Sun[TM] Identity Manager 8.0 Resources Reference 


SAP

The SAP resource adapter supports SAP R/3 and SAP R/3 Enterprise. The resource adapter is defined in the com.waveset.adapter.SAPResourceAdapter class.

Resource Configuration Notes

To enable the ability for a user to change his or her own SAP password, perform the following steps:

  1. Set the User Provides Password On Change resource attribute.
  2. Add WS_USER_PASSWORD to both sides of the schema map. You do not need to modify the user form or other forms.

Identity Manager Installation Notes

The SAP resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

  1. Download the JCo (Java Connection) toolkit from http://service.sap.com/connectors . (Access to the SAP JCO download pages requires a login and password.) The toolkit will have a name similar to sapjco-ntintel-2.1.6.zip. This name will vary depending on the platform and version selected.

     Note: Make sure that the JCo toolkit you download matches the bit version of Java your application server runs on. For example, JCo is available only in the 64-bit version on the Solaris x86 platform. Therefore, your application server must be running the 64-bit version on the Solaris x86 platform.

  2. Unzip the toolkit and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.
  3. Copy the sapjco.jar file to the InstallDir\WEB-INF\lib directory.
  4. To add an SAP resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page:

     com.waveset.adapter.SAPResourceAdapter

Usage Notes

This section provides information related to using the SAP resource adapter, which is organized into the following sections:

General Notes

The following general notes are provided for the resource:

Enabling Secure Network Communications (SNC) Connections

By default, the SAP adapter uses the SAP Java Connector (JCo) to communicate with the SAP adapters. For information about implementing SNC connections, see Enabling Secure Network Communications (SNC) Connections.

SAP JCO and RFC Tracing

The SAPResourceAdapter and the SAPHRActiveSyncAdapter provide resource attributes for SAP JCO and RFC tracing. They can be used to trace Identity Manager's communication with the SAP system. The attributes are JCO Trace Level and JCO Trace Directory.

The following environment variables can be set in the environment to enable SAP RFC tracing. These variables must be set in the environment before starting the application server. They control the shared library that JCO uses to communicate with the SAP system.

Renaming Accounts

The SAP adapter now supports renaming accounts, except when CUA mode is enabled on the adapter. The adapter performs this function by copying an existing account to a new account and deleting the original. SAP discourages renaming accounts, but provides the option in the user management application (Transaction SU01 from the SAP GUI). Therefore, Identity Manager also supports the option. Be aware that SAP may not support the rename feature in future releases.

The SAP GUI uses a different method to perform the rename because it has access to non-public APIs and to the SAP kernel. The following steps provide a high-level description of how the adapter performs the rename operation:

  1. Get the user information for the existing user.
  2. Save the ALIAS attribute, if one exists.
  3. Create the new user.
  4. Set the Activity Groups on the new user.
  5. Set the Profiles on the new user.
  6. Get the old user's Personalization Data.
  7. Set the new user's Personalization Data.
  8. Delete the old user.
  9. Set the Alias on the new user if one was set on the old user.

If an error occurs during steps 1-3, the operation fails immediately. If an error occurs during steps 4-7, the new user is deleted and the whole operation fails. (If the new user cannot be deleted, a warning is placed into the WavesetResult). If an error occurs during steps 8-9, a warning is added to the WavesetResult, but the operation succeeds.

The Rename operation requires that a new password be set on the new user. This is most easily accomplished by customizing the Rename User Task to invoke the Change User Password Task.
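
The per-step failure rules described above, modeled as an added example (this is not Identity Manager or adapter code). FakeSap, its do method, the "undo" step label and the sample user are hypothetical and constructed for illustration; the model shows which failures leave both the old and the new account ID present.

```python
# Added illustration: models the documented rename flow; not the adapter's code.
# FakeSap and its "do" method are hypothetical stand-ins for the real SAP calls.
class FakeSap:
    def __init__(self, users, fail_at=()):
        self.users = users            # constructed sample data: {accountId: attrs}
        self.fail_at = set(fail_at)   # step numbers (or "undo") that should fail

    def do(self, n, action):
        """Run one numbered step, or raise if that step is set to fail."""
        if n in self.fail_at:
            raise RuntimeError(f"step {n} failed")
        return action()


def sample_users():
    """Constructed sample: one existing account with an alias, a role and a profile."""
    return {"JDOE": {"alias": "jd", "activityGroups": ["R1"], "profiles": ["P1"]}}


def rename(sap, old, new):
    """Return (succeeded, warnings) following the documented failure rules."""
    users, warnings = sap.users, []
    try:                              # steps 1-3: fail immediately
        info = sap.do(1, lambda: dict(users[old]))
        alias = sap.do(2, lambda: info.get("alias"))
        sap.do(3, lambda: users.update({new: {}}))
    except (RuntimeError, KeyError):
        return False, warnings
    try:                              # steps 4-7: delete the new user, then fail
        sap.do(4, lambda: users[new].update(activityGroups=info.get("activityGroups", [])))
        sap.do(5, lambda: users[new].update(profiles=info.get("profiles", [])))
        pdata = sap.do(6, lambda: info.get("personalization", {}))
        sap.do(7, lambda: users[new].update(personalization=pdata))
    except RuntimeError:
        try:
            sap.do("undo", lambda: users.pop(new))
        except RuntimeError:
            warnings.append(f"new user {new} could not be deleted")
        return False, warnings
    for n, action in ((8, lambda: users.pop(old)),
                      (9, lambda: alias and users[new].update(alias=alias))):
        try:                          # steps 8-9: warn only, operation succeeds
            sap.do(n, action)
        except RuntimeError as err:
            warnings.append(str(err))
    return True, warnings


def both_exist(sap, old, new):
    """True when old and new IDs coexist: the state reconciliation should flag."""
    return old in sap.users and new in sap.users
```

In this model a step 8 failure returns success with only a warning while both IDs carry the same roles and profiles, so a reconciliation pass after a rename should confirm that the old ID is gone.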

Global Trade Services (GTS) Support

To enable SAP Global Trade Services support on the SAP adapter, activate the appropriate roles listed in the Role Name column of the following table. SAP generates the roles listed in the Generated Role column of the table. You must assign the generated roles to the appropriate user profiles in SAP GTS.

| Role Label | Role Name | Generated Role |
|---|---|---|
| Customs Processing Specialist | SAP_BW_SLL_CUS | SAP_BWC_SLL_CUS |
| Preference Processing Specialist | SAP_BW_SLL_PRE | SAP_BWC_SLL_PRE |
| Restitution Specialist | SAP_BW_SLL_RES | SAP_BWC_SLL_RES |
| Legal Control Specialist | SAP_BW_SLL_LCO | SAP_BWC_SLL_LCO |

Additional Table Support

The SAP adapter can provision to any SAP table called by BAPI_USER_CREATE1 and BAPI_USER_CHANGE, most notably the GROUPS and PARAMETER tables. To enable this feature for any table other than GROUPS, you must add a Resource User Attribute to the schema map in the format SAP_Table_Name->Table. (For example, PARAMETER->Table.) The attribute must be assigned the complex data type.

The adapter provides an account attribute named GROUPS->USERGROUP, which processes data from the GROUPS table. By default, this attribute's type is string. When the attribute type is set to string, the adapter processes values as a list of strings. If you want the adapter to process data from the table in the same manner as other tables, you must change the data type to complex.

The $WSHOME/web/sample/forms/SAPUserForm.xml file contains an example user form that illustrates how the GROUP table is managed using a string account attribute type as well as a complex attribute type.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Required Administrative Privileges

The user name that connects to SAP must be assigned to a role that can access the SAP users.

Provisioning Notes

| Feature | Supported? |
|---|---|
| Enable/disable account | Yes |
| Rename account | Yes, except when CUA is enabled. |
| Pass-through authentication | No |
| Before/after actions | No |
| Data loading methods | Import directly from resource; Reconciliation |

Account Attributes

The following table provides information about the default SAP account attributes. (Additional attributes are provided if the Enable SAP GRC Access Enforcer? resource parameter is selected.) All attribute types are String.

| Identity System User Attribute | Resource Attribute Name | Description |
|---|---|---|
| accountId | USERNAME->BAPIBNAME | Required. The user’s account ID. |
| firstname | ADDRESS->FIRSTNAME | User’s first name |
| fullname | ADDRESS->FULLNAME | User’s first and last name |
| email | ADDRESS->E_MAIL | User’s e-mail address |
| lastname | ADDRESS->LASTNAME | Required. User’s last name |
| groups | GROUPS->USERGROUP | Provisions to the SAP GROUPS table. |
| expirePassword | WS_PasswordExpired | Forces the user to supply a new password upon login. |
| accountLockedNoPwd | ISLOCKED->NO_USER_PW | Boolean. Indicates whether the account is locked because the user has no password. |
| accountLockedWrngPwd | ISLOCKED->WRNG_LOGON | Boolean. Indicates whether the account is locked because of failed login attempts. |
| personNumber | ADDRESS->PERS_NO | Internal key for identifying a person |
| addressNumber | ADDRESS->ADDR_NO | Internal key for identifying an address for central address management |
| birthName | ADDRESS->BIRTH_NAME | Maiden name or name given at birth |
| middleName | ADDRESS->MIDDLENAME | User’s middle name |
| secondLastName | ADDRESS->SECONDNAME | Second last name |
| academicTitle | ADDRESS->TITLE_ACA1 | An academic title, such as Dr. or Prof. |
| academicTitle2 | ADDRESS->TITLE_ACA3 | A second academic title |
| namePrefix | ADDRESS->PREFIX1 | A prefix to a last name, such as von, van der, or de la |
| namePrefix2 | ADDRESS->PREFIX2 | A second prefix to a last name |
| titleSupplement | ADDRESS->TITLE_SPPL | Name supplement, for example noble title, such as Lord or Lady |
| nickname | ADDRESS->NICKNAME | User’s nickname |
| initials | ADDRESS->INITIALS | Middle initial or initials |
| nameFormat | ADDRESS->NAMEFORMAT | The sequence in which name components are assembled to present the name of a person in a complete form. The sequence can vary for each country. |
| nameFormatCountry | ADDRESS->NAMCOUNTRY | The country used to determine the name format |
| languageKey | ADDRESS->LANGU_P | The language used to enter and display text |
| iso639Language | ADDRESS->LANGUP_ISO | ISO 639 language code |
| sortKey1 | ADDRESS->SORT1_P | A search term |
| sortKey2 | ADDRESS->SORT2_P | A secondary search term |
| department | ADDRESS->DEPARTMENT | The department in a company as part of the company address |
| function | ADDRESS->FUNCTION | The user’s job functionality |
| buildingNumber | ADDRESS->BUILDING_P | The building number where the user’s office is located |
| buildingFloor | ADDRESS->FLOOR_P | The floor where the user’s office is located |
| roomNumber | ADDRESS->ROOM_NO_P | The room number where the user’s office is located |
| correspondenceCode | ADDRESS->INITS_SIG | A correspondence code |
| inhouseMailCode | ADDRESS->INHOUSE_ML | An internal mail code |
| communicationType | ADDRESS->COMM_TYPE | States how the user wants to exchange documents and messages with a business partner. |
| title | ADDRESS->TITLE | A title, such as Mr. or Mrs. |
| titleP | ADDRESS->TITLE_P | A title, such as Mr. or Mrs. |
| addressName | ADDRESS->NAME | Name of an address |
| addressName2 | ADDRESS->NAME_2 | Second line in a name of an address |
| addressName3 | ADDRESS->NAME_3 | Third line in a name of an address |
| addressName4 | ADDRESS->NAME_4 | Fourth line in a name of an address |
| careOfName | ADDRESS->C_O_NAME | Part of the address if the recipient is different from the occupant (c/o = care of) |
| city | ADDRESS->CITY | User’s city |
| district | ADDRESS->DISTRICT | City or district supplement |
| cityNumber | ADDRESS->CITY_N | City code |
| districtNumber | ADDRESS->DISTRCT_NO | District code |
| cityPostalCode | ADDRESS->POSTL_COD1 | User’s postal code |
| poBoxPostalCode | ADDRESS->POSTL_COD2 | Postal code required for unique assignment of the PO Box. |
| companyPostalCode | ADDRESS->POSTL_COD3 | Postal code that is assigned directly to a company. |
| poBox | ADDRESS->PO_BOX | The user’s post office box |
| poBoxCity | ADDRESS->PO_BOX_CIT | Post office box city |
| poBoxCityCode | ADDRESS->PBOXCIT_NO | The PO Box city, if it is different from the address city. |
| postalDeliveryDistrict | ADDRESS->DELIV_DIS | Postal delivery district |
| transportZone | ADDRESS->TRANSPZONE | Regional zone of a goods recipient or supplier |
| street | ADDRESS->STREET | The user’s street |
| streetNumber | ADDRESS->STREET_NO | A street code |
| streetAbbreviation | ADDRESS->STR_ABBR | A street abbreviation |
| houseNumber | ADDRESS->HOUSE_NO | The number portion of a street address |
| houseNumber2 | ADDRESS->HOUSE_NO2 | A secondary address number |
| street2 | ADDRESS->STR_SUPPL1 | Additional address field printed above the Street line. |
| street3 | ADDRESS->STR_SUPPL2 | Additional address field printed above the Street line. |
| street4 | ADDRESS->STR_SUPPL3 | Additional address field printed below the Street line. |
| street5 | ADDRESS->LOCATION | Additional address field printed below the Street line. |
| oldBuilding | ADDRESS->BUILDING | Number or ID for the building in a contact person address. |
| floor | ADDRESS->FLOOR | The floor number of an address |
| roomNumber | ADDRESS->ROOM_NO | The room number in an address |
| countryCode | ADDRESS->COUNTRY | The country in an address |
| countryCodeISO | ADDRESS->COUNTRYISO | The two-letter ISO code for the country in an address |
| languageKey | ADDRESS->LANGU | The language used to enter and display text |
| languageKeyISO | ADDRESS->LANGU_ISO | ISO 639 language code |
| region | ADDRESS->REGION | State or province |
| sort2 | ADDRESS->SORT2 | A secondary search term |
| timeZone | LOGONDATA->TZONE | The time difference of the time zone in hours/minutes relative to the UTC |
| taxJurisdictionCode | ADDRESS->TAXJURCODE | The tax authority to which taxes must be paid. It is always the city to which the goods were delivered. |
| telephoneNumber | ADDRESS->TEL1_NUMBR | Telephone number, including the area code, but no country code |
| telephoneExtension | ADDRESS->TEL1_EXT | Telephone number extension |
| faxNumber | ADDRESS->FAX_NUMBER | Fax number, including the area code, but no country code |
| faxExtension | ADDRESS->FAX_EXTENS | Fax number extension |
| buildingNumber | ADDRESS->BUILD_LONG | Number or abbreviation of a building in an address. |
| cuaSystems | SYSTEMS->CUASYSTEMS | Central User Administration system names |
| profiles | PROFILES->BAPIPROF | Profiles assigned to the user. |
| activityGroups | ACTIVITYGROUPOBJECTS | Roles assigned to the user. |
| lastLoginTime | LOGONDATA->LTIME | Read only attribute that lists the most recent login time. |

Resource Object Support

Managed Objects

This adapter does not manage objects on the SAP resource.

Listable Objects

The following table describes the SAP objects that can be called using the listAllObjects method within a user form.

| Object | Description |
|---|---|
| account | Lists the users defined on the SAP resource. |
| activityGroups | Lists the activity groups (or roles) available for users. (Non-CUA mode only) |
| cuaSystems | When CUA is enabled, lists the names of the CUA children. |
| Group | Lists the available groups on the SAP resource. |
| localActivityGroups | When CUA is enabled, lists the activity groups that exist on a particular child system in a CUA environment. |
| profiles | Lists the names of the authorization profiles. |
| table | Lists the contents of a column of an SAP table. The options map requires the following parameters: name (SAP table name), offset (starting character column in the table), length (length of the data field). Refer to the SAP documentation for the BAPI RFC_GET_TABLE_ENTRIES to determine these values. See Additional Table Support for more information. |
| timeZones | Lists the available time zones supported by the SAP system. |
| usertype | Lists the user types available on the SAP system |

Identity Template

$accountId$

Sample Forms

SAPForm.xml

SAPUserForm_with_RoleEffectiveDates_Timezone.xml

SAPHRActiveSyncForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

To determine which version of the SAP Java Connector (JCO) is installed, and to determine whether it is installed correctly, run the following command:

java -jar sapjco.jar

The command returns the JCO version as well as the JNI platform-dependent and the RFC libraries that communicate with the SAP system.

If the platform-dependent libraries are not found, refer to the SAP documentation to find out how to correctly install the SAP Java Connector.





Copyright 2008 Sun Microsystems, Inc. All rights reserved.