Channel: SAP Identity Management

Error while trying to insert new line in Initial load job- Source Tab


Hello Folks,

 

I was getting an error whenever I tried to insert a new line (to add a filter) in the source tab of Initial load jobs.

 

After the error I was unable to do anything in the SAP IDM MC, and was only able to work again after closing and reopening the MC.

 

I was facing this issue again and again whenever I tried to insert a new line (to add a filter) in the source tab of Initial load jobs.

After some searching I found that this issue is due to the time-zone difference between the IDM MC server and the IDM database server.

 

I requested the DBA to change the time zone of the IDM database server to match the IDM MC server, and the issue has been resolved.

 

Hope it helps someone who is getting a similar issue.

 

Version - SAP IDM 7.2

 

Screenshot1.png

 

Screenshot2.png

 

Thanks & Regards,

 

C Kumar


Batman PRIVs or Why PRIVs Hide in the Shadows


I recently started a new project and one of the first things I ran into was privileges assigned to a user that weren't showing up in the UI. When you did a search of their complete record in the Identity Store, their MSKEYs were listed on the user's record, but you couldn't see them in the UI.

 

Having never encountered this before, I went into investigative mode. I'm the kind of person where unanswered questions bore holes in my brain so, I had to know what was happening here! In short, as it turns out, these PRIVs were inherited from someplace else and the parent was removed but, for whatever reason, the child remained; they were orphans, like Batman. So now, they hide in the shadows, granting their users the rights they shouldn't have but still do because of this failed removal process.

 

Why doesn't the UI show these PRIVs? The user still has them even though he/she shouldn't. Shouldn't they at least still show up, even with some kind of status marking them as orphans? Apparently, when deciding which PRIVs to show on a user's record, the UI looks at two columns of the IDMV_LINK_EXT view, mcAssignedDirect and mcAssignedInheritCount. If both of those columns are less than or equal to 0, the mcOrphan column is set to 1 and the PRIV stops being shown in the UI. Here's a screenshot to show what I'm talking about:

 

File Apr 28, 9 16 44 AM.png

 

So if you're ever in a spot where the UI isn't showing PRIVs that your user clearly has, this might be why. The clean up? Well, that's up to you to figure out. 
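As an added example (not from the original post), the following reconciliation queries list the assignments the UI hides and cross-check the orphan rule described above. Only mcAssignedDirect, mcAssignedInheritCount and mcOrphan come from the post; the other column names (mcThisMSKEY, mcOtherMSKEY, mcThisMSKEYVALUE, mcOtherMSKEYVALUE, mcOtherOcName) are assumed from the standard IDMV_LINK_EXT layout and may need adjusting to your release.

```sql
-- Added example: find privilege assignments that the IDM UI hides as orphans.
-- IDMV_LINK_EXT and the columns mcAssignedDirect, mcAssignedInheritCount and
-- mcOrphan are the ones described in the post; the remaining column names are
-- assumed (standard IDMV_LINK_EXT layout) and may differ in your release.

-- 1. Every assignment the UI currently hides, with user and privilege names,
--    so an auditor can confirm whether the user should still hold the right.
SELECT l.mcThisMSKEYVALUE        AS user_mskeyvalue,
       l.mcOtherMSKEYVALUE       AS priv_mskeyvalue,
       l.mcAssignedDirect,
       l.mcAssignedInheritCount,
       l.mcOrphan
  FROM IDMV_LINK_EXT l
 WHERE l.mcOtherOcName = 'MX_PRIVILEGE'
   AND l.mcOrphan = 1
 ORDER BY l.mcThisMSKEYVALUE, l.mcOtherMSKEYVALUE;

-- 2. Recompute the orphan rule from the post (both counters <= 0) and flag
--    rows where the stored mcOrphan disagrees. Any hit means the view's own
--    bookkeeping is inconsistent, not merely that a parent removal failed.
SELECT l.mcThisMSKEY,
       l.mcOtherMSKEY,
       l.mcOrphan                 AS stored_orphan,
       CASE WHEN COALESCE(l.mcAssignedDirect, 0) <= 0
             AND COALESCE(l.mcAssignedInheritCount, 0) <= 0
            THEN 1 ELSE 0 END     AS computed_orphan
  FROM IDMV_LINK_EXT l
 WHERE l.mcOtherOcName = 'MX_PRIVILEGE'
   AND l.mcOrphan <> CASE WHEN COALESCE(l.mcAssignedDirect, 0) <= 0
                           AND COALESCE(l.mcAssignedInheritCount, 0) <= 0
                          THEN 1 ELSE 0 END;

-- 3. Summary per privilege: how many users still hold each hidden right.
--    This is the number to look at before deciding how to clean up.
SELECT l.mcOtherMSKEYVALUE AS priv_mskeyvalue,
       COUNT(*)            AS hidden_holders
  FROM IDMV_LINK_EXT l
 WHERE l.mcOtherOcName = 'MX_PRIVILEGE'
   AND l.mcOrphan = 1
 GROUP BY l.mcOtherMSKEYVALUE
 ORDER BY hidden_holders DESC;
```

Run these read-only against the identity store database; the first query is the one to schedule as a recurring check, since a non-empty result means users hold rights that no approval path currently explains.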

Customer Engagement Initiative on extending SAP Identity Management connectivity


SAP has several channels through which customers can influence what we are building. Find an overview here.

We will be starting a new Customer Engagement Initiative on SAP Identity Management connectivity. We are developing an SAP Cloud Identity (SCI) connector with the idea that it will provide further connectivity to cloud applications like Ariba, SAP Cloud For Customers and more cloud applications in the future. We want to prioritize and adjust the capabilities of the IdM-SCI connector based on the feedback and needs of more customer scenarios.

At the same time we want to generalize how connectors for SAP IdM are developed. We are working to enable customers and partners to build their own connectors more easily, as there are a lot of systems for which there are no existing connectors from SAP IdM, and customers either look for partners or start developing connectors on their own.

On the one hand we want to validate the needs and scenarios of how existing and future SAP Identity Management customers will use the SAP Cloud Identity connector, and on the other hand we want to validate the approaches and the content.

You can read more and register for the initial call here.

 

I know that some of you already expressed your desire to participate in preliminary talks some time ago.

If you wish to participate you will be contacted to sign a feedback agreement.

Extending the maintenance period for SAP Identity Management 7.2


This short article is to notify customers and partners that the maintenance period of SAP Identity Management 7.2 will be extended by 1 year.

The new End of Mainstream Maintenance date will be 31.12.2018, so you can plan accordingly.

Here is a link to the Product Availability Matrix.

Installing the SAP BusinessObjects Connector


This post will explain how to install the SAP IDM connector for SAP BusinessObjects BI Platform. I'll guide you through the installation step-by-step on SAP IDM 7.2 with SAP BusinessObjects BI Platform 4.2.

 

 

Introducing SAP BusinessObjects

 

SAP BusinessObjects BI Platform has numerous options for integrating external user stores, such as Active Directory, LDAP or SAP. In the past, using one of these options was the only way to integrate BI platform into SAP IDM. With AD, for example, IDM provisioned AD users and groups, and BI platform used those users and groups from AD.

 

However, BI platform also has so-called Enterprise users and groups directly in its own database. Managing Enterprise users and groups from SAP IDM, however, used to be a functional white space in the past. The new open source connector for SAP BusinessObjects closes this gap. It's licensed under the Apache license, version 2.0, with full source code available on GitHub. The latest version ships for IDM 7.2, but implementation on IDM 8.0 is already available on a project basis.

 

 

Download and install SAP BI platform Java SDK

 

The connector is built upon SAP's BI platform Java SDK, so you'll need to get that from the SAP support portal (S-User required). Browse downloads by category and navigate to:

 

ANALYTICS SOLUTIONS
    / SBOP BUSINESS INTELLIGENCE PLATFORM (SBOP ENTERPRISE)
        / SBOP BI PLATFORM (ENTERPRISE)
            / SBOP BI PLATFORM 4.2
                / SBOP BI PLATFORM 4.2 SP02 CLIENT TOOLS WINDOWS (32B)

 

Select the SDK version that matches your BI platform server release.

 

The client tools download is large (~2GB), with only a small fraction relevant for IDM. To keep the connector's installation footprint as small as possible, I recommend not installing it on SAP IDM directly. If you can, install it on a separate Windows 7/8/10 machine or VM, which I'll refer to as the "client tools machine". During install, deselect everything except "SAP BusinessObjects BI platform Java SDK":

bobj_client_tools_select_features.png

After installation is complete, create a new directory for the SDK JARs on the SAP IDM runtime. I'll assume you'll use C:\IDM_BOBJ_LIBS on the SAP IDM runtime.

 

Copy the files below from C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib on the client tools machine to C:\IDM_BOBJ_LIBS on the SAP IDM runtime machine:


    aspectjrt.jar
    bcm.jar
    ceaspect.jar
    cecore.jar
    celib.jar
    cesession.jar
    corbaidl.jar
    cryptojFIPS.jar
    ebus405.jar
    log4j.jar
    logging.jar
    TraceLog.jar

 

That's it for the client tools machine. All remaining steps will be performed on the SAP IDM runtime.

 

Add SDK JARs to SAP IDM dispatcher classpath

 

To make the SDK JARs visible from SAP IDM, add them to the dispatcher's Java classpath. In the Identity Center Designtime 7.2 (MMC), you can add a classpath extension via Tools -> Options -> Java. Add all files listed above.

 

bobj_classpath_extension.png

 

bobj_classpath_select_jars.png

 

After saving your changes, regenerate the dispatcher scripts and restart all dispatchers. If you need to do this without the help of the MMC, edit the DSECLASSPATH property in the dispatcher service property files.

 

 

Download and unpack SAP IDM connector

 

Download the latest stable connector release from https://github.com/foxysoft/idm-connector-bobj/releases/latest.

 

Unzip idm-connector-bobj-<VERSION>.zip into a directory on the SAP IDM runtime. I'll assume you'll use C:\IDM_BOBJ_INSTALL.

 

Import SAP IDM global scripts and provisioning tasks

 

Import the connector's global scripts from SAP BOBJ 4.2 Global Scripts.mcc

bobj_global_scripts_import.png

bobj_select_global_scripts_mcc.png

Next, import the connector's provisioning tasks from SAP BOBJ 4.2 Tasks.mcc into the SAP Master identity store ("Enterprise people", by default).

 

This import will create a new provisioning group "SAP BOBJ 4.2 Connector" underneath the folder you're importing into. Choose whatever parent folder fits your content structure best. I'll assume you'll use the top level "Provisioning folder".

bobj_import_into_sap_master_ids.png

bobj_select_tasks_mcc.png

Under advanced import options, make sure to check "Map source dispatchers to target dispatchers" and "Run jobs" for at least one of your dispatchers.

bobj_import_tasks_adv_options.png

 

Import SAP IDM repository and initial load job

 

Create a new SAP IDM repository from the template SAP BOBJ 4.2 Repository.rtt. Specify a repository name and the connection details of the SAP BusinessObjects Central Management Server (CMS). I'll use BOE as repository name and Administrator as login user. Using a suitable technical user would be more advisable, but that's a topic for a separate article.

 

bobj_repository_name.png

 

bobj_repository_details.png

 

If you have access to the BusinessObjects Central Management Console (CMC), you can look up the appropriate Host name of CMS and Name Server Port under "Servers" => "<yourhostname>.CentralManagementServer", and then "Properties" => "Common Settings".

 

 

bobj_cmc_cms.png

 

bobj_cms_props_common_settings.png

 

You're ready to import the BusinessObjects initial load job now. Choose a suitable job folder, then run the job wizard and use the SAP BOBJ 4.2 Initial Load.dst template:

bobj_run_job_wizard.png

bobj_select_job_template.png

When prompted for a repository, select BOE and finish. Verify that the job has really been created with the repository assigned; if not, add BOE again manually.

 

bobj_select_job_repository.png

bobj_job_saved.png

 

Execute initial load and finalize repository configuration

 

Verify that the initial load job is enabled and has a dispatcher assigned. If all is OK, start it using "Run Now". This should take less than 5 minutes to complete for BusinessObjects systems with <1K users and groups.

 

The job will create one-to-one MX_GROUP and MX_PRIVILEGE pairs in SAP IDM for every BusinessObjects Enterprise group. Like with AD or portal integration, you can assign either of these to MX_PERSON or MX_ROLE. For more background on the group/privilege topic, I recommend Ivar Ness' excellent article and the Group Concepts section of the SAP IDM System Landscape Configuration Guide.

 

Note that this initial load doesn't create new MX_PERSONs in SAP IDM, but only adds account information to existing ones whose MSKEYVALUE equals a BusinessObjects Enterprise user's login.

 

Verify BusinessObjects Enterprise groups have been loaded as expected in the IDM web UI:

bobj_result_privs.png

 

 

Finally, complete BOE's repository configuration by entering PRIV:BOE:ONLY as master privilege:

bobj_repository_master_priv.png

 

 

That's it. Happy provisioning!

PRIVs Not Showing Up in SAP Systems, IDM Shows OK Status


I have a project I’m working on right now where the system is attempting to provision to an SAP repository before the user’s account is created. When this happens, you’d think that IDM would show a “Failed” status next to the privilege in question, but it’s showing an “OK” status instead. This originally led us to believe that IDM was provisioning to the target system but the SAP function was somehow dropping the request without issuing an error to IDM. When we looked at the change documents on the user’s account, we’d see the privilege wasn’t present and there was no history of the privilege ever being present, so the research would support faulty handling on the SAP side.

 

The user’s account privilege and the access privileges were being assigned at the same time so at some point in the provision queue, the assignment of the rights went through before the account privilege which creates the account. Thus, we have an account with no privileges assigned but the PRIVs on the IDM side show, “OK”. How do we fix this?

 

Two things can be done here. First, you could use the MX_REQ_PRIV constant. This is an undocumented constant, so you're welcome. This can be placed as an attribute on the privileges themselves or as a repository constant. Either way, the value should be the MSKEY of the PRIV:$rep.name:ONLY privilege. In theory, you could put any privilege a user must have before they can be provisioned to the target repository. If you want to get creative and use it that way for some other custom work you’re doing, have at it. Whatever repository-level add task you have assigned will NOT fire until the user has this required privilege! This is important to note, because if you’ve inserted something custom in your provisioning framework, those tasks will never be reached until your user has this required privilege.

 

Second, if you’re assigning a system privilege to a user who doesn’t have an account in that target repository, you might just be assuming you also want the account privilege assigned so the user is created. Write a task to do this and then use the repository constant MX_REQ_PRIV_NOMASTER_TASK, assuming you don’t have a master task assigned at the privilege level, then set the PRIV:$rep.name:ONLY as the master privilege for this repository. The system will check for a master task at the privilege first. If there’s nothing there, this task you created will assign the account privilege and you’re in business. This occurs before the MX_REQ_PRIV constant is checked as well, FYI. Lastly, this task is executed on a timed basis, not at the moment a privilege is assigned to a user in this repository. Any assignments to this repository will queue up and when the timed interval is reached, anything in that proverbial queue will run through the task.

 

I tried to describe this as clearly as possible but I realize some might not follow. Please let me know if you have any questions and perhaps suggestions on how to improve my writing. As always, likes and ratings of this post are appreciated as they just help me get better at blogging! Happy trails y’all!

New Release Highlights: SAP Identity Management 8.0 SP3


Our SP3 release of SAP Identity Management 8.0 is already available in the software center.

The essential news in this release is:

  • New connector with SAP Cloud Identity service to enable hybrid scenarios
  • SAP IdM Development Studio works with Eclipse Neon
  • Implemented feedback from customers and fixed issues in:
    • Upgrade from 7.2
    • Development Studio (Eclipse Plug-Ins)

 

The lab preview we showed at TechEd last year was the provisioning from SAP Identity Management 8.0 to SAP Cloud Identity service. By integrating with SAP Cloud Identity service, SAP Identity Management 8.0 will also be able to manage identities for cloud solutions in the future.

The connector is REST-based. As a first version, it supports:

  • Bulk loading users (Initial load) and their attributes to and from SAP Cloud Identity service
  • Creating users on the target system
  • Setting a productive password for a user

SCIConnector1.png

These are the usual constants to be configured, and the package content is:

SCIConnector2.png

 

Through this integration, a user who is provisioned to the cloud can benefit from a single sign-on experience with their HANA Cloud applications, or with other applications that have configured trust with the SAP cloud identity provider, which is available out of the box as part of the identity authentication service.

 

SAP IdM Development Studio now works with Eclipse Neon. Neon requires Java 1.8 and there are some points to take care of; I'll share my experience in a separate short blog.


There are some improvements in the lab phase which include readiness for easier installation and enablement for Rapid Deployment Solution for IdM 8.0, which we hope to announce soon. Stay tuned for the coming release of RDS 8.0.

 

Also I'm preparing an upgrade of the ADM920 Identity Management 8.0 training environment to SP3 version.


Transforming SAP IDM Data


Data! Data! Data! I can’t make bricks without clay!

-Sir Arthur Conan Doyle

 

One of the issues that new administrators of IDM need to face is understanding how data is organized in the identity store.

 

Certainly an administrator can look at the Schema Document and get an idea of what the attributes are. Or you can look at the IDM online help to get an idea of how to use views to access identity store information. Even better, you might review Per Krabsetsve's great blog entry on IDM SQL Basics #1: Queries against the Identity Store, which will really tell you quite a bit about what's in the various IDM tables and views.


However, what we are not really told about is how to arrange the data in such a way that it is usable by relational database tools. At this point you might be wondering, aren't we using SQL Server, Oracle, DB2, or Sybase? Well yes, you are, but the data is not quite arranged in a typical relational manner. The IDM database stores information that is "pivoted", which provides a way to facilitate the many-to-many relationships that occur within the Identity Store.

 

For example, consider the following:

blog1.png


We see a listing that runs up and down, identifying all of the information for the entry attribute by attribute, and we differentiate between entries based on a unique identifier, which we know as the MSKEY. This is great, since by combining MSKEY and ATTRNAME, SQL queries can identify any attribute for any user. Cool. Except when we want to represent this data in another application.


There are a couple of ways that we can make this happen. One would be to use a ToAscii pass, which would allow for the creation of a CSV file that could be processed in any number of ways. However, a more elegant way would be to use a SQL query, which would let us place the data nice and neat into a database. I've done this before to make the data more easily accessed by applications such as VDS. Consider this query:

blog2.png

When we use this slightly more advanced query, we can "pivot" the information back into a format that is more familiar.  Now the data can be easily consumed by BI tools, VDS, or other database applications.
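The query in the screenshot above is not reproduced here; what follows is an added example of the same "pivot back" technique, written for this post and not taken from it. It assumes the identity store view IDMV_VALUE_BASIC with the columns MSKEY, ATTRNAME and AVALUE and the usual MX_PERSON attribute names, and it uses conditional aggregation rather than a vendor-specific PIVOT clause so the same statement runs on both SQL Server and Oracle.

```sql
-- Added example (not the query from the post's screenshot): pivot the
-- one-attribute-per-row layout of the identity store into one row per entry.
-- Assumptions: the view IDMV_VALUE_BASIC exposes MSKEY, ATTRNAME and AVALUE,
-- and the attribute names below are the usual MX_PERSON ones. Adjust both to
-- your schema if they differ.
--
-- Conditional aggregation (MAX over a CASE) is used instead of PIVOT so the
-- statement is identical on SQL Server and Oracle.

SELECT v.MSKEY,
       MAX(CASE WHEN v.ATTRNAME = 'MSKEYVALUE'      THEN v.AVALUE END) AS MSKEYVALUE,
       MAX(CASE WHEN v.ATTRNAME = 'DISPLAYNAME'     THEN v.AVALUE END) AS DISPLAYNAME,
       MAX(CASE WHEN v.ATTRNAME = 'MX_FIRSTNAME'    THEN v.AVALUE END) AS FIRSTNAME,
       MAX(CASE WHEN v.ATTRNAME = 'MX_LASTNAME'     THEN v.AVALUE END) AS LASTNAME,
       MAX(CASE WHEN v.ATTRNAME = 'MX_MAIL_PRIMARY' THEN v.AVALUE END) AS MAIL,
       MAX(CASE WHEN v.ATTRNAME = 'MX_ENTRYTYPE'    THEN v.AVALUE END) AS ENTRYTYPE,
       -- Multi-valued attributes (privilege references) cannot be folded into
       -- one column with MAX without silently dropping values, so count them
       -- instead; the pivot still yields exactly one row per MSKEY.
       SUM(CASE WHEN v.ATTRNAME = 'MXREF_MX_PRIVILEGE' THEN 1 ELSE 0 END) AS PRIV_COUNT
  FROM IDMV_VALUE_BASIC v
 WHERE v.MSKEY IN (SELECT p.MSKEY
                     FROM IDMV_VALUE_BASIC p
                    WHERE p.ATTRNAME = 'MX_ENTRYTYPE'
                      AND p.AVALUE   = 'MX_PERSON')
 GROUP BY v.MSKEY
 ORDER BY v.MSKEY;
```

To expose the result to VDS or a BI tool, wrap the SELECT (without the ORDER BY) in a CREATE VIEW so consumers see a flat table while the underlying store keeps its pivoted layout.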


I've used this query on SQL Server and Oracle with no issues or conversions needed. I hope it is something that is of use to you all!


SAP Identity Management 8.0 SP3 - Installation with Eclipse Neon


I have promised to write a short article on IdM installation in particular with Eclipse Neon, which might be useful to some of you.

Neon.png

The reason is that recently an IDMer was puzzled when he tried to install all IdM components on one single machine and experienced some challenges in his case.

 

I was following the installation steps and it was going smoothly until the step when I had to install Eclipse Neon.

First it complained, with my existing Java 1.7, that it needs Java 1.8, so I installed it.

Continuing with the next step, the IdM installer started to complain and could not run.

I was following the installation procedure, which is supposed to run also in a distributed environment. Moreover, as a single machine is a simpler case, it is supposed to work too.

Normally you can have multiple JVMs on one machine and this should not be a problem, so I had to dig around and found that the Java 8 installation was writing the following to the Windows registry:

HKEY_LOCAL_MACHINE/SOFTWARE/JavaSoft/Java Runtime Environment/Current Version =1.8

I changed this value to 1.7 and then the installation procedure could run happily.

Later I tried to reproduce this once more, installing Java 1.8 to provide some screenshots for this blog, and the new installation did not create an entry in the Windows registry under HKEY_LOCAL_MACHINE/SOFTWARE/JavaSoft/. The strange thing is that earlier I installed jre1.8.0_102 while now it is jre1.8.0_101, not vice versa, as one might expect.

 

Then I needed to upgrade the IdM training environment with Eclipse Neon and IdM 8.0 SP3.

Therefore, I decided to reuse my previous observation and, instead of running the Java 1.8 installer, I copied the Java installation folder from my previous attempt to my machine; when it came to the step where Eclipse needed Java 1.8, I simply pointed it to the 1.8 folder. The rest of the installation process then uses the existing Java 1.7 version as usual and goes smoothly, and IdM Development Studio works as expected with Neon.

Hope this helps.

SAP Identity Management at SAP TechEd 2016 in Las Vegas, Bangalore and Barcelona


This year, in the next weeks and months, we will have the three TechEd 2016 editions:

  • Las Vegas – this year is earlier, from 19-13 Sept – you can book sessions and Hands-On Workshop reservations now
  • Bangalore 5-7 Oct – you can browse the session offerings
  • Barcelona 8-10 Nov

In the security track (SEC) we have included several SAP Identity Management sessions.

As usual, you will see the SAP Identity Management roadmap (SEC824) session, where we will talk about the future plans and would be glad to hear your questions and opinions.

 

We decided that this year we would offer a lecture, SAP Identity Management for Beginners (SEC100), which is targeted at people who have no experience with IDM and want to start learning:

  • how to manage corporate identities and their accounts centrally in heterogeneous system landscapes.
  • how authorization management can be done based on business roles, employee and manager self-services, and associated workflows.
  • how to ensure compliance checks in combination with SAP Access Control.

 

There will be a hands-on exercise, Get SAP Identity Management Running in no Time (SEC260), where attendees will learn how to connect systems and applications to the identity management solution using out-of-the-box connectors, and how to configure workflows and self-services.

For experienced people, like many of you, as an additional path in this hands-on session we will introduce the new connector framework for creating custom-built connectors, and you will be able to create a connector from scratch during those 2 hours.

 

And there will be a short code review session, Do your SAP Identity Management installation right (SEC726). Installation scripts at a lot of customers leave room for issues and mistakes. Were the scripts and procedures to install all mandatory components correct? Did you run them all? Was the required initial configuration done? We will show how to do this with Software Provisioning Manager, and in a few minutes you'll be up and running and able to develop your business-related code in the Eclipse development environment.

 

In addition, in Barcelona we are organizing a Live Influence session, "How to extend connectivity of SAP Identity Management to cloud" (IFL221), where we will discuss the functions of the SAP Cloud Identity connector and your needs.

 

In addition, in Las Vegas there will be the following partner and customer sessions:

 

Also I’d recommend visiting:

The lecture New Security, Governance, Risk and Compliance Functionality for the Cloud (SEC104)

And this hands-on exercise: How to Provision Users and Manage Authorizations in SAP Cloud Applications (SEC166)

 

And I think it is very valuable to meet people in person; you will be able to meet many of the SAP security people at the dedicated security booth, among them the following SAP IDMers:

 

 

 

As always we would be happy to meet with people from the community and exchange thoughts.

SAP TechEd from an IDM Point of View


To boldly go where no man — where no one— has gone… before.

 

I have to tell you, this is how I feel after every TechEd, and I've been to at least six of them now. It's always hard to sum up the TechEd experience, unless, of course, you've been there. It's a whirlwind to say the least: learning, seeing old friends, making new ones, matching faces with email addresses/SCN IDs. At the end of every day it feels like I’ve run a marathon, mentally and physically. If you’re a step counter, it’s pretty easy to reach your goals. And your head is always spinning with everything you’ve learned.

If previous TechEds have been about specifics such as HANA, Fiori, Hybris, Lumira, this TechEd was certainly centered on Cloud based architectures. Everyone was talking about how their Service, Application, Module, etc. worked with SAP specific clouds or Enterprise based cloud technologies.

 

Learning. Did a lot of that this week, with some very good stuff by SAP Security and IDM people such as Plamen Pavlov, Hristo Borisov, Penka Tatarova, and Gerlinde Zibulski discussing issues regarding cloud-based authentication and the brand new SAP HANA Cloud Platform Identity Provisioning Service. While I was unable to attend the hands-on sessions, I did hear back from several people that this brand new platform shows much promise for provisioning both SAP and non-SAP applications that are the basis of evolving cloud strategies. While attending a roadmap session for the Cloud Platform Identity Provisioning Service, I learned that the two main supported sources are LDAP and SCIM; this makes me think that the Virtual Directory Server could become very popular in enabling other types of applications for cloud provisioning. I’m sure I’ll be talking about this more in future blogs.


Roadmap. As always, there were a lot of roadmap sessions for the various identity and security related products. The security portfolio has grown quite large as we see below.

roadmap.jpg

 

There are now 8 products in the portfolio, and as we’ve discussed they are organized into cloud and on premise architectures, but I could not help noticing a new addition, that I thought needed to be there for some time: SAP Access Control. In my opinion this change is long overdue, and from what I hear will lead to a better integration with SAP IDM in the long run.


SAP IDM. Yes, it’s still here and got more than its fair share of attention. The SAP IDM 8.0 RDS add-on is expected to be released before the end of September 2016, and of course, we have heard about the latest service pack. There’s some other new functionality coming for 8.0 in the next couple of SPs, and I’ve heard that we can expect another SP fairly soon. With the reshaping of the security portfolio, I can foresee steps to integrate with the new cloud based modules and the new additions.

 

Another thing that we can count on is that SAP IDM will continue to be further integrated into the overall SAP Landscape. We got to see a fascinating preview of a unified installation process for SAP IDM using SWPM that handles installing the Designtime and Runtime, Keys file, Dispatcher, and of course the SCA files. While that will put BASIS a little more in control of IDM installation and configuration, a comprehensive install process is a huge plus in my book. I am trying to get a little more information on this and will update the blog when I receive it.

 

For those of us still using 7.2, it’s still going to be around for a while yet, but I don’t know that we should expect much more development here, aside from patches.

 

SAP is making the next steps into the future and I think that 8.0 will be fulfilling that soon along with cloud, security, and landscape integration. We will just have to see what will come about at TechEd 2017. I for one am counting the days already until next year!
