Configuring the SAP User Management Connector

3 Configuring the SAP User Management Connector

While creating a target application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.

3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to the target applications.

The following tables list basic configuration parameters of the SAP UM and SAP AC UM connectors.

Table 3-1 Parameters in the Basic Configuration Section for the SAP UM Connector and the SAP UM Connector with SoD

Parameters	Mandatory?	Description
Connector Server Name	No	If you created an IT resource of the type `Connector Server`, then enter its name.
TopologyName	No	Name of the topology of the target system host computer.
client	Yes	SAP client setting Default value: `000`
configureConnectionTuning	No	Allows the connection properties to be customized when the SAP Destination is configured. Default value: `false`
connectionMaxGetTime	No	Maximum time to wait for a connection (specified in milliseconds). Default value: `None`
connectionPoolActiveLimit	No	Maximum number of active connections that can be created for a destination simultaneously. Default value: `None`
connectionPoolCapacity	No	Maximum number of idle connections that can be kept open by the destination. Default value: `None`
connectionPoolExpirationPeriod	No	Enter an integer value which specifies the number of milliseconds after which the connections that have been released have expired. See Table 3-3 for more information. Default value: `None`
connnectionPoolExpirationTime	No	Enter an integer value which specifies the number of milliseconds after which the connections that have been freed can be closed. See Table 3-3 for more information. Default value: `None`
destination	Yes	Enter a unique value that the SAPJCo library uses to interact with the SAP system. Sample value: `dest or dest123` (any random value)
dummyPassword	No	Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form.
host	Yes	Enter the host name of the target system.
jcoGroup	No	Group of SAP application servers. It is one of the parameters used for enabling the use of a logon group.
jcoSAPRouter	No	SAP router string to be used for a system protected by a firewall Default value: `None`
jcoTrace	No	Absolute path to the directory where the trace files will be created Default value: `0`
jcoTraceDir	No	Level of SAP JCO tracing to enable. Enter `0` or any positive integer up to and including 10 Default value: `None`
language	Yes	Enter the two-letter code for the language set on the target system. Default value: `EN`
loadBalance	No	Enter `TRUE` to enable the use of Logon Group. Default value: `false`
masterSystem	Yes	Enter the RFC Destination value that is used for identification of the SAP system. This value must be same as that of the Logical System name. Sample value: `EH6CLNT001` Here the sample value is based on the following format used in SAP System: <SYSTEM_ID>CLNT<CLIENT_NUM> In this sample value, EH6 is the System ID of the target system and 001 is the client number.
maxBAPIRetries	No	Maximum number of retries for BAPI execution. Default value: `5`
msHost	No	Enter the host name of the message server. Default value: `None`
msServ	No	SAP message server port to be used instead of the default sapms Default value: `None`
password	Yes	When using normal authentication, password of the User account.
r3Name	No	Enter the host name of the SAP ERP or SAP CUA system
retryWaitTime	No	Enter a value in milliseconds within which the connection to the target system is retried after a connection failure. Default value: `500`
sncLib	No	Enter the full path and name of the crypto library on the target system host computer. This is required only if SNC is enabled. For Windows: `c://usr//sap/sapcrypto.dll` For Linux: `sncLib: //home/oracle/sec/sapcrypto.so`
sncName	No	Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Sample value: `p:CN=TST,OU=SAP, O=ORA,c=IN`
sncPartnerName	No	Enter the domain name of the target system host computer. Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Sample value: `p:CN=I47,OU=SAP, O=ORA, c=IN`
sncProtectionLevel	No	Enter the protection level (quality of protection, QOP) at which data is transferred. The value can be any one of the following numbers: `1`: Secure authentication only `2`: Data integrity protection `3`: Data privacy protection `8`: Use value from the parameter `9`: Use maximum value available Note: Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Default value: `3`
sncX509Cert	No	The X509 certificate that does not contain the BEGIN CERTIFICATE or END CERTIFICATE strings when using SNC
systemNumber	Yes	SAP system number Default value: `00`
useSNC	No	Enter `true`, if you want to configure secure communication between Oracle Identity Governance and the target system. Otherwise, enter `false`. Default value: `false`
user	Yes	Enter a user name that has permissions to create accounts in target.

Table 3-2 Parameters in the Basic Configuration Section for the SAP AC UM Connector

Parameters	Mandatory?	Description
Connector Server Name	No	If you created an IT resource of the type `Connector Server`, then enter its name.
TopologyName	No	Name of the topology of the target system host computer.
client	Yes	SAP client setting Default value: `000`
configureConnectionTuning	No	Allows the connection properties to be customized when the SAP Destination is configured. Default value: `false`
connectionMaxGetTime	No	Maximum time to wait for a connection (specified in milliseconds). Default value: `None`
connectionPoolActiveLimit	No	Maximum number of active connections that can be created for a destination simultaneously. Default value: `None`
connectionPoolCapacity	No	Maximum number of idle connections that can be kept open by the destination. Default value: `None`
connectionPoolExpirationPeriod	No	Enter an integer value which specifies the number of milliseconds after which the connections that have been released have expired. See Table 3-3 for more information. Default value: `None`
connnectionPoolExpirationTime	No	Enter an integer value which specifies the number of milliseconds after which the connections that have been freed can be closed. See Table 3-3 for more information. Default value: `None`
destination	Yes	Enter a unique value that the SAPJCo library uses to interact with the SAP system. Sample value: `dest or dest123` (any random value)
dummyPassword	No	Enter the dummy password that you want the connector to use during a Create User provisioning operation. The connector first sets the password as this value and then changes it to the password specified on the process form.
host	Yes	Enter the host name of the target system.
jcoGroup	No	Group of SAP application servers. It is one of the parameters used for enabling the use of a logon group.
jcoSAPRouter	No	SAP router string to be used for a system protected by a firewall Default value: `None`
jcoTrace	No	Absolute path to the directory where the trace files will be created Default value: `0`
jcoTraceDir	No	Level of SAP JCO tracing to enable. Enter `0` or any positive integer up to and including 10 Default value: `None`
language	Yes	Enter the two-letter code for the language set on the target system. Default value: `EN`
loadBalance	No	Enter `TRUE` to enable the use of Logon Group. Default value: `false`
masterSystem	Yes	Enter the RFC Destination value that is used for identification of the SAP system. This value must be same as that of the Logical System name. Sample value: `EH6CLNT001` Here the sample value is based on the following format used in SAP System: <SYSTEM_ID>CLNT<CLIENT_NUM> In this sample value, EH6 is the System ID of the target system and 001 is the client number.
maxBAPIRetries	No	Maximum number of retries for BAPI execution. Default value: `5`
msHost	No	Enter the host name of the message server. Default value: `None`
msServ	No	SAP message server port to be used instead of the default sapms Default value: `None`
password	Yes	When using normal authentication, password of the User account.
r3Name	No	Enter the host name of the SAP ERP or SAP CUA system
retryWaitTime	No	Enter a value in milliseconds within which the connection to the target system is retried after a connection failure. Default value: `500`
sncLib	No	Enter the full path and name of the crypto library on the target system host computer. This is required only if SNC is enabled. For Windows: `c://usr//sap/sapcrypto.dll` For Linux: `sncLib: //home/oracle/sec/sapcrypto.so`
sncName	No	Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Sample value: `p:CN=TST,OU=SAP, O=ORA,c=IN`
sncPartnerName	No	Enter the domain name of the target system host computer. Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Sample value: `p:CN=I47,OU=SAP, O=ORA, c=IN`
sncProtectionLevel	No	Enter the protection level (quality of protection, QOP) at which data is transferred. The value can be any one of the following numbers: `1`: Secure authentication only `2`: Data integrity protection `3`: Data privacy protection `8`: Use value from the parameter `9`: Use maximum value available Note: Enter a value for this parameter only if you enable SNC communication between the target system and Oracle Identity Governance. Default value: `3`
sncX509Cert	No	The X509 certificate that does not contain the BEGIN CERTIFICATE or END CERTIFICATE strings when using SNC
systemNumber	Yes	SAP system number Default value: `00`
useSNC	No	Enter `true`, if you want to configure secure communication between Oracle Identity Governance and the target system. Otherwise, enter `false`. Default value: `false`
user	Yes	Enter a user name that has permissions to create accounts in target.
grcLanguage	yes	Enter the two-letter code for the language set on the GRC system. Sample value: `EN` Note: This is applicable only to the SAP AC UM connector.
grcPassword	Yes	Enter the password of the GRC System. Note: This is applicable only to the SAP AC UM connector.
grcUsername	Yes	Enter the user name of the GRC System. Note: This is applicable only to the SAP AC UM connector.

3.2 Advanced Settings Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.

The following table lists the advanced settings parameters for the SAP UM connector.

Table 3-3 Advanced Settings Parameters for the SAP UM Connector and the SAP UM Connector with SoD

Parameter	Mandatory?	Description
aliasUser	No	Enter the logon on user alias depending on the target system. Default value: `none`
batchSize	No	Enter the number of records in each batch that must be fetched from the target system during a reconciliation run. Default value: `100`
Bundle Name	No	Name of the connector bundle package. Default value: `org.identityconnectors.sap`
Bundle Version	No	Version of the connector bundle class. Default value: `12.3.0`
changePasswordAtNextLogon	No	For accounts created through Oracle Identity Governance, password management can be configured by using the changePasswordAtNextLogon entry. Enter `yes` if you want to configure the password.
codePage	No	This entry holds the initial code page in SAP notation. Default value: `none`
compositeRoles	No	Enter `yes` if you want to fetch composite roles from target. Otherwise enter `no`. Note: Both singleRoles and compositeRoles decode values cannot be "no", at least one of the values should be "yes."
Connector Name	No	Name of the connector class. Default value: `org.identityconnectors.sap.SAPConnector`
cuaChildInitialPasswordChangeFuncModule	No	Name of the Remote Enabled function module that changes the initial password for a user on all CUA child systems. This parameter is not used unless CUA is enabled. If the value is not set, then the password changes will only apply to the CUA system. Setting productive passwords on CUA child systems will also automatically fail without this setting. Do not this entry. Default value: `ZXLCBAPI_ZXLCUSR_PW_CHANGE`
cuaChildPasswordChangeFuncModue	No	Name of the Remote Enabled function module which changes the productive password for a user on a CUA child system. This attribute is not used unless CUA is enabled. Note: If the default value is used, then only the password stored on the CUA central system will be changed. Default value: `ZXLCBAPI_ZXLCUSR_PASSWORDCHNGE`
disableLockStatus	No	Enter a lock status of a user in SAP system. Default value: `64`
enableCUA	No	Enter `yes` if the target system is SAP CUA. Otherwise, enter `no`.
gatewayHost	No	This entry holds the name or IP address of the gateway host. Default value: `None`
gatewayService	No	This entry holds the name of the gateway service. Default value: `None`
getSSO2	No	Get or do not get a SSO ticket after logon. The value of this entry can be `1` or `0`.
groups	No	This field is an embedded object that is defined in the attribute mapping. In the default entry, GROUPS is a table name and USERGROUP is a field name on the target system. Default value: `GROUPS~USERGROUP`
ICheck	No	Enable or disable logon check at open time. The value of this entry can be set to `1` to enable logon check or `0` to disable logon check.
mySAPSSO2	No	Specifies the SAP Cookie Version 2 that must be used as a logon ticket.
parameters	No	This field is an embedded object that is defined in the attribute mapping. In the default entry, PARAMETER1 is a table name, and PARID and PARVA are the field names on the target system. Default value: `PARAMETER1~PARID;PARVA`
overwriteLink	No	Enter `Yes` as the value if you want existing links in SAP to be overwritten by the ones set up through provisioning operations.
passwordPropagateToChildSystem	No	Enter `yes` if you want the connector to propagate user password changes from the SAP CUA parent system to its child systems. Otherwise, enter `no`
profiles	No	This field is an embedded object defined in the attribute mapping. In the decode entry, PROFILES is a table name, and SUBSYSTEM and PROFILE are the field names on the target system. Default value: `PROFILES~SUBSYSTEM;PROFILE`
ProfileAttributeLabel	No	This field holds the label name of the profile name field in the child form. Sample value: `Profile Name`
Profile attribute name	No	This field holds a list of field names for the Profile duty type. The values of this list are separated by a semicolon (;). Sample value: `PROFILE_NAME`
Profile form names	No	This field holds a list of all profile child form names used during direct and request-based provisioning. Sample value: `PROFILE`
reconcilefuturedatedroles	No	Enter `yes` if you want to reconcile future-dated roles. Otherwise, enter `no`.
reconcilepastdatedroles	No	Enter `yes` if you want to reconcile past-dated roles. Otherwise, enter `no`.
repositoryDestination	No	Specifies the destination to be used as repository. Default value: `None`
repositoryPassword	No	Specifies the password for a repository user. This entry is mandatory if a repository user is used Default value: `None`
repositorySNCMode	No	This entry is optional. If SNC is used for this destination, you can turn off SNC for repository connections by setting the value of this parameter to `0`
repositoryUser	No	This entry is optional. If the repository destination is not set, and this entry is set, this entry will be used as user for repository calls. With this entry, you can use a different user for repository lookups. Default value: `None`
RoleAttributeLabel	No	This entry holds the label name of the role name field in the child form. Sample value: `Role Name`
Role attribute name	No	This field holds a list of field names for the Role duty type. The values of this list are separated by a semicolon (;). Sample value: `ROLE_NAME`
Role form names	No	This field holds a list of all role child form names used during direct and request-based provisioning. Sample value: `USERROLE`
sapSystemTimeZone	No	This entry holds the SAP target system time zone. Default value: `PST`
singleRoles	No	Enter `yes` if you want to fetch single roles from target. Otherwise enter `no`.
tpHost	No	This entry holds the host name of the external server program. Default value: `None`
tpName	No	This entry holds the program ID of the tp server program Default value: `None`
type	No	This entry holds the type of the remote host. This entry can hold the following values: For SAP R/2: `2` For SAP R/3: `3` For external remote host: `E`
validatePERNR	No	Enter `yes` as the value if your operating environment contains multiple SAP HRMS installations. If there is only one SAP HRMS installation, then enter `no`.
wsdlFilePath	No	Enter the absolute path of the directory containing the following file: GRAC_RISK_ANALYSIS_WOUT_NO_WS.WSDL Note: Download the WSDL file from the GRC system and save it any of the Oracle Identity Governance system directories. In an Oracle Identity Governance cluster, copy the WSDL file to each node of the cluster and make sure that the folder structure is the same for each node.
roles	No	This field is an embedded object defined in the attribute mapping. In the decode entry, ACTIVITYGROUPS is a table name on the target system. SUBSYSTEM, TO_DAT, FROM_DAT, AGR_NAME and ORG_FLAG are the field names on the target system. Default value: `ACTIVITYGROUPS~SUBSYSTEM;AGR_NAME;TO_DAT;FROM_DAT;ORG_FLAG`
Pool Max Idle	No	Maximum number of idle objects in a pool. Default value: `10`
Pool Max Size	No	Maximum number of connections that the pool can create. Default value: `10`
Pool Max Wait	No	Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: `150000`
Pool Min Evict Idle Time	No	Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: `150000`
Pool Min Idle	No	Minimum number of idle objects in a pool. Default value: `1`
entitlementRiskAnalysisAccessURl	No	This entry holds the URL for Entitlement Risk Analysis web service. Note: This parameter is applicable only for SAP UM with SoD.
entitlementRiskAnalysisWS	No	Web service client class to do the risk analysis in SAP BusinessobjectAC. Default value: `oracle.iam.grc.sod.scomp.impl.grcsap.util.webservice.sap.ac10.RiskAnalysisWithoutNo` Note: This parameter is applicable only for SAP UM with SoD.
ReportFormat	No	Note: For webService grac_risk_analysis_wout_no_ws, ReportFormat is a mandatory field from SP17 onwards. Default value: `1` Note: This parameter is applicable only for SAP UM with SoD.

The following table lists the advanced settings parameters for the SAP AC UM connector.

Table 3-4 Advanced Settings Parameters for the SAP AC UM Connector

Parameter	Mandatory?	Description
aliasUSer	No	Enter the logon on user alias depending on the target system. Default value: `None`
appLookupAccessURL	No	URL for Application Lookup web service. Default value: `None`
appLookupWS	No	Web service client class to get all applications configured in SAP GRC. Default value: `oracle.iam.ws.sap.ac10.SelectApplication`
assignRoleReqType	No	This entry holds the name of the request type that is used for assign role request in SAP GRC. The format of the decode value is as follows: `RequestType~RequestTypeName~ItemProvActionForSystem~ItemProvActionForRole` The value of RequestType is available in Lookup.SAPAC10ABAP.RequestType. The values of ItemProvActionForSystem and ItemProvActionForRole are available in Lookup.SAPAC10ABAP.ItemProvAction. Default value: `002~Change Account~002~006`
auditLogsAccessURL	No	URL for Audit Logs web service. Default value: `None`
auditLogsWS	No	Web service client class to get audit logs. Default value: `oracle.iam.ws.sap.ac10.AuditLogs`
batchSize	No	Enter the number of records in each batch that must be fetched from the target system during a reconciliation run. Default value: `100`
Bundle Name	No	Name of the connector bundle package. Default value: `org.identityconnectors.sapacum`
Bundle Version	No	Version of the connector bundle class. Default value: `12.3.0`
changePasswordAtNextLogon	No	For accounts created through Oracle Identity Governance, password management can be configured by using the changePasswordAtNextLogon entry. Enter `yes` if you want to configure the password.
codePage	No	This entry holds the initial code page in SAP notation. Default value: `none`
compositeRoles	No	Enter `yes` if you want to fetch composite roles from target. Otherwise enter `no`. Note: Both singleRoles and compositeRoles decode values cannot be "no", at least one of the values should be "yes."
Connector Name	No	Name of the connector class. Default value: `org.identityconnectors.sap.SAPConnector`
createUserReqType	No	Name of the request type that the connector must use for the create user request in SAP GRC. The format of the decode value is as follows: `RequestType~RequestTypeName~ItemProvActionForSystem` The value of RequestType is available in Lookup.SAPAC10ABAP.RequestType. The value of ItemProvActionForSystem is available in Lookup.SAPAC10ABAP.ItemProvAction. Default value: `001~New Account~001`
UserReqType	No	Name of the request type to use for modifying user request in SAP GRC. Default value: `002~Change Account~002`
cuaChildInitialPasswordChangeFuncModule	No	Name of the Remote Enabled function module that changes the initial password for a user on all CUA child systems. This parameter is not used unless CUA is enabled. If the value is not set, then the password changes will only apply to the CUA system. Setting productive passwords on CUA child systems will also automatically fail without this setting. Do not this entry. Default value: `ZXLCBAPI_ZXLCUSR_PW_CHANGE`
cuaChildPasswordChangeFuncModue	No	Name of the Remote Enabled function module which changes the productive password for a user on a CUA child system. This attribute is not used unless CUA is enabled. Note: If the default value is used, then only the password stored on the CUA central system will be changed. Default value: `ZXLCBAPI_ZXLCUSR_PASSWORDCHNGE`
deleteUserReqType	No	Name of the request type that the connector must use for the delete user request in SAPGRC. Default value: `003~Delete user~003`
disableLockStatus	No	Enter a lock status of a user in SAP system. Default value: `64`
enableCUA	No	Enter `yes` if the target system is SAP CUA. Otherwise, enter `no`.
gatewayHost	No	This entry holds the name or IP address of the gateway host. Default value: `None`
gatewayService	No	This entry holds the name of the gateway service. Default value: `None`
getSSO2	No	Get or do not get a SSO ticket after logon. The value of this entry can be `1` or `0`.
ignoreOpenStatus	No	Specify whether new requests can be sent for a particular user, even if the last request for the user is in the Open status. Default value: `Yes`
ICheck	No	Enable or disable logon check at open time. The value of this entry can be set to `1` to enable logon check or `0` to disable logon check.
lockUserReqType	No	Name of the request type to use for lock user request in SAP GRC. Default value: `004~Lock user~004`
logAuditTrial	No	Specify whether complete audit trial needs to be logged whenever status request web service is invoked. Default value: `Yes`
mySAPSSO2	No	Specifies the SAP Cookie Version 2 that must be used as a logon ticket. Default value: `none`
otherLookupAccessURL	No	URL for Other Lookup web service areas such as Business Process, Functional Area, and so on. Default value: `none`
otherLookupWS	No	Web service client class to get other lookup fields such as Business Process, Functional Area, and so on. Default value: `oracle.iam.ws.sap.ac10.SearchLookup`
overwriteLink	No	Enter `Yes` as the value if you want existing links in SAP to be overwritten by the ones set up through provisioning operations.
provActionAttrName	No	Name of the attribute in the target system that contains the details required for performing provisioning operations to a specific backend system. Default value: `provAction;ReqLineItem` Note: Do not this value.
provItemActionAttrName	No	Name of the attribute in the target system that contains the details required for performing provisioning roles. Default value: `provItemAction;ReqLineItem` Note: Do not this value.
reconcilefuturedatedroles	No	Enter `yes` if you want to reconcile future-dated roles. Otherwise, enter `no`.
reconcilepastdatedroles	No	Enter `yes` if you want to reconcile past-dated roles. Otherwise, enter `no`.
removeRoleReqType	No	Name of the request type to use for remove user request in SAP GRC. Default value: `002~Change Account~002~009`
repositoryDestination	No	Specifies the destination to be used as repository. Default value: `None`
repositoryPassword	No	Specifies the password for a repository user. This entry is mandatory if a repository user is used Default value: `None`
repositorySNCMode	No	This entry is optional. If SNC is used for this destination, you can turn off SNC for repository connections by setting the value of this parameter to `0`
repositoryUser	No	This entry is optional. If the repository destination is not set, and this entry is set, this entry will be used as user for repository calls. With this entry, you can use a different user for repository lookups. Default value: `None`
requestStatusAccessURL	No	URL for Status Request web service. Default value: `None`
requeststatusvalue	No	The value that gets updated in the AC Request Status field on the process form. Default value: `OK`
requestStatusWS	No	Web service client class to get status of provisioning request. Default value: `oracle.iam.ws.sap.ac10.RequestStatus`
requestTypeAttrName	No	Name of the request type attribute used to differentiate request flows from the SAPUMCREATE adapter. Default value: `Reqtype;Header`
riskLevel	No	In SAP GRC, each business risk is assigned a criticality level. You can control the risk analysis data returned by SAP GRC by specifying a risk level. Default value: `3`
roleLookupAccessURL	No	URL for Role Lookup web service. Default value: `None`
roleLookupWS	No	Web service client class to get all roles. Default value: `oracle.iam.ws.sap.ac10.SearchRoles`
sapSystemTimeZone	No	This entry holds the SAP target system time zone. Default value: `PST`
singleRoles	No	Enter `yes` if you want to fetch single roles from target. Otherwise enter `no`.
tpHost	No	This entry holds the host name of the external server program. Default value: `None`
tpName	No	This entry holds the program ID of the tp server program Default value: `None`
type	No	This entry holds the type of the remote host. This entry can hold the following values: For SAP R/2: `2` For SAP R/3: `3` For external remote host: `E`
unlockUserReqType	No	Name of the request type to use for unlock user request in SAP GRC. Default value: `005~unlock user~005`
userAccessAccessURL	No	URL for User Access web service. Default value: `None`
userAccessWS	No	Web service client class to get status of user access. Default value: `oracle.iam.ws.sap.ac10.UserAccess`
wsdlFilePath	No	Enter the absolute path of the directory containing the following files: GRAC_USER_ACCESS_WS.WSDL GRAC_SEARCH_ROLES_WS.WSDL GRAC_SELECT_APPL_WS.WSDL GRAC_REQUEST_STATUS_WS.WSDL GRAC_LOOKUP_WS.WSDL GRAC_AUDIT_LOGS_WS.WSDL Note: Download the WSDL files from the GRC system and save it any of the Oracle Identity Governance system directories. In an Oracle Identity Governance cluster, copy the WSDL files to each node of the cluster and make sure that the folder structure is the same for each node.
parameters	No	This field is an embedded object that is defined in the attribute mapping. In the default entry, PARAMETER1 is a table name, and PARID and PARVA are the field names on the target system. Default value: `PARAMETER1~PARID;PARVA`
profiles	No	This field is an embedded object defined in the attribute mapping. In the decode entry, PROFILES is a table name, and SUBSYSTEM and PROFILE are the field names on the target system. Default value: `PROFILES~SUBSYSTEM;PROFILE`
roles	No	This field is an embedded object defined in the attribute mapping. In the decode entry, ACTIVITYGROUPS is a table name on the target system. SUBSYSTEM, TO_DAT, FROM_DAT, AGR_NAME and ORG_FLAG are the field names on the target system. Default value: `ACTIVITYGROUPS~SUBSYSTEM;AGR_NAME;TO_DAT;FROM_DAT;ORG_FLAG`
groups	No	This field is an embedded object that is defined in the attribute mapping. In the default entry, GROUPS is a table name and USERGROUP is a field name on the target system. Default value: `GROUPS~USERGROUP`

3.3 Attribute Mappings

The attribute mappings on the Schema page vary depending on whether you are using the SAP UM or SAP AC UM connector.

3.3.1 Attribute Mappings for the SAP UM Connector

The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The SAP UM connector uses these mappings during reconciliation and provisioning operations.

SAP UM User Account Attributes

Table 3-5 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and the SAP UM attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit these attributes mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The mapping for the SoD fields in the target attribute is empty because they do not exist in the target system but in the GRC system. When SOD is enabled in OIG, adding any violation or nonviolation entitlement triggers a response from the GRC system and the following SoD fields are updated with their respective values:

SoDCheckStatus
SodCheckResult
SoDCheckEntitlement
SodCheckTimestamp

Table 3-5 Default Attribute Mappings for SAP UM User Account

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Provision Field?	Recon Field?	Key Field?	Case Insensitive?
User ID	_NAME_	String	Yes	Yes	Yes	Yes	Yes
Password	_PASSWORD_	String	No	Yes	No	No	No
First Name	FIRSTNAME;ADDRESS;FIRSTNAME;ADDRESSX	String	No	Yes	Yes	No	No
Last Name	LASTNAME;ADDRESS;LASTNAME;ADDRESSX	String	yes	Yes	Yes	No	No
Title	TITLE_P;ADDRESS;TITLE_P;ADDRESSX	String	No	Yes	Yes	No	No
Alias	USERALIAS;ALIAS;BAPIALIAS;ALIASX	String	No	Yes	Yes	No	No
E Mail	E_MAIL;ADDRESS;E_MAIL;ADDRESSX	String	No	Yes	Yes	No	No
Telephone Number	TEL1_NUMBR;ADDRESS;TEL1_NUMBR;ADDRESSX	String	No	Yes	Yes	No	No
Telephone Extension	TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX	String	No	Yes	Yes	No	No
Valid From	GLTGV;LOGONDATA;GLTGV;LOGONDATAX	Date	No	Yes	Yes	No	No
Valid Through	GLTGB;LOGONDATA;GLTGB;LOGONDATAX	String	No	Yes	Yes	No	No
Fax Number	FAX_NUMBER;ADDRESS;FAX_NUMBER;ADDRESSX	Date	No	Yes	Yes	No	No
Fax Extension	FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX	String	No	Yes	Yes	No	No
Building	BUILDING_P;ADDRESS;BUILDING_P;ADDRESSX	String	No	Yes	Yes	No	No
Room Number	ROOM_NO_P;ADDRESS;ROOM_NO_P;ADDRESSX	String	No	Yes	Yes	No	No
Floor	FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX	String	No	Yes	Yes	No	No
Function	FUNCTION;ADDRESS;FUNCTION;ADDRESSX	String	No	Yes	Yes	No	No
Group Name	CLASS;LOGONDATA;CLASS;LOGONDATAX	String	No	Yes	Yes	No	No
Department	DEPARTMENT;ADDRESS;DEPARTMENT;ADDRESSX	String	No	Yes	Yes	No	No
Accounting Number	ACCNT;LOGONDATA;ACCNT;LOGONDATAX	String	No	Yes	Yes	No	No
Cost Center	KOSTL;DEFAULTS;KOSTL;DEFAULTSX	String	No	No	Yes	No	No
User Lock	__LOCK_OUT__	String	No	Yes	Yes	No	No
Logon language	LANGU;DEFAULTS;LANGU;DEFAULTSX	String	No	Yes	Yes	No	No
User Type	USTYP;LOGONDATA;USTYP;LOGONDATAX	String	No	Yes	Yes	No	No
Date Format	DATFM;DEFAULTS;DATFM;DEFAULTSX	String	No	Yes	Yes	No	No
Decimal Notation	DCPFM;DEFAULTS;DCPFM;DEFAULTSX	String	No	Yes	Yes	No	No
Time Zone	TZONE;LOGONDATA;TZONE;LOGONDATAX	String	No	Yes	Yes	No	No
Start Menu	START_MENU;DEFAULTS;START_MENU;DEFAULTSX	String	No	Yes	Yes	No	No
Company	COMPANY;COMPANY;COMPANY;COMPANYX	String	No	Yes	Yes	No	No
Contractual User	LIC_TYPE;UCLASS;UCLASS;UCLASSX	String	No	Yes	Yes	No	No
Communication Type	COMM_TYPE;ADDRESS;COMM_TYPE;ADDRESSX	String	No	Yes	Yes	No	No
Language Comm	LANGU_P;ADDRESS;LANGU_P;ADDRESSX	String	No	Yes	Yes	No	No
unique ID	_UID_	String	No	Yes	Yes	No	No
Personnel Number	PERNR	String	No	Yes	No	No	No
SoDCheckStatus	NA	String	No	No	No	No	No
SodCheckResult	NA	String	No	No	No	No	No
SoDCheckEntitlement	NA	String	No	No	No	No	No
SodCheckTimestamp	NA	String	No	No	No	No	No
Status	_ENABLE_	String	No	No	Yes	No	No

Figure 3-1 shows the default User account attribute mappings.

Figure 3-1 Default Attribute Mappings for SAP UM User Account

Description of "Figure 3-1 Default Attribute Mappings for SAP UM User Account"

Group Attributes

Table 3-6 lists the group-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UM attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Table 3-6 Default Attribute Mappings for Groups

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field?	Key Field?	Case Insensitive?
User Group	groups~GROUPS~USERGROUP	String	No	Yes	Yes	No

Figure 3-2 shows default attribute mappings for groups.

Figure 3-2 Default Attribute Mappings for Groups

Description of "Figure 3-2 Default Attribute Mappings for Groups"

Parameter Attributes

Table 3-7 lists the parameter-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UM attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit these attributes mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-7 Default Attribute Mappings for Parameters

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field?	Key Field?	Case Insensitive?
Parameter Id	parameters~PARAMETER1~PARID	String	Yes	Yes	Yes	No
Parameter Value	parameters~PARAMETER1~PARVA	String	No	Yes	No	No

Figure 3-3 shows default attribute mappings for parameters.

Figure 3-3 Default Attribute Mappings for Parameters

Description of "Figure 3-3 Default Attribute Mappings for Parameters"

Role Entitlement Attributes

Table 3-8 lists the role-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UM attributes. The table lists whether a given role is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Table 3-8 Default Attribute Mappings for Role Entitlement

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field?	Key Field?	Case Insensitive?
Role System Name	roles~ACTIVITYGROUPS~SUBSYSTEM	String	No	Yes	No	No
Role Name	roles~ACTIVITYGROUPS~AGR_NAME	String	Yes	Yes	Yes	No
Start Date	roles~ACTIVITYGROUPS~FROM_DAT	String	No	Yes	No	No
End Date	roles~ACTIVITYGROUPS~TO_DAT	String	No	Yes	No	No

Figure 3-4 shows the role entitlement mappings.

Figure 3-4 Default Attribute Mappings for Role Entitlement

Description of "Figure 3-4 Default Attribute Mappings for Role Entitlement "

Profile Entitlement Attributes

Table 3-9 lists the profile-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP UM attributes. The table lists whether a given profile is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Table 3-9 Default Attribute Mappings for Profile Entitlement

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field?	Key Field?	Case Insensitive?
Profile System Name	profiles~PROFILES~SUBSYSTEM	String	No	Yes	No	No
Profile Name	profiles~PROFILES~PROFILE	String	Yes	Yes	Yes	No

Figure 3-5 shows the profile entitlement mappings.

Figure 3-5 Default Attribute Mappings for Profile Entitlement

Description of "Figure 3-5 Default Attribute Mappings for Profile Entitlement "

3.3.2 Attribute Mappings for the SAP AC UM Connector

The Schema page for an SAP AC UM target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

SAP AC UM User Account Attributes

Table 3-5 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

Table 3-10 Default Attribute Mappings for the SAP AC UM User Account

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Provision Field?	Recon Field?	Key Field?	Case Insensitive?
User ID	_NAME_	String	Yes	Yes	Yes	Yes	Yes
Password	_PASSWORD_	String	No	Yes	No	No	No
First Name	fname;UserInfo	String	No	Yes	Yes	No	No
Last Name	lname;UserInfo	String	No	Yes	Yes	No	No
Title	title;UserInfo	String	No	Yes	Yes	No	No
Alias	alias;UserInfo	String	No	Yes	Yes	No	No
E Mail	email;UserInfo	String	No	Yes	Yes	No	No
Telephone Number	telnumber;UserInfo	String	No	Yes	Yes	No	No
Telephone Extension	TEL1_EXT;ADDRESS;TEL1_EXT;ADDRESSX	String	No	Yes	Yes	No	No
Valid From	validFrom;UserInfo	Date	No	Yes	Yes	No	No
Valid Through	validTo;UserInfo	String	No	Yes	Yes	No	No
Fax Number	fax;UserInfo	Date	No	Yes	Yes	No	No
Fax Extension	FAX_EXTENS;ADDRESS;FAX_EXTENS;ADDRESSX	String	No	Yes	Yes	No	No
Building	BUILDING_P;ADDRESS	String	No	Yes	Yes	No	No
Room Number	ROOM_NO_P;ADDRESS	String	No	Yes	Yes	No	No
Floor	FLOOR_P;ADDRESS;FLOOR_P;ADDRESSX	String	No	Yes	Yes	No	No
Function	FUNCTION;ADDRESS	String	No	Yes	Yes	No	No
Group Name	CLASS;LOGONDATA	String	No	Yes	Yes	No	No
Department	DEPARTMENT;ADDRESS	String	No	Yes	Yes	No	No
Accounting Number	accno;UserInfo	String	No	Yes	Yes	No	No
Cost Center	costcenter;UserInfo	String	No	Yes	Yes	No	No
User Lock	userLock;None	String	No	Yes	Yes	No	No
Logon Language	logonlang;UserInfo	String	No	Yes	Yes	No	No
user Type	userType;UserInfo	String	No	Yes	Yes	No	No
Date Format	dateFormat;UserInfo	String	No	Yes	Yes	No	No
Decimal Notation	decNotation;UserInfo	String	No	Yes	Yes	No	No
Time Zone	TZONE;LOGONDATA	String	No	Yes	Yes	No	No
Start menu	startmenu;UserInfo	String	No	Yes	Yes	No	No
Company	COMPANY;COMPANY	String	No	Yes	Yes	No	No
Contractual User Type (Lookup)	LIC_TYPE;UCLASS\|UCLASSSYS	String	No	Yes	Yes	No	No
Communication Type (Lookup)	COMM_TYPE;ADDRESS	String	No	Yes	Yes	No	No
Language Communication (Lookup)	LANGU_P;ADDRESS	String	No	Yes	Yes	No	No
Unique ID	_UID_	String	No	Yes	Yes	No	No
Personnel Number	PERNR	String	No	Yes	No	No	No
AC Request Id	RequestId	String	No	Yes	No	No	No
AC Request Status	RequestStatus	String	No	Yes	No	No	No
AC Request Type	RequestType	String	No	Yes	No	No	No
AC Manager	manager;UserInfo	String	No	Yes	No	No	No
AC Manager email	managerEmail;UserInfo	String	No	Yes	No	No	No
AC Manager First Name	managerFirstname;UserInfo	String	No	Yes	No	No	No
AC Manager Last Name	managerLastname;UserInfo	String	No	Yes	No	No	No
AC Priority	priority;Header	String	No	Yes	No	No	No
AC Request Reason	requestReason;Header	String	No	Yes	No	No	No
AC Request Due Date(Date)	reqDueDate;Header	String	No	Yes	No	No	No
AC Functional Area (Lookup)	funcarea;Header	String	No	Yes	No	No	No
AC Business Process (Lookup)	bproc;Header	String	No	Yes	No	No	No
AC Requestor ID	requestorId;Header	String	No	Yes	No	No	No
AC Requestor email	email;Header	String	No	Yes	No	No	No

Figure 3-6 shows the default User account attribute mappings.

Figure 3-6 Default Attribute Mappings for SAP AC UM User Account

Description of "Figure 3-6 Default Attribute Mappings for SAP AC UM User Account"

Group Attributes

Table 3-6 lists the group-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Table 3-11 Default Attribute Mapping for Groups

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field	Key Field?	Case Insensitive?
User Group	groups~GROUPS~USERGROUP	String	Yes	Yes	Yes	No

Figure 3-7 shows the group entitlement mappings.

Figure 3-7 Default Attribute Mapping for Groups

Description of "Figure 3-7 Default Attribute Mapping for Groups"

Parameter Entitlements

Table 3-7 lists the parameter-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Table 3-12 Default Attribute Mappings for Parameters

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field?	Key Field?	Case Insensitive?
Parameter Id	parameters~PARAMETER1~PARID	String	No	Yes	Yes	No
Parameter Value	parameters~PARAMETER1~PARVA	String	No	Yes	No	No

Figure 3-8 shows the role entitlement mappings.

Figure 3-8 Default Attribute Mappings for Parameters

Description of "Figure 3-8 Default Attribute Mappings for Parameters"

Profile Attributes

Table 3-9 lists the profile-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table lists whether a given profile is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Table 3-13 Default Attribute Mappings for Profiles

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field?	Key Field?	Case Insensitive?
Profile System Name	profiles~PROFILES~SUBSYSTEM	String	No	Yes	No	No
Profile Name	profiles~PROFILES~PROFILE	String	Yes	Yes	Yes	No

Figure 3-9 shows the profile entitlement mappings.

Figure 3-9 Default Attribute Mappings for Profiles

Description of "Figure 3-9 Default Attribute Mappings for Profiles"

Role Attributes

Table 3-8 lists the role-specific attribute mappings between the process form fields in Oracle Identity Governance and SAP AC UM attributes. The table lists whether a given role is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Table 3-14 Default Attribute Mappings for Roles

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field?	Key Field?	Case Insensitive?
Role System Name	roles~ACTIVITYGROUPS~SUBSYSTEM	String	No	Yes	No	No
Role Name	roles~ACTIVITYGROUPS~AGR_NAME	String	Yes	Yes	Yes	No
Start Date	roles~ACTIVITYGROUPS~FROM_DAT	Date	No	Yes	No	No
End Date	roles~ACTIVITYGROUPS~TO_DAT	Date	No	Yes	No	No

Figure 3-10 shows the role entitlement mappings.

Figure 3-10 Default Attribute Mappings for Roles

Description of "Figure 3-10 Default Attribute Mappings for Roles "

3.4 Rules, Situations, and Responses for the Connector

Learn about the predefined rules, responses and situations for target and authoritative applications. The connector use these rules and responses for performing reconciliation.

Predefined Identity Correlation Rules

By default, the SAP UM and SAP AC UM connectors provide a simple correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-15 lists the default simple correlation rule for the SAP UM and SAP AC UM connectors. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-15 Predefined Identity Correlation Rule for the SAP UM and SAP AC UM Connectors

Target Attribute	Element Operator	Identity Attribute	Case Sensitive?
__NAME__	Equals	User Login	No

In this identity rule:

__NAME__ is a single-valued attribute on the target system that identifies the user account.
User Login is the field on the OIG User form.

Figure 3-11 shows the simple correlation rule for the SAP UM and SAP AC UM Connectors.

Figure 3-11 Simple Correlation Rule for the SAP UM and SAP AC UM Connectors

Description of "Figure 3-11 Simple Correlation Rule for the SAP UM and SAP AC UM Connectors"

Predefined Situations and Responses

The SAP UM and SAP AC UM connectors provide a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-16 lists the default situations and responses for the SAP UM and SAP AC UM connectors. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance

Table 3-16 Predefined Situations and Responses for the SAP UM and SAP AC UM Connectors

Situation	Response
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

Figure 3-12 shows the situations and responses that the connector provides by default.

Figure 3-12 Predefined Situations and Responses for the SAP UM and SAP AC UM Connectors

Description of "Figure 3-12 Predefined Situations and Responses for the SAP UM and SAP AC UM Connectors"

3.5 Reconciliation Jobs

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application for your target system.

3.5.1 Reconciliation Jobs for the SAP UM Connector

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application for your target system.

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Note:

All of the jobs are prefixed with an application name when you create an application. For example, SAPUM SAPUM UM CommType Lookup Reconciliation where the first SAPUM is the application name.

Full User Reconciliation Job

The SAP UM Target User Reconciliation job is used to fetch all user records from the target system.

Table 3-17 Parameters of the SAP UM Target User Reconciliation Job

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Filter	Enter the expression for filtering records that the scheduled job must reconcile. Sample value: `equalTo('__UID__','SEPT12USER1')` Default value: `None` For information about the filters expressions that you can create and use, see ICF Filter Syntax in Developing and Customizing Applications for Oracle Identity Governance.
Incremental Recon Attribute	Time stamp at which the last reconciliation run started Default value: `Last Updated` Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute.
Object Type	Type of object you want to reconcile. Default value: `User`
Latest Token	This attribute holds the time stamp (in YYYYMMDDHHMMSS format) at which the last reconciliation run ended. For the next reconciliation run, only target system records that have been added or modified after this time stamp are considered for reconciliation. For consecutive reconciliation runs, the connector automatically enters a value for this attribute. However, you can use this attribute to switch from incremental reconciliation to full reconciliation. Note: The reconciliation engine automatically enters a value in this attribute. Sample value: `20120417123006`
Scheduled Task Name	Name of the scheduled task used for reconciliation. Default value: `SAP UM User Recon`

Incremental User Reconciliation Job

The SAP UM Target Incremental User Reconciliation job is used to fetch the records that are added or modified after the last reconciliation run.

Table 3-18 Parameters of the SAP UM Target Incremental User Reconciliation Job

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Sync Token	Enter the expression for filtering records that the scheduled job must reconcile. Sample value: `equalTo('__UID__','SEPT12USER1')` For information about the filters expressions that you can create and use, see ICF Filter Syntax in Developing and Customizing Applications for Oracle Identity Governance.
Object Type	Type of object you want to reconcile. Default value: `User`
Scheduled Task Name	Name of the scheduled task used for reconciliation. Note: For the scheduled job included with this connector, you must not change the value of this attribute. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this attribute.

Delete User Reconciliation Job

The SAP UM Target User Delete Reconciliation job is used to reconcile user data when for target application.

Table 3-19 Parameters of the SAP UM Target User Delete Reconciliation Job

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Object Type	Type of object you want to reconcile. Default value: `User`
Disable User	Enter `yes` if you want the connector to disable accounts (in Oracle Identity Governance) corresponding to accounts deleted on the target system. Enter `no` if you want the connector to revoke accounts in Oracle Identity Governance. Default value: `User`
Scheduled Task Name	Name of the scheduled task used for reconciliation. Default value: `no`
Sync Token	Time stamp at which the last reconciliation run ended in YYYYMMDDHHMMSS format (for example, 20120417123006). For the next reconciliation run, only target system records that have been deleted after this time stamp are considered for reconciliation. If you set this attribute to an empty value, then incremental reconciliation operations fetch all the records (perform full reconciliation). Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

Lookup Definitions Synchronized with the Target System

Lookup field synchronization involves copying additions or changes made to specific fields in the target system to lookup definitions in Oracle Identity Manager.

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Date Format lookup field to select a date format from the list of supported date formats. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following lookup definitions are populated with values fetched from the target system by the scheduled jobs for lookup field synchronization for the SAP UM connector:

SAPUM UM CommType Lookup Reconciliation
SAPUM UM Company Lookup Reconciliation
SAPUM UM ContractUserType Lookup Reconciliation
SAPUM UM DateFormat Lookup Reconciliation
SAPUM UM DecimalNot Lookup Reconciliation
SAPUM UM LangComm Lookup Reconciliation
SAPUM UM Parameter Lookup Reconciliation
SAPUM UM Profile Lookup Reconciliation
SAPUM UM Role Lookup Reconciliation
SAPUM UM Systems Lookup Reconciliation
SAPUM UM TimeZoneLookup Reconciliation
SAPUM UM Title Lookup Reconciliation
SAPUM UM UserGroup Lookup Reconciliation
SAPUM UM UserType Lookup Reconciliation

The parameters for all the reconciliation jobs are the same.

Table 3-20 Parameters of SAP UM Reconciliation Jobs

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Lookup Name	This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Depending on the reconciliation job you are using, the default values are as follows: For SAPUM UM CommType Lookup Reconciliation: `Lookup.SAPABAP.CommType` For SAPUM UM Company Lookup Reconciliation: `Lookup.SAPABAP.Company` For SAPUM UM ContractUserType Lookup Reconciliation: `Lookup.SAPABAP.ContractualUserType` For SAPUM UM DateFormat Lookup Reconciliation: `Lookup.SAPABAP.DateFormat` For SAPUM UM DecimalNot Lookup Reconciliation: `Lookup.SAPABAP.DecimalNotation` For SAPUM UM LangComm Lookup Reconciliation: `Lookup.SAPABAP.LangComm` For SAPUM UM Parameter Lookup Reconciliation: `Lookup.SAPABAP.Parameter` For SAPUM UM Profile Lookup Reconciliation: `Lookup.SAPABAP.Profile` For SAPUM UM Role Lookup Reconciliation: `Lookup.SAPABAP.Role` For SAPUM UM Systems Lookup Reconciliation: `Lookup.SAPABAP:Systems` For SAPUM UM TimeZoneLookup Reconciliation: `Lookup.SAPABAP.TimeZone` For SAPUM UM Title Lookup Reconciliation: `Lookup.SAPABAP.Title` For SAPUM UM UserGroup Lookup Reconciliation: `Lookup.SAPABAP.UserGroup` For SAPUM UM UserType Lookup Reconciliation: `Lookup.SAPABAP.userType`
Object Type	Enter the type of object whose values must be synchronized. Depending on the scheduled job you are using, the default values are as follows: For SAPUM UM CommType Lookup Reconciliation: `commtype` For SAPUM UM Company Lookup Reconciliation: `company` For SAPUM UM ContractUserType Lookup Reconciliation: `contractualusertype` For SAPUM UM DateFormat Lookup Reconciliation: `dateformat` For SAPUM UM DecimalNot Lookup Reconciliation: `decimalnotation` For SAPUM UM LangComm Lookup Reconciliation: `languagecommunication` For SAPUM UM Parameter Lookup Reconciliation: `parameters` For SAPUM UM Profiles Lookup Reconciliation: `profiles` For SAPUM UM Role Lookup Reconciliation: `activitygroups` For SAPUM UM Systems Lookup Reconciliation: `cuasystems` For SAPUM UM TimeZone Lookup Reconciliation: `timezones` For SAPUM UM Title Lookup Reconciliation: `title` For SAPUM UM UserGroup Lookup Reconciliation: `GROUP` For SAPUM UM UserType Lookup Reconciliation: `usertype`
Code Key Attribute	Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: For SAPUM UM CommType Lookup Reconciliation: `COMMTYPE` For SAPUM UM Company Lookup Reconciliation: `COMPANY` For SAPUM UM ContractUserType Lookup Reconciliation: `USERTYP` For SAPUM UM DateFormat Lookup Reconciliation: `_LOW` For SAPUM UM DecimalNot Lookup Reconciliation: `_LOW` For SAPUM UM LangComm Lookup Reconciliation: `SPRAS` For SAPUM UM Parameter Lookup Reconciliation: `PARAMID` For SAPUM UM Profiles Lookup Reconciliation: `SUBSYSTEM` For SAPUM UM Role Lookup Reconciliation: `SUBSYSTEM` For SAPUM UM Systems Lookup Reconciliation: `RCVSYSTEM` For SAPUM UM TimeZone Lookup Reconciliation: `TZONE` For SAPUM UM Title Lookup Reconciliation: `TITLE_MEDI` For SAPUM UM UserGroup Lookup Reconciliation: `USERGROUP` For SAPUM UM UserType Lookup Reconciliation: `_LOW`
Decode Attribute	Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: For SAPUM UM CommType Lookup Reconciliation: `COMMTYPE` For SAPUM UM Company Lookup Reconciliation: `COMPANY` For SAPUM UM ContractUserType Lookup Reconciliation: `UTYPTEXT` For SAPUM UM DateFormat Lookup Reconciliation: `_TEXT` For SAPUM UM DecimalNot Lookup Reconciliation: `_TEXT` For SAPUM UM LangComm Lookup Reconciliation: `SPTXT` For SAPUM UM Parameter Lookup Reconciliation: `PARTEXT` For SAPUM UM Profiles Lookup Reconciliation: `USRSYSPRF` For SAPUM UM Role Lookup Reconciliation: `USRSYSACT` For SAPUM UM Systems Lookup Reconciliation: `RCVSYSTEM` For SAPUM UM TimeZone Lookup Reconciliation: `DESCRIPT` For SAPUM UM Title Lookup Reconciliation: `TITLE_MEDI` For SAPUM UM UserGroup Lookup Reconciliation: `TEXT` For SAPUM UM UserType Lookup Reconciliation: `_TEXT`

While performing a provisioning operation on Oracle Identity System Administration,you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select.

During lookup field synchronization, new entries are appended to the existing set of entries in the lookup definitions. You can switch from an SAP R/3 target to a SAP CUA target, or you can switch between multiple installations of the same target system. Because the IT resource key is part of each entry created in each lookup definition, only lookup field entries that are specific to the IT resource you select during a provisioning operation are displayed.

3.5.2 Reconciliation Jobs for the SAP AC UM Connector

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application for your target system.

Note:

All of the jobs are prefixed with an application name when you create an application. For example, SAPACUMAPP SAP AC UM BusinessProcess Lookup Reconciliation where SAPACUMAPP is the application name.

Full User Reconciliation Job

The SAP AC UM Target User Reconciliation job is used to fetch all user records from the target system.

Table 3-21 Parameters of the SAP AC UM Target User Reconciliation Job

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Filter	Enter the expression for filtering records that the scheduled job must reconcile. Sample value: `equalTo('__UID__','SEPT12USER1')` Default value: `None` For information about the filters expressions that you can create and use, see ICF Filter Syntax in Developing and Customizing Applications for Oracle Identity Governance.
Object Type	Type of object you want to reconcile. Default value: `User`
Latest Token	This attribute holds the time stamp (in YYYYMMDDHHMMSS format) at which the last reconciliation run ended. For the next reconciliation run, only target system records that have been added or modified after this time stamp are considered for reconciliation. For consecutive reconciliation runs, the connector automatically enters a value for this attribute. However, you can use this attribute to switch from incremental reconciliation to full reconciliation. Note: The reconciliation engine automatically enters a value in this attribute. Sample value: `20120417123006`
Scheduled Task Name	Name of the scheduled task used for reconciliation. Default value: `SAP UM User Recon`
Incremental Recon Attribute	Time stamp at which the last reconciliation run started Default value: `Last Updated` Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value for this attribute.

Delete User Reconciliation Job

The SAP AC UM Target User Delete Reconciliation job is used to reconcile user data when for target application.

Table 3-22 Parameters of the SAP AC UM Target User Delete Reconciliation Job

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Object Type	Type of object you want to reconcile. Default value: `User`
Disable User	Enter `yes` if you want the connector to disable accounts (in Oracle Identity Governance) corresponding to accounts deleted on the target system. Enter `no` if you want the connector to revoke accounts in Oracle Identity Governance. Default value: `no`
Scheduled Task Name	Name of the scheduled task used for reconciliation. Default value: `SAPACUMAPP SAP AC UM User Delete Recon`
Sync Token	Default value is blank. Last modified timestamp of the user account

SAP AC UM Request Status Job

SAP AC UM Request Status Reconciliation job is used to reconcile request status from SAP BusinessObjects AC target system.

Table 3-23 Parameters of the SAP AC UM Request Status Reconciliation Job

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Object Type	Type of object you want to reconcile. Default value: `Status`
Custom Lookup Name	Name of the lookup definition. Default value: `Lookup.SAPACABAP.Status.ReconAttrMap`
Resource Object Name	Name of the resource object against which reconciliation runs must be performed. Default value: `SAP AC UM Resource Object`
IT Resource Name	Name of the IT resource instance that the connector must use to reconcile data. Default value: `SAP AC UM IT Resource`
Scheduled Task Name	Name of the scheduled task. Default value: `SAP AC UM Request Status`

Note:

To run the SAP AC UM Request Status reconciliation job, you must update Application Name and IT Resource Name parameters based on the name created while configuring the connector.

For example, if the name of the connector is SAPACUM, then ensure to update the Application name as SAPACUM and the IT Resource Name as SAPACUM.

Lookup Definitions Synchronized with the Target System

Lookup field synchronization involves copying additions or changes made to specific fields in the target system to lookup definitions in Oracle Identity Manager.

The following lookup definitions are populated with values fetched from the targetsystem by the scheduled jobs for lookup field synchronization, for the SAP AC UM connector:

SAP AC UM BusinessProcess Lookup Reconciliation
SAP AC UM CommType Lookup Reconciliation
SAP AC UM Company Lookup Reconciliation
SAP AC UM ContractUserType Lookup Reconciliation
SAP AC UM DateFormat Lookup Reconciliation
SAP AC UM Functional Area Lookup Reconciliation
SAP AC UM ItemProvAction Lookup Reconciliation
SAP AC UM LangComm Lookup Reconciliation
SAP AC UM Parameter Lookup Reconciliation
SAP AC UM DecimalNot Lookup Reconciliation
SAP AC UM Priority Lookup Reconciliation
SAP AC UM Profile Lookup Reconciliation
SAP AC UM ReqInitSystem Lookup Reconciliation
SAP AC UM RequestType Lookup Reconciliation
SAP AC UM Role Lookup Reconciliation
SAP AC UM Systems Lookup Reconciliation
SAP AC UM TimeZoneLookup Reconciliation
SAP AC UM Title Lookup Reconciliation
SAP AC UM UserGroup Lookup Reconciliation
SAP AC UM UserType Lookup Reconciliation

The parameters for all the reconciliation jobs are the same.

Table 3-24 Parameters of the SAP AC UM Reconciliation Jobs

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Code Key Attribute	Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: For SAP AC UM BusinessProcess Lookup Reconciliation: `LCODE` For SAP AC UM CommType Lookup Reconciliation: `COMM_TYPE` For SAP AC UM Company Lookup Reconciliation: `COMPANY` For SAP AC UM ContractUserType Lookup Reconciliation: `USERTYP` For SAP AC UM DateFormat Lookup Reconciliation: `_LOW` For SAP AC UM Functional Area Lookup Reconciliation: `LCODE` For SAP AC UM ItemProvAction Lookup Reconciliation: `LCODE` For SAP AC UM LangComm Lookup Reconciliation: `SPRAS` For SAP AC UM Parameter Lookup Reconciliation: `PARAMID` For SAP AC UM DecimalNot Lookup Reconciliation: `_LOW` For SAP AC UM Priority Lookup Reconciliation: `LCODE` For SAP AC UM Profile Lookup Reconciliation: `SUBSYSTEM` For SAP AC UM ReqInitSystem Lookup Reconciliation: `REQSYSCODE` For SAP AC UM RequestType Lookup Reconciliation: `LCODE` For SAP AC UM Role Lookup Reconciliation: `SUBSYSTEM` For SAP AC UM Systems Lookup Reconciliation: `RCVSYSTEM` For SAP AC UM TimeZoneLookup Reconciliation: `TZONE` For SAP AC UM Title Lookup Reconciliation: `TITLE_MEDI` For SAP AC UM UserGroup Lookup Reconciliation: `USERGROUP` For SAP AC UM UserType Lookup Reconciliation: `_LOW`
Decode Attribute	Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Depending on the scheduled job you are using, the default values are as follows: For SAP AC UM BusinessProcess Lookup Reconciliation: `LDECODE` For SAP AC UM CommType Lookup Reconciliation: `COMM_TYPE` For SAP AC UM Company Lookup Reconciliation: `COMPANY` For SAP AC UM ContractUserType Lookup Reconciliation: `UTYPTEXT` For SAP AC UM DateFormat Lookup Reconciliation: `_TEXT` For SAP AC UM Functional Area Lookup Reconciliation: `LDECODE` For SAP AC UM ItemProvAction Lookup Reconciliation: `LDECODE` For SAP AC UM LangComm Lookup Reconciliation: `SPTXT` For SAP AC UM Parameter Lookup Reconciliation: `PARTEXT` For SAP AC UM DecimalNot Lookup Reconciliation: `_TEXT` For SAP AC UM Priority Lookup Reconciliation: `LDECODE` For SAP AC UM Profile Lookup Reconciliation: `USRSYSPRF` For SAP AC UM ReqInitSystem Lookup Reconciliation: `REQSYSDECODE` For SAP AC UM RequestType Lookup Reconciliation: `LDECODE` For SAP AC UM Role Lookup Reconciliation: `USRSYSACT` For SAP AC UM Systems Lookup Reconciliation: `RCVSYSTEM` For SAP AC UM TimeZoneLookup Reconciliation: `DESCRIPT` For SAP AC UM Title Lookup Reconciliation: `TITLE_MEDI` For SAP AC UM UserGroup Lookup Reconciliation: `TEXT` For SAP AC UM UserType Lookup Reconciliation: `_TEXT`
Lookup Name	This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Depending on the reconciliation job you are using, the default values are as follows: For SAP AC UM BusinessProcess Lookup Reconciliation: `Lookup.SAPACABAP.Bproc` For SAP AC UM CommType Lookup Reconciliation: `Lookup.SAPACABAP.CommType` For SAP AC UM Company Lookup Reconciliation: `Lookup.SAPACABAP.Company` For SAP AC UM ContractUserType Lookup Reconciliation: `Lookup.SAPACABAP.ContractualUserType` For SAP AC UM DateFormat Lookup Reconciliation: `Lookup.SAPACABAP.DateFormat` For SAP AC UM Functional Area Lookup Reconciliation: `Lookup.SAPACABAP.Funcarea` For SAP AC UM ItemProvAction Lookup Reconciliation: `Lookup.SAPACABAP.ItemProvAction` For SAP AC UM LangComm Lookup Reconciliation: `Lookup.SAPACABAP.LangComm` For SAP AC UM Parameter Lookup Reconciliation: `Lookup.SAPACABAP.Parameter` For SAP AC UM DecimalNot Lookup Reconciliation: `Lookup.SAPACABAP.DecimalNotation` For SAP AC UM Priority Lookup Reconciliation: `Lookup.SAPACABAP.Priority` For SAP AC UM Profile Lookup Reconciliation: `Lookup.SAPACABAP.Profile` For SAP AC UM ReqInitSystem Lookup Reconciliation: `Lookup.SAPACABAP.ReqInitSystem` For SAP AC UM RequestType Lookup Reconciliation: `Lookup.SAPACABAP.RequestType` For SAP AC UM Role Lookup Reconciliation: `Lookup.SAPACABAP.Roles` For SAP AC UM Systems Lookup Reconciliation: `Lookup.SAPACABAP.System` For SAP AC UM TimeZoneLookup Reconciliation: `Lookup.SAPACABAP.TimeZone` For SAP AC UM Title Lookup Reconciliation: `Lookup.SAPACABAP.UserTitle` For SAP AC UM UserGroup Lookup Reconciliation: `Lookup.SAPACABAP.UserGroups` For SAP AC UM UserType Lookup Reconciliation: `Lookup.SAPACABAP.UserType`
Object Class	Enter the class of object whose values must be synchronized. Depending on the scheduled job you are using, the default values are as follows: For SAP AC UM BusinessProcess Lookup Reconciliation: `BusProc` For SAP AC UM CommType Lookup Reconciliation: `commtype` For SAP AC UM Company Lookup Reconciliation: `company` For SAP AC UM ContractUserType Lookup Reconciliation: `contractualusertype` For SAP AC UM DateFormat Lookup Reconciliation: `dateformat` For SAP AC UM Functional Area Lookup Reconciliation: `FunctionArea` For SAP AC UM ItemProvAction Lookup Reconciliation: `ItemProvActionType` For SAP AC UM LangComm Lookup Reconciliation: `languagecommunication` For SAP AC UM Parameter Lookup Reconciliation: `parameters` For SAP AC UM DecimalNot Lookup Reconciliation: `decimalnotation` For SAP AC UM Priority Lookup Reconciliation: `PriorityType` For SAP AC UM Profile Lookup Reconciliation: `profiles` For SAP AC UM ReqInitSystem Lookup Reconciliation: `SYSTEM` For SAP AC UM RequestType Lookup Reconciliation: `RequstType` For SAP AC UM Role Lookup Reconciliation: `activityGroups` For SAP AC UM Systems Lookup Reconciliation: `cuaSystems` For SAP AC UM TimeZoneLookup Reconciliation: `timeZones` For SAP AC UM Title Lookup Reconciliation: `title` For SAP AC UM UserGroup Lookup Reconciliation: `GROUP` For SAP AC UM UserType Lookup Reconciliation: `usertype`
Object Type	Enter the type of object whose values must be synchronized. Depending on the scheduled job you are using, the default values are as follows: For SAP AC UM BusinessProcess Lookup Reconciliation: `BusProc` For SAP AC UM CommType Lookup Reconciliation: `commtype` For SAP AC UM Company Lookup Reconciliation: `company` For SAP AC UM ContractUserType Lookup Reconciliation: `contractualusertype` For SAP AC UM DateFormat Lookup Reconciliation: `dateformat` For SAP AC UM Functional Area Lookup Reconciliation: `FunctionArea` For SAP AC UM ItemProvAction Lookup Reconciliation: `ItemProvActionType` For SAP AC UM LangComm Lookup Reconciliation: `languagecommunication` For SAP AC UM Parameter Lookup Reconciliation: `parameters` For SAP AC UM DecimalNot Lookup Reconciliation: `decimalnotation` For SAP AC UM Priority Lookup Reconciliation: `PriorityType` For SAP AC UM Profile Lookup Reconciliation: `profiles` For SAP AC UM ReqInitSystem Lookup Reconciliation: `SYSTEM` For SAP AC UM RequestType Lookup Reconciliation: `RequstType` For SAP AC UM Role Lookup Reconciliation: `activityGroups` For SAP AC UM Systems Lookup Reconciliation: `cuaSystems` For SAP AC UM TimeZoneLookup Reconciliation: `timeZones` For SAP AC UM Title Lookup Reconciliation: `title` For SAP AC UM UserGroup Lookup Reconciliation: `GROUP` For SAP AC UM UserType Lookup Reconciliation: `usertype`

While performing a provisioning operation on Oracle Identity System Administration, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select.