Oracle® Identity Manager Connector Guide for SAP User Management Release 9.1.0 Part Number E11212-02
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use SAP ERP Applications as a managed (target) resource of Oracle Identity Manager.
In the account management (target resource) mode of the connector, data about users created or modified directly on SAP ERP can be reconciled into Oracle Identity Manager. This data is used to provision (assign) resources or update resources already assigned to OIM Users. In addition, you can use Oracle Identity Manager to provision or update resources assigned to OIM Users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to the corresponding target system accounts.
Note:
At some places in this guide, SAP ERP is referred to as the target system.
This chapter contains the following sections:
Section 1.5, "Lookup Definitions Used During Connector Operations"
Section 1.8, "Roadmap for Deploying and Using the Connector"
Table 1-1 lists the certified components for the connector.
Table 1-1 Certified Components
Component | Requirement |
---|---|
Oracle Identity Manager | Oracle Identity Manager release 9.1.0.2 or later. Note: This release of the connector leverages features, such as SoD validation of entitlement provisioning, introduced in Oracle Identity Manager release 9.1.0.2. |
Target system | The target system can be any one of the following: |
SoD engine | If you want to enable and use the Segregation of Duties (SoD) feature of Oracle Identity Manager with this target system, then install the version of SAP GRC that is supported by Oracle Identity Manager. See Section 1.4.1, "SoD Validation of Entitlement Requests" for more information about the SoD feature. See Oracle Identity Manager Readme for Release 9.1.0.2 for information about the supported releases of SAP GRC. |
SAP custom code files | The following SAP custom code files: |
 | Note: You must verify that the Oracle Identity Manager and application server combination that you use supports JDK 1.5. This requirement is imposed by support for SAP JCo 3.0 from release 9.0.4.5 of the connector. SAP JCo 3.0 supports JDK 1.5 and later. See the following Oracle Technology Network Web site for information about certified components of Oracle Identity Manager: |
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
Oracle Identity Manager Globalization Guide for information about supported special characters
Figure 1-1 shows the architecture of the connector.
The adapters carry provisioning data submitted through the process form to the target system. Standard and custom BAPIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response to the adapters. The adapters return the response to Oracle Identity Manager.
Note:
This is the standard provisioning process. See Section 3.4, "Provisioning Operations Performed in an SoD-Enabled Environment" for detailed information about how provisioning takes place in an SoD-enabled environment.
During reconciliation, the scheduled task establishes a connection with the target system and sends reconciliation criteria to the custom BAPIs.
Note:
You deploy these custom BAPIs on the target system as part of the connector deployment procedure.
The custom BAPIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager. Each record is compared with SAP ERP resources that are already provisioned to OIM Users. If a match is found, then the update made to the SAP ERP record on the target system is copied to the SAP ERP resource in Oracle Identity Manager. If no match is found between a record from the target system and an existing SAP ERP resource, then the user ID of the record is compared with the user ID of each OIM User. If a match is found, then data in the target system record is used to provision an SAP ERP resource to the OIM User.
The following are features of the connector:
Starting from this release, the connector supports the SoD feature introduced in Oracle Identity Manager release 9.1.0.2. The following are the focal points of this software update:
The SoD Invocation Library (SIL) is bundled with Oracle Identity Manager release 9.1.0.2. The SIL acts as a pluggable integration interface with any SoD engine.
The SAP User Management connector is preconfigured to work with SAP GRC as the SoD engine. To enable this, changes have been made in the approval and provisioning workflows of the connector.
The SoD engine processes role and profile entitlement requests that are sent through the connector. This preventive simulation approach helps identify and correct potentially conflicting assignment of entitlements to a user, before the requested entitlements are granted to users.
See Also:
Oracle Identity Manager Tools Reference for Release 9.1.0.2 for detailed information about the SoD feature
Section 2.3.3, "Configuring SoD" in this guide
In full reconciliation, all person records are fetched from the target system to Oracle Identity Manager. In incremental reconciliation, only person records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.
A parameter of the IT resource is used as the time stamp at which a reconciliation run begins. If that parameter is set to 0, then full reconciliation is performed. If that parameter holds a non-zero value, then incremental reconciliation is performed.
As mentioned earlier in this chapter, you can switch from incremental to full reconciliation at any time.
To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.
See Section 3.2.2, "Limited Reconciliation vs. Regular Reconciliation" for more information.
You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.
See Section 3.2.3, "Batched Reconciliation" for more information.
You can configure SNC to secure communication between Oracle Identity Manager and the target system.
See Section 2.3.4, "Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System" for more information.
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Date Format lookup field to select a date format from the list of supported date formats. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
Note:
The target system allows you to use special characters in lookup fields. However, in Oracle Identity Manager, special characters are not supported in lookup definitions.
The Lookup.SAP.R3.LookupMappings lookup definition is used to map each lookup definition with the BAPI that is used to fetch values for the lookup definition from the target system.
The Code Key column of the Lookup.SAP.R3.LookupMappings lookup definition contains names of the lookup definitions that are synchronized with the target system. The Decode column contains the name and parameters of the corresponding BAPIs.
Table 1-2 lists the entries in the Lookup.SAP.R3.LookupMappings lookup definition.
Table 1-2 Entries in the Lookup.SAP.R3.LookupMappings Lookup Definition
Code Key | Decode |
---|---|
Lookup.SAP.R3.CommType | BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;COMM_TYPE;COMM_TYPE;COMM_TEXT |
Lookup.SAP.R3.DateFormat | BAPI_HELPVALUES_GET;GETDETAIL;DEFAULTS;DATFM;_LOW;_TEXT |
Lookup.SAP.R3.DecimalNotation | BAPI_HELPVALUES_GET;GETDETAIL;DEFAULTS;DCPFM;_LOW;_TEXT |
Lookup.SAP.R3.LangComm | BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;LANGU_P;SPRAS;SPTXT |
Lookup.SAP.R3.TimeZone | BAPI_HELPVALUES_GET;CHANGE;ADDRESS;TIME_ZONE;TZONE;DESCRIPT |
Lookup.SAP.R3.UserGroups | BAPI_HELPVALUES_GET;GETDETAIL;GROUPS;USERGROUP;USERGROUP;TEXT |
Lookup.SAP.R3.UserTitle | BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;TITLE_P;TITLE_MEDI;TITLE_MEDI; |
Lookup.SAP.R3.Roles | BAPI_HELPVALUES_GET;GETDETAIL;ACTIVITYGROUPS;AGR_NAME;AGR_NAME;TEXT;AGR_COLL;AGR_SINGLE;SH |
Lookup.SAP.R3.Profiles | BAPI_HELPVALUES_GET;GETDETAIL;PROFILES;BAPIPROF;PROFN;PTEXT |
The following is the format of entries in the lookup definitions listed in the preceding table:
Code Key value: IT_RESOURCE_KEY~LOOKUP_FIELD_ID
In this format:
IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Manager.
LOOKUP_FIELD_ID is the target system code assigned to each lookup field entry.
Sample value: 1~PRT
Decode value: Description of the lookup field entry
Sample value: Printer
The SAP R3 Lookup Recon scheduled task is used to synchronize values of these lookup definitions with the target system. See Section 3.1, "Scheduled Task for Lookup Field Synchronization" for more information about this scheduled task.
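The following Python script is an added example, not code from the connector or from Oracle, showing how the two formats described above fit together: it splits a Decode value of Lookup.SAP.R3.LookupMappings into its semicolon-separated components, builds synchronized entries in the IT_RESOURCE_KEY~LOOKUP_FIELD_ID format, and reports entries that carry characters the guide's note says are unsupported in Oracle Identity Manager lookup definitions. The positional meaning it assigns to the Decode fields, the set of characters it treats as allowed, and the sample help values (other than the guide's own 1~PRT / Printer) are assumptions of the example.

```python
"""Added example (not the connector's own code): parse Lookup.SAP.R3.LookupMappings
Decode values and build synchronized lookup entries in the
IT_RESOURCE_KEY~LOOKUP_FIELD_ID format described in the guide."""
import string
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Decode values copied from Table 1-2 of the guide.
LOOKUP_MAPPINGS = {
    "Lookup.SAP.R3.CommType": "BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;COMM_TYPE;COMM_TYPE;COMM_TEXT",
    "Lookup.SAP.R3.DateFormat": "BAPI_HELPVALUES_GET;GETDETAIL;DEFAULTS;DATFM;_LOW;_TEXT",
    "Lookup.SAP.R3.UserTitle": "BAPI_HELPVALUES_GET;GETDETAIL;ADDRESS;TITLE_P;TITLE_MEDI;TITLE_MEDI;",
    "Lookup.SAP.R3.Roles": "BAPI_HELPVALUES_GET;GETDETAIL;ACTIVITYGROUPS;AGR_NAME;AGR_NAME;TEXT;AGR_COLL;AGR_SINGLE;SH",
}

CODE_KEY_SEPARATOR = "~"  # Code Key format: IT_RESOURCE_KEY~LOOKUP_FIELD_ID

# Assumption of this example: the guide says special characters are unsupported
# in lookup definitions but does not list them, so this set is a placeholder.
ALLOWED_CHARACTERS: Set[str] = set(string.ascii_letters + string.digits + " _-./")


@dataclass(frozen=True)
class BapiMapping:
    """One parsed Decode value. Reading the six leading fields as BAPI name,
    method, parameter, field, key column and text column is an assumption of
    this example; the guide calls them the BAPI's name and parameters."""
    bapi: str
    method: str
    parameter: str
    field: str
    key_column: str
    text_column: str
    extra: Tuple[str, ...]


def parse_mapping(decode: str) -> BapiMapping:
    """Split a semicolon-separated Decode value into its components."""
    parts = [p.strip() for p in decode.split(";")]
    # Lookup.SAP.R3.UserTitle ends with ';', which yields an empty trailing field.
    while parts and parts[-1] == "":
        parts.pop()
    if len(parts) < 6:
        raise ValueError(f"expected at least 6 fields, got {len(parts)}: {decode!r}")
    return BapiMapping(*parts[:6], extra=tuple(parts[6:]))


def build_lookup_entries(it_resource_key: int,
                         help_values: List[Tuple[str, str]]) -> Dict[str, str]:
    """Turn (LOOKUP_FIELD_ID, description) pairs fetched for one IT resource
    into {Code Key: Decode} entries, refusing empty or duplicate keys."""
    entries: Dict[str, str] = {}
    for field_id, description in help_values:
        if not field_id or CODE_KEY_SEPARATOR in field_id:
            raise ValueError(f"invalid lookup field id {field_id!r}")
        code_key = f"{it_resource_key}{CODE_KEY_SEPARATOR}{field_id}"
        if code_key in entries:
            raise ValueError(f"duplicate Code Key {code_key}")
        entries[code_key] = description
    return entries


def split_code_key(code_key: str) -> Tuple[int, str]:
    """Recover (IT_RESOURCE_KEY, LOOKUP_FIELD_ID) from a Code Key such as '1~PRT'."""
    resource_key, sep, field_id = code_key.partition(CODE_KEY_SEPARATOR)
    if not sep or not resource_key.isdigit() or not field_id:
        raise ValueError(f"malformed Code Key {code_key!r}")
    return int(resource_key), field_id


def find_unsupported_characters(entries: Dict[str, str]) -> Dict[str, Set[str]]:
    """Report entries whose field ID or description contains characters outside
    ALLOWED_CHARACTERS, so they can be reviewed before the synchronized values
    are relied on in provisioning."""
    report: Dict[str, Set[str]] = {}
    for code_key, decode in entries.items():
        _, field_id = split_code_key(code_key)
        bad = {c for c in field_id + decode if c not in ALLOWED_CHARACTERS}
        if bad:
            report[code_key] = bad
    return report


# Constructed sample help values for the CommType lookup, not real output of
# BAPI_HELPVALUES_GET. "1~PRT" -> "Printer" matches the guide's sample entry.
SAMPLE_HELP_VALUES = [("PRT", "Printer"), ("INT", "E-Mail"), ("FAX", "Fax"), ("TLX", "Télex")]


def run_sample() -> Dict[str, str]:
    mapping = parse_mapping(LOOKUP_MAPPINGS["Lookup.SAP.R3.CommType"])
    print(f"{mapping.bapi}: key column {mapping.key_column}, text column {mapping.text_column}")
    entries = build_lookup_entries(1, SAMPLE_HELP_VALUES)
    for code_key, chars in find_unsupported_characters(entries).items():
        print(f"review {code_key}: unsupported characters {sorted(chars)}")
    return entries


if __name__ == "__main__":
    run_sample()
```

The trailing semicolon in the Lookup.SAP.R3.UserTitle entry and the three extra parameters in the Lookup.SAP.R3.Roles entry are the two irregularities in Table 1-2 that a parser has to tolerate; the sample flags 1~TLX because its description contains a non-ASCII letter.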
While performing a provisioning operation on the Administrative and User Console, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select.
Table 1-3 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.
Table 1-3 Other Lookup Definitions
Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition |
---|---|---|
Lookup.SAP.LockUnlock | This lookup definition is used to populate the Lock User list on the Admin and User Console. The following are the Code Key and Decode values in this lookup definition: | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.R3.BAPIKeys | Code Key: Resource object attribute name. Decode: Structure name in the corresponding BAPI. This lookup definition is used during linking of an SAP HRMS account with an SAP ERP account, for all attributes other than the UserAlias attribute. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.R3.BAPIXKeys | Code Key: Resource object attribute name. Decode: Structure name in the corresponding BAPI. This lookup definition is used during linking of an SAP HRMS account with an SAP ERP account, for only the UserAlias attribute. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.R3.Configuration | This lookup definition contains configuration values that are used during SoD validation. | This lookup definition is preconfigured. You can only set a value for the Risk Level entry. See Section 2.3.3.2, "Specifying Values for SoD-Related Entries in the Lookup.SAP.R3.Configuration Lookup Definition" for more information. |
Lookup.SAP.R3.FieldNames | Code Key: Resource object attribute name. Decode: Attribute name in the corresponding BAPI. This lookup definition is used during linking of an SAP HRMS account with an SAP ERP account, for all attributes other than the UserAlias attribute. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.R3.FieldNamesX | Code Key: Resource object attribute name. Decode: Attribute name in the corresponding BAPI. This lookup definition is used during linking of an SAP HRMS account with an SAP ERP account, for only the UserAlias attribute. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.R3.LookupMappings | Code Key: Names of lookup definitions to be synchronized with the target system. Decode: Name of the corresponding BAPI and parameters to be passed to the BAPI. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.R3.Systems | Both Code Key and Decode columns contain the system name of the SAP ERP installation. This lookup definition is used during SoD validation of entitlement requests. | You must enter the system name of the SAP ERP system in both Code Key and Decode columns. There can be only one entry in this lookup definition. |
Lookup.SAP.R3.RoleChildformMappings | Code Key: Dummy role child form attribute name. Decode: Corresponding actual role child form attribute name. This lookup definition is used during SoD validation of entitlement requests. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
Lookup.SAP.R3.ProfileChildformMappings | Code Key: Dummy profile child form attribute name. Decode: Corresponding actual profile child form attribute name. This lookup definition is used during SoD validation of entitlement requests. | This lookup definition is preconfigured. You must not change the entries in this lookup definition. |
The R3 Recon scheduled task is used to initiate a target resource reconciliation run. This scheduled task is discussed in Section 3.2.4, "Reconciliation Scheduled Task".
See Also:
The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation
This section discusses the following topics:
Table 1-4 lists the user attributes whose values are fetched during a target resource reconciliation run.
Table 1-4 User Attributes for Target Resource Reconciliation
Process Form Field | SAP ERP Attribute | Description |
---|---|---|
Alias | USERALIAS | User alias |
Building | BUILDING_P | Building number |
Code | INITS_SIG | Code |
CommType | COMM_TYPE | Communication type |
DateFormat | DATFM | Date format |
DecimalNotation | DCPFM | Decimal notation |
Department | DEPARTMENT | Department |
 | E_MAIL | E-mail address |
Extension | TEL1_EXT | Extension for the telephone number |
Fax | FAX_NUMBER | Fax number |
FirstName | FIRSTNAME | First name |
Floor | FLOOR_P | Floor number |
Function | FUNCTION | Function |
LangComm | LANGU_P | Communication language |
LangLogon | LANGU | Logon language |
LastName | LASTNAME | Last name |
LockUser | Lock User | Status (either Locked or Unlocked) of the user |
RoomNo | ROOM_NO_P | Room number |
TimeZone | TZONE | Time zone |
StartMenu | START_MENU | Default menu for the user |
Telephone | TEL1_NUMBR | Telephone number |
UserGroup | CLASS | Group to which the user is assigned |
UserId | USERNAME | Login ID |
UserProfile | BAPIPROF | Multivalued attribute for profiles |
UserRole | AGR_NAME | Multivalued attribute for roles |
UserTitle | TITLE_P | Title of the user |
Xellerate Type | USTYP | Type of user |
See Also:
Oracle Identity Manager Connector Concepts for generic information about reconciliation matching and action rules
The following sections provide information about the reconciliation rules for this connector:
Section 1.6.2.1, "Reconciliation Rule for Target Resource Reconciliation"
Section 1.6.2.2, "Viewing Reconciliation Rules in the Design Console"
The following is the process-matching rule:
Rule name: SAP R3 Recon Rule
Rule element: (SAP Linked User ID Equals UserId) or (User Login Equals UserId)
In the first element:
SAP Linked User ID is the field in SAP HRMS that holds the User ID of the linked SAP ERP account.
UserId is the User ID of the SAP ERP account in Oracle Identity Manager.
In the second element:
User Login is the User ID field of the OIM User form.
UserId is the User ID of the SAP ERP account.
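The following Python script is an added example, not code from the connector or from Oracle, that applies the SAP R3 Recon Rule above together with the two-stage matching described earlier in this chapter (first against SAP ERP resources already provisioned, then against OIM Users) to a set of constructed records. Exact, case-sensitive comparison of user IDs, the attribute-diff shape of an update, and taking no action when zero or several OIM Users match are assumptions of the example; the action rules themselves (Table 1-5) are not reproduced on this page.

```python
"""Added example (not the connector's own code): evaluate the SAP R3 Recon Rule
and the two-stage matching the guide describes for target resource
reconciliation, over constructed records."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TargetRecord:
    """A user record handed over by the custom BAPIs on the target system."""
    user_id: str                  # SAP USERNAME, i.e. UserId on the process form
    attributes: Dict[str, str]


@dataclass
class SapErpResource:
    """An SAP ERP resource already provisioned to an OIM User."""
    user_id: str
    owner_login: str              # User Login of the OIM User that owns it
    attributes: Dict[str, str]


@dataclass
class OimUser:
    user_login: str
    sap_linked_user_id: Optional[str] = None   # SAP Linked User ID (from SAP HRMS)


def rule_matches(record: TargetRecord, user: OimUser) -> bool:
    """SAP R3 Recon Rule: (SAP Linked User ID Equals UserId) or (User Login Equals UserId).
    Exact, case-sensitive comparison is an assumption of this example."""
    return record.user_id == user.sap_linked_user_id or record.user_id == user.user_login


def reconcile(records: List[TargetRecord], resources: List[SapErpResource],
              users: List[OimUser]) -> List[Dict[str, object]]:
    """Return one action per target record: update an existing resource,
    provision a new resource to the matched OIM User, or no action."""
    by_user_id = {r.user_id: r for r in resources}
    actions: List[Dict[str, object]] = []
    for rec in records:
        existing = by_user_id.get(rec.user_id)
        if existing is not None:
            # Stage 1: the record matches a provisioned resource, so copy the
            # changes made on the target system into that resource.
            changed = {k: v for k, v in rec.attributes.items() if existing.attributes.get(k) != v}
            existing.attributes.update(changed)
            actions.append({"user_id": rec.user_id, "action": "update", "changed": changed})
            continue
        # Stage 2: no resource matched, so compare the record with each OIM User.
        matched = [u for u in users if rule_matches(rec, u)]
        if len(matched) == 1:
            owner = matched[0].user_login
            by_user_id[rec.user_id] = SapErpResource(rec.user_id, owner, dict(rec.attributes))
            actions.append({"user_id": rec.user_id, "action": "provision", "owner": owner})
        else:
            # Zero or several OIM Users match. Taking no action is this example's
            # choice; such records are target accounts that no OIM User owns and
            # are therefore the ones worth reviewing after a run.
            reason = "no match" if not matched else "multiple users match"
            actions.append({"user_id": rec.user_id, "action": "no_action", "reason": reason})
    return actions


def run_sample() -> List[Dict[str, object]]:
    """Constructed sample data, not taken from any real SAP or OIM installation."""
    records = [
        TargetRecord("JDOE", {"FIRSTNAME": "John", "LASTNAME": "Doe", "CLASS": "FINANCE"}),
        TargetRecord("ASMITH", {"FIRSTNAME": "Anne", "LASTNAME": "Smith", "CLASS": "HR"}),
        TargetRecord("BLEE", {"FIRSTNAME": "Bo", "LASTNAME": "Lee", "CLASS": "IT"}),
        TargetRecord("MMULTI", {"FIRSTNAME": "Max", "LASTNAME": "Multi", "CLASS": "IT"}),
        TargetRecord("ZZZ01", {"FIRSTNAME": "Unknown", "LASTNAME": "Account", "CLASS": "SUPER"}),
    ]
    resources = [
        SapErpResource("JDOE", "jdoe", {"FIRSTNAME": "John", "LASTNAME": "Doe", "CLASS": "SALES"}),
    ]
    users = [
        OimUser("jdoe"),
        OimUser("ASMITH"),                               # matches via User Login
        OimUser("blee", sap_linked_user_id="BLEE"),      # matches via SAP Linked User ID
        OimUser("MMULTI"),                               # both of these match MMULTI
        OimUser("old.mmulti", sap_linked_user_id="MMULTI"),
    ]
    actions = reconcile(records, resources, users)
    for action in actions:
        print(action)
    return actions


if __name__ == "__main__":
    run_sample()
```

In the sample, JDOE is updated in place because a resource already exists, ASMITH and BLEE are provisioned through the two branches of the rule, and MMULTI and ZZZ01 are left untouched and reported, which is the list an administrator would check for unexpected target accounts.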
After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
Log in to the Oracle Identity Manager Design Console.
Expand Development Tools.
Double-click Reconciliation Rules.
Search for SAP R3 Recon Rule. Figure 1-2 shows the reconciliation rule for target resource reconciliation.
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.
The following sections provide information about the reconciliation action rules for this connector:
Section 1.6.3.1, "Reconciliation Action Rules for Target Resource Reconciliation"
Section 1.6.3.2, "Viewing Reconciliation Action Rules in the Design Console"
Table 1-5 lists the action rules for target resource reconciliation.
After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
If you want to view the reconciliation action rules for target resource reconciliation, then search for and open the SAP UM Resource Object resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rules for target resource reconciliation.
Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.
See Also:
The "Provisioning" section in Oracle Identity Manager Connector Concepts for conceptual information about provisioning
This section discusses the following topics:
Table 1-6 lists the supported user provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single or multiple process tasks.
See Also:
Oracle Identity Manager Connector Concepts for generic information about process tasks and adapters
Table 1-6 User Provisioning Functions
Function | Adapter |
---|---|
Create a user account | SAP R3 Create User |
Delete a user account | SAP R3 Delete User |
Lock a user account | SAP R3 Lock UnLock User |
Unlock a user account | SAP R3 Lock UnLock User |
Change password | SAP R3 Password Change |
Edit a user account | SAP R3 Modify User |
Change a user's alias | SAP R3 Modify UserX |
Add a user account to an activity group (role) | SAP R3 Add Role |
Remove a user account from an activity group (role) | SAP R3 Remove Role |
Assign a profile to a user account | SAP R3 Add Profile |
Remove a profile from a user account | SAP R3 Remove Profile |
Table 1-7 lists the user attributes for which you can specify or modify values during provisioning operations.
Table 1-7 User Attributes for Provisioning
Process Form Field | SAP ERP Attribute | Description |
---|---|---|
Alias | USERALIAS | User alias |
Building | BUILDING_P | Building number |
Code | INITS_SIG | Code |
CommType | COMM_TYPE | Communication type |
DateFormat | DATFM | Date format |
DecimalNotation | DCPFM | Decimal notation |
Department | DEPARTMENT | Department |
 | E_MAIL | E-mail address. Note: In SAP 4.7 or later, you can enter only English letters in the E-mail Address field. |
Extension | TEL1_EXT | Extension for the telephone number |
Fax | FAX_NUMBER | Fax number |
FirstName | FIRSTNAME | First name |
Floor | FLOOR_P | Floor number |
Function | FUNCTION | Function |
LangComm | LANGU_P | Communication language |
LangLogon | LANGU | Logon language |
LastName | LASTNAME | Last name |
LockUser | BAPIPWD | Password |
RoomNo | ROOM_NO_P | Room number |
TimeZone | TZONE | Time zone |
StartMenu | START_MENU | Default menu for the user |
Telephone | TEL1_NUMBR | Telephone number |
UserGroup | CLASS | Group to which the user is assigned |
UserId | USERNAME | Login ID |
Password | PASSWORD | Password. Note: You must ensure that the password specified during a provisioning operation adheres to password policies set on the target system. Otherwise, you might encounter the following error: SAP.PASSWORD_CHANGE_ERROR |
UserProfile | BAPIPROF | Multivalue attribute for profiles |
UserRole | AGR_NAME | Multivalue attribute for roles |
UserTitle | TITLE_P | Title of the user |
Xellerate Type | USTYP | Type of user |
The following is the organization of information in the rest of this guide:
Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
Chapter 4, "Extending the Functionality of the Connector" describes the procedures to perform if you want to extend the functionality of the connector.
Chapter 5, "Testing and Troubleshooting" describes procedures to test and troubleshoot the connector.
Chapter 6, "Known Issues" lists known issues associated with this release of the connector.