SAP NetWeaver® Identity Management Identity Center

Identity store schema - Technical reference

Version 7.2 Rev 14e

© 2014 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

© Copyright 2015 SAP AG. All rights reserved.

Preface

The product

SAP NetWeaver Identity Management Identity Center is a high-end identity management solution, capable of handling a large amount of repositories containing an unlimited amount of information. The Identity Center offers a robust, flexible and scalable high-availability solution for workflow, provisioning, data synchronization and joining for a large number of data repositories.

The reader

This manual is written for people who are implementing and/or maintaining the SAP NetWeaver Identity Management Identity Center, and others requiring a deeper understanding of the identity store schema.

Prerequisites

To get the most benefit from this manual, you should have the following knowledge:

Thorough knowledge of the Identity Center.

This document is written according to SAP NetWeaver Identity Management Identity Center version 7.2 SP10.

The manual

This document describes the schema definition in the SAP NetWeaver Identity Management Identity Center's identity store – the entry types and attributes contained in the identity store.

Table of contents

Introduction

Section 1: Entry types

Section 2: Attribute specifications

Section 3: User defined attributes

Section 4: Repository constants

Introduction

This document gives an overview of the schema definition in the SAP NetWeaver Identity Management Identity Center's identity store – the purpose is to document the existing entry types and attributes, their descriptions and use.

The identity store

The identity store stores the identity data according to a schema that consists of entry types and attributes. The entry types describe how the different identity-relevant objects are represented in the Identity Center. Each entry type has a number of attributes containing values for each entry of the specific entry type.

The identity store is the hub between all components in Identity Center. Provisioning is based on the identity data stored in the identity store. Workflow processing is based on this data as well. Business roles and privileges are stored here. Meta directory operations will keep the information up-to-date.

Properties of the identity store are:

Keep historical data and full audit to support compliance

Temporary attributes for tracking time critical values

Roles and privileges - time to live definable

Events on attributes trigger workflow tasks

Rollback of identity data

Section 1: Entry types

The identity store stores the identity data according to a schema that consists of entry types and attributes. The entry types are objects that describe how the different identity-relevant objects are represented in the Identity Center.

The entry types used are:

MX_APPLICATION

MX_ASYNC_REQUEST

MX_COMPANY_ADDRESS

MX_DYNAMIC_GROUP

MX_GROUP

MX_PENDING_VALUE

MX_PERSON

MX_PRIVILEGE

MX_REPORT

MX_ROLE

MX_SAML_PROVIDER

Entry type MX_APPLICATION

Description

This optional entry type holds the information about an application. It is one of the three entry types being used by Identity Services when performing its operations (the other two are MX_PERSON and MX_PRIVILEGE).

MX_APPLICATION can be used to organize the privileges by grouping them by application (the application level, which is only an informational level and does not represent any physical repository). An application can also have a link to a repository, but is otherwise only a way to organize the privileges.

Attributes

This entry type contains the following twelve attributes:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME No 7.2

MSKEYVALUE Yes 7.2

MX_APPLICATION_CATEGORY No 7.2

MX_APPLICATION_ID No 7.2

MX_APPLICATION_TYPE No 7.2

MX_AUDIT_FLAGS No 7.2

MX_ENTRYTYPE Yes 7.2

MX_MANAGER No 7.2

MX_OWNER No 7.2

MX_REPOSITORYNAME No 7.2

MXMEMBER_MX_PRIVILEGE No 7.2

Relations

One MX_APPLICATION object can reference multiple MX_PRIVILEGE objects, while one MX_PRIVILEGE object belongs to only one MX_APPLICATION object.

Special considerations

None.

Entry type MX_ASYNC_REQUEST

Description

The Identity Services solution makes use of the MX_ASYNC_REQUEST entry type and its attributes.

The imported Identity Services provisioning framework must be connected to the entry type MX_ASYNC_REQUEST in order to automatically process incoming requests.

Attributes

The following attributes are defined for this entry type:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME No 7.2

MSKEYVALUE Yes 7.2

MX_ACADEMIC_TITLE_1 No 7.2

MX_ADDRESS_CITY No 7.2

MX_ADDRESS_POBOX No 7.2

MX_ADDRESS_POBOX_POSTAL_CODE No 7.2

MX_ADDRESS_REGION No 7.2

MX_ADDRESS_STREETADDRESS No 7.2

MX_ASYNC_IDENTIFIER No 7.2

MX_ASYNC_MSKEYVALUE No 7.2

MX_ASYNC_OBJECTCLASS No 7.2

MX_ASYNC_ORIG_OPERATION No 7.2

MX_ASYNC_PRIVILEGE No 7.2

MX_ASYNC_REQUEST_ID No 7.2

MX_ASYNC_ROLE No 7.2

MX_AUDIT_FLAGS No 7.2

MX_CERTIFICATE No 7.2

MX_DEPARTMENT No 7.2

MX_ENTRYTYPE Yes 7.2

MX_FAX_PRIMARY No 7.2

MX_FIRSTNAME No 7.2

MX_INITIALS No 7.2

MX_LANGUAGE No 7.2

MX_LASTNAME No 7.2

MX_MAIL_PRIMARY No 7.2

MX_MANAGER No 7.2

MX_MOBILE_PRIMARY No 7.2

MX_OWNER No 7.2

MX_PAGER_ADDITIONAL No 7.2

MX_PASSWORD No 7.2

MX_PHONE_ADDITIONAL No 7.2

MX_PHONE_PRIMARY No 7.2

See also section The ASYNC attributes on page 63.

Relations

None.

Special considerations

None.

Entry type MX_COMPANY_ADDRESS

Description

This is the entry type for company address. It is nearly a 1:1 mapping of the COMPANY object in ABAP.

Attributes

This entry type has the following attributes defined:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME No 7.2

MSKEYVALUE Yes 7.2

MX_ADDRESS_BUILDING No 7.2

MX_ADDRESS_CHECKSTATUS No 7.2

MX_ADDRESS_CITY No 7.2

MX_ADDRESS_CITY_NO No 7.2

MX_ADDRESS_CO_NAME No 7.2

MX_ADDRESS_COMPANY_POSTAL_CODE No 7.2

MX_ADDRESS_COUNTRY No 7.2

MX_ADDRESS_DIFFERENT_CITY No 7.2

MX_ADDRESS_DIFFERENT_CITY_NO No 7.2

MX_ADDRESS_DISTRICT No 7.2

MX_ADDRESS_DISTRICT_NO No 7.2

MX_ADDRESS_FLOOR No 7.2

MX_ADDRESS_HOUSE_NO No 7.2

MX_ADDRESS_HOUSE_NO_SUPPLEMENT No 7.2

MX_ADDRESS_LANGUAGE No 7.2

MX_ADDRESS_NAME_1 No 7.2

MX_ADDRESS_NAME_2 No 7.2

MX_ADDRESS_NAME_3 No 7.2

MX_ADDRESS_NAME_4 No 7.2

MX_ADDRESS_NOTES No 7.2

MX_ADDRESS_POBOX No 7.2

MX_ADDRESS_POBOX_CITY No 7.2

MX_ADDRESS_POBOX_CITY_NO No 7.2

MX_ADDRESS_POBOX_COUNTRY No 7.2

MX_ADDRESS_POBOX_POSTAL_CODE No 7.2

MX_ADDRESS_POBOX_REGION No 7.2

MX_ADDRESS_POBOX_WITHOUT_NUMBER No 7.2

MX_ADDRESS_POSTAL_CODE No 7.2

MX_ADDRESS_REASON_DONT_USE_POBOX_ADDRESS No 7.2

MX_ADDRESS_REASON_DONT_USE_STREET_ADDRESS No 7.2

MX_ADDRESS_REGION No 7.2

MX_ADDRESS_REGION_GROUP No 7.2

MX_ADDRESS_ROOM_NO No 7.2

MX_ADDRESS_STREET_1 No 7.2

MX_ADDRESS_STREET_2 No 7.2

MX_ADDRESS_STREET_3 No 7.2

MX_ADDRESS_STREET_4 No 7.2

MX_ADDRESS_STREET_5 No 7.2

MX_ADDRESS_STREET_NO No 7.2

MX_ADDRESS_TAX_JURISDICTION_CODE No 7.2

MX_ADDRESS_TIME_ZONE No 7.2

MX_ADDRESS_TITLE No 7.2

MX_ADDRESS_TRANSPORT_ZONE No 7.2

MX_AUDIT_FLAGS No 7.2

MX_ENTRYTYPE Yes 7.2

MX_FAX_PRIMARY No 7.2 SP7

MX_MAIL_PRIMARY No 7.2 SP7

MX_MANAGER No 7.2

MX_OWNER No 7.2

MX_PHONE_PRIMARY No 7.2 SP7

MX_SEARCH_TERM_1 No 7.2

MX_SEARCH_TERM_2 No 7.2

MXMEMBER_MX_PERSON No 7.2

SAP_CHANGENUMBER No 7.2

Relations

One MX_COMPANY_ADDRESS object can reference multiple MX_PERSON objects, while one MX_PERSON object can reference only one MX_COMPANY_ADDRESS object.

Special considerations

None.

Entry type MX_DYNAMIC_GROUP

Description

This entry type is used to hold the dynamic group attributes. Dynamic groups were established to have a way of selecting people based on attribute values, for example title and location, or a combination of these.

A dynamic group can for example be used as a source in a To-pass, or as auto-member and constraints criteria on the MX_ROLE entry type.

Attributes

The attributes defined for this entry type are:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME Yes 7.2

MSKEYVALUE Yes 7.2

MX_AUDIT_FLAGS No 7.2

MX_DG_ATTRIBUTE No 7.2

MX_DG_AUTORESOLVE_INTERVAL No 7.2

MX_ENTRYTYPE Yes 7.2

MX_INACTIVE No 7.2

MX_MANAGER No 7.2

MX_OWNER No 7.2

MX_TARGET_AND No 7.2

MX_TARGET_DYNAMIC_GROUP No 7.2

MX_TARGET_ENTRY No 7.2

MX_TARGET_FILTER No 7.2

MX_TARGET_PRIVILEGE No 7.2

MX_TARGET_SUBTREE No 7.2

MXAC_ENTRY No 7.2

MXAC_MEMBERS No 7.2

MXMEMBER_MX_PERSON No 7.2

Relations

One MX_DYNAMIC_GROUP object can reference multiple MX_PERSON objects, and one MX_PERSON object can reference more than one MX_DYNAMIC_GROUP object.

Special considerations

The attributes MX_TARGET_AND, MX_TARGET_DYNAMIC_GROUP, MX_TARGET_ENTRY, MX_TARGET_PRIVILEGE and MX_TARGET_SUBTREE are for future use and are not in use in the current version.

The MX_TARGET_FILTER attribute is used to define the members of the dynamic group.

The members of a MX_DYNAMIC_GROUP are automatically added when the filter is resolved. Any users added manually to the dynamic group will be removed unless they satisfy the filter.

When using dynamic groups, please consider carefully the performance of the SQL statement used to resolve the group members. Extensive use of dynamic groups is not recommended due to their impact on performance.

See also section Dynamic group attributes on page 64.

Entry type MX_GROUP

Description

This entry type is used to hold a group hierarchy.

Attributes

The entry type holds the following attributes:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME Yes 7.2

MSKEYVALUE Yes 7.2

MX_AUDIT_FLAGS No 7.2

MX_AUTOPRIVILEGE No 7.2

MX_AUTOROLE No 7.2

MX_ENTRYTYPE Yes 7.2

MX_INACTIVE No 7.2

MX_MANAGER No 7.2

MX_NOTES_GROUP_GROUPTYPE No 7.2 SP5

MX_NOTES_GROUP_GROUPTYPE_DISPLAY No 7.2 SP5

MX_NOTES_GROUP_LISTNAME No 7.2 SP5

MX_NOTES_INACTIVE No 7.2 SP5

MX_NOTES_NOTEID No 7.2 SP5

MX_NOTES_OID No 7.2 SP5

MX_NOTES_UNID No 7.2 SP5

MX_OWNER No 7.2

MX_PRIVILEGES_EXISTS No 7.2

MXMEMBER_MX_GROUP No 7.2

MXMEMBER_MX_PERSON No 7.2

MXREF_MX_GROUP No 7.2

MXREF_MX_PRIVILEGE No 7.2

MXREF_MX_ROLE No 7.2

Relations

One MX_GROUP object can reference multiple MX_GROUP and MX_PERSON objects. One MX_PERSON object can reference more than one MX_GROUP object.

An MX_GROUP object can be referenced from MX_ROLE and MX_PRIVILEGE objects.

Special considerations

This entry type is used to hold a group hierarchy (the group and its members) and does not provide any inheritance.

Entry type MX_PENDING_VALUE

Description

This entry type is used to hold a value which may be added to the entry in the future, either as part of an approval process at a given time, or by a manual operation.

The MX_ENTRY_REFERENCE attribute holds the reference to the owner entry, while MX_ATTRIBUTE_NAME and MX_ATTRIBUTE_VALUE hold the values to be written to the entry when the MX_PENDING_VALUE is applied.

Attributes

This entry type contains the following attributes:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME No 7.2

MSKEYVALUE Yes 7.2

MX_AC_REQUESTID No 7.2 SP6

MX_AC_RESULT No 7.2 SP6

MX_APPROVAL_EXPIRY No 7.2 SP4

MX_APPROVAL_REASON No 7.2 SP1

MX_APPROVAL_TIMEOUT No 7.2 SP4

MX_APPROVALS No 7.2

MX_APPROVERS No 7.2

MX_ASSIGNER No 7.2

MX_ATTR_STATE No 7.2

MX_ATTRIBUTE_DELETE No 7.2

MX_ATTRIBUTE_NAME No 7.2

MX_ATTRIBUTE_VALUE No 7.2

MX_AUDIT_FLAGS No 7.2

MX_CTX No 7.2

MX_ENTRY_REFERENCE No 7.2

MX_ENTRYTYPE Yes 7.2

MX_ESCALATION_APPROVERS_1 No 7.2 SP4

MX_ESCALATION_APPROVERS_2 No 7.2 SP4

MX_ESCALATION_APPROVERS_3 No 7.2 SP4

MX_ESCALATION_TIMEOUT_1 No 7.2 SP4

MX_ESCALATION_TIMEOUT_2 No 7.2 SP4

MX_ESCALATION_TIMEOUT_3 No 7.2 SP4

MX_LINK_REFERENCE No 7.2

MX_MANAGER No 7.2

MX_MODIFY_BY No 7.2

MX_MODIFY_REASON No 7.2

MX_OPERATION No 7.2

MX_OPERATION_TASKID No 7.2 SP3

MX_OWNER No 7.2

MX_PRIV_GROUP_ATTR_OPERATION No 7.2

MX_PRIV_GROUPING_APPLICATION No 7.2

MX_PRIV_GROUPING_ATTR_VALUE No 7.2

MX_PRIV_GROUPING_GUID No 7.2

MX_PRIV_USERID No 7.2 SP3

MX_REASON No 7.2

MX_REPOSITORYNAME No 7.2

MX_VALIDATE_OPERATION No 7.2

MX_VALIDFROM No 7.2

MX_VALIDFROM_NEW No 7.2

MX_VALIDTO No 7.2

MX_VALIDTO_NEW No 7.2

Relations

The MX_PENDING_VALUE entry type uses the MX_ENTRY_REFERENCE attribute to reference the entry it belongs to.

Special considerations

When the date and time defined by MX_VALIDFROM occur, the values held by the attributes MX_ATTRIBUTE_NAME and MX_ATTRIBUTE_VALUE are written to the entry before the MX_PENDING_VALUE object is removed.

See also section Pending value object attributes on page 75.

Entry type MX_PERSON

Description

This entry type is used to store information about person objects.

Attributes

The attributes are:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME Yes 7.2

MSKEYVALUE Yes 7.2

MX_ACADEMIC_TITLE_1 No 7.2

MX_ACADEMIC_TITLE_2 No 7.2

MX_ACCESSIBILITYLEVEL No 7.2

MX_ACCOUNTING_NUMBER No 7.2

MX_ADDRESS_CITY No 7.2

MX_ADDRESS_COUNTRY No 7.2

MX_ADDRESS_POBOX No 7.2

MX_ADDRESS_POBOX_POSTAL_CODE No 7.2

MX_ADDRESS_POSTAL_CODE No 7.2

MX_ADDRESS_REGION No 7.2

MX_ADDRESS_STREETADDRESS No 7.2

MX_ADMIN_UNIT No 7.2

MX_APPROVALS No 7.2

MX_APPROVERS No 7.2 SP7

MX_ASSERTION_TICKET_ENABLED No 7.2 SP9

MX_ASSIGNMENT No 7.2 SP2

MX_AUDIT_FLAGS No 7.2

MX_AUTHQ_001 No 7.2

MX_AUTHQ_002 No 7.2

MX_AUTHQ_003 No 7.2

MX_AUTHQ_004 No 7.2

MX_AUTHQ_005 No 7.2

MX_AUTODELEGATE_MESSAGE No 7.2 SP6

MX_AUTODELEGATE_MSKEY No 7.2 SP6

MX_AUTOPRIVILEGE No 7.2

MX_AUTOROLE No 7.2

MX_AUTOROLE_DYNAMIC_GROUP No 7.2

MX_BIRTHNAME No 7.2

MX_CATT_TEST_STATUS No 7.2

MX_CERTIFICATE No 7.2

MX_CHANGEONFIRST No 7.2

MX_COMMUNICATION_LANGUAGE No 7.2

MX_COMMUNICATION_METHOD No 7.2

MX_COSTCENTER No 7.2

MX_CTX_AUTO_VALUES No 7.2

MX_DATEFORMAT No 7.2

MX_DEPARTMENT No 7.2

MX_DISABLED No 7.2

MX_ENCRYPTED_PASSWORD No 7.2

MX_ENTRYTYPE Yes 7.2

MX_FAILEDLOGIN No 7.2

MX_FAILEDRECOVER No 7.2

MX_FAVORITE_TASKS No 7.2

MX_FAX_ADDITIONAL No 7.2

MX_FAX_PRIMARY No 7.2

MX_FIRSTNAME No 7.2

MX_FS_ACADEMIC_TITLE_1_ID No 7.2

MX_FS_BP_PERSON_ID No 7.2

MX_FS_BUSINESS_AREA No 7.2

MX_FS_BUSINESS_AREA_ID No 7.2

MX_FS_CENTRALPERSON_ID No 7.2

MX_FS_COMPANY_CODE No 7.2

MX_FS_COMPANY_CODE_ID No 7.2

MX_FS_COST_CENTER No 7.2

MX_FS_COST_CENTER_ID No 7.2

MX_FS_CRM_BP_PERSON_NUMBER No 7.2

MX_FS_CRM_BP_ROLE_CAT_PERS No 7.2

MX_FS_EMPLOYEE_GROUP No 7.2

MX_FS_EMPLOYEE_GROUP_ID No 7.2

MX_FS_EMPLOYEE_SUBGROUP No 7.2

MX_FS_EMPLOYEE_SUBGROUP_ID No 7.2

MX_FS_EMPLOYMENT_STATUS No 7.2

MX_FS_EMPLOYMENT_STATUS_ID No 7.2

MX_FS_HCM_PERSONID_EXT No 7.2

MX_FS_IDENTITY_TYPE No 7.2

MX_FS_JOB No 7.2

MX_FS_JOB_ID No 7.2

MX_FS_ORGANIZATIONAL_UNIT No 7.2

MX_FS_ORGANIZATIONAL_UNIT_ID No 7.2

MX_FS_PERNR_IS_MANAGER No 7.2

MX_FS_PERSONNEL_AREA No 7.2

MX_FS_PERSONNEL_AREA_ID No 7.2

MX_FS_PERSONNEL_NUMBER No 7.2

MX_FS_PERSONNEL_NUMBER_OF_MANAGER No 7.2

MX_FS_PERSONNEL_SUBAREA No 7.2

MX_FS_PERSONNEL_SUBAREA_ID No 7.2

MX_FS_POSITION No 7.2

MX_FS_POSITION_ID No 7.2

MX_FS_SALUTATION_ID No 7.2

MX_FS_SCMEWM_PRR_ID No 7.2

MX_FS_SCMSNC_BP_ORG_ID No 7.2

MX_FS_SCMSNC_VISIBILITY_PROFILE No 7.2

MX_FS_SCMTMS_BP_ORG_ID No 7.2

MX_FS_SLCM_CAMPUS_ID No 7.2

MX_FS_SLCM_GRADUATION_STATUS No 7.2

MX_FS_SLCM_HOLDS No 7.2

MX_FS_SLCM_PRIMARY_ORG_UNIT_ID No 7.2

MX_FS_SLCM_PRIVACY_LEVEL No 7.2

MX_FS_SLCM_PROGRAM_TYPE No 7.2

MX_FS_SLCM_STATUS No 7.2

MX_FS_SLCM_STUDENT_GROUP No 7.2

MX_FS_SLCM_STUDENT_ID No 7.2

MX_FS_SOURCE_SYSTEM No 7.2

MX_FS_SRM_BP_ROLE_CAT_ORG No 7.2

MX_FS_SRM_BP_ROLE_CAT_PERS No 7.2

MX_FS_WORK_CONTRACT No 7.2

MX_FS_WORK_CONTRACT_ID No 7.2

MX_GRC_CHANGES_DETECTED No 7.2

MX_GRC_REQUESTS_FAILED No 7.2

MX_GRC_REQUESTS_OK No 7.2

MX_GRC_REQUESTS_PENDING No 7.2

MX_HCM_SYSUNAME No 7.2

MX_IDENTITY_CATEGORY No 7.2

MX_IDENTITYUUID No 7.2

MX_INACTIVE No 7.2

MX_INHOUSE_MAIL No 7.2

MX_INITIALS No 7.2

MX_JOB_FUNCTION No 7.2

MX_KERBEROS_ENABLED No 7.2 SP9

MX_KERBEROS_IDENTITY No 7.2 SP9

MX_LANGUAGE No 7.2

MX_LANGUAGE_COUNTRY No 7.2

MX_LANGUAGE_VARIANT No 7.2

MX_LASTMODIFIER No 7.2

MX_LASTMODTIME No 7.2

MX_LASTNAME No 7.2

MX_LOCKED No 7.2

MX_LOGINADDR No 7.2

MX_LOGINTIME No 7.2

MX_LOGON_TICKET_ENABLED No 7.2 SP9

MX_LOGONALIAS No 7.2

MX_MAIL_ADDITIONAL No 7.2

MX_MAIL_PRIMARY No 7.2

MX_MANAGER No 7.2

MX_MIDDLENAME No 7.2

MX_MOBILE_ADDITIONAL No 7.2

MX_MOBILE_PRIMARY No 7.2

MX_NAMCOUNTRY No 7.2

MX_NAME_ABBREVIATION No 7.2

MX_NAME_PREFIX_1 No 7.2

MX_NAME_PREFIX_2 No 7.2

MX_NAMEFORMAT No 7.2

MX_NICKNAME No 7.2

MX_NOTES_CERTIFIER_FILE No 7.2 SP5

MX_NOTES_CERTIFIER_PWD No 7.2 SP5

MX_NOTES_CLIENTTYPE No 7.2 SP5

MX_NOTES_COUNTRYCODE No 7.2 SP5

MX_NOTES_EXPIRATIONDATE No 7.2 SP5

MX_NOTES_FULLNAME No 7.2 SP5

MX_NOTES_IDFILE No 7.2 SP5

MX_NOTES_INACTIVE No 7.2 SP5

MX_NOTES_IN_VAULT No 7.2 SP9

MX_NOTES_MAILDOMAIN No 7.2 SP5

MX_NOTES_MAILFILE No 7.2 SP5

MX_NOTES_MAILSERVER No 7.2 SP5

MX_NOTES_MAILSYSTEM No 7.2 SP5

MX_NOTES_NOTEID No 7.2 SP5

MX_NOTES_OID No 7.2 SP5

MX_NOTES_OLD_PASSWORD No 7.2 SP5

MX_NOTES_OLDFULLNAME No 7.2 SP5

MX_NOTES_ORG No 7.2 SP5

MX_NOTES_ORGUNIT No 7.2 SP5

MX_NOTES_OWNER No 7.2 SP5

MX_NOTES_PATH_IDFILE No 7.2 SP5

MX_NOTES_POLICY No 7.2 SP5

MX_NOTES_REGFULLNAME No 7.2 SP5

MX_NOTES_ROAMINGSERVER No 7.2 SP5

MX_NOTES_SERVERNAME No 7.2 SP5

MX_NOTES_SHORTNAME No 7.2 SP5

MX_NOTES_UNID No 7.2 SP5

MX_NUMBERFORMAT No 7.2

MX_OWNER No 7.2

MX_PAGER_ADDITIONAL No 7.2

MX_PAGER_PRIMARY No 7.2

MX_PARAMETER No 7.2

MX_PASSWORD No 7.2

MX_PASSWORD_DISABLED No 7.2

MX_PERSONUUID No 7.2

MX_PHONE_ADDITIONAL No 7.2

MX_PHONE_PRIMARY No 7.2

MX_PRINTERSETTINGS_SPDA No 7.2

MX_PRINTERSETTINGS_SPDB No 7.2

MX_PRINTERSETTINGS_SPLD No 7.2

MX_PRINTERSETTINGS_SPLG No 7.2

MX_PRIVILEGES_EXISTS No 7.2

MX_PRT_ADDITIONAL No 7.2

MX_PRT_PRIMARY No 7.2

MX_REFERENCE_USER No 7.2

MX_RML_ADDITIONAL No 7.2

MX_RML_PRIMARY No 7.2

MX_SALUTATION No 7.2

MX_SAML_ENABLED No 7.2 SP9

MX_SAML_MAPPING No 7.2 SP9

MX_SEARCH_TERM_1 No 7.2

MX_SEARCH_TERM_2 No 7.2

MX_SECONDNAME No 7.2

MX_SEMAPHORE No 7.2

MX_SNC_FLAG No 7.2

MX_SNC_NAME No 7.2

MX_SPML_CALLER_LANGUAGE No 7.2

MX_SPML_CALLER_MODIFIER No 7.2

MX_SPML_CALLER_SYSTEM No 7.2

MX_SSF_ADDITIONAL No 7.2

MX_SSF_PRIMARY No 7.2

MX_START_MENU No 7.2

MX_TIMEFORMAT No 7.2

MX_TIMEZONE No 7.2

MX_TITLE No 7.2

MX_TITLE_SUPPLEMENT No 7.2

MX_TLX_ADDITIONAL No 7.2

MX_TLX_PRIMARY No 7.2

MX_TRIGGER_NOTIFICATION No 7.2

MX_TTX_ADDITIONAL No 7.2

MX_TTX_PRIMARY No 7.2

MX_URI_ADDITIONAL No 7.2

MX_URI_PRIMARY No 7.2

MX_USER_CATEGORY No 7.2

MX_USER_PARAMS No 7.2 SP9

MX_USER_PICTURE No 7.2 SP7

MX_USER_PREFS No 7.2

MX_USERTYPE No 7.2

MX_VALIDFROM No 7.2

MX_VALIDTO No 7.2

MX_WF_LOGIN_RUN_TASK No 7.2

MX_WF_MENU_APPROVALS No 7.2

MX_WF_MENU_CHANGEPWD No 7.2

MX_WF_MENU_HISTORY No 7.2

MX_WF_MENU_LOGOUT No 7.2

MX_WF_WELCOME_APPROVALS No 7.2

MX_WF_WELCOME_TASKS No 7.2

MX_WORKPLACE_BUILDING No 7.2

MX_WORKPLACE_FLOOR No 7.2

MX_WORKPLACE_FLOORPLAN_P No 7.2

MX_WORKPLACE_FUNCTION No 7.2

MX_WORKPLACE_ROOM No 7.2

MX_X400_ADDITIONAL No 7.2

MX_X400_PRIMARY No 7.2

MX_X509_ENABLED No 7.2 SP9

MX_X509_MAPPING No 7.2 SP9

MXREF_MX_COMPANY_ADDRESS No 7.2

MXREF_MX_DYNAMIC_GROUP No 7.2

MXREF_MX_GROUP No 7.2

MXREF_MX_PRIVILEGE No 7.2

MXREF_MX_ROLE No 7.2

SAP_CHANGENUMBER No 7.2

Relations

The MX_PERSON object can be referenced from the objects MX_COMPANY_ADDRESS, MX_DYNAMIC_GROUP, MX_GROUP, MX_PRIVILEGE and MX_ROLE.

Special considerations

None.

Entry type MX_PRIVILEGE

Description

This entry type is used to hold privileges.

Attributes

The entry type contains the following attributes:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME Yes 7.2

MSKEYVALUE Yes 7.2

MX_AC_ROLEID No 7.2 SP6

MX_AC_ROLETYPE No 7.2 SP6

MX_ACCESS_CONTROL No 7.2

MX_ADD_MEMBER_TASK No 7.2

MX_ADDMEM_DISABLE_POLICY No 7.2

MX_APPLICATION_ID No 7.2

MX_APPROVAL_TASK No 7.2

MX_APPROVALS No 7.2 SP7

MX_APPROVERS No 7.2

MX_ATTEST_ACTIVE No 7.2 SP9

MX_ATTEST_LASTDATE No 7.2 SP9

MX_ATTEST_NEXTDATE No 7.2 SP9

MX_ATTEST_TASK No 7.2 SP9

MX_ATTESTER No 7.2 SP9

MX_AUDIT_FLAGS No 7.2

MX_BUSINESS_AREA No 7.2 SP7

MX_CTX_AUTO_STRATEGY No 7.2

MX_CTX_CONDITIONAL No 7.2

MX_CTX_TYPE No 7.2

MX_DEL_MEMBER_TASK No 7.2

MX_DELMEM_DISABLE_POLICY No 7.2

MX_DEPROVISIONTASK No 7.2

MX_EDIT_ATTRIBUTES No 7.2

MX_EDIT_MEMBERSHIP No 7.2

MX_ENTRYTYPE Yes 7.2

MX_ESCALATION_APPROVERS_1 No 7.2 SP4

MX_ESCALATION_APPROVERS_2 No 7.2 SP4

MX_ESCALATION_APPROVERS_3 No 7.2 SP4

MX_ESCALATION_TIMEOUT_1 No 7.2 SP4

MX_ESCALATION_TIMEOUT_2 No 7.2 SP4

MX_ESCALATION_TIMEOUT_3 No 7.2 SP4

MX_GROUPING_DISABLED No 7.2

MX_HANA_ROLE_TYPE No 7.2 SP9

MX_INACTIVE No 7.2

MX_INHERIT No 7.2

MX_IS_ACCOUNT No 7.2

MX_LINK_EXPIRY_NOTIFICATION No 7.2

MX_MANAGER No 7.2

MX_MOD_VALIDITY_TASK No 7.2

MX_MODIFYTASK No 7.2

MX_MODIFYTASK_ATTR No 7.2

MX_OFFSET_ADD_MEMBER No 7.2

MX_OFFSET_LINK_EXPIRY No 7.2

MX_OFFSET_VALIDATE_ADD No 7.2

MX_OWNER No 7.2

MX_PRIVILEGE_TYPE No 7.2

MX_PROVISIONTASK No 7.2

MX_RBAC_DIRECT_PRIVILEGE No 7.2

MX_RBAC_REVERSE_PRIVILEGE No 7.2

MX_REPOSITORY_ADD_MEMBER No 7.2

MX_REPOSITORY_DEL_MEMBER No 7.2

MX_REPOSITORY_VALIDATE No 7.2

MX_REPOSITORYNAME No 7.2

MX_REQ_PRIV No 7.2

MX_REQ_PRIV_INTERVAL No 7.2

MX_REQ_PRIV_NOMASTER_TASK No 7.2

MX_REQ_PRIV_PCYADD_MISSING No 7.2

MX_REQ_PRIV_PCYADD_PENDING No 7.2

MX_REQ_PRIV_PCYADD_REMOVING No 7.2

MX_REQ_PRIV_TIMEOUT No 7.2

MX_SEMAPHORE No 7.2

MX_TARGET_ALL No 7.2

MX_TARGET_DYNAMIC_GROUP No 7.2

MX_TARGET_SELF No 7.2

MX_VALID_MEMBERS No 7.2

MX_VALIDATE_ADD_TASK No 7.2

MX_VALIDATE_DEL_TASK No 7.2

MX_VALIDATE_MOD_VALIDITY_TASK No 7.2

MX_VIEW_ATTRIBUTES No 7.2

MXAC_ENTRY No 7.2

MXAC_MEMBERS No 7.2

MXMEMBER_MX_GROUP No 7.2

MXMEMBER_MX_PERSON No 7.2

MXMEMBER_MX_ROLE No 7.2

MXREF_MX_APPLICATION No 7.2

MXREF_MX_ROLE No 7.2

Relations

One MX_PRIVILEGE object can reference multiple MX_GROUP, MX_PERSON and MX_ROLE objects. One MX_GROUP/MX_PERSON/MX_ROLE object can reference more than one MX_PRIVILEGE object.

An MX_PRIVILEGE object can be referenced from an MX_APPLICATION object.

Special considerations

Attributes MX_ACCESS_CONTROL, MX_EDIT_ATTRIBUTES, MX_EDIT_MEMBERSHIP, MX_TARGET_ALL, MX_TARGET_DYNAMIC_GROUP, MX_TARGET_SELF and MX_VIEW_ATTRIBUTES are for future use and are not in use at the present time.

Although the MX_GROUP_INHERITANCE attribute is an allowed attribute for the entry type MX_PRIVILEGE, it is not in use. It is replaced by MX_INHERIT.

The name of a privilege must be unique within the identity store (MSKEYVALUE). The recommended syntax is PRIV:<Application name>.

See also section Role and privilege attributes on page 89.

Entry type MX_REPORT

Description

Entry type MX_REPORT is the entry type for report requests.

Attributes

The entry type contains the following attributes:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME No 7.2

MSKEYVALUE Yes 7.2

MX_ENTRYTYPE Yes 7.2

MX_OWNER No 7.2

MX_REPORT_DATE No 7.2

MX_REPORT_DESTINATION No 7.2

MX_REPORT_ENTRY No 7.2

MX_REPORT_ERRORTEXT No 7.2

MX_REPORT_FILTERING No 7.2

MX_REPORT_FORMAT No 7.2

MX_REPORT_LANGUAGE No 7.2

MX_REPORT_LOCALE No 7.2

MX_REPORT_RESULT No 7.2

MX_REPORT_RESULT_REF No 7.2

MX_REPORT_SORTING No 7.2

See also section Report request attributes on page 88.

Relations

None.

Special considerations

None.

Entry type MX_ROLE

Description

The entry type MX_ROLE holds the role information.

Attributes

The entry type contains the following attributes:

Attribute Mandatory (Yes/No) Available as of SAP NetWeaver Identity Management version

DESCRIPTION No 7.2

DISPLAYNAME Yes 7.2

MSKEYVALUE Yes 7.2

MX_ADD_MEMBER_TASK No 7.2

MX_ADDMEM_DISABLE_POLICY No 7.2

MX_APPROVAL_TASK No 7.2

MX_APPROVALS No 7.2 SP7

MX_APPROVERS No 7.2

MX_ATTEST_ACTIVE No 7.2 SP9

MX_ATTEST_LASTDATE No 7.2 SP9

MX_ATTEST_NEXTDATE No 7.2 SP9

MX_ATTEST_TASK No 7.2 SP9

MX_ATTESTER No 7.2 SP9

MX_AUDIT_FLAGS No 7.2

MX_AUTOPRIVILEGE No 7.2

MX_BUSINESS_AREA No 7.2 SP7

MX_CTX_TYPE No 7.2

MX_DEL_MEMBER_TASK No 7.2

MX_DELMEM_DISABLE_POLICY No 7.2

MX_ENTRYTYPE Yes 7.2

MX_ESCALATION_APPROVERS_1 No 7.2 SP4

MX_ESCALATION_APPROVERS_2 No 7.2 SP4

MX_ESCALATION_APPROVERS_3 No 7.2 SP4

MX_ESCALATION_TIMEOUT_1 No 7.2 SP4

MX_ESCALATION_TIMEOUT_2 No 7.2 SP4

MX_ESCALATION_TIMEOUT_3 No 7.2 SP4

MX_EXCLUDEROLE No 7.2

MX_INACTIVE No 7.2

MX_LINK_EXPIRY_NOTIFICATION No 7.2

MX_MANAGER No 7.2

MX_MOD_VALIDITY_TASK No 7.2

MX_OFFSET_ADD_MEMBER No 7.2

MX_OFFSET_LINK_EXPIRY No 7.2

MX_OFFSET_VALIDATE_ADD No 7.2

MX_OWNER No 7.2

MX_RECONCILE_ALWAYS No 7.2

MX_RECONCILE_PENDING No 7.2

MX_REPOSITORY_ADD_MEMBER No 7.2

MX_REPOSITORY_DEL_MEMBER No 7.2

MX_REPOSITORY_VALIDATE No 7.2

MX_REPOSITORYNAME No 7.2

MX_ROLE_ALLOW_CHILD_CUTOFF No 7.2

MX_ROLE_ALLOWED_FOR No 7.2

MX_ROLE_ALLOWED_FOR_REVERSE No 7.2

MX_ROLE_AUTOASSIGN_TO No 7.2

MX_SEMAPHORE No 7.2

MX_VALIDATE_ADD_TASK No 7.2

MX_VALIDATE_DEL_TASK No 7.2

MX_VALIDATE_MOD_VALIDITY_TASK No 7.2

MXAC_ENTRY No 7.2

MXAC_MEMBERS No 7.2

MXMEMBER_MX_GROUP No 7.2

MXMEMBER_MX_PERSON No 7.2

MXMEMBER_MX_PRIVILEGE No 7.2

MXMEMBER_MX_ROLE No 7.2

MXREF_MX_PRIVILEGE No 7.2

MXREF_MX_ROLE No 7.2

See also section Role and privilege attributes on page 89.

Relations

One MX_ROLE object can reference multiple MX_GROUP, MX_PERSON, MX_PRIVILEGE and MX_ROLE objects. One MX_GROUP/MX_PERSON/MX_PRIVILEGE/MX_ROLE object can reference more than one MX_ROLE object.

Special considerations

The name of a role must be unique within the identity store (MSKEYVALUE). The recommended syntax is ROLE:<Role name>.

Entry type MX_SAML_PROVIDER

Description

This entry type is used to hold the information about the SAML providers in the landscape. The attribute MX_SAML_TARGET_SYSTEM holds the names of the repositories where the SAML provider is connected.

The entry type is available in the schema as of SAP NetWeaver Identity Management version 7.2 SP10.

Attributes

The entry type contains the following attributes:

| Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version |
|---|---|---|
| DESCRIPTION | No | 7.2 |
| DISPLAYNAME | No | 7.2 |
| MSKEYVALUE | Yes | 7.2 |
| MX_ENTRYTYPE | Yes | 7.2 |
| MX_SAML_TARGET_SYSTEM | No | 7.2 SP10 |

Relations

Each SAML provider is associated with one or more repositories through the attribute MX_SAML_TARGET_SYSTEM.

Special considerations

A connector may use this entry type and the link to the repository is used to determine to which systems the SAML ID should be provisioned (see the attribute MX_SAML_MAPPING on page 53).

Section 2: Attribute specifications

The schema contains a number of attributes holding information about each entry of the given entry type.

The following format for attribute description is used:

| Attribute name | Description | Type | # of values | ABAP mapping | Comments |
|---|---|---|---|---|---|
| <attribute name> | <short description of what the attribute describes> | <given in text> | <Single/Multivalue> | <ABAP attribute the given attribute is mapped to, if this mapping exists> | <comments or examples of attribute definition> |

Types used:
* String
* Boolean
* Numeric (i.e. Integer)
* Binary
* Date (Time)
* Task reference
* Entry reference
* Attribute reference
* Privilege reference
* Role reference

Boolean
The attribute value is presented as Boolean but stored as String.

Binary
The binary attribute value is used to hold binary data, for example a PDF report.

Date
Date, time or both. Always written in ISO 8601 format, i.e. YYYY-MM-DD or YYYY-MM-DDThh:mm:ss.

Task reference
The task reference can be defined in two ways: 1) TaskID (Numeric) or 2) Task GUID (String).

Attribute reference
The value is the name of the referenced attribute.

Privilege and role reference
These references are always defined by their MSKEY.

Entry reference
Always defined by its MSKEY. If the reference is to a container entry type, it is actually a reference to the defined entry type's members.

A container entry type is here an entry type that is able to have other entry types as members, for instance a group with persons as members. Examples are MX_(DYNAMIC_)GROUP, MX_ROLE, MX_PRIVILEGE etc.

Attributes needing further and deeper description are presented in their own sections.

Alphabetical list of attributes with ABAP mapping

This is the alphabetical list of attributes in the identity store that are used by the ABAP connector:

| Attribute name | Description | Type | # of values | ABAP mapping | Comments |
|---|---|---|---|---|---|
| DISPLAYNAME | User friendly name | String | Single | displayname | This attribute is used by IdM UI and Identity Center Management Console, and is displayed whenever showing a reference to the entry. |
| MSKEYVALUE | Unique entry identifier, which is also used for IdM UI login. | String | Single | logonuid | Default logon id. Must be unique in the identity store (across all entry types). For more information, see section describing MSKEYVALUE on page 68. |
| MX_ACADEMIC_TITLE_1 | Academic title | String | Single | AddressTitleAca1 | Language specific, CHAR4 field. Read customizing table (TSAD2): 100 0001 Dr.; 100 0002 Prof.; 100 0003 Prof. Dr.; 100 0004 B.A.; 100 0005 MBA; 100 0006 Ph.D. |
| MX_ACADEMIC_TITLE_2 | 2nd academic title | String | Single | AddressTitleAca2 | Language specific, CHAR4 field. Read customizing table (TSAD2): 100 0001 Dr.; 100 0002 Prof.; 100 0003 Prof. Dr.; 100 0004 B.A.; 100 0005 MBA; 100 0006 Ph.D. |
| MX_ACCESSIBILITYLEVEL | User accessibility level | Boolean | Single | WebAccessibility | Represented as 0 and 1. |
| MX_ACCOUNTING_NUMBER | Account number (id) | String | Single | LogondataAccnt | CHAR12. Freely selectable account name or number (entering a user's cost center or company code recommended). The user's system usage is assigned to this account if using the SAP accounting system. Always enter an account name or number if using the SAP accounting system, otherwise the user's usage will be assigned to a collective "No account" category by the accounting system. |
| MX_ADDRESS_BUILDING | Building code | String | Single | AddressBuildLong | |
| MX_ADDRESS_CHECKSTATUS | City file test status | String | Single | AddressChckstatus | CHAR1 field. Legal values: <space> not checked; C checked against city index; D differs from city index |
| MX_ADDRESS_CITY | City | String | Single | AddressCity | CHAR40 |
| MX_ADDRESS_CITY_NO | City code for city/street file | String | Single | AddressCityNo | CHAR12 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_CO_NAME | c/o | String | Single | AddressCOName | |
| MX_ADDRESS_COMPANY_POSTAL_CODE | Company postal code | String | Single | AddressPostlCod3 | For large customers. CHAR10 field – no further restrictions. |
| MX_ADDRESS_COUNTRY | Country key | String | Single | AddressCountryISO | Contains the ISO entry of the country (2-character) – ISO 3166. For more, see page 95. |
| MX_ADDRESS_DIFFERENT_CITY | Different city | String | Single | AddressHomeCity | |
| MX_ADDRESS_DIFFERENT_CITY_NO | City code | String | Single | AddressHomecityno | CHAR12 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_DISTRICT | District | String | Single | AddressDistrict | |
| MX_ADDRESS_DISTRICT_NO | District number | String | Single | AddressDistrctNo | CHAR8 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_FLOOR | Floor | String | Single | AddressFloor | |
| MX_ADDRESS_HOUSE_NO | House number | String | Single | AddressHouseNo | CHAR10 field. |
| MX_ADDRESS_HOUSE_NO_SUPPLEMENT | Supplement | String | Single | AddressHouseNo2 | |
| MX_ADDRESS_LANGUAGE | Language key | String | Single | AddressLanguISO | LANG1 field. Legal values: ISO 639. See page 95 for more. |
| MX_ADDRESS_NAME_1 | Name | String | Single | AddressName | |
| MX_ADDRESS_NAME_2 | Name 2 | String | Single | AddressName2 | |
| MX_ADDRESS_NAME_3 | Name 3 | String | Single | AddressName3 | |
| MX_ADDRESS_NAME_4 | Name 3 | String | Single | AddressName4 | |
| MX_ADDRESS_NOTES | Notes | String | Single | AddressAdrNotes | CHAR50 field – no further restrictions. |
| MX_ADDRESS_POBOX | PO box | String | Single | AddressPoBox | |
| MX_ADDRESS_POBOX_CITY | PO box city | String | Single | AddressPoBoxCit | |
| MX_ADDRESS_POBOX_CITY_NO | City PO box code | String | Single | AddressPboxcitNo | CHAR12 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_POBOX_COUNTRY | PO box country | String | Single | AddressPoboxCtry | CHAR3 field – ISO 3166 as legal values. For more, see page 95. |
| MX_ADDRESS_POBOX_POSTAL_CODE | PO box postal code | String | Single | AddressPostlCod2 | |
| MX_ADDRESS_POBOX_REGION | PO box region (Country, State, Province etc) | String | Single | AddressPoBoxReg | CHAR3 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_POBOX_WITHOUT_NUMBER | Flag: PO box w/o no | String | Single | AddressPoWONo | CHAR1 field – no further restrictions. |
| MX_ADDRESS_POSTAL_CODE | Postal code | String | Single | AddressPostlCod1 | |
| MX_ADDRESS_REASON_DONT_USE_POBOX_ADDRESS | PO Box address undeliverable flag | String | Single | AddressDontUseP | CHAR4 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_REASON_DONT_USE_STREET_ADDRESS | Street address undeliverable flag | String | Single | AddressDontUseS | CHAR4 – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_REGION | Region | String | Single | AddressRegion | |
| MX_ADDRESS_REGION_GROUP | Regional structure grouping | String | Single | AddressRegiogroup | CHAR8 – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_ROOM_NO | Room or apartment number | String | Single | AddressRoomNo | |
| MX_ADDRESS_STREET_1 | Street | String | Single | AddressStreet | |
| MX_ADDRESS_STREET_2 | Street 2 | String | Single | AddressStrSuppl1 | |
| MX_ADDRESS_STREET_3 | Street 3 | String | Single | AddressStrSuppl2 | |
| MX_ADDRESS_STREET_4 | Street 4 | String | Single | AddressStrSuppl3 | |
| MX_ADDRESS_STREET_5 | Street 5 | String | Single | AddressLocation | |
| MX_ADDRESS_STREET_NO | Street number | String | Single | AddressStreetNo | CHAR12 field. This is a number that the postal service of a country issues for all streets of the country, e.g. in a directory available on a CD. It is used to identify streets for enhanced check functionality. |
| MX_ADDRESS_TAX_JURISDICTION_CODE | Tax jurisdiction | String | Single | AddressTaxjurcode | CHAR15 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_TIME_ZONE | Time zone | String | Single | AddressTimeZone | |
| MX_ADDRESS_TITLE | Form-of-address key | String | Single | AddressTitle | CHAR4 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADDRESS_TRANSPORT_ZONE | Transportation zone to or from which the goods are delivered | String | Single | AddressTranspzone | CHAR10 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_ADMIN_UNIT | User group for authorization check – used for administrative tasks in ABAP. Defined on MX_PERSON | String | Single | companyid | CHAR12: Read system specific groups (548 in BCE) from table USGRP and/or language specific texts from USGRPT customizing table. If you assign a user to this group, you can distribute user maintenance tasks among several user administrators. The system administrator can assign the respective user administrator the right to create and change users in a group. Users that are not assigned to any of the groups can be maintained by all administrators. |
| MX_BIRTHNAME | Name at birth | String | Single | AddressBirthName | |
| MX_CATT_TEST_STATUS | CATT: Check Indicator | String | Single | DefaultsCattIndicator | CHAR1 field. Possible values: "X" or " " (domain for radio button applications (X or blank)). |
| MX_COMMUNICATION_LANGUAGE | Communication language key | String | Single | AddressLanguPISO | LANG1 field. Legal values: ISO 639. Use fix list of 240 entries of T002 system table. See page 95 for more. |
| MX_COMMUNICATION_METHOD | Comm. method (key) | String | Single | AddressCommType | CHAR3 field – no further restrictions. Usually a table with customer specific values (customizing table). |
| MX_COSTCENTER | Cost center | String | Single | DefaultsCostcenter | CHAR8 |
| MX_DATEFORMAT | User date format | String | Single | dateformat | CHAR1. Use fixed list in the Identity Center. Legal values: 1: DD.MM.YYYY; 2: MM/DD/YYYY; 3: MM-DD-YYYY; 4: YYYY.MM.DD; 5: YYYY/MM/DD; 6: YYYY-MM-DD; 7: GYY.MM.DD (Japanese Date); 8: GYY/MM/DD (Japanese Date); 9: GYY-MM-DD (Japanese Date); A: YYYY/MM/DD (Islamic Date 1); B: YYYY/MM/DD (Islamic Date 2); C: YYYY/MM/DD (Iranian Date). Domain XUDATFM. |
| MX_DEPARTMENT | Department | String | Single | department | CHAR40 |
| MX_ENCRYPTED_PASSWORD | Encrypted password used for password provisioning | String | Single | password | Used with MX_PASSWORD, if "Enable password provisioning" is selected in the "Password policy" tab of the identity store details pane in the Identity Center Management Console. Stored as a hexadecimal representation of the encrypted string |
| MX_FAX_ADDITIONAL | Additional fax numbers | String | Multi | additionalFaxes | |
| MX_FAX_PRIMARY | Primary fax number | String | Single | primaryFax | This attribute is available for entry types MX_ASYNC_REQUEST and MX_PERSON. As of version 7.2 SP7 it is available for entry type MX_COMPANY_ADDRESS to support SAP UI5 framework. |
| MX_FIRSTNAME | User first name | String | Single | firstname | |
| MX_FS_ACADEMIC_TITLE_1_ID | Identifier for Academic Title | String | Single | Part of ToSAPIdentityaddInfo | Language specific. Value is provided from HCM Titles in the Identity Center and map to ABAP attribute via script when provisioning customizing table. |
| MX_FS_BP_PERSON_ID | Person identifier for Business Partner | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_BUSINESS_AREA | Text for Business Area | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_BUSINESS_AREA_ID | Identifier for Business Area | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_CENTRALPERSON_ID | Identifier for Central Person | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_COMPANY_CODE | Text for Company Code | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_COMPANY_CODE_ID | Identifier for Company Code | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_COST_CENTER | Text for Cost Center | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_COST_CENTER_ID | Identifier for Cost Center | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_CRM_BP_PERSON_NUMBER | CRM Business partner number for person. Should correlate to MX_FS_BP_PERSON_ID | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_CRM_BP_ROLE_CAT_PERS | BP role category for a person | String | Multi | Part of ToSAPIdentityaddInfo | |
| MX_FS_EMPLOYEE_GROUP | Text for Employee Group | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_EMPLOYEE_GROUP_ID | Identifier for Employee Group | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_EMPLOYEE_SUBGROUP | Text for Employee Subgroup | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_EMPLOYEE_SUBGROUP_ID | Identifier for Employee Subgroup | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_EMPLOYMENT_STATUS | Text for Employment Status | String | Single | Part of ToSAPIdentityaddInfo | Used to detect deletions. LDAP entry will be deleted by HR. |
| MX_FS_EMPLOYMENT_STATUS_ID | Identifier for Employment Status | String | Single | Part of ToSAPIdentityaddInfo | Used to detect deletions. LDAP entry will be deleted by HR. |
| MX_FS_HCM_PERSONID_EXT | External person ID. Unique for an employee | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_IDENTITY_TYPE | Type of identity | String | Single | Part of ToSAPIdentityaddInfo | Employee |
| MX_FS_JOB | Text for job | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_JOB_ID | Identifier for job | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_ORGANIZATIONAL_UNIT | Text for Organizational Unit | String | Single | Part of ToSAPIdentityaddInfo | Long text. |
| MX_FS_ORGANIZATIONAL_UNIT_ID | Identifier for Organizational Unit Text | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_PERNR_IS_MANAGER | Triggers if a user assignment for management tasks is fine or not (calculated field) | Boolean | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_PERSONNEL_AREA | Text for personnel area | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_PERSONNEL_AREA_ID | Identifier for personnel area | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_PERSONNEL_NUMBER | Personnel number | String | Single | Part of ToSAPIdentityaddInfo | Employee number. |
| MX_FS_PERSONNEL_NUMBER_OF_MANAGER | Personnel number of next-level manager | String | Single | Part of ToSAPIdentityaddInfo | May be used in rules like "approve by next-level manager", which simplifies the workflows. |
| MX_FS_PERSONNEL_SUBAREA | Text for personnel sub-area | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_PERSONNEL_SUBAREA_ID | Identifier for personnel sub-area | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_POSITION | Text for position | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_POSITION_ID | Identifier for position | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SALUTATION_ID | Form-of-Address-Key | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SCMEWM_PRR_ID | Identifier for EWM Processor | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SCMSNC_BP_ORG_ID | Organization identifier for SNC Business Partner | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SCMSNC_VISIBILITY_PROFILE | SNC Visibility Profiles assigned to a user | Entry reference | Multi | Part of ToSAPIdentityaddInfo | |
| MX_FS_SCMTMS_BP_ORG_ID | Identifier of the Business Partner of type Organization (TSP), to which the identity has to be assigned to | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_CAMPUS_ID | Campus | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_GRADUATION_STATUS | Graduation status | String | Multi | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_HOLDS | All holds on the student | String | Multi | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_PRIMARY_ORG_UNIT_ID | Primary organizational unit of student | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_PRIVACY_LEVEL | Privacy level | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_PROGRAM_TYPE | Program type | String | Multi | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_STATUS | All statuses of student, e.g. graduation, alumnus etc | String | Multi | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_STUDENT_GROUP | Student group | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SLCM_STUDENT_ID | Student object ID | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_FS_SOURCE_SYSTEM | Source system | String | Single | Part of ToSAPIdentityaddInfo | Employees imported from the EG4 client 000 will have the value EG4000. |
| MX_FS_SRM_BP_ROLE_CAT_PERS | BP role category for an organization | String | Multi | Part of ToSAPIdentityaddInfo | |
| MX_FS_SRM_BP_ROLE_CAT_ORG | BP role category for a person | String | Multi | Part of ToSAPIdentityaddInfo | |
| MX_FS_WORK_CONTRACT | Text for contract | String | Single | Part of ToSAPIdentityaddInfo | Personnel assignment text. |
| MX_FS_WORK_CONTRACT_ID | Identifier for contract | String | Single | Part of ToSAPIdentityaddInfo | Personnel assignment |
| MX_IDENITITYUUID | Identity UUID | String | Single | identityuuid | For future use. |
| MX_INHOUSE_MAIL | Internal mail | String | Single | AddressInhouseMl | |
| MX_INITIALS | Initials | String | Single | AddressInitials | CHAR10 |
| MX_JOB_FUNCTION | A short description of the position. | String | Single | jobfunction | CHAR40. Not in use (replaced by MX_WORKPLACE_FUNCTION). |
| MX_LANGUAGE | User language | String | Single | locale | Exported fixed list of 41 entries of table T002 (Y7D client 000) system table. Values: ISO 639. For more, see page 95. |
| MX_LASTMODIFIER | MSKEY of the user that changed the entry (in ABAP) last | Entry reference | Single | LastmodifiedModifier | CHAR12 |
| MX_LASTMODTIME | The last date/time the user was changed (in ABAP) | Date (Time) | Single | LastmodifiedModdate and LastmodifiedModtime | |
| MX_LASTNAME | User last name | String | Single | lastname | |
| MX_LOCKED | Account is locked | Boolean | Single | islocked | When set, the logon is not possible. This attribute is not in use any more. Will be removed in future versions. |
| MX_LOGONALIAS | Alias for logon | String | Single | useralias | |
| MX_MAIL_ADDITIONAL | Additional e-mail addresses | String | Multi | additionalMails | |
| MX_MAIL_PRIMARY | Primary e-mail address | String | Single | primaryMail | This attribute is available for entry types MX_ASYNC_REQUEST and MX_PERSON. As of version 7.2 SP7 it is available for entry type MX_COMPANY_ADDRESS to support SAP UI5 framework. |
| MX_MIDDLENAME | 2nd forename | String | Single | AddressMiddlename | CHAR40 |
| MX_MOBILE_ADDITIONAL | Additional mobile numbers | String | Multi | additionalMobiles | |
| MX_MOBILE_PRIMARY | Primary mobile number | String | Single | primaryMobile | |
| MX_NAMCOUNTRY | Country for name format rule | String | Single | AddressNamCountry | Read system specific NamCountry (252 in BCE) from customizing table T005 and/or T005T SPRAS LAND1 LANDX |
| MX_NAME_ABBREVIATION | Short name | String | Single | AddressInitsSig | |
| MX_NAMEFORMAT | Name format | String | Single | AddressNameFormat | Read system specific NameFormat (10 in BCE) from customizing table T005N: LAND1 NAMEFORMAT. |
| MX_NAME_PREFIX_1 | Name prefix | String | Single | AddressPrefix1 | CHAR20, read customizing table (TSAD4). |
| MX_NAME_PREFIX_2 | 2nd name prefix | String | Single | AddressPrefix2 | Read customizing table (TSAD4). |
| MX_NICKNAME | Nickname/name used | String | Single | AddressNickname | |
| MX_NUMBERFORMAT | User number format | String | Single | numberformat | CHAR1, fixed list in the Identity Center. Legal values: <space>: 1.234.567,89; X: 1,234,567.89; Y: 1 234 567,89 |
| MX_PAGER_ADDITIONAL | Additional pager numbers | String | Multi | additionalPagers | |
| MX_PAGER_PRIMARY | Primary pager number | String | Single | primaryPager | |
| MX_PARAMETER | System specific parameter ID | String | Multi | parameter1 | Set/Get parameter id. Read system specific parameters from table TPARA (Paramid, Partext) (1751 in BCE000) customizing table. |
| MX_PASSWORD_DISABLED | User password is disabled | Boolean | Single | ispassworddisabled | Set-only. This attribute is currently not in use. |
| MX_PERSONUUID | Person UUID | String | Single | personuuid | Not in use by default. Potentially system-specific. Occurs in the initial load job and user provisioning tasks for Business Suite, but is commented out. |
| MX_PHONE_ADDITIONAL | Additional telephone numbers | String | Multi | additionalPhones | |
| MX_PHONE_PRIMARY | Primary telephone number | String | Single | primaryPhone | This attribute is available for entry types MX_ASYNC_REQUEST and MX_PERSON. As of version 7.2 SP7 it is available for entry type MX_COMPANY_ADDRESS to support SAP UI5 framework. |
| MX_PRINTERSETTINGS_SPDA | Delete after output | String | Single | DefaultsSpda | Print parameter 3. CHAR1 field. Values: H (Hold); D (Delete) |
| MX_PRINTERSETTINGS_SPDB | Print immediately | String | Single | DefaultsSpdb | Print parameter 2. CHAR1 field. Values: K (Keep); G (Go) |
| MX_PRINTERSETTINGS_SPLD | Spool: Output device | String | Single | DefaultsSpld | Read (client independent) Printers (7428 in BCE000) from table TSP03: PADEST (Spool: Output Device), PATYPE (Spool: Device type name), PASTANDORT (Spool: Location and naming of an output device). TSP03T: does not contain texts but Tray-Information |
| MX_PRINTERSETTINGS_SPLG | Print parameter 1 | String | Single | DefaultsSplg | CHAR1 field. |
| MX_PRT_ADDITIONAL | Additional printer address data | String | Multi | additionalPRT | add ABAP fields are combined into string value. |
| MX_PRT_PRIMARY | Primary printer address data | String | Single | primaryPRT | add ABAP fields are combined into string value. |
| MX_REFERENCE_USER | User reference | Entry reference | Single | ReferenceUser | Reference to MX_PERSON only. System specific user ids. |
| MX_RML_ADDITIONAL | Additional remote mail addresses | String | Multi | additionalRML | add ABAP fields are combined into string value. |
| MX_RML_PRIMARY | Primary remote mail address | String | Single | primaryRML | add ABAP fields are combined into string value. |
| MX_SALUTATION | Title | String | Single | salutation | Language specific. Read customizing table (TSAD3, TSAD3T) |
| MX_SEARCH_TERM_1 | Search term 1 | String | Single | AddressSort1(P) | |
| MX_SEARCH_TERM_2 | Search term 2 | String | Single | AddressSort2(P) | |
| MX_SECONDNAME | 2nd family name | String | Single | AddressSecondname | |
| MX_SNC_FLAG | SNC flag for permission of non-secured communications | Boolean | Single | SNCFlag | CHAR1 field. Only displayed if using Secure Network Communications. Represented as 0 and 1 (checkbox - X or blank). |
| MX_SNC_NAME | SNC printable name | String | Single | SNCName | CHAR255 field. Only displayed if using Secure Network Communications. |
| MX_SPML_CALLER_LANGUAGE | System language of the calling SPML request | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_SPML_CALLER_MODIFIER | Last modifier via SPML interface | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_SPML_CALLER_SYSTEM | System name and client of the calling SPML request | String | Single | Part of ToSAPIdentityaddInfo | |
| MX_SSF_ADDITIONAL | Additional SSF addresses | String | Multi | additionalSSF | add ABAP fields are combined into string value. |
| MX_SSF_PRIMARY | Primary SSF address | String | Single | primarySSF | add ABAP fields are combined into string value. |
| MX_START_MENU | Start menu | String | Single | DefaultsStartMenu | System specific. Read system specific start menus from table TSTC and/or language specific texts from TSTCT customizing table. |
| MX_TIMEFORMAT | User time format | String | Single | timeformat | Use fixed list in the Identity Center. Domain XUTIMEFM. Legal values: 0: 24 hour format (12:05:10); 1: 12 hour format (12:05:10 PM); 2: 12 hour format (12:05:10 pm); 3: Hours 0 to 11 (00:05:10 PM); 4: Hours 0 to 11 (00:05:10 pm) |
| MX_TIMEZONE | User time zone | String | Single | timezone | Use fixed list of 101 entries (Y7D client 000) of TTZZ system table. |
| MX_TITLE_SUPPLEMENT | Name supplement, e.g. noble title (key) | String | Single | AddressTitleSppl | CHAR4 field. Language specific. Read customizing table (TSAD5). |
| MX_TLX_ADDITIONAL | Additional telex addresses | String | Multi | additionalTLX | add ABAP fields are combined into string value. |
| MX_TLX_PRIMARY | Primary telex address | String | Single | primaryTLX | add ABAP fields are combined into string value. |
| MX_TTX_ADDITIONAL | Additional teletex addresses | String | Multi | additionalTTX | add ABAP fields are combined into string value. |
| MX_TTX_PRIMARY | Primary teletex address | String | Single | primaryTTX | add ABAP fields are combined into string value. |
| MX_URI_ADDITIONAL | Additional URI address data | String | Multi | additionalURI | add ABAP fields are combined into string value. |
| MX_URI_PRIMARY | Primary URI address data | String | Single | primaryURI | add ABAP fields are combined into string value. |
| MX_USER_CATEGORY | User category | String | Multi | groups | Table of groups (table of structure BAPIGROUPS). Read system specific groups (548 in BCE) from table USGRP and/or language specific texts from USGRPT customizing table. |
| MX_USERTYPE | User type | String | Single | securitypolicy | User types are defined as hard-coded values for the attributes (fixed list for ABAP and Java): A: Dialog = Java type "default"; B: System = Java type "technical"; C: Communication; L: Reference; S: Service; U: UME Service User |
| MX_VALIDFROM | Time when the entry is valid from | Date (Time) | Single | validfrom | UTC format. See page 76 for more. |
| MX_VALIDTO | Time when the entry is no longer valid | Date (Time) | Single | validto | UTC format. See page 76 for more. |
| MX_WORKPLACE_BUILDING | Building code | String | Single | AddressBuildingP | |
| MX_WORKPLACE_FLOOR | Floor | String | Single | AddressFloorP | |
| MX_WORKPLACE_FLOORPLAN_P | Workplace floor plan | String | Single | | For future use. |
| MX_WORKPLACE_FUNCTION | Function | String | Single | jobfunction | CHAR40. Replacing MX_JOB_FUNCTION. |
| MX_WORKPLACE_ROOM | Room number | String | Single | AddressRoomNoP | |
| MX_X400_ADDITIONAL | Additional X.400 attributes | String | Multi | additionalX400 | add ABAP fields are combined into string value. |
| MX_X400_PRIMARY | Primary X.400 address | String | Single | primaryX400 | add ABAP fields are combined into string value. |
| MXREF_MX_COMPANY_ADDRESS | Reference to entry type MX_COMPANY_ADDRESS | Entry reference (MX_COMPANY_ADDRESS) | Single | Company | See page 68 for more. |
| MXREF_MX_PRIVILEGE | Reference to entry type MX_PRIVILEGE | Entry reference (MX_PRIVILEGE) | Multi | roles/profiles | Tables of roles (table of structure BAPIAGR). Indirectly assigned ABAP roles. See page 68 for more. |

Alphabetical list of non-ABAP attributes

Here is the list of all non-ABAP attributes in the identity store, in alphabetical order.

| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| DESCRIPTION | Entry description | String | Single | Example: <All employees with Trondheim location.> |
| MX_AC_REQUESTID | Request identifier | String | Single | For more, see section describing the GRC attributes on page 66. |
| MX_AC_RESULT | Result | String | Single | For more, see section describing the GRC attributes on page 66. |
| MX_AC_ROLEID | Role identifier | String | Single | For more, see section describing the GRC attributes on page 66. |
| MX_AC_ROLETYPE | Role type | String | Single | For more, see section describing the GRC attributes on page 66. |
| MX_ACCESS_CONTROL | Entry used for access control | Boolean | Single | For future use – not in use at present time. |
| MX_ADD_MEMBER_TASK | Task to be executed when adding attribute value | Task reference | Single | This single-value task reference attribute holds a reference to a task which is executed when a member entry is added. For more information, see section describing the privilege and role assignment attributes on page 82 and approval attributes on page 58. |
| MX_ADDMEM_DISABLE_POLICY | Bitmap indicating which assignments to turn pending value generation and task execution off for | Numeric (Integer) | Single | Legal values: Bit 0 (0x1)=direct, Bit 1 (0x2)=inherited, Bit 2 (0x4)=via dynamic group (assignment). See section describing the role and privilege attributes on page 89 for more. |
| MX_ADDRESS_STREETADDRESS | Address | String | Single | This attribute is calculated from street address components. Calculate from ABAP attributes: AddressStreet + AddressHouseNo + AddressHouseNo2 + AddressStrSuppl1-3. |
| MX_APPLICATION_CATEGORY | Application category | String | Single | Attribute related to the Identity Services. The application category. Informative string. Examples: <DB>, <LDAP> |
| MX_APPLICATION_ID | Application identifier | String | Single | Attribute related to the Identity Services. The unique ID of the application, available for entry types MX_APPLICATION and MX_PRIVILEGE. It may later be used in the listprivileges command and/or other operations where filtering on the application is possible. Example: <App1>. |
| MX_APPLICATION_TYPE | Application type | String | Single | Attribute related to the Identity Services. The application type. Informative string – no predefined values. Examples: <MSSQL>, <Oracle>, <AD>, <ADAM>, <SunONE>, … |

| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_APPROVAL_EXPIRY | Holds the expiry of an approval (number of seconds until expiry) | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |
| MX_APPROVAL_REASON | Holds the reason why the request (approval) is either approved or declined | String | Single | For more, see section describing the approval attributes on page 58. |
| MX_APPROVAL_TASK | Approval task – a task reference from MX_ROLE or MX_PRIVILEGE | Task reference | Single | This attribute is replaced by MX_ADD_MEMBER_TASK. For more, see section describing the privilege and role assignment attributes on page 82 and approval attributes on page 58. |
| MX_APPROVAL_TIMEOUT | Holds the number of seconds until the approval times out | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |
| MX_APPROVALS | Approval attribute with approval information | String | Multi | Some approval values: `STATUS=DECLINED!!TASK=<42>!!AUDITID=<5143>!!APPROVER=<423>!!REASON=Don’t care` `STATUS=WAIT!!TASK=<32>!!AUDITID=<455>!!APPROVER=<0>!!REASON=` `STATUS=APPROVED!!TASK=<422>!!AUDITID=<534>!!APPROVER=<4>!!REASON=` Notice that there will be no line-breaks in the actual strings. For more, see page 59. This attribute should not be altered. |
| MX_APPROVERS | List of approvers of this entry, listed with their MSKEYs | Entry reference | Multi | For more, see page 60. |
| MX_ASSERTION_TICKET_ENABLED | SAP Assertion Ticket authentication | Boolean | Single | Authentication method. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_ASSIGNER | Reference to the user who assigned the role | Entry reference | Single | For more, see section describing the pending object attributes on page 75. |
| MX_ASSIGNMENT | Holds all the assignments for a given user, both roles and privileges. | Entry reference | Multi | Attribute defined for the MX_PERSON entry type. Only available to User Interface tasks. For more, see page 87. |
| MX_ASYNC_IDENTIFIER | Identifier of the ASYNC entry | String | Single | See section describing the ASYNC attributes on page 63. Example: <cn=John Parrot, ou=people, o=myorg> |
| MX_ASYNC_MSKEYVALUE | ASYNC entry unique identifier, MSKEYVALUE | String | Single | See section describing the ASYNC attributes on page 63. Example: <John Parrot> |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_ASYNC_OBJECTCLASS | ASYNC object classes | String | Multi | See section describing the ASYNC attributes on page 63. |
| MX_ASYNC_ORIG_OPERATION | ASYNC original operation | String | Single | See section describing the ASYNC attributes on page 63. Examples: <Add>, <Modify> |
| MX_ASYNC_PRIVILEGE | ASYNC privileges | String | Multi | See section describing the ASYNC attributes on page 63. Example: <Archive, Server_Room> |
| MX_ASYNC_REQUEST_ID | Identifier of the ASYNC request | String | Single | See section describing the ASYNC attributes on page 63. Examples: <112>, <00001134> |
| MX_ASYNC_ROLE | ASYNC roles | String | Multi | See section describing the ASYNC attributes on page 63. Examples: <ROLE:IT>, <ROLE:Employee> |
| MX_ATTEST_ACTIVE | Currently active attestation | Boolean | Single | See section describing the attestation attributes on page 64. |
| MX_ATTEST_LASTDATE | Last attestation initiated | Date (Time) | Single | See section describing the attestation attributes on page 64. |
| MX_ATTEST_NEXTDATE | Date for next attestation | Date (Time) | Single | See section describing the attestation attributes on page 64. |
| MX_ATTEST_TASK | Attestation task | Task reference | Single | See section describing the attestation attributes on page 64. |
| MX_ATTESTER | Attester | Entry reference | Single | See section describing the attestation attributes on page 64. |
| MX_ATTR_STATE | State of this attribute | Numeric (Integer) | Single | For more, see section describing the pending object attributes on page 75. Examples: <0>, <1> |
| MX_ATTRIBUTE_DELETE | Indicates deletion when applying pending value | Boolean | Single | See page 75 for more. |
| MX_ATTRIBUTE_NAME | Attribute name – reference to the attribute being stored in this pending value attribute | String | Single | For more, see section describing the pending object attributes on page 75. Examples: <MXREF_MX_ROLE>, <MX_TITLE> |
| MX_ATTRIBUTE_VALUE | Attribute value (the value being stored) | String | Single | Examples: <ROLE:IT>, <System Engineer> |
| MX_AUDIT_FLAGS | Attribute holds the numeric values of the audit flags | Numeric (Integer) | Multi | This attribute exists for all entry types. |
| MX_AUTHQ_001 | Password reset question 1 | String | Single | See page 73 for more. |
| MX_AUTHQ_002 | Password reset question 2 | String | Single | See page 73 for more. |
| MX_AUTHQ_003 | Password reset question 3 | String | Single | See page 74 for more. |
| MX_AUTHQ_004 | Password reset question 4 | String | Single | See page 74 for more. |
| MX_AUTHQ_005 | Password reset question 5 | String | Single | See page 74 for more. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_AUTODELEGATE_MESSAGE | Reason for automatic delegation | String | Single | For more, see section describing the approval attributes on page 58. |
| MX_AUTODELEGATE_MSKEY | User to automatically delegate to | Entry reference | Single | For more, see section describing the approval attributes on page 58. |
| MX_AUTOPRIVILEGE | Inherited privileges | Privilege reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. This attribute should not be altered. |
| MX_AUTOROLE | This attribute holds all the role assignments, both directly assigned and inherited | Role reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. This attribute should not be altered. |
| MX_AUTOROLE_DYNAMIC_GROUP | Roles assigned by dynamic group membership | Role reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. This attribute should not be altered. |
| MX_BUSINESS_AREA | Business area | String | Multi | This MX_PRIVILEGE and MX_ROLE attribute is a "Multi-select" presentation type and language dependent. It is used to display business area when requesting a role. The attribute is added to support SAP UI5 framework. |
| MX_CERTIFICATE | Certificate | String | Multi | |
| MX_CHANGEONFIRST | Password change | Boolean | Single | If the attribute is set the user has to change the password on next login. |
| MX_CTX | Reference to the context entry | Entry reference | Single | For more, see section describing the pending object attributes on page 75. |
| MX_CTX_AUTO_STRATEGY | Strategy for assigning auto-assigned context values | String | Single | For more, see section describing the assignment context attributes on page 61. |
| MX_CTX_AUTO_VALUES | Auto-assigned contexts for a user | Entry reference | Multi | For more, see section describing the assignment context attributes on page 61. |
| MX_CTX_CONDITIONAL | Context that must be present for a privilege to be assigned | Entry reference | Multi | For more, see section describing the assignment context attributes on page 61. |
| MX_CTX_TYPE | Context types handled by a role/privilege | String | Multi | For more, see section describing the assignment context attributes on page 61. |
| MX_DEL_MEMBER_TASK | Task to be executed when deleting attribute value | Task reference | Single | The attribute MX_DEL_MEMBER_TASK is a single-value task reference attribute which indicates that a task shall be executed when an attribute is removed. See section describing the privilege and role assignment attributes on page 82. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_DELMEM_DISABLE_POLICY | Bitmap indicating which removals to turn pending value generation and task execution off for | Numeric (Integer) | Single | Legal values: 0x1=direct, 0x2=inherited, 0x4=via dynamic group (assignment). For more, see section describing the role and privilege attributes on page 89. |
| MX_DEPROVISIONTASK | Task to perform de-provisioning | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_DG_ATTRIBUTE | Attribute identifiers used for resolving the dynamic group | Attribute reference | Multi | For more, see section describing the dynamic group attributes on page 64. Example: <MX_ENTRYTYPE>, <MX_ADDRESS_CITY> |
| MX_DG_AUTORESOLVE_INTERVAL | Number of seconds before the automatic resolve of the dynamic group | Numeric (Integer) | Single | For more, see section describing the dynamic group attributes on page 64. Examples: <NULL>, <1> (day), <20> (minutes) |
| MX_DISABLED | Entry is disabled | Boolean | Single | Attribute used only by MX_PERSON entry type. User is not able to login to IdM UI when disabled. For more, see page 93. |
| MX_EDIT_ATTRIBUTES | The following attributes are editable. No attributes are editable at default | Attribute reference | Multi | For future use – not in use at present time. |
| MX_EDIT_MEMBERSHIP | Allowed to edit the membership of groups and other container objects | Boolean | Single | For future use – not in use at present time. |
| MX_ENTRY_REFERENCE | Entry reference (MSKEY) | Entry reference | Single | Used in pending value object and holds a reference to the entry owning the attribute stored in MX_ATTRIBUTE_NAME. |
| MX_ENTRYTYPE | Type of entry | String | Single | <MX_ROLE>, <MX_PERSON> This attribute should not be altered. |
| MX_ESCALATION_APPROVERS_1 | Holds the first level escalation approvers | Entry reference | Multi | For more, see section describing approval attributes on page 58. |
| MX_ESCALATION_APPROVERS_2 | Holds the second level escalation approvers | Entry reference | Multi | For more, see section describing approval attributes on page 58. |
| MX_ESCALATION_APPROVERS_3 | Holds the third level escalation approvers | Entry reference | Multi | For more, see section describing approval attributes on page 58. |
| MX_ESCALATION_TIMEOUT_1 | Holds the timeout (in days) for level 1 escalation | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |
| MX_ESCALATION_TIMEOUT_2 | Holds the timeout (in days) for level 2 escalation | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |
| MX_ESCALATION_TIMEOUT_3 | Holds the timeout (in days) for level 3 escalation | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_EXCLUDEROLE | A list of roles that cannot be combined with the current role | Role reference | Multi | Valid only for the entry type MX_ROLE. For more, see section describing some of the role and privilege attributes on page 89. |
| MX_FAILEDLOGIN | Number of failed login attempts | Numeric (Integer) | Single | |
| MX_FAILEDRECOVER | Number of failed password reset attempts | Numeric (Integer) | Single | See page 74 for more. |
| MX_FAVORITE_TASKS | List of favorite tasks | Task reference | Multi | The attribute is used by the User Interface to display user's favorite tasks. |
| MX_GRC_CHANGES_DETECTED | GRC changes detected flag | Boolean | Single | See section describing the GRC attributes on page 66. |
| MX_GRC_REQUESTS_FAILED | Failed GRC requests | String | Multi | See section describing the GRC attributes on page 66. |
| MX_GRC_REQUESTS_OK | Successful GRC requests | String | Multi | See section describing the GRC attributes on page 66. |
| MX_GRC_REQUESTS_PENDING | Pending GRC requests | String | Multi | See section describing the GRC attributes on page 66. |
| MX_GROUP_INHERITANCE | Group inheritance | String | Single | Not in use (replaced by MX_INHERIT). |
| MX_GROUPING_DISABLED | Used to disable privilege grouping | Boolean | Single | See section describing the privilege assignment grouping attributes on page 79 for more. |
| MX_HANA_ROLE_TYPE | SAP HANA role type | String | Single | The attribute is used to distinguish between different SAP HANA role types (SAP HANA roles are mapped to privileges in the Identity Management). |
| MX_HCM_SYSUNAME | HCM System user name | String | Single | If the attribute is set, this value should be used as logon ID for the HCM system (proposal for MSKEYVALUE/account name if set). |
| MX_IDENTITY_CATEGORY | Category of the identity | Numeric (Integer) | Single | For more information, see page 94. |
| MX_INACTIVE | The entry is inactive when this attribute is set | Boolean | Single | An entry set to inactive is "invisible" to all tasks and jobs, unless explicitly defined that disabled entries shall be handled. User is also not able to login to IdM UI when inactive. For more, see page 94. |
| MX_INHERIT | Indicates how privileges are inherited in the role/group hierarchy | String | Single | Replacing MX_GROUP_INHERITANCE. For more, see section describing some of the role and privilege attributes on page 89. Examples: <One>, <Base>, <Sub> |
| MX_IS_ACCOUNT | Indicates whether a privilege is an account privilege or not. | Boolean | Single | Attribute used by SAP Provisioning Framework. |
| MX_KERBEROS_ENABLED | Kerberos authentication | Boolean | Single | Authentication method. Used by SAP Provisioning Framework (SAP HANA connector). |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_KERBEROS_IDENTITY | Kerberos ID | String | Single | External identity of the user. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_LANGUAGE_COUNTRY | Country for language | String | Single | Values: ISO 3166. For more, see page 95. |
| MX_LANGUAGE_VARIANT | Variant of the language | String | Single | Example: <Nynorsk>, <Bokmål> |
| MX_LINK_EXPIRY_NOTIFICATION | Notify about a link that is about to expire | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_LINK_REFERENCE | Reference to a link table | Numeric (Integer) | Single | Attribute on entry type MX_PENDING_VALUE. |
| MX_LOGINADDR | Client's IP address | String | Single | Not in use. |
| MX_LOGINTIME | Time of last login | Date (Time) | Single | Not in use. |
| MX_LOGON_TICKET_ENABLED | SAP Logon Ticket authentication | Boolean | Single | Authentication method. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_MANAGER | Manager of entry | Entry reference | Multi | |
| MX_MOD_VALIDITY_TASK | Modify validity task – used to perform a change in validity | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_MODIFY_BY | Information about who (MSKEY) modified this entry | String | Single | For more, see section describing the pending object attributes on page 75. |
| MX_MODIFY_REASON | Reason for modification | String | Single | For more, see section describing the pending object attributes on page 75. |
| MX_MODIFYTASK | Task to perform when privilege is modified | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_MODIFYTASK_ATTR | Attributes activating the modify task | Attribute reference | Multi | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_NOTES_CERTIFIER_FILE | Certifier file | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_CERTIFIER_PWD | Certifier password | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_CLIENTTYPE | Client type | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_COUNTRYCODE | Country code | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_EXPIRATIONDATE | Expiration date | Date (Time) | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_FULLNAME | Entry's full name | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_GROUP_GROUPTYPE | Lotus Notes group types | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_GROUP_GROUPTYPE_DISPLAY | Displayed Lotus Notes group types | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_NOTES_GROUP_LISTNAME | Group name | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_IDFILE | ID file | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_INACTIVE | Inactive user/group | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_IN_VAULT | User in vault | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILADDRESS | Entry's mail address | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILDOMAIN | Entry's mail domain | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILFILE | Entry's mail file | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILSERVER | IP address of the mail server | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILSYSTEM | Entry's mail system | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_NOTEID | Notes ID on the Lotus Domino server | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_OID | Originator ID | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_OLD_PASSWORD | Old password | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_OLDFULLNAME | Entry's full name before the name change | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_ORG | Entry's organization | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_ORGUNIT | Entry's organization unit | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_OWNER | Owner of the Lotus Notes object. | Entry reference | Multi | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_PATH_IDFILE | Local path to entry's ID file | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_POLICY | Server policy | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_REGFULLNAME | Entry's full name at registration | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_ROAMINGSERVER | Roaming server | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_SERVERNAME | Full server name | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_SHORTNAME | Entry's short name | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_UNID | Unified identifier | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_OFFSET_ADD_MEMBER | Offset for the add member task | Numeric (Integer) | Single | For more, see section describing the privilege and role assignment attributes on page 82. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_OFFSET_LINK_EXPIRY | Offset for the link expiry task | Numeric (Integer) | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_OFFSET_VALIDATE_ADD | Offset for the validate add task | Numeric (Integer) | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_OPERATION | The operation that the pending value object is created for | String | Single | For more, see section describing the pending value object attributes on page 75. |
| MX_OPERATION_TASKID | Task ID of the task defined on the pending value object to be executed for the given operation | String | Single | See section describing the privilege/role assignment grouping attributes on page 79 for more. |
| MX_OWNER | Owner(s) of the entry | Entry reference | Multi | See section describing the access control attributes on page 56 for more. |
| MX_PASSWORD | Identity Management User Interface (Workflow) login password | String | Single | Used for authentication in a previous version of the SAP NetWeaver Identity Management (version 7.0). Kept for backwards compatibility. Hashed according to the defined hashing algorithm in the Identity Center Management Console. |
| MX_PRIV_GROUP_ATTR_OPERATION | Attribute operation used by privilege grouping | Numeric (Integer) | Single | For more, see section describing the privilege assignment grouping attributes on page 79. |
| MX_PRIV_GROUPING_APPLICATION | Reference to application used by privilege grouping | Entry reference (MX_APPLICATION) | Single | For more, see section describing the privilege assignment grouping attributes on page 79. |
| MX_PRIV_GROUPING_ATTR_VALUE | Attribute value used by privilege grouping | String | Single | For more, see section describing the privilege assignment grouping attributes on page 79. |
| MX_PRIV_GROUPING_GUID | GUID set by privilege grouping | String | Single | For more, see section describing the privilege assignment grouping attributes on page 79. |
| MX_PRIV_USERID | Process information. An alternative to AuditID, when the AuditID is not available | String | Single | See section describing the privilege/role assignment grouping attributes on page 79 for more. |
| MX_PRIVILEGE_TYPE | An attribute on MX_PRIVILEGE describing the type of privilege | String | Single | Distinguishes if the privilege represents e.g. a technical role or a technical profile in the target system (repository). Examples: e.g. ROLE, PROFILE, NOTES, … |
| MX_PRIVILEGES_EXISTS | Attribute on MX_PERSON representing assignments of privileges | Entry reference (MX_PRIVILEGE) | Multi | System internal attribute like MXREF_MX_PRIVILEGE – represents privilege references via MX_GROUP membership. Will be set by tasks in the SAP provisioning framework itself. |
| MX_PROVISIONTASK | Task to perform provisioning | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_RBAC_DIRECT_PRIVILEGE | Direct reference to role (no inheritance) | Role reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. |
| MX_RBAC_REVERSE_PRIVILEGE | Reference to role with reverse inheritance | Role reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. |
| MX_REASON | Reason for request of role or privilege | String | Single | |
| MX_RECONCILE_ALWAYS | Always reconcile immediately | Boolean | Single | For future use – not in use at present time. This attribute should not be altered. |
| MX_RECONCILE_PENDING | Reconcile is pending | Boolean | Single | For future use – not in use at present time. This attribute should not be altered. |
| MX_REPORT_DATE | Date used for reporting on historic data | Date (Time) | Single | See section describing the report request attributes on page 88. |
| MX_REPORT_DESTINATION | Destination where the resulting report is stored | Numeric (Integer) | Single | See section describing the report request attributes on page 88. |
| MX_REPORT_ENTRY | Object to be reported on | Entry reference | Single | See section describing the report request attributes on page 88. |
| MX_REPORT_ERRORTEXT | Additional report information, if report fails | String | Single | See section describing the report request attributes on page 88. |
| MX_REPORT_FILTERING | Report filtering | String | Single | For future use – not in use at present time. See section describing the report request attributes on page 88. |
| MX_REPORT_FORMAT | Report format | String | Single | Formats: PDF, HTML, DOC etc. See section describing the report request attributes on page 88. |
| MX_REPORT_LANGUAGE | Report language | String | Single | See section describing the report request attributes on page 88. |
| MX_REPORT_LOCALE | Report locale (i.e. date format) | String | Single | For future use – not in use at present time. See section describing the report request attributes on page 88. |
| MX_REPORT_RESULT | The full report result | Binary | Single | See section describing the report request attributes on page 88. |
| MX_REPORT_RESULT_REF | Reference to the report result, if it is stored on a file server | String | Single | For future use – not in use at present time. See section describing the report request attributes on page 88. |
| MX_REPORT_SORTING | Report sorting | String | Single | For future use – not in use at present time. See section describing the report request attributes on page 88. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_REPOSITORY_ADD_MEMBER | Name of the target repository definition used for assignment of the privilege | String | Single | This setting overrides the value set by MX_REPOSITORYNAME. If not given, the value of attribute MX_REPOSITORYNAME is used. See section describing the privilege and role assignment attributes on page 82. |
| MX_REPOSITORY_DEL_MEMBER | Name of the target repository definition used for de-assignment of the privilege | String | Single | This setting overrides the value set by MX_REPOSITORYNAME. If not given, the value of attribute MX_REPOSITORYNAME is used. See section describing the privilege and role assignment attributes on page 82. |
| MX_REPOSITORY_VALIDATE | Name of the target repository definition used for validation of the privilege operation | String | Single | This setting overrides the value set by MX_REPOSITORYNAME. If not given, the value of attribute MX_REPOSITORYNAME is used. See section describing the privilege and role assignment attributes on page 82. |
| MX_REPOSITORYNAME | Repository name | String | Single | Link to a repository definition from privilege. Also available for MX_APPLICATION. Available for MX_PENDING_VALUE and MX_ROLE. |
| MX_REQ_PRIV | Reference to master privilege | Entry reference | Single | See section describing the privilege dependencies attributes on page 81. |
| MX_REQ_PRIV_INTERVAL | Check interval in seconds when waiting for master privilege | Numeric (Integer) | Single | Not in use (as of SAP NetWeaver Identity Management 7.2 SP9). |
| MX_REQ_PRIV_NOMASTER_TASK | Task executed when policy is Wait (1) and the master privilege is missing | Task reference | Single | See section describing the privilege dependencies attributes on page 81. |
| MX_REQ_PRIV_PCYADD_MISSING | Policy when master privilege is not assigned | Numeric (Integer) | Single | Not in use (as of SAP NetWeaver Identity Management 7.2 SP9). |
| MX_REQ_PRIV_PCYADD_PENDING | Policy when master privilege is being assigned | Numeric (Integer) | Single | Not in use (as of SAP NetWeaver Identity Management 7.2 SP9). |
| MX_REQ_PRIV_PCYADD_REMOVING | Policy when master privilege is being removed | Numeric (Integer) | Single | Not in use (as of SAP NetWeaver Identity Management 7.2 SP9). |
| MX_REQ_PRIV_TIMEOUT | Max number of seconds to wait for this master privilege when policy is Wait (1) | Numeric (Integer) | Single | See section describing the privilege dependencies attributes on page 81. |
| MX_ROLE_ALLOW_CHILD_CUTOFF | Allow ignoring child role assignment if conflict | Boolean | Single | Attribute is no longer in use/obsolete as of SAP NetWeaver Identity Management version 7.2 SP3. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_ROLE_ALLOWED_FOR | References to entries which may have this role | Entry reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. |
| MX_ROLE_ALLOWED_FOR_REVERSE | When set, MX_ROLE_ALLOWED_FOR indicates which entries are NOT allowed to have this role | Boolean | Single | For more, see section describing some of the role and privilege attributes on page 89. |
| MX_ROLE_AUTOASSIGN_TO | Dynamic group referring entries which must have this role | Entry reference | Single | For more, see section describing some of the role and privilege attributes on page 89. |
| MX_SAML_ENABLED | SAML authentication | Boolean | Single | Authentication method. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_SAML_MAPPING | SAML mapping | String | Multi | SAML user mapping. The expected format for SAML mapping attribute is <provider name>= =<external identity>, for example: AC_SAML_PROVIDER= =John. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_SAML_TARGET_SYSTEM | SAML target system | String | Multi | The attribute holds the name of the repository for the SAML identity provider. |
| MX_SEMAPHORE | MX_SEMAPHORE holds the names of all semaphores which are set | String | Multi | Semaphores restrict access to shared resources – only one process at a time performs an operation. The semaphores are stored on each entry. |
| MX_TARGET_ALL | Indicates that all entries are referenced by this privilege – other target attributes are ignored | Boolean | Single | For future use – not in use at present time. |
| MX_TARGET_AND | Indicates that the targets are combined with AND, meaning that the entries must be present in all targets | Boolean | Single | If the attribute is true, only members which are present in all of the target references are returned. For future use – not in use at present time. |
| MX_TARGET_DYNAMIC_GROUP | Reference to one or more dynamic groups, creating a dynamic group hierarchy | Entry reference | Multi | For future use – not in use at present time. |
| MX_TARGET_ENTRY | Reference to target entries | Entry reference | Multi | Returns the selected list of entries. For future use – not in use at present time. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_TARGET_FILTER | SQL filter | String | Single | Used in the dynamic group definition to resolve entries. Note that this may make auditing more complex. |
| MX_TARGET_PRIVILEGE | Returns all entries with given privileges | Entry reference (to MX_PRIVILEGE entry) | Multi | For future use – not in use at present time. |
| MX_TARGET_SELF | Indicates that the logged-in user is referenced by this privilege – other target attributes are ignored | Boolean | Single | For future use – not in use at present time. |
| MX_TARGET_SUBTREE | Reference to target sub-trees (includes all entries in the sub-trees, excluding the root entries). | Entry reference | Multi | For future use – not in use at present time. |
| MX_TITLE | Title of user | String | Single | |
| MX_TRIGGER_NOTIFICATION | Holds a timestamp of when a notification process is triggered | String | Single | Attribute used by SAP Provisioning Framework. |
| MX_USER_PICTURE | User picture | Binary | Single | This MX_PERSON attribute stores user's picture. The attribute is added to support SAP UI5 framework. |
| MX_USER_PARAMS | User parameters | String | Multi | Generic user parameters. Except for e-mail address, locale, and timezone user parameters, the mapping for the general purpose user parameters follows the pattern <parameter name>= =<value>. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_USER_PREFS | User specific preferences | String | Single | Pairs of Key=Value. For more, see page 96. |
| MX_VALID_MEMBERS | Reference to any entry indicating the valid members | Entry reference | Multi | A privilege-attribute. |
| MX_VALIDATE_ADD_TASK | Reference to the task that will execute the validation of the requested add-operation | Task reference | Single | If defined, a successful execution of this task is prerequisite for execution of the MX_ADD_MEMBER_TASK. If not defined, inherited from the repository definition attribute MX_REPOSITORY_VALIDATE. For more, see section describing the privilege and role assignment attributes on page 82. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_VALIDATE_DEL_TASK | Reference to the task that will execute the validation of the requested delete-operation | Task reference | Single | If defined, a successful execution of this task is prerequisite for execution of the MX_DEL_MEMBER_TASK. If not defined, inherited from the repository definition attribute MX_REPOSITORY_VALIDATE. For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_VALIDATE_MOD_VALIDITY_TASK | Validate modify validity task – used to validate a change in validity | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_VALIDATE_OPERATION | Reference (on a pending value object) to the (original) operation causing the validation process | String | Single | For future use – not in use at present time. |
| MX_VALIDFROM_NEW | New time for when the entry is valid from | Date (Time) | Single | Used in case of modify of validity. For more, see section describing the pending object attributes on page 75. |
| MX_VALIDTO_NEW | New time for when the entry is no longer valid | Date (Time) | Single | Used in case of modify of validity. For more, see section describing the pending object attributes on page 75. |
| MX_VIEW_ATTRIBUTES | The following attributes are visible. All attributes are visible by default | Attribute reference | Multi | For future use – not in use at present time. |
| MX_X509_ENABLED | X509 authentication | Boolean | Single | Authentication method. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_X509_MAPPING | X509 mapping | String | Multi | X509 user mapping. The expected format for X509 mapping attribute is <subject DN>= =<issuer DN>. Used by SAP Provisioning Framework (SAP HANA connector). |
| MXAC_ENTRY | Access control for the entry – defines who can see the entry | Numeric (Integer) | Single | See section describing the access control attributes on page 56 for more. |
| MXAC_MEMBERS | Access control for the entry members – defines who can see the members of the role (member visibility) | Numeric (Integer) | Single | Not in use (as of version 7.2 SP6). |
| MXMEMBER_MX_GROUP | Member reference to entry type MX_GROUP | Entry reference (MX_GROUP) | Multi | See section describing the MXMEMBER and MXREF attributes on page 68 for more. |
| MXMEMBER_MX_PERSON | Member reference to entry type MX_PERSON | Entry reference (MX_PERSON) | Multi | See section describing the MXMEMBER and MXREF attributes on page 68 for more. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MXMEMBER_MX_PRIVILEGE | Member reference to entry type MX_PRIVILEGE | Entry reference – MX_PRIVILEGE | Multi | See section describing the MXMEMBER and MXREF attributes on page 68 for more. |
| MXMEMBER_MX_ROLE | Member reference to entry type MX_ROLE | Entry reference (MX_ROLE) | Multi | See section describing the MXMEMBER and MXREF attributes on page 68 for more. |
| MXREF_MX_APPLICATION | Reference to entry type MX_APPLICATION | Entry reference (MX_APPLICATION) | Single | See section describing the MXMEMBER and MXREF attributes on page 68 for more. |
| MXREF_MX_DYNAMIC_GROUP | Reference to entry type MX_DYNAMIC_GROUP | Entry reference (MX_DYNAMIC_GROUP) | Multi | See section describing the MXMEMBER and MXREF attributes on page 68 for more. |
| MXREF_MX_GROUP | Reference to entry type MX_GROUP | Entry reference (MX_GROUP) | Multi | See section describing the MXMEMBER and MXREF attributes on page 68 for more. |
| MXREF_MX_ROLE | Reference to entry type MX_ROLE | Entry reference (MX_ROLE) | Multi | See section describing the MXMEMBER and MXREF attributes on page 68 for more. |
| SAP_CHANGENUMBER | SAP change number | Numeric (Integer) | Single | System internal attribute on MX_PERSON used for modification of MX_PERSON. Also available for entry type MX_COMPANY_ADDRESS. |

Access control attributes

The access control is implemented using the following attributes:

• MX_OWNER – References the owner of the entry.

• MXAC_ENTRY – Defines the access control to the entry itself.

The list below shows where in the workflow access is checked:

• Executing a delegated task. Only entries which the user has access to are visible in the search result.

• Assigning a value to a reference attribute (for example MXREF_MX_ROLE or MX_OWNER). When trying to reference a container entry (for example defining a child role to a role, or defining a role membership for a person, or setting the MX_MEMBER attribute to point to a privilege), only roles/privileges which are visible to the user are shown.


MX_OWNER

This attribute is a multi-value entry reference – a reference to the owner(s) of the entry. The attribute can be added to any entry type and it will normally reference (but is not limited to) a user entry. In fact, this can be a reference to one of the following entry types:

• User/MX_PERSON

• MX_PRIVILEGE

• MX_ROLE

• MX_DYNAMIC_GROUP

This attribute can be used to handle approvals, by defining that the approval should be done by the owner.

If MX_OWNER is a container entry (for example a role), then all the members of the container entry will be considered the owner.

MXAC_ENTRY

MXAC_ENTRY is a single-value numeric attribute (on MX_DYNAMIC_GROUP, MX_PRIVILEGE and MX_ROLE). It is used to indicate the access control used for the entry. The following values are legal:

0: All. Also used if the attribute is not present.

1: Owner + Members.

2: Owner only.

All other values are for future use.
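
An added example (not Identity Center code) of how the MXAC_ENTRY values and MX_OWNER resolution combine into a visibility decision, with a review helper that flags entries nobody can own. The Entry class, the constructed sample store, expanding only direct members of a container owner, and denying access on reserved MXAC_ENTRY values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

AC_ALL, AC_OWNER_MEMBERS, AC_OWNER_ONLY = 0, 1, 2      # legal MXAC_ENTRY values
CONTAINERS = {"MX_ROLE", "MX_PRIVILEGE", "MX_DYNAMIC_GROUP"}


@dataclass
class Entry:
    mskey: int
    entry_type: str
    owners: Set[int] = field(default_factory=set)     # MX_OWNER references
    members: Set[int] = field(default_factory=set)    # direct members of a container
    mxac_entry: Optional[int] = None                  # None: attribute not present


def effective_owners(entry: Entry, store: Dict[int, Entry]) -> Set[int]:
    """Resolve MX_OWNER; a container owner stands for all of its members."""
    owners: Set[int] = set()
    for ref in entry.owners:
        target = store.get(ref)
        if target is not None and target.entry_type in CONTAINERS:
            owners |= target.members       # assumption: direct members only
        else:
            owners.add(ref)
    return owners


def can_see(user: int, entry: Entry, store: Dict[int, Entry]) -> bool:
    mode = AC_ALL if entry.mxac_entry is None else entry.mxac_entry
    if mode == AC_ALL:
        return True
    if mode == AC_OWNER_MEMBERS:
        return user in entry.members or user in effective_owners(entry, store)
    if mode == AC_OWNER_ONLY:
        return user in effective_owners(entry, store)
    return False       # reserved value: fail closed (assumption, not stated on the page)


def visible_to(user: int, store: Dict[int, Entry]) -> List[int]:
    """MSKEYs of the roles, privileges and dynamic groups the user can see."""
    return sorted(e.mskey for e in store.values()
                  if e.entry_type in CONTAINERS and can_see(user, e, store))


def review_findings(store: Dict[int, Entry]) -> List[Tuple[int, str]]:
    """Flag access-control settings worth a second look during a review."""
    findings = []
    for e in sorted(store.values(), key=lambda x: x.mskey):
        if e.entry_type not in CONTAINERS:
            continue
        if e.mxac_entry not in (None, AC_ALL, AC_OWNER_MEMBERS, AC_OWNER_ONLY):
            findings.append((e.mskey, f"reserved MXAC_ENTRY value {e.mxac_entry}"))
        for ref in sorted(r for r in e.owners if r not in store):
            findings.append((e.mskey, f"MX_OWNER references unknown entry {ref}"))
        known = {o for o in effective_owners(e, store) if o in store}
        if e.mxac_entry == AC_OWNER_ONLY and not known:
            findings.append((e.mskey, "owner-only entry has no resolvable owner"))
    return findings


# Constructed sample store (MSKEYs and entries are made up for this example).
STORE = {e.mskey: e for e in [
    Entry(100, "MX_PERSON"), Entry(101, "MX_PERSON"), Entry(102, "MX_PERSON"),
    Entry(200, "MX_ROLE", members={100}),                       # attribute absent: All
    Entry(201, "MX_ROLE", owners={200}, members={101}, mxac_entry=1),
    Entry(202, "MX_PRIVILEGE", owners={102}, mxac_entry=2),
    Entry(203, "MX_PRIVILEGE", mxac_entry=2),                   # nobody can see it
    Entry(204, "MX_ROLE", owners={999}, mxac_entry=7),          # reserved value
]}

if __name__ == "__main__":
    for user in (100, 101, 102):
        print(user, visible_to(user, STORE))
    for finding in review_findings(STORE):
        print(finding)
```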


Approval attributes

Approvals can be implemented in two ways – either by making the approval task a part of your workflow (in an ordered task group, for instance), or they can be event based.

In the first case, where a regular workflow execution enters an approval task, the basic approvals are performed and no pending value object is created.

The other scenario is assignment approvals which are triggered when a role, or a privilege, assignment is attempted to a role which requires approval (an MX_ROLE entry or a privilege with either the MX_VALIDATE_ADD_TASK, MX_VALIDATE_DEL_TASK or MX_VALIDATE_MOD_VALIDITY_TASK attribute defined). Then an MX_PENDING_VALUE entry is automatically created and added to the approval queue and the task references are executed on this entry.

Assignment approvals are handled top down, which means that in a hierarchy the topmost approval is done first and the workflow will not continue until this approval is completed. For instance, the child roles will not be added until the parent role is approved. A child role which is declined will never cause the user to lose the parent role.

Role constraints are checked before doing the approval for the role. If the role is not allowed for the user to see/get, the approval will be automatically declined. If the role is not allowed for the user that is defined as the approver, the user will be removed from the list of approvers. And if then there are no approvers left defined for the approval, the approval will be declined.

As of SAP NetWeaver Identity Management 7.2 SP4, the mechanisms and the corresponding attributes for handling of timeouts and escalations are implemented.

As of SAP NetWeaver Identity Management 7.2 SP6, the mechanisms and the corresponding attributes for handling of approval delegation, including the automatic delegation, are implemented.

MX_APPROVAL_TASK

This task reference attribute (on an MX_ROLE or MX_PRIVILEGE entry type) indicates that an approval is required, and holds the GUID of the task which is used for approval.

The approval task will be started in the following cases:

• When a new role is added

• When modifying the expiry time

• When modifying validFrom or validTo on a pending role entry, and the entry is already approved

The MX_ADD_MEMBER_TASK attribute should be used instead (i.e. MX_ADD_MEMBER_TASK is replacing MX_APPROVAL_TASK). Alternatively use attributes MX_VALIDATE_ADD_TASK and MX_VALIDATE_DEL_TASK. For more, see section describing the privilege and role assignment attributes on page 82.


MX_APPROVALS

The approval information is stored as one multi-value attribute on the entry – MX_APPROVALS attribute (on MX_PENDING_VALUE for assignment approval and on MX_PERSON for basic approval). Available for entry types MX_PRIVILEGE and MX_ROLE as of version 7.2 SP7. For each approval, the following information is required:

| Parameter | Description |
|---|---|
| Task | This is the ID of the task (TaskID number) |
| AuditId | This is the audit ID (AuditID number) |
| Status | This is the status of the approval. There are three legal values for the approval status: <WAIT>, <APPROVED> and <DECLINED>. <WAIT> means that it has not yet been approved. |
| Approver | This is the MSKEY of the entry which has approved or declined the task (MSKEY of the approver). |
| Reason | This is the reason (descriptive text) why the role is requested |

The approval information must be encoded within the MX_APPROVALS attribute. The syntax contains keywords to be used in a SQL LIKE statement for getting all approvals with a given status, as well as all approvals for a given AuditId, Task and Approver. The maximum length of one approval information is 400 bytes.

The entire string will be stored in upper case, except the Reason:

Approval ::= Status "!!" Task "!!" Audit "!!" Approver "!!" Reason

Task ::= "TASK=" TaskId
TaskId ::= "<" integer ">"

Audit ::= "AUDITID=" AuditId
AuditId ::= "<" integer ">"

Status ::= "STATUS=" StatusValue
StatusValue ::= "WAIT" / "APPROVED" / "DECLINED"

Approver ::= "APPROVER=" ApproverId
ApproverId ::= "<" integer ">"
-- Use 0 to indicate no approver

Reason ::= "REASON=" String
String ::= *Char
Char ::= <Any character except the !! combination>
-- Empty string allowed
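
The encoding above as an added example (not SAP code): a Python encoder and strict parser for one MX_APPROVALS value, plus an anchored LIKE pattern run against constructed sample values in an in-memory SQLite table. The table and column names are hypothetical, the status is written without angle brackets as in the grammar (the parser also accepts the bracketed spelling used in the parameter table), and counting the 400-byte limit in UTF-8 is an assumption.

```python
import re
import sqlite3
from dataclasses import dataclass

MAX_BYTES = 400                       # maximum length of one approval value
SEP = "!!"
STATUSES = ("WAIT", "APPROVED", "DECLINED")
KEYS = ("STATUS=", "TASK=", "AUDITID=", "APPROVER=", "REASON=")
_ID = re.compile(r"<([0-9]+)>")


@dataclass(frozen=True)
class Approval:
    status: str
    task_id: int
    audit_id: int
    approver: int = 0                 # MSKEY of the approver, 0 = no approver
    reason: str = ""                  # free text, must not contain "!!"


def _check_size(value: str) -> None:
    # Counting UTF-8 bytes is an assumption; the page only says "400 bytes".
    if len(value.encode("utf-8")) > MAX_BYTES:
        raise ValueError("approval value exceeds 400 bytes")


def encode_approval(a: Approval) -> str:
    status = a.status.upper()
    if status not in STATUSES:
        raise ValueError(f"illegal status {a.status!r}")
    if min(a.task_id, a.audit_id, a.approver) < 0:
        raise ValueError("ids must be non-negative integers")
    if SEP in a.reason:
        # A separator inside the free-text reason would add forged fields.
        raise ValueError("reason must not contain '!!'")
    value = SEP.join((f"STATUS={status}", f"TASK=<{a.task_id}>",
                      f"AUDITID=<{a.audit_id}>", f"APPROVER=<{a.approver}>",
                      f"REASON={a.reason}"))
    _check_size(value)
    return value


def parse_approval(value: str) -> Approval:
    _check_size(value)
    parts = value.split(SEP)
    if len(parts) != len(KEYS):       # also rejects a reason that contains "!!"
        raise ValueError("expected exactly five '!!'-separated fields")
    fields = []
    for part, key in zip(parts, KEYS):
        if not part.startswith(key):
            raise ValueError(f"field out of order, expected {key}")
        fields.append(part[len(key):])
    status = fields[0]
    if status.startswith("<") and status.endswith(">"):
        status = status[1:-1]         # tolerate the <WAIT> spelling from the table
    if status not in STATUSES:
        raise ValueError(f"illegal status {status!r}")
    ids = []
    for raw in fields[1:4]:
        match = _ID.fullmatch(raw)
        if match is None:
            raise ValueError(f"expected <integer>, got {raw!r}")
        ids.append(int(match.group(1)))
    return Approval(status, ids[0], ids[1], ids[2], fields[4])


def like_pattern(status=None, task_id=None, audit_id=None, approver=None) -> str:
    """Anchored LIKE pattern; criteria left as None match any value."""
    if status is not None and status.upper() not in STATUSES:
        raise ValueError(f"illegal status {status!r}")
    st = "%" if status is None else status.upper()

    def ident(n):
        return "<%>" if n is None else f"<{int(n)}>"
    return SEP.join((f"STATUS={st}", f"TASK={ident(task_id)}",
                     f"AUDITID={ident(audit_id)}", f"APPROVER={ident(approver)}",
                     "REASON=%"))


def find_approvals(values, **criteria):
    """Apply the LIKE pattern to values held in a throwaway in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE approvals (value TEXT)")      # hypothetical table
    db.executemany("INSERT INTO approvals VALUES (?)", [(v,) for v in values])
    rows = db.execute("SELECT value FROM approvals WHERE value LIKE ? ORDER BY rowid",
                      (like_pattern(**criteria),)).fetchall()
    db.close()
    return [parse_approval(row[0]) for row in rows]


# Constructed sample values (not taken from a real identity store).
SAMPLE = [
    encode_approval(Approval("WAIT", 1201, 88001, 0, "Needs access for audit")),
    encode_approval(Approval("APPROVED", 1201, 88002, 4711, "ok")),
    encode_approval(Approval("DECLINED", 1305, 88003, 4711, "STATUS=APPROVED looks odd")),
]
```

Because the pattern starts at STATUS= with no leading wildcard, the third sample, whose reason merely mentions STATUS=APPROVED, is not returned by a search for approved entries.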


MX_APPROVAL_EXPIRY

The attribute is a numeric (Integer), single-value attribute defined for the MX_PENDING_VALUE entry type that holds the approval expiry. If the expiry is reached, the approval is always declined.

The approval may expire either if the assignment has timed out, or it has gone too many loops in the approval task. The approval expiry is used as a safeguard to prevent eternal loops in the approval.

MX_APPROVAL_TIMEOUT

The MX_APPROVAL_TIMEOUT attribute is a numeric (Integer), single-value attribute defined for the MX_PENDING_VALUE entry type. This is a timeout for the given approver, and it holds the number of seconds until the approval times out. It is normally used for escalation to another approver, or to automatically decline the approval.

MX_APPROVAL_REASON

This single-value, String attribute defined for the entry type MX_PENDING_VALUE holds the information about the reason why the approval request was approved or declined respectively.

MX_APPROVERS

This multi-value entry reference attribute holds a list of legal approvers of this entry. Approvers are always listed with their MSKEYs. The attribute does not necessarily need to hold a reference to a MX_PERSON entry type. A reference could be to a MX_ROLE, MX_PRIVILEGE or a MX_DYNAMIC_GROUP entry type. In this case, the members of these entry types are the actual approvers.

This attribute can be set (changed) on the pending value object (MX_PENDING_VALUE entry type), role/privilege (MX_ROLE/MX_PRIVILEGE entry type) and as of version 7.2 SP7 on MX_PERSON entry type.

MX_AUTODELEGATE_MESSAGE

This is a single-value, String attribute defined for the MX_PERSON entry type. The attribute holds the reason for the automatic delegation. Whenever an automatic delegation takes place, the delegate should receive an e-mail and the content of the attribute MX_AUTODELEGATE_MESSAGE is a part of the e-mail, as the reason. The message is also logged.

MX_AUTODELEGATE_MSKEY

The attribute is a single-value, entry reference to the MX_PERSON entry type. The attribute holds the MSKEY value of the user to whom the approval is automatically delegated. Whenever a user receives an approval, the approval is automatically delegated to a delegate, unless the delegate has already approved or declined, in which case he/she is removed as an approver. In other words, any user that already is or has been an approver is not accepted as the delegate.


MX_ESCALATION_APPROVERS_1/2/3

The default number of escalation levels possible after an approval has timed out is three (3), although more can be defined. The three multi-value, entry reference attributes (each defined for the entry types MX_ROLE, MX_PRIVILEGE and MX_PENDING_VALUE) hold the list of escalation approvers defined for each escalation level.

The attribute can be set (changed) on the pending value object.

MX_ESCALATION_TIMEOUT_1/2/3

The numeric (Integer), single-value attribute defined for the entry types MX_PRIVILEGE, MX_ROLE and MX_PENDING_VALUE holds the timeout (in days) for the escalation.

Assignment context attributes

An assignment context is defined for a direct assignment of roles/privileges. One typical example is that the role is "Project manager" and the context is "Project <name>". It is then possible to have the project manager role for one or more projects, without having to create a new role for each project. In addition to projects, the context type may also be a store, a cost center etc. Each defined context type is an entry type in the Identity Center's identity store.

When assigning a role or a privilege with a context, any inherited role and privilege assignments receive the same context. If the same child role is inherited from two different parents with the additional context reference(s) on the assignment, the child assignment receives the context from both parents.

The assignment context information will never be inherited for the following types of assignments:

• An auto-assigned role.

• A master privilege assignment.

If there are multiple contexts for a role/privilege assignment, the contexts are stored as multiple MX_PENDING_VALUE objects, each with a separate validity and status. The event tasks are executed for each pending value object (PVO). The context of the assignment is not allowed to be modified, but the existing assignment can be removed and replaced by a new one with a new context.

Each role or privilege may have a set of supported context types (MX_CTX_TYPE).

A user is able to hold a set of contexts per context type, which are known as auto-assigned contexts. These may or may not be auto-assigned depending on the auto-assign strategy defined. If the contexts are updated, the assignments are updated too, to reflect the new values.

Note: It is not recommended to change the context types (attribute MX_CTX_TYPE) and auto-assign context policy/strategy (MX_CTX_AUTO_STRATEGY) settings once assigned. There is no automatic reconciliation process which will detect this, as the context types are assumed to be unchanged.


MX_CTX_TYPE

This multi-value entry reference attribute, defined on both MX_ROLE and MX_PRIVILEGE entries, defines which context types are handled by the role/privilege. If the attribute is not defined, then the role/privilege does not support contexts and no context type can be assigned to the role/privilege. The context type information is used for the following purposes:

• By the User Interface to decide which context types to display when selecting which contexts to assign.

• To determine the auto-assigned contexts from the user entry.

• During inheritance, assignments with unsupported context types are ignored.

Note: The attribute value should not be altered once defined.

As of version 7.2 SP7, the reconciliation of "dirty" entries is done regularly with a scheduled procedure executed by the dispatcher. For more, see the topic About the identity store in the Help File. The reconciliation of the attribute MX_CTX_TYPE needs to be handled differently. The "dirty" flag, usually set for the altered attributes/entries, will not be set when changing this attribute value. An entry can be set "dirty" explicitly by using the function uIS_SetDirty. A manual reconciliation for the affected entries can be initiated by using the internal function uIS_PrivReconcile (the affected entries will be all users assigned to all parent roles of the role (or privilege) where you do the change). The function uIS_PrivReconcile has the MSKEY as a parameter, and will perform any reconciliation for the defined entry.

MX_CTX_CONDITIONAL

The multi-value privilege attribute MX_CTX_CONDITIONAL is an entry reference to the context that must be present in the assignment context information for this privilege, in order for the privilege to be assigned. If changing the attribute MX_CTX_CONDITIONAL for a privilege, the context assignments will be recalculated.

MX_CTX_AUTO_STRATEGY

This single-value privilege attribute holds the strategy for assigning the auto-assigned context values. The legal values for this attribute are:

<Empty>: Same as "NONE".

0: "NONE" – Never add any auto-assigned contexts.

1: "IFMISSING" – Add auto-assigned contexts only if none are defined (are missing) on the link.

2: "ALWAYS" – Always add the auto-assigned contexts to the user, possibly in addition to the already manually assigned contexts.

Note: The attribute value should not be altered once defined.


As of version 7.2 SP7, the reconciliation of "dirty" entries is done regularly with a scheduled procedure executed by the dispatcher. For more, see the topic About the identity store in the Help File. The reconciliation of the attribute MX_CTX_AUTO_STRATEGY needs to be handled differently. The "dirty" flag, usually set for the altered attributes/entries, will not be set when changing this attribute value. An entry can be set "dirty" explicitly by using the function uIS_SetDirty. A manual reconciliation for the affected entries can be initiated by using the internal function uIS_PrivReconcile (the affected entries will be all users assigned to all parent roles of the role (or privilege) where you do the change). The function uIS_PrivReconcile has the MSKEY as a parameter, and will perform any reconciliation for the defined entry.

MX_CTX_AUTO_VALUES

This multi-value, entry type reference attribute defined for the MX_PERSON entry, holds the auto-assigned contexts for a user, i.e. the contexts which will be automatically assigned to a user. Changing this attribute for a person will result in recalculating of the context assignments.

The ASYNC attributes

The Identity Services solution makes use of the ASYNC attributes described below. For more on the Identity Services, see documents SAP NetWeaver Identity Management Identity Services – Architectural overview and SAP NetWeaver Identity Management Identity Services – Configuration Guide.

MX_ASYNC_REQUEST_ID

All requests coming to the Identity Services are given a unique request ID held by the MX_ASYNC_REQUEST_ID attribute.

Identity Services extracts the request ID from the request. If the value is not given by the requestor, the Identity Services will generate a new value.

Since the requests are handled in asynchronous mode, after each provisioning operation the requestor must (regularly) check the status of the operation by executing the special Identity Service operation for obtaining the result of a provisioning operation. The MX_ASYNC_REQUEST_ID attribute is used in this context. Information about all subsequent processing of the request is stored together with the request ID, making it possible to keep track of the request.

MX_ASYNC_MSKEYVALUE and MX_ASYNC_IDENTIFIER

The Identity Services accepts and processes SPML requests with valid SPML identifiers. A valid SPML identifier consists of two different parts, a unique part that gives the unique description of the object and a naming context that gives the position of the object in the given structure.

In the SPML identifier:

CN=John Parrot,OU=people,O=myorg

CN=John Parrot is the unique part of the identifier, while OU=people,O=myorg is the suffix and tells where the object (given by the unique part) is placed in the overall naming context.

The MX_ASYNC_MSKEYVALUE attribute stores the object's distinguished name, in this case MX_ASYNC_MSKEYVALUE = John Parrot.


The MX_ASYNC_IDENTIFIER attribute stores the valid SPML identifier, in this case MX_ASYNC_IDENTIFIER = cn=John Parrot,ou=people,o=myorg.

To simplify the work with the solution, Identity Services accepts identifiers that do not fully comply with the rules of a valid SPML identifier. In that case, the Identity Services constructs a valid SPML identifier that will be used for operation execution. For list of accepted identifier formats, see the document SAP NetWeaver Identity Management Identity Services – Architectural overview.

MX_ASYNC_OBJECTCLASS

The MX_ASYNC_OBJECTCLASS holds the entry type of the object the operation is to be executed on. The entry type MX_PERSON is the only legal value for this attribute.

MX_ASYNC_ROLE and MX_ASYNC_PRIVILEGE

MX_ASYNC_ROLE and MX_ASYNC_PRIVILEGE hold the object's roles and privileges respectively.

MX_ASYNC_ORIG_OPERATION

This attribute holds the information about the original operation requested. It can be any of the provisioning operations – standard SPML operations Add, Modify and Delete. Other types of operations exist and can be submitted:

Special operations
Operations used to discover the systems, applications and privileges of the system. Also used to view the result of the provisioning operation.

Search operations
Operations used to list and view information about entries.

For more on operations, review the document SAP NetWeaver Identity Management Identity Services – Architectural overview.

Attestation attributes

The purpose of attestation is to periodically confirm users' access rights to critical resources. Such rights are normally controlled by assigning specific roles, and it is a risk if these roles are assigned to the wrong people. Assignment to these roles should periodically be verified by someone who is responsible for the resource or assignment.

This verification is done by executing an attestation task for each role (or privilege). For one given assignment, there is one (and only one) attester. The attester will only see the assignments for which he or she is responsible. The attester has the option to confirm or reject the assignments, as well as delegating the responsibility to another person.

All attestation operations are logged, so that they can later be audited.

The attributes MX_ATTEST_TASK, MX_ATTEST_NEXTDATE and MX_ATTESTER are used to configure the attestation. These values can be added either by a job or from a task containing these attributes. Attributes MX_ATTEST_ACTIVE and MX_ATTEST_LASTDATE provide status information and are updated by the system procedures (i.e. not used to configure the attestation behavior).


For more information about the attestation and its configuration, see the Identity Center Help File.

MX_ATTEST_ACTIVE

This Boolean attribute indicates the status of the attestation - if the attestation is currently active or not. The attribute is updated by the internal system procedures and should not be changed.

MX_ATTEST_LASTDATE

The attestation attribute MX_ATTEST_LASTDATE holds the date and time when the attestation was initiated last time. The attribute is updated by the internal system procedures and should not be changed.

MX_ATTEST_NEXTDATE

This attribute holds the date (and time) for the next attestation, i.e. set this attribute to the date when the attestation is to be performed for this role.

MX_ATTEST_TASK

The attribute holds a reference (task GUID) to the attestation task to be executed.

MX_ATTESTER

This single-value entry reference attribute holds a reference (an MSKEYVALUE) to the attester.

The configuration on the attestation task determines how to find the attesters. They can be defined on the role/privilege, the attestation task, it can be the users' managers or user defined (it is possible to define different attester for each assignment, which is done with a script in a pre-processing task).

Dynamic group attributes

Dynamic groups were established to have a way of selecting people based on attribute values, for example title and location, or a combination of these.

Whenever a dynamic group is resolved (when the filter determining its members is resolved), the MXREF_MX_DYNAMIC_GROUP attribute is set on all the group members. This makes it easy to check dynamic group membership.

For other MX_DYNAMIC_GROUP attributes, see:

• section describing the access control attributes on page 56.

• MX_APPROVER attribute in section describing the approval attributes on page 58.

• MX_INACTIVE attribute on page 94.


MX_DG_ATTRIBUTE

MX_DG_ATTRIBUTE is a multi-value attribute reference. It is a list of attribute identifiers and is used for resolving the dynamic group – the list will be used to determine whether the dynamic group must be resolved when an attribute changes for a user.

When an attribute is changed, LastChanged time is altered.

This will not be checked if MX_DG_CACHE_TIME is 0.

MX_DG_AUTORESOLVE_INTERVAL

This attribute indicates the interval for resolving the dynamic group. A positive number indicates the number of seconds, while zero means that the dynamic group will never be automatically resolved. The groups are also resolved automatically if the last_modified for this attribute is <NULL>. The automatic resolve is done by the dispatcher.

Event based resolve of the dynamic group is done by setting the MX_DG_AUTORESOLVE_INTERVAL.last_modified to <NULL> if any attribute referenced by the dynamic group is changed. This will force a resolve by the dispatcher.

MX_TARGET_FILTER

This attribute is used to determine the members of the dynamic group. A filter is an SQL query which might look something like this:

SELECT DISTINCT mskey FROM MXIV_SENTRIES
WHERE is_id=2
  AND ((mskey IN (SELECT mskey FROM MXIV_SENTRIES
                  WHERE attrname='MX_DEPARTMENT' AND searchvalue = 'DEVELOPMENT')))

The example above will create a dynamic group with Development department employees as members.

The GRC attributes

By integrating SAP NetWeaver Identity Management with GRC Access Control, SAP NetWeaver Identity Management can execute compliant provisioning to multiple target systems which are controlled by GRC Access Control.

For more on the GRC integration, see SAP NetWeaver Identity Management GRC Integration – Configuration Guide.

MX_AC_REQUESTID

The attribute MX_AC_REQUESTID is a single-value, String attribute defined for the entry type MX_PENDING_VALUE that holds the request ID retrieved from the context variable MX_GRC_REQUEST_ID.


MX_AC_RESULT

This is a single-value, String attribute defined for the entry type MX_PENDING_VALUE. It holds the necessary request status information received from SAP Business Objects Access Control after request processing, and saved by the Identity Services. The information value stored in the attribute consists of the status (which can be either APPROVED or REJECTED), the reason regarding the status received from the Access Control, and in the case of the status being APPROVED (i.e. not REJECTED) the list of approved roles.

MX_AC_ROLEID

The single-value, String attribute defined for the entry type MX_PRIVILEGE contains the role name as it is retrieved from the Access Control system, which again is converted to a privilege on the Identity Management side.

MX_AC_ROLETYPE

The single-value, String attribute defined for the entry type MX_PRIVILEGE contains the role type as retrieved from the Access Control system.

MX_GRC_CHANGES_DETECTED

If any of the GRC relevant attributes is modified, the time-stamp is set on the user entry. The attribute MX_GRC_CHANGES_DETECTED is used as the time-stamp. Modify and add events are configured on this attribute. Every time the attribute is set or modified, the execution of the special task that will send the changed information over to GRC is triggered.

MX_GRC_REQUESTS_PENDING

Whenever a successful request submission to GRC Access Control takes place, a new attribute on the user entry is created – MX_GRC_REQUESTS_PENDING. If the attribute already exists, only the value of the attribute is changed.

The MX_GRC_REQUESTS_PENDING attribute is a multi-value attribute, since multiple requests can be submitted to GRC for the same entry before they are acknowledged.

MX_GRC_REQUESTS_OK

For each pending GRC-request in the queue, the status information is obtained. If the obtained status is "OK", then the MX_GRC_REQUESTS_OK is created and the MX_GRC_REQUESTS_PENDING attribute is removed.

If there are multiple values, only the relevant value is removed.

MX_GRC_REQUESTS_FAILED

For each pending GRC-request in the queue, the status information is obtained. If the obtained status is "FAILED", then the MX_GRC_REQUESTS_FAILED attribute is created and the attribute MX_GRC_REQUESTS_PENDING is removed.

If there are multiple values, only the relevant value is removed.

MSKEYVALUE - the unique ID attribute

The attribute MSKEYVALUE is a unique entry identifier and is used as a default logon id (for Identity Management User Interface login). The attribute must be unique in the identity store, across all entry types.

It is allowed to create an entry with an empty MSKEYVALUE, in which case the MSKEYVALUE will be set to MX_<mskey>.

You should never start a user defined MSKEYVALUE with "MX_".

When giving a unique name to roles and privileges, the recommended syntax is:

ROLE:<Role name>

PRIV:<Application name>

Only the first 400 characters of the MSKEYVALUE are significant when checking for uniqueness. If the first difference between two MSKEYVALUEs is in the 401st character, they will be considered the same, and creating a new entry with this MSKEYVALUE will fail.
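The following pre-import check is an added example, not SAP code: it applies the rules above (empty value allowed, "MX_" prefix reserved, uniqueness decided on the first 400 characters) to a batch of proposed MSKEYVALUEs. The function names and reason codes are hypothetical, and exact, case-sensitive comparison is an assumption because this section does not state the collation the identity store uses.

```python
SIGNIFICANT_CHARS = 400   # from this section: only the first 400 characters count
RESERVED_PREFIX = "MX_"   # from this section: reserved for generated MX_<mskey> values


def uniqueness_key(mskeyvalue: str) -> str:
    """Return the part of an MSKEYVALUE that takes part in the uniqueness check."""
    return mskeyvalue[:SIGNIFICANT_CHARS]


def audit_mskeyvalues(existing, proposed):
    """Check proposed MSKEYVALUEs against existing ones.

    Returns (accepted, findings). findings maps each rejected value to a
    hypothetical reason code. Assumption: comparison is exact and
    case-sensitive.
    """
    taken = {uniqueness_key(v) for v in existing}
    accepted, findings = [], {}
    for value in proposed:
        if value == "":
            # Allowed: the identity store sets MX_<mskey> itself.
            accepted.append(value)
            continue
        if value.startswith(RESERVED_PREFIX):
            findings[value] = "RESERVED_PREFIX"
            continue
        key = uniqueness_key(value)
        if key in taken:
            # Also catches values that differ only from character 401 onward.
            findings[value] = "NOT_UNIQUE_IN_FIRST_400"
            continue
        taken.add(key)
        accepted.append(value)
    return accepted, findings
```

Because MSKEYVALUE is the default logon id, running such a check before a bulk load shows which long generated names would be treated as the same identifier.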

MXMEMBER and MXREF attributes

All attributes starting with MXMEMBER and MXREF are entry reference attributes. In the identity store, all references go from the child to the parent using the MXREF_<parent entry type> attribute, while to reference child entries, the syntax MXMEMBER_<entry type> is used. It can also be said that the MXMEMBER attribute group refers to "assigned entry type(s)", while the MXREF attribute group refers to "members of entry type(s)". It is important to mention that the MXMEMBER_<entry type> attribute will only show directly assigned members, which does not include inherited roles or privileges.

Whenever adding a new MXREF_<entry type> attribute to an entry, the corresponding MXMEMBER_<entry type> attribute will automatically be added to the container entry and vice versa.

Note that there are different MXMEMBER attributes for different member entries, indicating what type of member is being pointed to:

MXMEMBER attributes        MXREF attributes
MXMEMBER_MX_GROUP          MXREF_MX_APPLICATION
MXMEMBER_MX_PERSON         MXREF_MX_COMPANY_ADDRESS
MXMEMBER_MX_PRIVILEGE      MXREF_MX_DYNAMIC_GROUP
MXMEMBER_MX_ROLE           MXREF_MX_GROUP
                           MXREF_MX_PRIVILEGE
                           MXREF_MX_ROLE

In cases where you need or want more information about the assignments than provided by attributes MXREF_MX_ROLE and MXREF_MX_PRIVILEGE, use the attribute MX_ASSIGNMENT described on page 87.

Lotus Notes attributes

The Lotus Notes connector uses a number of attributes that are used to describe the entry types. This is only a minimum set of attributes, and additional attributes can be added. For more information about the Lotus Notes connector, see the document SAP NetWeaver Identity Management Identity Center Lotus Notes connector for SAP Provisioning framework Configuration Guide.

MX_NOTES_CERTIFIER_FILE

This single value String attribute defined for the entry type MX_PERSON holds the certifier file used for creating the user.

MX_NOTES_CERTIFIER_PWD

This single value String MX_PERSON attribute holds the certifier password for the certifier file.

MX_NOTES_CLIENTTYPE

The single value String attribute is defined for entry type MX_PERSON and maps the client type field in the Lotus Notes address book.

MX_NOTES_COUNTRYCODE

This single value String attribute, defined for the MX_PERSON entry type, holds the country code of the full name, where the user was created.

MX_NOTES_EXPIRATIONDATE

The attribute holds the user ID file expiration date. The attribute is a single value Date (Time) attribute defined for the MX_PERSON entry type.

MX_NOTES_FULLNAME

The attribute holds the entry's full name, which also represents entry's location. E.g. cn=Torkil Torkilsen/o=sap. The attribute is a single value String attribute defined for the MX_PERSON entry type.

MX_NOTES_GROUP_GROUPTYPE

This single value String attribute defined for the MX_GROUP entry type holds the information about the Lotus Notes group types. Legal values for this attribute are:

0: Access Control List only

1: Deny List only

2: Mail only

3: Multi-purpose

4: Server only

Only the numerical values are visible.

MX_NOTES_GROUP_GROUPTYPE_DISPLAY

This attribute is a single value String attribute defined for the MX_GROUP entry type. The attribute holds the Lotus Notes group types in textual form (the textual form of the group type values held by the attribute MX_NOTES_GROUP_GROUPTYPE described above). Legal values for this attribute:

Access Control List only

Deny List only

Mail only

Multi-purpose

Server only

MX_NOTES_GROUP_LISTNAME

The attribute holds the name of the group in Lotus Notes. This attribute is a single value String attribute defined for the entry type MX_GROUP.

MX_NOTES_IDFILE

This attribute holds the ID file of the user. The attribute is a single value String attribute defined for the MX_PERSON entry type.

MX_NOTES_INACTIVE

This single value String attribute, defined for entry types MX_PERSON and MX_GROUP, holds a flag that indicates whether a given user (or a group) has been deleted or not in Lotus Notes (the user/group is deleted when the flag is set).

MX_NOTES_IN_VAULT

A single value String attribute, defined on MX_PERSON. The attribute holds a flag that indicates whether a given user is a vault user existing in the ID vault on the Lotus Domino server or not. If the flag is set (the attribute has a value "1"), then the user exists in the vault. Otherwise, the user is not a vault user.

MX_NOTES_MAILADDRESS

The attribute is a single value String attribute defined for the entry type MX_PERSON. The attribute holds the information from the mail address field in the Lotus Notes address book.

MX_NOTES_MAILDOMAIN

This attribute holds the entry's mail domain. The attribute is a single value String attribute defined for the MX_PERSON entry type.

MX_NOTES_MAILFILE

The attribute holds the entry's mail file (e.g. mail\TTork). This is a single value String attribute defined for the entry type MX_PERSON.

MX_NOTES_MAILSERVER

This single value String attribute, defined for the entry type MX_PERSON, holds the IP address of the mail server.

MX_NOTES_MAILSYSTEM

This is a single value String attribute defined for the entry type MX_PERSON. The attribute holds the information about the user's mail system, such as Lotus Notes, CcMail, Vim, etc.

MX_NOTES_NOTEID

This single value String attribute, defined for entry types MX_PERSON and MX_GROUP, holds the ID of the note (Lotus Notes object) on the Lotus Notes server.

MX_NOTES_OID

This single value String attribute, defined for entry types MX_PERSON and MX_GROUP, holds the originator ID in Lotus Notes.

MX_NOTES_OLD_PASSWORD

This is a single value String attribute defined for the entry type MX_PERSON. The attribute is used to hold the old password (encrypted) of the user's ID file.

MX_NOTES_OLDFULLNAME

This single value String attribute, defined for the entry type MX_PERSON, holds the user's name before the name change.

MX_NOTES_ORG

The attribute is used to hold the information about the user's organization. It is a single value String attribute defined for the MX_PERSON entry type.

MX_NOTES_ORGUNIT

This single value String attribute, defined for the entry type MX_PERSON, holds the information about the user's organization unit.

MX_NOTES_OWNER

This is a multi-value Entry reference attribute defined for the entry type MX_PERSON. The attribute holds the reference to the owner of the Lotus Notes object (reference to the MX_PERSON entry type).

MX_NOTES_PATH_IDFILE

This single value String attribute, defined for the entry type MX_PERSON, holds the information about the local path to user's ID file.

MX_NOTES_POLICY

This is a single value String attribute defined for the entry type MX_PERSON. The attribute is used to hold a server policy, if a user with a specific server policy is created.

MX_NOTES_REGFULLNAME

The attribute is used to hold the user's full name entered during the initial user registration. This is a single value String attribute defined for the entry type MX_PERSON.

MX_NOTES_ROAMINGSERVER

The attribute is used to hold the information about the roaming server, in cases where roaming user is created. The attribute is a single value String attribute defined for the entry type MX_PERSON.

MX_NOTES_SERVERNAME

This single value String attribute, defined for the MX_PERSON entry type, holds the full name of the server.

MX_NOTES_SHORTNAME

The attribute holds the user's short name (e.g. TTork). This is a single value String attribute defined for the MX_PERSON entry type.

MX_NOTES_UNID

This single value String attribute, defined for entry types MX_PERSON and MX_GROUP, is used to hold the unique ID for the Lotus Notes object in Lotus Notes.

Password reset attributes

Password reset is used by end users if the password is forgotten. The user will be asked for identification by answering authentication questions.

The password reset process consists of the following three (3) steps:

Say who you are: In this step, the user will be asked for the unique identifier; the default is MSKEYVALUE. Other options are to ask for another unique attribute (for example the email address) in addition to or instead of the MSKEYVALUE. This is configured in the Management Console.

Authenticate: The user answers some question(s) only he/she knows the answer to. It will be possible to define any number of questions on a system, using the attributes in the format MX_AUTHQ_nnn (e.g. MX_AUTHQ_001, MX_AUTHQ_002 etc). Five (5) attributes are defined by default, but any implementation may add additional attributes following the naming syntax. These attributes are hashed according to the defined hashing algorithm in the Identity Center Management Console. In a task showing these questions, the user may be required to answer a minimum number of these questions, i.e. you can define how many of the defined questions the user has to answer.

Get a new password: A new password is provided to the user, either as input by the user (stored in MX_PASSWORD) or system generated. In either case, the password is validated towards UME, and a task is started. This task can then perform any desired operations, e.g. sending the new password to the user via e-mail or SMS, provision the password (the password is then encrypted and stored in the MX_ENCRYPTED_PASSWORD attribute) etc.

Every failed attempt of password reset is logged, and a task is executed. For security reasons, the user is not told why a password reset attempt failed.

The questions used for password reset are system specific, i.e. all users in the same identity store will have the same questions available.

Password reset attributes on the MX_PERSON entry type are described below.

MX_AUTHQ_001

This single-value String attribute is hashed according to the defined hashing algorithm in the Identity Center Management Console. The display name of this attribute is the question which the user will see.

The default password reset question 1 is: What is your favorite color?

MX_AUTHQ_002

This single-value String attribute is hashed according to the defined hashing algorithm in the Identity Center Management Console. The display name of this attribute is the question which the user will see.

The default password reset question 2 is: What make of car do you drive?

MX_AUTHQ_003

This single-value String attribute is hashed according to the defined hashing algorithm in the Identity Center Management Console. The display name of this attribute is the question which the user will see.

The default password reset question 3 is: What is your pet's name?

MX_AUTHQ_004

This single-value String attribute is hashed according to the defined hashing algorithm in the Identity Center Management Console. The display name of this attribute is the question which the user will see.

The default password reset question 4 is: What is your mother's maiden name?

MX_AUTHQ_005

This single-value String attribute is hashed according to the defined hashing algorithm in the Identity Center Management Console. The display name of this attribute is the question which the user will see.

The default password reset question 5 is: What street did you grow up on?

MX_FAILEDRECOVER

Every failed attempt of password reset is logged. The attribute MX_FAILEDRECOVER holds the number of failed password reset attempts. If the attribute is missing, zero (0) is assumed.

If the value of the MX_FAILEDRECOVER is higher than the MaxLoginAttempts parameter defined in the identity store, then the password reset will never be successful even though the correct information is supplied.

For security reasons, the user is not told why a password reset attempt failed. It may fail for one of the following reasons:

The user unique ID (MSKEYVALUE and/or some other attribute) provided as input in the password reset step one (1) is invalid.

At least one of the authentication questions (in the password reset step two (2)) was not answered correctly.

Too many attempts of password reset have been made (MX_FAILEDRECOVER > IDStore.MaxLoginAttempts).

The user does not have enough questions answered.

If all of the above are correct the password reset process will continue to step three (3).
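The model below is an added example, not SAP code: it walks steps one and two of the reset with the four failure causes listed above, returns one identical message for every cause, and records the real cause only in an audit log. The class and reason-code names are hypothetical; SHA-256 over a trimmed, lower-cased answer stands in for the hashing algorithm configured in the Management Console, and incrementing MX_FAILEDRECOVER on every failure against an existing entry is an assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

GENERIC_FAILURE = "Password reset failed."  # constructed wording, same for every cause


def hash_answer(answer: str) -> str:
    # Assumption: SHA-256 over the trimmed, lower-cased answer stands in for
    # the algorithm configured in the Management Console.
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class Person:
    mskeyvalue: str
    attrs: dict = field(default_factory=dict)  # attribute name -> stored value


@dataclass
class IdentityStore:
    max_login_attempts: int  # models IDStore.MaxLoginAttempts
    min_answers: int         # number of questions the reset task requires
    people: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, person: Person) -> None:
        self.people[person.mskeyvalue] = person

    def _fail(self, user_id, person, reason):
        # Every failed attempt is logged; the cause never reaches the user.
        if person is not None:
            # Assumption: each failure on an existing entry increments the counter.
            count = person.attrs.get("MX_FAILEDRECOVER", 0)
            person.attrs["MX_FAILEDRECOVER"] = count + 1
        self.audit_log.append((user_id, reason))
        return False, GENERIC_FAILURE

    def attempt_reset(self, user_id: str, answers: dict):
        """Run steps 1 and 2; return (ok, message shown to the user)."""
        person = self.people.get(user_id)
        if person is None:
            return self._fail(user_id, None, "INVALID_ID")
        # A missing MX_FAILEDRECOVER counts as zero. The check is strictly
        # "greater than", so a counter equal to the limit still allows a reset.
        if person.attrs.get("MX_FAILEDRECOVER", 0) > self.max_login_attempts:
            return self._fail(user_id, person, "TOO_MANY_ATTEMPTS")
        stored = {k: v for k, v in person.attrs.items() if k.startswith("MX_AUTHQ_")}
        if len(stored) < self.min_answers:
            return self._fail(user_id, person, "NOT_ENOUGH_QUESTIONS_ANSWERED")
        ok = len(answers) >= self.min_answers
        for name, given in answers.items():
            # Compare every supplied answer in constant time, with no early exit.
            match = hmac.compare_digest(hash_answer(given), stored.get(name, ""))
            ok = ok and match
        if not ok:
            return self._fail(user_id, person, "WRONG_ANSWER")
        return True, "Continue to step 3"
```

Once the counter exceeds the limit, correct answers are rejected with the same message as a wrong answer or an unknown ID, so only the audit log distinguishes a locked entry from a guessing attempt.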

Pending value object attributes

The pending attribute value objects support and enable the processing of the time limited attributes (primarily for roles), general disabling of the attributes, several time schedules for a time limited attribute and approval of role assignments.

Entry type MX_PENDING_VALUE holds attributes of an entry which is waiting for:

Approval

validFrom

Explicit enabling

For other pending value object attributes, see:

MX_OWNER attribute in section describing the access control attributes on page 56.

MX_APPROVALS attribute in section describing the approval attributes on page 58.

section describing the privilege assignment grouping attributes on page 79.

MX_ENTRY_REFERENCE

This attribute holds the reference to the entry owning this pending value object.

MX_ATTR_STATE

This attribute indicates the state of the attribute on the pending value object. Normally the value should not be changed, except when wanting to have a task which automatically declines an approval. The attribute can have one of the following values:

0: Disabled (no reason)

1: Pending approval. This value is added when a Validate-Add/Del/Modify task is started, and the initial value is 1. When the task is about to complete, it checks the value of the MX_ATTR_STATE attribute. If at that time the value is still 1, the assignment is considered approved.

2: Pending enable (i.e. waiting for validFrom). The value is used when setting future values for non-reference attributes. For reference attributes the future values are stored in the mxi_link table.

3: Declined approval. During the processing of a Validate-Add/Del/Modify task, the value is changed to 3 if the operation is declined. It is also possible to create a task which (based on some information) declines the approval. This is then done by setting the value of the MX_ATTR_STATE attribute to 3. This is the only time the MX_ATTR_STATE attribute should be changed.

MX_ATTRIBUTE_DELETE

MX_ATTRIBUTE_DELETE is added on the pending value object to be able to remove multi-value attributes, for example role assignments.

MX_ATTRIBUTE_NAME

This attribute holds the attribute name – reference to the attribute being stored in this pending value attribute. This should be the name of the attribute and not the attribute identifier, to allow smoother import/export of data.

MX_ATTRIBUTE_VALUE

This attribute holds the value that is to be written to the entry when the pending value is applied.

MX_ASSIGNER

This single-value entry reference attribute on the pending value object holds a reference to the user (MSKEY) who assigned a role. The following negative values for the MSKEYs have special meaning and are also handled:

-1: Unknown

-2: Admin UI

-3: DSE (runtime engines)

-4: Reconcile

-5: Dynamic group expansion

-6: VDS

-7: Pending value applied

-8: SyncUtil (Configuration Copy Tool)

-9: Transport

-10: Dispatcher

-11: JMX

-12: WebUI (Identity Management User Interface)

-13: Procedure

-14: REST API

MX_CTX

This single-value entry reference attribute holds a reference to the context entry on the pending value object.

MX_VALIDFROM and MX_VALIDTO

These two attributes are used to:

Hold the information about the validity of the MX_PERSON entry, i.e. the period of time when the user is permitted to use a system.

Hold the information about the validity of the future assignments on the pending value object (MX_PENDING_VALUE entry), i.e. when in the future an entry is valid (and thus enabled) and when the entry is no longer valid (and needs to be removed) respectively.

Future values for reference attributes however are stored directly in the link table (the attributes MX_VALIDFROM/VALIDTO are not used for anything other than information purposes).

Note that the date/time should always be written in ISO 8601 format, i.e.

YYYY-MM-DD or

YYYY-MM-DDThh:mm:ss

If the time is omitted, 00:00:00 is assumed for both the MX_VALIDFROM attribute and the MX_VALIDTO attribute (i.e. start of the day on the given date by default). The attributes should always be stored in UTC. Define both date and time for the attributes, in the above mentioned format, if the validity involves a specific time other than 00:00:00. For example, you may want the entry to be valid until the end of the day on a given date, in which case the MX_VALIDTO would hold a value e.g. 2013-12-12T23:59:59.

MX_VALIDFROM/VALIDTO attributes are not to be confused with the attribute validity properties validFrom and validTo, used to set the validity during e.g. the role/privilege assignment. The following is true about the relationship between the attributes MX_VALIDFROM/VALIDTO and the attribute properties validFrom/validTo:

For non-reference attributes with the validFrom value set to a date/time in future, a pending value object is created. Among others, the attribute MX_VALIDFROM is set on the pending value object holding the value from the validFrom property. If the validTo property exists, the attribute MX_VALIDTO is also defined on the pending value object, holding the value of the validTo property.

Note: If the validFrom property is not defined for the attribute, then the attribute is considered immediately valid, i.e. no pending value object is created and thus no use of MX_VALIDFROM/VALIDTO is necessary.

In other words, the attributes MX_VALIDFROM/VALIDTO are holding the values of attribute properties validFrom/validTo on the pending value object, in cases where it needs to be created. Although this is usually the way the attributes MX_VALIDFROM/VALIDTO are used, you may also set these attributes directly.

Note: For the attribute properties validFrom and validTo, if the time is omitted (i.e. if only the date is specified) then time 00:00:00 is assumed for the validFrom property and 23:59:59 for the validTo property. When the attributes MX_VALIDFROM/VALIDTO are holding the values of these attribute properties, this will then be valid for them too. Only when setting the attributes directly do you need to take into consideration that the time 00:00:00 is used by default if only the date is specified. For more information about the attribute validity and the properties, see the topic About attribute validity in Help File.

When the time defined in validFrom property (held by the MX_VALIDFROM attribute on the pending value object) is reached, the attribute value will be added to the entry. The procedure running the enable attribute must be aware of the time zone in which the operation takes place. Initially, there will be one global time zone on the system and it should probably be stored in a hidden global constant.

If the validTo time (then held by the MX_VALIDTO attribute on the pending value object) is defined, this is set as the expiry time (expiryTime property) for the attribute, which again means that the attribute will be deleted at this time.

The pending value object that was holding the information is then deleted (but kept in old_values).

It is possible to handle overlapping time schedules, for example one value being enabled before the previous is disabled. No special handling is needed.

Note: If validTo on the new attribute is earlier than the expiry time on the existing attribute, the expiry time is not overwritten.

Note: For future values for the reference attributes, no pending value object is created. This information is stored in the link table, i.e. to see the future values for reference attributes use the view idmv_link_ext. During the provisioning, when the event task is executed, the pending value object is created and the attributes MX_VALIDFROM/VALIDTO (holding the values of the attribute properties validFrom/validTo) are defined for information purposes – i.e. changing the values for these attributes has no function.
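The sketch below is an added example, not SAP code: it applies the date rules of the MX_VALIDFROM and MX_VALIDTO section, namely the two accepted formats, UTC storage, the different date-only defaults for directly set attributes and for the validFrom/validTo properties, and the rule that an earlier validTo does not overwrite an existing expiry time. All function names are hypothetical, and treating a validFrom that is not in the future as immediately valid is an assumption.

```python
import re
from datetime import datetime, time, timezone

_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
_DATETIME = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
START_OF_DAY = time(0, 0, 0)
END_OF_DAY = time(23, 59, 59)


def _parse(value: str, default_time: time) -> datetime:
    """Parse YYYY-MM-DD or YYYY-MM-DDThh:mm:ss as a UTC timestamp."""
    if _DATETIME.fullmatch(value):
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")
    elif _DATE.fullmatch(value):
        day = datetime.strptime(value, "%Y-%m-%d").date()
        parsed = datetime.combine(day, default_time)
    else:
        raise ValueError(f"not YYYY-MM-DD or YYYY-MM-DDThh:mm:ss: {value!r}")
    return parsed.replace(tzinfo=timezone.utc)


def parse_attribute(value: str) -> datetime:
    """MX_VALIDFROM / MX_VALIDTO set directly: a date-only value means 00:00:00."""
    return _parse(value, START_OF_DAY)


def parse_property(value: str, name: str) -> datetime:
    """validFrom / validTo properties: date-only validTo means 23:59:59."""
    if name not in ("validFrom", "validTo"):
        raise ValueError(f"unknown validity property: {name!r}")
    return _parse(value, END_OF_DAY if name == "validTo" else START_OF_DAY)


def to_stored(ts: datetime) -> str:
    """Format a timestamp the way the attributes are written."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def pending_value_for(valid_from, valid_to, now: datetime):
    """Validity attributes of the pending value object for a non-reference
    attribute, or None when no pending value object is needed."""
    if valid_from is None:
        return None  # no validFrom: immediately valid
    start = parse_property(valid_from, "validFrom")
    if start <= now:
        return None  # assumption: a validFrom that is not in the future is immediate
    pvo = {"MX_VALIDFROM": to_stored(start)}
    if valid_to is not None:
        pvo["MX_VALIDTO"] = to_stored(parse_property(valid_to, "validTo"))
    return pvo


def merged_expiry(existing_expiry, new_valid_to: datetime) -> datetime:
    """An earlier validTo on the new value does not overwrite the existing expiry."""
    if existing_expiry is not None and new_valid_to < existing_expiry:
        return existing_expiry
    return new_valid_to
```

The practical consequence: a date-only validTo property of 2013-12-12 runs to 23:59:59, whereas MX_VALIDTO written directly as 2013-12-12 ends at 00:00:00, almost a full day earlier.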

MX_VALIDFROM_NEW and MX_VALIDTO_NEW

These two attributes hold the new values for validity – when the entry is valid (and thus enabled) and when the entry is no longer valid (and needs to be removed) respectively. The same format and behavior as for the attributes MX_VALIDFROM and MX_VALIDTO described above apply.

MX_MODIFY_BY

This attribute holds the information about who (MSKEY) modified this entry – the contents will be copied to the ChangedBy field when attribute is enabled. The following negative values have special meaning for the ChangedBy field:

-1: Unknown

-2: Admin UI

-3: Runtime engines (DSE)

-4: Reconcile

-5: Dynamic group expansion

-6: VDS

-7: Pending value applied

-8: SyncUtil (Configuration Copy Tool)

-9: Transport

-10: Dispatcher

-11: JMX

-12: WebUI (Identity Management User Interface)

-13: Procedure

-14: REST API

MX_MODIFY_REASON

This String attribute on the pending value object holds the reason for the modification of the entry validity.

MX_OPERATION

This attribute is introduced to hold the information about the operation that the pending value object is created for. Legal values of this attribute are:

VALIDATE-ADD

ADD

VALIDATE-MODIFY

MODIFY

VALIDATE-DELETE

DELETE

REQUEST-COMPLETE

NOTIFY-EXPIRY

MX_REPOSITORYNAME

Handling of privilege assignments and de-assignments as of SAP NetWeaver Identity Management version 7.2 demands information about the repository definition available on the pending value object. The attribute MX_REPOSITORYNAME (available for MX_APPLICATION, MX_PENDING_VALUE, MX_PRIVILEGE and MX_ROLE) holds the reference to the repository definition used for execution of the task (MX_ADD_MEMBER_TASK, MX_DEL_MEMBER_TASK, MX_VALIDATE_ADD_TASK or MX_VALIDATE_DEL_TASK).

Privilege assignment grouping attributes

Four attributes – MX_PRIV_GROUP_ATTR_OPERATION, MX_PRIV_GROUPING_APPLICATION, MX_PRIV_GROUPING_GUID and MX_PRIV_GROUPING_ATTR_VALUE – exist in the identity store for the entry type MX_PENDING_VALUE with the purpose of handling the privilege assignment grouping. The attribute MX_GROUPING_DISABLED is added for the entry type MX_PRIVILEGE with the same purpose.

As of SAP NetWeaver Identity Management 7.2 SP3, two attributes are defined for the entry type MX_PENDING_VALUE for handling of grouping across repository definitions – MX_OPERATION_TASKID and MX_PRIV_USERID.

When performing a role assignment which leads to multiple privilege assignments for users, the add member task of each privilege will be executed individually, resulting in multiple requests to the target system. Privilege assignment grouping is meant to improve privilege assignments by grouping the privileges by repository definition or application, thus reducing the number of unnecessary requests to the system.

Privilege assignment grouping is used mainly for GRC at the moment. For more information about GRC and grouping, see the document SAP NetWeaver Identity Management Compliant provisioning using SAP Access Control Configuration Guide.

MX_GROUPING_DISABLED

This MX_PRIVILEGE attribute has legal values "True" or "False" (Boolean). When this attribute is set on a privilege, then the grouping is disabled for that privilege regardless of other grouping settings.

MX_PRIV_GROUP_ATTR_OPERATION

This attribute holds the attribute operation used by privilege grouping. Legal values for the attribute are:

1=Add

2=Delete

3=Modify

MX_PRIV_GROUPING_APPLICATION

This attribute holds the reference to the application (MX_APPLICATION entry type) used by privilege grouping.

MX_PRIV_GROUPING_ATTR_VALUE

Any privilege attribute may be used for grouping. This pending value object attribute keeps the information about which attribute it is. The attribute in question (referenced to) must be a single-value attribute.

MX_PRIV_GROUPING_GUID

This attribute holds the value that groups the pending value objects. All pending value objects (PVOs) in the same group will get the same GUID.

MX_OPERATION_TASKID

This single-value String attribute holds a task ID for the task defined on the pending value object to be executed for the given operation. It is used when grouping privilege/role assignments across repository definitions. Pending assignments (pending value objects) belonging to different repository definitions but with the same MX_OPERATION_TASKID value can be grouped together (i.e. even if they don't belong to the same repository definitions).

MX_PRIV_USERID

This single-value String attribute is defined on the MX_PENDING_VALUE entry type with the purpose of grouping privilege/role assignments across repository definitions, more precisely to group all assignments executed in the same transaction regardless of their repository definitions. The value of MX_PRIV_USERID is used to distinguish jobs executed in the same transaction in cases when AuditID is not available.

Privilege dependencies attributes

Typically within one repository definition, there is one privilege which is used to create the account within the target application, and other privileges which are used to grant various access rights to that account. The account must be created before any access rights are granted. Using privilege dependencies it can be guaranteed that the account is created before the access right is assigned. The following two terms are of importance:

Master privilege: This refers to any privilege on which other privileges depend, e.g. an account privilege.

Sub-privilege: This refers to any privilege which depends on the presence of another privilege, e.g. an e-mail account or access to group Managers will both be sub-privileges.

With the new functionality it will be possible to ensure that the master privilege task is executed to completion before running any of the sub-privilege tasks.

Privilege dependencies attributes defined on MX_PRIVILEGE entry type are described below.

MX_REQ_PRIV

This attribute holds a reference to the master privilege.

When assigning the privilege which is defined as the master privilege in the repository, no checking for master privilege is done and the privilege is assigned.

MX_REQ_PRIV_NOMASTER_TASK

This attribute holds a reference to a task which is executed when a privilege with a dependency to another (master) privilege (a sub-privilege) is being assigned and the master privilege is not present (missing). If defined, the task will create a new assignment to the master task, for example by assigning the privilege or a role (a direct assignment). There is no check for status on this task, and no waiting for this task to finish. However, as this is an event task, the wait-for-task result handling will wait for this task.

Note that there is no automatic removal of the master privilege when all the dependent sub-privileges are removed.

The assignment of the privilege with the dependency (sub-privilege) will not proceed until the master privilege is assigned. The sub-privilege assignment will fail if the timeout (see attribute MX_REQ_PRIV_TIMEOUT) is reached before the master privilege is assigned.

If no task is defined in MX_REQ_PRIV_NOMASTER_TASK, the sub-privilege assignment waits until the timeout is reached and then fails, unless the master privilege becomes present in the meantime due to some other process.

MX_REQ_PRIV_TIMEOUT

This attribute is used to specify the maximum number of seconds the sub-privilege assignment will wait for the master privilege. If you don't define a value for the timeout, the default value is 2 weeks (14*86400 seconds), i.e. the timeout is always defined with the default value unless you specify a value yourself. The sub-privilege assignment will fail if the defined timeout is reached before the master privilege is assigned.

Privilege and role assignment attributes

When assigning/de-assigning a privilege or role to/from an entry, the privilege (role) will hold a reference to the repository definition used for the execution of the defined add member/remove member event task, and thus the assignment/de-assignment of the privilege (role). Prior to SAP NetWeaver Identity Management 7.2, attributes involved in adding and removing the privileges or roles to/from an entry are MX_ADD_MEMBER_TASK, MX_PROVISIONTASK, MX_DEL_MEMBER_TASK, MX_DEPROVISIONTASK, MX_MODIFYTASK, MX_MODIFYTASK_ATTR and MX_REPOSITORYNAME. The first five attributes contain a reference to a task. This task reference can be either the task number or the task GUID. In addition, there are attributes to handle modifying. It was assumed that both add member and remove member event tasks were defined on the same repository definition.

The process of executing MX_ADD_MEMBER_TASK (MX_DEL_MEMBER_TASK) prior to SAP NetWeaver Identity Management 7.2 is:

1. The existence of MX_ADD_MEMBER_TASK (MX_DEL_MEMBER_TASK) is checked.

2. If the task does not exist, then MX_PROVISIONTASK (MX_DEPROVISIONTASK) isexecuted (non-pending value object assignment).

3. If the task exists, check for the repository definition defined on the privilege,MX_REPOSITORYNAME.

4. Create a pending value object and execute the MX_ADD_MEMBER_TASK(MX_DEL_MEMBER_TASK) defined on the repository definition discovered in theprevious step and that is capable of utilizing the information in the pending value object.

As of SAP NetWeaver Identity Management 7.2, the mechanisms (a several additionalattributes) for the two member event tasks to be executed on different repository definitions areimplemented. A task for validation of the add member and remove member tasks is alsointroduced. Also validation task can be defined on an own repository definition (not on the samerepository definition as add member/remove member event task). The new attributes are:MX_REPOSITORY_ADD_MEMBER, MX_REPOSITORY_DEL_MEMBER,MX_REPOSITORY_VALIDATE, MX_VALIDATE_ADD_TASK,MX_VALIDATE_DEL_TASK, MX_MOD_VALIDITY_TASK,MX_VALIDATE_MOD_VALIDITY_TASK, MX_LINK_EXPIRY_NOTIFICATION,MX_OFFSET_VALIDATE_ADD, MX_OFFSET_ADD_MEMBER andMX_OFFSET_LINK_EXPIRY.

In SAP NetWeaver Identity Management 7.2, the process of executing an assignment/de-assignment involves executing the following tasks in the following order:

1. MX_VALIDATE_ADD_TASK/MX_VALIDATE_DEL_TASK.

2. MX_ADD_MEMBER_TASK/MX_DEL_MEMBER_TASK.

3. MX_PROVISIONTASK (just after the assignment request has become active)/MX_DEPROVISIONTASK (just after the de-assignment request has become inactive).

In cases where an active assignment expires (ValidTo expires), the following tasks are executed in the following order:

1. MX_LINK_EXPIRY_NOTIFICATION (usually N days before ValidTo expires).

2. MX_DEL_MEMBER_TASK (only if the validity is not modified after the given notification, as shown below).

3. MX_DEPROVISIONTASK (only if the validity is not modified after the given notification, as shown below).

When modifying the validity of an assignment (ValidFrom and ValidTo), the following tasks are executed in the following order:

1. MX_VALIDATE_MOD_VALIDITY_TASK

2. MX_MOD_VALIDITY_TASK

The existence of every task is checked. Any tasks which are not defined (do not exist) are omitted, and the next task in order is executed. If a validate task fails or indicates that the operation is rejected, the subsequent tasks are not executed.

The offset attributes MX_OFFSET_VALIDATE_ADD, MX_OFFSET_ADD_MEMBER and MX_OFFSET_LINK_EXPIRY hold the time for the execution of the MX_VALIDATE_ADD_TASK, MX_ADD_MEMBER_TASK and MX_LINK_EXPIRY_NOTIFICATION respectively.

Normally, the tasks are defined on the repository definition, referenced from the role/privilege using the attribute MX_REPOSITORYNAME (default) or MX_REPOSITORY_ADD_MEMBER/MX_REPOSITORY_DEL_MEMBER/MX_REPOSITORY_VALIDATE. It is always possible to override any task or offset by setting the attribute directly on the role or privilege.

It is also possible to define a privilege with a task reference indicating that no task should be executed, even though the task reference is defined on the repository definition. This functionality is added to simplify functions in the provisioning framework and should be handled for all the task references (MX_PROVISIONTASK, MX_DEPROVISIONTASK, MX_MODIFYTASK, MX_ADD_MEMBER_TASK and MX_DEL_MEMBER_TASK) on a privilege and a repository definition.

On the privilege, the following values are legal for the task references:

Task GUID: execute the task (return error if the task does not exist).

Task ID: execute the task (return error if the task does not exist).

-1: do nothing.

<task reference missing>: check the repository definition.

On the repository definition the same is defined, except:

<task reference missing>: do nothing (i.e. the same as for value "-1").
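The lookup rules and the 7.2 execution order described above can be modelled as follows. This is an added example, not SAP code: the dictionaries, task numbers and repository names are constructed, and falling back from MX_REPOSITORY_VALIDATE/MX_REPOSITORY_ADD_MEMBER to MX_REPOSITORYNAME when the specific attribute is missing is an assumption based on MX_REPOSITORYNAME being described as the default.

```python
"""Added example: resolve the task references for an add-member assignment."""

NO_TASK = "-1"  # "-1: do nothing"

# Execution order for an assignment as of 7.2.
ADD_ORDER = ("MX_VALIDATE_ADD_TASK", "MX_ADD_MEMBER_TASK", "MX_PROVISIONTASK")

# Attribute on the privilege that names the repository definition holding
# each task. Falling back to MX_REPOSITORYNAME is an assumption (see lead-in).
REPO_ATTR = {
    "MX_VALIDATE_ADD_TASK": "MX_REPOSITORY_VALIDATE",
    "MX_ADD_MEMBER_TASK": "MX_REPOSITORY_ADD_MEMBER",
    "MX_PROVISIONTASK": "MX_REPOSITORYNAME",
}


def resolve(attr, privilege, repositories, known_tasks):
    """Return (task_ref, source), or None when no task is to be executed."""
    ref, source = privilege.get(attr), "privilege"
    if ref is None:
        # Task reference missing on the privilege: check the repository definition.
        repo_name = privilege.get(REPO_ATTR[attr]) or privilege.get("MX_REPOSITORYNAME")
        ref = repositories.get(repo_name, {}).get(attr)
        source = f"repository:{repo_name}"
    # "-1" anywhere, or missing on the repository definition: do nothing.
    if ref is None or str(ref) == NO_TASK:
        return None
    # Task ID or GUID: execute, but return an error if the task does not exist.
    if str(ref) not in known_tasks:
        raise LookupError(f"{attr} references unknown task {ref!r} ({source})")
    return str(ref), source


def plan_add(privilege, repositories, known_tasks):
    """Ordered list of (attribute, task_ref, source); undefined tasks are omitted."""
    plan = []
    for attr in ADD_ORDER:
        hit = resolve(attr, privilege, repositories, known_tasks)
        if hit:
            plan.append((attr, *hit))
    return plan


def execute(plan, run_task):
    """Run the plan in order; a failed or rejecting task stops the later ones."""
    executed = []
    for attr, ref, _source in plan:
        executed.append(attr)
        if not run_task(ref):
            break
    return executed


# Constructed sample configuration (task numbers and names are made up).
KNOWN_TASKS = {"1001", "1002", "1003", "2001"}
REPOSITORIES = {
    "REPO_ERP": {
        "MX_VALIDATE_ADD_TASK": "1001",
        "MX_ADD_MEMBER_TASK": "1002",
        "MX_PROVISIONTASK": "1003",
    },
    "REPO_GRC": {"MX_VALIDATE_ADD_TASK": "2001"},
}
PRIV_DEFAULT = {"MX_REPOSITORYNAME": "REPO_ERP"}
PRIV_SPLIT = {"MX_REPOSITORYNAME": "REPO_ERP", "MX_REPOSITORY_VALIDATE": "REPO_GRC"}
PRIV_NO_VALIDATE = {"MX_REPOSITORYNAME": "REPO_ERP", "MX_VALIDATE_ADD_TASK": "-1"}
PRIV_BROKEN = {"MX_REPOSITORYNAME": "REPO_ERP", "MX_ADD_MEMBER_TASK": "9999"}

if __name__ == "__main__":
    for name in ("PRIV_DEFAULT", "PRIV_SPLIT", "PRIV_NO_VALIDATE"):
        print(name, plan_add(globals()[name], REPOSITORIES, KNOWN_TASKS))
```

PRIV_NO_VALIDATE is the case worth reviewing in a real configuration: a "-1" set directly on the privilege switches validation off even though the repository definition defines a validation task.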

MX_ADD_MEMBER_TASK

If the MX_PRIVILEGE and MX_ROLE attribute MX_ADD_MEMBER_TASK is set, the reference to the object will not be set immediately. Instead a pending value object (MX_PENDING_VALUE) is created and the referenced task is executed on this pending value object. This task will perform its operations, for example request an approval or create an authorization in a target application. Depending on the status of the operations, the privilege will or will not be assigned to the entry.

The privilege is not assigned until the task has completed.

The attribute is also used as an approval attribute. The attribute replaced the MX_APPROVAL_TASK attribute (see section Approval attributes on page 58 for more). It indicates that an approval is required and holds the GUID of the task which is used for approval.

The approval task will be started in the following cases:

When a new role is added

When modifying the expiry time

When modifying validFrom or validTo on a pending role entry, and the entry is already approved

An alternative is to use attributes MX_VALIDATE_ADD_TASK and MX_VALIDATE_DEL_TASK.

MX_OFFSET_ADD_MEMBER

The numeric single-value attribute MX_OFFSET_ADD_MEMBER holds the time for the execution of the MX_ADD_MEMBER_TASK. The legal values for this attribute are:

0: On ValidFrom

-1: Immediately

N: N days before ValidFrom

MX_REPOSITORY_ADD_MEMBER

This MX_PRIVILEGE attribute holds the reference to the repository definition used for the execution of the add member event task and thus the assignment of the privilege.

MX_DEL_MEMBER_TASK

If the MX_PRIVILEGE and MX_ROLE attribute MX_DEL_MEMBER_TASK is defined, the privilege will not be removed immediately. Instead a pending value object (MX_PENDING_VALUE) is created, and the task is executed on this object. The task will then for instance revoke the authorizations in the target system before the privilege is physically removed for the object – the privilege is not removed until the task has completed. The MX_DEL_MEMBER_TASK is executed "Immediately" if an external event and "On ValidTo" for a timed event.

MX_REPOSITORY_DEL_MEMBER

This MX_PRIVILEGE attribute holds the reference to the repository definition used for the execution of the remove member event task and thus the de-assignment of the privilege.

MX_PROVISIONTASK

This is a task reference attribute defined on the MX_PRIVILEGE entry type and in the repository templates. The attribute holds the number of the task to be executed when the privilege is assigned to the user.

If both MX_ADD_MEMBER_TASK and MX_PROVISIONTASK are set, then the MX_ADD_MEMBER_TASK will be checked first. The task referenced from MX_PROVISIONTASK will not be started until the task referenced from MX_ADD_MEMBER_TASK has completed and the privilege actually is assigned, i.e. the task referenced from MX_PROVISIONTASK is executed only after the privilege has been assigned.

MX_DEPROVISIONTASK

This is a task reference attribute defined on the MX_PRIVILEGE entry type and in the repository templates. The attribute holds the number of the task to be executed when the privilege is removed from the user object, i.e. the task is only executed after the task referenced from MX_DEL_MEMBER_TASK has completed and the privilege has been removed.

MX_MODIFYTASK

This is a task reference attribute defined on the MX_PRIVILEGE entry type and in the repository templates. It is called when the entry is modified and the user has the given privilege. The attribute holds the number of the task to be executed.

The modify task will only be started if:

The MX_PROVISIONTASK is not defined, or the last execution of the provisioning task has status OK.

The MX_MODIFYTASK_ATTR is missing, or one of the changed attributes is on the list of defined attributes.

MX_MODIFYTASK_ATTR

This attribute is a multi-value attribute reference holding a list of attributes which should start/trigger the modify task. The modify task will be executed only if one of the attributes on the list is modified. The attribute is only defined on the MX_PRIVILEGE entry type (not supported on the repository definition).

MX_REPOSITORYNAME

Using the attribute MX_REPOSITORYNAME, the privileges can reference the repository definitions. Repository definitions again can hold references to provisioning tasks, which makes the provisioning processes more efficient. Repository definitions hold among others the following constants:

MX_ADD_MEMBER_TASK, MX_DEL_MEMBER_TASK, MX_VALIDATE_ADD_TASK, MX_VALIDATE_DEL_TASK, MX_PROVISIONTASK, MX_DEPROVISIONTASK and MX_MODIFYTASK.

MX_VALIDATE_ADD_TASK

This MX_PRIVILEGE attribute holds the reference to the task used for validation of the add member event task. It is checked whether the authorization for the execution of the task and thus the privilege assignment exists, i.e. the task is used to verify that the add operation is allowed for the given entry. This can be done through an approval where a list of approvers is defined for the task (an alternative to using MX_ADD_MEMBER_TASK for approvals), or a request sent to GRC Access Control.

Legal values of the attribute are:

<NULL> (empty/not defined): The task does not exist, meaning that it should be inherited from the validation repository definition given by MX_REPOSITORY_VALIDATE (if any).

<-1>: Do not validate (independent of other validation settings).

<TASK NUMBER>: Execute this task as the validation task for add member event task. The add member event task will not be performed unless this task completes successfully.

The task returns either true or false.

MX_OFFSET_VALIDATE_ADD

The numeric single-value attribute MX_OFFSET_VALIDATE_ADD holds the time for the execution of the MX_VALIDATE_ADD_TASK. The legal values for this attribute are:

0: On ValidFrom

-1: Immediately

N: N days before ValidFrom

MX_VALIDATE_DEL_TASK

This MX_PRIVILEGE attribute holds the reference to the task used for validation of the remove member event task. It is checked whether the authorization for the execution of the task and thus the privilege de-assignment exists, i.e. the task is used to verify that the remove operation is allowed for the given entry. This may be done through an approval where a list of approvers is defined for the task (an alternative to using MX_ADD_MEMBER_TASK for approvals – see section Approval attributes on page 58), or a request sent to GRC Access Control.

<NULL> (empty/not defined): The task does not exist, meaning that it should be inherited from the validation repository definition given by MX_REPOSITORY_VALIDATE (if any).

<-1>: Do not validate (independent of other validation settings).

<TASK NUMBER>: Execute this task as the validation task for remove member event task. The remove member event task will not be performed unless this task completes successfully.

The task returns either true or false. MX_VALIDATE_DEL_TASK is always executed "Immediately".

MX_REPOSITORY_VALIDATE

This MX_PRIVILEGE attribute holds the reference to the repository definition used for the execution of the validation task (validating the add member/remove member event task).

MX_MOD_VALIDITY_TASK

This single-value task reference attribute is used to perform a change in validity and update all target systems.

Each assignment has a separate validity and it is possible to have multiple validities for the same assignment. When inheriting assignments with validity, overlapping validities are combined.

MX_VALIDATE_MOD_VALIDITY_TASK

The single-value task reference attribute MX_VALIDATE_MOD_VALIDITY_TASK is used to validate whether the validity modification defined is allowed or not. The task is always executed "Immediately".

MX_LINK_EXPIRY_NOTIFICATION

This single-value task reference attribute is used to notify about the active assignment (link user/role or user/privilege) which is about to expire, e.g. informing a user (by e-mail for example) so he/she can react or automatically send to a manager for re-approval.

MX_OFFSET_LINK_EXPIRY

The numeric single-value attribute MX_OFFSET_LINK_EXPIRY holds the time for the execution of the MX_LINK_EXPIRY_NOTIFICATION. The legal values for this attribute are:

0: On ValidTo

-1: Immediately

N: N days before ValidTo

MX_ASSIGNMENT

The MX_ASSIGNMENT is an entry reference, multi-value attribute defined for the entry type MX_PERSON. Its purpose is to hold all assignments for a given user, both roles and privileges. The attribute is used by User Interface tasks only and is recommended in cases where you either need or want more information about the assignments than provided by attributes MX_AUTOROLE, MX_AUTOROLE_DYNAMIC_GROUP, MX_AUTOPRIVILEGE, MXREF_MX_ROLE and MXREF_MX_PRIVILEGE. MX_ASSIGNMENT can be configured (filters can be applied) to display the following information:

Direct assignments only: If this is set, only the direct assignments are shown. Otherwise, all assignments will be shown (direct, inherited and automatic).

Show future: If this is set, only future assignments will be shown and other filters are ignored.

Status, to show entries with given status:

Any (0): shows any status value (i.e. all assignments).

Assigned (1): shows only the assignments that are completed and OK (i.e. assigned).

Not assigned (2): shows only the assignments that have failed for some reason (i.e. pending not included).

This configuration can be done either on the MX_ASSIGNMENT attribute or on the task attribute (i.e. different settings for different tasks for this attribute). In the User Interface, the user can override these values by selecting "Advanced search".

Display of the extended attribute properties context and assignment status in the Identity Management User Interface is possible to define (enable/disable) for this attribute (in addition to validity). Display of the extended attribute property role diagram is not possible to define (enable/disable).

Report request attributes

Entry type MX_REPORT and the corresponding MX_REPORT_ attributes are introduced for report request purposes. The report is executed as an action task on the MX_REPORT entry type. As the report is a task, the task status indicates the progress of the report, i.e. pending, ok or error. Note that the task hierarchy may fail before the actual report task is executed, in which case the task status will be set to error. If it is required to set the error status on the report, this must be done by an "OnError" task or similar. Ordering a report will result in the following process:

The report task will always create a new entry of type MX_REPORT, regardless of the entry type of the task.

The user interface will display the MX_REPORT form, with a header identifying the entry selected for reporting.

Some other values are added automatically:

MX_OWNER: this attribute is set to be the user ordering the report.

MX_REPORT_STATUS: this attribute is hard-coded to "Pending" (if this is used).

MX_REPORT_ENTRY: the attribute is set to reference the selected entry to report on.

Usage of some of the attributes depends on the task created for executing the report.

MX_REPORT_DATE

Date when the report was requested.

MX_REPORT_DESTINATION

This attribute holds the destination where the resulting report is stored. When a report is generated, the result is stored directly in the report object (as one file in the attribute MX_REPORT_RESULT).

MX_REPORT_ENTRY

This attribute holds an entry reference to the object to be reported on.

MX_REPORT_ERRORTEXT

The attribute holds the additional information about the report, in case the report fails.

MX_REPORT_FORMAT

This attribute is used by the user to define the format of the report. The possible formats are PDF, HTML, DOC etc. Initially, only the PDF format is supported.

Contents are defined by the reports.

MX_REPORT_LANGUAGE

Here the language of the report result is defined.

MX_REPORT_RESULT

This attribute holds the full report result.

MX_REPORT_RESULT_REF

This attribute holds a reference to the report result, in case it is stored on a file server.

This will also require a new presentation type.

The attribute is not in use (for future use).

Role and privilege attributes

The privileges are by default inherited upwards in the hierarchy, from the roles lower in the hierarchy (bottom-up, normal inheritance). But it is also possible for privileges to be inherited top-down (reverse inheritance). Three types of privilege references exist:

Inherit down (top-down)

Inherit up (bottom-up)

Inherit none. In this case, you will only get the privilege if the role is assigned directly.

There are two ways a privilege can be assigned to a role:

Role assignment: In this case, the privilege is assigned to the role (by writing the MXREF_MX_PRIVILEGE attribute on the role). The privilege is never inherited to non-role entry types. In this case, the attribute MX_INHERIT on the MX_PRIVILEGE object indicates the inheritance of the privilege in the role hierarchy.

Role member assignment: In this case, the privilege is assigned to the role by defining one of the three attributes on the privilege, one of them being MXREF_MX_ROLE (the privilege is then inherited to members of any child roles). For the other two attributes, see below (MX_RBAC_DIRECT_PRIVILEGE and MX_RBAC_REVERSE_PRIVILEGE). In all cases, the privileges are given to the members of the roles, and not to the roles themselves.

Restrictions to role assignments can be done by using a defined set of attributes. The following functionality is found on a role:

Automatic members ("Must have")

Allowed members ("Can have")

Both references are checked whenever users are added or removed from the entry types in question.

Special rules must be applied when changing role constraints or modifying the role hierarchy. A rule is applied, which dictates that a parent role's constraints must always allow the same or more users than any child role. The role constraints must always be checked when the constraint attributes or the role hierarchy are modified.

Deleting a dynamic group is always OK, as it will not change the "balance" in the parent-child constraints.

Using the attribute MX_REPOSITORYNAME, the privileges can reference the repository definitions. Repository definitions again can hold references to provisioning tasks, which makes the provisioning processes more efficient.

The name of a role and a privilege must be unique within the identity store (MSKEYVALUE). The recommended syntax is:

ROLE:<Role name>

PRIV:<Application name>

Normally, role or privilege assignments are processed immediately on all users that are affected by changes. In most cases, this is the desired behavior. When doing structural changes to roles and privileges that affect multiple entries however, this may be very time consuming and process intensive. One example is a change to a role hierarchy with a large number of roles and thousands of users, which all are assigned inherited roles. In this case, the processing of the data should be controlled and done at a time with low load on the system. The affected entries will be marked with a "dirty" flag to indicate that there are changes involving this entry that must be processed at a later time (reconciliation). As of version 7.2 SP7, the reconciliation of "dirty" entries is done regularly with a scheduled procedure executed by the dispatcher. This means that after a change, it may take some time until all the users affected by the change are updated. Prior to version 7.2 SP7, this behavior was controlled by the global constant MX_RECONCILE, which as of 7.2 SP7 is not in use any more. For more information about the reconciliation and "dirty" flags, see the topic About the identity store in the Help File. For other role and privilege attributes see:

section describing the access control attributes on page 56.

section describing the approval attributes on page 58.

section describing the privilege dependencies attributes on page 81.

section describing the privilege and role assignment attributes on page 82.

section describing the assignment context attributes on page 61.

MX_INACTIVE attribute described on page 94.

MX_GROUPING_DISABLED in section describing the privilege assignment grouping attributes on page 79.

MX_ADDMEM_DISABLE_POLICY and MX_DELMEM_DISABLE_POLICY

These attributes are used to indicate that the MX_ADD_MEMBER_TASK and MX_DEL_MEMBER_TASK should not be executed in the given case(s). Legal values are:

1: do not execute MX_ADD_MEMBER_TASK/MX_DEL_MEMBER_TASK on direct assignment.

2: do not execute MX_ADD_MEMBER_TASK/MX_DEL_MEMBER_TASK on inherited assignment.

4: do not execute MX_ADD_MEMBER_TASK/MX_DEL_MEMBER_TASK on auto-assignment (via dynamic group).

The values can also be combined to define more complex disable policies, e.g. setting "6" (values "2" and "4" combined) as the value for the attributes gives the disable policy where MX_ADD_MEMBER_TASK/MX_DEL_MEMBER_TASK is not executed on inherited assignment and auto-assignment (via dynamic group).

The intention with the function is to allow for better performance, by turning off the pending value object creation when not needed. A typical use case is handling of approvals, where the approvals are wanted on direct but not on indirect (i.e. inherited/auto) assignments.
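Because the member event task is often the approval step, a configuration review usually needs to know on which assignment paths it is switched off. The following added example (not SAP code) decodes the two disable policy attributes for a list of constructed role and privilege records; treating a missing policy as "nothing disabled" and rejecting values outside the documented 1 to 7 range are assumptions.

```python
"""Added example: list the assignment paths on which a member task is skipped."""

PATH_BITS = {"direct": 1, "inherited": 2, "auto": 4}  # values from the page
ALL_BITS = sum(PATH_BITS.values())                    # 7 = all three combined

POLICY_FOR_TASK = {
    "MX_ADD_MEMBER_TASK": "MX_ADDMEM_DISABLE_POLICY",
    "MX_DEL_MEMBER_TASK": "MX_DELMEM_DISABLE_POLICY",
}


def skipped_paths(value):
    """Decode a disable policy value into the set of paths it switches off."""
    if value in (None, ""):
        return set()  # assumption: attribute missing means nothing is disabled
    policy = int(value)  # raises ValueError for non-numeric values
    if policy < 1 or policy > ALL_BITS:
        raise ValueError(f"illegal disable policy {value!r}")
    return {path for path, bit in PATH_BITS.items() if policy & bit}


def audit(entries):
    """Return one finding per member task that is defined but skipped somewhere."""
    findings = []
    for entry in entries:
        for task_attr, policy_attr in POLICY_FOR_TASK.items():
            if entry.get(task_attr) in (None, "-1"):
                continue  # no task on this entry, so there is nothing to skip
            skipped = skipped_paths(entry.get(policy_attr))
            if skipped:
                findings.append({
                    "entry": entry["MSKEYVALUE"],
                    "task": task_attr,
                    "skipped_on": sorted(skipped),
                    "runs_on": sorted(set(PATH_BITS) - skipped),
                })
    return findings


# Constructed sample records (names and task numbers are made up).
SAMPLE = [
    {"MSKEYVALUE": "PRIV:ERP_FI_AP", "MX_ADD_MEMBER_TASK": "1002",
     "MX_ADDMEM_DISABLE_POLICY": "6"},
    {"MSKEYVALUE": "PRIV:HR_VIEW", "MX_ADD_MEMBER_TASK": "1002"},
    {"MSKEYVALUE": "ROLE:FIN_MANAGER", "MX_ADD_MEMBER_TASK": "1002",
     "MX_ADDMEM_DISABLE_POLICY": "1", "MX_DEL_MEMBER_TASK": "1004",
     "MX_DELMEM_DISABLE_POLICY": "7"},
    {"MSKEYVALUE": "PRIV:MAIL", "MX_ADDMEM_DISABLE_POLICY": "6"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In the sample, ROLE:FIN_MANAGER is the record to look at first: its add member task is skipped on direct assignment, which is the opposite of the typical approval use case described above.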

MX_AUTOROLE

This is a multi-value role reference attribute holding a complete list of all roles assigned to an entry. The attribute is maintained by the system and should never be updated by external applications.

Note: Do not edit this attribute.

As of SAP NetWeaver Identity Management version 7.2 SP2, the display of the extended attribute properties context, assignment status and role diagram in the Identity Management User Interface is possible to define (enable/disable) for this attribute (in addition to validity).

In cases where you need or want more information about the assignments than provided by this attribute, use the attribute MX_ASSIGNMENT described on page 87.

MX_AUTOROLE_DYNAMIC_GROUP

This is a multi-value role reference attribute holding a list of roles which are assigned as a result of dynamic group memberships.

Note: Do not edit this attribute.

The display of the extended attribute properties context, assignment status and role diagram in the Identity Management User Interface is not possible to define (enable/disable) for this attribute, i.e. only validity available.

In cases where you need or want more information about the assignments than provided by this attribute, use the attribute MX_ASSIGNMENT described on page 87.

MX_AUTOPRIVILEGE

This is a multi-value privilege reference attribute that holds a list of automatically added privileges on the entry (e.g. inherited privileges).

Note: Do not edit this attribute.

As of SAP NetWeaver Identity Management version 7.2 SP2, the display of the extended attribute properties context and assignment status in the Identity Management User Interface is possible to define (enable/disable) for this attribute (in addition to validity). Display of the extended attribute property role diagram is not possible to define (enable/disable).

In cases where you need or want more information about the assignments than provided by this attribute, use the attribute MX_ASSIGNMENT described on page 87.

MX_INHERIT

This attribute replaces the MX_GROUP_INHERITANCE attribute and it indicates how the privilege is inherited in the role hierarchy. It is a string, which can have one of the following values:

Base: The privilege is only given to the role. (Default, used if the attribute is missing)

One: The privilege is given to the role and all immediate children.

Sub: The privilege is given to all child roles in the hierarchy.

Reverse-one: The privilege is given to the role and all immediate children, but in the opposite direction of the direction of "One".

Reverse-sub: The privilege is given to all child roles in the hierarchy, but in the opposite direction of the direction of "Sub".

MX_RBAC_DIRECT_PRIVILEGE

MX_RBAC_DIRECT_PRIVILEGE is a multi-value role reference attribute defined on a privilege. It indicates that the privilege has a direct reference to the role(s) (no inheritance) and thus the privilege is given to the members of the specified role(s) only. The global constant MX_DIRECT_PRIVILEGE specifies whether the direct privilege inheritance is used in the configuration or not. If not used, the global constant is set to FALSE (set to FALSE by default for new installations). It is strongly recommended to avoid using direct privilege inheritance and set the MX_DIRECT_PRIVILEGE to FALSE for performance optimization. For more information, see the topic About performance optimization in the Help File.

MX_RBAC_REVERSE_PRIVILEGE

MX_RBAC_REVERSE_PRIVILEGE is a multi-value role reference attribute defined on a privilege. It indicates that the privilege is inherited to members of any parent roles. Due to performance considerations, this should only be used if explicitly necessary. The reverse inheritance is disabled by default for new installations, i.e. the global constant MX_PRIVILEGE_REVERSE is set to FALSE for performance reasons. To enable the reverse inheritance set the global constant to TRUE, but this is not recommended as it degrades the system performance. For more information, see the topic About performance optimization in the Help File.

MX_ROLE_AUTOASSIGN_TO

This attribute is a multi-value reference to a MX_DYNAMIC_GROUP object, and references the entries which MUST have this role – a list of users for which the given role is mandatory. This means that it should be assigned automatically for a user satisfying the given criteria (automatic members).

A dynamic group can only be referenced by one role using this attribute.

Note that if a user is not an allowed member (due to not being member of the allowed members list/being member of the not-allowed members list), then this has precedence over the automatic members.

The changes made to this attribute will result in a "dirty" flag being set on all user entries affected by the change, indicating reconciliation at a later time (performed by scheduled procedure, executed by the dispatcher). For more, see the topic About the identity store in the Help File.

MX_ROLE_ALLOWED_FOR

Restrictions to role assignments can be done using the attribute MX_ROLE_ALLOWED_FOR. This multi-value attribute holds references to entries that may have this role ("Can have"), a list of MSKEYS for which this role is allowed.

If the reference is pointing to roles, privileges or (dynamic) groups, this means the members of the given object. As long as a user is a member of at least one role/privilege/group, the role is allowed for that user.

Note that the allowed members list is in addition to the exclusive roles ("Segregation of duties"). Even though a user is on the allowed-list, the role may not be allowed, as a result of the exclusive roles.

Note also that if a user is not an allowed member (due to not being member of the allowed members list), then this has precedence over the automatic members.

The changes made to this attribute will result in a "dirty" flag being set on all user entries affected by the change, indicating reconciliation at a later time (performed by scheduled procedure, executed by the dispatcher). For more, see the topic About the identity store in the Help File.

MX_ROLE_ALLOWED_FOR_REVERSE

This is a reverse operator for MX_ROLE_ALLOWED_FOR. MX_ROLE_ALLOWED_FOR_REVERSE is a flag, a Boolean value that negates the allowed-for attribute. In other words, when set it indicates that the MX_ROLE_ALLOWED_FOR should hold a list of MSKEYS of users for which the given role is not allowed ("Can't have").

Note that if a user is not an allowed member (due to being member of the not-allowed members list), then this has precedence over the automatic members.

The changes made to this attribute will result in a "dirty" flag being set on all user entries affected by the change, indicating reconciliation at a later time (performed by scheduled procedure, executed by the dispatcher). For more, see the topic About the identity store in the Help File.

MX_EXCLUDEROLE

The MX_EXCLUDEROLE is a multi-value role reference attribute. It is used to implement the segregation of duties – it indicates other roles which cannot be added to a user simultaneously.
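How the four role constraint attributes combine for a single user can be sketched as below. This is an added example, not SAP code: the role, group and user names are constructed, the `members` mapping stands in for resolved role/privilege/group memberships, and three points are assumptions the reference does not state (an empty MX_ROLE_ALLOWED_FOR means no restriction, MX_EXCLUDEROLE is checked in both directions, and an exclusive role also blocks an automatic assignment).

```python
"""Added example: evaluate the role constraint attributes for one user."""


def is_allowed(role, user, members):
    """MX_ROLE_ALLOWED_FOR, negated when MX_ROLE_ALLOWED_FOR_REVERSE is set."""
    refs = role.get("MX_ROLE_ALLOWED_FOR", [])
    if not refs:
        return True  # assumption: no list means no restriction
    # A reference is either the user's own MSKEY or an object whose members count.
    listed = any(user == ref or user in members.get(ref, ()) for ref in refs)
    return not listed if role.get("MX_ROLE_ALLOWED_FOR_REVERSE") else listed


def is_automatic(role, user, members):
    """True when the user is in a dynamic group named by MX_ROLE_AUTOASSIGN_TO."""
    groups = role.get("MX_ROLE_AUTOASSIGN_TO", [])
    return any(user in members.get(group, ()) for group in groups)


def sod_conflicts(role_name, roles, held):
    """Roles already held that exclude role_name, or that role_name excludes."""
    excluded = set(roles[role_name].get("MX_EXCLUDEROLE", []))
    return sorted(
        other for other in held
        if other in excluded
        or role_name in roles.get(other, {}).get("MX_EXCLUDEROLE", [])
    )


def evaluate(role_name, user, roles, members, held=()):
    """Decide whether role_name may be (or must be) assigned to user."""
    role = roles[role_name]
    automatic = is_automatic(role, user, members)
    # Not being an allowed member has precedence over the automatic members.
    if not is_allowed(role, user, members):
        return {"decision": "denied", "reason": "not an allowed member",
                "automatic": automatic}
    conflicts = sod_conflicts(role_name, roles, held)
    if conflicts:
        return {"decision": "denied", "automatic": automatic,
                "reason": "excluded by " + ", ".join(conflicts)}
    return {"decision": "auto-assign" if automatic else "allowed",
            "reason": "", "automatic": automatic}


def shared_autoassign_groups(roles):
    """Dynamic groups referenced by more than one role (only one is permitted)."""
    seen = {}
    for name, role in roles.items():
        for group in role.get("MX_ROLE_AUTOASSIGN_TO", []):
            seen.setdefault(group, []).append(name)
    return {group: sorted(names) for group, names in seen.items() if len(names) > 1}


# Constructed sample data.
MEMBERS = {
    "DG:FINANCE_STAFF": {"alice", "bob"},
    "DG:CONTRACTORS": {"bob", "carol"},
    "DG:ALL_EMPLOYEES": {"alice", "bob", "dave"},
}
ROLES = {
    "ROLE:AP_CLERK": {
        "MX_ROLE_ALLOWED_FOR": ["DG:FINANCE_STAFF"],
        "MX_ROLE_AUTOASSIGN_TO": ["DG:ALL_EMPLOYEES"],
        "MX_EXCLUDEROLE": ["ROLE:AP_APPROVER"],
    },
    "ROLE:AP_APPROVER": {
        "MX_ROLE_ALLOWED_FOR": ["DG:CONTRACTORS"],
        "MX_ROLE_ALLOWED_FOR_REVERSE": True,
    },
}

if __name__ == "__main__":
    print(evaluate("ROLE:AP_CLERK", "dave", ROLES, MEMBERS))
    print(evaluate("ROLE:AP_APPROVER", "alice", ROLES, MEMBERS, held=["ROLE:AP_CLERK"]))
```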

Other attributes

MX_DISABLED

The main purpose of MX_DISABLED (on MX_PERSON entry type) is to enable/disable logon in general.

Therefore setting this attribute should usually trigger a lock-account-task to all target systems of the identity - at least to the AS Java which is used for the SAP NW IdM User Interface.

MX_IDENTITY_CATEGORY

This single-value, numeric MX_PERSON attribute is used in connection with the licensing measurement reporting, reporting the number of identities in use in the system. For more information about license auditing services, e.g. System Measurement (USMM) and License Administration Workbench (LAW), see URL http://service.sap.com/licenseauditing on SAP Service Marketplace (select "Documentation" link on the page for process overview and Measurement Guides).

The attribute stores identity category information about a user being internal or external. The following numeric values are valid:

0 (or missing): identity category undefined

1: internal identity

2: external identity

>2: for future use

By default, the entry type MX_PERSON is used to hold identities, but it is possible to create own entry types for this purpose. When creating a new entry type in the Identity Center Management Console, it is possible to define whether the new entry type will be holding the identity or not. If you create a new identity entry type, make sure that you add the attribute MX_IDENTITY_CATEGORY to the entry type.

MX_INACTIVE

The main purpose of the MX_INACTIVE attribute is to define identity entries (entries with the entry type MX_PERSON or a custom entry type defined as an "Identity" entry type) as inactive. This can be done in a User Interface task or in a pass which uses the identity store as the source.

Setting an entry to inactive has the same effect as deleting it, i.e. the attribute triggers the de-provisioning task for all target systems of the identity. Depending on the type of a specific target system, the de-provisioning task deletes or locks the user account.

An inactive entry will be invisible, except when explicitly asked for otherwise (e.g. through tasks implemented for managing the inactive entries).

Note: You cannot log in to the User Interface with an inactive identity entry.

Note: Inactive entries may have roles and privileges.

As of SAP NetWeaver Identity Management 7.2 SP9 inactive entries may be updated, for instance to maintain information while an employee is on leave of absence. The following rules apply when updating inactive entries:

No event tasks (attributes/entry types/member event handling) are executed as a result of the updates until the entry is reactivated.

When maintaining assignments, the role is assigned to the user, but no further processing is done until the entry is reactivated.

When the entry is reactivated, the assignments are recalculated based on the role hierarchy at the time of reactivation.

To restore an entry, remove the MX_INACTIVE attribute, either by updating the entry with a task in the Identity Management User Interface or by setting the value to an empty string in a To identity store pass.


When running a job where the identity store is the source, you must specify whether you want inactive entries included or not. This applies to the User Interface tasks as well.

MX_(ADDRESS_/COMMUNICATION_)LANGUAGE

Legal values for the attribute MX_LANGUAGE are ISO 639 two-letter language codes. Some examples are presented in the table below.

Language code Name of language

no Norwegian

nn Norwegian (Nynorsk)

nb Norwegian (Bokmål)

en English

de German

fr French

it Italian

es Spanish

ja Japanese

ru Russian

sv Swedish

da Danish

The same legal values apply for the attributes MX_ADDRESS_LANGUAGE (on MX_COMPANY_ADDRESS) and MX_COMMUNICATION_LANGUAGE (on MX_PERSON).

MX_LANGUAGE_COUNTRY, MX_ADDRESS_COUNTRY and MX_ADDRESS_POBOX_COUNTRY

The legal values of these three attributes are defined by ISO 3166 and are 2-letter country codes. Some examples are presented in the table below.

Country code Name of country

NO Norway

DE Germany

GB United Kingdom

FR France

ES Spain

SE Sweden

DK Denmark

IT Italy


JP Japan

RU Russian Federation

US United States of America (USA)

BR Brazil

NL The Netherlands

CA Canada

MX_LANGUAGE_COUNTRY is defined on MX_PERSON entry type, MX_ADDRESS_COUNTRY on MX_COMPANY_ADDRESS and MX_PERSON entry types, and MX_ADDRESS_POBOX_COUNTRY on MX_COMPANY_ADDRESS entry type.

MX_USER_PREFS

The attribute MX_USER_PREFS (on MX_PERSON entry type) is defined to hold user specific preferences in the SAP NW IdM User Interface.

The generic syntax for user preferences is:

UserPreferences ::= *[UserPreference]
UserPreference ::= Key "=" Value NEWLINE
Key ::= KeyString
KeyString ::= 'A'..'Z' | 'a'..'z' | '.' | '-' | '_'
-- Case is ignored for Key
Value ::= String

The information is normally updated by the User Interface but can be edited as text information in any task.

The defined keys will use the Java property file syntax and are the following:

Name Key Comments

Favorite tasks Favorite.<Entry type>.<Num> This key is used to hold the information about a favorite button.

<Entry type> is the MSKEYVALUE of the entry type.

<Num> is a numeric value.

.TaskID This parameter holds the numeric task identifier.

.Caption The parameter holds the caption for the favorite. This may also be a string starting with #MX_, in which case the User Interface will look it up in the language file.

If this parameter is missing, the display name of the task will be used.


.Position This parameter indicates the order of the favorite buttons. It is a numeric value where 1 indicates the leftmost button.

If the parameter is missing, the button will be added at the rightmost position.

Examples:

Favorite.MX_PERSON.1.TaskId=42
Favorite.MX_PERSON.1.Caption=Edit user
Favorite.MX_PERSON.1.Position=1
Favorite.MX_PERSON.2.TaskId=24
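Because MX_USER_PREFS can be edited as free text in any task, code that consumes it should parse the value strictly. The parser below is an added example, not SAP's implementation: it handles only the Key=Value lines and the Favorite keys described above, and the function name, the result layout, the sample lines beyond the page's four examples, and the tie-break on <Num> are assumptions.

```python
import re

# Constructed sample MX_USER_PREFS value: the page's four example lines plus
# constructed lines with mixed-case keys and invalid input.
SAMPLE_PREFS = """\
Favorite.MX_PERSON.1.TaskId=42
Favorite.MX_PERSON.1.Caption=Edit user
Favorite.MX_PERSON.1.Position=1
Favorite.MX_PERSON.2.TaskId=24
favorite.mx_person.7.TASKID=77
Favorite.MX_PERSON.7.Caption=#MX_EXAMPLE_CAPTION
Favorite.MX_PERSON.7.Position=2
Favorite.MX_PERSON.3.TaskId=31
Favorite.MX_PERSON.3.Position=1x
Favorite.MX_PERSON.4.TaskId=twenty-four
Favorite.MX_PERSON.x.TaskId=5
"""

# Favorite.<Entry type>.<Num>.<parameter>, matched on the lower-cased key.
KEY_RE = re.compile(r"favorite\.([a-z0-9_-]+)\.(\d+)\.(taskid|caption|position)")
NUMERIC = re.compile(r"[0-9]+")


def parse_favorites(prefs):
    """Return (favorites ordered left to right, rejected lines).

    A caption of None means the caller shows the task's display name.
    """
    slots, rejected = {}, []
    for line in prefs.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")       # split at the first "="
        m = KEY_RE.fullmatch(key.strip().lower())   # case is ignored for Key
        if not sep or not m:
            rejected.append(line)
            continue
        etype, num, param = m.group(1).upper(), int(m.group(2)), m.group(3)
        slot = slots.setdefault((etype, num), dict(
            entry_type=etype, num=num, task_id=None, caption=None, position=None))
        if param == "caption":
            slot["caption"] = value.strip()
        elif NUMERIC.fullmatch(value.strip()):      # TaskID and Position are numeric
            slot["task_id" if param == "taskid" else "position"] = int(value.strip())
        else:
            rejected.append(line)
    # A favorite without a valid numeric TaskID cannot be rendered; drop it.
    favorites = [s for s in slots.values() if s["task_id"] is not None]
    # Missing Position sorts rightmost; ties fall back to <Num> (an assumption).
    favorites.sort(key=lambda s: (s["position"] is None, s["position"] or 0, s["num"]))
    return favorites, rejected
```
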


Section 3: User defined attributes

In addition to Identity Center defined attributes, it is possible to define your own attributes. Adding user defined attributes to the identity store is straightforward. Select Identity store schema\Attributes under the desired identity store in your Identity Center user interface, and then New\Identity store attribute… to provide the necessary information and add the user defined attribute.

When adding user defined attributes, you should:

Never let the attribute name start with "MX" or "SAP" (never start a user defined MSKEYVALUE with "MX_"). You would typically use your own prefix for all user defined attributes.

Be cautious about changing, and in general avoid changing, the attribute definitions of already existing attributes.


Section 4: Repository constants

When defining a repository definition using a template in SAP NetWeaver Identity Management Identity Center, the specified values are stored as repository constants (or variables). The values for the repository constants are used to access the data source and they are available from the context menu in the passes that reference this repository definition, or any pass that inherits a repository definition from one of its parent tasks.

Repository constants are only available within the Identity Center and they are called using the following syntax:

%rep.<constant>%

From scripts, the repository constants can only be referenced by using the uGetConstant function.

Below, the available core common repository constants in the Identity Center are listed:

Constant name Description/Values P(rivilege)/R(ole)

MX_ADD_MEMBER_TASK See page 83. P/R

MX_CTX_AUTO_STRATEGY See page 62. P

MX_DEL_MEMBER_TASK See page 84. P/R

MX_DEPROVISIONTASK See page 85. P

MX_LINK_EXPIRY_NOTIFICATION See page 87. P/R

MX_MOD_VALIDITY_TASK See page 86. P/R

MX_MODIFYTASK See page 85. P/R

MX_OFFSET_ADD_MEMBER See page 84. P/R

MX_OFFSET_LINK_EXPIRY See page 87. P/R

MX_OFFSET_VALIDATE_ADD See page 86. P/R

MX_PRIV_GROUPING_RULE Used to define the grouping for the privileges for given repository definition. Legal values:

- 0: No grouping
- P:0 All grouped in one request
- P:1 Grouped by operation
- P:2 Grouped by system
- P:3 Grouped by system and operation
- P:4 Grouped by privilege property only
- P:5 Grouped by privilege property and operation
- P:6 Grouped by privilege property and system
- P:7 Grouped by privilege property, system and operation

See section Grouping of privileges in document SAP NetWeaver Identity Management Compliant provisioning using SAP Access Control Configuration Guide for more. -

MX_PROVISIONTASK See page 84. P/R


MX_REQ_PRIV See section on privilege dependencies attributes on page 81. P

MX_REQ_PRIV_INTERVAL Not in use (as of SAP NetWeaver Identity Management 7.2 SP9). P

MX_REQ_PRIV_NOMASTER_TASK See section on privilege dependencies attributes on page 81. P

MX_REQ_PRIV_PCYADD_MISSING Not in use (as of SAP NetWeaver Identity Management 7.2 SP9). P

MX_REQ_PRIV_PCYADD_PENDING Not in use (as of SAP NetWeaver Identity Management 7.2 SP9). P

MX_REQ_PRIV_PCYADD_REMOVING Not in use (as of SAP NetWeaver Identity Management 7.2 SP9). P

MX_REQ_PRIV_TIMEOUT See section on privilege dependencies attributes on page 81. P

MX_VALIDATE_ADD_TASK See page 85. P/R

MX_VALIDATE_DEL_TASK See page 86. P/R

MX_VALIDATE_MOD_VALIDITY_TASK See page 87. P/R

REPOSITORY_TYPE String value indicating the type of repository definition. Value examples: LDAP, ABAP, SUN, JAVA, DUALABAP, GRC, NOTIFICATION. -

Repository constants for repository definitions used by SAP provisioning framework come in addition. For more information about repository constants for the SAP provisioning framework, see Appendix A: Repository constants in document SAP NetWeaver Identity Management Identity Management for SAP System Landscapes: Configuration Guide.