balanced Connection)

Directory

SAP NetWeaver AS ABAP (Load Balanced Connection)

SAP NetWeaver AS Java repository

SAP NetWeaver Dual Stack (Load Balanced Connection)


b. Enter a name and description for the repository and the data that applies to the system connection.

The name can contain only letters (A-Z) and numbers (0-9). Spaces or special characters are not supported.

For SAP systems, we recommend using <SID><Client> as the name.

c. Specify the repository constants that apply to the system type. See Appendix A: Repository Constants [Page 53] for a list of constants per repository type.

If you are setting up the enhanced SAP Business Suite Integration use case, and have provisioning tasks where a corresponding user account should not be created or maintained, then you must set up an additional repository for the system that contains the constant NO_USER_ACCOUNT with the value 1.

Also, if the repository constants apply to an AS ABAP Release 4.6C, make sure you enter the password to use for the connection in upper case.

After using the wizard, you can maintain additional constants, for example, the options for using Secure Network Communications (SNC) to securely connect to the AS ABAP.

3. If you did not activate the option to automatically create attributes when importing the provisioning framework, then add the attributes shown in the table below to the identity store attributes for the repository. To create these attributes:

a. Under Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > Identity stores > <Identity Store> > Identity store schema, choose New Identity store attribute from the context menu for the Attributes node.

b. Enter the data for the attributes as shown in the table below:

Attribute Name (under General) | Applicable for Repository Type | Entry Types to Allow (under Entry Types)
ACCOUNT<REPOSITORYNAME> | LDAP, AS ABAP, AS Java | MX_PERSON
TEMPACCOUNT<REPOSITORYNAME> | LDAP, AS ABAP, AS Java | MX_PERSON
GROUP<REPOSITORYNAME> | LDAP, AS ABAP, AS Java | MX_GROUP
DN<REPOSITORYNAME> | LDAP (not needed for repository types AS ABAP or AS Java) | MX_PERSON, MX_GROUP and MX_PRIVILEGE
TEMPDN<REPOSITORYNAME> | LDAP (not needed for repository types AS ABAP or AS Java) | MX_PERSON

Continue with setting up the systems and connectors that are specific to the use case you are implementing. The corresponding steps are described in the sections that follow.
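Because a missing or mistyped repository attribute only surfaces later, when a pass fails, it is worth checking the schema against the repository list before running the initial loads. The Python helper below is an added example and is not part of this guide or of the Identity Center. It derives the required attribute names and entry types from the table above for a list of (repository name, repository type) pairs, enforces the name rule stated above (letters and digits only), and reports what is absent from a schema or allowed for too few entry types. The repository list and the schema contents are constructed sample data; the attribute name is formed by concatenating the prefix and the repository name exactly as entered.

```python
"""Check that the repository-specific attributes exist in the identity store schema.

Added example; not part of the SAP guide or of the Identity Center. With
"Automatically create new attributes" deactivated, the ACCOUNT<REPOSITORYNAME>,
TEMPACCOUNT<...>, GROUP<...>, DN<...> and TEMPDN<...> attributes are created by
hand for every repository; this helper computes which are still missing.
The repository list and schema below are constructed sample data.
"""
import re

REPOSITORY_NAME = re.compile(r"^[A-Za-z0-9]+$")   # letters and digits only
REPOSITORY_TYPES = {"LDAP", "AS ABAP", "AS Java"}

# (attribute prefix, repository types it applies to, entry types to allow)
REQUIRED = [
    ("ACCOUNT", {"LDAP", "AS ABAP", "AS Java"}, ("MX_PERSON",)),
    ("TEMPACCOUNT", {"LDAP", "AS ABAP", "AS Java"}, ("MX_PERSON",)),
    ("GROUP", {"LDAP", "AS ABAP", "AS Java"}, ("MX_GROUP",)),
    ("DN", {"LDAP"}, ("MX_PERSON", "MX_GROUP", "MX_PRIVILEGE")),
    ("TEMPDN", {"LDAP"}, ("MX_PERSON",)),
]


def required_attributes(repo_name, repo_type):
    """Return {attribute name: entry types} that a repository of this type needs."""
    if not REPOSITORY_NAME.match(repo_name):
        raise ValueError(f"repository name {repo_name!r}: only letters and digits are allowed")
    if repo_type not in REPOSITORY_TYPES:
        raise ValueError(f"unknown repository type {repo_type!r}")
    return {prefix + repo_name: entry_types
            for prefix, types, entry_types in REQUIRED if repo_type in types}


def missing_attributes(repositories, schema):
    """Return {attribute: (problem, entry types)} for attributes absent from the
    schema ("missing") or present but not allowed for every required entry type
    ("entry types incomplete", listing the entry types still to be added)."""
    problems = {}
    for name, rtype in repositories:
        for attr, entry_types in required_attributes(name, rtype).items():
            present = schema.get(attr)
            if present is None:
                problems[attr] = ("missing", entry_types)
            elif not set(entry_types) <= set(present):
                lacking = tuple(sorted(set(entry_types) - set(present)))
                problems[attr] = ("entry types incomplete", lacking)
    return problems


# Constructed sample: two ABAP clients named <SID><Client>, a Java stack, a directory.
REPOSITORIES = [("ABC100", "AS ABAP"), ("ABC200", "AS ABAP"),
                ("EPJ", "AS Java"), ("CORPLDAP", "LDAP")]

# Constructed sample schema: attribute -> entry types it already allows.
SCHEMA = {
    "ACCOUNTABC100": ["MX_PERSON"], "TEMPACCOUNTABC100": ["MX_PERSON"], "GROUPABC100": ["MX_GROUP"],
    "ACCOUNTABC200": ["MX_PERSON"], "TEMPACCOUNTABC200": ["MX_PERSON"], "GROUPABC200": ["MX_GROUP"],
    "ACCOUNTEPJ": ["MX_PERSON"], "TEMPACCOUNTEPJ": ["MX_PERSON"], "GROUPEPJ": ["MX_GROUP"],
    "ACCOUNTCORPLDAP": ["MX_PERSON"], "TEMPACCOUNTCORPLDAP": ["MX_PERSON"],
    "GROUPCORPLDAP": ["MX_GROUP"],
    "DNCORPLDAP": ["MX_PERSON", "MX_GROUP"],   # MX_PRIVILEGE was forgotten
    # TEMPDNCORPLDAP was not created at all
}

if __name__ == "__main__":
    for attr, (problem, entry_types) in sorted(missing_attributes(REPOSITORIES, SCHEMA).items()):
        print(f"{attr}: {problem}: {', '.join(entry_types)}")
```

Run the check once after every repository you add; it is cheap, and it catches exactly the silent defect the note above warns about, before a provisioning pass fails on an attribute it cannot write.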


3.4.2 Setting up the SAP HCM Use Case

When using this use case, you export identity data from the SAP HCM system and import it into the Identity Center. To do this, use the Virtual Directory Server as the common interface for processing the data. You can therefore use the export functions in SAP HCM that are available for exporting data to an LDAP directory. This data is then imported into a staging area in the Identity Center before being replicated into the productive identity store. Once the data is in the identity store, it can be provisioned to the connected systems, for example, another LDAP directory server.

Using a staging area instead of writing directly to the identity store has the following advantages:

- You can work with the data in the staging area before processing it further. For example, you can also set up the Workflow approval tasks to access the data in the staging area before writing it to the productive identity store.

- If you make changes to the database schema used for identity data in the SAP HCM system, you can adjust the attribute mapping in the staging area accordingly and you do not have to change the productive identity store's schema.

We provide a template to use for setting up the staging area in the Identity Center.

To set up SAP NetWeaver Identity Management for the SAP HCM use case, proceed as described below.

Prerequisites

- The Virtual Directory Server is installed.

- The Identity Center is installed and configured.

- The SAP HCM system is installed and contains employee data.

- You have decided how to assign a user account name to an employee. See the Limitations and Considerations When Using the SAP HCM Use Case on page 3.

Procedure

1. Import the staging area template.

2. Adjust the event handling for the MX_HCM_EMPLOYEE entry type.

3. Configure the Virtual Directory Server (see Appendix D: Configuring the Virtual Directory Server [Page 76]) and the SAP HCM system to export identity data to the Virtual Directory Server.

4. Export the data from the SAP HCM system (see Appendix E: Configuring the SAP HCM System [Page 78]).

5. Set up the Identity Center to assign the user account name.

6. Create a job in the Identity Center that writes the identity data from the staging area to the productive identity store.

7. Create and configure the jobs used for the connectors to each of the systems involved in the landscape.


3.4.2.1 Importing the Staging Area Template

In this step, you will import the template that contains the staging area identity store to use for SAP HCM, as well as the corresponding tasks for writing the identity data from the staging area to the productive identity store.

In the Identity Center, navigate to the staging area identity store.

1. In the Identity Center, choose Import... from the context menu for the Identity stores node.

2. Select the HCM_Staging_Area_Identity store.mcc file from the file system and choose Open. You can find it in the folder <Install_folder>\Templates\Identity Center\SAP Provisioning framework.

The staging area identity store and corresponding provisioning tasks are imported into the Identity Center. See the figure below.

3.4.2.2 Adjusting the Event Handling for MX_HCM_EMPLOYEE

After importing the staging area identity store, adjust the event handling for the entry type MX_HCM_EMPLOYEE.

1. Expand Identity store schema → Entry types.

2. Select the MX_HCM_EMPLOYEE entry type with a double-click.

3. Choose the Event tasks tab.

4. Under Event handling, select the Write HCM Employee To SAP Master ordered task for the Add and Modify event. You can find this task in the Select task screen under Identity Center → HCM Staging Area 2 SAP Master.


See the screen shot below:

3.4.2.3 Configuring the Virtual Directory Server

For this step, see Appendix D: Configuring the Virtual Directory Server [Page 76].

3.4.2.4 Configure the SAP HCM System and Export the Data

For this step, see Appendix E: Configuring the SAP HCM System [Page 78].

3.4.2.5 Setting up the Identity Center to Assign the User Account Name

By default, for the SAP HCM use case, the user account name is determined by the SAP HCM system using the P0105-SYHR_A_P0105_AF_SYSUNAME field. As an alternative, the provisioning framework also supports using the field P0000-PERNR. To activate this mechanism, see the procedure below.

If you want to set up other mechanisms, then you must manually modify the tasks mentioned below according to your needs.

Procedure

1. In the Identity Center, navigate to the provisioning task HCM Master Check for SYSUNAME of Employee.

2. To have the Identity Center determine the user account name using the field P0000-PERNR, disable this task. For the default setup (use the SYSUNAME field), leave the task as it is.

3. Navigate to the pass Write HCM Employee To SAP Master in the task with the same name.

4. Choose the Destination tab page.

5. Depending on your setup, make sure the attribute MSKEYVALUE has the following value:

   User account name is determined by the SAP HCM system using the SYSUNAME field (default):
       $FUNCTION.sap_getSysUname(%P0105-SYHR_A_P0105_AF_SYSUNAME%)$$

   User account name is determined by the Identity Center using the PERNR field:
       $FUNCTION.sap_calcID(%P0000-PERNR%!!%P0105-SYHR_A_P0105_AF_SYSUNAME%!!%MSKEYVALUE%)$$


Enable and disable the MSKEYVALUE rows accordingly.

The function sap_getSysUname has a custom exit called custom_generateHRID(Par) that receives the attributes P0000-PERNR, SYHR_A_P0105_AF_SYSUNAME and Employee-Key (which is the MSKEYVALUE of the HCM staging area) as input parameters, that is, the same three values that the sap_calcID row above passes.

Currently the function custom_generateHRID returns an empty string. If necessary, change this function to adjust the MSKEYVALUE to fit your needs.
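As an added illustration, not SAP-delivered code, the following JavaScript emulates such a custom exit. The "!!" separator and the parameter order PERNR, SYSUNAME, existing MSKEYVALUE follow the sap_calcID row above; the fallback key format "E" plus the 8-digit PERNR, the 12-character limit, the allowed character set and the use of "" as the "no override" result are assumptions made for this example. It is written to run under Node.js; the Identity Center's own script engine would host the same logic.

```javascript
// Added example, not SAP-delivered code: a custom_generateHRID-style exit that
// decides the MSKEYVALUE (user account name) for an SAP HCM employee.
// Identity Center script functions receive their arguments as ONE string whose
// parts are separated by "!!", in the order used by the sap_calcID row above:
//   <P0000-PERNR>!!<P0105-SYHR_A_P0105_AF_SYSUNAME>!!<existing MSKEYVALUE>
const PARAM_SEPARATOR = "!!";
const MAX_SAP_USER_LENGTH = 12;         // assumed limit for this example
const SAP_USER_NAME = /^[A-Z0-9_.-]+$/; // assumed allowed characters

function splitParams(par) {
  const text = par === undefined || par === null ? "" : String(par);
  return text.split(PARAM_SEPARATOR).map((part) => part.trim());
}

// Returns the account name to use, or "" to let the caller fall back to its
// default logic (the shipped exit returns "" unconditionally).
function customGenerateHRID(par) {
  const [pernr = "", sysuname = "", existingKey = ""] = splitParams(par);

  // 1. Never re-key an employee that already has an MSKEYVALUE: a changed key
  //    would orphan the assignments held in the productive identity store.
  if (existingKey !== "") return existingKey;

  // 2. Prefer the SYSUNAME maintained by HR, normalised to upper case, but
  //    refuse values that cannot be a valid SAP user name.
  if (sysuname !== "") {
    const name = sysuname.toUpperCase();
    return name.length <= MAX_SAP_USER_LENGTH && SAP_USER_NAME.test(name) ? name : "";
  }

  // 3. Otherwise derive a stable key from the personnel number, here in the
  //    assumed format "E" + PERNR left-padded to 8 digits.
  if (/^\d{1,8}$/.test(pernr)) return "E" + pernr.padStart(8, "0");

  return ""; // nothing usable: leave the decision to the caller
}
```

The point of rule 1 is stability: the exit is evaluated on every Add and Modify event, so its result for a given employee must not change between loads, otherwise the employee is re-created under a new key and the old entry keeps the assignments.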

3.4.2.6 Creating and Configuring the Jobs for Each Connector

In this step, you will create and configure the jobs for each connector used in the system landscape. For our sample use case, these are the AS ABAP system and the LDAP directory server.

The table below shows an overview of the jobs used for this use case.

System: LDAP Directory Server
    Identity store: productive identity store (example: SAP_Master)
    Jobs: Initial Load, Initial Provisioning, Update All, Update Groups, Reset Delta

System: SAP HCM (AS ABAP)
    Identity store: productive identity store (example: SAP_Master)
    Jobs: ABAP Read Help Values (optional), Initial Load (optional), Initial Provisioning, Update, Reset Delta
    Comments:
        ABAP Read Help Values: Set up this job if you want to retrieve value help content from the AS ABAP system. See Section 3.5: Reading Value Help Content [Page 39].
        Initial Load: Set up this job if you want to read SU01 data from the AS ABAP system.

You can also include additional systems in the landscape that are not explicitly shown here, for example, other AS ABAP systems, AS Java systems, or non-SAP systems.

Prerequisites

A repository entry exists for each of the systems used in the landscape.


Procedure

Using the Identity Center:

1. Create a job folder in your structure to use for the provisioning jobs, for example, Console Root → SAP NetWeaver Identity Management → <IC_Configuration_for_SAP_Systems> → <identity_store>, for example SAP_Master. Choose New → Folder from the context menu for your Identity Center configuration.

   See the structuring recommendations [Page 14].

2. Create a sub-folder for each system.

3. In each system folder, create a job for each task that applies to the system:

   a. Choose New → Run job wizard... from the context menu for the system's folder.

   b. Follow the instructions provided by the wizard. Select the template that applies to the job you are creating, for example LDAP (SUNONE) – Initial Load, and the name of the repository that applies to the corresponding system.

   c. Choose Finish.

      The job is created in your folder.

   d. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.

   e. Save the data.

4. Repeat for each job and each system that applies.

Result

Each system used in the use case has a set of jobs to be used for initial load, updating, and resetting the delta in the database.


Example

The following figure shows the jobs for the SAP HCM system and the LDAP directory server as used in this use case.

Next Steps

Continue with Step 3.5 Reading Value Help Content [Page 39].


3.4.3 Setting up the SAP NetWeaver Portal Environment Use Case

When using this use case, the leading system for identity data is a corporate LDAP directory server. The corporate LDAP directory server is also used as the user data store for the SAP NetWeaver Portal system.

When using SAP NetWeaver Identity Management with this use case, the identities are replicated from the LDAP directory server into the Identity Center. The corresponding users and role assignments are provisioned to all of the systems that are included in the system landscape (where users and assignments are relevant), except for the AS Java where the portal runs. The AS Java that is running the portal reads the identity data directly from the corporate LDAP directory server, and only the user/role assignments are provisioned to this system.

To set up SAP NetWeaver Identity Management for the portal use case, set up the initial load and provisioning jobs for each of the systems connected to the Identity Center.

The table below shows an overview of the jobs to create for this use case.

System: LDAP Directory Server
    Jobs: Initial Load, Update All, Update Groups, Reset Delta

System: AS Java (with portal)
    Jobs: Initial Load, Update, Reset Delta

System: AS ABAP
    Jobs: ABAP Read Help Values (optional), Initial Load, Initial Provisioning, Update, Reset Delta
    Comment: ABAP Read Help Values: Set up this job if you want to read value help content from the AS ABAP system. See Section 3.5: Reading Value Help Content [Page 39].

You can also include additional systems in the landscape that are not explicitly shown here, for example, other AS ABAP systems, AS Java systems, or non-SAP systems.

For dual-stack systems, use the AS ABAP job templates.

Also, note that SAP NetWeaver Identity Management does not support remote roles used by a Federated Portal Network (FPN) to share content. If you are integrating an FPN with SAP NetWeaver Identity Management, use the Remote Delta Link mode in the FPN to share content instead.


Prerequisites

- The Identity Center is installed and configured.

- A repository entry exists for each of the systems used in the landscape.

- The corporate LDAP directory server contains the identity data.

- The SAP NetWeaver Portal is installed and the portal's AS Java uses the LDAP directory server as its data source.

- The communication user used for the connection between the Identity Center and the LDAP directory server should have read-only access to the LDAP directory server. In this use case the directory is the leading system and the Identity Center only reads from it, so a read-only account limits the damage if the Identity Center credentials are compromised.

Procedure

Using the Identity Center:

1. Create a job folder for your provisioning jobs, for example, Console Root → SAP NetWeaver Identity Management → <IC_Configuration_for_SAP_Systems> → SAP_Master.

   See the structuring recommendations [Page 14].

   To create a folder, choose New → Folder from the context menu for your Identity Center configuration.

2. Create a sub-folder for each system.

3. In each system folder, create the jobs that apply to the system:

   a. Choose New → Run job wizard... from the context menu for the system's folder.

   b. Follow the instructions provided by the wizard. Select the template that applies to the job you are creating, for example AS ABAP – Initial Load, and the name of the repository that applies to the corresponding system.

      You can find the job templates in the folder <Install_folder>\Templates\Identity Center\Jobs.

   c. Choose Finish.

      The job is created in your folder.

   d. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.

   e. Save the data.

4. Repeat for each job and each system that applies.

Result

Each system used in the use case has a set of jobs to be used for initial load, updating, and resetting the delta in the database.


Example

The following figure shows the jobs for the LDAP directory server, the AS Java system, and the AS ABAP system as used in this use case.

Next Steps

Continue with Step 3.5 Reading Value Help Content [Page 39].


3.4.4 Setting up the Identity Lifecycle Management Use Case

This use case combines the previous use cases to show how to use SAP NetWeaver Identity Management in a complete system landscape that includes all of the components: SAP HCM, a corporate LDAP directory server, the SAP NetWeaver Portal, and additional SAP NetWeaver ABAP or Java-based systems.

As with the other use cases, we assume that one system is the leading system for identity information; in this example, the SAP HCM system is the leading system.

Identity information is then provided to the Identity Center from the SAP HCM system and provisioned to the LDAP directory server, which is also used as the user store for the SAP NetWeaver Portal. Users are also provisioned to the AS ABAP system that is part of the portal landscape, and user/role assignments are provisioned to both the AS ABAP system and the portal.

Making Sure Users Exist in the LDAP Directory Server

Also make sure that users exist in the LDAP directory server before role assignments are provisioned to the portal system; the portal's AS Java reads its users from the directory, so a role assignment for a user that is not yet there has nothing to attach to. You can do this by creating a custom task that performs the following steps:

1. Create the user in the LDAP directory.

2. Assign the user to the appropriate LDAP group(s). (The user is first created in the directory when he or she is assigned to an LDAP group.)

Afterwards, you can assign portal roles to the user, either through jobs or provisioning tasks.

Setting Up the Jobs

To set up SAP NetWeaver Identity Management for this use case, adjust the jobs in the Identity Center so that the jobs for each system are set up as shown in the table below. Add the jobs if necessary.

System: LDAP Directory Server
    Identity store: productive identity store (example: SAP_Master)
    Jobs: Initial Load, Initial Provisioning, Update All, Update Groups, Reset Delta

System: AS Java (with portal)
    Identity store: productive identity store
    Jobs: Initial Load, Update, Reset Delta

System: SAP HCM (AS ABAP)
    Identity store: productive identity store
    Jobs: ABAP Read Help Values (optional), Initial Load (optional), Update, Reset Delta
    Comments:
        ABAP Read Help Values: Set up this job if you want to read value help content from the AS ABAP system. See Section 3.5: Reading Value Help Content [Page 39].
        Initial Load: Set up this job if you want to read SU01 data from the SAP HCM AS ABAP system.

You can also include additional systems in the landscape that are not explicitly shown here, for example, other AS ABAP systems, AS Java systems, or non-SAP systems.

For dual-stack systems, use the AS ABAP job templates.

Prerequisites

- The Identity Center is installed and configured.

- A repository entry exists for each of the systems used in the landscape.

- The corporate LDAP directory server contains the identity data.

- The SAP NetWeaver Portal is installed and the portal's AS Java uses the LDAP directory server as its data source.

Procedure

1. If you are using the portal use case as the starting point, then set up the SAP HCM system and the Identity Center as described in Section 3.4.2: Setting up the SAP HCM Use Case [Page 26].

2. Add any systems that have not yet been included in the job folder. Set up their jobs accordingly:

   a. Choose New → Run job wizard... from the context menu for the system's folder.

   b. Follow the instructions provided by the wizard. Select the template that applies to the job you are creating, for example AS ABAP – Initial Load, and the name of the repository that applies to the corresponding system.

   c. Choose Finish.

      The job is created in your folder.

   d. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.

   e. Save the data.

3. Repeat for each job and each system that applies.


4. Check the permissions for the communication user used for the connection between the LDAP directory server and the Identity Center. For this use case, the user needs write permissions for the LDAP directory server, because the Identity Center now provisions users and group memberships to the directory instead of only reading from it.

Result

Each system used in the use case has a set of jobs to be used for initial load, updating, and resetting the delta in the database.

Example

The following figure shows the jobs for the SAP HCM / AS ABAP system, the LDAP directory server, and the AS Java system as used in this use case.

Next Steps

Continue with Step 3.5 Reading Value Help Content [Page 39].


3.4.5 Setting up the Enhanced SAP Business Suite Integration Use Case

For this use case, start with the SAP HCM integration use case. Afterwards, connect the SAP Business Suite systems as AS ABAP systems accordingly.

Setting Up the Jobs

To set up SAP NetWeaver Identity Management for this use case, adjust the jobs in the Identity Center so that the jobs for each system are set up as shown in the table below. Add the jobs if necessary.

System: SAP HCM (AS ABAP)
    Identity store: productive identity store
    Jobs: ABAP Read Help Values (optional), Initial Load (optional), Update, Reset Delta
    Comments:
        ABAP Read Help Values: Set up this job if you want to read value help content from the AS ABAP system. See Section 3.5: Reading Value Help Content [Page 39].
        Initial Load: Set up this job if you want to read SU01 data from the AS ABAP system.

System: SAP Business Suite application systems (AS ABAP)
    Identity store: productive identity store
    Jobs: ABAP Read Help Values (optional), Initial Load, Update, Reset Delta
    Comments:
        ABAP Read Help Values: Set up this job if you want to read value help content from the AS ABAP system. See Section 3.5: Reading Value Help Content [Page 39]. Only one AS ABAP system can be the leading system for value help content for a particular entry.
        Reset Delta: There is no Reset Delta job in the SAP Business Suite job template. For this job, use the template for AS ABAP.

Prerequisites

- The Identity Center and Virtual Directory Server components are installed and configured.

- A repository entry exists for each of the systems used in the landscape.

- The SAP HCM system has been set up and configured as described in Section 3.4.2: Setting up the SAP HCM Use Case [Page 26].


Procedure

1. Add any systems that have not yet been included in the job folder. Set up their jobs accordingly:

   a. Create a sub-folder for the system.

   b. Choose New → Run job wizard... from the context menu for the system's folder.

   c. Follow the instructions provided by the wizard. Select the template that applies to the job you are creating, for example Business Suite AS ABAP – Initial Load, and the name of the repository that applies to the corresponding system.

   d. Choose Finish.

      The job is created in your folder.

   e. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.

   f. Save the data.

2. Repeat for each job and each system that applies.

Result

Each system used in the use case has a set of jobs to be used for initial load, updating, and resetting the delta in the database.

Next Steps

Continue with Step 3.5 Reading Value Help Content [Page 39].

3.5 Reading Value Help Content

There are certain attributes in the provisioning framework's identity store schema that make use of the value help provided by the AS ABAP system(s).

These attributes are classified into three categories, according to the storage location:

- Fixed values: The value help content is maintained in fixed domain values or data elements. Examples for this category include value help for date or number formats.

- System tables: The value help content is maintained in ABAP system tables (not modifiable). Examples for this category include value help for languages or time zones.

- Customer table entries: The value help content is available in tables that are modifiable by customers, for example, application tables, control tables, or Customizing tables. Examples for this category include value help for printer settings or salutations.

For a complete list of attributes that support value help, see Appendix C: Attributes that Support Value Help [Page 74].

The value help content that is either fixed or available in system tables is delivered with the provisioning framework for SAP systems and stored in the database table mxi_AttrValueHelp. The value help content that you can define yourself must be read from the corresponding AS ABAP system into this table. To do this, use the job ABAP Read Help Values.


If there are discrepancies between the values maintained in the table mxi_AttrValueHelp and the data read from the system during an initial load, you will receive errors.

Therefore, if you are connecting multiple AS ABAP systems to the Identity Center that all use value help, then choose one of these systems as the leading system for the value help for each attribute. Make sure the value help content is maintained in this system so that it can be used by all of the connected systems.

Also, if you do not read the value help (or maintain the values in the identity store schema manually), then these values are missing in the table and cannot be found for the corresponding attributes. In this case, you will receive errors during the initial loads.

Prerequisites

You know which system is the leading system to use for the value help for each attribute.

Procedure

This procedure consists of two steps.

1. First, set the properties for each attribute in the identity store schema that uses value help.

   For those attributes where the data is provided with the provisioning framework for SAP systems (as fixed values or in system tables), the properties should already be set correctly. You can use the procedure below to check these properties.

2. Second, run the job that reads the value help from the leading system.

Changing the Properties for Each Attribute

1. Navigate to the identity store schema attributes. (Choose <IC_Configuration_for_SAP_Systems> → Identity stores → <Identity_store> → Identity store schema → Attributes.)

2. Select the attribute to modify with a double-click.

   The properties for the attribute appear.

3. Choose the Presentation tab page.

4. Set the Presentation option to ObjectValueHelp.


See the example below for the attribute MX_SALUTATION.

5. Choose the Attribute values tab page.

6. Enter mxi_AttrValueHelp as the Value help Table name and set the language dependency option. (See the table in Appendix C: Attributes that Support Value Help [Page 74].)

7. Also set the Values ID to the attribute name, with the following exceptions:

   Attribute              Values ID
   MX_ACADEMIC_TITLE_1    MX_ACADEMIC_TITLE
   MX_ACADEMIC_TITLE_2    MX_ACADEMIC_TITLE
   MX_NAME_PREFIX_1       MX_NAME_PREFIX
   MX_NAME_PREFIX_2       MX_NAME_PREFIX

See the example below for the attribute MX_SALUTATION.


Running the Read Help Values Job

1. Choose New → Run job wizard... from the context menu for the folder of the system that is the leading system.

   If you have multiple systems that are leading systems for different attributes, then select the system that is the most appropriate.

2. Follow the instructions provided by the wizard. Select the ABAP Read Help Values template and enter the name of the repository that applies to the corresponding system.

3. Choose Finish.

   The job is created in your folder.

4. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.

5. If this system is not the leading system for the value help for all attributes, then adjust the repository for those passes that use a different system.

6. Save the data.

   There are also passes for reading content for system-specific attributes such as MX_START_MENU or MX_PARAMETER. Although reading and provisioning such data is supported by the ABAP connector, these passes are deactivated by default because there is no support in the provisioning framework for storing and provisioning this data in a system-specific manner. If you want to read and provision this data, you must implement the provisioning rules yourself to meet your needs.

7. Run the job.


3.6 Performing the Initial Loads

Once you have set up the connectors for the systems in your system landscape, perform the initial loads, which retrieve the identity data into the Identity Center.

Before you retrieve the data, make sure that provisioning is deactivated on the dispatcher so that the data read is not provisioned into the various systems. This is shown in step 1 below. Reactivate provisioning on the dispatcher once the initial load has been completed.

Prerequisites When Using Central User Administration

If you are connecting a CUA system to the Identity Center, then you must make sure that the data in the CUA central system is clean before you perform the initial load. Therefore:

1. Make sure that all data is synchronized in the CUA, for example, company address data. To do this, execute the transaction SCUG in the central system.

2. Remove any unnecessary CUA entries that may exist in CUA tables. To do this, execute the report RSDELCUA. Activate the option Invalid Content in CUA Tables.

3. Make sure role assignments are up-to-date by executing the user master record comparison (sometimes referred to as text comparison) function in the CUA master system. Execute it for all child systems and activate the Delete invalid assignments option.

4. Clean up profiles that are not assigned to any roles by executing the transaction PFUD in the master system. Select the Cleanups option.

Changing the Configuration Before Running the Initial Loads

You most likely have to change the configuration before proceeding with the initial loads. In particular, you must determine which system is the leading system for each attribute so that attributes are not incorrectly overwritten by jobs running for other systems. You also have to determine how initial passwords are to be generated.

Determining the Leading System for Attributes

Before proceeding, you must determine which system is the leading system for each attribute and role assignment. Then adjust the attributes in the Destination tab pages for each write pass in the initial load and update jobs. For attributes, set the period (.) in the first column of the pass definition so that these attributes do not overwrite those from the leading system. For role assignments, use the {A} option in the pass value if the role assignment is to be added to any existing role assignments. Also adjust the Workflow interface so that these attributes cannot be mistakenly overwritten.

This step is very important. If you do not specify the leading system per attribute correctly, attributes could be overwritten from other systems, leading to unexpected results.


For example, the following configuration is for the LDAP directory server that is the leading system for the attributes in the pass. No period is set for these attributes.

In the write pass for the ABAP initial load, these attributes should not be written to the identity store if the entry already exists. Therefore, the period is set for these attributes. For attributes where the ABAP system is to be the leading system (for example, date format and user type in the example below), no period is set.

In the following figure, the role specified in the MXREF_MX_ROLE attribute is always added to the list of roles for the employee. On the other hand, the privilege specified by MXREF_MX_PRIVILEGE is only added if the entry in the identity store does not already exist. Existing role and privilege assignments are not overwritten.

The screen shots above show examples of how the attributes can be set. They do not coincide with the default configuration.
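The following JavaScript is an added example, not Identity Center code, that emulates the effect of the two markers on a small in-memory identity store, so that a leading-system decision can be checked on sample data before the real loads run. The store layout, the sample MSKEYVALUEs, the attribute names other than MSKEYVALUE and MXREF_MX_ROLE, and the rule that a plain write replaces an attribute while {A} adds a value only if it is not already present are assumptions made for this example.

```javascript
// Added example, not Identity Center code: emulates a write pass against a tiny
// in-memory identity store so the "." (do not overwrite when the entry already
// exists) and "{A}" (add to the existing values) markers can be tested alone.
// Assumptions for this example: entries are objects keyed by MSKEYVALUE,
// multi-value attributes are arrays, and a plain write replaces the value.

function applyWritePass(store, mskeyvalue, destination) {
  const exists = Object.prototype.hasOwnProperty.call(store, mskeyvalue);
  const entry = exists ? store[mskeyvalue] : { MSKEYVALUE: mskeyvalue };
  store[mskeyvalue] = entry;

  for (const [column, rawValue] of Object.entries(destination)) {
    // "." in the first column: write only while the entry is being created,
    // so the leading system's value survives later loads from other systems.
    const onlyOnCreate = column.startsWith(".");
    const attr = onlyOnCreate ? column.slice(1) : column;
    if (onlyOnCreate && exists) continue;

    // "{A}" in the value: add to the existing multi-value list, never replace.
    const addOnly = rawValue.startsWith("{A}");
    const value = addOnly ? rawValue.slice(3) : rawValue;
    if (addOnly) {
      const current = Array.isArray(entry[attr]) ? entry[attr] : [];
      if (!current.includes(value)) current.push(value);
      entry[attr] = current;
    } else {
      entry[attr] = value;
    }
  }
  return entry;
}

// Constructed sample (attribute names other than MSKEYVALUE and MXREF_MX_ROLE
// are placeholders): the LDAP directory server is leading for the name
// attributes, the AS ABAP system is leading for date format and user type.
function runSampleLoads() {
  const store = {};

  // LDAP initial load: no "." markers, the directory owns these attributes.
  applyWritePass(store, "JSMITH", {
    MX_FIRSTNAME: "John",
    MX_LASTNAME: "Smith",
    MX_MAIL_PRIMARY: "john.smith@example.com",
    MXREF_MX_ROLE: "{A}ROLE:LDAP_USER",
  });

  // ABAP initial load for the same person: name attributes carry ".", the
  // ABAP-owned attributes do not, and the role is added rather than replaced.
  applyWritePass(store, "JSMITH", {
    ".MX_FIRSTNAME": "JOHN",
    ".MX_LASTNAME": "SMITH",
    MX_DATEFORMAT: "1",
    MX_USERTYPE: "A",
    MXREF_MX_ROLE: "{A}ROLE:ABAP_FINANCE",
  });

  // A person seen only by ABAP: the "." attributes are written because the
  // entry is being created for the first time.
  applyWritePass(store, "ABAPONLY", {
    ".MX_FIRSTNAME": "ABAP",
    ".MX_LASTNAME": "ONLY",
    MX_DATEFORMAT: "2",
  });

  return store;
}
```

Running both loads in the opposite order (ABAP first, then LDAP) gives the same result for the name attributes only because the ABAP pass marks them with "."; if a pass for a non-leading system lacks the marker, the last job to run wins, which is exactly the unexpected overwrite the text above warns about.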


Generating Initial Passwords

During the initial load or any other task which creates identities in the identity store, you can have initial passwords generated for the users. In this case, you have to provide values for the attributes MX_PASSWORD (which is used to log on to the Identity Center) and optionally MX_ENCRYPTED_PASSWORD (which is used for a password synchronization workflow).

Note the following:

- Use the following attribute mapping on the Destination tab:

      MX_PASSWORD              $FUNCTION.sap_encryptPasswordMD5(%param%)$$
      MX_ENCRYPTED_PASSWORD    $FUNCTION.sap_encryptPassword(%param%)$$

- Optimization option: If you want to ensure that all new identities get some well-defined default values, for example, a default password, and that well-defined workflows are initiated for all new identities, then create a provisioning task which sets the default values and register this task as an Add event task for the entry type MX_PERSON. This task can also trigger additional Workflow tasks, for example, a task that sends an e-mail.

To specify the rules to use when generating these passwords, you adapt the global JScript custom_initializePassword.

Running a Test Initial Load

You can run a test initial load by creating a temporary identity store to use for the initial load passes. Set the global constant SAP_MASTER_IDS to the temporary identity store.

Run the initial loads and check if everything works as expected. Before proceeding with the productive initial load, run the Reset Delta job for each repository and change the global constant back to the productive identity store.

Fixing Inconsistencies with Privileges (AS ABAP)

There may be inconsistencies with privileges on the AS ABAP that lead to errors in the initial load. This can happen due to the order of processing in the initial load, which is:

1. The initial load first reads the AS ABAP roles and creates them in the identity store (in the pass ReadABAPRoles).

2. It then creates the privileges that apply to this role (in the pass WriteABAPRolePrivileges).

3. It then assigns the privileges to the user (in the pass WriteABAPUsersRolePrivilegeAssignments).

Inconsistencies can occur if, for example, the user is assigned to a role or profile that no longer exists. In this case, the initial load cannot read the role or profile and therefore it cannot create the privileges. An error then occurs during the attempt to assign privileges to a user because either the role or privilege does not exist.


If this happens:

1. Check whether the role exists on the AS ABAP (use transaction PFCG).

2. If the role does not exist anymore, run the report RHAUTUPD_NEW on the AS ABAP to get a new consistent state. This report eliminates inconsistencies with deleted roles and leftover role assignments.

3. If AUTO_USERCOMPARE is not active, also run the report PFCG_TIME_DEPENDENCY to generate the appropriate profiles.

Out of Memory: Adjusting the Heap Size

If you receive an out of memory error during the initial load due to processing a large number of identities:

1. Set up a separate dispatcher to use for the initial loads.

2. Adjust the heap size for this dispatcher.

The heap size is specified in the property file for the dispatcher. For more information about how to locate this file and which properties to set, see SAP Note 1347301.

Timeout: Too many Identities (AS ABAP)

If you receive a timeout during the initial load due to reading a large number of identities from an AS ABAP system, you can use the filter mechanism to split up the initial load into several passes. For more information, see SAP Note 1398976.

Running the Initial Loads

Proceed as follows:

1. Deactivate provisioning. Select Console Root → SAP NetWeaver Identity Management → <IC_Configuration_for_SAP_Systems> → Management → Dispatchers → <Dispatcher> and deactivate the Run provisioning jobs option(s) for your runtime engine(s) (Windows or Java).

2. Apply the changes and regenerate the service scripts for the dispatcher.

3. Stop and restart the dispatcher.

4. Run the initial loads for your systems. Select each job and choose Run now.

Make sure you run the jobs in the correct order.

5. Delete the provisioning jobs that were sent to the provisioning queue during the initial load:

a. Create a job folder for global jobs.

b. Create a job in this folder for cleaning up the provisioning queue. Use the job wizard and select the job Clean Provisioning Queue <MS-SQL or Oracle>.

You can find the job templates in the folder <Install_folder>\Templates\Identity Center\Jobs.

c. Enable this job and select the dispatcher.

d. Run the job.


6. Reactivate provisioning for the dispatcher. Select Console Root → SAP NetWeaver Identity Management → <IC_Configuration_for_SAP_Systems> → Management → Dispatchers → <Dispatcher> and activate the Run provisioning jobs option(s) for your runtime engine(s) (Windows or Java).

7. Apply the changes, regenerate the service scripts for the dispatcher, and restart the dispatcher.

3.7 Cleaning up the Collected Data

After performing the initial loads, the identity data from all systems is stored in the Identity Center's identity store. It is likely that the quality of this data is quite low. Attributes may be duplicated or missing in some sources, or there may be conflicts between attributes. For example, an identity may be represented in several sources by different user IDs, or different identities may be represented in different sources using the same ID. You therefore need to consolidate and clean up this low-quality data and resolve any conflicts before continuing with the provisioning process.

When resolving the data for the use cases described in this document, the user ID is the determining attribute for the identity. This means that each unique user ID that is read from the various data sources is identified and used as the criterion for creating and maintaining identities in the system that is provisioned to.

Once you have cleaned up the data, provision the consolidated data back to the connected systems by starting the Initial Provisioning job for each connected system.

There is no Initial Provisioning job for the leading system. When using the SAP provisioning framework for this use case, we assume that the data coming from the leading system is correct and does not need to be updated.
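An added example (not from this guide) of the consolidation rule above in Python: records read from several connected systems are merged on the user ID, attributes that are missing in some sources or that conflict between sources are reported, and records that look like one person held under different IDs are flagged as candidates for manual resolution. The source names and all records are constructed; the attribute names are the Identity Center ones used in this guide (MSKEYVALUE, MX_FIRSTNAME, MX_LASTNAME, MX_MAIL_PRIMARY).

```python
"""Consolidate identity data read from several connected systems.

Added example, not from the SAP guide or the SAP Provisioning Framework.
The user ID (MSKEYVALUE) is the determining attribute, so every record with
the same ID is merged into one identity.  The three data-quality problems
the section describes are then reported: attributes missing in some sources,
values that conflict between sources (which may mean two different people
share one ID), and records that look like one person under different IDs.
All sample records are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

ATTRIBUTES = ("MX_FIRSTNAME", "MX_LASTNAME", "MX_MAIL_PRIMARY")

# Constructed sample export: (source repository, attributes read from it)
SAMPLE_RECORDS = [
    ("HCM",      {"MSKEYVALUE": "JSMITH",   "MX_FIRSTNAME": "John",  "MX_LASTNAME": "Smith",
                  "MX_MAIL_PRIMARY": "john.smith@example.com"}),
    ("ABAP_PRD", {"MSKEYVALUE": "JSMITH",   "MX_FIRSTNAME": "John",  "MX_LASTNAME": "Smith"}),
    ("LDAP",     {"MSKEYVALUE": "JSMITH",   "MX_FIRSTNAME": "Jon",   "MX_LASTNAME": "Smith",
                  "MX_MAIL_PRIMARY": "john.smith@example.com"}),
    ("ABAP_DEV", {"MSKEYVALUE": "MMUELLER", "MX_FIRSTNAME": "Maria", "MX_LASTNAME": "Mueller",
                  "MX_MAIL_PRIMARY": "maria.mueller@example.com"}),
    ("LDAP",     {"MSKEYVALUE": "MARIAM",   "MX_FIRSTNAME": "Maria", "MX_LASTNAME": "Mueller",
                  "MX_MAIL_PRIMARY": "maria.mueller@example.com"}),
    ("ABAP_PRD", {"MSKEYVALUE": "MMUELLER", "MX_FIRSTNAME": "Max",   "MX_LASTNAME": "Mueller",
                  "MX_MAIL_PRIMARY": "max.mueller@example.com"}),
]


def consolidate(records) -> Tuple[Dict, Dict, Dict]:
    """Merge records by user ID and collect conflicts and gaps.

    Returns (identities, conflicts, missing):
      identities: {user_id: {attr: value}} for attributes with exactly one value
      conflicts:  {user_id: {attr: {source: value}}} where sources disagree
      missing:    {user_id: {attr: [sources that lack the attribute]}}
    """
    by_id = defaultdict(list)
    for source, attrs in records:
        # IDs are matched exactly; a case-only difference between sources is
        # itself a finding, so it is deliberately not normalised away here.
        by_id[attrs["MSKEYVALUE"].strip()].append((source, attrs))

    identities, conflicts, missing = {}, {}, {}
    for user_id, recs in by_id.items():
        identity = {"MSKEYVALUE": user_id}
        for attr in ATTRIBUTES:
            values = {src: a[attr] for src, a in recs if a.get(attr)}
            lacking = [src for src, a in recs if not a.get(attr)]
            if lacking:
                missing.setdefault(user_id, {})[attr] = lacking
            distinct = set(values.values())
            if len(distinct) == 1:
                identity[attr] = distinct.pop()
            elif len(distinct) > 1:
                conflicts.setdefault(user_id, {})[attr] = values
        identities[user_id] = identity
    return identities, conflicts, missing


def possible_duplicates(records) -> List[Tuple[str, ...]]:
    """Records that agree on name and mail but carry different user IDs."""
    ids_by_person = defaultdict(set)
    for _, a in records:
        if all(a.get(attr) for attr in ATTRIBUTES):
            key = tuple(a[attr].strip().lower() for attr in ATTRIBUTES)
            ids_by_person[key].add(a["MSKEYVALUE"].strip())
    return sorted(tuple(sorted(ids)) for ids in ids_by_person.values() if len(ids) > 1)


if __name__ == "__main__":
    identities, conflicts, missing = consolidate(SAMPLE_RECORDS)
    for uid, attrs in conflicts.items():
        for attr, per_source in attrs.items():
            print(f"CONFLICT {uid} {attr}: {per_source}")
    for uid, attrs in missing.items():
        for attr, sources in attrs.items():
            print(f"MISSING  {uid} {attr} in {', '.join(sources)}")
    for ids in possible_duplicates(SAMPLE_RECORDS):
        print(f"SAME PERSON? {' / '.join(ids)}")
```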


3.8 Scheduling the Update Jobs

The Update jobs check for changes to specific data in the source system and provision the changes to the target systems.

For the SAP HCM use case, employee data that is maintained in the SAP HCM system is checked.

For the SAP NetWeaver portal environment use case, the corresponding entry types are checked for the following system types:

- LDAP directory: Users and groups

- AS ABAP: Roles and profiles

- AS Java: Roles

Therefore, you should schedule the update jobs to run frequently, for example, daily.

Changes made to entry types in the identity store using the Workflow application are provisioned immediately.

To schedule the job:

1. Select the Update job for each system that should be updated.

2. Select the Schedule rule that applies, for example, Midnight.

3. Choose Edit... and specify the exact times and days for the job to run.

4. Apply the changes.

3.9 Set Up User Interfaces for User Administration (Workflow)

Prerequisites

The user administrator accounts that should have access to the Workflow tasks exist in the identity store.

If you do not have any user administrator accounts, you can create them in the Identity Center. See the procedure below.

Creating a User Administrator Account (Optional)

To set up a user administrator account for using the Workflow application in the Identity Center:

1. Select the identity store to configure (for example, SAP_Master) and choose the Workflow tab page.

2. Select an authentication method, for example, Identity store. (This means that this user ID and password are stored in the identity store.)

3. Choose Add user.

4. In the dialog that follows, specify the Entry type MX_PERSON, create an administrator user and specify a password for this user.


5. Specify MSKEYVALUE as the Unique ID.

6. Apply the changes.

Configuring the User Interfaces

1. To assign the access rights, you must modify the Web-enabled tasks. Therefore, copy these tasks to a custom Web-Enabled Tasks folder. See the recommendations on page 13.

2. To make tasks appear in the Workflow application, assign the access control rights so that user administrators can access the task.

To do this, select the task and choose the Access control tab page. Add the users, roles or privileges that should have access to the application. Also select the Show on welcome page indicator to make the task appear in the user's Welcome page.

We recommend configuring the following (custom) Web-Enabled Tasks so they appear in the Workflow user interface:

- Change User Data

- Create Business Role

- Change Business Role

- Assign/Unassign Business Role

- Change Company Address

You can also create and set up additional tasks as necessary.

3. In the Attributes tab page, adjust the attributes to display as necessary.

4. Apply the changes.

3.10 Maintaining Business Roles

Once you have set up the workflow tasks, you can maintain your business roles in the identity store.

The exact procedure depends on your own processes. For example, if you have set up an approval process, then you have to take this into account. The procedure below describes the basic process.

Prerequisites

You have set up the role model and know which privileges (technical roles) apply to which business roles.

Procedure

1. Start the Workflow application and log on as a user administrator.

The Workflow application has the URL <host>:<port>/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/Idm.

2. To create or edit a business role, choose the Manage tab page.


3. Select Role in the Show field.

4. To create a new role:

a. Choose New to create a new role.

The Tasks Available for this Entry dialog appears.

b. Expand Roles Management, select Create Role, and choose Choose Task.

The Create Role screen appears.

c. Enter a name and a unique ID for the role.

The unique ID has the syntax ROLE:BUSINESS:<Role_Name>.

d. Save the role and close the screen.

5. To edit an existing role (including the one you just created):

a. Search for the role to edit, select it from the list and choose Choose Task.

The Tasks Available for this Entry dialog appears.

b. Expand Roles Management, select Create Role, and choose Choose Task.

The Edit Role screen appears.

c. Add privileges to the role.

i. Select Privilege from the Show field in the Available section.

ii. Search for the privilege to assign to the role.

The syntax for the privilege's detailed information is PRIV:<Privilege_Type>:<Repository>:<ID>, where the syntax for the <Privilege_Type> depends on the system type for which the privilege applies.

iii. Choose Add.

The privilege is added to the list of privileges in the Assigned section.

Repeat these steps until all appropriate privileges are assigned.

d. Save the data.

6. To assign users to the business role, select Person from the Show field and add the users to the role in the same way.

You can assign other objects to the role in the same way, for example, other roles or groups.


3.11 Provisioning

Changes you make to identity data using the Identity Management workflow application are then provisioned to the appropriate systems.

3.12 Next Steps

Testing and Troubleshooting

Monitoring

Choose the Monitoring tab page in the Identity Management workflow application to access the various logs. These include:

- Approval Queue

- Dispatcher status

- Job log

- Job status

- Provisioning audit

- Provisioning log

- Provisioning queue

- System log

In these logs, you can check the status of jobs or tasks, check for tasks that are in the processing queue, or analyze error or warning messages.

The job status, job log, and system log are also available in the Identity Center for the case that the system is offline.

Setting up a SAP Java Connector (SAP JCo) Trace

To analyze SAP JCo exceptions in the Identity Center server, you must first activate traces to get more information. To set up the SAP JCo trace:

1. Find the location of the dispatcher scripts. The default location is:

C:\Program Files\SAP\IdM\Identity Center\Service-Scripts

2. Open the property file for the dispatcher:

Dispatcher_Service_<dispatcher_name>.prop


3. Enter the following lines:

   MXDISPATCHER_EXECSTRING=1
   JAVAOPTIONS=-Djco.trace_path=C:<Dir> -Djco.trace_level=10

   For example:

   MXDISPATCHER_EXECSTRING=1
   JAVAOPTIONS=-Djco.trace_path=C:\\Temp -Djco.trace_level=10

Specify an existing directory for the trace_path. In the above example, the trace file will be written to the directory C:\Temp.

For more information about JCo analysis, see the SAP Library at http://help.sap.com/saphelp_nw70/helpdata/en/f6/daea401675752ae10000000a155106/frameset.htm

4. Open your MMC console for the Identity Center. Navigate to Dispatchers and select the dispatcher for which you changed the script. Restart this dispatcher by stopping and starting this service in the MMC console.

Make sure you deactivate the trace again when you are finished with your analysis. An active trace file can affect performance.

Additional Functions

The Identity Center and the corresponding identity management applications also support additional functions that are not described here, for example, functions for password recovery. For more information on such functions, see the documentation provided with the installation package (in the Documents subfolder) or at http://www.sdn.sap.com/irj/sdn/nw-identitymanagement.


Appendix

Appendix A: Repository Constants

The tables below show the repository constants used for each repository type.

Repository Constants for AS ABAP (Load Balanced Connection)

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| Message Server | JCO_CLIENT_MSHOST | <message_server_hostname> |
| System ID | JCO_CLIENT_R3NAME | <SID> |
| Logon Group | JCO_CLIENT_GROUP | <Group>, for example, Public |
| User Name | JCO_CLIENT_USER | <user_ID> |
| Password | JCO_CLIENT_PASSWD | <password> (for AS ABAP Release 4.6C, use uppercase) |
| Client | JCO_CLIENT_CLIENT | <client> |
| Language | JCO_CLIENT_LANG | <language identifier>, for example, EN |
| Provision Task | MX_PROVISIONTASK | <task number for ProvisionABAP> |
| Deprovision Task | MX_DEPROVISIONTASK | <task number for DeprovisionABAP> |
| Modify Task | MX_MODIFYTASK | <task number for ModifyABAPUser> |
| CUA System | CUA_MASTER | <TRUE/FALSE> |
| | REPOSITORY_TYPE | ABAP |

The constant REPOSITORY_TYPE is automatically created.

There are additional attributes for configuring Secure Network Communications (SNC). For more information, see Appendix F: Configuring the ABAP Connector to use SNC [Page 87].

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.

Repository Constants for AS ABAP (Specific Application Server)

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| Target Host | JCO_CLIENT_ASHOST | <hostname> |
| System Number | JCO_CLIENT_SYSNR | <system number> |
| User Name | JCO_CLIENT_USER | <user_ID> |
| Password | JCO_CLIENT_PASSWD | <password> (for AS ABAP Release 4.6C, use uppercase) |
| Client | JCO_CLIENT_CLIENT | <client> |
| Language | JCO_CLIENT_LANG | <language identifier>, for example, EN |
| Provision Task | MX_PROVISIONTASK | <task number for ProvisionABAP> |
| Deprovision Task | MX_DEPROVISIONTASK | <task number for DeprovisionABAP> |
| Modify Task | MX_MODIFYTASK | <task number for ModifyABAPUser> |
| CUA System | CUA_MASTER | <TRUE/FALSE> |
| | REPOSITORY_TYPE | ABAP |

The constant REPOSITORY_TYPE is automatically created.

There are additional attributes for configuring Secure Network Communications (SNC). For more information, see Appendix F: Configuring the ABAP Connector to use SNC [Page 87].

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.

Repository Constants for AS Java

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| HTTP Protocol | HTTP_PROTOCOL | <http/https> |
| Target Host | APPLICATION_HOST | <hostname> |
| HTTP Port | HTTP_PORT | <http_port> |
| User Name | HTTP_AUTH_USER | <user_ID> |
| Password | HTTP_AUTH_PWD | <password> |
| Provision Task | MX_PROVISIONTASK | <task number for ProvisionJava> |
| Deprovision Task | MX_DEPROVISIONTASK | <task number for DeprovisionJava> |
| Modify Task | MX_MODIFYTASK | <task number for ModifyJavaUser> |
| | REPOSITORY_TYPE | JAVA |

The constant REPOSITORY_TYPE is automatically created.

For the provision, deprovision, and modify tasks, you can use the wizard when creating the repository to browse to the appropriate task in the provisioning framework.


Repository Constants for AS Java (LDAP Backend)

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| HTTP Protocol | HTTP_PROTOCOL | <http/https> |
| Target Host | APPLICATION_HOST | <hostname> |
| HTTP Port | HTTP_PORT | <http_port> |
| User Name | HTTP_AUTH_USER | <user_ID> |
| Password | HTTP_AUTH_PWD | <password> |
| Provision Task | MX_PROVISIONTASK | <task number for ProvisionJavaReadonly> |
| Deprovision Task | MX_DEPROVISIONTASK | <task number for DeprovisionJavaReadonly> |
| Modify Task | MX_MODIFYTASK | <task number for ModifyJavaUserReadonly> |
| Backend Repository Name | BACKEND_REPOSITORYNAME | <LDAP directory repository name> |
| | REPOSITORY_TYPE | JAVA |

The constant REPOSITORY_TYPE is automatically created.

For the provision, deprovision, and modify tasks, you can use the wizard when creating the repository to browse to the appropriate task in the provisioning framework.


Repository Constants for a Dual-Stack System (Load Balanced Connection)

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| Message Server | JCO_CLIENT_MSHOST | <message_server_hostname> |
| System ID | JCO_CLIENT_R3NAME | <SID> |
| Logon Group | JCO_CLIENT_GROUP | <Group>, for example, Public |
| User Name | JCO_CLIENT_USER | <user_ID> |
| Password | JCO_CLIENT_PASSWD | <password> (for AS ABAP Release 4.6C, use uppercase) |
| Client | JCO_CLIENT_CLIENT | <client> |
| Language | JCO_CLIENT_LANG | <language identifier>, for example, EN |
| Provision Task | MX_PROVISIONTASK | <task number for ProvisionABAP> |
| Deprovision Task | MX_DEPROVISIONTASK | <task number for DeprovisionABAP> |
| Modify Task | MX_MODIFYTASK | <task number for ModifyABAPUser> |
| HTTP Protocol | HTTP_PROTOCOL | <http/https> |
| Target Host | APPLICATION_HOST | <hostname> |
| HTTP Port | HTTP_PORT | <http_port> |
| User Name | HTTP_AUTH_USER | <user_ID> |
| Password | HTTP_AUTH_PWD | <password> |
| Backend Repository Name | BACKEND_REPOSITORYNAME | <LDAP directory repository name> |
| AS ABAP CUA System | CUA_MASTER | <TRUE/FALSE> |
| | REPOSITORY_TYPE | DUALABAP |

The constant REPOSITORY_TYPE is automatically created.

There are additional attributes for configuring Secure Network Communications (SNC). For more information, see Appendix F: Configuring the ABAP Connector to use SNC [Page 87].

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.


Repository Constants for a Dual-Stack System (Specific Application Server)

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| Target Host | JCO_CLIENT_ASHOST | <hostname> |
| System Number | JCO_CLIENT_SYSNR | <system number> |
| User Name | JCO_CLIENT_USER | <user_ID> |
| Password | JCO_CLIENT_PASSWD | <password> (for AS ABAP Release 4.6C, use uppercase) |
| Client | JCO_CLIENT_CLIENT | <client> |
| Language | JCO_CLIENT_LANG | <language identifier>, for example, EN |
| Provision Task | MX_PROVISIONTASK | <task number for ProvisionABAP> |
| Deprovision Task | MX_DEPROVISIONTASK | <task number for DeprovisionABAP> |
| Modify Task | MX_MODIFYTASK | <task number for ModifyABAPUser> |
| HTTP Protocol | HTTP_PROTOCOL | <http/https> |
| Target Host | APPLICATION_HOST | <hostname> |
| HTTP Port | HTTP_PORT | <http_port> |
| User Name | HTTP_AUTH_USER | <user_ID> |
| Password | HTTP_AUTH_PWD | <password> |
| Backend Repository Name | BACKEND_REPOSITORYNAME | <LDAP directory repository name> |
| AS ABAP CUA System | CUA_MASTER | <TRUE/FALSE> |
| | REPOSITORY_TYPE | DUALABAP |

The constant REPOSITORY_TYPE is automatically created.

There are additional attributes for configuring Secure Network Communications (SNC). For more information, see Appendix F: Configuring the ABAP Connector to use SNC [Page 87].

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.


Repository Constants for Business Suite AS ABAP (Load Balanced Connection)

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| Message Server | JCO_CLIENT_MSHOST | <message_server_hostname> |
| System ID | JCO_CLIENT_R3NAME | <SID> |
| Logon Group | JCO_CLIENT_GROUP | <Group>, for example, Public |
| User Name | JCO_CLIENT_USER | <user_ID> |
| Password | JCO_CLIENT_PASSWD | <password> |
| Client | JCO_CLIENT_CLIENT | <client> |
| Language | JCO_CLIENT_LANG | <language identifier>, for example, EN |
| Provision Task | MX_PROVISIONTASK | <task number for ProvisionABAP> |
| Deprovision Task | MX_DEPROVISIONTASK | <task number for DeprovisionABAP> |
| Modify Task | MX_MODIFYTASK | <task number for ModifyABAPUser> |
| CUA System | CUA_MASTER | FALSE |
| | NO_USER_ACCOUNT | <0/1> |
| | REPOSITORY_TYPE | ABAP |

The constant REPOSITORY_TYPE is automatically created. You have to create the repository constant NO_USER_ACCOUNT manually and set it to the value 1 if you do not want a user account created in the target system for an identity.

There are additional attributes for configuring Secure Network Communications (SNC). For more information, see Appendix F: Configuring the ABAP Connector to use SNC [Page 87].

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.

Repository Constants for LDAP Directory Server (Sun One)

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| Host Name | LDAP_HOST | <hostname> |
| Starting Point | LDAP_STARTING_POINT | <LDAP starting point> |
| Port number | LDAP_PORT | <LDAP port> |
| Password | LDAP_PASSWORD | <password> |
| Login user | LDAP_LOGIN | <LDAP user ID> |
| |  MX_DEPROVISIONTASK | <Task_Number_for_DeprovisionSunOne> |
| | MX_MODIFYTASK | <Task_Number_for_ModifySunOneUser> |
| | MX_PROVISIONTASK | <Task_Number_for_ProvisionSunOne> |
| | NAMING_ATTRIBUTE | uid |
| | REPOSITORY_TYPE | LDAP |

The constant REPOSITORY_TYPE is automatically created, and you must create the constants for the provision, deprovision, and modify tasks manually when you create the repository.

Repository Constants for LDAP Directory Server (ADS)

| Repository Wizard Field | Repository Constant | Value |
|---|---|---|
| Part of DN | AD_HOST | <DN substring> |
| Exchange Server Name | EXCHANGE_HOST | <Name of Exchange Server> |
| Storage Group Host Name | HOSTNAME | <Host name for storage group> |
| LDAP Domain | LDAP_DOMAIN | <LDAP domain> |
| Host name of ADS | LDAP_HOST | <Host name of ADS> |
| LDAP Mail Domain | LDAP_MAIL_DOMAIN | <Mail domain> |
| Starting point | LDAP_STARTING_POINT | <LDAP starting point> |
| Starting point groups | LDAP_STARTING_POINT_GROUPS | <LDAP starting point for groups> |
| Port number | LDAP_PORT | <LDAP port> |
| Login user | LDAP_LOGIN | <LDAP user ID> |
| Password | LDAP_PASSWORD | <password> |
| LDAP UPN | LDAP_UPN | <LDAP UPN> |
| Provision Task | MX_PROVISIONTASK | <task number for ProvisionADS> |
| Deprovision Task | MX_DEPROVISIONTASK | <task number for DeprovisionADS> |
| Modify Task | MX_MODIFYTASK | <task number for ModifyADS> |
| | LDAP_FILTER | (objectclass=person) |
| | LDAP_FILTER_GROUPS | (objectclass=group) |
| | NAMING_ATTRIBUTE | uid |
| | REPOSITORY_TYPE | LDAP |

The constants LDAP_FILTER, LDAP_FILTER_GROUPS, NAMING_ATTRIBUTE, and REPOSITORY_TYPE are automatically created.

For the provision, deprovision, and modify tasks, you can use the wizard when creating the repository to browse to the appropriate task in the provisioning framework.


Appendix B: Mapping Between Identity Center and AS ABAP Attributes

The following table shows the ABAP attributes that are supported by the ABAP connector and how they are mapped to attributes in the Identity Center.

Attributes that are new to Release 7.1 are indicated accordingly.

| IC Attribute | Java (SPML) / ABAP Connector Attribute | BAPI Parameter | BAPI Field | HR Field | LDAP Mapping to InetOrgPerson |
|---|---|---|---|---|---|
| DISPLAYNAME | displayname / Displayname | ADDRESS | FULLNAME | P0001-ENAME | cn |
| MSKEY | | | | | |
| MSKEYVALUE | logonname / logonuid | USERNAME | | SYHR_A_P0105_AF_SYSUNAME | |
| MX_ACADEMIC_TITLE_1 | AddressTitleAca1 | ADDRESS | TITLE_ACA1 | TEXT_P0002-TITEL | title |
| MX_ACADEMIC_TITLE_2 | AddressTitleAca2 | ADDRESS | TITLE_ACA2 | | |
| MX_ACCESSIBILITYLEVEL | | | | | |
| MX_ACCOUNTING_NUMBER | LogondataAccnt | LOGONDATA | ACCNT | | |
| MX_ADDRESS_BUILDING | AddressBuildLong | ADDRESS | BUILD_LONG | | |
| MX_ADDRESS_CHECKSTTUS | AddressChckstatus | ADDRESS | CHCKSTATUS | | |
| MX_ADDRESS_CITY | AddressCity | ADDRESS | CITY | WORKCENTER_CITY | l |
| MX_ADDRESS_CITY_NO | AddressCityNo | ADDRESS | CITY_NO | | |
| MX_ADDRESS_CO_NAME | AddressCOName | ADDRESS | C_O_NAME | | |
| MX_ADDRESS_COMPANY_POSTAL_CODE | AddressPostlCod3 | ADDRESS | POSTL_COD3 | WORKCENTER_POSTCODE | |
| MX_ADDRESS_COUNTRY | AddressCountry | ADDRESS | COUNTRY | WORKCENTER_COUNTRY | |
| MX_ADDRESS_DIFFERENT_CITY | AddressHomeCity | ADDRESS | HOME_CITY | | |
| MX_ADDRESS_DIFFERENT_CITY_NO | AddressHomecityno | ADDRESS | HOMECITYNO | | |
| MX_ADDRESS_DISTRICT | AddressDistrict | ADDRESS | DISTRICT | | |
| MX_ADDRESS_DISTRICT_NO | AddressDistrictNo | ADDRESS | DISTRICT_NO | | |
| MX_ADDRESS_FLOOR | AddressFloor | ADDRESS | FLOOR | | |
| MX_ADDRESS_HOUSE_NO | AddressHouseNo | ADDRESS | HOUSE_NO | | |
| MX_ADDRESS_HOUSE_NO_SUPPLEMENT | AddressHouseNo2 | ADDRESS | HOUSE_NO2 | | |
| MX_ADDRESS_LANGUAGE | AddresssLanguISO | ADDRESS | LANGUISO | | |
| MX_ADDRESS_NAME_1 | AddressName | ADDRESS | NAME | | |
| MX_ADDRESS_NAME_2 | AddressName2 | ADDRESS | NAME_2 | | |
| MX_ADDRESS_NAME_3 | AddressName3 | ADDRESS | NAME_3 | | |
| MX_ADDRESS_NAME_4 | AddressName4 | ADDRESS | NAME_4 | | |
| MX_ADDRESS_NOTES | AddressAdrNotes | ADDRESS | ADR_NOTES | | |
| MX_ADDRESS_POBOX | AddressPoBox | ADDRESS | PO_BOX | | postofficebox |
| MX_ADDRESS_POBOX_CITY | AddressPoBoxCit | ADDRESS | PO_BOX_CIT | | |
| MX_ADDRESS_POBOX_CITY_NO | AddressPboxcitNo | ADDRESS | PBOXCIT_NO | | |
| MX_ADDRESS_POBOX_COUNTRY | AddressPoboxCtry | ADDRESS | POBOX_CTRY | | |
| MX_ADDRESS_POBOX_POSTAL_CODE | AddressPostlCod2 | ADDRESS | POSTL_COD2 | | |
| MX_ADDRESS_POBOX_REGION | AddressPoBoxReg | ADDRESS | REGION | | |
| MX_ADDRESS_POBOX_WITHOUT_NUMBER | AddressPoWONo | ADDRESS | PO_W_O_NO | | |
| MX_ADDRESS_POSTAL_CODE | AddressPostlCod1 | ADDRESS | POSTL_COD1 | | postalcode |
| MX_ADDRESS_REASON_DONT_USE_POBOX_ADDRESS | AddressDontUseP | ADDRESS | DONT_USE_P | | |
| MX_ADDRESS_REASON_DONT_USE_STREE_ADDRESS | AddressDontUseS | ADDRESS | DONT_USE_S | | |
| MX_ADDRESS_REGION | AddressRegion | ADDRESS | REGION | | st |
| MX_ADDRESS_REGION_GROUP | AddressRegiogroup | ADDRESS | REGIOGROUP | | |
| MX_ADDRESS_ROOM_NO | AddressRoomNo | ADDRESS | ROOM_NO | | |
| MX_ADDRESS_STREET_1 | AddressStreet | ADDRESS | STREET | | |
| MX_ADDRESS_STREET_2 | AddressStrSuppl1 | ADDRESS | STR_SUPPL1 | | |
| MX_ADDRESS_STREET_3 | AddressStrSuppl2 | ADDRESS | STR_SUPPL2 | | |
| MX_ADDRESS_STREET_4 | AddressStrSuppl3 | ADDRESS | STR_SUPPL3 | | |
| MX_ADDRESS_STREET_5 | AddressLocation | ADDRESS | LOCATION | | |
| MX_ADDRESS_STREET_NO | AddressStreetNo | ADDRESS | STREET_NO | | |
| MX_ADDRESS_STREETADDRESS | | | | WORKCENTER_STREET | street |
| MX_ADDRESS_TAX_JURISDICTION_CODE | AddressTaxjurcode | ADDRESS | TAXJURCODE | | |
| MX_ADDRESS_TIME_ZONE | AddressTimeZone | ADDRESS | TIME_ZONE | | |
| MX_ADDRESS_TITLE | AddressTitle | ADDRESS | TITLE | | |
| MX_ADDRESS_TRANSPORT_ZONE | AddressTranspzone | ADDRESS | TRANSPZONE | | |
| MX_ADMIN_UNIT | companyid | LOGONDATA | CLASS | | |
| MX_BIRTHNAME | AddressBirthName | ADDRESS | BIRTH_NAME | | |
| MX_CATT_TEST_STATUS | DefaultsCattkennz | DEFAULTS | CATTKENNZ | | |
| MX_CERTIFICATE | usercertificate | | | | |
| MX_COMMUNICATION_LANGUAGE | AddressLangupP | ADDRESS | LANGU_P | | |
| MX_COMMUNICATION_METHOD | AddressCommType | ADDRESS | COMM_TYPE | | |
| MX_COSTCENTER | DefaultCostcenter | DEFAULTS | KOSTL | | |
| MX_DATEFORMAT | dateformat | DEFAULTS | DATFM | | |
| MX_DEPARTMENT | department | ADDRESS | DEPARTMENT | P0001_ORGEH_TL | ou |
| MX_FAX_ADDITIONAL | additionalFaxes | ADDFAX | | | |
| MX_FAX_PRIMARY | fax / primaryFax | ADDFAX | | SYHR_A_P0105_AF_FAX | facsimiletelephonenumber |
| MX_FIRSTNAME | firstname / firstname | ADDRESS | FIRSTNAME | P0002-VORNA | givenname |
| MX_HCM_SYSUNAME (7.1) | | | | SYHR_A_P0105_AF_SYSUNAME | |
| MX_INHOUSE_MAIL | AddressInhouseMl | ADDRESS | INHOUSE_ML | | |
| MX_INITIALS | AddressInitials | ADDRESS | INITIALS | | initials |
| MX_LANGUAGE | locale | DEFAULTS | LANGU | P0002-SPRSL | preferredlanguage |
| MX_LASTNAME | lastname / lastname | ADDRESS | LASTNAME | P0002-NACHN | sn |
| MX_LOCKED | islocked / islocked | ISLOCKED | LOCAL_LOCK | | |
| MX_LOGONALIAS | useralias | ALIAS | USERALIAS | | |
| MX_MAIL_ADDITIONAL | additionalMails | ADDSMTP | | SYHR_A_P0105_AF_EMAIL | |
| MX_MAIL_PRIMARY | email / primaryMail | ADDSMTP | | SYHR_A_P0105_AF_EMAIL | mail |
| MX_MIDDLENAME | AddressMiddlename | ADDRESS | MIDDLENAME | P0002-MIDNM | |
| MX_MOBILE_ADDITIONAL | additionalMobiles | ADDTEL | | | |
| MX_MOBILE_PRIMARY | mobile / primaryMobile | ADDTEL | | SYHR_A_P0105_AF_CELL | mobile |
| MX_NAMCOUNTRY (7.1) | | ADDRESS | NAMCOUNTRY | | |
| MX_NAME_ABBREVIATION | AddressInitsSig | ADDRESS | INITS_SIG | | |
| MX_NAME_PREFIX_1 | AddressPrefix1 | ADDRESS | PREFIX1 | | |
| MX_NAME_PREFIX_2 | AddressPrefix2 | ADDRESS | PREFIX2 | | |
| MX_NAMEFORMAT (7.1) | | ADDRESS | NAMEFORMAT | | |
| MX_NICKNAME | AddressNickname | ADDRESS | NICKNAME | | |
| MX_NUMBERFORMAT | Numberformat | DEFAULTS | DCPFM | | |
| MX_PAGER_ADDITIONAL | additionalPagers | ADDPAG | | | pager |
| MX_PAGER_PRIMARY | primaryPager | ADDPAG | | | |
| MX_PARAMETER (7.1) | | PARAMETER1 | PARID, PARVA | | |
| MX_PASSWORD | password / password | PASSWORD | BAPIPWD | | userpassword |
| MX_PASSWORD_DISABLED | ispassworddisabled / Ispassworddisabled | ISLOCKED | NO_USER_PW | | |
| MX_PHONE_ADDITIONAL | additionalPhones | ADDTEL | | | homephone |
| MX_PHONE_PRIMARY | telephone / primaryPhone | ADDTEL | | SYHR_A_P0105_AF_TEL_NR + SYHR_A_P0105_AF_TEL_EXT | telephonenumber |
| MX_PRINTERSETTINGS_SPDA | DefaultsSpda | DEFAULTS | SPDA | | |
| MX_PRINTERSETTINGS_SPDB | DefaultsSpdb | DEFAULTS | SPDB | | |
| MX_PRINTERSETTINGS_SPLD | DefaultsSpld | DEFAULTS | SPLD | | |
| MX_PRINTERSETTINGS_SPLG | DefaultsSplg | DEFAULTS | SPLG | | |
| MX_REFERENCE_USER | ReferenceUser | REF_USER | REF_USER | | |
| MX_SALUTATION | salutation | ADDRESS | TITLE_P | T522T-ANRLT | |
| MX_SEARCH_TERM_1 | AddressSort1P | ADDRESS | SORT1_P | | |
| MX_SEARCH_TERM_2 | AddressSort2P | ADDRESS | SORT2_P | | |
| MX_SECONDNAME | AddressSecondname | ADDRESS | SECONDNAME | | |
| MX_SNC_FLAG | SNCFlag | SNC | GUIFLAG | | |
| MX_SNC_NAME | SNCName | SNC | PNAME | | |
| MX_START_MENU (7.1) | | DEFAULTS | START_MENU | | |
| MX_TIMEZONE | timezone / timezone | LOGONDATA | TZONE | | |
| MX_TITLE_SUPPLEMENT | AddressTitleSppl | ADDRESS | TITLE_SPPL | | |
| MX_USER_CATEGORY (7.1) | | GROUPS | USERGROUP | | |
| MX_USERTYPE | securitypolicy | LOGONDATA | USTYP | | |
| MX_VALIDFROM | validfrom / validfrom | LOGONDATA | GLTGV | | |
| MX_VALIDTO | validto / validto | LOGONDATA | GLTGB | | |
| MX_WORKPLACE_BUILDING | AddressBuildingP | ADDRESS | BUILDING_P | TEXT_P8001_BUILD | |
| MX_WORKPLACE_FLOOR | AddressFloorP | ADDRESS | FLOOR_P | | |
| MX_WORKPLACE_FUNCTION | jobfunction | ADDRESS | FUNCTION | P0001_PLANS_TL | |
| MX_WORKPLACE_ROOM | AddressRoomNoP | ADDRESS | ROOM_NO_P | WORKCENTER_ROOM | |
| MXREF_MX_COMPANY_ADDRESS | Company | COMPANY | COMPANY | | |
| MXREF_MX_PRIVILEGE | roles | ACTIVITYGROUPS | AGR_NAME | | |
| MXREF_MX_PRIVILEGE | profiles | PROFILES | BAPIPROF | | |
| MX_LASTMODDATE (7.1 SPS 5) | | LASTMODIFIED | MODDATE | | |
| MX_LASTMODTIME (7.1 SPS 5) | | LASTMODIFIED | MODTIME | | |
| MX_LASTMODIFIER (7.1 SPS 5) | | LASTMODIFIED | MODIFIER | | |
| MX_TTX_ADDITIONAL (7.1 SPS 5) | | ADDTTX | | | |
| MX_TLX_ADDITIONAL (7.1 SPS 5) | | ADDTLZ | | | |
| MX_RML_ADDITIONAL (7.1 SPS 5) | | ADDRML | | | |
| MX_X400_ADDITIONAL (7.1 SPS 5) | | ADDX400 | | | |
| MX_PRT_ADDITIONAL (7.1 SPS 5) | | ADDPRT | | | |
| MX_SSF_ADDITIONAL (7.1 SPS 5) | | ADDSSF | | | |
| MX_URI_ADDITIONAL (7.1 SPS 5) | | ADDURI | | | |
| MX_ADDRESS_NOTES (7.1 SPS 5) | | ADDRESS | ADR_NOTES | | |
| MX_TIMEFORMAT (7.1 SPS 5) | | DEFAULTS | TIMEFM | | |


The following table shows additional attributes that are used for the enhanced SAP Business Suite integration use case. These attributes are used as parameters for the Business Add-In (BAdI) implementations that apply to the specific integration scenario, for example, Customer Relationship Management (CRM).

Attributes that are explicitly used for the SAP Business Suite applications are indicated as such in the Identity Center schema using the prefix MX_FS so that they can be recognized and provisioned accordingly.

For example, the SAP HCM attribute PERNR is mapped to MX_FS_PERSONNEL_NUMBER in the Identity Center schema.

IC Attribute | Short Description | Source System | Source Attribute Name (for example, DDIC Data Element) | BAdI Parameter Name
DISPLAYNAME | Formatted Name of Employee or Applicant | SAP HCM | P0001-ENAME | ADDRESS-FULLNAME
MX_ACADEMIC_TITLE_1 | Academic Title Text | SAP HCM | TEXT_P0002_TITLE | ADDRESS-TITLE_ACA1
MX_ADDRESS_STREETADDRESS | Street | SAP HCM | P8001-STRAS | ADDRESS-STREET (AD_STREET)
MX_ADDRESS_CITY | City | SAP HCM | P8001-ORT01 | ADDRESS-CITY (AD_CITY1)
MX_ADDRESS_COUNTRY | Country | SAP HCM |  | ADDRESS-COUNTRYISO
MX_FIRSTNAME | First Name | SAP HCM | P0002-VORN | ADDRESS-FIRSTNAME
MX_FS__POSITION_ID | Position | SAP HCM | P0001-PLANS | POSITION_ID
MX_FS_ACADEMIC_TITLE_1_ID | Academic Title | SAP HCM | P0002-TITLE | ACADEMIC_TITLE_1_ID
MX_FS_BP_PERSON_ID | Business Partner (Person) |  | SYSUUID | BP_PERSON_ID
MX_FS_BUSINESS_AREA | Business Area Text | SAP HCM | TEXT_P0001_GSBER | BUSINESS_AREA
MX_FS_BUSINESS_AREA_ID | Business Area | SAP HCM | P0001-GSBER | BUSINESS_AREA_ID
MX_FS_CENTRALPERSON_ID | Central Person (CP) | SAP HCM | OBJID (char 10) | CENTRALPERSON_ID
MX_FS_COMPANY_CODE | Company Code Text | SAP HCM | TEXT_P0001-BUKRS | COMPANY_CODE
MX_FS_COMPANY_CODE_ID | Company Code | SAP HCM | P0001-BUKRS | COMPANY_CODE_ID
MX_FS_COST_CENTER | Text Cost Center | SAP HCM | TEXT_P0001-KOSTL | COST_CENTER
MX_FS_COST_CENTER_ID | Cost Center | SAP HCM / SAP NetWeaver | P0001-KOSTL | COST_CENTER_ID
MX_FS_EMPLOYEE_SUBGROUP_ID | Employee Subgroup | SAP HCM | P0001-PERSK | EMPLOYEE_SUBGROUP_ID
MX_FS_EMPLOYEE_GROUP | Employee Group Text | SAP HCM | TEXT_P0001_PERSG | EMPLOYEE_GROUP
MX_FS_EMPLOYEE_GROUP_ID | Employee Group | SAP HCM | P0001-PERSG | EMPLOYEE_GROUP_ID
MX_FS_EMPLOYEE_SUBGROUP | Employee Subgroup Text | SAP HCM | TEXT_P0001_PERSK | EMPLOYEE_SUBGROUP
MX_FS_EMPLOYMENT_STATUS_ID | Employment Status | SAP HCM | P0000-STAT2 | EMPLOYMENT_STATUS_ID
MX_FS_EMPLOYMENT_STATUS | Employment Status Text | SAP HCM | TEXT_P0000_STAT2 | EMPLOYMENT_STATUS
MX_FS_IDENTITY_TYPE | Type of Identity |  |  | IDENTITY_TYPE
MX_FS_IDENTITY_UUID | UUID for identity |  |  | 
MX_FS_JOB | Job Text | SAP HCM | P0001_STELL_TL | JOB
MX_FS_JOB_ID | Job | SAP HCM | P0001-STELL | JOB_ID
MX_FS_ORGANIZATIONAL_UNIT | Organizational Unit Text | SAP HCM | P0001_ORGEH_TL | ORGANIZATIONAL_UNIT
MX_FS_ORGANIZATIONAL_UNIT_ID | Organizational Unit | SAP HCM | P0001-ORGEH | ORGANIZATIONAL_UNIT_ID
MX_FS_PERNR_IS_MANAGER | PERNR_IS_MANAGER | SAP HCM |  | PERNR_IS_MANAGER
MX_FS_PERSONNEL_AREA | Personnel Area Text | SAP HCM | TEXT_P0001_WERKS | PERSONNEL_AREA
MX_FS_PERSONNEL_AREA_ID | Personnel Area | SAP HCM | P0001-WERKS | PERSONNEL_AREA_ID
MX_FS_PERSONNEL_NUMBER | Personnel Number | SAP HCM | PERNR | PERSONNEL_NUMBER
MX_FS_PERSONNEL_NUMBER_OF_MANAGER | Personnel Number of next-level manager | SAP HCM | PERNR_OF_MANAGER | PERSONNEL_NUMBER_OF_MANAGER
MX_FS_PERSONNEL_SUBAREA | Personnel Subarea Text | SAP HCM | TEXT_P0001_BTRTL | PERSONNEL_SUBAREA
MX_FS_PERSONNEL_SUBAREA_ID | Personnel Subarea | SAP HCM | P0001-BTRTL | PERSONNEL_SUBAREA_ID
MX_FS_POSITION | Position Text | SAP HCM | P0001_PLANS_TL | POSITION
MX_FS_SALUTATION_ID | Form-of-Address Key | SAP HCM | P0002-ANRED | SALUTATION_ID
MX_FS_SCMEWM_PRR_ID | EWM Processor | EWM | /SCMB/DE_PRR | SCMEWM_PRR_ID
MX_FS_SCMSNC_BP_ORG_ID | SNC Business Partner (Organization) | SCM, SNC | SYSUUID | SCMSNC_BP_ORG_ID
MX_FS_SCMSNC_VISIBILITY_PROFILE | SNC Visibility Profile | IDM |  | SCMSNC_VISIBILITY_PROFILE
MX_FS_SCMTMS_BP_ORG_ID | TM TSP (Organization Business Partner) | SCM TM | SYSUUID or BP Number | SCMTMS_BP_ORG_ID
MX_FS_SOURCE_SYSTEM | Source System | SAP NetWeaver | SY-SYSID + SY-MANDT | SOURCE_SYSTEM
MX_FS_WORK_CONTRACT | Contract Text | SAP HCM | TEXT_P0001_ANSVH | WORK_CONTRACT
MX_FS_WORK_CONTRACT_ID | Contract (in CE mode, should be renamed to Personnel Assignment) | SAP HCM | P0001-ANSVH | WORK_CONTRACT_ID
MX_HCM_SYSUNAME | System user | SAP HCM | P0105_AF-SYSUNAME | 
MX_LANGUAGE | Language | SAP HCM | P0002-SPRSL | DEFAULTS-LANGU
MX_LASTNAME | Last Name | SAP HCM | P0002-NACHN | ADDRESS-LASTNAME
MX_MAIL_PRIMARY or MX_MAIL_ADDITIONAL | E-Mail | SAP HCM or IDM | P0105_AF-EMAIL | ADDRESS-E_MAIL or table ADDSMTP
MX_MOBILE_PRIMARY | Cell Phone | SAP HCM | P0105_AF-CELL | list of numbers in table ADDTEL
MX_PHONE_PRIMARY or MX_PHONE_ADDITIONAL | Phone | SAP HCM | P0105_AF-TEL_NR + P0105_AF-TEL_EXT | ADDRESS-TEL1_NUMBR (first telephone no.: dialling code + number) and ADDRESS-TEL1_EXT (first telephone no.: extension), or list of numbers in table ADDTEL
MX_ROOM_NUMBER | Room Number | SAP HCM | P1028-ROOM1 (P8001-ROOM1) | ADDRESS-ROOM_NO_P
MX_SALUTATION | Form-of-Address Text | SAP HCM | TEXT_P0002_ANRED | ADDRESS-TITLE_P
MX_WORKPLACE_BUILDING | Building Number | SAP HCM | P1028-BUILDING (P8001-BUILDING) | ADDRESS-BUILDING_P


Appendix C: Attributes that Support Value Help

The table below shows the attributes that support value help.

Identity Center Attribute | Value Help Content | Modifiable / To be Read from AS ABAP | Language Dependency
MX_DATEFORMAT | Fixed (Delivered with the provisioning framework) | N | Y
MX_LANGUAGE | Fixed (Delivered with the provisioning framework) | N | Y
MX_LANGUAGE_COUNTRY | Fixed (Delivered with the provisioning framework) | N | Y
MX_NUMBERFORMAT | Fixed (Delivered with the provisioning framework) | N | Y
MX_TIMEZONE | Fixed (Delivered with the provisioning framework) | N | Y
MX_USERTYPE | Fixed (Delivered with the provisioning framework) | N | Y
MX_ACADEMIC_TITLE_1 | Tables TSAD2 and TSAD2T | Y | N
MX_ACADEMIC_TITLE_2 | Tables TSAD2 and TSAD2T | Y | N
MX_ADMIN_UNIT | Tables USGRP and USGRPT | Y | N
MX_NAME_PREFIX_1 | Table TSAD4 | Y | N
MX_NAME_PREFIX_2 | Table TSAD4 | Y | N
MX_PRINTERSETTINGS_SPLD | Table TSP03 | Y | N
MX_SALUTATION | Tables TSAD3 and TSAD3T | Y | Y
MX_TITLE_SUPPLEMENT | Tables TSAD5 and TSAD5T | Y | Y
MX_USER_CATEGORY | Tables USGRP and USGRPT | Y | N


The value help content is stored in the database table mxi_AttrValueHelp, which is specified in the attribute value properties. See the example below for the MX_DATEFORMAT attribute.

See also Section 3.5 Reading Value Help Content [Page 39].


Appendix D: Configuring the Virtual Directory Server

In this section, we describe how to configure the Virtual Directory Server so that the SAP HCM system can connect to it for the data export.

Prerequisites

You have maintained the database connection for the identity store in Identity Center and know the password for the database user.

The JDBC driver to use to access the Identity Center database is maintained in the class path for the Virtual Directory Server. (Maintain the driver under Tools → Options → Classpath.)

Procedure

1. Start the Virtual Directory Server console.

2. To maintain the configuration, choose File → New.

The New configuration dialog appears.

3. Select the Group SAP NetWeaver and the Template HCM LDAP EXTRACT for IDM and choose OK.

4. Configure the parameters to use for the VDS as shown in the table below.

Field | Value | Example | Comment
Port | 1389 | 1389 | Select a different port if 1389 is already being used.
Display Name | <Name_of_VDS> | Identity Store | 
Identity store | <Database_Connection_Parameters> | jdbc:sqlserver://localhost:1433;databasename=mxmc_db;user=mxmc_rt;password=<password> | Use the wizard to maintain them. Examples for Microsoft SQL Server parameters are shown in the table that follows.
Identity store number | <Staging_Area_Identity_Store_ID> | 5 | This ID was determined when setting up the staging area identity store.
Username | <Directory_Server_User> | HR_USER | This is the user that is used for the bind to the VDS.
Password | <Directory_Server_User_Password> | <password> | 


Microsoft SQL Server Database Connection Parameters

Field | Value | Example | Comment
Server | <Server_Name> | localhost | 
Port | <Port> | 1433 | 
Database | <Database_Identifier> | mxmc_db | 
User | <Database_User> | mxmc_rt | 
Password | <Database_User_Password> | <password> | The password was specified during the installation.

5. Save the configuration.

6. Start the server.


Appendix E: Configuring the SAP HCM System

To configure the SAP HCM system to export data to the Virtual Directory Server, you must:

1. Create the query to use for the export.

2. Maintain the attribute mapping between the HR fields and the input attributes used by the LDAP synchronization.

3. Create an RFC destination to use for the connection to the VDS.

4. Configure the parameters to use for this connection.

5. Maintain the mappings between the attributes used by the LDAP synchronization and the VDS.

6. Export the data.

Because the VDS does not use a specific LDAP schema for attributes, you can freely choose names for the attributes. To make maintenance easier, we recommend using the same attribute names throughout all of the mappings.

E.1 Creating the Query to Use for the Export

In this step, you will set up the query to use for the export. For this purpose, you can use the existing query LDAPEXTRACT604 as a template. This query is assigned to the user group SAPQUERY/L1.

Create or modify the query in the SAP HCM Customizing development system and transport it to the productive system.

Procedure

1. Using query maintenance (transaction SQ01):

2. Choose Edit → Other user group and select the user group SAPQUERY/L1.

The queries available for this user group are displayed.

3. Select LDAPEXTRACT604 with a double-click and choose Query → Copy.

4. In the dialog that follows, enter a name for the new query, for example, LDAP_QUERY.

5. Select this query with a double-click and choose Query → Change.

The attributes for the query appear.

6. To see the HR fields used by this query, choose Basic List.


7. To view the fields that are already selected in the example query, expand the data fields. These are the fields that are supported by the provisioning framework for SAP systems.

See the figure below for a subset of the fields for Infotype 0000.

The attributes marked in the sample query LDAPEXTRACT604 are supported by the provisioning framework for SAP Systems, meaning they are included in the schema and in the passes used for writing to the staging area and the productive identity store.

You can remove certain attributes from the query if you do not need to have them provisioned. However, if you add attributes, you will receive error messages when attempting to process the data further.

8. Note the Infotype number that the attributes belong to. You will need this number when you maintain the attribute mapping in the next step.

9. Save the query and return to the initial screen.

10. Activate the query by executing it.

You must execute the query once so that the query is generated and available for later steps.

You can reduce the amount of data selected for this initial execution of the query by using a limited time period (for example, Today) and a range for the Personnel Number (for example, 1 to 1000).


E.2 Specifying the Attribute Mapping Between the HR Fields and LDAP Synchronization

In this step, you map the HR fields that are selected by the query to the input attributes used by LDAP synchronization.

Prerequisites

The query used for extracting the data is active.

Procedure

Using field assignment maintenance (transaction HRLDAP_MAP):

1. Select the Global Work Area indicator.

2. Enter /SAPQUERY/L1 as the User Group.

3. Enter the name of your query, for example, LDAP_QUERY.

4. Choose Import.

The fields assigned to your query appear.

5. Maintain the Attribute Grp and Attrib.Name fields for each query field. Specify the attribute group so that it corresponds to the Infotype number you noted in the last step.

We recommend using the query field names as the attribute names.

To omit a field, set the Tech. Field field. Fields marked as such are not exported.

The table below shows a subset of the fields, based on the sample query used in step E.1.

Query Fld | Description | Attribute Grp | Attrib.Name
P0000-PERNR | Personnel Number | P0000 | P0000-PERNR
P8003-OBJID | Object ID | P8003 | P8003-OBJID
SYHR_A_P0002_AF_SPLIT_BEG | Start Date | P0002 | SYHR_A_P0002_AF_SPLIT_BEG
SYHR_A_P0002_AF_SPLIT_END | End Date | P0002 | SYHR_A_P0002_AF_SPLIT_END
P0002-NACHN | Last Name | P0002 | P0002-NACHN
P0002-VORNA | First Name | P0002 | P0002-VORNA
P0002-NAME2 | Name at Birth | P0002 | P0002-NAME2
P0001-ENAME | Formatted Name of Employee or Applicant | P0001 | P0001-ENAME
P0002-TITEL | Title | P0002 | P0002-TITEL
TEXT_P0002_TITLE | Text: Title | P0002 | TEXT_P0002_TITEL
P0002-ANRED | Form-of-Address Key | P0002 | P0002-ANRED
TEXT_P0002_ANRED | Text: Form-of-Address Key | P0002 | TEXT_P0002_ANRED

6. Save the data.

E.3 Creating an RFC Destination to Use for the LDAP Connector

Using destination maintenance (transaction SM59):

1. Create an RFC destination with the following properties:

Type: T (TCP/IP Connection)

Name: <Destination_Name> (for example, LDAP_VD)

Activation Type: Registered server program

Program ID: <Program_ID> (for example, LDAP_VD)

For easier reference in traces and logs, use the RFC destination name for the program ID.

Gateway host: <Gateway_host> (host where the system’s gateway runs)

Gateway service: <Gateway_service> (name of the gateway service, for example sapgw<sys_nr>)

2. Save the data.

E.4 Configuring the Parameters to Use for the Connection to the VDS

Using directory service connection maintenance (transaction LDAP):

1. Set up the LDAP connector:

a. Choose LDAP Connectors.

The LDAP Connector (Maintenance View) screen appears.

b. Choose Display/Change to change to edit mode.

c. Choose New Entries.

d. Enter the name of the RFC destination you created in the last step (for example, LDAP_VD).

e. Maintain the LDAP connector settings as necessary.

f. Save the data and return to the main screen for the directory service connection maintenance.


2. Set up a service user to use for the connection:

a. Choose System Users.

b. Choose Display/Change to change to edit mode.

c. Choose New Entries.

d. Enter the properties for the system user. For the Distinguished Name, use the user ID that you specified for the VDS in step D.4.

User ID: <User_ID> (for example, HR_USER)

Distinguished Name: <Directory_Server_User> (for example, hruser)

Auth. mechanism: Simple Bind

Credential storage: Simple Memory

e. For the Credentials, choose the symbol for Change to enter the directory server user’s password. (This password must also match the password specified for the directory server user in step C.4.)

See the figure below.

f. Save the data and return to the main screen for directory service connection maintenance.

3. Create an entry for the LDAP server:

a. Choose LDAP Servers.

b. Choose Display/Change to change to edit mode.

c. Choose New Entries.

d. Enter the properties for the VDS as follows:

Host name: <VDS_Host>

Port number: <LDAP_Port> (for example, 1389)

Product name: <blank>

Protocol version: LDAP version 3

LDAP Application: Employee


Default: Inactive (unless the VDS should be the default LDAP server)

Base entry: (for example, o=idstore)

The path is defined in the virtual tree of the virtual directory server.

System Logon: <User_ID> (Use the user ID you specified in the last step, for example, HR_USER.)

Read Anonymously: Inactive

e. Save the data and return to the main screen for directory service connection maintenance.

E.5 Maintain the Attribute Mappings

Using directory service connection maintenance (transaction LDAP):

1. Choose LDAP Servers.

2. Select the LDAP server to maintain (for example, LDAP_VD) so that the row is marked.

3. If you are not in edit mode, then switch to edit mode (choose Display/Change).

4. In the left frame, select Mapping with a double-click.

The Mapping Overview screen appears.

5. In the ObjectClasses list, enter sapIdentity.

6. Maintain the mappings between the fields used by the LDAP synchronization and the VDS.

The mappings are available on the installation CD (or in the installation package) in the subfolder Designtime Components\Misc, in the file HCM Ldap Mapping.xml. You can upload the mappings using the XML-Import function.

To maintain the mappings manually:

a. Create an entry that maps the structure EMPLOYEE, field KEY, to the attribute cn.

To create a new entry, choose Edit → Add New Mapping.


b. Specify the rest of the entries to map the fields used by the HR LDAP query to identically-named attributes.

The entries for Structure and Field must be identical to the Attribute Grp and Attrib.Name entries you created for the query mapping in step E.2.

See the table below.

Structure | Field | Attribute | Flags to Set
EMPLOYEE | KEY | cn | Filter, Import Mapping, Export Mapping, RDN Mapping
P0000 | P0000-PERNR | P0000-PERNR | Export Mapping
P8003 | P8003-OBJID | P8003-OBJID | Export Mapping
P0002 | SYHR_A_P0002_AF_SPLIT_BEG | SYHR_A_P0002_AF_SPLIT_BEG | Export Mapping
P0002 | SYHR_A_P0002_AF_SPLIT_END | SYHR_A_P0002_AF_SPLIT_END | Export Mapping
P0002 | P0002-NACHN | P0002-NACHN | Export Mapping
P0002 | P0002-VORNA | P0002-VORNA | Export Mapping
P0002 | P0002-NAME2 | P0002-NAME2 | Export Mapping
P0001 | P0001-ENAME | P0001-ENAME | Export Mapping
P0002 | TEXT_P0002_TITLE | TEXT_P0002_TITEL | Export Mapping
P0002 | P0002-TITEL | P0002-TITEL | Export Mapping
P0002 | P0002-ANRED | P0002-ANRED | Export Mapping
P0002 | TEXT_P0002_ANRED | TEXT_P0002_ANRED | Export Mapping

7. Go back and save the data.

Example

For an example of the LDAP attribute mappings, see the figure below.
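The rule from step E.5 (Structure and Field must equal Attribute Grp and Attrib.Name, and the EMPLOYEE/KEY entry must carry all four flags) can be checked before you run the export. The following PowerShell script is an added example and not part of the SAP guide; its two row lists are constructed from the sample tables in steps E.2 and E.5, with one row deliberately misspelt to show how a mismatch is reported.

```powershell
# Added example (not from the SAP guide): cross-check the HRLDAP_MAP field
# assignment (transaction HRLDAP_MAP, step E.2) against the LDAP server
# mapping (transaction LDAP, step E.5). Both row lists are constructed
# sample data typed in from the tables in this appendix.

# Rows as read from HRLDAP_MAP: Attribute Grp and Attrib.Name per query field.
$hrldapMap = @(
    @{ QueryField = 'P0000-PERNR'; AttributeGrp = 'P0000'; AttribName = 'P0000-PERNR' },
    @{ QueryField = 'P8003-OBJID'; AttributeGrp = 'P8003'; AttribName = 'P8003-OBJID' },
    @{ QueryField = 'P0002-NACHN'; AttributeGrp = 'P0002'; AttribName = 'P0002-NACHN' },
    @{ QueryField = 'P0002-VORNA'; AttributeGrp = 'P0002'; AttribName = 'P0002-VORNA' },
    @{ QueryField = 'P0002-ANRED'; AttributeGrp = 'P0002'; AttribName = 'P0002-ANRED' }
)

# Rows as read from the LDAP Mapping Overview: Structure, Field, Attribute, flags.
# The VORNA row is constructed with a typo in Field ('P0002-VORN') on purpose.
$ldapMapping = @(
    @{ Structure = 'EMPLOYEE'; Field = 'KEY';         Attribute = 'cn';          Flags = 'Filter,Import Mapping,Export Mapping,RDN Mapping' },
    @{ Structure = 'P0000';    Field = 'P0000-PERNR'; Attribute = 'P0000-PERNR'; Flags = 'Export Mapping' },
    @{ Structure = 'P8003';    Field = 'P8003-OBJID'; Attribute = 'P8003-OBJID'; Flags = 'Export Mapping' },
    @{ Structure = 'P0002';    Field = 'P0002-NACHN'; Attribute = 'P0002-NACHN'; Flags = 'Export Mapping' },
    @{ Structure = 'P0002';    Field = 'P0002-VORN';  Attribute = 'P0002-VORNA'; Flags = 'Export Mapping' },  # constructed mismatch
    @{ Structure = 'P0002';    Field = 'P0002-ANRED'; Attribute = 'P0002-ANRED'; Flags = 'Export Mapping' }
)

function Test-HcmLdapMapping {
    param(
        [Parameter(Mandatory)] [hashtable[]] $HrldapRows,
        [Parameter(Mandatory)] [hashtable[]] $LdapRows
    )
    $findings = @()

    # Index the HRLDAP_MAP side by "Grp/Name"; the LDAP side must use "Structure/Field" identically.
    $expected = @{}
    foreach ($r in $HrldapRows) { $expected["$($r.AttributeGrp)/$($r.AttribName)"] = $r }

    # 1. The key entry EMPLOYEE/KEY -> cn must exist and carry all four flags (step 6a).
    $key = $LdapRows | Where-Object { $_.Structure -eq 'EMPLOYEE' -and $_.Field -eq 'KEY' }
    if (-not $key) {
        $findings += 'Missing EMPLOYEE/KEY -> cn entry'
    } else {
        foreach ($flag in 'Filter', 'Import Mapping', 'Export Mapping', 'RDN Mapping') {
            if (($key.Flags -split ',') -notcontains $flag) { $findings += "EMPLOYEE/KEY lacks flag '$flag'" }
        }
    }

    # 2. Every other LDAP mapping row must have a matching HRLDAP_MAP row and be flagged for export.
    $seen = @{}
    foreach ($r in ($LdapRows | Where-Object { $_.Structure -ne 'EMPLOYEE' })) {
        $id = "$($r.Structure)/$($r.Field)"
        if ($expected.ContainsKey($id)) {
            $seen[$id] = $true
        } else {
            $findings += "LDAP mapping $id has no matching Attribute Grp/Attrib.Name in HRLDAP_MAP"
        }
        if (($r.Flags -split ',') -notcontains 'Export Mapping') { $findings += "LDAP mapping $id is not flagged 'Export Mapping'" }
    }

    # 3. Every HRLDAP_MAP attribute must be mapped; an unmapped one is silently not exported.
    foreach ($id in $expected.Keys) {
        if (-not $seen.ContainsKey($id)) { $findings += "HRLDAP_MAP attribute $id has no LDAP mapping entry" }
    }
    return ,$findings
}

$result = Test-HcmLdapMapping -HrldapRows $hrldapMap -LdapRows $ldapMapping
if ($result.Count -eq 0) { 'Mappings are consistent' } else { $result }
```

With the constructed rows, the script reports the P0002/P0002-VORN entry as having no HRLDAP_MAP counterpart and P0002/P0002-VORNA as having no LDAP mapping, which is exactly the kind of error that otherwise only surfaces when the export runs.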


E.6 Export the Data

To export the data, execute the report RPLDAP_EXTRACT_IDM. This report writes the HR data to the LDAP directory server, in this case, the VDS.

Procedure

Using the ABAP editor (transaction SA38):

1. Enter RPLDAP_EXTRACT_IDM as the program and choose Execute.

2. Enter the criteria to use for the report. Note the following for the corresponding fields:

LDAP Connector: <blank>

The system searches for an active connector.

LDAP Server: <LDAP_Server> (for example, LDAP_VD)

Data source: Enter the data that corresponds to the query you defined in step E.1.

For example:

Global Work Area: Activate

User Group: /SAPQUERY/L1

Name: <Query_Name>, for example, LDAP_QUERY

Variant: <blank>

Options: Delete Person in Directory with Employment Status 3

Activate this option if you want to delete user master records for users who have left the company.

The users are then deleted in the Identity Center’s identity store, but not in the SAP HCM system.

3. Execute the report.

Scheduling the Job to Run Periodically

To regularly export identity data, create a variant and schedule a job that runs using this variant. Proceed as follows:

1. To create a variant, enter the data for the report and save it instead of executing it. When saving it, enter a name for the variant and a short description.

2. Using job maintenance (transaction SM36), create a job that executes the report RPLDAP_EXTRACT_IDM. Configure the frequency of the job execution under Start condition and configure the report and variant names under Step.


Result

After configuring the LDAP connection to the VDS and executing this report, the identity data is extracted from the SAP HCM system and written to the VDS and the staging area in the Identity Center.

In VDS, the identities are assigned to the entry type MX_HCM_EMPLOYEE. This allows the Identity Center to recognize events for the entry type and to trigger the corresponding tasks when the entry type is changed.

Continue with the SAP HCM system setup as described in step 3.4.2.1 Importing the Staging Area Template [Page 27].

Troubleshooting

You can troubleshoot problems with the export from the SAP HCM system with the following tools:

View the log produced for the export from the SAP HCM system using report SPLDAP_DISPLAY_LOG_TABLES

View traces for the LDAP Connector using report RSLDAPTRACE

Check connections using report RSBDCOS0

Show the result using transaction LDAP


Appendix F: Configuring the ABAP Connector to Use SNC

You can use Secure Network Communications (SNC) to secure the connection between the Identity Center and the ABAP system.

SNC requires the use of an external security product to perform the security functions. For this purpose, you can use the SAP Cryptographic Library or any SNC-certified product. The following description shows how to configure SNC when using the SAP Cryptographic Library. If you are using a different SNC-certified product, then see the documentation provided by the vendor for information about how to establish the security context for the Identity Center.

Prerequisites

You have access to the SAP Cryptographic Library.

The distribution of the SAP Cryptographic Library is subject to and controlled by German export regulations and is not available to all customers. In addition, the library may be subject to local regulations of your own country that may further restrict the import, use and (re-)export of cryptographic software. If you have any further questions on this issue, contact your local SAP subsidiary.

The AS ABAP is configured to use SNC.

For more information, see the SNC documentation on the Help Portal at http://help.sap.com/saphelp_nw70/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/frameset.htm.

You will exchange the public-key certificates in the procedure below.

Procedure

1. Download and install the SAP Cryptographic Library.

2. Create a Personal Security Environment for the Identity Center.

3. Create credentials for the Identity Center.

4. Exchange the public-key certificates belonging to the Identity Center and the AS ABAP.

5. Set the SNC parameters for the AS ABAP connector.

6. Maintain the extended user access control lists (ACL) on the AS ABAP to allow the service user to connect to the AS ABAP using the SNC connection.

7. Test the connection.

For each of these steps, see the sections that follow.


F.1 Downloading and Installing the SAP Cryptographic Library

The SAP Cryptographic Library installation package is available for authorized customers on the SAP Service Marketplace at service.sap.com/swdc.

The installation package sapcrypto.car contains the following files:

The SAP Cryptographic Library (sapcrypto.dll for Windows NT or libsapcrypto.<ext> for UNIX)

A corresponding license ticket (ticket)

The configuration tool sapgenpse.exe

Prerequisites

You know the user under which the dispatcher runs. You can find this user by checking the user that runs the Windows service MXDispatcher_<dispatcher_name>.

Procedure

On the server that runs the Identity Center (runtime engines):

1. Download the file from the SAP Service Marketplace and extract it to a local directory.

If you are not authorized to download the file, then contact your local subsidiary to clarify whether you are allowed to receive the installation package.

2. Copy the library (sapcrypto.dll) and the command line tool (sapgenpse.exe) to a local directory, for example, the Identity Center’s install directory.

<Install_folder>\sapcrypto.dll

<Install_folder>\sapgenpse.exe

3. Copy the license ticket (ticket) to a local directory.

We recommend creating a subdirectory sec and copying the ticket to this directory.

<Install_folder>\sec\ticket

This will also be the location for the Identity Center’s Personal Security Environment (PSE) that contains the key pair used for securing the connections.

4. Set the environment variable SECUDIR to this directory.

SECUDIR=<Install_folder>\sec


Make sure you set SECUDIR for the user that runs the corresponding dispatcher (or as a system variable, if the user is the SYSTEM user).

Default SECUDIR

If SECUDIR is not set, then the server searches for the license ticket in the sec subdirectory of the server's home directory:

On Windows NT: $HOMEDRIVE$HOMEPATH\sec\

5. If the user running the dispatcher is different from the logged-on user, set the system environment variable USER to the dispatcher’s user.

F.2 Creating a Personal Security Environment

Use the command line tool’s command get_pse to generate the server's PSE, which includes the public and private key pair and a public-key certificate. If you are using a trusted CA, then you can also use the get_pse command to generate a certificate request. By default, all of the items are generated; however, you can use the options -noreq or -onlyreq to explicitly include or omit the certificate request.

For easier administration, we recommend using self-signed certificates that are not signed by a trusted CA.

As an alternative to creating a PSE, you can use the same PSE as the AS ABAP server. If this is the case, and you have already created the PSE on the AS ABAP, then copy the AS ABAP’s PSE to the appropriate location instead of creating a new one.

Procedure

1. Start a command line interface.

2. Navigate to the location of the sapgenpse command line tool.

3. Use the following command line to generate a PSE. Create the server's PSE in the SECUDIR directory.

sapgenpse get_pse [-p <PSE_name>] [-x <PIN>] [DN]

Where:

Option | Parameter | Description | Allowed Values | Default
-p | <PSE_name> | Path and file name for the server's PSE | Path description (in quotation marks, if spaces exist) | None
-x | <PIN> | PIN that protects the PSE | Character string | None
None | DN | Distinguished Name for the server. The Distinguished Name is used to build the server's SNC name. | Character string (in quotation marks, if spaces exist) | None


The Distinguished Name consists of the following elements:

CN = <Common_Name>

OU = <Organizational_Unit>

O = <Organization>

C = <Country>

The following examples show possible Distinguished Names for the Identity Center:

CN=IC, OU=MyDept, O=MyCompany, C=DE

CN=IC, OU=IdM, O=MyCompany, C=US

There are also additional command line options that you can use to specify further details. See the table below.

Additional Options

Option | Parameter | Description | Allowed Values | Default
-r | <file_name> | File name for a certificate request | Path description (in quotation marks, if spaces exist) | stdout
-s | <key_len> | Key length | 512, 1024, 2048 | 1024
-a | <algorithm> | Algorithm used | RSA, DSA | RSA
-noreq | None | Only generate a key pair and PSE. Do not generate a certificate request. | Not applicable | Not set
-onlyreq | None | Generate a certificate request for the public key stored in the PSE specified by the -p parameter. | Not applicable | Not set

Example

The following command line generates a PSE for the Identity Center where a self-signed certificate is used.

sapgenpse get_pse -p IC.pse -noreq -x abcpin "CN=IC, O=MyCompany, C=DE"

Result

The server's PSE is created in the directory you specified.

Check the contents of the directory at the operating system level to make sure the PSE was created in the correct location before proceeding with the next step.


F.3 Creating Credentials

The server must have active credentials at run-time. Therefore, to produce active credentials, use the configuration tool's command seclogin to "open" the server's PSE.

The credentials are located in the file cred_v2 in the directory specified in the environment variable SECUDIR. Make sure that only the user under which the server runs has access to this file (including read access).

It is very important to create the credentials for the user who runs the Identity Center’s processes. In a default installation, this user is SYSTEM.

Procedure

Use the following command line to open the server's PSE and create credentials:

sapgenpse seclogin [-p <PSE_name>] [-x <PIN>] [-O [<NT_Domain>\]<user_ID>]

Where:

Options

Option | Parameter | Description | Allowed Values | Default
-p | <PSE_name> | Path and file name for the server's PSE | Path description (in quotation marks, if spaces exist) | None
-x | <PIN> | PIN that protects the PSE | Character string | None
-O | [<NT_Domain>\]<user_ID> | User for which the credentials are created (the user that runs the dispatcher service). | Valid operating system user | The current user

With the additional options, you can also use the seclogin command to delete the server's credentials, change the PIN that protects a PSE, or list the available credentials for a user. See the table below.

Additional Options

Option | Parameter | Description | Allowed Values | Default
-l | None | List all available credentials for the current user. | Not applicable | Not set
-d | None | Delete PSE | Not applicable | Not set
-chpin | None | Specifies that you want to change the PIN | Not applicable | Not set


Example

The following command line opens the Identity Center’s PSE and creates credentials for the user MXDispatcher_Service_User:

sapgenpse seclogin -p IC.pse -x abcpin -O MXDispatcher_Service_User

Result

The credentials file (cred_v2) for the user provided with the -O option is created in the SECUDIR directory.

Check the contents of the directory at the operating system level to make sure the credentials were created in the correct location before proceeding with the next step.
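The access check the note above asks for, as an added example that is not part of this guide or of the SAP tooling: a Python script that confirms cred_v2 exists under SECUDIR and that only the service user can read it. It assumes a Unix host (POSIX mode bits and the pwd module; on the Windows default with SYSTEM the file's ACL would have to be inspected instead), and the service user name is an assumption.

```python
import os
import pwd   # Unix only; on Windows (default user SYSTEM) the file's ACL would need inspecting instead
import stat

def assess_cred_v2(mode: int, owner_uid: int, service_uid: int) -> list:
    """Judge a cred_v2 file from its stat() results: it must belong to the service user
    and carry no group/other permission bits. Pure function, so it is testable without a file."""
    problems = []
    if owner_uid != service_uid:
        problems.append(f"owner uid {owner_uid} is not the service user uid {service_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other have access bits set (mode %o)" % (mode & 0o777))
    if not mode & stat.S_IRUSR:
        problems.append("owner cannot read the file")
    return problems

def check_cred_v2(secudir: str, service_user: str) -> list:
    """Locate <SECUDIR>/cred_v2 and return a list of problems (empty means it looks right)."""
    path = os.path.join(secudir, "cred_v2")
    if not os.path.isfile(path):
        return [f"{path} does not exist; run sapgenpse seclogin with -O {service_user}"]
    st = os.stat(path)
    service_uid = pwd.getpwnam(service_user).pw_uid
    return assess_cred_v2(stat.S_IMODE(st.st_mode), st.st_uid, service_uid)

if __name__ == "__main__":
    import sys
    # Assumed service user name; pass the real one as the first argument.
    user = sys.argv[1] if len(sys.argv) > 1 else "mxdispatcher"
    for line in check_cred_v2(os.environ.get("SECUDIR", "."), user) or ["cred_v2 ownership and mode look correct"]:
        print(line)
```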

F.4 Exchanging the Public-Key Certificates

This procedure assumes that you are using different PSEs for the AS ABAP server and the Identity Center. If you are using the same PSE, then you can skip this step.

In this step, you will establish a trust relationship between the two servers by exchanging their public-key certificates. This procedure consists of the following steps.

1. Export the Identity Center’s public-key certificate from the Identity Center’s PSE.

2. Import the Identity Center’s public-key certificate into the AS ABAP’s SNC PSE.

3. Export the AS ABAP’s public-key certificate from the AS ABAP’s SNC PSE.

4. Import the AS ABAP’s public-key certificate into the Identity Center’s PSE.

See the sections that follow.

F.4.1 Exporting the Identity Center’s Public-Key Certificate

Procedure

Use the tool's command export_own_cert to export the server's certificate:

sapgenpse export_own_cert -o <output_file> -p <PSE_name> [-x <PIN>]

Where:

Options

| Option | Parameter | Description | Allowed Values | Default |
|---|---|---|---|---|
| -o | <output_file> | Exports the certificate to the named file | Path description (in quotation marks, if spaces exist) | stdout |
| -p | <PSE_name> | Path and file name for the server's PSE | Path description (in quotation marks, if spaces exist) | None |
| -x | <PIN> | PIN that protects the PSE | Character string | None |


Example

The following command line exports the Identity Center’s public-key certificate to the file IC.crt:

sapgenpse export_own_cert -o IC.crt -p IC.pse -x abcpin

F.4.2 Importing the Identity Center’s Public-Key Certificate Into the AS ABAP’s SNC PSE

If the AS ABAP uses the SAP Cryptographic Library as its security provider for SNC, then you can use the trust manager to maintain the AS ABAP’s SNC PSE.

Prerequisites

You know the PIN that protects access to the AS ABAP’s SNC PSE.

You have access to the Identity Center’s public-key certificate that you exported in the last step.

Procedure

Using the trust manager on the AS ABAP (transaction STRUST):

1. Select the SNC PSE with a double-click.

2. Enter the PIN that protects access to the PSE.

Information about the SNC PSE appears in the upper section of the trust manager’s screen.

3. Choose Certificate -> Import from the menu or the symbol for Import certificate.

4. In the dialog that follows, enter the path and file name of the Identity Center’s public-key certificate file, select the Base64 format, and choose Enter.

The certificate appears in the Certificate section of the trust manager’s screen.

5. Choose Add to Certificate List to add the certificate to the AS ABAP’s SNC PSE.

6. Save the data.

Do not forget to save the data. Otherwise, changes made to the PSE are lost.


F.4.3 Exporting the AS ABAP’s Public-Key Certificate

Continue with exporting the AS ABAP’s public-key certificate.

Procedure

1. Make sure the SNC PSE is still the selected PSE.

2. Select the certificate shown in the Owner field with a double-click.

Information about the certificate appears in the Certificate section.

3. Choose Certificate -> Export from the menu or the symbol for Export certificate.

4. In the dialog that follows, enter the path and file name where you want to save the file, select the Base64 format and choose Enter.

The file is saved to the file system.

You can now import this file into the Identity Center’s PSE.

F.4.4 Importing the AS ABAP’s Public-Key Certificate Into the Identity Center’s PSE

Return to the Identity Center server and import the AS ABAP’s public-key certificate into the Identity Center’s PSE.

Prerequisites

You have access to the AS ABAP’s public-key certificate that you exported in the last step.

Procedure

Use the tool's command maintain_pk to import the AS ABAP’s public-key certificate into the Identity Center PSE’s certificate list:

sapgenpse maintain_pk [-a <cert_file>] -p <PSE_name> [-x <PIN>]

Where:

Options

| Option | Parameter | Description | Allowed Values | Default |
|---|---|---|---|---|
| -a | <cert_file> | Add certificate from file <cert_file> to the certificate list | Path description (in quotation marks, if spaces exist) | None |
| -p | <PSE_name> | Path and file name for the server's PSE | Path description (in quotation marks, if spaces exist) | None |
| -x | <PIN> | PIN that protects the PSE | Character string | None |


Additional Options

| Option | Parameter | Description | Allowed Values | Default |
|---|---|---|---|---|
| -m | <cert_file> | Add multiple certificates from <cert_file> to the certificate list | Not applicable | None |
| -M | <store> | Add multiple certificates from the CryptoAPI certificate store to the certificate list | ROOT, CA, MY, SPC | None |
| -d | <number> | Delete certificate number <number> from the certificate list | Numerical value | None |
| -l | None | List existing certificate list | Not applicable | None |
| -y | None | Automatic YES-mode for the -m or -M options | Not applicable | None |

Example

The following command line imports the AS ABAP’s certificate from the file <AS_ABAP_DIR_INSTANCE>\sec\ABC.crt into the Identity Center’s PSE:

sapgenpse maintain_pk -a <AS_ABAP_DIR_INSTANCE>\sec\ABC.crt -p <Install_folder>\sec\IC.pse

F.5 Setting the SNC Parameters

You then have to set the connection-specific SNC parameters in the repository constants for the AS ABAP system that you are connecting to. Set the parameters as shown in the table below.

Repository Constants for SNC

| Parameter | Description | Permitted Values | Example |
|---|---|---|---|
| JCO_CLIENT_SNC_LIB | Path and file name of the SAP Cryptographic Library | String value | <Install_folder>\sapcrypto.dll |
| JCO_CLIENT_SNC_MODE | SNC activation indicator | 0, 1 (0 = SNC disabled, 1 = SNC activated) | 1 |
| JCO_CLIENT_SNC_MYNAME | The Identity Center’s SNC name | String value | p:CN=IC, O=MyCompany, C=DE |
| JCO_CLIENT_SNC_PARTNERNAME | SNC name of the communication partner (AS ABAP) | String value | p:CN=ABC, O=MyCompany, C=DE |
| JCO_CLIENT_SNC_QOP | Quality of protection level | 1: Secure authentication only; 2: Data integrity protection; 3: Data privacy protection; 9: Use the value from snc/data_protection/max | 3 |

For more information about setting repository constants, see Creating Repositories [Page 24].

For more information about the SNC parameters, see http://help.sap.com/saphelp_nw70/helpdata/en/d9/e8a740bbaa4d8f8bee6f7b173bd99f/frameset.htm in the SAP Help Portal.

F.6 Maintaining the Extended User ACL

When setting up the SNC-protected connection, the two systems are authenticated within the SNC layer, but not the actual user that is to log on to the AS ABAP using the connection. Therefore, to allow the service user to connect to the AS ABAP using the secure connection, you must maintain the extended user ACL. Proceed as follows:

Using table maintenance (for example, transaction SM30):

1. Maintain the table USRACLEXT.

2. Choose New Entries.

3. Enter the following data in the corresponding fields:

| Field | Value | Example |
|---|---|---|
| User | <IC_service_user> | IC_SERV_USER |
| Sequence Number | <sequential number> | 000 |
| SNC Name | <IC_SNC_Name> | p:CN=IC, O=MyCompany, C=DE |

4. Save the data.

F.7 Testing the Connection

1. Set up a job that reads data from the AS ABAP and run it.

If the job returns errors, set the following system environment variables:

RFC_TRACE = 1

CPIC_TRACE = 3

2. Run the job again.

3. Check the CPIC trace file.

This file has the name CPICTRC<number> and, by default, is located in the Identity Center’s install folder.


The file contains the SNC initialization information. A correct initialization appears as follows.

[Thr 3560] <<- SncSetParam()==SAP_O_K
[Thr 3560] ->> SncInit(prg=5, ini_fname=(NULL), &sec_avail=000784D3)
[Thr 3560] SncInit(): Initializing Secure Network Communication (SNC)
[Thr 3560] PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 3560] SncInit(): Trying user/application supplied as a gssapi library name: "C:\Program Files\SAP\IdM\Identity Center\sapcrypto.dll".
[Thr 3560] load shared library (C:\Program Files\SAP\IdM\Identity Center\sapcrypto.dll), hdl 0
[Thr 3560] using "C:\Program Files\SAP\IdM\Identity Center\sapcrypto.dll"...
[Thr 3560] File "C:\Program Files\SAP\IdM\Identity Center\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
[Thr 3560] The internal Adapter for the loaded GSS-API mechanism identifies as: Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
[Thr 3560] <<- SncPDLInit()==SAP_O_K
[Thr 3560] SncInit(): Initiating Credentials available, lifetime=263246h 32m 39s
[Thr 3560] <<- SncInit()==SAP_O_K
[Thr 3560] sec_avail = "true"
[Thr 3560] ->> SncSessionInit(&snc_hdl=000784D4)
[Thr 3560] <<- SncSessionInit()==SAP_O_K
[Thr 3560] out: &snc_hdl = 0D753FC8
[Thr 3560] ->> SncSetMyName(snc_hdl=0D753FC8, myname="p:CN=IC, O=MyCompany, C=DE")
[Thr 3560] <<- SncSetMyName()==SAP_O_K
[Thr 3560] in: myname = "p:CN=IC, O=MyCompany, C=DE"
[Thr 3560] ->> SncSessionInitiator(snc_hdl=0D753FC8, auth_type=1, buf_size_hint=0, target='p:CN=ABC, O=MyCompany, C=DE')
[Thr 3560] <<- SncSessionInitiator()==SAP_O_K
[Thr 3560] in: target = "p:CN=ABC, O=MyCompany, C=DE"
[Thr 3560] parses to = "p:CN=ABC, O=MyCompany, C=DE"
[Thr 3560] ->> SncSetQOP(snc_hdl=0D753FC8, min=max default, max=max default, qop=max default)
[Thr 3560] <<- SncSetQOP()==SAP_O_K
[Thr 3560] in: qop values = "min=9 (max default), max=9 (max default), use=9 (max default)"
[Thr 3560] resulting = "min=3 (old:2), max=3 (old:3), use=3 (old:3)"
[Thr 3560] STISncInit: set snc state to SNC_ENABLED


Any errors will be indicated in this initialization block. The table below shows typical error conditions.

| Error | Description | Solution |
|---|---|---|
| GSS-API(maj): No credentials were supplied; GSS-API(min): Can't read file; Couldn't acquire DEFAULT INITIATING credentials | Either credentials were not created, or they were created for the wrong user. | Make sure the Identity Center’s SNC name is correct. Use the sapgenpse command get_my_name to obtain the Distinguished Name being used. Make sure this coincides with the repository constant JCO_CLIENT_SNC_MYNAME. Also make sure the credentials exist for the correct user. To make sure, delete the cred_v2 file (if it exists) and create credentials for the correct user. (The user ID is also indicated in the error message.) Use the sapgenpse seclogin command with the -O option to set the user for which the credentials apply. |
| SncSetMyName()==SNCERR_BAD_NT_PREFIX; in: myname; in: target | The message in: myname indicates that the Identity Center’s SNC name is not correct. The message in: target indicates that the AS ABAP’s SNC name is not correct. | Check the value of the repository constant JCO_CLIENT_SNC_MYNAME or JCO_CLIENT_SNC_PARTNERNAME depending on the corresponding message. Make sure the SNC name contains the prefix p:. |
| GSS-API(maj): A token had an invalid signature; GSS-API(min): The name is wrong | The connection could not be established. | Check the SNC name for the AS ABAP in the repository constant JCO_CLIENT_SNC_PARTNERNAME. Make sure it corresponds to the SNC name specified in the profile parameter snc/identity/as on the AS ABAP. |
| GSS-API(maj): A token had an invalid signature; GSS-API(min): Certification path ends at wrong CA | The connection could not be established. | The certification path could not be verified. Check the trust relationships. Make sure the Identity Center’s public-key certificate is contained in the SNC PSE’s certificate list on the AS ABAP. Also make sure the AS ABAP’s public-key certificate is contained in the Identity Center’s certificate list. You can use the sapgenpse maintain_pk -l option to check the Identity Center’s certificate list. |
| no conversation found with id <ID> (in addition, the error "SNC name and specified user/client do not match" appears in the job log) | The connection could not be established with the given parameter values. | Check the connection parameters in the repository constants that are used for logon. These include user ID, password, client and language. In addition, make sure the access control table USRACLEXT contains an entry that maps the service user to the Identity Center’s SNC name. |
| SNC disabled, reject request from host=<host> TP=java | SNC is not active on the target system. | Activate SNC and check the configuration on the target system. |
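An added example, not part of this guide or of the SAP tooling: a Python checker for the CPIC trace that confirms the initialization reached SNC_ENABLED, reads the SNC names the trace actually used, compares them against the JCO_CLIENT_SNC_MYNAME and JCO_CLIENT_SNC_PARTNERNAME constants from F.5, and flags the error signatures listed in the table above. The sample trace and constants are constructed from the examples on this page, not captured from a live system.

```python
import re

# Error signatures from the troubleshooting table above, each with the first thing to check.
KNOWN_ERRORS = {
    "No credentials were supplied": "credentials missing or created for the wrong user (seclogin -O)",
    "SNCERR_BAD_NT_PREFIX": "an SNC name lacks the p: prefix",
    "The name is wrong": "JCO_CLIENT_SNC_PARTNERNAME does not match snc/identity/as on the AS ABAP",
    "Certification path ends at wrong CA": "a certificate is missing from a PSE certificate list",
}

def _grab(pattern: str, text: str):
    """First capture group of the first match, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def normalize_dn(name: str) -> str:
    """Canonicalise spacing so 'p:CN=IC, O=X' and 'p:CN=IC,O=X' compare equal."""
    return re.sub(r",\s*", ",", name.strip())

def parse_snc_trace(text: str) -> dict:
    """Pull the SNC facts out of a CPICTRC<number> file's initialization block."""
    return {
        "init_ok": "SncInit()==SAP_O_K" in text and "SNC_ENABLED" in text,
        "myname": _grab(r'myname="([^"]+)"', text),
        "target": _grab(r'in: target = "([^"]+)"', text),
        "errors": [(sig, hint) for sig, hint in KNOWN_ERRORS.items() if sig in text],
    }

def check_against_constants(trace: dict, constants: dict) -> list:
    """Compare the trace facts with the F.5 repository constants; returns findings (empty = OK)."""
    findings = [f"{sig}: {hint}" for sig, hint in trace["errors"]]
    if not trace["init_ok"]:
        findings.append("SNC initialization did not reach SNC_ENABLED")
    for key, seen in (("JCO_CLIENT_SNC_MYNAME", trace["myname"]),
                      ("JCO_CLIENT_SNC_PARTNERNAME", trace["target"])):
        configured = constants.get(key, "")
        if not configured.startswith("p:"):
            findings.append(f"{key} must carry the p: prefix")
        elif seen and normalize_dn(seen) != normalize_dn(configured):
            findings.append(f"{key} ({configured}) differs from the name in the trace ({seen})")
    return findings

# Constructed sample modelled on the trace excerpt above; not a real capture.
SAMPLE_TRACE = """[Thr 3560] <<- SncInit()==SAP_O_K
[Thr 3560] ->> SncSetMyName(snc_hdl=0D753FC8, myname="p:CN=IC, O=MyCompany, C=DE")
[Thr 3560] in: target = "p:CN=ABC, O=MyCompany, C=DE"
[Thr 3560] STISncInit: set snc state to SNC_ENABLED"""
SAMPLE_CONSTANTS = {"JCO_CLIENT_SNC_MYNAME": "p:CN=IC,O=MyCompany, C=DE",
                    "JCO_CLIENT_SNC_PARTNERNAME": "p:CN=ABC,O=MyCompany, C=DE"}
```

Run check_against_constants(parse_snc_trace(open(path).read()), constants) on a real CPICTRC file; an empty list means the names in the trace match the repository constants and none of the table's error signatures appeared.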