
Using modRDN with SAP NW IDM

One of the benefits of SAP NetWeaver IDM is how it embraces not only SAP systems, but other systems that can be found in the typical enterprise IT department. In a previous post, I described how one can use the embedded IDM scripting functions to search for an entry in the LDAP. However, there is more that you can do with LDAP besides searching. Probably one of the LDAP functions I use the most is called modRDN (some detailed definitions and examples can be found here and here). In a nutshell, executing a modRDN operation allows for changes to be made to the Relative Distinguished Name (RDN). This is always a unique value in the DIT structure, and usually one that changes during the stages of identity. These changes usually take one of two forms, which I have specified below:

 

  1. A change to the common name (cn) component of the distinguished name. The classic use case is the change of surname after a person gets married[1]: cn=Deanna Troi,ou=USS Enterprise,dc=StarFleet,dc=com becomes cn=Deanna Riker, ou=USS Enterprise,dc=StarFleet,dc=com. For our purposes, we’ll call this a name change.
  2. A change in the ou or container component of the distinguished name. This is usually a departmental or geographic change such as: cn=Deanna Riker,ou=USS Titan,dc=StarFleet,dc=com. For our purposes, we’ll call this an organizational change.

    Note: This process is also used frequently as part of the deprovisioning process. There is typically a requirement to move the newly separated user into a “holding container” for some period of time (usually 30-180 days) so as to keep access to linked email accounts and contact information, or for regulatory reasons.

 

It’s not hard to see why this is an important operation in IDM. People change names with some frequency, and change departments, locations and other defining components with greater frequency. So let’s take a moment and describe how this happens in IDM:

[Image: Image 1.png]

This screenshot comes from the IDM Job Wizard, which can be accessed after creating a new active task under any workflow task node (New -> Job Wizard -> Identity Center -> Jobs -> Active Directory -> Modify RDN Active Directory).

[Image: Image 2.png]

You’ll notice that this is a pretty generic setup, as with most of the included IDM templates. Before using the modRDN-enabled task for the first time, make sure you set the correct repository (it is supposed to be set during the Wizard, but it was not for me in a To LDAP pass using SAP IDM 7.2 SP4) and that your starting point is correct, as the Wizard takes a slight Active Directory bias by defaulting to cn=users.

[Image: Image 3.png]

Then all that needs to be done is setting up for your use case, name change or organizational change. Let’s take a look at the name change scenario setup:

[Image: Image 1a.png]

So what do we have?

 

  • We have to specify the dn of the user in the directory. Don’t forget to make sure that the cn component is correctly specified. It might be MSKEYVALUE, it might be firstname.sn, it might be first initial plus last name, or it might be anything else, so make sure you know for sure!
  • The changetype is specified next, which, as we know, is modrdn; it is not case sensitive.
  • The newrdn tells us what the entry’s RDN is changing to. This value must be unique under the parent container.
  • Since this operation creates a new RDN, we should get rid of the old one. Setting deleteoldrdn to 1 removes the old RDN value from the entry in the directory.
  • Finally, the newsuperior value sets the new parent of the entry, i.e. the balance of the DN, if the entry is moving. In this case we leave it empty, since this is a name change only.
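To see what the five fields above do to an entry before you run the pass, here is an added example (not code from the post or from SAP IDM) that applies modRDN semantics to a DN and renders the equivalent LDIF; the helper names are my own, the DNs are the post’s, and escaped commas (\,) inside a value are honoured.

```javascript
// Added example: work out what a modRDN request does to an entry before the
// To LDAP pass runs. Not SAP IDM code; helper names are my own.

// Split a DN into its RDN components without breaking on escaped commas.
function splitDn(dn) {
  const parts = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) { cur += ch + dn[++i]; continue; }
    if (ch === ",") { parts.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  parts.push(cur.trim());
  return parts.filter((p) => p.length > 0);
}

// "cn=Deanna Troi" -> ["cn", "Deanna Troi"]; attribute types compare case-insensitively.
function rdnParts(rdn) {
  const i = rdn.indexOf("=");
  if (i <= 0) throw new Error("not an attr=value RDN: " + rdn);
  return [rdn.slice(0, i).trim().toLowerCase(), rdn.slice(i + 1).trim()];
}

// newrdn replaces the leftmost RDN, newsuperior (if given) replaces the rest of
// the DN, and deleteoldrdn decides whether the old naming value stays on the entry.
function applyModRdn(dn, newrdn, deleteoldrdn, newsuperior) {
  const parts = splitDn(dn);
  if (parts.length < 2) throw new Error("DN needs an RDN and a parent: " + dn);
  if (splitDn(newrdn).length !== 1) throw new Error("newrdn must be a single RDN: " + newrdn);
  const [oldType, oldValue] = rdnParts(parts[0]);
  const [newType, newValue] = rdnParts(newrdn);
  if (!newValue) throw new Error("newrdn has an empty value: " + newrdn);

  const oldParent = parts.slice(1).join(",");
  const parent = newsuperior ? splitDn(newsuperior).join(",") : oldParent;
  const newDn = newrdn + "," + parent;

  // With deleteoldrdn=0 the directory keeps the old value as an additional
  // attribute value (two cn values on one entry), which account-centric IDM
  // flows rarely expect. Report the naming values that remain on the entry.
  const namingValues = [newValue];
  if (!deleteoldrdn && oldType === newType && oldValue !== newValue) namingValues.push(oldValue);

  const ldif = ["dn: " + dn, "changetype: modrdn", "newrdn: " + newrdn,
                "deleteoldrdn: " + (deleteoldrdn ? 1 : 0)];
  if (newsuperior) ldif.push("newsuperior: " + newsuperior);

  return {
    newDn,
    renamed: parts[0].toLowerCase() !== newrdn.trim().toLowerCase(),
    moved: Boolean(newsuperior) && parent.toLowerCase() !== oldParent.toLowerCase(),
    namingValues,
    ldif: ldif.join("\n"),
  };
}

// Case 1 of the post: name change, same container.
const nameChange = applyModRdn("cn=Deanna Troi,ou=USS Enterprise,dc=StarFleet,dc=com", "cn=Deanna Riker", 1);
// Case 2 of the post: organizational change, same RDN, new container.
const orgChange = applyModRdn("cn=Deanna Riker,ou=USS Enterprise,dc=StarFleet,dc=com",
                              "cn=Deanna Riker", 1, "ou=USS Titan,dc=StarFleet,dc=com");
console.log(nameChange.ldif + "\n\n" + orgChange.ldif);
```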

 

This brings up a couple of other points that we should make about the modRDN function as it pertains to the Directory Service and to SAP IDM in general. First off, this process will not change the MSKEYVALUE or any other IDM attribute in your Identity Store. If you want that done, it will have to happen in subsequent passes / tasks. Nor will this process change other Directory Service attributes such as the Active Directory sAMAccountName. If there is a need to change the MSKEYVALUE, information can be found here; similarly if the sAMAccountName needs to be changed, that information can be found here. Also it’s a good idea to make sure that you update your IDM attribute that holds the dn with the new value (ACCOUNT$rep.$NAME).

 

Now if you need to make an organizational change, it would look like this:

[Image: Image 2a.png]

Everything is pretty much the same here except for the newsuperior value, which now reflects Will Riker’s transfer. Incidentally, I guess standards are different on the new ship, since he also has a changed cn. This also shows that we can change multiple parts of the DN in the same modRDN operation.

I hope that during this article I’ve been able to shed a little light on some things that you can do with your IDM and a connected Directory Service. 

 


 


  • [1] This is not my favorite Star Trek series or character for that matter, but it serves as an example. Please don’t ask where I would have placed Wesley.

Support Package 06 Now Available

The latest Support Package for SAP NetWeaver Identity Management 7.2 is now available for download from the SAP Service Marketplace (login required). 

Go to the related Release Note for more information on the enhancements and fixes shipped with Support Package 6.

VDS/GRC Errors

New projects, new issues (or as I like to think of them, learning opportunities).

 

While setting up the GRC / IDM integration, we encountered the following error when executing the Risk Analysis task:

 

Exception: (GRC RiskAnalysis:1 Exception in GRC WS API call:Bad version number in .class file).

 

This error message appeared in both IDM and VDS. In IDM, an "LDAP: error code 1" was also found. LDAP error 1 is listed as an Operations Error, which doesn't mean a whole heck of a lot; it's more of a catch-all error encountered when back-end processes fail.

 

After some checking with some knowledgeable Java developers I found out a few things. Basically, every compiled Java class carries (deep down) a specific number that tells something about the version (or compliance level) of the compiler that produced it.

 

  • Java 1.4 = 48
  • Java 1.5 = 49
  • Java 1.6 = 60

 

After some investigation, we found that VDS was running Java 1.5. Pointing VDS to Java 1.6 solved the problem.
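The version number the developers mentioned is the major_version field in the class file header, so a JAR can be checked against the dispatcher’s JRE before it is deployed into VDS. The following is an added example (not from the post); the header bytes are constructed, and the major-to-release mapping follows the JVM class file format (45 = 1.1 through 48 = 1.4, 49 = 1.5, 50 = 1.6, 51 = 7, 52 = 8, then one per release).

```javascript
// Added example: read the version header of a compiled Java class and tell
// whether a given JRE can load it. A class compiled for a newer release than
// the running JRE is rejected at load time with a bad/unsupported class
// version error, which is the symptom the post describes.

const CLASS_MAGIC = 0xcafebabe;

// ClassFile structure: u4 magic, u2 minor_version, u2 major_version.
function classFileVersion(buf) {
  if (buf.length < 8) throw new Error("not a class file: too short");
  if (buf.readUInt32BE(0) !== CLASS_MAGIC) throw new Error("not a class file: bad magic");
  const minor = buf.readUInt16BE(4);
  const major = buf.readUInt16BE(6);
  if (major < 45) throw new Error("unknown class file major version " + major);
  const n = major - 44; // 45 -> 1, 48 -> 4, 49 -> 5, 50 -> 6, 51 -> 7, 52 -> 8 ...
  return { major, minor, release: major <= 50 ? "1." + n : String(n) };
}

// Highest class file major version a JRE release ("1.5", "1.6", "8", "11") can load.
function maxMajorForJre(release) {
  const m = /^(?:1\.)?(\d+)$/.exec(release.trim());
  if (!m) throw new Error("unrecognised JRE release: " + release);
  return Number(m[1]) + 44;
}

// Diagnosis for one class file against the JRE the VDS/dispatcher runs on.
function checkLoadable(buf, jreRelease) {
  const v = classFileVersion(buf);
  const loadable = v.major <= maxMajorForJre(jreRelease);
  const message = loadable
    ? "class targets Java " + v.release + ", loadable on JRE " + jreRelease
    : "class targets Java " + v.release + " (major " + v.major + ") but JRE is " +
      jreRelease + ": expect a bad/unsupported class version error at load time";
  return { ...v, loadable, message };
}

// Constructed sample header: only the first 8 bytes matter for this check.
function sampleClassHeader(major) {
  const b = Buffer.alloc(8);
  b.writeUInt32BE(CLASS_MAGIC, 0);
  b.writeUInt16BE(0, 4);
  b.writeUInt16BE(major, 6);
  return b;
}

// The post's situation: classes built for 1.6, VDS running on a 1.5 JRE.
console.log(checkLoadable(sampleClassHeader(50), "1.5").message);
console.log(checkLoadable(sampleClassHeader(50), "1.6").message);
// For a real file: checkLoadable(require("fs").readFileSync("Some.class"), "1.6")
```

Classes inside a JAR have to be extracted first; the check itself only needs the first eight bytes of each .class entry.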

DB2 Support for SAP NetWeaver Identity Management

SAP complements its identity management solution with support for another database: In addition to Microsoft SQL Server and Oracle databases, SAP NetWeaver Identity Management now also integrates with IBM's DB2.

 

The following software and configuration is required: SAP NetWeaver Identity Management Identity Center 7.2 SP6 or later, and DB2 10.1 FP1 for Linux, UNIX and Windows.

 

For more information, read the new How-To Guide available on the SAP Service Marketplace (login required).

Also take a look at the Product Availability Matrix (SMP login required) for SAP NetWeaver Identity Management to review product details.

A quick guide to using SQL Queries for populating Legal Attribute Values

One of the most dynamic and popular ways to load data into attributes is to use the SQL Query method of providing attribute values. I've seen these hold State Names, Organizational Data, even mail server names! Attributes can even be linked together as I have written here.

 

The most important thing to remember here is that if the data is loaded by an IDM job, then you will need to grant additional access to the mxmc_prov account. This account handles the interface between the run-time and the presentation UI (PHP in version 7.0 and WebDynPro in 7.1 and beyond). It used to be that I would go and ask the DBAs to add this access, as I thought something special needed to happen behind the scenes. However, after talking to a knowledgeable person, I was informed that this can be done programmatically.

 

It's actually quite easy to do in a To Database pass type, which I illustrate below for updating a table in a Microsoft SQL Server 2008 R2 database:

 

[Image: to_database.jpg]

Note that by selecting the "SQL Updating" option actual SQL Code can be passed from IDM to the back end database. Interestingly enough this is even somewhat simpler in an Oracle Database since the user reference is mxmc_prov.

 

Two things I've noticed along the way with this functionality:

 

1. In some Oracle Database scenarios, I had to "re-grant" the SELECT privilege every time I updated the table. I suspect that this is because I am using the "Delete table before loading" Option.  This is not a big deal. I've displayed the job outline below:

[Image: job..jpg]

I'm not sure if this can happen in SQL Server or if it will always happen in Oracle, but it's a good idea to keep this in mind. Until I realized what was happening I thought I was losing my mind, and I'm pretty sure the BASIS person who was granting the access again and again thought so too!

 

2. Even though you can make these changes via IDM automatically, it's still a good idea to make the DBAs and other system administrators aware of what you have done. These changes are made to systems outside of IDM, so it's best that they know these are "legal" and do not view them as a potential security breach.

Best Practices implementing Identity Management

Setting Write Permissions on ABAP Initial Loads

I saw an interesting issue recently where we did an initial load from an ECC system into IDM in the DEV environment. After the load was executed, the security group received several calls and emails about users who had lost their access to various DEV SAP systems.

 

Needless to say, this had me a little concerned.

 

Ultimately we found out that role assignments were being re-written for all users and that certain types of roles were being overwritten.

During the postmortem process we discovered that there were some issues with Z* roles and Y* roles, so I put some filters on to make sure that we never processed the Y* roles, which were basically escalated roles that would be conferred through GRC Firefighter. This helped to make sure that we were not trying to “update” them but we still had a few small issues. What it came down to is that we needed to make sure that when we executed the initial load no existing user would be updated.

 

Fortunately in IDM this is something that is easy to accomplish.

[Image: Image 6.png]

Using the " . " prefix on the WriteABAPUsersProfilePrivilegeAssignments and the WriteABAPUsersRolePriviegeAssignments meant that IDM privilege information from the initial load would be written for new users only. This let the IDM/Security team do initial loads to bring in the new security roles that we needed to access, while keeping the accounts of our development team safe from being overwritten. We will need to create something a little more flexible for Production, but this got us through an important part of the project.

SAP IDM - How to handle SAP roles


I’m working on an IDM project and like many of you I had to solve the issue with SAP roles.

 

What were the issues in my case:

 

  • If you attach a role to a person in SAP, the next role just replaces it.
  • If you have to first remove and then add the same role in SAP, in some cases the add action runs before the deletion, and in the end the person has no roles attached in SAP.

 

The first issue was easy to solve. My solution includes some Java scripting, but in simple cases it can be handled with several tasks arranged in an ordered task group, or even with only one task. The idea is as follows:

  • Get the currently attached privileges for SAP
  • Get the pending privileges to be added in SAP
  • Merge the two lists
  • Set the resulting list of privileges in SAP

 

In order to speed things up I’m grouping SAP privileges by "operation" and getting the pending values in a group script. This way I can handle all privileges per operation at once.

 

There are two ways to get the currently attached privileges for a person in IDM.

  • The first one is a custom SQL select on IDMV_LINK_EXT2. I’m using this one, because it contains the MSKEYs and MSKEYVALUEs of the person, the privileges and the contexts together in one place.
  • The second one is to use the standard “TO IDENTITY STORE” pass functionality to "get" instead of "set" values from the MXREF_MX_PRIVILEGE attribute, something like the following:

          %{VALIDTO!!VALIDFROM!!MSKEYVALUE}MXREF_MX_PRIVILEGE%

 

This will return VALIDTO, VALIDFROM, MSKEYVALUE and MSKEY of all privileges attached to the person. Of course a different set of parameters is possible; for more information please check the IDM help, which has a very good explanation.

 

 

The second issue looks hard to implement at first glance, but in the end my solution is as follows:

  • In the task that attaches privileges to SAP, I added a check for whether there are pending values for deletion for the current person.
  • If there are, just call uSkip(1,1). This skips all following tasks in the ordered task group for this person, and with them the attachment of privileges, until all privileges marked for removal are processed, and you won’t see any red lines in the log file.
  • When there are no more pending privileges to remove, the attachment of new privileges is executed as usual.
  • In order to loop, I set the task to be retried on failure 20 times at an interval of 5 minutes. Of course you should experiment with these values to find the right ones for your scenario.

 

In conclusion, in my scenario there are two steps: first delete the old privileges, then add the new ones. But in simple cases it is possible to merge these two steps into one. In that case the privileges are grouped not by "action" but by "application", and each pending value is analyzed: if it is for deletion, remove it from the list of already attached privileges; if it is for add, just add it to the list. At the end of the analysis, set the resulting list in SAP and that is it.
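The merge from the first issue and the single-step, per-application variant described just above come down to the same reconciliation, shown here as an added example (not Ivan’s script or SAP IDM code); the "PRIV:<application>:<role>" naming and the sample privilege lists are my assumptions, and the pending values are applied in the order they are listed, so a delete followed by an add of the same role ends with the role assigned.

```javascript
// Added example: reconcile the privileges a person already holds in SAP with
// the pending add/delete values, per application, so the complete result list
// can be written in one step. Not SAP IDM code; naming scheme and data are assumed.

const PRIV_PREFIX = "PRIV:";

// "PRIV:ECC:Z_FI_DISPLAY" -> "ECC" (assumed naming: PRIV:<application>:<role>)
function applicationOf(priv) {
  const parts = priv.split(":");
  if (parts.length < 3 || parts[0] + ":" !== PRIV_PREFIX) {
    throw new Error("unexpected privilege name: " + priv);
  }
  return parts[1];
}

// attached: privilege names currently assigned in the target system.
// pending:  [{ name, op }] with op "add" or "delete", in processing order.
// Returns { application: [sorted privilege names] }; an application whose
// last privilege was removed keeps an empty list so the caller writes it.
function reconcile(attached, pending) {
  const perApp = {};
  const setFor = (app) => (perApp[app] = perApp[app] || new Set());
  for (const p of attached) setFor(applicationOf(p)).add(p);
  for (const { name, op } of pending) {
    const set = setFor(applicationOf(name));
    if (op === "delete") set.delete(name);
    else if (op === "add") set.add(name);
    else throw new Error("unknown operation " + op + " for " + name);
  }
  const result = {};
  for (const app of Object.keys(perApp).sort()) result[app] = [...perApp[app]].sort();
  return result;
}

// Two-step variant from the post: the add task must wait (uSkip(1,1) in IDM)
// while any deletion for the person is still pending.
function addsMustWait(pending) {
  return pending.some((v) => v.op === "delete");
}

// Constructed sample: one person with roles in ECC and BW.
const attached = ["PRIV:ECC:Z_FI_DISPLAY", "PRIV:ECC:Z_MM_BUYER", "PRIV:BW:Z_REPORTING"];
const pending = [
  { name: "PRIV:ECC:Z_MM_BUYER", op: "delete" },
  { name: "PRIV:ECC:Z_FI_POST", op: "add" },
  { name: "PRIV:ECC:Z_FI_DISPLAY", op: "add" }, // already assigned: stays a single entry
];

console.log(JSON.stringify(reconcile(attached, pending), null, 2));
console.log("adds must wait:", addsMustWait(pending));
```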

 

 

I hope that everything is clear, but if it is not and you want help, or you’ve got any remarks or additional questions, don’t hesitate to contact me.

 

 

Best Regards,

Ivan


SAP UI - how to create custom UI for Reports


In order to create functionality a customer needed, I had to do additional development on the IDM UI.

The case was:

  1. I had to create a custom UI for reporting.
  2. The generated reports are: users’ data, privileges attached to the users, roles attached to the users, and a report of the created requests.
  3. Export Person Data:

     [Image: 1.png]

       • Export Person is used to choose from a list of users
       • File name is used to set the name of the file for export
       • Check for export is used to specify the files for export
  4. Export Privileges Data and Export Role Data work on the same principle as Export Person Data.
  5. Export Request is more complex, because ValidFrom and ValidTo were added to set a range for the report:

     [Image: 2.png]

What I did to create the UI above was:

  • I added a new entry type (CCH_EXPORT_UI_DATA) to hold the information for this UI:

    [Image: 3.png]

  • Because this is an entry type that creates a new entry, I had to add a mandatory attribute to hold the MSKEY of the user executing the report:

    [Image: 4.png]

      • Only after the comment is added can the user successfully make a report.
  • I added a couple of tasks to react to the check box (Check for export).

    [Image: 5.png]

      • If the check box is selected, a script checks it and executes the next task on TRUE; if not, nothing happens.
  • I used a task to set the file name and the trigger that exports the files.
  • To make it possible for users to search for a person, I added a SQL query to the attribute (in Attribute Values):

    [Image: 6.png]

      • If you want a report for all users, you just execute the report with "_%" in the Export Person field, and the generated files will contain information for all users.
  • The tricky part was how to export the correct data. So I added a flag to check whether the export has already been executed. If yes, I delete the flag, so that no more than one file is generated for this report.
  • For the file name I made a script that checks whether we have a file name; if not, I generate one.
  • I also had a problem with the select made for exporting requests, after I added the ValidFrom and ValidTo attributes. At first, when I tried to set a date and export, the exported data wasn’t correct until I made the attributes’ data type Datetime.

    [Image: 7.png]

  • Finally, in the Job folder I execute the jobs that export the files:

    [Image: 8.png]

      • As you can see here, Check for export is selected; only this way can you generate a report for the needed information.

SAP IDM - How to call web service from IDM

Despite my answers to questions like “How to call web service from IDM”, there was demand for a detailed explanation, so here it is.

There is a simple way to call a web service from IDM. All we need is a JavaScript function and a Java-based web service. I’ve prepared a simple example.

So let’s get started.

This is my Java-based web service:

[Image: CCH_REQUEST_CHILD0001.PNG]

Deploy your web service. What is important is that the JAR file should be copied to the server where the IDM console is and added to the console class path extension, like this:

[Image: Capture4.PNG]

Then of course the dispatcher scripts should be regenerated and reinstalled. If all web services will use only one dispatcher, then you only need to regenerate and reinstall that one.

Now the IDM part follows.

I’ve used a job in the job folder with a To Generic pass:

[Image: Capture3.PNG]

In scripts, add the following script:

[Image: Capture2.PNG]

[Image: Capture5.PNG]

Set the destination tab as follows:

[Image: Capture1.PNG]

And you are ready to go. Just run the job and here is the result:

[Image: Capture.PNG]

Of course you can use the JavaScript code from other passes, including provisioning ones, but it should be reworked a little bit in the parameters part and should look like this:

[Image: CCH_REQUEST_ROLE0001.PNG]

If you wonder why I’m using new String(Par) instead of Par directly: it is better this way, because from my personal experience Par is sometimes not recognized as a string, and then when you try to parse it, instead of array{String1,String2} you will receive array{S,t,r,i,n,g,1,S,t,r,i,n,g,2}. So in order to avoid this behavior, always create a new string from Par and then parse it.

In conclusion, if you feel that something is not clear enough, or you have unanswered questions or recommendations, please feel free to post them here or contact me.

Best Regards,

Ivan

How to call a Job from a Provisioning Framework with parameters

1. The scenario: if I want to call a job from a provisioning framework with some parameters, I can do it this way:

   1. After the ordered task group is executed, the first task sets some entry data.
   2. Then in the second task I can set the values we need in the temporary table (TEST_TEMP_TABLE).
   3. At the end I call the job (in the job folder):

      [Image: 12.png]

      With the script runJob I call a job from the Job Folder.

2. Here is the job I call from the provisioning framework:

   1. In step 1 (Source tab) I select the needed information from the temporary table, and from there update the entry in the destination tab.
   2. In step 2 (Destination tab) I update the status in the temporary table, so that already processed data is not processed again.

Understanding the IdM 7.2 - GRC10 interface

In this blog post I would like to share with the community some experiences regarding the IdM 7.2 <-> GRC10 integration.

This integration can easily turn out to be a tedious topic, in particular if things don't go smoothly from the beginning. The documentation (I'm referring to the SAP NetWeaver Identity Management Compliant provisioning using SAP BusinessObjects Access Control Configuration Guide) contains some charts showing how the communication flows and where which protocol is used (e.g. in the chapter "Introduction"). It also explains in detail the purpose of the various tasks, which is certainly very helpful (in the chapter "Task execution process description", starting on page 35). Here I'd like to focus on two things to clarify matters a bit more:

• How does the communication between IdM and GRC really work? We'll have a detailed look at that.
• Something goes wrong with the communication between IdM and GRC. What should I do?

                   

Let's start with the first point. We know from the documentation that when IdM communicates with GRC it performs an LDAP write operation against the VDS. The VDS "translates" this call into a web service call to GRC (compare again the chapter "Introduction" of the documentation). But how does this really work?

[Image: to-ldap.PNG]

In the above screenshot you can see the toLDAP pass that creates the GRC request.

Now the VDS takes the parameters IdM provides in the LDAP call (user first name, last name, requested roles, validity dates) and submits a web service client call to GRC10. If all goes well, GRC10 replies SUCCESS and provides the request ID in GRC10. And now comes the tricky part: what will the VDS do with this information? The toLDAP pass type cannot handle complex return information. It only tells you "write operation successful" or "write operation failed". This is why the VDS doesn't send the information back to the IdM runtime. Instead, the VDS writes all return information from the web services directly to the IdM database as context variables. If the runtime needs it, say for a check in a conditional task, then it has to go to the database and read it (using either a SQL query on mxpv_audit_variables or the script function uGetContextVar). So the information flow between IdM 7.2 and GRC10 is as in the figure below.

[Image: comm-path.png]

When IdM queries information from GRC, the information can be returned to the IdM runtime. But even in that case the GRC provisioning framework uses context variables to store the information in the database.

Two examples:

• If the CUP request creation is successful, the VDS creates the context variable MX_GRC_REQUEST_ID. In the above screenshot, the task "Write Request Id and opt. start polling" (the one right below "Submit AC Request") executes the script sap_grc10_WriteRequestId2PVO. The first thing this script does is read the context variable and store it in the attribute MX_AC_REQUESTID of the pending value.
• See the screenshot below. When IdM polls for the status (in this blog I only consider the polling scenario) it performs an LDAP read operation. The result is stored in the context variable GRCSTATUS, where the subsequent conditional task picks it up. The SQL query is "SELECT VarValue FROM mxpv_audit_variables WHERE VarName='GRCSTATUS' and AuditID=%AUDITID%".

[Image: check-status.PNG]

So much for the IdM part of this interface. We'll see in the second part how we can get more insight into the web services area. I'd like to mention that in the GRC provisioning framework there is a quite complex encapsulation of what we describe here, with pending values, approval tasks etc. (for more information check one of my earlier blog posts). I guess the purpose of this encapsulation is to create a smooth integration with the privilege assignment process in IdM. But from a technical perspective you can also use the above toLDAP pass to create a CUP request independently of privilege assignments and pending values in IdM. I have done this for two customers. There, the GRC integrates into a custom request workflow scenario and the GRC part works completely without pending values. So much for part 1.

                   

Now let's cover the second item in our list: something goes wrong with the communication between IdM and GRC. What should I do?

To illustrate what this can look like, I've copied an error message I had to deal with a lot recently:

[Image: script-execution-failed.JPG]

The error message doesn't really tell you much. Unfortunately, there is no more specific information about what precisely went wrong. In addition, it is impossible to see how the data is manipulated before it is sent to GRC and which arguments in IdM map to which parameters in the web services.

If you get a very unspecific error message like the one above in the IdM log, you should first open the VDS log. If configured appropriately (debug mode, see the screenshot below) the VDS prints the entire web service communication to the operations log.

[Image: vds-config.PNG]

Open the operations log at <VDS install directory>\configurations\<your config name>\log\operation.trc, search for "<GracIdmUsrAccsReqServices" and you should get the hit below:

[Image: vds-log-1.PNG]

What you see in the screenshot is the XML document that the VDS sends to GRC for creating the CUP request. It contains all information about the user, his attributes, the requested roles and so on. If you look at the trace file with e.g. Notepad, you will have to check everything quite carefully, because the XML document is stored as one big long string. Here is what it looks like if you configure Notepad to use word wrap:

[Image: vds-log-2.PNG]

Wouldn't it be great to have this as a well-formatted XML file so that we can study it easily?

So what we could do is copy this XML into a text file, save it with the file extension .xml and open it with Internet Explorer. If you do this, it will look like this:

[Image: xml.PNG]
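The copy-to-Notepad-then-browser step can be scripted: the following added example (not from the post and not an SAP tool) pulls the request element out of an operation.trc line and indents it. Only the root element name comes from the post; the trace line and the child element names are constructed for illustration, and the trace contains personal data, so treat the extracted file like the log itself.

```javascript
// Added example: extract the GRC request XML from a VDS operation trace line
// and indent it for reading. Constructed sample; element names below the root
// are made up, not the GRC web service schema.

const ROOT_ELEMENT = "GracIdmUsrAccsReqServices";

// Return the first <prefix:ROOT ...> ... </prefix:ROOT> span in the trace text,
// or null when it is absent or the line was cut off before the closing tag
// (the trace holds one request per very long line).
function extractRequestXml(traceText, localName = ROOT_ELEMENT) {
  const open = new RegExp("<([\\w.-]+:)?" + localName + "[\\s>]").exec(traceText);
  if (!open) return null;
  const closeTag = "</" + (open[1] || "") + localName + ">";
  const end = traceText.indexOf(closeTag, open.index);
  if (end < 0) return null;
  return traceText.slice(open.index, end + closeTag.length);
}

// Minimal indenter for element-only XML (no CDATA, no comments): one element
// per line, two spaces per level, text kept inline with its own tags.
function prettyXml(xml) {
  const tokens = xml.replace(/>\s+</g, "><").match(/<[^>]+>|[^<]+/g) || [];
  const lines = [];
  let depth = 0;
  const pad = () => "  ".repeat(depth);
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (!t.startsWith("<")) {
      const next = tokens[i + 1];
      if (lines.length && next && next.startsWith("</")) {
        lines[lines.length - 1] += t.trim() + next; // <Tag>text</Tag> on one line
        depth--;
        i++;
      } else {
        lines.push(pad() + t.trim());
      }
    } else if (t.startsWith("</")) {
      depth = Math.max(0, depth - 1);
      lines.push(pad() + t);
    } else if (t.startsWith("<?") || t.startsWith("<!") || t.endsWith("/>")) {
      lines.push(pad() + t);
    } else {
      lines.push(pad() + t);
      depth++;
    }
  }
  return lines.join("\n");
}

// Constructed trace line in the spirit of operation.trc: a timestamp, then
// the whole SOAP envelope on a single line.
const SAMPLE_TRACE =
  "20130402 12:56:33 DEBUG ws-client request: " +
  '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">' +
  "<soapenv:Body><GracIdmUsrAccsReqServices><User><Id>TROID</Id><Lname>Riker</Lname></User>" +
  "<Roles><Role>Z_FI_DISPLAY</Role><Role>Z_MM_BUYER</Role></Roles>" +
  "</GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>";

function prettyRequestFromTrace(traceText) {
  const xml = extractRequestXml(traceText);
  return xml === null ? null : prettyXml(xml);
}

console.log(prettyRequestFromTrace(SAMPLE_TRACE));
```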

Now we can see in detail which data is sent, which is a good thing. But something is still missing. If I know that GRC sends back an error message for the values in the XML, I'd like to be able to change these values slightly and resubmit, to see whether that also changes the result in GRC. So how can I do that?

This is where soapUI comes into the picture. soapUI is a tool that allows you to submit web service client calls. It also allows you to do a lot more than that, but what we'd like to do here is submit the web service call to GRC ourselves. So please go ahead and download the free version of soapUI (http://www.soapui.org/). In order to leverage the power of soapUI we need one more small thing: the WSDL URL of the web service call that creates a request in CUP. In order to get it, proceed as follows:

• Log on to the GRC box with SAP GUI
• Start transaction soamanager
• A browser window opens. Log on and then click on Web Service Configuration

[Image: soamanag-1.PNG]

• Enter "GRAC*" in the search field and hit search. In the result list select "GRAC_USER_ACCES_WS" and press "Apply Selection"

[Image: soamanag-2.PNG]

• Click on "Show / Hide selected bindings or ..."

[Image: soamanag-3.PNG]

• The WSDL URL is displayed. Copy it to the clipboard

[Image: soamanag-4.PNG]

                  Now let's get back to soapUI. Now we can create a soapUI project with this WSDL URL. Start soapUI and then proceed as follows:

                  • In the main menu, select File -> New soapUI project

(Screenshot: soapUI-1.PNG)

• Choose a name, for instance "Create CUP Request", and enter the WSDL URL in the second field.

(Screenshot: soapUI-2.PNG)

• Press OK. You are asked for logon data; afterwards you should see something like the screenshot.

(Screenshot: soapUI-3.PNG)

• Double-click on "Request 1". A window opens that shows you the XML structure.

(Screenshot: soapUI-4.PNG)

For every question mark in the XML document you could enter a value. But we are not going to work out which values to enter here; we simply reuse the XML document from above. So replace the XML in the text pane with the XML copied from the VDS operation log (see the following screenshot):

(Screenshot: soapUI-5.PNG)

The XML is now again one long line. Fortunately soapUI can format it: right-click in the document and choose "Format XML":

(Screenshot: soapUI-6.PNG)

Now we are almost there. We only need to maintain the logon data. Note that soapUI stores what you enter here in the project file, together with the request data (which contains personal data), so keep the project file out of shared folders and version control:

(Screenshot: soapUI-7.PNG)

                  Then we can start the call by clicking the green arrow:

(Screenshot: soapUI-8.PNG)

With the request data from my test system I get an error message saying:

Processing Error. More details in WS Error Log (transaction SRT_UTIL) by selection with UTC timestamp 20130402125633

(Screenshot: soapUI-9.PNG)

This is not a full explanation of what went wrong, but it gives me at least some information to follow up on. Furthermore, if I have a suspicion what the problem is, I can modify the request and try again. In my example the problem is the German umlaut character "ü" in the name, which is wrongly encoded (see the last name in the screenshot). I replace it with "u" and try again:

(Screenshot: soapUI-10.PNG)

This time it worked. What is a simple change and retry in soapUI would have been a lengthy procedure in IdM: change the identity, clean up the failed assignments in the person record, reassign the privilege.
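The loop just described (copy the XML from the VDS log, format it, spot the bad character, change it, resubmit) can also be scripted when it has to be repeated many times. The following is an added example, not code from the original post, from SAP or from soapUI: it pretty-prints a single-line envelope, finds characters that look like UTF-8 bytes read as Latin-1 (the assumed form of the "wrongly encoded" umlaut; the element names and the endpoint URL are assumptions as well), repairs them, and builds the HTTP POST with the same Basic logon data that soapUI sends.

```python
"""Scripted version of the soapUI loop: take the request XML copied from the
VDS operation log, format it, find mis-encoded characters, repair them and
build the HTTP request that resubmits the envelope to the GRC web service.
Added example, not part of the original post; element names, URL and the
form of the encoding fault are assumptions."""
import base64
import re
import unicodedata
import urllib.request
from xml.dom import minidom

# Constructed sample of a request body as the VDS log shows it: one long line.
# Element names are illustrative, not the GRAC_USER_ACCES_WS schema.
SAMPLE_REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><CreateRequest><UserInfo><Userid>TEST4</Userid>"
    "<Fname>Thomas</Fname><Lname>M\u00c3\u00bcller</Lname></UserInfo>"
    "</CreateRequest></soapenv:Body></soapenv:Envelope>"
)

# A UTF-8 multi-byte sequence that was decoded as Latin-1 shows up as a lead
# character in U+00C2..U+00EF followed by one or two characters in
# U+0080..U+00BF, for example "Ã¼" where "ü" was meant.
MOJIBAKE = re.compile("[\u00c2-\u00df][\u0080-\u00bf]|[\u00e0-\u00ef][\u0080-\u00bf]{2}")


def format_xml(one_line: str) -> str:
    """The 'Format XML' step: pretty-print the single-line envelope."""
    return minidom.parseString(one_line).toprettyxml(indent="  ")


def find_mojibake(text: str) -> list:
    """Return the mis-encoded sequences found in the text."""
    return [m.group(0) for m in MOJIBAKE.finditer(text)]


def repair_mojibake(text: str) -> str:
    """Reverse the fault: re-encode each sequence as Latin-1, decode as UTF-8."""
    def fix(m):
        try:
            return m.group(0).encode("latin-1").decode("utf-8")
        except UnicodeDecodeError:
            return m.group(0)          # not a valid UTF-8 sequence, leave it
    return MOJIBAKE.sub(fix, text)


def ascii_fallback(text: str) -> str:
    """The workaround used in the post: drop the diacritic ("ü" -> "u")."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def build_request(url: str, body: str, user: str, password: str,
                  soap_action: str = "") -> urllib.request.Request:
    """HTTP POST carrying the envelope with HTTP Basic logon data, which is
    what soapUI sends when the green arrow is clicked."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", 'text/xml; charset="utf-8"')
    req.add_header("SOAPAction", soap_action)
    req.add_header("Authorization", "Basic " + token)
    return req


if __name__ == "__main__":
    pretty = format_xml(SAMPLE_REQUEST)
    print(pretty)
    print("suspicious sequences:", find_mojibake(pretty))
    fixed = repair_mojibake(pretty)
    # Hypothetical endpoint; take the real one from the WSDL's service address.
    req = build_request("https://grc.example.invalid/ws/create-request",
                        fixed, "IDM_WS_USER", "secret")
    # To resubmit for real: urllib.request.urlopen(req, timeout=30).read()
```

The sample request is constructed; on a real system read the envelope from the VDS log and send it with urllib.request.urlopen(req). Prefer the repaired request over ascii_fallback when the target can store the umlaut correctly, since the fallback changes the person's name.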

                   

                  Summary

This post gives some insight into how IdM communicates with GRC, how the web service calls are encapsulated by IdM and the VDS, how you can get more information about what actually happens on the web service channel, and how to debug it.

                  Creation & Transport of Business Roles and its assignments

This is my first blog on IdM, and at the outset I would like to thank the members of the SCN IdM community for their support with various questions.

In this blog I explain how I created and transported Business Roles and their privilege assignments from DEV to QA. The Transport Tool copies the configuration: repositories, tasks, jobs and so on. It does not copy the Business Roles and Privileges from DEV to QA, since these are entries in the identity store rather than configuration. This came as a surprise initially, but later I understood the reasoning.

I have tried to keep it basic so that beginners can follow. In most projects there is an Excel sheet with the list of Business Roles and Privileges; I used this as my source.

Upload of Business Roles

Create a flat file with the Business Role name and its description, as below.
Create an empty job with two passes: the first, "Read Business Roles From File", of type "From ASCII File", and the second, "Add the Business Roles to Identity Store", of type "To Identity Store".
In the "Read Business Roles From File" pass, point the repository to a newly created FILE repository.
In the FILE repository, under constants, create one called FILENAME_1 with the path of the file on the IdM server. The delimiter is ',' and the file has a header line.
In the Destination, select the Identity Center from the context menu and provide a temporary table name, "read_roles". Maintain the column names (from the input file header) under Target as shown below.
Executing this pass pulls the records from the flat file into the temporary table. Notice the table setting "Delete table before loading".

Maintain the next pass, "Add the Business Roles to Identity Store", as shown below. Select the database (the Identity Center) from the context menu and issue an SQL statement that reads all records from the temporary table created in the previous step.
In the Destination tab, select entry type "MX_ROLE", since we are creating roles. Maintain the attribute list as shown below. MSKEYVALUE refers to the role name from the file.
changeType can be add, modify or delete. In our case it is "add", since we are creating the role.

Save all your changes, navigate to the job and click "Run now" as shown below. This runs both passes and creates the Business Roles from the flat file.
Navigate to the IdM UI and search for these roles.
                  Assignment of Privileges to Business Roles


Now that the Business Roles exist, assign Privileges to them. Make sure an initial load job has been executed first: only after that do the backend roles appear as Privileges in IdM.

Create an input file as shown below. It consists of the Business Role name and the Privilege name.
Create an empty job with two passes, again a "From ASCII File" pass followed by a "To Identity Store" pass, like the ones created above.
Maintain the pass "Read assignments from File" and point it to the FILE repository.

(Screenshot: 15.jpg)

Create a constant FILENAME_2 in the FILE repository with the file location and refer to it as shown below.
Maintain the attribute list as below, providing the temporary table name "assign_privs".
For the pass "Add the assignments to Identity Store", issue an SQL statement that selects all records from the assign_privs table.
In the destination tab, set changeType to modify, since we are modifying an existing Business Role. For the attribute MXMEMBER_MX_PRIVILEGE, provide the field name enclosed in < >. By default this attribute expects the privilege's entry number (MSKEY); since we only have the privilege name, the < > tells IdM to resolve the name (MSKEYVALUE) to the MSKEY.
Save the changes and run the job.

(Screenshot: 16.jpg)

After the job has run, navigate to the IdM UI to see the changes.
With these steps, the Business Roles are created and the assignments made in the DEV system.

Once the transports are imported into the QA system, run an initial load job there to bring in the Privileges from the backend system. After that, run the same job with the same input files in QA to create the Business Roles and assign the Privileges to them.
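Before running the two jobs it pays to validate the input files, because a role referenced in the assignment file that is not in the role file, or a privilege the initial load has not created, only shows up once the "To Identity Store" pass runs. The following added example (not code from the original post or from SAP) does that check; the column headers, the sample rows and the list of known privileges are constructed for the example.

```python
"""Pre-flight check for the two flat files used by the jobs above: the
business role file (name, description) and the assignment file (role,
privilege). Added example, not part of the original post; headers and sample
data are constructed."""
import csv
import io

# Constructed input files: comma-delimited with a header line, as the FILE
# repository expects. The second role row and the last two assignment rows
# contain deliberate faults.
ROLES_FILE = """ROLE,DESCRIPTION
Z_BR_AP_CLERK,Accounts Payable clerk
Z_BR_AP_CLERK,Accounts Payable clerk (duplicate)
Z_BR_HR_VIEWER,HR display access
"""

ASSIGNMENTS_FILE = """ROLE,PRIVILEGE
Z_BR_AP_CLERK,PRIV:ROLE:ECC:Z_AP_DISPLAY
Z_BR_AP_CLERK,PRIV:ROLE:ECC:Z_AP_POST
Z_BR_HR_VIEWER,PRIV:ROLE:ECC:Z_HR_DISPLAY
Z_BR_SALES,PRIV:ROLE:ECC:Z_SD_DISPLAY
Z_BR_HR_VIEWER,PRIV:ROLE:ECC:Z_HR_CHANGE
"""

# Stand-in for the privileges the initial load created in this identity
# store. On a real system export these from the IdM UI or the database.
KNOWN_PRIVILEGES = {
    "PRIV:ROLE:ECC:Z_AP_DISPLAY",
    "PRIV:ROLE:ECC:Z_AP_POST",
    "PRIV:ROLE:ECC:Z_HR_DISPLAY",
    "PRIV:ROLE:ECC:Z_SD_DISPLAY",
}


def read_rows(text: str, required: tuple) -> list:
    """Parse a delimited file with a header line; fail fast on a bad header."""
    reader = csv.DictReader(io.StringIO(text), delimiter=",")
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"header is missing column(s): {missing}")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def check_roles(rows: list) -> list:
    """Empty or duplicate role names; line numbers count the header as 1."""
    errors, seen = [], set()
    for n, row in enumerate(rows, start=2):
        name = row["ROLE"]
        if not name:
            errors.append(f"roles line {n}: empty role name")
        elif name in seen:
            errors.append(f"roles line {n}: duplicate role {name}")
        seen.add(name)
    return errors


def check_assignments(rows: list, roles: set, privileges: set) -> list:
    """Every assignment must name a role from the role file and a privilege
    that already exists in the identity store."""
    errors = []
    for n, row in enumerate(rows, start=2):
        if row["ROLE"] not in roles:
            errors.append(f"assignments line {n}: unknown role {row['ROLE']}")
        if row["PRIVILEGE"] not in privileges:
            errors.append(f"assignments line {n}: privilege {row['PRIVILEGE']} "
                          "not in the identity store (initial load missing?)")
    return errors


def reference_value(name: str) -> str:
    """Value the pass passes for a reference attribute when it has the name
    (MSKEYVALUE) rather than the MSKEY: the name in angle brackets."""
    return f"<{name}>"


def preflight(roles_text: str, assignments_text: str, privileges: set) -> list:
    roles = read_rows(roles_text, ("ROLE", "DESCRIPTION"))
    assigns = read_rows(assignments_text, ("ROLE", "PRIVILEGE"))
    role_names = {r["ROLE"] for r in roles if r["ROLE"]}
    return check_roles(roles) + check_assignments(assigns, role_names, privileges)


if __name__ == "__main__":
    for problem in preflight(ROLES_FILE, ASSIGNMENTS_FILE, KNOWN_PRIVILEGES):
        print(problem)
```

Run against the real files with the privilege list exported after the initial load; an empty result means both passes can be started. reference_value shows the runtime form of the MXMEMBER_MX_PRIVILEGE value that the < > notation in the pass produces.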

                   

                   

                  Hope you found this informative.

                  Copy User Roles and Privileges to a new user

I have seen many people asking how to copy a user's roles and privileges to a new user. In AS ABAP systems this can be done with transaction SU01, and AS Java systems offer it too. It is common practice at many clients that when a new starter joins the organization, the security team takes a reference user and creates a copy of that user. Here is how I achieved this in IdM.

Navigate to Attributes and create a new one called "Z_REFERENCE_USER".
Maintain each of the tabs as shown below. In the "Storage" tab, set the following values:

                  Data type = Entry Reference

Reference Entry Type = MX_PERSON
In the "Presentation" tab, set Presentation to "Referral". This gives you two buttons next to the field in the UI.
In the "Entry Types" tab, allow it to appear for MX_PERSON.
Create a new ordered task group with a task and a job, and attach a pass called "Copy Roles to a New User" of type "To Identity Store".
Below are the settings for the task group. Mark it as a UI task and ensure that it is enabled.
In the Attributes, select the entry type "MX_PERSON" and maintain the attributes as shown below. Notice that the new attribute "Z_REFERENCE_USER" is also selected.
Provide values for access control.
Maintain the presentation.
Below are the settings for the task under the task group.
Maintain the entry type as "MX_PERSON" under attributes.
Maintain the access controls.
Finally, let's look at the settings for the job under this task.
Under Scripts, create a new function called "getmskeyvalue".
The purpose of this function is to take an MSKEY as input and return the corresponding MSKEYVALUE. It is used in the pass discussed below.
The pass "Copy Roles to a new User" is maintained with the settings below. MX_PERSON is the source entry type.
In the destination tab, refer to MX_PERSON as the entry type and maintain the settings below.
Apply all the changes, navigate to the IdM UI and select a user who has Business Roles/Privileges. In my example the user is "TEST_PORTAL". Click on "Choose task"; in the pop-up you should find the new task "Copy Roles to New User". After selecting it, you see the screen below.
Notice the "Copy to User" field at the bottom. It refers to the new attribute "Z_REFERENCE_USER" created above. Click the "Select" button; a pop-up lets you search all users. In my case TEST4 is a new user without any roles or privileges, so I select TEST4.

The "Copy to User" field actually returns the MSKEY of the TEST4 user, hence the function to obtain the MSKEYVALUE.
To elaborate on the pass: at runtime MSKEYVALUE becomes "Test4" thanks to the custom function. changeType is modify, since we are modifying the identity Test4. To copy the selected user's roles and privileges, use %MXREF_MX_PRIVILEGE% and %MXREF_MX_ROLE% with the {A} operator in front, which indicates an addition.
You could add one more pass at the end that clears the attribute "Z_REFERENCE_USER", so that the previous value does not remain the next time the screen is opened. Keep in mind that cloning copies everything the reference user holds, including assignments they should no longer have, so keep the set of reference users reviewed and use the task's access control to limit who may run it.

                  IdM-GRC Manager Approvals

In an IdM 7.2 - GRC 10.0 integration, ideally all role assignments go to GRC-AC (Access Control) for risk analysis (SoD checks). A GRC admin evaluates each request and takes action accordingly: if there are no risks, the GRC admin approves the request and the roles are ultimately assigned to the user in the backend systems; if there are risks, the GRC admin either rejects the request or approves it after creating mitigation controls in GRC-AC.

Once the GRC provisioning framework is imported, it creates a new repository called GRC10. Among its constants is one called "GRC_MANAGER_ID". If you maintain a valid user ID there (one that exists in the GRC system), all user access requests from IdM go to this user in GRC. I do not think it is ideal to hard-code a GRC admin user ID, as people keep changing positions and jobs.

(Screenshot: 14.jpg)

The other option is to leave "GRC_MANAGER_ID" blank. The system then tries two things. It first looks for a manager assigned (in IdM) to the person requesting the roles; if a manager is maintained for the user, the request is forwarded to that manager's GRC inbox. I do not think this is a good approach, since not every manager knows how to do risk analysis in GRC, and moreover it is not their job function.

The next thing the system tries (if no manager is maintained for the person either) is the default manager setting in GRC-AC. I prefer this approach.

Below is the MSMP workflow configuration for access requests in GRC-AC. It needs to be activated for IdM requests to flow into GRC.
The standard agent "GRAC_MANAGER" is used by default in the "Maintain Path" step. This agent can be ignored and a custom agent created that refers to a backend role.
In the screen below, a custom agent is created of type "PFCG Roles" with agent purpose "Approval". This agent is linked in the "Maintain Path" stage.

(Screenshot: 4.jpg)

Z_SECURITY_TEAM is a backend PFCG role that needs to be assigned to the GRC administrators. All users holding this role can then see the user access requests and act on them. That makes the role itself security-critical: whoever can assign Z_SECURITY_TEAM can grant approval rights, so keep its assignment under the same control as the approvals it enables.


                  Transporting an IdM configuration - My experience

I would like to share my experience of a strange issue I ran into while transporting my IdM configuration, and detail the process in case someone needs it. We had initially installed IdM 7.2 SP3 on the source and target servers; at a later stage we had to upgrade to SP6 because of a requirement.


I used the Transport Tool to do a complete export of the configuration from the source, using the screen below. It is accessed from http://<hostname_source>:<port_source>/idm/admin

(Screenshot: 21.jpg)

I saved the XML configuration file in a folder on the source system.


I switched to the target system, navigated to the Transport Tool as shown below and used the Import Configuration option, providing the XML configuration file obtained from the source system. Make sure you hit both the "Check" and the "Import" button. The log entries show messages as the objects are copied.

(Screenshot: 22.jpg)

Global constants can be modified in the screen below; I did not need to, though.

(Screenshot: 23.jpg)

I had to modify the repository constants in the screen below, since the host names change.

(Screenshot: 24.jpg)

I saved the changes and opened the Identity Center on the target. Surprisingly, the web-enabled tasks in the target system had no layout attributes (Tab, Line, Section, Column etc.). The screen below shows the "Modify Identity" ordered task group.

(Screenshot: 25.jpg)

Whereas in my source system I could see them:

(Screenshot: 26.jpg)

SAP later suggested changing the timestamp of all tasks in the target system with a command against the target database and then re-importing the XML configuration:

update mxp_tasks set taskchanged='2012-04-14 00:00:00.000'

This forced an overwrite of all objects in the target system and the issue was resolved. Since this is a direct write to the Identity Center database, take a database backup before running it.


                  64 Bit Java issues with NW IDM 7.2

I was recently setting up a test system and, as part of that install, included Java 7: 64-bit Java for IDM and 32-bit for my other applications. I know some feel that SAP's Java is better, but I have always had a better experience with the Sun/Oracle version. In due course I installed Java, the database drivers and IDM. As is my usual practice, I generated the dispatchers and tried them in test mode. It is an easy way to check your dispatcher setup and can be used for troubleshooting jobs and workflows. Try it out sometime; it is a lot of fun.

So, typical of a new system install, nothing worked. When troubleshooting dispatcher startup problems, one of the first things I do is check my Java settings. Here is what I saw:

(Screenshot: Image 001.png)

The paths to java.exe and jvm.dll point to two different locations! How can this be? So I went and found the new location of jvm.dll.

(Screenshot: Image 002.png)

So I regenerated the dispatchers and tried again. Still no luck. I then downgraded to Java 6 Update 41 and went through the same steps again, making sure that jvm.dll pointed to the 64-bit server directory, like so:

(Screenshot: Image 003.png)

Once again I regenerated the dispatcher, and everything ran just fine.

                  Hope this saves you some time and trouble later on.
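The screenshots above show the symptom by eye. The following added example (not code from the original post or from SAP) does the same check programmatically: it reads the Machine field from the PE header of java.exe and jvm.dll, compares their bitness, and confirms that both paths belong to the same Java installation. The dispatcher paths and the minimal PE images are constructed for the example; on a real box the reader function is open(path, "rb").read.

```python
"""Check a dispatcher's Java settings: java.exe and jvm.dll must have the same
bitness and come from the same Java installation. Added example, not part of
the original post; paths and PE images below are constructed stubs."""
import struct
from pathlib import PureWindowsPath

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def pe_machine(image: bytes) -> str:
    """Return 'x86' or 'x64' from the IMAGE_FILE_HEADER Machine field."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_offset = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine = struct.unpack_from("<H", image, pe_offset + 4)[0]
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")


def java_root(java_exe: str) -> str:
    """<JRE>\\bin\\java.exe -> <JRE> (case-folded for comparison)."""
    return str(PureWindowsPath(java_exe).parents[1]).lower()


def jvm_root(jvm_dll: str) -> str:
    """<JRE>\\bin\\server\\jvm.dll (or \\client\\) -> <JRE>."""
    return str(PureWindowsPath(jvm_dll).parents[2]).lower()


def check_java_settings(java_exe: str, jvm_dll: str, read_file) -> list:
    """Return findings; an empty list means the pair is consistent.
    read_file(path) -> bytes is injected so the check also runs on stubs."""
    findings = []
    exe_bits = pe_machine(read_file(java_exe))
    dll_bits = pe_machine(read_file(jvm_dll))
    if exe_bits != dll_bits:
        findings.append(f"bitness mismatch: java.exe is {exe_bits}, jvm.dll is {dll_bits}")
    if java_root(java_exe) != jvm_root(jvm_dll):
        findings.append("java.exe and jvm.dll come from different Java installations")
    # Sun/Oracle 64-bit JREs ship only the server VM, so a 64-bit jvm.dll is
    # expected under bin\server.
    if dll_bits == "x64" and PureWindowsPath(jvm_dll).parent.name.lower() != "server":
        findings.append("64-bit jvm.dll is not under bin\\server")
    return findings


def stub_pe(machine: int) -> bytes:
    """Minimal image: DOS header with e_lfanew, then the PE signature and
    Machine field. Enough for pe_machine(), not a loadable binary."""
    header = bytearray(0x48)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", header, 0x44, machine)
    return bytes(header)


# Constructed dispatcher settings. The first pair reproduces the symptom in
# the post: java.exe from one installation, jvm.dll from another.
SAMPLE_FILES = {
    r"C:\Program Files\Java\jre7\bin\java.exe": stub_pe(0x8664),
    r"C:\Program Files (x86)\Java\jre7\bin\client\jvm.dll": stub_pe(0x014C),
    r"C:\Program Files\Java\jre6\bin\server\jvm.dll": stub_pe(0x8664),
    r"C:\Program Files\Java\jre7\bin\server\jvm.dll": stub_pe(0x8664),
}

if __name__ == "__main__":
    read = SAMPLE_FILES.__getitem__        # real box: lambda p: open(p, "rb").read()
    exe = r"C:\Program Files\Java\jre7\bin\java.exe"
    for dll in (p for p in SAMPLE_FILES if p.endswith("jvm.dll")):
        print(dll, "->", check_java_settings(exe, dll, read) or ["OK"])
```

Feed it the two paths from the dispatcher's Java settings; a non-empty result explains why the dispatcher fails to start before you regenerate it.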

                  Scripting IdM the Open Source Way [incl. VIDEO]

Dear IdM experts,

In this video (duration: 00:09:24) I demonstrate JavaScript development for SAP NetWeaver(R) Identity Management using a customized version of the popular open source editor GNU Emacs.

                  Working on a simple, yet realistic scripting use case, I show some nice features in action:

                  • Code completion anywhere for IdM built-in functions, view/table names, Identity Center attribute names and more
                  • Basic JavaScript syntax checks as you type and on request
                  • Automatic indentation as you type and on request re-indentation of your complete script
                  • Eclipse-like splitting up of strings into multi-line, concatenated strings by pressing Enter inside any string
                  • Minimal start-up time using Emacs client/server architecture

                   

In the hope that these customizations might be interesting or even useful to others, I have published them as open source under the terms of the GNU General Public License (GPL v3). The complete source code of all customizations and Emacs extensions required to get started with scripting as in the video is available on GitHub in the IDMacs repository.

If you want to try it out, just follow the installation instructions in the project's README file. It is reasonably easy to set up.

Happier scripting!

Lambert

                  Restricting access to Groups in IdM

Recently I came across an interesting question about how to deal with several companies or groups within an organization sharing the same identity store. In such cases there is a requirement to prevent users of different companies/groups from seeing each other's data.

Typically there is an administrator for Group A who manages the users and roles of Group A and must not be able to view or manage the details of Group B. To achieve this you need an attribute that distinguishes users and business roles. If you already have such an attribute in your system, it is the perfect candidate; if not, create one as below.

Let's take countries (say France and Germany) as the groups. Create a multivalue attribute called Country as shown below.

(Screenshot: 06.jpg)

Make sure it is selected for the entry types MX_PERSON and MX_ROLE.

(Screenshot: 07.jpg)

Now all users and roles have to be populated with the Country attribute. You can do this manually in the IdM UI (if there are few entries) or use a file upload to update users and roles. Usually a user belongs to one location, but a role may be reused across several locations; this is why I created Country as a multivalue attribute.

I added the Country attribute to the Change Business Role UI task and entered both countries as values for this role, since it is common to all groups.

(Screenshot: 08.jpg)

After the data is maintained, navigate to the entry type MX_PERSON and maintain the Access Limitations section. Repeat the same for MX_ROLE.

(Screenshot: 09.jpg)

Navigate to the IdM UI and log in as the Group A administrator. Under the Manage tab you should only see users/roles belonging to Group A. Both administrators, however, can see the business role Accounts Payable, since it carries both countries.

                  In this way you could restrict access within different groups. Hope you found this information useful.

                  Entry Trace

Very often we need to trace how a particular process is executed. It can take considerable effort to go through the standard tasks delivered by SAP to understand which tasks are called and which SQL statements are issued at the various stages. I would like to show how easy it is to set up tracing on entry objects and obtain a lot of information about what is processed within IdM. This option is available as of IdM 7.2.

Navigate to http://<hostname_source>:<port_source>/idm/admin and, under the "Trace" tab, provide the entry to trace. You can give either the MSKEY or the MSKEYVALUE enclosed in < >, as shown below. This is the same as setting the global constant MX_TRACE_ENTRY in the Identity Center.

(Screenshot: 01.jpg)

I put a trace on user 8995555 and navigate to the Change Identity task UI to modify the Department, Building Code and Floor attributes and save the details.

(Screenshot: 02.jpg)

Navigate back to the Trace screen and click the "Refresh" button. This brings up a long list as shown below. Notice that the modified attributes are displayed along with their values: the trace output contains whatever data was maintained on the entry, so treat it accordingly and remove the trace entry once you are done.

(Screenshot: 03.jpg)

Click the link "Download trace (as CSV)". This gives more flexibility to filter by component. Since I selected the checkbox "Enable Trace from Runtime components", messages from the dispatcher and DSE components are included as well. In the screens below you can see the execution flow: the sequence in which the tasks were called, the messages at each step, and the SQL statements and stored procedures that were executed.

(Screenshot: 05.jpg)
(Screenshot: 04.jpg)

                  There is also a good wiki post by Christopher Leonard on the different tracing options available in IdM - http://wiki.sdn.sap.com/wiki/display/Security/Tracing+in+IDM
