If you are using this adapter with the External Policy Check workflow process, disable the SAP Access Control autoprovision setting in the SAP Access Control user interface, because provisioning is then performed by Waveset through an SAP connector. For the External Resource integration, enable the setting so that SAP Access Control performs the provisioning once its workflow processes and approvals are complete.
The SAP Access Control web service adapter is a custom adapter. You must perform the following steps to complete the installation process.
Download GlassFish Metro 1.5 from the following location:
https://metro.dev.java.net/1.5/
GlassFish Metro might be incompatible with Apache Axis on some application servers. In that case, remove Apache Axis from the application server if it is present.
Install Metro on your application server. Refer to the Metro documentation for more information.
If you are installing Metro on JBoss 4.2.3 with JDK 1.6, delete all the JAR files related to JAXB, JAXWS, and JAAS from the jboss-4.2.3\lib\endorsed directory, keeping only the following:
Serializer.jar
Xalan.jar
xercesImpl.jar
Then copy the following files from the Metro distribution into the idm-dir/WEB-INF/lib directory of the Waveset deployment:
webservices-api.jar
webservices-extra.jar
webservices-extra-api.jar
webservices-rt.jar
webservices-tools.jar
webservices.war
On other application servers, the following JAR files must be available to Waveset at runtime:
webservices-api.jar
webservices-extra.jar
webservices-extra-api.jar
webservices-rt.jar
webservices-tools.jar
Download the JCo (Java Connector) toolkit from http://service.sap.com/connectors. (Access to the SAP JCo download pages requires a login and password.) The toolkit has a name similar to sapjco-ntintel-2.1.6.zip; the exact name depends on the platform and version selected.
Make sure that the JCo toolkit you download matches the bit width (32-bit or 64-bit) of the JVM your application server runs on. For example, on the Solaris x86 platform JCo is available only as a 64-bit build, so the application server there must run on a 64-bit JVM.
Unzip the toolkit and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.
If you plan to use the SAP Access Control web service adapter with the Sun Application Server on a Windows machine, you must also add the SAP JCo RFC DLLs to the Sun Application Server lib directory; otherwise an error results.
For SAP JCo 2.1.8: Add the sapjcorfc.dll and the librfc32.dll files to the Sun-app-server-install-dir/lib directory and restart the server.
For SAP JCo 3.0.x: Add the sapjco3.dll file to the Sun-app-server-install-dir/lib directory and restart the server.
Copy the sapjco.jar file to the InstallDir\WEB-INF\lib directory.
To add an SAP Access Control resource to the Waveset resources list, add the following class name to the CustomResources section of the Configure Managed Resources page:
com.waveset.adapter.SAPAccessControlWebServiceAdapter
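The file layout the installation steps above leave behind is easy to get subtly wrong (a stray JAXB JAR still in lib/endorsed, a missing Metro JAR, an Axis JAR left in WEB-INF/lib, or a 64-bit JCo library under a 32-bit JVM). The following pre-flight check is an added example written for this page; it is not Waveset or SAP code. The directory paths, the sample layout built by demo_layout() and the file headers it writes are constructed for illustration. It reads the endorsed-directory rule as "keep only Serializer.jar, Xalan.jar and xercesImpl.jar", and it checks the bit width of the JCo native library by parsing its ELF or PE header rather than trusting the download's file name.

```python
"""Offline pre-flight check for the Metro and JCo file layout described above.
Added example, not Waveset or SAP code. Paths and the constructed sample layout
in demo_layout() are assumptions; point the functions at your own server."""
import os
import struct
import tempfile

# JBoss 4.2.3 with JDK 1.6: only these three may stay in jboss-4.2.3/lib/endorsed
ENDORSED_KEEP = {"serializer.jar", "xalan.jar", "xercesimpl.jar"}
# Metro JARs the page lists as required at runtime in WEB-INF/lib
METRO_RUNTIME_JARS = ("webservices-api.jar", "webservices-extra.jar",
                      "webservices-extra-api.jar", "webservices-rt.jar",
                      "webservices-tools.jar")
JCO_JAR = "sapjco.jar"  # JCo toolkit JAR that must also be copied to WEB-INF/lib

# Constructed file headers for demo_layout() and tests: a 64-bit ELF and an x64 PE stub
SAMPLE_ELF64 = b"\x7fELF\x02" + b"\0" * 59
SAMPLE_PE_X64 = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
                 + b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18)

def _jars(directory):
    """Sorted names of the .jar files in a directory (empty if it does not exist)."""
    if not os.path.isdir(directory):
        return []
    return sorted(n for n in os.listdir(directory) if n.lower().endswith(".jar"))

def endorsed_jars_to_delete(endorsed_dir):
    """JARs in lib/endorsed other than the three the page keeps."""
    # Reads the page as: only Serializer, Xalan and xercesImpl remain (JAXB/JAXWS/JAAS go)
    return [n for n in _jars(endorsed_dir) if n.lower() not in ENDORSED_KEEP]

def missing_webinf_jars(webinf_lib):
    """Required Metro JARs, plus sapjco.jar, not yet present in WEB-INF/lib."""
    present = {n.lower() for n in _jars(webinf_lib)}
    return [j for j in METRO_RUNTIME_JARS + (JCO_JAR,) if j not in present]

def axis_jars(*dirs):
    """Apache Axis JARs, which the page says may conflict with Metro."""
    return [os.path.join(d, n) for d in dirs for n in _jars(d)
            if n.lower().startswith("axis")]

def bits_from_header(data):
    """32 or 64 from the leading bytes of an ELF or PE file; None if unrecognised."""
    if data[:4] == b"\x7fELF":                   # e_ident[EI_CLASS]: 1 = 32-bit, 2 = 64-bit
        return {1: 32, 2: 64}.get(data[4])
    if data[:2] == b"MZ" and len(data) >= 0x40:  # PE: IMAGE_FILE_HEADER.Machine after "PE\0\0"
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
        return {0x014C: 32, 0x8664: 64, 0x0200: 64}.get(machine)
    return None

def native_library_bits(path):
    """Bit width of a JCo native library (librfc32.dll, sapjcorfc.dll, sapjco3.dll, .so)."""
    with open(path, "rb") as f:
        return bits_from_header(f.read(4096))

def preflight(endorsed_dir, webinf_lib, jco_native=None, jvm_data_model=None):
    """Everything the installation steps above would still leave to fix."""
    problems = ["delete from lib/endorsed: " + n for n in endorsed_jars_to_delete(endorsed_dir)]
    problems += ["missing from WEB-INF/lib: " + j for j in missing_webinf_jars(webinf_lib)]
    problems += ["remove Apache Axis JAR: " + p for p in axis_jars(webinf_lib)]
    if jco_native is not None and jvm_data_model is not None:
        lib = native_library_bits(jco_native)   # jvm_data_model: the JVM's sun.arch.data.model
        if lib and lib != jvm_data_model:
            problems.append("JCo library is %d-bit but the JVM is %d-bit" % (lib, jvm_data_model))
    return problems

def demo_layout():
    """Constructed, deliberately wrong layout in a temp dir: (endorsed, webinf_lib, native)."""
    root = tempfile.mkdtemp()
    endorsed = os.path.join(root, "endorsed")
    webinf = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(endorsed)
    os.makedirs(webinf)
    for name in ("jaxb-api.jar", "jaxws-api.jar", "Xalan.jar", "xercesImpl.jar"):
        open(os.path.join(endorsed, name), "wb").close()
    for name in ("webservices-rt.jar", "webservices-api.jar", "axis.jar"):
        open(os.path.join(webinf, name), "wb").close()
    native = os.path.join(root, "libsapjcorfc.so")
    with open(native, "wb") as f:
        f.write(SAMPLE_ELF64)
    return endorsed, webinf, native

if __name__ == "__main__":
    for problem in preflight(*demo_layout(), jvm_data_model=32):
        print(problem)
```

Run it against the real jboss-4.2.3/lib/endorsed and idm-dir/WEB-INF/lib directories, passing the value of the JVM's sun.arch.data.model system property (32 or 64) as jvm_data_model; an empty result means the layout matches the steps above. The check does not verify the CustomResources entry, which lives in Waveset configuration rather than on disk.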
The SAP Access Control adapter can be used in the following types of integrations:
External Policy Check Integration. Waveset submits risk analysis requests to SAP Access Control over web services for Segregation of Duties (SoD) compliance checks. In this option Waveset is the front-end interface and initiates requests into SAP Access Control for risk analysis. This integration requires an SAP Access Control adapter to handle all web service requests and an SAP connector for provisioning.
External Resource Integration. Waveset submits provisioning requests through SAP Access Control. In this option Waveset initiates the workflow processes configured in SAP Access Control, and SAP Access Control performs the provisioning operations after its workflow processes and approvals are complete. This integration requires an SAP Access Control adapter to handle the risk analysis web service requests and an external resource for provisioning.
The External SAP Access Control User Form aggregates the data required for an SAP Access Control Risk Analysis web service implemented through the SAP Access Control adapter. This data is placed in the accounts[Lighthouse].properties.externalPolicy[ResourceName] property in the User object.
This section provides information about supported connections and privilege requirements.
Supported connections: web services using GlassFish Metro.
Privilege requirements: the user name that connects to Access Control must be assigned to a role that can access the SAP users.
This adapter does not support provisioning directly. If you are implementing an external policy check, use an SAP connector for provisioning. Otherwise, use an external resource that is configured with Web Service Notification and that names this SAP Access Control resource as the delegated resource for provisioning requests.
The following table provides information about the account attributes that are specific to SAP Access Control. Refer to the documentation for the SAP Access Control web services and SAP Access Control for information about general SAP attributes. Unless stated otherwise, all attribute types are String.
| Identity System User Attribute | Resource User Attribute | Description |
|---|---|---|
| firstname | firstname | Required. The user's first name. |
| lastname | lastname | Required. The user's last name. |
| | | Required. The email assigned to the user. |
| acUserId | userId | Required. The User ID for the Access Control account. |
| acManagerId | managerId | Required if a Manager stage is configured. The account ID of the user's manager. |
| acManagerFirstname | managerFirstname | Required if a Manager stage is configured. The manager's first name. |
| acManagerLastname | managerLastname | Required if a Manager stage is configured. The manager's last name. |
| acManagerEmail | managerEmail | Required if a Manager stage is configured. The email assigned to the manager. This value must be a valid, existing value in Access Control. |
| acRequestorId | requestorId | Required. The user ID of the person requesting the account. |
| acRequestorFirstname | requestorFirstname | Required. The requestor's first name. |
| acRequestorLastname | requestorLastname | Required. The requestor's last name. |
| acRequestorEmail | requestorEmail | Required. The email address of the requestor. |
| acApplications | applications | Required. The applications to grant access to. This value is a comma-separated list. |
| acRoles | rolesObject | Required. Complex data type. The roles assigned to the user. This attribute contains values for ValidFrom, ValidTo, Rolename, CoApplicationId, and Company. |
| acPriority | priority | Required. The priority of the request. |
| acEmployeeType | employeeType | The employment status of the user. |
| acCustomFields | customFieldsObject | Complex data type. Additional fields for the user. |
| acFunctionalArea | functionalArea | SAP functional area for the user. Valid only if 5.3 SP9 is selected as the version of the resource. |
| acValidFrom | validFrom | The first date the user is valid. Valid only if 5.3 SP9 is selected as the version of the resource. |
| acValidTo | validTo | The last date the user is valid. Valid only if 5.3 SP9 is selected as the version of the resource. |
| acManagerTelephone | managerTelephone | The telephone number of the user's manager. Valid only if 5.3 SP9 is selected as the version of the resource. |
| acRequestorTelephone | requestorTelephone | The telephone number of the requestor. Valid only if 5.3 SP9 is selected as the version of the resource. |
| acSNCName | sNCName | The Secure Network Communications user name. Valid only if 5.3 SP9 is selected as the version of the resource. |
| acUnsecureLogon | unsecureLogon | Allows the use of the unsecure logon feature. The value of this attribute must be "true" or "false" and be of type String. Valid only if 5.3 SP9 is selected as the version of the resource. |
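The table above encodes several rules that are easy to violate from a user form: the manager attributes are required only when a Manager stage is configured, the 5.3 SP9 attributes must not be sent to an older resource version, acUnsecureLogon must be the String "true" or "false" rather than a boolean, and acRoles entries must carry all five sub-values. The following validator is an added example written for this page, not Waveset or SAP code; it checks a request against those rules and renames the Identity System attributes to the Resource User Attribute names. The request dict layout, the name "email" for the attribute whose names are blank in the table, the list-of-dicts shape for the complex types, the version string "5.3 SP9" and the sample request values are assumptions made for illustration.

```python
"""Validate a request against the attribute table above and map it to resource names.
Added example, not Waveset or SAP code. The dict layout, the assumed name "email",
the list-of-dicts complex types and the version string are illustration assumptions."""

VERSION_53_SP9 = "5.3 SP9"

# Identity System attribute -> (Resource User Attribute, requirement)
# requirement: "always", "manager" (only when a Manager stage is configured) or None
ATTRIBUTES = {
    "firstname": ("firstname", "always"),
    "lastname": ("lastname", "always"),
    "email": ("email", "always"),  # assumed name: both name columns are blank in the table
    "acUserId": ("userId", "always"),
    "acManagerId": ("managerId", "manager"),
    "acManagerFirstname": ("managerFirstname", "manager"),
    "acManagerLastname": ("managerLastname", "manager"),
    "acManagerEmail": ("managerEmail", "manager"),
    "acRequestorId": ("requestorId", "always"),
    "acRequestorFirstname": ("requestorFirstname", "always"),
    "acRequestorLastname": ("requestorLastname", "always"),
    "acRequestorEmail": ("requestorEmail", "always"),
    "acApplications": ("applications", "always"),
    "acRoles": ("rolesObject", "always"),
    "acPriority": ("priority", "always"),
    "acEmployeeType": ("employeeType", None),
    "acCustomFields": ("customFieldsObject", None),
    "acFunctionalArea": ("functionalArea", None),
    "acValidFrom": ("validFrom", None),
    "acValidTo": ("validTo", None),
    "acManagerTelephone": ("managerTelephone", None),
    "acRequestorTelephone": ("requestorTelephone", None),
    "acSNCName": ("sNCName", None),
    "acUnsecureLogon": ("unsecureLogon", None),
}
# Attributes the table marks "Valid only if 5.3 SP9 is selected as the version"
SP9_ONLY = {"acFunctionalArea", "acValidFrom", "acValidTo", "acManagerTelephone",
            "acRequestorTelephone", "acSNCName", "acUnsecureLogon"}
COMPLEX = {"acRoles", "acCustomFields"}  # every other attribute must be a String
ROLE_KEYS = {"ValidFrom", "ValidTo", "Rolename", "CoApplicationId", "Company"}

def validate(request, version, manager_stage):
    """Return the list of problems; an empty list means the request passes the table's rules."""
    errors = []
    for name, (_, need) in ATTRIBUTES.items():
        if (need == "always" or (need == "manager" and manager_stage)) and not request.get(name):
            errors.append("missing required attribute " + name)
    for name, value in request.items():
        if name not in ATTRIBUTES:
            errors.append("unknown attribute " + name)
            continue
        if name in SP9_ONLY and version != VERSION_53_SP9:
            errors.append("%s is valid only when the resource version is %s" % (name, VERSION_53_SP9))
        if name not in COMPLEX and not isinstance(value, str):
            errors.append("%s must be a String, got %s" % (name, type(value).__name__))
        elif name == "acApplications" and not [a for a in value.split(",") if a.strip()]:
            errors.append("acApplications must list at least one application")
        elif name == "acUnsecureLogon" and value not in ("true", "false"):
            errors.append('acUnsecureLogon must be the string "true" or "false"')
    for role in request.get("acRoles") or []:  # assumed shape: one dict per role
        missing = ROLE_KEYS - set(role) if isinstance(role, dict) else ROLE_KEYS
        if missing:
            errors.append("acRoles entry is missing " + ", ".join(sorted(missing)))
    return errors

def to_resource_attributes(request):
    """Rename Identity System attributes to the Resource User Attribute names."""
    return {ATTRIBUTES[n][0]: v for n, v in request.items() if n in ATTRIBUTES}

# Constructed sample request; acUnsecureLogon is deliberately a boolean, not a String
SAMPLE_REQUEST = {
    "firstname": "Ada", "lastname": "Lovelace", "email": "ada@example.com",
    "acUserId": "ALOVELACE",
    "acRequestorId": "JDOE", "acRequestorFirstname": "Jane",
    "acRequestorLastname": "Doe", "acRequestorEmail": "jane.doe@example.com",
    "acApplications": "ERP, CRM",
    "acRoles": [{"ValidFrom": "2010-01-01", "ValidTo": "2010-12-31", "Rolename": "Z_FI_AP",
                 "CoApplicationId": "ERP", "Company": "Example AG"}],
    "acPriority": "HIGH",
    "acUnsecureLogon": True,
}

if __name__ == "__main__":
    for err in validate(SAMPLE_REQUEST, VERSION_53_SP9, manager_stage=False):
        print("problem:", err)
    print(to_resource_attributes(dict(SAMPLE_REQUEST, acUnsecureLogon="false")))
```

The type check is deliberately strict about acUnsecureLogon: a boolean that a form serialises as "True" would silently fail the "true"/"false" rule on the Access Control side, so the validator rejects it before the web service call is made.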
The adapter supports the following operations on resource objects:
list roles
get roles
get role
list applications
get applications
get application
Identity template: Not applicable.
SAPAccessControlUserForm.xml (for use with the SAP Connector User Form)
SAPAccessControlCompViol.xml
ExternalSAPAccesControlUserForm.xml (for use when an external resource is used for provisioning)
Use the Waveset debug pages to set trace options on the following classes:
com.waveset.adapter.SAPAccessControlWebServiceAdapter
com.waveset.adapter.WebServiceResourceAdapter