SAP NetWeaver Identity Management 7.0 SPS 2. Identity Management for SAP System Landscapes: Configuration Guide


SAP NetWeaver Identity Management 7.0 SPS 2
Identity Management for SAP System Landscapes: Configuration Guide
Document Version 1.2, April 2008

SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany. T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

Copyright 2008 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.

Documentation on SAP Service Marketplace: You can find this documentation at service.sap.com/security

Typographic Conventions

Type Style: Represents

Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons: Caution, Example, Note, Recommendation, Syntax

History of Changes

Version 1.2:
- Provided information for connecting dual-stack systems to the Identity Center. For this case, connect the dual-stack SAP system to the Identity Center using the AS ABAP templates.
- Provided information for connecting a central user administration (CUA) to the Identity Center. Connect the CUA system to the Identity Center using the AS ABAP templates. Set the repository constant CUA_MASTER. Also see the other considerations that apply.
- Provided information about supporting time-dependent ABAP role assignments. See the considerations and prerequisites that apply.
- Provided instructions for updating the provisioning framework from SPS 1.
- Minor improvements made throughout the document.

Version 1.1:
- Error fixed in HR attributes P0002-VORNA, SYHR_A_P0000_AF_HIREDATE, and SYHR_A_P0000_AF_HIREDATE.
- Changed the recommendation to deactivate the option for automatically creating new attributes, as this can lead to discrepancies caused by minor mistakes such as typing errors. Therefore, deactivate this option and create the attributes used by the provisioning framework manually.
- The ABAP connector does support importing derived roles during the initial load. Derived roles are read and provisioned the same way as non-derived ones.
- Error fixed in AS Java repository constants for the provisioning, deprovisioning, and modifying user tasks.
- Included SNC configuration for connectors to AS ABAP.
- Minor improvements made throughout the document.
- Changed the title to reflect the content better. Previous title: Provisioning Framework for SAP Systems: Connectivity.

Version 1.0: Original version

Contents

1 INTRODUCTION ... 1
1.1 Prerequisites ... 1
1.2 Limitations and Considerations ... 2
2 GETTING STARTED WITH THE PROVISIONING FRAMEWORK FOR SAP SYSTEMS ... 6
2.1 Overview ... 6
2.2 Rules and Recommendations ... 10
3 IMPLEMENTATION PROCESS ... 13
3.1 Importing the Provisioning Framework for SAP Systems ... 14
3.2 Adjusting Constants and Assigning Event Tasks ... 18
3.3 Selecting the Use Case to Implement ... 20
3.4 Setting up the Landscape ... 21
3.5 Performing the Initial Loads ... 35
3.6 Cleaning up the Collected Data ... 38
3.7 Scheduling the Update Jobs ... 39
3.8 Set Up User Interfaces for User Administration (Workflow) ... 39
3.9 Maintaining Business Roles ... 41
3.10 Provisioning ... 41
3.11 Next Steps ... 42
APPENDIX A: REPOSITORY CONSTANTS ... 45
APPENDIX B: MAPPING BETWEEN IDENTITY CENTER AND AS ABAP ATTRIBUTES ... 50
APPENDIX C: CONFIGURING THE VIRTUAL DIRECTORY SERVER ... 54
APPENDIX D: CONFIGURING THE SAP HCM SYSTEM ... 56
D.1 Creating the Query to Use for the Export ... 56
D.2 Specifying the Attribute Mapping Between the HR Fields and LDAP Synchronization ... 58
D.3 Creating an RFC Destination to Use for the LDAP Connector ... 60
D.4 Configuring the Parameters to Use for the Connection to the VDS ... 60
D.5 Maintain the Attribute Mappings ... 62
D.6 Export the Data ... 65
APPENDIX E: CONFIGURING THE ABAP CONNECTOR TO USE SNC ... 66
E.1 Downloading and Installing the SAP Cryptographic Library ... 67
E.2 Creating a Personal Security Environment ... 68
E.3 Creating Credentials ... 70
E.4 Exchanging the Public-Key Certificates ... 71
E.4.1 Exporting the Identity Center's Public-Key Certificate ... 71
E.4.2 Importing the Identity Center's Public-Key Certificate Into the AS ABAP's SNC PSE ... 72
E.4.3 Exporting the AS ABAP's Public-Key Certificate ... 73
E.4.4 Importing the AS ABAP's Public-Key Certificate Into the Identity Center's PSE ... 73
E.5 Setting the SNC parameters ... 74
E.6 Maintaining the Extended User ACL ... 75
E.7 Testing the Connection ... 75

Identity Management for SAP System Landscapes: Configuration Guide

1 Introduction

You can use SAP NetWeaver Identity Management for processing identity information in a variety of ways, depending on your system landscape. You can use it in homogeneous or heterogeneous landscapes, either with or without SAP systems. In Identity Management for SAP System Landscapes: Architectural Overview, we described a number of use cases where you can use SAP NetWeaver Identity Management for identity provisioning with SAP systems. These use cases are:

SAP Human Capital Management (HCM) Integration
This use case shows how to manage identities when the leading identity source is an SAP HCM system and the identities are provisioned to an LDAP directory server by the Identity Center.

SAP NetWeaver Portal Environment
This use case shows how to manage identities in an SAP NetWeaver Portal environment. In this case, the leading identity source is a corporate directory, and the identities are provisioned to the portal's AS Java and the various back-end systems. In this example, we show how to provision to an AS ABAP back-end system.

Identity Lifecycle Management
This use case shows how to integrate the first two cases, whereby the identities from the SAP HCM use case that have been provisioned to the LDAP directory server are also used for the portal environment and the corresponding back-end system(s).

To implement these use cases, we provide a provisioning framework for SAP systems with SAP NetWeaver Identity Management 7.0 (as of SPS 1). This framework provides templates for connecting SAP systems to SAP NetWeaver Identity Management and for setting up the corresponding provisioning jobs.

1.1 Prerequisites

Role model
As mentioned in the document Identity Management for SAP System Landscapes: Architectural Overview, a primary prerequisite for the implementation of identity management is a role model. The role model provides a mapping between the user's business role (for example, EMPLOYEE) and the technical roles or privileges in the back-end system (for example, the ABAP role Z_HCM_EMPLOYEE_ROLE).

You are familiar with the SAP NetWeaver Identity Management components. These comprise the Identity Center and the Virtual Directory Server (VDS).

You have installed the Identity Center, as well as the Workflow and Monitoring components. For the SAP HCM use case, you have also installed the VDS component.

When working with the provisioning framework for SAP systems, the systems must meet the following system requirements:

- SAP NetWeaver Identity Management: Release 7.0 SPS 1 or higher. The following features require Release 7.0 SPS 2:
  - Support for time-dependent privilege assignments
  - Support for connecting a central user administration central system
  - Support for connecting a dual-stack system
- AS ABAP: Release 4.6C or higher
- AS Java/Portal: Release 6.40, 7.00, or 7.10. In addition, SPML patches must be deployed on the AS Java as described in SAP Note 1064236.

You have credentials to use for the connections to the target systems. The corresponding authorizations allow for creating and updating entries.

1.2 Limitations and Considerations

Limitations and Considerations When Using the SAP HCM Use Case

The following limitations apply when using the SAP HCM use case:
- When replicating the data to the Identity Center from SAP HCM over the Virtual Directory Server, you can only use scheduled synchronization. You cannot synchronize the data based on events. This is a limitation of SAP HCM.
- The delta mechanism is not pre-configured when importing the data from the SAP HCM system into the staging area in the Identity Center. A full load is always performed.
- The employee data in the SAP HCM system cannot be updated from the Identity Center.
- If you have difficulties transferring Unicode characters from the SAP HCM system, then start the system's LDAP connector using the code page that corresponds to the SAP HCM system. For more information, see SAP Note 539198.

Considerations When Using the Identity Lifecycle Management Use Case

When using this use case, you must ensure that users exist in the LDAP directory server before running jobs or initiating provisioning steps that assign portal roles to the users. Otherwise, if a user exists in SAP HCM and is assigned to a portal role, and the portal role assignment is provisioned without the user existing in the LDAP directory server that is used as the user store for the portal, then you will receive errors. For more information, see page 32.

Limitations that Apply to All Connectors

The following limitations apply when using the provisioning framework for SAP systems:
- Whenever a user attribute is changed (except for role assignments), all user attributes are provisioned to the selected back-end systems (not only the changed attributes).
- After removing all of the privileges from an MX_PERSON entry in the identity store, the respective Java or ABAP user is deleted in the corresponding repository. The system attempts to delete the user for each assignment that was removed; therefore, if several privileges were assigned to the user in the repository, the system also attempts to delete the user several times. The first deletion is successful, but the following attempts produce error messages because the user was already deleted. You can ignore these error messages.
- Whenever a role or group assignment is changed, all role, profile, and group assignments are provisioned (not only the changed roles, profiles, or groups). The assignments are provisioned to all systems that are affected by the change.
- When performing the initial loads, consolidation occurs based on user IDs, meaning that an identity is created in the identity store for each unique user ID that is read.
- When performing the initial load, the script custom_initializepassword is called, which generates initial passwords for the users. By default, the script's input parameter is set to the last name; however, it is only a placeholder and is not actually used to generate the password. You must modify this script to generate passwords for the users based on your needs.
- The users used for the connections should be technical users that do not have to change their passwords, for example, service users in AS ABAP or technical users in AS Java. Since the connections are system-to-system connections that do not have a user interface, errors occur if the user is a dialog user and is required to change his or her password, for example, if the password is initial.

Limitations and Considerations for ABAP System Connectors

As of SPS 2, time dependencies for privilege assignments are supported. This means that time-dependent ABAP role assignments are no longer lost in the initial load. The time dependencies are read into the Identity Center with the initial load. The privilege assignments are then provisioned to the target systems when they become active. After the initial load, the time dependencies are stored in the Identity Center and no longer in the AS ABAP. Previous time-dependent assignments are lost in this step; therefore, you no longer have a history of such assignments. You also no longer see future assignments in the AS ABAP.

To improve efficiency, you can execute the report PRGN_COMPRESS_TIMES with the option Remove Validity Periods That Have Already Expired for all users. This removes all outdated role assignments so that the initial load only reads active and future role assignments.

For Release 7.0 SPS 1 and lower, the templates do not support time dependencies and the execution of this report is mandatory. If you connect an AS ABAP system that has time dependencies in role assignments to the Identity Center in these releases, then these are lost when the Identity Center provisions the assignments back to the AS ABAP system. In this case, you must execute the report PRGN_COMPRESS_TIMES as mentioned above.

As of Release 7.0 SPS 2, the templates provided support dual-stack systems. In this case, specify the repository as a dual-stack type and use the AS ABAP job and task templates. The dual-stack repository type contains the connection information for both the AS ABAP and the AS Java back-end systems, and the job and task templates check whether the system is a dual-stack system at execution time.

Further limitations of the ABAP connector:
- The ABAP connector does not support reference users.
- The ABAP connector does not support user groups. User groups are not loaded during the initial load and are not provisioned. This applies both to user groups used for maintenance and to the groups used for authorization checks.
- Composite roles and derived roles are read into the identity store; however, there is no information in the Identity Center to indicate these role types. In the Identity Center, you see a flat list containing all roles.
- The ABAP connector cannot delete company addresses.
- Mobile numbers must not contain a hyphen (-). The ABAP connector interprets the hyphen (-) as an extension, but the AS ABAP ignores extensions for mobile numbers.
- Not all identity attributes are supported. See Appendix B: Mapping Between Identity Center and AS ABAP Attributes [Page 50] for a list of the supported attributes.

Additional Prerequisites for AS ABAP System Connectors

Automatic profile generation must be enabled on the AS ABAP so that changes to role assignments are automatically reflected in a user's profile. You can check this using table maintenance (for example, transaction SM30). Maintain the table PRGN_CUST. Make sure an entry with the name AUTO_USERCOMPARE exists in the table and that it contains the value YES. If you do not activate AUTO_USERCOMPARE, then run the report PFCG_TIME_DEPENDENCY after executing any provisioning steps.

The communication user used for the ABAP connector should only have the necessary authorizations in the back-end system. For this purpose, we deliver the role Z_SAP_BC_SEC_IDM_COMMUNICATION with SAP NetWeaver Identity Management. You can find this role in the installation package in the <IC_Install_Package>\Misc subdirectory. Upload this file to the ABAP system and assign it to the user used for the ABAP connector.

This role was updated with Release 7.0 SPS 2 with authorizations for using the CUA. Therefore, if you are upgrading to SPS 2 and want to connect a CUA system to the Identity Center, then you must also upload the new version of the role, regenerate the corresponding profiles, and update the role assignment for the communication user.

Limitations and Considerations when Connecting a CUA System

As of Release 7.0 SPS 2, the templates provided support central user administration (CUA). To support a CUA landscape, connect the CUA central system to the Identity Center using the ABAP connector. The Identity Center provisions identity data to the CUA central system, which in turn provisions the data to its child systems. This provisioning takes place according to the configuration of the attribute distribution settings on the central system. Although you do not have to change the attribute distribution settings (using transaction SCUM), we recommend using the global distribution setting for attributes so that they can be maintained in the Identity Center.

- Only connect the CUA central system to the Identity Center. Do not connect any of the CUA child systems. If you want to connect a child system directly to the Identity Center, disconnect it from CUA first.
- If a corresponding LDAP directory is also connected to the Identity Center, then the LDAP synchronization for the CUA central system is obsolete.
- You no longer need to assign users to systems in the CUA landscape, as the Identity Center makes this correlation when a user is assigned a privilege in the corresponding system.

Additional Prerequisites for AS Java System Connectors

The communication user used for the AS Java connector should only have the necessary authorizations in the back-end system, which are provided with the UME action UME.Spml_Write_Action. (There is also an action called UME.Spml_Read_Action for read-only access.)

Limitations and Considerations for LDAP Directory Connectors

Templates for the Sun One directory server are provided. Templates for other directory servers are not available. You can adjust the tasks and jobs for other directory servers to meet your needs on a project basis.

Considerations When Customizing the Provisioning Framework

If you need to modify the provisioning framework to meet your needs, then copy the corresponding templates to a custom folder and only modify the copied tasks. See Section 2.2 Rules and Recommendations [Page 10].

2 Getting Started with the Provisioning Framework for SAP Systems

2.1 Overview

The provisioning framework for SAP systems provides a set of templates that you can reference when you set up the system-specific jobs used for your provisioning use case. Before you start working with the templates and creating the jobs, you should familiarize yourself with the structure and content of the framework. You should be familiar with:
- The entry types that you will be working with, for example, the entry type MX_PERSON represents user objects in the system.
- The attributes that describe these entry types.
- How to use tasks and jobs to work with the entry types.

These aspects are described in the sections that follow.

Entry Types

The identity store stores the identity data according to a schema that consists of entry types and attributes. The entry types are objects that describe how the different identity-relevant objects are represented in the Identity Center. The entry types used when working with the provisioning framework for SAP systems are:

MX_PERSON: This is the entry type used for user objects in the system.

MX_ROLE: This is the entry type used for business role objects. Nesting MX_ROLE entries is possible.

MX_PRIVILEGE: This is the entry type used for permission objects (that is, technical roles) in the system, for example:
- ABAP roles and profiles
- Portal and UME roles
- UME database groups
- LDAP groups
Nesting is not possible.

MX_GROUP: This is the entry type used for LDAP group hierarchies that contain privileges. For example, in addition to being a privilege itself, an LDAP group can contain privileges that represent ABAP roles, ABAP profiles, or portal roles. The attribute MX_GROUP contains the hierarchical structure used for assigning these privileges to the users.

MX_COMPANY_ADDRESS: This is the entry type used for company addresses.

These entry types are delivered with predefined sets of attributes that you can extend to meet your needs.

Attributes

The schema used by the provisioning framework for SAP systems contains a number of attributes that are used to describe the entry types (for example, MX_LASTNAME, MX_FIRSTNAME). See the identity store schema for a complete list of the attributes available. Some of the most important are shown in the table below.

Attribute | Description | Applicable Entry Type
MSKEYVALUE | Unique identifier for the identity object | All
ACCOUNT<Repository> | Unique user ID for the user in the target repository | MX_PERSON
MX_REPOSITORYNAME | Identifier for the home repository where the original privilege is defined | MX_PRIVILEGE

Tasks and Jobs

Setting up SAP NetWeaver Identity Management for provisioning and the identity provisioning itself takes place using tasks and jobs. Although both are flexible and you can use either in many situations, we provide the following guidelines.

Tasks: Use tasks for provisioning identity data when changes occur. They are triggered, for example, when a user account is changed from the Workflow user interface.

Jobs: Use jobs for performing specific mass operations like initial loads, updates, or reconciliation. You can start jobs explicitly or schedule them to run at a certain time.

The way that tasks and jobs are reflected when using the provisioning framework for SAP systems is described below.

Task Templates

The framework provides a set of task templates that you can refer to when creating the tasks to use for identity management. These templates are divided into the following categories:
- Global event tasks: This group contains task templates for global tasks that are triggered during the provisioning process.
- System type specific tasks: This group includes task templates that are specific to one system type. They include tasks for AS ABAP, AS Java, and LDAP.
- Generic tasks: This group contains task templates for tasks that are reusable for other tasks.
- Web-enabled tasks: This group contains task templates for tasks that are used for setting up the Workflow user interface.

Job Templates

The framework also provides a set of templates that you can use for setting up jobs. The following jobs are supported:

Initial Load: The initial load job retrieves the identity information from the connected system and stores it in the identity store in the Identity Center.

Initial Provisioning: This job provisions the data that was consolidated during the initial load back to the connected systems. The following data is provisioned accordingly:

Use Case | Provisioned Data
SAP HCM | AS ABAP: all MX_PERSON and MX_COMPANY_ADDRESS entries
SAP NetWeaver Portal | AS ABAP: all MX_PERSON and MX_COMPANY_ADDRESS entries; AS Java (Database): all MX_PERSON entries
Lifecycle Management | LDAP (SUNONE): all MX_PERSON entries; AS ABAP: all MX_PERSON and MX_COMPANY_ADDRESS entries; AS Java (Database): all MX_PERSON entries

The leading systems LDAP (SUNONE) and SAP HCM are not included for their use cases. In these cases, we assume that the data being read is complete and correct and does not need to be updated by the Initial Provisioning jobs.

Update: Set up this job to run occasionally to update data from the connected systems. This job checks for changes on original objects, for example, changes to identities in the leading system, or changes to roles that are locally maintained in the connected systems. These changes are then read into the Identity Center and provisioned to the affected systems.

You should carefully define which local changes are still permitted once SAP NetWeaver Identity Management is active. To enforce the desired rules, specify the authorizations for users and administrators in the target systems as appropriate. Then, enable or disable the passes of the update job according to your rules.

Example rules for SAP systems:
- Create, modify, delete users: no
- Create, delete roles/groups/profiles: yes
- Assign/unassign roles/groups/profiles: no

Example rules for an LDAP directory that is a leading system:
- Create, modify, delete entries: yes
- Create, delete groups: yes
- Assign/unassign groups: yes

Reset Delta: This job template is useful during the set-up phase in case something was not set up correctly and you need to rerun any initial load jobs. It resets the delta information that was stored after the original initial load job so that the job can be run again in an initial state.

Clean Provisioning Queue: Run this job to clean up the provisioning queue after performing the initial loads.

2.2 Rules and Recommendations

You will most likely have to modify the jobs and tasks provided by the provisioning framework, for example, to set up your own Workflow approval process. There are several rules and recommendations that you need to take into account when adapting the framework to your own use case. See the points below.

- Do not modify the tasks provided in the framework. If you do need to adjust the tasks to meet your needs, create a second provisioning folder in which you create your own tasks (Custom Tasks in the example below). Use the tasks provided with the framework as templates that you copy into your own folder. In this case, we recommend creating subfolders for each repository in your landscape. Also create subfolders for global event tasks, system type specific tasks, generic tasks and Web-enabled tasks, as necessary. See the figure below.

  If you modify the tasks in the SAP Provisioning Framework folder, then your changes will be overwritten if you import an updated version of the framework. Also, make copies of any tasks in your own folder and do not link to the existing tasks in the SAP Provisioning Framework. Links to existing tasks also modify the original tasks, and therefore such links are also overwritten if you import an updated version of the framework.

- You will have to modify the Web-enabled tasks. Therefore, when setting up the Workflow tasks, make a copy of the Web Enabled Tasks folder and its tasks. Make your changes in this copied folder and not in the SAP Provisioning Framework folder. Disable any templates that are not used. See the figure below. See the procedure for setting up the Workflow application on page 40.

- When you create the job folder that contains your jobs, we also recommend structuring the job folders according to each system. Use the repository name for the folder name. Also set up a folder for global jobs. See the example below. See the procedure for setting up the corresponding jobs on page 27 and page 30.

- Create a separate job structure for each identity store you use. For example, for the SAP HCM use case, also create a job folder that corresponds to the identity store used as the staging area. See the figure below. See the procedure for setting up the corresponding jobs on page 25.

You are free to set up the job folders as you like; however, if you follow these recommendations and naming conventions, then it is easier to resolve consulting or support issues if they arise.

3 Implementation Process

To implement identity provisioning in SAP NetWeaver Identity Management based on the templates we provide, proceed as follows:

1. Import the provisioning framework for SAP systems into the SAP NetWeaver Identity Management Identity Center.
2. Perform the initial configuration. You must adjust some global constants and assign event tasks to entry types and attributes.
3. Select the use case to implement.
4. Set up the landscape for the use case. This includes:
   - Creating repositories for each system that you connect to the Identity Center.
   - Setting up the jobs to use for the use case.
   For the SAP HCM use case, you must also set up a staging area in the Identity Center, set up the Virtual Directory Server, configure the SAP HCM system, and maintain the attribute mappings.
5. Import the identity data into the Identity Center's identity store by performing the initial loads.
6. Clean up the data that was collected from the initial loads and provision the consolidated data back to the connected systems.
7. Schedule the update jobs that should run regularly.
8. Set up the user interfaces for performing user administration.
9. Maintain the business roles in the Identity Center.

Afterwards, changes to user master records in the leading system and changes to technical roles or the corresponding user and role assignments (in the original system for the roles or their assignments) are provisioned to the various systems.

3.1 Importing the Provisioning Framework for SAP Systems

The first step in working with the provisioning framework for SAP systems is to import it into the Identity Center. If you are updating the framework from a previous version, see section 3.1.1 Updating the Provisioning Framework [Page 17].

Prerequisites

- You have installed the Identity Center and performed the initial configuration. For more information, see the installation guides and the Getting Started tutorial.
- You have created an Identity Center configuration to use for the provisioning framework for SAP systems. This is denoted in the following procedure as <IC_Configuration_for_SAP_Systems>.
- You have created a dispatcher for running jobs.
- If you are connecting a central user administration (CUA) system to the Identity Center, then you have updated the role assignment for the communication user. Upload the new version of the role Z_SAP_BC_SEC_IDM_COMMUNICATION, which is delivered with SAP NetWeaver Identity Management, and make sure it is assigned to the communication user.

Procedure

In the Identity Center:

1. Select the <IC_Configuration_for_SAP_Systems> and choose the Options tab page. Activate the option Enable imported jobs. Also select your dispatcher as the Default dispatcher. See the figure below.

   If you do not select these options, then you must enable all of the tasks and set the dispatcher for each task after importing the provisioning framework.

2. Create an identity store to use with the provisioning framework for SAP systems:
   a. Under Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > Identity stores, choose New Identity store... from the context menu for the Identity stores node.
   b. Follow the instructions provided by the wizard. Use the following data:
      - Name: Specify a name for the identity store, for example, SAP_Master. Do not use special characters in the name.
      - Description: Optional
      - Automatically create new attributes: Deactivate (Recommended)
      - Entry types: Do not select any entry types.

   If you activate the option to automatically create new attributes and an error occurs in an attribute definition, for example, a typing error, then a corresponding erroneous attribute will also be automatically created in the identity store. This type of error is difficult to detect and fix. Therefore, we recommend not activating this option. However, in this case, you must manually create the following attributes any time you create a repository:
      - ACCOUNT<REPOSITORYNAME>
      - TEMPACCOUNT<REPOSITORYNAME>
      - DN<REPOSITORYNAME>
      - TEMPDN<REPOSITORYNAME>
      - GROUP<REPOSITORYNAME>

   For information about how to create these attributes and which entry types apply to each attribute, see Section 3.4.1 Creating Repositories [Page 21].

3. Import the SAP Provisioning Framework:
   a. Choose Import... from the context menu for your identity store.
   b. Select the SAP Provisioning Framework_Folder.mcc file from the file system and choose Open. You can find it in the folder <Install_folder>\Templates\Identity Center\SAP Provisioning framework. This file contains the templates available with the framework.
   c. In the Import option screen that appears, select the following:
      - Import (or Update if you are updating the framework from a previous support package)
      - In the Advanced tab page, select the dispatcher(s) that will run the import jobs by selecting the Run jobs option for a default dispatcher.
   d. Choose Next.

   e. In the Import provision group screen, select the SAP Provisioning Framework node and choose Import. You receive a message about the status. You can ignore warnings that refer to cyclic dependencies. Check, however, for jobs and tasks for which a dispatcher could not be set.
   f. Choose Finish.

Result

The SAP Provisioning Framework is imported into the Identity Center. See the figure below.

3.1.1 Updating the Provisioning Framework

If you are updating the framework from a previous version, then follow the instructions above for importing the framework. Note the following:

- Because updating the provisioning framework overwrites the existing framework, we do not recommend changing the framework itself; instead, copy the templates to your own folders before you make changes (see Section 2.2 Rules and Recommendations [Page 10]). If you did make changes to the framework, copy the changed folders to a separate location before performing the update.
- Make sure you select the correct level in the structure to start the import. This is one level above the SAP Provisioning Framework folder. In the example above, this is SAP_Master.

Proceed as follows:

1. Select Import from the context menu for this node.
2. Select the SAP Provisioning Framework_Folder.mcc file from the file system and choose Open. You can find it in the folder <Install_folder>\Templates\Identity Center\SAP Provisioning framework. This file contains the templates available with the framework.
3. In the Import option screen, select Update. Also select the Ignore timestamp option. This ensures that the newest version of the framework is imported completely into the Identity Center.
4. In the Update global script screen, select the Overwrite option and activate Use this action for all matching global scripts. Any changes to scripts will also be overwritten with the updated provisioning framework.
5. In the Update provision group screen that follows, select the options:
   - Remove tasks from target system that have been deleted in source system
   - Remove groups from target system which have been deleted in source system
   By selecting these options, the corresponding tasks and groups will be removed in the target systems upon deletion in the source system. Otherwise, they will be moved to the Lost and Found folder.
   - Update attributes with event tasks
   This option also updates any changes to event tasks.

3.2 Adjusting Constants and Assigning Event Tasks

After importing the framework, you must adjust the following settings:

1. Adjust the global constants shown in the table below. These constants are needed to identify the identity store and to identify the tasks used for provisioning company addresses. You can find the global constants under <IC_Configuration_for_SAP_Systems> > Management > Global constants.

Global Constant | Value | Comment
--- | --- | ---
SAP_MASTER_IDS_ID | <Identity_Store_ID> | This is the ID of the productive identity store.
MX_ABAP_COMPANY_ADDRESS_CREATE_TASK | <Task_ID_for_ProvisionABAPNewCompanyAddress> | You can find the task under SAP Provisioning Framework > System Type Specific Tasks > AS ABAP Tasks.
MX_ABAP_COMPANY_ADDRESS_DELETE_TASK | <blank> |
MX_ABAP_COMPANY_ADDRESS_UPDATE_TASK | <Task_ID_for_ProvisionABAPModifiedCompanyAddress> | You can find the task under SAP Provisioning Framework > System Type Specific Tasks > AS ABAP Tasks.
SAP_SYNC_COMPADDR_TO_USER_TASK | <Task_ID_for_HandleModifiedUserCompanyAddressAssignment> | You can find the task under SAP Provisioning Framework > Global Event Tasks.

2. Assign event tasks to the entry types shown in the table below. This sets up the tasks to trigger when changes occur to entries of the corresponding type. You can find the entry types under <IC_Configuration_for_SAP_Systems> > Identity stores > <Identity_store> > Identity store schema > Entry types. Select the entry type with a double-click and choose the Event tasks tab page to locate the event handling options.

You can find the corresponding tasks under SAP Provisioning Framework > Global Event Tasks.

Entry Type | Event Handling Option | Value
--- | --- | ---
MX_COMPANY_ADDRESS | Add | <Task_ID_for_AddCompanyAddress>
MX_COMPANY_ADDRESS | Modify | <Task_ID_for_ModifyCompanyAddress>
MX_COMPANY_ADDRESS | Delete | None
MX_GROUP | Add | <Task_ID_for_LinkGroup>
MX_GROUP | Modify | None
MX_GROUP | Delete | <Task_ID_for_UnlinkGroup>
MX_PERSON | Add | None
MX_PERSON | Modify | <Task_ID_for_ModifyUser>
MX_PERSON | Delete | None

3. Assign event tasks to the following attributes in the identity store schema. This sets up the tasks to trigger when changes occur to the corresponding attributes. You can find the attributes under <IC_Configuration_for_SAP_Systems> > Identity stores > <Identity_store> > Identity store schema > Attributes. Select the attribute with a double-click and choose the Event tasks tab page to locate the event handling options. You can find the corresponding tasks under SAP Provisioning Framework > Global Event Tasks.

Attributes | Event Handling Option | Value
--- | --- | ---
MX_ADDRESS_CITY, MX_ADDRESS_COUNTRY, MX_ADDRESS_POBOX, MX_ADDRESS_POBOX_POSTAL_CODE, MX_ADDRESS_POSTAL_CODE, MX_ADDRESS_REGION, MX_ADDRESS_STREETADDRESS | Add, Modify, Delete | <Task_ID_for_ModifyBasicAddressData>
MXREF_MX_COMPANY_ADDRESS | Add, Modify | <Task_ID_for_HandleModifiedUserCompanyAddressAssignment>
MXREF_MX_COMPANY_ADDRESS | Delete | None

3.3 Selecting the Use Case to Implement

Once you have set up the initial configuration, you must set up the Identity Center for your particular use case. Therefore, the next step is to identify the use case you want to implement so that you can continue with the corresponding configuration. Based on the information provided in Identity Management for SAP System Landscapes: Architectural Overview, and the summary provided in the table below, select the use case that you want to implement.

Use Case Overview

Use Case: SAP HCM
- Leading Identity System: SAP HCM
- Source System for Data: SAP HCM: Employee data (Identities)

Use Case: SAP NetWeaver Portal
- Leading Identity System: Corporate LDAP directory
- Source System for Data: LDAP server: Users and groups; AS Java: Portal roles, UME roles; AS ABAP: ABAP roles, ABAP profiles, company addresses
- Provisioned Data: LDAP server: Users and user/group assignments; AS Java (read from LDAP): UME users and UME groups; AS Java (provisioned from IC): Role assignments; AS ABAP: Users, user/role assignments, and user/profile assignments

Use Case: Identity Lifecycle Management
- Leading Identity System: SAP HCM
- Source System for Data: SAP HCM: Employee data (Identities); AS Java: Portal roles and UME roles; AS ABAP: ABAP roles, ABAP profiles, company addresses
- Provisioned Data: LDAP server: Users and user/group assignments; AS Java (read from LDAP): UME users and UME groups; AS Java (provisioned from IC): Role assignments; AS ABAP: Users, user/role assignments, and user/profile assignments

When determining which use case to implement, your primary decision criterion should be the leading identity system. Depending on where your user information originally comes from (HR or a corporate LDAP directory server), select the appropriate use case. For the identity lifecycle management use case, start with either of the other two use cases and then add the additional components as appropriate.

Also note that your use case may be based on one or more of these use cases or it may be a derivative. For example, in test landscapes, you may just want to connect a single system to the Identity Center. In such cases, adjust your landscape accordingly.

3.4 Setting up the Landscape

Once you have determined which use case you will implement, set up the landscape accordingly. How to set up the landscape for each use case is described in the sections that follow. See Section 1.2 Limitations and Considerations [Page 2] for considerations that apply to each use case and each connector type.

3.4.1 Creating Repositories

The first step is to create a repository in the Identity Center for each system in the system landscape. The repository data provides the connection information to the system and other system-specific information.

Procedure

For AS ABAP systems, the repository entry corresponds to a logical system on the AS ABAP (that is, system ID and client).

To create a repository:

1. In the Identity Center, under Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > Management > Repositories, choose New Repository from the context menu for the Repositories node.
2. Follow the instructions provided by the wizard. Use the following data as input for the wizard.
   a. Select the template in the <Install_folder>\Templates\Identity Center\Repositories folder that applies to the system type:
      - Directory
      - SAP NetWeaver AS ABAP (Load Balanced Connection)
      - SAP NetWeaver AS ABAP (Specific Application Server)
      - SAP NetWeaver AS Java repository
      - SAP NetWeaver Dual Stack (Load Balanced Connection)
      - SAP NetWeaver Dual Stack (Specific Application Server)
   b. Enter a name and description for the repository and the data that applies to the system connection. The name can contain only letters (A-Z) and numbers (0-9). Spaces or special characters are not supported. For SAP NetWeaver systems, we recommend using <SID><Client> as the name.

   c. Specify the repository constants that apply to the system type. See Appendix A: Repository Constants [Page 45] for a list of constants per repository type. After using the wizard, you can maintain additional constants, for example, the options for using Secure Network Communications (SNC) to securely connect to the AS ABAP.

3. If you did not activate the option to automatically create attributes when importing the provisioning framework, then add the following attributes for the repository to the identity store attributes. To create these attributes:
   a. Under Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > Identity stores > <Identity Store> > Identity store schema, choose New Identity store attribute from the context menu for the Attributes node.
   b. Enter the data for the attributes as shown in the table below:

Attribute Name (Under General) | Applicable for Repository Type | Entry Types to Allow (Under Entry Types)
--- | --- | ---
ACCOUNT<REPOSITORYNAME> | LDAP, AS ABAP, AS Java | MX_PERSON
TEMPACCOUNT<REPOSITORYNAME> | LDAP, AS ABAP, AS Java | MX_PERSON
GROUP<REPOSITORYNAME> | LDAP, AS ABAP, AS Java | MX_GROUP
DN<REPOSITORYNAME> | LDAP (not needed for repository types AS ABAP or AS Java) | MX_PERSON, MX_GROUP and MX_PRIVILEGE
TEMPDN<REPOSITORYNAME> | LDAP (not needed for repository types AS ABAP or AS Java) | MX_PERSON

Continue with setting up the systems and connectors that are specific to the use case you are implementing. The corresponding steps are described in the sections that follow.

3.4.2 Setting up the SAP HCM Use Case

When using this use case, you export identity data from the SAP HCM system and import it into the Identity Center. To do this, use the Virtual Directory Server as the common interface for processing the data. You can therefore use the export functions in SAP HCM that are available for exporting data to an LDAP directory. This data is then imported into a staging area in the Identity Center before being replicated into the productive identity store. Once the data is in the identity store, it can be provisioned to the connected systems, for example, another LDAP directory server.

Using a staging area instead of writing directly to the identity store has the following advantages:

- You can work with the data in the staging area before processing it further. For example, you can also set up the Workflow approval tasks to access the data in the staging area before writing it to the productive identity store.
- If you make changes to the database schema used for identity data in the SAP HCM system, you can adjust the attribute mapping in the staging area accordingly and you do not have to change the productive identity store's schema.

The staging area is a separate identity store in the Identity Center. To set up SAP NetWeaver Identity Management for the SAP HCM use case, proceed as described below.

Prerequisites

- The Virtual Directory Server is installed.
- The Identity Center is installed and configured.
- The SAP HCM system is installed and contains employee data.
- You have decided how to assign a user account name to an employee. There are two options:
  - SAP HCM uses the infotype 0105 to assign the user account name that will be used by the Identity Center.
  - SAP HCM does not use the infotype 0105. In this case, a user account name will be generated during the import into the Identity Center.

Procedure

1. Create an additional identity store in the Identity Center to use as a staging area for identity data provided by the SAP HCM system.
2. Configure the Virtual Directory Server (see Appendix C: Configuring the Virtual Directory Server [Page 54]).
3. Configure the SAP HCM system to export identity data to the Virtual Directory Server and export the data (see Appendix D: Configuring the SAP HCM System [Page 56]).
4. Create a job in the Identity Center that writes the identity data from the staging area to the productive identity store.
5. Create and configure the jobs used for the connectors to each of the systems involved in the landscape.

3.4.2.1 Creating the Staging Area in the Identity Center

Create an identity store in the Identity Center to use as a staging area for the HR data before it is replicated to the productive identity store.

Procedure

1. In the Identity Center, in the structure for your Identity Center configuration that you use for provisioning to SAP systems, for example, Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems>, choose New Identity Store... from the context menu for the Identity stores node.
2. Follow the instructions provided by the wizard. Use the following data as input for the wizard.

Screen: Identity store wizard - Identity store name

Field / Option | Value | Example
--- | --- | ---
Name | <Name_of_Staging_Area> | HR_Staging_Area
Description | <Description> | This identity store is used as a staging area for employee data.
Automatically create new attributes | Activate | By activating this option, any new attributes in the SAP HCM system are automatically created in the staging area identity store. For the productive identity store, we do not recommend activating this option.

Screen: Identity store wizard - Select entry types

Field / Option | Value | Example
--- | --- | ---
Entry types: Group, InetOrgPerson, Location, Organization | Do not select any of the entry types. | Not applicable

3. Choose Finish to exit the wizard and create the identity store.
4. Check the properties for the identity store by selecting it in the navigation tree.

5. Note the identity store's ID that is shown in the field ID/Name in the General properties. You will need this for the VDS configuration in the next step. See the example below.
6. Create the global constant HR_STAGING_AREA_IDS_ID and also set it to this value.

Next Steps

Continue with configuring the Virtual Directory Server and the SAP HCM system as described in Appendix C: Configuring the Virtual Directory Server [Page 54] and Appendix D: Configuring the SAP HCM System [Page 56].

3.4.2.2 Writing the Identity Data From the Staging Area to the Identity Store

For the next step, create a job in the Identity Center that writes the identity data from the staging area to the identity store so that it can be provisioned to the rest of the systems.

Procedure

Using the Identity Center:

1. Create a job folder for your HR staging area, for example, Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > <HR_Staging_Area_identity_store>. To create the job folder, choose New Folder from the context menu for your Identity Center configuration. See the structuring recommendations [Page 12].
2. Create a job for the HR pass. Choose New Run job wizard... from the context menu for the folder. Follow the instructions provided by the wizard.
   a. Select the template <Install_folder>\Templates\Identity Center\Jobs\SAP NetWeaver\HCM Read Employees.
   b. Provide the database connection string for your IC configuration. (You can use the Define JDBC URL value help to specify this string.)
   c. Specify the Identity Store ID for your staging area identity store (HR_STAGING_AREA_IDS_ID).

3. Choose Finish. The job is created in your folder.
4. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.
5. Save the data by choosing Apply.
6. Adjust the attribute mapping under Destination if necessary. The default mapping is shown in the table below. Add additional mappings according to the data which you have loaded from SAP HCM.

Attribute (Source Attributes) | Value (Destination Attributes)
--- | ---
MSKEYVALUE | $FUNCTION.sap_generateHRID(%P0000-PERNR%!!%SYHR_A_P0105_AF_SYSUNAME%!!%MSKEYVALUE%)$$
MX_LANGUAGE | %P0002-SPRSL%
MX_LASTNAME | %P0002-NACHN%
MX_FIRSTNAME | %P0002-VORNA%
DISPLAYNAME | %P0001-ENAME%
MX_MAIL_PRIMARY | %SYHR_A_P0105_AF_EMAIL%
MX_PHONE_PRIMARY | %SYHR_A_P0105_AF_TEL_NR% + %SYHR_A_P0105_AF_EXT%
MX_MOBILE_PRIMARY | %SYHR_A_P0105_AF_CELL%
MX_FAX_PRIMARY | %SYHR_A_P0105_AF_FAX%

7. Apply the changes.

Result

The MSKEYVALUE attribute is defined in a JScript function called sap_generatehrid. This function has a custom exit called custom_generatehrid(par) that uses the attributes P0000-PERNR, SYHR_A_P0105_AF_SYSUNAME and Employee-Key (which is the MSKEYVALUE of the HR staging area) as input parameters. Currently the function custom_generatehrid returns an empty string. If necessary, change this function to adjust the MSKEYVALUE to fit your needs.

The job is ready to be executed.

Scheduling the Job to Run Periodically

To schedule the job to run periodically, under Options, in the Scheduling section, choose Edit to specify the times that the job should run. Make sure this job runs after the ABAP report that exports the identity data to the staging area.
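The custom exit described above, as an added example that is not part of the SAP guide or of the framework's own scripts: a hypothetical custom_generatehrid that splits the "!!"-joined parameter into PERNR, SYSUNAME and Employee-Key, uses the infotype 0105 user name when SAP HCM maintains one, and otherwise generates an ID from the personnel number (the second option from the prerequisites). The "E" prefix, the account-name character rule, and the assumption that a non-empty return value becomes the MSKEYVALUE are this example's own choices, not from the page.

```javascript
// Added example, not code from the SAP guide or the provisioning framework.
// The framework's sap_generatehrid (not shown here) calls this exit with one
// string built from the mapping shown in the table above:
//   %P0000-PERNR%!!%SYHR_A_P0105_AF_SYSUNAME%!!%MSKEYVALUE%
// The stock exit returns "" (keep the framework's default MSKEYVALUE).
// Assumption: a non-empty return value is taken over as the MSKEYVALUE.

var SEPARATOR = "!!";
var HRID_PREFIX = "E"; // constructed convention for employees without infotype 0105
var ACCOUNT_NAME_RE = /^[A-Z0-9_]{1,12}$/; // assumed site rule: ABAP-style user ID, max 12 chars

// Split the parameter string into its three fields; missing fields become "".
function parseHridParams(par) {
  var parts = String(par).split(SEPARATOR);
  return {
    pernr: (parts[0] || "").trim(),
    sysuname: (parts[1] || "").trim(),
    employeeKey: (parts[2] || "").trim() // MSKEYVALUE of the HR staging area entry
  };
}

function isValidAccountName(name) {
  return ACCOUNT_NAME_RE.test(name);
}

// Returns the MSKEYVALUE to use, or "" to keep the framework's default.
function custom_generatehrid(par) {
  var p = parseHridParams(par);

  // Case 1: SAP HCM maintains infotype 0105 (system user name). Use it,
  // upper-cased, but only if it passes the account-name check; an invalid
  // name is rejected rather than silently written into the identity store.
  if (p.sysuname !== "") {
    var candidate = p.sysuname.toUpperCase();
    return isValidAccountName(candidate) ? candidate : "";
  }

  // Case 2: no infotype 0105. Generate an ID from the personnel number,
  // zero-padded to the 8 digits of a PERNR, so it is stable across runs.
  if (/^[0-9]{1,8}$/.test(p.pernr)) {
    return HRID_PREFIX + ("00000000" + p.pernr).slice(-8);
  }

  // Neither field is usable: fall back to the framework default.
  return "";
}
```

Because the result is the MSKEYVALUE of the productive identity store, keep the function deterministic: the same employee must map to the same key on every run of the Read Employees job, or the Update jobs will create duplicates.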

3.4.2.3 Creating and Configuring the Jobs for Each Connector

In this step, you will create and configure the jobs for each connector used in the system landscape. For our sample use case, these are the AS ABAP system and the LDAP directory server. The table below shows an overview of the jobs used for this use case.

System | Identity Store | Jobs | Comment
--- | --- | --- | ---
SAP HCM | Staging area (Example: HR_Staging_Area) | Read Employees | This job was set up for the HR_Staging_Area identity store in the last step.
LDAP Directory Server | Productive identity store (Example: SAP_Master) | Initial Load, Initial Provisioning, Update All, Update Groups, Reset Delta |
SAP HCM (AS ABAP) | Productive identity store (Example: SAP_Master) | Initial Load, Update, Reset Delta | Optional. Set up this job if you want to read SU01 data from the AS ABAP system.

You can also include additional systems in the landscape that are not explicitly shown here, for example, other AS ABAP systems, AS Java systems, or non-SAP systems.

Prerequisites

A repository entry exists for each of the systems used in the landscape.

Procedure

Using the Identity Center:

1. Create a job folder in your structure to use for the provisioning jobs, for example, Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > <identity_store>, for example SAP_Master. Choose New Folder from the context menu for your Identity Center configuration. See the structuring recommendations [Page 12].
2. Create a sub-folder for each system.
3. In each system folder, create a job for each task that applies to the system:
   a. Choose New Run job wizard... from the context menu for the system's folder.
   b. Follow the instructions provided by the wizard. Select the template that applies to the job you are creating, for example LDAP (SUNONE) Initial Load, and the name of the repository that applies to the corresponding system.

   c. Choose Finish. The job is created in your folder.
   d. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.
   e. Save the data.
4. Repeat for each job and each system that applies.

Result

Each system used in the use case has a set of jobs to be used for initial load, updating, and resetting the delta in the database.

Example

The following figure shows the jobs for the SAP HCM system and the LDAP directory server as used in this use case.

Next Steps

Continue with Step 3.5 Performing the Initial Loads [Page 35].

3.4.3 Setting up the SAP NetWeaver Portal Environment Use Case

When using this use case, the leading system for identity data is a corporate LDAP directory server. The corporate LDAP directory server is also used as the user data store for the SAP NetWeaver Portal system. When using SAP NetWeaver Identity Management with this use case, the identities are replicated from the LDAP directory server into the Identity Center. The corresponding users and role assignments are provisioned to all of the systems that are included in the system landscape (where users and assignments are relevant), except for the AS Java where the portal runs. The AS Java that is running the portal reads the identity data directly from the corporate LDAP directory server, and only the user/role assignments are provisioned to this system.

To set up SAP NetWeaver Identity Management for the portal use case, set up the initial load and provisioning jobs for each of the systems connected to the Identity Center. The table below shows an overview of the jobs to create for this use case.

System | Jobs
--- | ---
LDAP Directory Server | Initial Load, Update All, Update Groups, Reset Delta
AS Java (with portal) | Initial Load, Update, Reset Delta
AS ABAP | Initial Load, Initial Provisioning, Update, Reset Delta

You can also include additional systems in the landscape that are not explicitly shown here, for example, other AS ABAP systems, AS Java systems, or non-SAP systems. For dual-stack systems, use the AS ABAP job templates.

Prerequisites

- The Identity Center is installed and configured.
- A repository entry exists for each of the systems used in the landscape.
- The corporate LDAP directory server contains the identity data.
- The SAP NetWeaver Portal is installed and the portal's AS Java uses the LDAP directory server as its data source.
- The communication user used for the connection between the Identity Center and the LDAP directory server should have read-only access to the LDAP directory server.

Procedure

Using the Identity Center:

1. Create a job folder for your provisioning jobs, for example, Console Root > SAP NetWeaver Identity Management > <IC_Configuration_for_SAP_Systems> > SAP_Master. See the structuring recommendations [Page 12]. To create a folder, choose New Folder from the context menu for your Identity Center configuration.
2. Create a sub-folder for each system.
3. In each system folder, create the jobs that apply to the system:
   a. Choose New Run job wizard... from the context menu for the system's folder.
   b. Follow the instructions provided by the wizard. Select the template that applies to the job you are creating, for example AS ABAP Initial Load, and the name of the repository that applies to the corresponding system. You can find the job templates in the folder <Install_folder>\Templates\Identity Center\Jobs.
   c. Choose Finish. The job is created in your folder.
   d. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.
   e. Save the data.
4. Repeat for each job and each system that applies.

Result

Each system used in the use case has a set of jobs to be used for initial load, updating, and resetting the delta in the database.

Example

The following figure shows the jobs for the LDAP directory server, the AS Java system, and the AS ABAP system as used in this use case.

Next Steps

Continue with Step 3.5 Performing the Initial Loads [Page 35].

3.4.4 Setting up the Identity Lifecycle Management Use Case

This use case combines the previous use cases to show how to use SAP NetWeaver Identity Management in a complete system landscape that includes all of the components: SAP HCM, a corporate LDAP directory server, the SAP NetWeaver Portal, and additional SAP NetWeaver ABAP or Java-based systems.

As with the other use cases, we assume that one system is the leading system for identity information, and in this example, we use the SAP HCM system as this leading system. Identity information is then provided to the Identity Center from the SAP HCM system and provisioned to the LDAP directory server, which is also used as the user store for the SAP NetWeaver portal. Users are also provisioned to the AS ABAP system that is also included in the portal landscape, and user/role assignments are provisioned to the AS ABAP system and the portal.

Making Sure Users Exist in the LDAP Directory Server

Also make sure that users exist in the LDAP directory server before role assignments are provisioned to the portal system. You can do this by creating a custom task that performs the following steps:

1. Create the user in the LDAP directory.
2. Assign the user to the appropriate LDAP group(s). (The user is first created in the directory when he or she is assigned to an LDAP group.)

Afterwards, you can assign portal roles to the user, either through jobs or provisioning tasks.

Setting Up the Jobs

To set up SAP NetWeaver Identity Management for this use case, adjust the jobs in the Identity Center so that the jobs for each system are set up as shown in the table below. Add the jobs if necessary.
System                | Identity Store                                   | Jobs                                                                     | Comment
SAP HCM               | Staging area (example: HR_Staging_Area)          | Read Employees                                                           | This job was set up for the HR_Staging_Area identity store in step 3.4.2.2 [Page 25].
LDAP Directory Server | Productive identity store (example: SAP_Master)  | Initial Load, Initial Provisioning, Update All, Update Groups, Reset Delta |
AS Java (with portal) | Productive identity store                        | Initial Load, Update, Reset Delta                                        |
SAP HCM (AS ABAP)     | Productive identity store                        | Initial Load, Update, Reset Delta                                        | Optional. Set up this job if you want to read SU01 data from the AS ABAP system.

Prerequisites

You can also include additional systems in the landscape that are not explicitly shown here, for example, other AS ABAP systems, AS Java systems, or non-SAP systems. For dual-stack systems, use the AS ABAP job templates.

- The Identity Center is installed and configured.
- A repository entry exists for each of the systems used in the landscape.
- The corporate LDAP directory server contains the identity data.
- The SAP NetWeaver Portal is installed and the portal's AS Java uses the LDAP directory server as its data source.

Procedure

1. If you are using the portal use case as the starting point, then set up the SAP HCM system and the Identity Center as described in Section 3.4.2: Setting up the SAP HCM Use Case [Page 23].
2. Add any systems that have not yet been included in the job folder. Set up their jobs accordingly:
   a. Choose New → Run job wizard... from the context menu for the system's folder.
   b. Follow the instructions provided by the wizard. Select the template that applies to the job you are creating, for example AS ABAP Initial Load, and the name of the repository that applies to the corresponding system.
   c. Choose Finish. The job is created in your folder.
   d. Enable the job, select Java as the runtime engine, and select a dispatcher for the job.
   e. Save the data.
3. Repeat for each job and each system that applies.
4. Check the permissions for the communication user used for the connection between the LDAP directory server and the Identity Center. For this use case, the user should have write permissions for the LDAP directory server.

Result

Each system used in the use case has a set of jobs to be used for initial load, updating, and resetting the delta in the database.

Example

The following figure shows the jobs for the SAP HCM system, the LDAP directory server, the AS Java system, and the AS ABAP system as used in this use case.

Next Steps

Continue with Step 3.5 Performing the Initial Loads [Page 35].

3.5 Performing the Initial Loads

Once you have set up the connectors for the systems in your system landscape, perform the initial loads, which retrieve the identity data into the Identity Center. Before you retrieve the data, make sure that provisioning is deactivated on the dispatcher so that the data read is not provisioned into the various systems. This is shown in step 1 below. Reactivate provisioning on the dispatcher once the initial load has been completed.

Prerequisites When Using Central User Administration

If you are connecting a CUA system to the Identity Center, then you must make sure that the data in the CUA central system is clean before you perform the initial load. Therefore:

1. Make sure that all data is synchronized in the CUA, for example, company address data. To do this, execute the transaction SCUG in the central system.
2. Remove any unnecessary CUA entries that may exist in CUA tables. To do this, execute the report RSDELCUA. Activate the option Invalid Content in CUA Tables.
3. Make sure role assignments are up-to-date by executing the user master record comparison (sometimes referred to as text comparison) function in the CUA master system. Execute it for all child systems and activate the Delete invalid assignments option.
4. Clean up profiles that are not assigned to any roles by executing the transaction PFUD in the master system. Select the Cleanups option.

Changing the Configuration Before Running the Initial Loads

You most likely have to change the configuration before proceeding with the initial loads. In particular, you must determine which system is the leading system for each attribute so that attributes will not be incorrectly overwritten by jobs running for other systems. You also have to determine how initial passwords are to be generated.

Determining the Leading System for Attributes

Before proceeding, you must determine which system is the leading system for each attribute and role assignment. Then adjust the attributes in the Destination tab pages for each write pass in the initial load and update jobs. For attributes, set the period (.) in the first column of the pass definition so that these attributes do not overwrite those from the leading system. For role assignments, use the {A} option in the pass value if the role assignment is to be added to any existing role assignments. Also adjust the Workflow interface so that these attributes cannot be mistakenly overwritten.

This step is very important. If you do not specify the leading system per attribute correctly, attributes could be overwritten from other systems, leading to unexpected results.

For example, the following configuration is for the LDAP directory server, which is the leading system for the attributes in the pass. No period is set for these attributes.

In the write pass for the ABAP initial load, these attributes should not be written to the identity store if the entry already exists. Therefore, the period is set for these attributes. For attributes where the ABAP system is to be the leading system (for example, date format and user type in the example below), no period is set.

In the following figure, the role specified in the MXREF_MX_ROLE attribute is always added to the list of roles for the employee. On the other hand, the privilege specified by MXREF_MX_PRIVILEGE is only added if the entry in the identity store does not already exist. Existing role and privilege assignments are not overwritten.

The screen shots above show examples of how the attributes can be set. They do not coincide with the default configuration.
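The following is an added example, not code from the SAP guide or from the Identity Center itself: a small model of the two write-pass rules described above, so the effect of getting the leading system wrong can be seen on data. A destination attribute written with a leading "." is only set when the entry is new, so a non-leading system cannot overwrite the leading system's value; a value wrapped in {A} is added to the existing values of a multi-value attribute instead of replacing them. The store contents, the role and privilege IDs, and the ABAP-side user records are constructed for this example; only the attribute names MXREF_MX_ROLE, MXREF_MX_PRIVILEGE, DISPLAYNAME, MX_MAIL_PRIMARY and MX_DATEFORMAT come from the guide.

```javascript
// Added example (not from the SAP guide): models the "." and {A} write-pass
// rules for one identity store entry. All sample data below is constructed.

// A fresh identity store keyed by MSKEYVALUE (the user ID), already holding one
// entry loaded from the leading system (the LDAP directory).
function sampleStore() {
  return new Map([
    ["jdoe", {
      MSKEYVALUE: "jdoe",
      DISPLAYNAME: "Jane Doe",
      MX_MAIL_PRIMARY: "jane.doe@example.test",
      MXREF_MX_ROLE: ["ROLE:BUSINESS:Employee"],
      MXREF_MX_PRIVILEGE: ["PRIV:ROLE:ABAP_PRD:SAP_BASIC"],
    }],
  ]);
}

// Applies one destination row (attribute name, value) of a write pass to an
// entry. isNew says whether the entry existed before this pass started.
function applyDestinationRow(entry, isNew, attrName, value) {
  const onlyIfNew = attrName.startsWith(".");
  const name = onlyIfNew ? attrName.slice(1) : attrName;

  // "." rule: an existing entry keeps the value it already has.
  if (onlyIfNew && !isNew) return entry;

  // {A} rule: add to the existing values instead of overwriting them.
  const add = typeof value === "string" ? /^\{A\}(.+)$/.exec(value) : null;
  if (add) {
    const values = Array.isArray(entry[name]) ? entry[name] : [];
    if (!values.includes(add[1])) values.push(add[1]);
    entry[name] = values;
    return entry;
  }

  entry[name] = value; // plain value: this system is leading, so overwrite
  return entry;
}

// Runs a whole pass (a list of [attributeName, value] rows) for one entry and
// returns the resulting entry. Whether the entry is new is decided once, before
// the first row is written, as the "." rule refers to the entry, not the row.
function runWritePass(store, mskeyvalue, rows) {
  let entry = store.get(mskeyvalue);
  const isNew = entry === undefined;
  if (isNew) {
    entry = { MSKEYVALUE: mskeyvalue };
    store.set(mskeyvalue, entry);
  }
  for (const [attr, value] of rows) applyDestinationRow(entry, isNew, attr, value);
  return entry;
}

// Destination rows modelled on the ABAP initial load in the text: ABAP is not
// the leading system for the name and mail attributes (dot prefix) but is
// leading for the date format; the role is always added with {A}, the
// privilege only for new entries.
function abapInitialLoadRows(abapUser) {
  return [
    [".DISPLAYNAME", abapUser.fullName],
    [".MX_MAIL_PRIMARY", abapUser.mail],
    ["MX_DATEFORMAT", abapUser.dateFormat],
    ["MXREF_MX_ROLE", "{A}ROLE:BUSINESS:SAP_User"],
    [".MXREF_MX_PRIVILEGE", ["PRIV:ROLE:ABAP_PRD:SAP_ALL"]],
  ];
}

// The LDAP-loaded entry keeps its name and mail, gains the date format and the
// role, and keeps its privilege; a user unknown to LDAP gets everything from ABAP.
function demo() {
  const store = sampleStore();
  const existing = runWritePass(store, "jdoe", abapInitialLoadRows({
    fullName: "DOE JANE", mail: "jdoe@abap.example.test", dateFormat: "DD.MM.YYYY",
  }));
  const fresh = runWritePass(store, "bsmith", abapInitialLoadRows({
    fullName: "Bob Smith", mail: "bob.smith@abap.example.test", dateFormat: "MM/DD/YYYY",
  }));
  return { existing, fresh };
}

console.log(JSON.stringify(demo(), null, 2));
```

Removing the "." from the DISPLAYNAME row in abapInitialLoadRows is enough to reproduce the failure mode the text warns about: the LDAP name "Jane Doe" is replaced by the ABAP form "DOE JANE" on the next run of the job.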

Generating Initial Passwords

During the initial load or any other task which creates identities in the identity store, you can have initial passwords generated for the users. In this case, you have to provide values for the attributes MX_PASSWORD (which is used to log on to the Identity Center) and optionally MX_ENCRYPTED_PASSWORD (which is used for a password synchronization workflow). Note the following:

Use the following attribute mapping on the Destination tab:

Attribute             | Value
MX_PASSWORD           | $FUNCTION.sap_encryptPasswordMD5(%param%)$$
MX_ENCRYPTED_PASSWORD | $FUNCTION.sap_encryptPassword(%param%)$$

Optimization option: If you want to ensure that all new identities get some well-defined default values, for example, a default password, and that well-defined workflows are initiated for all new identities, then create a provisioning task which sets the default values and register this task as an Add event task for the entry type MX_PERSON. This task can also trigger additional Workflow tasks, for example, a task that sends an e-mail.

To specify the rules to use when generating these passwords, you adapt the global JScript custom_initializepassword.

Running a Test Initial Load

You can run a test initial load by creating a temporary identity store to use for the initial load passes. Set the global constant SAP_MASTER_IDS to the temporary identity store. Run the initial loads and check if everything works as expected. Before proceeding with the productive initial load, run the Reset Delta job for each repository and change the global constant back to the productive identity store.

Running the Initial Loads

Proceed as follows:

1. Deactivate provisioning. Select Console Root → SAP NetWeaver Identity Management → <IC_Configuration_for_SAP_Systems> → Management → Dispatchers → <Dispatcher> and deactivate the Run provisioning jobs option(s) for your runtime engine(s) (Windows or Java).
2. Apply the changes and regenerate the service scripts for the dispatcher.
3. Stop and restart the dispatcher.
4. Run the initial loads for your systems. Select each job and choose Run now. Make sure you run the jobs in the correct order.

5. Delete the provisioning jobs that were sent to the provisioning queue during the initial load:
   a. Create a job folder for global jobs.
   b. Create a job in this folder for cleaning up the provisioning queue. Use the job wizard and select the job Clean Provisioning Queue <MS-SQL or Oracle>.
   c. Enable this job and select the dispatcher.
   d. Run the job.
6. Reactivate provisioning for the dispatcher. Select Console Root → SAP NetWeaver Identity Management → <IC_Configuration_for_SAP_Systems> → Management → Dispatchers → <Dispatcher> and activate the Run provisioning jobs option(s) for your runtime engine(s) (Windows or Java).
7. Apply the changes, regenerate the service scripts for the dispatcher, and restart the dispatcher.

3.6 Cleaning up the Collected Data

After performing the initial loads, the identity data from all systems is stored in the Identity Center's identity store. It is likely that the quality of this data is quite low. Attributes may be duplicated or missing in some sources, or there may be conflicts between attributes. For example, an identity may be represented in several sources by different user IDs, or different identities may be represented in different sources using the same ID. You therefore need to consolidate and clean up this low-quality data and resolve any conflicts before continuing with the provisioning process.

When resolving the data for the use cases described in this document, the user ID is the determining attribute for the identity. This means that each unique user ID that is read from the various data sources is identified and used as the criterion for creating and maintaining identities in the system that is provisioned to.

Once you have cleaned up the data, provision the consolidated data back to the connected systems by starting the Initial Provisioning job for each connected system. There is no Initial Provisioning job for the leading system. When using the SAP provisioning framework for this use case, we assume that the data coming from the leading system is correct and does not need to be updated.
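As an added example for the clean-up step in 3.6 (this is not code from the SAP guide and not an Identity Center job), the following groups the records read by the initial loads by user ID, the determining attribute named above, and reports the three problems the text describes before anything is provisioned back: the same ID carrying conflicting attribute values in different sources, an attribute missing from every source, and one person apparently present under two different IDs. The records, the source names CORP_LDAP, ABAP_PRD and JAVA_PRT, and the attribute names mail and lastName are constructed for this example.

```javascript
// Added example (not from the SAP guide): consolidation and conflict report over
// constructed initial-load records. One record per (source, user ID).
const loadedRecords = [
  { source: "CORP_LDAP", userId: "jdoe",     mail: "jane.doe@example.test",    lastName: "Doe" },
  { source: "ABAP_PRD",  userId: "jdoe",     mail: "jane.doe@example.test",    lastName: "Doe" },
  { source: "ABAP_PRD",  userId: "jsmith",   mail: "john.smith@example.test",  lastName: "Smith" },
  { source: "JAVA_PRT",  userId: "jsmith",   mail: "joe.smith@example.test",   lastName: "Smithers" },
  { source: "CORP_LDAP", userId: "mmueller", mail: "max.mueller@example.test", lastName: "Mueller" },
  { source: "ABAP_PRD",  userId: "muellerm", mail: "max.mueller@example.test", lastName: "Mueller" },
  { source: "CORP_LDAP", userId: "nomail",                                     lastName: "Blank" },
];

// Attributes compared across the sources that deliver one user ID.
const COMPARED_ATTRS = ["mail", "lastName"];
// Attributes that identify a person well enough to suspect a duplicate identity
// when two different user IDs carry the same value.
const MATCH_ATTRS = ["mail"];

function consolidate(records) {
  // 1. One candidate identity per unique user ID.
  const byUserId = new Map();
  for (const rec of records) {
    if (!byUserId.has(rec.userId)) byUserId.set(rec.userId, []);
    byUserId.get(rec.userId).push(rec);
  }

  const findings = [];

  // 2. Same ID in several sources: values must agree, and must exist somewhere.
  for (const [userId, recs] of byUserId) {
    const sources = recs.map(r => r.source);
    for (const attr of COMPARED_ATTRS) {
      const values = [...new Set(recs.filter(r => r[attr] !== undefined).map(r => r[attr]))].sort();
      if (values.length > 1) findings.push({ kind: "conflict", userId, attr, values, sources });
      else if (values.length === 0) findings.push({ kind: "missing", userId, attr, sources });
    }
  }

  // 3. Different IDs sharing an identifying value: possibly one person twice.
  for (const attr of MATCH_ATTRS) {
    const idsByValue = new Map();
    for (const rec of records) {
      if (rec[attr] === undefined) continue;
      if (!idsByValue.has(rec[attr])) idsByValue.set(rec[attr], new Set());
      idsByValue.get(rec[attr]).add(rec.userId);
    }
    for (const [value, ids] of idsByValue) {
      if (ids.size > 1) findings.push({ kind: "duplicate", attr, value, userIds: [...ids].sort() });
    }
  }

  return { identities: [...byUserId.keys()].sort(), findings };
}

// One readable line per finding, for the administrator doing the clean-up.
function formatFindings(findings) {
  return findings.map(f => {
    switch (f.kind) {
      case "conflict":  return `${f.userId}: ${f.attr} differs across ${f.sources.join("/")}: ${f.values.join(" vs ")}`;
      case "missing":   return `${f.userId}: ${f.attr} missing in all sources (${f.sources.join("/")})`;
      case "duplicate": return `${f.attr}=${f.value} is used by several IDs: ${f.userIds.join(", ")}`;
      default:          return JSON.stringify(f);
    }
  });
}

const result = consolidate(loadedRecords);
console.log(`${result.identities.length} candidate identities`);
console.log(formatFindings(result.findings).join("\n"));
```

The sample data yields five candidate identities and four findings: two conflicts for jsmith, a missing mail for nomail, and the pair mmueller/muellerm sharing one mail address. Which of a conflicting pair is correct is a decision for the leading system, not for the script; the report only prevents low-quality data from being provisioned unnoticed.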

3.7 Scheduling the Update Jobs

The Update jobs check for changes to specific entry types in the source system and provision the changes to the target systems. For the SAP HCM use case, employee data that is maintained in the SAP HCM system is checked. For the SAP NetWeaver portal environment use case, the corresponding entry types are checked for the following system types:

- LDAP directory: Users and groups
- AS ABAP: Roles and profiles
- AS Java: Roles

Therefore, you should schedule the update jobs to run frequently, for example, daily. Changes made to entry types in the identity store using the Workflow application are provisioned immediately.

To schedule the job:

1. Select the Update job for each system that should be updated.
2. Select the Schedule rule that applies, for example, Midnight.
3. Choose Edit... and specify the exact times and days for the job to run.
4. Apply the changes.

3.8 Set Up User Interfaces for User Administration (Workflow)

Prerequisites

- The Workflow component is installed.
- The user administrator accounts that should have access to the Workflow tasks exist in the identity store. If you do not have any user administrator accounts, you can create them in the Identity Center. See the procedure below.

Creating a User Administrator Account (Optional)

To set up a user administrator account for using the Workflow application in the Identity Center:

1. Select the identity store to configure (for example, SAP_Master) and choose the Workflow tab page.
2. Select an authentication method, for example, Identity store. (This means that this user ID and password are stored in the identity store.)
3. Choose Add user.
4. In the dialog that follows, specify the Entry type MX_PERSON, create an administrator user and specify a password for this user.
5. Specify MSKEYVALUE as the Unique ID.
6. Apply the changes.

Configuring the User Interfaces

1. To assign the access rights, you must modify the Web-enabled tasks. Therefore, copy these tasks to a custom Web-Enabled Tasks folder. See the recommendations on page 10.
2. To make tasks appear in the Workflow application, assign the access control rights so that user administrators can access the task. To do this, select the task and choose the Access control tab page. Add the users, roles or privileges that should have access to the application. Also select the Show on welcome page indicator to make the task appear in the user's Welcome page.
   We recommend configuring the following (custom) Web-Enabled Tasks so they appear in the Workflow user interface:
   - Change User Data
   - Create Business Role
   - Change Business Role
   - Assign/Unassign Business Role
   - Change Company Address
   You can also create and set up additional tasks as necessary.
3. In the Attributes tab page, adjust the attributes to display as necessary.
4. Apply the changes.

3.9 Maintaining Business Roles

Once you have activated the Workflow application, you can maintain your business roles in the identity store.

1. Start the Workflow application and log on as a user administrator that has access rights to the Create (or Change) Business Role task. The Workflow application has the URL <host>:<port>/workflow.
2. Start the task Create (or Change) Business Role.
3. When creating a business role, enter the Unique ID for the role in the Create Business Role screen. The Unique ID has the syntax ROLE:BUSINESS:<Role_Name>.
4. To assign privileges to this role, choose the wizard for Assigned Technical Roles.
5. In the dialog that follows, search for and select the privileges that apply to this business role. The privileges are repository-specific, and the name of the home repository for the privilege is indicated in the privilege name. To see more information about the privilege, select it and choose Details. The syntax for the privilege's detailed information is PRIV:<Privilege_Type>:<Repository>:<ID>, where the syntax for the <Privilege_Type> depends on the system type for which the privilege applies.
6. Submit the changes.

3.10 Provisioning

Changes you make to identity data using the Workflow application are provisioned to the appropriate systems.
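The two identifier syntaxes given in section 3.9, ROLE:BUSINESS:<Role_Name> and PRIV:<Privilege_Type>:<Repository>:<ID>, are easy to parse, and doing so lets an administrator review what a business role actually grants per target system before it is assigned. The following is an added example, not code from the SAP guide or the Workflow application; the role name, repository names, privilege types and IDs in the sample are constructed, and malformed entries are reported rather than dropped.

```javascript
// Added example (not from the SAP guide): parses business role and privilege
// IDs and summarises a role's privileges per home repository. Sample IDs are
// constructed.

function parseBusinessRoleId(id) {
  const m = /^ROLE:BUSINESS:([^:]+)$/.exec(id);
  if (!m) throw new Error(`not a business role ID: ${id}`);
  return { name: m[1] };
}

function parsePrivilegeId(id) {
  // The privilege type and repository name carry no ":"; the trailing <ID> may,
  // since its form depends on the system type the privilege belongs to.
  const m = /^PRIV:([^:]+):([^:]+):(.+)$/.exec(id);
  if (!m) throw new Error(`not a privilege ID: ${id}`);
  return { privilegeType: m[1], repository: m[2], id: m[3] };
}

// Groups a business role's privilege IDs by home repository, so it is visible
// at a glance which systems the role reaches into. Invalid IDs are collected.
function summariseBusinessRole(roleId, privilegeIds) {
  const role = parseBusinessRoleId(roleId);
  const byRepository = {};
  const invalid = [];
  for (const pid of privilegeIds) {
    let priv;
    try {
      priv = parsePrivilegeId(pid);
    } catch (e) {
      invalid.push(pid);
      continue;
    }
    if (!byRepository[priv.repository]) byRepository[priv.repository] = [];
    byRepository[priv.repository].push(`${priv.privilegeType}:${priv.id}`);
  }
  for (const list of Object.values(byRepository)) list.sort();
  return { role: role.name, byRepository, invalid };
}

// Constructed sample: one business role with privileges from two repositories
// and one entry that is a role ID rather than a privilege ID.
const sampleRoleId = "ROLE:BUSINESS:Sales_Rep";
const samplePrivilegeIds = [
  "PRIV:ROLE:ABAP_PRD:Z_SALES_ORDERS",
  "PRIV:PROFILE:ABAP_PRD:Z_SALES_DISPLAY",
  "PRIV:ROLE:JAVA_PRT:Sales_Portal_Role",
  "ROLE:BUSINESS:NotAPrivilege",
];

console.log(JSON.stringify(summariseBusinessRole(sampleRoleId, samplePrivilegeIds), null, 2));
```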

3.11 Next Steps

Testing and Troubleshooting

If you have problems, check the following logs in the Identity Center and Monitoring application.

Identity Center main system log

You can find this log under Console Root → SAP NetWeaver Identity Management → <IC_Configuration_for_SAP_Systems> → Management → System log. It shows a consolidated view of the overall system. For example, information about the jobs that are run per dispatcher or errors that occur in the runtime environment are shown in this log. You can configure the amount of information that is shown in the options for the Identity Center configuration you are working with.

Identity Center main job log

You can find this log under Console Root → SAP NetWeaver Identity Management → <IC_Configuration_for_SAP_Systems> → Management → Job log. This log shows a consolidated view of all of the jobs that are run on the system. You can configure the amount of information that is shown in the logging options for each job.

Job-specific system log / Job-specific job log

For each job, there is also a specific system log and a job log. Each of these logs shows the system log and job log entries that apply to the specific job.

Monitoring provisioning audit log

You can find this log in the Monitoring application under Provisioning audit. See the figure below. The URL for the Monitoring application is <host>:<port>/monitoring.

The Monitoring provisioning audit log shows the changes that are executed on individual entries, for example, users, groups, or roles. You can drill down on the entries to see what exactly has taken place in the identity store.

Additional Functions

The Identity Center and the corresponding identity management applications also support additional functions that are not described here, for example, functions for password recovery. For more information on such functions, see the documentation provided with the installation package (in the Documents subfolder).

Appendix

Appendix A: Repository Constants

The tables below show the repository constants used for each repository type.

Repository Constants for AS ABAP (Load Balanced Connection)

Repository Wizard Field | Repository Constant | Value
Message Server          | JCO_CLIENT_MSHOST   | <message_server_hostname>
System ID               | JCO_CLIENT_R3NAME   | <SID>
Logon Group             | JCO_CLIENT_GROUP    | <Group>, for example, Public
User Name               | JCO_CLIENT_USER     | <user_id>
Password                | JCO_CLIENT_PASSWD   | <password>
Client                  | JCO_CLIENT_CLIENT   | <client>
Language                | JCO_CLIENT_LANG     | <language identifier>, for example, EN
Provision Task          | MX_PROVISIONTASK    | <task number for ProvisionABAP>
Deprovision Task        | MX_DEPROVISIONTASK  | <task number for DeprovisionABAP>
Modify Task             | MX_MODIFYTASK       | <task number for ModifyABAPUser>
                        | CUA_MASTER          | <TRUE/FALSE>
                        | REPOSITORY_TYPE     | ABAP

The constant REPOSITORY_TYPE is automatically created. The constant CUA_MASTER must be added manually and set to TRUE if the system is the CUA central system.

There are additional attributes for configuring Secure Network Communications (SNC). For more information, see Appendix E: Configuring the ABAP Connector to use SNC [Page 66].

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.

Repository Constants for AS ABAP (Specific Application Server)

Repository Wizard Field | Repository Constant | Value
Target Host             | JCO_CLIENT_ASHOST   | <hostname>
System Number           | JCO_CLIENT_SYSNR    | <system number>
User Name               | JCO_CLIENT_USER     | <user_id>
Password                | JCO_CLIENT_PASSWD   | <password>
Client                  | JCO_CLIENT_CLIENT   | <client>
Language                | JCO_CLIENT_LANG     | <language identifier>, for example, EN
Provision Task          | MX_PROVISIONTASK    | <task number for ProvisionABAP>
Deprovision Task        | MX_DEPROVISIONTASK  | <task number for DeprovisionABAP>
Modify Task             | MX_MODIFYTASK       | <task number for ModifyABAPUser>
                        | CUA_MASTER          | <TRUE/FALSE>
                        | REPOSITORY_TYPE     | ABAP

The constant REPOSITORY_TYPE is automatically created. The constant CUA_MASTER must be added manually and set to TRUE if the system is the CUA central system.

There are additional attributes for configuring Secure Network Communications (SNC).

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.

Repository Constants for AS Java

Repository Wizard Field | Repository Constant    | Value
HTTP Protocol           | HTTP_PROTOCOL          | <http/https>
Target Host             | APPLICATION_HOST       | <hostname>
HTTP Port               | HTTP_PORT              | <http_port>
User Name               | HTTP_AUTH_USER         | <user_id>
Password                | HTTP_AUTH_PWD          | <password>
Provision Task          | MX_PROVISIONTASK       | <task number for ProvisionJava>
Deprovision Task        | MX_DEPROVISIONTASK     | <task number for DeprovisionJava>
Modify Task             | MX_MODIFYTASK          | <task number for ModifyJavaUser>
Backend Repository Name | BACKEND_REPOSITORYNAME | <LDAP directory repository name>
                        | REPOSITORY_TYPE        | Java

The constant REPOSITORY_TYPE is automatically created.

For the provision, deprovision, and modify tasks, you can use the wizard when creating the repository to browse to the appropriate task in the provisioning framework.

Repository Constants for a Dual-Stack System (Load Balanced Connection)

Repository Wizard Field | Repository Constant    | Value
Message Server          | JCO_CLIENT_MSHOST      | <message_server_hostname>
System ID               | JCO_CLIENT_R3NAME      | <SID>
Logon Group             | JCO_CLIENT_GROUP       | <Group>, for example, Public
User Name               | JCO_CLIENT_USER        | <user_id>
Password                | JCO_CLIENT_PASSWD      | <password>
Client                  | JCO_CLIENT_CLIENT      | <client>
Language                | JCO_CLIENT_LANG        | <language identifier>, for example, EN
Provision Task          | MX_PROVISIONTASK       | <task number for ProvisionABAP>
Deprovision Task        | MX_DEPROVISIONTASK     | <task number for DeprovisionABAP>
Modify Task             | MX_MODIFYTASK          | <task number for ModifyABAPUser>
HTTP Protocol           | HTTP_PROTOCOL          | <http/https>
Target Host             | APPLICATION_HOST       | <hostname>
HTTP Port               | HTTP_PORT              | <http_port>
User Name               | HTTP_AUTH_USER         | <user_id>
Password                | HTTP_AUTH_PWD          | <password>
Provision Task          | MX_PROVISIONTASK       | <task number for ProvisionJava>
Deprovision Task        | MX_DEPROVISIONTASK     | <task number for DeprovisionJava>
Modify Task             | MX_MODIFYTASK          | <task number for ModifyJavaUser>
Backend Repository Name | BACKEND_REPOSITORYNAME | <LDAP directory repository name>
                        | CUA_MASTER             | <TRUE/FALSE>
                        | REPOSITORY_TYPE        | DUALABAP

The constant REPOSITORY_TYPE is automatically created. The constant CUA_MASTER must be added manually and set to TRUE if the system is the CUA central system.

There are additional attributes for configuring Secure Network Communications (SNC). For more information, see Appendix E: Configuring the ABAP Connector to use SNC [Page 66].

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.

Repository Constants for a Dual-Stack System (Specific Application Server)

Repository Wizard Field | Repository Constant    | Value
Target Host             | JCO_CLIENT_ASHOST      | <hostname>
System Number           | JCO_CLIENT_SYSNR       | <system number>
User Name               | JCO_CLIENT_USER        | <user_id>
Password                | JCO_CLIENT_PASSWD      | <password>
Client                  | JCO_CLIENT_CLIENT      | <client>
Language                | JCO_CLIENT_LANG        | <language identifier>, for example, EN
Provision Task          | MX_PROVISIONTASK       | <task number for ProvisionABAP>
Deprovision Task        | MX_DEPROVISIONTASK     | <task number for DeprovisionABAP>
Modify Task             | MX_MODIFYTASK          | <task number for ModifyABAPUser>
HTTP Protocol           | HTTP_PROTOCOL          | <http/https>
Target Host             | APPLICATION_HOST       | <hostname>
HTTP Port               | HTTP_PORT              | <http_port>
User Name               | HTTP_AUTH_USER         | <user_id>
Password                | HTTP_AUTH_PWD          | <password>
Provision Task          | MX_PROVISIONTASK       | <task number for ProvisionJava>
Deprovision Task        | MX_DEPROVISIONTASK     | <task number for DeprovisionJava>
Modify Task             | MX_MODIFYTASK          | <task number for ModifyJavaUser>
Backend Repository Name | BACKEND_REPOSITORYNAME | <LDAP directory repository name>
                        | CUA_MASTER             | <TRUE/FALSE>
                        | REPOSITORY_TYPE        | DUALABAP

The constant REPOSITORY_TYPE is automatically created. The constant CUA_MASTER must be added manually and set to TRUE if the system is a CUA system.

There are additional attributes for configuring Secure Network Communications (SNC).

For the provision, deprovision, and modify tasks, you can use the value help when creating the repository to browse to the appropriate system type specific task in the SAP Provisioning Framework.

Repository Constants for LDAP Directory Server

Repository Wizard Field | Repository Constant | Value
Host Name               | LDAP_HOST           | <hostname>
Starting Point          | LDAP_STARTING_POINT | <LDAP starting point>
Port number             | LDAP_PORT           | <LDAP port>
Password                | LDAP_PASSWORD       | <password>
Login user              | LDAP_LOGIN          | <LDAP user ID>
                        | MX_DEPROVISIONTASK  | <Task_Number_for_DeprovisionSunOne>
                        | MX_MODIFYTASK       | <Task_Number_for_ModifySunOneUser>
                        | MX_PROVISIONTASK    | <Task_Number_for_ProvisionSunOne>
                        | NAMING_ATTRIBUTE    | uid
                        | REPOSITORY_TYPE     | LDAP

The constant REPOSITORY_TYPE is automatically created, and you must create the constants for the provision, deprovision, and modify tasks manually when you create the repository.

Appendix B: Mapping Between Identity Center and AS ABAP Attributes

The following table shows the ABAP attributes that are supported by the ABAP connector and how they are mapped to attributes in the Identity Center.

IC Attribute          | Java (SPML) Attribute | ABAP Connector Attribute | BAPI Parameter | BAPI Field  | HR Field
MSKEYVALUE            | logon name            | logonuid                 | USERNAME       |             | SYHR_A_P0105_AF_SYSUNAME
MSKEY                 |                       |                          |                |             |
MX_ENTRYTYPE          |                       |                          |                |             |
MX_LOGONALIAS         | useralias             |                          | ALIAS          | USERALIAS   |
MX_DATEFORMAT         | dateformat            |                          | DEFAULTS       | DATFM       |
MX_LOCKED             | islocked              | islocked                 | ISLOCKED       | LOCAL_LOCK  |
MX_PASSWORD_DISABLED  | is password disabled  | ispassworddisabled       | ISLOCKED       | NO_USER_PW  |
MX_LANGUAGE           | locale                |                          | DEFAULTS       | LANGU       | P0002-SPRSL
MX_NUMBERFORMAT       | number format         |                          | DEFAULTS       | DCPFM       |
MX_PASSWORD           | password              | password                 | PASSWORD       | BAPIPWD     |
MX_ENCRYPTED_PASSWORD |                       |                          |                |             |
MX_TIMEZONE           | timezone              | timezone                 | LOGONDATA      | TZONE       |
MX_VALIDFROM          | validfrom             | validfrom                | LOGONDATA      | GLTGV       |
MX_VALIDTO            | validto               | validto                  | LOGONDATA      | GLTGB       |
MX_LANGUAGE_COUNTRY   |                       |                          |                |             |
MX_LANGUAGE_VARIANT   |                       |                          |                |             |
MX_ACCOUNTING_NUMBER  |                       | Logon dataaccnt          | LOGONDATA      | ACCNT       |

IC Attribute              | Java (SPML) Attribute | ABAP Connector Attribute | BAPI Parameter | BAPI Field  | HR Field
MX_CATT_TEST_STATUS       |                       | Defaults Cattkennz       | DEFAULTS       | CATTKENNZ   |
MX_CERTIFICATE            |                       |                          |                |             |
MX_PRINTERSETTINGS_SPDA   |                       | Defaults Spda            | DEFAULTS       | SPDA        |
MX_PRINTERSETTINGS_SPDB   |                       | Defaults Spdb            | DEFAULTS       | SPDB        |
MX_PRINTERSETTINGS_SPLD   |                       | Defaults Spld            | DEFAULTS       | SPLD        |
MX_PRINTERSETTINGS_SPLG   |                       | Defaults Splg            | DEFAULTS       | SPLG        |
MXREF_MX_PRIVILEGE        | roles                 |                          | ACTIVITYGROUPS | AGR_NAME    |
MXREF_MX_PRIVILEGE        | profiles              |                          | PROFILES       | BAPIPROF    |
MX_REFERENCE_USER         |                       | Reference User           | REF_USER       | REF_USER    |
DISPLAYNAME               | display name          | Display name             | ADDRESS        | FULLNAME    | P0001-ENAME
MX_FIRSTNAME              | firstname             | firstname                | ADDRESS        | FIRSTNAME   | P0002-VORNA
MX_LASTNAME               | lastname              | lastname                 | ADDRESS        | LASTNAME    | P0002-NACHN
MX_COMMUNICATION_LANGUAGE |                       | Address LangupP          | ADDRESS        | LANGU_P     |
MX_BIRTHNAME              |                       | Address BirthName        | ADDRESS        | BIRTH_NAME  |
MX_INITIALS               |                       | Address Initials         | ADDRESS        | INITIALS    |
MX_MIDDLENAME             |                       | Address Middle name      | ADDRESS        | MIDDLENAME  | P0002-MIDNM
MX_NAME_PREFIX_1          |                       | Address Prefix1          | ADDRESS        | PREFIX1     |
MX_NAME_PREFIX_2          |                       | Address Prefix2          | ADDRESS        | PREFIX2     |
MX_SEARCH_TERM_1          |                       | Address Sort1P           | ADDRESS        | SORT1_P     |
MX_SEARCH_TERM_2          |                       | Address Sort2P           | ADDRESS        | SORT2_P     |

IC Attribute                 | Java (SPML) Attribute | ABAP Connector Attribute | BAPI Parameter | BAPI Field | HR Field
MX_NICKNAME                  |                       | Address Nickname         | ADDRESS        | NICKNAME   |
MX_SECONDNAME                |                       | Address Second name      | ADDRESS        | SECONDNAME |
MX_FAX_PRIMARY               | fax                   | primaryfax               | ADDFAX         |            | SYHR_A_P0105_AF_FAX
MX_MAIL_PRIMARY              | email                 | primarymail              | ADDSMTP        |            | SYHR_A_P0105_AF_EMAIL
MX_MOBILE_PRIMARY            | mobile                | primary Mobile           | ADDTEL         |            | SYHR_A_P0105_AF_CELL
MX_PAGER_PRIMARY             |                       | primary Pager            | ADDPAG         |            |
MX_PHONE_PRIMARY             | telephone             | primary Phone            | ADDTEL         |            | SYHR_A_P0105_AF_TEL_NR + SYHR_A_P0105_AF_TEL_EXT
MX_FAX_ADDITIONAL            |                       | additional Faxes         | ADDFAX         |            |
MX_MAIL_ADDITIONAL           |                       | additional Mails         | ADDSMTP        |            | SYHR_A_P0105_AF_EMAIL
MX_MOBILE_ADDITIONAL         |                       | additional Mobiles       | ADDTEL         |            |
MX_PAGER_ADDITIONAL          |                       | additional Pagers        | ADDPAG         |            |
MX_PHONE_ADDITIONAL          |                       | additional Phones        | ADDTEL         |            |
MX_ADDRESS_CITY              |                       | Address City             | ADDRESS        | CITY       | WORKCENTER_CITY
MX_ADDRESS_COUNTRY           |                       | Address Country          | ADDRESS        | COUNTRY    | WORKCENTER_COUNTRY
MX_ADDRESS_POBOX             |                       | Address PoBox            | ADDRESS        | PO_BOX     |
MX_ADDRESS_POBOX_POSTAL_CODE |                       | Address PostlCod2        | ADDRESS        | POSTL_COD2 |
MX_ADDRESS_POSTAL_CODE       |                       | Address PostlCod1        | ADDRESS        | POSTL_COD1 |
MX_ADDRESS_REGION            |                       | Address Region           | ADDRESS        | REGION     |

IC Attribute             | Java (SPML) Attribute | ABAP Connector Attribute | BAPI Parameter | BAPI Field | HR Field
MX_ADDRESS_STREETADDRESS |                       |                          |                |            | WORKCENTER_STREET
MXREF_MX_COMPANY_ADDRESS |                       | Company                  | COMPANY        | COMPANY    |
MX_COSTCENTER            |                       | Default Costcenter       | DEFAULTS       | KOSTL      |
MX_WORKPLACE_BUILDING    |                       | Address BuildingP        | ADDRESS        | BUILDING_P | TEXT_P8001_BUILD
MX_COMMUNICATION_METHOD  |                       | Address CommType         | ADDRESS        | COMM_TYPE  |
MX_DEPARTMENT            | department            |                          | ADDRESS        | DEPARTMENT | P0001_ORGEH_TL
MX_WORKPLACE_FLOOR       |                       | Address FloorP           | ADDRESS        | FLOOR_P    |
MX_JOB_FUNCTION          | jobfunction           |                          | ADDRESS        | FUNCTION   | P0001_PLANS_TL
MX_INHOUSE_MAIL          |                       | Address InhouseMl        | ADDRESS        | INHOUSE_ML |
MX_NAME_ABBREVIATION     |                       | Address InitsSig         | ADDRESS        | INITS_SIG  |
MX_WORKPLACE_ROOM        |                       | Address RoomNoP          | ADDRESS        | ROOM_NO_P  | WORKCENTER_ROOM

Appendix C: Configuring the Virtual Directory Server

In this section, we describe how to configure the Virtual Directory Server so that the SAP HCM system can connect to it for the data export.

Prerequisites

- You have maintained the database connection for the identity store in the Identity Center and know the password for the database user.
- The JDBC driver to use to access the Identity Center database is maintained in the class path for the Virtual Directory Server. (Maintain the driver under Tools → Options → Classpath.)

Procedure

1. Start the Virtual Directory Server console.
2. To maintain the configuration, choose File → New. The New configuration dialog appears.
3. Select the Group SAP NetWeaver and the Template HR Export to IdM Identity Center and choose OK.
4. Configure the parameters to use for the VDS as shown in the table below.

Field                 | Value                             | Example                                                                               | Comment
Port                  | 1389                              | 1389                                                                                  | Select a different port if 1389 is already being used.
Display Name          | <Name_of_VDS>                     | Identity Store                                                                        |
Identity store        | <Database_Connection_Parameters>  | jdbc:sqlserver://localhost:1433;databasename=mxmc_db;user=mxmc_rt;password=<password> | Use the wizard to maintain them. Examples for Microsoft SQL Server parameters are shown in the table that follows.
Identity store number | <Staging_Area_Identity_Store_ID>  | 5                                                                                     | This ID was determined when setting up the staging area identity store.
Username              | <Directory_Server_User>           | HR_USER                                                                               | This is the user that is used for the bind to the VDS.
Password              | <Directory_Server_User_Password>  | <password>                                                                            |

Microsoft SQL Server Database Connection Parameters

Field    | Value                     | Example    | Comment
Server   | <Server_Name>             | localhost  |
Port     | <Port>                    | 1433       |
Database | <Database_Identifier>     | mxmc_db    |
User     | <Database_User>           | mxmc_rt    |
Password | <Database_User_Password>  | <password> | The password was specified during the installation.

5. Save the configuration.
6. Start the server.

Appendix D: Configuring the SAP HCM System

To configure the SAP HCM system to export data to the Virtual Directory Server, you must:

1. Create the query to use for the export.
2. Maintain the attribute mapping between the HR fields and the input attributes used by the LDAP synchronization.
3. Create an RFC destination to use for the connection to the VDS.
4. Configure the parameters to use for this connection.
5. Maintain the mappings between the attributes used by the LDAP synchronization and the VDS.
6. Export the data.

Because the VDS does not use a specific LDAP schema for attributes, you can freely choose names for the attributes. To make maintenance easier, we recommend using the same attribute names throughout all of the mappings.

D.1 Creating the Query to Use for the Export

In this step, you will set up the query to use for the export. For this purpose, you can use the existing query LDAPEXTRACT46C as a template. This query is assigned to the user group SAPQUERY/L1.

Prerequisites

Create or modify the query in the SAP HCM Customizing development system and transport it to the productive system.

Procedure

1. Using query maintenance (transaction SQ01):
2. Choose Edit → Other user group and select the user group SAPQUERY/L1. The queries available for this user group are displayed.
3. Select LDAPEXTRACT46C with a double-click and choose Query → Copy.
4. In the dialog that follows, enter a name for the new query, for example, LDAP_VD.
5. Select this query with a double-click and choose Query → Change. The attributes for the query appear.
6. To see the HR fields used by this query, choose Basic List.

7. Expand the data fields and adjust the field selection for the query so that the following fields are selected when you execute the query.

   Info Type                                        | Attribute                               | Technical Name
   HR Master Record: Infotype 0000 (Actions)        | Personnel Number                        | P0000-PERNR
                                                    | Employment Status                       | P0000-STAT2
                                                    | Leaving Date                            | SYHR_a_P0000_AF_FIREDATE
                                                    | Entry date                              | SYHR_A_P0000_AF_HIREDATE
   HR Master Record: Infotype 0001 (Org Assignment) | Formatted Name of Employee or Applicant | P0001-ENAME
   HR Master Record: Infotype 0002 (Personal Data)  | Last Name                               | P0002-NACHN
                                                    | First Name                              | P0002-VORNA
                                                    | Communication Language                  | P0002-SPRSL
   HR Master Record: Infotype 0105 (Communications) | Mobile Telephone                        | SYHR_A_P0105_AF_CELL
                                                    | Telefax                                 | SYHR_A_P0105_AF_FAX
                                                    | E-Mail                                  | SYHR_A_P0105_AF_EMAIL
                                                    | System User Name                        | SYHR_A_P0105_AF_SYSUNAME
                                                    | Area Code + Local Access Code           | SYHR_A_P0105_AF_TEL_NR
                                                    | Extension                               | SYHR_A_P0105_AF_TEL_EXT

   See the figure below for the fields for Infotype 0000.

   [Figure: field selection for Infotype 0000]

8. Note the Infotype number that the attributes belong to. You will need this number when you maintain the attribute mapping in the next step.
9. Save the query and return to the initial screen.
10. Activate the query by executing it. You must execute the query once so that it is generated and available for later steps. You can reduce the amount of data selected for this initial execution by using a limited time period (for example, Today) and a range for the Personnel Number (for example, 1 to 1000).

D.2 Specifying the Attribute Mapping Between the HR Fields and LDAP Synchronization

In this step, you map the HR fields selected by the query to the input attributes used by LDAP synchronization.

Prerequisites

The query used for extracting the data is active.

Procedure

Using field assignment maintenance (transaction HRLDAP_MAP):

1. Select the Global Work Area indicator.
2. Enter /SAPQUERY/L1 as the User Group.
3. Enter the name of your query.
4. Choose Import. The fields assigned to your query appear.
5. Maintain the Attribute Grp and Attrib.Name fields for each query field. Specify the attribute group so that it corresponds to the Infotype number you noted in the last step. We recommend using the query field names as the attribute names. To omit a field from the export, set the Tech. Field indicator; fields marked as such are not exported.

The table below shows an example based on the query fields listed in step D.1.

   QueryFld                 | Description                             | Attribute Grp | Attrib.Name
   P0000-PERNR              | Personnel Number                        | P0000         | P0000-PERNR
   P0000-STAT2              | Employment Status                       | P0000         | P0000-STAT2
   SYHR_a_P0000_AF_FIREDATE | Leaving Date                            | P0000         | SYHR_a_P0000_AF_FIREDATE
   SYHR_A_P0000_AF_HIREDATE | Entry date                              | P0000         | SYHR_A_P0000_AF_HIREDATE
   P0001-ENAME              | Formatted Name of Employee or Applicant | P0001         | P0001-ENAME
   P0002-NACHN              | Last Name                               | P0002         | P0002-NACHN
   P0002-VORNA              | First Name                              | P0002         | P0002-VORNA
   P0002-SPRSL              | Communication Language                  | P0002         | P0002-SPRSL
   SYHR_A_P0105_AF_CELL     | Mobile Telephone                        | P0105         | SYHR_A_P0105_AF_CELL
   SYHR_A_P0105_AF_FAX      | Telefax                                 | P0105         | SYHR_A_P0105_AF_FAX
   SYHR_A_P0105_AF_EMAIL    | E-Mail                                  | P0105         | SYHR_A_P0105_AF_EMAIL
   SYHR_A_P0105_AF_SYSUNAME | System User Name                        | P0105         | SYHR_A_P0105_AF_SYSUNAME
   SYHR_A_P0105_AF_TEL_NR   | Area Code + Local Access Code           | P0105         | SYHR_A_P0105_AF_TEL_NR
   SYHR_A_P0105_AF_TEL_EXT  | Extension                               | P0105         | SYHR_A_P0105_AF_TEL_EXT

6. Save the data.

D.3 Creating an RFC Destination to Use for the LDAP Connector

Using destination maintenance (transaction SM59):

1. Create an RFC destination with the following properties:
   Type: T (TCP/IP Connection)
   Name: <Destination_Name> (for example, LDAP_VD)
   Activation Type: Registered server program
   Program ID: <Program_ID> (for example, LDAP_LOCALHOST)
   Gateway host: <Gateway_host> (host where the system's gateway runs)
   Gateway service: <Gateway_service> (name of the gateway service, for example sapgw<sys_nr>)
2. Save the data.

The LDAP connector registers itself at this gateway under the program ID, so the gateway's registration rules (reginfo) must permit that registration; otherwise the connection test in SM59 fails.

D.4 Configuring the Parameters to Use for the Connection to the VDS

Using directory service connection maintenance (transaction LDAP):

1. Set up the LDAP connector:
   a. Choose LDAP Connectors. The LDAP Connector (Maintenance View) screen appears.
   b. Choose Display/Change to change to edit mode.
   c. Choose New Entries.
   d. Enter the name of the RFC destination you created in the last step (for example, LDAP_VD).
   e. Maintain the LDAP connector settings as necessary.
   f. Save the data and return to the main screen for the directory service connection maintenance.
2. Set up a service user to use for the connection:
   a. Choose System Users.
   b. Choose Display/Change to change to edit mode.
   c. Choose New Entries.

   d. Enter the properties for the system user. For the Distinguished Name, use the Username that you specified for the VDS in step C.4.
      User ID: <User_ID> (for example, HR_USER)
      Distinguished Name: <Directory_Server_User> (for example, HR_USER)
      Auth. mechanism: Simple Bind
      Credential storage: Simple Memory
   e. For the Credentials, choose Change and enter the directory server user's password. This password must match the password specified for the directory server user in step C.4. See the figure below. Simple Bind sends this password in clear text over the LDAP connection, so keep the connection between the SAP HCM system and the VDS on a trusted network.

      [Figure: system user entry for the VDS]

   f. Save the data and return to the main screen for directory service connection maintenance.
3. Create an entry for the LDAP server:
   a. Choose LDAP Servers.
   b. Choose Display/Change to change to edit mode.
   c. Choose New Entries.

   d. Enter the properties for the VDS as follows:
      Host name: <VDS_Host>
      Port number: <LDAP_Port> (for example, 1389; the port you configured in step C.4)
      Product name: <blank>
      Protocol version: LDAP version 3
      LDAP Application: Employee
      Default: Inactive (unless the VDS should be the default LDAP server)
      Base entry: (for example, o=idstore) The path is defined in the virtual tree of the Virtual Directory Server.
      System Logon: <User_ID> (Use the user ID you specified in the last step, for example, HR_USER.)
      Read Anonymously: Inactive
   e. Save the data and return to the main screen for directory service connection maintenance.

D.5 Maintaining the Attribute Mappings

Using directory service connection maintenance (transaction LDAP):

1. Choose LDAP Servers.
2. Select the LDAP server to maintain (for example, LDAP_VD) so that the row is marked.
3. If you are not in edit mode, switch to edit mode (choose Display/Change).
4. In the left frame, select Mapping with a double-click. The Mapping Overview screen appears.
5. In the ObjectClasses list, enter sapidentity.
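The values entered in step 4 of Appendix C and in step D.4 have to agree (same port, same bind user, same password, Read Anonymously inactive), and a mismatch only shows up as a failed bind at the first export. The following is an added example in Python, not part of the SAP guide and not code that the VDS or the SAP system runs: it holds the two sets of parameters as dictionaries and cross-checks them, and masks the database password embedded in the identity store connection string before it is logged. The dictionary key names, the host name and both password values are this example's own assumptions; the remaining values are the guide's example values.

```python
"""Added example, not part of the SAP guide: cross-check the Virtual
Directory Server parameters from Appendix C (step 4) against the LDAP
server and system user entries from step D.4, so that a mismatched
port, bind user or password is caught before the first export.

The dictionaries are constructed from the guide's example values; the
key names, the host name and the password values are this example's own."""
import re

# Appendix C, step 4: values entered in the VDS console
VDS_CONFIG = {
    "port": 1389,
    "identity_store": ("jdbc:sqlserver://localhost:1433;databasename=mxmc_db;"
                       "user=mxmc_rt;password=s3cret"),      # constructed password
    "identity_store_number": 5,
    "username": "HR_USER",                                   # bind user for the VDS
    "password": "hr-bind-pw",                                # constructed password
}

# Step D.4: LDAP server entry and system user entry in transaction LDAP
SAP_LDAP_SERVER = {
    "host": "vds.example.corp",          # assumed host name
    "port": 1389,
    "protocol_version": 3,
    "base_entry": "o=idstore",
    "system_logon": "HR_USER",           # User ID of the system user entry
    "read_anonymously": False,
}
SAP_SYSTEM_USER = {
    "user_id": "HR_USER",
    "distinguished_name": "HR_USER",     # must equal the VDS Username
    "auth_mechanism": "Simple Bind",
    "credential": "hr-bind-pw",          # must equal the VDS Password
}

PLACEHOLDERS = {"", "<password>", "<Directory_Server_User_Password>"}


def cross_check(vds, server, user):
    """Return a list of mismatches; an empty list means the entries agree."""
    problems = []
    if not 1 <= vds["port"] <= 65535:
        problems.append(f"VDS port {vds['port']} is out of range")
    if server["port"] != vds["port"]:
        problems.append(f"LDAP server port {server['port']} != VDS port {vds['port']}")
    if server["system_logon"] != user["user_id"]:
        problems.append("LDAP server System Logon does not name the system user entry")
    if user["distinguished_name"] != vds["username"]:
        problems.append(f"system user DN {user['distinguished_name']!r} "
                        f"!= VDS username {vds['username']!r}")
    if user["credential"] != vds["password"]:
        problems.append("system user credential does not match the VDS password")
    if vds["password"] in PLACEHOLDERS or user["credential"] in PLACEHOLDERS:
        problems.append("bind password is still a placeholder")
    if server["protocol_version"] != 3:
        problems.append("protocol version must be LDAP version 3")
    if server["read_anonymously"]:
        problems.append("Read Anonymously must be inactive for the VDS entry")
    return problems


def redact(jdbc_url):
    """Mask the database password embedded in the identity store URL before logging it."""
    return re.sub(r"(?i)(password=)[^;]*", r"\1***", jdbc_url)


if __name__ == "__main__":
    print("identity store:", redact(VDS_CONFIG["identity_store"]))
    for p in cross_check(VDS_CONFIG, SAP_LDAP_SERVER, SAP_SYSTEM_USER) or ["entries agree"]:
        print(p)
```

Run it after both sides are configured and before the first export; any line it prints other than "entries agree" corresponds to one of the "must match" statements in steps C.4 and D.4.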

6. Maintain the mappings between the fields used by the LDAP synchronization and the VDS:
   a. Create an entry that maps the structure EMPLOYEE, field KEY, to the attribute cn. To create a new entry, choose Edit → Add New Mapping.
   b. Specify the rest of the entries to map the fields used by the HR LDAP query to identically named attributes. The entries for Structure and Field must be identical to the Attribute Grp and Attrib.Name entries you created for the query mapping in step D.2. See the table below.

   Structure | Field                    | Attribute                | Flags to Set
   EMPLOYEE  | KEY                      | cn                       | Filter, Import Mapping, Export Mapping, RDN Mapping
   P0000     | P0000-PERNR              | P0000-PERNR              | Export Mapping
   P0000     | P0000-STAT2              | P0000-STAT2              | Export Mapping
   P0000     | SYHR_a_P0000_AF_FIREDATE | SYHR_a_P0000_AF_FIREDATE | Export Mapping
   P0000     | SYHR_A_P0000_AF_HIREDATE | SYHR_A_P0000_AF_HIREDATE | Export Mapping
   P0001     | P0001-ENAME              | P0001-ENAME              | Export Mapping
   P0002     | P0002-NACHN              | P0002-NACHN              | Export Mapping
   P0002     | P0002-VORNA              | P0002-VORNA              | Export Mapping
   P0002     | P0002-SPRSL              | P0002-SPRSL              | Export Mapping
   P0105     | SYHR_A_P0105_AF_SYSUNAME | SYHR_A_P0105_AF_SYSUNAME | Export Mapping
   P0105     | SYHR_A_P0105_AF_EMAIL    | SYHR_A_P0105_AF_EMAIL    | Export Mapping
   P0105     | SYHR_A_P0105_AF_CELL     | SYHR_A_P0105_AF_CELL     | Export Mapping
   P0105     | SYHR_A_P0105_AF_FAX      | SYHR_A_P0105_AF_FAX      | Export Mapping
   P0105     | SYHR_A_P0105_AF_TEL_NR   | SYHR_A_P0105_AF_TEL_NR   | Export Mapping
   P0105     | SYHR_A_P0105_AF_TEL_EXT  | SYHR_A_P0105_AF_TEL_EXT  | Export Mapping

7. Go back and save the data.
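The requirement that every Structure/Field pair in this table equal an Attribute Grp/Attrib.Name pair from step D.2 is easy to break with a single mistyped character, and the transaction does not check it for you. The following is an added example in Python, not part of the SAP guide and not code that HRLDAP_MAP or the LDAP connector execute: it holds both mapping tables, reports every server-mapping entry that no exported field matches (with the closest exported field as a hint) and every exported field that is not mapped, and then renders the LDIF entry the LDAP connector would send to the VDS for one HR record. Assumptions the guide does not make: EMPLOYEE.KEY carries the personnel number, the entry DN is cn=<PERNR>,o=idstore, the object class sapidentity is written as an attribute, and the HR record is constructed.

```python
"""Added example, not part of the SAP guide: verify that the LDAP server
mapping from step D.5 matches the HRLDAP_MAP field assignment from step
D.2, then render the entry the LDAP connector would send to the VDS for
one HR record.

Assumptions not made by the guide: EMPLOYEE.KEY carries the personnel
number, the entry DN is cn=<PERNR>,<base entry> and the object class is
sapidentity; the HR record below is constructed."""
import base64
import difflib

# Step D.2 (transaction HRLDAP_MAP): query field -> (Attribute Grp, Attrib.Name)
HRLDAP_MAP = {
    "P0000-PERNR": ("P0000", "P0000-PERNR"),
    "P0000-STAT2": ("P0000", "P0000-STAT2"),
    "SYHR_a_P0000_AF_FIREDATE": ("P0000", "SYHR_a_P0000_AF_FIREDATE"),
    "SYHR_A_P0000_AF_HIREDATE": ("P0000", "SYHR_A_P0000_AF_HIREDATE"),
    "P0001-ENAME": ("P0001", "P0001-ENAME"),
    "P0002-NACHN": ("P0002", "P0002-NACHN"),
    "P0002-VORNA": ("P0002", "P0002-VORNA"),
    "P0002-SPRSL": ("P0002", "P0002-SPRSL"),
    "SYHR_A_P0105_AF_CELL": ("P0105", "SYHR_A_P0105_AF_CELL"),
    "SYHR_A_P0105_AF_FAX": ("P0105", "SYHR_A_P0105_AF_FAX"),
    "SYHR_A_P0105_AF_EMAIL": ("P0105", "SYHR_A_P0105_AF_EMAIL"),
    "SYHR_A_P0105_AF_SYSUNAME": ("P0105", "SYHR_A_P0105_AF_SYSUNAME"),
    "SYHR_A_P0105_AF_TEL_NR": ("P0105", "SYHR_A_P0105_AF_TEL_NR"),
    "SYHR_A_P0105_AF_TEL_EXT": ("P0105", "SYHR_A_P0105_AF_TEL_EXT"),
}

# Step D.5 (transaction LDAP, Mapping): (Structure, Field, Attribute).
# The key row is the RDN mapping; the rest use identical field and
# attribute names, as the guide recommends.
LDAP_MAPPING = [("EMPLOYEE", "KEY", "cn")] + [
    (grp, name, name) for grp, name in HRLDAP_MAP.values()
]


def check_mappings(hrldap_map, ldap_mapping):
    """Return problems as strings. Every Structure/Field in the server mapping
    (other than the EMPLOYEE key) must equal an Attribute Grp/Attrib.Name pair
    exactly, and every exported field should be mapped to an attribute."""
    exported = set(hrldap_map.values())
    mapped = {(s, f) for s, f, _ in ldap_mapping if s != "EMPLOYEE"}
    names = [name for _, name in exported]
    problems = []
    for s, f in sorted(mapped - exported):
        hint = difflib.get_close_matches(f, names, n=1)
        problems.append(f"{s}/{f}: not exported by the query"
                        + (f" (did you mean {hint[0]}?)" if hint else ""))
    for s, f in sorted(exported - mapped):
        problems.append(f"{s}/{f}: exported but not mapped to an attribute")
    return problems


def _ldif_line(attr, value):
    """Base64-encode values that LDIF (RFC 2849) cannot carry literally."""
    if not value.isascii() or value[0] in " :<" or value != value.rstrip():
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def render_entry(record, ldap_mapping, base="o=idstore"):
    """Render the LDIF entry for one HR record (structure -> field -> value).
    The key is numeric, so no RFC 4514 escaping is needed in the RDN."""
    rdn_attr = next(a for s, f, a in ldap_mapping if (s, f) == ("EMPLOYEE", "KEY"))
    lines = [f"dn: {rdn_attr}={record['EMPLOYEE']['KEY']},{base}",
             "objectClass: sapidentity"]
    for s, f, attr in ldap_mapping:
        value = record.get(s, {}).get(f)
        if value:                      # empty HR fields yield no attribute
            lines.append(_ldif_line(attr, value))
    return "\n".join(lines)


SAMPLE_RECORD = {                      # constructed, not real HR data
    "EMPLOYEE": {"KEY": "00001234"},
    "P0000": {"P0000-PERNR": "00001234", "P0000-STAT2": "3",
              "SYHR_A_P0000_AF_HIREDATE": "20080101"},
    "P0001": {"P0001-ENAME": "Müller Anna"},
    "P0002": {"P0002-NACHN": "Müller", "P0002-VORNA": "Anna", "P0002-SPRSL": "D"},
    "P0105": {"SYHR_A_P0105_AF_EMAIL": "anna.mueller@example.com",
              "SYHR_A_P0105_AF_SYSUNAME": "AMUELLER"},
}

if __name__ == "__main__":
    for p in check_mappings(HRLDAP_MAP, LDAP_MAPPING) or ["mappings consistent"]:
        print(p)
    print(render_entry(SAMPLE_RECORD, LDAP_MAPPING))
```

Type both tables in exactly as they appear in HRLDAP_MAP and in the Mapping Overview screen rather than deriving one from the other, so that the check actually compares what was entered. The attribute names carry underscores, which the VDS accepts because it does not enforce an LDAP schema for attributes (see the note at the start of Appendix D); a strict directory server would reject them.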

Example

For an example of the LDAP attribute mappings, see the figure below.

[Figure: LDAP attribute mappings for the VDS server entry]