The SAP Governance, Risk, and Compliance (GRC) Access Enforcer resource adapter is defined in the com.waveset.adapter.AccessEnforcerResourceAdapter class. This class extends the SAPResourceAdapter class.
The Access Enforcer autoprovision setting must be set to true for the adapter to operate correctly.
The Access Enforcer resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

1. Download the JCo (Java Connection) toolkit from the following URL:

   http://service.sap.com/connectors

   Access to the SAP JCo download pages requires a login and password. The toolkit will have a name similar to sapjco-ntintel-2.1.8.zip. This name will vary depending on the platform and version selected.

   Make sure that the JCo toolkit you download matches the bit version of Java your application server runs on. For example, JCo is available only in the 64-bit version on the Solaris x86 platform. Therefore, your application server must be running the 64-bit version on the Solaris x86 platform.
2. Unzip the toolkit and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.
3. Copy the sapjco.jar file to the InstallDir\WEB-INF\lib directory.
4. Download the Apache Axis SOAP toolkit from the following URL:

   http://www.apache.org/dyn/closer.cgi/ws/axis/1_4/
5. Unzip the toolkit and follow the installation instructions.
6. Copy the following files to the InstallDir\WEB-INF\lib directory:
   - axis.jar
   - commons-discovery-0.2.jar
   - commons-logging-1.0.4.jar
   - jaxrpc.jar
   - log4j-1.2.8.jar
   - saaj.jar
   - wsdl4j-1.5.1.jar

   Other versions of the commons-discovery, commons-logging, log4j, and wsdl4j JAR files can be used instead.
7. To add an Access Enforcer resource to the Waveset resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.

   com.waveset.adapter.AccessEnforcerResourceAdapter
8. Import the $WSHOME/sample/accessenforcer.xml to enable support for Access Enforcer.
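The copy steps above can be checked before the application server is restarted. The following is an added example, not part of the Waveset documentation or product: it audits a listing of InstallDir\WEB-INF\lib for the JAR files named in the steps, accepts any version of the four libraries the page allows to vary, and flags a library present in more than one version, since which copy loads then depends on class loader ordering. The function name and the sample listing are assumptions.

```python
import re

# Exact file names from the installation steps.
EXACT = ("sapjco.jar", "axis.jar", "jaxrpc.jar", "saaj.jar")
# Libraries for which the page allows other versions.
VERSIONED = ("commons-discovery", "commons-logging", "log4j", "wsdl4j")


def audit_lib(filenames):
    """Return (missing, duplicated) for the file names found in WEB-INF/lib."""
    names = set(filenames)
    missing = [jar for jar in EXACT if jar not in names]
    duplicated = {}
    for base in VERSIONED:
        # Match "<base>-<version>.jar" where the version starts with a digit.
        pattern = re.compile(re.escape(base) + r"-(\d[\w.]*)\.jar")
        versions = sorted(
            m.group(1) for n in names if (m := pattern.fullmatch(n))
        )
        if not versions:
            missing.append(f"{base}-<version>.jar")
        elif len(versions) > 1:
            duplicated[base] = versions
    return missing, duplicated


# Constructed directory listing for illustration, not from a real install.
SAMPLE_LISTING = [
    "axis.jar", "jaxrpc.jar", "saaj.jar",
    "commons-discovery-0.2.jar", "commons-logging-1.0.4.jar",
    "commons-logging-1.1.1.jar", "log4j-1.2.8.jar",
]
```

For a real installation, pass the result of `os.listdir()` on the WEB-INF/lib directory to `audit_lib`.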
This section provides information about supported connections and privilege requirements.
Waveset uses BAPI over SAP Java Connector (JCo) to communicate with the SAP systems for the getUser and listObjects methods and the account iterator.
The user name that connects to SAP must be assigned to a role that can access the SAP users.
The following table summarizes the provisioning capabilities of this adapter.
The following table provides information about the account attributes that are specific to Access Enforcer. Refer to the documentation for the SAP adapter for information about general SAP attributes. Unless stated otherwise, all attribute types are String, and all attributes are write-only. The values for all attributes listed below are converted to uppercase.
| Identity System User Attribute | Resource Attribute Name | Description |
|---|---|---|
| aeUserId | UserId | Required. The User ID for the Access Enforcer account. |
| aeEmailAddress | EmailAddress | Required. The email assigned to the user. |
| aeFirstName | FirstName | Required. The user’s first name. |
| aeLastName | LastName | Required. The user’s last name. |
| aeRequestorId | RequestorId | Required. The user ID of the person requesting the account. |
| aeRequestorLastName | RequestorLastName | Required. The last name of the requestor. |
| aeRequestorFirstName | RequestorFirstName | Required. The first name of the requestor. |
| aeRequestorEmailAddr | RequestorEmailAddr | Required. The email address of the requestor. |
| aePriority | Priority | Required. The priority of the request. |
| aeApplication | Application | Required. The application to grant access to. |
| aeLocation | Location | The user’s location. |
| aeCompany | Company | The user’s company. |
| aeDepartment | Department | The user’s department. |
| aeEmployeeType | EmployeeType | The employment status of the user. |
| aeRequestReason | RequestReason | Description of why access is being requested. |
| aeRoles | Roles | Complex. The roles assigned to the user. This attribute contains values for ValidFrom, ValidTo, and Rolename. |
| aeValidFrom | ValidFrom | The beginning time of a request. |
| aeValidTo | ValidTo | The end time of a request. |
| aeTelephone | Telephone | The user’s telephone number. |
| aeManagerId | ManagerId | Required. The account ID of the user’s manager. This value must be a valid, existing value in Access Enforcer. |
| aeManagerFirstName | ManagerFirstName | Required. The manager’s first name. This value must be a valid, existing value in Access Enforcer. |
| aeManagerLastName | ManagerLastName | Required. The manager’s last name. This value must be a valid, existing value in Access Enforcer. |
| aeManagerEmailAddr | ManagerEmailAddr | Required. The manager’s email address. This value must be a valid, existing value in Access Enforcer. |
The attributes designated as required must be sent in the Submit Request service call. However, they are not marked as required on the schema map because of conflicts that may occur when updating a user that has other resources assigned.
Other attributes may be added to the schema map, but are considered custom attributes in Access Enforcer. To distinguish the custom attributes, you must prepend AE to any Resource User Attribute. (For example, AEMyAttribute.) The values for custom attributes are not converted to uppercase.
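Since the schema map does not mark the required attributes as required, they can be checked before a request is submitted. The following is an added example, not Waveset or adapter code: a pre-flight check over a dict of resource attributes that applies the rules stated above (required attributes present, listed values uppercased, unlisted attributes carrying the AE prefix and left as entered). The function name, the dict layout, the list-of-dicts form of Roles, and leaving Roles values unchanged are assumptions.

```python
REQUIRED = (
    "UserId", "EmailAddress", "FirstName", "LastName", "RequestorId",
    "RequestorLastName", "RequestorFirstName", "RequestorEmailAddr",
    "Priority", "Application", "ManagerId", "ManagerFirstName",
    "ManagerLastName", "ManagerEmailAddr",
)
OPTIONAL = (
    "Location", "Company", "Department", "EmployeeType", "RequestReason",
    "Roles", "ValidFrom", "ValidTo", "Telephone",
)
ROLE_FIELDS = ("ValidFrom", "ValidTo", "Rolename")

def preflight(attrs):
    """Return (normalized, problems) for a dict keyed by resource attribute name."""
    normalized, problems = {}, []
    for name in REQUIRED:
        if not str(attrs.get(name) or "").strip():
            problems.append(f"missing required attribute: {name}")
    for name, value in attrs.items():
        if name == "Roles":
            # Assumption: Roles is modelled here as a list of dicts.
            for i, role in enumerate(value):
                for field in ROLE_FIELDS:
                    if field not in role:
                        problems.append(f"Roles[{i}] lacks {field}")
            normalized[name] = value
        elif name in REQUIRED or name in OPTIONAL:
            # Listed attributes: the value is converted to uppercase.
            normalized[name] = str(value).upper()
        elif name.startswith("AE"):
            # Custom attribute: the value is passed through unchanged.
            normalized[name] = value
        else:
            problems.append(f"unlisted attribute needs the AE prefix: {name}")
    return normalized, problems

# Constructed sample request; every value is made up for illustration.
SAMPLE = {
    "UserId": "jdoe", "EmailAddress": "jdoe@example.com",
    "FirstName": "Jane", "LastName": "Doe", "Priority": "high",
    "RequestorId": "hradmin", "RequestorFirstName": "Pat",
    "RequestorLastName": "Lee", "RequestorEmailAddr": "pat@example.com",
    "Application": "ecc-prod", "ManagerId": "msmith",
    "ManagerFirstName": "Max", "ManagerLastName": "Smith",
    "Roles": [{"Rolename": "z_fi_clerk", "ValidFrom": "20240101"}],
    "AECostCenter": "cc-1001",  # custom attribute, correctly prefixed
    "Badge": "17",              # custom attribute without the AE prefix
}
```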
Not applicable
$accountId$
Access Enforcer User Form
Access Enforcer EnableDisableDelete Form
Use the Waveset debug pages to set trace options on the following classes:
com.waveset.adapter.AccessEnforcerResourceAdapter
com.waveset.adapter.SAPResourceAdapter
To determine which version of the SAP Java Connector (JCo) is installed, and to determine whether it is installed correctly, run the following command:
java -jar sapjco.jar
The command returns the JCo version as well as the platform-dependent JNI libraries and the RFC libraries that communicate with the SAP system.
If the platform-dependent libraries are not found, refer to the SAP documentation to find out how to correctly install the SAP Java Connector.