The Identity functionalities of this connector enable you as an Identity administrator to configure SAP NetWeaver as a connected system and then make Identity users part of the SAP NetWeaver system. This enables the user or Identity administrator to reset SAP NetWeaver account passwords. This also enables you to enable and disable user accounts.
The Provisioning functionalities of this connector enable exporting and importing user accounts on a SAP NetWeaver system. The connector supports managing role and profile assignments for users. This includes exporting, adding, modifying, and deleting role and profile assignments of users.
This connector was developed and tested with SAP ECC 6.0. Because the connector uses standard user management BAPIs/RFCs for user management and provisioning, it is expected that the connector will work for other versions of SAP.

 

 

Functionalities

Identity Integration

Provisioning Integration

 

Prerequisites

Ensure that these prerequisites are satisfied:

• An administrator account that can be used to establish a connection and has authority to manage accounts on the connected system.
• This connector uses SAP JCo3 to communicate with SAP.  SAP JCo3 running on Windows requires Visual Studio 2005 C/C++ runtime libraries. This is shipped as Windows side-by-side assemblies. If it is not available in the machine, use the link https://www.microsoft.com/en-us/ download/details.aspx?id=21254 for 64-bit and https://www.microsoft.com/en-in/download/ details.aspx?id=3387 for 32-bit to download and install it.
• Download SAP JCo3 components from SAP Service Marketplace http://service.sap.com/connectors. The path to reach download link is SAP Java Connector --> Tools & Services. This is available as a zip file. These components are platform dependent; so download the components suitable for your platform.

• Notes:

  
  
  • SAP libraries cannot be redistributed. You must have a valid SAP NetWeaver license to download the libraries as described in this chapter.
  • The JCo should be accessible to anyone who has an On-line Service System (OSS) ID.
  • Extract sapjco3.jar and sapjco3.dll from the zip file (downloaded above). For non-Windows platforms, it is libsapjco3.so instead of sapjco3.dll.

 

Installing the SAP JCo dll and jar Files

Notes:

• Identity and Provisioning should already be installed prior to completing the procedures in this section.
• If a GIG is to be used it should already be installed prior to completing the procedures in this section.
• If the Workflow and Connectivity Studio is to be used, it should already be installed prior to completing the procedures in this section.

 

Follow the steps below for your server installation:

• Identity
• Provisioning
• GIG
• Workflow and Connectivity Studio

Identity

For the connector to support Identity features only, the SAP JCo components must be installed in the Identity Server. If the connector is used only for Identity, deployment of components in Provisioning is not required.

Ensure that these prerequisites are satisfied:

• For Windows platforms, ensure that Visual Studio 2005 C/C++ runtime libraries are installed.
• Download SAP JCo3 components suitable for your platform.
• Locate fisc-sap-dest-data-provider.jar from IdM Suite Software folder\Identity\Resource\Connectors\SAPNetWeaver.

 

For Windows platforms, follow these steps:

1. Stop your Web application server.
2. Copy the jar files sapjco3.jar and fisc-sap-dest-data-provider.jar to lib folder of the application server. For apache-tomcat, it is:
   <CATALINA_HOME>/lib
3. Copy the sapjco3.dll file to this directory:
   <installation folder>/IdM/identity/agentdll
4. Add agentdll folder to the path. This can be done using either one of the following options.
   1. Update PATH environment variable to include <installation folder>/IdM/identity/agentdll
   2. Through tomcat's JAVA_OPTS as -Djava.library.path=<installation folder>/IdM/identity/agentdll
5. Restart your Web application server.

Provisioning

For the connector to support Provisioning features, the SAP JCo components must be installed on the Provisioning Server. If the connector is used only for Provisioning, deployment of components in Identity is not required.

Ensure that these prerequisites are satisfied:

• For Windows platforms, ensure that Visual Studio 2005 C/C++ runtime libraries are installed.
• Download SAP JCo3 components suitable for your platform.
• Locate fisc-sap-dest-data-provider.jar from IdM Suite Software folder\Provisioning\Resource\Connectors\SAPNetWeaver.

 

For Windows platforms, follow these steps:

1. Stop your Web application server.
2. Copy the jar files sapjco3.jar and fisc-sap-dest-data-provider.jar to lib folder of the application server. For apache-tomcat, it is:
   <CATALINA_HOME>/lib
   
   Note: You can skip this step 2 if Identity and Provisioning are sharing the same application server.
3. Copy the sapjco3.dll file to this directory:
   <installation folder>/Provisioning/dataforum/agentdll
   
   
4. Add agentdll folder to the path. This can be done using either one of the following options.
   1. Update PATH environment variable to include <installation folder>/Provisioning/dataforum/ agentdll
   2. Through tomcat's JAVA_OPTS as -Djava.library.path=<installation folder>/Provisioning/ dataforum/agentdll.
      
      
5. Restart your Web application server.

GIG

If the connector is used in a GIG, the SAP JCo components must be installed in the GIG. If the connector is used only in a GIG, deployment of components in Identity and Provisioning is not required.

Ensure that these prerequisites are satisfied:

• For Windows platforms,ensure that Visual Studio 2005 C/C++ runtime libraries are installed.
• Download SAP JCo3 components suitable for your platform.
• Locate fisc-sap-dest-data-provider.jar from IdM Suite Software folder\Identity\Resource\Connectors\SAPNetWeaver.

 

For Windows platforms, follow these steps:

1. Stop your Web application server.
   
   
2. Copy the jar files sapjco3.jar and fisc-sap-dest-data-provider.jar to lib folder of the application server. For apache-tomcat, it is:
   <CATALINA_HOME>/lib
   
3. Copy the sapjco3.dll file to these directories:
   <installation folder>/gig/agentdll/idm
   <installation folder>/gig/agentdll/prov
   
   
4. Add agentdll folder to the path. This can be done using either one of the following options.
   
   
   1. Update PATH environment variable to include <installation folder>/gig/agentdll/idm and <installation folder>/gig/agentdll/prov
   2. Through tomcat's JAVA_OPTS as -Djava.library.path=<installation folder>/gig/agentdll/ idm;<installation folder>/gig/agentdll/prov
      
      
5. Restart your Web application server.

Workflow and Connectivity Studio

If the connector is used in the Workflow and Connectivity Studio, the SAP JCo components must be installed in the Studio.

Ensure that these prerequisites are satisfied:

• For Windows platforms, ensure that Visual Studio 2005 C/C++ runtime libraries are installed.
• Download SAP JCo3 components for Windows platforms.

1. Stop the Workflow and Connectivity Studio.
   
   
2. Copy the sapjco3.jar file to this directory:
   <installation folder>/Provisioning/jars
   
   
3. Copy the sapjco3.dll file to this directory:
   <installation folder>/Provisioning/dataforum/agentdll
   
   
4. Restart the Workflow and Connectivity Studio.

Creating the Connected System in the Admin UI

Note: You must have already performed the steps described in Installing the SAP JCo dll and jar Files before proceeding.

1. Log in to Identity Administration and click the Systems tab.
   
   

2. On the Connected System View page, click the Add button and select the SAP NetWeaver connected system from the Type drop-down list. The Connected System Details page displays the default values:
   
   
   
   

3. Enter the desired information:

   Definition
   Supported Connectors	Displays whether the connected system is Identity only, Provisioning only, or both.
   Type	Select the connected system type.
   Locale	Select the preferred language (default: English). Locale specific information such as Display Name and Description can be added only while modifying the connected system.
   Name	The name for this connected system. Note: The name cannot be modified later.
   Display Name	The display name of the new connected system.
   Description	The description of the connected system.
   Associated With	Select how the connector associated with this system will run: Server (default) - Runs locally on the Provisioning/Identity Server. Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list. See Using the Global Identity Gateway with Connected Systems for additional information.
   Password Reset By	Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users: OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/ disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system. Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self- Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
   Provisioning Option	Select the provisioning option: Automated (default) - The connected system functions as a normal connected system; there are no restrictions. Administrative - The connected system cannot be used as an object in a workflow.
   Enable HPAM Support	Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
   Enable Transfer Of Accounts	Select to make the transfer of Accounts enabled (default cleared).
   Connection Information
   Connection Type	Select the connection type: Direct (Default) - Connects directly to an SAP Group - Connects to a load balancing group of SAP instances.
   Application/Message Server Host	SAP server host address. This should be the host name of the ABAP (Advanced Business Application Programming) application server when the connection type is Direct and SAP message server when connection type is Group.
   Message Server Port	SAP message server port. This is an optional parameter used only when the connection type is Group.
   System Number/ID	The system number of the ABAP (Advanced Business Application Programming) application server when the connection type is Direct and System ID of the SAP system when connection type is Group.
   Group Name	Group name of SAP application servers. This is a mandatory parameter when connection type is Group.
   Client	The Client ID number.
   SAP Router String	The SAP router string for connection to systems behind a SAP router.
   Service Account Name	The name of the administrative user account used to connect to the server.
   Service Account Password	The administrative user password.
   Connection Pool (JCO) Size	Select the maximum number of connections that can be created in the connection pool by the connector to a SAP Server. As needed, the connection pool will grow only to this maximum limit.
   Unicode Enabled	Check this box if the connection is to be Unicode enabled.
   GRC Webservice URL	Specify the URL syntax to build the SAP GRC web service URL. This syntax is used to build the end point URL for each web service by substituting the place holders. Place holder ##WS_Name## is replaced with the web service name and ##Client_ID## is replaced with the Client provided with connected system. A sample URL syntax is: http://sapsrv:8000/sap/bc/srt/rfc/sap/##WS_Name##/ ##Client_ID##/##WS_Name##/##WS_Name##_binding
   Password Expiration Support
   Expiration Options For Admin/OBO User Password Reset	Specify the password expiration: None or Immediate.
   System Owner	Add or Remove users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.

4. Click the Test Connection button to test the Connection Information:

   • If successful, one or both of these messages may display::

   Message: Connection from Provisioning to the connected system was established successfully.
   Message: Connection from Identity to the connected system was established successfully.

   • If unsuccessful, one or both of these messages may display:

   Error: Failed to establish connection from Provisioning to the connected system.
   Error: Failed to establish connection from Identity to the connected system.
   
   Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning logs.

5. (Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays:
   
   
   
   

   1. Select the owners and then click the Select button. The system owner displays under the System Owner section:
      
      
      Note: More than one user can be assigned as an owner.
      
      
   2. To add additional system owners, click the Add button.
6. On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system:
   
   
   

   1. Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 7.

   2. Click the Add Association button to associate the selected object categories to the connected system.

7. Click the Back button to return to the Connected System View page. The new connected system displays in the list.

See Copying, Modifying, and Deleting Connected Systems for additional information.

Creating the Connected System in the Studio

1. Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
   
   
2. Select the SAP NetWeaver connected system from the Type drop-down list. The default values display.
   
   
   

3. Enter the desired information:
   
   

   Definition
   Type	Select the connected system type.
   Name	The name for this connected system. Note: The name cannot be modified later.
   Display Name	The display name of the new connected system.
   Description	The description of the connected system.
   Supported Connectors	Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.
   Associated With	Select how the connector associated with this system will run: Server (default) - Runs locally on the Provisioning/Identity Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this See the appendix Using the Global Identity Gateway with Connected Systems for additional information.
   Password Reset By	Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users: OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system. Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system. Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
   Provisioning Option	Select the provisioning option: Automated (default) - The connected system functions as a normal connected system; there are no restrictions. Administrative - The connected system cannot be used as an object in a workflow.
   Enable HPAM Support	Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
   Enable Transfer Of Accounts	Select to make the transfer of Accounts enabled (default cleared).
   Connection Information
   Connection Type	Select the connection type: Direct (Default) - Connects directly to an SAP Group - Connects to a load balancing group of SAP instances.
   Application/Message Server Host	SAP server host address. This should be the host name of the ABAP (Advanced Business Application Programming) application server when the connection type is Direct and SAP message server when connection type is Group.
   Message Server Port	SAP message server port. This is an optional parameter used only when the connection type is Group.
   System Number/ID	The system number of the ABAP (Advanced Business Application Programming) application server when the connection type is Direct and System ID of the SAP system when connection type is Group.
   Group Name	Group name of SAP application servers. This is a mandatory parameter when connection type is Group.
   Client	The Client ID number.
   SAP Router String	The SAP router string for connection to systems behind a SAP router.
   Service Account Name	The name of the administrative user account used to connect to the server.
   Service Account Password	The administrative user password.
   Connection Pool (JCO) Size	Select the maximum number of connections that can be created in the connection pool by the connector to a SAP Server. As needed, the connection pool will grow only to this maximum limit.
   Unicode Enabled	Check this box if the connection is to be Unicode enabled.
   GRC Webservice URL	Specify the URL syntax to build the SAP GRC web service URL. This syntax is used to build the end point URL for each web service by substituting the place holders. Place holder ##WS_Name## is replaced with the web service name and ##Client_ID## is replaced with the Client provided with connected system. A sample URL syntax is: http://sapsrv:8000/sap/bc/srt/rfc/sap/##WS_Name##/ ##Client_ID##/##WS_Name##/##WS_Name##_binding
   Password Expiration Support
   Expiration Options For Admin/OBO User Password Reset	Specify the password expiration: None or Immediate.

4. Click the Connect button to test the Connection Information:
   • If successful, this message displays:

   Connection from Studio to the connected system was established successfully.

   • If unsuccessful this message displays:

   Failed to establish connection from Studio to the connected system.

   Note: If the connection fails, additional messages may display providing more information regarding the failure.

    

5. Click the Apply button to apply changes. The Category Association window displays.

    

   1. Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.

   2. Click the Add button to associate the selected object categories to the connected system.

6. Click OK to accept selected categories.

See Copying, Modifying, and Deleting Connected Systems for additional information.

Using JCo Trace

SAP JCo has native trace support. This is for debugging SAP JCo calls, and it can be controlled by using the configuration property SAP JCO Trace Level. If this greater than 0, JCo traces are written to one or multiple files named JCO<date>_<time>.<no>.trc under the logs folder. JCo offers trace levels from 0 to 10. The amount of traced data increases with the chosen trace level. Each trace level also contains all the trace data from the lower trace levels.

JCo trace can be managed in Identity using the SAP JCO Trace Level property under the section Identity Server Logs, and in Provisioning under the section Provisioning Server Logs.

JCo trace can be managed for a GIG in the Admin UI -> Server tab, by selecting the GIG from GIG and changing this property under Configuration-> Logs.

JCo trace can be managed in the Workflow and Connectivity Studio by changing the property SAPJCOTraceLevel in studio.properties. Then either restart the Workflow and Connectivity Studio or reload the configuration using Tools -> Refresh Configuration for the changes to take effect.

Using the Connected System for Identity

Perform these procedures to configure the connector:

• Connector Details for Identity
• Identity Password Management

Connector Details for Identity

This table lists values to enter when associating the Identity user with an existing user in the connected system:

 

Identity

These standard BAPIs are used to achieve the Identity operations such as enable, disable, reset- password, validate, and check the status of a SAP user account:

• BAPI_USER_GETLIST
• SUSR_LOGIN_CHECK_RFC
• BAPI_USER_EXISTENCE_CHECK
• BAPI_USER_LOCK
• BAPI_USER_CHANGE
• BAPI_USER_UNLOCK

During password reset, the initial password is set. This is a temporary password and the user must change this password when logging in from the SAP UI.

Identity Password Management

See the Identity Suite Administration documentation for details on password management.

Using the Connected System for Provisioning

Perform these procedures to configure the connector:

• Configuring for Export
• Configuring for Import
• Connector Details for Provisioning

Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.

See the appendix SAP NetWeaver Library Workflows for details on the library workflows included in the IdM Suite.

Configuring for Export

Perform these procedures to configure the connector:

• Configuring the Export Connector
• Configuring the Export Link

From the Workflow and Connectivity Studio, select the SAP NetWeaver UserExport workflow listed under the projects folder.

If a workflow does not already exist, create an export workflow. See the Workflow and Connectivity Studio document for details on creating export workflows.

Configuring the Export Connector

1. In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:
   
   
   
   
2. From the Configure Plug-in tab, set these properties as required:
   
   

Note: Hover the pointer over a property to view its description.

Set Filter

Setting the filter is a means to narrow the search scope and return specific results. Enter the required text in the Filter field or click the Set button to set the search filter. The Set Filter window displays.

Notes:

• For the AND operator, if more than one identical field for the same structured multi-valued attribute is specified, the filter returns an empty
• While building a filter involving texts, if the number of characters exceeds the value specified by SAP, the filter ignores the characters beyond that permitted value.

3. (Optional) Select the Attributes tab. Only standard attributes display

Modify schema attributes using these buttons:

For information about supported attributes, see the sectionsSingle Valued Attributes and Structured Multi-valued Attributes.

5. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design

6. Click OK to save any changes and return to the Workflow and Connectivity Studio

 

Connector Attributes

These are the attributes per data format:

• User Attributes
• Role Attributes
• GRC Role Attributes
• Value Lookup Attributes
• PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, HRCombined, and PDObjectTypes Attributes
• Actions Attributes

User Attributes

Single Valued Attributes

This table lists the single-valued attributes supported for User data format. All attributes can be exported except PASSWORD.BAPIPWD. Only USERNAME is needed to delete a user. Other attributes are not considered when changetype is delete. M = Mandatory.

Structured Multi-valued Attributes

This table lists the single-valued attributes supported for User data format. All attributes can be exported except PASSWORD.BAPIPWD. Only USERNAME is needed to delete a user. Other attributes are not considered when changetype is delete. M = Mandatory.

Role Attributes

GRC Role Attributes

Value Lookup Attributes

PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, HRCombined, and PDObjectTypes Attributes

 

Actions Attributes

This table lists the single-valued attributes supported for Actions data format.

 

Configuring the Export Link

1. In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:

   

   Source Attributes	Select the attributes to export.
   Selected Attributes	Displays default attributes and those attributes that have been selected from the Source Attributes. Notes: The check boxes are used only for delta export operations. These checked attributes will always be exported whether they were changed or not. Usually, the attributes that are selected as mandatory attributes help in identifying or verifying an entry when completing mapping functions.
   Format	Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, BirthDate. During export, the attribute's value is converted to the specified format. See the Format Date steps below for additional information. Notes: The Format button is only enabled for date attributes. The Refresh Schema button on the Configure Data Source window’s Attributes tab must be used to refresh the schema and enable the Format button for date attributes.
   Advanced Settings	Displays the Configure Attributes window for selecting any attributes that need to be encrypted.

2. From the Attribute Selection tab, select attributes to export. Usually, these attributes that are selected (mandatory attributes) help in identifying or verifying an entry when completing Data Mapper functions.

3. (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.
   
   
   1. Select the Include Time check box to add the timestamp with the date.
   2. Select the 24 Hour or 12 Hour option button and then select the required date/time format.
   3. Click OK to save the selected format. The Configure Link window displays.
      
      
4. (Optional) Select the Appearance tab to change how the link displays in the Design pane.
   
   
5. Click OK to save any changes and return to the Workflow and Connectivity Studio window
   
   
6. (Optional) To create scripts for advanced functionality, right-click the export link and select the export task properties. See the section ‘Success Scripts and Failure Scripts’ in the Workflow and Connectivity Studio document for specific details.
   
   
7. Deploy the workflow by selecting Deploy ► New Deployment.
   See the Workflow and Connectivity Studio documentation for details of deployment options.
   
   
8. Manage and run the deployed workflow from the Admin UI ► Server See the Identity Suite Administration Guide documentation for details.

Configuring For Import

Perform these procedures to configure the connector for data import:

• Configuring the Import Connector
• Configuring the Import Link

From the Workflow and Connectivity Studio, select the SAP NetWeaver UserAdd, UserModify, or UserDelete workflow listed under the projects folder.

If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio document for details on creating import workflows.

Configuring the Import Connector

1. In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:
   
   
   
2. From the Configure Plug-in tab, set these properties as required:

   Associated Connected System	Select the connected system from the list. The import operation will be done to this connected system.
   Data Formats	Select the type of data format to use: User (this is the only data format supported at this time).
   DynamicConnectedSystem	Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicCon- nectedSystemOption when GlobalVariable is selected.
   DynamicConnectedSystemOption	Select how to control Dynamic System Support (DSS): None - There will not be any Dynamic System Transaction-SystemName - The value of the Transaction- SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction- SystemName; if it is missing in data, the operation will GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
   Id *	Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system.
   loginId *	Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system.
   SubRecordsInFoldedState	When set to TRUE, the connector accepts multi-level attributes in a folded state

   1. 
      Notes:

      * Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_ID and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.

      Hover the pointer over a property to view its description.

    

3. (Optional) Select the Attributes Only standard attributes display:
   
   Modify schema attributes with the buttons.
   
   
4. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
   
   
5. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
   

   Configuring the Import Link
   
   

6. In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays:
   
   
   

   Source Attributes	Select the attributes to import.
   Check for attribute-level auditing	If auditing is enabled and these attributes below are checked, Provisioning will log all events for auditing purposes.
   Selected Attributes	Displays default attributes and those attributes that have been selected from the Source Attributes. Check the box of any attribute required for attribute-level auditing.
   Advanced Settings	Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
   Audit Key	Select the attribute to associate with the Audit Key.

7. From the Attribute Selection tab, select attributes to import.
8. (Optional) Select the Appearance tab to change how the link displays in the Design pane.
9. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
10. Deploy the workflow by selecting Deploy ► New Deployment.
    See the Workflow and Connectivity Studio document for details of deployment options.
11. Manage and run the deployed workflow from the Admin UI ► Server tab.
    See the Identity Suite Administration Guide documentationfor details.

Connector Details for Provisioning

Configuration import properties Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_ID and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.

This table shows the default attributes specified for these properties for the connected system:

The connector supports export and import operations. The data is exported from, or imported to the SAP system in different data formats:

• This connector supports exporting User, Role, PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, and HRCombined See Export Data Format.
• This connector supports importing only the User data format. Using this data format, you can create, modify and delete users. See Import Data Format.

See the appendix SAP NetWeaver Library Workflows for details on the library workflows included in the IdM Suite.

Export Data Format

This connector export has these data formats:

• User - Exports user details such as user company details, user role and profile assignments, etc.
• Role - Exports available roles, and user associations for each role
• PersonalData - Exports personal data information of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria,
• GRC Role - Exports available GRC Roles.
• Value Lookup - Exports available values of the ValueLookupType selected
• OrganizationalAssignment - Exports the organizational assignment of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
• Communication - Exports communication information of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
• InternalControl - Exports the internal data of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
• Address - Exports address information of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
• Actions - Exports Actions-PA0000 and/or AdditionalActions-PA0302.
• HRCombined - Exports HR data in a combined format of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria. The combined information includes the organizational assignment, personal data, internal data, communication, and address information
• PDObjectTypes - Exports PD object types for all employees by specifying ObjectType, PlanningStatus, StartDate, EndDate, etc.

Sub records can be exported in a folded state as attributes. The attribute name is the same as the sub record name. Each sub attribute in a sub record is added as <name>=<value> format with ( ; ) as the delimiter. For the Role data format, MemberUser is the only multi-level attribute.

The following details are of the same role in the folded and non-folded states.

Folded

<entry changetype="add">

<USERNAME>JOHN THOMAS</USERNAME>

<ADDRESS.FIRSTNAME>John</ADDRESS.FIRSTNAME>

<ADDRESS.LASTNAME>Thomas</ADDRESS.LASTNAME>

<ACTIVITYGROUPS>AGR_NAME=SAP_J2EE_ADMIN;FROM_DAT=2010-08-25;TO_DAT=2011-06-25;AGR_TEXT=Administration User

for the SAP J2EE Engine</ACTIVITYGROUPS>

<ADDSMTP>STD_NO=X;E_MAIL=John.Thomas@fisc.com;HOME_FLAG=X</ADDSMTP>

</entry>

Non-Folded

<entry changetype="add">

<USERNAME>JOHN THOMAS</USERNAME>

<ADDRESS.FIRSTNAME>John</ADDRESS.FIRSTNAME>

<ADDRESS.LASTNAME>Thomas</ADDRESS.LASTNAME>

<ACTIVITYGROUPS>

<AGR_NAME>SAP_J2EE_ADMIN</AGR_NAME>

<FROM_DAT>2010-08-25</FROM_DAT>

<TO_DAT>2011-06-25</TO_DAT>

<AGR_TEXT>Administration User for the SAP J2EE Engine</AGR_TEXT>

</ACTIVITYGROUPS>

<ADDSMTP>

<STD_NO>X</STD_NO>

<E_MAIL>John.Thomas@fisc.com</E_MAIL>

<HOME_FLAG>X</HOME_FLAG>

</ADDSMTP>

</entry>

Import Data Format

This connector import has one data format - User. This can create, modify, and delete users. It can add, modify, and delete role and profile assignments of the user. When connected to a CUA system, it can add, modify, and delete role and profile assignments of the user in child systems. 

Sub records can be imported in a folded state as attributes. The data source configuration property SubRecordsInFoldedState must be set to accept sub records in a folded state.

When connected to a Non CUA system, the User data format can also add and remove entitlements (Roles, Profiles, Groups, and Attributes).

Entitlement Support

This connector supports static and dynamic entitlements in the form of Roles, Profiles, Groups or GRC Roles. Entitlements are configured from the Admin UI _ Server _ Resources. See the Resource Management chapter in the Identity Suite Administration Guide for details on resources.

To configure entitlements

1. On the Resource Detail page, under Entitlement Options, enter a Name and Value, and select the Type, for example:
   

 

To enable Roles, Profiles, Groups and or GRC Roles entitlement

1. From the Admin UI, click the Server tab, and then on the Function Menu, click Resources. The Resource View page displays:
   
   
   
2. Click Add to create the resource. The Resource Detail (Add New) page displays:
   
   

   See the chapter 'Administering Security' in the Identity Suite Administration Guide for a description of this page.
   
   

3. Enter a Name (e.g., SAP Entitlement), Display Name, Description, and select a Resource Type (Entitlement).
   
   Note: Before continuing, ensure that the Resource workflows are deployed.
   
   
4. Select a System associated with the resource by clicking the Select button. The Connected System View page displays:
   
   
   
5. Select SAP NetWeaver and then click the Select button or double-click the option button next to the connected system to select it. 
   
   
6. Under Resource Workflows, select the appropriate check box of the Transaction Type to assign a Resource workflow.
   
   
7. Click Add/Modify to select the deployed workflows associated with the connected system selected. The Deployed Workflow List page displays:
   
   

   Note: Clicking Add/Modify to select deployed workflows associated with the connected system only displays Resource workflows.

    

8. Select the desired workflow and then click Select or double-click the option button next to the desired workflow to select it. Repeat Step 6. and Step 7. to select the Remove Workflow.
   
   
9. If this resource is for account provisioning and deprovisioning, the Resource Type should be Account.
   
   
10. Under Entitlement Options, click Add. The Entitlement Search on SAP NetWeaver System page displays.
    
    
11. Select the Type (Roles, Profiles, Groups or GRC Roles).
    
    

    Roles

    For Type Roles, this page displays:
    
    

12. Select the Role Type (Single and/or Composite), enter search criteria (if desired), and then click Search. The Provisioning Entitlements View page displays the first 400 results:
    
    
    

    Profiles

    For Type Profiles, this page displays:
    
    

    
    

    Select the Profile Type (Single or Composite), enter search criteria (if desired), and then click Search. The Provisioning Entitlements View page displays the first 400 results:

    
    
    
    
    

    Groups

    For Type Groups, this page displays:

    
    
    

    Enter search criteria (if desired), and then click Search. The Provisioning Entitlements View page displays the first 400 results:

    
    
    

    GRC Roles

    For Type GRC Roles, this page displays:

    
13. Enter search criteria (if desired), and then click Search. The Provisioning Entitlements View page displays the first 400 results:
    
    
    
14. Select the desired entitlement(s) and then click the Select button.
    
    
15. For static entitlement, single-level and multi-level attributes can be specified. The single-level attribute is specified by using the (.) separator and the multi-level attribute is specified by using the (->) separator. For example, these settings include the single-level attribute REF_USER.REF_USER and the multi-level attribute PARAMETER→PARID:
    

     

    
16. To view entitlements that have been provisioned for existing users, From the Admin UI ► Users ► Search Users to Modify _ User Access View page, all entitlements associated for the user are listed.

 

Lookup Data

 

To filter data, use the Data Mapper rule Lookup Data

1. Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design The Configure Data Mapper window displays.
   
   
2. Select the Lookup Data rule under the Mapping Rule column, and then click the Source Value. The Configure Lookup window displays.
   
   
3. Select the SAP NetWeaver system from the Select System drop-down list:
   
   
   
4. In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.
   
   
5. Select the SAP Lookup Type from the drop-down list, for example, User.
   
   
6. Click the Selected Filter Build button, and then from the Set Filter window, generate the search filter, for example:
   
   See Set Filter  for a description of this window.
   
   
7. Click the Selected Fields Pick button to select the attributes to be fetched after a successful lookup. The Lookup Configuration dialog displays:
   

   
   
   

   1. Select the attribute(s) from the Selected Attributes list that require a date and/or time format and click the Format The Format Date window displays.

   2. Select the Include Time check box to use a date and time format. Select the required date/ time format for your target database.

8.  

   Click OK. The updated Configure Lookup window displays, for example:
   
   
   
9. Select the Exit as Mapper Task Failed on Lookup Failure check box to exit the task with Failed status on lookup failure. It will not process the succeeding entries and will ignore the already processed entries and will not return any data. This is selected by default.
   
   
10. Click OK.

SAP GRC Support

SAP connector supports SAP GRC (Governance, Risk, and Compliance) for user provisioning from Fischer IdM. If an SAP resource has at least one GRC role, account management for that resource is done using GRC processing. This is applicable when request/remove access feature in self-service is used or an account is Provisioned/de-Provisioned by policy engine. When GRC is used for user provisioning, user creation and GRC role assignment is done by GRC. USSP/Policy engine launch the resource workflows just to manage the account/entitlement association.

GRC processing is done by creating a GRC access request in SAP GRC. There are different types of requests in SAP GRC. Fischer IdM uses the request types New Account, Change Account and Lock Account. Once the request is created in SAP GRC, the approval process has to be completed in GRC. For that, the approver has to login to SAP GRC and approve, reject or cancel the request.

There can be one or more levels of approval based on the SAP GRC configuration. Fischer IdM proceeds with the further processing of request only after receiving the completed status of the request from SAP GRC.

When the user does not have an account in the SAP system and requests an account in that system, USSP engine will create an SAP GRC request of type New Account. Similarly if a user who does not have an account in the SAP system is qualified for a policy having resource for that system, Policy engine will create an SAP GRC request of type New Account.

If the user already has an account in the SAP system and requests an account to that system, it will create an SAP GRC request of type Change Account. If the user already has an account in the SAP system and requests/removes a GRC role entitlement to that system, it will create an SAP GRC request of type Change Account. Similarly if the user already has an account in the SAP system and qualified/disqualified for a policy having GRC role entitlement resource, it will create an SAP GRC request of type Change Account.

When an SAP account removal request is made from Self-Service or through policy engine, the type of the SAP GRC request generated is decided by the Provisioning Server Configuration property “SAP GRC Remove Role and Account Behavior”. If this property is set to “Role Removal and Account Lock by Workflow” no GRC request is created. If the property is set to “Role Removal by GRC and Account Lock by Workflow”, it will create an SAP GRC request of type Change Account. If the property is set to “Role Removal and Account Lock by GRC, it will create an SAP GRC request of type Lock Account.

SAP GRC Mapping

SAP GRC request is created using the data generated for the resource workflow. This data is in product attribute schema and will have the user details merged with the pre-process data for self- service request. For policy workflow, this will be the data given to the policy engine. So there is option to provide extra attributes when required. SAP GRC component will convert this data to the format in which the GRC web service is expecting. This is done with the help of SAP GRC mapping. This mapping can be configured at the Org level from product attributes page once the Provisioning Server Configuration property "Enable SAP GRC Mapping" is set to “True” for the Org. Following table shows the default mapping for these attributes.

 

There are three types of attributes in a SAP GRC request data. They are header data, user data and role data attributes. Currently the mapping is used only for user data attributes.

Role data attributes are populated using the entitlements. Other that that, the following attribute is supported to set role data.

 

 

 

Since header data is not user specific, we use the following predefined product attributes to build header data.

 

 

There are few attributes which are supported in SAP but not in GRC. Such attributes are handled by the resource workflows. The first entry is always used to manage account/entitlement association. So, USSP/Policy engine add extra entries to handle the attributes that are not supported by GRC.

SAP GRC Role Consolidation

When multiple resources having GRC roles are requested together, the default behavior is to create an SAP GRC request for each resource. SAP GRC Segregations of Duties (SoD) can be processed properly only when the GRC roles are requested in a single request. To allow this, there is a Provisioning Server Configuration property, "Enable SAP GRC Role Consolidation". When this property is true, if multiple resources are requested together, all GRC roles from these resources are consolidated and send as a single request to GRC. If there is approval for these resources, the consolidation happens after the approval process is completed. When there is approval, consolidation happens only for items fetched by approval engine in a single pick. So the consolidation may not happen properly if the approval process of different resources is completed in separate steps.

SAP GRC Polling

SAP GRC supports two options to notify the user provisioning status. First is the polling option in which the IdM server has to periodically call GRC to identify status changes of the request. Second is the callback option in which GRC will send a notification when provisioning process is completed. Fischer IdM is using the polling option since it is more

reliable. The polling period can be configured based on the requirement using the Provisioning Background Processes Configuration property “SAP GRC Request Status Polling Interval”.

Using the Global Identity Gateway with Connected Systems

Note: You must have already performed the steps described in Installing the SAP JCo dll and jar Files for the GIG.

See the appendix Using the Global Identity Gateway with Connected Systems.