This chapter provides an overview of the updates made to the software and documentation for release 9.1.2.6 of the SAP User Management connector.
The updates discussed in this chapter are divided into the following categories:
These include updates made to the connector software.
Documentation-Specific Updates
These include major changes made to the connector documentation. These changes are not related to software updates.
The following sections discuss software updates:
The following are issues resolved in release 9.1.2.6:
| Bug Number | Issue | Resolution |
|---|---|---|
|
13361517 |
The connector did not allow addition of roles with the same name for different systems. |
This issue has been resolved. |
|
12675870 |
Two attributes were marked with |
This issue has been resolved. Now, only one attribute is marked with |
|
14209711 |
The valid-through date was not updated correctly when the user was enabled and disabled. |
This issue has been resolved. |
The following are the software updates in release 9.1.2.5:
From this release onward, the connector can be configured to propagate user password changes from the SAP CUA parent system to the child systems. To enable propagation of password changes to the child systems, you must set the value of the Is Password Propagate To Child System entry in the configuration lookup definition to Yes. In addition, you must configure the target system for password propagation by installing custom BAPIs.
See Section 2.3.4, "Configuring the Target System" for more information about configuring the target system to enable the connector to propagate password changes from the SAP CUA parent system to its child systems.
The following table lists issues resolved in release 9.1.2.5:
| Bug Number | Issue | Resolution |
|---|---|---|
|
12586222 |
When running the SAP User Management Lookup Recon scheduled task against a set of different IT resources, the lookup definitions are populated. However, the values in the Code columns did not reflect the correct IT resource keys. |
This issue has been resolved. The values in the Code columns reflect the correct IT resource keys. The ITResource APIs are used for this purpose. |
|
10627537 |
During a reconciliation operation, two reconciliation events were generated for every SAP account. |
This issue has been resolved. Instead of generating separate reconciliation events for the account lock status, the connector generates status in a single reconciliation event. |
The following table lists issues resolved in release 9.1.2.4:
| Bug Number | Issue | Resolution |
|---|---|---|
|
9475592 and 10408848 |
After the Disable User provisioning operation was performed, the value of the Valid Through field in Oracle Identity Manager did not match the value of the corresponding attribute in the target system. In addition, the Valid Through Updated task failed. |
This issue has been resolved. After the Disable User provisioning operation, to ensure that the values of the Valid Through fields in the target system and Oracle Identity Manager match, the connector performs one of the following steps:
|
|
10373020 |
Suppose you assign more than one instance of a role with different Start Date and End Date values to a user account. If you reconciled the user account, then only the role instance with the latest date as the Start Date value was reconciled. |
This issue has been resolved. The connector reconciles all instances of a role assigned to the user. Reconcile future dated roles and Reconcile past dated roles entries have been added in the Lookup.SAP.UM.Configuration lookup definition. You use these entries to specify whether you want reconcile future-date or past-dated roles. See Section 2.3.5.3, "Setting Values in the Lookup.SAP.UM.Configuration Lookup Definition" for more information about these entries. |
|
11070597 |
The connector did not log BAPI attributes. |
This issue has been resolved. The connector now logs BAPI attributes. |
The following are the software updates in release 9.1.2.2:
From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.
See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.
From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).
See Section 3.7.4, "Request-Based Provisioning in an SoD-Enabled Environment" for more information.
The following are the software updates in release 9.1.2:
Changes in the Certified Oracle Identity Manager and Target System Releases
Support for Integration with SAP GRC Compliant User Provisioning
Reconciliation and Provisioning of Custom Multivalued Attributes
Support for Configuring Transformation of Data During Lookup Field Synchronization
Section 1.1, "Certified Components" lists the Oracle Identity Manager and target system releases certified from this release onward.
In an SAP environment, you can set up SAP GRC Compliant User Provisioning as the front end for receiving account creation and modification provisioning requests. From this release onward, the connector can be used to integrate Oracle Identity Manager with SAP GRC Compliant User Provisioning. In this deployment configuration, Oracle Identity Manager acts as the medium for sending provisioning requests to Compliant User Provisioning.
From this release onward, the connector allows you to add custom multivalued attributes that you create on the target system for reconciliation and provisioning with Oracle Identity Manager. See the following sections for information about the procedure:
Section 4.3, "Adding New Standard and Custom Multivalued Attributes for Reconciliation"
Section 4.8, "Adding Custom Multivalued Attributes for Provisioning"
In this release, the Dependent Lookup Fields feature is disabled by default. You can enable this feature after you deploy the Oracle Identity Manager release 9.1.0.2 bundle patch that addresses Bug 9181280. See Section 4.14.1, "Enabling the Dependent Lookup Fields Feature" for more information.
From this release onward, you can configure transformation of lookup field data synchronized from the target system. Section 1.5.17, "Transformation of Lookup Field Data" provides a pointer to additional information about this feature.
The following are software updates in release 9.1.1:
Support for Mapping Standard and Custom Attributes for Reconciliation and Provisioning
Support for Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations
Support for Configuring Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts
Support for Specifying the Use of a Logon Group on the Target System for Connector Operations
From this release onward, this connector replaces release 9.1.0 of both the SAP User Management and SAP CUA connectors.
See Section 1.5.1, "Support for Both SAP R/3 and SAP CUA" for more information.
The connector has been certified on Oracle Identity Manager release 9.1.0.2 BP02 and later. This change is mentioned in Section 1.1, "Certified Components".
In earlier releases, custom BAPIs were provided for reconciliation and provisioning with the target system. You deployed these BAPIs on the target system as part of the connector deployment procedure. From this release onward, only standard BAPIs are used during reconciliation and provisioning.
The default set of attribute mappings for reconciliation and provisioning has been enhanced. See the following sections for a full listing of the attribute mappings:
In Section 1.8.1, "User Provisioning Functions", the following provisioning functions have been added:
Enable a user account
Disable a user account
Link a user account
Update the start date or end date of a role
Update a custom attribute added on the target system
When you log in to SAP by using a newly created account, you are prompted to change your password at first logon. This behavior can be configured for target system accounts created through Oracle Identity Manager. In addition, the connector can be configured so that it is not mandatory to specify passwords for new accounts.
See Section 1.5.12, "Configuring Password Changes for Newly Created Accounts" for more information.
From this release onward, you can create mappings for attributes that are not included in the list of default attribute mappings. These attributes can be part of the standard set of attributes provided by the target system or custom attributes that you add on the target system.
See Chapter 4, "Extending the Functionality of the Connector" for more information.
From this release onward, you can specify a list of accounts that must be excluded from all reconciliation and provisioning operations.
See Section 2.3.10, "Setting Up the Lookup.SAP.UM.ExclusionList Lookup Definition" for more information.
From this release onward, you can configure the manner in which an SAP R/3 or SAP CUA account is linked with an SAP HRMS account. When enabled, the linking process is automatically triggered during the Create User provisioning operation. If a matching SAP HRMS account cannot be found the first time, then you can manually trigger the linking process after the SAP HRMS account is created.
See Section 1.5.9, "Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts" for more information.
The connector uses the SAP JCo for reconciliation and provisioning operations. The JCo trace level is a numeric specification of the level of trace data that must be logged when the SAP JCo is used. From this release onward, you can specify the trace level as a parameter of the IT resource.
See Table 2-12, "Parameters of the IT Resource" for more information.
In SAP, a logon group is used as a load-sharing mechanism. When a user logs in to a logon group, the system internally routes the connection request to the logon group member with the least load. From this release onward, you can configure the connector to use a logon group for logging in to the target system for reconciliation and provisioning operations.
See Section 2.3.16.1, "Parameters for Enabling the Use of a Logon Group" for more information.
Valid From and Valid Through are two user attributes on the target system. For a particular user in SAP, if the Valid Through date is less than the current date, then the account is in the Disabled state. Otherwise, the account is in the Enabled state. From this release onward, the same behavior is duplicated in Oracle Identity Manager.
See Section 1.5.8, "Enabling and Disabling Accounts" for more information.
The connector supports the connection pooling feature introduced in Oracle Identity Manager release 9.1.0.2. In earlier releases, a connection with the target system was established at the start of a reconciliation run and closed at the end of the reconciliation run. With the introduction of connection pooling, multiple connections are established by Oracle Identity Manager and held in reserve for use by the connector.
See Section 1.5.14, "Connection Pooling" for more information.
The testing utility is not included in this release of the connector.
This is the first release of the Oracle Identity Manager Connector for SAP User Management. The following are software updates in release 9.1.0:
From this release onward, the connector supports the Segregation of Duties (SoD) feature introduced in Oracle Identity Manager release 9.1.0.2. Requests for SAP role and profile entitlements can be validated with SAP GRC. Entitlements are provisioned into SAP ERP only if the request passes the SoD validation process. This preventive simulation approach helps identify and correct potentially conflicting assignment of entitlements to a user, before the requested entitlements are granted to users.
See Section 1.5.3, "SoD Validation of Entitlement Requests" for more information.
In earlier releases, if you had multiple installations of the target system, then entries in a lookup definition were not linked with the target system installation from which the entries were copied. During a provisioning operation, you could not select lookup field values that were specific to the target system installation on which the provisioning operation was to be performed.
From this release onward, entries in lookup definitions are linked to the target system installation from which they are copied. See Section 1.6, "Lookup Definitions Used During Connector Operations" for more information.
From this release onward:
The required SAP JCo version is 3.0.
The minimum certified release of Oracle Identity Manager is release 9.1.0.2.
AIX is one of the certified operating systems for the host computer on which Oracle Identity Manager is installed.
See Section 1.1, "Certified Components" for the complete listing of certified components. See the following Oracle Technology Network page for information about certified components of Oracle Identity Manager:
http://www.oracle.com/technology/software/products/ias/files/idm_certification_101401.html
Note:
The title of that section has been changed from "Certified Deployment Configurations" to "Certified Components."
The reconciliation rules have been modified. See Section 1.7.2, "Reconciliation Rules" for more information.
From this release onward, the trusted source reconciliation mode of the connector has been deprecated. All features related to this mode of the connector will be removed in a future release.
The following sections discuss documentation-specific updates:
The following are documentation-specific updates in revision "16" of release 9.1.2.6:
The "Oracle Identity Manager" row of Section 1.1, "Certified Components" has been modified.
Section 1.2, "Usage Recommendation" has been added.
The following are documentation-specific updates in revision "15" of release 9.1.2.6:
The "Oracle Identity Manager" row in Table 1-1, "Certified Components" has been modified.
A note has been added in the following rows of Table 2-1, "Files and Directories On the Installation Media":
Files in the Datasets directory
xml/SAP-UserMgmt-RequestApproval-ConnectorConfig.xml
xml/SAP-UserMgmt-CUP-RequestApproval-ConnectorConfig.xml
The following sections have been added:
Instructions specific to Oracle Identity Manager release 11.1.2.x have been added in the following sections:
The following are documentation-specific update in release 9.1.2.5:
In Chapter 4, "Extending the Functionality of the Connector," Table 4-1 the comments on creating a copy for the Resource Object, Process Definition, and Process Form connector objects have been updated.
In Chapter 5, "Known Issues," bug 13429841 has been added.
The following are the documentation-specific updates in this release:
In Chapter 5, "Known Issues," the issue tracked by bug 10361925 has been added.
Section 2.1.2.1, "Creating a Target System User Account for Connector Operations," has been modified.
Section 2.3.12, "Copying the SAPCUP.jar File for User Provisioning" has been added.
In Section 2.3.13.5, "Setting Up the Link with the Web Services for SAP Compliant User Provisioning," the note has been modified.
There are no documentation-specific updates in this release.
Minor changes have been made in the structure and location of some sections.
The following documentation-specific updates have been made in release 9.1.1:
The "Configuring the Connector for Multiple Trusted Source Reconciliation" section has been removed from Chapter 4, "Extending the Functionality of the Connector". The connector does not support this feature.
The list of standard BAPIs used during connector operations has been added in Appendix A.
This is the first release of the Oracle Identity Manager Connector for SAP User Management. Major changes have been made in the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usability of information provided by the guide.
See Section 1.9, "Roadmap for Deploying and Using the Connector" for information about the organization of content in this guide.