
SAP NetWeaver Identity Management
Identity Center
Tutorial - Provisioning
Version 7.1 Rev 4

Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Preface

The product
SAP NetWeaver Identity Management Identity Center is the primary component for identity management. The Identity Center includes functions for identity provisioning, workflow, password management, logging and reporting. It uses a centralized repository, called the identity store, to provide a uniform view of the data, regardless of the data's original source.

The reader
This manual is written for people who need an introduction to provisioning in the Identity Center.

Prerequisites
To get the most benefit from this manual, you should have the following knowledge:

Knowledge of LDAP.

Knowledge of Microsoft SQL Server or Oracle.

General knowledge about the Identity Center and job definitions, for instance as described in the SAP NetWeaver Identity Management Identity Center Tutorial: Basic synchronization and SAP NetWeaver Identity Management Identity Center Initial configuration.

The following software is required:

SAP NetWeaver Identity Management Identity Center 7.1 SP2, or newer, correctly installed and licensed.

SAP NetWeaver Identity Management User Interface must be installed and configured for this Identity Center and identity store (according to SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface).

A directory server with the external object classes top, person and inetOrgPerson (as defined in RFC 2798). The credentials necessary to add, modify and delete entries in the directory server are also required.

An Identity Center where at least one dispatcher has been configured and is running (see SAP NetWeaver Identity Management Identity Center Initial configuration).

An LDAP client to view the contents of the directory.

The manual
This tutorial consists of eleven (11) sections containing information about how you build a task structure and run a provisioning system.

This tutorial is not a substitute for training.

Person names used in this tutorial are fictional.


Related documents
You can find useful information in the following documents:

SAP NetWeaver Identity Management Identity Center: Installation overview

SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface

SAP NetWeaver Identity Management Identity Center Initial configuration

SAP NetWeaver Identity Management Identity Center Tutorial: Basic synchronization

For information on SAP NetWeaver see http://help.sap.com.

Table of contents

Introduction ........ 1
    The repositories ........ 1
    The data flow and task structure ........ 2
    Preparations ........ 3
    Section overview ........ 10
Section 1: Building the identity store ........ 11
    Defining a repository definition for the hr.csv file ........ 11
    Disabling automatic attribute creation ........ 14
    Reading the HR data into the identity store ........ 15
    Verifying the contents of the identity store ........ 20
    Enabling the delta ........ 22
Section 2: Preparing the repositories ........ 24
    Adding a repository definition for the LDAP server ........ 24
    Defining additional repository constants ........ 27
    Creating the organization ........ 28
    Adding a repository definition for the file system folder ........ 31
Section 3: Adding the create and update LDAP user tasks ........ 33
    Creating a folder for the LDAP tasks ........ 33
    Adding task: #LDAP_AddEntry ........ 34
    Adding link to existing task: Change entry reference and attribute value on PVO ........ 36
    Adding task: Create LDAP entry ........ 37
    Adding task: #LDAP_UpdateEntry ........ 41
Section 4: Adding the PRIV:LDAP privilege ........ 44
    Creating the PRIV:LDAP privilege ........ 44
    Updating the repository definition Tutorial-LDAP ........ 45
    Hiding the "Provisioning folder" ........ 46
    Creating a folder for User Interface tasks ........ 46
    Creating the User Interface task ........ 47
    Adding the privilege to the identity store entry ........ 50
Section 5: Adding the remove LDAP user tasks ........ 55
    Adding task: #LDAP_RemoveEntry ........ 55
    Adding link to existing task: Change entry reference and attribute value on PVO ........ 57
    Adding task: Set LDAP entry to inactive ........ 58
    Adding task: Remove LDAP entry ........ 60
    Updating the repository definition Tutorial-LDAP ........ 62
    Removing the privilege from the identity store entry ........ 63
Section 6: Resetting the tutorial data ........ 66
    Resetting the directory server ........ 66
    Emptying the identity store ........ 67
    Resetting the delta information ........ 69
    Removing the pending value objects ........ 70
    Running the job ........ 72
Section 7: Automatically assigning the privilege ........ 73
    Updating the "HR to identity store" job ........ 73
    Running the job ........ 74
Section 8: Adding the file system tasks ........ 75
    Adding task: #FILE_AddEntry ........ 75
    Adding link to existing task: Change entry reference and attribute value on PVO ........ 77
    Adding task: Add file ........ 78
    Adding task: #FILE_UpdateEntry ........ 80
    Adding task: #FILE_RemoveEntry ........ 82
    Adding link to existing task: Change entry reference and attribute value on PVO ........ 84
    Adding task: Remove file ........ 85
    Updating the "Reset tutorial data" job ........ 87
Section 9: Adding the PRIV:File privilege ........ 89
    Creating the PRIV:File privilege ........ 89
    Updating the repository definition Tutorial-FILE ........ 90
    Testing the tasks ........ 91
    Automatically assigning the PRIV:File privilege to the entries ........ 92
    Running the system ........ 94
Section 10: Handling deleted entries ........ 96
    Setting the deleted entries to inactive ........ 96
    Testing the mechanism ........ 97
Section 11: Adding the telephone numbers ........ 99
    Adding a repository definition for the tel.csv file ........ 99
    Adding the telephone numbers ........ 100
    Updating the identity store ........ 103
    Updating the "#LDAP_UpdateEntry" task ........ 105
    Running the job ........ 105
    Enabling the delta ........ 106
    Removing deleted attributes ........ 108
    Updating the "Reset tutorial data" job ........ 110
    Running the provisioning system ........ 110
    What's next? ........ 111


Introduction
The purpose of this tutorial is to show how to configure the Identity Center and build a task structure for provisioning and de-provisioning of employees. This involves building an identity store where information about all employees is stored, defining the different data sources as repositories in the Identity Center, and defining the tasks and jobs that perform the provisioning.

You will also see how to reset the identity store and provisioning system for testing purposes.

The repositories
For the sake of simplicity, this tutorial has as few external dependencies as possible. The purpose is to show how to create an identity data flow, more than to show how to connect to a number of different repository types.

For this reason, the repositories are ASCII files, with the exception of a directory server, which can also be replaced by ASCII files.

The ASCII repositories can be replaced by other types of repositories to achieve a more realistic scenario. The From ASCII file passes that are used to read the ASCII files must then be replaced by a pass type suitable for reading the type of data source in question.

The following figure gives an overview of the repositories involved in this tutorial:

Below is a description of the repositories:

hr.csv: An ASCII file in CSV format containing entries from an HR system.

tel.csv: An ASCII file in CSV format containing telephone numbers.

Directory Server: The users will be written to this directory server as part of the provisioning process.

File system: This is a folder in the file system where the contents of the identity store are stored with one file per user.

The files are stored together with this tutorial.

The tutorial shows how data is read from the files hr.csv and tel.csv into the identity store. From there, tasks in the provisioning system are used to update the target repositories.


The data flow and task structure
The following diagram illustrates the data flow that we are going to implement in this tutorial:

There are two jobs that read the data from the repositories and update the entries in the identity store. The entry type for these entries is MX_PERSON.

We create two privileges (PRIV:LDAP and PRIV:File) that we assign to the entries. The privileges contain a link (reference) to a repository definition, which contains links to the tasks that are executed when the privilege is assigned or removed, or when an entry that has the privilege assigned is modified.

The task structure is shown in the illustration above. There are separate task structures for each of the target repositories.

For the add member and remove member tasks, a pending value object is created. These tasks, defined on the repository definition, operate on the entry by default (but may operate on a pending object by selecting "Retrieve attributes from pending value" on the "Source" tab of the pass) and can be used for approval processing or any other task to be performed before the privilege is assigned or removed. This distinguishes the add member and remove member event tasks from the provisioning, deprovisioning and modify event tasks, for which no pending value object is created (they operate on the entry only, i.e. not on a pending value object). Using the add member event task ensures that a privilege is not added to the user until execution of the task has successfully completed. Using the remove member task ensures that the privilege is not removed until after the resource is removed by the connected task.

The add member task will not be executed for users which already have the privilege.

Note:
Both the add member event task and the provisioning event task (and accordingly, the remove member event task and the deprovisioning event task) can be specified. Then the add member event task (and remove member event task) will be executed first, i.e. the provisioning and the deprovisioning event tasks are not executed until the add member and remove member tasks have completed, and the privilege actually is assigned/removed.


Preparations
Before you proceed with the tutorial, there are a couple of things that must be specified.

Defining the global constant TUTORIAL_SOURCE
We create a global constant containing the path to the directory where the data source files hr.csv and tel.csv (downloaded together with this tutorial) are to be stored. To define the global constant:

1. Select the "Global constants" node in the console tree and choose New/Constant from the context menu (right-click the node to open the context menu):

   Specify the name of the constant and the directory where the files are to be stored. Make sure that the directory actually exists (create the folders Tutorial and Source).

2. Choose "OK" to close the dialog box and add the constant.

Note:
Store the files hr.csv and tel.csv (downloaded together with this tutorial) in the folder.

Defining the global constant TUTORIAL_TARGET
To be able to reference the files created in this tutorial in a uniform way, we create a global constant containing the path to the directory where the target repository files are to be placed. To define the global constant:

1. Select "Global constants" in the console tree and choose New/Constant from the context menu (right-click the node to open the context menu):

   Specify the name of the constant and the directory where the folders are to be stored. Make sure that the directory actually exists (create the folder Target).

2. Choose "OK" to close the dialog box and add the constant.

Specifying the system log level
To be able to view the log information shown in this tutorial, you must make sure that the log level for the system log is set to "Info". If necessary, change the log level and choose "Apply".


Creating a task to change attributes on pending value object
For event tasks on privileges and roles, e.g. MX_ADD_MEMBER_TASK or MX_DEL_MEMBER_TASK, when a new assignment (de-assignment) is requested and this task is present, a pending value object (PVO) is created and the task is executed on this object. The same task is executed regardless of which way the assignment (de-assignment) is done, either by adding/removing a user (MXMEMBER_MX_PERSON) to/from a privilege/role or by adding/removing a privilege (MXREF_MX_PRIVILEGE) or role (MXREF_MX_ROLE) to/from a user. In other words, the attributes MXMEMBER_MX_PERSON and MXREF_MX_PRIVILEGE/MXREF_MX_ROLE define the same link between a person object and a privilege/role object but create different pending value objects (with a different set of attributes), while the same task is executed in both cases.

The table below illustrates the differences in the pending value objects and their attributes in the two cases mentioned above:

Pending value object attribute | Attribute value when adding/removing a privilege/role to/from a user | Attribute value when adding/removing a user to/from a privilege/role
-------------------------------|----------------------------------------------------------------------|---------------------------------------------------------------------
MX_ENTRY_REFERENCE             | of MX_PERSON object                                                  | of MX_PRIVILEGE or MX_ROLE object
MX_ATTRIBUTE_NAME              | MXREF_MX_PRIVILEGE or MXREF_MX_ROLE                                  | MXMEMBER_MX_PERSON
MX_ATTRIBUTE_VALUE             | of MX_PRIVILEGE or MX_ROLE object                                    | of MX_PERSON object

When executing the task on the pending value object, two options exist:

Access the attributes from the pending value object itself.

Access attributes from the owner entry referenced by the attribute MX_ENTRY_REFERENCE on the pending value object.

This is selected on the "Source" tab of the job pass of the task to be executed on the pending value object. To retrieve attributes from the pending value object, make sure that "Retrieve attributes from pending value" is selected. To retrieve attributes from an entry type other than MX_PENDING_VALUE, deselect "Retrieve attributes from pending value" and select the source entry type (MX_PERSON by default, i.e. if the "Source entry type" field is empty).

For some users, it may be of interest to have a predictable behavior for the pending value object creation, e.g. to make sure that the entry referenced from the pending value object (MX_ENTRY_REFERENCE), when adding and removing user/privilege and user/role links, always is MX_PERSON (with the corresponding values for the attributes MX_ATTRIBUTE_NAME and MX_ATTRIBUTE_VALUE as described in the table above). In this section we are creating a task that calls a script to make sure that the links are defined by the MXREF_... attribute, both when adding/removing a privilege/role to/from a user and when adding/removing a user to/from a privilege/role, giving the same pending value object and referenced object (here MX_PERSON) in both cases.


To create the task, do the following:

1. Select any task folder on the identity store (here we choose Provisioning folder on the Enterprise People identity store) and choose New/Ordered task group from the context menu.

   Modify the name of the ordered task group in the console tree, here named Change entry reference and attribute value on PVO.

2. Select the ordered task group just created and choose New/Action task/Empty job to create a task.

3. Select the job in the console tree.

   Modify the job properties:

   Enabled: Select this check box to enable the job to be run by a dispatcher.

   Run by dispatchers: Select a dispatcher that should be responsible for running this job.

4. Choose "Apply".

5. Select "Scripts" for the job and choose New/Script from the context menu to create a script.

   Enter the name for the script, here ChangeEntryREFandAttrVALUEonPVO.


6. Choose "OK".

   Define the following script (you can copy and paste the script below and replace the template definition). Compared with the generated template, the script below declares its variables and calls every built-in function through UserFunc, including uIS_SetValue:

    // Main function: ChangeEntryREFandAttrVALUEonPVO
    function ChangeEntryREFandAttrVALUEonPVO(Par) {
        var CurrentEntryID = UserFunc.uGetEntryID();
        var CurrentIDStore = UserFunc.uGetIDStore();

        // Name of the link attribute stored on the pending value object (PVO)
        var attrName = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ATTRIBUTE_NAME");
        var AttrName = new java.lang.String(attrName);

        if (AttrName.startsWith("MXMEMBER")) {
            // --- The PVO was created from the privilege/role side, so the two
            // --- attributes point the other way round than in the MXREF case:
            // UserMskeyAttr = "MX_ENTRY_REFERENCE";
            // PrivMskeyAttr = "MX_ATTRIBUTE_VALUE";
            UserFunc.uErrMsg(1, "PVO " + CurrentEntryID + " will be patched!");

            // --- Change the content of the two attributes above (reference and value)
            var PrivMskeyAttr = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ENTRY_REFERENCE");
            UserFunc.uErrMsg(1, "Original MX_ENTRY_REFERENCE was (points to privilege): " + PrivMskeyAttr);

            var UserMskeyAttr = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ATTRIBUTE_VALUE");
            UserFunc.uErrMsg(1, "Original MX_ATTRIBUTE_VALUE was (points to user): " + UserMskeyAttr);

            // Swap them: the reference now points to the person, the value to the privilege/role
            var OutString = UserFunc.uIS_SetValue(CurrentEntryID, CurrentIDStore, "MX_ENTRY_REFERENCE", UserMskeyAttr);
            OutString = UserFunc.uIS_SetValue(CurrentEntryID, CurrentIDStore, "MX_ATTRIBUTE_VALUE", PrivMskeyAttr);

            // Read the attributes back and log the result
            UserMskeyAttr = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ENTRY_REFERENCE");
            UserFunc.uErrMsg(1, "New MX_ENTRY_REFERENCE was (points to user): " + UserMskeyAttr);

            PrivMskeyAttr = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ATTRIBUTE_VALUE");
            UserFunc.uErrMsg(1, "New MX_ATTRIBUTE_VALUE was (points to privilege): " + PrivMskeyAttr);

            // --- Change the content of the NAMING attribute: MXMEMBER_MX_PERSON becomes
            // --- MXREF_<entry type of the assigned object>, i.e. MXREF_MX_PRIVILEGE or MXREF_MX_ROLE
            var MskeyValueOfTheObject = UserFunc.uIS_GetValue(PrivMskeyAttr, CurrentIDStore, "MX_ENTRYTYPE");
            UserFunc.uErrMsg(1, "Entrytype of the assigned object: " + MskeyValueOfTheObject);

            var ConcatValue = "MXREF_" + MskeyValueOfTheObject;
            OutString = UserFunc.uIS_SetValue(CurrentEntryID, CurrentIDStore, "MX_ATTRIBUTE_NAME", ConcatValue);
            UserFunc.uErrMsg(1, "New MX_ATTRIBUTE_NAME is: " + ConcatValue);
        }
    }

7. Choose "OK" and the script is added.

8. Select the job in the console tree and choose New/To Generic from the context menu to create a pass. Select the "Destination" tab:

   Modify the properties:

   Select the script "ChangeEntryREFandAttrVALUEonPVO" in the "Next data entry" field.

   Enter the attribute "MSKEYVALUE" with the value "%MSKEYVALUE%".

9. Choose "Apply".

The task Change entry reference and attribute value on PVO is now created. It will be used by the tasks that create, update and remove LDAP users (LDAP) and files (file system). The task will produce a warning every time the attributes are changed on the pending value object, giving additional information about the change (as will be seen in the job log on page 98).
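To see what the script actually does to a pending value object without an Identity Center at hand, the following is an added example that is not part of SAP's tutorial or the product: it re-implements the normalisation rule of ChangeEntryREFandAttrVALUEonPVO as plain JavaScript that runs under Node.js against a constructed in-memory identity store. The UserFunc object is a hypothetical stand-in for the Identity Center's real UserFunc (only uGetEntryID, uGetIDStore, uIS_GetValue, uIS_SetValue and uErrMsg are mocked), every entry id and name (1001, 2001, 9001, jdoe, ROLE:STAFF) is made up, and the guard for a PVO whose MX_ENTRY_REFERENCE points to a missing entry is an addition that the tutorial script does not make. It walks through both columns of the PVO table above: a PVO created via MXMEMBER_MX_PERSON (for a privilege and for a role) is rewritten so that the reference points to the MX_PERSON entry and the name becomes MXREF_..., while a PVO created via MXREF_MX_PRIVILEGE is left as it is.

```javascript
'use strict';

// Constructed sample identity store (mskey -> attributes). Every id and name here is made up.
function makeStore() {
  return {
    '1001': { MX_ENTRYTYPE: 'MX_PERSON', MSKEYVALUE: 'jdoe' },
    '2001': { MX_ENTRYTYPE: 'MX_PRIVILEGE', MSKEYVALUE: 'PRIV:LDAP' },
    '3001': { MX_ENTRYTYPE: 'MX_ROLE', MSKEYVALUE: 'ROLE:STAFF' },
    // PVO created by adding person 1001 as a member of privilege 2001 (MXMEMBER case)
    '9001': { MX_ENTRYTYPE: 'MX_PENDING_VALUE', MX_ATTRIBUTE_NAME: 'MXMEMBER_MX_PERSON',
              MX_ENTRY_REFERENCE: '2001', MX_ATTRIBUTE_VALUE: '1001' },
    // PVO created by adding privilege 2001 to person 1001 (MXREF case, already in the target form)
    '9002': { MX_ENTRYTYPE: 'MX_PENDING_VALUE', MX_ATTRIBUTE_NAME: 'MXREF_MX_PRIVILEGE',
              MX_ENTRY_REFERENCE: '1001', MX_ATTRIBUTE_VALUE: '2001' },
    // PVO created by adding person 1001 as a member of role 3001 (MXMEMBER case, role)
    '9003': { MX_ENTRYTYPE: 'MX_PENDING_VALUE', MX_ATTRIBUTE_NAME: 'MXMEMBER_MX_PERSON',
              MX_ENTRY_REFERENCE: '3001', MX_ATTRIBUTE_VALUE: '1001' },
    // PVO whose referenced privilege no longer exists (constructed failure case)
    '9004': { MX_ENTRYTYPE: 'MX_PENDING_VALUE', MX_ATTRIBUTE_NAME: 'MXMEMBER_MX_PERSON',
              MX_ENTRY_REFERENCE: '4444', MX_ATTRIBUTE_VALUE: '1001' }
  };
}

// Hypothetical stand-in for the Identity Center's UserFunc object: only the five functions
// the tutorial script calls are mocked, and attribute values are strings as in IdM.
function makeUserFunc(store, entryId, log) {
  return {
    uGetEntryID: function () { return entryId; },
    uGetIDStore: function () { return 1; },
    uIS_GetValue: function (mskey, idStore, attr) {
      var e = store[mskey];
      return e && Object.prototype.hasOwnProperty.call(e, attr) ? String(e[attr]) : '';
    },
    uIS_SetValue: function (mskey, idStore, attr, value) {
      store[mskey][attr] = String(value);
      return 0;
    },
    uErrMsg: function (level, msg) { log.push(msg); }
  };
}

// Same rule as ChangeEntryREFandAttrVALUEonPVO: a PVO created from the privilege/role side
// (MXMEMBER_*) gets reference and value swapped so MX_ENTRY_REFERENCE points to the person,
// and MX_ATTRIBUTE_NAME becomes MXREF_<entry type of the assigned object>. A PVO that is
// already MXREF_* is left alone.
function normalisePvo(UserFunc) {
  var entryId = UserFunc.uGetEntryID();
  var idStore = UserFunc.uGetIDStore();
  var attrName = UserFunc.uIS_GetValue(entryId, idStore, 'MX_ATTRIBUTE_NAME');
  if (attrName.indexOf('MXMEMBER') !== 0) {
    return 'unchanged';
  }
  var privMskey = UserFunc.uIS_GetValue(entryId, idStore, 'MX_ENTRY_REFERENCE');
  var userMskey = UserFunc.uIS_GetValue(entryId, idStore, 'MX_ATTRIBUTE_VALUE');
  var assignedType = UserFunc.uIS_GetValue(privMskey, idStore, 'MX_ENTRYTYPE');
  if (assignedType === '') {
    // Added guard (not in the tutorial script): with a dangling reference the name would
    // become a bare "MXREF_", so the PVO is left untouched and the problem is logged instead.
    UserFunc.uErrMsg(1, 'PVO ' + entryId + ': referenced entry ' + privMskey + ' has no MX_ENTRYTYPE, skipped');
    return 'skipped';
  }
  UserFunc.uErrMsg(1, 'PVO ' + entryId + ' will be patched!');
  UserFunc.uIS_SetValue(entryId, idStore, 'MX_ENTRY_REFERENCE', userMskey);
  UserFunc.uIS_SetValue(entryId, idStore, 'MX_ATTRIBUTE_VALUE', privMskey);
  UserFunc.uIS_SetValue(entryId, idStore, 'MX_ATTRIBUTE_NAME', 'MXREF_' + assignedType);
  return 'patched';
}

// Apply the rule to every PVO in the store, the way the "To Generic" pass calls the script
// once per entry. Returns the per-PVO outcome, the updated store and the collected log lines.
function normaliseAll(store) {
  var log = [];
  var results = {};
  Object.keys(store).forEach(function (mskey) {
    if (store[mskey].MX_ENTRYTYPE !== 'MX_PENDING_VALUE') { return; }
    results[mskey] = normalisePvo(makeUserFunc(store, mskey, log));
  });
  return { results: results, store: store, log: log };
}

if (typeof require !== 'undefined' && require.main === module) {
  var out = normaliseAll(makeStore());
  console.log(out.results);
  out.log.forEach(function (line) { console.log(line); });
}
```

Running the file prints one outcome per PVO (9001 and 9003 patched, 9002 unchanged, 9004 skipped) followed by the same kind of log lines the real script writes with uErrMsg at level 1, which is why the job log later shows a warning for each patched pending value object.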

Section overview
The tutorial consists of the following sections:

Section 1: Building the identity store
    In this section the contents of the file hr.csv are read into the identity store.

Section 2: Preparing the repositories
    This section describes how to prepare and define the target repositories.

Section 3: Adding the create and update LDAP user tasks
    Here, the task structure for the tasks that update the LDAP server is built.

Section 4: Adding the PRIV:LDAP privilege
    In this section the privilege is added. A User Interface task that is used to add the privilege to the entries in the identity store is also created.

Section 5: Adding the remove LDAP user tasks
    This section describes how to add the tasks for removing a user in the directory server. The privilege is also updated to contain a link to a member event task.

Section 6: Resetting the tutorial data
    The section describes how to create a job that resets all the generated data.

Section 7: Automatically assigning the privilege
    In this section we will see how we can automatically assign the privilege when the users are added to the identity store.

Section 8: Adding the file system tasks
    This section shows how to add the tasks for updating the file system.

Section 9: Adding the PRIV:File privilege
    In this section a privilege for the file system folder is added.

Section 10: Handling deleted entries
    This section describes how to handle entries that are deleted from the master data source.

Section 11: Adding the telephone numbers
    The last section describes how to add the telephone numbers and e-mail addresses from the second data source, the file tel.csv.


    Section 1: Building the identity store

    In this section we are going to read the contents of the file hr.csv into the identity store.

    Here we use and populate the default identity store Enterprise People. Make sure that the Identity Management User Interface is installed and configured for the Identity Center you are using and for the default identity store, as described in SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface. This also assumes an administrator user with access to at least the "Self Services", "Monitoring" and "Manage" tabs in the User Interface.

    Defining a repository definition for the hr.csv file

    A repository definition is used to hold constants and variables which are common for one data source (repository). The repository constants can be accessed from the context menu in the same way as global constants.

    1. Start the repository wizard by selecting "Repositories" (under "Management") in the console tree, and choosing New/Repository from the context menu.

    2. Choose "Next >".

    Navigate to the "Repositories" sub-directory and select "File".


    3. Choose "Next >".

    Enter a name and description of the repository definition.

    4. Choose "Next >".

    Use the context menu to insert the global constant we added and add the name of the file (hr.csv).

    5. Choose "Next >" and then "Finish" to complete the wizard.


    The repository definition is added to the console tree:

    By expanding the "Repositories" node in the console tree, you can view the created repository definition's constants:


    Disabling automatic attribute creation

    Disable the automatic attribute creation. This option is used to control what happens when an attribute which does not exist, or an attribute which is not defined as a legal attribute on an entry type, is written to the identity store.

    If "Automatically create new attributes" is enabled, the new attribute is created and added to the entry type. If the option is disabled, an error is returned. To disable the automatic attribute creation on the identity store Enterprise People, do the following:

    1. Select the identity store "Enterprise People" in the console tree.

    Deselect "Automatically create attributes".

    2. Choose "Apply".


    Reading the HR data into the identity store

    We have now created a repository definition for the hr.csv file and defined an identity store that we can use when creating the job which will read the source data into the identity store.

    Creating the folder and job

    First, we are going to create a folder for the jobs in the tutorial, and the job definition for this job.

    1. Create a folder called "Provisioning tutorial" that can be used to hold the jobs. Select the Identity Center node (not the identity store) in the console tree and choose New/Folder from the context menu to create the folder.

    2. Create a job by selecting the created folder and choosing New/Empty job from the context menu.

    Modify the name of the job in the console tree.

    Enable the job and select a dispatcher.

    3. Choose "Apply".

    This job will contain two passes; one to read the ASCII file (hr.csv) into the temporary table (tutorial_HR), and another to read from this table into the identity store. This must be done in a single job. The reason is that the first pass will delete the temporary table every time it executes, and then fill it with the data from the hr.csv file. If the second pass was a separate job (which could then be run asynchronously from the first), it could start just when the table was deleted or just partly filled, and then remove the missing people from the identity store.


    Reading the ASCII file

    First, we will create the pass that reads the ASCII file:

    1. Select the job in the console tree and choose New/From ASCII file from the context menu.

    Enter "Read HR" as the name of the pass in the console tree.

    Repository: Select "Tutorial-HR" in the "Repository" list.

    2. Select the "Source" tab:


    File name: Use the context menu to insert the repository constant %$rep.FILENAME% that refers to the file name.

    Field separator: Enter a comma sign (,) as the field separator.

    Header line: Make sure that "Header line" is selected.

    3. Select the "Destination" tab:

    Fill in the fields with the following values:

    Database: Use the context menu to insert the system parameter %$ddm.identitycenter% that refers to the Identity Center database.

    Table name: Enter "tutorial_HR" as the table name.

    Note: Do not use hyphens in table names, as this will cause problems with some database drivers.

    Definitions: Choose "Insert template" and select "Data source template" to create the pass definitions.

    4. Choose "Apply".

    Running the job

    At this point, we are ready to test the pass. Run the job by viewing the job properties and choosing "Run now".


    View the job log to verify that the job ran successfully, and that a number of entries have been processed:

    Updating the identity store

    The next step is to create the pass that writes the data to the identity store:

    1. Select the "Read HR" pass and choose New/To Identity store from the context menu and select the "Source" tab:


    Modify the pass name in the console tree.

    Database: Use the context menu to insert the system parameter %$ddm.identitycenter%.

    SQL statement: Enter the SQL statement to select all rows from the table created in the previous pass (SELECT * FROM tutorial_HR).

    2. Select the "Destination" tab:

    Identity store: Make sure that the "Enterprise People" identity store is selected.

    Entry type: Select the entry type "MX_PERSON".

    Definitions: Choose "Insert template" and select "Data source template" to insert the definitions for the pass.

    Note: The insert template will only work if you actually executed the job with the pass "Read HR" as explained in the previous section.

    Modify the definition to use the attributes from the entry type. You can use the context menu to find the destination attributes.

    3. Choose "Apply".

    Running the job

    Run the job and open the job log to verify that 50 entries were added (100 entries processed).


    Verifying the contents of the identity store

    If everything has gone well, the identity store should now contain all entries from the hr.csv file, which can be observed in the SAP NetWeaver Identity Management User Interface.

    Note: Make sure that the User Interface is installed and configured for the Identity Center and the identity store you are using according to SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface.

    To access the User Interface do the following:

    1. Enter http://<host>:<port>/idm in your browser.

    Provide the credentials in the log-in window (of the user with access to the "Manage" tab in the User Interface).

    2. Choose "Log on".


    3. Select the "Manage" tab.

    4. Make sure that "Person" is selected in the "Show" field and choose "Go".

    5. Verify that the entries are present in the identity store.


    Enabling the delta

    We now have two working passes. The next step is to ensure that only modified entries in the data source are written to the identity store. This is done by enabling the delta mechanism on the "To Identity store" pass of the "HR to identity store" job (and not on the "Read HR" pass, since the entire ASCII file hr.csv needs to be read each time anyway):

    1. Select the "HR to ID store" pass and select the "Delta" tab:

    Fill in the fields with the following values:

    Enable delta: Select this check box to enable delta on this pass.

    Delta database: Use the context menu to insert the system parameter %$ddm.identitycenter% to specify that you want to use the Identity Center database as the delta database.

    Delta identifier: Enter "TUTORIALHR" as the delta identifier. This must be unique within one delta database.

    Delta key: This is automatically filled in with the value from the first line of the definitions on the "Destination" tab.

    2. Choose "Apply".


    Run the job a couple of times and view the job log:

    The first time the job is run after the delta is enabled, 50 entries are modified, while the next time, the job detects that the entries are unmodified.

    Note: The count is the total for the job, including the entries handled by the "Read HR" pass. These entries are always included in the "Add" column, as no delta has been defined for this pass.
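    The delta mechanism described above, as an added example that is not part of the SAP tutorial: a delta table keyed by delta identifier and delta key stores a fingerprint of each written row, so a later run only writes rows that are new or changed. SQLite stands in for the Identity Center delta database; the table name tutorial_delta and the sample HR rows are constructed, and the example goes one step further than the text by also reporting keys that disappeared from the source (the situation Section 10 handles).

```python
"""Added example, not from the SAP tutorial: a minimal delta mechanism of the
kind enabled on the "HR to ID store" pass. SQLite stands in for the Identity
Center delta database; the table name and the sample HR rows are constructed."""
import csv
import hashlib
import io
import sqlite3

DELTA_IDENTIFIER = "TUTORIALHR"  # must be unique within one delta database
DELTA_KEY = "MSKEYVALUE"         # first line of the Destination definitions

# Constructed stand-in for hr.csv (the tutorial's file holds 50 rows).
HR_CSV = """\
MSKEYVALUE,MX_FIRSTNAME,MX_LASTNAME,MX_DEPARTMENT
3001,John,Doe,Sales
3002,Jane,Roe,Engineering
3003,Max,Muster,Finance
"""


def open_delta_db():
    """Create the constructed delta table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tutorial_delta ("
        " delta_id TEXT NOT NULL, delta_key TEXT NOT NULL,"
        " fingerprint TEXT NOT NULL, PRIMARY KEY (delta_id, delta_key))"
    )
    return db


def fingerprint(row):
    """Hash every attribute that would be written, so a change in any of them
    (not only in the delta key) is detected on the next run."""
    canonical = "\x1f".join(f"{k}={row[k]}" for k in sorted(row))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def run_pass(db, csv_text, write_entry):
    """One run of the pass with delta enabled: only new or changed rows are
    handed to write_entry (the identity store write); unchanged rows are
    skipped; keys that vanished from the source are reported as removed."""
    counts = {"new": 0, "changed": 0, "unchanged": 0, "removed": 0}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[DELTA_KEY]
        seen.add(key)
        fp = fingerprint(row)
        stored = db.execute(
            "SELECT fingerprint FROM tutorial_delta WHERE delta_id=? AND delta_key=?",
            (DELTA_IDENTIFIER, key),
        ).fetchone()
        if stored is None:
            counts["new"] += 1
            write_entry(row)
            db.execute("INSERT INTO tutorial_delta VALUES (?, ?, ?)",
                       (DELTA_IDENTIFIER, key, fp))
        elif stored[0] != fp:
            counts["changed"] += 1
            write_entry(row)
            db.execute(
                "UPDATE tutorial_delta SET fingerprint=? WHERE delta_id=? AND delta_key=?",
                (fp, DELTA_IDENTIFIER, key),
            )
        else:
            counts["unchanged"] += 1
    # Keys still in the delta table but absent from this run's source have been
    # deleted from the master data (Section 10 of the tutorial handles them).
    known = db.execute("SELECT delta_key FROM tutorial_delta WHERE delta_id=?",
                       (DELTA_IDENTIFIER,)).fetchall()
    for (key,) in known:
        if key not in seen:
            counts["removed"] += 1
            db.execute("DELETE FROM tutorial_delta WHERE delta_id=? AND delta_key=?",
                       (DELTA_IDENTIFIER, key))
    db.commit()
    return counts
```

Running run_pass twice on the same input reproduces the job log behaviour from the text: every row is written on the first run and none on the second.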


    Section 2: Preparing the repositories

    We are going to update two target repositories:

    An LDAP server meeting the requirements described in the preface.

    A file system folder. This is used to show an alternative type of repository. One file will be created for each user, containing information about the user.

    Both these repositories will be added as repository definitions in the Identity Center. The repository definitions are then referenced from the jobs and tasks we create.

    Adding a repository definition for the LDAP server

    Before we can provision the entries to the LDAP server, we must add a repository definition for the LDAP server and create the organization where we will add the entries.

    To add a repository definition for the LDAP server:

    1. Start the repository wizard by selecting "Repositories" in the console tree, and choosing New/Repository from the context menu.

    2. Choose "Next >".

    Navigate to the "Repositories" sub-directory and choose "Directory".


    3. Choose "Next >".

    Enter "Tutorial-LDAP" as the name of the repository definition.

    4. Choose "Next >".

    Fill in information about your directory server as shown above (leave the field "Naming attribute" as it is). The user must have access to create an organization below the specified starting point.

    5. Choose "Next >" and then "Finish".


    The repository definition is added to the console tree with the following repository constants:


    Defining additional repository constants

    In addition to the constants created by the wizard, we need to create some additional repository constants:

    The name of the organization.

    The DN of the organization.

    The DN of the entries within the organization.

    Adding a repository constant for the organization

    To add the constant:

    1. Select the Tutorial-LDAP repository definition's "Constants" node in the console tree and choose New/Constant from the context menu:

    This constant contains the name of the organization you are going to add to the directory server.

    2. Choose "OK".

    Adding the repository constant for the organization DN

    Add the DN constant in the same way as the previous constant with the following values:

    Use the context menu to insert the repository constants.


    Adding the repository constant for the entries' DN

    Add the constant for the DN of the entries that we will add to the organization:

    You have to enter the first part (%MSKEYVALUE%) manually, as the source attributes are not available from the context menu at this point.

    Creating the organization

    Before we can run the tasks, we must create the organization in the directory server.

    This pass will be part of a job that is used to reset the tutorial data: the identity store, repositories and delta. This is often necessary during a development phase. In addition, this will verify access to the directory server.

    1. Select the folder "Provisioning tutorial" in the console tree and choose New/Empty job from the context menu.

    Rename the job in the console tree to "Reset tutorial data".


    Modify the job properties:

    Enabled: Select this check box to enable the job.

    Run by dispatchers: Select a dispatcher that is responsible for running this job.

    2. Choose "Apply".

    3. Create the pass by selecting the job and choosing New/Run pass wizard to start the pass wizard.

    4. Choose "Next >".

    Navigate to the folder "Generic directory" in the Identity Center tree and select the "Create LDAP organization" template.

    5. Choose "Next >".

    Select the repository definition "Tutorial-LDAP".


    6. Choose "Next >".

    Leave the field "Organization name" empty as we will reference the repository constant directly.

    The other fields are disabled to show that the values are retrieved from the repository definition.

    7. Choose "Next >" and then "Finish".

    8. Select the pass in the console tree and select the "Destination" tab:

    The repository constants you specified when running the wizard are inserted in the fields.

    Replace the values for "dn" and "o" with the repository constants you added.

    9. Choose "Apply".


    Running the job

    Run the job and verify that the organization is created in the directory server. Use an LDAP client to view the contents of the directory server.

    If the job fails, inspect the log files and verify that you have specified the correct credentials for the directory server.

    Adding a repository definition for the file system folder

    Create a folder in the file system where you want to store the files that we create for each entry in the identity store. Here we create a folder files in C:\Tutorial\Target.

    The file system folder is added as a generic repository definition:

    1. Select the Identity Center's "Repositories" node and choose New/Repository from the context menu. Choose "Next >".

    Navigate to the "Repositories" directory and select the "Generic repository" template.


    2. Choose "Next >".

    Specify the repository definition name.

    3. Choose "Next >" twice and then "Finish" to complete the wizard.

    4. Add one repository constant:

    Name the constant "PATH" and enter the path to the folder as the value. You can use the global constant as part of the folder name. Use the context menu to insert the global constant.

    Note: Make sure that this folder (files) exists.

    5. Choose "OK" to close the dialog box.


    Section 3: Adding the create and update LDAP user tasks

    In this section we will add the tasks for creating and updating a user in the directory server. The top-level task will be called as the add member event task from the Tutorial-LDAP repository definition, which is referenced from the PRIV:LDAP privilege (created later) assigned to a user. To easily identify the tasks that are called from the privilege, we use the following naming convention: a hash sign, the repository name, an underscore and the task name. For instance:

    #LDAP_AddEntry
    #LDAP_UpdateEntry
    #FILE_RemoveEntry

    and so on.

    Creating a folder for the LDAP tasks

    First, we create a folder that we will use for the tasks for the LDAP server.

    1. Select the identity store "Enterprise People" and choose New/Folder from the context menu.

    Enter "LDAP" as name for the folder.

    2. Choose "OK". The folder is included in the console tree.

    Deselect "Show folder in User Interface" as the tasks in this folder should not be displayed in the User Interface.

    3. Choose "Apply".


    Adding task: #LDAP_AddEntry

    Next, we create the ordered task group #LDAP_AddEntry.

    1. Select the folder you just created and choose New/Ordered task group from the context menu.

    Modify the task name in the console tree.

    Fill in the fields with the following values:

    Repository: Select "Tutorial-LDAP" from the list.


    2. Select the "Result handling" tab:

    Fill in the following:

    Wait for event tasks: Select "Wait for event tasks" to make sure that the pending value objects are automatically removed when completed.

    3. Choose "Apply".


    Adding link to existing task: Change entry reference and attribute value on PVO

    Here we link the task Change entry reference and attribute value on PVO created previously. To link the task, do the following:

    1. Select the ordered task group "#LDAP_AddEntry", choose New/Link to existing task from the context menu and select the task Change entry reference and attribute value on PVO.

    The task link is created.


    Adding task: Create LDAP entry

    The next step is to create the action task Create LDAP entry. This task creates the user in the LDAP directory, although without any attributes except the mandatory sn. The other attributes are added by the #LDAP_UpdateEntry task.

    Note: This sample shows usage of an iPlanet directory server. If you are using another directory server, you may need to use different values.

    1. Select the task "#LDAP_AddEntry" and choose New/Action task/Run wizard to start the job wizard.

    2. Choose "Next >".

    Navigate to the "Generic directory" folder in the "Identity Center" tree and select the "Create LDAP InetOrgPerson" template.

    3. Choose "Next >".

    Select the "Tutorial-LDAP" repository definition.


    4. Choose "Next >".

    The values for most constants are retrieved from the corresponding repository constants.

    You only need to supply the name of the organization. Use the context menu to insert the repository constant referencing the organization name.

    5. Choose "Next >" and then "Finish".

    The task is included in the console tree:

    Rename this task to "Create LDAP entry".

    Although you selected a repository definition for this task, this is not included in the "Repository" field. This is because the parent task already contains a reference to this repository definition.


    6. Select the job in the console tree:

    Modify the job name in the console tree.

    Modify the job properties:

    Enabled: Select this check box to enable the job to be run by a dispatcher.

    Run by dispatchers: Select a dispatcher that should be responsible for running this job.

    7. Choose "Apply".


    8. Select the pass in the console tree and select the "Source" tab:

    Deselect "Retrieve attributes from pending value".

    9. Select the "Destination" tab:

    Modify the pass name in the console tree.

    Modify the definition created by the template in the following way:

    dn: %$rep.DN%
    .objectClass: top|person|organizationalPerson|inetOrgPerson
    sn: %MX_LASTNAME%

    Use the context menu to insert the source attributes and the constants used in the definitions.

    The prefix . (period) in front of objectClass ensures that this attribute will not be updated in a Modify operation.


    Remove the redundant lines created by the template.

    Add the line:

    changeType: Add

    This line ensures that the job fails if trying to create an already existing entry.

    10. Choose "Apply".

    Adding task: #LDAP_UpdateEntry

    We continue by adding a task to modify the LDAP attributes. For this purpose, we create the task #LDAP_UpdateEntry.

    Create the task in the same way as the Create LDAP entry task:

    1. Select the "#LDAP_AddEntry" task in the console tree and choose New/Action task/Run wizard from the context menu. Use the "Create LDAP InetOrgPerson" template. Use the repository definition "Tutorial-LDAP" and the repository constant as the organization name.

    Modify the task name in the console tree.

    The #LDAP_UpdateEntry task is now part of the #LDAP_AddEntry ordered task group, i.e.executing #LDAP_AddEntry will also execute #LDAP_UpdateEntry.

    Select "Public task" as we are going to call this task from the repository definition later on.

    2. Choose "Apply".


    3. Select the job in the console tree:

    Modify the job name in the console tree.

    Enable the job, and select the correct dispatcher.

    4. Choose "Apply".

    5. Select the pass in the console tree and select the "Source" tab.

    Deselect "Retrieve attributes from pending value".


    6. Select the "Destination" tab:

    Modify the pass name in the console tree.

    Remove the redundant lines and modify the remaining pass definitions as shown above.

    The definition changeType=Modify indicates that this pass will always perform a modifyoperation.

    7. Choose "Apply".
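    The semantics of the two pass definitions above (the "." prefix that keeps objectClass out of a Modify, the "|" separator for multi-valued attributes, repository constants that may themselves reference source attributes, and changeType: Add failing on an existing entry), as an added example that is not part of the SAP tutorial and not Identity Center code. The repository constants, the attribute values and the in-memory directory standing in for the LDAP server are constructed; the exception types are this example's own choice.

```python
"""Added example, not from the SAP tutorial: a small interpreter for pass
definitions of the kind used by the "Create LDAP entry" and "#LDAP_UpdateEntry"
passes. Constants, DNs and the in-memory directory are constructed."""
import re

# Constructed repository constants. As in the tutorial, the entry DN is built
# from %MSKEYVALUE% and the organization DN, so a constant may contain macros.
REP_CONSTANTS = {
    "DN": "uid=%MSKEYVALUE%,%$rep.ORG_DN%",
    "ORG_DN": "o=Tutorial,dc=example,dc=com",
}

# Definition of the create pass: ".objectClass" is skipped in a Modify,
# "changeType: Add" makes an already existing entry an error.
CREATE_DEFINITION = """\
dn: %$rep.DN%
.objectClass: top|person|organizationalPerson|inetOrgPerson
sn: %MX_LASTNAME%
changeType: Add
"""

# Definition of the update pass: always a Modify, extra attributes constructed.
UPDATE_DEFINITION = """\
dn: %$rep.DN%
.objectClass: top|person|organizationalPerson|inetOrgPerson
sn: %MX_LASTNAME%
givenName: %MX_FIRSTNAME%
mail: %MX_MAIL_PRIMARY%
changeType: Modify
"""

_MACRO = re.compile(r"%(\$rep\.)?([A-Za-z0-9_]+)%")


def expand(text, attrs, constants, depth=0):
    """Replace %$rep.NAME% with a repository constant and %ATTR% with a source
    attribute; constants may contain further macros, so expand until stable."""
    if depth > 10:
        raise ValueError("macro expansion does not terminate: " + text)

    def repl(match):
        is_const, name = match.group(1), match.group(2)
        table = constants if is_const else attrs
        if name not in table:
            raise KeyError(("$rep." if is_const else "") + name)
        return str(table[name])

    new = _MACRO.sub(repl, text)
    return new if new == text else expand(new, attrs, constants, depth + 1)


def render(definition, attrs, constants):
    """Turn a pass definition into (change_type, dn, {attribute: [values]})."""
    change_type, dn, values = None, None, {}
    for raw in definition.splitlines():
        if not raw.strip():
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip(), expand(value.strip(), attrs, constants)
        if name.lower() == "changetype":
            change_type = value
        elif name == "dn":
            dn = value
        else:
            values[name] = value.split("|")  # "|" separates multiple values
    if change_type is None or dn is None:
        raise ValueError("definition needs both dn and changeType")
    if change_type == "Modify":
        # Attributes prefixed with "." are not written in a Modify operation.
        values = {k: v for k, v in values.items() if not k.startswith(".")}
    else:
        values = {k.lstrip("."): v for k, v in values.items()}
    return change_type, dn, values


def apply_to_directory(directory, definition, attrs, constants=REP_CONSTANTS):
    """Apply a definition to an in-memory directory (dict: DN -> attributes)."""
    change_type, dn, values = render(definition, attrs, constants)
    if change_type == "Add":
        if dn in directory:
            raise FileExistsError("entry already exists: " + dn)
        directory[dn] = values
    elif change_type == "Modify":
        if dn not in directory:
            raise KeyError("entry does not exist: " + dn)
        directory[dn].update(values)
    else:
        raise ValueError("unsupported changeType: " + change_type)
    return dn


def apply_safely(directory, definition, attrs, constants=REP_CONSTANTS):
    """Like apply_to_directory, but returns (dn, None) or (None, error text)."""
    try:
        return apply_to_directory(directory, definition, attrs, constants), None
    except (FileExistsError, KeyError, ValueError) as exc:
        return None, str(exc)
```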


    Section 4: Adding the PRIV:LDAP privilege

    In this section we will add the privilege that contains a link to the repository definition Tutorial-LDAP, which in turn contains links to the created add member and modify event tasks. In this section we will also create a User Interface task that is used to add the privilege PRIV:LDAP to the entries in the identity store, and see that the task is executed.

    Creating the PRIV:LDAP privilege

    To add the privilege:

    1. Select "Privileges" in the console tree, under "Identity store metadata", and choose New/Privilege from the context menu.

    Modify the following properties:

    Name: Enter "PRIV:LDAP" as the name of the privilege.

    Repository: Select the repository definition "Tutorial-LDAP".

    2. Choose "OK" to close the dialog box and create the privilege.


    Updating the repository definition Tutorial-LDAP

    Define the created tasks #LDAP_AddEntry and #LDAP_UpdateEntry on the repository definition Tutorial-LDAP, which is referenced from the tasks and the privilege.

    1. Select the repository definition "Tutorial-LDAP" (under Management\Repositories) in the console tree.

    2. Select the "Event tasks" tab:

    Modify the following properties:

    Add member task: Add the task "#LDAP_AddEntry". Use the button to the right of the field to select the task.

    Modify task: Add the task "#LDAP_UpdateEntry". Use the button to the right of the field to select the task.

    3. Choose "Apply".


    Hiding the "Provisioning folder"

    We will not use this folder, and we can hide it so it doesn't show in the User Interface.

    1. Select the "Provisioning folder" in the console tree.

    Deselect "Show folder in User Interface".

    2. Choose "Apply".

    Creating a folder for User Interface tasks

    We will create a separate folder for the tasks showing in the User Interface:

    1. Select the identity store "Enterprise People" in the console tree and choose New/Folder from the context menu.

    Enter "User Interface tasks" as name for the folder.

    2. Choose "OK".


    The folder is included in the console tree:

    Creating the User Interface task

    The next step is to create the User Interface task that we will use to add the privilege to the entries in the identity store:

    1. Select the "User Interface tasks" folder and choose New/Ordered task group from the context menu.

    Modify the task name in the console tree.


    2. Select the "Attributes" tab:

    Select "MX_PERSON" as entry type. The following dialog box will appear when changingthe entry type:

    3. Choose "Yes" to close the dialog box and change the entry type.

    4. Configure the attributes for the task as displayed above.

    5. Choose "Apply".


    6. Select the "Access control" tab and choose "Add".

    Select "Logged-in user or identity store entry" in the "Allow access for" list.

    Make sure that the correct identity store is selected.

    Enter the name of the identity store user with access to the "Manage" tab in the User Interface.

    Make sure that "Everybody" is selected in the "On behalf of" field.

    7. Choose "OK" and the resulting access control is displayed in the details pane:

    8. Choose "Apply".


    Adding the privilege to the identity store entry

    Do the following:

    1. Access the User Interface (enter http://<host>:<port>/idm in your browser, provide the credentials and log in).

    2. Select the "Manage" tab.

    3. Make sure that "Person" is selected in the "Show" field and choose "Go" to list all MX_PERSON entries available in the identity store.


    4. Select one of the entries, for instance entry "3001".

    5. Choose "Choose Task".

    Expand the "User Interface tasks" folder and select "Manage privileges".


    Note: By choosing "Add to Favorites" you can add a task button for easier access to the task:

    6. Choose "Choose Task" and the task will open in a new window.


    Choose "Search" in the left pane (Available) to list all the available privileges that can beassigned to the entry.

    7. Select the privilege "PRIV:LDAP" and choose "Add":

    8. Choose "Save" to save the changes and then close the task.

    Verify that the entry is added to the directory server and that the jobs have completed successfully by inspecting the Identity Center's job log in the console tree.


    Troubleshooting

    If any problem should occur during the execution, you can check some of the following:

    Verify that the dispatcher is running and that it is enabled for provisioning jobs.

    Verify that all tasks and jobs are enabled.

    Verify that the job has been defined for the given dispatcher.

    Verify that "Retrieve attributes from pending value" is deselected on the tasks.

    Verify that the directory server is available, and that the correct credentials are used.

    Verify that the repository definition is defined on the tasks.

    View the logs.

    System log: Verify that the dispatcher has requested the given job.

    Job log: View any error messages in the job log to see if you can find the cause of the problem.

    If you need to investigate a job more thoroughly, you can specify a different log file name for the job in the "Logging" tab of the job properties. You can also deselect the check box "Reset output file" to avoid overwriting the log file each time the job is run. This can be useful when debugging a provisioning job that may be run several times in sequence.

    If you need more logging info from a specific job, you can create a specific dispatcher and increase the log level in the dispatcher's .prop file. Specify that the job is to be run by this specific dispatcher. Make sure that the dispatcher is not running. To run the job, start the dispatcher from the command line with the following command:

    dispatcher_service_ test runonce

    The job will then be run once and a detailed log file will be created.


    Section 5: Adding the remove LDAP user tasks

    In this section we add the tasks for removing a user in the directory server. We will also update the repository definition to contain a link to the #LDAP_RemoveEntry task.

    Adding task: #LDAP_RemoveEntry

    First, we create the ordered task group #LDAP_RemoveEntry:

    1. Select the "LDAP" folder and choose New/Ordered task group from the context menu.

    Rename the task name in the console tree.

    Select "Tutorial-LDAP" from the list.


    2. Select the "Result handling" tab:

    Fill in the following:

    Wait for event tasks: Select "Wait for event tasks" to make sure that the pending value objects are automatically removed when completed.

    3. Choose "Apply".


    Adding link to existing task: Change entry reference and attribute value on PVO

    Here we link the task Change entry reference and attribute value on PVO created previously. To link the task, do the following:

    1. Select the ordered task group "#LDAP_RemoveEntry", choose New/Link to existing task from the context menu and select the task Change entry reference and attribute value on PVO.

    The task link is created.


    Adding task: Set LDAP entry to inactive

    This task is used to set an entry to inactive. As there is no concept of inactive in an LDAP directory, we change the displayName of the user by adding the prefix "INACTIVE:". This is to visualize that the user has been set to inactive.

    Note: If you are using an LDAP client that does not show the displayName attribute, you may want to modify a different attribute.

    An easy way of creating this task is to copy the Create LDAP entry task:

    1. Select the "Create LDAP entry" task in the console tree and choose Copy from the context menu.

    2. Select the "#LDAP_RemoveEntry" task and choose Paste from the context menu.

    3. Select the task in the console tree:

    Rename the task to "Set LDAP entry to inactive".


    4. Select the job in the console tree:

    Rename the job to "Set LDAP entry to inactive", then enable the job and select a dispatcher.

    5. Choose "Apply".

    6. Select the pass in the console tree and select the "Destination" tab:

    Rename the pass to "Set LDAP entry to inactive".

    Modify the pass properties in the following way:

    Remove the "objectClass" and "sn" attributes and their values.

    Enter the attribute value "Modify" for the attribute "changeType".

    Add the attribute "displayName" with the text "INACTIVE: " in front of the display name, i.e. enter the value: INACTIVE: %MX_FIRSTNAME% %MX_LASTNAME%.


    Note that this is used only to indicate that the entry is inactive; it will not actually set the entry itself to inactive. Some directory servers may have an option to disable an entry.

    7. Choose "Apply".

    Adding task: Remove LDAP entry

    The next task is Remove LDAP entry:

    1. Copy and paste the "Set LDAP entry to inactive" task.

    2. Rename the task to "Remove LDAP entry".

    3. Select the job:

    Rename the job to "Remove LDAP entry".

    Enable the job and select a dispatcher.

    4. Choose "Apply".


    5. Select the "Destination" tab of the pass:

    Rename the pass to "Remove LDAP entry".

    Modify the attributes as shown above (changeType=Delete specifies that the entry is deleted from the directory server).

    6. Choose "Apply".

    Specifying a delay

    Additionally, we add a delay between marking the user for deletion and the actual delete. Normally, this may be several days or even weeks, but in this case we specify a one-minute delay.

    1. Select the "Remove LDAP entry" task.


    Modify the task properties:

    Delay before start: Enter "1" and make sure that "Minutes" is selected in the list.

    2. Choose "Apply".

    The tasks for removing an LDAP user are now implemented. The next step is to add a reference to the task #LDAP_RemoveEntry on the repository definition Tutorial-LDAP.

    Updating the repository definition Tutorial-LDAP

    We can now add the reference to the #LDAP_RemoveEntry task on the Tutorial-LDAP repository definition:

    1. View the properties of the Tutorial-LDAP repository definition and select the "Event tasks" tab:
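As an added illustration (not part of the SAP tutorial), the two passes just built correspond to the following LDAP operations, written as POSIX-shell functions that emit LDIF: the first is a modify that only replaces displayName (the entry stays a live account that can still bind, which is why the tutorial calls it a visual marker), the second a delete with no undo. The DN layout cn=<MSKEYVALUE>,<base DN>, the base DN ou=Users,o=Tutorial and the function names are assumptions for illustration, not values from this page.

```shell
#!/bin/sh
# Added example, not code from the SAP tutorial: LDIF equivalents of the
# "Set LDAP entry to inactive" (changeType=Modify) and "Remove LDAP entry"
# (changeType=Delete) passes. Assumption: the user DN is cn=<MSKEYVALUE>,<base DN>.

# inactive_ldif <base_dn> <mskeyvalue> <firstname> <lastname>
# Replaces displayName with "INACTIVE: <first> <last>", mirroring the pass value
# INACTIVE: %MX_FIRSTNAME% %MX_LASTNAME%. Only displayName changes; the entry is
# still a usable account, so this marks the user as inactive without disabling it.
inactive_ldif() {
    printf 'dn: cn=%s,%s\nchangetype: modify\nreplace: displayName\ndisplayName: INACTIVE: %s %s\n-\n' \
        "$2" "$1" "$3" "$4"
}

# remove_ldif <base_dn> <mskeyvalue>
# Deletes the entry. Like changeType=Delete in the pass, there is no undo.
remove_ldif() {
    printf 'dn: cn=%s,%s\nchangetype: delete\n' "$2" "$1"
}

# remove_user <base_dn> <mskeyvalue> <firstname> <lastname>
# The ordered task group as one LDIF stream. The tutorial's "Delay before start"
# (1 minute) between the two steps is modelled with LDAP_DELAY seconds; set
# LDAP_DELAY=0 to emit both records at once, e.g. to review them before replay.
remove_user() {
    inactive_ldif "$@"
    sleep "${LDAP_DELAY:-60}"
    remove_ldif "$1" "$2"
}

# Demonstration with constructed values (entry 3001, Lisa Andersson, from the tutorial).
# To apply for real, pipe the output into: ldapmodify -H ldap://<host> -D <bind dn> -W
LDAP_DELAY=0 remove_user 'ou=Users,o=Tutorial' 3001 Lisa Andersson
```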

    Modify the following properties:

    Remove member task: Add the task "#LDAP_RemoveEntry". Choose "..." to the right of the field to select the task.

    2. Choose "Apply".

    Now, all tasks for this provisioning system are defined on the repository definition Tutorial-LDAP.


    Removing the privilege from the identity store entry

    We can now remove the privilege PRIV:LDAP from the previously created user (a user with an entry ID that exists in the directory server), to test that the task #LDAP_RemoveEntry functions correctly.

    1. Access the User Interface (enter http://<host>:<port>/idm in your browser, provide the credentials and log in).

    2. Select the "Manage" tab.

    3. Make sure that "Person" is selected in the "Show" field and choose "Go".


    4. Select the entry "3001" and choose the task "Manage privileges".

    Select the privilege "PRIV:LDAP" in the right pane (Assigned).

    5. Choose "Delete", and then "Save" to confirm the action.

    6. Close the task.


    Note: There will be a delay of one minute between "Set LDAP entry to inactive" and "Remove LDAP entry".

    Observe that the display name of the entry is changed to, for instance, "INACTIVE: Lisa Andersson", then verify that the entry is removed after a minute and that the jobs have completed successfully by inspecting the Identity Center's job log in the console tree.


    Section 6: Resetting the tutorial data

    During testing, the Identity Center database and the repositories fill up with data. Especially the delta information may cause confusing results. Before we continue, we will reset the following:

    The directory server

    The identity store

    The delta information

    The pending value objects (we will remove all pending value objects in the identity store)

    As we add more repositories to the configuration, they need to be reset, too.

    Note: Since this job will reset the repositories, be careful using it in the production environment.

    Resetting the directory server

    We already have a job with a pass that creates the organization in the directory server. We are going to extend this job to reset all the data for the tutorial.

    1. Copy the "Create LDAP organization" pass and ensure that the copy is placed above the original pass.

    2. Select the new pass in the console tree and select the "Destination" tab:

    Modify the pass name in the console tree.

    Modify the pass definition.

    3. Choose "Apply".

    Note: changeType=DeleteSubtree is a very powerful function, which removes an entire subtree within an organization, with no warnings and no possibility to undo the deletion. Please use with care.


    Emptying the identity store

    There is a stored procedure in the Identity Center database that can be used to remove entries from the identity store. As a delete of a user would execute event tasks on the entry type and attributes, as well as saving the old values, the stored procedure deletes the entries without any event tasks being run. The entries are also removed from the historic data.

    The stored procedure mc_reset_ids_mskey can be called from a "To Database" pass.

    The syntax for the stored procedure is:

    Microsoft SQL Server: execute mc_reset_ids_mskey

    Oracle: call mc_reset_ids_mskey()

    mc_reset_ids_mskey has one parameter, the mskey of the entry that is to be removed. You can use the "Source" tab to define the selection and use %MSKEY% to call the procedure for each MSKEY that is found.

    1. Select the "Create LDAP organization" pass and choose New/To Database from the context menu. Select the "Source" tab.

    Modify the pass name in the console tree to "Empty identity store".

    Select "Use identity store" (and make sure that the identity store Enterprise People is selected).

    2. Choose "Build SQL query".

    Fill in the following values to specify that all entries with entry type MX_PERSON will be removed from the identity store, but not the entry with MSKEYVALUE "Administrator" (the user that was given access to the User Interface task).

    Select "MX_ENTRYTYPE" from the "Attribute name" list and "MX_PERSON" from the "Filter" list.

    Select "AND" from the "Operator" list, "MSKEYVALUE" in the "Attribute name" list, select the "Not" option button and enter "Administrator" in the "Filter" field.

    Select "Include inactive entries" to make sure that any inactive entries are also removed from the identity store.

    3. Choose "OK".


    The resulting query will look like this:

    4. Select the "Destination" tab and fill in the following information:

    Database: Use the context menu to insert the system parameter %$ddm.identitycenter%.

    SQL updating: Select this check box to specify that the definitions are SQL statements.


    Definitions: Enter execute mc_reset_ids_mskey %MSKEY%. This definition calls the stored procedure mc_reset_ids_mskey with the correct parameters.

    Note: The syntax shown above is for Microsoft SQL Server. The syntax for Oracle is call mc_reset_ids_mskey(%MSKEY%)

    5. Choose "Apply".

    Resetting the delta information

    We have defined a delta database for the pass "HR to ID store". The delta database must be reset to avoid confusing results when testing the jobs and tasks. There is a stored procedure for removing all delta and audit trail information, mc_reset_delta_nostatus.

    This stored procedure has one parameter, the delta identifier. You will find this name in the pass properties.

    1. Select the "Empty identity store" pass and choose New/To Database from the context menu.

    2. Select the "Destination" tab:

    Rename the pass in the console tree.

    Fill in the pass properties:

    Database: Use the context menu to insert the system parameter %$ddm.identitycenter%.

    SQL updating: Select this check box to specify that the definitions are SQL statements.

    Definitions: Enter execute mc_reset_delta_nostatus 'TUTORIALHR'. This line calls the stored procedure mc_reset_delta_nostatus with the correct parameters.


    Note: The syntax shown above is for Microsoft SQL Server. The syntax for Oracle is call mc_reset_delta_nostatus('TUTORIALHR')

    3. Choose "Apply".

    Removing the pending value objects

    During the testing of the provisioning system, failed pending value (MX_PENDING_VALUE) objects (PVOs) might be queued, causing irregular behavior of the system and its tasks. To avoid this, a pass for removing all pending value objects is created.

    An easy way of creating this pass is to copy the "Empty identity store" pass created previously, which is quite similar:

    1. Select the "Empty identity store" pass in the console tree and choose Copy from the context menu.

    2. Select the "Empty delta database" pass and choose Paste from the context menu. Select the "Source" tab.

    Modify the pass name in the console tree to "Remove all PVOs".

    3. Choose "Build SQL query".

    Fill in the following values to specify that all entries with entry type MX_PENDING_VALUE will be removed from the identity store:

    Select "MX_ENTRYTYPE" from the "Attribute name" list and "MX_PENDING_VALUE" from the "Filter" list.

    Select "Include inactive entries".

    4. Choose "OK".

    5. Deselect "Use identity store" and enter "%$ddm.identitycenter%" as the value in the "Database" field. Use the context menu to insert the system parameter.


    The resulting query will look like this:

    6. Select the "Destination" tab and make sure that the following is defined:

    Note: The syntax shown above is for Microsoft SQL Server. The syntax for Oracle is call mc_reset_ids_mskey(%MSKEY%)

    7. Choose "Apply".


    Running the job

    To run the job, view the job properties and choose "Run now". View the job log to verify that no errors occur during the execution of the job.

    The Identity Center's system log contains messages from the stored procedures confirming that the identity store and the delta information have been reset.

    By enabling and disabling passes in the job, you can reset only selected parts.


    Section 7: Automatically assigning the privilege

    In this section we will see how we can automatically assign the privilege when the users are added to the identity store, instead of using the User Interface task to manually assign the privilege.

    Updating the "HR to identity store" job

    If we add the privilege to the entries when they are written to the identity store, they will automatically be created in the directory server when they are added to the identity store.

    To do this, we must update the job that writes the entries to the identity store:

    1. Select the "Destination" tab of the "HR to ID store" pass in the "HR to identity store" job:

    Add the last line in the "Definitions" section:

    Attribute: You can choose "Destination attributes" from the context menu to retrieve the attribute MXREF_MX_PRIVILEGE, which is the attribute containing the links to the privileges.

    Value: Enter "<PRIV:LDAP>" as the value. "PRIV:LDAP" is the name (MSKEYVALUE) of the privilege we are using. By enclosing the value in brackets < >, you can reference the MSKEYVALUE directly. Otherwise you would have to reference the MSKEY.

    2. Choose "Apply".


    Running the job

    If necessary, run the reset job to ensure that the identity store and directory server are empty.

    Then run the "HR to identity store" job to create the entries in the identity store and verify that they are created in the directory server as well.


    Section 8: Adding the file system tasks

    This section shows how to add the tasks for updating the file system. For the example, this will be a folder in the file system, where files are created, written and deleted using the action tasks.

    Adding task: #FILE_AddEntry

    Create the task structure:

    1. First, we create a folder for the tasks below the identity store node. Name the folder "File" and specify that it will not be displayed in the User Interface (make sure that "Show folder in User Interface" is deselected).

    2. Create an ordered (task) group in this folder:

    Rename the task in the console tree to "#FILE_AddEntry".

    Select "Tutorial-FILE" as repository definition for the task.


    3. Select the "Result handling" tab:

    Fill in the following:

    Wait for event tasks: Select "Wait for event tasks" to make sure that the pending value objects are automatically removed when completed.

    4. Choose "Apply".


    Adding link to existing task: Change entry reference and attribute value on PVO

    Here we link the task Change entry reference and attribute value on PVO created previously. To link the task, do the following:

    1. Select the ordered task group "#FILE_AddEntry", choose New/Link to existing task from the context menu and select the task Change entry reference and attribute value on PVO.

    The task link is created.


    Adding task: Add file

    This task is used to create the file for the given user. The EmployeeID will be used as file name.

    1. Select the "#FILE_AddEntry" task and choose New/Action task/Empty job from the context menu.

    Rename the task to "Add file" in the console tree.

    This task will inherit the repository definition from the parent task.

    2. Select the job in the console tree:

    Rename the job to "Add file" in the console tree.

    Enable the job and select a dispatcher.

    3. Choose "Apply".


    4. Select the job and choose New/Shell execute from the context menu to add a pass to the job. Select the "Source" tab:

    Deselect "Retrieve attributes from pending value".

    5. Select the "Destination" tab:

    Enter the following definitions:

    cmd /c echo User created %$ddm.date% %$ddm.time% > "%$rep.PATH%\%MSKEYVALUE%.txt"

    Note: The file name must be enclosed by double quotes.

    This command will add the text "User created <date> <time>" (e.g. User created 17.06.2009 14:30:17) as the content to a file with the MSKEYVALUE of the given user as file name, for example 3001.txt for Lisa Andersson.


    Note: This will be different if running the job on a different platform than Microsoft Windows.

    6. Choose "Apply".

    Adding task: #FILE_UpdateEntry

    This task is very similar to the Add file task, which we can copy and modify to create the #FILE_UpdateEntry task.

    1. Make a copy of the "Add file" task.

    2. Select the task "#FILE_AddEntry" in the console tree and paste the copied "Add file" task.

    Modify the task name in the console tree.

    Select "Public task" as this task will be called from the privilege as the modify task defined on the repository definition.

    3. Choose "Apply".


    4. Select the job:

    Rename the job in the console tree.

    Enable the job and select a dispatcher.

    5. Choose "Apply".

    6. Select the "Destination" tab of the pass:

    Rename the pass in the console tree.

    Enter the following definitions:

    cmd /c echo User modified %$ddm.date% %$ddm.time% > "%$rep.PATH%\%MSKEYVALUE%.txt"

    cmd /c echo User name: %MX_FIRSTNAME% %MX_LASTNAME% >> "%$rep.PATH%\%MSKEYVALUE%.txt"

    cmd /c echo Email: %MX_MAIL_PRIMARY% >> "%$rep.PATH%\%MSKEYVALUE%.txt"


    We have still not added the e-mail address, so this information will be empty at the moment, but will be included when it is available.

    7. Choose "Apply".

    This will replace the existing contents of the file.
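The Shell execute passes for "Add file" and "#FILE_UpdateEntry" are Windows cmd one-liners; as an added example (not code from the SAP tutorial), the POSIX-shell functions below do the same on a non-Windows dispatcher host and additionally validate the MSKEYVALUE before using it as a file name, since that value comes from the identity store rather than from the job itself. Function names, argument order and the sample values are assumptions for illustration; in the real pass the Identity Center substitutes the %...% values itself.

```shell
#!/bin/sh
# Added example, not code from the SAP tutorial: POSIX-shell equivalents of the
# "Add file" and "#FILE_UpdateEntry" Shell execute passes for a dispatcher that
# runs on a non-Windows host (the tutorial's cmd /c echo lines are Windows-only).
# The Identity Center substitutes %$rep.PATH%, %MSKEYVALUE%, %MX_FIRSTNAME%,
# %MX_LASTNAME% and %MX_MAIL_PRIMARY% before the pass runs; here they are
# function arguments.

# The file name is taken from MSKEYVALUE. Accept only a plain identifier so a
# value such as "../x" or an absolute path can never leave the repository folder.
check_mskeyvalue() {
    case "$1" in
        '' | .* | *[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# add_file <rep_path> <mskeyvalue> [<date> <time>]
# Mirrors: cmd /c echo User created %$ddm.date% %$ddm.time% > "%$rep.PATH%\%MSKEYVALUE%.txt"
# Date and time default to now, in the tutorial's dd.mm.yyyy hh:mm:ss form.
add_file() {
    check_mskeyvalue "$2" || { echo "add_file: rejected MSKEYVALUE '$2'" >&2; return 1; }
    printf 'User created %s %s\n' "${3:-$(date +%d.%m.%Y)}" "${4:-$(date +%H:%M:%S)}" \
        > "$1/$2.txt"
}

# update_file <rep_path> <mskeyvalue> <firstname> <lastname> <mail> [<date> <time>]
# Mirrors the three lines of the update pass: ">" replaces the file's contents,
# the two ">>" append. An empty <mail> still yields an "Email: " line, exactly
# as the tutorial notes for entries whose e-mail address is not yet set.
update_file() {
    check_mskeyvalue "$2" || { echo "update_file: rejected MSKEYVALUE '$2'" >&2; return 1; }
    f="$1/$2.txt"
    printf 'User modified %s %s\n' "${6:-$(date +%d.%m.%Y)}" "${7:-$(date +%H:%M:%S)}" > "$f"
    printf 'User name: %s %s\n' "$3" "$4" >> "$f"
    printf 'Email: %s\n' "$5" >> "$f"
}

# Demonstration with constructed values (entry 3001, Lisa Andersson, from the tutorial).
demo() {
    dir=$(mktemp -d)
    add_file "$dir" 3001 17.06.2009 14:30:17
    update_file "$dir" 3001 Lisa Andersson '' 17.06.2009 14:31:05
    cat "$dir/3001.txt"
    rm -r "$dir"
}
demo
```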

    Adding task: #FILE_RemoveEntryThe final step is to create the #FI