2  Deploying the Connector

The procedure to deploy the connector is divided across three stages namely preinstallation, installation, and postinstallation.

This chapter contains the following sections:

• Preinstallation

• Installation

• Postinstallation

• Upgrading the Connector

• Postcloning Steps

Note:

Some of the procedures described in this chapter must be performed on the target system. To perform these procedures, you must use an SAP administrator account to which the SAP_ALL and SAP_NEW profiles have been assigned.

2.1 Preinstallation

Preinstallation for the SAP UM connector involves performing a series of tasks on the target system.

Preinstallation information is divided across the following sections:

• Downloading and Installing the SAP JCo

• Creating a Target System User Account for Connector Operations

• Assigning Roles to a User Account in a SAP Business Objects Access Control System for Connector Operations

2.1.1 Downloading and Installing the SAP JCo

The SAP Java Connector file is a middleware component that enables the development of SAP-compatible components and applications in Java. This component is required to support inbound and outbound SAP server communication during runtime.

Note:

Ensure that you are using version 3.0.2 or later of the sapjco3.jar file.

To download files from the SAP Web site, you must have access to the SAP service marketplace with Software Download authorization.

To download and copy the external code files to the required locations:

1. Download the SAP Java connector file from the SAP Web site as follows:

   1. Open the SAP JAVA Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.

   2. On the SAP JAVA Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCo release that you want to download.

   3. In the dialog box that is displayed, specify the path of the directory in which you want to save the file.

2. Extract the contents of the file that you download.

3. Create a directory called sap-11.1.1.7.0 for the SAP User Management connector in the following directory:

   OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/

   The files in this directory are not shared with any other connectors, which avoids version conflicts among shared libraries.

4. Copy the sapjco3.jar file into the OIM_HOME/server/ThirdParty directory. Then, add its path to the DOMAIN_HOME\bin\startWebLogic file as follows:

   • On Microsoft Windows:

     In a text editor, open the DOMAIN_HOME/bin/startWebLogic.cmd file and add the following path:

     set CLASSPATH=MIDDLEWARE_HOME_PATH\Oracle_IDM1\server\ThirdParty\sapjco3.jar;%SAVE_CLASSPATH%

     Save and close the file. Restart the server for the changes in the CLASSPATH variable to take effect.

   • On Linux:

     In a text editor, open the DOMAIN_HOME/bin/startWebLogic.sh file and add the following path:

     CLASSPATH=MIDDLEWARE_HOME_PATH/Oracle_IDM1/server/ThirdParty/sapjco3.jar:"${SAVE_CLASSPATH}"

     For example, CLASSPATH=/home/shareuser/SYR2PS1BP2O7/Middleware/Oracle_IDM1/server/ThirdParty/sapjco3.jar:"${SAVE_CLASSPATH}"

     Save and close the file. Restart the server for the changes in the CLASSPATH variable to take effect.

5. Copy the RFC files into the required directory on the Oracle Identity Manager host computer, and then modify the appropriate environment variable so that it includes the path to this directory:

   • On Microsoft Windows:

     Copy the sapjco3.dll file into the winnt\system32 directory. Alternatively, you can copy these files into any directory and then add the path to the directory in the PATH environment variable.

   • On Solaris and Linux:

     Copy the libsapjco3.so file into the /usr/local/jco directory, and then add the path to this directory in the LD_LIBRARY_PATH environment variable.

6. On a Microsoft Windows platform, ensure that the msvcr80.dll and msvcp80.dll files are in the c:\WINDOWS\system32 directory. If required, both files can be downloaded from various sources on the Internet.

   Note:

   If you are using Cluster setup, add CLASSPATH and LD_LIBRARY_PATH to each node.

7. If you are using IBM WebSphere Application Server, perform the following steps:

   1. Copy the following files to WEBSPHERE_HOME/AppServer/lib:

      libsapjco3.so

      sapidoc3.jar

      sapjco3.jar

      For example, copy the preceding files to /home/shareuser/R2PS1ST1WAS/IBM/WebSphere/AppServer/lib

   2. Update the PROFILE_HOME/bin/setupCmdLine.sh file as shown in the following example:

      WAS_CLASSPATH="$WAS_HOME"/properties:"$WAS_HOME"/lib/startup.jar:"$WAS_HOME"/lib/bootstrap.jar:"$WAS_HOME"/lib/lmproxy.jar:"$WAS_HOME"/lib/urlprotocols.jar:"$WAS_HOME"/lib/sapjco3.jar:"$WAS_HOME"/lib/sapidoc3.jar:"$JAVA_HOME"/lib/tools.jar

8. Restart the server for the changes in the environment variable to take effect.

   Note:

   You can either restart the server now or after the connector is installed.

9. To check if SAP JCo is correctly installed, in a command window, run one of the following commands:

   java –jar JCO_DIRECTORY/sapjco3.jar
   java –classpath JCO_DIRECTORY/sapjco3.jar com.sap.conn.jco.rt.About
   

   The JCo classes and JCo library paths must be displayed in this dialog box.

2.1.2 Creating a Target System User Account for Connector Operations

The connector uses a target system account to connect to the target system during each connector operation.

This target system account must be one of the following:

• If you are using a target system in which the SAP HRMS module is enabled, then the target system account must be a user to whom you assign a customized role (for example, ZHR_ORG_UM) with the PLOG and P_ORIGIN authorization objects. Note that the P_ORIGIN authorization object is related to the SAP HRMS module. Therefore, you can assign a customized role with the P_ORIGIN authorization object only if the SAP HRMS module is enabled.

• If you are using a target system in which the SAP HRMS module is not enabled, then the target system account must be a user to whom you assign a customized role (for example, ZHR_ORG_UM) with the following authorization objects:

  • PLOG

  • Authorization objects that run BAPIs corresponding to each provisioning function.

  For example, consider a provisioning function that adds a multivalued attribute (such as role) to a user. If you want the connector to perform this provisioning operation, then you must create a target system user account to which you assign a customized role with the PLOG authorization object and an authorization object that runs the BAPIs to create, modify, or display roles.

This section provides information on the following topics:

• Creating a Target System User Account for the SAP UM (SAP ERP or SAP CUA) Target

• Creating a Target System User Account for the SAP HR Target

2.1.2.1 Creating a Target System User Account for the SAP UM (SAP ERP or SAP CUA) Target

Oracle Identity Governance requires a target system user account to access the target system during connector operations. 

To create a target system user account for the SAP UM target:

1. Create a CPIC User with the S_IDOC_ALL profile.
2. Add the following authorizations along with the corresponding default parameter values:

   • S_RFC

   • S_TABU_DIS

   • S_TABU_NAM

   • S_USER_AGR

   • S_USER_AUT

   • S_USER_GRP

   • S_USER_PRO

   • S_USER_SAS

   • S_USER_SYS

3. Modify the parameter values as follows:

   For S_RFC

   • ACTVT: 16

   • RFC_NAME: *

   • RFC_TYPE: FUGR

   For S_TABU_DIS

   • ACTVT: 03

   • DICBERCLS: SUSR

   For S_TABU_NAM

   • ACTVT: 03

   • TABLE: USH*, USR*, USZ*

   For S_USER_AGR

   • ACTVT: 03, 22

   • ACT_GROUP: *

   For S_USER_AUT

   • ACTVT: 03

   • AUTH: *

   • OBJECT: *

   For S_USER_GRP

   • ACTVT: 01, 02, 03, 05, 06, 08, 22, 78, PP

   • CLASS: *

   For S_USER_PRO

   • ACTVT: 03, 22

   • PROFILE: *

   For S_USER_SAS

   • ACTVT: 01, 06, 22

   • ACT_GROUP: *

   • CLASS: *

   • PROFILE: *

   • SUBSYSTEM: *

   For S_USER_SYS

   • ACTVT: 78

   • SUBSYSTEM: *

2.1.2.2 Creating a Target System User Account for the SAP HR Target

The connector uses a target system account to connect to the target system during reconciliation. This target system account must be a CPIC user to whom you assign a customized role with the S_IDOC_ALL profile, S_RFC authorization object, and PLOG authorization object.

Create user of type CPIC with the following privileges:

1. Assign S_IDOC_ALL profile.
2. Assign authorization object S_RFC with values:

   • ACTVT: 16

   • RFC_NAME: *

   • RFC_TYPE: FUGR, FUNC

3. Assign authorization object PLOG with values:

   • INFORTY: *

   • ISTAT: *

   • OTYPE: $$, O, P, S

   • PLVAR: 01, RS

   • PPFCODE: *

   • SUBTYP: *

4. Assign authorization object P_ORGIN with values:

   • AUTHC: R

   • INFTY: 0000-0003, 0006, 0105

   • PERSA: *

   • PERSG: *

   • PERSK: *

   • SUBTY: *

   • VDSK1: *

5. Assign authorization object P_ORGINCON with values:

   • AUTHC: R

   • INFTY: 0000-0003, 0006, 0105

   • PERSA: *

   • PERSG: *

   • PERSK: *

   • SUBTY: *

   • VDSK1: *

   • PROFL: *

6. Assign authorization object P_PERNR with values:

   • AUTHC: R

   • PSIGN: E, I

   • INFTY: 0000-0003, 0006, 0105

   • SUBTY: *

7. Assign authorization object B_ALE_RECV with values:

   • EDI_MES: HRMD_A

Note:

You must configure the PLOG authorization object so that the values assigned to this object match the ones shown in Step 2 through 6. Only the Plan Version (PLVAR) object can be set according to your requirements.

2.1.3 Assigning Roles to a User Account in a SAP Business Objects Access Control System for Connector Operations

You can perform connector operations such as Access Request Management and Access Risk Analysis through the SAP Business Objects Access Control system.

Note:

The naming convention of the connector name created in SAP Business Objects Access Control system should be synchronized with the logical name of the system to be integrated. To achieve this, a standard naming convention like <SID>CLNT<XXX> can be followed.

The below figure illustrates an example of the naming convention to be followed. According to this example, when a connector is created while integrating any system like ECC, CRM, SRM, or S/4 HANA with SAP Business Objects Access Control system, ensure to create an RFC destination of the system by following the standard naming convention which is synchronized with the logical name of the system.

Figure 2-1 Naming Convention For Connector Created in SAP Business Objects Access Control System

If you want to perform connector operations such as Access Request Management and Access Risk Analysis through the SAP Business Objects Access Control system, then assign the following minimum set of roles to a user account in SAP Business Objects Access Control:

Role Name	Description
SAP_BC_WEBSERVICE_CONSUMER	Web Service Consumer
SAP_GRC_NWBC	Governance, Risk, and Compliance
SAP_GRAC_ACCESS_APPROVER	Role for Access Request Approver
SAP_GRAC_RISK_OWNER	Risk Maintenance and Risk Analysis
SAP_GRAC_ROLE_MGMT_ROLE_OWNER	Role Owner

Apart from the default roles provided by SAP in the preceding table, you must add the additional authorizations to the user.

To create a target system user account for NW or S/4 HANA in an access control system:

1. Add the following authorizations along with the corresponding default parameter values:

   • GRFN_CONN

   • GRAC_SYS

   • GRAC_ROLER

   • GRAC_RISK

   • GRAC_REQ

   • GRAC_RA

   • S_USER_GRP

   • GRFN_USER

   • GRAC_ROLED

   • GRAC_ROLEP

   • GRAC_EMPLY

   • GRAC_USER

   • S_CTS_ADMI

   • S_CTS_SADM

   • GRAC_ACTN

   • GRAC_FFOWN

2. Modify the parameter values as follows:

   For GRFN_CONN

   • ACTVT: 16

   • GRCFN_CONN: *

   For GRAC_SYS

   • ACTVT: 01, 02, 03, 78

   • GRAC_APPTY: *

   • GRAC_ENVRM: *

   • GRAC_SYSID: *

   For GRAC_ROLER

   • ACTV: 16

   • GRAC_OUNIT: *

   • GRAC_ROLE: *

   • GRAC_ROTYP: *

   • GRAC_SYSID: *

   For GRAC_RISK

   • ACTVT: 16

   • GRAC_BPROC: *

   • GRAC_RISK: *

   • GRAC_RLVL: *

   • GRAC_RSET: *

   • GRAC_RTYPE: *

   For GRAC_REQ

   • ACTVT: 01, 02, 03

   • GRAC_BPROC: *

   • GRAC_FNCAR: *

   • GRAC_RQFOR: *

   • GRAC_RQINF: *

   • GRAC_RQTYPE: *

   For GRAC_RA

   • ACTVT: 16, 70

   • GRAC_OTYPE: *

   • GRAC_RAMOD: 1, 2, 3, 4, 5

   • GRAC_REPT: 01, 02, 03, 04, 05

   For S_USER_GRP

   • ACTVT: 03

   • CLASS: *

   For GRFN_USER_GRP

   • ACTVT: *

   For GRAC_ROLED

   • GRAC_ACTRD: 03, FS

   • GRAC_BPROC: *

   • GRAC_LDSCP: *

   • GRAC_RLSEN: *

   • GRAC_RLTYP: *

   • GRAC_ROLE: *

   For GRAC_ROLEP

   • ACTVT: 78

   • GRAC_BPROC: *

   • GRAC_OUNIT: *

   • GRAC_RLTYP: *

   • GRAC_ROLE: *

   • GRAC_SYSID: *

   For GRAC_USER

   • ACTVT: 01, 02, 03

   • GRAC_CLASS: *

   • GRAC_OUNIT: *

   • GRAC_SYSID: *

   • GRAC_USER: *

   • GRAC_UTYPE: *

   For GRAC_EMPLY

   • ACTVT: 01, 02, 03

   • GRAC_COMP: *

   • GRAC_COSTC: *

   • GRAC_DEPT: *

   • GRAC_LOCTN: *

   For GRAC_FFOWN

   • ACTVT: *

   • GRAC_OWN_T: *

   • GRAC_SYSID: *

   • GRAC_USER: *

   For GRAC_ACTN

   • GRAC_ACTN: HOLD

   • GRFNMW_PRC: *

   For S_CTS_SADM

   • CTS_ADMFC: *

   • DESTSYS: *

   • DOMAIN: *

   For S_CTS_ADMI

   • CTS_ADMFCT: *

2.2 Installation

You must install the connector in Oracle Identity Manager. If necessary, you can also deploy the connector in a Connector Server.

The following topics provide details on installing the SAP UM connector:

• To run the connector code locally in Oracle Identity Manager, perform the procedure described in Installing the Connector in Oracle Identity Manager.

• To run the connector code remotely in a Connector Server, perform the procedures described in Installing the Connector in Oracle Identity Manager and Deploying the Connector Bundle in a Connector Server.

2.2.1 Installing the Connector in Oracle Identity Manager

In this scenario, you install the connector in Oracle Identity Manager using the Connector Installer:

Note:

Direct provisioning is automatically enabled after you run the Connector Installer. If required, you can enable request-based provisioning in the connector. Direct provisioning is automatically disabled when you enable request-based provisioning. See Enabling Request-Based Provisioning if you want to use the request-based provisioning feature for this target system.

To run the Connector Installer:

1. Download the connector package (ZIP file) from Oracle Technology Network and extract the connector package. Then, copy the contents into the following directory:

   OIM_HOME/server/ConnectorDefaultDirectory

2. If you are using Oracle Identity Manager release 11.1.1.x, perform the following steps:

   1. Log in to Oracle Identity System Administration by using the user account described in Creating the User Account for Installing Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.

   2. On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.

3. If you are using Oracle Identity Manager release 11.1.2.x, perform the following steps:

   1. Log in to Oracle Identity System Administration.

   2. In the left pane, under System Management, click Manage Connector.

4. In the Manage Connector page, click Install.

5. From the Connector List list, select SAP UM RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.

   If you have copied the installation files into a different directory, then:

   1. In the Alternative Directory field, enter the full path and name of that directory.

   2. To repopulate the list of connectors in the Connector List list, click Refresh.

   3. From the Connector List list, select SAP UM RELEASE_NUMBER.

6. Click Load.

7. To start the installation process, click Continue.

   The following tasks are performed in sequence:

   1. Configuration of connector libraries

   2. Import of the connector XML files (by using the Deployment Manager)

   3. Compilation of adapters

   On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. If a task fails, then make the required correction and perform one of the following steps:

   • Retry the installation by clicking Retry.

   • Cancel the installation and begin again from Step 5.

8. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed.

   In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

   1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

   2. Configuring the IT resource for the connector

      The procedure to configure the IT resource is described later in this guide.

   3. Configuring the scheduled jobs

      The procedure to configure these scheduled tasks is described later in this guide.

2.2.2 Deploying the Connector Bundle in a Connector Server

You can deploy the connector either locally in Oracle Identity Manager or remotely in the Connector Server. A Connector Server is an application that enables remote execution of an Identity Connector, such as the SAP User Management connector.

Note:

• To deploy the connector bundle remotely in a Connector Server, you must first deploy the connector in Oracle Identity Manager, as described in Installing the Connector in Oracle Identity Manager.

• See Configuring the IT Resource for the Connector Server for related information.

This procedure can be divided into the following stages:

• Installing and Configuring the Connector Server

• Installing the Connector in the Connector Server

• Running the Connector Server

2.2.2.1 Installing and Configuring the Connector Server

Connector servers are available in two implementations:

• As a .Net implementation that is used by Identity Connectors implemented in .Net

• As a Java implementation that is used by Java-based Identity Connectors

The SAP User Management connector is implemented in Java, so you must deploy this connector to a Java Connector Server.

Use the following steps to install and configure the Java Connector Server:

Note:

Before you deploy the Java Connector Server, ensure that you install the JDK or JRE on the same computer where you are installing the Java Connector Server and that your JAVA_HOME or JRE_HOME environment variable points to this installation.

1. Create a new directory on the computer where you want to install the Java Connector Server.

   Note:

   In this guide, CONNECTOR_SERVER_HOME represents this directory.

2. Unzip the Java Connector Server package in the new directory created in Step 1. You can download the Java Connector Server package from the Oracle Technology Network.
3. Open the ConnectorServer.properties file located in the conf directory. In the ConnectorServer.properties file, set the following properties, as required by your deployment.

   Property	Description
   connectorserver.port	Port on which the Java Connector Server listens for requests. Default value: 8759
   connectorserver.bundleDir	Directory where the connector bundles are deployed. Default value: bundles
   connectorserver.libDir	Directory in which to place dependent libraries. Default value: lib
   connectorserver.usessl	If set to true, the Java Connector Server uses SSL for secure communication. Default value: false If you specify true, use the following options on the command line when you start the Java Connector Server: -Djavax.net.ssl.keyStore -Djavax.net.ssl.keyStoreType (optional) -Djavax.net.ssl.keyStorePassword
   connectorserver.ifaddress	Bind address. To set this property, uncomment it in the file (if necessary). The bind address can be useful if there are more NICs installed on the computer.
   connectorserver.key	Java Connector Server key.

4. Set the properties in the ConnectorServer.properties file, as follows:

   • To set the connectorserver.key, run the Java Connector Server with the /setKey option.

     Note:

     For more information, see Running the Connector Server.

   • For all other properties, edit the ConnectorServer.properties file manually.

5. The conf directory also contains the logging.properties file, which you can edit if required by your deployment.

Note:

Oracle Identity Manager has no built-in support for testing the Connector Server configuration.

2.2.2.2 Installing the Connector in the Connector Server

See Also:

Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about installing and configuring connector server and running the connector server.

To deploy the SAP User Management connector into the Java Connector Server:

1. Stop the Java Connector Server.

   Note:

   You can download the necessary Java Connector Server from the Oracle Technology Network web page.

2. From the installation media, copy the SAP User Management the bundle\org.identityconnectors.sap-1.0.11170.jar file to the CONNECTOR_SERVER_HOME\lib directory.

   Note:

   • Copy SAP User Management third party libraries (sapjco3.jar) into the CONNECTOR_SERVER_HOME\lib directory.
   • Use org.identityconnectors.sapacum-1.0.11170.jar file if you are using SAP BusinessObjects AC system.
3. From the installation media, copy the SAP User Management the lib\sap-oim-integration.jar file to the CONNECTOR_SERVER_HOME\lib directory.

   Note:

   Use sapac-oim-integration.jar file if you are using SAP BusinessObjects AC system.

4. Start the Connector Server for the connector bundle to be picked up by the Connector Server.

2.2.2.3 Running the Connector Server

To run the Java Connector Server, use the ConnectorServer.bat script as follows:

1. Ensure that you have set the properties required by your deployment in the ConnectorServer.properties file, as described in Installing and Configuring the Connector Server.
2. Change to the CONNECTOR_SERVER_HOME\bin directory and find the ConnectorServer.bat script.

   The ConnectorServer.bat supports the following options:

   Option	Description
   /install [serviceName] ["-J java-option"]	Installs the Java Connector Server as a Windows service. Optionally, you can specify a service name and Java options. If you do not specify a service name, the default name is ConnectorServerJava.
   /run ["-J java-option"]	Runs the Java Connector Server from the console. Optionally, you can specify Java options. For example, to run the Java Connector Server with SSL: ConnectorServer.bat /run "-J-Djavax.net.ssl.keyStore=mykeystore.jks" "-J-Djavax.net.ssl.keyStorePassword=password"
   /setKey [key]	Sets the Java Connector Server key. The ConnectorServer.bat script stores the hashed value of the key in the connectorserver.key property in the ConnectorServer.properties file.
   /uninstall [serviceName]	Uninstalls the Java Connector Server. If you do not specify a service name, the script uninstalls the ConnectorServerJava service.

3. If you need to stop the Java Connector Server, stop the respective Windows service.

2.3 Postinstallation

Postinstallation for the connector involves configuring Oracle Identity Manager, enabling logging to track information about all connector events, and configuring SoD. It also involves performing some optional configurations such as configuring ports on the target system, enabling the reset password option in OIM, setting up the configuration lookup definitions in OIM, changing the required input locale and so on.

Postinstallation steps are divided across the following sections:

• Configuring Ports on the Target System

• Configuring the Target System to Enable Propagation of User Password Changes

• Configuring Oracle Identity Manager 11.1.2 or Later

• Enabling the Reset Password Option in Oracle Identity Manager 11.1.2.1.0 or Later

• Setting Up the Configuration Lookup Definition in Oracle Identity Manager

• Enabling Request-Based Provisioning

• Changing to the Required Input Locale

• Clearing Content Related to Connector Resource Bundles from the Server Cache

• Managing Logging

• Configuring the Access Request Management Feature of the Connector

• Configuring SoD (Segregation of Duties)

• Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System

• Configuring the IT Resource

• Configuring the IT Resource for the Connector Server

• Downloading WSDL files from SAP BusinessObjects AC

• Localizing Field Labels in UI Forms

• Synchronizing the SAPUM Process Form Field Length Needs with the Target Field Length

Note:

The field length of the values of an attribute coming from the SAPUM Process form should be in bounds of the length of values of attributes in the target system.

2.3.1 Configuring Ports on the Target System

You can configure ports to enable communication between the target system and Oracle Identity Manager.

To enable communication between the target system and Oracle Identity Manager, you must ensure that the ports listed in Table 2-1 are open.

Table 2-1 Ports for SAP Services

Service	Port Number Format	Default Port
Dispatcher	32SYSTEM_NUMBER	3200
Gateway (for non-SNC communication)	33SYSTEM_NUMBER	3300
Gateway (for SNC communication)	48SYSTEM_NUMBER	4800
Message server	36SYSTEM_NUMBER	3600

To check if these ports are open, you can, for example, try to establish a Telnet connection from Oracle Identity Manager to these ports.

2.3.2 Configuring the Target System to Enable Propagation of User Password Changes

This section describes the procedures involved in configuring the target system to enable propagation of user password changes from the SAP CUA parent system to its child systems. You may need the assistance of the SAP Basis administrator to perform some of these procedures.

Configuring the target system involves the following tasks:

• Gathering Required Information

• Creating an Entry in the BAPIF4T Table

• Importing the Request

2.3.2.1 Gathering Required Information

The following information is required to configure the target system:

Note:

During SAP installation, a system number and client number are assigned to the server on which the installation is carried out. These items are mentioned in the following list.

• Login details of an admin user having the permissions required to import requests

• Client number of the server on which the request is to be imported

• System number

• Server IP address

• Server name

• User ID of the account to be used for connecting to the SAP application server

• Password of the account to be used for connecting to the SAP application server

2.3.2.2 Creating an Entry in the BAPIF4T Table

The User Group field is one of the fields that holds user data in SAP. F4 values are values of a field that you can view and select from a list. To view F4 values of the User Group field, you must create an entry in the BAPIF4T table by running the SM30 transaction. Ensure that the entry in the table includes XUCLASS as the data element and ZXL_PARTNER_BAPI_F4_AUTHORITY as the function name.

2.3.2.3 Importing the Request

You must import the request to create the following custom objects in the SAP system.

Object Type	Object Name
Package	ZXLC
Function Group	ZXLCGRP ZXLCHLPVALUES ZXLCPRF ZXLCRL ZXLCUSR
Message class	ZXLCBAPI
Program	ZLCF4HLP_DATA_DEFINITIONS ZLCMS01CTCO ZLCMS01CTCO1 ZLCMS01CTP2 ZXLCGRP ZXLCHLPVALUES ZXLCPRF ZXLCRL ZXLCUSR
Search Help	ZXLC_ROLE ZXLC_SYS
Business object types	ZXLCGRP ZXLCHLP ZXLCPRF ZXLCRL ZXLCUSR
Table	ZXLCBAPIMODE ZXLCBAPIMODM ZXLCGROUPS ZXLCPRF ZXLCROLE ZXLCSTRING ZXLCSYSNAME

The xlsapcar.sar file contains the definitions for these objects. When you import the request represented by the contents of the xlsapcar.sar file, these objects are automatically created in SAP. This procedure does not result in any change in the existing configuration of SAP.

Importing the request into SAP involves extracting the request files and performing the request import operation as follows:

1. Using SAPCAR utility, extract the Cofile and Data file from "xlsapcar.sar" as:

   xlsapcar.sar file location <Connecter Binaries>/sar

   • K900397.G10

   • R900397.G10

2. Import the request in target SAP system.

2.3.3 Configuring Oracle Identity Manager 11.1.2 or Later

You must create an UI form and an application instance for the resource against which you want to perform reconciliation and provisioning operations. In addition, you must run entitlement and catalog synchronization jobs.

These procedures are described in the following sections:

• Creating and Activating a Sandbox
• Creating a New UI Form
• Creating an Application Instance
• Publishing a Sandbox
• Harvesting Entitlements and Sync Catalog
• Updating an Existing Application Instance with a New Form

2.3.3.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for instructions on creating and activating a sandbox.

2.3.3.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.

See Managing Forms in Oracle Fusion Middlware Administering Oracle Identity Manager for instructions on creating a new UI form. While creating the UI form, ensure that you select the resource object corresponding to the Concur connector that you want to associate the form with. In addition, select the Generate Entitlement Forms check box..

2.3.3.3 Creating an Application Instance

Create an application instance as follows. For detailed instructions, see Managing Application Instances in Oracle Fusion Middlware Administering Oracle Identity Manager.

1. In the System Administration page, under Configuration in the left pane, click Application Instances.
2. Under Search Results, click Create.
3. Enter appropriate values for the fields displayed on the Attributes form and click Save.
4. In the Form drop-down list, select the newly created form and click Apply.
5. Publish the application instance for a particular organization.

2.3.3.4 Publishing a Sandbox

Before publishing a sandbox, perform the following procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published:

1. In Identity System Administration, deactivate the sandbox.
2. Log out of Identity System Administration.
3. Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
4. In the Catalog, ensure that the Concur application instance form appears with correct fields.
5. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for instructions on publishing a sandbox.

2.3.3.5 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

1. Run the scheduled jobs for lookup field synchronization listed in Scheduled Jobs for Lookup Field Synchronization and Scheduled Jobs for SAP BusinessObjects AC Lookup Field Synchronization.
2. Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.
3. Run the Catalog Synchronization Job scheduled job. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.

2.3.3.6 Updating an Existing Application Instance with a New Form

For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:

1. Create a sandbox and activate it as described in Creating and Activating a Sandbox.
2. Create a new UI form for the resource as described in Creating a New UI Form.
3. Open the existing application instance.
4. In the Form field, select the new UI form that you created.
5. Save the application instance.
6. Publish the sandbox as described in Publishing a Sandbox.

2.3.4 Enabling the Reset Password Option in Oracle Identity Manager 11.1.2.1.0 or Later

In Oracle Identity Manager release 11.1.2.1.0 or later, you can reset password for an account after logging in as the user by navigating to My Access, Accounts tab.

The Reset Password option is enabled for only those accounts that follow the UD_FORMNAME_PASSWORD naming convention for the password field. Otherwise, this option would be disabled as shown in the following sample screenshot:

Description of the illustration pwd_reset1.gif

To enable the Reset Password option in Oracle Identity Manager release 11.1.2.1.0 or later:

1. Log in to Oracle Identity System Administration.
2. In the left pane, under Configuration, click Form Designer.
3. Enter UD_SAP in the Table Name field and click the Query for records button.
4. Click Create New Version.
5. In the Create a New Version dialog box, specify the version name in the Label field, save the changes, and then close the dialog box.
6. From the Current Version list, select the newly created version.
7. Click the Properties tab.
8. Select the password field, and click Add Property.
9. From the Property Name list, select AccountPassword.
10. In the Property Value field, enter true.
11. Click Save.

    The password field is tagged with the AccountPassword = true property as shown in the following screenshot:

    
    Description of the illustration pwd_reset2.gif
12. Click Make Version Active.
13. Update the application instance with the new form as described in Updating an Existing Application Instance with a New Form.

2.3.5 Setting Up the Configuration Lookup Definition in Oracle Identity Manager

When you deploy the connector, configuration lookup definitions are created in Oracle Identity Manager. 

The following sections discuss the entries in the Lookup.SAPABAP.UM.Configuration lookup definition:

• Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts

• Configuring Password Changes for Newly Created Accounts

• Setting up the Lookup Definition for Connection Pooling

2.3.5.1 Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts

An SAP HRMS account created for a particular user can be linked with the SAP R/3 or SAP CUA account created for the same user. For a particular user, an attribute of SAP HRMS holds the user ID of the corresponding SAP R/3 or SAP CUA account.

You can duplicate this link in Oracle Identity Manager by using the following parameters of the Advanced Settings section:

• validatePERNR: You enter yes as the value if your operating environment contains multiple SAP HRMS installations. If there is only one SAP HRMS installation, then enter no.

• overwriteLink: You enter yes as the value if you want existing links in SAP to be overwritten by the ones set up through provisioning operations.

The following topics provide detailed information about the linking process:

• About the Linking Process

• Enabling Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts

2.3.5.1.1 About the Linking Process

An SAP HRMS account created for a particular user can be linked with the SAP R/3 or SAP CUA account created for the same user. For a particular user, an attribute of SAP HRMS holds the user ID of the corresponding SAP R/3 or SAP CUA account.

The following example describes the manner in which the linking process is performed:

1. An OIM User record is created for user John Doe through trusted source reconciliation with SAP HRMS. During creation, the user ID value is put in the User ID and Personnel Number attributes of the record.

   Note:

   The Personnel Number field is a hidden UDF on the OIM User form.

2. To provision an SAP R/3 or SAP CUA account for John, you enter and submit the required data on Oracle Identity System Administration.

3. The connector looks for the user's SAP HRMS account. If you entered yes as the value of validatePERNR attribute, then the connector checks for a match for the Personnel Number attribute on SAP HRMS.

4. After a match is found with an existing SAP HRMS account, the connector performs one of the following steps:

   • If the value of overwriteLink advanced settings parameter is yes, then the connector posts the User ID value of the SAP R/3 or SAP CUA account into the 0001 subtype in the Communication (0105) infotype of the SAP HRMS account. This is regardless of whether that infotype contains a value.

   • If the value of overwriteLink advanced settings parameter is no, then the connector posts the User ID value of the SAP R/3 or SAP CUA account into the 0001 subtype in the Communication (0105) infotype of the SAP HRMS account only if that subtype does not hold a value.

The Create Link task is one of the tasks that are run during the Create User provisioning operation. You can, if required, remove this task so that it is not displayed in the list of tasks that are run. Use the Design Console for this operation.

2.3.5.1.2 Enabling Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts

To enable linking of SAP HRMS and SAP R/3 or SAP CUA accounts, perform the following steps:

1. In the Design Console, expand Process Management and then double-click Process Definition.
2. Search for and open the SAP UM Process form.
3. Double-click the Create User task to open the Editing Task:Create User dialog box.
4. In the Responses tab, select the SUCCESS response, as shown in the following screenshot.
   
   Description of the illustration link_ac1.gif
5. Click Assign.
6. In the new dialog box, select the Create Link task, as shown in the following screenshot.
   
   Description of the illustration link_ac2.gif
7. The Create Link task will appear in the Tasks To Generate region for the SUCCESS response, as shown in the following screenshot.
   
   Description of the illustration link_ac3.gif
8. Save the changes and close the dialog box.

2.3.5.2 Configuring Password Changes for Newly Created Accounts

When you log in to SAP by using a newly created account, you are prompted to change your password at first logon. For accounts created through Oracle Identity Governance, password management can be configured by using the changePasswordAtNextLogon parameter of the Advanced Settings section.

You can apply one of the following approaches:

• Configure the connector so that users with newly created accounts are prompted to change their passwords at first logon.

  To achieve this, set the changePasswordAtNextLogon parameter to yes. With this setting, the password entered on the process form for a new user account is used to set the password for the new account on the target system. When the user logs in to the target system, the user is prompted to change the password.

• Configure the connector so that the password set while creating the account on Oracle Identity Governance is set as the new password on the target system. The user is not prompted to change the password at first logon.

  To achieve this, set the value of changePasswordAtNextLogon parameter to no and enter a string in the dummyPassword parameter of the Basic Configuration Section. With these settings, when you create a user account through Oracle Identity Governance, the user is first created with the dummy password. Immediately after that, the connector changes the password of the user to the one entered on the process form. When the user logs in to the target system, the user is not prompted to change the password.

2.3.5.3 Setting up the Lookup Definition for Connection Pooling

By default, this connector uses the ICF connection pooling. Table 2-2 lists the connection pooling properties, their description, and default values set in ICF:

Table 2-2 Connection Pooling Properties

Property	Description
Pool Max Idle	Maximum number of idle objects in a pool. Default value: 10
Pool Max Size	Maximum number of connections that the pool can create. Default value: 10
Pool Max Wait	Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: 150000
Pool Min Evict Idle Time	Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: 120000
Pool Min Idle	Minimum number of idle objects in a pool. Default value: 1

If you want to modify the connection pooling properties to use values that suit requirements in your environment, then:

1. Log in to the Design Console.
2. Expand Administration, and then double-click Lookup Definition.
3. Search for and open the configuration lookup definition for the target system your are using.

   For example, open Lookup.SAPABAP.Configuration.

4. On the Lookup Code Information tab, click Add.

   A new row is added.

5. In the Code Key column of the new row, enter Pool Max Idle.
6. In the Decode column of the new row, enter a value corresponding to the Pool Max Idle property.
7. Repeat Steps 4 through 6 for adding each of the connection pooling properties listed in Table 2-2.
8. Click the save icon.

2.3.6 Enabling Request-Based Provisioning

In request-based provisioning, an end user creates a request for a resource or entitlement by using Oracle Identity System Administration. Administrators or other users cannot create requests for a particular user. Requests can be viewed and approved by approvers designated in Oracle Identity Manager.

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1.x.

Do not enable request-based provisioning if you want to use the direct provisioning feature of the connector.

The following are features of request-based provisioning:

• A user can be provisioned only one resource (account) on the target system.

• Direct provisioning cannot be used if you enable request-based provisioning.

The following sections discuss the steps to be performed to enable request-based provisioning:

• Approver's Role in Request-Based Provisioning

• Importing Request Datasets Using Deployment Manager

• End User's Role in Request-Based Provisioning

• Enabling the Auto Save Form Feature

• Running the PurgeCache Utility

2.3.6.1 Approver's Role in Request-Based Provisioning

The following are steps performed by the approver in a request-based provisioning operation:

1. Log in to Oracle Identity System Administration.
2. On the Welcome page, click Self-Service in the upper-right corner of the page.
3. On the Welcome to Identity Manager Self Service page, click the Tasks tab.
4. On the Approvals tab, in the first section, you can specify a search criterion for request task that is assigned to you.
5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

   A message confirming that the task was approved is displayed.

2.3.6.2 Importing Request Datasets Using Deployment Manager

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation.

To import a request dataset XML file by using the Deployment Manager:

1. Log in to Oracle Identity System Administration.
2. Click the Deployment Management link on the left navigation bar.
3. Click the Import link under Deployment Management.

   A dialog box for opening files is displayed.

4. Locate and open the request dataset XML file, SAPUM-Datasets.xml, which is in the xml directory of the installation media.

   Details of this XML file are shown on the File Preview page.

5. Click Add File.

   The Substitutions page is displayed.

6. Click Next.

   The Confirmation page is displayed.

7. Click Import.
8. Close the Deployment Manager dialog box.

   The request dataset is imported into Oracle Identity Manager.

2.3.6.3 End User's Role in Request-Based Provisioning

The following steps are performed by the end user in a request-based provisioning operation:

1. Log in to the Administrative User Console.
2. On the Welcome page, click Advanced in the upper-right corner of the page.
3. On the Welcome to Identity Administration page, click the Administration tab, and then click the Requests tab.
4. From the Actions menu on the left pane, select Create Request.

   The Select Request Template page is displayed.

5. From the Request Template list, select Provision Resource and click Next.
6. On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.
7. From the Available Users list, select the user to whom you want to provision the account.

   If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.
9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
10. From the Available Resources list, select SAP UM Resource Object, move it to the Selected Resources list, and then click Next.
11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
12. On the Justification page, you can specify values for the following fields, and then click Finish.

    • Effective Date

    • Justification

    A message confirming that your request has been sent successfully is displayed along with the Request ID.

13. If you click the request ID, then the Request Details page is displayed.
14. To view details of the approval, on the Request Details page, click the Request History tab.

2.3.6.4 Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

1. Log in to the Design Console.
2. Expand Process Management, and then double-click Process Definition.
3. Search for and open the SAP UM Process Form process definition.
4. Select the Auto Save Form check box.
5. Click the Save icon.

2.3.6.5 Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Clearing Content Related to Connector Resource Bundles from the Server Cache for instructions.

The procedure to enable enabling request-based provisioning ends with this step.

2.3.7 Changing to the Required Input Locale

Note:

In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

2.3.8 Clearing Content Related to Connector Resource Bundles from the Server Cache

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

1. In a command window, switch to the OIM_HOME/server/bin directory.

   Note:

   You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

   OIM_HOME/server/bin/SCRIPT_FILE_NAME
   

2. Enter one of the following commands:

   Note:

   You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

   For example, the following commands purge Metadata entries from the server cache:

   PurgeCache.bat MetaData

   PurgeCache.sh MetaData

   On Microsoft Windows: PurgeCache.bat All

   On UNIX: PurgeCache.sh All

   When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

   t3://OIM_HOST_NAME:OIM_PORT_NUMBER
   

   In this format:

   • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

   • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

2.3.9 Managing Logging

Oracle Identity Manager uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

• Understanding Log Levels

• Enabling Logging

2.3.9.1 Understanding Log Levels

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.

Oracle Identity Manager release 11.1.x uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• SEVERE.intValue()+100

  This level enables logging of information about fatal errors.

• SEVERE

  This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.

• WARNING

  This level enables logging of information about potentially harmful situations.

• INFO

  This level enables logging of messages that highlight the progress of the application.

• CONFIG

  This level enables logging of information about fine-grained events that are useful for debugging.

• FINE, FINER, FINEST

  These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 2-3.

Table 2-3 Log Levels and ODL Message Type:Level Combinations

Java Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SEVER are the domain name and server name specified during the installation of Oracle Identity Manager.

2.3.9.2 Enabling Logging

To enable logging in Oracle WebLogic Server:

1. Edit the logging.xml file as follows:

   1. Add the following blocks in the file:

      <log_handler name='sap-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='[FILE_NAME]'/>
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
      

      <logger name="ORG.IDENTITYCONNECTORS.SAP" level="[LOG_LEVEL]" useParentHandlers="false">
           <handler name="sap-handler"/>
           <handler name="console-handler"/>
         </logger>
      

      If you are using SAP BusinessObjects AC, then add the following block:

      <logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="[Log_LEVEL]" useParentHandlers="false">
           <handler name="sap-handler"/>
           <handler name="console-handler"/>
      </logger>
      

   2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-3 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

      <log_handler name='sap-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
      

      <logger name="ORG.IDENTITYCONNECTORS.SAP" level="NOTIFICATION:1" useParentHandlers="false">
           <handler name="sap-handler"/>
           <handler name="console-handler"/>
         </logger>
      

      If you are using SAP BusinessObjects AC, then add the following block:

      <logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="NOTIFICATION:1" useParentHandlers="false">
           <handler name="sap-handler"/>
           <handler name="console-handler"/>
      </logger>
      

      With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

2. Save and close the file.

3. Set the following environment variable to redirect the server logs to a file:

   For Microsoft Windows:

   set WLS_REDIRECT_LOG=FILENAME
   

   For UNIX:

   export WLS_REDIRECT_LOG=FILENAME
   

   Replace FILENAME with the location and name of the file to which you want to redirect the output.

4. Restart the application server.

Note:

In an Oracle Identity Governance cluster, perform this step on each node of the cluster.

2.3.10 Configuring the Access Request Management Feature of the Connector

Access Request Management is a module in the SAP BusinessObjects AC suite. In an SAP environment, you can set up Access Request Management as the front end for receiving account creation and modification provisioning requests. In Access Request Management, workflows for processing these requests can be configured and users designated as approvers act upon these requests.

Oracle Identity Manager can be configured as the medium for sending provisioning requests to SAP BusinessObjects AC Access Request Management. A request from Oracle Identity Manager is sent to Access Request Management, which forwards the provisioning data contained within the request to the target system (SAP R/3 or SAP CUA). The outcome is the creation of or modification to the user's account on the target system.

Note:

Before you configure the Access Request Management feature, it is recommended that you read the guidelines described in Guidelines on Using a Deployment Configuration

The following sections provide information about configuring the Access Request Management feature:

• Specifying Values for the GRC-ITRes IT Resource

• Configuring Request Types and Workflows on SAP BusinessObjects AC Access Request Management

2.3.10.1 Specifying Values for the GRC-ITRes IT Resource

The GRC-ITRes IT resource holds information that is used during communication with SAP BusinessObjects AC Access Request Management. To set values for the parameters of this IT resource:

1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

   • For Oracle Identity Manager release 11.1.1.x:

     Log in to Oracle Identity System Administration.

   • For Oracle Identity Manager release 11.1.2.x:

     Log in to Oracle Identity System Administration.

2. If you are using Oracle Identity Manager release 11.1.1.x, then:

   1. On the Welcome page, click Advanced in the upper-right corner of the page.

   2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

3. If you are using Oracle Identity Manager release 11.1.2.x, then, in the left pane under Configuration, click IT Resource.

4. In the IT Resource Name field on the Manage IT Resource page, enter GRC-ITRes and then click Search.

5. Click the edit icon for the IT resource.

6. From the list at the top of the page, select Details and Parameters.

7. Specify values for the parameters of the IT resource.

   Table 2-4 lists the parameters of the GRC-ITRes IT resource.

   Table 2-4 Parameters of the GRC-ITRes IT Resource

   Parameter	Description
   Configuration Lookup	Enter the name of the configuration lookup definition. For SAP BusinessObjects AC 10: Lookup.SAPAC10ABAP.Configuration
   language	Enter the two-letter code for the language set on the target system. Sample value: EN
   Connector Server Name	Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server. Note: Enter a value for this parameter only if you have deployed the SAP User Management connector in the Connector Server.
   password	Enter the password of the account created on Access Request Management system.
   port	Enter the number of the port at which Access Request Management system is listening. Sample value: 8090
   server	Enter the IP address of the host computer on which Access Request Management system is listening. Sample value: 10.231.231.231
   username	Enter the user name of an account created on Access Request Management system. This account is used to call Access Request Management system APIs that are used during request validation. Sample value: jdoe

8. To save the values, click Update.

2.3.10.2 Configuring Request Types and Workflows on SAP BusinessObjects AC Access Request Management

You must create and configure request types and workflows on SAP BusinessObjects AC Access Request Management for provisioning operations.

1. Create a request type in SAP BusinessObjects AC Access Request Management.

   A request type In SAP BusinessObjects AC Access Request Management defines the action that is performed when a request is processed. Oracle Identity Manager is a requester. It works with request types defined in SAP BusinessObjects AC Access Request Management. The Lookup.SAPAC10ABAP.Configuration lookup definition maps request types to provisioning operations submitted through Oracle Identity Manager.

2. Create an access request workflow using the MSMP (Multi Step Multi process) Workflow Engine.

2.3.11 Configuring SoD (Segregation of Duties)

SoD is a process that ensures that every individual is given access to only one module of a business process and will not be able to access other modules to reduce risk of fraud and error.

This section discusses the following procedures:

• Configuring SAP BusinessObjects AC to Act As the SoD Engine

• Specifying Values for the GRC-ITRes IT Resource

• Verifying Entries Created in the Lookup.SAPABAP.System Lookup Definition

• Specifying a Value for the TopologyName IT Resource Parameter

• Disabling and Enabling SoD

Note:

• The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the UD_SAP, UD_SAPRL, and UD_SPUM_PRO process forms. This is required to enable the following process:

  During SoD validation of an entitlement request, data first moves from a dummy object form to a dummy process form. From there data is sent to the SoD engine for validation. If the request clears the SoD validation, then data is moved from the dummy process form to the actual process form. Because the data is moved to the actual process forms through APIs, the ALL USERS group must have INSERT, UPDATE, and DELETE permissions on the three process forms.

• In the Lookup.SAPABAP.Configuration lookup definition, you must change the Decode value of the SOD Configuration lookup entry.

  By default, the Decode value of this entry is Lookup.SAPAC10ABAP.Configuration.

2.3.11.1 Configuring SAP BusinessObjects AC to Act As the SoD Engine

To configure SAP BusinessObjects AC to act as the SoD engine, see Using Segregation of Duties in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager at for 11g Release 1 (11.1.2).

2.3.11.2 Specifying Values for the GRC-ITRes IT Resource

The GRC-ITRes IT resource holds information that is used by the connector during SoD operations. This IT resource is the same as the one used by the Access Request Management feature for both Oracle Identity Manager.

See Specifying Values for the GRC-ITRes IT Resource for the procedure to set values for the parameters of this IT resource.

2.3.11.3 Verifying Entries Created in the Lookup.SAPABAP.System Lookup Definition

The Lookup.SAPABAP.System lookup definition is automatically populated with system names when you run lookup field synchronization. After synchronization, you must open this lookup definition and ensure that only entries for systems that you want to use for the SoD validation process are retained in this table.

2.3.11.4 Specifying a Value for the TopologyName IT Resource Parameter

The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation:

• Oracle Identity Manager installation

• SAP BusinessObjects AC installation

• SAP ERP installation

Enter sodgrc as the value of the TopologyName parameter.

For more inofmration about this element, see Using Segregation of Duties in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for 11g Release 1 (11.1.2.0).

See Configuring the IT Resource for information about specifying values for parameters of the IT resource.

2.3.11.5 Disabling and Enabling SoD

This section describes the procedure to disable and enable SoD on Oracle Identity Governance.

• Disabling SoD on Oracle Identity Manager

• Enabling SoD on Oracle Identity Manager

2.3.11.5.1 Disabling SoD on Oracle Identity Manager

To disable SoD:

1. If you are using the Oracle Identity Manager release 11.1.1.x, then perform the following steps:

   1. Log in to Oracle Identity System Administration.

   2. On the Welcome page, click Advanced in the upper-right corner of the page.

   3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management tab, click System Configuration.

2. If you are using the Oracle Identity Manager release 11.1.2.x, then perform the following steps:

   1. Log in to Oracle Identity System Administration.

   2. In the left pane, under System Management, click System Configuration.

3. In the Search System Configuration box, enter XL.SoDCheckRequired and then click Search.

   A list that matches your search criteria is displayed in the search results table.

4. Click the XL.SoDCheckRequired property name.

   System properties for SoD are displayed on the right pane.

5. In the Value box, enter FALSE to disable SoD.

6. Click Save.

7. Restart Oracle Identity Manager.

2.3.11.5.2 Enabling SoD on Oracle Identity Manager

To enable SoD:

1. If you are using Oracle Identity Manager release 11.1.1.x, then perform the following steps:

   1. Log in to Oracle Identity System Administration.

   2. On the Welcome page, click Advanced in the upper-right corner of the page.

   3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management tab, click System Configuration.

2. If you are using Oracle Identity Manager release 11.1.2.x, then perform the following steps:

   1. Log in to Oracle Identity System Administration.

   2. In the left pane, under System Management, click System Configuration.

3. In the Search System Configuration box, enter XL.SoDCheckRequired and then click Search.

   A list that matches your search criteria is displayed in the search results table.

4. Click the XL.SoDCheckRequired property name.

   System properties for SoD are displayed on the right pane.

5. In the Value box, enter TRUE to enable SoD.

6. Click Save.

7. Restart Oracle Identity Manager.

2.3.12 Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System

Oracle Identity Manager uses a Java application server. To connect to the SAP system application server, this Java application server uses the SAP Java connector (JCo). If required, you can use Secure Network Communication (SNC) to secure communication between Oracle Identity Manager and the SAP system.

Note:

For more information, see the SAP SNC Documentation.

This section discusses the following topics:

• Prerequisites for Configuring the Connector to Use SNC

• Installing the Security Package

• Configuring SNC

2.3.12.1 Prerequisites for Configuring the Connector to Use SNC

The following are prerequisites for configuring the connector to use SNC:

• SNC must be activated on the SAP application server.

• You must be familiar with the SNC infrastructure. You must know which Personal Security Environment (PSE) the application server uses for SNC.

2.3.12.2 Installing the Security Package

To install the security package on the Java application server used by Oracle Identity Manager:

1. Download SAP Cryptolib for encrypted communication with Oracle Identity Manager.

   The necessary SAP Cryptolib for the encrypted communication of third-party software can be downloaded directly from the SAP Service Marketplace.

2. Extract the contents of the SAP Cryptographic Library installation package. This package contains the following files:

   • SAP Cryptographic Library (sapcrypto.dll for Microsoft Windows or libsapcrypto.so for UNIX)

   • A corresponding license ticket (ticket)

   • The configuration tool, sapgenpse

   Note:

   In this guide, sapgenpse.exe is used for Microsoft Windows and sapgenpse is used for UNIX.
3. Copy the library and the sapgenpse.exe file into a local directory. For example: C:/usr/sap
4. Check the file permissions. Ensure that the user under which the Java application server runs is able to run the library functions in the directory into which you copy the library and the sapgenpse file.
5. Create the sec directory inside the directory into which you copy the library and the sapgenpse file.

   Note:

   You can use any names for the directories that you create. However, creating the C:\usr\sap\sec (or /usr/sap/sec) directory is SAP recommendation.

6. Copy the ticket file into the sec directory. This is also the directory in which the Personal Security Environment (PSE) and credentials of the Java application server are generated.

   See Also:

   Configuring SNC

7. Set the SECUDIR environment variable for the Oracle WebLogic Application Server user to the sec directory.

   Note:

   From this point onward, the term SECUDIR directory is used to refer to the directory whose path is defined in SECUDIR environment variable.

8. Set the SNC_LIB and PATH environment variables for the user of the Java application server to the cryptographic library directory, which is the parent directory of the sec directory.

   For Linux: Export LD_LIBRARY_PATH and PATCH

2.3.12.3 Configuring SNC

To configure SNC:

1. Either create a PSE or copy the SNC PSE of the SAP application server to the SECUDIR directory. To create the SNC PSE for the Java application server, use the sapgenpse.exe command-line tool as follows:

   1. To determine the location of the SECUDIR directory, run the sapgenpse command without specifying any command options. The program displays information such as the library version and the location of the SECUDIR directory.

   2. Enter a command similar to the following to create the PSE:

      sapgenpse get_pse -p PSE_Name -x PIN Distinguished_Name
      

      The following is a sample distinguished name:

      CN=SAPJ2EE, O=MyCompany, C=US 
      

      The sapgenpse command creates a PSE in the SECUDIR directory.

2. Create credentials for the Java application server.

   The Java application server must have active credentials at run time to be able to access its PSE. To check whether or not this condition is met, enter the following command in the parent directory of the SECUDIR directory:

   Sapgenpse seclogin
   

   Then, enter the following command to open the PSE of the server and create the credentials.sapgenpse file:

   seclogin -p PSE_Name -x PIN -O [NT_Domain\]user_ID 
   

   The user_ID that you specify must have administrator rights. PSE_NAME is the name of the PSE file.

   The credentials file, cred_v2, for the user specified with the -O option is created in the SECUDIR directory.

3. Exchange the public key certificates of the two servers as follows:

   Note:

   If you are using individual PSEs for each certificate of the SAP server, then you must perform this procedure once for each SAP server certificate. This means that the number of times you must perform this procedure is equal to the number of PSEs.

   1. Export the Oracle Identity Manager certificate by entering the following command:

      sapgenpse export_own_cert -o filename.crt -p PSE_Name -x PIN
      

   2. Import the Oracle Identity Manager certificate into the SAP application server. You may require the SAP administrator's assistance to perform this step.

      Use one of the following ways to set up SNC on the SAP application server:

      • Certificate or User Mapping
      • Rule based Certificate Mapping

      If you do not want to map each user with the certificate and use batch processing, define a general rule-based certificate mapping to enable NetWeaver map user certificates automatically.

   3. Export the certificate of the SAP application server. You may require the SAP administrator's assistance to perform this step.

   4. Import the SAP application server certificate into Oracle Identity Manager by entering the following command:

      sapgenpse maintain_pk -a serverCertificatefile.crt -p PSE_Name -x PIN
      

4. Configure the following parameters in the SAP UM ITResource IT resource object:

   • sncLib

   • sncName

   • sncPartnerName

   • sncProtectionLevel

   • useSNC

2.3.13 Configuring the IT Resource

An IT resource for your target system is created after you install the connector. You configure this IT resource to let the connector connect Oracle Identity Manager with your target system. 

The following sections provide information about features that can be enabled using the IT resource:

• Parameters for Enabling the Use of a Logon Group

• Parameters for Enabling SNC-Based Communication

• Parameters for Enabling Multiple Attempts to Update Multivalued Attributes

The following section describes the parameters of the IT resource:

• Specifying Values for the IT Resource Parameters

2.3.13.1 Parameters for Enabling the Use of a Logon Group

In SAP, a logon group is used as a load-sharing mechanism. When a user logs in to a logon group, the system internally routes the connection request to the logon group member with the least load.

The following parameters of the IT resource are used to enable this feature. These parameters are explained in Table 2-5.

• jcoGroup

• loadBalance

• msHost

• msServ

In addition, perform the procedure described in Enabling SAP JCo Connectivity on the Oracle Identity Manager host computer to enable SAP JCo connectivity.

2.3.13.1.1 Enabling SAP JCo Connectivity

Perform the following procedure on the Oracle Identity Manager host computer to enable SAP JCo connectivity:

1. Open the following file in a text editor:

   For Microsoft Windows:

   C:\WINDOWS\system32\drivers\etc\services

   For Solaris or Linux, open the following file:

   /etc/services

2. Add an entry in the following format:

   Note:

   Ensure that you add the entry in the correct ascending order of the port number as shown in the example.

   sapmsSYSTEM_ID          36SYSTEM_NUMBER/tcp
   

   For example:

   . . . 
   ipx               213/udp               #IPX over IP
   ldap              389/tcp               #Lightweight Directory Access Protocol
   sapmsE60          3600/tcp
   . . .
   

3. Save and close the file.
4. Create the sapmsg.ini file and add the following lines in the file:

   [Message Server]
   o01=oss001.wdf.sap-ag.de
   SYSTEM_ID=HOST_NAME
   

   For example:

   [Message Server]
   o01=oss001.wdf.sap-ag.de
   E60=mysap08.corp.example.com
   

5. Save and close the file.
6. On the Oracle Identity Manager host computer, copy the file into the C:\Windows directory or the root directory (depending on the operating system running on the host).

2.3.13.2 Parameters for Enabling SNC-Based Communication

Secure Network Communication (SNC) is the SAP-proprietary mechanism for securing communication between SAP and applications with which SAP interacts. See Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System for detailed information to enable SNC-based communication. The names of the SNC parameters are prefixed with SNC.

2.3.13.3 Parameters for Enabling Multiple Attempts to Update Multivalued Attributes

During provisioning operations, there is a possibility that more than one user tries to update the multivalued attribute (for example, a role) of a particular user. The following parameters of the IT resource are used to automatically manage simultaneous update attempts:

• Timeout count: Enter the time (in milliseconds) for which the connector must wait before retrying the operation to update a multivalued attribute on the target system.

• Timeout retry count: Enter the maximum number of retry attempts for updating a multivalued attribute on the target system.

2.3.13.4 Specifying Values for the IT Resource Parameters

The SAP UM ITResource IT resource is automatically created when you run the Connector Installer. You must specify values for the parameters of the IT resource.

Note:

The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the default IT resource. This is to ensure that end users can select the IT resource during request-based provisioning. If you create another IT resource, then you must assign INSERT, UPDATE, and DELETE permissions for the ALL USERS group on the IT resource.

You must use Oracle Identity System Administration to configure the IT resource. Values set for the connection pooling parameters will not take effect if you use the Design Console to configure the IT resource.

To specify values for the parameters of the IT resource:

1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

   • For Oracle Identity Manager release 11.1.1.x:

     Log in to Oracle Identity System Administration.

   • For Oracle Identity Manager release 11.1.2.x:

     Log in to Oracle Identity System Administration.

2. If you are using Oracle Identity Manager release 11.1.1.x, then:

   1. On the Welcome page, click Advanced in the upper-right corner of the page.

   2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

3. If you are using Oracle Identity Manager release 11.1.2.x, then, in the left pane under Configuration, click IT Resource.

4. In the IT Resource Name field on the Manage IT Resource page, enter SAP UM ITResource and then click Search.

5. Click the edit icon for the IT resource.

6. From the list at the top of the page, select Details and Parameters.

7. Specify values for the parameters of the IT resource. Table 2-5 describes the parameters of the SAP UM IT resource and Table 2-6 describes the parameters of the SAP AC UM IT resource.

   Table 2-5 Parameters of the SAP UM IT Resource

   Parameter	Description	Mandatory?
   client	SAP client setting Default value: 000	Yes
   Configuration Lookup	Name of the lookup definition containing configuration information Default value: Lookup.SAPABAP.Configuration	Yes
   configureConnectionTuning	Allows the connection properties to be customized when the SAP Destination is configured Default value: FALSE	No
   connectionMaxGetTime	Maximum time to wait for a connection (specified in milliseconds)	No
   connectionPoolActiveTime	Maximum number of active connections that can be created for a destination simultaneously	No
   connectionPoolCapacity	Maximum number of idle connections that can be kept open by the destination	No
   connectionPoolExpirationPeriod	Released connections are checked for expiration after waiting for this time period (specified in milliseconds)	No
   connectionPoolExpirationTime	Freed connections held by the destination that can be closed after this amount of time (specified in milliseconds)	No
   Connector Server Name	Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server. Note: Enter a value for this parameter only if you have deployed the SAP User Management connector in the Connector Server.	No
   destination	This value must be unique. This is a mandatory connection parameter needed for SAPJCo to interact with the SAP System. Sample value: dest or dest123 (any random value) The value specified has to be unique to each instance of the IT Resource.	Yes
   dummyPassword	Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form. See Configuring Password Changes for Newly Created Accounts for more information about this parameter.	Mandatory
   host	Host name of the resource	Mandatory
   jcoGroup	Group of SAP application servers	Optional
   jcoSAPRouter	SAP router string to be used for a system protected by a firewall	Optional
   jcoTrace	Level of SAP JCO tracing to enable. Enter 0 or any positive integer up to and including 10. Default value: 0	Optional
   jcoTraceDir	Absolute path to the directory where the trace files will be created	Optional
   language	Enter the two-letter code for the language set on the target system Default value: EN	Optional
   loadBalance	Enter TRUE to enable the use of Logon Group Default value: FALSE	Optional
   masterSystem	Enter the RFC Destination value that is used for identification of the SAP system. This value must be same as that of the Logical System name. Sample value: EH6CLNT001 Here the sample value is based on the following format used in SAP system: <SYSTEM_ID>CLNT<CLIENT_NUM> In this sample value, EH6 is the System ID of the target system and 001 is the client number.	Mandatory
   maxBAPIRetries	Maximum Number retries for BAPI execution Default value: 5	Optional
   msHost	Enter the host name of the message server	Optional
   msServ	(Optional) SAP message server port to be used instead of the default sapms	Optional
   password	When using normal authentication, password of the User account	Mandatory
   r3Name	Enter the host name of the SAP R/3 or SAP CUA system	Optional
   retryWaitTime	Connection retry wait time Default value: 500	Optional
   sncLib	Enter the full path and name of the crypto library on the target system host computer This is required only if SNC is enabled. Sample value: c://usr//sap/sapcrypto.dll	Optional
   sncName	SNC system name Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Sample value: p:CN=TST,OU=SAP, O=ORA,c=IN	Optional
   sncPartnerName	Enter the domain name of the target system host computer Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Sample value: p:CN=I47,OU=SAP, O=ORA, c=IN	Optional
   sncProtection Level	Enter the protection level (quality of protection, QOP) at which data is transferred The value can be any one of the following numbers: 1: Secure authentication only 2: Data integrity protection 3: Data privacy protection 8: Use value from the parameter 9: Use maximum value available Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Default value: 3	Optional
   sncX509Cert	The X509 certificate that does not contain the BEGIN CERTIFICATE or END CERTIFICATE strings when using SNC Note: You must remove all new line characters from the certificate.	Optional
   systemNumber	SAP system number Default value: 00	Mandatory
   TopologyName	Name of the topology of the target system host computer Default value: sodgrc	Optional
   user	When using normal authentication, a user name that has permissions to create new accounts	Mandatory
   useSNC	Enter TRUE, if you want to configure secure communication between Oracle Identity Manager and the target system. Otherwise, enter FALSE. Default value: FALSE	Optional

   Table 2-6 Parameters of the SAP AC UM IT Resource

   Parameter	Description
   client	SAP client setting Default value: 000
   Configuration Lookup	Name of the lookup definition containing configuration information Default value: Lookup.SAPAC10ABAP.Configuration
   configureConnectionTuning	Allows the connection properties to be customized when the SAP Destination is configured Default value: FALSE
   connectionMaxGetTime	Maximum time to wait for a connection (specified in milliseconds)
   connectionPoolActiveTime	Maximum number of active connections that can be created for a destination simultaneously
   connectionPoolCapacity	Maximum number of idle connections that can be kept open by the destination
   connectionPoolExpirationPeriod	Released connections are checked for expiration after waiting for this time period (specified in milliseconds)
   connectionPoolExpirationTime	Freed connections held by the destination that can be closed after this amount of time (specified in milliseconds)
   Connector Server Name	Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server. Note: Enter a value for this parameter only if you have deployed the SAP User Management connector in the Connector Server.
   destination	This value must be unique. This is a mandatory connection parameter needed for SAPJCo to interact with the SAP System. Sample value: dest or dest123 (any random value) The value specified has to be unique to each instance of the IT Resource.
   dummyPassword	Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form. See Configuring Password Changes for Newly Created Accounts for more information about this parameter.
   grcLanguage	Enter the two-letter code for the language set on the GRC system. Sample value: EN
   grcPassword	Enter Password of the GRC System.
   grcUsername	Enter User name of the GRC System.
   host	Host name of the resource
   jcoGroup	Group of SAP application servers
   jcoSAPRouter	SAP router string to be used for a system protected by a fire wall
   jcoTrace	Level of SAP JCO tracing to enable. Enter 0 or any positive integer up to and including 10. Default value: 0
   jcoTraceDir	Absolute path to the directory where the trace files will be created
   language	Enter the two-letter code for the language set on the target system Default value: EN
   loadBalance	Enter TRUE to enable the use of Logon Group Default value: FALSE
   masterSystem	Enter the RFC Destination value that is used for identification of the SAP system. This value must be same as that of the Logical System name. Sample value: EH6CLNT001 Here the sample value is based on the following format used in SAP system: <SYSTEM_ID>CLNT<CLIENT_NUM> In this sample value, EH6 is the System ID of the target system and 001 is the client number.
   maxBAPIRetries	Maximum Number retries for BAPI execution. Default value: 5
   msHost	Enter the host name of the message server
   msServ	(Optional) SAP message server port to be used instead of the default sapms
   password	When using normal authentication, password of the User account
   r3Name	Enter the host name of the SAP R/3 or SAP CUA system
   retryWaitTime	Connection retry wait time Default value: 500
   sncLib	Enter the full path and name of the crypto library on the target system host computer This is required only if SNC is enabled. Sample value: c://usr//sap/sapcrypto.dll
   sncName	SNC system name Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Sample value: p:CN=TST,OU=SAP, O=ORA,c=IN
   sncPartnerName	Enter the domain name of the target system host computer Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Sample value: p:CN=I47,OU=SAP, O=ORA, c=IN
   sncProtection Level	Enter the protection level (quality of protection, QOP) at which data is transferred The value can be any one of the following numbers: 1: Secure authentication only 2: Data integrity protection 3: Data privacy protection 8: Use value from the parameter 9: Use maximum value available Specify a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Manager. Default value: 3
   sncX509Cert	The X509 certificate that does not contain the BEGIN CERTIFICATE or END CERTIFICATE strings when using SNC Note: You must remove all new line characters from the certificate.
   systemNumber	SAP system number Default value: 00
   TopologyName	Name of the topology of the target system host computer Default value: sodgrc
   user	When using normal authentication, a user name that has permissions to create new accounts
   useSNC	Enter FALSE, if you want to configure secure communication between Oracle Identity Manager and the target system. Otherwise, enter TRUE. Default value: FALSE

8. To save the values, click Update.

2.3.14 Configuring the IT Resource for the Connector Server

During the installation of the connector, a default IT resource for the connector server for SAP UM is created with the name, SAP UM IT Resource.

To create the IT resource for the Connector Server:

1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

   • For Oracle Identity Manager release 11.1.1.x:

     Log in to Oracle Identity System Administration.

   • For Oracle Identity Manager release 11.1.2.x:

     Log in to Oracle Identity System Administration.

2. If you are using Oracle Identity Manager release 11.1.1.x, then:

   1. On the Welcome page, click Advanced in the upper-right corner of the page.

   2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Create IT Resource.

3. If you are using Oracle Identity Manager release 11.1.2.x, then:

   1. In the left pane under Configuration, click IT Resource.

   2. In the Manage IT Resource page, click Create IT Resource.

4. On the Step 1: Provide IT Resource Information page, perform the following steps:

   • IT Resource Name: Enter a name for the IT resource.

   • IT Resource Type: Select Connector Server from the IT Resource Type list.

   • Remote Manager: Do not enter a value in this field.

5. Click Continue. Figure 2-2 shows the IT resource values added on the Create IT Resource page.

   Figure 2-2 Step 1: Provide IT Resource Information

   
   Description of "Figure 2-2 Step 1: Provide IT Resource Information"

6. On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource and then click Continue. Figure 2-3 shows the Step 2: Specify IT Resource Parameter Values page.

   Figure 2-3 Step 2: Specify IT Resource Parameter Values

   
   Description of "Figure 2-3 Step 2: Specify IT Resource Parameter Values"

   Table 2-7 provides information about the parameters of the IT resource.

   Note:

   See Step 8 of Installing and Configuring the Connector Server for the values to be specified for the parameters of the IT resource.

   Table 2-7 Parameters of the IT Resource for the Connector Server

   Parameter	Description
   Host	Enter the host name or IP address of the computer hosting the connector server. Sample value: myhost.com
   Key	Enter the key for the connector server.
   Port	Enter the number of the port at which the connector server is listening. Default value: 8759
   Timeout	Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out. Sample value: 0 A value of 0 means that the connection never times out.
   UseSSL	Enter true to specify that you will configure SSL between Oracle Identity Manager and the Connector Server. Otherwise, enter false. Default value: false Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL between Oracle Identity Manager and Connector Server, see Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System.

7. On the Step 3: Set Access Permission to IT Resource page, the SYSTEM ADMINISTRATORS group is displayed by default in the list of groups that have Read, Write, and Delete permissions on the IT resource that you are creating.

   Note:

   This step is optional.

   If you want to assign groups to the IT resource and set access permissions for the groups, then:

   1. Click Assign Group.

   2. For the groups that you want to assign to the IT resource, select Assign and the access permissions that you want to set. For example, if you want to assign the ALL USERS group and set the Read and Write permissions to this group, then you must select the respective check boxes in the row, as well as the Assign check box, for this group.

   3. Click Assign.

8. On the Step 3: Set Access Permission to IT Resource page, if you want to modify the access permissions of groups assigned to the IT resource, then:

   Note:

   • This step is optional.

   • You cannot modify the access permissions of the SYSTEM ADMINISTRATORS group. You can modify the access permissions of only other groups that you assign to the IT resource.

   1. Click Update Permissions.

   2. Depending on whether you want to set or remove specific access permissions for groups displayed on this page, select or deselect the corresponding check boxes.

   3. Click Update.

9. On the Step 3: Set Access Permission to IT Resource page, if you want to unassign a group from the IT resource, then:

   Note:

   • This step is optional.

   • You cannot unassign the SYSTEM ADMINISTRATORS group. You can unassign only other groups that you assign to the IT resource.

   1. Select the Unassign check box for the group that you want to unassign.

   2. Click Unassign.

10. Click Continue. Figure 2-4 shows the Step 3: Set Access Permission to IT Resource page.

    Figure 2-4 Step 3: Set Access Permission to IT Resource

    
    Description of "Figure 2-4 Step 3: Set Access Permission to IT Resource"

11. On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.

12. To proceed with the creation of the IT resource, click Continue. Figure 2-5 shows Step 4: Verify IT Resource Details page.

    Figure 2-5 Step 4: Verify IT Resource Details

    
    Description of "Figure 2-5 Step 4: Verify IT Resource Details"

13. The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource information. If the test is successful, then click Continue. If the test fails, then you can perform one of the following steps:

    • Click Back to revisit the previous pages and then make corrections in the IT resource creation information.

    • Click Cancel to stop the procedure, and then begin from the first step onward.

      Figure 2-6 shows the Step 5: IT Resource Connection Result page.

      Figure 2-6 Step 5: IT Resource Connection Result

      
      Description of "Figure 2-6 Step 5: IT Resource Connection Result"

14. Click Finish. Figure 2-7 shows the IT Resource Created Page.

    Figure 2-7 Step 6: IT Resource Created

    
    Description of "Figure 2-7 Step 6: IT Resource Created"

2.3.15 Downloading WSDL files from SAP BusinessObjects AC

In SAP BusinessObjects AC 10, you need to download the WSDL files from SAP BusinessObjects AC before configuring the web services.

Since the connector only supports basic authentication, select the User ID/Password check box for the following web services supported from OIM:

WSDL	Description
GRAC_AUDIT_LOGS_WS	Audit log web service
GRAC_LOOKUP_WS	Lookup service
GRAC_REQUEST_STATUS_WS	Request status web service
GRAC _RISK_ANALYSIS_WOUT_NO_WS	Risk analysis without request number. Note: For this WSDL, ReportFormat is a mandatory field from SP17.
GRAC_SELECT_APPL_WS	Select application web service
GRAC_USER_ACCES_WS	User access request service
GRAC_SEARCH_ROLES_W	Search role web service

When you download the WSDL file, ensure to save it with the same name as mentioned in the SOA Management page. In addition, ensure that the folder containing WSDL files have read permission.

2.3.16 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation media.

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.

To localize field label that is added to the UI forms:

1. Log in to Oracle Enterprise Manager.

2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.

3. In the right pane, from the Application Deployment list, select MDS Configuration.

4. On the MDS Configuration page, click Export and save the archive to the local computer.

5. Extract the contents of the archive, and open one of the following files in a text editor:

   • For Oracle Identity Manager 11g Release 2 PS2 and later (11.1.2.2.0):

     SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf

   • For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):

     SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf

6. Edit the BizEditorBundle.xlf file in the following manner:

   1. Search for the following text:

      <file source-language="en"  
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

   2. Replace with the following text:

      <file source-language="en" target-language="LANG_CODE"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

      In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

      <file source-language="en" target-language="ja"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

   3. Search for the application instance code. This procedure shows a sample edit for SAP User Management application instance. The original code is:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAP_TITLE__c_description']}">
      <source>Title</source>
      </target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.umform.entity.umformEO.UD_SAP_TITLE__c_LABEL">
      <source>Title</source>
      </target>
      </trans-unit>
      

   4. Open the resource file from the connector package, for example SAPUM_ja.properties, and get the value of the attribute from the file, for example, global.udf. UD_SAP_TITLE = \u5F79\u8077.

   5. Replace the original code shown in Step 6.b with the following:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAP_TITLE__c_description']}">
      <source>Title</source>
      <target>\u5F79\u8077</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.umform.entity.umformEO.UD_SAP_TITLE__c_LABEL">
      <source>Title</source>
      <target>\u5F79\u8077</target>
      </trans-unit>
      

   6. Repeat Steps 6.a through 6.d for all attributes of the process form.

   7. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

      Sample file name: BizEditorBundle_ja.xlf.

7. Repackage the ZIP file and import it into MDS.

   See Also:

   Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager, for more information about exporting and importing metadata files

8. Log out of and log in to Oracle Identity Manager.

2.3.17 Synchronizing the SAPUM Process Form Field Length Needs with the Target Field Length

Ensure that the field length of the values of an attribute coming from the target system should be in bounds of the length of values of attributes in SAPUM process form.

2.4 Upgrading the Connector

If you have already deployed an earlier release of this connector, then upgrade the connector to the current release.

You can upgrade the SAP User Management connector while in production, and with no downtime. Your customizations will remain intact and the upgrade will be transparent to your users. All form field names are preserved from the legacy connector.

To upgrade the SAP User Management connector, perform the procedures described in the following sections:

• Preupgrade Steps for the SAP UM Connector

• Upgrade Steps for the SAP UM Connector

• Performing the Postupgrade Steps

Note:

• Before you perform the upgrade procedure, it is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.

• As a best practice, first perform the upgrade procedure in a test environment.

• Direct upgrade to release 11.1.1.7.0 or later from release 9.x of the connector is not supported. You must first upgrade to release 11.1.1.6.0 from release 9.x and then upgrade to release 11.1.1.7.0 or later.

2.4.1 Preupgrade Steps for the SAP UM Connector

Before you perform an upgrade operation or any of the upgrade procedures, you must perform the following actions:

• Perform a reconciliation run to fetch all latest updates to Oracle Identity Manager.

• Define the source connector (an earlier release of the connector that must be upgraded) in Oracle Identity Manager. You define the source connector to update the Deployment Manager XML file with all customization changes made to the connector.

• Run the Oracle Identity Manager Delete JARs utility to delete the old connector bundle to the Oracle Identity Manager database.

  See Also:

  Delete JAR Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about the Delete JARs utility

2.4.2 Upgrade Steps for the SAP UM Connector

Depending on the environment in which you are upgrading the connector, perform one of the following steps:

• Staging Environment

  Perform the upgrade procedure by using the wizard mode.

• Production Environment

  Perform the upgrade procedure by using the silent mode.

See Also:

Managing Connector Lifecycle of Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about the wizard and silent modes

2.4.3 Performing the Postupgrade Steps

Perform the procedure described in this section to complete the steps that are required to post-upgrade.

1. Run the Oracle Identity Manager Upload JARs utility to post the new connector bundle to the Oracle Identity Manager database.

   See Also:

   Upload JAR Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for detailed information about the Upload JARs utility

2. If the connector is deployed on a Connector Server, then:

   1. Stop the Connector Server.

   2. Replace the existing connector bundle and lib JARs located in the CONNECTOR_SERVER_HOME/bundles and CONNECTOR_SERVER_HOME/lib directories respectively with the new connector bundles (bundle/org.identityconnectors.sapacum-12.3.0.jar and bundle/org.identityconnectors.sapum-12.3.0.jar) and lib JARs ( lib/sapac-oim-integration.jarlib/sapum-oim-integration.jar) from the connector installation media.

   3. Start the Connector Server.

3. Reconfigure the IT resource of the connector.

4. Upgrading the connector will generate duplicate entries in Lookups, you must manually delete these duplicate entries. Perform the postupgrade procedure documented in Managing Connector Lifecycle of Oracle Fusion Middleware Administering Oracle Identity Manager.
5. Perform the postupgrade steps. Depending on the version of the connector that you are using, perform one of the procedures described in the following sections:
   • Postupgrade Steps for Releases 9.x to 11.1.1.5.0, 9.x to 11.1.1.6.0, and 11.1.1.5.0 to 11.1.1.6.0 of the Connector
   • Postupgrade Steps for Release 11.1.1.6.0 of the Connector
6. Run the FVC utility. This utility is copied into the following directory when you install the design console:
   • For Microsoft Windows: OIM_DC_HOME/fvcuti.bat
   • For UNIX: OIM_DC_HOME/fvcutil.sh

   When you run this utility, you are prompted to enter the login credentials of the Oracle Identity manager administrator, and the logger level, and log file location.

7. Create a new version of the process form.

   If you are using Oracle Identity Manager release 11.1.2.x, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:

   1. Log in to Oracle Identity System Administration.

   2. Create and activate a sandbox. See Creating and Activating a Sandbox.

   3. Create a new UI form to view the upgraded fields. See Creating a New UI Form.

   4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in the preceding step), and then save the application instance.

   5. Publish the sandbox. Publishing a Sandbox.

8. Perform full reconciliation.

   This operation updates the Unique Id resource object field and the lock status of the users. The lock status will be updated as per the value specified in the fvc.properties file for Release 9.x through Release 11.1.1.5.0 of the connector.

   See Full and Incremental Reconciliationfor more information about this step.

   Perform the postupgrade procedure in Managing Connector Lifecycle of Oracle Fusion Middlware Administering Oracle Identity Governance.

9. After upgrading the connector, you can perform delete reconciliation.

   See Reconciliation Scheduled Jobs for the SAP UM Connector for more information about delete reconciliation.

2.4.3.1 Postupgrade Steps for Releases 9.x to 11.1.1.5.0, 9.x to 11.1.1.6.0, and 11.1.1.5.0 to 11.1.1.6.0 of the Connector

Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation.

To do so, in a text editor, open the fvc.properties file located in the OIM_DC_HOME directory.

If you are using the connector release 9x, include the following entries:

ResourceObject;SAPUM Resource Object
FormName;UD_SAP
FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE
ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
Parent;UD_SAPUSER

Example:

ResourceObject;SAPUM Resource Object
FormName;UD_SAP
FromVersion;V_9.1.2.6
ToVersion;v_11.1.1.5.0
Parent;UD_SAPUSER

If you are using the connector release 11.1.1.x, include the following entries:

ResourceObject;SAPUM Resource Object
FormName;UD_SAP
FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE
ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
Parent;UD_SAPUSER

Example:

ResourceObject;SAPUM Resource Object
FormName;UD_SAP
FromVersion;V_11.1.1.5.0
ToVersion;v_11.1.1.6.0
Parent;UD_SAPUSER

2.4.3.2 Postupgrade Steps for Release 11.1.1.6.0 of the Connector

Depending on the type of connector that you choose to upgrade, perform one of the following procedures:

• Postupgrade Steps While Upgrading the Basic User Management configuration from Release 11.1.1.6.0 to Release 11.1.1.7.0

• Postupgrade Steps While Upgrading the SoD validation of SAP BusinessObjects AC Access Risk Analysis from Release 11.1.1.6.0 to Release 11.1.1.7.0

• Postupgrade Steps While Upgrading the SAP BusinessObjects AC Access Request Management from Release 11.1.1.6.0 to Release 11.1.1.7.0

2.4.3.2.1 Postupgrade Steps While Upgrading the Basic User Management configuration from Release 11.1.1.6.0 to Release 11.1.1.7.0

Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so, in a text editor, open the fvc.properties file located in the OIM_DC_HOME directory.

If you are using the connector release 11.1.1.6.0, include the following entries:

ResourceObject;SAPUM Resource Object
FormName;UD_SAP
FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE
ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE

Example:

ResourceObject;SAPUM Resource Object
FormName;UD_SAP
FromVersion;V_11.1.1.6.0
ToVersion;v_11.1.1.7.0

Note:

While upgrading the connector, the following information will display. You must manually delete the following adapters and Event handlers:

• The "sapacum ac remove child" and "sapacum add child" Adapters.

• The "adpSAPACUMREMOVECHILD" and "adpSAPACUMADDCHILD" EventHandlers.

2.4.3.2.2 Postupgrade Steps While Upgrading the SoD validation of SAP BusinessObjects AC Access Risk Analysis from Release 11.1.1.6.0 to Release 11.1.1.7.0

Perform the procedure described in this section to complete the postupgrade steps for the SoD validation of SAP BusinessObjects AC Access Risk Analysis:

1. Re-configure the GRC-ITRes IT resource.
2. You must manually update the decode values of the following entries in the "Lookup.SAPABAP.Configuration" lookup definition:

   • wsdlFilePath

   • entitlementRiskAnalysisAccessURL

3. Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so, in a text editor, open the fvc.properties file located in the OIM_DC_HOME directory. If you are using the connector release 11.1.1.6.0, include the following entries:

   ResourceObject;SAPUM Resource Object
   FormName;UD_SAP
   FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE
   ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
   

   Example:

   ResourceObject;SAP UM Resource Object
   FormName;UD_SAP
   FromVersion;V_11.1.1.6.0
   ToVersion;v_11.1.1.7.0
   

4. Create a new version of the process form, and run the "Resubmit Uninitiated Provisioning SODChecks" scheduler.

   Note:

   While upgrading the connector, the following information will display. You must manually delete the following adapters and Event handlers:

   • The "sapacum ac remove child" and "sapacum add child" Adapters.

   • The "adpSAPACUMREMOVECHILD" and "adpSAPACUMADDCHILD" EventHandlers.

2.4.3.2.3 Postupgrade Steps While Upgrading the SAP BusinessObjects AC Access Request Management from Release 11.1.1.6.0 to Release 11.1.1.7.0

Perform the procedure described in this section to complete the postupgrade steps for the SAP BusinessObjects AC Access Request Management:

1. Re-configure the SAPUM IT Resource IT resource.

2. You must manually update the decode value to None for the following entries in the "Lookup.SAPAC10ABAP.Configuration" lookup definition:

   • roleLookupAccessURL

   • otherLookupAccessURL

   • auditLogsAccessURL

   • appLookupAccessURL

   • wsdlFilePath

   • userAccessAccessURL

   • requestStatusAccessURL

3. Run the PostUpgradeScript_SAPUM.sql script as follows:

   1. Log into the Oracle Identity Manager database using the OIM DB User credentials.

   2. Run the PostUpgradeScript_SAPUM.sql. This script is located in the Upgrade directory on the installation media.

      Note:

      You must change the task name of the bulk adapter after upgrade. For example, replace the task name "UD_SAPACUM Updated" with "UD_SAPUM Updated."

4. Run the following lookups:

   • SAP AC UM BusinessProcess Lookup Reconciliation

   • SAP AC UM CommType Lookup Reconciliation

   • SAP AC UM Company Lookup Reconciliation

   • SAP AC UM ContractUserType Lookup Reconciliation

   • SAP AC UM DateFormat Lookup Reconciliation

   • SAP AC UM DecimalNot Lookup Reconciliation

   • SAP AC UM FunctionalArea Lookup Reconciliation

   • SAP AC UM ItemProvAction Lookup Reconciliation

   • SAP AC UM LangComm Lookup Reconciliation

   • SAP AC UM Parameter Lookup Reconciliation

   • SAP AC UM Priority Lookup Reconciliation

   • SAP AC UM ReqInitSystem Lookup Reconciliation

   • SAP AC UM RequestType Lookup Reconciliation

   • SAP AC UM Role Lookup Reconciliation

   • SAP AC UM TimeZone Lookup Reconciliation

   • SAP AC UM Title Lookup Reconciliation

   • SAP AC UM UserGroup Lookup Reconciliation

   • SAP AC UM UserType Lookup Reconciliation

5. Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so, in a text editor, open the fvc.properties file located in the OIM_DC_HOME directory. If you are using the connector release 11.1.1.6.0, include the following entries:

   ResourceObject;SAP AC UM Resource Object
   FormName;UD_SAP
   FromVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_WAS_IN_THE_ACTIVE_STATUS_BEFORE_THE_UPGRADE
   ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
   FromVersion;V_11.1.1.6.0
   ToVersion;v_11.1.1.7.0
   ParentParent;UD_SAP_AC_MANAGER_FIRST_NAME;UD_SAP_AC_MNGR_FIRSTNAME
   ParentParent;UD_SAP_AC_MANAGER_LAST_NAME;UD_SAP_AC_MNGR_LASTNAME
   ParentParent;UD_SAP_AC_MANAGER_EMAIL;UD_SAP_AC_MNGR_EMAIL
   

   Example:

   ResourceObject;SAP AC UM Resource Object
   FormName;UD_SAP
   FromVersion;V_11.1.1.6.0
   ToVersion;v_11.1.1.7.0
   ParentParent;UD_SAP_AC_MANAGER_FIRST_NAME;UD_SAP_AC_MNGR_FIRSTNAME
   ParentParent;UD_SAP_AC_MANAGER_LAST_NAME;UD_SAP_AC_MNGR_LASTNAME
   ParentParent;UD_SAP_AC_MANAGER_EMAIL;UD_SAP_AC_MNGR_EMAIL

2.5 Postcloning Steps

You can clone this connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.

Note:

Managing Connector Lifecycle in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about cloning connectors and the postcloning steps.

After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:

• IT Resource

  The cloned connector has its own set of IT resources. You must configure both the cloned connector IT resources and ensure you use the configuration lookup definition of the cloned connector.

• Scheduled Job

  The values of the Resource Object Name and IT Resource scheduled job attributes in the cloned connector refer to the values of the base connector. Therefore, these values (values of the Resource Object Name and IT resource scheduled job attributes that refer to the base connector) must be replaced with the new cloned connector artifacts.

• Adapter

  You must change the itResourceFieldName (Literal Value) in the Variable list of “sapum update” Adapter.For example UD_SAP_ITRESOURCECLONE To be the cloned IT Resource name , After Clone Update the itResourceFieldName (Literal Value) with Form name (e.g.: UD_SAP_ITRESOURCECLONE).

• Lookup Definition

  The cloned lookup definition (for example, Lookup.SAPABAP.ConfigurationCLONE) corresponding to the Lookup.SAPABAP.Configuration lookup definition has Code Key or Decode Key entries related to child form fields that still map to the old child form fields. You must change the values of these Code Key entries so that they map to the cloned child form fields.

  For example, consider UD_CloneSAPRL and UD_CloneSAP_PRO to be the cloned child forms of the UD_SAPRL and UD_SAP_ PRO child forms respectively. After cloning, the Lookup.SAPABAP.ConfigurationCLONE lookup definition contains Code Key entries that correspond to the fields of the old child form UD_SAPRL and UD_SAP_ PRO respectively. To ensure that the Code Key entries point to the fields of the cloned child form (UD_CloneSAPRL and UD_CloneSAP_PRO), specify the following values in the corresponding Code Key or Decode Key columns:

  • UD_SPUMPC_P; UD_CloneSAP_PRO

  • UD_SPUMRC_P; UD_CloneSAPRL

  Note:

  You must update the respective child form field names manually in the required lookup definitions. For example, Lookup.SAPABAP.UM.ProvAttrMapClone.

• Process Tasks

  You must change the literal value of the childTableName adapter variable from UD_SAPRL and UD_SAP_PRO to the cloned form names UD_CLONESAPRL anUD_CLONESAP_PRO, respectively in the following process tasks:

  • Add Role

  • Update Role

  • Remove Role

  • Add Profile

  • Remove Profile

  • Add Group

  • Remove Group

  • Add Parameter

  • Remove Parameter

  • Update Parameter

  You must change the literal value of the parent form from UD_SAP to the cloned form name UD_SAPCLONED in the UD_SAP in the Bulk adapter process task.

• Localization Properties

  You must update the resource bundle of a user locale with new names of the process form attributes for proper translations after cloning the connector. You can modify the properties file of your locale in the resources directory of the connector bundle.

  For example, the process form (UD_SAP) attributes are referenced in the Japanese properties file, SAPUM_ja.properties, as global.udf.UD_SAP_FIRST_NAME. During cloning, if you change the process form name from UD_SAPCL to global.udf.UD_SAPCL_FIRST_NAME, then you must add the process form attributes to global.udf.UD_SAP_FIRST_NAME.

• Replicate changes made to the form designer to a new UI form

  To do so, perform the procedure described in Postupgrade Steps for Release 11.1.1.6.0 of the Connector.