Oracle Waveset 8.1.1 Deployment Guide

SPML 1.0 Integration

The integration scenario in which SAP BusinessObjects Access Control is used as the leading provisioning system and Waveset is used for provisioning to non-ERP systems requires specific configuration on both SAP Access Control and Waveset. The SAP Access Control configuration steps are part of the SAP GRC Access Control 5.3 Configuration Guide, chapter “Sending Provisioning Request to an IdM System”.

SPML Configuration

Waveset provides an SPML schema that defines the object class and extended request information needed to configure SAP Access Control integration. The schema is defined in InstallDir/sample/spml.xml. You must edit this file before loading it into Waveset. Specifically, you must uncomment the IDMperson object. This object includes a change to the standard person object, as described in the comments contained in the file.

After this task has been performed, the file must be imported and the configuration finished following the steps in Oracle Waveset 8.1.1 Web Services.


Note –

SAP Access Control tries to use HTTP basic authentication when it creates a connection to the Waveset system. If the container in which the Waveset server runs does not support basic authentication, a connection will be established without authentication. The user name and password specified in SAP Access Control as part of the connector cannot be used to create a Waveset session. No request will be processed by Waveset without a valid session. This means that you must configure the proxy user and password for the SPML interface as described in Editing the Waveset.properties File in Oracle Waveset 8.1.1 Web Services. The proxy user will allow anyone access to the SPML interface, so care should be taken to shield the URL from misuse.


SAP Access Control Configuration Information

The following table lists actions and their corresponding parameter names and values. These must be set in the SAP Access Control connector configuration.

Action           Parameter Name                                         Parameter Value
---------------  -----------------------------------------------------  ---------------------
Create User      SCHEMA_ID                                              standard
                 CREATE_USER:OC                                         IDMperson
                 CREATE_USER:options.AllowPasswordGeneration            true
                 CREATE_USER:options.onlyResourcesUserPasswordRequired  true
Change User      CHANGE_USER:OC                                         IDMperson
Delete User      DELETE_USER:OC                                         IDMperson
Assign Roles     ASSIGN_ROLES:OC                                        IDMperson
                 ROLE                                                   roles
Lock User        LOCK_USER:EXT                                          disableUser
Unlock User      UNLOCK_USER:EXT                                        enableUser
Audit Logs       not configurable                                       not applicable
                 AUDIT_TYPE                                             statusrequest
Reset Password   RESET_PASSWORD:EXT                                     resetUserPassword
Search Password  SEARCH_PASSWORD:EXT                                    launchProcess
                 SEARCH_PASSWORD:process                                SPML Decrypt Password
                 SEARCH_PASSWORD:taskName                               Decrypt Password
Search           SEARCH_CRITERIA                                        identifier

SAP Access Control currently does not support filtering the SPML attributes defined in the schema based on the object class. When you create the mapping for the SAP Access Control connector, all attributes are displayed, even the attributes that are not part of the object class used. During field mapping, SAP Access Control sends a SchemaRequest to Waveset so that you can map the attributes for the connector in SAP Access Control. By default, the Waveset schema contains multiple object classes, so you will see attributes that are not valid for the object class you have configured. There are two possible workarounds for this:

The following table lists field mappings for the SAP Access Control connector. This is not a complete list of all the fields which could be mapped.

Access Control Field      Application Field
------------------------  -----------------
Email Address - STANDARD  email
User FName - STANDARD     gn
User ID - STANDARD        accountId
User LName - STANDARD     sn

These application fields are the SPML schema attribute names. These names do not have to correspond with internal Waveset attribute names. In the SPML configuration, these names can be mapped using a form to internal Waveset attribute names.


Note –

The SAP Access Control connector must not be configured to run over HTTPS.


SPML Request Behavior

An action on a user is a request SAP Access Control sends to Waveset using SPML. The SPML request is a batch request type. One request in SAP Access Control can consist of multiple steps, each an individual SPML request inside the batch, that Waveset must process. This behavior is not configurable on the SAP Access Control side, but it has implications for processing the request on both systems.

Waveset processes the individual requests inside the batch in the order that they are received. A status is returned for each of the requests processed: success, failure, or pending. A failure will show up as an error in SAP Access Control, marking the action appropriately. Any request that requires an approval or other manual action in Waveset creates a background process. The status that is returned for these requests will be pending. Any pending requests will be interpreted as a failed request by SAP Access Control. Processing of the request on the Waveset side is not impacted by this.

SAP Access Control does not maintain state for the individual requests sent inside the batch and marks the whole request as a failure if at least one request returns a status of failure. The approval or manual action on Waveset should complete as normal. If the changes were approved in Waveset, the request must then be resubmitted or reapproved in SAP Access Control. This action will generate a new batch request, which will retry each individual request. In this case, the audit log entries in SAP Access Control could show inconsistent information about the user state on Waveset. The final state in SAP Access Control should be correct after the batch request is resubmitted.
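The batch-status rules above, as an added example that is not part of the Waveset guide: a small Python script parses a constructed SPML 1.0 batchResponse and applies the interpretation the guide describes (one status per step; SAP Access Control treats any failure or pending step as a failed request, while Waveset keeps processing the pending step). The response XML is constructed for illustration; element and result names follow SPML 1.0, and the request IDs are made up.

```python
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:1:0"

# Constructed sample: a three-step batch (create user, an extended request that
# hit a Waveset approval and is therefore pending, and a modify). Request IDs
# are made up; only the element and result names come from SPML 1.0.
SAMPLE_BATCH_RESPONSE = f"""<spml:batchResponse xmlns:spml="{SPML_NS}" requestID="req-1001">
  <spml:addResponse requestID="req-1001-1" result="{SPML_NS}#success"/>
  <spml:extendedResponse requestID="req-1001-2" result="{SPML_NS}#pending"/>
  <spml:modifyResponse requestID="req-1001-3" result="{SPML_NS}#success"/>
</spml:batchResponse>"""


def per_request_status(batch_xml):
    """Return [(requestID, status)] for each step in the batch, in the order
    Waveset processed them. Status is the part after '#' in the result URN:
    success, failure or pending."""
    root = ET.fromstring(batch_xml)
    statuses = []
    for step in root:  # child elements are the individual responses
        result = step.get("result", "")
        status = result.split("#", 1)[1] if "#" in result else "unknown"
        statuses.append((step.get("requestID"), status))
    return statuses


def access_control_verdict(statuses):
    """How SAP Access Control marks the whole request: it keeps no per-step
    state, so one failure fails everything, and a pending step (approval or
    other manual action in Waveset) is also read as a failure."""
    if statuses and all(status == "success" for _, status in statuses):
        return "success"
    return "failure"


def steps_to_reconcile(statuses):
    """Steps an operator should check in Waveset before resubmitting the
    request in Access Control, since the resubmission retries every step."""
    return [rid for rid, status in statuses if status in ("failure", "pending")]


if __name__ == "__main__":
    steps = per_request_status(SAMPLE_BATCH_RESPONSE)
    print(steps)
    print("Access Control verdict:", access_control_verdict(steps))
    print("Reconcile before resubmitting:", steps_to_reconcile(steps))
```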

User Create Password Notification

When a user is created in Waveset using SPML from SAP Access Control, Waveset generates the password. SAP Access Control does not provide a password in the initial create request, but it tries to retrieve the password from Waveset in clear text after the user has been created. To satisfy SAP Access Control process requirements, the Create User workflow generates the password and informs the user by sending an email notification. The workflow sends a notification only if the user has no password and if the AllowPasswordGeneration parameter is set to true.

Waveset uses the Generated Password Notice email template to send out this notification.

Audit Log Support

SAP Access Control can request audit log entries from the Waveset system, but these entries are not automatically enabled. The default requests rely on audit entries that have the SPML request ID as part of the attributes. Normal audit log entries neither contain nor have access to the SPML request ID.

To enable this feature, add the following attribute to the Waveset.properties file:

soap.auditlog=true

With this setting, Waveset adds request IDs to all subsequent audit events. It does not change any of the currently logged entries. The number of logged audit events will not increase or decrease as a result of this change. However, the same audit entry can be logged twice: once with the request ID, and once without.

SPML requests that contain one request ID and multiple actions are called batch requests. SAP Access Control often uses them during updates of user objects. These batch requests cause multiple audit log entries to be generated with the same SPML request ID. The Waveset Administrator interface displays these log entries as separate entries. If the extended SPML request auditlog is used to retrieve the audit log entries, only one entry will be returned. This behavior might change in future releases.