How to Create Reports with SAP NetWeaver Identity ......You can use the report templates delivered with IdM, adapt them to your needs or create your own. Besides using report templates

SAP NetWeaver How-To Guide

How To... Create Reports with SAP NetWeaver Identity Management

Applicable Releases:

SAP NetWeaver Identity Management 7.0

SAP NetWeaver Identity Management 7.1

Topic Area: Security and Identity Management

Capability: Identity and Access Management

Version 1.0

September 2009

© Copyright 2009 SAP AG. All rights reserved.

No part of this publication may be reproduced or

transmitted in any form or for any purpose without the

express permission of SAP AG. The information contained

herein may be changed without prior notice.

Some software products marketed by SAP AG and its

distributors contain proprietary software components of

other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are

registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel

Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,

OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,

Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,

i5/OS, POWER, POWER5, OpenPower and PowerPC are

trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader

are either trademarks or registered trademarks of Adobe

Systems Incorporated in the United States and/or other

countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered

trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame,

WinFrame, VideoFrame, and MultiWin are trademarks or

registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or

registered trademarks of W3C®, World Wide Web

Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems,

Inc., used under license for technology invented and

implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP

NetWeaver, and other SAP products and services

mentioned herein as well as their respective logos are

trademarks or registered trademarks of SAP AG in

Germany and in several other countries all over the world.

All other product and service names mentioned are the

trademarks of their respective companies. Data contained

in this document serves informational purposes only.

National product specifications may vary.

These materials are subject to change without notice.

These materials are provided by SAP AG and its affiliated

companies ("SAP Group") for informational purposes only,

without representation or warranty of any kind, and SAP

Group shall not be liable for errors or omissions with

respect to the materials. The only warranties for SAP

Group products and services are those that are set forth in

the express warranty statements accompanying such

products and services, if any. Nothing herein should be

construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of

any kind, either express or implied, including but not

limited to, the implied warranties of merchantability,

fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including

without limitation direct, special, indirect, or consequential

damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the

information, text, graphics, links or other items contained

within these materials. SAP has no control over the

information that you may access through the use of hot

links contained in these materials and does not endorse

your use of third party web pages nor provide any warranty

whatsoever relating to third party web pages.

SAP NetWeaver “How-to” Guides are intended to simplify

the product implementation. While specific product

features and procedures typically are explained in a

practical business context, it is not implied that those

features and procedures are the only approach in solving a

specific business problem using SAP NetWeaver. Should

you wish to receive additional information, clarification or

support, please refer to SAP Consulting.

Any software coding and/or code lines / strings (“Code”)

included in this documentation are only examples and are

not intended to be used in a productive system

environment. The Code is only intended better explain and

visualize the syntax and phrasing rules of certain coding.

SAP does not warrant the correctness and completeness of

the Code given herein, and SAP shall not be liable for

errors or damages caused by the usage of the Code, except

if such damages were caused by SAP intentionally or

grossly negligent.

Disclaimer

Some components of this product are based on Java™. Any

code change in these components may cause unpredictable

and severe malfunctions and is therefore expressively

prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only

to be used by SAP’s Support Services and may not be

modified or altered in any way.

Document History Document Version Description

1.00 Public Release

Typographic Conventions Type Style Description

Example Text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.

Cross-references to other documentation

Example text Emphasized words or phrases in body text, graphic titles, and table titles

Example text File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>

Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

Icons Icon Description

Caution

Note or Important

Example

Recommendation or Tip

Table of Contents

1. Business Scenario ............................................................................................................... 1

2. Background Information ..................................................................................................... 2

3. Prerequisites ........................................................................................................................ 3

4. Identity Center DB – Important Views/Tables ................................................................... 4

4.1 Table “MXI_Attributes” .................................................................................................. 4

4.2 View “MXIV_VALUES” ................................................................................................. 4

4.3 View “MXIV_SENTRIES” .............................................................................................. 5

4.4 View “MXIV_ALL_SENTRIES” ..................................................................................... 5

4.5 View “MXIV_OENTRIES” ............................................................................................. 6

4.6 View “MXUV_ENTRIES” .............................................................................................. 7

4.7 View “MXUV_ALL_SENTRIES” .................................................................................... 8

4.8 View “MXUV_OENTRIES” ............................................................................................ 8

4.9 View “MXUV_ALL_OENTRIES” ................................................................................... 8

4.10 View “MXV_AUDIT” ...................................................................................................... 8

4.11 View “MXPV_Audit” ...................................................................................................... 9

4.12 View “MXPV_Ext_Audit” ............................................................................................... 9

4.13 View “MXWV_ALL_APPROVALS” ............................................................................... 9

4.14 View “MXPV_OLD_APPROVALS” ............................................................................. 10

4.15 View “mcv_repository” ................................................................................................ 10

4.16 Table “mc_language_translations” ............................................................................. 11

4.17 Comparison of Entry Views ........................................................................................ 11

5. Typical SQL Statements ................................................................................................... 12

5.1 Entry type related SQL Queries .................................................................................. 12

5.2 User-related SQL Queries .......................................................................................... 13

5.3 Business Role-related SQL Queries .......................................................................... 14

5.4 Privilege-related SQL Queries .................................................................................... 14

5.5 Schema-related SQL Queries .................................................................................... 14

5.6 Audit-related SQL Queries ......................................................................................... 15

5.7 Repository-related SQL Queries ................................................................................ 15

5.8 Other SQL Queries ..................................................................................................... 15

5.8.1 Translations ................................................................................................... 15

5.8.2 Approvals ....................................................................................................... 15

6. Reporting Possibilities (Examples) ................................................................................. 16

6.1 SAP BusinessObjects Crystal Reports ....................................................................... 16

6.1.1 Setting up Database Connection to IdM ........................................................ 16

6.1.2 Creating a Report Template .......................................................................... 20

6.1.3 Setting up the IdM Runtime ........................................................................... 28

6.1.4 Provide Report Template to the IdM Runtime ............................................... 30

6.1.5 Setting up a Task for Report Creation ........................................................... 30

6.1.6 Executing the Task ........................................................................................ 38

6.2 Jasper Reports and iReport ........................................................................................ 41

6.2.1 Setting up Database Connection to IdM ........................................................ 41

6.2.2 Creating a Report Template .......................................................................... 43

6.2.3 Setting up the IdM Runtime ........................................................................... 49

6.2.4 Provide Report Template to the IdM Runtime ............................................... 50

6.2.5 Setting up a Task for Report Creation ........................................................... 52

6.2.6 Testing the Task ............................................................................................ 57

6.2.7 Adding a Jasper Report as Report entry in 7.1 SP2 ...................................... 59

6.3 Simple HTML with toASCII Pass ................................................................................ 63

How to Create Reports with SAP NetWeaver Identity Management

1. Business Scenario SAP NetWeaver Identity Management (IdM) helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems. The solution provides an authoritative, single source of user information and enables self-service management of user information and authorizations using workflow technology.

During the implementation of SAP NetWeaver Identity Management typically reporting requirements need to be satisfied like

• What are all the attributes of a given user?

• What are all the business roles assigned to a given user?

• What systems does a given user has access to?

• Which business roles are available in the system?

• How many users/business roles, etc. are available in the system?

In this guide I will first give you some background information about creating reports based on the data available in SAP NetWeaver Identity Management. Then I will show you how you can create a simple report using SAP Busines Objects Crystal Reports (available as of Version 7.1 SP2) and also Jasper Reports (available also in Version 7.0).

September 2009 1


2. Background Information With SAP NetWeaver Identity Management you can create reports using the information which is available in the Identity Center. Typically the creation of reports is done by using report templates. Two kinds of report templates can be used: ...

1. SAP BusinessObjects Crystal Reports (as of SAP NetWeaver Identity Management 7.1 SP2)

2. Jasper Reports (SAP NetWeaver Identity Management 7.0 and 7.1)

Out of the box SAP delivers some sample reports, for example

• Entry report (Jasper and Crystal Reports)

• Line Manager Report (Jasper)

• Privilege Report (Jasper)

• Role Report (Jasper)

You can use the report templates delivered with IdM, adapt them to your needs or create your own.

Besides using report templates you could also create simple reports by using the toASCII pass in Identity Center and create text or HTML files according to your needs. This has the advantage that you can very quickly extract information from your Identity Center into a file. On the other hand you will most likely hit the limits when it comes to a nice and clean formatting of your reports. In this case you will probably start to go the route of creating a report template and use this for creating reports.

In any case it is important to have a basic understanding of the Identity Center database schema since you are required to retrieve the information for your reports from the Identity Store. In Chapter 4 of this guide the most important database views and tables will be introduced. Then this guide lists frequently used database statements which should help you to satisfy the most important reporting needs.

Important The database statements in this guide are for a Microsoft SQL Server database. In case you have a SAP NetWeaver Identity Management installation using an Oracle database you may need to adapt the statements accordingly. Nevertheless the general concepts are independent of the database platform you use.

Chapter 6 will then give you step by step guides about how you can create reports

a. using SAP BusinessObjects Crystal Reports

b. using Jasper Reports and iReport

c. using the toASCII pass in Identity Center

When creating reports you have various options where to store the reports

• as binary attribute assigned to an entry type

• in the file system

• as report entry type (available as of version 7.1 SP2)

Following documents will provide you further information:

• SAP NetWeaver Identity Management – Operation Guide

• SAP NetWeaver Identity Management – Generating Reports using Crystal Reports

Besides this you will always get the latest information on SDN:

• http://www.sdn.sap.com/irj/sdn/nw-identitymanagement

September 2009 2

http://www.sdn.sap.com/irj/sdn/nw-identitymanagement


3. Prerequisites You require the following version of SAP NetWeaver Identity Management for creating the examples in Chapter 6

• SAP NetWeaver Identity Management 7.0 (Jasper and ASCII only)

• SAP NetWeaver Identity Management 7.1 (all reporting possibilities as described)

In addition you require

• For the example with SAP BusinessObjects Crystal Reports 2008

SAP BusinessObjects Crystal Reports 2008

• For the example with Jasper Reports

Jasper 1.3.1 (you get the libraries through the iReports 1.3.1 download)

iReports 1.3.1 link at publication time of HowTo: http://sourceforge.net/project/showfiles.php?group_id=64348&package_id=64215

If you require additional information about SAP NetWeaver Identity Management you will find this through the IdM homepage on SDN: https://www.sdn.sap.com/irj/sdn/nw-identitymanagement

September 2009 3

http://sourceforge.net/project/showfiles.php?group_id=64348&package_id=64215

https://www.sdn.sap.com/irj/sdn/nw-identitymanagement


4. Identity Center DB – Important Views/Tables

4.1 Table “MXI_Attributes” This table contains the attribute definitions for all identity stores.

Important table columns:

View Column Description

Attr_ID Id of the attribute

Attr_Name Name of the attribute

IS_ID Id of the identity store where the attribute is defined in

display_name Display name of the attribute (typically a language key)

4.2 View “MXIV_VALUES” This view provides you access to the current values stored in the Identity Center. Using this view is the best performing way to access information inside the identity store but other views might be more convenient.

Important view columns:


MSKEY MSKEY of the entry to which the attribute belongs to


aValue Value of the attribute

SearchValue Search value of the attributes (indexed!)

IS_ID Id of the identity store where the attribute is stored in

AuditID Audit Id which caused the change of the attribute see also view MXV_AUDIT

Modifytime Modification time of attribute value

ExpiryTime Time when the attribute value expires (e.g. privilege assignment ValidTo)

September 2009 4


4.3 View “MXIV_SENTRIES” This view provides you access to current entries and attributes stored in the Identity Center. Every attribute plus attribute value will be displayed as one row in the SQL query result.

This view will only show active entries which attributes are not expired.





AttrName Name of the attribute

aValue Value of the attribute (don’t use in a WHERE clause!)


display_name Display name of the attribute. This field typically contains the language key of the display name in the form of e.g. “#LANG_KEY”

IS_ID Id of the identity store where the attribute is stored in.


ValueAuditId AuditId from where the change came from


ExpiryTime Time when the attribute value expires (e.g. privilege assignment ValidTo)

Tip This is the typical view to use when you like to retrieve current information about entries inside the identity store where the MSKEYVALUE of referenced entry types (e.g. roles) is not required

Important Do not use aValue in the WHERE clause of a SQL statement or in joins, order by, …. Always use SearchValue instead since it is indexed and therefore avoids performance problems.

4.4 View “MXIV_ALL_SENTRIES” This view is similar to MXIV_SENTRIES but will display all entries, i.e. also inactive and expired entries/attributes.

September 2009 5


4.5 View “MXIV_OENTRIES” This view provides you access to entries and attributes which have been changed/deleted from the Identity Center and have not been archived. Every attribute plus attribute value will be displayed as one row in the SQL query result.


OLD_ID Counter for entries in the view







AuditID Audit Id which caused the change/deletion of the attribute see also view MXV_AUDIT


CreateTime Creation time of attribute value


Changetype Id for type of change

Changename Name for type of change, e.g. “DELETE”

ChangedBy Information about who last changed the attribute, e.g. <MSKEY> of the user changing the attribute through the UI

MultiValue Flag if attribute value belongs to a multi value attribute

• 0: no multi value attribute

• 1: multi value attribute

Tip This is the typical view to use when you like to retrieve historical information about entries.

September 2009 6


4.6 View “MXUV_ENTRIES” Similar to the view MXIV_SENTRIES this view provides you access to entries and attributes stored in the Identity Center. Every attribute plus attribute value will be displayed as one row in the result.

This view will only show active entries which attributes are not expired.

This view differs from the view MXIV_ENTRIES in the respect that it provides extended information about the MSKEY, the attribute and the attribute value. Using this view you can for example directly retrieve the MSKEYVALUE of referenced entry types like for example the MSKEYVALUE of roles. In MXIV_ENTRIES only the MSKEY can be retrieved which is in many cases not sufficient.




ExtMSKEY Contains the MSKEYVALUE of the entry to which the attribute belongs to plus the MSKEY in the format:

<MSKEYVALUE> (<MSKEY>), e.g. mxmc_admin (8)



ExtAttribute Display name of the attribute. In case the display name is not filled it will give the attribute name

This field typically contains the language key of the display name in the form of e.g. “#LANG_KEY”


ExtValue For reference attributes: Contains the MSKEYVALUE of the referenced entry in the format:

<MSKEYVALUE> (<MSKEY>), e.g. PRIV:ROLE:xyz (9)

All other attributes: same as aValue







Important Using this view might be time-consuming with a large amount of data (i.e. many rows in table MXI_VALUES)

September 2009 7


4.7 View “MXUV_ALL_SENTRIES” This view is similar to MXUV_ENTRIES but will display all entries, i.e. also inactive and expired entries

4.8 View “MXUV_OENTRIES” This view provides the same information about modified and deleted attributes as MXIV_OENTRIES plus additional information:

• ExtMSKEY

• ExtAttribute

• ExtValue

4.9 View “MXUV_ALL_OENTRIES” This view provides the same information about modified and deleted attributes as MXIV_OENTRIES plus additional information: from MXIV_ALL_ENTRIES:

• ExtMSKEY

• ExtAttribute

• ExtValue

The additional information is retrieved from MXIV_ALL_SENTRIES which is the difference from MX_UV_OENTRIES. (4.8)

4.10 View “MXV_AUDIT” Whenever a new task hierarchy is started, a new AuditID is allocated, and a new audit record is created.

This view provides information about the audit entries created during task execution.



AuditId Id of the audit entry (automatically created and unique)

MSKey MSKEY of entry which is related to this audit entry

AuditRoot Id of the audit entry which is the root of task executions, i.e. if one task leads to the execution of other tasks the audit entry of the child tasks will reference the root task’s audit entry in the AuditRoot

In case there was no initiating task AuditRoot=AuditId

userid Field that holds the user additional information like user MSKEY, operation, etc. For a detailed description please refer to the product documentation, e.g. available through the MMC via Help – Help Topics or on http://help.sap.com

IDSID Id of the identity store

September 2009 8

http://help.sap.com/


4.11 View “MXPV_Audit” This view provides the same information as MXV_AUDIT but limits the result to the 100 most current entries in the audit.

4.12 View “MXPV_Ext_Audit” This view provides extra audit information in case the option “enable trace” is activated for your identity Center configuration.



Aud_ref Reference to the audit record in MXV_AUDIT. There may be multiple extended audit records for one audit record in MXV_AUDIT

Aud_approver Positive values are the MSKEY of the approver.

Aud_OnEntry MSKEY o f the entry being executed

Aud_datetime The record’s date and time

4.13 View “MXWV_ALL_APPROVALS” This view gives you information about approvals which are currently in process or already finished.



MSKEY MSKEY of the entry which is to be approved

IS_ID Id of the identity store where the approval task has been executed on

TASKID Id of the approval task

AUDITID Related Audit Id from MXV_AUDIT

STATUS Approval status, e.g. “APPROVED”, “DECLINED”

APPROVER MSKEY of the user who approved/declined

REASON Reason for approving/declining the request

ApproveTime Time, when the approval/decline was performed

RefAudit Reference to audit entry which triggered current approval

September 2009 9


4.14 View “MXPV_OLD_APPROVALS” This view gives you information about past approvals.



MSKEY MSKEY of the entry which is to be approved

IS_ID Id of the identity store where the approval task has been executed on

TASKID Id of the approval task

AUDITID Related Audit Id from MXV_AUDIT

STATUS Approval status, e.g. “APPROVED”, “DECLINED”

APPROVER MSKEY of the user who approved/declined

REASON Reason for approving/declining the request

ApproveTime Time, when the approval/decline was performed

4.15 View “mcv_repository” This view provides all repositories which are available in your Identity Center installation.



REP_ID Unique Id of the repository

RepType Type of the repository, e.g. file, directory

REP_NAME Name of the repository as displayed in the management node of the MMC

REP_DESCRIPTION Description of the repository

September 2009 10


4.16 Table “mc_language_translations” This table contains the translation information for texts which are to be displayed in a language dependent manner. If you require e.g. attribute descriptions in a specific language you can look this up using language key, language code and identity store.

Important table columns:

Table Column Description

LangKey Unique language key per identity store.

This key is for example returned in the display_name column of the view mxiv_entries. By reading the respective LangValue in the translation table the language dependent string can be retrieved

LangCode Language code

LangIdStore Number of the identity store for which the translation is relevant

LangValue Language dependent value

4.17 Comparison of Entry Views View Name Attribute

Names Inactive Entries

Expired Attributes

Old/Past Values

MSKEYVALUE of MSKEY

MSKEYVALUE of referenced entries

MXIV_VALUES X X

MXIV_SENTRIES X

MXIV_ALL_SENTRIES X X X

MXIV_OENTRIES X not relevant not relevant X

MXUV_ENTRIES X X X

MXUV_OENTRIES X not relevant not relevant X X X

MXUV_ALL_SENTRIES X X X X* X

MXUV_ALL_OENTRIES X not relevant not relevant X X* X

* extended information retrieved from MXIV_ALL_SENTRIES

September 2009 11


5. Typical SQL Statements This chapter contains typical SQL statements against the Identity Center database which fulfill typical reporting requirements.

5.1 Entry type related SQL Queries -- get MSKEYVALUE of specific MSKEY SELECT aValue as AVALUE FROM MXIV_SENTRIES WHERE (MSKEY=<mskey>) AND (AttrName = 'MSKEYVALUE') -- alternative to get MSKEYVALUE of specific MSKEY (better performance!) SELECT avalue FROM MXIV_VALUES WHERE MSKEY=<mskey> AND Attr_ID=(SELECT Attr_ID FROM MXI_Attributes WHERE AttrName='MSKEYVALUE' AND IS_ID=<id_store>)

-- get DISPLAYNAME of specific MSKEY SELECT aValue FROM MXIV_SENTRIES WHERE (MSKEY = <mskey>) AND (AttrName = 'DISPLAYNAME') -- alternative to get DISPLAYNAME of specific MSKEY (better performance!) SELECT avalue FROM MXIV_VALUES WHERE MSKEY=<mskey> AND Attr_ID=(SELECT Attr_ID FROM MXI_Attributes WHERE AttrName='DISPLAYNAME' AND IS_ID=<id_store>)

-- get MSKEYVALUE, DISPLAYNAME, identity store for specific mskey SELECT MXIV_SENTRIES.AttrName as ATTRNAME, MXIV_SENTRIES.MSKEY, MXIV_SENTRIES.aValue as AVALUE, MXIV_SENTRIES.IS_ID, MXI_IDStores.IdStoreName as IDSTORENAME FROM MXIV_SENTRIES INNER JOIN MXI_IDStores ON MXIV_SENTRIES.IS_ID = MXI_IDStores.IS_ID WHERE (MXIV_SENTRIES.MSKEY = <mskey>) AND (MXIV_SENTRIES.AttrName = 'MSKEYVALUE') OR (MXIV_SENTRIES.MSKEY = <mskey>) AND (MXIV_SENTRIES.AttrName = 'DISPLAYNAME')

-- get attributes of a specific MSKEY at a defined point in the past select MSKEY, AttrName, aValue, ModifyTime, NULL AS CreateTime, NULL as changename from MXIV_SENTRIES where MSKEY=<MSKEY> AND modifyTime < convert(datetime, '2009-04-22',110) UNION ALL select MSKEY, AttrName, aValue, ModifyTime, CreateTime, changename from mxiv_oentries where MSKEY=<MSKEY> AND modifyTime > convert(datetime, '2009-04-21 23:59:59', 120) AND createTime < convert(datetime, '2009-04-22',110)

September 2009 12


5.2 User-related SQL Queries -- get attributes and attribute values (except roles, privileges, audit flags) for specific user (MSKEY) SELECT display_name, ExtAttribute as [Attribute],extvalue as [Value], convert(varchar,modifytime,20) as [Modified],changename as [Operation] FROM mxuv_entries WHERE MSKEY = <mskey> and attrname<>'mxref_mx_role' and attrname<>'mxref_mx_privilege' and attrname<>'mx_autoprivilege' and attrname<>'mx_audit_flags'

-- get historical attributes and attribute values for specific user (MSKEY) SELECT ExtAttribute as [Attribute],Extvalue as [Value], convert(varchar,modifytime,20) as [Modified],changename as [Operation] FROM mxuv_oentries WHERE MSKEY = <mskey>

-- get historical values for a specific user (MSKEY) ordered by creation time SELECT OLD_ID, MSKEY, AttrName, aValue, CreateTime, Modifytime, ChangedBy, Changenumber, Changetype, Changename, ParentAuditId, ValueAuditId, IS_ID, Access_ID, display_name, MultiValue, ProvStatus, AuditID FROM MXIV_OENTRIES WHERE (MSKEY = <mskey>) ORDER BY CreateTime -- get assigned privileges for specific user (MSKEY) SELECT attrname as [Attribute],extvalue as [Value],convert(varchar,modifytime,20) as [Modified], changename as [Operation] FROM mxuv_entries WHERE MSKEY = <mskey> and attrname IN ('mxref_mx_privilege','mx_autoprivilege')

-- get assigned roles for specific user (MSKEY) SELECT extvalue as [Value],convert(varchar,modifytime,20) as [Modified], changename as [Operation] FROM mxuv_entries WHERE MSKEY = <mskey> and attrname='mxref_mx_role'

-- get all repositories where a specific user (MSKEY) is present SELECT SUBSTRING(AttrName,8, LEN(AttrName)) AS [Repository], aValue as [AccountId] FROM MXIV_SENTRIES WHERE mskey=<mskey> and MXIV_SENTRIES.AttrName like 'ACCOUNT%'

-- get all users with defined set of attributes SELECT MSKEY, AttrName, aValue FROM MXIV_SENTRIES WHERE (MSKEY IN (SELECT MSKEY FROM MXIV_SENTRIES WHERE AttrName = 'MX_ENTRYTYPE' AND SearchValue = 'MX_PERSON')) AND (AttrName IN ('MSKEYVALUE','DISPLAYNAME','MX_FIRSTNAME','MX_LASTNAME')) AND (IS_ID =<idstore>) ORDER BY MSKEY

-- line manager report: get all direct reports (mskey) for a specific manager mskey SELECT DISTINCT MSKEY FROM MXIV_SENTRIES WHERE (MSKEY IN (SELECT mskey FROM MXIV_SENTRIES WHERE attrname = 'MX_MANAGER' AND SearchValue = '<mskey>')) ORDER BY MSKEY

September 2009 13


5.3 Business Role-related SQL Queries -- get all business roles SELECT MSKEY, AttrName, aValue FROM MXIV_SENTRIES WHERE (MSKEY IN (SELECT MSKEY FROM MXIV_SENTRIES WHERE AttrName = 'MX_ENTRYTYPE' AND SearchValue = 'MX_ROLE')) AND (AttrName IN ('MSKEYVALUE', 'DISPLAYNAME')) AND (IS_ID =<idstore>) ORDER BY MSKEY

-- get role members for role with specific mskey SELECT extvalue as [Entry name],Convert(varchar,modifytime,20) as [Added] FROM mxuv_entries WHERE mskey=<mskey> and attrname='MXREF_MX_ROLE'

5.4 Privilege-related SQL Queries -- get all privileges SELECT MSKEY, AttrName, aValue FROM MXIV_SENTRIES WHERE (MSKEY IN (SELECT MSKEY FROM MXIV_SENTRIES WHERE AttrName = 'MX_ENTRYTYPE' AND SearchValue = 'MX_PRIVILEGE')) AND (AttrName IN ('MSKEYVALUE','DISPLAYNAME')) AND (IS_ID =1) ORDER BY MSKEY

-- get direct members for privilege with specific mskey SELECT extmskey as [Entry name],Convert(varchar,modifytime,20) as [Added] FROM mxuv_entries WHERE (datatypeid = 5) and searchvalue=cast(<mskey> as varchar) and attrname='MXREF_MX_PRIVILEGE' order by extmskey

-- get properties for specific privilege (MSKEY) SELECT ExtAttribute as [Attribute],extvalue as [Value], convert(varchar,modifytime,20) as [Modified],changename as [Operation] FROM mxuv_entries WHERE MSKEY = <mskey> and attrname<>'mxref_mx_role'

5.5 Schema-related SQL Queries -- get attribute name based on attribute id SELECT AttrName FROM mxiv_allattributes WHERE ATTR_ID=<AttrId>

-- get name of entry type based on entry type id

SELECT OCNAME as "ocname" FROM mxiv_entrytypes WHERE ocid=<EntryTypeId>

September 2009 14


5.6 Audit-related SQL Queries -- get audit flags for specific mskey SELECT extvalue as [Value],convert(varchar,modifytime,20) as [Modified], changename as [Operation] FROM mxuv_entries WHERE MSKEY = <mskey>

and attrname='mx_audit_flags'

-- get audit entries for specific mskey SELECT AuditID as [Audit ID],TaskName as [Task],Provision_status as [Status],convert(varchar,posteddate,20) as [Date],Userid as [User ID],MSG as [Message] FROM mxv_audit WHERE mskey=<mskey>

5.7 Repository-related SQL Queries -- get all repositories in the idm system select REP_NAME from mcv_repository ORDER BY REP_NAME

5.8 Other SQL Queries

5.8.1 Translations -- get language translations SELECT * from mc_language_translations

5.8.2 Approvals -- get approver, status and reason for a finished approval with a specific audit id

select approver, status, reason from mxpv_old_approval where AuditId=<auditid>

-- get information about any approval with a specific audit id

SELECT * FROM MXWV_ALL_APPROVALS where auditid = <auditid>

September 2009 15


6. Reporting Possibilities (Examples) There are various possibilities how you can visualize the data which you retrieve from the Identity Center database. In this chapter I want to introduce the most prominent ones: ...

1. SAP BusinessObjects Crystal Reports

2. Jasper Reports and iReport

3. Simple HTML using the toASCII pass

6.1 SAP BusinessObjects Crystal Reports As of SAP NetWeaver Identity Management 7.1 SP2 you will have the possibility to design your reports using Crystal Reports and then use the report templates for creating reports.

Important If you want to change the layout of the delivered reporting templates or if you want to create your custom reporting template you require a license for SAP BusinessObjects Crystal Reports.

6.1.1 Setting up Database Connection to IdM In order to be able to design and also test your report properly you need to configure the connection to your Identity Center database. Typically you would use an IdM development system for this task.

6.1.1.1 Create Blank Report

September 2009 16


6.1.1.2 Create New Connection

6.1.1.3 Create new JDBC Connection Open the tree for JDBC

September 2009 17


6.1.1.4 Maintain Database Connection Parameters

Parameter Value

Connection URL Provide the JDBC connection URL, for example jdbc:sqlserver://myserver:1433;databasename=mxmc_db

Database Classname Provide the JDBC driver class,. For Microsoft SQL Server 2005 this will be for example: com.microsoft.sqlserver.jdbc.SQLServerDriver

Note In order to make the database driver available to Crystal Reports you need to adapt the Java classpath in the file “CRConfig.xml” which is typically located in the directory “\Program Files\Business Objects\Common\4.0\java”.

September 2009 18


6.1.1.5 Maintain User and Database Information

Parameter Value

User ID Provide the database user which you defined for the runtime. By default this will be mxmc_rt

Password Provide the password for the runtime user

Database Select your Identity Center database

September 2009 19


6.1.2 Creating a Report Template

6.1.2.1 Create a New Command In the Database Expert expand your connection and double click “Add Command”

6.1.2.2 Specify the Command A new window opens where you can type in or paste in a SQL statement which retrieves the information you want to display in your report. In addition you can specify parameters which you want to fill later on.

In this example we want to create a report which shows all business roles and all privileges assigned to a specific user.

The SQL command for this task is as follows:

SELECT ExtMSKEY, AttrName, ExtValue FROM MXUV_ENTRIES WHERE MSKEY=<MSKEY> AND AttrName IN ('MXREF_MX_PRIVILEGE','MX_AUTOPRIVILEGE','MX_AUTOROLE')

September 2009 20


Click on “Create …”

6.1.2.3 Create a new Parameter In the pop-up maintain a new parameter with the name MSKEY, some Prompting Text and Value Type String

Press “OK”

Note If you want to pass more information from Identity Center to the report template you would need to create additional parameters here.

September 2009 21


6.1.2.4 Add the Parameter to your SQL Statement Place your cursor after “MSKEY=” and double-click on MSKEY in the parameter list

This will insert the parameter into your SQL statement in the form of “{?MSKEY}”

Press “OK” to confirm.

September 2009 22


In the next screen enter the MSKEY of the user you want to use for test purposes into the next screen and confirm:

As next step you may want to rename the command. Just click twice on the name and change it:

Now you can close the Database Expert by selecting “OK”

September 2009 23


Note The Database Expert provides a very useful feature which enables you to join/link SQL commands. Once you have more than one command defined a new tab will be displayed called “Links”:

6.1.2.5 Design your Report Now you can design your report by adding static text, images and the return values of your command.

September 2009 24


6.1.2.6 Field Explorer You get access to the results of your command through the Field Explorer

You can simply drag and drop items from the field explorer into your report.

6.1.2.7 Add Information to your Report Here you see an example of a very simple layout with some static text and the information retrieved through the command:

6.1.2.8 Preview your Report You can preview your report by selecting the “Print Preview” button in the toolbar:

September 2009 25


6.1.2.9 Adding Sorting to your Report If you want to sort the information displayed in your report you can add a sorting rule using the Record Sort Expert

In this example we will sort the data displayed in ascending order according to the AttrName returned by the command:

September 2009 26


6.1.2.10 Result You will very quickly be able to see the result of your report design thanks to Crystal Reports:

6.1.2.11 Don’t Forget to Save By the way, don’t forget to save your report since you will need the report template file later on.

September 2009 27


6.1.3 Setting up the IdM Runtime

6.1.3.1 Downloading Libraries for Crystal Reports The Crystal Reports Runtime Libraries are part of Crystal Reports for Eclipse and can be downloaded from http://www.sap.com/solutions/sapbusinessobjects/sme/reporting/eclipse/index.epx. You find further details in the Guide “SAP NetWeaver Identity Management Identity Center – Generating Reports using Crystal Reports”

Following libraries are required for the report generation:

• CrystalReportsRuntime.jar

• CrystalCommon2.jar

• JDBInterface.jar

• DatabaseConnectors.jar

• QueryBuilder.jar

• logging.jar

• log4j.jar

• keycodeDecoder.jar

• commons-configuration-1.2.jar

• commons-lang-2.1.jar

• commons-collections-3.1.jar

• icu4j.jar

September 2009 28

http://www.sap.com/solutions/sapbusinessobjects/sme/reporting/eclipse/index.epx


6.1.3.2 Updating Classpath Settings of Runtime You have to update the Java classpath of your runtimes. You do this via Tools – Options in the Identity Center Management Console on the Java tab.

In case you have distributed dispatchers/runtimes you have to copy your dispatchers’ prop files to your these dispatchers.

Alternatively you can also directly update the DSECLASSPATH property in all prop files in your distributed landscape.

Important When using the Crystal Reports libraries you need to make sure that the j2ee.jar is not contained in your classpath. The j2ee.jar has been distributed until 7.1 SP1.

September 2009 29


6.1.4 Provide Report Template to the IdM Runtime As a next step you now need to copy your report template to a folder on your machine which runs dispatcher and runtime.

You first create a folder for your report; in this case we call it howto. Then you copy your report template (*.rpt file) into it.

6.1.5 Setting up a Task for Report Creation For our custom report template generation task we will use the sample report which comes with SP2 as a starting point.

As a first step you therefore need to import the sample report:

September 2009 30


Select the file Create Report Sample_Task.mcc which is located in the subdirectory Templates\Reporting underneath your installation directory

From here you will need click through the import wizard:

Step 1:

September 2009 31


Step 2:

Step 3:

September 2009 32


After the import you should see a task tree like the one below.

Now please rename the task as well as the job and pass underneath:

September 2009 33


The task for generating reports based on a Crystal Reports template uses references to repository constants. The repository is called Reporting. Please change the constants according to your configuration:

• DATABASEID: please put here the name of your Identity Center database

• DATASOURCE: please put here the JDBC connection string to your Identity Center database

• JDBCDRIVER: please put here the classname of your database driver – for MS SQL Server 2005 this would be com.microsoft.sqlserver.jdbc.SQLServerDriver

• USERID: database user id for the user reading the data from the Identity Center database – typically this will be your <DBPrefix>_rt user (in a default installation mxmc_rt)

• PASSWORD: password of the database user

• REPORT_DIR: path to the directory which contains subdirectories with the report templates

Note All parameters are explained in the documents “Generating Reports using Crystal Reports” as referenced already above.

September 2009 34


In the next step you need to go to the Job constants underneath your new task and maintain the Job constants required for your job. These are:

• REPORT: name of your report template file (*.rpt) – in my case HowTo.rpt

• SUBDIR: name of the subdirectory in the reports directory (as defined in the repository constant REPORT_DIR). In my case howto.

September 2009 35


As a last configuration step, please maintain the access control for the task on the configuration tab Access control. In this case I only allowed my user mxmc_admin to access this task and execute it for anybody in the system.

September 2009 36


Typically you are passing parameters to the report template as we do here with MSKEY:

Note In case you have additional parameters which are used inside your report template you can extend the configuration here and pass values for your additional parameters.

September 2009 37


6.1.6 Executing the Task Once you completed the task configuration you can go into your workflow UI and search for a specific user which you want to create the report for. Once you have selected a user you can press the button Choose Task… .

In the popup window you can now select the task you created in the previous step, in my case the task is called HowTo_Crystal. Then select Choose Task.

September 2009 38


In the next step you will get the option to define a name for the report and then create the report by pressing Save.

Note The texts for the buttons can be customized in the task configuration according to your needs.

You will receive a message that the report generation task has been executed.

Now you can browse to the tab View Reports. Here you will find the report which just has been generated. In order to be able to see the tab your user must be assigned to the privilege MX_PRIV:WD:TAB_REPORT.

September 2009 39


When you click on the link in the Result column your report will open.

September 2009 40


6.2 Jasper Reports and iReport Jasper Reports is the reporting engine which has been used in former versions of SAP NetWeaver Identity Management. This functionality is still available with the latest release (7.1 SP2) and can be used especially if no license for a Crystal Reports Designer is available.

For Jasper Reports there is a designer available which is called iReport. Using iReport gives you the possibility of changing the delivered report templates as well as creating your custom report templates in a kind of WYSIWYG manner.

Important For Jasper Reports as well as iReport you need to make sure to use the “old” version 1.3.0 or 1.3.1 since SAP NetWeaver Identity Management is not compatible with newer versions of the Jasper API.

6.2.1 Setting up Database Connection to IdM Start iReport and create a new database connection

6.2.1.1 Create a new Connection/Data Source In the main menu select Data – Connection/Date Sources

In the popup select New

September 2009 41


6.2.1.2 Maintain name of Connection and connection parameters Now maintain your database connection parameters in the next popup.

Parameter Value

Name Specify the name of your connection

Type of Connection Set it to Database JDBC connection

JDBC Driver Provide the JDBC driver class. For Microsoft SQL Server 2005 this will be for example: com.microsoft.sqlserver.jdbc.SQLServer

JDBC URL Provide the JDBC connection URL, for example jdbc:sqlserver://myserver:1433;databasename=mxmc_db

User Name Provide the database user which you defined for the runtime. By default this will be mxmc_rt

Password Provide the password for the runtime user. For convenience reasons you may tick the box “Save password”. Only use this object if you are operating against a local development system.

September 2009 42


6.2.1.3 Specify your Default Connection Select your Connection and press “Set as Default”

6.2.2 Creating a Report Template Create a New Document

Provide Report Details

September 2009 43


6.2.2.1 Add a new Parameter Create a new parameter for MSKEY

The parameter will be used as input for the database query defined later.

Please tick the box for “Use as Prompt”. This will give you the possibility to specify the value interactively when testing your report.

September 2009 44


6.2.2.2 Define the Database Query In the toolbar select the icon for “Database”

In the next window specify your query.

We use the same SQL query as for the Crystal Reports example:

SELECT ExtMSKEY, AttrName, ExtValue FROM MXUV_ENTRIES WHERE MSKEY=$P{MSKEY} AND AttrName IN ('MXREF_MX_PRIVILEGE','MX_AUTOPRIVILEGE','MX_AUTOROLE')

$P{MSKEY} defines in Jasper Reports the reference to the parameter

September 2009 45


6.2.2.3 Library for Fields Similar to the Field Explorer in Crystal Reports iReport provides you with a library containing fields etc.

You can use these also in a drag and drop manner in order to design your report

6.2.2.4 Add Information to your Report Here you see an example of a very simple layout with some static text and the information retrieved through the database query:

September 2009 46


6.2.2.5 Preview your Report You can preview your report by selecting the button “Execute (with active connection)” button in the iReport toolbar.

As a next step you will be prompted to provide the value for your MSKEY parameter:

Once this is defined you will get the preview of your report:

September 2009 47


6.2.2.6 Don’t Forget to Save By the way, don’t forget to save your report since you will need the report template file later on.

September 2009 48


6.2.3 Setting up the IdM Runtime

6.2.3.1 Downloading Libraries (Jasper Reports, etc.) Your download of iReports 1.3.1 comes with all libraries you require for generating Jasper reports using SAP NetWeaver Identity Management. You find them in the lib\ subdirectory of your iRepaort installation.

Following libraries are required for the report generation:

• jasperreports-1.3.1.jar

• itext-1.3.1.jar

• commons-collections-2.1.jar

• commons-logging-api-1.0.2.jar

6.2.3.2 Updating Classpath Settings of Runtime You have to update the Java classpath of your runtimes. You do this via Tools – Options in the Identity Center Management Console on the Java tab.

In case you have distributed dispatchers/runtimes you have to copy your dispatchers’ prop files to your these dispatchers.

Alternatively you can also directly update the DSECLASSPATH property in all prop files in your distributed landscape.

September 2009 49


6.2.4 Provide Report Template to the IdM Runtime As a next step you now need to copy your report template to a folder on your machine which runs dispatcher and runtime.

You first create a folder for your report; in this case we call it howto.

Then create a subdirectory dist where you copy your *.jasper file into.

September 2009 50


Then create a subdirectory template which holds your *.jrxml file.

Note This step is optional but I consider this as best practice since you now have also the definition file of the report at the same location. You will need the *.jrxml file in case you want to modify your report later on.

September 2009 51


6.2.5 Setting up a Task for Report Creation As a starting point for your custom Jasper report we use a standard report which is delivered with the product.

Create a new task by right-clicking on a folder and then selecting New – Action Task – Run wizard …

Select Java-Generate MSSQL entry report from Templates – Identity Center – Provisioning – Jasper reports.

Note You could also select a different report. We just want to use a template as starting point.

September 2009 52


You do not need to maintain a value for the job constant in the next step if you don’t want to reuse this later on.

Now finish the wizard.

September 2009 53


As a next step you should change the name of the tasks like in this example:

The final step of configuration is now to maintain the parameters and attributes of the pass which I named Generate RoleReport.

You have to maintain following parameters:

• REPORT_DIR: point to the directory where your *.jasper file is stored

• REPORT_DIR: output directory of the report

• REPORT: give the name of your report template (*.jasper file without extension) – here HowTo

and following pass attributes:

• OUTPUT_TYPE: PDF

• MSKEY: this is the parameter used in the report for selecting the data. We pass here the MSKEY of the user for which we want to create the report

• TO_FILE_NAME: name of our report file without file extension

September 2009 54


Here a list of important connector parameters which are available for the Jasper report generation:

Parameter Description

DATASOURCE Connection string to the database, typically %$ddm.identitycenter% will be used here

REPORT_DIR Path to the jasper report file. By default the reports are stored in a subdirectory of %$ddm.path%\Reporting

RESULT_DIR Directory where the result file will be stored. This parameter is not required if the report will be stored at an entry as defined with attribute “TO_MSKEY”

REPORT Name of the report, i.e. name of the .jasper file without the file extension

DEFAULT_LANGUAGE Default language of the report. If nothing is set the report will be generated in English.

September 2009 55


Here a list of important pass attributes which are available for the Jasper report generation:

Attribute Desccription

OUTPUT_TYPE Output type of the report. Valid values are HTML and PDF. HTML is the default.

MSKEY MSKEY of the entry to process. The name of the parameter depends on the name of the input parameter in your jasper report

TO_MSKEY MSKEY of the entry where the report should be attached to. The report will be stored in the entry attribute MX_REPORT_RESULT.

In case you do not run 7.1 SP2 you need to extend the schema for e.g. MX_PERSON to include the a binary attribute MX_REPORT_RESULT.

TO_FILE_NAME Name of the target file without extension (the extension will be added automatically)

The file will be put into the directory as defined in the pass parameter RESULT_DIR

IMAGE_DIR This is a report parameter defining the company logo for the report used by most of the standard reports. This parameter will be used inside the Jasper report templates.

SUBREPORT_DIR This is a report parameter defining the path to subreports used by most of the standard reports. This parameter will be used inside the Jasper report templates.

<Report Parameter> In addition to above attributes any report parameter of your Jasper report can be filled here – like MSKEY above.

September 2009 56


6.2.6 Testing the Task You can now simply test the task by selecting Test provisioning task… in the context menu.

In the popup you define the MSKEYVALUE of the user you want to generate the report for

In the Audit Log window you will see once the task has been finished successfully.

Note If you maintain access control for this task you will also be able to launch it through the UI.

September 2009 57


Then you can go to your result directory and check the generated pdf.

This will give you information similar to this one:

Note In case you want to attach the file to the MX_PERSON entry in the Identity Store you will need to maintain the attribute TO_MSKEY with the user’s MSKEY instead of defining a file name.

September 2009 58


6.2.7 Adding a Jasper Report as Report entry in 7.1 SP2 With SAP NetWeaver Identity Management 7.1 SP2 extended reporting functionality is available.

This comprises for example of

• A new entry type MX_REPORT

• A new task option Report task

• A new tab in the UI named View Reports which makes the MX_REPORT entries available

In order to use this new functionality you need to change your task from before.

Go to the Attributes tab and

• Select Entry type MX_PERSON

• Check the tick box for Report task

• Define a DISPLAYNAME, e.g. HowTo Test 7.1 SP2

September 2009 59


Then go to your pass configuration and change

• MSKEY: %MX_REPORT_ENTRY%

Note Once you select Report task on the task definition the entry you are working with will be MX_REPORT. The entry type MXREPORT will contain the user’s MSKEY in the attribute %MX_REPORT_ENTRY%

• TO_MSKEY: %MSKEY% - this will be the MSKEY of the generated report entry

After defining access control on the task a user can now execute the task on an entry.

September 2009 60


This will bring up a screen where in our case you can adapt the display name (since we defined this attribute in the attribute list as read/write attribute).

When submitting the task the user will get a message.

Note The success message as well as the text for the buttons can be customized on the Presentation tab of your task.

September 2009 61


When you now switch to the View Reports tab in the workflow UI you will see a new report entry in the list which you can open from here.

September 2009 62


6.3 Simple HTML with toASCII Pass Creating a simple HTML report is something which you can achieve by using the toASCII connector of the Identity Center. In this case you do not need any additional libraries. One example of an HTML report is the system report which is available with version 7.1 SP2.

I will not dig into all details here since the procedure is pretty straightforward: ...

1. define database queries which return the information you want to display in the report

2. create a job or task which includes a toASCII pass that writes the information into a text file using HTML markup around.

In order to have a look at the standard system report which comes with 7.1 SP2 proceed as follows:

Create a new job using the job wizard:

Then choose the System report job template which fits your database system:

September 2009 63


Now provide the required connection and output information:

Finish the job creation:

September 2009 64


This will give you a job consisting of a set of passes as below which construct an HTML file containing the information which should be displayed:

September 2009 65

www.sdn.sap.com/irj/sdn/howtoguides

Documents

How to Create Reports with SAP NetWeaver Identity ......You can use the report templates delivered with IdM, adapt them to your needs or create your own. Besides using report templates