1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use SAP User Management Engine as a managed (target) resource of Oracle Identity Manager.

Note:

At some places in this guide, SAP User Management Engine has been referred to as the target system.

In the account management (target resource) mode of the connector, data about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. This data is used to provision (allocate) new resources or update resources already assigned to OIM Users. In addition, you can use Oracle Identity Manager to provision or update SAP User Management Engine resources assigned to OIM Users. These provisioning operations performed on Oracle Identity Manager translate into the creation of or updates to target system accounts.

This chapter contains the following sections:

1.1 Certified Components

These are the software components and their versions required for installing and using the connector.

Table 1-1 lists certified components for the connector.

Table 1-1 Certified Components

Component Requirement

Oracle Identity Governance or Oracle Identity Manager

You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:

  • Oracle Identity Governance 12c (12.2.1.4.0)

  • Oracle Identity Governance 12c Release BP02 (12.2.1.3.2)

  • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 PS1 (11.1.2.1.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 BP05 (11.1.2.0.5) with patch 16627415 and any later BP in this release track

  • Oracle Identity Manager 11g Release 1 PS2 BP01 (11.1.1.7.1) and any later BP in this release track

  • Oracle Identity Manager 11g Release 1 PS1 BP07 (11.1.1.5.7) with patch 16627402 and any later BP in this release track

Target systems

The target system can be one of the following:

  • SAP User Management Engine running on SAP NetWeaver '04 SPS 14 or later

  • SAP User Management Engine running on SAP NetWeaver 7.0 SPS 05 or later

  • SAP User Management Engine running on SAP NetWeaver 7.4 SPS 08 or later

  • SAP User Management Engine running on SAP NetWeaver 7.5 SPS 00 or later

Note: If you install an SAP application in Java stack, such as SAP Enterprise Portal, then the connector can connect to SAP User Management Engine (UME) of the application.

If you install an SAP application, such as SAP BW or SAP SRM, in ABAP stack, then you must configure SAP Enterprise Portal against SAP UME of the application. See the respective target system documentation for information about this configuration.

If you install an SAP application, such as SAP PI, in dual stack (ABAP and Java), then the connector can connect to SAP UME of the application. However, the limitations of the ABAP data source are applicable.

Connector Server

11.1.2.1.0

Connector Server JDK

JDK 1.6 update 24 or later, JDK 1.7 or later, or JRockit 1.6 or later

SAP Governance, Risk and Compliance Access Control (GRC AC)

If you want to configure and use the Access Risk Analysis or Access Request Management feature of this target system, then install the following:

  • SAP BusinessObjects Access Control 10 on SAP NetWeaver AS ABAP 7.02 Support Pack 7

    Install the GRCFND_A SP 10 component.

  • SAP BusinessObjects Access Control 10.1 on SAP NetWeaver AS ABAP 7.40 Support Pack 8

    Install the GRCFND_A SP 10 component.

  • To use the connector with Java, ABAP, or LDAP data source, use SAP NetWeaver AS ABAP 7.01 Support Pack 10 with EP RTA component GRCPIEP SP 10 patch 2 (on deploying GRCAC1010_4-20007574.SCA)

OpenSPML Toolkit

OpenSPML Toolkit version 0.6 (included with the connector bundle).

1.2 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

Note:

In Oracle Identity Manager, you can install and configure both SAP User Management and SAP User Management Engine connectors.

You can configure the connectors with SAP GRC AC target system to use either Access Risk Analysis or Access Request Management feature.

  • If you are using an Oracle Identity Manager release 9.1.0.2 or later and earlier than Oracle Identity Manager 11g Release 1 PS1 BP07 (11.1.1.5.7), then you must use the 9.1.0 version of this connector.

  • If you are using Oracle Identity Manager 11g Release 1 PS1 BP07 (11.1.1.5.7) and any later BP in this release track (such as Oracle Identity Manager 11g Release 1 PS1 BP08 (11.1.1.5.8) or later, or Oracle Identity Manager 11g Release 2 BP05 (11.1.2.0.5)), or Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0), then use the latest 11.1.1.x version of this connector.

  • If you are using Oracle Identity Governance 12c BP02 (12.2.1.3.2) or 12.2.1.4.0, then use the latest SAP User Management Engine 11.1.1.9.2 (one-off p28550151_111190_Generic.zip) version of this connector. The same 11.1.1.9.2 one-off is also required if you are using SAP NetWeaver 7.5 SPS 00 or later with SAP GRC AC 10.1.

1.3 Certified Languages

These are the languages that the connector supports.

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English

  • Finnish

  • French

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.4 Connector Architecture and Supported Deployment Configurations

The SAP UME connector is implemented by using the Identity Connector Framework (ICF).

The connector sets up Oracle Identity Manager as the front end for sending account creation or modification requests to applications that use the data source linked with SAP User Management Engine.

Account data added or modified through provisioning operations performed directly on the data source can be reconciled into Oracle Identity Manager through SAP User Management Engine.

Figure 1-1 shows the connector integrating SAP User Management Engine with Oracle Identity Manager.

Figure 1-1 Architecture of the Connector

Description of Figure 1-1 follows
Description of "Figure 1-1 Architecture of the Connector"

As shown in the figure, SAP User Management Engine is configured as the management tool for user data stored on a data source, which is either the ABAP module, AS Java database, or an LDAP-based solution. User data changes made through the SAP User Management Engine UI are reflected on applications that use the data source or on the UI of the LDAP-based solution.

By deploying the connector, you configure SAP User Management Engine as a target resource of Oracle Identity Manager.

Provisioning requests sent from Oracle Identity Manager are routed through the SPML service to the application or system that uses the data source linked with SAP User Management Engine. User data changes resulting from the provisioning requests can be viewed through the SAP User Management Engine UI. Reconciliation is performed directly from SAP User Management Engine.

This connector can be configured to run in the account management mode. Account management is also known as target resource management. In the account management mode, the target system is used as a target resource. This mode of the connector enables the following operations:

  • Provisioning

    Provisioning involves creating or updating users on the target system through Oracle Identity Manager. When you allocate (or provision) an SAP User Management Engine resource to an OIM User, the operation results in the creation of an account on SAP UME for that user. In the Oracle Identity Manager context, the term provisioning is also used to mean updates made to the target system account through Oracle Identity Manager.

    During provisioning, adapters carry provisioning data submitted through the process form to the target system. The SPML service in the SAP User Management Engine accepts provisioning data from the adapters, performs the necessary provisioning operation, and then returns the response to adapters in Oracle Identity Manager.

  • Reconciliation

    The scheduled task provided by the connector acts as the SPML client and sends SPML requests to the SPML service of SAP User Management Engine.

    During reconciliation, a scheduled task establishes a connection with the SPML service. Reconciliation criteria are sent through SPML requests to this SPML service. The SPML service processes the requests and returns SPML responses containing user records that match the reconciliation criteria. The scheduled task brings these records to Oracle Identity Manager.

    Each record fetched from the target system is compared with SAP User Management Engine resources that are already provisioned to OIM Users. If a match is found, then the update made to the record is copied to the SAP User Management Engine resource in Oracle Identity Manager. If no match is found, then the user ID of the record is compared with the user ID of each OIM User. If a match is found, then data in the target system record is used to provision an SAP User Management Engine resource to the OIM User.
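The reconciliation exchange and matching rule described above, as an added example that is not the connector's own code. It builds the SPML 1.0 searchRequest that carries the reconciliation criteria, parses a constructed searchResponse, applies the two-stage match (provisioned resource first, then OIM User ID) and derives the Enabled/Disabled state from the Valid Through attribute. The element layout follows SPML 1.0 with DSML v2 attributes; the object class name 'sapuser', the attribute names logonname, validto and islocked, and the YYYYMMDD date format are assumptions made for illustration.

```python
"""Added example (not the connector's own code): one SPML 1.0 reconciliation
round trip and the matching rule described above. The element layout follows
SPML 1.0 with DSML v2 attributes; the object class 'sapuser', the attribute
names logonname/validto/islocked and the YYYYMMDD date format are assumptions."""
import xml.etree.ElementTree as ET
from datetime import date, datetime

SPML = "urn:oasis:names:tc:SPML:1:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("spml", SPML)
ET.register_namespace("dsml", DSML)


def build_search_request(initial, attrs=("logonname", "validto", "islocked")):
    """Reconciliation criteria as an SPML searchRequest: every 'sapuser' whose
    logon name starts with `initial`, returning only the listed attributes."""
    req = ET.Element(f"{{{SPML}}}searchRequest", requestID="recon-1")
    base = ET.SubElement(req, f"{{{SPML}}}searchBase", type="GenericString")
    ET.SubElement(base, f"{{{SPML}}}id").text = "sapuser"
    flt = ET.SubElement(req, f"{{{DSML}}}filter")
    sub = ET.SubElement(flt, f"{{{DSML}}}substrings", name="logonname")
    ET.SubElement(sub, f"{{{DSML}}}initial").text = initial
    wanted = ET.SubElement(req, f"{{{SPML}}}attributes")
    for name in attrs:
        ET.SubElement(wanted, f"{{{DSML}}}attribute", name=name)
    return ET.tostring(req, encoding="unicode")


def parse_search_response(xml_text):
    """Flatten each searchResultEntry into an {attribute: value} dict.
    A non-success result code is an error, never 'no accounts on the target'."""
    root = ET.fromstring(xml_text)
    if not root.get("result", "").endswith("#success"):
        raise RuntimeError("SPML search failed: %s" % root.get("result"))
    records = []
    for entry in root.findall(f"{{{SPML}}}searchResultEntry"):
        rec = {}
        for attr in entry.findall(f"{{{DSML}}}attr"):
            rec[attr.get("name")] = attr.findtext(f"{{{DSML}}}value")
        records.append(rec)
    return records


def account_status(validto, today):
    """Valid Through earlier than today -> Disabled, otherwise Enabled.
    No Valid Through means no expiry; a malformed date is rejected, not guessed."""
    if not validto:
        return "Enabled"
    expiry = datetime.strptime(validto, "%Y%m%d").date()  # assumed format
    return "Disabled" if expiry < today else "Enabled"


def reconcile(records, provisioned, oim_user_ids, today):
    """A record matching an already provisioned resource becomes an update; one
    matching only an OIM User ID provisions a new resource; anything else is
    reported but linked to nobody. Locked is carried separately from Enabled."""
    events = []
    for rec in records:
        uid = rec["logonname"]
        if uid in provisioned:
            action = "update"
        elif uid in oim_user_ids:
            action = "provision"
        else:
            action = "unmatched"
        events.append({"user_id": uid, "action": action,
                       "status": account_status(rec.get("validto"), today),
                       "locked": rec.get("islocked") == "true"})
    return events


# Constructed sample response (not captured from a real system).
SAMPLE_RESPONSE = f"""<spml:searchResponse xmlns:spml="{SPML}" xmlns:dsml="{DSML}"
    result="{SPML}#success" requestID="recon-1">
  <spml:searchResultEntry>
    <dsml:attr name="logonname"><dsml:value>JDOE</dsml:value></dsml:attr>
    <dsml:attr name="validto"><dsml:value>20991231</dsml:value></dsml:attr>
    <dsml:attr name="islocked"><dsml:value>false</dsml:value></dsml:attr>
  </spml:searchResultEntry>
  <spml:searchResultEntry>
    <dsml:attr name="logonname"><dsml:value>ASMITH</dsml:value></dsml:attr>
    <dsml:attr name="validto"><dsml:value>20200101</dsml:value></dsml:attr>
    <dsml:attr name="islocked"><dsml:value>true</dsml:value></dsml:attr>
  </spml:searchResultEntry>
  <spml:searchResultEntry>
    <dsml:attr name="logonname"><dsml:value>SVC_BATCH</dsml:value></dsml:attr>
  </spml:searchResultEntry>
</spml:searchResponse>"""


def run_sample():
    """JDOE is already provisioned, ASMITH exists only as an OIM User,
    SVC_BATCH matches nothing; 'today' is fixed so the result is reproducible."""
    records = parse_search_response(SAMPLE_RESPONSE)
    return reconcile(records, provisioned={"JDOE"},
                     oim_user_ids={"JDOE", "ASMITH"}, today=date(2024, 6, 1))


if __name__ == "__main__":
    print(build_search_request("J"))
    for event in run_sample():
        print(event)
```

The unmatched third record is the case to watch in production: an account on the target that belongs to no OIM User is exactly what an orphan-account review should surface, so the connector's behavior of leaving it unlinked should be reported rather than silently ignored.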

Besides enabling direct integration with the target system, the connector can also be used to act as an interface with the Access Risk Analysis and Access Request Management modules of SAP BusinessObjects AC. The target system (SAP User Management Engine) and these two modules of SAP BusinessObjects AC together provide various deployment configurations. The following sections provide information about the supported deployment configurations of the connector:

1.4.1 User Management with Access Request Management

Access Request Management is a module in the SAP BusinessObjects AC suite. In an SAP environment, you can set up Access Request Management as the front end for receiving account creation and modification provisioning requests. In Access Request Management, workflows for processing these requests can be configured and users designated as approvers act upon these requests.

Note:

In this guide, the phrase configuring Access Request Management has been used to mean configuring the integration between Oracle Identity Manager and SAP BusinessObjects AC Access Request Management.

In your operating environment, the Access Request Management module might be directly linked with the Access Risk Analysis module. In other words, provisioning requests are first sent from Access Request Management to Access Risk Analysis for SoD validation. Only requests that clear the validation process are implemented on the target system. In this scenario, it is recommended that you do not configure the SoD feature of the connector.

Reconciliation does not involve SAP BusinessObjects AC Access Request Management. Scheduled tasks on Oracle Identity Manager fetch data from the target system to Oracle Identity Manager.

Figure 1-2 shows data flow in this mode of the connector.

Figure 1-2 Connector Integrating SAP BusinessObjects AC Access Request Management with Oracle Identity Manager and the Target System

Description of Figure 1-2 follows
Description of "Figure 1-2 Connector Integrating SAP BusinessObjects AC Access Request Management with Oracle Identity Manager and the Target System"

The following is the detailed sequence of steps performed during a provisioning operation:

  1. The provisioning operation is initiated through direct provisioning, request-based provisioning, or an access policy change.

  2. An SPML request is run on the target system to check whether the user already exists. The outcome is one of the following:

    • For a Create User operation, if the user exists on the target system, then an error message is displayed. If the user does not exist, then a request is created out of the provisioning data and sent to SAP BusinessObjects AC Access Request Management.

    • For a Modify User operation, if the user does not exist on the target system, then an error message is displayed. If the user exists, then a request is created out of the provisioning data and sent to SAP BusinessObjects AC Access Request Management.

    The connector sends requests and receives responses through the following Web services of SAP BusinessObjects AC:

    • GRAC_USER_ACCESS_WS: This Web service is used to submit requests.

    • GRAC_REQUEST_STATUS_WS: This Web service is used to fetch request statuses.

    • GRAC_AUDIT_LOGS_WS: This Web service is used to check if there are error messages in the SAP BusinessObjects AC Access Request Management logs.

    The process form holds fields for both basic user management and Access Request Management. However, for a Create User operation, only the Access Request Management fields (attributes) on the process form are used. Mappings for these fields are stored in the Lookup.SAPAC10UME.UM.ProvAttrMap lookup definitions. If you specify values for any attribute that is not present in these lookup definitions, then the connector ignores those attributes during the Create User operation.

    Note:

    SAP BusinessObjects AC Access Request Management does not process passwords. Therefore, any value entered in the Password field is ignored during Create User provisioning operations.

    See Guidelines on Performing Provisioning for information about setting passwords when you configure Access Request Management.

    For a Modify User operation, a request is created only for attributes whose mappings are present in these lookup definitions. If you specify values for attributes that are not present in these lookup definitions, then the connector directly sends them to the target system.

    Note:

    In a Modify User operation, you can specify values for attributes that are mapped with SAP BusinessObjects AC Access Request Management and attributes that are directly updated on the target system.

  3. When the request is created on SAP BusinessObjects AC Access Request Management, data sent back by Access Request Management is stored in the following read-only fields in Oracle Identity Manager:

    • AC Request ID: This field holds the request ID that is generated on SAP BusinessObjects AC Access Request Management. The AC Request ID does not change during the lifetime of the request.

    • AC Request Status: This field holds the status of the request on SAP BusinessObjects AC Access Request Management. You configure and run the SAP AC Request Status scheduled job to fetch the latest status of the request from the target system.

    • AC Request Type: This field holds the type of request, such as New Account, Change Account, Delete Account, New, and Change.

  4. The request is passed through the workflow defined in SAP BusinessObjects AC Access Request Management. The outcome is one of the following:

    • If Access Request Management clears the request, then the outcome is the creation or modification of a user's account on the target system (SAP UME). The status of the request is set to OK. Then, a message is recorded in the Oracle Identity Manager logs.

    • If Access Request Management rejects the provisioning request, then the status of the request is set to Failed. Then, a message is recorded in the Oracle Identity Manager logs.

    • If an error occurs during communication between Access Request Management and the target system, then the request remains in the Open state. A message stating that the operation has failed is recorded in the audit log associated with the request. An error message is displayed on the console.

1.4.2 Audit Trail Details in Connector Logs

You can capture the audit trail details in the connector logs after configuring the Access Request Management.

Here are a few samples of Audit trail in the connector logs:

  • Create User

    logAuditTrial : Audit Trial: {Result=[Createdate:20130409,Priority:HIGH,Requestedby:,johndoe (JOHNDOE),Requestnumber:9000001341,Status:Decision pending,Submittedby:,johndoe (JOHNDOE),auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,Description:,Display String:Request 9000001341 of type New Account Submitted by  johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}], Status=0_Data Populated successfully}
    
  • Request Status Schedule Job

    logAuditTrial : Audit Trial: {Result=[Createdate:20130409,Priority:HIGH,Requestedby:,johndoe (JOHNDOE),Requestnumber:9000001341,Status:Approved,Submittedby:,johndoe (JOHNDOE),auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,Description:,Display String:Request 9000001341 of type New Account Submitted by  johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH,ID:000C290FC2851ED2A899DAF9961C91E2,Description:,Display String:Request is pending for approval at path GRAC_DEFAULT_PATH stage GRAC_MANAGER,ID:000C290FC2851ED2A89A1400B60631E2,Description:,Display String:Approved by JOHNDOE at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,ID:000C290FC2851ED2A89A150972D091E2,Description:,Display String:Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,ID:000C290FC2851ED2A89A150972D111E2,Description:,Display String:Approval path processing is finished, end of path reached,ID:000C290FC2851ED2A89A150972D151E2,Description:,Display String:Request is closed}], Status=0_Data Populated successfully}
    
  • Modify User

    logAuditTrial : Audit Trial: {Result=[Createdate:20130409,Priority:HIGH,Requestedby:,johndoe (JOHNDOE),Requestnumber:9000001342,Status:Decision pending,Submittedby:,johndoe (JOHNDOE),auditlogData:{,ID:000C290FC2851ED2A89A3ED3B1D7B1E2,Description:,Display String:Request 9000001342 of type Change Account Submitted by  johndoe ( JOHNDOE ) for JK1FirstName JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}], Status=0_Data Populated successfully}
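A parser for these audit trail lines, as an added example that is not the connector's own code. It takes the three sample lines above verbatim as input, extracts the request number, Access Request Management status, request type and the individual audit log entries, and then reduces the lines to the latest record per request, mirroring the point made later in this chapter that Oracle Identity Manager tracks only the latest request for an account. The field layout is read off the samples; the 'closed' and 'request_type' derivations are assumptions for illustration.

```python
"""Added example (not the connector's own code): a parser for the audit trail
lines shown above, using the three samples as input. The field layout is read
off those samples; 'closed' and 'request_type' are derived by assumption."""
import re

# The three sample lines from this section, verbatim (the product's own log
# message spells "Trail" as "Trial").
SAMPLE_LOG_LINES = [
    "logAuditTrial : Audit Trial: {Result=[Createdate:20130409,Priority:HIGH,Requestedby:,johndoe (JOHNDOE),Requestnumber:9000001341,Status:Decision pending,Submittedby:,johndoe (JOHNDOE),auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,Description:,Display String:Request 9000001341 of type New Account Submitted by  johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}], Status=0_Data Populated successfully}",
    "logAuditTrial : Audit Trial: {Result=[Createdate:20130409,Priority:HIGH,Requestedby:,johndoe (JOHNDOE),Requestnumber:9000001341,Status:Approved,Submittedby:,johndoe (JOHNDOE),auditlogData:{,ID:000C290FC2851ED2A899DA29DAA1B1E2,Description:,Display String:Request 9000001341 of type New Account Submitted by  johndoe ( JOHNDOE ) for JK1APRIL9 JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH,ID:000C290FC2851ED2A899DAF9961C91E2,Description:,Display String:Request is pending for approval at path GRAC_DEFAULT_PATH stage GRAC_MANAGER,ID:000C290FC2851ED2A89A1400B60631E2,Description:,Display String:Approved by JOHNDOE at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,ID:000C290FC2851ED2A89A150972D091E2,Description:,Display String:Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER,ID:000C290FC2851ED2A89A150972D111E2,Description:,Display String:Approval path processing is finished, end of path reached,ID:000C290FC2851ED2A89A150972D151E2,Description:,Display String:Request is closed}], Status=0_Data Populated successfully}",
    "logAuditTrial : Audit Trial: {Result=[Createdate:20130409,Priority:HIGH,Requestedby:,johndoe (JOHNDOE),Requestnumber:9000001342,Status:Decision pending,Submittedby:,johndoe (JOHNDOE),auditlogData:{,ID:000C290FC2851ED2A89A3ED3B1D7B1E2,Description:,Display String:Request 9000001342 of type Change Account Submitted by  johndoe ( JOHNDOE ) for JK1FirstName JK1APRIL9 ( JK1APRIL9 ) with Priority HIGH}], Status=0_Data Populated successfully}",
]

# Request types as listed for the AC Request Type field; longest names first so
# "New Account" is not cut short to "New".
REQUEST_TYPES = ("New Account", "Change Account", "Delete Account", "New", "Change")


def parse_audit_trail(line):
    """Return the request number, AC status, request type, the audit log entries
    and the connector call status, or None for a line that is not an audit record."""
    head = re.search(r"Requestnumber:(\d+),Status:([^,]+),", line)
    if not head:
        return None
    # Each audit log entry's text runs up to the next ",ID:" or the closing "}]".
    entries = re.findall(r"Display String:(.*?)(?=,ID:|\}\])", line)
    rtype = re.search(r"of type (%s) Submitted" % "|".join(REQUEST_TYPES), line)
    call = re.search(r"Status=([^}]+)\}\s*$", line)
    return {
        "request_number": head.group(1),
        "ac_status": head.group(2),
        "request_type": rtype.group(1) if rtype else None,
        "audit_entries": entries,
        "closed": any(e.strip() == "Request is closed" for e in entries),
        "call_status": call.group(1) if call else None,
    }


def latest_status_per_request(lines):
    """Oracle Identity Manager keeps only the latest record per request, so a
    later line for the same request number overwrites the earlier one."""
    latest = {}
    for line in lines:
        rec = parse_audit_trail(line)
        if rec:
            latest[rec["request_number"]] = rec
    return latest


if __name__ == "__main__":
    for number, rec in latest_status_per_request(SAMPLE_LOG_LINES).items():
        print(number, rec["request_type"], rec["ac_status"], "closed" if rec["closed"] else "open")
```

Because only the last record per request survives, anyone building detections on these lines should ingest every line as it is written rather than rely on the connector's stored state: the "Decision pending" record for request 9000001341 is gone from Oracle Identity Manager once the "Approved" record arrives.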
    

1.4.3 User Management with SoD

If the Access Risk Analysis module of SAP GRC is configured to implement segregation of duties (SoD) in your SAP operating environment, the connector can be used as the interface between Oracle Identity Governance and the SoD module. You can configure the connector to first process the provisioning requests sent from Oracle Identity Governance through SoD validation of SAP GRC Access Risk Analysis. Provisioning requests that clear this validation process are then propagated from Oracle Identity Governance to the target system.

Reconciliation does not involve SAP GRC Access Risk Analysis. Account data added or modified through provisioning operations performed directly on the target system can be reconciled into Oracle Identity Governance.

In this guide, the phrase configuring SoD is used to mean configuring the integration between Oracle Identity Governance and SAP GRC Access Risk Analysis.

Figure 1-3 shows data flow in this mode of the connector.

Figure 1-3 Data Flow During the SoD Validation Process

Description of Figure 1-3 follows
Description of "Figure 1-3 Data Flow During the SoD Validation Process"

The steps performed during a provisioning operation can be summarized as follows:

  1. The provisioning operation is initiated through direct provisioning, request-based provisioning, or an access policy change.

  2. The resource approval workflow of Oracle Identity Governance sends this request to the SoD engine (SAP GRC Access Risk Analysis).

  3. The SoD engine uses predefined rules to check if the entitlement assignment would lead to SoD violations. The outcome of this check is then sent back to Oracle Identity Governance.

  4. If the request fails SoD validation, then the approval workflow can be configured to take remediation steps. If the request passes SoD validation and if the approver in Oracle Identity Governance approves the request, then the resource provisioning workflow is initiated.

  5. This resource provisioning workflow can be configured to perform the SoD validation again. This is to ensure SoD compliance of the entitlement assignment immediately before the entitlement assignment is provisioned to the target system. You can also configure the SoD validation check in the resource provisioning workflow to be bypassed if this validation has been passed in the resource approval workflow.

  6. The resource provisioning workflow performs the required change on the target system, and the outcome of the operation is sent back to and stored in Oracle Identity Governance.
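The six-step flow above, modelled as an added example that is neither the connector's nor SAP GRC's own code. It evaluates a constructed rule set against the entitlements the user would hold after the request (the preventive simulation), approves, and then shows why step 5 exists: when an entitlement is granted directly on the target between approval and provisioning, the re-validation catches the resulting conflict, and the bypass lets it through. The rule identifiers, entitlement names and the 'revalidate' switch are assumptions for illustration.

```python
"""Added example (not the connector's or SAP GRC's own code): a model of the SoD
validation flow above with the optional re-validation immediately before
provisioning. Rule IDs, entitlement names and the 'revalidate' switch are assumed."""

# Constructed rule set: pairs of entitlements one user must never hold together.
SOD_RULES = {
    "R001": ("AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"),
    "R002": ("PO_CREATE", "GOODS_RECEIPT_POST"),
}


def sod_check(existing, requested, rules=SOD_RULES):
    """Preventive simulation: evaluate every rule against the entitlements the
    user would hold if the request were granted, not only the requested ones."""
    simulated = set(existing) | set(requested)
    return sorted(rule_id for rule_id, (a, b) in rules.items()
                  if a in simulated and b in simulated)


def process_request(user, requested, target, approve, revalidate=True,
                    after_approval=None, rules=SOD_RULES):
    """Steps 2 to 6 of the flow. `target` is a dict user -> set of entitlements
    standing in for the target system; `after_approval` simulates changes made
    directly on the target between approval and provisioning."""
    existing = target.setdefault(user, set())
    violations = sod_check(existing, requested, rules)           # steps 2 and 3
    if violations:
        return {"outcome": "rejected_sod_approval", "violations": violations}
    if not approve(user, requested):                              # step 4
        return {"outcome": "rejected_by_approver", "violations": []}
    if after_approval is not None:
        after_approval(target)
    if revalidate:                                                # step 5
        violations = sod_check(target[user], requested, rules)
        if violations:
            return {"outcome": "rejected_sod_provisioning", "violations": violations}
    target[user].update(requested)                                # step 6
    return {"outcome": "provisioned", "violations": [],
            "entitlements": sorted(target[user])}


def always_approve(user, requested):
    """Stand-in for the Oracle Identity Governance approver."""
    return True


def run_scenarios():
    """Constructed cases: a clean request, a conflict caught at approval, and
    entitlement drift on the target between approval and provisioning, once
    with re-validation and once with the bypass."""
    results = {}
    t = {"JDOE": {"PO_CREATE"}}
    results["clean"] = process_request("JDOE", {"AP_VENDOR_MAINTAIN"}, t, always_approve)
    t = {"ASMITH": {"AP_PAYMENT_RELEASE"}}
    results["conflict"] = process_request("ASMITH", {"AP_VENDOR_MAINTAIN"}, t, always_approve)

    def drift(target):  # the conflicting entitlement is granted directly on the target
        target["BLEE"].add("AP_PAYMENT_RELEASE")

    t = {"BLEE": set()}
    results["drift_revalidated"] = process_request(
        "BLEE", {"AP_VENDOR_MAINTAIN"}, t, always_approve, after_approval=drift)
    t = {"BLEE": set()}
    results["drift_bypassed"] = process_request(
        "BLEE", {"AP_VENDOR_MAINTAIN"}, t, always_approve, revalidate=False, after_approval=drift)
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The bypass the guide allows in step 5 is a time-of-check to time-of-use trade-off: it saves a round trip to the SoD engine at the price of trusting that nothing changed on the target since approval. In an environment where administrators also edit accounts directly through the SAP User Management Engine UI, keep the re-validation on.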

1.4.4 User Management with Both SoD and Access Request Management

If both SAP GRC Access Risk Analysis and Access Request Management are configured in your SAP operating environment, then configure both the SoD and the Access Request Management features of the connector only if the two modules are configured discretely, that is, Access Request Management is not linked to Access Risk Analysis.

Note:

If SAP GRC Access Request Management is configured to send provisioning requests to SAP GRC Access Risk Analysis for SoD validation, then you must not configure the SoD feature of the connector.

Summary of Account Management Process when SAP GRC Access Risk Analysis and SAP GRC Access Request Management are Enabled:
  1. Data from a provisioning operation on Oracle Identity Governance is first sent to the SAP GRC Access Risk Analysis module for SoD validation.

  2. After the SoD validation checks are cleared, the provisioning request is sent to SAP GRC Access Request Management.

  3. After the SAP GRC Access Request Management workflow clears the request, the provisioning request is implemented on the target system.

  4. Scheduled tasks run from Oracle Identity Governance reconcile the outcome of the operation from the target system into Oracle Identity Governance.

1.4.5 Guidelines on Using a Deployment Configuration

These are the guidelines that you must apply while using a deployment configuration.

When you integrate Oracle Identity Manager with your SAP operating environment, you might have one of the following requirements in mind:

  • Use Oracle Identity Manager as the provisioning source for account management on SAP resources.

  • Leverage workflows and access policies configured in SAP BusinessObjects AC Access Request Management, with Oracle Identity Manager as the provisioning source for account management on SAP resources.

  • Use SAP BusinessObjects AC Access Risk Analysis for SoD enforcement and SAP BusinessObjects AC Access Request Management for user approval of provisioning requests sent through Oracle Identity Manager. Overall account management on SAP resources is performed through Oracle Identity Manager.

The following sections describe guidelines on the supported deployment configurations:

Note:

There are no special guidelines for the Basic User Management configuration and the User Management Engine with SoD configuration.

1.4.5.1 User Management Engine with SoD and Access Request Management

The following are deployment guidelines that you must apply for a scenario in which SAP BusinessObjects AC Access Risk Analysis and SAP BusinessObjects AC Access Request Management are enabled and discretely configured modules:

  • Configure both SoD and Access Request Management features of the connector.

  • On SAP BusinessObjects AC Access Request Management, configure the no-stage approval for account creation. In other words, account creation requests must be auto-approved on Access Request Management.

    If a role or profile is provisioned on Oracle Identity Manager but rejected on SAP BusinessObjects AC Access Request Management, then the role or profile is revoked from Oracle Identity Manager at the end of the next user reconciliation run. Therefore, you can have approval workflows defined for role provisioning requests on SAP BusinessObjects AC Access Request Management.

1.4.5.2 Summary of Account Management Process when SAP BusinessObjects AC Access Risk Analysis and SAP BusinessObjects AC Access Request Management are Enabled

Summary of the account management process:

  1. Data from a provisioning operation on Oracle Identity Manager is first sent to the SAP BusinessObjects AC Access Risk Analysis module for SoD validation.

  2. After the SoD validation checks are cleared, the provisioning request is sent to SAP BusinessObjects AC Access Request Management.

  3. After the SAP BusinessObjects AC Access Request Management workflow clears the request, the provisioning request is implemented on the target system.

  4. Scheduled tasks run from Oracle Identity Manager reconcile the outcome of the operation from the target system into Oracle Identity Manager.

1.4.5.3 User Management with Access Request Management

The following are deployment guidelines that you must apply for a scenario in which SAP BusinessObjects AC Access Request Management is configured and enabled in your SAP operating environment:

Note:

SAP BusinessObjects AC Access Risk Analysis is either configured as a linked module of SAP BusinessObjects AC Access Request Management or it is not used at all.

  • On SAP BusinessObjects AC Access Request Management, configure the no-stage approval for account creation. In other words, account creation requests must be auto-approved on Access Request Management.

    The scenario described earlier in this section explains this guideline.

  • Configure the Access Request Management feature of the connector.

  • Do not configure the SoD feature of the connector.

1.4.5.4 Summary of Account Request Management when SAP BusinessObjects AC Access Request Management is Configured and Enabled in your SAP Operating Environment

Summary of the account management process:

  1. Data from a provisioning operation on Oracle Identity Manager is sent to SAP BusinessObjects AC Access Request Management.

  2. The workflow defined in SAP BusinessObjects AC Access Request Management sends the request to the SAP BusinessObjects AC Access Risk Analysis module for SoD validation.

  3. After the SoD validation checks are cleared, the provisioning request is implemented on the target system.

  4. Scheduled tasks run from Oracle Identity Manager reconcile the outcome of the operation from the target system into Oracle Identity Manager.

1.4.6 Considerations to Be Addressed When You Enable Access Request Management

These are the considerations you must keep in mind when you enable the Access Request Management feature of the connector.

  • Multiple requests are generated from Oracle Identity Manager in response to some provisioning operations. For example, if you assign multiple roles to a user in a particular provisioning operation, then one request is created and sent to Access Request Management for each role.

  • For a particular account, Oracle Identity Manager keeps track of the latest request only. This means, for example, if more than one attribute of an account has been modified in separate provisioning operations, then Oracle Identity Manager keeps track of data related to the last operation only.

  • A Modify User operation can involve changes to multiple process form fields or child form fields. For each field that is modified, one request is created and sent to SAP BusinessObjects AC Access Request Management. Only information about the last request sent to Access Request Management is stored in Oracle Identity Manager.

  • Only parent or child form requests can be submitted in a single operation. You cannot submit both parent and child form requests at the same time.

1.5 Features of the Connector

The features of the connector include SoD validation of entitlement requests, full reconciliation, limited reconciliation, and additional features such as support for multiple data sources and support for remote role assignment in a federated portal network.

The following are features of the connector:

1.5.1 Routing of Provisioning Requests Through SAP BusinessObjects AC Access Request Management

You can configure the connector to work with SAP BusinessObjects AC Access Request Management. See User Management with Access Request Management for detailed information about this feature.

1.5.2 SoD Validation of Entitlement Requests

The connector supports the SoD feature introduced in Oracle Identity Manager release 9.1.0.2. The following are the focal points of this software update:

  • The SoD Invocation Library (SIL) is bundled with Oracle Identity Manager. The SIL acts as a pluggable integration interface with any SoD engine.

  • The connector can be configured to work with SAP BusinessObjects AC as the SoD engine. To enable this, changes have been made in the approval and provisioning workflows of the connector.

    Note:

    The default approval workflow and associated object form are configured for the SoD validation capabilities of SAP BusinessObjects AC. You can use them to develop your own approval workflows and object forms.

    In Oracle Identity Manager release 11.1.1, object forms have been replaced by request datasets. A request dataset is an XML file that specifies information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. The default approval workflow and associated request dataset are configured for the SoD validation capabilities of SAP BusinessObjects AC. You can use them to develop your own approval workflows and request datasets.

  • The SoD engine processes role entitlement requests that are sent through the connector. This preventive simulation approach helps identify and correct potentially conflicting assignment of entitlements to a user, before the requested entitlements are granted to users.

See Also:

Configuring SoD (Segregation of Duties) in this guide

Note:

If you are using the connector with SoD, ensure that you request entitlements from the Entitlements tab.

1.5.3 Full Reconciliation

Note:

The SPML UME API cannot be queried for only those records whose Last Modified Date is later than a specified date. Therefore, the connector cannot support incremental reconciliation. This point is also mentioned in Connector Limitations Related to Features of the Target System.

In full reconciliation, all records are fetched from the target system to Oracle Identity Manager. During reconciliation, an SPML request is sent to the target system to fetch user accounts with user IDs that start with valid characters allowed in SAP. See the logonNameInitialSubstring entry in the Table 2-3 for a list of all valid characters.

During full reconciliation, a single reconciliation event is generated for each target system account.

1.5.4 Limited (Filtered) Reconciliation

To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.

See Limited Reconciliation for more information.

1.5.5 Enabling and Disabling Accounts

Valid From and Valid Through are two user attributes on the target system. For a particular user in SAP, if the Valid Through date is earlier than the current date, then the account is in the Disabled state. Otherwise, the account is in the Enabled state. The same behavior is duplicated in Oracle Identity Manager through reconciliation. In addition, through a provisioning operation you can set the Valid Through date to the current date or to a date in the past.

Note:

The Enabled or Disabled state of an account is not related to the Locked or Unlocked status of the account.

1.5.6 Support for Multiple Data Sources

The SAP User Management Engine connector can be configured and used for provisioning and reconciling user-related data to and from multiple data sources such as Lightweight Directory Access Protocol (LDAP) directories, system database of the SAP NetWeaver Application Server Java, and user management of an Application Server ABAP. In other words, this connector can be configured for performing user management operations from user management engines irrespective of the data source configuration.

1.5.7 Support for Remote Role Assignment in Federated Portal Network

Federated Portal Network (FPN) allows organizations with multiple portals, SAP and non-SAP, to share content between independent portals. In an FPN, producer portals hold and run the applications, and the consumer portal manages the redirect to the producer portals. In an FPN configuration, content can be shared throughout the network by using the Remote Role Assignment content usage mode, which enables the consumer to assign roles offered by a producer. The SAP User Management Engine connector can be used to support Remote Role Assignment in an FPN configuration.

1.5.8 Transformation and Validation of Account Data

You can configure validation of account data that is brought into or sent from Oracle Identity Manager during reconciliation and provisioning. In addition, you can configure transformation of account data that is brought into Oracle Identity Manager during reconciliation. The following sections provide more information:

1.5.9 Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations

You can specify a list of accounts that must be excluded from all reconciliation and provisioning operations. Accounts whose user IDs you specify in the exclusion list are not affected by reconciliation and provisioning operations.

Lookup Definitions for Exclusion Lists describes the lookup definitions where you specify the user IDs to be excluded during reconciliation and provisioning operations.

Setting Up the Lookup Definitions for Exclusion Lists describes the procedure to add entries in these lookup definitions.

1.5.10 Support for Bulk Update of Attributes

The connector supports the bulk update of attributes. That is, the connector allows you to update multiple attributes in one operation. With earlier connectors, you could update only one attribute at a time. However, if you specify an invalid value for any of the attributes, none of the attributes are updated. The entire update operation is unsuccessful, and an error is returned. You must then correct any errors in the attribute values and repeat the bulk update operation.

1.6 Lookup Definitions Used During Connector Operations

Lookup definitions used during reconciliation and provisioning are preconfigured. Preconfigured lookup definitions are automatically created in Oracle Identity Manager after you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.

Lookup definitions used during connector operations can be categorized as follows:

1.6.1 Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Role lookup field to select a role from the list of roles defined on the target system. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

Note:

The target system allows you to use special characters in lookup fields. However, in Oracle Identity Manager, special characters are not supported in lookup definitions.

The following lookup definitions are populated with values fetched from the target system by the scheduled jobs for lookup field synchronization:

  • Lookup.SAPUME.UM.Group

  • Lookup.SAPUME.UM.Role

The SAP UME Group Lookup Reconciliation and SAP UME Role Lookup Reconciliation scheduled jobs synchronize the values of these lookup definitions with the target system. Scheduled Job for Lookup Field Synchronization provides more information about these scheduled jobs.

After lookup definition synchronization, data is stored in the following format:

  • Code Key format: IT_RESOURCE_KEY~LOOKUP_FIELD_ID

    In this format:

    • IT_RESOURCE_KEY is the numeric code assigned to the IT resource in Oracle Identity Manager.

    • LOOKUP_FIELD_ID is the target system code assigned to the lookup field entry, which is in the following format:

      OBJ_CLASS_NAME.DATASOURCE_NAME.AUTO_GEN_VALUE

      In this format:

      OBJ_CLASS_NAME is the name of the object class. For groups, the object class name is GRUP. Similarly, the object class name for roles is ROLE.

      DATASOURCE_NAME is name of the data source on the target system from which values are being fetched.

      AUTO_GEN_VALUE is the auto generated value.

    Sample value: 1~ROLE.UME_ROLE_PERSISTENCE.un:SAP_SLD_CONFIGURATOR

  • Decode format: IT_RESOURCE_NAME~LOOKUP_FIELD_ENTRY

    In this format:

    • IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Manager.

    • LOOKUP_FIELD_ENTRY is the value or description of the lookup field entry on the target system.

    Sample value: SAPUME IT Resource~Configurator role

While performing a provisioning operation in Oracle Identity Self Service, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup fields on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select.

During lookup field synchronization, new entries are appended to the existing set of entries in the lookup definitions. Because the IT resource key is part of each entry created in each lookup definition, only lookup field entries that are specific to the IT resource you select during a provisioning operation are displayed.
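The following Python example, added here and not part of the Oracle connector, parses entries in the Code Key and Decode formats described above and filters them by IT resource key the way the process form does. The sample value from this section is used as-is; the other entries and the IT resource name SAPUME QA IT Resource are assumed values for illustration.

```python
"""Parse and filter SAP UME lookup entries written by lookup field synchronization.
Illustrative code, not part of the Oracle connector."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LookupEntry:
    it_resource_key: int    # IT_RESOURCE_KEY: numeric key of the IT resource
    it_resource_name: str   # IT_RESOURCE_NAME: from the Decode
    object_class: str       # OBJ_CLASS_NAME: ROLE or GRUP
    datasource: str         # DATASOURCE_NAME on the target system
    auto_gen_value: str     # AUTO_GEN_VALUE, e.g. un:SAP_SLD_CONFIGURATOR
    label: str              # LOOKUP_FIELD_ENTRY: the value shown to the user


def parse_entry(code_key: str, decode: str) -> LookupEntry:
    """Split IT_RESOURCE_KEY~OBJ_CLASS_NAME.DATASOURCE_NAME.AUTO_GEN_VALUE and
    IT_RESOURCE_NAME~LOOKUP_FIELD_ENTRY into their components."""
    key_str, tilde, field_id = code_key.partition("~")
    if not tilde or not key_str.isdigit():
        raise ValueError(f"Code Key lacks a numeric IT resource key: {code_key!r}")
    # Only the first two dots are separators; AUTO_GEN_VALUE may itself contain dots.
    parts = field_id.split(".", 2)
    if len(parts) != 3:
        raise ValueError(f"LOOKUP_FIELD_ID is not OBJ_CLASS.DATASOURCE.VALUE: {field_id!r}")
    object_class, datasource, auto_gen_value = parts
    if object_class not in ("ROLE", "GRUP"):
        raise ValueError(f"Unexpected object class {object_class!r} in {code_key!r}")
    it_resource_name, tilde, label = decode.partition("~")
    if not tilde:
        raise ValueError(f"Decode lacks IT_RESOURCE_NAME~LOOKUP_FIELD_ENTRY: {decode!r}")
    return LookupEntry(int(key_str), it_resource_name, object_class,
                       datasource, auto_gen_value, label)


def entries_for_it_resource(lookup: dict, it_resource_key: int) -> list:
    """Return the entries the process form offers for one IT resource. The IT
    resource key embedded in every Code Key is what keeps entries from
    different target system installations apart in a shared lookup."""
    return [e for e in (parse_entry(k, v) for k, v in lookup.items())
            if e.it_resource_key == it_resource_key]


def append_synchronized(existing: dict, fetched: dict) -> dict:
    """Mirror the append-only synchronization described above: fetched entries
    that are not yet present are added; existing entries, including those for
    other IT resources, are left in place."""
    merged = dict(existing)
    for code_key, decode in fetched.items():
        parse_entry(code_key, decode)  # reject malformed entries before storing them
        merged.setdefault(code_key, decode)
    return merged


# Constructed sample data: the first entry is the sample value from this guide;
# the remaining entries are assumed values for a second IT resource.
SAMPLE_ROLE_LOOKUP = {
    "1~ROLE.UME_ROLE_PERSISTENCE.un:SAP_SLD_CONFIGURATOR": "SAPUME IT Resource~Configurator role",
    "1~ROLE.UME_ROLE_PERSISTENCE.un:Administrator": "SAPUME IT Resource~Administrator",
    "2~ROLE.UME_ROLE_PERSISTENCE.un:Guest": "SAPUME QA IT Resource~Guest",
}

if __name__ == "__main__":
    for entry in entries_for_it_resource(SAMPLE_ROLE_LOOKUP, 1):
        print(entry.object_class, entry.datasource, entry.auto_gen_value, "->", entry.label)
```

Splitting LOOKUP_FIELD_ID on the first two dots only matters because the auto-generated value is opaque: a role or group name containing a dot would otherwise be cut in half.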

1.6.2 Preconfigured Lookup Definitions

This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. The other lookup definitions are as follows:

1.6.2.1 Lookup.SAPUME.Configuration

The Lookup.SAPUME.Configuration lookup definition holds connector configuration entries that are used during reconciliation and provisioning operations.

Table 1-2 lists the default entries in this lookup definition.

Table 1-2 Entries in the Lookup.SAPUME.Configuration Lookup Definition

Code Key Decode Description

Bundle Name

org.identityconnectors.sapume

This entry holds the name of the connector bundle package. Do not modify this entry.

Bundle Version

1.0.111100

This entry holds the version of the connector bundle class. Do not modify this entry.

Connector Name

org.identityconnectors.sapume.SAPUMEConnector

This entry holds the name of the connector class. Do not modify this entry.

entitlementRiskAnalysisAccessURL

None

This entry holds the WSDL URL for the Entitlement Risk Analysis web service.

entitlementRiskAnalysisWS

oracle.iam.grc.sod.scomp.impl.grcsap.util.webservice.sap.ac10.RiskAnalysisWithoutNo

Web service client to perform risk analysis without request number

Group attribute name

GROUPNAME

Name of the group duty type used in SIL

Group form names

UD_UME_GRP

List of all group child form names used during direct and request-based provisioning

RoleAttributeLabel

Role

Label name of the role ID field in the child form

Role attribute name

ROLENAME

Name of the role duty type used in SIL

Role form names

UD_UMERC_P;UD_UME_ROLE

List of all role child form names used during direct and request-based provisioning

SOD Configuration lookup

Lookup.SAPUME.Configuration

This entry holds the name of the lookup definition that contains SoD configuration properties.

SODSystemKey

None

Specify the name of the computer hosting the SAP UME connector from the Lookup.SAPUME.ReqInitSystem lookup definition.

User Configuration Lookup

Lookup.SAPUME.UM.Configuration

This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry.

wsdlFilePath

<wsdl file directory>

Enter the absolute path of the directory containing the following file on your local machine:

GRAC_RISK_ANALYSIS_WOUT_NO_WS.WSDL

Note: If you are using a Connector Server, copy the WSDL file to the system running the Connector Server and enter the path of the directory as it is seen on that system.

1.6.2.2 Lookup.SAPUME.UM.Configuration

As discussed earlier, the Lookup.SAPUME.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations.

Table 1-3 lists the default entries in this lookup definition.

Table 1-3 Entries in the Lookup.SAPUME.UM.Configuration Lookup Definition

Code Key Decode Description

Provisioning Attribute Map

Lookup.SAPUME.UM.ProvAttrMap

This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.SAPUME.UM.ProvAttrMap for more information about this lookup definition.

Recon Attribute Map

Lookup.SAPUME.UM.ReconAttrMap

This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.SAPUME.UM.ReconAttrMap for more information about this lookup definition.

Recon Transformation Lookup

Lookup.SAPUME.UM.ReconTransformation

This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During User Reconciliation for more information about adding entries in this lookup definition.

Recon Validation Lookup

Lookup.SAPUME.UM.ReconValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

Provisioning Validation Lookup

Lookup.SAPUME.UM.ProvValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

Provisioning Exclusion List

Lookup.SAPUME.UM.ProvExclusionList

This entry is optional. You can enable exclusions during provisioning operations by adding this entry.

This entry holds the name of the lookup definition that is used to specify exclusions during provisioning. See Lookup Definitions for Exclusion Lists for more information about adding entries in this lookup definition.

Recon Exclusion List

Lookup.SAPUME.UM.ReconExclusionList

This entry is optional. You can enable exclusions during reconciliation operations by adding this entry.

This entry holds the name of the lookup definition that is used to specify exclusions during reconciliation. See Lookup Definitions for Exclusion Lists for more information about adding entries in this lookup definition.

1.6.2.3 Lookup.SAPUME.UM.ProvAttrMap

The Lookup.SAPUME.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning. This lookup definition is preconfigured. Table 1-12 lists the default entries.

You can add entries to this lookup definition if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.

1.6.2.4 Lookup.SAPUME.UM.ReconAttrMap

The Lookup.SAPUME.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured. Table 1-8 lists the default entries.

You can add entries to this lookup definition if you want to map new target system attributes for reconciliation. See Extending the Functionality of the Connector for more information.

1.6.2.5 Lookup.SAPUME.UM.ReconValidation

The Lookup.SAPUME.UM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

1.6.2.6 Lookup.SAPUME.UM.ReconTransformation

The Lookup.SAPUME.UM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During User Reconciliation for more information about adding entries in this lookup definition.

1.6.2.7 Lookup.SAPUME.UM.ProvValidation

The Lookup.SAPUME.UM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

1.6.2.8 Lookup.SAPUME.UM.SecurityPolicy

The Lookup.SAPUME.UM.SecurityPolicy lookup definition holds information about security policies that you can select for a user account that you create through Oracle Identity Manager. This lookup definition is preconfigured. You cannot add or modify entries in this lookup definition.

1.6.2.9 Lookup.SAPUME.UM.RoleChildformMappings

The Lookup.SAPUME.UM.RoleChildformMappings lookup definition contains information about the actual and dummy child form mapped fields that are used during request-based provisioning of role entitlements. This lookup definition is preconfigured. Do not add or modify entries in this lookup definition.

If you are using a cloned connector for request-based provisioning of entitlements, then you must update the respective child form field names manually in this lookup definition.

This lookup definition contains the following entries:

Code Key: UD_UMERC_P_DATASOURCE
Decode: UD_UME_ROLE_DATASOURCE

Code Key: UD_UMERC_P_ROLENAME
Decode: UD_UME_ROLE_ROLENAME

1.6.2.10 Lookup.SAPUME.UM.RoleDatasource

The Lookup.SAPUME.UM.RoleDatasource lookup definition holds data source names of the role object class that you can select for a user account that you create through Oracle Identity Manager. See Setting Up the Lookup.SAPUME.UM.RoleDataSource Lookup Definition for more information.

1.6.2.11 Lookup.SAPUME.UM.GroupDatasource

The Lookup.SAPUME.UM.GroupDatasource lookup definition holds data source names of the group object class that you can select for a user account that you create through Oracle Identity Manager. See Setting Up the Lookup.SAPUME.UM.GroupDataSource Lookup Definition for more information.

1.6.2.12 Lookup.SAPUME.UM.TimeZone

The Lookup.SAPUME.UM.TimeZone lookup definition contains information about time zones that you can select for a user account that you create through Oracle Identity Manager. This lookup definition is preconfigured. You cannot add or modify entries in this lookup definition.

1.6.2.13 Lookup.SAPUME.UM.Lock

The Lookup.SAPUME.UM.Lock lookup definition contains information about statuses (lock or unlock) that you can select for a user account that you create through Oracle Identity Manager. This lookup definition is preconfigured. You cannot add or modify entries in this lookup definition.

1.6.2.14 Lookup.SAPUME.UM.Locale

The Lookup.SAPUME.UM.Locale lookup definition contains information about locales that you can select for a user account that you create through Oracle Identity Manager.

1.6.2.15 Lookup.SAPUME.UM.Country

The Lookup.SAPUME.UM.Country lookup definition contains information about countries that you can select for a user account that you create through Oracle Identity Manager.

1.6.2.16 Lookup.SAPUME.UM.Group

The Lookup.SAPUME.UM.Group lookup definition contains information about groups. The SAPUME Group Lookup Reconciliation scheduled job synchronizes the values of this lookup definition with the target system.

1.6.2.17 Lookup.SAPUME.UM.Role

The Lookup.SAPUME.UM.Role lookup definition contains information about roles. The SAPUME Role Lookup Reconciliation scheduled job synchronizes the values of this lookup definition with the target system.

1.6.2.18 Lookup Definitions for Exclusion Lists

The Lookup.SAPUME.UM.ProvExclusionList and Lookup.SAPUME.UM.ReconExclusionList lookup definitions hold user IDs of target system accounts for which you do not want to perform provisioning and reconciliation operations, respectively.

Note:

The Lookup.SAPUME.UM.ProvExclusionList and Lookup.SAPUME.UM.ReconExclusionList lookup definitions are optional and do not exist by default.

You must add these lookups to the Lookup.SAPUME.UM.Configuration lookup definition to enable exclusions during provisioning and reconciliation operations. See Lookup.SAPUME.UM.Configuration for more information.

The following is the format of the values stored in these lookups:

Code Key Decode Sample Values

Logon Name resource object field name

User ID of a user

Code Key: Logon Name

Decode: User001

Logon Name resource object field name with the [PATTERN] suffix

A regular expression supported by the representation in the java.util.regex.Pattern class

Code Key: Logon Name[PATTERN]

To exclude the users whose IDs are User001, User002, or User088:

Decode: User001|User002|User088

To exclude users whose user IDs start with 00012:

Decode: ^00012.*

Note: In java.util.regex, the asterisk repeats only the character that precedes it. The pattern 00012* therefore matches 0001, 00012, 000122, and so on, but not 000123. Use ^00012.* to match every ID that begins with 00012. Patterns are case-sensitive unless the expression says otherwise.

See Also: For information about the supported patterns, visit http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html

Setting Up the Lookup Definitions for Exclusion Lists describes the procedure to add entries in these lookup definitions.
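The following Python example, added here and not part of the Oracle connector, evaluates an exclusion list containing an exact Logon Name entry and a Logon Name[PATTERN] entry, and shows the quantifier pitfall described above. It assumes that a pattern must match the whole logon name, as java.util.regex Matcher.matches() does; Python's re.fullmatch is used as the equivalent. The sample entries, including the SAP_.* alternative, are constructed for illustration.

```python
"""Evaluate an SAP UME exclusion list with exact and [PATTERN] entries.
Illustrative code, not part of the Oracle connector."""
import re
from typing import Iterable, List, Tuple


def compile_exclusions(entries: Iterable[Tuple[str, str]], field: str = "Logon Name"):
    """Split lookup entries into a set of exact IDs and a list of compiled patterns.
    Code Key is the resource object field name, optionally suffixed with [PATTERN];
    Decode is a user ID or a regular expression."""
    exact = set()
    patterns = []
    for code_key, decode in entries:
        if code_key == field:
            exact.add(decode)
        elif code_key == f"{field}[PATTERN]":
            patterns.append(re.compile(decode))
        # Entries for other fields are not relevant to this check and are skipped.
    return exact, patterns


def is_excluded(logon_name: str, exact: set, patterns: list) -> bool:
    """True when the account must be skipped by reconciliation and provisioning.
    Assumption (not stated in the guide): a pattern has to match the whole
    logon name, as Matcher.matches() would; re.fullmatch is the equivalent."""
    if logon_name in exact:
        return True
    return any(p.fullmatch(logon_name) for p in patterns)


def excluded_ids(pattern: str, candidates: Iterable[str]) -> List[str]:
    """Which of the candidate IDs a single [PATTERN] Decode value would exclude."""
    rx = re.compile(pattern)
    return [c for c in candidates if rx.fullmatch(c)]


# Constructed sample list in the Code Key / Decode format described above.
# Several rules go into one [PATTERN] entry as an alternation.
SAMPLE_EXCLUSIONS = [
    ("Logon Name", "User001"),
    ("Logon Name[PATTERN]", "User001|User002|User088|SAP_.*"),  # SAP_.*: assumed technical accounts
]

# Constructed IDs for the quantifier pitfall: 00012* means "0001 followed by
# any number of 2s", not "begins with 00012".
NUMERIC_IDS = ["0001", "00012", "000122", "000123", "100012"]

if __name__ == "__main__":
    exact, patterns = compile_exclusions(SAMPLE_EXCLUSIONS)
    for uid in ["User001", "User002", "User003", "SAP_JAVA", "sap_java"]:
        print(f"{uid}: excluded={is_excluded(uid, exact, patterns)}")
    print("00012*   ->", excluded_ids("00012*", NUMERIC_IDS))
    print("^00012.* ->", excluded_ids("^00012.*", NUMERIC_IDS))
```

Running the two patterns over the constructed IDs shows why the distinction matters for an exclusion list: an account that the pattern silently fails to cover is reconciled and provisioned like any other, while an overly broad pattern leaves real accounts unmanaged.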

1.6.3 Preconfigured Lookup Definitions for SAP BusinessObjects AC 10

This section discusses the lookup definitions for SAP BusinessObjects AC 10 that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.

The lookup definitions are as follows:

1.6.3.1 Lookup.SAPAC10UME.Configuration

The Lookup.SAPAC10UME.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.

Table 1-4 lists the default entries in this lookup definition.

Table 1-4 Entries in the Lookup.SAPAC10UME.Configuration Lookup Definition

Code Key Decode Description

appLookupAccessURL

None

WSDL URL for Application Lookup web service

appLookupWS

oracle.iam.ws.sap.ac10.SelectApplication

Web service client to get all applications configured in SAP BusinessObjects AC

assignRoleReqType

002~Change Account~002~006

Name of the request type to be used for assign role request in SAP BusinessObjects AC

auditLogsAccessURL

None

WSDL URL for Audit Logs web service

auditLogsWS

oracle.iam.ws.sap.ac10.AuditLogs

Web service client to get audit logs

Bundle Name

org.identityconnectors.sapacume

Name of the connector bundle package

Bundle Version

1.0.111100

Version of the connector bundle class

Connector Name

org.identityconnectors.sapacume.SAPACUMEConnector

Name of the connector class

ConnectorImplType

SAPUME

Enter this value to enable SAP UME roles in SOD

createUserReqType

001~New Account~001

Name of the request type to use for create user request in SAP BusinessObjects AC

deleteUserReqType

003~Delete Account~003

Name of the request type to use for delete user request in SAP BusinessObjects AC

ignoreOpenStatus

Yes

Specify whether new requests can be sent for a particular user, even if the last request for the user is in the Open status

lockUserReqType

004~Lock Account~004

Name of the request type to use for lock user request in SAP BusinessObjects AC

logAuditTrial

Yes

Specify whether a complete audit trail must be logged whenever the request status web service is invoked

modifyUserReqType

002~Change Account~002

Name of the request type to use for modify user request in SAP BusinessObjects AC

otherLookupAccessURL

None

WSDL URL for Other Lookup web service

otherLookupWS

oracle.iam.ws.sap.ac10.SearchLookup

Web service client to get other lookup field details

provActionAttrName

provAction;ReqLineItem

Name of the Provision Action target system attribute

provItemActionAttrName

provItemAction;ReqLineItem

Name of the Provision Item Action target system attribute

removeRoleReqType

002~Change Account~002~009

Name of the request type to use for remove role request in SAP BusinessObjects AC

requestStatusAccessURL

None

WSDL URL for Status Request web service

requestStatusValue

OK

This entry is used by the SAP UME AC Request Status schedule job to update status in the process form.

requestStatusWS

oracle.iam.ws.sap.ac10.RequestStatus

Web service client to get status of provisioning request

requestTypeAttrName

Reqtype;Header

Name of the request type attribute used to differentiate request flows from the SAPUMCREATE adapter

RiskLevel

High

In SAP BusinessObjects AC, each business risk is assigned a criticality level. You can control the risk analysis data returned by SAP BusinessObjects by specifying a risk level.

roleLookupAccessURL

None

WSDL URL for Role Lookup web service

roleLookupWS

oracle.iam.ws.sap.ac10.SearchRoles

Web service client to get all roles

Status Configuration

Lookup.SAPACUME.Status.Configuration

Name of the lookup definition that holds status configuration entries

unlockUserReqType

005~unlock user~005

Name of the request type to use for unlock user request in SAP BusinessObjects AC

userAccessAccessURL

None

WSDL URL for User Access web service

userAccessWS

oracle.iam.ws.sap.ac10.UserAccess

Web service client to get status of user access

User Configuration Lookup

Lookup.SAPAC10UME.UM.Configuration

Name of the lookup definition that contains user-specific configuration properties

wsdlFilePath

WSDL file directory

Enter the absolute path of the directory containing the following files on your local machine:

  • GRAC_AUDIT_LOGS_WS
  • GRAC_LOOKUP_WS
  • GRAC_REQUEST_STATUS_WS
  • GRAC_SELECT_APPL_WS
  • GRAC_USER_ACCESS_WS

Note: If you are using a Connector Server, copy the WSDL files to the system running the Connector Server and enter the path of the directory as it is seen on that system.

1.6.3.2 Lookup.SAPAC10UME.UM.Configuration

The Lookup.SAPAC10UME.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.

Table 1-5 lists the default entries in this lookup definition.

Table 1-5 Entries in the Lookup.SAPAC10UME.UM.Configuration Lookup Definition

Code Key Decode Description

Provisioning Attribute Map

Lookup.SAPAC10UME.UM.ProvAttrMap

This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.SAPAC10UME.UM.ProvAttrMap for more information about this lookup definition.

Provisioning Validation Lookup

Lookup.SAPAC10UME.UM.ProvValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

Recon Attribute Map

Lookup.SAPAC10UME.UM.ReconAttrMap

This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.SAPAC10UME.UM.ReconAttrMap for more information about this lookup definition.

Recon Transformation Lookup

Lookup.SAPAC10UME.UM.ReconTransformation

This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During User Reconciliation for more information about adding entries in this lookup definition.

Recon Validation Lookup

Lookup.SAPAC10UME.UM.ReconValidation

This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

1.6.3.3 Lookup.SAPAC10UME.UM.ProvAttrMap

The Lookup.SAPAC10UME.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning. This lookup definition is preconfigured. Table 1-6 lists the default entries.

You can add entries to this lookup definition if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.

Table 1-6 Entries in the Lookup.SAPAC10UME.UM.ProvAttrMap Lookup Definition

Code Key Decode

AC Business Process[Lookup]

bproc;Header

Accounting Number

accno;UserInfo

AC Functional Area[Lookup]

funcarea;Header

AC Manager

manager;UserInfo

AC Manager email

managerEmail;UserInfo

AC Manager First Name

managerFirstname;UserInfo

AC Manager Last Name

managerLastname;UserInfo

AC Priority[Lookup]

priority;Header

AC Request Due Date[Date]

reqDueDate;Header

AC Request Id[WRITEBACK]

RequestId

AC Requestor email

email;Header

AC Requestor ID

requestorId;Header

AC Request Reason

requestReason;Header

AC Request Status[WRITEBACK]

RequestStatus

AC Request Type[WRITEBACK]

RequestType

AC System[Lookup]

reqInitSystem;Header

City

city

Country

country

Department

department;UserInfo

E-Mail Address

email;UserInfo

End Date of Account Validity[Date]

validTo;UserInfo

Fax

fax;UserInfo

First Name

fname;UserInfo

Form of Address

personnelarea;UserInfo

Language

logonLang;UserInfo

Last Name

lname;UserInfo

Logon Name

userId;UserInfo

Mobile

personnelno;UserInfo

Name

displayname

Password

__PASSWORD__

Position

empposition;UserInfo

Security Policy

securitypolicy

Start Date of Account Validity[Date]

validFrom;UserInfo

State

state

Street

streetaddress

Telephone

telnumber;UserInfo

Time Zone

timezone

Title

title;UserInfo

UD_ACUMEGRP~Group[Lookup]

itemName;ReqLineItem

UD_ACUMEROL~Role[Lookup]

itemName;ReqLineItem

UniqueID

__UID__

User Account Locked

userLock;None

Zip

zip
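The following Python example, added here and not part of the Oracle connector, parses the Code Key and Decode conventions used in Table 1-6 (an optional child form prefix such as UD_ACUMEGRP~, the [Lookup], [Date] and [WRITEBACK] markers, and the ;Header, ;UserInfo and ;ReqLineItem section suffix) and groups the mapped fields by the AC request section they belong to. The entries are copied from Table 1-6. The reading of [WRITEBACK] as a field that is filled from the AC request rather than sent to the target is an assumption based on the three request fields that carry it.

```python
"""Parse Lookup.SAPAC10UME.UM.ProvAttrMap style mappings.
Illustrative code, not part of the Oracle connector."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Code Key: optional "<child form or multivalued attribute>~", then the form
# field label, then zero or more "[Flag]" markers such as [Lookup] or [Date].
CODE_KEY_RE = re.compile(
    r"^(?:(?P<parent>[^~\[\]]+)~)?(?P<field>[^\[\]]+?)(?P<flags>(?:\[[A-Za-z]+\])*)$"
)


@dataclass(frozen=True)
class AttrMapping:
    parent: Optional[str]    # child form (UD_ACUMEGRP) or multivalued attribute; None for the parent form
    field: str               # process form field label
    flags: Tuple[str, ...]   # Lookup, Date, WRITEBACK, ...
    attribute: str           # target system attribute, e.g. userId or __PASSWORD__
    section: Optional[str]   # AC request section after ';' (Header, UserInfo, ReqLineItem); None if absent


def parse_mapping(code_key: str, decode: str) -> AttrMapping:
    m = CODE_KEY_RE.match(code_key)
    if not m:
        raise ValueError(f"Unparseable Code Key: {code_key!r}")
    flags = tuple(re.findall(r"\[([A-Za-z]+)\]", m.group("flags")))
    attribute, semicolon, section = decode.partition(";")
    if not attribute:
        raise ValueError(f"Empty target attribute in Decode: {decode!r}")
    return AttrMapping(m.group("parent"), m.group("field"), flags,
                       attribute, section if semicolon else None)


def parse_attr_map(lookup: Dict[str, str]) -> List[AttrMapping]:
    return [parse_mapping(k, v) for k, v in lookup.items()]


def fields_by_section(lookup: Dict[str, str]) -> Dict[str, List[str]]:
    """Group form fields by AC request section. Fields with no ';Section' part
    are listed under '(no section)'; Table 1-6 also uses the literal 'None'
    for userLock, which is kept as written."""
    grouped: Dict[str, List[str]] = {}
    for mapping in parse_attr_map(lookup):
        grouped.setdefault(mapping.section or "(no section)", []).append(mapping.field)
    return grouped


def writeback_fields(lookup: Dict[str, str]) -> List[str]:
    """Fields flagged [WRITEBACK]. Assumption: these receive values from the
    AC request (ID, status, type) instead of being sent to the target."""
    return [m.field for m in parse_attr_map(lookup) if "WRITEBACK" in m.flags]


# Subset of Table 1-6, copied from this guide.
SAMPLE_PROV_ATTR_MAP = {
    "AC Priority[Lookup]": "priority;Header",
    "AC Request Due Date[Date]": "reqDueDate;Header",
    "AC Request Id[WRITEBACK]": "RequestId",
    "AC Request Status[WRITEBACK]": "RequestStatus",
    "City": "city",
    "Logon Name": "userId;UserInfo",
    "Password": "__PASSWORD__",
    "UD_ACUMEGRP~Group[Lookup]": "itemName;ReqLineItem",
    "UD_ACUMEROL~Role[Lookup]": "itemName;ReqLineItem",
    "User Account Locked": "userLock;None",
}

if __name__ == "__main__":
    for section, fields in fields_by_section(SAMPLE_PROV_ATTR_MAP).items():
        print(f"{section}: {', '.join(fields)}")
    print("write-back:", writeback_fields(SAMPLE_PROV_ATTR_MAP))
```

The same parser handles Table 1-7 style keys such as Groups~Group[Lookup], where the part before the tilde names a multivalued attribute rather than a child form; the grouping shows at a glance which new entries will travel in the AC request header, the user information block or a request line item.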

1.6.3.4 Lookup.SAPAC10UME.UM.ReconAttrMap

The Lookup.SAPAC10UME.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured. Table 1-7 lists the default entries.

You can add entries to this lookup definition if you want to map new target system attributes for reconciliation. See Extending the Functionality of the Connector for more information.

Table 1-7 Entries in the Lookup.SAPAC10UME.UM.ReconAttrMap Lookup Definition

Code Key Decode

City

city

Country

country

Department

department

E-Mail Address

email

End Date of Account Validity[Date]

validto

Fax

fax

First Name

firstname

Form of Address

salutation

Groups~Group[Lookup]

assignedgroups

Language

locale

Last Name

lastname

Logon Name

logonname

Mobile

mobile

Name

displayname

Position

jobtitle

Roles~Role[Lookup]

assignedroles

Security Policy

securitypolicy

Start Date of Account Validity[Date]

validfrom

State

state

Status

__ENABLE__

Street

streetaddress

Telephone

telephone

Time Zone

timezone

Title

title

UniqueID

id

User Account Locked

islocked

Zip

zip

1.6.3.5 Lookup.SAPAC10UME.UM.ProvValidation

The Lookup.SAPAC10UME.UM.ProvValidation lookup definition is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information.

1.6.3.6 Lookup.SAPAC10UME.UM.ReconTransformation

The Lookup.SAPAC10UME.UM.ReconTransformation lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During User Reconciliation for more information about adding entries in this lookup definition.

1.6.3.7 Lookup.SAPAC10UME.UM.ReconValidation

The Lookup.SAPAC10UME.UM.ReconValidation lookup definition is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition.

1.6.3.8 Lookup.SAPAC10UME.ItemProvAction

The Lookup.SAPAC10UME.ItemProvAction lookup definition holds the item provisioning action values obtained from the GRC system through the web service. It is populated when the corresponding scheduled job runs.

1.6.3.9 Lookup.SAPAC10UME.RequestType

The Lookup.SAPAC10UME.RequestType lookup definition holds the request type values obtained from the GRC system through the web service. It is populated when the corresponding scheduled job runs.

1.7 Connector Objects Used During Reconciliation

Connector objects such as adapters are used for performing reconciliation operations on the target system. These adapters perform reconciliation functions on the fields defined in the lookup definition for reconciliation.

The SAP UME User Recon scheduled task is used to initiate a reconciliation run. This scheduled task is discussed in Reconciliation Scheduled Jobs.

See Also:

Managing Reconciliation in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about reconciliation

This section discusses the following topics:

1.7.1 User Attributes for Reconciliation

The Lookup.SAPUME.UM.ReconAttrMap lookup definition maps resource object fields and target system attributes. This lookup definition is used for performing target resource user reconciliation runs.

Table 1-8 lists entries in this lookup definition.

Table 1-8 Entries in the Lookup.SAPUME.UM.ReconAttrMap Lookup Definition

Resource Object Field (Code Key) Target System Attribute (Decode)

City

city

Country

country

Department

department

E-Mail Address

email

End Date of Account Validity[Date]

validto

Fax

fax

First Name

firstname

Form of Address

salutation

Groups~Group[Lookup]

assignedgroups

Language

locale

Last Name

lastname

Logon Name

logonname

Mobile

mobile

Name

displayname

Position

jobtitle

Roles~Role[Lookup]

assignedroles

Security Policy

securitypolicy

Start Date of Account Validity[Date]

validfrom

State

state

Status

__ENABLE__

Street

streetaddress

Telephone

telephone

Time Zone

timezone

Title

title

Unique Id

id

User Account Locked

islocked

Zip

zip

1.7.2 Reconciliation Rules

Reconciliation rules are automatically created when you deploy the SAP UME connector.

See Also:

Reconciliation Engine in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for generic information about reconciliation matching and action rules

The following sections provide information about the reconciliation rules for this connector:

  • Reconciliation Rule

  • Viewing Reconciliation Rules in the Design Console

1.7.2.1 Reconciliation Rule

The following is the process-matching rule:

Rule name: SAPUME Recon Rule

Rule element: User Login Equals Logon Name

Note:

Perform the following procedure only after the connector is deployed. If you are using an SAP BusinessObjects AC system, use the following rule instead:

  • Rule name: SAP AC UME Recon Rule

  • Rule element: User Login Equals Logon Name

In this rule element:

  • User Login is the User ID field of the OIM User form.

  • Logon Name is the logonname of the SAP account.

1.7.2.2 Viewing Reconciliation Rules in the Design Console

After you deploy the connector, you can view the reconciliation rule by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Development Tools.
  3. Double-click Reconciliation Rules.
  4. Search for and open the SAPUME Recon Rule rule.

    Note:

    If you are using an SAP BusinessObjects AC system, search for and open the SAP AC UME Recon Rule rule instead.

    Figure 1-4 shows this reconciliation rule.

    Figure 1-4 Reconciliation Rule


1.7.3 Reconciliation Action Rules

Reconciliation action rules define the actions the connector must perform based on the reconciliation rules defined for Users.

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about setting a reconciliation action rule.

The following sections provide information about the reconciliation action rules for this connector:

  • Reconciliation Action Rules for Reconciliation

  • Viewing Reconciliation Action Rules in the Design Console

1.7.3.1 Reconciliation Action Rules for Reconciliation

Table 1-9 lists the action rules for reconciliation.

Table 1-9 Action Rules for Reconciliation

Rule Condition                  Action
One Entity Match Found          Establish Link
One Process Match Found         Establish Link
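The three pieces described above (the Lookup.SAPUME.UM.ReconAttrMap mapping, the SAPUME Recon Rule element User Login Equals Logon Name, and the Table 1-9 action rules) fit together in one flow. The following is an added example, not the connector's own code, that simulates that flow on constructed records: the OIM Users, the already linked resource instances and the target records are all invented for the example, and only a subset of the Table 1-8 entries is used.

```python
"""Added example (not the connector's own code): a simulation of the reconciliation
flow described above. It applies the Lookup.SAPUME.UM.ReconAttrMap mapping from
Table 1-8, the SAPUME Recon Rule element "User Login Equals Logon Name", and the
Table 1-9 action rules to constructed sample records."""

# Subset of Table 1-8, keyed the way reconciliation consumes it:
# target system attribute (Decode) -> resource object field (Code Key).
RECON_ATTR_MAP = {
    "logonname": "Logon Name",
    "firstname": "First Name",
    "lastname": "Last Name",
    "email": "E-Mail Address",
    "__ENABLE__": "Status",
    "islocked": "User Account Locked",
    "assignedroles": "Roles~Role[Lookup]",
    "assignedgroups": "Groups~Group[Lookup]",
}

# Constructed OIM Users, keyed by User Login (the User ID field of the OIM User form).
OIM_USERS = {"JDOE": {"First Name": "John"}, "ASMITH": {"First Name": "Anna"}}

# Constructed resource instances already linked to OIM Users: Logon Name -> owning User Login.
LINKED_RESOURCES = {"ASMITH": "ASMITH"}


def map_target_record(record):
    """Translate raw target attributes into resource object fields via the recon lookup.

    Attributes with no entry in the lookup definition are dropped, which is how
    unmapped target data is ignored.  The ICF __ENABLE__ flag is rendered as the
    Status value that appears on the resource object.
    """
    mapped = {}
    for target_attr, value in record.items():
        field_name = RECON_ATTR_MAP.get(target_attr)
        if field_name is None:
            continue
        if target_attr == "__ENABLE__":
            value = "Enabled" if value else "Disabled"
        mapped[field_name] = value
    return mapped


def evaluate_rules(mapped):
    """Return (rule condition, action, matched OIM User) for one mapped record.

    Process matching looks for an existing resource instance with the same Logon
    Name; entity matching applies "User Login Equals Logon Name" as an exact
    string comparison.  Only the two conditions in Table 1-9 carry an action;
    every other condition results in no action, as the note above states.
    """
    logon = mapped.get("Logon Name", "")
    process_matches = [owner for name, owner in LINKED_RESOURCES.items() if name == logon]
    if len(process_matches) == 1:
        return "One Process Match Found", "Establish Link", process_matches[0]
    entity_matches = [login for login in OIM_USERS if login == logon]
    if len(entity_matches) == 1:
        return "One Entity Match Found", "Establish Link", entity_matches[0]
    if entity_matches or process_matches:
        return "Multiple Matches Found", "No action", None
    return "No Match Found", "No action", None


def reconcile(records):
    """Run mapping and rule evaluation over a batch of target records."""
    return [(rec.get("logonname"),) + evaluate_rules(map_target_record(rec)) for rec in records]


# Constructed sample records, shaped like rows a SAP UME User Recon run would return.
SAMPLE_RECORDS = [
    {"logonname": "JDOE", "firstname": "John", "lastname": "Doe", "__ENABLE__": True,
     "assignedroles": ["Administrator"], "customattr": "not in the lookup"},
    {"logonname": "ASMITH", "firstname": "Anna", "__ENABLE__": False, "islocked": True},
    {"logonname": "jdoe", "firstname": "John"},  # case differs from the OIM User Login
]

if __name__ == "__main__":
    for logon, condition, action, user in reconcile(SAMPLE_RECORDS):
        print(f"{logon}: {condition} -> {action} (OIM User: {user})")
```

The third sample record is the one worth watching in a real deployment: because the rule element is an Equals comparison, a logon name whose case differs from the OIM User Login produces No Match Found, and the account is neither linked nor provisioned until the data is corrected or a custom action rule is defined.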

1.7.3.2 Viewing Reconciliation Action Rules in the Design Console

After you deploy the connector, you can view the reconciliation action rules by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Resource Management, and double-click Resource Objects.
  3. If you want to view the reconciliation action rules, then search for and open the SAPUME Resource Object resource object.

    Note:

    If you are using an SAP BusinessObjects AC system, search for and open the SAP AC UME Resource Object resource object instead.

  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for reconciliation.

    Figure 1-5 Reconciliation Action Rules


1.8 Connector Objects Used During Provisioning

Connector objects such as adapters are used for performing provisioning operations on the target system. These adapters perform provisioning functions on the fields defined in the lookup definition for provisioning.

Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.

See Also:

Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about provisioning

This section discusses the following topics:

  • User Provisioning Functions

  • User Attributes for Provisioning

1.8.1 User Provisioning Functions

These are the supported provisioning functions and the adapters that perform these functions for the connector.

Table 1-10 and Table 1-11 list the user provisioning functions supported by the SAP UME and SAP AC UME connectors, and the adapters that perform these functions. Each function listed corresponds to one or more process tasks.

Table 1-10 User Provisioning Functions Supported by the SAP UME Connector

Function                          Adapter
Create a user account             adpSAPUMECREATE
Modify a user account             adpSAPUMEUPDATE
Delete a user account             adpSAPUMEDELETE
Enable a user account             adpSAPUMEENABLE
Disable a user account            adpSAPUMEDISABLE
Add multivalued attribute         adpSAPUMEADDCHILD
Prepopulates the SAPUME Form      adpPREPOPULATESAPUMEFORM
Remove multivalued attribute      adpSAPUMEREMOVECHILD
SAPUME request ENTITLEMENT        adpSAPUMEREQUESTENTITLEMENT
Updates the SAPUME                adpSAPUMEUPDATE
Child SAPUME update               adpSAPUMEUPDATECHILD
Initiates the SODCheck            InitiateSODCheck

Table 1-11 User Provisioning Functions Supported by the SAP AC UME Connector

Function                          Adapter
Create a user account             adpSAPACUMCREATEUSER
Modify a user account             adpSAPACUMEUPDATE
Delete a user account             adpSAPACUMEDELETE
Enable a user account             adpSAPACUMEENABLE
Disable a user account            adpSAPACUMEDISABLE
Add multivalued attribute         adpSAPACUMEADDCHILD
Remove multivalued attribute      adpSAPACUMEREMOVECHILD
Prepopulates the SAPACUME         adpPREPOPULATESAPACUME

1.8.2 User Attributes for Provisioning

The connector provides a default set of attribute mappings for provisioning between Oracle Identity Manager and the target system. If required, you can add new user attributes for provisioning.

The Lookup.SAPUME.UM.ProvAttrMap lookup definition maps process form fields with target system attributes. This lookup definition is used for performing provisioning operations.

Table 1-12 lists the default entries in this lookup definition.

Table 1-12 Entries in the Lookup.SAPUME.UM.ProvAttrMap Lookup Definition

Process Form Field                          Target System Attribute

Single-Valued Fields
City                                        city
Country                                     country
Department                                  department
E-Mail Address                              email
End Date of Account Validity[Date]          validto
Fax                                         fax
First Name                                  firstname
Language                                    locale
Last Name                                   lastname
Logon Name                                  __NAME__
Mobile                                      mobile
Name                                        displayname
Password                                    __PASSWORD__
Position                                    jobtitle
Security Policy                             securitypolicy
Start Date of Account Validity[Date]        validfrom
State                                       state
Street                                      streetaddress
Telephone                                   telephone
Time Zone                                   timezone
Title                                       title
Unique ID                                   __UID__
User Account Locked                         islocked
Zip                                         zip

Multivalued Fields
UD_UME_GRP~Group[Lookup]                    assignedgroups
UD_UME_ROLE~Role[Lookup]                    assignedroles
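The provisioning lookup in Table 1-12 decides what a Create User operation sends to the target, and three of its entries are ICF special attributes rather than plain UME fields: __NAME__ carries the logon name, __PASSWORD__ is a secret, and __UID__ is assigned by the target system rather than supplied by the form. The following is an added example, not the connector's own code, that builds the Create attribute set from a constructed process form using a subset of the Table 1-12 entries; the form values, group and role names are invented for the example.

```python
"""Added example (not the connector's own code): builds the attribute set sent to
the target system for a Create User operation from an OIM process form, using a
subset of the Lookup.SAPUME.UM.ProvAttrMap entries in Table 1-12.  Form values,
group names and role names are constructed for the example."""

# Subset of Table 1-12: process form field -> target system attribute.
PROV_ATTR_MAP = {
    "Logon Name": "__NAME__",
    "Password": "__PASSWORD__",
    "Unique ID": "__UID__",
    "First Name": "firstname",
    "Last Name": "lastname",
    "E-Mail Address": "email",
    "End Date of Account Validity[Date]": "validto",
    "User Account Locked": "islocked",
    "UD_UME_GRP~Group[Lookup]": "assignedgroups",
    "UD_UME_ROLE~Role[Lookup]": "assignedroles",
}

TARGET_ASSIGNED = {"__UID__"}      # generated by the target, never sent on Create
SECRET_ATTRS = {"__PASSWORD__"}    # must not appear in provisioning logs


def build_create_attributes(form_fields, child_tables):
    """Translate process form data into the target attribute set for Create.

    Form fields without a lookup entry are not sent (the lookup is what defines
    the provisioned fields), empty values are skipped rather than sent as blanks,
    __UID__ is left to the target (it comes back on the Create response and is
    reconciled into Unique ID), and each child table becomes one multivalued
    attribute with duplicate rows removed.
    """
    attrs = {}
    for field_name, value in form_fields.items():
        target = PROV_ATTR_MAP.get(field_name)
        if target is None or target in TARGET_ASSIGNED or value in (None, ""):
            continue
        attrs[target] = value
    for child_field, rows in child_tables.items():
        target = PROV_ATTR_MAP.get(child_field)
        if target is None:
            continue
        attrs[target] = sorted(set(rows))
    if "__NAME__" not in attrs:
        raise ValueError("Logon Name is mandatory for a Create operation")
    return attrs


def for_log(attrs):
    """Copy of the attribute set that is safe to write to a provisioning log."""
    return {k: ("<redacted>" if k in SECRET_ATTRS else v) for k, v in attrs.items()}


# Constructed process form contents for a new account.
SAMPLE_FORM = {
    "Logon Name": "JDOE",
    "Password": "example-only-secret",
    "Unique ID": "",            # blank on Create; filled by reconciliation later
    "First Name": "John",
    "Last Name": "Doe",
    "E-Mail Address": "jdoe@example.com",
    "User Account Locked": False,
    "Cost Center": "4711",      # no lookup entry, so never sent
}
SAMPLE_CHILD_TABLES = {
    "UD_UME_GRP~Group[Lookup]": ["Everyone", "Everyone", "Portal Users"],
    "UD_UME_ROLE~Role[Lookup]": ["Content Author"],
}

if __name__ == "__main__":
    attrs = build_create_attributes(SAMPLE_FORM, SAMPLE_CHILD_TABLES)
    print(for_log(attrs))
```

Keeping the secret attribute out of the logged copy is the detail to carry into any custom adapter or pre-populate logic: the process form holds the password in clear form, and a debug line that dumps the whole attribute set leaks it.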

1.9 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: