The integration scenario in which SAP BusinessObjects Access Control is used as the leading provisioning system and Waveset is used for provisioning to non-ERP systems requires specific configuration on both SAP Access Control and Waveset. The SAP Access Control configuration steps are part of the SAP GRC Access Control 5.3 Configuration Guide, chapter “Sending Provisioning Request to an IdM System”.
Waveset provides an SPML schema that defines the object class and extended request information needed to configure SAP Access Control integration. The schema is defined in InstallDir/sample/spml.xml. You must edit this file before loading it into Waveset. Specifically, you must uncomment the IDMperson object. This object includes a change to the standard person object, as described in the comments contained in the file.
After this task has been performed, the file must be imported and the configuration finished following the steps in Oracle Waveset 8.1.1 Web Services.
SAP Access Control tries to use HTTP basic authentication when it creates a connection to the Waveset system. If the container in which the Waveset server runs does not support basic authentication, a connection will be established without authentication. The user name and password specified in SAP Access Control as part of the connector cannot be used to create a Waveset session, and no request will be processed by Waveset without a valid session. This means that you must configure the proxy user and password for the SPML interface as described in Editing the Waveset.properties File in Oracle Waveset 8.1.1 Web Services. The proxy user will allow anyone access to the SPML interface, so care should be taken to shield the URL from misuse.
The following table lists actions and their corresponding parameter names and values. These must be set in the SAP Access Control connector configuration.
| Action | Parameter Name | Parameter Value |
|---|---|---|
| Create User | SCHEMA_ID | standard |
| | CREATE_USER:OC | IDMperson |
| | CREATE_USER:options.AllowPasswordGeneration | true |
| | CREATE_USER:options.onlyResourcesUserPasswordRequired | true |
| Change User | CHANGE_USER:OC | IDMperson |
| Delete User | DELETE_USER:OC | IDMperson |
| Assign Roles | ASSIGN_ROLES:OC | IDMperson |
| | ROLE | roles |
| Lock User | LOCK_USER:EXT | disableUser |
| Unlock User | UNLOCK_USER:EXT | enableUser |
| Audit Logs | not configurable | not applicable |
| | AUDIT_TYPE | statusrequest |
| Reset Password | RESET_PASSWORD:EXT | resetUserPassword |
| Search Password | SEARCH_PASSWORD:EXT | launchProcess |
| | SEARCH_PASSWORD:process | SPML Decrypt Password |
| | SEARCH_PASSWORD:taskName | Decrypt Password |
| Search | SEARCH_CRITERIA | identifier |
SAP Access Control currently does not support filtering the SPML attributes defined in the schema based on the object class. When you create the mapping for the SAP Access Control connector, all attributes are displayed, even the attributes that are not part of the object class used. During the fields mapping SAP Access Control sends a SchemaRequest to Waveset to allow you to map the attributes for the connector in SAP Access Control. By default, the Waveset schema contains multiple object classes, and you will see attributes that are not valid for the object class you have configured. There are two possible workarounds for this:
Reduce the SPML schema on the Waveset server temporarily to use just the object class and attributes needed. When the SAP Access Control server is configured you should reload the original schema again. Changes to the SPML schema require a restart of the server.
Use a printout of the schema, mark the attributes that belong to the object class used, and map only those; do not rely on the attributes presented in the drop-down of the SAP Access Control user interface.
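The second workaround can be scripted instead of done on paper. The following added example (not part of the Oracle documentation or the Waveset product) parses a SchemaResponse and separates the attributes that are valid for a given object class from everything else the SAP Access Control drop-down would show. It assumes the SPML 1.0 schema element layout and namespace; the sample schema, including which attributes belong to which object class, is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed SPML 1.0 schema layout and namespace; Waveset's own spml.xml may differ.
SPML_NS = "urn:oasis:names:tc:SPML:1:0"

# Constructed schemaResponse with two object classes. Which attributes belong
# to which class is illustrative, not copied from the Waveset sample schema.
SAMPLE_SCHEMA = f"""<schemaResponse xmlns="{SPML_NS}">
  <schema majorVersion="1" minorVersion="0">
    <attributeDefinition name="accountId"/>
    <attributeDefinition name="email"/>
    <attributeDefinition name="roles"/>
    <attributeDefinition name="manager"/>
    <objectClassDefinition name="person">
      <memberAttributes>
        <attributeDefinitionReference name="accountId" required="true"/>
        <attributeDefinitionReference name="manager"/>
      </memberAttributes>
    </objectClassDefinition>
    <objectClassDefinition name="IDMperson">
      <memberAttributes>
        <attributeDefinitionReference name="accountId" required="true"/>
        <attributeDefinitionReference name="email"/>
        <attributeDefinitionReference name="roles"/>
      </memberAttributes>
    </objectClassDefinition>
  </schema>
</schemaResponse>"""

def all_attributes(schema_xml):
    """Every attributeDefinition: what the SAP Access Control mapping drop-down shows."""
    root = ET.fromstring(schema_xml)
    return sorted(a.get("name") for a in root.iter(f"{{{SPML_NS}}}attributeDefinition"))

def attributes_for_object_class(schema_xml, oc_name):
    """The 'printout' view: only attributes referenced by one objectClassDefinition."""
    root = ET.fromstring(schema_xml)
    for oc in root.iter(f"{{{SPML_NS}}}objectClassDefinition"):
        if oc.get("name") == oc_name:
            refs = oc.iter(f"{{{SPML_NS}}}attributeDefinitionReference")
            return sorted(r.get("name") for r in refs)
    raise KeyError(f"object class {oc_name!r} not in schema")

def invalid_for_object_class(schema_xml, oc_name):
    """Attributes shown in the drop-down that must NOT be mapped for oc_name."""
    valid = set(attributes_for_object_class(schema_xml, oc_name))
    return sorted(set(all_attributes(schema_xml)) - valid)
```

Run it against the real SchemaResponse captured from the Waveset server and use the output of `attributes_for_object_class(..., "IDMperson")` as the checklist when building the connector mapping.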
The following table lists field mappings for the SAP Access Control connector. This is not a complete list of all the fields which could be mapped.
| Access Control Field | Application Field |
|---|---|
| Email Address - STANDARD | |
| User FName - STANDARD | gn |
| User ID - STANDARD | accountId |
| User LName - STANDARD | sn |
These application fields are the SPML schema attribute names. These names do not have to correspond with internal Waveset attribute names. In the SPML configuration, these names can be mapped using a form to internal Waveset attribute names.
The SAP Access Control connector must not be configured to run over HTTPS.
An action on a user is a request SAP Access Control sends to Waveset using SPML. The SPML request is a batch request type. One request in SAP Access Control can consist of multiple steps, each an individual SPML request inside the batch, that Waveset must process. This behavior is not configurable on the SAP Access Control side, but it has implications for processing the request on both systems.
Waveset processes the individual requests inside the batch in the order that they are received. A status is returned for each of the requests processed: success, failure, or pending. A failure will show up as an error in SAP Access Control, marking the action appropriately. Any request that requires an approval or other manual action in Waveset creates a background process. The status that is returned for these requests will be pending. Any pending requests will be interpreted as a failed request by SAP Access Control. Processing of the request on the Waveset side is not impacted by this.
SAP Access Control does not maintain state of the individual requests sent inside the batch and marks the whole request as a failure if at least one request returns a status of failure. The approval or manual action on Waveset should complete as normal. If the changes were approved in Waveset, the request must then be resubmitted or reapproved in SAP Access Control. This action will generate a new batch request which will retry each individual request. In this case, the audit log entries in SAP Access Control could show inconsistent information about the user state on Waveset. The final state in SAP Access Control should be correct after the batch request is resubmitted.
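The status handling described above is easy to misread from the SAP Access Control side alone. The following added example (not code from Oracle or SAP) parses a batch response the way the two systems interpret it: Waveset reports one status per sub-request in received order, while SAP Access Control collapses the batch to a single verdict and treats pending exactly like failure. It assumes the SPML 1.0 namespace and result URI form; the batchResponse is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed SPML 1.0 namespace and result URI form (urn:...:SPML:1:0#success etc.).
SPML_NS = "urn:oasis:names:tc:SPML:1:0"
RESULT_PREFIX = SPML_NS + "#"

# Constructed batchResponse for one SAP Access Control action that Waveset
# answered as three sub-requests. The modify (role assignment) needs an
# approval in Waveset, so Waveset reports it as pending, not failed.
SAMPLE_BATCH = f"""<batchResponse xmlns="{SPML_NS}" requestID="req-1001">
  <addResponse requestID="req-1001-1" result="{RESULT_PREFIX}success"/>
  <modifyResponse requestID="req-1001-2" result="{RESULT_PREFIX}pending"/>
  <extendedResponse requestID="req-1001-3" result="{RESULT_PREFIX}success"/>
</batchResponse>"""

def waveset_statuses(batch_xml):
    """Per-sub-request status as Waveset reports it, in received order:
    [(requestID, 'success' | 'failure' | 'pending'), ...]."""
    root = ET.fromstring(batch_xml)
    statuses = []
    for child in root:
        result = child.get("result", "")
        if not result.startswith(RESULT_PREFIX):
            raise ValueError(f"unexpected result value {result!r}")
        statuses.append((child.get("requestID"), result[len(RESULT_PREFIX):]))
    return statuses

def access_control_verdict(batch_xml):
    """How SAP Access Control marks the whole action: no per-request state is
    kept, and anything that is not success (pending included) fails the batch."""
    failed = [rid for rid, status in waveset_statuses(batch_xml) if status != "success"]
    return ("failure", failed) if failed else ("success", [])
```

When the SAP Access Control audit log shows a failed action, compare it with the per-request list: a sub-request that is merely pending is still progressing in Waveset and will be retried by the resubmitted batch.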
When a user is created in Waveset using SPML from SAP Access Control, Waveset generates the password. SAP Access Control does not provide a password in the initial create request, but it tries to retrieve the password from Waveset in clear text after the user has been created. To satisfy SAP Access Control process requirements, the Create User workflow generates the password and informs the user by sending an email notification. The workflow sends a notification only if the user has no password and if the AllowPasswordGeneration parameter is set to true.
Waveset uses the Generated Password Notice email template to send out this notification.
SAP Access Control can request audit log entries from the Waveset system, but these entries are not automatically enabled. The default requests rely on audit entries that have the SPML request ID as part of the attributes. Normal audit log entries neither contain nor have access to the SPML request ID.
To enable this feature, add the following attribute to the Waveset.properties file:
soap.auditlog=true
With this setting, Waveset adds request IDs to all subsequent audit events. It does not change any of the currently logged entries. The number of logged audit events will not increase or decrease as a result of this change. However, the same audit entry can be logged twice: once with the request ID, and once without.
SPML requests that contain one request ID and multiple actions are called batch requests. SAP Access Control often uses them during updates of user objects. These batch requests cause multiple audit log entries to be generated with the same SPML request ID. The Waveset Administrator interface displays these log entries as separate entries. If the extended SPML request auditlog is used to retrieve the audit log entries, only one entry will be returned. This behavior might change in future releases.