Sun[TM] Identity Manager 8.0 Resources Reference 


Access Enforcer

The SAP Governance, Risk, and Compliance (GRC) Access Enforcer resource adapter is defined in the com.waveset.adapter.AccessEnforcerResourceAdapter class. This class extends the SAPResourceAdapter class.

Resource Configuration Notes

The Access Enforcer autoprovision setting must be set to "true" for the adapter to operate correctly.

Identity Manager Installation Notes

The Access Enforcer resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

  1. Download the JCo (Java Connector) toolkit from the following URL:
     http://service.sap.com/connectors

     Access to the SAP JCo download pages requires a login and password. The toolkit will have a name similar to sapjco-ntintel-2.1.8.zip; the name varies depending on the platform and version selected.

     Note

     Make sure that the JCo toolkit you download matches the bit version of Java that your application server runs on. For example, JCo is available only in a 64-bit version on the Solaris x86 platform. Therefore, your application server must be running the 64-bit version of Java on the Solaris x86 platform.

  2. Unzip the toolkit and follow the installation instructions. Be sure to place the library files in the correct location and to set the environment variables as directed.
  3. Copy the sapjco.jar file to the InstallDir\WEB-INF\lib directory.
  4. Download the Apache Axis SOAP toolkit from the following URL:
     http://www.apache.org/dyn/closer.cgi/ws/axis/1_4/
  5. Unzip the toolkit and follow the installation instructions.
  6. Copy the following files to the InstallDir\WEB-INF\lib directory:
     • axis.jar
     • commons-discovery-0.2.jar
     • commons-logging-1.0.4.jar
     • jaxrpc.jar
     • log4j-1.2.8.jar
     • saaj.jar
     • wsdl4j-1.5.1.jar

     Note

     Other versions of the commons-discovery, commons-logging, log4j, and wsdl4j JAR files may be used instead.

  7. To add an Access Enforcer resource to the Identity Manager resources list, add the following value in the Custom Resources section of the Configure Managed Resources page:
     com.waveset.adapter.AccessEnforcerResourceAdapter
  8. Import $WSHOME/sample/accessenforcer.xml to enable support for Access Enforcer.
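A check worth running once the JAR files are in place, written for this reference as an added example (it is not part of Identity Manager, JCo or Axis): it scans InstallDir/WEB-INF/lib for the JARs listed in the steps above and accepts any version of the four JARs that the note says may be substituted. The InstallDir path, the file-name patterns and the constructed demo layout are this example's own assumptions.

```python
import re
import tempfile
from pathlib import Path

# JARs the steps above require in InstallDir/WEB-INF/lib. For the four JARs
# the note allows to be swapped for other versions, any version number matches.
# (Patterns are this example's own, not from the product.)
REQUIRED_JARS = {
    "sapjco.jar": re.compile(r"^sapjco\.jar$"),
    "axis.jar": re.compile(r"^axis\.jar$"),
    "jaxrpc.jar": re.compile(r"^jaxrpc\.jar$"),
    "saaj.jar": re.compile(r"^saaj\.jar$"),
    "commons-discovery": re.compile(r"^commons-discovery-[\d.]+\.jar$"),
    "commons-logging": re.compile(r"^commons-logging-[\d.]+\.jar$"),
    "log4j": re.compile(r"^log4j-[\d.]+\.jar$"),
    "wsdl4j": re.compile(r"^wsdl4j-[\d.]+\.jar$"),
}


def check_lib_dir(install_dir):
    """Report which required JARs are present in InstallDir/WEB-INF/lib."""
    lib = Path(install_dir) / "WEB-INF" / "lib"
    if not lib.is_dir():
        return {"lib_dir": str(lib), "found": {}, "missing": sorted(REQUIRED_JARS)}
    names = [p.name for p in lib.iterdir() if p.is_file()]
    found = {}
    for key, pattern in REQUIRED_JARS.items():
        matches = sorted(n for n in names if pattern.match(n))
        if matches:
            found[key] = matches  # two versions of one JAR is worth a look
    missing = sorted(k for k in REQUIRED_JARS if k not in found)
    return {"lib_dir": str(lib), "found": found, "missing": missing}


def make_demo_install(root):
    """Constructed sample layout (not a real install): everything present
    except saaj.jar and log4j, with commons-logging at a different version."""
    lib = Path(root) / "WEB-INF" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    for name in ["sapjco.jar", "axis.jar", "commons-discovery-0.2.jar",
                 "commons-logging-1.1.1.jar", "jaxrpc.jar", "wsdl4j-1.5.1.jar"]:
        (lib / name).write_bytes(b"")
    return root


def demo_report():
    """Build the constructed layout in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_install(tmp)
        return check_lib_dir(tmp)


if __name__ == "__main__":
    report = demo_report()
    print("lib dir:", report["lib_dir"])
    for key, names in report["found"].items():
        print("found  :", key, "->", ", ".join(names))
    for key in report["missing"]:
        print("MISSING:", key)
```

Point check_lib_dir at the real InstallDir to use it; the demo layout only exists so the script runs offline.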

Usage Notes

This section provides information related to using the Access Enforcer resource adapter, which is organized into the following sections:

Asynchronous Provisioning

This adapter introduces the concept of asynchronous provisioning. Access Enforcer has its own system of approvals that must be negotiated before a user can be provisioned or modified.

If a SubmitRequest web service call returns successfully, the Identity Manager task performing the provisioning request periodically polls Access Enforcer to check whether the request is complete. The polling interval is set in the Delay Between Asynchronous Retries (seconds) parameter on the Identity System Parameters page of the resource wizard.

When the request has been completed or otherwise acted upon in Access Enforcer, the Identity Manager user object is updated with the status of the request. Identity Manager then processes the provisioning request as defined in the workflow.

If the Use IDM Password on Create parameter is selected, Identity Manager assigns a password defined within Identity Manager to the user account. If the parameter is not selected, a password defined by Access Enforcer is assigned. Access Enforcer always sends the user an email that contains the Access Enforcer-generated password. This Access Enforcer feature cannot be disabled.
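To make the sequence concrete, here is an added simulation of the polling loop described above; it is example code written for this page, not Identity Manager's task logic or the Access Enforcer API. The status strings PENDING/APPROVED/REJECTED, the FakeAccessEnforcer stand-in and the max_polls bound are this example's assumptions: the page names neither the status values nor an upper limit on retries.

```python
import itertools
import time
from dataclasses import dataclass
from typing import Optional

# Constructed status vocabulary; the real Access Enforcer status values are
# not given on the page.
PENDING, APPROVED, REJECTED = "PENDING", "APPROVED", "REJECTED"


class FakeAccessEnforcer:
    """Stand-in for the Access Enforcer web service (constructed for this
    example). Its own approval workflow answers PENDING a few times before
    settling on the configured outcome."""

    def __init__(self, outcome=APPROVED, pending_polls=3):
        self._outcome = outcome
        self._pending_left = pending_polls
        self._ids = itertools.count(1000)
        self.generated_password_mailed = False

    def submit_request(self, attrs):
        # SubmitRequest returns successfully; approval happens later.
        return f"REQ{next(self._ids)}"

    def get_request_status(self, request_id):
        if self._pending_left > 0:
            self._pending_left -= 1
            return PENDING
        if self._outcome == APPROVED:
            # Access Enforcer always mails its generated password; this cannot be disabled.
            self.generated_password_mailed = True
        return self._outcome


@dataclass
class IdmUser:
    """The slice of the Identity Manager user object this example updates."""
    account_id: str
    request_id: Optional[str] = None
    request_status: Optional[str] = None
    password_source: Optional[str] = None
    polls: int = 0
    waited_seconds: int = 0


def provision_async(ae, user, attrs, delay_seconds, use_idm_password,
                    sleep=time.sleep, max_polls=50):
    """Submit the request, then poll every delay_seconds until it is no
    longer pending. delay_seconds plays the role of the 'Delay Between
    Asynchronous Retries (seconds)' parameter; max_polls is this example's
    own safety bound, which the page does not define."""
    user.request_id = ae.submit_request(attrs)
    user.request_status = PENDING
    while user.request_status == PENDING and user.polls < max_polls:
        sleep(delay_seconds)
        user.polls += 1
        user.waited_seconds += delay_seconds
        user.request_status = ae.get_request_status(user.request_id)
    if user.request_status == APPROVED:
        # 'Use IDM Password on Create' selects which password lands on the
        # account; the Access Enforcer mail with its own password goes out regardless.
        user.password_source = "identity_manager" if use_idm_password else "access_enforcer"
    return user


if __name__ == "__main__":
    ae = FakeAccessEnforcer(outcome=APPROVED, pending_polls=3)
    user = provision_async(ae, IdmUser("jdoe"), {"UserId": "JDOE"},
                           delay_seconds=30, use_idm_password=True, sleep=lambda s: None)
    print(user)
    print("AE mailed its generated password:", ae.generated_password_mailed)
```

The sleep function is injected so the loop can be exercised without waiting; with the real parameter value the total wait is polls times the configured delay, which is what the waited_seconds field records.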

Access Enforcer Rule Library

Access Enforcer does not provide a way to fetch certain types of objects. To help facilitate management of these objects, Identity Manager provides an Access Enforcer rule library that allows you to specify the names of these objects. These names must be manually entered as strings in the rule library.

The following table lists the Access Enforcer objects, the corresponding Identity Manager rule, and the default values. Use the debug pages or the Identity Manager IDE to edit the values to match your environment.

Access Enforcer Object      Rule Name          Default Values
--------------------------  -----------------  -------------------------------------------------------------
Applications                getApplications    CELAENO.CENTRAL. This value must be changed.
Access Enforcer Roles       getRoles           TestRoles. This value must be changed.
Requests                    getRequests        NEW, NEW_HIRE, CHANGE, DELETE, LOCK, UNLOCK, INFORMATION
Priorities                  getPriorities      LOW, MEDIUM, HIGH. These values may need to be changed.
Employee Type               getEmployeeType    TEMP, PERM, CONTRACT. These values may need to be changed.
Service Level Agreements    getSLAs            Level0, Level1, Level2. These values may need to be changed.

Web Services

The Access Enforcer adapter works by sending web service requests to Access Enforcer. The web services are performed using Apache Axis tools. The supported actions for the SubmitRequest provisioning web service are:

User fetch is performed by the SAPResourceAdapter.getUser() method because Access Enforcer does not provide a web service to query for this information.

User Forms

The default Access Enforcer User Form attempts to populate the manager and requestor account attributes with values from the views available to the Create/Edit User form.

User forms may return a list of the following objects by calling the listObjects method:

To disable, enable, and delete users the Access Enforcer EnableDisableDelete Form must be imported and individually added to the Disable, Enable, and Deprovision forms. See the comments in $WSHOME/sample/forms/AE-EnableDisableDeleteForm.xml for details.

Enabling Secure Network Communications (SNC) Connections

By default, the SAP adapter uses the SAP Java Connector (JCo) to communicate with the SAP system. For information about implementing SNC connections, see Enabling Secure Network Communications (SNC) Connections.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses BAPI over SAP Java Connector (JCo) to communicate with the SAP systems for the getUser and listObjects methods and the account iterator.

Required Administrative Privileges

The user name that connects to SAP must be assigned to a role that can access the SAP users.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature                       Supported?
----------------------------  ------------------------------------------------------
Enable/disable account        Yes
Rename account                No
Pass-through authentication   No
Before/after actions          No
Data loading methods          • Import from resource (via SAPResourceAdapter class)
                              • Reconciliation (via SAPResourceAdapter class)

Account Attributes

The following table provides information about the account attributes that are specific to Access Enforcer. Refer to the documentation for the SAP adapter for information about general SAP attributes. Unless stated otherwise, all attribute types are String, and all attributes are write-only. The values for all attributes listed below are converted to uppercase.

Identity System User Attribute   Resource Attribute Name   Description
-------------------------------  ------------------------  -----------------------------------------------------------------------------------------------
aeUserId                         UserId                    Required. The user ID for the Access Enforcer account.
aeEmailAddress                   EmailAddress              Required. The email address assigned to the user.
aeFirstName                      FirstName                 Required. The user’s first name.
aeLastName                       LastName                  Required. The user’s last name.
aeRequestorId                    RequestorId               Required. The user ID of the person requesting the account.
aeRequestorLastName              RequestorLastName         Required. The last name of the requestor.
aeRequestorFirstName             RequestorFirstName        Required. The first name of the requestor.
aeRequestorEmailAddr             RequestorEmailAddr        Required. The email address of the requestor.
aePriority                       Priority                  Required. The priority of the request.
aeApplication                    Application               Required. The application to which access is to be granted.
aeLocation                       Location                  The user’s location.
aeCompany                        Company                   The user’s company.
aeDepartment                     Department                The user’s department.
aeEmployeeType                   EmployeeType              The employment status of the user.
aeRequestReason                  RequestReason             Description of why access is being requested.
aeRoles                          Roles                     Complex. The roles assigned to the user. This attribute contains values for ValidFrom, ValidTo, and Rolename.
aeValidFrom                      ValidFrom                 The beginning time of a request.
aeValidTo                        ValidTo                   The end time of a request.
aeTelephone                      Telephone                 The user’s telephone number.
aeManagerId                      ManagerId                 Required. The account ID of the user’s manager. This must be a valid, existing value in Access Enforcer.
aeManagerFirstName               ManagerFirstName          Required. The manager’s first name. This must be a valid, existing value in Access Enforcer.
aeManagerLastName                ManagerLastName           Required. The manager’s last name. This must be a valid, existing value in Access Enforcer.
aeManagerEmailAddr               ManagerEmailAddr          Required. The manager’s email address. This must be a valid, existing value in Access Enforcer.


Note

The attributes designated as required must be sent in the Submit Request service call. However, they are not marked as required on the schema map because of conflicts that may occur when updating a user that has other resources assigned.


Other attributes may be added to the schema map, but are considered custom attributes in Access Enforcer. To distinguish the custom attributes, you must prepend AE to any Resource User Attribute. (For example, AEMyAttribute.) The values for custom attributes are not converted to uppercase.
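The naming and conversion rules in this section, together with the rule-library defaults listed under Access Enforcer Rule Library, lend themselves to one worked example. The following is added here and is not Identity Manager's own adapter code: it maps Identity System attribute names to resource attribute names, uppercases the standard values, passes AE-prefixed custom values through unchanged, reports required attributes that are absent, and checks aePriority, aeEmployeeType and aeApplication against the rule-library defaults. Which attribute is checked against which rule, and the sample user, are this example's assumptions.

```python
# Required attributes per the table above (they must be sent in the
# SubmitRequest service call).
REQUIRED = {
    "aeUserId", "aeEmailAddress", "aeFirstName", "aeLastName",
    "aeRequestorId", "aeRequestorLastName", "aeRequestorFirstName",
    "aeRequestorEmailAddr", "aePriority", "aeApplication",
    "aeManagerId", "aeManagerFirstName", "aeManagerLastName", "aeManagerEmailAddr",
}

# Default values of the Access Enforcer rule library, as listed in the table;
# in a real deployment these are edited to match the environment.
RULE_LIBRARY = {
    "getApplications": ["CELAENO.CENTRAL"],
    "getRoles": ["TestRoles"],
    "getRequests": ["NEW", "NEW_HIRE", "CHANGE", "DELETE", "LOCK", "UNLOCK", "INFORMATION"],
    "getPriorities": ["LOW", "MEDIUM", "HIGH"],
    "getEmployeeType": ["TEMP", "PERM", "CONTRACT"],
    "getSLAs": ["Level0", "Level1", "Level2"],
}

# Which attribute this example validates against which rule. The pairing is
# an assumption of this example; the page does not state it.
VALIDATED_BY = {
    "aePriority": "getPriorities",
    "aeEmployeeType": "getEmployeeType",
    "aeApplication": "getApplications",
}


def is_custom(idm_attr):
    """Custom attributes carry the AE prefix (for example AEMyAttribute)."""
    return idm_attr.startswith("AE")


def resource_name(idm_attr):
    """aeUserId -> UserId; custom AE* attributes keep their full name."""
    if is_custom(idm_attr):
        return idm_attr
    if idm_attr.startswith("ae") and len(idm_attr) > 2:
        return idm_attr[2:]
    raise ValueError(f"not an Access Enforcer attribute: {idm_attr}")


def build_submit_request(idm_attrs):
    """Return (payload, missing, errors). The payload is keyed by resource
    attribute name; standard values are uppercased, custom values are not."""
    missing = sorted(a for a in REQUIRED if not idm_attrs.get(a))
    payload, errors = {}, []
    for name, value in idm_attrs.items():
        if value is None or value == "":
            continue
        rname = resource_name(name)
        if is_custom(name):
            payload[rname] = value  # custom attribute: no uppercase conversion
        elif name == "aeRoles":
            # Complex attribute: a list of {Rolename, ValidFrom, ValidTo} entries.
            payload[rname] = [{k: str(v).upper() for k, v in role.items()} for role in value]
        else:
            payload[rname] = str(value).upper()
        rule = VALIDATED_BY.get(name)
        if rule and payload[rname] not in RULE_LIBRARY[rule]:
            errors.append(f"{name}={value!r} is not one of {rule}: {RULE_LIBRARY[rule]}")
    return payload, missing, errors


# Constructed sample user for the demonstration; not real data.
SAMPLE_USER = {
    "aeUserId": "jdoe", "aeEmailAddress": "jdoe@example.com",
    "aeFirstName": "Jane", "aeLastName": "Doe",
    "aeRequestorId": "hradmin", "aeRequestorFirstName": "Hal",
    "aeRequestorLastName": "Adams", "aeRequestorEmailAddr": "hradmin@example.com",
    "aePriority": "high", "aeApplication": "CELAENO.CENTRAL",
    "aeManagerId": "msmith", "aeManagerFirstName": "Mary",
    "aeManagerLastName": "Smith", "aeManagerEmailAddr": "msmith@example.com",
    "aeEmployeeType": "perm",
    "aeRoles": [{"Rolename": "finance_ro", "ValidFrom": "2008-06-01", "ValidTo": "2008-12-31"}],
    "AEMyAttribute": "CostCenter-42",
}

if __name__ == "__main__":
    payload, missing, errors = build_submit_request(SAMPLE_USER)
    for k, v in payload.items():
        print(f"{k:<20} {v}")
    print("missing:", missing)
    print("errors :", errors)
```

Because the required attributes are deliberately not marked required on the schema map, a pre-submit check like this is the place to catch an incomplete request before the SubmitRequest call is made.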

Resource Object Management

Not applicable

Identity Template

$accountId$

Sample Forms

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

To determine which version of the SAP Java Connector (JCo) is installed, and whether it is installed correctly, run the following command:

java -jar sapjco.jar

The command returns the JCo version as well as the platform-dependent JNI library and the RFC library that communicate with the SAP system.

If the platform-dependent libraries are not found, refer to the SAP documentation to find out how to correctly install the SAP Java Connector.





Copyright 2008 Sun Microsystems, Inc. All rights reserved.