Oracle® Identity Manager Connector Guide for SAP User Management Release 9.1.2 E11212-06
This chapter provides an overview of the updates made to the software and documentation for release 9.1.2 of the SAP User Management connector.
The updates discussed in this chapter are divided into the following categories:
Software Updates
These include updates made to the connector software.
Documentation-Specific Updates
These include major changes made to the connector documentation. These changes are not related to software updates.
The following sections discuss software updates:
The following are software updates in release 9.1.0:
From this release onward, the connector supports the Segregation of Duties (SoD) feature introduced in Oracle Identity Manager release 9.1.0.2. Requests for SAP role and profile entitlements can be validated with SAP GRC. Entitlements are provisioned into SAP ERP only if the request passes the SoD validation process. This preventive simulation approach helps identify and correct potentially conflicting assignment of entitlements to a user, before the requested entitlements are granted to users.
See Section 1.4.3, "SoD Validation of Entitlement Requests" for more information.
In earlier releases, if you had multiple installations of the target system, then entries in a lookup definition were not linked with the target system installation from which the entries were copied. During a provisioning operation, you could not select lookup field values that were specific to the target system installation on which the provisioning operation was to be performed.
From this release onward, entries in lookup definitions are linked to the target system installation from which they are copied. See Section 1.5, "Lookup Definitions Used During Connector Operations" for more information.
From this release onward:
The required SAP JCo version is 3.0.
The minimum certified release of Oracle Identity Manager is release 9.1.0.2.
AIX is one of the certified operating systems for the host computer on which Oracle Identity Manager is installed.
See Section 1.1, "Certified Components" for the complete listing of certified components. See the following Oracle Technology Network page for information about certified components of Oracle Identity Manager:
http://www.oracle.com/technology/software/products/ias/files/idm_certification_101401.html
Note: The title of that section has been changed from "Certified Deployment Configurations" to "Certified Components."
The reconciliation rules have been modified. See Section 1.6.2, "Reconciliation Rules" for more information.
From this release onward, the trusted source reconciliation mode of the connector has been deprecated. All features related to this mode of the connector will be removed in a future release.
The following are software updates in release 9.1.1:
Support for Mapping Standard and Custom Attributes for Reconciliation and Provisioning
Support for Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations
Support for Configuring Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts
Support for Specifying the Use of a Logon Group on the Target System for Connector Operations
From this release onward, this connector replaces release 9.1.0 of both the SAP User Management and SAP CUA connectors.
See Section 1.4.1, "Support for Both SAP R/3 and SAP CUA" for more information.
The connector has been certified on Oracle Identity Manager release 9.1.0.2 BP02 and later. This change is mentioned in Section 1.1, "Certified Components".
In earlier releases, custom BAPIs were provided for reconciliation and provisioning with the target system. You deployed these BAPIs on the target system as part of the connector deployment procedure. From this release onward, only standard BAPIs are used during reconciliation and provisioning.
The default set of attribute mappings for reconciliation and provisioning has been enhanced. See the following sections for a full listing of the attribute mappings:
In Section 1.7.1, "User Provisioning Functions", the following provisioning functions have been added:
Enable a user account
Disable a user account
Link a user account
Update the start date or end date of a role
Update a custom attribute added on the target system
When you log in to SAP by using a newly created account, you are prompted to change your password at first logon. This behavior can be configured for target system accounts created through Oracle Identity Manager. In addition, the connector can be configured so that it is not mandatory to specify passwords for new accounts.
See Section 1.4.12, "Configuring Password Changes for Newly Created Accounts" for more information.
From this release onward, you can create mappings for attributes that are not included in the list of default attribute mappings. These attributes can be part of the standard set of attributes provided by the target system or custom attributes that you add on the target system.
See Chapter 4, "Extending the Functionality of the Connector" for more information.
From this release onward, you can specify a list of accounts that must be excluded from all reconciliation and provisioning operations.
See Section 2.3.7, "Setting Up the Lookup.SAP.UM.ExclusionList Lookup Definition" for more information.
From this release onward, you can configure the manner in which an SAP R/3 or SAP CUA account is linked with an SAP HRMS account. When enabled, the linking process is automatically triggered during the Create User provisioning operation. If a matching SAP HRMS account cannot be found the first time, then you can manually trigger the linking process after the SAP HRMS account is created.
See Section 1.4.9, "Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts" for more information.
The connector uses the SAP JCo for reconciliation and provisioning operations. The JCo trace level is a numeric specification of the level of trace data that must be logged when the SAP JCo is used. From this release onward, you can specify the trace level as a parameter of the IT resource.
See Table 2-11, "Parameters of the IT Resource" for more information.
In SAP, a logon group is used as a load-sharing mechanism. When a user logs in to a logon group, the system internally routes the connection request to the logon group member with the least load. From this release onward, you can configure the connector to use a logon group for logging in to the target system for reconciliation and provisioning operations.
See Section 2.3.12.1, "Parameters for Enabling the Use of a Logon Group" for more information.
Valid From and Valid Through are two user attributes on the target system. For a particular user in SAP, if the Valid Through date is less than the current date, then the account is in the Disabled state. Otherwise, the account is in the Enabled state. From this release onward, the same behavior is duplicated in Oracle Identity Manager.
See Section 1.4.8, "Enabling and Disabling Accounts" for more information.
The connector supports the connection pooling feature introduced in Oracle Identity Manager release 9.1.0.2. In earlier releases, a connection with the target system was established at the start of a reconciliation run and closed at the end of the reconciliation run. With the introduction of connection pooling, multiple connections are established by Oracle Identity Manager and held in reserve for use by the connector.
See Section 1.4.14, "Connection Pooling" for more information.
The testing utility is not included in this release of the connector.
The following are software updates in release 9.1.2:
Changes in the Certified Oracle Identity Manager and Target System Releases
Support for Integration with SAP GRC Compliant User Provisioning
Reconciliation and Provisioning of Custom Multivalued Attributes
Support for Configuring Transformation of Data During Lookup Field Synchronization
Section 1.1, "Certified Components" lists the Oracle Identity Manager and target system releases certified from this release onward.
In an SAP environment, you can set up SAP GRC Compliant User Provisioning as the front end for receiving account creation and modification provisioning requests. From this release onward, the connector can be used to integrate Oracle Identity Manager with SAP GRC Compliant User Provisioning. In this deployment configuration, Oracle Identity Manager acts as the medium for sending provisioning requests to Compliant User Provisioning.
From this release onward, the connector allows you to add custom multivalued attributes that you create on the target system for reconciliation and provisioning with Oracle Identity Manager. See the following sections for information about the procedure:
Section 4.3, "Adding New Standard and Custom Multivalued Attributes for Reconciliation"
Section 4.8, "Adding Custom Multivalued Attributes for Provisioning"
In this release, the Dependent Lookup Fields feature is disabled by default. You can enable this feature after you deploy the Oracle Identity Manager release 9.1.0.2 bundle patch that addresses Bug 9181280. See Section 4.14.1, "Enabling the Dependent Lookup Fields Feature" for more information.
From this release onward, you can configure transformation of lookup field data synchronized from the target system. Section 1.4.17, "Transformation of Lookup Field Data" provides a pointer to additional information about this feature.
The following sections discuss documentation-specific updates:
Major changes have been made in the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usability of information provided by the guide.
See Section 1.8, "Roadmap for Deploying and Using the Connector" for information about the organization of content in this guide.
The following documentation-specific updates have been made in release 9.1.1:
The "Configuring the Connector for Multiple Trusted Source Reconciliation" section has been removed from Chapter 4, "Extending the Functionality of the Connector". The connector does not support this feature.
The list of standard BAPIs used during connector operations has been added in Appendix A.
Minor changes have been made in the structure and location of some sections.