Sun Identity Manager 8.1 Resources Reference

Usage Notes

This section provides information related to using the SAP resource adapter, which is organized into the following sections:

General Notes

The following general notes are provided for the resource:

Enabling Secure Network Communications (SNC) Connections

By default, the SAP adapter uses the SAP Java Connector (JCo) to communicate with the SAP system. For information about implementing SNC connections, see Chapter 54, Enabling Secure Network Communications (SNC) Connections.

SAP JCO and RFC Tracing

The SAPResourceAdapter and the SAPHRActiveSyncAdapter provide resource attributes for SAP JCO and RFC tracing. They can be used to trace Identity Manager’s communication with the SAP system. The attributes are JCO Trace Level and JCO Trace Directory.

The following environment variables enable SAP RFC tracing. They must be set in the environment before the application server is started, because they control the shared library that JCo uses to communicate with the SAP system.

Note –

If no JCO tracing is desired, set RFC_TRACE to 0 to ensure that no trace files are created.

Changing Productive Passwords in a CUA Environment

SAP treats a password as a secret shared between the account and the system on which the account resides. In a CUA landscape, this means that every CUA client maintains its own copy of a user's password. The standard password change methods in a CUA landscape do not let you set a productive password on a client system. (A productive password is one that has not expired and does not have to be changed at the next logon.) They do let you set an initial password for the user on all systems in the landscape, the clients as well as the central system.

The function module that changes a password must be executable remotely. In a CUA landscape, you must set the SCUM setting for the initial password to 'global' or 'everywhere'. Otherwise, the CUA central system cannot reset passwords on the clients, which causes password changes to fail under certain circumstances. The adapter lets you set a productive password in a CUA landscape on every system on which the user exists. This is possible only by changing the password on each system separately. To enable this feature, you must install a special Function Module on the CUA central system; it is executed for all client systems. The module is provided in source form in InstallDir\idm\sample\other and must be installed on the SAP central system. The name of the Function Module must be set in the “CUA Child Password Change Function Module” resource attribute.

When a password is changed in a CUA landscape and the module is used, a single password change can produce multiple failures: one for each client and one for the central system. Each system keeps its own password policies, so a password that complies with the rules on one system can cause a policy failure on another. A failure on one system does not mean that the password will not be changed on the other systems. This accords with how SAP defines and works with passwords in a CUA landscape.

When CUA is configured on the adapter but the module is not installed on the central system, or the attribute is not configured on the adapter, productive password changes are applied to the central system only. Setting initial passwords or performing a password reset (in other words, changing passwords that have expired) is not affected by this configuration.
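The per-system outcomes described above can be seen in a small simulation. This is an added example, not Identity Manager or SAP code: SapSystem, the sample landscape, its password policies and its user lists are all constructed so that the three cases (productive change with the child module, productive change without it, initial password or reset) can be run side by side.

```python
"""Simulation of productive-password changes in a CUA landscape.

Added example, not Identity Manager or SAP code: SapSystem, the sample
landscape, its password policies and the user lists are all constructed
to illustrate the per-system outcomes described in the text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class SapSystem:
    name: str
    central: bool
    users: Set[str]
    # Constructed policy knobs: every system in a CUA landscape keeps its own rules.
    min_length: int = 6
    require_digit: bool = False

    def policy_violation(self, password: str) -> Optional[str]:
        """Return None when the password complies with this system's policy."""
        if len(password) < self.min_length:
            return f"shorter than {self.min_length} characters"
        if self.require_digit and not re.search(r"\d", password):
            return "contains no digit"
        return None


def change_password(landscape: List[SapSystem], user: str, password: str,
                    productive: bool, child_module_installed: bool) -> Dict[str, str]:
    """Return {system name: outcome} for one password change.

    Productive change, child module installed: the change is attempted on every
    system where the user exists, each system applies its own policy, and a
    failure on one system does not prevent the change on the others.
    Productive change, module absent (or attribute not configured): the change
    reaches the central system only.
    Initial password or reset (not productive): central system only; CUA then
    distributes it to the clients, which this simulation does not model.
    """
    if productive and child_module_installed:
        targets = [s for s in landscape if user in s.users]
    else:
        targets = [s for s in landscape if s.central and user in s.users]
    outcomes: Dict[str, str] = {}
    for system in targets:
        violation = system.policy_violation(password)
        outcomes[system.name] = "changed" if violation is None else f"failed: {violation}"
    return outcomes


def sample_landscape() -> List[SapSystem]:
    """Constructed three-system landscape with differing policies."""
    return [
        SapSystem("CENTRAL", central=True, users={"JDOE", "ASMITH"}),
        SapSystem("CLIENT1", central=False, users={"JDOE"}, min_length=8, require_digit=True),
        SapSystem("CLIENT2", central=False, users={"ASMITH"}),
    ]


if __name__ == "__main__":
    outcomes = change_password(sample_landscape(), "JDOE", "secret1",
                               productive=True, child_module_installed=True)
    for system, outcome in outcomes.items():
        print(f"{system}: {outcome}")
```

Running the block shows CENTRAL accepting the password while CLIENT1 rejects it under its stricter policy; the central change still goes through, which is the independent-per-system behaviour the text describes.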

Renaming Accounts

The SAP adapter now supports renaming accounts, except when CUA mode is enabled on the adapter. The adapter performs this function by copying an existing account to a new account and deleting the original. SAP discourages renaming accounts, but provides the option in the user management application (Transaction SU01 from the SAP GUI). Therefore, Identity Manager also supports the option. Be aware that SAP may not support the rename feature in future releases.

The SAP GUI uses a different method to perform the rename because it has access to non-public APIs and to the SAP kernel. The following steps provide a high-level description of how the adapter performs the rename operation:

How the SAP Adapter Performs the Rename Operation

  1. Get the user information for the existing user.

  2. Save the ALIAS attribute, if one exists.

  3. Create the new user.

  4. Set the Activity Groups on the new user.

  5. Set the Profiles on the new user.

  6. Get the old user’s Personalization Data.

  7. Set the new user’s Personalization Data.

  8. Delete the old user.

  9. Set the Alias on the new user if one was set on the old user.

    If an error occurs during steps 1-3, the operation fails immediately. If an error occurs during steps 4-7, the new user is deleted and the whole operation fails. (If the new user cannot be deleted, a warning is placed into the WavesetResult). If an error occurs during steps 8-9, a warning is added to the WavesetResult, but the operation succeeds.

    The Rename operation requires that a new password be set on the new user. This is most easily accomplished by customizing the Rename User Task to invoke the Change User Password Task.
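The three failure regions of the rename sequence (steps 1-3 fail outright, steps 4-7 roll back the new user, steps 8-9 only warn) are easiest to see with failure injection. The following is an added example, not Identity Manager or SAP code: FakeSap, its method names, RenameResult (a stand-in for the WavesetResult) and the fail_at hook are constructed for this illustration; the real adapter performs these steps against SAP through JCo.

```python
"""Simulation of the adapter's nine-step rename sequence and its failure handling.

Added example, not Identity Manager or SAP code. FakeSap, its method names,
RenameResult (a stand-in for the WavesetResult) and the fail_at hook are
constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class SapError(Exception):
    """Raised by FakeSap when an injected failure hits a step."""


class FakeSap:
    """In-memory stand-in for one SAP system; fail_at lists step numbers to fail."""

    def __init__(self, users: Dict[str, dict], fail_at: Optional[Set[int]] = None):
        self.users = users
        self.fail_at = set(fail_at or ())

    def _step(self, n: int) -> None:
        if n in self.fail_at:
            raise SapError(f"step {n} failed (injected)")

    def get_user(self, name: str) -> dict:
        self._step(1)
        return dict(self.users[name])

    def create_user(self, name: str) -> None:
        self._step(3)
        self.users[name] = {"ALIAS": None, "ACTIVITYGROUPS": [], "PROFILES": [], "PERSONALIZATION": {}}

    def set_activity_groups(self, name: str, groups: List[str]) -> None:
        self._step(4)
        self.users[name]["ACTIVITYGROUPS"] = list(groups)

    def set_profiles(self, name: str, profiles: List[str]) -> None:
        self._step(5)
        self.users[name]["PROFILES"] = list(profiles)

    def get_personalization(self, name: str) -> dict:
        self._step(6)
        return dict(self.users[name]["PERSONALIZATION"])

    def set_personalization(self, name: str, data: dict) -> None:
        self._step(7)
        self.users[name]["PERSONALIZATION"] = data

    def delete_user(self, name: str) -> None:
        self._step(8)  # an injected step-8 failure also hits the cleanup delete below
        del self.users[name]

    def set_alias(self, name: str, alias: str) -> None:
        self._step(9)
        self.users[name]["ALIAS"] = alias


@dataclass
class RenameResult:
    """Stand-in for the WavesetResult: overall outcome plus errors and warnings."""
    ok: bool = True
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def rename_user(sap: FakeSap, old: str, new: str) -> RenameResult:
    result = RenameResult()
    # Steps 1-3: any error fails the operation immediately; nothing to undo.
    try:
        info = sap.get_user(old)                                   # 1
        alias = info.get("ALIAS")                                  # 2 (no SAP call)
        sap.create_user(new)                                       # 3
    except SapError as exc:
        result.ok = False
        result.errors.append(str(exc))
        return result
    # Steps 4-7: on error the new user is deleted and the operation fails;
    # if that cleanup fails too, it is only a warning.
    try:
        sap.set_activity_groups(new, info["ACTIVITYGROUPS"])       # 4
        sap.set_profiles(new, info["PROFILES"])                    # 5
        personalization = sap.get_personalization(old)             # 6
        sap.set_personalization(new, personalization)              # 7
    except SapError as exc:
        result.ok = False
        result.errors.append(str(exc))
        try:
            sap.delete_user(new)
        except SapError as cleanup_exc:
            result.warnings.append(f"could not delete {new}: {cleanup_exc}")
        return result
    # Steps 8-9: errors become warnings; the operation still succeeds.
    try:
        sap.delete_user(old)                                       # 8
    except SapError as exc:
        result.warnings.append(str(exc))
    if alias:
        try:
            sap.set_alias(new, alias)                              # 9
        except SapError as exc:
            result.warnings.append(str(exc))
    return result


def sample_sap(fail_at: Optional[Set[int]] = None) -> FakeSap:
    """Constructed system holding one user with an alias, activity groups and profiles."""
    return FakeSap({"JDOE": {"ALIAS": "JOHND", "ACTIVITYGROUPS": ["Z_HR_CLERK"],
                             "PROFILES": ["Z_BASIC"], "PERSONALIZATION": {"LANGU": "EN"}}}, fail_at)


if __name__ == "__main__":
    for injected in (set(), {3}, {5}, {5, 8}, {9}):
        sap = sample_sap(injected)
        res = rename_user(sap, "JDOE", "JDOE2")
        print(f"fail_at={sorted(injected)}: ok={res.ok} users={sorted(sap.users)} "
              f"errors={res.errors} warnings={res.warnings}")
```

The run with fail_at={5, 8} is the case to watch: the operation fails, the half-built new account remains because the cleanup delete also failed, and the only trace of that is the warning in the result, which is why the result should be inspected rather than just the success flag.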

Global Trade Services (GTS) Support

To enable SAP Global Trade Services support on the SAP adapter, activate the appropriate roles listed in the Role Name column of the following table. SAP generates the roles listed in the Generated Role column. You must assign the generated roles to the appropriate user profiles in SAP GTS.

Role Label                          Role Name    Generated Role

Customs Processing Specialist

Preference Processing Specialist

Restitution Specialist

Legal Control Specialist

Additional Table Support

The SAP adapter can provision to any SAP table called by BAPI_USER_CREATE1 and BAPI_USER_CHANGE, most notably the GROUPS and PARAMETER tables. To enable this feature for any table other than GROUPS, you must add a Resource User Attribute to the schema map in the format SAP_Table_Name->Table. (For example, PARAMETER->Table.) The attribute must be assigned the complex data type.

The adapter provides an account attribute named GROUPS->USERGROUP that processes data from the GROUPS table. By default, this attribute is of type string; when it is, the adapter processes the values as a list of strings. If you want the adapter to process data from the GROUPS table in the same way as the other tables, change the attribute's data type to complex.

The $WSHOME/web/sample/forms/SAPUserForm.xml file contains an example user form that illustrates how the GROUPS table is managed using both a string account attribute type and a complex attribute type.