Skip Headers
Oracle® Identity Manager Connector Guide for SAP User Management
Release 9.1.2
E11212-14
Index
Next
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Documentation Updates
Conventions
What's New in Oracle Identity Manager Connector for SAP User Management?
Software Updates
Documentation-Specific Updates
1
About the Connector
1.1
Certified Components
1.2
Certified Languages
1.3
Connector Architecture and Supported Deployment Configurations
1.3.1
Basic User Management
1.3.2
User Management with SoD
1.3.3
User Management with Compliant User Provisioning
1.3.4
User Management with Both SoD and Compliant User Provisioning
1.3.5
Guidelines on Using a Deployment Configuration
1.3.6
Considerations to Be Addressed When You Enable Compliant User Provisioning
1.4
Features of the Connector
1.4.1
Support for Both SAP R/3 and SAP CUA
1.4.2
Mapping Standard and Custom Attributes for Reconciliation and Provisioning
1.4.3
SoD Validation of Entitlement Requests
1.4.4
Routing of Provisioning Requests Through SAP GRC Compliant User Provisioning
1.4.5
Full and Incremental Reconciliation
1.4.6
Limited (Filtered) Reconciliation
1.4.7
Batched Reconciliation
1.4.8
Enabling and Disabling Accounts
1.4.9
Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts
1.4.10
SNC Communication Between the Target System and Oracle Identity Manager
1.4.11
Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations
1.4.12
Configuring Password Changes for Newly Created Accounts
1.4.13
Specifying a SAP JCo Trace Level
1.4.14
Connection Pooling
1.4.15
Specifying the Use of a Logon Group on the Target System for Connector Operations
1.4.16
Transformation and Validation of Account Data
1.4.17
Transformation of Lookup Field Data
1.4.18
Support for Both Unicode and Non-Unicode Modes
1.5
Lookup Definitions Used During Connector Operations
1.5.1
Lookup Definitions Synchronized with the Target System
1.5.2
Preconfigured Lookup Definitions
1.6
Connector Objects Used During Reconciliation
1.6.1
User Attributes for Reconciliation
1.6.2
Reconciliation Rules
1.6.2.1
Reconciliation Rule
1.6.2.2
Viewing Reconciliation Rules in the Design Console
1.6.3
Reconciliation Action Rules
1.6.3.1
Reconciliation Action Rules for Reconciliation
1.6.3.2
Viewing Reconciliation Action Rules in the Design Console
1.7
Connector Objects Used During Provisioning
1.7.1
User Provisioning Functions
1.7.2
User Attributes for Provisioning
1.8
Roadmap for Deploying and Using the Connector
2
Deploying the Connector
2.1
Preinstallation
2.1.1
Preinstallation on Oracle Identity Manager
2.1.1.1
Files and Directories on the Installation Media
2.1.1.2
Determining the Release Number of the Connector
2.1.1.3
Creating a Backup of the Existing Common.jar File
2.1.2
Preinstallation on the Target System
2.1.2.1
Creating a Target System User Account for Connector Operations
2.1.2.2
Downloading and Installing the SAP JCo
2.2
Installation
2.3
Postinstallation
2.3.1
Configuring Ports on the Target System
2.3.2
Configuring the Target System
2.3.2.1
Gathering Required Information
2.3.2.2
Creating an Entry in the BAPIF4T Table
2.3.2.3
Importing the Request
2.3.3
Setting Up the Configuration Lookup Definition in Oracle Identity Manager
2.3.3.1
Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts
2.3.3.2
Configuring Password Changes for Newly Created Accounts
2.3.3.3
Setting Values in the Lookup.SAP.UM.Configuration Lookup Definition
2.3.4
Enabling Request-Based Provisioning
2.3.4.1
Enabling Request-Based Provisioning in Oracle Identity Manager Release 9.1.0.
x
2.3.4.2
Enabling Request-Based Provisioning in Oracle Identity Manager Release 11.1.1
2.3.5
Changing to the Required Input Locale
2.3.6
Clearing Content Related to Connector Resource Bundles from the Server Cache
2.3.7
Enabling Logging
2.3.7.1
Enabling Logging on Oracle Identity Manager Release 9.1.0.
x
2.3.7.2
Enabling Logging on Oracle Identity Manager Release 11.1.1
2.3.8
Setting Up the Lookup.SAP.UM.ExclusionList Lookup Definition
2.3.9
Setting Up the Lookup.SAP.UM.LookupMappings and Lookup.SAP.CUA.LookupMappings Lookup Definitions
2.3.10
Copying the SAPCUP.jar File for User Provisioning
2.3.11
Configuring the Compliant User Provisioning Feature of the Connector
2.3.11.1
Importing the XML File for the Compliant User Provisioning Feature
2.3.11.2
Enabling Request-Based Provisioning for the Compliant User Provisioning Feature
2.3.11.3
Specifying Values for the GRC-ITRes IT Resource
2.3.11.4
Specifying Values in the Lookup.SAP.UM.Configuration Lookup Definition
2.3.11.5
Setting Up the Link with the Web Services for SAP Compliant User Provisioning
2.3.11.6
Configuring Request Types and Workflows on SAP GRC Compliant User Provisioning
2.3.11.7
Setting Values in the Lookup.SAP.CUP.Configuration Lookup Definition
2.3.12
Configuring SoD
2.3.12.1
Configuring SAP GRC to Act As the SoD Engine
2.3.12.2
Specifying Values for SoD-Related Entries in the Lookup.SAP.UM.SoDConfiguration Lookup Definition
2.3.12.3
Modifying the SoD-Related Lookup Definitions
2.3.12.4
Specifying Values for the GRC-ITRes IT Resource
2.3.12.5
Verifying Entries Created in the Lookup.SAP.UM.System Lookup Definition
2.3.12.6
Specifying a Value for the TopologyName IT Resource Parameter
2.3.12.7
Disabling and Enabling SoD
2.3.13
Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System
2.3.13.1
Prerequisites for Configuring the Connector to Use SNC
2.3.13.2
Installing the Security Package
2.3.13.3
Configuring SNC
2.3.14
Configuring the IT Resource
2.3.14.1
Parameters for Enabling the Use of a Logon Group
2.3.14.2
Parameters for Enabling SNC-Based Communication
2.3.14.3
Parameters for Enabling Multiple Attempts to Update Multivalued Attributes
2.3.14.4
Mapping New Connection Properties
2.3.14.5
Specifying Values for the IT Resource Parameters
2.3.15
Addressing the Issue Related to Non-Unique Values in Lookup Definitions Synchronized with the Target System
3
Using the Connector
3.1
Performing Full Reconciliation
3.2
Scheduled Task for Lookup Field Synchronization
3.3
Guidelines on Performing Reconciliation
3.4
Configuring Reconciliation
3.4.1
Full Reconciliation vs. Incremental Reconciliation
3.4.2
Limited Reconciliation
3.4.3
Reconciliation Scheduled Tasks
3.4.3.1
SAP User Management User Recon
3.4.3.2
SAP User Management Delete Recon
3.4.3.3
SAP CUP Status Update Recon
3.4.3.4
SAP CUP Delete Recon
3.5
Configuring Scheduled Tasks
3.6
Guidelines on Performing Provisioning
3.7
Provisioning Operations Performed in an SoD-Enabled Environment
3.7.1
Overview of the Provisioning Process in an SoD-Enabled Environment
3.7.2
Guidelines on Performing Provisioning Operations
3.7.3
Direct Provisioning in an SoD-Enabled Environment
3.7.3.1
Prerequisites
3.7.3.2
Performing Direct Provisioning
3.7.4
Request-Based Provisioning in an SoD-Enabled Environment
3.7.4.1
End User's Role in Request-Based Provisioning
3.7.4.2
Approver's Role in Request-Based Provisioning
3.8
Switching Between SAP R/3 and SAP CUA Target Systems
3.9
Switching Between SAP R/3 or SAP CUA Target System to an SAP CUP Target System on Oracle Identity Manager Release 11.1.1
3.10
Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1
3.11
Enabling and Disabling the SoD Feature
3.12
Enabling and Disabling the Compliant User Provisioning Feature
4
Extending the Functionality of the Connector
4.1
Determining the Names of Target System Attributes
4.2
Adding New Attributes for Reconciliation
4.3
Adding New Standard and Custom Multivalued Attributes for Reconciliation
4.4
Adding New Standard Attributes for Provisioning
4.5
Adding New Standard SAP GRC Compliant User Provisioning Attributes for Provisioning
4.6
Adding New Standard Multivalued Attributes for Provisioning
4.7
Adding Custom Attributes for Provisioning
4.8
Adding Custom Multivalued Attributes for Provisioning
4.9
Configuring Validation of Data During Reconciliation and Provisioning
4.10
Configuring Transformation of Data During User Reconciliation
4.11
Configuring Transformation of Data During Lookup Field Synchronization
4.12
Configuring Synchronization of New Lookup Definitions with the Target System
4.13
Modifying Field Lengths on the Process Form
4.14
Configuring the Connector for Multiple Installations of the Target System
4.14.1
Enabling the Dependent Lookup Fields Feature
5
Known Issues
A
Standard BAPIs Used During Connector Operations
A.1
Standard BAPIs Used on Both SAP R/3 and SAP CUA
A.2
Standard BAPIs Used on SAP R/3
A.3
Standard BAPIs Used on SAP CUA
Index