of 60/60
SAP NetWeaver ® Identity Management Identity Center Tutorial - Context based assignments Version 7.2 Rev 2

SAP NetWeaver Identity Management Identity Center Tutorial - Context-Based Assignments

  • View
    309

  • Download
    13

Embed Size (px)

DESCRIPTION

bcxvbvbn

Text of SAP NetWeaver Identity Management Identity Center Tutorial - Context-Based Assignments

  • SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Version 7.2 Rev 2

  • 2012 SAP AG. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

    Linux is the registered trademark of Linus Torvalds in the United States and other countries.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.

    Oracle and Java are registered trademarks of Oracle and its affiliates.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.

    HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.

    IOS is a registered trademark of Cisco Systems Inc.

    RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.

    Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.

    INTERMEC is a registered trademark of Intermec Technologies Corporation.

    Wi-Fi is a registered trademark of Wi-Fi Alliance.

    Bluetooth is a registered trademark of Bluetooth SIG Inc.

    Motorola is a registered trademark of Motorola Trademark Holdings LLC.

    Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

    SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

    Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

    Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

    Crossgate, [email protected] EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

    All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

    These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

  • i

    Copyright 2012 SAP AG. All rights reserved.

    Preface

    The product SAP NetWeaver Identity Management Identity Center is the primary component for identity management. The Identity Center includes functions for identity provisioning, workflow, password management, logging and reporting. It uses a centralized repository, called the identity store, to provide a uniformed view of the data, regardless of the data's original source.

    The reader This manual is written for people who need an introduction to the provisioning in the Identity Center using context-based assignments.

    Prerequisites To get the most benefit from this manual, you should have the following knowledge:

    x Knowledge of Microsoft SQL Server or Oracle. x General knowledge about the Identity Center and job definitions, for instance as described

    in the SAP NetWeaver Identity Management Identity Center Tutorial: Basic synchronization and SAP NetWeaver Identity Management Identity Center Initial configuration.

    x General knowledge about provisioning and task definitions as described in SAP NetWeaver Identity Management Identity Center Tutorial Provisioning.

    The following software is required:

    x SAP NetWeaver Identity Management Identity Center 7.2 SP5 or newer, correctly installed and licensed.

    x SAP NetWeaver Identity Management User Interface must be installed and configured for this Identity Center and identity store (according to SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface). It also implies the administrator user with access to at least "Self Services", "Monitoring" and "Manage" tabs in the User Interface.

    x An Identity Center where at least one dispatcher has been configured and is running (see SAP NetWeaver Identity Management Identity Center Initial configuration).

    x The data source used in this tutorial (ContextBasedAssignments_tutorial.csv) is stored together with this document on the SAP Developer Network, SDN (https://www.sdn.sap.com/).

    The manual This tutorial consists of two sections containing information about how you build a task structure and run a context-based provisioning system.

    This tutorial is not a substitution for training.

    Person names used in this tutorial are fictional.

  • ii

    Copyright 2012 SAP AG. All rights reserved.

    Related documents You can find useful information in the following documents:

    x SAP NetWeaver Identity Management Identity Center: Installation overview. x SAP NetWeaver Identity Management Identity Center: Installing and configuring the

    Identity Management User Interface.

    x SAP NetWeaver Identity Management Identity Center Initial configuration. x SAP NetWeaver Identity Management Identity Center Tutorial: Basic synchronization. x SAP NetWeaver Identity Management Identity Center Tutorial Provisioning. x SAP NetWeaver Identity Management Identity Center Tutorial Working with roles and

    privileges.

    x For information on SAP NetWeaver see http://help.sap.com.

  • iii

    Copyright 2012 SAP AG. All rights reserved.

    Table of contents Introduction .................................................................................................................................. 1

    Background .......................................................................................................................................... 1 Context-based assignment - the process................................................................................................. 1 Conditional and default contexts ........................................................................................................... 2 Use cases .............................................................................................................................................. 2 Tasks, roles and privileges .................................................................................................................... 6 The data sources ................................................................................................................................... 9 Section overview ................................................................................................................................ 10

    Section 1: Preparing the configuration ...................................................................................... 11 Defining the global constant TUTORIAL_TARGET........................................................................... 11 Creating repository definition for the target folder ............................................................................... 12 Specifying the system log level ........................................................................................................... 13 Disabling automatic attribute creation ................................................................................................. 13 Creating global JScript CreateFileName .............................................................................................. 14

    Section 2: Building the identity store ......................................................................................... 16 Displaying the details for entries ......................................................................................................... 16 Reading the HR data into the identity store.......................................................................................... 16 Creating a context type ....................................................................................................................... 21 Adding contexts, roles and privileges (reading the CSV file into the identity store) ............................. 23 Creating the guided User Interface assignment tasks ........................................................................... 34 Creating the task #Factory_AddEntry.................................................................................................. 37 Creating the task #Factory_RemoveEntry ........................................................................................... 41

    Section 3: Basic context-based provisioning (use case 1) ........................................................... 44 Section 4: Provisioning using default/automatic context (use case 2) ....................................... 48 Section 5: Provisioning using conditional context (use case 3) .................................................. 52

  • iv

    Copyright 2012 SAP AG. All rights reserved.

  • 1 Introduction SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Introduction The purpose of this tutorial is to give an introduction to assigning roles and privileges using a context-based assignment. The tutorial shows how to configure the contexts and roles/privileges, and the mechanisms for assigning these to users in the identity store.

    Background The context-based assignments involve three entries a person, a role/privilege and a context.

    To any role or privilege assignment it is possible to add a reference to a given context that limits the validity of the assignment to that specific context. A context may be a region, a project or an organizational unit. The typical scenario is project or a store management.

    The main purpose of implementing context-based assignments is to reduce the number of roles (or privileges) required to map the authorizations or rights in the external (backend) system. For instance, if a project manager has different rights based on which projects she manages, the combination of role and context (project) will be mapped to different authorizations in the backend system.

    Each type of context must be created as a separate entry type, for instance Region or Project. Each context is defined as an entry with this entry type. For instance if the context type is Project, each project is defined as an entry with this entry type.

    The specified context will follow the inheritance of the assignment, i.e. if a role is assigned with a given context, then all inherited roles and privileges will also be assigned within the same context.

    The roles or privileges are assigned using an assignment request task.

    Context-based assignment - the process The backend system is updated using member event tasks, typically defined as part of the repository definition. An Add member event task, which e.g. creates an account in the backend system, receives references to the user, the role and the context. It is responsible for assigning the correct authorizations in the backend system, based on the received information.

    The repository definition includes a list of legal contexts types, which will be allowed for assignments to all privileges referencing this repository definition. The context configuration can be overridden by defining the legal context types as part of the privilege properties.

  • 2 Introduction

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    The legal context types must also be defined for the roles that use context. The legal context types are used for two purposes:

    x The Identity Management User Interface will use this information when performing a direct assignment. A search for context will only be done in the defined entry types. When searching for a role or privilege, only the roles/privileges that are relevant for this context type are shown.

    x During inheritance, only roles or privileges that support the same context type as specified in the assignment are inherited. If the context is not allowed, the assignment is silently ignored.

    Unless privilege grouping is defined for the repository definition, the event tasks on the role or privilege are executed for each context for an assignment, and each has a separate approval, execution and status.

    Conditional and default contexts For privileges, it is possible to define a list of conditional contexts on the "Context" tab of the privilege properties (held by the attribute MX_CTX_CONDITIONAL). In this case, the privilege will only be assigned if one of the specified contexts also is part of the assignment. For instance, when assigning a role with a region as context, only those privileges matching the given region will be assigned.

    It is possible to define default context(s) for each user by adding the attribute MX_CTX_AUTO_VALUES to the person entries. This attribute contains the default contexts for each context type. For instance, this can be used to define a default region for each user. This value is then used when assigning a role or privilege that uses region as context type. Only default contexts for the corresponding context type in question will be used.

    The context configuration for a privilege or repository definition includes the policy for how this value is to be used. The check is performed for both direct and inherited contexts, and is only done for privileges (i.e. not for roles).

    Use cases In this tutorial, the context-based provisioning to non-context systems, i.e. systems that are not context aware, is used for the use cases. This means that the add member tasks, which are provisioning the users, need to "translate" the contexts to the system.

    In the tutorial, three use cases are described:

    x Use case 1: Basic context-based provisioning x Use case 2: Provisioning using default context x Use case 3: Provisioning using conditional context All use cases are based on a scenario with employees in a factory which are given rights (roles and privileges) based on their job role. In this tutorial, there is one system for all the factories, represented by a folder FactorySystem and the repository definition FACTORY_SYSTEM in the Identity Center Management Console. The concept of context, when assigning privileges to a user, is introduced to this system by creating files with the naming convention --.txt, e.g. FACTORY_Germany-PRIV_HRAdmin-3001.txt or COUNTRY_France-PRIV_ProductionPlantFR-3003.txt. See more about the cleaned MSKEYVALUE in section Creating global script Jscript CreateFileName on page 14. When a user is given a particular role (and thus one or more privileges) and a context, a file is created (containing the timestamp

  • 3 Introduction SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    of when the privilege was assigned to the user) and provisioned to the FactorySystem folder. The files are representing the authorizations in the factory system.

    Note: The system in this tutorial is represented by a folder FactorySystem for simplicity's sake. It is possible to provision to other systems by replacing the To ASCII file passes used in this tutorial to passes writing to other systems.

    The context and the role(s) for a given person are selected by using a guided User Interface assignment request task created in the Identity Center Management Console.

    Use case 1: Basic context-based provisioning The context type used in this use case is FACTORY, and the following context entries are used:

    x FACTORY:Norway x FACTORY:Germany x FACTORY:France The roles that can be assigned to a person are the following:

    x ROLE:HR_Manager x ROLE:SupplyManager x ROLE:Manager For the basic context-based provisioning, both the context and the role(s) for a given person must be selected, and this is done by using the guided User Interface assignment task "Context-based assignment use case 1 and 2".

    For details about tasks, roles and privileges used in this use case see section Tasks, roles and privileges on page 6.

  • 4 Introduction

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Use case 2: Provisioning using default context This use case is quite similar to the basic context-based provisioning described above. Using default context is a variant of the basic context-based provisioning where the employee to be provisioned has a defined default context (attribute MX_CTX_AUTO_VALUES on the person entry).

    The context, roles and privileges for this use case are the same as for the basic context-based provisioning use case, and are described in section Tasks, roles and privileges on page 6.

    Depending on the selected autoassign context policy on the repository definition FACTORY_SYSTEM, the default context will be added to the user when it is provisioned. The following autoassign context policies are available:

    x None: No autoassign context policy is activated, i.e. if this policy is selected then the default context will not be added to the user when it is provisioned even if it is defined for the user.

    x If missing: The defined default context will be automatically assigned to the user when provisioned, (even) when the context is not selected during the assignment (is missing). But the default context will only be added if a context is not selected during the assignment, i.e. if any context is selected during the assignment then this is the context that is added to the user when it is provisioned and the assignment of the default context is not triggered.

    x Always: The defined default context will always be assigned to the user when provisioned, given that the same context is not already assigned to the user. In other words, if a context is selected for the user during the assignment, then both this context and the default context will be added to the user when provisioned. This also means that the default context is added to the provisioned user even when the context is not selected for the user during the assignment, resulting in two authorizations in the system one with and one without the context. The exception when the default context is not added to the user that is provisioned is when the context selected during the assignment is the same as the one defined as the default context.

  • 5 Introduction SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Use case 3: Provisioning using conditional context This use case, where the conditional context provisioning is used, is slightly different than the two previous. The context type is COUNTRY, and the following context entries are used:

    x COUNTRY:Norway x COUNTRY:Germany x COUNTRY:France As a result, the User Interface assignment request task is different from the task used in the previous use cases as well (as assignment request tasks are defined per entry type). The context and the role(s) for a given person are selected using the guided User Interface assignment task "Context-based assignment use case 3". Only one role can be assigned to the users in this use case:

    x ROLE:ProductionSupervisor For details about tasks, roles and privileges used in this use case see section Tasks, roles and privileges on page 6.

    The purpose of the conditional context is to assign only those privileges for which a given context is present. The attribute MX_CTX_CONDITIONAL is set for each privilege defined for a role. When the user at some point is assigned the role with a given context, then only the privilege that has a matching context will be assigned to the user through the role association (even if this role also has other privileges).

  • 6 Introduction

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Tasks, roles and privileges The following User Interface tasks are defined to assign roles (and thus privileges) to the users:

    Context-based assignment use case 1 and 2

    This task, which is a guided assignment request task, is used to assign roles (and privileges) with a context to the users in the identity store. The User Interface task is the same for use cases 1 and 2 (i.e. basic context-based provisioning and provisioning using default context).

    Context-based assignment use case 3

    This task, which is a guided assignment request task, is used to assign roles (and privileges) with a context to the users in the identity store for use case 3 (conditional context).

    Common for the three use cases are the two provisioning tasks that are created, one for provisioning and one for de-provisioning of users for the repository definition FACTORY_SYSTEM. Every time a user is given a particular privilege, a file will be created (containing the timestamp of when the privilege was assigned to the user) and provisioned to the respective folder:

    #Factory_AddEntry This ordered task group is referenced from the FACTORY_SYSTEM repository definition. It is defined on the "Event tasks" tab as the add member task ("Add task" field) of the repository definition. The task group contains a task Add file to FactorySystem folder which creates a file containing the timestamp of when a privilege is assigned to user and provisions it to the FactorySystem folder.

    #Factory_RemoveEntry This ordered task group is referenced from the FACTORY_SYSTEM repository definition. It is defined on the "Event tasks" tab as the remove member task ("Remove task" field) of the repository definition. The task group contains a task Delete file from FactorySystem folder which deletes the previously created file from the FactorySystem folder.

    Use cases for basic context-based provisioning and for provisioning using default context are based on the same roles, privileges and the role/privilege hierarchy. Use case 3 (provisioning using conditional context) is different.

  • 7 Introduction SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Basic context-based provisioning and provisioning using default context

    There are three privileges defined for the two use cases:

    PRIV:HRAdmin The privilege gives the user access to the necessary information and the human resource management systems.

    PRIV:Purchasing The privilege gives the user the authorization to perform purchasing of the materials and products needed for the production. It also gives access to necessary systems for purchasing.

    PRIV:Distribution The privilege gives the user the authorization to perform the distribution of products produced by the factory. It also gives access to necessary systems for distribution.

    Three roles are also defined:

    ROLE:HR_Manager This role gives the privilege PRIV:HRAdmin.

    ROLE:SupplyManager This role gives the privileges PRIV:Purchasing and PRIV:Distribution.

    ROLE:Manager This role inherits the privileges PRIV:Purchasing and PRIV:Distribution from its child role ROLE:SupplyManager and the privilege PRIV:HRAdmin from its child role ROLE:HR_Manager.

  • 8 Introduction

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Provisioning using conditional context

    Three privileges are defined for this use case:

    PRIV:ProductionPlantNO This privilege gives the users the right to access and use the factory production plant in Norway.

    PRIV:ProductionPlantDE This privilege gives the users the right to access and use the factory production plant in Germany.

    PRIV:ProductionPlantFR This privilege gives the users the right to access and use the factory production plant in France.

    One role is defined for the use case:

    ROLE:ProductionSupervisor This role gives the privilege PRIV:ProductionPlantNO, PRIV:ProductionPlantDE and/or PRIV:ProductionPlantFR.

  • 9 Introduction SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    The data sources There are two data sources used in this tutorial

    x A sample table HR_Sample in the Identity Center database. x A CSV file ContextBasedAssignments_tutorial.csv. The HR_Sample table contains the basic information about the person objects (people in the organization). It contains the following attributes:

    x EmployeeID x LastName x FirstName x Title x Dep (department) x Location x Tel x Fax x Email

  • 10 Introduction

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    The CSV file ContextBasedAssignments_tutorial.csv contains the contexts, privileges and roles needed in this tutorial. It also builds a role (and privilege) hierarchy, sets the contexts allowed for each role and privilege, sets the conditional contexts on privileges for use case 3 (provisioning using conditional context) and defines the repository definitions on the privileges:

    The CSV file does not define the actual context entry types FACTORY and COUNTRY, and the default contexts for users. These have to be defined manually. How to do this is described in the document.

    Section overview Section 1: Preparing the configuration This section describes a couple of things that need to be done

    in order to prepare the configuration before proceeding with the tutorial.

    Section 2: Building the identity store In this section we are going to read the contents of a sample database table HR_Sample into the identity store. We also create the context type, read the contents of the CSV file ContextBasedAssignments_tutorial.csv into the identity store to add contexts, roles and privileges, and create a User Interface assignment request task for the context-based assignments.

    Section 3: Basic context-based provisioning (use case 1)

    This section shows how to perform the basic context-based provisioning and de-provisioning of users to/from a system.

    Section 4: Provisioning using default context (use case 2)

    This section shows how to perform provisioning (and de-provisioning) of users to/from a system using default context.

    Section 5: Provisioning using conditional context (use case 3)

    This section shows how to perform the conditional context-based provisioning and de-provisioning of users to/from a system.

  • 11 Section 1: Preparing the configuration SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Section 1: Preparing the configuration Before you proceed with the tutorial, there are a couple of things that must be done in the configuration. Each of them is described in the following sections:

    x To be able to reference the files created in this tutorial in a uniform way, we create a global constant containing the path to the directory where the target repository for the files (folder FactorySystem) is to be placed.

    x Create the folder FactorySystem, which will be a target repository for the files, and create a repository definition for the folder in the Identity Center.

    x To be able to view the log information shown in this tutorial, you must make sure that the log level for the system log is set to "Info".

    x Make sure to disable the automatic attribute creation option for the identity store. x When a user is given a particular role (and thus one or more privileges) and a context, a file

    is created (containing the timestamp of when the privilege was assigned to the user) and provisioned to the FactorySystem folder. Name of the file has the following naming convention --.txt, e.g. FACTORY_Germany-PRIV_Warehouse-3001.txt. Cleaned MSKEYVALUE of the role/context is MSKEYVALUE where the colon (":") is replaced by the underscore ("_") for MSKEYVALUE "PRIV:Warehouse" the cleaned MSKEYVALUE will be "PRIV_Warehouse", and for "FACTORY:Germany" it will be "FACTORY_Germany". The reason is that it is not possible to use the colon (":") in a file name. The Java script CreateFileName is used for this purpose to construct the file name with cleaned MSKEYVALUEs.

    Defining the global constant TUTORIAL_TARGET To be able to reference the files created in this tutorial in a uniform way, we create a global constant containing the path to the directory where the target repository for the files (folder FactorySystem) is to be placed. To define the global constant:

    1. Select the "Global constants" entry in the console tree and choose New/Constant from the context menu (right-click the entry to open the context menu):

    Specify the name of the constant and the directory where the folders are to be stored. Make

    sure that the directory actually exists (that the folders Tutorial and Target exist and if not, create those).

    2. Choose "OK" to close the dialog box and add the constant.

  • 12 Section 1: Preparing the configuration

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Creating repository definition for the target folder To create the repository definition, do the following:

    1. Create a folder where users will be provisioned to. The folder will function as a target repository for the provisioning data. We create the folder FactorySystem in C:\Tutorial\Target (the directory which we created a global constant for).

    2. Select "Repositories" (under "Management") in the console tree in the Management Console, choose New/Repository from the context menu, and complete the wizard to create a generic repository definition FACTORY_SYSTEM.

    Note: Make sure that no assignment grouping option is enabled for the repository definition (on the "Privilege" tab).

    3. Add a constant PATH with value %$glb.TUTORIAL_TARGET%\FactorySystem to the repository definition. Use the context menu to insert the global constant TUTORIAL_TARGET.

  • 13 Section 1: Preparing the configuration SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Specifying the system log level To be able to view the log information shown in this tutorial, you must make sure that the log level for the system log is set to "Info". If necessary, change the log level and choose "Apply".

    Disabling automatic attribute creation Make sure that the option for the automatic attribute creation on the identity store is disabled. The option "Automatically create attributes" is used to control what happens when an attribute which does not exist or an attribute which is not defined as a legal attribute on an entry type is written to the identity store.

    If the "Automatically create new attributes" is enabled, the new attribute is created and added to the entry type. If the option is disabled, an error is returned.

  • 14 Section 1: Preparing the configuration

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Creating global JScript CreateFileName The global Java script CreateFileName is used by the provisioning tasks to construct the file name using the cleaned MSKEYVALUEs of the privilege and context assigned to the user. Cleaned MSKEYVALUE is MSKEYVALUE where the colon (":") is replaced by the underscore ("_"). The purpose is to make sure that it does not contain characters which are not allowed in a file name (not possible to use the colon (":") in a file name). The file name has the following naming convention --.txt

    To create the script, do the following:

    1. Go to Management\Global scripts and select "JScript" in the console tree.

    2. Choose New/Script from the context menu.

    Name the script "CreateFileName".

    3. Choose "OK".

  • 15 Section 1: Preparing the configuration SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Define the following script (you can copy and paste the script defined under and replace the template definition):

    // Main function: CreateFileName function CreateFileName(Par){ var SQL; var SQLResult; var Result; var CtxMSKEYVALUE; var ReturnValue; var CtxMSKEY; var IdS = uGetIDStore(); SQL = "SELECT mcContextMSKEY, mcThisMSKEYVALUE, mcOtherMSKEYVALUE FROM idmv_link_ext

    WHERE mcUniqueID = " + Par; SQLResult = uSelect(SQL); Result = SQLResult.split("|"); CtxMSKEY = Result[0]; if (CtxMSKEY.equals("null")) { CtxMSKEYVALUE = "null"; } else { CtxMSKEYVALUE = uIS_GetValue(CtxMSKEY, IdS, "MSKEYVALUE"); } // --- Return string, which will return a filename with cleaned MSKEYVALUEs of

    //context and privilege ReturnValue = CtxMSKEYVALUE + "-" + Result[2] + "-" + Result[1] + ".txt"; ReturnValue = uReplaceString(ReturnValue , ":" , "_"); return ReturnValue; } 4. Choose "OK" and the global script is added.

  • 16 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Section 2: Building the identity store Here we use and populate the default identity store Enterprise People.

    Displaying the details for entries If you wish to display the details for an entry in the "Manage" tab of the SAP NetWeaver Identity Management User Interface, import the default display tasks into your identity store. Select the identity store in the console tree and import (choose Import from the context menu) the file Display_Tasks.mcc which is found in the directory /Templates/Identity Center/SAP Provisioning framework. When performing import, make sure that "Link tasks into display- and event properties on entry types and attributes" option is enabled.

    Reading the HR data into the identity store In this section the contents of the sample database table HR_Sample are read into the identity store, by creating a job which will read the source data to the identity store.

    Creating the folder and the job First, we are going to create a folder for the jobs in the tutorial, and the job definition for this job:

    1. Create a folder called e.g. "Context tutorial jobs" that can be used to hold the jobs. Select the Identity Center node (not the identity store) in the console tree and choose New/Folder from the context menu to create the folder.

    2. Create a job by selecting the created folder and choosing New/Empty job from the context menu.

  • 17 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Modify the name of the job in the console tree.

    Enable the job and select a dispatcher.

    3. Choose "Apply".

    This job will contain one pass to read from the sample database table into the identity store.

    Creating a pass to update the identity store The next step is to create the pass that writes the data to the identity store:

    1. Select the job created previously and choose New/To Identity store from the context menu, and then select the "Source" tab:

    Modify the pass name in the console tree.

    Database Use the context menu to insert the system parameter %$ddm.identitycenter%.

    SQL statement Enter the SQL statement to select all rows from the table created in the previous pass (SELECT * FROM HR_Sample).

  • 18 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    2. Select the "Destination" tab:

    Identity store

    Make sure that the "Enterprise People" identity store is selected.

    Entry type Select the entry type "MX_PERSON".

    Definitions Choose "Insert template" and select "Data source template" to insert the definitions for the pass.

    Modify the definition to use the attributes from the entry type. You can use the context menu to find the destination attributes.

    3. Choose "Apply".

  • 19 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Running the job Run the job and open the job log to verify that 50 entries were added:

    Verifying the contents of the identity store If everything has gone well, the identity store should now contain all entries from the HR_Sample table which can be observed in the SAP NetWeaver Identity Management User Interface.

    Note: Make sure that the User Interface is installed and configured for the Identity Center and the identity store you are using according to SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface.

    To access the User Interface do the following:

    1. Enter http://:/idm in your browser.

    Provide the credentials in the log-in window (of the user with access to "Manage" tab in the User Interface).

    2. Choose "Log on".

  • 20 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    3. Select the "Manage" tab.

    Make sure that the "Person" is selected in the "Show" field and choose "Go".

    4. Verify that the entries are present in the identity store.

  • 21 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Creating a context type To create a context, do the following:

    1. Select "Entry types" (under "Identity store schema" for your identity store) in the console tree, and choose New/Entry type from the context menu.

    In the "General" tab fill in the following:

    Name Enter a name for the new context type.

    Context entry type Enable the "Context entry type" option for this entry type.

    Searchable entry type Enable the "Searchable entry type" option for this entry type.

    2. Select the "Attributes" tab.

    Select the attributes for the new context type. Select "Mandatory" for the attribute DISPLAYNAME, and select "Allow" for attribute DESCRIPTION. MSKEYVALUE and MX_ENTRYTYPE are mandatory and will be automatically added as the entry type is saved.

    3. Choose "OK" to save and create the context type.

    The following dialog box will appear:

  • 22 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    4. Choose "No" to close the dialog box. Now the created context type will be displayed in the list of available entry types:

    Make sure then that "List" is selected for the MSKEYVALUE attribute. To do so, view the

    properties of the new entry type "FACTORY" and edit on the "Attributes" tab if necessary.

    5. Verify that the context type is displayed in the SAP NetWeaver Identity Management User Interface verify that FACTORY is available in the list of types for the "Show" field in the "Manage" tab:

    6. Repeat this process and create the context type COUNTRY.

  • 23 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Adding contexts, roles and privileges (reading the CSV file into the identity store) In this section we are creating a job which will read the contents of the CSV file ContextBasedAssignments_tutorial.csv into the identity store. This will create the contexts, privileges, roles and the role and privilege hierarchy, as well as set the context type each role is allowed for, repository definition and the conditional context for the privileges.

    To create the job, do the following:

    1. Create the job by selecting the folder "Context tutorial jobs" and choosing New/Empty job from the context menu.

    Modify the name of the job in the console tree.

    Enable the job and select a dispatcher.

    2. Choose "Apply".

    This job will contain two passes; one to read the ASCII file (ContextBasedAssignments_tutorial.csv) into the temporary table (tutorial_ENTRIES), and another to read from this table into the identity store. This must be done in a single job. The reason is that the first pass will delete the temporary table every time it executes, and then fill it with the data from the CSV file. If the second pass was a separate job (which could then be run asynchronously from the first), it could start just when the table was deleted or just partly filled, and then remove the missing entries from the identity store.

  • 24 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Reading the ASCII file First, we will create the pass that reads the ASCII file:

    1. Select the job in the console tree and choose New/From ASCII file from the context menu.

    Enter "Read data" as the name of the pass in the console tree.

    2. Select the "Source" tab:

    File name

    Enter the path to the CSV file.

    Field separator Enter a comma sign (,) as the field separator.

    Header line Make sure that "Header line" is selected.

  • 25 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    3. Select the "Destination" tab:

    Fill in the fields with the following values:

    Database Use the context menu to insert the system parameter %$ddm.identitycenter% that refers the Identity Center database.

    Table name Enter "tutorial_entries" as the table name.

    Note: Do not use hyphen in table names, as this will cause problems with some database drivers.

    Definitions Choose "Insert template" and select "Data source template" to create the pass definitions.

    4. Choose "Apply".

    Running the job At this point, we are ready to test the pass. Run the job by viewing the job properties and choosing "Run now".

  • 26 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    View the job log to verify that the job ran successfully, and that a number of entries have been processed:

  • 27 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Updating the identity store The next step is to create the pass that writes the data to the identity store:

    1. Select the "Read data" pass and choose New/To Identity store from the context menu and select the "Source" tab:

    Modify the pass name in the console tree. Fill in the following parameters on the "Source"

    tab:

    Database Use the context menu to insert the system parameter %$ddm.identitycenter%.

    SQL statement Enter the SQL statement to select all rows from the table created in the previous pass (SELECT * FROM tutorial_entries).

  • 28 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    2. Select the "Destination" tab:

    Identity store

    Make sure that the "Enterprise People" identity store is selected.

    Entry type Enter "%Entry_type%" as entry type.

    Definitions Choose "Insert template" and select "Data source template" to insert the definitions for the pass.

    Note: The insert template will only work if you actually executed the job with the pass "Read data" as explained in the previous section.

    Modify the definition to use the attributes from the entry type. You can use the context menu to find the destination attributes. Remove the "Entry_type" line.

    3. Choose "Apply".

  • 29 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Running the job and verifying the contents of identity store Run the job and open the job log to verify that entries were processed and added. If everything has gone well, the identity store should now contain all entries from the ContextBasedAssignments_tutorial.csv file. Verify the following:

    x That the privileges PRIV:Purchasing, PRIV:Distribution, PRIV:HRAdmin, PRIV:ProductionPlantNO, PRIV:ProductionPlantDE and PRIV:ProductionPlantFR exist in the Identity Center Management Console, and that the repository definition FACTORY_SYSTEM is defined on the privileges.

    x That the roles ROLE:Manager, ROLE:HR_Manager, ROLE:SupplyManager and ROLE:ProductionSupervisor, and the role hierarchy exist in the Management Console.

    x Inspect the roles in the Management Console to see that the context is defined for each role, and that the following member privileges are defined:

    x For ROLE:Manager none. x For ROLE:HR_Manager PRIV:HRAdmin. x For ROLE:SupplyManager PRIV:Purchasing and PRIV:Distribution. x For ROLE:ProductionSupervisor PRIV:ProductionPlantNO

    PRIV:ProductionPlantDE and PRIV:ProductionPlantFR.

    x Inspect the privileges PRIV:ProductionPlantNO, PRIV:ProductionPlantDE and PRIV:ProductionPlantFR (view the privilege properties, the "Context" tab) in the Identity Center Management Console and see that the conditional context is defined for each of these.

    x For PRIV:ProductionPlantNO conditional context COUNTRY:Norway. x For PRIV:ProductionPlantDE conditional context COUNTRY:Germany. x For PRIV:ProductionPlantFR conditional context COUNTRY:France.

    x In the "Manage" tab in the Identity Management User Interface, make sure that FACTORY:Norway, FACTORY:Germany and FACTORY:France are listed (make sure that "FACTORY" is selected in the "Show" field and choose "Go").

    x In the "Manage" tab in the Identity Management User Interface, make sure that COUNTRY:Norway, COUNTRY:Germany and COUNTRY:France are listed (make sure that "COUNTRY" is selected in the "Show" field and choose "Go").

    Viewing the properties of the tutorial data Reading the contents of the CSV file ContextBasedAssignments_tutorial.csv into the identity store will provide you with most of the data necessary to complete this tutorial for context-based assignments. This section shows the properties and the configuration of the contents read into the identity store.

    Roles and privileges For more details on roles, privileges and their hierarchies, we refer to the document SAP NetWeaver Identity Management Identity Center Tutorial Working with roles and privileges.

  • 30 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Creating/adding context entries In this tutorial we are creating context entries by reading a CSV file. Another way of adding the context entries is to create a User Interface task (ordered task group) in the Identity Center Management Console that creates new entries of a given context type. In this tutorial we are using two context types FACTORY and COUNTRY, which means that two User Interface tasks would need to be created, one for each context type.

    The "Attributes" tab of such a User Interface task would look something like this:

    And its "Access control" tab:

    The access control allows the administrator user to run this task for all users.

  • 31 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Once created, the two User Interface tasks can be used in the Identity Management User Interface to create entries of context types FACTORY and COUNTRY:

    The context entries can also be added using a job with a To Identity store pass, and the following configuration (on the "Destination" tab):

  • 32 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Allowed contexts on privileges/roles After the privileges, roles and their hierarchies are created in the identity store, the allowed contexts for each privilege and roles need to be defined. Allowed contexts for privileges and roles are defined in the Identity Center Management Console, in the "Context" tab of the properties of the privileges (under identity store's Identity store metadata\Privileges in the console tree) or roles (under identity store's Identity store metadata\Roles):

    For privileges the option "Inherited from repository" is deselected.

    Note: The allowed context type can be defined on the repository definiton, and the privilege can inherit this allowed context type from the repository defintion defined for each privilege. In this tutorial there are two context types, and some privileges have one context type as the allowed context and some have the other context type as the allowed context. That is the reason why the allowed contexts are not inherited from the repository definition in this tutorial.

    Allowed context for the privilege/role is selected from the list of context types. The allowed contexts for the privileges are defined in the following way:

    Privilege Allowed context

    PRIV:HRAdmin FACTORY

    PRIV:Distribution FACTORY

    PRIV:Purchasing FACTORY

    PRIV:ProductionPlantDE COUNTRY

    PRIV:ProductionPlantFR COUNTRY

    PRIV:ProductionPlantNO COUNTRY

  • 33 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    The allowed contexts for the roles are defined in the following way:

    Role Allowed context

    ROLE:Manager FACTORY

    ROLE:HR_Manager FACTORY

    ROLE:SupplyManager FACTORY

    ROLE:ProductionSupervisor COUNTRY

    Conditional contexts For the use case 3 (provisioning using conditional context) the conditional contexts are defined for the privileges. There are three privileges for this use case, all defined for ROLE:ProductionSupervisor, and their conditional contexts are the following:

    x PRIV:ProductionPlantDE conditional context COUNTRY:Germany x PRIV:ProductionPlantFR conditional context COUNTRY:France x PRIV:ProductionPlantNO conditional context COUNTRY:Norway The conditional context for a privilege is defined on the "Context" tab of the privilege properties. The conditional context is added by selecting the line with the allowed context type for the privilege to enable the "Add" button and then choosing "Add":

    The context can be searched for and then selected from the result list. Choosing "OK" will add the conditional context to the privilege.

  • 34 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Creating the guided User Interface assignment tasks In this section, we are going to describe how to create the two guided assignment request User Interface tasks used in the three use cases. Before creating these User Interface tasks, create a separate folder or rename the existing Provisioning folder to "User Interface tasks". To create the task, do the following:

    1. Select the folder and choose New/Guided task/Assignment request from the context menu.

    Modify the name of the task in the console tree.

  • 35 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    2. Choose the "Parameters" tab:

    Fill in the following:

    Entry type: Select the entry type this task is available for, the MX_PERSON entry type.

    Context is mandatory: Enable this option if you want the context to be mandatory.

    Context type: Here you can either select a context type, "None" if there is no context (i.e. a regular assignment request), or "User select" to allow user to choose the context types (if more than one context type available). Here we select the context type "FACTORY".

    Multiselect context: Enable this option to be able to multi-select contexts.

    Reference type: Select MX_ROLE or MX_PRIVILEGE as the entry type this assignment request is assigning to the selected entry type (MX_PERSON). Here we will assign a role to a user, i.e. MX_ROLE as a reference type.

    Multiselect reference: Enable this option to be able to multi-select references.

    Ask for validity: Select "Optional" or "Never". Here we select "Optional".

    Ask for reason: Select "Never", "Mandatory" or "Optional, here "Optional".

  • 36 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    3. Select the "Access control" tab:

    Add access control with following options:

    x Logged-in user access type, i.e. "Logged-in user or identity store entry" in the "Allow access for" list.

    x Enter the name of the identity store user with the access to the "Manage" tab in the User Interface (here Administrator). You might use "Check name" to ensure that the name you entered is correct and exists. This allows the administrator user to create new roles.

    x Make sure that "Everybody" is selected in the "On behalf of" field. 4. Choose "Apply".

    5. Create assignment request User Interface task "Context-based assignment use case 3" following the same procedure. Choose context type "COUNTRY" for this task.

  • 37 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Creating the task #Factory_AddEntry In this section, we create provisioning task which is to provision users to a system that does not understand the concept of contexts. It is also shown how you define the task on the repository definition FACTORY_SYSTEM.

    First create a folder that will be used for the tasks:

    1. Select the "Enterprise People" identity store and choose New/Folder from the context menu.

    Enter Factory provisioning as the name for the folder.

    2. Choose "OK". The folder is included in the console tree.

    Deselect "Show folder in User Interface" as the tasks in this folder should not be displayed

    in the User Interface.

    3. Choose "Apply".

    The ordered task group #Factory_AddEntry contains one task, Add file to FactorySystem folder, which operates on the entry type MX_PENDING_VALUE and adds the file with the following naming convention --.txt to a specified directory (the FactorySystem folder). The contents of the file are date and time when the user was provisioned.

  • 38 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Note: This is given as an example only, and that there are no checks for illegal characters in the file name.

    To create the ordered task group "#Factory_AddEntry":

    1. Select the folder you just created and choose New/Ordered task group from the context menu.

    Rename this ordered task group to #Factory_AddEntry.

    Select the FACTORY_SYSTEM repository definition in the "Repository" field.

    2. Choose "Apply".

    The ordered task group is now created and the task Add file to FactorySystem folder can be added.

    Adding the task Add file to FactorySystem folder To add the task to the ordered task group, do the following:

    1. Select the ordered tasks group "#Factory_AddEntry" and choose New/Action task/Empty job from the context menu.

    2. Select the task in the console tree.

    Modify the task name in the console tree (to Add file to FactorySystem folder).

    3. Select the job in the console tree.

    Modify the job name (Add file to FactorySystem folder) and properties:

    Enabled Select this check box to enable the job to be run by a dispatcher.

    Run by dispatchers Select a dispatcher that should be responsible for running this job.

    4. Choose "Apply".

  • 39 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    5. Select "Scripts" in the console tree (under the job), then choose New/Link global script and select "CreateFileName" to establish the link to the global script CreateFileName:

  • 40 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    6. Select the job and choose New/Shell execute to create a pass in the console tree. Select the "Source" tab:

    Make sure that "Retrieve attributes from pending value" is selected.

    7. Select the "Destination" tab:

    Add the following line to the definitions (you can use the context menu to insert the

    constants/attributes/scripts or copy and paste the lines below): cmd /c echo Privilege(s) assigned %$ddm.date% %$ddm.time% > "%$rep.PATH%\$FUNCTION.CreateFileName(%MX_LINK_REFERENCE%)$$"

    8. Choose "Apply".

  • 41 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Defining the task on the repository definition To define the task #Factory_AddEntry to the repository definition FACTORY_SYSTEM, do the following:

    1. Select the FACTORY_SYSTEM repository definition under "Repositories" in the console tree and select the "Event tasks" tab.

    2. Choose "" to the right of the "Add task" field in the "Assignment" section.

    Navigate to and select "#Factory_AddEntry".

    3. Choose "OK".

    4. Choose "Apply".

    Now the link is defined on the FACTORY_SYSTEM repository definition.

    Creating the task #Factory_RemoveEntry In this section, the deprovisioning task is created which is to deprovision users from a system that does not understand the concept of contexts. Make sure to have a User Interface modify user task, where roles/privileges can be removed from the user to trigger the deprovisioning task.

    The ordered task group #Factory_RemoveEntry consists of one task, Delete file from FactorySystem folder, which will delete the previously created file from the folder.

    Note: Note that this is given as an example only, and that there are no checks for illegal characters in the file name.

    To create the ordered task group "#Factory_RemoveEntry":

    1. Select the folder "Factory provisioning" and choose New/Ordered task group from the context menu.

    Rename this ordered task group to #Factory_RemoveEntry.

  • 42 Section 2: Building the identity store

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Select the FACTORY_SYSTEM repository definition in the "Repository" field on the "Options" tab.

    2. Choose "Apply".

    The ordered task group is now created and the task can be added.

    Adding the task Delete file from FactorySystem folder This task is similar to the task Add file to FactorySystem folder created previously. You can copy this task. Do the following:

    1. Select the task "Add file to FactorySystem folder" in the console tree and choose "Copy" from the context menu.

    2. Select the ordered task group "#Factory_RemoveEntry" in the console tree and choose "Paste" from the context menu.

    3. Select the copied task and modify the task name (to Delete file from FactorySystem folder).

    4. Select the job in the console tree.

    Modify the job name (Delete file from FactorySystem folder) and the properties:

    Enabled Select this check box to enable the job to be run by a dispatcher.

    Run by dispatchers Select a dispatcher that should be responsible for running this job.

    5. Choose "Apply".

    6. Select the pass and modify the name (to Delete file from FactorySystem folder).

    7. Select the "Destination" tab:

    Add the following line to the definitions (you can use the context menu to insert the

    constants/attributes/scripts or copy and paste the lines below): cmd /c Del "%$rep.PATH%\$FUNCTION.CreateFileName(%MX_LINK_REFERENCE%)$$"

    8. Choose "Apply".

  • 43 Section 2: Building the identity store SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Now #Factory_RemoveEntry can be defined on the repository definition FACTORY_SYSTEM as the remove task:

  • 44 Section 3: Basic context-based provisioning (use case 1)

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Section 3: Basic context-based provisioning (use case 1) In order to perform a basic context-based provisioning of users, both context and a role (and thus privilege(s)) need to be selected in an assignment request task. This assignment request task is the previously created guided User Interface task "Context-based assignment use case 1 and 2". To provision a user, do the following:

    1. In the Identity Management User Interface, select "Manage" tab. Make sure that the "Person" is selected in the "Show" field and choose "Go".

    2. Select entry "3001" and choose "Choose Task".

    Tasks available for the entry type MX_PERSON will be displayed in the "User Interface

    tasks" folder. Expand the folder and select the task "Context-based assignment use case 1 and 2".

  • 45 Section 3: Basic context-based provisioning (use case 1) SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    3. Choose "Choose Task". The "Context-based assignment use case 1 and 2" task opens in a new window. The task is a guided task consisting of four steps. The first step is to select a context:

    The defined context type is FACTORY, so it will be selected in the "Context Type" field.

    Choose "Search". This lists all available contexts.

    4. Select a context, here the context "FACTORY:Germany", and choose "Next >". The next step is to choose a role:

    Choose "Search to list the roles available.

    5. Choose a role, here the role "ROLE:HR_Manager", and choose "Next>".

    6. The next step is to define validity period and the reason for the role, which is optional. Choose "Next>".

  • 46 Section 3: Basic context-based provisioning (use case 1)

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    7. The last step is a summary of the assignment:

    Review the information and change if necessary.

    8. Choose "Finish" to save and execute the task, and then close the task. The role ROLE:HR_Manager is now assigned user 3001 with the context FACTORY:Germany.

    In the Identity Center Management Console, see that the tasks execute without errors. Assigning ROLE:HR_Manager to an entry, gives the entry the privilege PRIV:HRAdmin. Go to directory C:\Tutorial\Target\FactorySystem and observe the file created for the entry "3001":

    To deprovision the user (run the ordered task group "#Factory_RemoveEntry"), remove the role "ROLE:HR_Manager" from entry "3001", e.g. using a User Interface task for modifying users.

    In the Identity Center Management Console, see that the task executes without errors. Go to directory C:\Tutorial\Target\FactorySystem and observe that the file created for the entry "3001" is now removed.

  • 47 Section 3: Basic context-based provisioning (use case 1) SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Troubleshooting If any problems should occur during the execution, you can check some of the following:

    x Verify that the dispatcher is running and that it is enabled for provisioning jobs. x Verify that all tasks and jobs are enabled. x Verify that the job has been defined for the given dispatcher. x Verify that all paths (for the target system and files) are correct. x View the logs. x System log

    Verify that the dispatcher has requested the given job.

    x Job log View any error messages in the job log to see if you can find the cause of the problem.

    If you need to investigate a job more thoroughly, you can specify a different log file name for the job in the "Logging" tab of the job properties. You can also deselect the check box "Reset log file" to avoid overwriting the log file each time the job is run. This can be useful when debugging a provisioning job that may be run several times in sequence.

    If you need more logging info from a specific job, you can create a specific dispatcher and increase the log level in the dispatcher's .prop file. Specify that the job is to be run by this specific dispatcher. Make sure that the dispatcher is not running. To run the job, start the dispatcher from the command line with the following command:

    dispatcher_service_ test runonce

    The job will then be run once and a detailed log file will be created.

  • 48 Section 4: Provisioning using default/automatic context (use case 2)

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Section 4: Provisioning using default/automatic context (use case 2)

    Provisioning using default (or automatic) context is quite similar to the basic context-based provisioning described above. The difference is that the employee to be provisioned has a defined default context. This is done by defining the context as the value for the attribute MX_CTX_AUTO_VALUES on the person entry. The default context will be automatically added during the assignment due to defined default context for the user. Autoassign context policies used in this use case are "If missing" and "Always".

    To provision users using default/automatic context, do the following:

    1. Use a User Interface task for editing of user properties (a modify task) to define the default context for a given user. Here we define auto-assigned/default context (attribute MX_CTX_AUTO_VALUES) for user 3001 to be FACTORY:Germany.

  • 49 Section 4: Provisioning using default/automatic context (use case 2) SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    2. Define the autoassign context policy to be "If missing" on the repository definition. To do so, select "FACTORY_SYSTEM" under Management\Repositories in the console tree. Select the "Context" tab and define "If missing" in the "Autoassign context policy" field. Choose "Apply".

    3. Provision the user using the User Interface task "Context-based assignment use case 1 and

    2", here the user 3001. The default context for the user is defined. To demonstrate the autoassign context policy "If missing", select no context in the first step of the assignment request task, i.e. proceed directly to step 2 to select the role for the assignment (here ROLE:Manager) and further to complete all steps and execute the task.

  • 50 Section 4: Provisioning using default/automatic context (use case 2)

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    4. In the Identity Center Management Console, see that the tasks execute without errors. Assigning ROLE:Manager to an entry, gives the entry the privilege PRIV:HRAdmin (inherited from ROLE:HR_Manager) and privileges PRIV:Purchasing and PRIV:Distribution (inherited from ROLE:SupplyManager). Go to directory C:\Tutorial\Target\FactorySystem and observe the files created for the entry "3001". Due to "If missing" autoassign context policy, which will assign the default context only if no context is selected during the assignment, the user is provisioned with the defined default context (FACTORY:Germany).

    5. Choose another user and define the default context (here we define default context

    "FACTORY:France" for user "3002"), and now define the autoassign context policy to be "Always" on the repository definition.

  • 51 Section 4: Provisioning using default/automatic context (use case 2) SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    6. Provision a user (3002) using the User Interface task "Context-based assignment use case 1 and 2". The default context for the user is defined. Select a context for the user in the first step of the task (you can select any context but the one that is defined as default for your user). Here we select context "FACTORY:Norway". Then proceed to select the role for the assignment (here we select "ROLE:SupplyManager").

    7. In the Identity Center Management Console, see that the tasks execute without errors.

    Assigning ROLE:SupplyManager to an entry, gives the entry the privileges PRIV:Purchasing and PRIV:Distribution. Go to directory C:\Tutorial\Target\FactorySystem and observe the files created for the entry "3002":

    Due to autoassign context policy "Always", which will always assign the default context unless already assigned, the user is provisioned with the following privileges and contexts:

    x PRIV:Purchasing with context FACTORY:France (the default context) x PRIV:Distribution with context FACTORY:France (the default context) x PRIV:Purchasing with context FACTORY:Norway (context selected during assignment) x PRIV:Distribution with context FACTORY:Norway (context selected during assignment) To deprovision the user(s), remove the roles (here ROLE:Manager for user 3001 and/or ROLE:SupplyManager for user 3002) using a User Interface task for user editing.

  • 52 Section 5: Provisioning using conditional context (use case 3)

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    Section 5: Provisioning using conditional context (use case 3) Provisioning users using conditional contexts is slightly different than the two previous use cases. The purpose of the conditional context is to assign only those privileges for which a given context is present, i.e. when the user is assigned ROLE:ProductionSupervisor with a given context, then only the privilege that has a matching context will be assigned to the user. If the context selected during the assignment is COUNTRY:France then the user will only get assigned the privilege PRIV:ProductionPlantFR which has the context COUNTRY:France as the conditional context.

    To provision user using conditional context, do the following:

    1. Provision a user using the User Interface task "Context-based assignment use case 3". Here we provision the user 3003.

  • 53 Section 5: Provisioning using conditional context (use case 3) SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    2. Select the context and the role for the user. Here we select context COUNTRY:France and the role ROLE:ProductionSupervisor (which is the only role available for this use case). Optionally enter the validity and reason in step 3 ("Enter details") of the assignment task, then review and choose "Finish" to run the tasks.

    3. In the Identity Center Management Console, see that the tasks execute without errors.

    Assigning ROLE:ProductionSupervisor with the context COUNTRY:France to an entry, gives the entry the privilege PRIV:ProductionPlantFR due to the conditional context. Go to directory C:\Tutorial\Target\FactorySystem and observe the file created for the entry "3003":

    To deprovision the user, remove the role (ROLE:ProductionSupervisor) using a User Interface task for editing of user properties (a modify task).

  • 54 Section 5: Provisioning using conditional context (use case 3)

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignments

    Copyright 2012 SAP AG. All rights reserved.

    SAP NetWeaver Identity Management Identity Center Tutorial - Context based assignmentsPrefaceTable of contentsIntroductionBackgroundContext-based assignment - the processConditional and default contextsUse casesUse case 1: Basic context-based provisioningUse case 2: Provisioning using default contextUse case 3: Provisioning using conditional context

    Tasks, roles and privilegesBasic context-based provisioning and provisioning using default contextProvisioning using conditional context

    The data sourcesSection overview

    Section 1: Preparing the configurationDefining the global constant TUTORIAL_TARGETCreating repository definition for the target folderSpecifying the system log levelDisabling automatic attribute creationCreating global JScript CreateFileName

    Section 2: Building the identity storeDisplaying the details for entriesReading the HR data into the identity storeCreating the folder and the jobCreating a pass to update the identity storeRunning the jobVerifying the contents of the identity store

    Creating a context typeAdding contexts, roles and privileges (reading the CSV file into the identity store)Reading the ASCII fileRunning the jobUpdating the identity storeRunning the job and verifying the contents of identity storeViewing the properties of the tutorial dataRoles and privilegesCreating/adding context entriesAllowed contexts on privileges/rolesConditional contexts

    Creating the guided User Interface assignment tasksCreating the task #Factory_AddEntryAdding the task Add file to FactorySystem folderDefining the task on the repository definition

    Creating the task #Factory_RemoveEntryAdding the task Delete file from FactorySystem folder

    Section 3: Basic context-based provisioning (use case 1)Section 3: Basic context-based provisioning (use case 1)Troubleshooting

    Section 4: Provisioning using default/automatic context (use case 2)Section 5: Provisioning using conditional context (use case 3)