test

Sun Identity Manager 8.1 Resources Reference

Adapter Details

The resource adapter is defined in the com.waveset.adapter.SAPResourceAdapter class.

To enable the ability of a user to change his or her own SAP password, perform the following steps:

ProcedureEnabling a User to Change His Password

  1. Set the User Provides Password On Change resource attribute.

  2. Add WS_USER_PASSWORD to both sides of the schema map. You do not need to modify the user form or other forms.

Resource Configuration Notes

None.

Identity Manager Installation Notes

The SAP resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

ProcedureInstalling the SAP Resource Adapter

  1. Download the JCo (Java Connection) toolkit from http://service.sap.com/connectors. (Access to the SAP JCO download pages require a login and password.) The toolkit will have a name similar to sapjco-ntintel-2.1.6.zip. This name will vary depending on the platform and version selected.

    Note –

    Make sure that the JCo toolkit you download matches the bit version of Java your application server runs on. For example, JCo is available only in the 64-bit version on the Solaris x86 platform. Therefore, your application server must be running the 64-bit version on the Solaris x86 platform.

  2. Unzip the toolkit and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.

  3. Copy the sapjco.jar file to the InstallDir\WEB-INF\lib directory.

  4. To add an SAP resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.

    com.waveset.adapter.SAPResourceAdapter

Usage Notes

This section provides information related to using the SAP resource adapter, which is organized into the following sections:

General Notes

The following general notes are provided for the resource:

Enabling Secure Network Communications (SNC) Connections

By default, the SAP adapter uses the SAP Java Connector (JCo) to communicate with the SAP adapters. For information about implementing SNC connections, see Chapter 54, Enabling Secure Network Communications (SNC) Connections.

SAP JCO and RFC Tracing

The SAPResourceAdapter and the SAPHRActiveSyncAdapter provide resource attributes for SAP JCO and RFC tracing. They can be used to trace Identity Manager’s communication with the SAP system. The attributes are JCO Trace Level and JCO Trace Directory.

The following environment variables can be set in the environment to enable SAP RFC tracing. These variables must be set in the environment before starting the application server. They control the shared library that JCO uses to communicate with the SAP system.

Note –

If no JCO tracing is desired, set RFC_TRACE to 0 to ensure that no trace files are created.

Changing Productive Passwords in a CUA Environment

SAP considers a password a secret shared between the account on the system where the account resides. In a CUA landscape, this means that every CUA client maintains its own copy of a password for a user. The standard password change methods in a CUA landscape do not allow you to set a productive password on a client system. (A productive password is a password that has not expired and that does not require changing on the next logon.) They will allow you to set an initial password for the user on all systems in the landscape, clients and the central system.

The function module for changing a password must be executable remotely. In a CUA landscape, you must set the SCUM settings for the initial password to 'global' or 'everywhere'. In all other cases, the CUA central system can not reset passwords on the clients, which will cause failures of password changes under certain circumstances. The adapter will allow you to set a productive password in a CUA landscape on all systems on which the user exists. You can do this only by changing the password on each system separately. To enable this feature, you must install a special Function Module on the CUA central system that is executed for all client systems. The module is provided in source form in InstallDir\idm\sample\other and must be installed on the SAP central system. The name of the Function Module must be set in the “CUA Child Password Change Function Module” resource attribute.

When a password is changed in a CUA landscape and the module is used, multiple failures for one password change can occur: one for each client and one for the central system. Each system keeps its own password policies. A password that complies to the rules on one system could cause a policy failure on another. A failure on one system does not mean that the other systems will not be changed. This accords with how SAP defines and works with passwords in a CUA landscape.

When CUA is configured on the adapter, but the module is not installed on the central system or the attribute is not configured on the adapter, then productive password changes will be applied to the central system only. Setting initial passwords or performing a password reset, in other words password which are expired, is not affected by this configuration change.

Renaming Accounts

The SAP adapter now supports renaming accounts, except when CUA mode is enabled on the adapter. The adapter performs this function by copying an existing account to a new account and deleting the original. SAP discourages renaming accounts, but provides the option in the user management application (Transaction SU01 from the SAP GUI). Therefore, Identity Manager also supports the option. Be aware that SAP may not support the rename feature in future releases.

The SAP GUI uses a different method to perform the rename because it has access to non-public APIs and to the SAP kernel. The following steps provide a high-level description of how the adapter performs the rename operation:

ProcedureHow the SAP Adapter Performs the rename Operation

  1. Get the user information for the existing user.

  2. Save the ALIAS attribute, if one exists.

  3. Create the new user.

  4. Set the Activity Groups on the new user.

  5. Set the Profiles on the new user.

  6. Get the old user’s Personalization Data.

  7. Set the new user’s Personalization Data.

  8. Delete the old user.

  9. Set the Alias on the new user if one was set on the old user.

    If an error occurs during steps 1-3, the operation fails immediately. If an error occurs during steps 4-7, the new user is deleted and the whole operation fails. (If the new user cannot be deleted, a warning is placed into the WavesetResult). If an error occurs during steps 8-9, a warning is added to the WavesetResult, but the operation succeeds.

    The Rename operation requires that a new password be set on the new user. This is most easily accomplished by customizing the Rename User Task to invoke the Change User Password Task.

Global Trade Services (GTS) Support

To enable SAP Global Trace Services support on the SAP adapter, activate the appropriate roles listed Role Name column in the following table. SAP generates the roles listed in the Generated Role column of the table. You must assign the generated roles to the appropriate user profiles in SAP GTS.

Role Label  

Role Name  

Generated Role  

Customs Processing Specialist 

SAP_BW_SLL_CUS 

SAP_BWC_SLL_CUS 

Preference Processing Specialist 

SAP_BW_SLL_PRE 

SAP_BWC_SLL_PRE 

Restitution Specialist 

SAP_BW_SLL_RES 

SAP_BWC_SLL_RES 

Legal Control Specialist 

SAP_BW_SLL_LCO 

SAP_BWC_SLL_LCO 

Additional Table Support

The SAP adapter can provision to any SAP table called by BAPI_USER_CREATE1 and BAPI_USER_CHANGE, most notably the GROUPS and PARAMETER tables. To enable this feature for any table other than GROUPS, you must add a Resource User Attribute to the schema map in the format SAP_Table_Name->Table. (For example, PARAMETER->Table.) The attribute must be assigned the complex data type.

The adapter provides an account attribute of type string named GROUPS->USERGROUP account attribute. This attribute processes data from the GROUPS table. By default, this attribute type is string. When this attribute type set to string, the adapter processes values as a list of strings. If you want the adapter to process data from the table in the same manner as other tables, you must change the data type to complex.

The $WSHOME/web/sample/forms/SAPUserForm.xml file contains an example user form that illustrates how the GROUP table is managed using a string account attribute type as well as a complex attribute type.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Required Administrative Privileges

The user name that connects to SAP must be assigned to a role that can access the SAP users.

Provisioning Notes

Feature  

Supported?  

Enable/disable account 

Yes 

Rename account 

Yes, except when CUA is enabled. 

Pass-through authentication 

No 

Before/after actions 

No 

Data loading methods 

  • Import directly from resource

  • Reconciliation

Account Attributes

The following table provides information about the default SAPaccount attributes. (Additional attributes are provided if the Enable SAP GRC Access Enforcer? resource parameter is selected.) All attribute types are String.

Identity System User Attribute

Resource Attribute Name

Description

accountId

USERNAME->BAPIBNAME 

Required. The user’s account ID. 

firstname

ADDRESS->FIRSTNAME 

User’s first name 

fullname

ADDRESS->FULLNAME 

User’s first and last name 

email

ADDRESS->E_MAIL 

User’s e-mail address 

lastname

ADDRESS->LASTNAME 

Required. User’s last name 

groups

GROUPS->USERGROUP 

Provisions to the SAP GROUPS table. 

l

WS_PasswordExpired 

Forces the user to supply a new password upon login. 

accountLockedNoPwd

ISLOCKED->NO_USER_PW 

Boolean. Indicates whether the account is locked because the user has no password. 

accountLockedWrngPwd

ISLOCKED->WRNG_LOGON 

Boolean. Indicates whether the account is locked because of failed login attempts. 

personNumber

ADDRESS->PERS_NO 

Internal key for identifying a person 

addressNumber

ADDRESS->ADDR_NO 

Internal key for identifying an address for central address management 

birthName

ADDRESS->BIRTH_NAME 

Maiden name or name given at birth 

middleName

ADDRESS->MIDDLENAME 

User’s middle name 

secondLastName

ADDRESS->SECONDNAME 

Second last name 

academicTitle

ADDRESS->TITLE_ACA1 

An academic title, such as Dr. or Prof. 

academicTitle2

ADDRESS->TITLE_ACA3 

A second academic title 

namePrefix

ADDRESS->PREFIX1 

A prefix to a last name, such as von, van der, or de la 

namePrefix2

ADDRESS->PREFIX2 

A second prefix to a last name 

titleSupplement

ADDRESS->TITLE_SPPL 

Name supplement, for example noble title, such as Lord or Lady 

nickname

ADDRESS->NICKNAME 

User’s nickname 

initials

ADDRESS->INITIALS 

Middle initial or initials 

nameFormat

ADDRESS->NAMEFORMAT 

The sequence in which name components are assembled to present the name of a person in a complete form. The sequence can vary for each country. 

nameFormatCountry

ADDRESS->NAMCOUNTRY 

The country used to determine the name format 

languageKey

ADDRESS->LANGU_P 

The language used to enter and display text 

iso639Language

ADDRESS->LANGUP_ISO 

ISO 639 language code 

sortKey1

ADDRESS->SORT1_P 

A search term 

sortKey2

ADDRESS->SORT2_P 

A secondary search term 

department

ADDRESS->DEPARTMENT 

The department in a company as part of the company address 

function

ADDRESS->FUNCTION 

The user’s job functionality 

buildingNumber

ADDRESS->BUILDING_P 

The building number where the user’s office is located 

buildingFloor

ADDRESS->FLOOR_P 

The floor where the user’s office is located 

roomNumber

ADDRESS->ROOM_NO_P 

The room number where the user’s office is located 

correspondenceCode

ADDRESS->INITS_SIG 

A correspondence code 

inhouseMailCode

ADDRESS->INHOUSE_ML 

An internal mail code 

communicationType

ADDRESS->COMM_TYPE 

States how the user wants to exchange documents and messages with a business partner. 

title

ADDRESS->TITLE 

A title, such as Mr. or Mrs. 

titleP

ADDRESS->TITLE_P 

A title, such as Mr. or Mrs. 

addressName

ADDRESS->NAME 

Name of an address 

addressName2

ADDRESS->NAME_2 

Second line in a name of an address 

addressName3

ADDRESS->NAME_3 

Third line in a name of an address 

addressName4

ADDRESS->NAME_4 

Fourth line in a name of an address 

careOfName

ADDRESS->C_O_NAME 

Part of the address if the recipient is different from the occupant (c/o = care of) 

city

ADDRESS->CITY 

User’s city 

district

ADDRESS->DISTRICT 

City or district supplement 

cityNumber

ADDRESS->CITY_N 

City code 

districtNumber

ADDRESS->DISTRCT_NO 

District code 

cityPostalCode

ADDRESS->POSTL_COD1 

User’s postal code 

poBoxPostalCode

ADDRESS->POSTL_COD2 

Postal code required for unique assignment of the PO Box. 

companyPostalCode

ADDRESS->POSTL_COD3 

Postal code that is assigned directly to a company. 

poBox

ADDRESS->PO_BOX 

The user’s post office box 

poBoxCity

ADDRESS->PO_BOX_CIT 

Post office box city 

poBoxCityCode

ADDRESS->PBOXCIT_NO 

The PO Box city, if it is different from the address city. 

postalDeliveryDistrict

ADDRESS->DELIV_DIS 

Postal delivery district 

transportZone

ADDRESS->TRANSPZONE 

Regional zone of a goods recipient or supplier 

street

ADDRESS->STREET 

The user’s street 

streetNumber

ADDRESS->STREET_NO 

A street code 

streetAbbreviation

ADDRESS->STR_ABBR 

A street abbreviation 

houseNumber

ADDRESS->HOUSE_NO 

The number portion of a street address 

houseNumber2

ADDRESS->HOUSE_NO2 

A secondary address number 

street2

ADDRESS->STR_SUPPL1 

Additional address field printed above the Street line. 

street3

ADDRESS->STR_SUPPL2 

Additional address field printed above the Street line. 

street4

ADDRESS->STR_SUPPL3 

Additional address field printed below the Street line. 

street5

ADDRESS->LOCATION 

Additional address field printed below the Street line. 

oldBuilding

ADDRESS->BUILDING 

Number or ID for the building in a contact person address. 

floor

ADDRESS->FLOOR 

The floor number of an address 

roomNumber

ADDRESS->ROOM_NO 

The room number in an address 

countryCode

ADDRESS->COUNTRY 

The country in an address 

countryCodeISO

ADDRESS->COUNTRYISO 

The two-letter ISO code for the country in an address 

languageKey

ADDRESS->LANGU 

The language used to enter and display text 

languageKeyISO

ADDRESS->LANGU_ISO 

ISO 639 language code 

region

ADDRESS->REGION 

State or province 

sort2

ADDRESS->SORT2 

A secondary search term 

timeZone

LOGONDATA->TZONE 

The time difference of the time zone in hours/minutes relative to the UTC 

taxJurisdictionCode

ADDRESS->TAXJURCODE 

the tax authority to which taxes must be paid. It is always the city to which the goods were delivered. 

telephoneNumber

ADDRESS->TEL1_NUMBR 

Telephone number, including the area code, but no country code 

telephoneExtension

ADDRESS->TEL1_EXT 

Telephone number extension 

faxNumber

ADDRESS->FAX_NUMBER 

Fax number, including the area code, but no country code 

faxExtension

ADDRESS->FAX_EXTENS 

Fax number extension 

buildingNumber

ADDRESS->BUILD_LONG 

Number or abbreviation of a building in an address. 

cuaSystems

SYSTEMS->CUASYSTEMS 

Central User Administration system names 

profiles

PROFILES->BAPIPROF 

Profiles assigned to the user. 

activityGroups

ACTIVITYGROUPOBJECTS 

Roles assigned to the user. 

lastLoginTime

LOGONDATA->LTIME 

Read only attribute that lists the most recent login time. 

Resource Object Support

Managed Objects

This adapter does not manage objects on the SAP resource.

Listable Objects

The following table describes the SAP objects that can be called using the listAllObjects method within a user form.

Object  

Description  

account

Lists the users defined on the SAP resource. 

activityGroups

Lists the activity groups (or roles) available for users. (Non-CUA mode only) 

cuaSystems

When CUA is enabled, lists the names of the CUA children. 

Group

Lists the available groups on the SAP resource. 

localActivityGroups

When CUA is enabled, lists the activity groups that exist on a particular child system in a CUA environment. 

profiles

Lists the names of the authorization profiles. 

table

Lists the contents of a column of an SAP table. The options map requires the following parameters. 

name, which represents SAP table name 

offset, which indicates the starting character column in the table 

length, which represents the length of the data field 

Refer to the SAP documentation for the BAPI RFC_GET_TABLE_ENTRIES to determine these values. See Additional Table Support for more information.

timeZones

Lists the available time zones supported by the SAP system. 

usertype

Lists the user types available on the SAP system 

Identity Template

$accountId$

Sample Forms

SAPForm.xml
SAPUserForm_with_RoleEffectiveDates_Timezone.xml
SAPHRActiveSyncForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

To determine which version of the SAP Java Connector (JCO) is installed, and to determine whether it is installed correctly, run the following command:

java -jar sapjco.jar

The command returns the JCO version as well as the JNI platform-dependent and the RFC libraries that communicate with the SAP system.

If the platform-dependent libraries are not found, refer to the SAP documentation to find out how to correctly install the SAP Java Connector.