SAP NetWeaver® Identity Management Identity Center Provisioning framework for Lotus Notes Configuration Guide Version 7.0 Rev 1


© Copyright 2008 SAP AG. All rights reserved.

SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, Excel, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Preface

The product SAP NetWeaver Identity Management Identity Center is a high-end identity management solution, capable of handling a large number of repositories containing an unlimited amount of information. The Identity Center offers a robust, flexible and scalable high-availability solution for workflow, provisioning, data synchronization and joining for a large number of data repositories.

Using the Notes connector makes it possible for the SAP NetWeaver Identity Management to provision users and groups to Lotus Notes and Domino server. This is done by implementing a provisioning solution based on templates in the Identity Center. The solution integrates with the Provisioning framework for SAP Systems, facilitating the usage of other backend systems as well.

The reader

This manual is intended for people who wish to implement a provisioning solution for Lotus Notes and Domino server using the Provisioning framework for Lotus Notes in the Identity Center.

Prerequisites

To get the most benefit from this manual, you should have the following knowledge:

• Knowledge of the Identity Center.

• Knowledge of the Lotus Notes and Domino server.

The following software is required:

• Windows 2000, NT or 2003 server.

• SAP NetWeaver Identity Management Identity Center 7.0 SP2 (or newer) is correctly installed and licensed.

• Lotus Notes 7.0 installed on the same machine as the Identity Center.

• Lotus Domino server.

• The Provisioning framework for SAP Systems is installed and properly configured.

The manual

This document describes the process of integrating Lotus Notes/Domino with SAP NetWeaver Identity Management.

Related documents

You can find useful information in the following documents:

• Identity Management for SAP System Landscapes: Architectural Overview

• Identity Management for SAP System Landscapes: Configuration Guide

Table of contents

Introduction
    Section overview
Framework overview
    Entry types
    Attributes
    Tasks and jobs
Working with the framework: Process overview
    The jobs
    Notes Provisioning
    Notes Deprovisioning
    Notes Modify
Preparing the import
    Lotus Notes setup
    Preparing the Identity Center for the Lotus Notes integration
Importing the framework
    Importing the Lotus Notes Schema Definition
    Importing the Provisioning framework for Lotus Notes
Configuring the framework
    Creating and configuring the Notes repository definition
    Creating Notes Service jobs
    Adding the repository definition to the tasks
    Configuring event triggers
    Configuring the Workflow
Adding new attributes and objects
    Adding new attributes
    Adding new objects

Introduction

This document describes how you integrate SAP NetWeaver Identity Management and Lotus Notes/Domino.

Using this solution, SAP NetWeaver Identity Management can provision users and groups to a Lotus Domino server. The solution integrates with the Provisioning framework for SAP Systems, which makes it possible to use the other backend systems as well. The configuration is only loosely related to the Provisioning framework for SAP Systems: with some adaptation it can work without it. This document, however, focuses on how to integrate into the framework.

The configuration process described in this document consists of:

• Importing preconfigured objects using templates.

• Manually configuring the imported objects.

Figure 1 Architecture

Section overview

• Framework overview: In this section you get an overview of the framework: which entry types, attributes, and tasks and jobs it contains.

• Working with the framework: Process overview: This section describes the provisioning, deprovisioning and modifying processes, and the jobs and tasks that make it possible.

• Preparing the import: The preparations that are necessary in order to make the import process as smooth as possible are described in this section.

• Importing the framework: In this section you see how to import the schema definition and the framework.

• Configuring the framework: The manual configurations after the import are described in this section.

• Adding new attributes and objects: This section shows how you can add new Notes attributes and objects.

Framework overview

The Provisioning framework for Lotus Notes provides a set of templates that you can reference when you implement the provisioning solution for your Lotus Domino server.

Before you start working with the templates and creating the jobs, you should familiarize yourself with the structure and contents of the framework. You should be familiar with:

• The entry types that you will be working with.

• The attributes that describe these entry types.

• Tasks and jobs to work with the entry types.

These aspects are described in the sections that follow.

Entry types

The identity store stores the identity data according to a schema that consists of entry types and attributes. The entry types are objects that describe how the different identity-relevant objects are represented in the Identity Center. The schema definition for Lotus Notes provisioning is based on and extends the schema definition for the Provisioning framework for SAP Systems.

The provisioning framework for Lotus Notes provisions users and groups. Because Lotus Notes limits the number of members a group can hold, we recommend handling this limitation with the role concept in the Identity Center, which allows a hierarchical structure. Hence the related MX_PERSON and MX_ROLE entry types have been extended with a minimum set of Notes attributes. An additional entry type, MX_NOTES_ADMINP_REQUEST, holds some information about the adminp requests from the Identity Center: it tracks their update status externally in Notes, triggering the updates in the Identity Center.

The entry types used are:

MX_PERSON

This is the entry type used for user objects in the system. The entry type has been extended with a minimum set of Notes attributes.

MX_ROLE

In general, this is the entry type used for business role objects. However, in the Provisioning framework for Lotus Notes MX_ROLE is also used to store Notes groups. Since Notes groups have a limitation for the number of group members, the hierarchical structure of roles allows for Notes groups to be subdivided. Therefore, Notes groups are also roles.

The entry type has been extended with a minimum set of Notes attributes.

MX_NOTES_ADMINP_REQUEST

This entry type holds some information about the adminp requests from the Identity Center. It tracks their update status externally in Notes, triggering the updates in the Identity Center (for example, a user rename where you do not want to update the Identity Center entry before it has actually taken place in Notes).

Attributes

The schema used by the provisioning framework for Lotus Notes contains a number of attributes that are used to describe the entry types. This is only a minimum set of attributes, and additional attributes can be added. The section Adding new attributes and objects, at the end of this document, shows you how. A complete list of the available attributes can be seen in the Identity Center's identity store.

Lotus Notes specific attributes in the schema definition are shown in the table below:

| Attribute | Description | Used by entry type |
|---|---|---|
| MX_NOTES_AUTHOR | The user that initiated the request. | MX_PERSON, MX_ROLE |
| MX_NOTES_COUNTRYCODE | Two-letter country code, e.g. DE. | MX_PERSON |
| MX_NOTES_EVENT_STARTPROCESSING | Event trigger attribute; triggers the workflow. | MX_PERSON |
| MX_NOTES_FULLNAME | Entry's full name, which also represents the entry's location, e.g. cn=Torkil Torkilsen/o=sap. | MX_PERSON, MX_NOTES_ADMINP_REQUEST |
| MX_NOTES_LASTNAME | Entry's last name (e.g. Torkilsen). If a user with the same username already exists, a counter is appended to the last name to ensure it is unique. | MX_PERSON |
| MX_NOTES_MAILDOMAIN | Entry's mail domain. | MX_PERSON |
| MX_NOTES_MAILFILE | Entry's mail file (e.g. mail\TTork). | MX_PERSON |
| MX_NOTES_MAILSERVER | The IP address of the mail server. | MX_PERSON |
| MX_NOTES_MAILSYSTEM | The user's mail system, such as Notes, CcMail, Vim. | MX_PERSON |
| MX_NOTES_NEW_PASSWORD | Temporary attribute for storing the user's new password during the password change operation. | MX_PERSON |
| MX_NOTES_NOTEID | The ID of the Note in Notes. | MX_PERSON, MX_ROLE, MX_NOTES_ADMINP_REQUEST |
| MX_NOTES_ORG | Organization of the user. | MX_PERSON |
| MX_NOTES_ORGUNIT | Organization unit of the user. | MX_PERSON |
| MX_NOTES_OWNER | Owner of the Notes object. | MX_PERSON |
| MX_NOTES_PATH_IDFILE | Local path to the user's ID file. | MX_PERSON |
| MX_NOTES_REGFULLNAME | User's full name used at initial user registration. | MX_PERSON |
| MX_NOTES_SHORTNAME | User's short name (e.g. TTork). | MX_PERSON |
| MX_NOTES_WORKFLOW_OPERATION | Used with MX_NOTES_EVENT_STARTPROCESSING. States the type of operation the workflow should execute. | MX_PERSON |
| MX_NOTES_GROUP_GROUPTYPE | Notes group type, such as multi-group. | MX_ROLE |
| MX_NOTES_GROUP_MEMBERCOUNT | Number of group members. | MX_ROLE |
| MX_NOTES_EVENT_ADMINP_REQUEST | Event trigger attribute. | MX_NOTES_ADMINP_REQUEST |
| MX_NOTES_MODIFIEDTIME | Modification time of the adminp operation. | MX_NOTES_ADMINP_REQUEST |
| MX_NOTES_OLDNAME | User's name before name change. | MX_NOTES_ADMINP_REQUEST |
| MX_NOTES_PROXYACTION | Type of adminp operation. Corresponds to the proxyaction value in Notes (admin4.nsf). | MX_NOTES_ADMINP_REQUEST |
| MX_NOTES_STATUS | Status of the adminp request (OK, PENDING, FAILED). | MX_NOTES_ADMINP_REQUEST |
| ACCOUNTNOTES | Used to tell the Provisioning framework for SAP Systems that this is a Notes user. | MX_PERSON |
| ACCOUNTGROUPNOTES | Trigger attribute on Notes groups to initiate the provisioning of the group. | MX_ROLE |

Tasks and jobs

Task templates

The provisioning framework for Lotus Notes provides a set of task templates that you can refer to when creating the tasks to use for identity management. These templates are divided into the following categories:

• User Forms

This group contains task templates for tasks that are used for setting up the Workflow user interface. The tasks represent the user forms visible from the Workflow interface.

• Application Actions

This group includes task templates that are specific to Lotus Notes. The tasks in this group interact directly with Lotus Notes.

• Workflow

This group contains task templates for tasks that constitute the logic of the provisioning framework.

Job templates

The framework also provides a set of templates that you can use for setting up jobs. The following jobs are supported:

• NOTES – Initial role and privileges

This job will create manager and system roles, and privileges for user and group provisioning.

• NOTES – Initial load

The initial load job retrieves the identity information from the Notes repository and stores it in the identity store in the Identity Center.

• NOTES – Check adminp requests

The job will check Notes for any changes on each pending adminp request and update changes to the Identity Center if the adminp request has finished processing.

• Java-Read Notes table Person

This Java-job will read person objects from the Notes table Person.

• Windows-Read from Notes address book

This Windows-job reads all the objects from the Notes address book.

• Windows-Write to Notes address book

This job will write objects to the Notes address book.

Working with the framework: Process overview

Before executing the framework configuration itself, we take a look at the processes that take place in the provisioning solution offered by this framework, and at the jobs and tasks behind them that make it possible.

The jobs

The Provisioning framework for Lotus Notes provides templates for setting up the jobs. Three jobs are central: NOTES – Initial roles and privileges, NOTES – Initial load and NOTES – Check adminp requests. Running those will get you started when building your provisioning solution for Lotus Notes.

Initial roles and privileges

The execution of the job NOTES - Initial role and privileges is a prerequisite for proper functioning of the rest of the framework. You have to execute this job once, and it should be run as part of the configuration process before loading the identity store with data. The job will do the following:

• Create a user privilege used for provisioning users to Lotus Notes with the Provisioning framework for SAP Systems.

• Create a system role for Notes user assignment.

The job template also inserts three passes in the job, which by default are disabled – "Create Notes Group Privilege", "Create Manager Role" and "Set NOTE_ROLEMANAGER on manager". These are optional and can be enabled if needed. When enabled, these passes will:

• Create a Notes group privilege (PRIV:NOTES:GROUP) for group provisioning.

After the creation of the PRIV:NOTES:GROUP privilege, select "Identity store metadata" in the console tree, and then select "Privileges". Double-click on the PRIV:NOTES:GROUP privilege and select the "Tasks" tab. Under "Modify task trigger attributes", select the attributes MX_NOTES_GROUP_GROUPTYPE, MXMEMBER_MX_PERSON and any other MX_ROLE attribute you want to initiate group updates with. Choose "OK" to save the changes.

• Create a manager role for accessing the Workflow.

• Give the idmadm (administrator) user membership of the manager role. Creating the idmadm user is explained in the section Configuring the identity store.

Initial load

The job NOTES – Initial load reads users and groups from the Notes repository definition to populate the identity store. You can choose to run it only once, or to run it as a scheduled job that synchronizes your Notes and identity store data.

It will do the following:

• Read Notes users and write them to the identity store.

• Read Notes groups and write them to the identity store.

• Append Notes membership to the groups (which actually are roles in the Identity Center).

Alternatively you may read your users from other repositories, and then provision them to Notes by assigning them the role NOTES_SYSTEM_ROLE.

The job template also inserts the passes "Reset user deltas" and "Delete user entries", which by default are disabled. Enable those when needed.

Checking of adminp requests

The NOTES – Check adminp requests job should be scheduled to run at some desired interval.

The job will check Notes for any changes on each pending adminp request and update changes to the Identity Center if the adminp request has finished processing. In this framework we illustrate this concept with adminp rename requests, where the rename request from the Identity Center is not immediate: the Identity Center is only updated after Lotus Notes has successfully renamed the user in Notes.

To set the schedule rule select the job in the console tree and select the wanted rule from the menu in the job's details pane as illustrated below:

Choose "Apply" to confirm your choice of schedule rule.

Notes Provisioning

Whenever a user entry is assigned a PRIV:NOTES:ONLY privilege (either when a user is added or modified in the identity store), the following happens:

• Based on the privilege property MX_PRIVILEGE_TYPE, the framework obtains the repository definition where the connection information is configured. In this particular case, the relevant privilege is of type "NOTES", hence the deduced repository definition is NOTES.

• Each repository definition in the framework contains a variable MX_PROVISIONTASK. In this particular case, it contains the number of the subtask of the Notes Provision folder (from the Workflow folder under the Lotus Notes Provisioning Framework) in the console tree.

This subtask (Check NOTEID for existence) checks if the object already has a Notes ID. If so, this implies that the object already exists in the Lotus Domino server and no provisioning is required.

If the ID does not exist, the next step checks which object type is being provisioned. If it is a user entry, the provisioning starts by pre-initializing the user entry by constructing some attributes that will be required for the user registration.

After the pre-initialization, the creation of the Notes user can take place. If the request succeeds, the Post process user task will set the request to successful. Then the delta information on the user object will be updated. This is important since both pre- and post-processing of the user entry trigger unnecessary modification requests on the user object. This is also why the modification runs with a delay before startup.

Provisioning a Notes group can be done in two ways. It can be done directly by appending the ACCOUNTGROUPNOTES trigger attribute to the user entry, or optionally by assigning the PRIV:NOTES:GROUP privilege, which contains the MX_PROVISIONTASK information itself. In both cases, the provisioning task will be triggered directly without going through the Provisioning framework for SAP Systems.

Notes Deprovisioning

A process similar to the one described above happens whenever a privilege is removed from a user entry:

• Based on the privilege property MX_PRIVILEGE_TYPE, the proper repository definition is obtained (NOTES).

• The task pointed to by the variable MX_DEPROVISIONTASK in the repository definition, the subtask of the Notes Deprovision folder, is executed.

This subtask (Check Deprovision MX_ENTRYTYPE) will first check which object type is to be deprovisioned. If it is a user entry, it will first run a pre-operation where the status is set to DELETE in order to mark the request operation.

Next, the adminp delete operation is carried out towards the Notes server.

You should at this stage be able to see the adminp delete operation being processed in the admin4.nsf database:

After this, a lookup will be carried out to see if the user has been deleted, and if so the MX_NOTES_WORKFLOW_OPERATION attribute will be set to DELETED.

The next task is a conditional task, demonstrating how we could check if the user was actually deleted. This task has however been disabled, as we most likely would like to keep our users even if they are deprovisioned from Notes.

A Notes group is deprovisioned directly by removing the ACCOUNTGROUPNOTES trigger attribute from the user entry, or optionally by revoking the PRIV:NOTES:GROUP. In both cases, the subtask of the Notes Deprovision folder (that is pointed to by the attribute MX_DEPROVISIONTASK stored on the privilege itself) is executed without going through the Provisioning framework for SAP Systems.

You should also here be able to observe the process in admin4.nsf database.

Notes Modify

Whenever a user entry is changed, the Modify event configured on MX_PERSON entry type is triggered and the configured task Modify User is executed. The configured task belongs to the Provisioning framework for SAP Systems. This task, through global script sap_ModifyUser and the type of the repository (extracted from ACCOUNT<NAME> attribute on user entry), executes the following tasks:

• The corresponding provisioning and deprovisioning tasks for changed privileges, if any.

• The configured MX_MODIFYTASK for all other "normal" attributes (Notes Modify user).

The first thing the subtask Check Modify MX_ENTRYTYPE will do is check which object type has been modified.

If a Notes group is modified, the ACCOUNTGROUPNOTES attribute is time stamped, and the attribute triggers the modification update of the group directly without going through the Provisioning framework for SAP Systems. Optionally, if the PRIV:NOTES:GROUP privilege is in use and any of the modify trigger attributes defined on that privilege have changed, the attribute MX_MODIFYTASK (stored on the privilege) makes sure that the subtask of the Notes Modify folder is executed directly without going through the Provisioning framework for SAP Systems.

If the object being modified is a user object, the subtask will first check if this is a password change request. It does so by checking if the attribute MX_NOTES_NEW_PASSWORD has been temporarily set. If this is the case, an adminp request will be sent to change the password. The change password request requires both the old and the new password (this is why the password provisioning must be enabled), and the local ID file. If the password request completes without errors, the new password will be stored in the user object and the temporary password erased.

The next step is to check whether it is a rename or a valid modify request. Basically, this is done by comparing the user object against two delta tables. If valid attributes for a rename request have been set, the MX_NOTES_WORKFLOW_OPERATION will be set to RENAME and the trigger attribute MX_NOTES_EVENT_STARTPROCESSING will trigger the rename request.

Similarly, if it is a modify request, the MX_NOTES_WORKFLOW_OPERATION will be set to EDIT and the MX_NOTES_EVENT_STARTPROCESSING will trigger the modify request.

The MX_NOTES_EVENT_STARTPROCESSING triggers the subtask of Workflow/Person folder (under the Lotus Notes Framework). This checks the workflow operation.

If it is a modify request, the operation is carried out directly. If it is a rename request, then a new object MX_NOTES_ADMINP_REQUEST is created, which contains the essential information about the user and the adminp operation taking place. The object's status is set to pending and the adminp rename request is sent to the Lotus Domino server.

You should be able to see the process taking place in admin4.nsf:

Since the rename request is not immediate, and we cannot know for sure whether the request will be processed ok, we do not rename the user distinguished name before the request has been successfully completed. Instead we frequently poll all the pending adminp requests until their status changes. This is done by the NOTES - Check adminp requests job.

When the status changes, this generates a new modify request of the object MX_NOTES_ADMINP_REQUEST. This checks the ProxyAction variable in order to determine the type of adminp request. Number eight is a rename request. Update adminp rename request is executed, which checks the adminp log to see if the request has completed. If so, it changes the name of the users and sets the adminp request to status ok.
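The deferred rename described above, modelled as a small state machine. This is an added example, not code from the framework or from SAP: the dictionaries stand in for the identity store and for the MX_NOTES_ADMINP_REQUEST entries, the adminp_log mapping with its "completed" and "error" values is a constructed stand-in for a lookup in admin4.nsf, and using MX_NOTES_NOTEID as the lookup key is an assumption.

```python
"""Deferred adminp rename, modelled on the guide's description (added example)."""

PROXYACTION_RENAME = "8"  # the guide: "Number eight is a rename request"


def request_rename(store, requests, old_fullname, new_fullname, note_id):
    """Queue a rename by creating a PENDING MX_NOTES_ADMINP_REQUEST entry.

    The identity store entry is deliberately left under its old name.
    """
    if old_fullname not in store:
        raise KeyError(f"no identity store entry for {old_fullname}")
    request = {
        "MX_NOTES_NOTEID": note_id,  # assumption: identifies the request note
        "MX_NOTES_OLDNAME": old_fullname,
        "MX_NOTES_FULLNAME": new_fullname,
        "MX_NOTES_PROXYACTION": PROXYACTION_RENAME,
        "MX_NOTES_STATUS": "PENDING",
    }
    requests.append(request)
    return request


def check_adminp_requests(store, requests, adminp_log):
    """One run of the polling job; returns the requests whose status changed.

    adminp_log is a constructed stand-in for admin4.nsf:
    {note_id: "completed" | "error"}; a missing key means still processing.
    """
    changed = []
    for req in requests:
        if req["MX_NOTES_STATUS"] != "PENDING":
            continue  # resolved in an earlier run
        if req["MX_NOTES_PROXYACTION"] != PROXYACTION_RENAME:
            continue  # only rename requests are modelled here
        outcome = adminp_log.get(req["MX_NOTES_NOTEID"])
        if outcome is None:
            continue  # Domino has not finished; keep the old name
        if outcome == "completed":
            # Only now is the entry renamed in the identity store.
            entry = store.pop(req["MX_NOTES_OLDNAME"])
            entry["MX_NOTES_FULLNAME"] = req["MX_NOTES_FULLNAME"]
            store[req["MX_NOTES_FULLNAME"]] = entry
            req["MX_NOTES_STATUS"] = "OK"
        else:
            req["MX_NOTES_STATUS"] = "FAILED"  # store keeps the old name
        changed.append(req)
    return changed


def run_demo():
    """Walk two constructed users through three polling runs."""
    old_a, new_a = "cn=Torkil Torkilsen/o=sap", "cn=Torkil Hansen/o=sap"
    old_b, new_b = "cn=Kari Nordmann/o=sap", "cn=Kari Berg/o=sap"
    store = {name: {"MX_NOTES_FULLNAME": name} for name in (old_a, old_b)}
    requests = []
    request_rename(store, requests, old_a, new_a, note_id="NT0001")
    request_rename(store, requests, old_b, new_b, note_id="NT0002")

    timeline = []
    # Run 1: nothing processed yet. Run 2: first rename done. Run 3: second failed.
    for log in ({}, {"NT0001": "completed"},
                {"NT0001": "completed", "NT0002": "error"}):
        check_adminp_requests(store, requests, log)
        timeline.append((sorted(store), [r["MX_NOTES_STATUS"] for r in requests]))
    return timeline


if __name__ == "__main__":
    for names, statuses in run_demo():
        print(statuses, names)
```

The identity store only changes in the run where the log reports completion; a failed or still-pending request leaves the distinguished name as it was.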

Preparing the import

In order to make the import process and execution of necessary steps as smooth as possible, we need to do some preparations. This section covers:

• Lotus Notes setup, and

• Preparing the Identity Center for the Lotus Notes integration.

Lotus Notes setup

You should already have an installed version of the Lotus Notes client library. In order to prepare it for use by the Identity Center, do the following:

• The Lotus Notes framework will generate ID files for the users provisioned to Lotus Notes and maintain them locally. For this, create a folder reserved for these ID files (e.g. C:\Lotus\IDS\<host>\users).

• It will also be necessary to obtain an ID and CERT file for the Identity Management system. For a small test system you can use the admin.id and cert.id generated from the server installation. In real-world scenarios you would likely be given a user with manager privileges and would have to contact your local Notes administrator for access.

• Please verify your Notes connectivity and the ID files through the Lotus Domino Administrator console.

• In order for the Lotus Notes connector to run unattended, copy the file MXEXTPWD.DLL from the Identity Center installation directory (C:\Program Files\SAP\IdM\Identity Center) to the Notes installation directory.

• Add the following line under the "[Notes]" section of the file Notes.ini (located in the Notes installation directory):

EXTMGR_ADDINS=MXEXTPWD.DLL
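
Every add-in listed in EXTMGR_ADDINS is loaded by Notes, so after the edit above it is worth confirming that the setting sits in the [Notes] section, appears once, and lists only the add-ins you expect. The following check is an added example, not part of the SAP guide or product; it assumes the value is a comma-separated list, and the Notes.ini fragments and the name otheraddin.dll are constructed.

```python
EXPECTED_ADDIN = "MXEXTPWD.DLL"  # add-in this guide copies into the Notes directory

# Constructed Notes.ini fragments (not from a real installation).
# "otheraddin.dll" is a made-up name standing in for any other add-in.
INI_AS_IN_GUIDE = "[Notes]\nKitType=1\nEXTMGR_ADDINS=MXEXTPWD.DLL\n"
INI_MERGED = "[Notes]\nKitType=1\nExtMgr_Addins=otheraddin.dll, mxextpwd.dll\n"
INI_DUPLICATE = (
    "[Notes]\nEXTMGR_ADDINS=otheraddin.dll\nKitType=1\n"
    "EXTMGR_ADDINS=MXEXTPWD.DLL\n"
)
INI_MISSING = "[Notes]\nKitType=1\n"


def parse_ini(text):
    """Return (section, key, value) tuples in file order, keeping duplicate keys.

    configparser is avoided on purpose: in strict mode it rejects duplicate
    keys, and a duplicated EXTMGR_ADDINS line is one of the things to report.
    Section and key names are lower-cased so they compare case-insensitively.
    """
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def audit_extmgr_addins(text, allowed=(EXPECTED_ADDIN,)):
    """Audit the EXTMGR_ADDINS setting of a Notes.ini passed in as text.

    Returns the add-ins found in [Notes], whether MXEXTPWD.DLL is among them,
    the add-ins that are not on the allow list, and a list of problems.
    """
    allowed_names = {name.lower() for name in allowed}
    values = [(s, v) for s, k, v in parse_ini(text) if k == "extmgr_addins"]
    in_notes = [v for s, v in values if s == "notes"]

    problems = []
    if not values:
        problems.append("EXTMGR_ADDINS is not set")
    if len(in_notes) < len(values):
        problems.append("EXTMGR_ADDINS is set outside the [Notes] section")
    if len(in_notes) > 1:
        # A second line was appended instead of extending the existing one.
        problems.append("EXTMGR_ADDINS is set more than once in [Notes]")

    # Assumption of this example: the value is a comma-separated list.
    addins = [
        item.strip() for value in in_notes for item in value.split(",")
        if item.strip()
    ]
    # File names are compared case-insensitively, as on Windows. An entry
    # written with a directory path does not match: the guide copies the DLL
    # into the Notes installation directory and refers to it by file name.
    expected_present = any(a.lower() == EXPECTED_ADDIN.lower() for a in addins)
    unexpected = [a for a in addins if a.lower() not in allowed_names]
    if in_notes and not expected_present:
        problems.append(EXPECTED_ADDIN + " is not listed")

    return {
        "addins": addins,
        "expected_present": expected_present,
        "unexpected": unexpected,
        "problems": problems,
    }


if __name__ == "__main__":
    samples = [
        ("as in guide", INI_AS_IN_GUIDE),
        ("merged list", INI_MERGED),
        ("duplicate key", INI_DUPLICATE),
        ("missing", INI_MISSING),
    ]
    for label, ini in samples:
        print(label, audit_extmgr_addins(ini))
```

To audit a real installation, read the Notes.ini file into a string and pass any additional add-ins you have approved through the allowed parameter.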

Preparing the Identity Center for the Lotus Notes integration

In order to make the import process and execution of necessary steps as smooth as possible, we need to do some preparations in the Identity Center.

Adding the global constant EXTPWD

Add the constant "EXTPWD", containing the login password for Notes, in "Global constants" under the "Data Synchronization Engine" node in the Identity Center console tree.

Defining a valid dispatcher

Ensure that you have at least one valid dispatcher. The name should be unique for all your identity store configurations. Both Windows and Java jobs should be defined for it. To make sure that this is the case, do the following:

1. Select "Dispatchers" under the "Management" node in the console tree and expand it.

2. Select the valid dispatcher to reveal its details pane.

3. Select the "Options" tab.

Make sure that the boxes "Run provisioning jobs" and "Run regular jobs" are checked for both the Windows runtime engine and Java runtime engine.

4. Choose "Apply".

Enabling imported jobs

To enable the imported jobs, do the following:

1. Select your Identity Center node in the console tree to review the details pane.

2. Select the "Options" tab in the details pane and do the following:

Check "Enable imported jobs". This will ensure that the imported jobs are enabled. It is possible to enable them later, but the number of jobs makes this impractical.

Select the valid dispatcher in the "Default dispatcher" field.

3. Choose "Apply".

Configuring the identity store

For the identity store where you want to configure the Lotus Notes integration, do the following:

1. Select the "General" tab in the identity store's details pane.

Check "Automatically create attributes".

2. Select the "Workflow" tab.

Select "Identity store" as the authentication method in the "Authentication method" field.

3. Choose "Add user…" to open the "Add Identity store user" dialog box, and fill it in as shown below:

4. Choose "OK" to close the dialog box, and then choose "Apply".

Enabling triple DES encryption of the user passwords

The Lotus Notes framework will use triple DES encryption for the Notes user password, so that the password can be recovered for change password requests. This should be configured in the Identity Center:

1. In the identity store's details pane, select the "Password policy" tab.

Check "Enable password provisioning".

2. Choose "Apply".

3. Select Tools/Options… from the toolbar in the general pane.

Select "3DES" as the encryption algorithm in the "Encryption algorithm" field.

4. Choose "OK".

You will also need to install the key file. This is installed with the Workflow by default, and you can basically copy the Key folder from the directory C:\Program Files\SAP\IdM\Workflow\configs into the Identity Center home directory (C:\Program Files\SAP\IdM\Identity Center). For more details on key file configuration, review the document SAP NetWeaver Identity Management Identity Center: Installing Identity Center Workflow.

Provisioning framework for SAP Systems

Verify that the Provisioning framework for SAP Systems is imported and configured.

For more information about the Provisioning framework for SAP Systems, see https://www.sdn.sap.com/irj/sdn/nw-identitymanagement.

Adding a new value to the MX_PRIVILEGE_TYPE attribute

To add a new value to the MX_PRIVILEGE_TYPE attribute:

1. Expand "Identity store schema" in the console tree and select "Attributes".

2. Find the attribute MX_PRIVILEGE_TYPE and double-click to open the properties dialog box.

Select the "Attribute values" tab in the dialog box and add the legal attribute value "NOTES":

3. Choose "Add" and then "OK" to add the value and close the dialog box.

The global constant SAP_MASTER_IDS_ID

Make sure that the global constant SAP_MASTER_IDS_ID points to the correct identity store.

MXVBNotes.dll and MXNotes.dll

Note that if you are upgrading your Identity Center, you need to make sure that there are no old versions of MXVBNotes.dll and MXNotes.dll on your system. By default, they are copied to %SYSTEM_ROOT% by the installation script.

Importing the framework

In this section we will import the schema definition, with the entry types and their attributes.

We will also import the specific tasks for the Lotus Notes provisioning, which are divided into three subfolders: User Forms, Application Actions and Workflow.

Since the provisioning framework is extended with only a minimum of Notes attributes, the section Adding new attributes and objects describes how you extend the framework with additional Notes attributes and objects.

Importing the Lotus Notes Schema Definition

To import the schema provided with the Provisioning Framework for Lotus Notes, do the following:

1. Select the "Identity store schema" in the console tree and select "Import schema…" from the context menu.

2. Browse to the integration package files, select the file Lotus_Notes_Related_Schema.mcc and choose "Open". This will open the dialog box below:

3. Choose "Select all", and then "Import".

Note: You will be prompted about the entry types that already exist in the schema (MX_PERSON and MX_ROLE). Select "Overwrite" and choose "Next >" for those two entry types. You will also be prompted about the attributes that already exist in the schema, of which there are a few. Here it is better to select "Overwrite" and then check "Use this for all matching attributes" before choosing "Next >". A dialog box appears where you have to confirm this. Choose "Yes" to close the dialog box and continue the schema import.

4. Check the import log and choose "Finish".

Importing the Provisioning framework for Lotus Notes

To import the specific tasks for the Lotus Notes Provisioning, do the following:

1. In the console tree, select the identity store where you want to import the framework and choose "Import…" from the context menu.

2. Locate the folder Identity Center\Templates\Identity Center\SAP Provisioning framework in the IdM installation folder (C:\Program Files\SAP\IdM).

3. Select the file Lotus_Notes_Provisioning_Framework.mcc and choose "Open".

Make sure that "Import" is selected. Select the "Advanced" tab to ensure that a dispatcher is assigned to the tasks.

4. Choose "Next >".

Select "Update attributes with event tasks".

5. Choose "Import".

6. When the import is finished, verify the log and then choose "Finish".

The result of this operation is a Lotus Notes Provisioning Framework with three subfolders User Forms, Application Actions and Workflow, as shown below:

All tasks are enabled and connected to the dispatcher which you selected during import.

Make sure that the global constant NOTES_ID_IDS points to the correct identity store.

Configuring the framework

After the import, we need to perform some manual configuration to complete the integration.

Creating and configuring the Notes repository definition

In order to create a Notes repository definition, do the following:

1. Select "Repositories" under the "Management" node in the console tree, and select New/Repository… from the context menu.

2. Choose "Next >".

Select the repository template "Notes".

3. Choose "Next >".

Select "NOTES" as a repository name.

4. Choose "Next >".

Fill in the values according to the description below:

Domino Server: Hostname of the default Lotus Domino server to be used for provisioning.

Database: The database you provision to – by default Names.nsf.

Domain: Default provisioning domain.

The IdM Manager: The administrator/manager user.

Admin database: Database for adminp requests, which by default is Admin4.nsf.

Adminp cert id file: Full path to the default certifier file used for IdM provisioning.

Adminp password: The certifier file password.

User cert path: Path to the user certificate folder, where the system will store the ID files.

5. Choose "Next >", and then "Finish". The Notes repository definition is created.

6. Expand the new repository definition Notes and select "Constants" in the console tree.

7. Modify the following constants:

MX_DEPROVISIONTASK: Set the constant's value to the number of the subtask of the Notes Deprovision folder from "Lotus Notes Provisioning Framework" (under the subfolder Workflow) in the console tree.

MX_PROVISIONTASK: Set the constant's value to the number of the subtask of the Notes Provision folder from "Lotus Notes Provisioning Framework" (under the subfolder Workflow) in the console tree.

MX_MODIFYTASK: Set the constant's value to the number of the subtask of the Notes Modify folder from "Lotus Notes Provisioning Framework" (under the subfolder Workflow) in the console tree.

Additional constants exist in the repository definition:

USER_PREFIX: Notes users created in Notes will be prefixed with MSKEYVALUE=USER_PREFIX+NOTEID after creation in Notes. The value is LN by default.

GROUP_PREFIX: Notes groups created in Notes will be prefixed with MSKEYVALUE=GROUP_PREFIX+NOTEID after creation in Notes. The value is LNG by default.

DOMINO_DNTEMPLATE: Notes allows for flat, hierarchical and abbreviated naming schemes for the full name. By default, this is interpreted in the naming order CN/OU/O/C. However, in some cases it makes sense to, for example, have the "O" above the country ("C"). This can be changed by setting the value to CN/OU/C/O.

Creating Notes Service jobs

To import the final part of the framework, do the following:

1. Create a new folder "Notes Service jobs" (or rename the empty "Job folder" if you have one).

2. Select "Notes Service jobs" in the console tree and select New/Run job wizard… from the context menu.

3. Choose "Next >".

Select the "NOTES – Initial role and privileges" template.

4. Choose "Next >".

Select the NOTES repository definition.

5. Choose "Next >", and then "Finish" to add the job.

6. Enable the job and connect it to the valid dispatcher, then choose "Apply".

Now repeat the procedure for the jobs NOTES – Initial load and NOTES – Check adminp requests.

For the job NOTES – Initial load, you need to set two job constants in the job wizard – Domino server (hostname of the server to be used for provisioning) and Destination database (Names.nsf by default):

The result of this operation is a job folder with the Notes integration specific jobs (in this example the folder Notes Service jobs).

If you used an admin user other than idmadm when preparing the Identity Center, edit the pass "Set NOTE_ROLEMANAGER on manager" (of the job NOTES – Initial role and privileges) and change all occurrences of idmadm to match your user.

Adding the repository definition to the tasks

For the tasks underneath the Application Actions folder in the Lotus Notes Provisioning Framework folder, it is necessary to explicitly set the NOTES repository definition:

1. Select the task in the console tree to reveal the details pane.

2. Select the "Options" tab and select NOTES in the "Repository" field:

3. Choose "Apply".

Repeat this procedure for the tasks:

• Preinitilize user task located under Lotus Notes Provisioning Framework/Workflow/Notes Provision/Check NOTEID for existence/false/Check Provision MX_ENTRYTYPE/MX_PERSON/OG Provision notes user.

• Register person task located under Lotus Notes Provisioning Framework/User Forms/Lotus Notes: Provision person.

Configuring event triggers

In the sections below, we configure event triggering attributes and entries to have a sensible behavior and trigger the correct tasks.

Configuring the attribute MX_NOTES_EVENT_STARTPROCESSING

Every time the attribute MX_NOTES_EVENT_STARTPROCESSING is added or modified, the task Check MX_NOTES_WORKFLOW_OPERATION (under the folder Lotus Notes Provisioning Framework/Workflow/Person) is triggered. To configure this behavior, do the following:

1. Under the identity store you use, expand "Identity store schema" and select "Attributes".

2. View the properties of the attribute MX_NOTES_EVENT_STARTPROCESSING.

3. Select the "Event tasks" tab.

Select the tasks to be executed for the Add and Modify events. To do this, choose "…" to the right of the "Add" field to open the "Select task" dialog box:

Navigate to the Check MX_NOTES_WORKFLOW_OPERATION task and select it.

4. Choose "OK" and repeat the procedure for the "Modify" field.

5. Choose "OK" to save the changes to the MX_NOTES_EVENT_STARTPROCESSING attribute.

Configuring the attribute MX_NOTES_EVENT_ADMINP_REQUEST

Every time the attribute MX_NOTES_EVENT_ADMINP_REQUEST is added or modified, the task Is request pending is triggered. To configure this behavior, do the following:

1. Under the identity store you use, expand "Identity store schema" and select "Attributes".

2. View the properties of the attribute MX_NOTES_EVENT_ADMINP_REQUEST.

3. Select the "Event tasks" tab.

Select the tasks to be executed for the Add and Modify events. To do this, choose "…" to the right of the "Add" field to open the "Select task" dialog box:

Navigate to the Is request pending task and select it.

4. Choose "OK" and repeat the procedure for the "Modify" field.

5. Choose "OK" to save the changes to the MX_NOTES_EVENT_ADMINP_REQUEST attribute.

Configuring the attribute ACCOUNTGROUPNOTES

Every time the attribute ACCOUNTGROUPNOTES is added, modified or deleted, the tasks pointed to by attributes MX_PROVISIONTASK, MX_MODIFYTASK and MX_DEPROVISIONTASK (from the NOTES repository definition) are triggered. To configure this behavior, do the following:

1. Under the identity store you use, expand "Identity store schema" and select "Attributes".

2. View the properties of the attribute ACCOUNTGROUPNOTES.

3. Select the "Event tasks" tab.

Select the tasks to be executed for the Add, Modify and Delete events. To do this, choose "…" to the right of the "Add" field to open the "Select task" dialog box:

Navigate to the Check NOTEID for existence task and select it.

4. Choose "OK" and repeat the procedure for the "Modify" field (with the task Check Modify MX_ENTRYTYPE) and the "Delete" field (with the task Check Deprovision MX_ENTRYTYPE):

5. Choose "OK" to save the changes to the ACCOUNTGROUPNOTES attribute.

Configuring the entry type MX_PERSON

It is necessary to configure the Add and Modify events of the MX_PERSON entry type. Do the following:

1. Under the identity store you use, expand "Identity store schema" and select "Entry types".

2. View the properties of the entry type MX_PERSON.

3. Select the "Event tasks" tab.

Select the tasks to be executed for the Add and Modify events. To do this, choose "…" to the right of the "Add" field to open the "Select task" dialog box:

Navigate to the Create Delta on Add – MX_PERSON task and select it.

4. Choose "OK" and repeat the procedure for the "Modify" field (with the task ModifyUser from the SAP Provisioning Framework folder):

5. Choose "OK" to save the changes to the MX_PERSON entry type.

Configuring the entry type MX_ROLE

It is necessary to configure the Add event of the MX_ROLE entry type. Do the following:

1. Under the identity store you use, expand "Identity store schema" and select "Entry types".

2. View the properties of the entry type MX_ROLE.

3. Select the "Event tasks" tab.

Select the tasks to be executed for the Add event. To do this, choose "…" to the right of the "Add" field to open the "Select task" dialog box:

Navigate to the Create Delta on Add – MX_ROLE task and select it.

4. Choose "OK" to add the task and close the "Select task" dialog box.

5. Choose "OK" to save the changes to the MX_ROLE entry type.

Configuring the Workflow

Using the Workflow is optional. It largely depends on whether the deployment will just be used for migration of users and groups from one system to another, or if an additional level of interaction is desired. The Provisioning framework for Lotus Notes comes with workflow forms that can be enabled to get an immediate, interactive interface to the framework.

Editing the config.xml file

To configure the Workflow, you need to:

1. Go to your Identity Center node in the console tree and select "Edit Workflow configuration file…" from the context menu:

2. Select the file config.xml and choose "Open".

Add the connection details to your Lotus Notes identity store installation.

3. Choose "OK" to save the changes made and close the Workflow configuration.

For more details on Workflow configuration, see the document SAP NetWeaver Identity Management Identity Center: Installing Identity Center Workflow.

Running the NOTES – Initial role and privileges job

To run the job NOTES – Initial role and privileges and complete the configuration process, do the following:

1. Select the job in the console tree to display the details pane.

Run the job by choosing the "Run now" button in the "Options" tab of the details pane.

2. The job log can be inspected to check for errors or warnings.

You should now be able to log on to the Workflow interface with your idmadm user, and interactively create and provision users and groups to Lotus Notes.

Optional: NOTES_ROLE_MANAGER access type

The job NOTES – Initial role and privileges contains five passes, of which three ("Create Notes Group Privilege", "Create Manager Role" and "Set NOTE_ROLEMANAGER on manager") are disabled by default. For that reason, the process shown in this section is optional. To be able to complete this section, you need to enable the two passes "Create Manager Role" and "Set NOTE_ROLEMANAGER on manager", and run the job again.

For each subtask located in Lotus Notes Provisioning Framework/User Forms/Lotus Notes: Provision person and Lotus Notes Provisioning Framework/User Forms/Lotus Notes: Provision groups, do the following:

1. In each task's details pane, select the "Access control" tab:

2. Choose "Add...".

The "Access control" dialog box will appear. Fill in the following values:

Allow access for: Select "Logged-in user or identity store entry".

ID store: Select the correct identity store. Here we use identity store Enterprise People.

Name: Type NOTES_ROLE_MANAGER and choose "Check name".

3. Choose "OK" to close the dialog box.

4. Choose "Apply".

5. Repeat this procedure for other form tasks.

Limiting the possible group members

The Add notes group (form) and Modify notes group (form) tasks have been configured to allow group membership assignment only for already provisioned Notes users. The task access task under the User forms folder is used to add this limitation to these tasks, or more specifically to the group member attribute for these tasks (MXMEMBER_MX_PERSON). In other words, access task acts as a filter, returning a list of legal attribute values for the group member attribute MXMEMBER_MX_PERSON, which in this case is a list of Notes users only.

To observe (or alter) this behavior go to the Add notes group (form)/Modify notes group (form) task and select the "Attributes" tab. Then view the properties of the attribute MXMEMBER_MX_PERSON. In the "Attribute values (Task specific)" tab you will find the linkage to access task.

Adding new attributes and objects

The Provisioning framework for Lotus Notes includes only a small set of attributes and objects. However, you may extend the number of both attributes and objects.

Adding new attributes

If you inspect the "Read notes users" pass of the NOTES – Initial load job, you will see that in the "Destination" tab, there are a lot of additional attributes on the user entry.

We can append the attribute "Owner" to the user object:

1. Select the "Write users to database" pass in the NOTES – Initial load job.

2. Select the "Destination" tab of the "Write users to database" pass and create an attribute "NOTES_OWNER" as shown below:

Insert the attribute value by selecting "Owner" from the "Source attributes" in the context menu.

3. Choose "Apply".

Given that you have "Automatically create attributes" checked on your identity store details pane ("General" tab), you may now just rerun the part and the attribute NOTES_OWNER is appended to your user object.

Adding new objects

We can add a new Notes object to the Identity Center. Say that we want to include the server object in our database.

1. Go to the "Read notes users" pass in the NOTES – Initial load job. We want to use this pass as a template.

2. Select "Copy" from the context menu and paste the copy in the job.

Rename the copy to "Read notes servers".

3. Select the "Source" tab.

4. Choose "Edit…" to the right of the "Open data source" field.

Scroll down to where you find the construction of the formula statement. Replace Formula = "SELECT Form = ""Person""" with Formula = "SELECT Form = ""Server""".

If you are wondering which forms are available in the Notes pass, you may choose to get all objects by using the SELECT @ALL statement. You may also have to set the SERVER and DATABASE variables explicitly in the code for this to work.

5. Choose "OK" to save the changes and close the function window.

6. Select the "Destination" tab.

Fill in a new database table name, e.g. NotesServers.

Choose "Insert template" and "Data source template". When prompted whether you want to clear the definitions section, choose "Yes".

7. Now construct a To-pass where you define the NotesServers table from the Identity Center database as the source (with an SQL statement, for example SELECT * FROM NotesServers). In the "Destination" tab, include your desired attributes as described in the section Adding new attributes above.
