1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with SAP User Management.

Note:

Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.

This chapter contains the following sections:

Certified Components
Usage Recommendation
Reconciliation Module
Provisioning Module
Supported Functionality
Multilanguage Support
Files and Directories on the Installation Media
Determining the Release Number of the Connector

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, SAP User Management has been referred to as the target system.

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item	Requirement
Oracle Identity Manager	Oracle Identity Manager release 9.1.0.1 and any later BP in this release track Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector supports. Note: From release 9.0.4.5 onwards, the connector supports SAP JCo 3.0 which supports JDK 1.5 or later. Therefore, you must verify that the Oracle Identity Manager and application server combination that you use support JDK 1.5. See the following Oracle Technology Network page for information about certified configurations of Oracle Identity Manager: `http://www.oracle.com/technology/software/products/ias/files/idm_certification_101401.html`
Target systems	The target system can be any one of the following: SAP R/3 4.6C (running on Basis 4.6C) SAP R/3 4.7 (running on WAS 6.20) mySAP ERP 2004 ECC 5.0 (running on WAS 6.40) mySAP ERP 2005 ECC 6.0 (running on WAS 7.00) Note: From version 6.40 onward, SAP WAS is also known as "SAP NetWeaver."
External code	The following SAP custom code files: `sapjco3.jar` version 3.0 Additional file for Microsoft Windows: `sapjco3.dll` version: 3.0 Additional file for Solaris and Linux: `libsapjco3.so` version: 3.0
Target system user account	Oracle Identity Manager uses this user account to connect to and communicate with the target system. For minimum authorization, create a user account and assign the `S_CUS_CMP` profile, `P_ALL` profile, and `SAP_BC_USER_ADMIN` role to it. The User type must be set to `Communication`. This is the default setting for user accounts. If you are not able to find the profiles or role for minimum authorization, then you need to create a user account and assign it to the `SAP_ALL` and `SAP_NEW` groups. These are used for full authorization. You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide. If this target system user account is not assigned the specified rights, then the following error message may be displayed during connector operations: `SAP Connection JCO Exception: User TEST_USER has no RFC authorization for function group SYST`
JDK	JDK 1.4.2

1.2 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

If you are using an Oracle Identity Manager release that is 9.1.0.1 or later and earlier than Oracle Identity Manager Release 9.1.0.2 BP04, then use the 9.0.4.x version of this connector.
If you are using Oracle Identity Manager Release 9.1.0.2 BP04 or later, and earlier than Oracle Identity Manager 11g Release 1 PS1 BP07 (11.1.1.5.7) with patch 16627402, then use the latest 9.1.x version of this connector.
If you are using Oracle Identity Manager 11g Release 1 PS1 BP07 (11.1.1.5.7) with patch 16627402 or later, or Oracle Identity Manager 11g Release 2 BP05 (11.1.2.0.5) with patch 16627415 or later, then use the latest 11.1.1.x version of this connector.

1.3 Reconciliation Module

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about reconciliation configurations

This section discusses the elements that are extracted from the target system by the reconciliation module for constructing reconciliation event records. The following are features of the reconciliation module:

The default data elements of each reconciliation event record are Organization, User Type, and Employee Type.
The default labels for the data elements in each reconciliation event record are as follows:
- Event Linked (for successful reconciliation)
- No Match Found (for failed reconciliation)

Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:

Lookup Data Reconciliation
User Reconciliation

1.3.1 Lookup Data Reconciliation

The following lookup fields are reconciled:

Lookup.SAP.R3.Roles
Lookup.SAP.R3.TimeZone
Lookup.SAP.R3.LangComm
Lookup.SAP.R3.UserTitle
Lookup.SAP.R3.DecimalNotation
Lookup.SAP.R3.DateFormat
Lookup.SAP.R3.UserGroups
Lookup.SAP.R3.CommType
Lookup.SAP.R3.Profiles

The following lookup fields are not reconciled:

Lookup.SAP.R3.UserType
Lookup.SAP.LockUnlock
Lookup.SAP.R3.FieldNames
Lookup.SAP.R3.FieldNamesX
Lookup.SAP.R3.BAPIKeys
Lookup.SAP.R3.BAPIXKeys

1.3.2 User Reconciliation

User reconciliation can be divided into the following:

Reconciled SAP User Management Resource Object Fields
Reconciled Xellerate User (OIM User) Fields

1.3.2.1 Reconciled SAP User Management Resource Object Fields

The following fields are reconciled:

Extension
Telephone
Time Zone
Lang Logon
User Group
Department
Lang Comm
Last Name
First Name
User Title
User ID
Start Menu
User Type
Alias
Lock User
Communication Type
Code
Building
Floor
Room No
Function
Decimal Notation
Date Format
Email Address
Fax
User Profile
User Role

1.3.2.2 Reconciled Xellerate User (OIM User) Fields

If trusted source reconciliation is implemented, then the following fields are reconciled:

User ID
FirstName
LastName
Organization
Email
Employee Type
User Type

1.4 Provisioning Module

Provisioning involves creating or modifying a user's account on the target system through Oracle Identity Manager. You use the Oracle Identity Manager Administrative and User Console to perform provisioning operations.

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about provisioning

For this target system, the following fields are provisioned:

User ID
Password
First Name
Last Name

1.5 Supported Functionality

The following table lists the functions that are available with this connector.

Function	Type	Description
Create User	Provisioning	Creates a user in SAP User Management
Update User	Provisioning	Updates a user in SAP User Management
Delete User	Provisioning	Deletes a user from SAP User Management
Lock User	Provisioning	Locks a user in SAP User Management
UnLock User	Provisioning	Unlocks a user in SAP User Management
Add User Role	Provisioning	Adds a role to a user in SAP User Management
Add User Profile	Provisioning	Adds a profile to a user in SAP User Management
Remove User Role	Provisioning	Removes the role of a user in SAP User Management
Remove User Profile	Provisioning	Removes the profile of a user in SAP User Management
List Roles of User	Provisioning	Lists the roles of a user in SAP User Management
List Profiles of User	Provisioning	Lists the profiles of a user in SAP User Management
List All Roles	Provisioning	Lists all the roles present in SAP User Management
List All Profiles	Provisioning	Lists all the profiles present in SAP User Management
Reconciliation Insert Received	Reconciliation	Creates a user in Oracle Identity Manager if a user is created in SAP User Management
Reconciliation Update Received	Reconciliation	Updates a user in Oracle Identity Manager if a user is updated in SAP User Management
Reconciliation Delete Received	Reconciliation	Deletes a user from Oracle Identity Manager if a user is deleted from SAP User Management

See Also:

Appendix A for information about attribute mappings between Oracle Identity Manager and SAP User Management.

1.6 Multilanguage Support

This release of the connector supports the following languages:

Arabic
Chinese Simplified
Chinese Traditional
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish

See Also:

Oracle Identity Manager Globalization Guide for information about supported special characters

1.7 Files and Directories on the Installation Media

The files and directories on the installation media are listed and described in Table 1-2.

Table 1-2 Files and Directories on the Installation Media

File in the Installation Media Directory	Description
Configuration/SAPBIW-CI.xml Configuration/SAPCRM-CI.xml Configuration/SAPR3-CI.xml	This connector supports the following target systems: SAP BIW SAP CRM SAP R/3 These XML files contain configuration information that is used during connector installation.
BAPI/xlsapcar.sar	This file contains information for configuring the SAP system so that the connector is able to access the APIs on the target system.
lib/SAPAdapter.jar	This JAR file contains the class files that are required for provisioning. During connector deployment, this file is copied into the following directory: OIM_HOME/xellerate/JavaTasks
lib/SAPAdapterRecon.jar	This JAR file contains the class files that are required for reconciliation. During connector deployment, this file is copied into the following directory: OIM_HOME/xellerate/ScheduleTask
Files in the `resources` directory	Each of these resource bundle files contains language-specific information that is used by the connector. During connector deployment, this file is copied into the following directory: OIM_HOME/xellerate/connectorResources Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.
test/troubleshoot/troubleShootingUtility.class	This utility is used to test connector functionality.
test/troubleshoot/global.properties	This file is used to specify the parameters and settings required to connect to the target system by using the testing utility.
test/troubleshoot/log.properties	This file is used to specify the log level and the directory in which the log file is to be created when you run the testing utility.
xml/SAPBIWResourceObject.xml	This file contains definitions for the following components of the SAP BIW connector: IT resource definition SAP User form Lookup definitions Connectors Resource object Reconciliation scheduled tasks
xml/SAPBIWXLResourceObject.xml	This XML file contains the configuration for the Xellerate User (OIM User). You must import this file only if you plan to use the connector in trusted source reconciliation mode.
xml/SAPCRMResourceObject.xml	This file contains definitions for the following components of the SAP CRM connector: IT resource definition SAP User form Lookup definitions Connectors Resource object Process definition Reconciliation scheduled tasks
xml/SAPCRMXLResourceObject.xml	This file is used only if the connector is configured as a trusted source. The `SAPCRMXLResourceObject.xml` file contains only the Oracle Identity Manager resource objects and dependent values.
xml/SAPR3ResourceObject.xml	This XML file contains definitions for the following components of the connector: IT resource definition SAP User form Lookup definitions Adapters Resource object Process definition Reconciliation scheduled tasks
xml/SAPR3XLResourceObject.xml	This XML file contains the configuration for the Xellerate User (OIM User). You must import this file only if you plan to use the connector in trusted source reconciliation mode.

Note:

The files in the troubleshoot directory are used only to run tests on the connector.

1.8 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

In a temporary directory, extract the contents of the following JAR file:
```
OIM_HOME/xellerate/JavaTasks/SAPAdapter.jar
```
Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the SAPAdapter.jar file.

In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.