Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use SAP CUA as a managed (target) resource of Oracle Identity Manager.
In the account management (target resource) mode of the connector, data about users created or modified directly on SAP CUA can be reconciled into Oracle Identity Manager. This data is used to provision (assign) resources to or update resources already assigned to OIM Users. In addition, you can use Oracle Identity Manager to provision or update resources assigned to OIM Users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to the corresponding target system accounts.
Note:
At some places in this guide, SAP CUA is referred to as the target system.
This chapter contains the following sections:
Section 1.5, "Lookup Definitions Used During Connector Operations"
Section 1.8, "Roadmap for Deploying and Using the Connector"
Table 1-1 lists the certified components for the connector.
Table 1-1 Certified Components
Component | Requirement |
---|---|
Oracle Identity Manager | Release 9.1.0.2 or later. Note: This release of the connector leverages features, such as SoD validation of entitlement provisioning, introduced in Oracle Identity Manager release 9.1.0.2. |
Target system | The target system can be any one of the following: |
SoD engine | If you want to enable and use the Segregation of Duties (SoD) feature of Oracle Identity Manager with this target system, then install the version of SAP GRC that is supported by Oracle Identity Manager. See Section 1.4.1, "SoD Validation of Entitlement Requests" for more information about the SoD feature. See Oracle Identity Manager Readme for Release 9.1.0.2 for information about the supported releases of SAP GRC. |
External code | The following SAP custom code files: Note: You must verify that the Oracle Identity Manager and application server combination that you use supports JDK 1.5. This requirement is imposed by support for SAP JCo 3.0 from release 9.0.4.5 of the connector. SAP JCo 3.0 supports JDK 1.5 and later. See the following Oracle Technology Network Web site for information about certified components of Oracle Identity Manager: |
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
Oracle Identity Manager Globalization Guide for information about supported special characters
Figure 1-1 shows the architecture of the connector.
The adapters carry provisioning data submitted through the process form to the target system. Standard and custom BAPIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response to the adapters. The adapters return the response to Oracle Identity Manager.
Note:
This is the standard provisioning process. See Section 3.4, "Provisioning Operations Performed in an SoD-Enabled Environment" for detailed information about how provisioning takes place in an SoD-enabled environment.
During reconciliation, the scheduled task establishes a connection with the target system and sends reconciliation criteria to the custom BAPIs.
Note:
You deploy these custom BAPIs on the target system as part of the connector deployment procedure.
The custom BAPIs extract the SAP CUA Master system user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager. Each record is compared with the SAP CUA resources that are already provisioned to OIM Users. If a match is found, then the update made to the SAP CUA record on the target system is copied to the SAP CUA resource in Oracle Identity Manager. If no match is found between a record from the target system and an existing SAP CUA resource, then the user ID of the record is compared with the user ID of each OIM User. If a match is found, then data in the target system record is used to provision an SAP CUA resource to the OIM User.
The following are features of the connector:
Starting from this release, the connector supports the SoD feature introduced in Oracle Identity Manager release 9.1.0.2. The following are the focal points of this software update:
The SoD Invocation Library (SIL) is bundled with Oracle Identity Manager release 9.1.0.2. The SIL acts as a pluggable integration interface with any SoD engine.
The SAP CUA connector is preconfigured to work with SAP GRC as the SoD engine. To enable this, changes have been made in the approval and provisioning workflows of the connector.
Note:
The default approval workflow and associated object form can be used as an example of how to configure the SoD validation capabilities of SAP GRC into the SAP connector. You can use this to develop your own approval workflows and object forms.
The SoD engine processes role and profile entitlement requests that are sent through the connector. This preventive simulation approach helps identify and correct potentially conflicting assignments of entitlements to a user before the requested entitlements are granted.
See Also:
Oracle Identity Manager Tools Reference for Release 9.1.0.2 for detailed information about the SoD feature
Section 2.3.3, "Configuring SoD" in this guide
In full reconciliation, all person records are fetched from the target system to Oracle Identity Manager. In incremental reconciliation, only person records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.
A parameter of the IT resource is used as the time stamp at which a reconciliation run begins. If that parameter is set to 0, then full reconciliation is performed. If that parameter holds a non-zero value, then incremental reconciliation is performed.
See Section 3.2.1, "Full Reconciliation vs. Incremental Reconciliation" for more information.
To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.
See Section 3.2.2, "Limited Reconciliation vs. Regular Reconciliation" for more information.
You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.
See Section 3.2.3, "Batched Reconciliation" for more information.
You can configure SNC to secure communication between Oracle Identity Manager and the target system.
See Section 2.3.4, "Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System" for more information.
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Date Format lookup field to select a date format from the list of supported date formats. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
Note:
The target system allows you to use special characters in lookup fields. However, in Oracle Identity Manager, special characters are not supported in lookup definitions.
The Lookup.SAP.CUA.Lookupfields lookup definition maps each lookup definition to the BAPI that is used to fetch values for that lookup definition from the target system.
The Code Key column of the Lookup.SAP.CUA.Lookupfields lookup definition contains the names of the lookup definitions that are synchronized with the target system. The Decode column contains the name and parameters of the corresponding BAPIs.
Table 1-2 lists the entries in the Lookup.SAP.CUA.Lookupfields lookup definition.
Table 1-2 Entries in the Lookup.SAP.CUA.LookupMappings Lookup Definition
Code Key | Decode |
---|---|
Lookup.SAP.CUA.CommType | BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;COMM_TYPE;COMM_TYPE;COMM_TEXT |
Lookup.SAP.CUA.DateFormat | BAPI_HELPVALUES_GET;GETDETAIL;DEFAULTS;DATFM;_LOW;_TEXT |
Lookup.SAP.CUA.DecimalNotation | BAPI_HELPVALUES_GET;GETDETAIL;DEFAULTS;DCPFM;_LOW;_TEXT |
Lookup.SAP.CUA.LangComm | BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;LANGU_P;SPRAS;SPTXT |
Lookup.SAP.CUA.TimeZone | BAPI_HELPVALUES_GET;CHANGE;ADDRESS;TIME_ZONE;TZONE;DESCRIPT |
Lookup.SAP.CUA.UserGroups | BAPI_HELPVALUES_GET;GETDETAIL;GROUPS;USERGROUP;USERGROUP;TEXT |
Lookup.SAP.CUA.UserTitle | BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;TITLE_P;TITLE_MEDI;TITLE_MEDI; |
Lookup.SAP.CUA.Roles | BAPI_HELPVALUES_GET;GETDETAIL;ACTIVITYGROUPS;AGR_NAME;AGR_NAME;TEXT;AGR_COLL;AGR_SINGLE;SH |
Lookup.SAP.CUA.Profiles | BAPI_HELPVALUES_GET;GETDETAIL;PROFILES;BAPIPROF;PROFN;PTEXT |
The following is the format of entries in the lookup definitions listed in the preceding table:
Code Key value: IT_RESOURCE_KEY~LOOKUP_FIELD_ID
In this format:
IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Manager.
LOOKUP_FIELD_ID is the target system code assigned to each lookup field entry.
Sample value: 1~PRT
Decode value: Description of the lookup field entry
Sample value: Printer
The SAP CUA Lookup Recon scheduled task is used to synchronize values of these lookup definitions with the target system. See Section 3.1, "Scheduled Task for Lookup Field Synchronization" for more information about this scheduled task.
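The following Python model, added here as an illustration and not the connector's own code, shows how a Decode value from Table 1-2 is taken apart and how help values fetched from the target system become Code Key/Decode entries in the IT_RESOURCE_KEY~LOOKUP_FIELD_ID format. It assumes, from the layout of Table 1-2, that the fifth and sixth semicolon-separated tokens name the help-value columns used for the code and the description, and it assumes a deliberately narrow character set for what an Oracle Identity Manager lookup entry accepts; the help-value rows are constructed.

```python
# Added illustration of the lookup field synchronization described above;
# not the connector's own code. Assumption, inferred from Table 1-2: a Decode
# value is BAPI;METHOD;PARAMETER;FIELD;CODE_COLUMN;TEXT_COLUMN[;extra...],
# so tokens 5 and 6 name the help-value columns that become the
# LOOKUP_FIELD_ID and the description.
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BapiSpec:
    bapi: str
    method: str
    parameter: str
    field_name: str
    code_column: str
    text_column: str
    extra: List[str] = field(default_factory=list)


def parse_decode(decode: str) -> BapiSpec:
    """Split a Decode value into BAPI name and parameters; tolerates the
    trailing ';' of the UserTitle entry and the extra tokens of Roles."""
    tokens = decode.split(";")
    if tokens and tokens[-1] == "":
        tokens.pop()
    if len(tokens) < 6:
        raise ValueError("Decode value has fewer than 6 tokens: %r" % decode)
    return BapiSpec(tokens[0], tokens[1], tokens[2], tokens[3],
                    tokens[4], tokens[5], tokens[6:])


# Assumption: a deliberately narrow set of characters accepted in Oracle
# Identity Manager lookup entries (the page says special characters are
# unsupported there but does not list them).
_UNSUPPORTED = re.compile(r"[^A-Za-z0-9 _.\-]")


def build_lookup_entries(it_resource_key: int, spec: BapiSpec,
                         help_values: List[Dict[str, str]]) -> Dict[str, str]:
    """Map help-value rows to Code Key IT_RESOURCE_KEY~LOOKUP_FIELD_ID and
    Decode description, rejecting rows the target system allows but an
    Oracle Identity Manager lookup definition would not accept."""
    entries: Dict[str, str] = {}
    for row in help_values:
        code, text = row[spec.code_column], row[spec.text_column]
        if _UNSUPPORTED.search(code) or _UNSUPPORTED.search(text):
            raise ValueError("unsupported character in %r / %r" % (code, text))
        entries["%d~%s" % (it_resource_key, code)] = text
    return entries


# Constructed sample: Decode value from Table 1-2 plus made-up help values.
COMM_TYPE_DECODE = "BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;COMM_TYPE;COMM_TYPE;COMM_TEXT"
SAMPLE_COMM_TYPE_ROWS = [
    {"COMM_TYPE": "PRT", "COMM_TEXT": "Printer"},
    {"COMM_TYPE": "INT", "COMM_TEXT": "E-Mail"},
]
```

Running `build_lookup_entries(1, parse_decode(COMM_TYPE_DECODE), SAMPLE_COMM_TYPE_ROWS)` yields the two entries `1~PRT` and `1~INT`, the first of which is the sample value quoted above.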
While performing a provisioning operation on the Administrative and User Console, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select.
Table 1-3 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.
Table 1-3 Other Lookup Definitions
Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition |
---|---|---|
Lookup.SAP.LockUnlock | This lookup definition is used to populate the Lock User list on the Admin and User Console. The following are the Code Key and Decode values in this lookup definition: | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.CUA.BAPIKeys | Code Key: Resource object attribute name. Decode: Structure name in the corresponding BAPI. This lookup definition is used during linking of an SAP HRMS account with an SAP R/3 account, for all attributes other than the UserAlias attribute. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.CUA.BAPIXKeys | Code Key: Resource object attribute name. Decode: Structure name in the corresponding BAPI. This lookup definition is used during linking of an SAP HRMS account with an SAP R/3 account, for only the UserAlias attribute. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.CUA.Configuration | This lookup definition contains configuration values that are used during SoD validation. | This lookup definition is preconfigured. You can only set a value for the Risk Level entry. See Section 2.3.3.2, "Specifying Values for SoD-Related Entries in the Lookup.SAP.CUA.Configuration Lookup Definition" for more information. |
Lookup.SAP.CUA.FieldNames | Code Key: Resource object attribute name. Decode: Attribute name in the corresponding BAPI. This lookup definition is used during linking of an SAP HRMS account with an SAP R/3 account, for all attributes other than the UserAlias attribute. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.CUA.FieldNamesX | Code Key: Resource object attribute name. Decode: Attribute name in the corresponding BAPI. This lookup definition is used during linking of an SAP HRMS account with an SAP R/3 account, for only the UserAlias attribute. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.CUA.LookupMappings | Code Key: Names of lookup definitions to be synchronized with the target system. Decode: Name of the corresponding BAPI and parameters to be passed to the BAPI. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.CUA.Systems | Both the Code Key and Decode columns contain the system name of the SAP CUA installation. This lookup definition is used during SoD validation of entitlement requests. | You must enter the system name of the SAP R/3 system in both the Code Key and Decode columns. There can be only one entry in this lookup definition. |
Lookup.SAP.CUA.RoleChildformMappings | Code Key: Dummy role child form attribute name. Decode: Corresponding actual role child form attribute name. This lookup definition is used during SoD validation of entitlement requests. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.CUA.ProfileChildformMappings | Code Key: Dummy profile child form attribute name. Decode: Corresponding actual profile child form attribute name. This lookup definition is used during SoD validation of entitlement requests. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
The SAPCUA User Recon scheduled task is used to initiate a target resource reconciliation run. This scheduled task is discussed in Section 3.2.4, "Reconciliation Scheduled Tasks".
See Also:
The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation
This section discusses the following topics:
The following sections list user attributes that are used in reconciliation:
Note:
The connector can reconcile only elements present in the SAP CUA master system.
Table 1-4 lists the user attributes whose values are reconciled during target resource reconciliation.
Table 1-4 User Attributes for Target Resource Reconciliation
Process Form Field | SAP CUA Attribute | Description |
---|---|---|
Alias | USERALIAS | User alias |
Building | BUILDING_P | Building number |
Code | INITS_SIG | Code |
Communication Type | COMM_TYPE | Communication type |
Date Format | DATFM | Date format |
Decimal Notation | DCPFM | Decimal notation |
Department | DEPARTMENT | Department |
Email Address | E_MAIL | E-mail address |
Extension | TEL1_EXT | Extension for the telephone number |
Fax Number | FAX_NUMBER | Fax number |
First Name | FIRSTNAME | First name |
Floor | FLOOR_P | Floor number |
Function | FUNCTION | Function |
Lang Comm | LANGU_P | Communication language |
Lang Logon | LANGU | Logon language |
Last Name | LASTNAME | Last name |
Lock User | Lock User | Status (either Locked or Unlocked) of the user |
Room No | ROOM_NO_P | Room number |
Start Menu | START_MENU | Default menu displayed when the user logs in |
Telephone | TEL1_NUMBR | Telephone number |
Time Zone | TZONE | Time zone |
User Group | CLASS | Group to which the user is assigned |
User ID | USERNAME | Login ID |
User Profile | PROFILE | Multivalue attribute for profiles |
User Role | AGR_NAME | Multivalue attribute for roles |
User Title | TITLE_P | Title |
Xellerate Type | USTYP | Type of user |
See Also:
Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules
The following sections provide information about the reconciliation rules for this connector:
Section 1.6.2.1, "Reconciliation Rule for Target Resource Reconciliation"
Section 1.6.2.2, "Viewing Reconciliation Rules in the Design Console"
The following is the reconciliation rule for target resource reconciliation:
Rule name: Target Resource Recon Rule
Rule element: User Login Equals UserId
In this rule:
User Login is the User ID field on the OIM User form.
UserId is the Login Name field of the target system.
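The following Python model, added here as an illustration and not the connector's own code, walks through the reconciliation flow described earlier in this chapter (full versus incremental selection, then matching first against already provisioned SAP CUA resources and then against OIM Users) using the rule above, User Login Equals UserId. It assumes that each target record carries an integer last-modified time stamp comparable with the IT resource parameter (0 meaning full reconciliation); all records, resources and users are constructed sample data.

```python
# Added illustration of the reconciliation flow described earlier and of the
# rule "User Login Equals UserId" given above; not the connector's own code.
# Assumption: a record's last_modified is an integer comparable with the IT
# resource time-stamp parameter (0 means full reconciliation).
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TargetRecord:
    username: str                  # SAP CUA USERNAME (the Login Name field)
    last_modified: int             # assumed time stamp of the last change
    attributes: Dict[str, str]     # other Table 1-4 attributes


def select_records(records: List[TargetRecord], since: int) -> List[TargetRecord]:
    """Full reconciliation when the time-stamp parameter is 0; otherwise
    incremental, keeping only records changed after the last run."""
    if since == 0:
        return list(records)
    return [r for r in records if r.last_modified > since]


def reconcile(records: List[TargetRecord],
              provisioned: Dict[str, Dict[str, str]],
              oim_users: List[str]) -> Dict[str, List[str]]:
    """Apply the matching order the page describes and report the outcome.

    `provisioned` maps an OIM User's User Login to the SAP CUA resource
    already provisioned to that user and is updated in place:
    1. a record matching an existing SAP CUA resource updates that resource;
    2. otherwise a record whose USERNAME equals an OIM User's User Login
       causes an SAP CUA resource to be provisioned to that user;
    3. a record matching neither gets no action.
    """
    result: Dict[str, List[str]] = {"updated": [], "provisioned": [], "no_match": []}
    logins = set(oim_users)
    for rec in records:
        if rec.username in provisioned:
            provisioned[rec.username].update(rec.attributes)
            result["updated"].append(rec.username)
        elif rec.username in logins:          # rule: User Login Equals UserId
            provisioned[rec.username] = dict(rec.attributes)
            result["provisioned"].append(rec.username)
        else:
            result["no_match"].append(rec.username)
    return result


# Constructed sample: three target records, one existing resource, two OIM Users.
SAMPLE_RECORDS = [
    TargetRecord("JDOE", 1000, {"FIRSTNAME": "John", "LASTNAME": "Doe"}),
    TargetRecord("ASMITH", 2000, {"FIRSTNAME": "Ann", "LASTNAME": "Smith"}),
    TargetRecord("BATCH01", 3000, {"DEPARTMENT": "IT"}),
]
SAMPLE_PROVISIONED = {"JDOE": {"FIRSTNAME": "Jon", "LASTNAME": "Doe"}}
SAMPLE_OIM_USERS = ["JDOE", "ASMITH"]


def run_sample(since: int = 0) -> Dict[str, List[str]]:
    """One reconciliation run over a fresh copy of the sample resources."""
    provisioned = {k: dict(v) for k, v in SAMPLE_PROVISIONED.items()}
    return reconcile(select_records(SAMPLE_RECORDS, since), provisioned, SAMPLE_OIM_USERS)
```

With the time-stamp parameter at 0, JDOE's existing resource is updated, ASMITH is provisioned a new resource, and BATCH01 matches no OIM User; with the parameter set to 1500, JDOE's record is not fetched at all.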
After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
To view the reconciliation rule for target resource reconciliation, search for and open SAPCUA User.
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.
The following sections provide information about the reconciliation action rules for this connector:
Section 1.6.3.1, "Reconciliation Action Rules for Target Resource Reconciliation"
Section 1.6.3.2, "Viewing Reconciliation Action Rules in the Design Console"
Table 1-5 lists the action rules for target resource reconciliation.
After you deploy the connector, you can view the reconciliation action rules by performing the following steps:
Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the SAP CUA Resource Object resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.
Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.
See Also:
The "Provisioning" section in Oracle Identity Manager Connector Concepts for conceptual information about provisioning
This section discusses the following topics:
Table 1-6 lists the supported user provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single or multiple process tasks.
See Also:
Oracle Identity Manager Connector Concepts for generic information about process tasks and adapters
Table 1-6 User Provisioning Functions
Function | Adapter |
---|---|
Create a user account | SAP CUA Create User |
Delete a user account | SAP CUA Delete User |
Lock a user account | SAP CUA Lock UnLock User |
Unlock a user account | SAP CUA Lock UnLock User |
Change password | SAP CUA Password Change |
Edit a user account | SAP CUA Modify User |
Change a user's alias | SAP CUA Modify UserX |
Add a user account to an activity group (role) | SAP CUA Add Role |
Remove a user account from an activity group (role) | SAP CUA Remove Role |
Assign a profile to a user account | SAP CUA Add Profile |
Remove a profile from a user account | SAP CUA Remove Profile |
Table 1-7 lists the user attributes for which you can specify or modify values during provisioning operations.
Table 1-7 User Attributes for Provisioning
Process Form Field | SAP CUA Attribute | Description |
---|---|---|
Alias | USERALIAS | User alias |
Building | BUILDING_P | Building number |
Code | INITS_SIG | Code |
Communication Type | COMM_TYPE | Communication type |
Date Format | DATFM | Date format |
Decimal Notation | DCPFM | Decimal notation |
Department | DEPARTMENT | Department |
Email Address | E_MAIL | E-mail address. Note: In SAP 4.7 or later, you can enter only English letters in the E-mail Address field. |
Extension | TEL1_EXT | Extension for the telephone number |
Fax Number | FAX_NUMBER | Fax number |
First Name | FIRSTNAME | First name |
Floor | FLOOR_P | Floor number |
Function | FUNCTION | Function |
Lang Comm | LANGU_P | Communication language |
Lang Logon | LANGU | Logon language |
Last Name | LASTNAME | Last name |
Lock User | Lock User | Status (either Locked or Unlocked) of the user |
Room No | ROOM_NO_P | Room number |
Start Menu | START_MENU | Default menu displayed when the user logs in |
Telephone | TEL1_NUMBR | Telephone number |
Time Zone | TZONE | Time zone |
User Group | CLASS | Group to which the user is assigned |
User ID | USERNAME | Login ID |
Password | PASSWORD | Password. Note: When a user is created, the password is set only for the SAP CUA Master system, not for the SAP CUA Child system. You must ensure that the password specified during a provisioning operation adheres to the password policies set on the target system. Otherwise, you might encounter the following error: SAP.PASSWORD_CHANGE_ERROR |
User Profile | PROFILE | Multivalue attribute for profiles |
User Role | AGR_NAME | Multivalue attribute for roles |
User Title | TITLE_P | Title |
Xellerate Type | USTYP | Type of user |
The following is the organization of information in the rest of this guide:
Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
Chapter 4, "Extending the Functionality of the Connector" describes the procedures to perform if you want to extend the functionality of the connector.
Chapter 5, "Known Issues" lists known issues associated with this release of the connector.
Chapter 6, "Testing and Troubleshooting" describes procedures to test and troubleshoot the connector.