5 Using the SAP User Management Connector
This chapter is divided into the following sections:
5.1 Guidelines on Configuring Reconciliation
These are the guidelines that you must apply while configuring reconciliation operations.
- On SAP CUA, an account that is directly created on the target system must be assigned a master system before changes to that account can be detected and brought to Oracle Identity Governance during reconciliation.
- On a Microsoft Windows platform, if you encounter the org.quartz.SchedulerException exception during a reconciliation run, then download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package from the Microsoft Web site.
5.2 Configuring Reconciliation
You can configure the connector to specify the type of reconciliation and its schedule.
Reconciliation involves duplicating in Oracle Identity Governance the creation of and modifications to user accounts on the target system.
This section provides information on the following topics related to configuring reconciliation:
5.2.1 Performing Full and Incremental Reconciliation
At the end of the reconciliation run, the connector automatically sets the Latest Token parameter of the job for user record reconciliation to the time stamp at which the run ended. From the next run onward, the connector considers only records created or modified after this time stamp for reconciliation. This is incremental reconciliation.
You can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance. To perform a full reconciliation run, ensure that no value is specified for the Filter attribute. For user records, also set the value of the Latest Token attribute to 0 (zero) in the scheduled job.
5.2.2 Performing Batched Reconciliation
You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.
You can configure batched reconciliation to avoid such problems.
To configure batched reconciliation, you must specify a value for the batchSize parameter of the Advanced Settings section. Use this attribute to specify the number of records that must be included in each batch. By default, this value is empty.
After you configure batched reconciliation, if reconciliation fails during a batched reconciliation run, then you only need to rerun the scheduled task without changing the values of the task parameters.
5.2.3 Performing Limited Reconciliation
You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. The connector provides a Filter parameter that allows you to use any of the SAP resource attributes to filter the target system records.
The syntax for this parameter is as follows:
syntax = expression ( operator expression )*
operator = 'and' | 'or'
expression = ( 'not' )? filter
filter = ( 'equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue ')'
attributeValue = singleValue | multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'
Note:
You can use a shortcut for the and and or operators. For example, write <filter1> & <filter2> instead of and(<filter1>, <filter2>); similarly, replace or with |.
For example, to reconcile only the accounts whose first name matches a given value, you could use the following expression:
equalTo('FirstName;ADDRESS','AP10A1')
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
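Parsing and applying a Filter value written in the grammar above, as an added example that is not part of the connector or of this guide. It implements the infix and/or form the grammar gives (with the & and | shortcuts); the record shape, the UserName and Roles attributes, the sample users and role names are constructed, and combining and/or left to right is an assumption because the grammar states no precedence.

```python
import re
from typing import Any, Callable

# One filter per the page's grammar: ('not')? op '(' 'attr' ',' value ')', the value a quoted
# 'value' or a list ['v1', 'vn']; [^']* lets an attribute name carry ';' ('FirstName;ADDRESS').
_FILTER = re.compile(r"\s*(not\s+)?([A-Za-z]+)\(\s*'([^']*)'\s*,\s*(?:'([^']*)'|\[([^\]]*)\])\s*\)")
_OPERATOR = re.compile(r"\s*(and|or|&|\|)\s*")  # 'and'/'or' and the '&'/'|' shortcuts
# Comparison operators named in the grammar, as (attribute value, filter value) -> bool.
_OPS = {
    "equalTo": lambda a, v: a == v,
    "contains": lambda a, v: v in a,  # substring, or member of a multi-valued attribute
    "containsAllValues": lambda a, v: all(x in a for x in v),
    "startsWith": lambda a, v: a.startswith(v), "endsWith": lambda a, v: a.endswith(v),
    "greaterThan": lambda a, v: a > v, "greaterThanOrEqualTo": lambda a, v: a >= v,
    "lessThan": lambda a, v: a < v, "lessThanOrEqualTo": lambda a, v: a <= v,
}
Predicate = Callable[[dict[str, Any]], bool]

def _term(negate: bool, cmp, attr: str, value) -> Predicate:
    # A missing attribute fails the comparison; '!=' then applies the optional 'not'.
    return lambda rec: bool(attr in rec and cmp(rec[attr], value)) != negate

def _join(op: str, lhs: Predicate, rhs: Predicate) -> Predicate:
    combine = all if op in ("and", "&") else any
    return lambda rec: combine((lhs(rec), rhs(rec)))

def parse_filter(text: str) -> Predicate:
    """Compile a Filter value into a predicate over one target-system record.  The grammar
    has no grouping and states no precedence, so (assumption) and/or combine left to right."""
    if not text.strip():  # no Filter value means full reconciliation: every record matches
        return lambda rec: True
    pos, pred, join = 0, None, None
    while True:
        m = _FILTER.match(text, pos)
        if not m or m.group(2) not in _OPS:
            raise ValueError(f"expected a filter at offset {pos}: {text[pos:pos + 20]!r}")
        negate, op, attr, single, many = m.groups()
        value = re.findall(r"'([^']*)'", many) if many is not None else single
        term = _term(bool(negate), _OPS[op], attr, value)
        pred = term if pred is None else _join(join, pred, term)
        pos = m.end()
        if not text[pos:].strip():
            return pred
        sep = _OPERATOR.match(text, pos)
        if not sep:
            raise ValueError(f"expected and/or at offset {pos}: {text[pos:pos + 20]!r}")
        join, pos = sep.group(1), sep.end()

# Constructed sample records; attribute names follow the 'FirstName;ADDRESS' form of the page's example.
SAMPLE_RECORDS = [
    {"UserName": "AP10A1", "FirstName;ADDRESS": "AP10A1", "Roles": ["Z_FI_CLERK", "Z_FI_APPROVER"]},
    {"UserName": "JSMITH", "FirstName;ADDRESS": "John", "Roles": ["Z_FI_CLERK"]},
    {"UserName": "TLEE", "FirstName;ADDRESS": "Tara", "Roles": ["Z_HR_ADMIN"]},
]
```

A malformed value (trailing text, an operator name outside the grammar) raises ValueError rather than silently admitting every record, which is what you want from a setting that decides which accounts leave the target system.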
5.3 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
5.4 Guidelines on Performing Provisioning
5.4.1 Guidelines on Performing Provisioning in Supported Deployment Configuration
These are the guidelines that you must apply while performing provisioning operations in any of the supported deployment configurations.
- Through provisioning, if you want to create and disable an account at the same time, then you can set the value of the Valid Through attribute to a date in the past. For example, while creating an account on 31-Jul, you can set the Valid Through date to 30-Jul. With this value, the resource provisioned to the OIM User is in the Disabled state immediately after the account is created.
  However, on the target system, if you set the Valid Through attribute to a date in the past while creating an account, then the target system automatically sets Valid Through to the current date. The outcome of this Create User provisioning operation is as follows:
  - The values of the Valid Through attribute in Oracle Identity Governance and on the target system do not match.
  - On the target system, the user can log in all through the current day. The user cannot log in from the next day onward.
  You can lock the user on the target system so that the user is not able to log in on the day the account is created.
- Remember that if password or system assignment fails during a Create User provisioning operation, then the user is not created.
- When you try to provision a multivalued attribute, such as a role or profile, if the attribute has already been set for the user on the target system, then the status of the process task is set to Completed in Oracle Identity Governance. If required, you can configure the task so that it shows the status Rejected in this situation. See Modifying Process Tasks in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for information about configuring process tasks.
- When you perform the Lock User or Unlock User provisioning operation, remember that the connector makes the required change on the target system without checking whether the account is currently in the Locked or Unlocked state. This is because the target system does not provide a method to check the current state of the account.
- The target system does not accept non-English letters in the E-mail Address field. Therefore, during provisioning operations, you must enter only English language letters in the E-mail Address field on the process form.
- On a Microsoft Windows platform, if you encounter the java.lang.UnsatisfiedLinkError exception during a provisioning operation, then download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package from the Microsoft Web site.
5.4.2 Guidelines on Performing Provisioning After Configuring Access Request Management
These are the guidelines that you must apply while performing provisioning operations after configuring the Access Request Management feature of the connector.
- During a Create User operation performed when Access Request Management is configured, first submit process form data. Submit child form data after the user is created on the target system. This is because when Access Request Management is enabled, the connector supports modification of either process form fields or child form fields in a single Modify User operation.
- The following fields on the process form are mandatory parameters on SAP GRC Access Request Management:
  Note:
  When the Access Request Management feature is configured, you must enter values for these fields even though some of them are not marked as mandatory fields on Oracle Identity System Administration.
  - AC Manager
  - AC Manager email
  - AC Priority
  - AC System
  - AC Requestor ID
  - AC Requestor email
  - AC Request Reason
  The following fields may be mandatory or optional based on the configuration of the SAP GRC system:
  - AC Manager First Name
  - AC Manager Last Name
  - AC Manager Telephone
  - AC Request Due Date
  - AC Functional Area
  - AC Business Process
  - AC Requestor First Name
  - AC Requestor Last Name
  - AC Requestor Telephone
  - AC Company
- As mentioned earlier in this guide, SAP GRC Access Request Management does not process passwords. Therefore, any value entered in the Password field is ignored during Create User provisioning operations. After a Create User operation is performed, the user for whom the account is created on the target system must apply one of the following approaches to set the password:
  - To use the Oracle Identity Governance password as the target system password, change the password through Oracle Identity Governance.
  - Directly log in to the target system, and change the password.
- You perform an Enable User operation by setting the Valid From field to a future date. Similarly, you perform a Disable User operation by setting the Valid Through field to the current date. Both operations are treated as Modify User operations.
- When you delete a user (account) on Oracle Identity System Administration (process form), a Delete User request is created.
- When you select the Lock User check box on the process form, a Lock User request is created.
- When you deselect the Lock User check box on the process form, an Unlock User request is created.
- The Enable User and Disable User operations are implemented through the Valid From and Valid Through fields on the process form.
- In a Modify User operation, you can specify values for parameters that are mapped with SAP GRC Access Request Management and parameters that are directly updated on the target system. A request is created in SAP GRC Access Request Management only for parameters whose mappings are present in these lookup definitions. If you specify values for parameters that are not present in these lookup definitions, then the connector sends them directly to the target system.
- You cannot assign or revoke groups for an SAP UM AC account on the GRC server. Groups must be managed in the SAP ECC system (the backend ABAP system).
5.5 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
  - In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
  - From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
  - Enter details of the user in the Create User page.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
- Specify values for the fields in the application form and then click Ready to Submit.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page.
5.6 Performing Provisioning Operations in an SoD-Enabled Environment
Provisioning a resource for an OIM User involves using Oracle Identity Governance to create a target system account for the user.
The following are types of provisioning operations:
- Direct provisioning
- Request-based provisioning of accounts
- Request-based provisioning of entitlements
- Provisioning triggered by policy changes
This section provides information on the following topics:
5.6.1 Overview of the Provisioning Process in an SoD-Enabled Environment
The following is the sequence of steps that take place during a provisioning operation performed in an SoD-enabled environment:
- The provisioning operation triggers the appropriate adapter.
- SAP GRC SoD Invocation Library (SIL) Provider passes the entitlement data to the Web service of SAP GRC.
- After SAP GRC runs the SoD validation process on the entitlement data, the response from the process is returned to Oracle Identity Governance.
- The status of the process task that received the response depends on the response itself. If the entitlement data clears the SoD validation process, then the adapter carries provisioning data to the corresponding BAPI on the target system and the status of the process task changes to Completed. This translates into the entitlement being granted to the user. If the SoD validation process returns the failure response, then the status of the process task changes to Canceled.
5.6.2 Guidelines on Performing Provisioning Operations in an SoD-Enabled Environment
These are the guidelines that you must apply while performing provisioning operations in an SoD-enabled environment.
- When you assign a role to a user through provisioning, you set values for the following attributes:
  - Role System Name
  - Role Name
  - Start Date
  - End Date
  However, when you update a role assignment, you can specify values only for the Start Date and End Date attributes. You cannot set new values for the Role System Name and Role Name attributes. This also applies to new child forms that you add.
- You can only assign profiles. You cannot update an assigned profile.
5.6.3 Request-Based Provisioning in an SoD-Enabled Environment
In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Governance.
The request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The request-based provisioning process described in this section covers steps to be performed by both entities.
In the example used in this section, the end user creates a request for two roles on the target system. The request clears the SoD validation process and is approved by the approver.
The following sections provide more information about request-based provisioning:
See Configuring SoD (Segregation of Duties) for related information.
5.6.3.1 Creating Request-Based Provisioning by End Users
The following are types of request-based provisioning:
- Request-based provisioning of accounts: OIM Users are created but not provisioned target system resources when they are created. Instead, the users themselves raise requests for provisioning accounts.
- Request-based provisioning of entitlements: OIM Users who have been provisioned target system resources (either through direct or request-based provisioning) raise requests for provisioning entitlements.
The following steps are performed by the end user in a request-based provisioning operation:
5.6.3.2 Approving Request-Based Provisioning
This section provides information on the role of the approver in a request-based provisioning operation.
The approver to whom the request is assigned can use the Pending Approvals feature to view details of the request.
In addition, the approver can click the View link to view details of the SoD validation process.
The approver can decide whether to approve or deny the request, regardless of whether the SoD engine accepted or rejected the request. The approver can also modify entitlements in the request.
The following steps are performed by the approver in a request-based provisioning operation:
5.7 Switching Between SAP ERP and SAP CUA Target Systems
You can switch your target systems between SAP ERP and SAP CUA for reconciliation and provisioning.
The following sections provide information about the procedure to switch between the SAP ERP and SAP CUA target systems:
5.7.1 Switching Between the SAP ERP and SAP CUA Target Systems for Reconciliation
To switch between SAP ERP and SAP CUA target systems for reconciliation:
5.7.2 Switching Between the SAP ERP and SAP CUA Target Systems for Provisioning
To switch between SAP ERP and SAP CUA target systems for provisioning:
- If you are switching to SAP CUA, then set the value of the enableCUA entry to yes in the Lookup.SAPABAP.Configuration lookup definition. If you are switching to SAP ERP, then set the value to no.
- For every scheduled job used for lookup field synchronization, set the value of the required IT resource in the IT Resource Name field and run it individually.
- Start the provisioning operation on Oracle Identity System Administration by selecting the required IT resource.
5.8 Switching From an SAP ERP or SAP CUA Target System to an SAP GRC Target System and Vice Versa
You can switch from an SAP ERP or SAP CUA target system to an SAP GRC target system and vice versa.
If you want to switch from an SAP ERP or SAP CUA target system to an SAP GRC target system and vice versa, then perform the following steps:
5.9 Uninstalling the Connector
Uninstalling the SAP UM connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for the ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector as the value of the ObjectValues property.
For example: SAP UM User; SAP UM Group
Note:
If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes the objects listed in the ObjectValues property and skips the Connector information.
For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.