5 Using the SAP User Management Engine Connector

You can use the connector for performing reconciliation and provisioning operations after configuring the application to meet your requirements.

5.1 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

Reconciliation replicates, in Oracle Identity Governance, the creation of and modifications to user accounts on the target system.

5.1.1 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. After you create the application, you must first perform full reconciliation.

To perform a full reconciliation run, remove (delete) any value currently assigned to the Filter parameter of the SAP UME Target User Reconciliation job.

5.1.2 Performing Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

The connector provides a Filter parameter that allows you to use any of the SAP UME resource parameters to filter the target system records.

The syntax for this parameter is as follows:

syntax = expression ( operator expression )*
operator = 'and' | 'or'
expression = ( 'not' )? filter
filter = ('equalTo' | 'contains' | 'containsAllValues' | 'startsWith'
| 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan'
| 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue ')'
attributeValue = singleValue | multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'

Note:

You can use a shortcut for the <and> and <or> operators: write <filter1> & <filter2> instead of and (<filter1>, <filter2>), and similarly write | instead of or.

For example, to limit the reconciled accounts to those whose account name starts with the letter "a", you could use the following expression:

startsWith('__NAME__', 'a')

For a more advanced search, where you want only those account names that start with 'a' and also end with 'z', you could combine two filters:

startsWith('__NAME__', 'a') & endsWith('__NAME__', 'z')
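
To check a Filter value before entering it in the SAP UME Target User Reconciliation job, the following Python script (an added example, not the connector's own code or part of Oracle's documentation) parses the grammar above and evaluates a filter against a constructed set of accounts. It assumes case-sensitive string comparison, left-to-right evaluation with no operator precedence, and the infix forms only (the and (<filter1>, <filter2>) function form is not handled); the connector's actual behaviour may differ.

```python
import re

# Constructed sample accounts (values made up) and the page's filter functions (a = attribute, v = literal).
SAMPLE_ACCOUNTS = [{"__NAME__": "abaz"}, {"__NAME__": "alice"}, {"__NAME__": "bob"}]
OPS = {"equalTo": lambda a, v: a == v, "contains": lambda a, v: v in a,
       "containsAllValues": lambda a, v: all(x in a for x in v),
       "startsWith": lambda a, v: a.startswith(v), "endsWith": lambda a, v: a.endswith(v),
       "greaterThan": lambda a, v: a > v, "greaterThanOrEqualTo": lambda a, v: a >= v,
       "lessThan": lambda a, v: a < v, "lessThanOrEqualTo": lambda a, v: a <= v}
class FilterParser:
    TOKEN = r"'([^']*)'|(\w+|[(),\[\]&|])"  # quoted value | name, keyword or punctuation
    def __init__(self, text):
        if re.sub(self.TOKEN, "", text).strip():  # anything left over is outside the grammar
            raise ValueError(f"filter contains text outside the grammar: {text!r}")
        self.toks, self.i = [("sym", s) if s else ("str", q) for q, s in re.findall(self.TOKEN, text)], 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind, text=None):  # consume one token after checking its kind (and text)
        k, t = self.peek()
        if k != kind or (text is not None and t != text):
            raise ValueError(f"expected {text or kind!r}, got {t!r}")
        self.i += 1
        return t
    def value(self):  # attributeValue = 'value' | '[' 'value_1' (',' 'value_n')* ']'
        if self.peek() != ("sym", "["):
            return self.take("str")
        self.take("sym", "["); items = [self.take("str")]
        while self.peek() == ("sym", ","):
            self.take("sym", ","); items.append(self.take("str"))
        self.take("sym", "]")
        return items
    def expression(self):  # expression = ('not')? filter '(' 'attributeName' ',' attributeValue ')'
        negate = self.peek() == ("sym", "not") and self.take("sym", "not")
        name = self.take("sym")
        if name not in OPS: raise ValueError(f"unknown filter function {name!r}")
        self.take("sym", "("); attr = self.take("str"); self.take("sym", ",")
        val = self.value(); self.take("sym", ")")
        return lambda rec: (attr in rec and bool(OPS[name](rec[attr], val))) != bool(negate)
    def parse(self):  # syntax = expression (operator expression)*, evaluated left to right
        pred = self.expression()
        while self.peek() in [("sym", o) for o in ("and", "&", "or", "|")]:
            op, left, right = self.take("sym"), pred, self.expression()
            pred = lambda r, l=left, x=right, c=op in ("and", "&"): (l(r) and x(r)) if c else (l(r) or x(r))
        if self.i != len(self.toks): raise ValueError(f"unexpected {self.toks[self.i][1]!r} after filter")
        return pred

def matching_names(filter_text, accounts=SAMPLE_ACCOUNTS):
    # An empty Filter, as used for full reconciliation, matches every account.
    pred = FilterParser(filter_text).parse() if filter_text.strip() else (lambda rec: True)
    return [a["__NAME__"] for a in accounts if pred(a)]
```

A ValueError from FilterParser means the expression would not be accepted by this grammar, so it is worth correcting before scheduling the job.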

5.2 Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:
  1. Log in to Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

5.3 Configuring Provisioning

You can configure the provisioning operation for the SAP UME and SAP AC UME connectors.

5.3.1 Guidelines on Performing Provisioning

These are the guidelines that you must apply while performing provisioning operations.

5.3.1.1 Guidelines for Performing Provisioning Operations in Supported Deployment Configurations

The following are guidelines that you must apply while performing provisioning operations in any of the supported deployment configurations:

  • If an ABAP data source is configured in SAP User Management Engine, then ABAP roles are shown as groups in SAP User Management Engine. However, SAP User Management Engine does not allow assigning such groups to user accounts in some configurations.

    To assign groups that represent the AS ABAP role, create a new AS Java role in the User Administration tool of SAP User Management Engine. Then, assign the group that represents the AS ABAP role to the newly created AS Java role in Oracle Identity Governance.

  • If you disable a user account in Oracle Identity Governance, the connector updates the value of the Valid Through parameter with yesterday's date. If the user has logged in to the target system today, or if the password of the user was changed today, then SAP User Management Engine updates the Valid Through parameter with today's date and locks the user.

    Ensure that the dates on Oracle Identity Governance and the SAP User Management Engine target system are in sync.

  • The length of the Logon Name field varies in the target system based on the data source configuration. If a target system allows 15 characters, and if you enter more than 15 characters for the Logon Name field in Oracle Identity Governance, then an error is encountered. Therefore, the length of the Logon Name field must be limited to 15 characters in Oracle Identity Governance.

  • Through provisioning, if you want to create and disable an account at the same time, then you can set the value of the Valid Through parameter to a date in the past. For example, while creating an account on 31-Jul, you can set the Valid Through date to 30-Jul. With this value, the resource provisioned to the OIG User is in the Disabled state immediately after the account is created.

    However, on the target system, if you set the Valid Through parameter to a date in the past while creating an account, then the target system automatically sets Valid Through to the current date. The outcome of this Create User provisioning operation is as follows:

    • The values of the Valid Through parameter in Oracle Identity Governance and on the target system do not match.

    • On the target system, the user can log in all through the current day. The user cannot log in from the next day onward.

    You can lock the user on the target system so that the user is not able to log in the day the account is created.

  • Remember that if password or system assignment fails during a Create User provisioning operation, then the user is not created.

  • When you try to provision a multivalued parameter, such as a role or group, if the parameter has already been set for the user on the target system, then the status of the process task is set to Completed in Oracle Identity Governance. If required, you can configure the task so that it shows the status Rejected in this situation. See Modifying Process Tasks in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for information about configuring process tasks.

  • When you perform the Lock User or Unlock User provisioning operation, remember that the connector makes the required change on the target system without checking whether the account is currently in the Locked or Unlocked state. This is because the target system does not provide a method to check the current state of the account.

  • The target system does not accept non-English letters in the E-mail Address field. Therefore, during provisioning operations, you must enter only English language letters in the E-mail Address field on the process form.

  • When you assign a role to a user through provisioning, you set values for the following parameters:

    • Datasource

    • Role

5.3.1.2 Guidelines for Performing Provisioning Operations After Configuring Access Request Management

The following are guidelines that you must apply while performing provisioning operations after configuring the access request management feature of the connector:

  • During a Create User operation performed when Access Request Management is configured, first submit the process form data. Submit the child form data after the user is created on the target system. This is because when Access Request Management is enabled, the connector supports modification of either process form fields or child form fields, but not both, in a single Modify User operation.

  • The following fields on the process form are mandatory parameters on SAP GRC Access Request Management:
    • AC Manager

    • AC Manager email

    • AC Priority

    • AC System

    • AC Requestor ID

    • AC Requestor email

    • AC Request Reason

    Note:

    When the Access Request Management feature is configured, you must enter values for these fields even though some of them are not marked as mandatory fields in Oracle Identity System Administration.

    The following fields may be mandatory or optional based on the configuration in SAP GRC Control system:

    • AC Manager First Name

    • AC Manager Last Name

    • AC Manager Telephone

    • AC Request Due Date

    • AC Functional Area

    • AC Business Process

    • AC Requestor First Name

    • AC Requestor Last Name

    • AC Requestor Telephone

    • AC Company

  • SAP GRC Access Request Management does not process passwords. Therefore, during Create User provisioning operations, the system ignores any value entered in the Password field. After a Create User operation is performed, the user for whom the account is created on the target system must apply one of the following approaches to set the password:

    • To use the Oracle Identity Governance password as the target system password, change the password through Oracle Identity Governance.

    • Directly log in to the target system, and change the password.

  • You perform an Enable User operation by setting the Valid From field to a future date. Similarly, you perform a Disable User operation by setting the Valid Through field to the current date. Both operations are treated as Modify User operations.

  • When you delete a user (account) on Oracle Identity System Administration (process form), a Delete User request is created.

  • When you select the Lock User check box on the process form, a Lock User request is created.

  • When you deselect the Lock User check box on the process form, an Unlock User request is created.

  • The Enable User and Disable User operations are implemented through the Valid From and Valid Through fields on the process form.

  • In a Modify User operation, you can specify values for parameters that are mapped to SAP GRC Access Request Management and for parameters that are updated directly on the target system. A request is created in SAP GRC Access Request Management only for parameters whose mappings are present in the connector's lookup definitions. If you specify values for parameters that are not present in these lookup definitions, then the connector sends them directly to the target system.

5.3.2 Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

  1. Log in to Identity Self Service.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
    3. Enter details of the user in the Create User page.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
  5. Specify values for the fields in the application form and then click Ready to Submit.
  6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page

5.4 Uninstalling the Connector

Uninstalling the SAP UME connector deletes all the account-related data associated with its resource objects.

If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for the ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete the resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of the object values corresponding to your connector as the value of the ObjectValues property.

For example: SAP UME User; SAP UME Group

Note:

If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes only the objects listed in the ObjectValues property and skips the connector information.

For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.