Oracle Waveset 8.1.1 Resources Reference

Chapter 34 SAP Access Control Web Service Adapter

The SAP BusinessObjects Access Control web service adapter is defined in the com.waveset.adapter.SAPAccessControlWebServiceAdapter class. This class extends the WebServiceResourceAdapter class.

The SAP Access Control web service adapter manages web services requests to and from SAP Access Control 5.3. It does not provision accounts in the normal Waveset way of using methods such as realCreate and realUpdate. Use this adapter in conjunction with an external resource to perform provisioning or an SAP connector to perform risk analysis.

Adapter Details

Resource Configuration Notes

If you are using this adapter with the External Policy Check workflow process, the SAP Access Control autoprovision setting should be disabled in the SAP Access Control user interface. Otherwise, this setting should be enabled.

Waveset Installation Notes

The SAP Access Control web service adapter is a custom adapter. You must perform the following steps to complete the installation process.

ProcedureInstalling the SAP Access Control Web Service Adapter

  1. Download Glassfish Metro 1.5 from the following location:

    Note –

    Glassfish Metro might be incompatible with Apache Axis on some application servers. In this case, you must remove Apache Axis if it is present on your application server.

  2. Install Metro on your application server. Refer to the Metro documentation for more information.

    • If you are installing Metro on JBoss 4.2.3 and use JDK 1.6, delete all the JAR files related to JAXB, JAXWS, and JAAS from the jboss-4.2.3\lib\endorsed directory except for the following:

      • Serializer.jar

      • Xalan.jar

      • xercesImpl.jar

      Then place the following JAR files from Metro into idm-dir/WEB-INF/lib directory:

      • webservices-api.jar

      • webservices-extra.jar

      • webservices-extra-api.jar

      • webservices-rt.jar

      • webservices-tools.jar

      • webservices.war

    • Otherwise, note that the following JAR files are required at runtime:

      • webservices-api.jar

      • webservices-extra.jar

      • webservices-extra-api.jar

      • webservices-rt.jar

      • webservices-tools.jar

  3. Download the JCo (Java Connection) toolkit from (Access to the SAP JCO download pages require a login and password.) The toolkit will have a name similar to This name will vary depending on the platform and version selected.

    Note –

    Make sure that the JCo toolkit you download matches the bit version of Java your application server runs on. For example, JCo is available only in the 64-bit version on the Solaris x86 platform. Therefore, your application server must be running the 64-bit version on the Solaris x86 platform.

  4. Unzip the toolkit and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.

    Note –

    If you plan to use the SAP Access Control web service adapter with the Sun Application Server on a Windows machine, you must add SAP JCo RFC dlls to the Sun Application Server /lib directory or an error will result.

    • For SAP JCo 2.1.8: Add the sapjcorfc.dll and the librfc32.dll files to the Sun-app-server-install-dir/lib directory and restart the server.

    • For SAP JCo 3.0.x: Add the sapjco3.dll file to the Sun-app-server-install-dir/lib directory and restart the server.

  5. Copy the sapjco.jar file to the InstallDir\WEB-INF\lib directory.

  6. To add an SAP Access Control resource to the Waveset resources list, you must add the following value in the CustomResources section of the Configure Managed Resources page.


Usage Notes

The SAP Access Control adapter can be used in the following types of integrations:

The External SAP Access Control User Form aggregates the data required for an SAP Access Control Risk Analysis web service implemented through the SAP Access Control adapter. This data is placed in the accounts[Lighthouse].properties.externalPolicy[ResourceName] property in the User object.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Web services using GlassFish Metro.

Required Administrative Privileges

The user name that connects to Access Control must be assigned to a role that can access the SAP users.

Provisioning Notes

This adapter does not support provisioning directly. If you are implementing an external policy check, use an SAP connector for provisioning. Otherwise, use an external resource configured with Web Service Notification and this resource as the delegated resource for provisioning requests.

Account Attributes

The following table provides information about the account attributes that are specific to SAP Access Control. Refer to the documentation for the SAP Access Control web services and SAP Access Control for information about general SAP attributes. Unless stated otherwise, all attribute types are String.

Identity System User Attribute 

Resource User Attribute 




Required. The user's first name.  



Required. The user's last name.  



Required. The email assigned to the user. 



Required. The User ID for the Access Control account.  



Required if a Manager stage is configured. The account ID of the user's manager.  



Required if a Manager stage is configured. The manager's first name.  



Required if a Manager stage is configured. The manager's last name.  



Required if a Manager stage is configured. The email assigned to the manager. This value must be a valid, existing value in Access Control. 



Required. The user ID of the person requesting the account.  



Required. The requestor.s first name.  



Required. The requestor.s last name.  



Required. The email address of the requestor.  



Required. The applications to grant access to. This value is a comma-separated list. 



Required. Complex data type.The roles assigned to the user. This attribute contains values for ValidFrom, ValidTo, Rolename, CoApplicationId, and Company. 



Required. The priority of the request  



The employment status of the user.  



Complex data type. Additional fields for the user. 



SAP functional area for the user. Valid only if 5.3 SP9 is selected as the version of the resource. 



The first date the user is valid. Valid only if 5.3 SP9 is selected as the version of the resource. 



The last date the user is valid. Valid only if 5.3 SP9 is selected as the version of the resource. 



The telephone number of the user's manager. Valid only if 5.3 SP9 is selected as the version of the resource. 



The telephone number of the requestor. Valid only if 5.3 SP9 is selected as the version of the resource. 



The Secure Network Communications user name. Valid only if 5.3 SP9 is selected as the version of the resource. 



Allows the use of the unsecure logon feature. The value of this attribute must be “true” or “false” and be of type String. Valid only if 5.3 SP9 is selected as the version of the resource. 

Resource Object Management

The adapter supports the following:

Identity Template

Not applicable

Sample Forms


Use the Waveset debug pages to set trace options on the following classes: