Sun Java[TM] System Identity Manager 7.1 Resources Reference
Access Enforcer
The SAP Governance, Risk, and Compliance (GRC) Access Enforcer resource adapter is defined in the com.waveset.adapter.AccessEnforcerResourceAdapter class. This class extends the SAPResourceAdapter class.
This resource adapter currently supports the following versions of Access Enforcer:
Resource Configuration Notes
The Access Enforcer autoprovision setting must be set to "true" for the adapter to operate correctly.
Identity Manager Installation Notes
The Access Enforcer resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
- Download the JCo (Java Connection) toolkit from the following URL:
http://service.sap.com/connectors
Access to the SAP JCO download pages requires a login and password. The toolkit will have a name similar to sapjco-ntintel-2.1.8.zip. This name will vary depending on the platform and version selected.
Note
For Solaris x86, only the 64-bit version of the JCO is available. If you are using 64-bit Solaris on Sparc, ensure that the 64-bit version of the JCO is used.
- Unzip the toolkit and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.
- Copy the sapjco.jar file to the InstallDir\WEB-INF\lib directory.
- Download the Apache Axis SOAP toolkit from the following URL:
http://www.apache.org/dyn/closer.cgi/ws/axis/1_4/
- Unzip the toolkit and follow the installation instructions.
- Copy the following files to the InstallDir\WEB-INF\lib directory:
- To add an Access Enforcer resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.AccessEnforcerResourceAdapter
- Import the $WSHOME/sample/accessenforcer.xml to enable support for Access Enforcer.
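A post-install check for the steps above, as an added example that is not part of the original Sun documentation. It assumes InstallDir and $WSHOME are the same directory, passed as the first argument; the function names and the world-writable check on the installed jars are additions, not product features.

```shell
#!/bin/sh
# Added example: verify the Access Enforcer adapter prerequisites are in place.
# Assumption: $1 is the Identity Manager install directory (InstallDir / $WSHOME).

# check_ae_install DIR
# Prints one line per problem and returns the number of problems found.
check_ae_install() {
    dir=$1
    problems=0
    # Files named in the installation and user-form notes on this page.
    for rel in WEB-INF/lib/sapjco.jar \
               sample/accessenforcer.xml \
               sample/forms/AE-EnableDisableDeleteForm.xml
    do
        if [ ! -r "$dir/$rel" ]; then
            echo "MISSING: $rel"
            problems=$((problems + 1))
        fi
    done
    # Jars in WEB-INF/lib are loaded by the web application, so a
    # world-writable jar lets any local account replace adapter code.
    if [ -d "$dir/WEB-INF/lib" ]; then
        ww=$(find "$dir/WEB-INF/lib" -type f -name '*.jar' -perm -002 -print)
        if [ -n "$ww" ]; then
            echo "$ww" | sed 's/^/WORLD-WRITABLE: /'
            problems=$((problems + $(echo "$ww" | wc -l)))
        fi
    fi
    return "$problems"
}

# jco_selftest DIR
# Runs the JCo self-report from the Troubleshooting section, which prints the
# JCo version and the native libraries it located.
jco_selftest() {
    command -v java >/dev/null 2>&1 || { echo "java not on PATH"; return 2; }
    java -jar "$1/WEB-INF/lib/sapjco.jar"
}

# Run both checks when an install directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ae_install "$1"; rc=$?
    jco_selftest "$1"
    exit "$rc"
fi
```

The Apache Axis files are not checked because the list of files to copy is not given on this page.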
Usage Notes
Asynchronous Provisioning
This adapter introduces the concept of asynchronous provisioning. Access Enforcer has its own system of approvals that must be negotiated before a user can be provisioned or modified.
If a SubmitRequest web service call returns successfully, the Identity Manager task performing the provisioning request periodically polls Access Enforcer to check whether the request is complete. The polling interval is set in the Delay Between Asynchronous Retries (seconds) parameter on the Identity System Parameters page of the resource wizard.
When the request has been completed or otherwise acted upon in Access Enforcer, the Identity Manager user object is updated with the status of the request. Identity Manager then processes the provisioning request as defined in the workflow.
Access Enforcer Rule Library
Access Enforcer does not provide a way to fetch certain types of objects. To help facilitate management of these objects, Identity Manager provides an Access Enforcer rule library that allows you to specify the names of these objects. These names must be manually entered as strings in the rule library.
The following table lists the Access Enforcer objects, the corresponding Identity Manager rule, and the default values. Use the debug pages or the Identity Manager IDE to edit the values to match your environment.
Web Services
The Access Enforcer adapter works by sending web service requests to Access Enforcer. The web service calls are made using the Apache Axis tools. The supported actions for the SubmitRequest provisioning web service are:
User fetch is performed by the SAPResourceAdapter.getUser() method because Access Enforcer does not provide a web service to query for this information.
User Forms
The default Access Enforcer User Form attempts to populate the manager and requestor account attributes with values from the views available from the Create/Edit User form.
User forms may return a list of the following objects by calling the listObjects method:
To disable, enable, and delete users, the Access Enforcer EnableDisableDelete Form must be imported and individually added to the Disable, Enable, and Deprovision forms. See the comments in $WSHOME/sample/forms/AE-EnableDisableDeleteForm.xml for details.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses BAPI over SAP Java Connector (JCo) to communicate with the SAP systems for the getUser and listObjects methods and the account iterator.
Required Administrative Privileges
The user name that connects to SAP must be assigned to a role that can access the SAP users.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
| --- | --- |
| Enable/disable account | Yes |
| Rename account | No |
| Pass-through authentication | No |
| Before/after actions | No |
Data loading methods
Account Attributes
The following table provides information about the account attributes that are specific to Access Enforcer. Refer to the documentation for the SAP adapter for information about general SAP attributes. Unless stated otherwise, all attribute types are String, and all attributes are write-only. The values for all attributes listed below are converted to uppercase.
Other attributes may be added to the schema map, but are considered custom attributes in Access Enforcer. To distinguish the custom attributes, you must prepend AE to any Resource User Attribute. (For example, AEMyAttribute.) The values for custom attributes are not converted to uppercase.
Resource Object Management
Not applicable
Identity Template
$accountId$
Sample Forms
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
To determine which version of the SAP Java Connector (JCO) is installed, and to determine whether it is installed correctly, run the following command:
java -jar sapjco.jar
The command returns the JCO version as well as the JNI platform-dependent libraries and the RFC libraries that communicate with the SAP system.
If the platform-dependent libraries are not found, refer to the SAP documentation to find out how to correctly install the SAP Java Connector.