1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use SAP User Management Engine as a managed (target) resource of Oracle Identity Manager.

Note:

At some places in this guide, SAP User Management Engine has been referred to as the target system.

In the account management (target resource) mode of the connector, data about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. This data is used to provision (allocate) new resources or update resources already assigned to OIM Users. In addition, you can use Oracle Identity Manager to provision or update SAP User Management Engine resources assigned to OIM Users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to target system accounts.

This chapter contains the following sections:

1.1 Certified Components

Table 1-1 lists certified components for the connector.

Table 1-1 Certified Components

Component: Oracle Identity Manager
  Requirement: Oracle Identity Manager release 9.1.0.2 BP 04 or later. See the following Oracle Technology Network Web page for information about certified components of Oracle Identity Manager:
  http://www.oracle.com/technology/software/products/ias/files/idm_certification_101401.html

Component: JDK
  Requirement: JDK 1.5 or later

Component: Target system
  Requirement: SAP User Management Engine running on SAP NetWeaver '04 SPS 14 or SAP NetWeaver 7.0 SPS 05

Component: SAP GRC Compliant User Provisioning
  Requirement: You must configure the Compliant User Provisioning module included in SAP GRC versions 5.2 SP4 or later and 5.3 SP5 or later.

Component: External code
  Requirement: The connector uses OpenSPML Toolkit 2.0 (openspml2-toolkit.jar). See Section 2.1.1.4, "Copying OpenSPML Toolkit 2.0" for more information about addressing this requirement.


1.2 Certified Languages

This release of the connector supports the English locale.

1.3 Connector Architecture

The connector sets up Oracle Identity Manager as the front end for sending account creation or modification requests to applications that use the data source linked with SAP User Management Engine. These requests are processed and then forwarded by the Compliant User Provisioning module of SAP GRC.

Account data added or modified through provisioning operations performed directly on the data source can be reconciled into Oracle Identity Manager through SAP User Management Engine.

Figure 1-1 shows the connector integrating SAP User Management Engine with Oracle Identity Manager.

Figure 1-1 Connector Integrating SAP User Management Engine with Oracle Identity Manager


As shown in the figure, SAP User Management Engine is configured as the management tool for user data stored on a data source, which is either the ABAP module or an LDAP-based solution. User data changes made through the SAP User Management Engine UI are reflected on the SAP applications that use the data source or on the UI of the LDAP-based solution.

By deploying the connector, you configure SAP User Management Engine as a target resource of Oracle Identity Manager.

Provisioning requests sent from Oracle Identity Manager are routed through SAP GRC to the application or system that uses the data source linked with SAP User Management Engine. User data changes resulting from the provisioning requests can be viewed through the SAP User Management Engine UI. Reconciliation is performed directly from SAP User Management Engine.

1.3.1 Provisioning Process

During provisioning, adapters carry provisioning data submitted through the process form to the target system. The Compliant User Provisioning module of SAP GRC accepts provisioning data from the adapters, creates requests, and then forwards the requests to the application or system that forms the front end of the SAP User Management Engine data source.

In Compliant User Provisioning, workflows for processing these requests can be configured and users designated as approvers act upon these requests.

Reconciliation does not involve the Compliant User Provisioning module. Scheduled tasks on Oracle Identity Manager fetch data from the target system to Oracle Identity Manager.

The following is the detailed sequence of steps performed during a provisioning operation:

  1. The provisioning operation is initiated through direct provisioning and access policy changes.

  2. The connector sends requests and receives responses through the following Web services of SAP GRC:

    • SAPGRC_AC_IDM_SUBMITREQUEST: This Web service is used to submit requests.

    • SAPGRC_AC_IDM_REQUESTSTATUS: This Web service is used to fetch request statuses.

    • SAPGRC_AC_IDM_AUDITTRAIL: This Web service is used to check if there are error messages in the SAP GRC Compliant User Provisioning logs.

    The process form holds fields for both SAP User Management Engine and Compliant User Provisioning. However, for a Create User operation, only the Compliant User Provisioning fields (attributes) on the process form are used. Mappings for these fields are stored in the Lookup.SAP.CUP.ProvisionAttrMap and Lookup.SAP.CUP.ProvisionRoleAttrMap lookup definitions. If you specify values for any attribute that is not present in these lookup definitions, then the connector ignores those attributes during the Create User operation.

    Note:

    SAP GRC Compliant User Provisioning does not process passwords. During Create User provisioning operations, any value entered in the Password field is directly propagated to SAP User Management Engine.

    See Section 3.7, "Guidelines on Performing Provisioning" for information about setting passwords when you configure Compliant User Provisioning.

    For a Modify User operation, a request is created only for attributes whose mappings are present in these lookup definitions. If you specify values for attributes that are not present in these lookup definitions, then the connector directly ignores those attributes.

  3. When the request is created on SAP GRC Compliant User Provisioning, data sent back by Compliant User Provisioning is stored in the following read-only fields in Oracle Identity Manager:

    • Request ID: This field holds the request ID that is generated on SAP GRC Compliant User Provisioning. The request ID does not change during the lifetime of the request.

    • Request Status: This field holds the status of the request on SAP GRC Compliant User Provisioning. You configure and run the SAP CUP Status Update Recon scheduled task to fetch the latest status of the request from the target system. Section 3.5.3.3, "SAP CUP Status Update Recon" describes this scheduled task.

  4. The request is passed through the workflow defined in SAP GRC Compliant User Provisioning. The outcome is one of the following:

    • If Compliant User Provisioning clears the request, then the outcome is the creation or modification of a user's account on the target system. The status of the request is set to Closed and a message is recorded in the Oracle Identity Manager logs.

    • If Compliant User Provisioning rejects the provisioning request, then the status of the request is set to Reject and a message is recorded in the Oracle Identity Manager logs.

    • If an error occurs during communication between Compliant User Provisioning and the target system, then the request remains in the Open state. A message stating that the operation has failed is recorded in the audit log associated with the request. An error message is displayed on the console.

1.3.2 Reconciliation Process

SAP NetWeaver AS Java offers an SPML 1.0 compliant interface to manage users, groups, and roles in SAP User Management Engine over a network. The scheduled task provided by the connector acts as the SPML client to send SPML requests to the SPML service in this application server.

During reconciliation, a scheduled task establishes a connection with the SPML service. Reconciliation criteria are sent through SPML requests to this SPML service. The SPML service processes the requests and returns SPML responses containing user records that match the reconciliation criteria. The scheduled task brings these records to Oracle Identity Manager.

Each record fetched from the target system is compared with SAP User Management Engine resources that are already provisioned to OIM Users. If a match is found, then the update made to the record is copied to the SAP User Management Engine resource in Oracle Identity Manager. If no match is found, then the user ID of the record is compared with the user ID of each OIM User. If a match is found, then data in the target system record is used to provision an SAP User Management Engine resource to the OIM User.

The process form holds attributes for both SAP User Management Engine and Compliant User Provisioning. However, only the SAP User Management Engine fields (attributes) on the process form are used for reconciliation. Mappings for these fields are stored in the Lookup.SAP.UME.ReconAttrMap and Lookup.SAP.UME.ReconChildAttrMap lookup definitions.

1.4 Features of the Connector

The following are features of the connector:

1.4.1 Routing of Provisioning Requests Through SAP GRC Compliant User Provisioning

Provisioning requests generated on Oracle Identity Manager are routed through SAP GRC Compliant User Provisioning. See Section 1.3.1, "Provisioning Process" for detailed information about this feature.

1.4.2 Full Reconciliation

Note:

The SPML UME API does not return records for which the Last Modified Date value is greater than a specified date. Therefore, the connector cannot support incremental reconciliation. This point is also mentioned in Section 5.2, "Connector Limitations Related to Features of the Target System."

In full reconciliation, all records are fetched from the target system to Oracle Identity Manager. The list of characters that are valid in SAP logon names is stored in the Lookup.SAP.UME.FullReconFilter lookup definition. During reconciliation, a first SPML request is sent to the target system to fetch the user IDs that start with these characters, and a second SPML request is sent to fetch the details of those users.

During full reconciliation, a single reconciliation event is generated for each target system account.

1.4.3 Limited (Filtered) Reconciliation

To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.

See Section 3.5.2, "Limited Reconciliation" for more information.

1.4.4 Enabling and Disabling Accounts

Valid From and Valid Through are two user attributes on the target system. For a particular user in SAP, if the Valid Through date is earlier than the current date, then the account is in the Disabled state. Otherwise, the account is in the Enabled state. The same behavior is reproduced in Oracle Identity Manager through reconciliation. In addition, you can set the Valid Through date to the current date or to a date in the past through a provisioning operation.

Note:

The Enabled or Disabled state of an account is not related to the Locked or Unlocked status of the account.

1.4.5 Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations

You can specify a list of accounts that must be excluded from all reconciliation and provisioning operations. Accounts whose user IDs you specify in the exclusion list are not affected by reconciliation and provisioning operations.

See Section 2.3.5, "Setting Up the Lookup.SAP.UME.ExclusionList Lookup Definition" for more information.

1.4.6 Transformation and Validation of Account Data

You can configure validation of account data that is brought into or sent from Oracle Identity Manager during reconciliation and provisioning. In addition, you can configure transformation of account data that is brought into Oracle Identity Manager during reconciliation. The following sections provide more information:

1.5 Lookup Definitions Used During Connector Operations

Lookup definitions used during connector operations can be categorized as follows:

1.5.1 Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Role lookup field to select a role from the list of roles defined on the target system. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

Note:

The target system allows you to use special characters in lookup fields. However, in Oracle Identity Manager, special characters are not supported in lookup definitions.

The Lookup.SAP.UME.LookupMappings lookup definition maps each synchronized lookup definition to the data source on the target system from which its values must be fetched. The Code Key column of this lookup definition contains the names of the lookup definitions that are synchronized with the target system. The Decode column contains the data source name.

Table 1-2 lists the entries in these lookup definitions. The Decode column holds a list of parameters required to fetch values from each lookup field on the target system.

Table 1-2 Entries in the Lookup.SAP.UME.LookupMappings Lookup Definition

Code Key                 Decode
Lookup.SAP.UME.Roles     saprole
Lookup.SAP.UME.Groups    sapgroup

The following is the format of entries in the lookup definitions listed in this table:

  • Code Key format: IT_RESOURCE_KEY~LOOKUP_FIELD_ID

    In this format:

    • IT_RESOURCE_KEY is the numeric code assigned to the IT resource in Oracle Identity Manager.

    • LOOKUP_FIELD_ID is the target system code assigned to the lookup field entry.

    Sample value: 1~SAP_EHS_SAF_UTIL

  • Decode format: IT_RESOURCE_NAME~LOOKUP_FIELD_ENTRY

    In this format:

    • IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Manager.

    • LOOKUP_FIELD_ENTRY is the value or description of the lookup field entry on the target system.

    Sample value: SAP UME IT Resource~Tools

The SAP UME Lookup Recon scheduled task is used to synchronize values of these lookup definitions with the target system. Section 3.2, "Scheduled Task for Lookup Field Synchronization" provides more information about this scheduled task.

While performing a provisioning operation on the Administrative and User Console, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select.

During lookup field synchronization, new entries are appended to the existing set of entries in the lookup definitions. Because the IT resource key is part of each entry created in each lookup definition, only lookup field entries that are specific to the IT resource you select during a provisioning operation are displayed.
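The following Python is an added example, not code from the connector or from this guide. It models the Code Key and Decode entry format described above (IT_RESOURCE_KEY~LOOKUP_FIELD_ID and IT_RESOURCE_NAME~LOOKUP_FIELD_ENTRY), the append-only synchronization of entries from several IT resources, and the per-IT-resource filtering that the provisioning form relies on. The dictionary layout of the lookup and all IT resource names and role values are constructed for the example.

```python
from dataclasses import dataclass

SEP = "~"  # separator used in both the Code Key and the Decode value


@dataclass(frozen=True)
class LookupEntry:
    """One synchronized entry, split into the four parts named in the guide."""
    it_resource_key: int      # IT_RESOURCE_KEY: numeric code of the IT resource in OIM
    lookup_field_id: str      # LOOKUP_FIELD_ID: target system code of the entry
    it_resource_name: str     # IT_RESOURCE_NAME: name of the IT resource in OIM
    lookup_field_entry: str   # LOOKUP_FIELD_ENTRY: value or description on the target

    @property
    def code_key(self) -> str:
        return f"{self.it_resource_key}{SEP}{self.lookup_field_id}"

    @property
    def decode(self) -> str:
        return f"{self.it_resource_name}{SEP}{self.lookup_field_entry}"


def parse_entry(code_key: str, decode: str) -> LookupEntry:
    """Parse one row (Code Key, Decode) of a synchronized lookup definition.

    Only the first '~' on each side is a separator, so a '~' inside a role
    description on the target system does not corrupt the row."""
    key_part, sep, field_id = code_key.partition(SEP)
    if not sep or not key_part.isdigit() or not field_id:
        raise ValueError(f"malformed Code Key: {code_key!r}")
    res_name, sep, entry = decode.partition(SEP)
    if not sep or not res_name:
        raise ValueError(f"malformed Decode: {decode!r}")
    return LookupEntry(int(key_part), field_id, res_name, entry)


def synchronize(lookup: dict, it_resource_key: int, it_resource_name: str,
                target_values: dict) -> dict:
    """Copy additions or changes fetched from one target system installation.

    The lookup is modelled as {Code Key: Decode}. Because the IT resource key is
    part of every Code Key, the same target system field ID can exist once per
    IT resource; entries of other IT resources are left untouched."""
    updated = dict(lookup)
    for field_id, description in target_values.items():
        e = LookupEntry(it_resource_key, field_id, it_resource_name, description)
        updated[e.code_key] = e.decode
    return updated


def entries_for_it_resource(lookup: dict, it_resource_key: int) -> dict:
    """Values the lookup field shows once an IT resource is selected on the form."""
    return {e.lookup_field_id: e.lookup_field_entry
            for e in (parse_entry(ck, dec) for ck, dec in lookup.items())
            if e.it_resource_key == it_resource_key}
```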

1.5.2 Preconfigured Lookup Definitions

Table 1-3 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or require you to enter values manually after the connector is deployed.

Table 1-3 Preconfigured Lookup Definitions

Lookup.SAP.CUP.Configuration
  Description of values: This lookup definition holds connector configuration entries that are used during reconciliation and provisioning by the Compliant User Provisioning feature.
  Method to specify values: Section 2.3.7.4, "Setting Values in the Lookup.SAP.CUP.Configuration Lookup Definition" describes the entries for which you must set values.

Lookup.SAP.CUP.Constants
  Description of values: This lookup definition stores values that are used internally by the Compliant User Provisioning feature of the connector. The connector development team can use this lookup definition to make minor configuration changes in the connector.
  Method to specify values: You must not modify the entries in this lookup definition.

Lookup.SAP.CUP.ProvisionAttrMap
  Description of values: This lookup definition holds mappings between process form fields and single-valued attributes on SAP GRC Compliant User Provisioning.
  Method to specify values: This lookup definition is preconfigured. Table 1-8 lists the default entries in this lookup definition.

Lookup.SAP.CUP.ProvisionRoleAttrMap
  Description of values: This lookup definition holds mappings between process form fields and multivalued attributes on SAP GRC Compliant User Provisioning.
  Method to specify values: This lookup definition is preconfigured. Table 1-9 lists the default entries in this lookup definition.

Lookup.SAP.UME.Configuration
  Description of values: This lookup definition holds connector configuration entries that are used during reconciliation and provisioning.
  Method to specify values: Some of the entries in this lookup definition are preconfigured. See Section 2.3.1, "Setting Values in the Lookup.SAP.UME.Configuration Lookup Definition" for information about the entries for which you can set values.

Lookup.SAP.UME.Constants
  Description of values: This lookup definition stores values that are used internally by the connector. The connector development team can use this lookup definition to make minor configuration changes in the connector.
  Method to specify values: You must not modify the entries in this lookup definition.

Lookup.SAP.UME.ExclusionList
  Description of values: This lookup definition holds user IDs of target system accounts for which you do not want to perform reconciliation and provisioning.
  Method to specify values: You can enter user IDs in this lookup definition. See Section 2.3.5, "Setting Up the Lookup.SAP.UME.ExclusionList Lookup Definition" for more information.

Lookup.SAP.UME.FullReconFilter
  Description of values: This lookup definition contains the list of characters that can be used in the logon name of an SAP User Management Engine account.
  Method to specify values: This lookup definition is preconfigured. You must not modify the entries in this lookup definition.

Lookup.SAP.UME.LookupMappings
  Description of values: This lookup definition holds data required to synchronize other lookup definitions with the target system.
  Method to specify values: This lookup definition is preconfigured. You must not modify the entries in this lookup definition.

Lookup.SAP.UME.ReconAttrMap
  Description of values: This lookup definition holds mappings between resource object fields and single-valued target system attributes.
  Method to specify values: This lookup definition is preconfigured. Table 1-4 lists the default entries in this lookup definition.

Lookup.SAP.UME.ReconChildAttrMap
  Description of values: This lookup definition holds mappings between resource object fields and multivalued target system attributes.
  Method to specify values: This lookup definition is preconfigured. Table 1-5 lists the default entries in this lookup definition.

Lookup.SAP.UME.ReconTransformation
  Description of values: This lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation.
  Method to specify values: You manually create entries in this lookup definition. See Section 4.2, "Configuring Transformation of Data During User Reconciliation" for more information.

Lookup.SAP.UME.ReconValidation
  Description of values: This lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation.
  Method to specify values: You manually create entries in this lookup definition. See Section 4.1, "Configuring Validation of Data During Reconciliation and Provisioning" for more information.

Lookup.SAP.UME.System
  Description of values: This lookup definition holds the system IDs of the applications that use the data source with which SAP User Management Engine is linked.
  Method to specify values: You manually create entries in this lookup definition. See Section 2.3.6, "Setting Up the Lookup.SAP.UME.System Lookup Definition" for more information.


1.6 Connector Objects Used During Reconciliation

The SAP UME User Recon scheduled task is used to initiate a reconciliation run. This scheduled task is discussed in Section 3.5.3, "Reconciliation Scheduled Tasks".

See Also:

The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about reconciliation

This section discusses the following topics:

1.6.1 User Attributes for Reconciliation

The Lookup.SAP.UME.ReconAttrMap lookup definition maps process form fields and target system attributes. The Code Key column stores the names of attributes in the SPML schema and the Decode column stores the labels of the process form fields.

Table 1-4 lists entries in this lookup definition.

Table 1-4 Entries in the Lookup.SAP.UME.ReconAttrMap Lookup Definition

Target System Attribute    Process Form Label
email                      E Mail
salutation                 Salutation
title                      Title
jobtitle                   Job Title
mobile                     Mobile
telephone                  Telephone Number
fax                        Fax Number
locale                     Locale
timezone                   Time Zone
department                 Department
logonname                  User ID
firstname                  First Name
lastname                   Last Name
validto                    Valid Through
validfrom                  Valid From

The Lookup.SAP.UME.ReconChildAttrMap lookup definition maps resource object fields and multivalued target system attributes. The Code Key column stores the names of attributes in the SPML schema, and the Decode column stores the names of reconciliation fields in the resource object.

Table 1-5 lists entries in this lookup definition.

Table 1-5 Entries in the Lookup.SAP.UME.ReconChildAttrMap Lookup Definition

Target System Attribute    Reconciliation Field
assignedroles              RoleName
assignedgroups             GroupName

1.6.2 Reconciliation Rules

See Also:

Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules

The following sections provide information about the reconciliation rules for this connector:

1.6.2.1 Reconciliation Rule

The following is the process-matching rule:

Rule name: SAP UME Recon Rule

Rule element: User Login Equals User ID

In this rule element:

  • User Login is the User ID field of the OIM User form.

  • User ID is the user ID of the SAP account.

1.6.2.2 Viewing Reconciliation Rules in the Design Console

After you deploy the connector, you can view the reconciliation rule by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for and open the SAP UME Recon Rule rule. Figure 1-2 shows this reconciliation rule.

    Figure 1-2 Reconciliation Rule


1.6.3 Reconciliation Action Rules

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.

The following sections provide information about the reconciliation action rules for this connector:

1.6.3.1 Reconciliation Action Rules for Reconciliation

Table 1-6 lists the action rules for reconciliation.

Table 1-6 Action Rules for Reconciliation

Rule Condition              Action
No Matches Found            Assign to Administrator With Least Load
One Entity Match Found      Establish Link
One Process Match Found     Establish Link

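The following Python is an added example, not code from the connector or from this guide. It applies, to constructed records, the matching logic of Section 1.3.2 (compare the record with already provisioned resources, then match User Login against the SAP user ID), the Enabled/Disabled derivation from Valid Through in Section 1.4.4, the exclusion list of Section 1.4.5, and the action rules in Table 1-6. The record layout, the in-memory stores and an exact, case-sensitive comparison for the matching rule are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class TargetRecord:
    """One user record returned by the SPML service (layout is an assumption)."""
    logonname: str                  # maps to the User ID process form label
    valid_to: Optional[date]        # Valid Through; None means no date is set
    attrs: dict = field(default_factory=dict)


def account_status(rec: TargetRecord, today: date) -> str:
    """Section 1.4.4: Valid Through earlier than the current date means Disabled,
    otherwise Enabled. This is independent of the Locked/Unlocked status."""
    if rec.valid_to is not None and rec.valid_to < today:
        return "Disabled"
    return "Enabled"


def reconcile_record(rec, provisioned, oim_users, exclusion_list, today):
    """Classify one record and return (rule condition, action) as in Table 1-6.

    provisioned: {user ID: resource data} for SAP UME resources already linked
    to OIM Users (updated in place); oim_users: set of OIM User Login values;
    exclusion_list: user IDs from Lookup.SAP.UME.ExclusionList."""
    if rec.logonname in exclusion_list:
        # Section 1.4.5: excluded accounts are not affected by reconciliation.
        return ("Excluded", "Not reconciled")
    data = dict(rec.attrs)
    data["User ID"] = rec.logonname
    data["Status"] = account_status(rec, today)
    if rec.logonname in provisioned:
        # Already provisioned: copy the target system update onto the resource.
        provisioned[rec.logonname].update(data)
        return ("One Process Match Found", "Establish Link")
    if rec.logonname in oim_users:
        # SAP UME Recon Rule: User Login Equals User ID (exact match assumed).
        provisioned[rec.logonname] = data
        return ("One Entity Match Found", "Establish Link")
    # No OIM User owns this account: left for an administrator to review.
    return ("No Matches Found", "Assign to Administrator With Least Load")


def reconcile_all(records, provisioned, oim_users, exclusion_list, today):
    """Full reconciliation (Section 1.4.2): one outcome per target system account."""
    return {r.logonname: reconcile_record(r, provisioned, oim_users,
                                          exclusion_list, today) for r in records}


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    today = date(2024, 6, 1)
    records = [
        TargetRecord("jdoe", date(2030, 1, 1), {"E Mail": "jdoe@example.com"}),
        TargetRecord("asmith", date(2023, 1, 1)),   # expired: reconciled as Disabled
        TargetRecord("orphan1", None),              # no OIM User with this login
        TargetRecord("svc_admin", None),            # listed in the exclusion list
    ]
    provisioned = {"jdoe": {"User ID": "jdoe", "Status": "Enabled"}}
    outcomes = reconcile_all(records, provisioned, {"jdoe", "asmith"},
                             {"svc_admin"}, today)
    for uid, outcome in outcomes.items():
        print(uid, outcome)
```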
1.6.3.2 Viewing Reconciliation Action Rules in the Design Console

After you deploy the connector, you can view the reconciliation action rules by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management, and double-click Resource Objects.

  3. If you want to view the reconciliation action rules for reconciliation, then search for and open the SAP UME Resource Object resource object.

  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rules for reconciliation.

    Figure 1-3 Reconciliation Action Rules


1.7 Connector Objects Used During Provisioning

Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.

See Also:

The "Provisioning" section in Oracle Identity Manager Connector Concepts for conceptual information about provisioning

This section discusses the following topics:

1.7.1 User Provisioning Functions

Table 1-7 lists the supported user provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single or multiple process tasks.

See Also:

Oracle Identity Manager Connector Concepts for generic information about process tasks and adapters

Table 1-7 User Provisioning Functions

Function                                                             Adapter
Create a user account                                                UME Create User
Update a user account                                                UME Modify User
Delete a user account                                                UME Delete User
Lock or unlock a user account                                        UME Lock UnLock User
Enable a user account                                                UME Enable User
Disable a user account                                               UME Disable User
Change the password of an account                                    UME Modify Password
Add (provision) a multivalued attribute (for example, role or group) UME Add Multivalue Data
Remove (revoke) a multivalued attribute (for example, role or group) UME Remove Multivalue Data
Update a multivalued attribute (for example, role or group)          UME Update Multivalue Data

1.7.2 User Attributes for Provisioning

In the Compliant User Provisioning feature, the Lookup.SAP.CUP.ProvAttrMap lookup definition maps process form fields with single-valued attributes in SAP GRC Compliant User Provisioning. Table 1-8 lists entries in this lookup definition.

Table 1-8 Entries in the Lookup.SAP.CUP.ProvAttrMap Lookup Definition

Process Form Field          Target System Attribute
CUP Requestor ID            requestorId;TEXT;STANDARD;NONE;MANDATORY
CUP Requestor First Name    requestorFirstName;TEXT;STANDARD;NONE;MANDATORY
CUP Requestor Last Name     requestorLastName;TEXT;STANDARD;NONE;MANDATORY
CUP Requestor Email         requestorEmailAddress;TEXT;STANDARD;NONE;MANDATORY
E Mail                      emailAddress;TEXT;STANDARD;E_MAIL;MANDATORY
First Name                  firstName;TEXT;STANDARD;FIRSTNAME;MANDATORY
Last Name                   lastName;TEXT;STANDARD;LASTNAME;MANDATORY
User ID                     userId;TEXT;STANDARD;NONE;MANDATORY
Valid From                  validFrom;DATE;STANDARD;GLTGV;NONE
Valid Through               validTo;DATE;STANDARD;GLTGB;MANDATORY


In the Compliant User Provisioning feature, the Lookup.SAP.CUP.ProvisionRoleAttrMap lookup definition maps process form fields with multivalued attributes (roles and profiles) in SAP GRC Compliant User Provisioning. Table 1-9 lists entries in this lookup definition.

Table 1-9 Entries in the Lookup.SAP.CUP.ProvisionRoleAttrMap Lookup Definition

Process Form Field    Target System Attribute
Role Name             roleId;LOOKUP
Group Name            roleId;LOOKUP

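The following Python is an added example, not code from the connector or from this guide. It parses the semicolon-separated Decode format of Tables 1-8 and 1-9 and builds the attribute set that a Create User or Modify User request would carry, applying the rule from Section 1.3.1: only process form fields that have a mapping in these lookup definitions are sent, and any other field is ignored. The Password field ends up ignored for the same reason, which matches the note that Compliant User Provisioning does not process passwords. Assumptions: the third and fourth Decode positions (for example STANDARD and GLTGB) are not explained on this page and are carried through unchanged, MANDATORY is enforced only for a Create User request, and all form data is constructed.

```python
from dataclasses import dataclass, field

# Decode values copied from Tables 1-8 and 1-9 of the guide.
PROV_ATTR_MAP = {
    "CUP Requestor ID": "requestorId;TEXT;STANDARD;NONE;MANDATORY",
    "CUP Requestor First Name": "requestorFirstName;TEXT;STANDARD;NONE;MANDATORY",
    "CUP Requestor Last Name": "requestorLastName;TEXT;STANDARD;NONE;MANDATORY",
    "CUP Requestor Email": "requestorEmailAddress;TEXT;STANDARD;NONE;MANDATORY",
    "E Mail": "emailAddress;TEXT;STANDARD;E_MAIL;MANDATORY",
    "First Name": "firstName;TEXT;STANDARD;FIRSTNAME;MANDATORY",
    "Last Name": "lastName;TEXT;STANDARD;LASTNAME;MANDATORY",
    "User ID": "userId;TEXT;STANDARD;NONE;MANDATORY",
    "Valid From": "validFrom;DATE;STANDARD;GLTGV;NONE",
    "Valid Through": "validTo;DATE;STANDARD;GLTGB;MANDATORY",
}
PROV_ROLE_ATTR_MAP = {"Role Name": "roleId;LOOKUP", "Group Name": "roleId;LOOKUP"}


@dataclass(frozen=True)
class AttrMapping:
    cup_attribute: str   # attribute name on SAP GRC Compliant User Provisioning
    data_type: str       # TEXT, DATE or LOOKUP
    extra: tuple         # third and fourth positions, undocumented here, kept as-is
    mandatory: bool      # fifth position is MANDATORY or NONE


def parse_decode(decode: str) -> AttrMapping:
    """Split a Decode value into its ';'-separated positions."""
    parts = decode.split(";")
    if len(parts) == 2 and parts[1] == "LOOKUP":
        return AttrMapping(parts[0], "LOOKUP", (), False)
    if len(parts) == 5:
        return AttrMapping(parts[0], parts[1], (parts[2], parts[3]),
                           parts[4] == "MANDATORY")
    raise ValueError(f"unexpected Decode format: {decode!r}")


@dataclass
class CupRequest:
    attributes: dict = field(default_factory=dict)  # single-valued attributes for CUP
    roles: list = field(default_factory=list)       # multivalued roleId entries
    ignored: list = field(default_factory=list)     # form fields with no CUP mapping


def build_cup_request(form: dict, operation: str) -> CupRequest:
    """Map process form data {label: value} to the attributes a CUP request carries.

    operation is 'create' or 'modify'. Labels absent from both lookup definitions
    are ignored (Section 1.3.1, step 2). 'Password' is therefore never part of the
    CUP request; the connector passes it to SAP User Management Engine directly."""
    req = CupRequest()
    for label, value in form.items():
        if label in PROV_ATTR_MAP:
            req.attributes[parse_decode(PROV_ATTR_MAP[label]).cup_attribute] = value
        elif label in PROV_ROLE_ATTR_MAP:
            names = value if isinstance(value, (list, tuple)) else [value]
            key = parse_decode(PROV_ROLE_ATTR_MAP[label]).cup_attribute
            req.roles.extend({key: n} for n in names)
        else:
            req.ignored.append(label)
    if operation == "create":
        # Assumption: MANDATORY is checked for Create User only; a Modify User
        # request carries just the mapped fields that were supplied.
        missing = [label for label, dec in PROV_ATTR_MAP.items()
                   if parse_decode(dec).mandatory and label not in form]
        if missing:
            raise ValueError(f"Create User request lacks mandatory fields: {missing}")
    elif operation != "modify":
        raise ValueError(f"unknown operation: {operation!r}")
    return req
```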

1.8 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: