Sun[TM] Identity Manager 8.0 Resources Reference
SAP
The SAP resource adapter supports SAP R/3 and SAP R/3 Enterprise. The resource adapter is defined in the com.waveset.adapter.SAPResourceAdapter class.
Resource Configuration Notes
To enable the ability for a user to change his or her own SAP password, perform the following steps:
Identity Manager Installation Notes
The SAP resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
- Download the JCo (Java Connection) toolkit from http://service.sap.com/connectors. (Access to the SAP JCO download pages requires a login and password.) The toolkit will have a name similar to sapjco-ntintel-2.1.6.zip. This name will vary depending on the platform and version selected.
- Unzip the toolkit and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.
- Copy the sapjco.jar file to the InstallDir\WEB-INF\lib directory.
- To add an SAP resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SAPResourceAdapter
Usage Notes
This section provides information related to using the SAP resource adapter, which is organized into the following sections:
General Notes
The following general notes are provided for the resource:
- To allow editing of to and from dates on a per activity group basis, load the SAPUserForm_with_RoleEffectiveDates_Timezone.xml form. This form also provides the ability to select a time zone for the user.
- The sources.ResourceName.hosts property in the waveset.properties file can be used to control which host or hosts in a cluster will be used to execute the synchronization portion of an Active Sync resource adapter. ResourceName must be replaced with the name of the Resource object.
- The sample user forms SAPUserForm.xml and SAPUserForm_with_RoleEffectiveDates_Timezone.xml now contain a definition for a field that pre-expires the user’s password. If this field's value is true, and an Identity Manager administrator creates or changes a user’s password, the user must specify a new password upon logging in to SAP.
Enabling Secure Network Communications (SNC) Connections
By default, the SAP adapter uses the SAP Java Connector (JCo) to communicate with the SAP adapters. For information about implementing SNC connections, see Enabling Secure Network Communications (SNC) Connections.
SAP JCO and RFC Tracing
The SAPResourceAdapter and the SAPHRActiveSyncAdapter provide resource attributes for SAP JCO and RFC tracing. They can be used to trace Identity Manager's communication with the SAP system. The attributes are JCO Trace Level and JCO Trace Directory.
The following environment variables can be set to enable SAP RFC tracing. These variables must be set in the environment before starting the application server. They control the shared library that JCO uses to communicate with the SAP system.
Renaming Accounts
The SAP adapter now supports renaming accounts, except when CUA mode is enabled on the adapter. The adapter performs this function by copying an existing account to a new account and deleting the original. SAP discourages renaming accounts, but provides the option in the user management application (Transaction SU01 from the SAP GUI). Therefore, Identity Manager also supports the option. Be aware that SAP may not support the rename feature in future releases.
The SAP GUI uses a different method to perform the rename because it has access to non-public APIs and to the SAP kernel. The following steps provide a high-level description of how the adapter performs the rename operation:
1. Get the user information for the existing user.
2. Save the ALIAS attribute, if one exists.
3. Create the new user.
4. Set the Activity Groups on the new user.
5. Set the Profiles on the new user.
6. Get the old user's Personalization Data.
7. Set the new user's Personalization Data.
8. Delete the old user.
9. Set the Alias on the new user if one was set on the old user.
If an error occurs during steps 1-3, the operation fails immediately. If an error occurs during steps 4-7, the new user is deleted and the whole operation fails. (If the new user cannot be deleted, a warning is placed into the WavesetResult.) If an error occurs during steps 8-9, a warning is added to the WavesetResult, but the operation succeeds.
The Rename operation requires that a new password be set on the new user. This is most easily accomplished by customizing the Rename User Task to invoke the Change User Password Task.
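The failure handling described for the rename steps, modeled as an added example (this is not Identity Manager or JCo code). The in-memory `sap` dict, the `fail_at` fault injection, the sample account and the choice to stop at the first failing step in steps 8-9 are assumptions made for illustration.

```python
def sample():
    # Constructed sample account, not real SAP data.
    return {"JDOE": {"alias": "jd", "activity_groups": ["Z_HR"], "profiles": ["Z_P"]}}

def rename_account(sap, old, new, fail_at=()):
    """sap: dict of account id -> attribute dict. Returns (succeeded, warnings)."""
    warnings = []

    def step(n, action):
        if n in fail_at:                       # constructed fault injection
            raise RuntimeError(f"step {n} failed")
        return action()

    def create():
        if new in sap:
            raise RuntimeError(f"{new} already exists")
        sap[new] = {}

    # Steps 1-3: an error fails the operation immediately.
    try:
        info = step(1, lambda: dict(sap[old]))
        alias = step(2, lambda: info.get("alias"))
        step(3, create)
    except (KeyError, RuntimeError) as exc:
        return False, [str(exc)]

    # Steps 4-7: an error deletes the new user and fails the operation.
    try:
        step(4, lambda: sap[new].update(activity_groups=info.get("activity_groups", [])))
        step(5, lambda: sap[new].update(profiles=info.get("profiles", [])))
        pdata = step(6, lambda: info.get("personalization", {}))
        step(7, lambda: sap[new].update(personalization=pdata))
    except RuntimeError as exc:
        warnings.append(str(exc))
        try:
            step("rollback", lambda: sap.pop(new))
        except RuntimeError:
            warnings.append(f"could not delete new user {new}")
        return False, warnings

    # Steps 8-9: an error only adds a warning; the operation still succeeds.
    # Assumption: the model stops at the first failing step in this phase.
    try:
        step(8, lambda: sap.pop(old))
        if alias:
            step(9, lambda: sap[new].update(alias=alias))
    except RuntimeError as exc:
        warnings.append(str(exc))
    return True, warnings
```

A failure at step 8 returns success with a warning while the old account still exists alongside the new one, so warnings from rename operations are worth reviewing for leftover accounts.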
Global Trade Services (GTS) Support
To enable SAP Global Trade Services support on the SAP adapter, activate the appropriate roles listed in the Role Name column in the following table. SAP generates the roles listed in the Generated Role column of the table. You must assign the generated roles to the appropriate user profiles in SAP GTS.
Additional Table Support
The SAP adapter can provision to any SAP table called by BAPI_USER_CREATE1 and BAPI_USER_CHANGE, most notably the GROUPS and PARAMETER tables. To enable this feature for any table other than GROUPS, you must add a Resource User Attribute to the schema map in the format SAP_Table_Name->Table. (For example, PARAMETER->Table.) The attribute must be assigned the complex data type.
The adapter provides an account attribute named GROUPS->USERGROUP, which processes data from the GROUPS table. By default, the type of this attribute is string. When the attribute type is set to string, the adapter processes values as a list of strings. If you want the adapter to process data from the table in the same manner as other tables, you must change the data type to complex.
The $WSHOME/web/sample/forms/SAPUserForm.xml file contains an example user form that illustrates how the GROUP table is managed using a string account attribute type as well as a complex attribute type.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Required Administrative Privileges
The user name that connects to SAP must be assigned to a role that can access the SAP users.
Provisioning Notes
| Feature | Supported? |
| --- | --- |
| Enable/disable account | Yes |
| Rename account | Yes, except when CUA is enabled. |
| Pass-through authentication | No |
| Before/after actions | No |
Data loading methods
Account Attributes
The following table provides information about the default SAP account attributes. (Additional attributes are provided if the Enable SAP GRC Access Enforcer? resource parameter is selected.) All attribute types are String.
Resource Object Support
Managed Objects
This adapter does not manage objects on the SAP resource.
Listable Objects
The following table describes the SAP objects that can be called using the listAllObjects method within a user form.
| Object | Description |
| --- | --- |
| account | Lists the users defined on the SAP resource. |
| activityGroups | Lists the activity groups (or roles) available for users. (Non-CUA mode only) |
| cuaSystems | When CUA is enabled, lists the names of the CUA children. |
| Group | Lists the available groups on the SAP resource. |
| localActivityGroups | When CUA is enabled, lists the activity groups that exist on a particular child system in a CUA environment. |
| profiles | Lists the names of the authorization profiles. |
| table | Lists the contents of a column of an SAP table. The options map requires the following parameters: name (SAP table name), offset (starting character column in the table), length (length of the data field). Refer to the SAP documentation for the BAPI RFC_GET_TABLE_ENTRIES to determine these values. See Additional Table Support for more information. |
| timeZones | Lists the available time zones supported by the SAP system. |
| usertype | Lists the user types available on the SAP system. |
Identity Template
$accountId$
Sample Forms
SAPForm.xml
SAPUserForm_with_RoleEffectiveDates_Timezone.xml
SAPHRActiveSyncForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
To determine which version of the SAP Java Connector (JCO) is installed, and to determine whether it is installed correctly, run the following command:
java -jar sapjco.jar
The command returns the JCO version as well as the JNI platform-dependent libraries and the RFC libraries that communicate with the SAP system.
If the platform-dependent libraries are not found, refer to the SAP documentation to find out how to correctly install the SAP Java Connector.