5 Using the SAP User Management Connector

You can use the SAP UM connector for performing reconciliation and provisioning operations after configuring the application to meet your requirements.

This chapter is divided into the following sections:

5.1 Guidelines on Configuring Reconciliation

These are the guidelines that you must apply while configuring reconciliation operations.

  • On SAP CUA, an account that is directly created on the target system must be assigned a master system before changes to that account can be detected and brought to Oracle Identity Governance during reconciliation.

  • On a Microsoft Windows platform, if you encounter the org.quartz.SchedulerException exception during a reconciliation run, then download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package from the Microsoft Web site.

5.2 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

Reconciliation involves duplicating in Oracle Identity Governance the creation of and modifications to user accounts on the target system.

This section provides information on the following topics related to configuring reconciliation:

5.2.1 Performing Full and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.

At the end of the reconciliation run, the connector automatically sets the Latest Token parameter of the job for user record reconciliation to the time stamp at which the run ended. From the next run onward, the connector considers only records created or modified after this time stamp for reconciliation. This is incremental reconciliation.

You can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance. To perform a full reconciliation run, ensure that no value is specified for the Filter attribute, and set the value of the Latest Token attribute to 0 (zero) in the scheduled job for user record reconciliation.

5.2.2 Performing Batched Reconciliation

You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

To configure batched reconciliation, you must specify a value for the batchSize parameter in the Advanced Settings section. Use this parameter to specify the number of records that must be included in each batch. By default, this value is empty.

After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then you only need to rerun the scheduled task without changing the values of the task parameter.

5.2.3 Performing Limited Reconciliation

You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. The connector provides a Filter parameter that allows you to use any of the SAP resource attributes to filter the target system records.

The syntax for this parameter is as follows:

Note:

You can use a shortcut for the 'and' and 'or' operators: write <filter1> & <filter2> instead of and(<filter1>, <filter2>), and similarly replace 'or' with |.

syntax = expression ( operator expression )* 
operator = 'and' | 'or' 
expression = ( 'not' )? filter 
filter = ('equalTo' | 'contains' | 'containsAllValues' | 'startsWith'
| 'endsWith'  | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' 
| 'lessThanOrEqualTo' )  '(' 'attributeName' ',' attributeValue ')' 
attributeValue = singleValue  |  multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'

For example, to limit reconciliation to only those accounts whose FirstName;ADDRESS attribute matches a given value, you could use the following expression:

equalTo('FirstName;ADDRESS','AP10A1')

For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
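The Filter grammar above, worked through as an added example that is not part of the connector documentation: a small Python parser and evaluator for Filter expressions, run over constructed SAP user records, that accepts the infix operators, the & and | shortcuts and the and(...)/or(...) long form named in the Note. Left-to-right evaluation of chained operators, string comparison for the ordered filters, and every attribute name other than 'FirstName;ADDRESS' are assumptions of this example, not statements about the ICF filter implementation.

```python
import re

# Filters from the grammar: a is the record's attribute value, v the filter's value or [list].
# Ordered comparisons are made on the string form (an assumption of this example).
_FILTERS = {
    "equalTo": lambda a, v: a == v, "contains": lambda a, v: v in a,  # substring or list membership
    "containsAllValues": lambda a, v: set(v) <= set(a if isinstance(a, list) else [a]),
    "startsWith": lambda a, v: str(a).startswith(v), "endsWith": lambda a, v: str(a).endswith(v),
    "greaterThan": lambda a, v: str(a) > v, "greaterThanOrEqualTo": lambda a, v: str(a) >= v,
    "lessThan": lambda a, v: str(a) < v, "lessThanOrEqualTo": lambda a, v: str(a) <= v,
}
_OPS = {"and": lambda l, r: l and r, "or": lambda l, r: l or r}
_TOKEN = re.compile(r"'([^']*)'|([A-Za-z]+)|([()\[\],&|])|(\S)")  # value | word | sym | junk


def tokenize(text):  # whitespace matches no alternative and is skipped; anything else is junk
    tokens = []
    for m in _TOKEN.finditer(text):
        kind = ("value", "word", "sym", "junk")[m.lastindex - 1]
        if kind == "junk":
            raise ValueError(f"unexpected character {m.group(0)!r} in filter")
        tokens.append((kind, m.group(m.lastindex)))
    return tokens


def _expect(tokens, kind, *texts):  # consume the next token; it must match kind (and texts, if given)
    got = tokens[0] if tokens else ("end", None)
    if got[0] != kind or (texts and got[1] not in texts):
        raise ValueError(f"expected {' or '.join(texts) or kind}, got {got[1]!r}")
    return tokens.pop(0)[1]


def _parse(tokens):  # syntax = expression ( operator expression )*, applied left to right (assumption)
    node = _expression(tokens)
    while tokens and tokens[0] in (("word", "and"), ("word", "or"), ("sym", "&"), ("sym", "|")):
        op = tokens.pop(0)[1]  # '&' and '|' are the shortcuts for and / or from the Note
        node = ("and" if op in ("and", "&") else "or", node, _expression(tokens))
    if tokens:
        raise ValueError(f"trailing input: {tokens[0][1]!r}")
    return node


def _expression(tokens):  # expression = ( 'not' )? filter ; filter = name '(' 'attributeName' ',' attributeValue ')'
    name = _expect(tokens, "word")
    if name == "not":
        return ("not", _expression(tokens))
    _expect(tokens, "sym", "(")
    if name in _OPS:  # long form and(<filter1>, <filter2>) named in the Note
        left = _expression(tokens)
        _expect(tokens, "sym", ",")
        node = (name, left, _expression(tokens))
    elif name in _FILTERS:
        attr = _expect(tokens, "value")
        _expect(tokens, "sym", ",")
        node = ("filter", name, attr, _attribute_value(tokens))
    else:
        raise ValueError(f"unknown filter {name!r}")
    _expect(tokens, "sym", ")")
    return node


def _attribute_value(tokens):  # attributeValue = 'value' | '[' 'value_1' (',' 'value_n')* ']'
    if not tokens or tokens[0] != ("sym", "["):
        return _expect(tokens, "value")
    tokens.pop(0)
    values = [_expect(tokens, "value")]
    while _expect(tokens, "sym", ",", "]") == ",":
        values.append(_expect(tokens, "value"))
    return values


def evaluate(node, record):  # record is a dict of SAP attribute name -> value; a missing attribute never matches
    if node[0] == "not":
        return not evaluate(node[1], record)
    if node[0] in _OPS:
        return _OPS[node[0]](evaluate(node[1], record), evaluate(node[2], record))
    return node[2] in record and _FILTERS[node[1]](record[node[2]], node[3])


def apply_filter(expression, records):  # the records the scheduled job's Filter parameter would select
    tree = _parse(tokenize(expression))
    return [r for r in records if evaluate(tree, r)]

SAMPLE_USERS = [  # constructed sample records; only the 'FirstName;ADDRESS' attribute name is from the page
    {"FirstName;ADDRESS": "AP10A1", "Department;ADDRESS": "FINANCE", "Roles": ["SAP_FI_AP", "SAP_FI_GL"]},
    {"FirstName;ADDRESS": "John", "Department;ADDRESS": "FINANCE", "Roles": ["SAP_FI_AP"]},
    {"FirstName;ADDRESS": "Mei", "Department;ADDRESS": "HR", "Roles": ["SAP_HR_ADMIN"]},
]
```

Validating a Filter value this way before saving it in the scheduled job catches syntax errors that would otherwise only surface as a failed reconciliation run.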

5.3 Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:
  1. Log in to Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

5.4 Guidelines on Performing Provisioning

These are the guidelines that you must apply while performing provisioning.

5.4.1 Guidelines on Performing Provisioning in Supported Deployment Configuration

These are the guidelines that you must apply while performing provisioning operations in any of the supported deployment configurations.

  • Through provisioning, if you want to create and disable an account at the same time, then you can set the value of the Valid Through attribute to a date in the past. For example, while creating an account on 31-Jul, you can set the Valid Through date to 30-Jul. With this value, the resource provisioned to the OIM User is in the Disabled state immediately after the account is created.

    However, on the target system, if you set the Valid Through attribute to a date in the past while creating an account, then the target system automatically sets Valid Through to the current date. The outcome of this Create User provisioning operation is as follows:

    • The values of the Valid Through attribute in Oracle Identity Governance and on the target system do not match.

    • On the target system, the user can log in all through the current day. The user cannot log in from the next day onward.

    You can lock the user on the target system so that the user is not able to log in the day the account is created.

  • Remember that if password or system assignment fails during a Create User provisioning operation, then the user is not created.

  • When you try to provision a multivalued attribute, such as a role or profile, if the attribute has already been set for the user on the target system, then the status of the process task is set to Completed in Oracle Identity Governance. If required, you can configure the task so that it shows the status Rejected in this situation. See Modifying Process Tasks in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for information about configuring process tasks.

  • When you perform the Lock User or Unlock User provisioning operation, remember that the connector makes the required change on the target system without checking whether the account is currently in the Locked or Unlocked state. This is because the target system does not provide a method to check the current state of the account.

  • The target system does not accept non-English letters in the E-mail Address field. Therefore, during provisioning operations, you must enter only English language letters in the E-mail Address field on the process form.

  • On a Microsoft Windows platform, if you encounter the java.lang.UnsatisfiedLinkError exception during a provisioning operation, then download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package from the Microsoft Web site.

5.4.2 Guidelines on Performing Provisioning After Configuring Access Request Management

These are the guidelines that you must apply while performing provisioning operations after configuring the Access Request Management feature of the connector.

  • During a Create User operation performed when the Access Request Management is configured, first submit process form data. Submit child form data after the user is created on the target system. This is because when Access Request Management is enabled, the connector supports modification of either process form fields or child form fields in a single Modify User operation.

  • The following fields on the process form are mandatory parameters on SAP GRC Access Request Management:

    Note:

    When the Access Request Management feature is configured, you must enter values for these fields even though some of them are not marked as mandatory fields on Oracle Identity System Administration.

    • AC Manager

    • AC Manager email

    • AC Priority

    • AC System

    • AC Requestor ID

    • AC Requestor email

    • AC Request Reason

    The following fields may be mandatory or optional based on the configuration in SAP GRC system:

    • AC Manager First Name

    • AC Manager Last Name

    • AC Manager Telephone

    • AC Request Due Date

    • AC Functional Area

    • AC Business Process

    • AC Requestor First Name

    • AC Requestor Last Name

    • AC Requestor Telephone

    • AC Company

  • As mentioned earlier in this guide, SAP GRC Access Request Management does not process passwords. Therefore, any value entered in the Password field is ignored during Create User provisioning operations. After a Create User operation is performed, the user for whom the account is created on the target system must apply one of the following approaches to set the password:

    • To use the Oracle Identity Governance password as the target system password, change the password through Oracle Identity Governance.

    • Directly log in to the target system, and change the password.

  • You perform an Enable User operation by setting the Valid From field to a future date. Similarly, you perform a Disable User operation by setting the Valid Through field to the current date. Both operations are treated as Modify User operations.

  • When you delete a user (account) on Oracle Identity System Administration (process form), a Delete User request is created.

  • When you select the Lock User check box on the process form, a Lock User request is created.

  • When you deselect the Lock User check box on the process form, an Unlock User request is created.

  • The Enable User and Disable User operations are implemented through the Valid From and Valid Through fields on the process form.

  • In a Modify User operation, you can specify values for parameters that are mapped to SAP GRC Access Request Management and for parameters that are updated directly on the target system. A request is created in SAP GRC Access Request Management only for parameters whose mappings are present in these lookup definitions. If you specify values for parameters that are not present in these lookup definitions, then the connector sends them directly to the target system.

  • You cannot perform an assign or revoke groups operation for an SAP UM AC account on the GRC server. Groups must be managed in the SAP ECC system (the backend ABAP system).

5.5 Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

  1. Log in to Identity Self Service.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
    3. Enter details of the user in the Create User page.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
  5. Specify values for the fields in the application form and then click Ready to Submit.
  6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page

5.6 Performing Provisioning Operations in an SoD-Enabled Environment

Provisioning a resource for an OIM User involves using Oracle Identity Governance to create a target system account for the user.

The following are types of provisioning operations:

  • Direct provisioning

  • Request-based provisioning of accounts

  • Request-based provisioning of entitlements

  • Provisioning triggered by policy changes

This section provides information on the following topics:

5.6.1 Overview of the Provisioning Process in an SoD-Enabled Environment

The following is the sequence of steps that take place during a provisioning operation performed in an SoD-enabled environment:

  1. The provisioning operation triggers the appropriate adapter.

  2. SAP GRC SoD Invocation Library (SIL) Provider passes the entitlement data to the Web service of SAP GRC.

  3. After SAP GRC runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Governance.

  4. The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the adapter carries provisioning data to the corresponding BAPI on the target system and the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then the status of the process task changes to Canceled.

5.6.2 Guidelines on Performing Provisioning Operations in an SoD-Enabled Environment

These are the guidelines that you must apply while performing provisioning operations in an SoD-enabled environment.

  • When you assign a role to a user through provisioning, you set values for the following attributes:

    • Role System Name

    • Role Name

    • Start Date

    • End Date

    However, when you update a role assignment, you can specify values only for the Start Date and End Date attributes. You cannot set new values for the Role System Name and Role Name attributes. This also applies to new child forms that you add.

  • You can only assign profiles. You cannot update an assigned profile.

5.6.3 Request-Based Provisioning in an SoD-Enabled Environment

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Governance.

The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.

In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.

The following sections provide more information about request-based provisioning:

See Configuring SoD (Segregation of Duties) for related information.

5.6.3.1 Creating Request-Based Provisioning Requests by End Users

The following are types of request-based provisioning:

Request-based provisioning of accounts: OIM Users are created but not provisioned target system resources when they are created. Instead, the users themselves raise requests for provisioning accounts.

Request-based provisioning of entitlements: OIM Users who have been provisioned target system resources (either through direct or request-based provisioning) raise requests for provisioning entitlements.

The following steps are performed by the end user in a request-based provisioning operation:

  1. Log in to Oracle Identity System Administration.
  2. On the Welcome page, click Advanced on the top right corner of the page.
  3. On the Welcome to Identity Governance Advanced Administration page, click the Administration tab, and then click the Requests tab.
  4. From the Actions menu on the left pane, select Create Request.

    The Select Request Template page is displayed.

  5. From the Request Template list, select Provision Resource and then click Next.
  6. On the Select Users page, specify a search criterion in the fields to search for the user that you want to provision the resource, and then click Search. A list of users that match the search criterion you specified is displayed in the Available Users list.
  7. From the Available Users list, select the user to whom you want to provision the account.

    If you want to create a provisioning request for more than one user, then from the Available Users list, select the users to whom you want to provision the account.

  8. Click Move or Move All to include your selection in the Selected Users list, and then click Next.
  9. On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.
  10. From the Available Resources list, select SAP UM Resource Object, move it to the Selected Resources list, and then click Next.
  11. On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.
  12. On the Justification page, you can specify values for the following fields, and then click Finish:
    • Effective Date

    • Justification

    On the resulting page, a message confirming that your request has been sent is displayed along with the Request ID.

  13. If you click the request ID, then the Request Details page is displayed.
  14. On the Resource tab of the Request Details page, click the View Details link in the row containing the resource for which the request was created. The Resource Details page is displayed in a new window.

    One of the fields on this page is the SODCheckStatus field. The value in this field can be SoD Check Not Initiated or SoDCheckCompleted. When the request is placed, the SODCheckStatus field contains the SoDCheckCompleted status.

  15. To view details of the approval, on the Request Details page, click the Approval Tasks tab.

    On this page, the status of the SODChecker task is pending.

5.6.3.2 Approving Request-Based Provisioning

This section provides information on the role of the approver in a request-based provisioning operation.

The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.

In addition, the approver can click the View link to view details of the SoD validation process.

The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.

The following steps are performed by the approver in a request-based provisioning operation:

  1. Log in to Oracle Identity System Administration.
  2. On the Welcome page, click Self-Service in the upper-right corner of the page.
  3. On the Welcome to Identity Governance Self Service page, click the Tasks tab.
  4. On the Approvals tab, in the first region, you can specify a search criterion for the request task that is assigned to you.
  5. From the search results table, select the row containing the request you want to approve, and then click Approve Task.

    A message confirming that the task has been approved is displayed and the request status is changed to Obtaining Operation Approval.

  6. Select the row containing the request that was approved, and then click Approve Task.

    A message confirming that the task has been approved is displayed and the request status is changed to Request Completed.

  7. Click the Administration tab and search for the user(s) for whom the request is completed.
  8. Select the user.

    The user detail information is displayed in the right pane.

  9. Click the Resources tab to view the resource being provisioned.
  10. Select the resource being provisioned, and then click Open to view the resource details.
  11. On the Resources tab of the User Details page, from the Action menu, select Resource History to view the resource provisioning tasks.

5.7 Switching Between SAP ERP and SAP CUA Target Systems

You can switch your target systems between SAP ERP and SAP CUA for reconciliation and provisioning.

The following sections provide information about the procedure to switch between the SAP ERP and SAP CUA target systems:

5.7.1 Switching Between the SAP ERP and SAP CUA Target Systems for Reconciliation

To switch between SAP ERP and SAP CUA target systems for reconciliation:

  1. If you are switching to SAP CUA, then set the value of the enableCUA entry to yes in the Lookup.SAPABAP.Configuration lookup definition. If you are switching to SAP ERP, then set the value to no.
  2. In the SAP UM User Recon and SAP UM User Delete Recon scheduled jobs, set values for the following attributes:
    • IT Resource Name: Enter the name of the required IT resource.

    • Latest Token: Enter 0 as the value of this attribute. Alternatively, if you have saved the time stamp value from the previous reconciliation run on the same target system, then you can enter that value in the Time Stamp attribute.

5.7.2 Switching Between the SAP ERP and SAP CUA Target Systems for Provisioning

To switch between SAP ERP and SAP CUA target systems for provisioning:

  1. If you are switching to SAP CUA, then set the value of the enableCUA entry to yes in the Lookup.SAPABAP.Configuration lookup definition. If you are switching to SAP ERP, then set the value to no.
  2. For every scheduled job used for lookup field synchronization, set the value of required IT resource in the IT Resource Name field and run it individually.
  3. Start the provisioning operation on Oracle Identity System Administration by selecting the required IT resource.

5.8 Switching From an SAP ERP or SAP CUA Target System to an SAP GRC Target System and Vice Versa

You can switch from an SAP ERP or SAP CUA target system to an SAP GRC target system and vice versa.

If you want to switch from an SAP ERP or SAP CUA target system to an SAP GRC target system or vice versa, then perform the following steps:

  1. Ensure that you have set the environment variable for running the MDS Delete utility. In the weblogic.properties file, ensure that values are set for the wls_servername, application_name, and metadata_files properties. See Exporting All MDS Data for Oracle Identity Governance in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for detailed information about setting up the environment for MDS utilities.
  2. Delete the existing request datasets using the following command:
    • On Microsoft Windows

      weblogicDeleteMetadata.bat
      
    • On UNIX

      weblogicDeleteMetadata.sh
      
  3. Run the PurgeCache utility to clear the cache for the content category Metadata.
  4. Import the request datasets for the target system to which you want to switch.
  5. Run the PurgeCache utility to clear the cache for the content category Metadata.

5.9 Uninstalling the Connector

Uninstalling the SAP UM connector deletes all the account-related data associated with its resource objects.

If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for the ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector as the value of the ObjectValues property.

For example: SAP UM User; SAP UM Group

Note:

If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes the objects listed in the ObjectValues property and skips the connector information.

For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.