Skip Headers
Oracle® Identity Manager Connector Guide for SAP User Management
Release 9.0.4

E10444-11
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with SAP User Management.

Note:

Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.

This chapter contains the following sections:

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, SAP User Management has been referred to as the target system.

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item Requirement

Oracle Identity Manager

Oracle Identity Manager release 9.1.0.1 and any later BP in this release track

Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector supports.

Note: From release 9.0.4.5 onwards, the connector supports SAP JCo 3.0 which supports JDK 1.5 or later. Therefore, you must verify that the Oracle Identity Manager and application server combination that you use support JDK 1.5.

See the following Oracle Technology Network page for information about certified configurations of Oracle Identity Manager:

http://www.oracle.com/technology/software/products/ias/files/idm_certification_101401.html

Target systems

The target system can be any one of the following:

  • SAP R/3 4.6C (running on Basis 4.6C)

  • SAP R/3 4.7 (running on WAS 6.20)

  • mySAP ERP 2004 ECC 5.0 (running on WAS 6.40)

  • mySAP ERP 2005 ECC 6.0 (running on WAS 7.00)

Note: From version 6.40 onward, SAP WAS is also known as "SAP NetWeaver."

External code

The following SAP custom code files:

sapjco3.jar version 3.0

Additional file for Microsoft Windows:

sapjco3.dll version: 3.0

Additional file for Solaris and Linux:

libsapjco3.so version: 3.0

Target system user account

Oracle Identity Manager uses this user account to connect to and communicate with the target system.

For minimum authorization, create a user account and assign the S_CUS_CMP profile, P_ALL profile, and SAP_BC_USER_ADMIN role to it. The User type must be set to Communication. This is the default setting for user accounts.

If you are not able to find the profiles or role for minimum authorization, then you need to create a user account and assign it to the SAP_ALL and SAP_NEW groups. These are used for full authorization.

You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide.

If this target system user account is not assigned the specified rights, then the following error message may be displayed during connector operations:

SAP Connection JCO Exception: User TEST_USER has no RFC authorization for function group SYST

JDK

JDK 1.4.2


1.2 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

1.3 Reconciliation Module

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about reconciliation configurations

This section discusses the elements that are extracted from the target system by the reconciliation module for constructing reconciliation event records. The following are features of the reconciliation module:

Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:

1.3.1 Lookup Data Reconciliation

The following lookup fields are reconciled:

  • Lookup.SAP.R3.Roles

  • Lookup.SAP.R3.TimeZone

  • Lookup.SAP.R3.LangComm

  • Lookup.SAP.R3.UserTitle

  • Lookup.SAP.R3.DecimalNotation

  • Lookup.SAP.R3.DateFormat

  • Lookup.SAP.R3.UserGroups

  • Lookup.SAP.R3.CommType

  • Lookup.SAP.R3.Profiles

The following lookup fields are not reconciled:

  • Lookup.SAP.R3.UserType

  • Lookup.SAP.LockUnlock

  • Lookup.SAP.R3.FieldNames

  • Lookup.SAP.R3.FieldNamesX

  • Lookup.SAP.R3.BAPIKeys

  • Lookup.SAP.R3.BAPIXKeys

1.3.2 User Reconciliation

User reconciliation can be divided into the following:

1.3.2.1 Reconciled SAP User Management Resource Object Fields

The following fields are reconciled:

  • Extension

  • Telephone

  • Time Zone

  • Lang Logon

  • User Group

  • Department

  • Lang Comm

  • Last Name

  • First Name

  • User Title

  • User ID

  • Start Menu

  • User Type

  • Alias

  • Lock User

  • Communication Type

  • Code

  • Building

  • Floor

  • Room No

  • Function

  • Decimal Notation

  • Date Format

  • Email Address

  • Fax

  • User Profile

  • User Role

1.3.2.2 Reconciled Xellerate User (OIM User) Fields

If trusted source reconciliation is implemented, then the following fields are reconciled:

  • User ID

  • FirstName

  • LastName

  • Organization

  • Email

  • Employee Type

  • User Type

1.4 Provisioning Module

Provisioning involves creating or modifying a user's account on the target system through Oracle Identity Manager. You use the Oracle Identity Manager Administrative and User Console to perform provisioning operations.

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about provisioning

For this target system, the following fields are provisioned:

1.5 Supported Functionality

The following table lists the functions that are available with this connector.

Function Type Description

Create User

Provisioning

Creates a user in SAP User Management

Update User

Provisioning

Updates a user in SAP User Management

Delete User

Provisioning

Deletes a user from SAP User Management

Lock User

Provisioning

Locks a user in SAP User Management

UnLock User

Provisioning

Unlocks a user in SAP User Management

Add User Role

Provisioning

Adds a role to a user in SAP User Management

Add User Profile

Provisioning

Adds a profile to a user in SAP User Management

Remove User Role

Provisioning

Removes the role of a user in SAP User Management

Remove User Profile

Provisioning

Removes the profile of a user in SAP User Management

List Roles of User

Provisioning

Lists the roles of a user in SAP User Management

List Profiles of User

Provisioning

Lists the profiles of a user in SAP User Management

List All Roles

Provisioning

Lists all the roles present in SAP User Management

List All Profiles

Provisioning

Lists all the profiles present in SAP User Management

Reconciliation Insert Received

Reconciliation

Creates a user in Oracle Identity Manager if a user is created in SAP User Management

Reconciliation Update Received

Reconciliation

Updates a user in Oracle Identity Manager if a user is updated in SAP User Management

Reconciliation Delete Received

Reconciliation

Deletes a user from Oracle Identity Manager if a user is deleted from SAP User Management


See Also:

Appendix A for information about attribute mappings between Oracle Identity Manager and SAP User Management.

1.6 Multilanguage Support

This release of the connector supports the following languages:

See Also:

Oracle Identity Manager Globalization Guide for information about supported special characters

1.7 Files and Directories on the Installation Media

The files and directories on the installation media are listed and described in Table 1-2.

Table 1-2 Files and Directories on the Installation Media

File in the Installation Media Directory Description
Configuration/SAPBIW-CI.xml
Configuration/SAPCRM-CI.xml
Configuration/SAPR3-CI.xml

This connector supports the following target systems:

  • SAP BIW

  • SAP CRM

  • SAP R/3

These XML files contain configuration information that is used during connector installation.

BAPI/xlsapcar.sar

This file contains information for configuring the SAP system so that the connector is able to access the APIs on the target system.

lib/SAPAdapter.jar

This JAR file contains the class files that are required for provisioning. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/JavaTasks
lib/SAPAdapterRecon.jar

This JAR file contains the class files that are required for reconciliation. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/ScheduleTask

Files in the resources directory

Each of these resource bundle files contains language-specific information that is used by the connector. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/connectorResources

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.

test/troubleshoot/troubleShootingUtility.class

This utility is used to test connector functionality.

test/troubleshoot/global.properties

This file is used to specify the parameters and settings required to connect to the target system by using the testing utility.

test/troubleshoot/log.properties

This file is used to specify the log level and the directory in which the log file is to be created when you run the testing utility.

xml/SAPBIWResourceObject.xml

This file contains definitions for the following components of the SAP BIW connector:

  • IT resource definition

  • SAP User form

  • Lookup definitions

  • Connectors

  • Resource object

  • Reconciliation scheduled tasks

xml/SAPBIWXLResourceObject.xml

This XML file contains the configuration for the Xellerate User (OIM User). You must import this file only if you plan to use the connector in trusted source reconciliation mode.

xml/SAPCRMResourceObject.xml

This file contains definitions for the following components of the SAP CRM connector:

  • IT resource definition

  • SAP User form

  • Lookup definitions

  • Connectors

  • Resource object

  • Process definition

  • Reconciliation scheduled tasks

xml/SAPCRMXLResourceObject.xml

This file is used only if the connector is configured as a trusted source. The SAPCRMXLResourceObject.xml file contains only the Oracle Identity Manager resource objects and dependent values.

xml/SAPR3ResourceObject.xml

This XML file contains definitions for the following components of the connector:

  • IT resource definition

  • SAP User form

  • Lookup definitions

  • Adapters

  • Resource object

  • Process definition

  • Reconciliation scheduled tasks

xml/SAPR3XLResourceObject.xml

This XML file contains the configuration for the Xellerate User (OIM User). You must import this file only if you plan to use the connector in trusted source reconciliation mode.


Note:

The files in the troubleshoot directory are used only to run tests on the connector.

1.8 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

  1. In a temporary directory, extract the contents of the following JAR file:

    OIM_HOME/xellerate/JavaTasks/SAPAdapter.jar
    
  2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the SAPAdapter.jar file.

    In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.