IBM Tivoli Security and SAP Solutions


  • 8/10/2019 IBM Tivoli Security and SAP Solutions

    1/82

Redpaper

Integrating IBM Tivoli Security and SAP Solutions

Axel Buecker, Ivy Chiu, Ingo Dressler, Anthony Ferguson, David Moore, Zoran Radenkovic

SAP business solutions, security, and the user and role management concepts

IBM Tivoli Identity Manager and SAP integration aspects

Use cases and best practices

ibm.com/redbooks


    International Technical Support Organization

    Integrating IBM Tivoli Security and SAP Solutions

    March 2010

    REDP-4616-00


Copyright International Business Machines Corporation 2010. All rights reserved.

Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

First Edition (March 2010)

This edition discusses several software applications from IBM and SAP. The applicable versions are described in the individual chapters of this publication.

    Note: Before using this information and the product it supports, read the information in Notices on page v.


    Contents

Notices . . . v

Trademarks . . . vi

Preface . . . vii
  The team who wrote this paper . . . vii
  Now you can become a published author, too! . . . viii
  Comments welcome . . . ix
  Stay connected to IBM Redbooks . . . ix

Chapter 1. SAP systems and applications . . . 1
  1.1 SAP Business Suite . . . 2
  1.2 SAP NetWeaver . . . 3
    1.2.1 SAP NetWeaver Application Server ABAP . . . 4
    1.2.2 SAP NetWeaver Application Server Java . . . 5

Chapter 2. SAP security and SAP user and role management concept . . . 7
  2.1 SAP NetWeaver AS ABAP User Repository . . . 10
  2.2 SAP NetWeaver AS Java User Repository: UME . . . 10
  2.3 SAP Central User Administration . . . 10
  2.4 SAP NetWeaver Identity Management . . . 12
  2.5 SAP BusinessObjects GRC management . . . 12

Chapter 3. SAP user management integration options and interfaces . . . 13
  3.1 Business Application Programming Interfaces (BAPI) . . . 15
  3.2 Remote Function Calls (RFC) . . . 16
  3.3 Synchronous versus asynchronous integration . . . 16

Chapter 4. IBM Tivoli identity management and SAP . . . 19
  4.1 IBM Tivoli Identity Manager concept . . . 20
  4.2 Tivoli Identity Manager adapter concept . . . 20
  4.3 Adapter operations . . . 21
  4.4 Tivoli Directory Integrator adapter framework . . . 21

Chapter 5. Tivoli identity management integration offerings for SAP . . . 23
  5.1 Tivoli Identity Manager interoperability and integrations for SAP . . . 24
    5.1.1 Tivoli Identity Manager Adapter for SAP NetWeaver . . . 24
    5.1.2 Tivoli Identity Manager Adapter for SAP NetWeaver Application Server Java . . . 26
    5.1.3 Tivoli Identity Manager adapter for SAP BusinessObjects Access Controls . . . 26
  5.2 Tivoli Directory Integrator with SAP . . . 28
    5.2.1 Functional component for SAP NetWeaver Application Server ABAP . . . 29
    5.2.2 User Registry Connector for SAP NetWeaver Application Server ABAP . . . 30
    5.2.3 HR/Business Object Repository Connector for SAP NetWeaver AS ABAP . . . 31
    5.2.4 IDOC Connector for SAP ERP and SAP NetWeaver AS ABAP . . . 31
  5.3 IBM Tivoli Directory Server with SAP . . . 32
  5.4 Tivoli Identity Manager Adapter for SAP ABAP . . . 33
  5.5 Tivoli Identity Manager Adapter for SAP NetWeaver . . . 33
    5.5.1 Adapter architecture . . . 33
    5.5.2 Add operation . . . 35
    5.5.3 Modify operation . . . 36


    5.5.4 Delete, suspend, resume, and change password operations . . . 38
    5.5.5 Reconciliation operation . . . 39
  5.6 Extending the Tivoli Identity Manager Adapter for SAP NetWeaver . . . 39
    5.6.1 Adapter customization types . . . 40
    5.6.2 Supporting new attribute customization . . . 40
    5.6.3 Change adapter functionality customization . . . 45

Chapter 6. Use cases and best practices . . . 51
  6.1 Sample scenarios and use cases . . . 52
    6.1.1 Stand-alone SAP ABAP target server . . . 52
    6.1.2 CUA target server . . . 52
    6.1.3 Multiple SAP ABAP stand-alone target servers . . . 53
    6.1.4 Stand-alone ABAP target with HR modules . . . 54
    6.1.5 CUA target environment with HR modules . . . 55
    6.1.6 Single sign-on password management in a stand-alone setup . . . 55
    6.1.7 Single sign-on password management with a CUA target . . . 56
    6.1.8 Account locking extension for CUA and non-CUA setup . . . 57
  6.2 Best practices . . . 57
    6.2.1 Deployment of Tivoli Directory Integrator . . . 58
    6.2.2 Performance issues . . . 59
    6.2.3 High availability . . . 59
    6.2.4 A global SAP infrastructure . . . 60
    6.2.5 SAP Secure Network Communications (SNC) . . . 62
    6.2.6 SAP version mixture . . . 63
    6.2.7 Unicode and non-Unicode support . . . 63
    6.2.8 SAP message server . . . 63

Appendix A. Tivoli Security: Beyond IBM Tivoli Identity Manager for SAP . . . 65
  IBM Tivoli Access Manager for e-business with SAP NetWeaver AS ABAP . . . 66
  IBM Tivoli Access Manager for e-business with SAP NetWeaver AS Java . . . 66
  IBM Tivoli Federated Identity Manager with SAP NetWeaver AS . . . 66
  IBM Tivoli Access Manager for Enterprise Single Sign-On with SAP GUI . . . 67
  IBM Tivoli Compliance Insight Manager with SAP AS . . . 67


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.


Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

AIX, DB2, IBM, Redbooks, Redpaper, Redbooks (logo), Tivoli, WebSphere

The following terms are trademarks of other companies:

ABAP, BAPI, SAP NetWeaver, SAP R/3, SAP, and SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries.

VMware, the VMware "boxes" logo and design are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions.

Java, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


Preface

Many large and medium sized organizations have made strategic investments in the SAP NetWeaver product suite as the primary application platform. In fact, SAP software is used to manage many core business processes and data. As a result, it is critical for all organizations to manage the life cycle of user access to the SAP applications while adhering to security and risk compliance requirements.

In this IBM Redpaper publication, we discuss the integration points into SAP that are supported by the IBM Tivoli identity management product suite. IBM Tivoli security software offers a range of identity management (IdM) adapters and components for SAP that are available with IBM Tivoli Identity Manager and IBM Tivoli Directory Integrator. The adapters and components can enable access and provisioning of user accounts and human resources (HR) personnel records in SAP.

This IBM Redpaper is a valuable resource for security officers, consultants, administrators, and architects who want to understand and implement an identity management solution for an SAP environment.

The team who wrote this paper

This paper was produced by a team of specialists from around the world working together with the International Technical Support Organization (ITSO), Austin Center.

Axel Buecker is a Certified Consulting Software IT Specialist at the ITSO, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of software security architecture and network computing technologies. He holds a degree in Computer Science from the University of Bremen, Germany. He has 23 years of experience in a variety of areas related to workstation and systems management, network computing, and e-business solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture.

Ivy Chiu is a Software Developer at the IBM Australian Development Lab (ADL), Gold Coast. She has four years of experience specializing in the testing and development of IBM Tivoli Identity Manager adapters. Her experience covers testing of the Tivoli Identity Manager Adapter for SAP NetWeaver, Tivoli Identity Manager Adapter for SAP ABAP, and Tivoli Identity Manager Adapter for SAP GRC. She holds a degree in Information Technology from the Queensland University of Technology, Australia.

Ingo Dressler is a Certified Security Consultant at the IBM SAP International Competence Center, Walldorf, Germany. He has 16 years of IT experience, including ten years of experience in the information security field. He holds a degree in Computer Science from the University of Cooperative Education of Dresden. His areas of expertise include SOA security and user-centric identity and access management. After joining the research and development division of IBM Germany in 2004, he specialized in the security integration aspects of SAP technology-based architectures.


Anthony Ferguson is a Software Developer at the IBM Australian Development Lab (ADL), Gold Coast. He has seven years of software development and support experience. He started his career as a Developer in the IBM Global Security Kit component team and then moved into the Tivoli Access Manager for e-business Level-3 support team. He currently works as a Level-3 Support Lead for the IBM Tivoli Integration Factory. He holds a degree in Information Technology from the University of Central Queensland, Australia.

David Moore is a Software Developer at the IBM Tivoli Security Development Lab, Gold Coast, Australia. He has 14 years of software development experience. David's primary areas of expertise are middleware, security, identity, and governance, risk, and compliance (GRC) integration with a particular focus on SAP technologies. David holds a Computer Science degree from Griffith University.

Zoran Radenkovic is a member of the IBM Tivoli Integration Factory located in Australia. For the last seven years he has been a Technical Leader for the Tivoli Identity Manager Adapter development team. Zoran has more than 20 years of experience in software development, and prior to joining IBM he developed software for cryptography, real-time operating systems, embedded systems, cryptography accelerators and HSMs, distributed file systems, Internet search engines, voice compression, networking, and ASIC design tools.

Thanks to the following people for their contributions to this project:

Diane Sherman, International Technical Support Organization, Austin Center

Gunter Jahn, David Mackenzie, Brian Matthiesen, IBM

Frank Buchholz, Martin Raepple, SAP AG

Florian Damss, FirstAttribute GmbH

    Now you can become a published author, too!

Here's an opportunity to spotlight your skills, grow your career, and become a published author - all at the same time! Join an ITSO residency project and help write a book in your area of expertise, while honing your experience using leading-edge technologies. Your efforts will help to increase product acceptance and customer satisfaction, as you expand your network of technical contacts and relationships. Residencies run from two to six weeks in length, and you can participate either in person or as a remote resident working from your home base.

Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html


Comments welcome

Your comments are important to us!

We want our papers to be as helpful as possible. Send us your comments about this paper or other IBM Redbooks publications in one of the following ways:

Use the online Contact us review Redbooks form found at:

ibm.com/redbooks

Send your comments in an e-mail to:

[email protected]

Mail your comments to:

IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400

    Stay connected to IBM Redbooks

    Find us on Facebook:

    http://www.facebook.com/pages/IBM-Redbooks/178023492563?ref=ts

    Follow us on twitter:

    http://twitter.com/ibmredbooks

    Look for us on LinkedIn:

    http://www.linkedin.com/groups?home=&gid=2130806

Explore new Redbooks publications, residencies, and workshops with the IBM Redbooks weekly newsletter:

    https://www.redbooks.ibm.com/Redbooks.nsf/subscribe?OpenForm

    Stay current on recent Redbooks publications with RSS Feeds:

    http://www.redbooks.ibm.com/rss.html


    Chapter 1. SAP systems and applications

SAP is one of the leading providers of business software. Its product portfolio for enterprise application software is organized around the following key offerings:

- The SAP Business Suite applications for large organizations and international corporations. The applications support core business operations ranging from supplier relationships to production to warehouse management, sales, and all administrative functions, through to customer relationships. The suite can address specific solutions for 25 industries, such as banking, insurance, chemicals, health care, retail, consumer products, and the public sector.

- SAP Business All-in-One solutions, the SAP Business ByDesign solution, and the SAP Business One application, which address the needs of small businesses and midsize companies.

- The SAP NetWeaver technology platform, which integrates information and business processes across diverse technologies and organizational structures.

- The SAP BusinessObjects portfolio with solutions for business users who need software for analyses, reports, and support in rapidly making strategic decisions, and for relief with administrative tasks. The SAP BusinessObjects portfolio also includes solutions for governance, risk, and compliance (GRC) management to help ensure that customers have the proper processes and controls in place to realize transparent GRC.

Let us look more closely at the SAP Business Suite and the SAP NetWeaver technology platform.


1.1 SAP Business Suite

The SAP Business Suite is a family of adaptive business applications that are based on the SAP NetWeaver platform.

From an application point of view, the SAP Business Suite consists of the SAP ERP Central Component (ECC) and the following Business Suite components:

- SAP ERP
- SAP Customer Relationship Management (CRM)
- SAP Product Lifecycle Management (PLM)
- SAP Supplier Relationship Management (SRM)
- SAP Supply Chain Management (SCM)

This portfolio is complemented by industry-specific solutions, which also run platform-independent. See Figure 1-1 for an overview of the SAP architecture.

Figure 1-1 SAP architecture overview (source: SAP AG)

In typical scenarios, a combination of the previously mentioned application components is used. Those landscapes consist of more than one SAP installation, each with its own database; the components cannot be installed into a single SAP ECC instance. As Java becomes more important and is used for new developments, both ABAP and Java components might be included. In such a case, at least two databases are installed.

To keep these environments manageable, SAP recommends using SAP Solution Manager, a centralized solution management toolset that facilitates technical support for distributed SAP systems, with functionality that covers solution deployment and operation, for example, to keep track of patch levels.


The SAP ERP (Enterprise Resource Planning) product has evolved considerably in the recent past. The original architecture, where the SAP R/3 product ran on the SAP Basis layer, has been changed to one in which ERP is now part of SAP ERP Central Component (ECC) and runs on the SAP NetWeaver Application Server (AS). Figure 1-2 summarizes the changes.

Figure 1-2 Evolution of SAP Architecture (source: SAP AG)

SAP ERP also includes four individual solutions that support key functional areas: SAP ERP Financials, SAP ERP Human Capital Management (HCM, also known as SAP HR), SAP ERP Operations, and SAP ERP Corporate Services.

1.2 SAP NetWeaver

SAP NetWeaver is a market branding for a range of software technology, applications, and platform components. The SAP NetWeaver family is built on two foundation technology stacks. These stacks are often referred to as SAP NetWeaver Application Server ABAP (AS ABAP) and SAP NetWeaver Application Server Java (AS Java). As the names suggest, the stacks are essentially application servers or platforms. The Advanced Business Application Programming (ABAP) stack is derived from the SAP R/3 heritage. The Java stack is a fully J2EE compliant application runtime container. All of the SAP business applications such as SAP ERP, SAP ECC, SAP CRM, and so on have components that rely on, and are deployed to, one or both of SAP AS ABAP and SAP AS Java.

The application server platforms provide many common infrastructure services, including security authentication, authorization, and user account management. Besides the application server, SAP NetWeaver also includes other runtime elements such as a portal and an integration layer for processes, information, and people.


Figure 1-3 provides a conceptual illustration of the SAP NetWeaver platform.

Figure 1-3 SAP NetWeaver technology capabilities (source: SAP AG)

1.2.1 SAP NetWeaver Application Server ABAP

SAP NetWeaver Application Server ABAP provides the development and runtime environment for ABAP-based applications. It also enables selected SAP Java applications to run in the same work process (VM Container).

All ABAP application servers, including the message server, represent the application layer of the multitier architecture of an ABAP-based SAP system. These application servers execute ABAP applications and communicate with the presentation components, the database, and also with each other, using the message server.

In addition to several work processes, whose number and type are determined at the startup of SAP NetWeaver AS ABAP and that run the actual ABAP programs, each ABAP application server contains a dispatcher, a gateway, and the shared memory.

The dispatcher distributes the requests to the work processes. If all the processes are occupied, the requests are stored in the dispatcher queue. The SAP Gateway provides the Remote Function Call (RFC) interface between the SAP instances (within an SAP system and beyond system boundaries).


1.2.2 SAP NetWeaver Application Server Java

SAP NetWeaver Application Server Java provides a Java 2 Enterprise Edition (J2EE) 1.5 (Java EE 5) compliant environment for developing and running Java EE programs.

An SAP AS Java standalone system consists of a database, the central services, and a Java instance. The central services run on one physical machine and are a special type of Java instance; they form the basis of communication and synchronization for the Java cluster. They consist of the message service and the enqueue service. Central services are always required when a Java cluster is installed, and they are identified by a system ID and an instance number (for example, C01). A Java instance is a unit in the SAP AS Java cluster that runs on one physical machine and consists of a Java dispatcher, which dispatches client requests to one of the servers, and one or several server processes that run the J2EE applications themselves; the instance is likewise identified by the system ID and an instance number.


    Chapter 2. SAP security and SAP user and

    role management conceptFrom the administration perspective, SAP application security is mainly implemented on thetechnology side with SAP NetWeaver. In this construct, the SAP NetWeaver-based SAPapplications can make use of the underlying security functionality. This is especially true foruser handling and application authorizations where the concept and use of roles play a vitalrole.

The administration of this implementation is organized around profiles and authorization objects. Authorizations, which are instances of authorization objects with concrete field values, are the lowest level of access granted to users and provide read, write and other access. They cannot be assigned directly to users; they are grouped in any combination into authorization profiles to provide the appropriate access to an application. Roles are containers for these authorizations (the Profile Generator creates the profile that belongs to a role), and at this level users are assigned the access granted by the role contents.

For an ABAP application user, a role corresponds to a set of transactions that the user can execute within an application, each of which in turn invokes a particular program.

Authorizations in Java are enforced in the User Management Engine (UME) using permissions, actions, and roles: an action is a collection of permissions, and actions are grouped together into roles. Applications define UME permissions in their Java code and use them for access control.


The relation of user, role, and permission is illustrated in Figure 2-1.

    Figure 2-1 SAP role and authorization hierarchy

To actually perform an operation in an SAP system, a user might need several authorizations. Basically, users can log on to the system if they have a user master record with a password. A user menu and authorizations are also assigned to the user master record through one or more roles. To create and assign authorizations in ABAP, the Profile Generator (transaction PFCG) is used to automatically generate and assign authorization profiles. The administrator can also create authorization profiles manually. The assignment of roles and profiles to a user record then happens through transaction SU01 for individual SAP systems and through Central User Administration (CUA) for multiple systems. For Java systems, the AS Java Visual Administrator (used only on Java stacks 6.40 and 7.00; in 7.10 and later it is replaced by SAP NetWeaver Administrator) or the UME configuration and identity management tool can be used to manage J2EE security roles or the user rights for resources of the AS Java.
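The hierarchy in Figure 2-1 is easier to reason about in code. The following is an added example, not code from this paper or from SAP: it models users, roles, generated profiles and authorizations in Python and implements the rule of the ABAP AUTHORITY-CHECK statement, which succeeds only if one single authorization for the checked object covers all requested field values at once (values spread over two authorizations do not combine). S_TCODE and S_USER_GRP are real SAP authorization objects with their real field names; the role, profile, user and user-group names are constructed sample data.

```python
"""Model of the SAP user -> role -> profile -> authorization hierarchy.

Added example (not from the IBM paper or from SAP). It reproduces the rule
behind ABAP's AUTHORITY-CHECK: a check on an authorization object succeeds
only if at least ONE authorization for that object satisfies ALL requested
field values at the same time. Role/profile/user/group names are constructed.
"""
from dataclasses import dataclass, field


def value_matches(granted: str, requested: str) -> bool:
    """SAP field-value semantics: '*' grants everything, a trailing '*' is a
    prefix pattern, anything else must match exactly."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


@dataclass
class Authorization:
    obj: str          # authorization object, e.g. S_TCODE
    fields: dict      # field name -> list of granted values

    def satisfies(self, requested: dict) -> bool:
        """All requested fields must be covered by this single authorization."""
        for name, wanted in requested.items():
            if not any(value_matches(g, wanted) for g in self.fields.get(name, [])):
                return False
        return True


@dataclass
class Profile:
    name: str
    authorizations: list = field(default_factory=list)


@dataclass
class Role:
    name: str
    profiles: list = field(default_factory=list)   # PFCG generates a profile per role


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

    def authority_check(self, obj: str, **requested) -> bool:
        """Equivalent of AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2 ..."""
        for role in self.roles:
            for profile in role.profiles:
                for auth in profile.authorizations:
                    if auth.obj == obj and auth.satisfies(requested):
                        return True
        return False


def sample_environment() -> User:
    """Constructed sample: a user administrator who may display any user group
    (ACTVT 03) but change (ACTVT 02) only users in group FINANCE."""
    user_admin_auths = [
        Authorization("S_TCODE", {"TCD": ["SU01", "SU10", "SUIM"]}),
        Authorization("S_USER_GRP", {"CLASS": ["*"], "ACTVT": ["03"]}),
        Authorization("S_USER_GRP", {"CLASS": ["FINANCE"], "ACTVT": ["02"]}),
    ]
    role = Role("Z_USER_ADMIN_FIN", [Profile("T-FIN0001", user_admin_auths)])
    return User("ADMIN01", [role])


if __name__ == "__main__":
    u = sample_environment()
    print("start SU01:", u.authority_check("S_TCODE", TCD="SU01"))
    print("change FINANCE users:", u.authority_check("S_USER_GRP", CLASS="FINANCE", ACTVT="02"))
    # CLASS '*' and ACTVT '02' live in different authorizations, so this is denied:
    print("change SUPER users:", u.authority_check("S_USER_GRP", CLASS="SUPER", ACTVT="02"))
```

The last check is the one that matters in practice: the administrator holds CLASS = * (in one authorization) and ACTVT = 02 (in another), yet cannot change users outside FINANCE, because the check is evaluated per authorization, not over the union of all field values the user has.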

The tools in Table 2-1 are available from SAP to perform native local user administration functions for SAP systems and applications.

Table 2-1 SAP user administration tools

SAP user administration - Description
Transaction SU01 - User maintenance
Transaction SU02 - Maintain authorization profiles
Transaction SU10 - Mass changes in user maintenance
Transaction PFCG - Role and authorization maintenance
Transactions SCUA and SU01 - Central User Administration (CUA)
Transaction SUIM - User Information System
Visual Administrator - SAP J2EE Engine user management using the Visual Administrator (a)
UME Console - User Management Engine (UME) administration console (Web-based)

a. The Visual Administrator is used only on Java stacks 6.40 and 7.00. It is no longer supported in 7.10 (and later) and is replaced by SAP NetWeaver Administrator (Web Dynpro-based UI).

To administer the user accounts on a certain SAP system, you have to know the system specifications, such as whether it is an ABAP or Java environment, and the system connection details (host name and address, SID), and you must have the authorization or administrative privileges to modify the user master record. For local user management these requirements apply to every SAP system and client. In total that can be a large number of systems, including test, training, development, QA, and production environments for every SAP ERP, BW, FI/CO, Portal, and so on. Figure 2-2 shows a sample deployment.

Figure 2-2 SAP user representation: sample deployment

Let us look more closely at the following items:

SAP NetWeaver AS ABAP User Repository
SAP NetWeaver AS Java User Repository: UME
SAP Central User Administration
SAP NetWeaver Identity Management
SAP BusinessObjects GRC management


    2.1 SAP NetWeaver AS ABAP User Repository

For SAP ABAP environments, there is the concept of multiple clients, which allows splitting an SAP system into multiple logical sub-systems (clients). This approach isolates the sub-systems so that they can be operated as separate business units, for example, with each customer mapped to exactly one client. All data in a system with multiple clients is located in a common database. An SAP solution can operate with multiple clients if each customer has exclusive access to its data in an installation with a shared system platform, database, and central services. The SAP system keeps separate master data for each client in client-dependent database tables, which are keyed by the client number. Only for client-independent objects and cross-client tables does a change in one client affect all other clients. All other data, such as the user master record, is client specific. The user administration function itself is an ABAP kernel service and is tightly integrated with ABAP process administration. The data resides on a database system consisting of a database management system (DBMS) and the database itself. The ABAP applications do not communicate directly with the database; instead, they use the kernel administration services, including the user and process services.

In a multi-client ABAP environment, a user who needs access to multiple clients must be configured separately in each client, even though the clients reside on the same physical system. This is done by running the transactions listed previously, such as SU01, for local user administration in each client and for each user master record.

    Multiple ABAP clients can be grouped as child systems for central administration of the userdata through a CUA master system.

The ABAP user repository, and also the CUA Central System, can be configured to synchronize with directory services through LDAP.

    2.2 SAP NetWeaver AS Java User Repository: UME

The SAP User Management Engine (UME) is the user repository and user administration environment for all SAP NetWeaver Application Server Java based applications. It can be configured to read and write user-related data from and to multiple data sources. The UME itself runs as a service in the J2EE Engine of the AS Java and is set up as the default user store of the J2EE Engine.

Alternatively, the UME can be configured to use another persistent user data source:

The SAP NetWeaver Application Server ABAP user repository can be used as the UME user repository in dual-stack implementations (ABAP and Java). Note that as of SAP Business Suite 7, you can no longer install dual-stack application systems.

The UME can be configured to use a Lightweight Directory Access Protocol (LDAP) directory server as the user persistence store.

    2.3 SAP Central User Administration

For user management of SAP NetWeaver Application Server ABAP-based applications, SAP provides tools in the form of transactions such as SU01 for user master record creation and maintenance. For large and complex environments, especially when spanning various business units, managing users and following company policies is difficult because each SAP instance and client has its own user repository (which in turn is necessary to gain access to specific SAP applications). To avoid duplicated effort, users can either be managed centrally or be synchronized across all instances. To achieve this on SAP ABAP systems, you can use the SAP module Central User Administration (CUA).

    Several SAP CUA characteristics include:

    It is available with SAP R/3 release 4.6.

It should be a separate SAP instance (CUA Central System or CUA Master) from the business systems, for the sole purpose of user administration for all other ABAP instances (CUA child systems). An existing systems management instance, such as SAP Solution Manager, can be used for this purpose.

    It uses a standard SAP ABAP transaction-based user interface.

CUA is based on the SAP Application Link Enabling (ALE) distribution model to connect the CUA master and child systems.

CUA data is distributed asynchronously between the application systems in an ALE environment.

    It requires that a person have an identical user ID on all managed instances.

CUA only works with SAP systems. However, the standard capability to synchronize user data with LDAP directories can be used in a CUA environment, too.

CUA only covers transaction SU01-like activities and synchronizes them with the target SAP systems. There are no additional approval workflows or identity processes defined.

    Before implementing CUA, decide about the following issues:

    Whether or not to enable local user management at the instance level

However, you may define, on a per-attribute basis, whether the attribute can be maintained centrally or locally, whether it is redistributed if changed locally, or whether it is initially set as a proposal.

    Whether SAP HCM should be used to drive user administration based on HR roles

Using CUA and HR for position-based user administration requires that CUA be carefully designed. In particular, the organization has to decide whether position-based role assignments should be managed decentrally (preferred) or centrally in the CUA master system.

However, a flexible environment in which users of several instances are managed centrally while local administrators keep full control over their instances cannot be achieved with CUA. Other reasons for not using CUA for certain SAP systems can include:

    Requirements for separate user IDs on specific SAP instances

    Local user administration required on certain SAP instances

    Use of different entitlements for user accounts for same user on multiple SAP systems

    Password synchronization

    Reduced complexity and staying flexible for future changes

    Workflow scenarios for user management involving the employees and the managers forcreation or approving requests

    Rule-based role assignments

    Integration with user management with non SAP systems

For these scenarios, a product such as IBM Tivoli Identity Manager can come into play, enabling you to integrate an existing CUA environment as well as SAP stand-alone systems.

As of SAP NetWeaver 7.00, the CUA module entered maintenance mode, which means that no further development or product enhancements will occur, but it is still available as a product and is fully supported. The SAP strategic product for maintaining multiple user records is SAP NetWeaver Identity Management, a product that was acquired from MaXware in 2007.

2.4 SAP NetWeaver Identity Management

With the introduction of the SAP NetWeaver Identity Management product, SAP closed a gap in its product portfolio by providing a tool that allows maintaining user information across SAP systems, including both ABAP and Java platforms. It also addresses the limitations of CUA listed previously. SAP NetWeaver Identity Management is offered as an additional installation alongside ABAP and UME local user administration and CUA. It also provides functionality to integrate third-party identity management tools and non-SAP applications. SAP offers SAP NetWeaver Identity Management services and interfaces for partners to implement solutions, enabling the integration of heterogeneous environments.

The basic components of SAP NetWeaver Identity Management are the Identity Center with the Identity Store, and the Virtual Directory Server, which provides the interfaces to third-party identity management vendors.

    2.5 SAP BusinessObjects GRC management

    With the acquisition of Virsa Systems in 2006, SAP started to consolidate its products aroundgovernance, risk, and compliance (GRC) management. Since 2008 all the related productsreside under the umbrella of the BusinessObjects business unit within SAP.

SAP BusinessObjects GRC is an integrated set of applications that can help to document and manage risks and controls across the enterprise. They can help to automate controls and also minimize the likelihood and impact of risks.

The SAP GRC portfolio includes tools for operational and financial risk management, access control, process control, global trade services, and environment, health, and safety management. In combination with enterprise identity management solutions, SAP GRC provides capabilities to define and verify policies and rules for the handling and compliance of identity data. As such, the SAP BusinessObjects Access Control application enforces separation of duties (SoD) across applications and prevents improper access to IT systems.

A GRC integration with Tivoli Identity Manager is described in 5.1.3, Tivoli Identity Manager adapter for SAP BusinessObjects Access Controls on page 26.


Chapter 3. SAP user management integration options and interfaces

    There are several methods for connecting or integrating with SAP back-end systems. Each ofthe application server platforms provides a graphical interface and API for user accountmanagement.

For the ABAP stack, transactions SU01, SU10, and PFCG enable management of user accounts and security roles and profiles. Information that is managed by these transactions is stored in the underlying SAP database.

On the Java stack, the User Management Engine (UME) provides the native user management functions for SAP. The UME provides an abstraction layer, enabling managed data to be persisted in a relational database, an LDAP directory, or an ABAP application server.

In summary, the connection methods shown in Table 3-1 come into play in the context of SAP user account management.


Table 3-1 SAP interfaces for user management

Interface - Description
BAPI - Business Application Programming Interfaces provide access to SAP business objects such as the user master record. BAPIs are implemented as RFC-capable function modules. SAP's user object and its BAPIs are defined in the Business Object Repository.
RFC - The Remote Function Call interface allows remote calls between SAP systems, or between an SAP and a non-SAP system.
J2EE Security API - Package com.sap.security.api is the Java API for SAP user management on NetWeaver AS Java and SAP NetWeaver Portal through the User Management Engine.
BC-USR-LDAP - Provides integration with SAP user repositories through the Lightweight Directory Access Protocol (LDAP): as persistence user store for the UME, and for user data synchronization of ABAP user master records, CUA, or SAP HCM (HR).
SPML - Service Provisioning Markup Language is an XML-based framework for UME-based user account management.
ALE/IDOC - Application Link Enabling implements BAPIs for distributed scenarios with asynchronous connections. Intermediate Documents (IDocs) are used to exchange data and information bi-directionally between SAP applications and non-SAP systems.
JCo - SAP Java Connector is an interface layer for Java programs to access SAP BAPIs/RFC connections.
GRC-AC-IDM - Web services provided by the SAP BusinessObjects Access Control product Compliant User Provisioning (CUP) enable the provisioning of user accounts and role assignments into SAP ABAP servers while ensuring compliance with policy rules and auditing requirements.
SAP NetWeaver Identity Services - Interface of the SAP NetWeaver Identity Management Virtual Directory Server; provides support for multiple inbound and outbound protocols: LDAP, SPML, Web services.

Let us have a closer look at the following details:

Business Application Programming Interfaces (BAPI)
Remote Function Calls (RFC)
Synchronous versus asynchronous integration


    3.1 Business Application Programming Interfaces (BAPI)

BAPIs are the standard SAP interfaces to exchange data between SAP components, and between SAP and non-SAP components. BAPIs can be used for asynchronous as well as synchronous integration.

BAPIs are remote-enabled function modules (called through Remote Function Call, RFC) that represent an object-oriented view of the SAP business objects stored in the Business Object Repository (BOR). The BAPI function module implements the corresponding method of the business object.

    For example, the RFC module BAPI_USER_GET_DETAIL implements the GetDetail()method for the business object USER.

    The business object USER contains user data, such as the logon data or address andcommunication data. It also contains a read-only reference to the AddressOrg businessobject.

User management BAPIs are available for the following tasks:

User inquiry: BAPI_USER_GETLIST (to obtain a list of users) and BAPI_USER_GET_DETAIL (to obtain detailed information about a user, including its role assignments and profile assignments)

Create users: BAPI_USER_CREATE1

Modify users: BAPI_USER_CHANGE

Delete users: BAPI_USER_DELETE

Set initial passwords: BAPI_USER_CHANGE with the change flag set in the PASSWORDX parameter and the new password in the PASSWORD parameter; BAPI_USER_CREATE1 also sets an initial password when the user is created

Lock and unlock users: BAPI_USER_LOCK / BAPI_USER_UNLOCK

Assign roles: BAPI_USER_ACTGROUPS_ASSIGN (1)

Delete role assignments: BAPI_USER_ACTGROUPS_DELETE

Assign profiles: BAPI_USER_PROFILES_ASSIGN (1)

Delete profile assignments: BAPI_USER_PROFILES_DELETE

(1) In a CUA environment, where role and profile assignments refer to a child system, other BAPIs are used: BAPI_USER_LOCACTGROUPS_READ, BAPI_USER_LOCACTGROUPS_ASSIGN, BAPI_USER_LOCPROFILES_ASSIGN.


For functionality that is not provided by standard SAP BAPIs, writing custom BAPI code in ABAP is possible. To load that code into an SAP system in a controlled manner, SAP provides the mechanism of transports. A transport is a specially formatted package consisting of several files that include the required information and the code itself to implement the new features. The transport import is organized through the Transport Management System (transaction STMS).

    3.2 Remote Function Calls (RFC)

A BAPI represents a method of a business object; the RFC-enabled function module is the actual functional code and the calling interface for ABAP programs. RFC enables remote clients to execute ABAP function modules.

For certain tasks, use plain RFC-enabled function modules instead of BAPIs. For example, you cannot use BAPI_USER_CHANGE to change a productive (as opposed to an initial) password. For this purpose, you can use the function module SUSR_USER_CHANGE_PASSWORD_RFC.
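The BAPI list in 3.1 and the password caveat above translate into the provisioning sequence below. This is an added example, not the IBM adapter's code and not SAP sample code. It uses the call style of the pyrfc binding of the SAP NetWeaver RFC SDK (conn.call("BAPI_NAME", PARAM=...) returning a dict of export parameters); because no SAP system is reachable offline, FakeAbapSystem is a constructed stand-in whose message numbers are made up. The parameter and field names (LOGONDATA, PASSWORD/PASSWORDX, ACTIVITYGROUPS with AGR_NAME and SUBSYSTEM, RETURN rows of type BAPIRET2, ISLOCKED) are those of the real BAPIs.

```python
"""Provisioning a user through the SAP user BAPIs and checking RETURN.

Added example (not the IBM adapter's code, not SAP sample code). The call style
conn.call("BAPI_NAME", PARAM=value) -> dict follows the pyrfc binding of the
SAP NetWeaver RFC SDK; FakeAbapSystem is a constructed offline stand-in.
"""

FAILURE_TYPES = {"E", "A"}   # BAPIRET2 message types: E = error, A = abort


class BapiError(RuntimeError):
    pass


def check_return(bapi, result):
    """BAPIs do not raise on failure: they fill the RETURN table (BAPIRET2 rows).
    Every caller must scan RETURN before trusting any other export."""
    for msg in result.get("RETURN", []):
        if msg["TYPE"] in FAILURE_TYPES:
            raise BapiError(f"{bapi}: {msg['ID']} {msg['NUMBER']} {msg['MESSAGE']}")
    return result


def create_user(conn, username, initial_password, last_name):
    # BAPI_USER_CREATE1 sets an *initial* password; USTYP A = dialog user,
    # GLTGB = valid-to date of the account
    return check_return("BAPI_USER_CREATE1", conn.call(
        "BAPI_USER_CREATE1", USERNAME=username,
        LOGONDATA={"USTYP": "A", "GLTGB": "99991231"},
        PASSWORD={"BAPIPWD": initial_password},
        ADDRESS={"LASTNAME": last_name}))


def reset_initial_password(conn, username, new_password):
    # BAPI_USER_CHANGE: new value in PASSWORD, the matching flag in PASSWORDX
    # marks the field as changed. This only resets an *initial* password; a
    # productive one needs SUSR_USER_CHANGE_PASSWORD_RFC instead (section 3.2).
    return check_return("BAPI_USER_CHANGE", conn.call(
        "BAPI_USER_CHANGE", USERNAME=username,
        PASSWORD={"BAPIPWD": new_password}, PASSWORDX={"BAPIPWD": "X"}))


def assign_roles(conn, username, roles, cua_child=None):
    """Standalone system: BAPI_USER_ACTGROUPS_ASSIGN with AGR_NAME rows.
    CUA master: BAPI_USER_LOCACTGROUPS_ASSIGN, each row also naming the child
    system (SUBSYSTEM). Both replace the complete role list, so pass the full
    desired set rather than a delta."""
    if cua_child is None:
        bapi, rows = "BAPI_USER_ACTGROUPS_ASSIGN", [{"AGR_NAME": r} for r in roles]
    else:
        bapi = "BAPI_USER_LOCACTGROUPS_ASSIGN"
        rows = [{"SUBSYSTEM": cua_child, "AGR_NAME": r} for r in roles]
    return check_return(bapi, conn.call(bapi, USERNAME=username, ACTIVITYGROUPS=rows))


def set_lock(conn, username, locked):
    bapi = "BAPI_USER_LOCK" if locked else "BAPI_USER_UNLOCK"
    return check_return(bapi, conn.call(bapi, USERNAME=username))


def current_state(conn, username):
    """Sorted role names and the local lock flag ('L'/'U') from BAPI_USER_GET_DETAIL."""
    d = check_return("BAPI_USER_GET_DETAIL",
                     conn.call("BAPI_USER_GET_DETAIL", USERNAME=username))
    return sorted(r["AGR_NAME"] for r in d["ACTIVITYGROUPS"]), d["ISLOCKED"]["LOCAL_LOCK"]


class FakeAbapSystem:
    """Constructed in-memory stand-in for an RFC connection to one ABAP system."""

    def __init__(self, cua_master=False):
        self.cua_master, self.users = cua_master, {}

    @staticmethod
    def _ret(t="S", number="000", text="OK"):
        return {"RETURN": [{"TYPE": t, "ID": "ZZ", "NUMBER": number, "MESSAGE": text}]}

    def call(self, bapi, **p):
        name, u = p.get("USERNAME"), self.users.get(p.get("USERNAME"))
        if bapi == "BAPI_USER_CREATE1":
            if u is not None:
                return self._ret("E", "001", f"User {name} already exists")
            self.users[name] = {"roles": [], "lock": "U"}
            return self._ret()
        if u is None:
            return self._ret("E", "002", f"User {name} does not exist")
        if bapi == "BAPI_USER_CHANGE":
            return self._ret()
        if bapi in ("BAPI_USER_ACTGROUPS_ASSIGN", "BAPI_USER_LOCACTGROUPS_ASSIGN"):
            if (bapi == "BAPI_USER_LOCACTGROUPS_ASSIGN") != self.cua_master:
                return self._ret("E", "003", f"{bapi} not valid on this system type")
            u["roles"] = list(p["ACTIVITYGROUPS"])      # the whole list is replaced
            return self._ret()
        if bapi in ("BAPI_USER_LOCK", "BAPI_USER_UNLOCK"):
            u["lock"] = "L" if bapi == "BAPI_USER_LOCK" else "U"
            return self._ret()
        if bapi == "BAPI_USER_GET_DETAIL":
            return {**self._ret(), "ACTIVITYGROUPS": u["roles"],
                    "ISLOCKED": {"LOCAL_LOCK": u["lock"]}}
        return self._ret("A", "004", f"{bapi} not modelled")
```

The point to take away is in check_return: a BAPI reports failure through its RETURN table rather than by raising, so an adapter that does not scan RETURN will report a user as provisioned when the system actually rejected the request. The CUA branch in assign_roles shows why the footnote in 3.1 matters: on a CUA master the role belongs to a child system, so the standalone BAPI is the wrong call and each row must carry the child system name; the fake models a master that refuses the standalone variant.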

    3.3 Synchronous versus asynchronous integration

The kind of integration to use with an SAP system to modify user account information depends on a number of criteria. Considerations include the programming language of the calling system, the SAP platform, and whether the request is inbound or outbound. The use of a specific interface also depends on whether the data should be exchanged synchronously or asynchronously.

To explain the alternatives, Table 3-2 shows the example of an SAP HCM/HR-driven identity feed.

Table 3-2 SAP HR feed alternatives

Data exchange - Description
1. Data export - SAP-triggered export of data to an external store, for example, a database, an LDAP directory, or a file.
2. RFC/BAPI access - An SAP RFC program that delivers the requested data per request.
3. ALE/IDOC - Remote access from an ALE destination to a queued IDoc that has been created for a pre-defined event or on a schedule.
4. IDOC through RFC request - The data is delivered through an IDoc when requested through an RFC program.
5. Direct access - Direct access to the SAP database.

Compared to the synchronous integration variants, the asynchronous alternatives provide the benefit that the exchange of data can be controlled much better by the SAP system, but they make it more difficult to debug a user provisioning workflow from the identity management perspective.

The alternatives in rows 1 - 4 provide the best separation of tasks and distinction between SAP and external processes; row 1 provides the best separation and row 3 provides the most control from the SAP point of view. The variant in row 5 provides the best real-time integration and does not require SAP expertise to set up if the integration is developed that way. Note, however, that direct database access bypasses the ABAP kernel's user and authorization services entirely, so the SAP authorization checks and change documents that apply to the other variants do not apply to it.


In many cases, the incremental approach is requested: deliver all changes that happened within a certain time period. That approach is difficult to implement because changes in SAP are often scheduled and take effect only at a definite time. For that reason, a daily feed is most feasible when, for example, IBM Tivoli Identity Manager accepts only the modified records.

Figure 3-1 shows an example of an SAP HR feed-based SAP ERP user account provisioning implementation. In this example, the HR data is exchanged asynchronously through ALE/IDOC by using IBM Tivoli Directory Integrator (TDI in the figure). IBM Tivoli Identity Manager (TIM in the figure) provides the approval workflow process and the provisioning policy for user provisioning to the target SAP system based on the information in the HR record, and creates or updates the SAP ERP user account synchronously.
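One way to implement the daily feed just described, as an added example that is not part of this paper or of the Tivoli Directory Integrator product: compare today's full HR extract with yesterday's snapshot and hand the identity manager only the records that are new, changed or terminated as of the run date, while leaving future-dated (scheduled) versions alone until their begin date is reached. The extract rows, field names, status values and dates are constructed; a real feed would take its rows from an HR IDoc or RFC extract as in Table 3-2.

```python
"""Daily HR feed delta that respects scheduled (future-dated) changes.

Added example, not from the IBM paper or from SAP. Rows, field names, status
values and dates are constructed; a real feed would read them from an extract.
"""
from datetime import date, timedelta

COMPARED_FIELDS = ("name", "position", "org_unit")


def _row(pernr, name, position, org_unit, status, begda):
    return {"pernr": pernr, "name": name, "position": position,
            "org_unit": org_unit, "status": status, "begda": begda}


# Constructed snapshots: one row per dated version of a personnel record;
# begda is the date from which that version is valid.
YESTERDAY_EXTRACT = [
    _row("00000001", "Ann Able", "Clerk", "FI", "active", date(2009, 1, 1)),
    _row("00000002", "Bob Baker", "Analyst", "FI", "active", date(2009, 6, 1)),
    _row("00000004", "Dee Dale", "Manager", "HR", "active", date(2008, 2, 1)),
    _row("00000005", "Eve Ellis", "Auditor", "FI", "active", date(2007, 9, 1)),
]
TODAY_EXTRACT = [
    _row("00000001", "Ann Able", "Clerk", "FI", "active", date(2009, 1, 1)),
    _row("00000002", "Bob Baker", "Analyst", "FI", "active", date(2009, 6, 1)),
    # promotion entered today but scheduled for next week:
    _row("00000002", "Bob Baker", "Senior Analyst", "FI", "active", date(2010, 3, 22)),
    _row("00000003", "Cid Cole", "Developer", "IT", "active", date(2010, 3, 15)),   # new hire today
    _row("00000004", "Dee Dale", "Manager", "HR", "active", date(2008, 2, 1)),
    _row("00000004", "Dee Dale", "Manager", "HR", "withdrawn", date(2010, 3, 15)),  # leaves today
    # 00000005 has been purged from the extract altogether
]


def effective_view(extract, as_of):
    """Collapse an extract with several dated versions per person to the one
    version valid on as_of: the latest row whose begda <= as_of."""
    view = {}
    for row in sorted(extract, key=lambda r: (r["pernr"], r["begda"])):
        if row["begda"] <= as_of:
            view[row["pernr"]] = row
    return view


def daily_delta(previous_extract, current_extract, as_of):
    """Compare what was effective yesterday with what is effective today and
    classify each personnel number as add, modify or terminate."""
    before = effective_view(previous_extract, as_of - timedelta(days=1))
    after = effective_view(current_extract, as_of)
    delta = {"add": [], "modify": [], "terminate": []}
    for pernr, row in after.items():
        old = before.get(pernr)
        was_active = old is not None and old["status"] == "active"
        if row["status"] != "active":
            if was_active:
                delta["terminate"].append(pernr)
        elif not was_active:
            delta["add"].append(pernr)
        elif any(row[f] != old[f] for f in COMPARED_FIELDS):
            delta["modify"].append(pernr)
    # records that vanished from the extract while still active yesterday
    for pernr, old in before.items():
        if pernr not in after and old["status"] == "active":
            delta["terminate"].append(pernr)
    return {kind: sorted(pernrs) for kind, pernrs in delta.items()}


if __name__ == "__main__":
    print(daily_delta(YESTERDAY_EXTRACT, TODAY_EXTRACT, date(2010, 3, 15)))
    # the scheduled promotion surfaces on its begin date even if the extract is unchanged:
    print(daily_delta(TODAY_EXTRACT, TODAY_EXTRACT, date(2010, 3, 22)))
```

Two properties of this approach are worth noting. Bob's future-dated promotion is carried in the extract on the day it is entered, but it is only emitted as a modification on the day it takes effect, which is exactly the scheduling problem the text describes with a "changed since" query. And a personnel number that simply disappears from the extract is treated as a termination, so a purge on the HR side does not leave an orphaned SAP account.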

    Figure 3-1 SAP HR triggered SAP user provisioning example

    In the following chapters we discuss the SAP integration options and capabilities through IBMTivoli Directory Integrator and IBM Tivoli Identity Manager in more detail.


Chapter 4. IBM Tivoli identity management and SAP

In this chapter, we describe the integration points and capabilities that are offered by IBM Tivoli Security software for identity management of an SAP environment.


    4.1 IBM Tivoli Identity Manager concept

Tivoli Identity Manager enables centralized management and administration of users within the IT environment of an enterprise. Management and administration functions that are provided by Tivoli Identity Manager include:

User account provisioning

User account password management

Account request approval workflows

Account recertification

User access role and group membership management

A large inventory of adapter components enables Tivoli Identity Manager to manage separate, distinct IT applications and resources within heterogeneous environments. Adapters are deployed as separate installable units within the infrastructure.

    4.2 Tivoli Identity Manager adapter concept

Adapters are the primary integration point that enables Tivoli Identity Manager to communicate with target IT systems and resources. Adapters translate Tivoli Identity Manager user account provisioning requests into specific actions on a target IT resource.

Adapters decouple Tivoli Identity Manager from the specific implementation concerns of a target IT resource and vice versa. Adapters typically leverage a remote-enabled API of the target resource when executing provisioning requests. Tivoli Identity Manager provides an adapter framework that assists in the development and deployment of adapters.

    The generalized adapter architecture is illustrated in Figure 4-1.

    Figure 4-1 General Tivoli Identity Manager adapter architecture


    4.3 Adapter operations

Ideally, Tivoli Identity Manager adapters support all of the provisioning operations that may be issued by the Tivoli Identity Manager server. These operations include:

    Add new user account.

    Modify existing user account.

    Delete existing user account.

    Suspend (lock) user account.

    Restore (unlock) user account.

    Change user account password.

    Search for one or more user accounts and return the account details.

Reconcile supporting attribute data values that may be selected when creating a provisioning request in Tivoli Identity Manager.

    Test connection to both the adapter and the target resource.

The ability of an adapter to support these operations depends significantly on the capabilities exposed and supported by the target resource and its API.

    4.4 Tivoli Directory Integrator adapter framework

The preferred framework for new adapter development is based on Tivoli Directory Integrator and the RMI Dispatcher. Communication between Tivoli Identity Manager and an adapter is based on Java Remote Method Invocation (RMI). Adapter implementations are embodied by Tivoli Directory Integrator AssemblyLines. AssemblyLines ideally use one or more Tivoli Directory Integrator connectors or function components to interface with the target resource, together with additional Java or JavaScript processing components.

Conventionally, each adapter operation is delegated to a specific AssemblyLine that specializes in a given operation type. The dispatcher loads Tivoli Directory Integrator AssemblyLine configurations, which are transferred from the Tivoli Identity Manager server to the dispatcher. AssemblyLine configurations are represented in an XML format. A single dispatcher instance can host multiple Tivoli Identity Manager adapter instances at runtime. The RMI provider is the peer component of the dispatcher, running in the Tivoli Identity Manager server.


Chapter 5. Tivoli identity management integration offerings for SAP

Tivoli security software offers various components and adapters designed to integrate and align with the primary identity management interfaces exposed by SAP.

Tivoli security offers integrations with SAP NetWeaver Application Server ABAP, the SAP NetWeaver Application Server Java User Management Engine (UME), and SAP BusinessObjects Governance, Risk, and Compliance (GRC) Access Controls.

The following Tivoli components and adapters enable identity management integration with SAP technologies:

    Tivoli Identity Manager adapter for SAP NetWeaver (SAP Certified)

    Tivoli Identity Manager adapter for SAP NetWeaver Application Server Java

    Tivoli Identity Manager adapter for SAP BusinessObjects Access Controls

    Tivoli Directory Integrator SAP NetWeaver Application Server ABAP Component Suite:

    Function component for SAP NetWeaver Application Server ABAP

    User Registry Connector for SAP NetWeaver Application Server ABAP

Human Resources/Business Object Repository Connector for SAP NetWeaver Application Server ABAP

ALE Intermediate Document (IDOC) Connector for SAP NetWeaver Application Server ABAP


5.1 Tivoli Identity Manager interoperability and integrations for SAP

    In this section, we describe the Tivoli Identity Manager adapters for SAP.

    5.1.1 Tivoli Identity Manager Adapter for SAP NetWeaver

The Tivoli Identity Manager Adapter for SAP NetWeaver allows the administration and provisioning of user accounts between Tivoli Identity Manager and SAP NetWeaver ABAP-based applications. This adapter is used to provision user accounts and access to SAP business application modules that are deployed on, or use the security infrastructure services of, the SAP ABAP server. The adapter has gained formal SAP integration certification. The adapter supports the following Tivoli Identity Manager provisioning operations:

    User account creation

    User account modification

    User account deletion

    User account suspension (lock)

    User account restoration (unlock)

    Retrieval of user account details

    Password management

    Retrieval of user supporting data, for example, role names that can be assigned to a user

Linking and retrieval of HR Infotype 0105 (Communication) subtypes to SAP HR personnel records. This is an optional feature and requires SAP HR modules to be installed on a system of the SAP environment.

The adapter enables administration of a significant subset of the user account attributes that can be natively managed using the SAP ABAP User Administration transaction SU01. The manageable attributes include:

    Basic user details, first and last name, country, department name, room number and floor

    Communication details, the language that is used to communicate, telephone number, faxnumber, and e-mail addresses

    SNC name

    Logon data, account validity, and user type

    Account defaults, logon language, output device, decimal notation, and date format

    CUA logical systems associated with the account

    Authorization roles, profiles and groups assignment

    License data associated with the user

Architecture overview

The adapter supports two distinct SAP architectural deployments. The adapter can be deployed against, and administer users directly on, a standalone SAP ABAP server. The standalone system manages its own user, role, and profile registry, and the adapter communicates directly with this standalone system. Figure 5-1 on page 25 illustrates the Tivoli Identity Manager adapter for the SAP ABAP standalone environment.


    Figure 5-1 Tivoli Identity Manager adapter for SAP NetWeaver for standalone ABAP

Alternatively, the adapter can be deployed against a Central User Administration (CUA) SAP architecture. The adapter dynamically determines whether the environment is CUA enabled; if it is, the adapter must be configured against the central CUA master server.

A CUA architecture manages all users from a central master SAP NetWeaver Application Server ABAP system. This master system is assigned child systems. Generally, the master system forwards user administration request actions to the child systems, for example, create user X on child system A. It is also possible for certain actions to flow in the reverse direction, from a child system to the master system. This ensures that user account information is synchronized between the central master system and the child systems within the CUA environment.

Figure 5-2 provides a general architectural overview of the adapter when configured into a CUA environment.

    Figure 5-2 Tivoli Identity Manager adapter for SAP NetWeaver for CUA

The adapter relies on BAPI and Remote Function Call (RFC) to communicate with an SAP ABAP server and does not need to be deployed on the SAP ABAP server itself.

    5.1.2 Tivoli Identity Manager Adapter for SAP NetWeaver Application ServerJava

Tivoli Identity Manager Adapter for SAP NetWeaver Application Server (AS) Java and Tivoli Identity Manager Adapter for SAP NetWeaver are complementary components. Tivoli Identity Manager Adapter for SAP NetWeaver AS Java, however, enables the management of user identities in the User Management Engine (UME) on the SAP AS Java server.

The Tivoli Identity Manager Adapter for SAP AS Java is deployed directly onto the SAP NetWeaver AS Java system as a J2EE Web application archive. This promotes a consistent J2EE deployment model and experience but does so at the cost of adapter functionality that is specific to Tivoli Identity Manager and that is normally provided by the Tivoli Identity Manager adapter framework. An additional consequence is that all user provisioning requests are executed directly against the UME itself, using the processing resources of the hosting application server. Figure 5-3 illustrates the architectural overview of the Tivoli Identity Manager adapter for SAP AS Java.

    Figure 5-3 Tivoli Identity Manager Adapter for SAP NetWeaver Application Server Java

    The adapter supports the following Tivoli Identity Manager provisioning operations:

    User account creation

    User account modification

    User account deletion

    User account suspension (lock)

    User account restoration (unlock)

    Retrieval of user account details

    Password management

    Authorization roles and groups assignment

5.1.3 Tivoli Identity Manager adapter for SAP BusinessObjects Access Controls

The traditional focus of identity management and identity management tools, such as Tivoli Identity Manager, has been to address operational optimization of IT functions. A critical component of this is full life cycle management of systems and application accounts and access. Recent industry trends and evolution have expanded this focus to include concerns generically referred to as governance, risk, and compliance (GRC).


Arguably, a foundation of any successful GRC program and technology deployment is identity management supporting the following criteria:

    User account provisioning that enables auditing of account actions

Attestation and approval of system access and role assignments at the IT operational or business level

Enforcement of policies, at the time or point of account provisioning, designed to prevent occurrence of separation of duties (SoD) and other risk violations

IBM and SAP recognize the identity management foundation, and have collaboratively developed integration points between IBM Tivoli Identity Manager and SAP BusinessObjects Access Controls. The result is a Tivoli Identity Manager adapter that enables provisioning of SAP accounts through the SAP BusinessObjects Access Controls suite. Figure 5-4 illustrates the integration.

    Figure 5-4 Tivoli Identity Manager Adapter for SAP BusinessObjects Access Controls

The adapter converts Tivoli Identity Manager provisioning requests into SAP BusinessObjects Access Controls access requests. The adapter uses the SAP BusinessObjects Access Controls Web service interface to submit the access request. The Web service interface exposes the same features and functions as the Request submission page of the Compliant User Provisioning Web interface, shown in Figure 5-5 on page 28.


    Figure 5-5 Compliant User Provisioning Access Request form

After an access request has been submitted, the SAP BusinessObjects Access Controls workflow takes control of target system account provisioning. Approvers may exploit the risk analysis and remediation features of GRC Compliant Provisioning to modify the request prior to submitting their approval. After all workflow approvals have been accepted, GRC Compliant Provisioning will provision the account into the target SAP system.

    The Tivoli Identity Manager adapter for SAP GRC is able to submit the following accessrequests to SAP GRC Compliant User Provisioning:

New account

Modify account

Suspend account

Restore account

Delete account

Retrieve account

    5.2 Tivoli Directory Integrator with SAP

Tivoli Directory Integrator is a lightweight framework that enables simplified access and synchronization of data among disparate data sources and stores. It is primarily intended for identity related data integration, but is flexible enough for any type of data. It has a substantial catalogue of connectivity components for various data stores. Included in the catalogue is a suite of components and connectors for SAP NetWeaver Application Server ABAP based integration.


    5.2.1 Functional component for SAP NetWeaver Application Server ABAP

The Tivoli Directory Integrator SAP RFC Function Component enables a Tivoli Directory Integrator AssemblyLine to access SAP data by executing SAP ABAP code exposed by a Remote Enabled Function Module (RFC). RFCs are code modules implemented in SAP's ABAP programming language. RFCs can be invoked by external processes and other connected SAP servers. Depending on the requirements and design, an RFC module can read or write data into the SAP database. This point is significant, because SAP does not support access to its database other than through ABAP code modules. SAP does not support processes that directly access the underlying database tables. SAP supports an extensive range of RFC modules for all types of data. The Tivoli Directory Integrator RFC Function Component can invoke any of these standard or custom modules.

The RFC Function Component projects an XML representation of the RFC parameter interface into the Tivoli Directory Integrator AssemblyLine. The component dynamically retrieves the RFC interface metadata from SAP. The metadata is then used to parse and process the XML. After the RFC module has been invoked and resulting data returned from SAP, the interface metadata is again used to serialize the data into an XML format for AssemblyLine consumption.

To invoke an RFC using the function component, the AssemblyLine must create an XML document consisting of the RFC's import parameters. Import parameters can be simple or structured data types. The RFC might require the caller to supply table parameters, which are similar to arrays and may be required as input to the call. A generalized RFC XML request is shown in Example 5-1.

Example 5-1 Generalized RFC XML request representation

[Example body not recoverable: the XML element markup was stripped in extraction, leaving only the placeholder values.]

The RFC Function Component returns a similar XML format with the exception that the RFC's export and table parameters are present, as shown in Example 5-2 on page 30.


Example 5-2 Generalized RFC XML response representation

[Example body not recoverable: the XML element markup was stripped in extraction, leaving only the placeholder values.]
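The XML projection described above, worked as an added example that is not code from the RFC Function Component or any IBM product: a request with simple and structured import parameters plus a table parameter is serialised, and a response carrying export and table parameters is parsed back. The element names (rfc, import, export, tables, row), the PLACEHOLDER_ module names and the sample response are assumptions made for this example; the real component derives its element layout from the RFC interface metadata it retrieves from SAP.

```python
import xml.etree.ElementTree as ET


def _append_value(parent, name, value):
    """A dict becomes a structured element with one child per field; any other
    value becomes a simple element carrying the value as text."""
    element = ET.SubElement(parent, name)
    if isinstance(value, dict):
        for field, field_value in value.items():
            ET.SubElement(element, field).text = str(field_value)
    else:
        element.text = str(value)
    return element


def build_request(module, imports, tables=None):
    """Serialise an RFC request: import parameters (simple or structured) and
    optional table parameters, each given as a list of row dicts.
    Element names 'rfc', 'import', 'tables' and 'row' are assumptions."""
    root = ET.Element("rfc", name=module)
    import_node = ET.SubElement(root, "import")
    for name, value in imports.items():
        _append_value(import_node, name, value)
    tables_node = ET.SubElement(root, "tables")
    for name, rows in (tables or {}).items():
        table = ET.SubElement(tables_node, name)
        for row in rows:
            _append_value(table, "row", row)
    return ET.tostring(root, encoding="unicode")


def _read_value(element):
    """Inverse of _append_value: children become a dict of fields, else text."""
    children = list(element)
    if children:
        return {child.tag: (child.text or "") for child in children}
    return element.text or ""


def parse_response(xml_text):
    """Parse a response into its export parameters and table parameters."""
    root = ET.fromstring(xml_text)
    response = {"name": root.get("name"), "export": {}, "tables": {}}
    export_node = root.find("export")
    if export_node is not None:
        response["export"] = {el.tag: _read_value(el) for el in export_node}
    tables_node = root.find("tables")
    if tables_node is not None:
        response["tables"] = {t.tag: [_read_value(row) for row in t]
                              for t in tables_node}
    return response


def rfc_messages(response, table="RETURN"):
    """(type, message) pairs from a message table; rows of type W or E are the
    ones a caller has to act on, as the Tivoli Identity Manager adapter does."""
    return [(row.get("TYPE", ""), row.get("MESSAGE", ""))
            for row in response["tables"].get(table, [])]


# Constructed sample response, not captured from a real SAP system: one
# structured and one simple export parameter, and one table parameter.
SAMPLE_RESPONSE = """<rfc name="PLACEHOLDER_GET_USER_DETAIL">
  <export>
    <ADDRESS><FIRSTNAME>Jane</FIRSTNAME><LASTNAME>Doe</LASTNAME></ADDRESS>
    <ALIAS>jdoe</ALIAS>
  </export>
  <tables>
    <RETURN><row><TYPE>W</TYPE><MESSAGE>Example warning</MESSAGE></row></RETURN>
  </tables>
</rfc>"""

if __name__ == "__main__":
    print(build_request("PLACEHOLDER_CREATE_USER",
                        {"USERNAME": "JDOE", "ADDRESS": {"FIRSTNAME": "Jane"}},
                        {"ROLES": [{"ROLE_NAME": "EXAMPLE_ROLE"}]}))
    print(rfc_messages(parse_response(SAMPLE_RESPONSE)))
```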

Although Tivoli Directory Integrator is an IBM Tivoli security product, the RFC Function Component can integrate with any security or non-security related data in SAP that is exposed through an RFC interface. It can be considered a low-level technology access component. It is suited to scenarios that require maximum control and flexibility of solution design. Use of this component typically requires the user to have some ABAP skill, and certainly enough knowledge and understanding of the RFC interfaces which are to be called.

    5.2.2 User Registry Connector for SAP NetWeaver Application Server ABAP

The Tivoli Directory Integrator User Registry Connector for SAP NetWeaver Application Server ABAP enables management and provisioning of SAP AS ABAP accounts. It supports the basic CRUD (create, read, update, delete) operations for ABAP user accounts and can be deployed in any of the following standard Tivoli Directory Integrator connector modes:

Add Only: For creating new ABAP user accounts

Update: For modifying ABAP user accounts

Delete: For removing ABAP user accounts

Lookup: For reading individual ABAP user account data

Iterator: For reading user account data for all users on an ABAP server

The connector integrates with SAP ABAP servers using SAP's RFC API and network protocol. The connector provisions ABAP user accounts by invoking the standard SAP Business APIs (BAPIs) for identity management. As a result, the connector does not require deployment of custom RFC ABAP code onto the target ABAP server.


The connector projects an XML representation of ABAP user account data into the Tivoli Directory Integrator AssemblyLine. For each connector mode, one or more XSLT style sheets transform and map parts of the user XML representation into RFC/BAPI calls. The connector uses the lower level Tivoli Directory Integrator RFC Function Component to execute the actual RFC call against the target ABAP server.

The User Registry Connector has much functional overlap with the Tivoli Identity Manager adapter for SAP NetWeaver in terms of pure provisioning capability. However, it is first and foremost a Tivoli Directory Integrator connector. It is intended for users who want to take more responsibility and gain flexible and customized control of provisioning of SAP ABAP accounts.

    5.2.3 HR/Business Object Repository Connector for SAP NetWeaver AS ABAP

The Tivoli Directory Integrator SAP Human Resources/Business Object Repository Connector (HR/BOR Connector) enables Tivoli Directory Integrator AssemblyLines to synchronously access any SAP Master Data. It does this by leveraging the synchronous Business API (BAPI) interfaces of the Business Object Repository (BOR). Among these interfaces are SAP HR BAPIs.

With such a wide range of possible SAP HR Infotype data attributes and BOR BAPI interfaces, the Tivoli Directory Integrator connector has been designed for flexibility and customization. The flexibility is delivered by strong reliance on XML and XSLT. The connector projects an XML representation of SAP BOR data into the Tivoli Directory Integrator AssemblyLine. The XML data is transformed by XSLT style sheets into BAPI calls which are executed on the target SAP ABAP server.

The default distribution of the Tivoli Directory Integrator SAP HR/BOR Connector ships with, and uses, XSLT style sheets that enable access and management of SAP HR Personnel Data defined by Infotype 0002. Infotype 0002 attributes are considered most relevant to identity management scenarios; however, it is acknowledged that other infotypes are also applicable. In these cases, users of the connector are able to define alternate XSLT style sheets that drive the connector to access and manage these data attributes.

The Tivoli Directory Integrator SAP HR/BOR Connector enables read and write access to data. When deployed in iterator mode, the connector can form the basis of an initial HR Feed bulk load into Tivoli Identity Manager. With sufficient AssemblyLine logic, the connector can also enable scheduled periodic update of HR identity data in Tivoli Identity Manager.

Depending on the BAPI interfaces available, the connector is able to support the connector modes in the following list (all modes listed are supported for default access to Infotype 0002 attributes):

Add Only: For creating business objects

Update: For modifying business objects

Delete: For removing business objects

Lookup: For reading individual business objects

Iterator: For reading business object instances of a given type

    5.2.4 IDOC Connector for SAP ERP and SAP NetWeaver AS ABAP

Tivoli Directory Integrator supports integration with SAP ABAP servers through the Application Link Enabling (ALE) Intermediate Document (IDOC) interface. This interface supports asynchronous event style access to SAP Master Data exposed through the BOR. ALE and IDOCs are traditional core technologies defined by SAP, and are supported by numerous SAP Master Data and application modules. Pushing data updates into an SAP ABAP server in the form of an IDOC data representation is possible. Also possible is for registered listeners to receive IDOC data as the result of a business event or data update originating in the ABAP server. Conceptually, IDOCs are hierarchical data structures representing the state of an SAP business object. The network transmission of IDOCs between two ALE partners is governed by SAP's Transactional RFC protocol. This protocol is layered on the standard RFC protocol and ensures IDOCs are delivered at least once, and are not lost during transmission.

The Tivoli Directory Integrator ALE IDOC Connector is able to receive IDOCs from an SAP ABAP server. It cannot send IDOCs to SAP. The connector registers its connection with the SAP gateway service. The connector enables Tivoli Directory Integrator to act as an external RFC server with respect to SAP. ALE distribution models defined on the SAP ABAP server describe and govern the relationship between two ALE partners. The Tivoli Directory Integrator ALE IDOC Connector may be configured as the destination, or receiving partner, in any ALE distribution model. The connector is able to receive and parse any IDOC message type. When an IDOC is received by the connector, the connector dynamically retrieves the IDOC schema metadata from SAP, and then converts the IDOC data into an XML representation. Other components in the Tivoli Directory Integrator AssemblyLine are responsible for parsing and processing the IDOC XML as required. The connector supports iterator mode only.

SAP has predefined ALE distribution models for SAP HR data. The HR distribution models allow HR partners to exchange IDOC message types named HRMD_A. IDOCs of this message type are capable of containing many HR Infotypes in a single instance. The traditional scenario for an HR distribution model is to enable the synchronization of employee information between head office and regional offices. In a typical example, organizational structure and planning would be performed at head office. These changes are pushed out to the regional office partners by ALE based on a configured distribution model. Hiring, data maintenance, and termination of employees would be performed in the regional offices. These changes are pushed into the head office by ALE. By defining the Tivoli Directory Integrator connector as a receiving partner, the possibility exists for a Tivoli Directory Integrator AssemblyLine to participate in these types of scenarios. From an identity management perspective, participating in HR life cycle scenarios enables integration points that can automate provisioning and de-provisioning of user accounts for employees.

Given the asynchronous model of ALE, this connector is an excellent fit for solutions that require SAP driven refresh of HR identity data. The connector could enable an HR Feed into Tivoli Identity Manager of updated identity data.

    5.3 IBM Tivoli Directory Server with SAP

The IBM Tivoli Directory Server integration is a certified integration with SAP (BC-USR-LDAP). The integration enables you to synchronize user account information between Tivoli Directory Server and the SAP NetWeaver Application Server ABAP user repository.

Tivoli Directory Server can also be configured to be used as the back-end data source for the SAP NetWeaver Application Server Java User Management Engine (UME). The advantage is that IBM Tivoli Access Manager can also be configured into the same directory server, thus sharing the same user details across the two applications.


This approach provides the advantage of not having to synchronize two directory servers when attempting to use Tivoli Access Manager to provide authentication and authorization functionality to the SAP back-end system. Figure 5-6 illustrates how this integration may be configured.

    Figure 5-6 Tivoli Directory Server integration with SAP

    5.4 Tivoli Identity Manager Adapter for SAP ABAP

The Tivoli Identity Manager Adapter for SAP ABAP is the predecessor to the Tivoli Identity Manager Adapter for SAP NetWeaver. It is currently supported by Tivoli Identity Manager development; however, no new features or enhancements will be incorporated into this adapter. The adapter is supported to SAP Basis version 7.00. New SAP Basis versions are not supported by this adapter. The adapter is functionally equivalent to the Tivoli Identity Manager Adapter for SAP NetWeaver. It allows the administration of users from Tivoli Identity Manager to SAP ABAP stacks.

Important: This adapter has been superseded by the Tivoli Identity Manager Adapter for SAP NetWeaver. The Tivoli Identity Manager Adapter for SAP ABAP is in maintenance mode and should not be used in any new deployments.

5.5 Tivoli Identity Manager Adapter for SAP NetWeaver

In this section, we describe the implementation details of the Tivoli Identity Manager Adapter for SAP NetWeaver and options for customization and extension.

5.5.1 Adapter architecture

The Tivoli Identity Manager Adapter for SAP NetWeaver is built on the RMI adapter framework. It is composed of AssemblyLines, which process each of the provisioning requests sent from Tivoli Identity Manager. The AssemblyLines use custom Tivoli Directory Integrator connectors and function components that are supplied as part of the adapter distribution package. The connectors and function components are driven by the configuration of multiple style sheets, which are responsible for formatting and handling RFC calls against the target SAP ABAP server.

The SAP Java Connector (JCo) API provides remote connectivity and access to the target SAP ABAP server. The connectors and function components of the adapter encapsulate the JCo API. The JCo API is a Java-based programming interface that provides standard function calls and remote network communications to SAP ABAP systems. The library is owned and managed by SAP, and because of licensing requirements, must be downloaded from SAP's support Web site (see footnote 1) prior to adapter deployment.

The adapter can be deployed without the need to deploy ABAP code modules or customizations on the target ABAP servers. However, there are often scenarios where functionality is required that is not available with a default installation. Three optional extension features are included with the adapter:

    Single sign-on password

A single sign-on password enables the adapter to set a productive password. By default, SAP allows the adapter to set an initial password for a user account. As a result, the user is prompted to change the password at the next logon.

HR Linking

This extension provides linking and retrieval of HR Infotype 0105 (Communication) sub-types between SAP HR personnel records and SAP user accounts. This extension requires SAP HR modules to be installed on a system in the SAP environment.

    Account lock management

This extension prevents the adapter from unlocking SAP accounts that have been locked by the local SAP administrator. This extension allows the adapter to unlock only accounts that have been locked because of failed login attempts. It is usually used in CUA deployments to prevent the adapter from unlocking accounts on a CUA child member server, where a local CUA child administrator may have locked the account.

Figure 5-7 illustrates the adapter architecture.

    Figure 5-7 Tivoli Identity Manager Adapter for SAP NetWeaver architecture

1 When you connect to the SAP support Web site, you must have an SAP user ID and password in place: http://service.sap.com/connectors

Connection management

Connections and communication between the Tivoli Identity Manager Adapter for SAP NetWeaver and SAP are managed by a layered Tivoli Directory Integrator connector design. As Figure 5-7 on page 34 shows, the user connector and the support data connector encapsulate instances of the RFC function component. The function component is the only layer within the architecture that interfaces directly with the JCo API. The JCo API abstracts the SAP librfc network API, which performs the actual network socket connections and communications. Communications between the adapter and SAP are based on the SAP RFC protocol. All variations of SAP connection configuration and connection establishment are supported by the Tivoli Directory Integrator SAP NetWeaver connectors, and are exposed and supported by the adapter.

The dispatcher is responsible for the life cycle of the Tivoli Directory Integrator connectors. SAP connection parameter information, defined in the SAP NetWeaver service configuration in Tivoli Identity Manager, is transferred between the Tivoli Identity Manager server and the dispatcher as required. The dispatcher initializes the connectors with the parameter details upon connector instantiation. As a consequence, the connectors attempt to establish and maintain a connection to the target SAP ABAP servers. Connection errors are reported to the Tivoli Identity Manager server.

    5.5.2 Add operation

Tivoli Identity Manager operations for adding new user account provisioning are handled by the add AssemblyLine of the Tivoli Identity Manager Adapter for SAP NetWeaver. Figure 5-8 illustrates the adapter execution in response to an add request from Tivoli Identity Manager.

    Figure 5-8 Tivoli Identity Manager Adapter for SAP NetWeaver add operation

The account attributes associated with the new account are sent from Tivoli Identity Manager. The dispatcher populates an input work entry and invokes the add AssemblyLine. An instance of the Tivoli Identity Manager SAP NetWeaver connector is deployed in add mode. Tivoli Directory Integrator passes the account attributes to the connector.


The following steps are then executed by the connector within the AssemblyLine (program code) when deployed with default settings and no Advanced Mapping configuration defined in the Tivoli Identity Manager service definition:

    1. Input entry is converted to an XML representation.

2. CUA status of the target SAP ABAP server is determined. The SUSR_ZBV_LANDSCAPE_GET RFC is called to make this determination. The result is cached.

3. If CUA is not enabled, the XSL transforms shown in Table 5-1 are applied in sequence to the input account XML data representation. If the XSL transformation result is not empty (that is, one or more input account attributes were matched), the resulting RFC request is executed.

    Table 5-1 Non CUA add XSL and RFC calls

4. If CUA is enabled, the XSL transforms shown in Table 5-2 are applied in sequence to the input account XML data representation. If the XSL transformation result is not empty (that is, one or more input account attributes were matched), the resulting RFC request is executed.

    Table 5-2 CUA add XSL and RFC calls

5. The result of each RFC call is cached before executing subsequent RFC calls. If any RFC call reports a warning, the connector populates a result work entry with a Tivoli Identity Manager warning status. If any RFC call reports an error, the connector populates a result work entry with a Tivoli Identity Manager failure status. All RFC messages are concatenated and returned to Tivoli Identity Manager.
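The five steps above as an added model in Python, not the adapter's own Java/XSLT code: the XSL style sheets of Tables 5-1 and 5-2 are stood in for by functions, the target server by a constructed stub, and every module name except SUSR_ZBV_LANDSCAPE_GET is a placeholder. It also assumes, because the text does not say, that later RFC calls still run after an earlier one reports a warning or an error.

```python
SUCCESS, WARNING, FAILURE = "success", "warning", "failure"

# Stand-ins for the XSL style sheets.  Each maps the account attributes to an
# RFC request (module name, parameters), or returns None when none of the
# attributes it handles is present, mirroring the empty transformation result
# that makes the connector skip that RFC call.  Module names other than
# SUSR_ZBV_LANDSCAPE_GET are placeholders, not SAP function modules.

def xsl_create_user(account):
    if "username" not in account:
        return None
    keys = ("username", "firstname", "lastname", "password")
    return ("PLACEHOLDER_CREATE_USER", {k: account[k] for k in keys if k in account})

def xsl_cua_systems(account):
    if not account.get("cua_systems"):
        return None
    return ("PLACEHOLDER_CUA_SYSTEM_ASSIGN",
            {"username": account["username"], "systems": account["cua_systems"]})

def xsl_assign_roles(account):
    if not account.get("roles"):
        return None
    return ("PLACEHOLDER_ASSIGN_ROLES",
            {"username": account["username"], "roles": account["roles"]})

NON_CUA_SEQUENCE = (xsl_create_user, xsl_assign_roles)                # Table 5-1
CUA_SEQUENCE = (xsl_create_user, xsl_cua_systems, xsl_assign_roles)   # Table 5-2


class AddOperation:
    """rfc_call(target, module, params) must return a dict with 'type'
    ('S', 'W' or 'E' for success, warning, error) and 'message'."""

    def __init__(self, rfc_call):
        self._rfc_call = rfc_call
        self._cua_status = {}          # step 2 result, cached per target

    def cua_enabled(self, target):
        if target not in self._cua_status:
            reply = self._rfc_call(target, "SUSR_ZBV_LANDSCAPE_GET", {})
            # Assumed reply shape: the stub marks a CUA central system with cua=True.
            self._cua_status[target] = bool(reply.get("cua"))
        return self._cua_status[target]

    def add(self, target, account):
        sequence = CUA_SEQUENCE if self.cua_enabled(target) else NON_CUA_SEQUENCE
        status, results = SUCCESS, []   # step 5: every RFC result is kept
        for transform in sequence:      # steps 3/4: transforms applied in order
            request = transform(account)
            if request is None:
                continue                # empty transform result: no RFC call
            module, params = request
            result = self._rfc_call(target, module, params)
            results.append((module, result))
            # Worst status seen wins; all messages are concatenated at the end.
            if result["type"] == "E":
                status = FAILURE
            elif result["type"] == "W" and status != FAILURE:
                status = WARNING
        return {"status": status,
                "calls": [module for module, _ in results],
                "message": "; ".join(r["message"] for _, r in results if r["message"])}


def demo_rfc_call(target, module, params):
    """Constructed stub standing in for the target SAP ABAP server."""
    if module == "SUSR_ZBV_LANDSCAPE_GET":
        return {"type": "S", "message": "", "cua": target == "CUA_MASTER"}
    if module == "PLACEHOLDER_CREATE_USER" and params["username"] == "EXISTS":
        return {"type": "E", "message": "User EXISTS already exists"}
    if module == "PLACEHOLDER_ASSIGN_ROLES" and "NO_SUCH_ROLE" in params["roles"]:
        return {"type": "W", "message": "Role NO_SUCH_ROLE does not exist"}
    return {"type": "S", "message": module + " ok"}
```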

    5.5.3 Modify operation

Tivoli Identity Manager operations for modifying existing user account provisioning are handled by the modify AssemblyLine of the Tivoli Identity Manager Adapter for SAP NetWeaver. Figure 5-9 on page 37 illustrates the adapter execution in response to a m