Identity Management for SAP System Landscapes: Configuration Guide

Document Version 1.2, April 2008

SAP NetWeaver Identity Management 7.0 SPS 2

SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany. T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

Copyright 2008 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Documentation on SAP Service Marketplace
You can find this documentation at service.sap.com/security

Typographic Conventions

Type Style: Represents

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

Text in angle brackets: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning

- Caution
- Example
- Note
- Recommendation
- Syntax

History of Changes

Version 1.2
- Provided information for connecting dual-stack systems to the Identity Center. For this case, connect the dual-stack SAP system to the Identity Center using the AS ABAP templates.
- Provided information for connecting a central user administration (CUA) to the Identity Center. Connect the CUA system to the Identity Center using the AS ABAP templates. Set the repository constant CUA_MASTER. Also see the other considerations that apply.
- Provided information about supporting time-dependent ABAP role assignments. See the considerations and prerequisites that apply.
- Provided instructions for updating the provisioning framework from SPS 1.
- Minor improvements made throughout the document.

Version 1.1
- Error fixed in HR attributes P0002-VORNA, SYHR_A_P0000_AF_HIREDATE, and SYHR_A_P0000_AF_HIREDATE.
- Changed the recommendation to deactivate the option for automatically creating new attributes, as this can lead to discrepancies due to minor mistakes such as typing errors. Therefore, deactivate this option and create the attributes used by the provisioning framework manually.
- The ABAP connector does support importing derived roles during the initial load. Derived roles are read and provisioned the same way as non-derived ones.
- Error fixed in AS Java repository constants for the provisioning, deprovisioning, and modifying user tasks.
- Included SNC configuration for connectors to AS ABAP.
- Minor improvements made throughout the document.
- Changed the title to reflect the content better. Previous title: Provisioning Framework for SAP Systems: Connectivity.

Version 1.0
- Original version

Contents

1 INTRODUCTION ... 1
1.1 Prerequisites ... 1
1.2 Limitations and Considerations ... 2

2 GETTING STARTED WITH THE PROVISIONING FRAMEWORK FOR SAP SYSTEMS ... 6
2.1 Overview ... 6
2.2 Rules and Recommendations ... 10

3 IMPLEMENTATION PROCESS ... 13
3.1 Importing the Provisioning Framework for SAP Systems ... 14
3.2 Adjusting Constants and Assigning Event Tasks ... 18
3.3 Selecting the Use Case to Implement ... 20
3.4 Setting up the Landscape ... 21
3.5 Performing the Initial Loads ... 35
3.6 Cleaning up the Collected Data ... 38
3.7 Scheduling the Update Jobs ... 39
3.8 Set Up User Interfaces for User Administration (Workflow) ... 39
3.9 Maintaining Business Roles ... 41
3.10 Provisioning ... 41
3.11 Next Steps ... 42

APPENDIX A: REPOSITORY CONSTANTS ... 45

APPENDIX B: MAPPING BETWEEN IDENTITY CENTER AND AS ABAP ATTRIBUTES ... 50

APPENDIX C: CONFIGURING THE VIRTUAL DIRECTORY SERVER ... 54

APPENDIX D: CONFIGURING THE SAP HCM SYSTEM ... 56
D.1 Creating the Query to Use for the Export ... 56
D.2 Specifying the Attribute Mapping Between the HR Fields and LDAP Synchronization ... 58
D.3 Creating an RFC Destination to Use for the LDAP Connector ... 60
D.4 Configuring the Parameters to Use for the Connection to the VDS ... 60
D.5 Maintain the Attribute Mappings ... 62
D.6 Export the Data ... 65

APPENDIX E: CONFIGURING THE ABAP CONNECTOR TO USE SNC ... 66
E.1 Downloading and Installing the SAP Cryptographic Library ... 67
E.2 Creating a Personal Security Environment ... 68
E.3 Creating Credentials ... 70
E.4 Exchanging the Public-Key Certificates ... 71
E.4.1 E