SAP NetWeaver Identity Management Identity Center Tutorial ... · SAP NetWeaver Identity Management Identity Center is the primary component for identity management. The Identity

SAP NetWeaver Identity Management

Identity Center

Tutorial - Provisioning

Version 7.1 Rev 4

Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the expresspermission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10,System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400,S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5,POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect,RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli andInformix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of AdobeSystems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registeredtrademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium,Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented andimplemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG inGermany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, WebIntelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respectivelogos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries.Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in thisdocument serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliatedcompanies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAPGroup shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Groupproducts and services are those that are set forth in the express warranty statements accompanying such products andservices, if any. Nothing herein should be construed as constituting an additional warranty.

i


Preface

The productSAP NetWeaver Identity Management Identity Center is the primary component for identitymanagement. The Identity Center includes functions for identity provisioning, workflow,password management, logging and reporting. It uses a centralized repository, called theidentity store, to provide a uniformed view of the data, regardless of the data's original source.

The readerThis manual is written for people who need an introduction to the provisioning in the IdentityCenter.

PrerequisitesTo get the most benefit from this manual, you should have the following knowledge:

Knowledge of LDAP.

Knowledge of Microsoft SQL Server or Oracle.

General knowledge about the Identity Center and job definitions, for instance as describedin the SAP NetWeaver Identity Management Identity Center Tutorial: Basic synchronizationand SAP NetWeaver Identity Management Identity Center Initial configuration.

The following software is required:

SAP NetWeaver Identity Management Identity Center 7.1 SP2, or newer, correctly installedand licensed.

SAP NetWeaver Identity Management User Interface must be installed and configured forthis Identity Center and identity store (according to SAP NetWeaver Identity ManagementIdentity Center: Installing the Identity Management User Interface).

A directory server with the external object classes top, person and inetOrgPerson (asdefined in RFC 2798). The credentials necessary to add, modify and delete entries in thedirectory server are also required.

An Identity Center where at least one dispatcher has been configured and is running (seeSAP NetWeaver Identity Management Identity Center Initial configuration).

An LDAP client to view the contents of the directory.

The manualThis tutorial consists of eleven (11) sections containing information about how you build a taskstructure and run a provisioning system.

This tutorial is not a substitution for training.

Person names used in this tutorial are fictional.

ii


Related documentsYou can find useful information in the following documents:

SAP NetWeaver Identity Management Identity Center: Installation overview

SAP NetWeaver Identity Management Identity Center: Installing the Identity ManagementUser Interface

SAP NetWeaver Identity Management Identity Center Initial configuration

SAP NetWeaver Identity Management Identity Center Tutorial: Basic synchronization

For information on SAP NetWeaver see http://help.sap.com.
http://help.sap.com/

iii


Table of contentsIntroduction .................................................................................................................................. 1

The repositories .................................................................................................................................... 1The data flow and task structure ............................................................................................................ 2Preparations .......................................................................................................................................... 3Section overview ................................................................................................................................ 10

Section 1: Building the identity store ......................................................................................... 11Defining a repository definition for the hr.csv file ............................................................................... 11Disabling automatic attribute creation ................................................................................................. 14Reading the HR data into the identity store.......................................................................................... 15Verifying the contents of the identity store .......................................................................................... 20Enabling the delta ............................................................................................................................... 22

Section 2: Preparing the repositories ......................................................................................... 24Adding a repository definition for the LDAP server ............................................................................ 24Defining additional repository constants.............................................................................................. 27Creating the organization .................................................................................................................... 28Adding a repository definition for the file system folder ...................................................................... 31

Section 3: Adding the create and update LDAP user tasks ....................................................... 33Creating a folder for the LDAP tasks................................................................................................... 33Adding task: #LDAP_AddEntry.......................................................................................................... 34Adding link to existing task: Change entry reference and attribute value on PVO ................................ 36Adding task: Create LDAP entry ......................................................................................................... 37Adding task: #LDAP_UpdateEntry ..................................................................................................... 41

Section 4: Adding the PRIV:LDAP privilege ............................................................................. 44Creating the PRIV:LDAP privilege ..................................................................................................... 44Updating the repository definition Tutorial-LDAP .............................................................................. 45Hiding the "Provisioning folder" ......................................................................................................... 46Creating a folder for User Interface tasks ............................................................................................ 46Creating the User Interface task .......................................................................................................... 47Adding the privilege to the identity store entry .................................................................................... 50

Section 5: Adding the remove LDAP user tasks ........................................................................ 55Adding task: #LDAP_RemoveEntry ................................................................................................... 55Adding link to existing task: Change entry reference and attribute value on PVO ................................ 57Adding task: Set LDAP entry to inactive ............................................................................................. 58Adding task: Remove LDAP entry ...................................................................................................... 60Updating the repository definition Tutorial-LDAP .............................................................................. 62Removing the privilege from the identity store entry ........................................................................... 63

Section 6: Resetting the tutorial data ......................................................................................... 66Resetting the directory server .............................................................................................................. 66Emptying the identity store ................................................................................................................. 67Resetting the delta information............................................................................................................ 69Removing the pending value objects ................................................................................................... 70Running the job .................................................................................................................................. 72

iv


Section 7: Automatically assigning the privilege........................................................................ 73Updating the "HR to identity store" job ............................................................................................... 73Running the job .................................................................................................................................. 74

Section 8: Adding the file system tasks....................................................................................... 75Adding task: #FILE_AddEntry ........................................................................................................... 75Adding link to existing task: Change entry reference and attribute value on PVO ................................ 77Adding task: Add file .......................................................................................................................... 78Adding task: #FILE_UpdateEntry ....................................................................................................... 80Adding task: #FILE_RemoveEntry ..................................................................................................... 82Adding link to existing task: Change entry reference and attribute value on PVO ................................ 84Adding task: Remove file .................................................................................................................... 85Updating the "Reset tutorial data" job ................................................................................................. 87

Section 9: Adding the PRIV:File privilege ................................................................................. 89Creating the PRIV:File privilege ......................................................................................................... 89Updating the repository definition Tutorial-FILE ................................................................................ 90Testing the tasks ................................................................................................................................. 91Automatically assigning the PRIV:File privilege to the entries ............................................................ 92Running the system ............................................................................................................................. 94

Section 10: Handling deleted entries .......................................................................................... 96Setting the deleted entries to inactive .................................................................................................. 96Testing the mechanism........................................................................................................................ 97

Section 11: Adding the telephone numbers ................................................................................ 99Adding a repository definition for the tel.csv file ................................................................................. 99Adding the telephone numbers .......................................................................................................... 100Updating the identity store ................................................................................................................ 103Updating the "#LDAP_UpdateEntry" task ......................................................................................... 105Running the job ................................................................................................................................ 105Enabling the delta ............................................................................................................................. 106Removing deleted attributes .............................................................................................................. 108Updating the "Reset tutorial data" job ............................................................................................... 110Running the provisioning system ...................................................................................................... 110What's next? ..................................................................................................................................... 111

v


1IntroductionSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


IntroductionThe purpose of this tutorial is to show how to configure the Identity Center and build a taskstructure for provisioning and de-provisioning of employees. This involves building an identitystore where information about all employees is stored, defining the different data sources asrepositories in the Identity Center, and defining the tasks and jobs that perform the provisioning.

You will also see how to reset the identity store and provisioning system for testing purposes.

The repositoriesFor the sake of simplicity, this tutorial has as few external dependencies as possible. Thepurpose is to show how to create an identity data flow, more than showing how to connect to anumber of different repository types.

For this reason, the repositories are ASCII files, with the exception of a directory server, whichcan also be replaced by ASCII files.

The ASCII repositories can be replaced by other types of repositories to achieve a more realisticscenario. The From ASCII file passes that are used to read the ASCII files must then be replacedby a pass type suitable to read the type of data source in question.

The following figure gives an overview of the repositories involved in this tutorial:

Below is a description of the repositories:

hr.csv An ASCII file in CSV format containing entries from an HR system.

tel.csv An ASCII file in CSV format containing telephone numbers.

Directory Server The users will be written to this directory server as part of the provisioningprocess.

File system This is a folder in the file system where the contents of the identity store are storedwith one file per user.

The files are stored together with this tutorial.

The tutorial shows how data is read from the files hr.csv and tel.csv into the identity store. Fromthere, tasks in the provisioning system are used to update the target repositories.

2Introduction

SAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


The data flow and task structureThe following diagram illustrates the data flow that we are going to implement in this tutorial:

There are two jobs that read the data from the repositories and update the entries in the identitystore. The entry type for these entries is MX_PERSON.

We create two privileges (PRIV:LDAP and PRIV:File) that we assign to the entries. Theprivileges contain a link (reference) to a repository definition, which contains links to the tasksthat are executed when the privilege is assigned or removed, or when an entry that has theprivilege assigned is modified.

The task structure is shown in the illustration above. There are separate task structures for eachof the target repositories.

For the add member and remove member tasks, a pending value object is created. These tasks,defined on the repository definition, operate on the entry by default (but may operate on apending object by selecting "Retrieve attributes from pending value" on the "Source" tab of thepass) and can be used for approval processing or any other task to be performed before theprivilege is assigned or removed. This distinguishes the add member and remove member eventtasks from the provisioning, deprovisioning and modify event tasks, in which case the pendingvalue object is not created (operate on the entry only i.e. not on a pending value object). Usingthe add member event task ensures that a privilege is not added to the user until execution of thetask has successfully completed. Using the remove member task ensures that the privilege is notremoved until after the resource is removed by the connected task.

The add member task will not be executed for users which already have the privilege.

Note:Both add member event task and the provisioning event task (and accordingly, remove memberevent task and the deprovisioning event task) can be specified. Then the add member event task(and remove member event task) will be executed first, i.e. the provisioning and thedeprovisioning event tasks are not executed until the add member and remove member taskshave completed, and the privilege actually is assigned/removed.



PreparationsBefore you proceed with the tutorial, there are a couple of things that must be specified.

Defining the global constant TUTORIAL_SOURCEWe create a global constant containing the path to the directory where the data source fileshr.csv and tel.csv (downloaded together with this tutorial) are to be stored. To define the globalconstant:

1. Select the "Global constants" node in the console tree and choose New/Constant fromthe context menu (right-click the node to open the context menu):

Specify the name of the constant and the directory where the file is to be stored. Make surethat the directory actually exists (create the folders Tutorial and Source).

2. Choose "OK" to close the dialog box and add the constant.

Note:Store the files hr.csv and tel.csv (downloaded together with this tutorial) in the folder.

Defining the global constant TUTORIAL_TARGETTo be able to reference the files created in this tutorial in a uniform way, we create a globalconstant containing the path to the directory where the target repository files are to be placed.To define the global constant:

1. Select "Global constants" in the console tree and choose New/Constant from the contextmenu (right-click the node to open the context menu):

Specify the name of the constant and the directory where the folders are to be stored. Makesure that the directory actually exists (create the folder Target).

2. Choose "OK" to close the dialog box and add the constant.

4Introduction



Specifying the system log levelTo be able to view the log information shown in this tutorial, you must make sure that the loglevel for the system log is set to "Info". If necessary, change the log level and choose "Apply".



Creating a task to change attributes on pending value objectFor event tasks on privileges and roles, e.g. MX_ADD_MEMBER_TASK orMX_DEL_MEMBER_TASK, when a new assignment (de-assignment) is requested and thistask is present then a pending value object (PVO) is created and the task executed on this object.The same task is executed regardless of which way the assignment (de-assignment) is done,either by adding/removing a user (MXMEMBER_MX_PERSON) to/from a privilege/role or byadding/ removing a privilege (MXREF_MX_PRIVILEGE) or role (MXREF_MX_ROLE)to/from a user. In other words, the attributes MXMEMBER_MX_PERSON andMXREF_MX_PRIVILEGE/MXREF_MX_ROLE are defining the same link between a personobject and a privilege/role object but creating different pending value objects (with a differentset of attributes), while the same task is executed in both cases.

The table below illustrates the differences on the pending value objects and their attributes inthe two abovementioned cases:

Pending value object attribute Attribute value whenadding/removing aprivilege/role to/from a user

Attribute value whenadding/removing a user to/froma privilege/role

MX_ENTRY_REFERENCE of MX_PERSONobject

of MX_PRIVILEGEor MX_ROLE object

MX_ATTRIBUTE_NAME MXREF_MX_PRIVILEGE orMXREF_MX_ROLE

MXMEMBER_MX_PERSON

MX_ATTRIBUTE_VALUE of MX_PRIVILEGEor MX_ROLE object

of MX_PERSONobject

When executing the task on the pending value object two options exist:

Access the attributes from the pending value object itself.

Access attributes from the owner entry referenced by the attributeMX_ENTRY_REFERENCE on the pending value object.

This is selected on the "Source" tab of the job pass of the task to be executed on the pendingvalue object. To retrieve attributes from the pending value object, make sure that "Retrieveattributes from pending value" is selected. To retrieve attributes from an entry type other thanMX_PENDING_VALUE, deselect "Retrieve attributes from pending value" and select thesource entry type (MX_PERSON by default, i.e. if the "Source entry type" field is empty).

For some users, it may be of interest to have a predictable behavior for the pending value objectcreation, e.g. to make sure that the entry referenced from the pending value object(MX_ENTRY_REFERENCE), when adding and removing user/privilege and user/role links,always is MX_PERSON (with the corresponding values for attributesMX_ATTRIBUTE_NAME and MX_ATTRIBUTE_VALUE as described in the table above).In this section we are creating a task that calls a script to make sure that the links are defined bythe MXREF_... attribute, both when adding/removing a privilege/role to/from a user and whenadding/removing a user to/from a privilege/role, giving the same pending value object andreferenced object (here MX_PERSON) in both cases.

6Introduction



To create the task, do the following:

1. Select any task folder on the identity store (here we choose Provisioning folder onEnterprise People identity store) and choose New/Ordered task group from the contextmenu.

Modify the name of the ordered task group in the console tree, here named Change entryreference and attribute value on PVO.

2. Select the ordered task group just created and choose New/Action task/Empty job to createa task.



3. Select the job in the console tree.

Modify the job properties:

EnabledSelect this check box to enable the job to be run by a dispatcher.

Run by dispatchersSelect a dispatcher that should be responsible for running this job.

4. Choose "Apply".

5. Select "Scripts" for the job and choose New/Script from the context menu to create ascript.

Enter the name for the script, here ChangeEntryREFandAttrVALUEonPVO.

8Introduction



6. Choose "OK".

Define the following script (you can copy and paste the script defined under and replace thetemplate definition):

// Main function: ChangeEntryREFandAttrVALUEonPVO

function ChangeEntryREFandAttrVALUEonPVO(Par){

CurrentEntryID = UserFunc.uGetEntryID();CurrentIDStore = UserFunc.uGetIDStore();

attrName = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore,"MX_ATTRIBUTE_NAME");AttrName = new java.lang.String(attrName);

if (AttrName.startsWith("MXMEMBER")) {// --- 'normal' ... the attribute are behind:// UserMskeyAttr = "MX_ENTRY_REFERENCE";// PrivMskeyAttr = "MX_ATTRIBUTE_VALUE";

UserFunc.uErrMsg(1, "PVO " + CurrentEntryID + " will be patched!");

// --- Change the content of the two attributes above (reference and value)

PrivMskeyAttr = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore,"MX_ENTRY_REFERENCE" );

UserFunc.uErrMsg(1, "Original MX_ENTRY_REFERENCE was (points to privilege): "+ PrivMskeyAttr );

UserMskeyAttr = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore,"MX_ATTRIBUTE_VALUE" );



UserFunc.uErrMsg(1, "Original MX_ATTRIBUTE_VALUE was (points to user): " +UserMskeyAttr );

OutString = uIS_SetValue(CurrentEntryID, CurrentIDStore,"MX_ENTRY_REFERENCE", UserMskeyAttr);

OutString = uIS_SetValue(CurrentEntryID, CurrentIDStore,"MX_ATTRIBUTE_VALUE", PrivMskeyAttr);

UserMskeyAttr = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore,"MX_ENTRY_REFERENCE" );

UserFunc.uErrMsg(1, "New MX_ENTRY_REFERENCE was (points to user): " +UserMskeyAttr );

PrivMskeyAttr = UserFunc.uIS_GetValue(CurrentEntryID, CurrentIDStore,"MX_ATTRIBUTE_VALUE" );

UserFunc.uErrMsg(1, "New MX_ATTRIBUTE_VALUE was (points to privilege): " +PrivMskeyAttr );

// --- Change the content of the NAMING attribute

MskeyValueOfTheObject = UserFunc.uIS_GetValue(PrivMskeyAttr, CurrentIDStore,"MX_ENTRYTYPE" );

UserFunc.uErrMsg(1, "Entrytype of the assigned object: " +MskeyValueOfTheObject );

ConcatValue = "MXREF_" + MskeyValueOfTheObject;

OutString = uIS_SetValue(CurrentEntryID, CurrentIDStore, "MX_ATTRIBUTE_NAME",ConcatValue );

UserFunc.uErrMsg(1, "New MX_ATTRIBUTE_NAME is: " + ConcatValue );

}}

7. Choose "OK" and the script is added.

8. Select the job in the console tree and choose New/To Generic from context menu to createa pass. Select the "Destination" tab:

Modify the properties:

Select the script "ChangeEntryREFandAttrVALUEonPVO" in the "Next data entry" field.

Enter the attribute "MSKEYVALUE" with the value "%MSKEYVALUE%".

9. Choose "Apply".

10Introduction



The task Change entry reference and attribute value on PVO is now created. It will be used bytasks that create, update and remove LDAP users (LDAP) and files (file system). The task willproduce a warning every time the attributes are changed on the pending value object, giving theadditional information about the change (as will be seen in the job log on page 98).

Section overviewThe tutorial consists of the following sections:

Section 1: Building the identity store In this section the contents of the file hr.csv are readinto the identity store.

Section 2: Preparing the repositories This section describes how to prepare and define thetarget repositories.

Section 3: Adding the create and update LDAPuser tasks

Here, the task structure for the tasks that update theLDAP server is build.

Section 4: Adding the PRIV:LDAP privilege In this section the privilege is added. A User Interfacetask that is used to add the privilege to the entries in theidentity store is also created.

Section 5: Adding the remove LDAP user tasks This section describes how to add the tasks forremoving a user in the directory server. The privilege isalso updated to contain a link to a member event task.

Section 6: Resetting the tutorial data The section describes how to create a job that resets allthe generated data.

Section 7: Automatically assigning the privilege In this section we will see how we can automaticallyassign the privilege when the users are added to theidentity store.

Section 8: Adding the file system tasks This section shows how to add the tasks for updatingthe file system.

Section 9: Adding the PRIV:File privilege In this section a privilege for the file system folder isadded.

Section 10: Handling deleted entries This section describes how to handle entries that aredeleted from the master data source.

Section 11: Adding the telephone numbers The last section describes how to add the telephonenumbers and e-mail addresses from the second datasource, the file tel.csv.

11Section 1: Building the identity storeSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


Section 1: Building the identity storeIn this section we are going to read the contents of the file hr.csv into the identity store.

Here we use and populate the default identity store Enterprise People. Make sure that theIdentity Management User Interface is installed and configured for the Identity Center you areusing and the default identity store according to SAP NetWeaver Identity Management IdentityCenter: Installing and configuring the Identity Management User Interface. It also implies theadministrator user with access to at least "Self Services", "Monitoring" and "Manage" tabs inthe User Interface.

Defining a repository definition for the hr.csv fileA repository definition is used to hold constants and variables which are common for one datasource (repository). The repository constants can be accessed from the context menu in the sameway as global constants.

1. Start the repository wizard by selecting "Repositories" (under "Management") in theconsole tree, and choosing New/Repository from the context menu.

2. Choose "Next >".

Navigate to the "Repositories" sub-directory and select "File".

12Section 1: Building the identity store



3. Choose "Next >".

Enter a name and description of the repository definition.

4. Choose "Next >".

Use the context menu to insert the global constant we added and add the name of the file(hr.csv).

5. Choose "Next >" and then "Finish" to complete the wizard.



The repository definition is added to the console tree:

Expanding the "Repositories" node in the console tree, you might view the created repositorydefinition's constants:




Disabling automatic attribute creationDisable the automatic attribute creation. This option is used to control what happens when anattribute which does not exist or an attribute which is not defined as a legal attribute on an entrytype is written to the identity store.

If the "Automatically create new attributes" is enabled, the new attribute is created and added tothe entry type. If the option is disabled, an error is returned. To disable the automatic attributecreation on the identity store Enterprise People, do the following:

1. Select the identity store "Enterprise People" in the console tree.

Deselect "Automatically create attributes".

2. Choose "Apply".



Reading the HR data into the identity storeWe have now created a repository definition for the hr.csv file and defined an identity store thatwe can use when creating the job which will read the source data to the identity store.

Creating the folder and jobFirst, we are going to create a folder for the jobs in the tutorial, and the job definition for thisjob.

1. Create a folder called "Provisioning tutorial" that can be used to hold the jobs. Select theIdentity Center node (not identity store) in the console tree and choose New/Folder fromthe context menu to create the folder.

2. Create a job by selecting the created folder and choosing New/Empty job from the contextmenu.

Modify the name of the job in the console tree.

Enable the job and select a dispatcher.

3. Choose "Apply".

This job will contain two passes; one to read the ASCII file (hr.csv) into the temporary table(tutorial_HR), and another to read from this table into the identity store. This must be done in asingle job. The reason is that the first pass will delete the temporary table every time it executes,and then fill it with the data from the hr.csv file. If the second pass was a separate job (whichcould then be run asynchronously from the first), it could start just when the table was deleted orjust partly filled, and then remove the missing people from the identity store.




Reading the ASCII fileFirst, we will create the pass that reads the ASCII file:

1. Select the job in the console tree and choose New/From ASCII file from the context menu.

Enter "Read HR" as the name of the pass in the console tree.

RepositorySelect the "Tutorial-HR" in the "Repository" list.

2. Select the "Source" tab:



File nameUse the context menu to insert the repository constant %$rep.FILENAME% that refers tothe file name.

Field separatorEnter a comma sign (,) as the field separator.

Header lineMake sure that "Header line" is selected.

3. Select the "Destination" tab:

Fill in the fields with the following values:

DatabaseUse the context menu to insert the system parameter %$ddm.identitycenter% that refers theIdentity Center database.

Table nameEnter "tutorial_HR" as the table name.

Note:Do not use hyphen in table names, as this will cause problems with some database drivers.

DefinitionsChoose "Insert template" and select "Data source template" to create the pass definitions.

4. Choose "Apply".

Running the jobAt this point, we are ready to test the pass. Run the job by viewing the job properties andchoosing "Run now".




View the job log to verify that the job ran successfully, and that a number of entries have beenprocessed:

Updating the identity storeThe next step is to create the pass that writes the data to the identity store:

1. Select the "Read HR" pass and choose New/To Identity store from the context menu andselect the "Source" tab:



Modify the pass name in the console tree.

DatabaseUse the context menu to insert the system parameter %$ddm.identitycenter%.

SQL statementEnter the SQL statement to select all rows from the table created in the previous pass(SELECT * FROM tutorial_HR).


Identity storeMake sure that the "Enterprise People" identity store is selected.

Entry typeSelect the entry type "MX_PERSON".

DefinitionsChoose "Insert template" and select "Data source template" to insert the definitions for thepass.

Note:The insert template will only work if you actually executed the job with the pass "Read HR"as explained in the previous section.

Modify the definition to use the attributes from the entry type. You can use the contextmenu to find the destination attributes.

3. Choose "Apply".

Running the jobRun the job and open the job log to verify that 50 entries were added (100 entries processed).




Verifying the contents of the identity storeIf everything has gone well, the identity store should now contain all entries from the hr.csv filewhich can be observed in the SAP NetWeaver Identity Management User Interface.

Note:Make sure that the User Interface is installed and configured for the Identity Center and theidentity store you are using according to SAP NetWeaver Identity Management Identity Center:Installing the Identity Management User Interface.

To access the User Interface do the following:

1. Enter http://:/idm in your browser.

Provide the credentials in the log-in window (of the user with access to "Manage" tab in theUser Interface).

2. Choose "Log on".



3. Select the "Manage" tab.

4. Make sure that the "Person" is selected in the "Show" field and choose "Go".

5. Verify that the entries are present in the identity store.




Enabling the deltaWe now have two working passes. The next step is to ensure that only modified entries in thedata source are written to the identity store. This is done by enabling the delta mechanism on the"To Identity store" pass of the "HR to identity store" job (and not on the "Read HR" pass sincethe entire ASCII file hr.csv needs to be read each time anyway):

1. Select the "HR to ID store" pass and select the "Delta" tab:


Enable deltaSelect this check box to enable delta on this pass.

Delta databaseUse the context menu to insert the system parameter %$ddm.identitycenter% to specify thatyou want to use the Identity Center database for the delta database.

Delta identifierEnter "TUTORIALHR" as the delta identifier. This must be unique within one deltadatabase.

Delta keyThis is automatically filled in with the value from the first line of the definitions on the"Destination" tab.

2. Choose "Apply".



Run the job a couple of times and view the job log:

The first time the job is run after the delta is enabled, 50 entries are modified, while the nexttime, the job detects that the entries are unmodified.

Note:The count is the total for the job, including the entries handled by the "Read HR" pass. Theseentries are always included in the "Add" column, as no delta has been defined for this pass.

24Section 2: Preparing the repositories



Section 2: Preparing the repositoriesWe are going to update two target repositories:

An LDAP server meeting the requirements described in the preface.

A file system folder. This is used to show an alternative type of repository. One file will becreated for each user, containing information about the user.

Both these repositories will be added as repository definitions in the Identity Center. Therepository definitions are then referenced from the jobs and tasks we create.

Adding a repository definition for the LDAP serverBefore we can provision the entries to the LDAP server, we must add a repository definition forthe LDAP server and create the organization where we will add the entries.

To add a repository definition for the LDAP server:

1. Start the repository wizard by selecting "Repositories" in the console tree, and choosingNew/Repository from the context menu.

2. Choose "Next >".

Navigate to the "Repositories" sub-directory and choose "Directory".

25Section 2: Preparing the repositoriesSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


3. Choose "Next >".

Enter "Tutorial-LDAP" as the name of the repository definition.

4. Choose "Next >".

Fill in information about your directory server as shown above (leave the field "Namingattribute" as it is). The user must have access to create an organization below the specifiedstarting point.

5. Choose "Next >" and then "Finish".




The repository definition is added to the console tree with the following repository constants:



Defining additional repository constantsIn addition to the constants created by the wizard, we need to create some additional repositoryconstants:

The name of the organization.

The DN of the organization.

The DN of the entries within the organization.

Adding a repository constant for the organizationTo add the constant:

1. Select the Tutorial-LDAP repository definition's "Constants" node in the console tree andchoose New/Constant from the context menu:

This constant contains the name of the organization you are going to add to the directoryserver.

2. Choose "OK".

Adding the repository constant for the organization DNAdd the DN constant in the same way as the previous constant with the following values:

Use the context menu to insert the repository constants.




Adding the repository constant for the entries' DNAdd the constant for the DN of the entries that we will add to the organization:

You have to enter the first part (%MSKEYVALUE%) manually, as the source attributes are notavailable from the context menu at this point.

Creating the organizationBefore we can run the tasks, we must create the organization in the directory server.

This pass will be part of a job that is used to reset the tutorial data; the identity store,repositories and delta. This is often necessary during a development phase. In addition, this willverify access to the directory server.

1. Select the folder "Provisioning tutorial" in the console tree and choose New/Empty jobfrom the context menu.

Rename the job in the console tree to "Reset tutorial data".




EnabledSelect this check box to enable the job.

Run by dispatchersSelect a dispatcher that is responsible for running this job.

2. Choose "Apply".

3. Create the pass by selecting the job and choosing New/Run pass wizard to start the passwizard.

4. Choose "Next >".

Navigate to the folder "Generic directory" in the Identity Center tree and select the "CreateLDAP organization" template.

5. Choose "Next >".

Select the repository definition "Tutorial-LDAP".




6. Choose "Next >".

Leave the field "Organization name" empty as we will reference the repository constantdirectly.

The other fields are disabled to show that the values are retrieved from the repositorydefinition.


8. Select the pass in the console tree and select the "Destination" tab:

The repository constants you specified when running the wizard are inserted in the fields.

Replace the values for "dn" and "o" with the repository constants you added.

9. Choose "Apply".



Running the jobRun the job and verify that the organization is created in the directory server. Use an LDAPclient to view the contents of the directory server.

If the job fails, inspect the log files, verify that you have specified the correct credentials for thedirectory server.

Adding a repository definition for the file system folderCreate a folder in the file system where you want to store the files that we create for each entryin the identity store. Here we create a folder files in C:\Tutorial\Target.

The file system folder is added as a generic repository definition:

1. Select the Identity Center's "Repositories" node and choose New/Repository from thecontext menu. Choose "Next >".

Navigate to the "Repositories" directory and select the "Generic repository" template.




2. Choose "Next >".

Specify the repository definition name.

3. Choose "Next >" twice and then "Finish" to complete the wizard.

4. Add one repository constant:

Name the constant "PATH" and enter the path to the folder as the value. You can use theglobal constant as part of the folder name. Use the context menu to insert the globalconstant.

Note:Make sure that this folder (files) exists.

5. Choose "OK" to close the dialog box.

33Section 3: Adding the create and update LDAP user tasksSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


Section 3: Adding the create and update LDAP user tasksIn this section we will add the tasks for creating and updating a user in the directory server. Thetop-level task will be called as the add member event task from the Tutorial-LDAP repositorydefinition referenced from the PRIV:LDAP privilege (created later) assigned to a user. To easilyidentify the tasks that are called from the privilege, we use the following syntax:

#_

For instance:#LDAP_AddEntry#LDAP_UpdateEntry#FILE_RemoveEntryetc

Creating a folder for the LDAP tasksFirst, we create a folder that we will use for the tasks for the LDAP server.

1. Select the identity store "Enterprise People" and choose New/Folder from the contextmenu.

Enter "LDAP" as name for the folder.

2. Choose "OK". The folder is included in the console tree.

Deselect "Show folder in User Interface" as the tasks in this folder should not be displayedin the User Interface.

3. Choose "Apply".

34Section 3: Adding the create and update LDAP user tasks



Adding task: #LDAP_AddEntryNext, we create the ordered task group #LDAP_AddEntry.

1. Select the folder you just created and choose New/Ordered task group from the contextmenu.

Modify the task name in the console tree.


RepositorySelect "Tutorial-LDAP" from the list.



2. Select the "Result handling" tab:

Fill in the following:

Wait for event tasksSelect "Wait for event tasks" to make sure that the pending value objects are automaticallyremoved when completed.

3. Choose "Apply".




Adding link to existing task: Change entry referenceand attribute value on PVOHere we link the task Change entry reference and attribute value on PVO created previously.To link the task, do the following:

1. Select the ordered task group "#LDAP_AddEntry" and choose New/Link to existingtask from the context menu and select the task Change entry reference and attributevalue on PVO.

The task link is created.



Adding task: Create LDAP entryThe next step is to create the action task Create LDAP entry. This task is creating the user in theLDAP directory, although without any attributes except the mandatory sn. The other attributesare added by the #LDAP_UpdateEntry task.

Note:This sample shows usage of an iPlanet directory server. If you are using another directoryserver, you may need to use different values.

1. Select the task "#LDAP_AddEntry" and choose New/Action task/Run wizard to startthe job wizard.

2. Choose "Next >".

Navigate to the "Generic directory" folder in the "Identity Center" tree and select the"Create LDAP InetOrgPerson" template.

3. Choose "Next >".

Select the "Tutorial-LDAP" repository definition.




4. Choose "Next >".

The values for most constants are retrieved from the corresponding repository constants.

You only need to supply the name of the organization. Use the context menu to insert therepository constant referencing the organization name.


The task is included in the console tree:

Rename this task to "Create LDAP entry".

Although you selected a repository definition for this task, this is not included in the"Repository" field. This is because the parent task already contains a reference to thisrepository definition.



6. Select the job in the console tree:

Modify the job name in the console tree.


EnabledSelect this check box to enable the job to be run by a dispatcher.

Run by dispatchersSelect a dispatcher that should be responsible for running this job.

7. Choose "Apply".




8. Select the pass in the console tree and select the "Source" tab:

Deselect "Retrieve attributes from pending value".



Modify the definition created by the template in the following way:dn: %$rep.DN%objectClass: top|person|organizationalPerson|inetOrgPersonsn: %MX_LASTNAME%

Use the context menu to insert the source attributes and the constants used in the definitions.

The prefix . (period) in front of objectClass ensures that this attribute will not be updated ina Modify operation.



Remove the redundant lines created by the template.

Add the line:changeType: Add

This line ensures that the job fails if trying to create an already existing entry.

10. Choose "Apply".

Adding task: #LDAP_UpdateEntryWe continue by adding a task to modify the LDAP attributes. For this purpose, we create thetask #LDAP_UpdateEntry.

Create the task in the same way as the Create LDAP entry task:

1. Select the "#LDAP_AddEntry" task in the console tree and choose New/Action task/Runwizard from the context menu. Use the "Create LDAP InetOrgPerson" template. Use therepository definition "Tutorial-LDAP" and the repository constant as the organization name.


The #LDAP_UpdateEntry task is now part of the #LDAP_AddEntry ordered task group, i.e.executing #LDAP_AddEntry will also execute #LDAP_UpdateEntry.

Select "Public task" as we are going to call this task from the repository definition later on.

2. Choose "Apply".





Modify the job name in the console tree.

Enable the job, and select the correct dispatcher.

4. Choose "Apply".

5. Select the pass in the console tree and select the "Source" tab.






Remove the redundant lines and modify the remaining pass definitions as shown above.

The definition changeType=Modify indicates that this pass will always perform a modifyoperation.

7. Choose "Apply".

44Section 4: Adding the PRIV:LDAP privilege



Section 4: Adding the PRIV:LDAP privilegeIn this section we will add the privilege that contains a link to the repository definition Tutorial-LDAP, which again contains links to the created add member and modify event tasks. In thissection we will also create a User Interface task that is used to add the privilege PRIV:LDAP tothe entries in the identity store and see that the task is executed.

Creating the PRIV:LDAP privilegeTo add the privilege:

1. Select "Privileges" in the console tree, under "Identity store metadata", and chooseNew/Privilege from the context menu.

Modify the following properties:

NameEnter "PRIV:LDAP" as name of the privilege.

RepositorySelect the repository definition "Tutorial-LDAP".

2. Choose "OK" to close the dialog box and create the privilege.

45Section 4: Adding the PRIV:LDAP privilegeSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


Updating the repository definition Tutorial-LDAPDefine the created tasks #LDAP_AddEntry and #LDAP_UpdateEntry on the repositorydefinition Tutorial-LDAP referenced from the tasks and the privilege.

1. Select the repository definition "Tutorial-LDAP" (under Management\Repositories) in theconsole tree.

2. Select the "Event tasks" tab:


Add member taskAdd the task "#LDAP_AddEntry". Choose "" to the right of the field to select the task.

Modify taskAdd the task "#LDAP_UpdateEntry". Choose "" to the right of the field to select the task.

3. Choose "Apply".




Hiding the "Provisioning folder"We will not use this folder, and we can hide it so it doesn't show in the User Interface.

1. Select the "Provisioning folder" in the console tree.

Deselect "Show folder in User Interface".

2. Choose "Apply".

Creating a folder for User Interface tasksWe will create a separate folder for the tasks showing in the User Interface:

1. Select the identity store "Enterprise People" in the console tree and choose New/Folderfrom the context menu.

Enter "User Interface tasks" as name for the folder.

2. Choose "OK".



The folder is included in the console tree:

Creating the User Interface taskThe next step is to create the User Interface task that we will use to add the privilege to theentries in the identity store:

1. Select the "User Interface tasks" folder and choose New/Ordered task group from thecontext menu.





2. Select the "Attributes" tab:

Select "MX_PERSON" as entry type. The following dialog box will appear when changingthe entry type:

3. Choose "Yes" to close the dialog box and change the entry type.

4. Configure the attributes for the task as displayed above.

5. Choose "Apply".



6. Select the "Access control" tab and choose "Add".

Select "Logged-in user or identity store entry" in the "Allow access for" list.

Make sure that the correct identity store is selected.

Enter the name of the identity store user with access to the "Manage" tab in the UserInterface.

Make sure that "Everybody" is selected in the "On behalf of" field.

7. Choose "OK" and the resulting access control is displayed in the details pane:

8. Choose "Apply".




Adding the privilege to the identity store entryDo the following:

1. Access the User Interface (enter http://:/idm in your browser, provide thecredentials and log in).


3. Make sure that the "Person" is selected in the "Show" field and choose "Go" to list allMX_PERSON entries available in the identity store.



4. Select one of the entries, for instance entry "3001".

5. Choose "Choose Task".

Expand the "User Interface tasks" folder and select "Manage privileges".




Note:Choosing "Add to Favorites" you can add a task button for easier access to the task:

6. Choose "Choose Task" and the task will open in a new window.



Choose "Search" in the left pane (Available) to list all the available privileges that can beassigned to the entry.

7. Select the privilege "PRIV:LDAP" and choose "Add":

8. Choose "Save" to save the changes and then close the task.

Verify that the entry is added to the directory server and that the jobs have completedsuccessfully by inspecting the Identity Center's job log in the console tree.




TroubleshootingIf any problem should occur during the execution, you can check some of the following:

Verify that the dispatcher is running and that it is enabled for provisioning jobs.

Verify that all tasks and jobs are enabled.

Verify that the job has been defined for the given dispatcher.

Verify that "Retrieve attributes from pending value" is deselected on the tasks.

Verify that the directory server is available, and that the correct credentials are used.

Verify that the repository definition is defined on the tasks.

View the logs.

System logVerify that the dispatcher has requested the given job.

Job logView any error messages in the job log to see if you can find the cause of the problem.

If you need to investigate a job more thoroughly, you can specify a different log file namefor the job in the "Logging" tab of the job properties. You can also deselect the check box"Reset output file" to avoid overwriting the log file each time the job is run. This can beuseful when debugging a provisioning job that may be run several times in sequence.

If you need more logging info from a specific job, you can create a specific dispatcher andincrease the log level in the dispatcher's .prop file. Specify that the job is to be run by thisspecific dispatcher. Make sure that the dispatcher is not running. To run the job, start thedispatcher from the command line with the following command:

dispatcher_service_ test runonce

The job will then be run once and a detailed log file will be created.

55Section 5: Adding the remove LDAP user tasksSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


Section 5: Adding the remove LDAP user tasksIn this section we add the tasks for removing a user in the directory server. We will also updatethe repository definition to contain a link to #LDAP_RemoveEntry task.

Adding task: #LDAP_RemoveEntryFirst, we create the ordered task group #LDAP_RemoveEntry:

1. Select the "LDAP" folder and choose New/Ordered task group from the context menu.

Rename the task name in the console tree.

Select "Tutorial-LDAP" from the list.

56Section 5: Adding the remove LDAP user tasks






3. Choose "Apply".




1. Select the ordered task group "#LDAP_RemoveEntry" and choose New/Link to existingtask from the context menu and select the task Change entry reference and attributevalue on PVO.





Adding task: Set LDAP entry to inactiveThis task is used to set an entry to inactive. As there is no concept of inactive in an LDAPdirectory, we change the displayName of the user, by adding the prefix "INACTIVE:". This is tovisualize that the user has been set to inactive.

Note:If you are using an LDAP client that does not show the displayName attribute, you may want tomodify a different attribute.

An easy way of creating this task is to copy the Create LDAP entry task:

1. Select the "Create LDAP entry" task in the console tree and choose Copy from the contextmenu.

2. Select the "#LDAP_RemoveEntry" task and choose Paste from the context menu.

3. Select the task in the console tree:

Rename the task to "Set LDAP entry to inactive".




Rename the job to "Set LDAP entry to inactive", then enable the job and select a dispatcher.

5. Choose "Apply".

6. Select the pass in the console tree and select the "Destination" tab:

Rename the pass to "Set LDAP entry to inactive".

Modify the pass properties in the following way:

Remove the "objectClass" and "sn" attributes and their values.

Enter the attribute value "Modify" for the attribute "changeType".

Add the attribute "displayName" and add the text "INACTIVE: " in front of the displayname enter the value: INACTIVE: %MX_FIRSTNAME% %MX_LASTNAME%.




Note that this is used only to indicate that the entry is inactive and it will not actually set theentry itself to inactive. Some directory servers may have option to disable an entry.

7. Choose "Apply".

Adding task: Remove LDAP entryThe next task is Remove LDAP entry:

1. Copy and paste the "Set LDAP entry to inactive" task.

2. Rename the task to "Remove LDAP entry".

3. Select the job:

Rename the job to "Remove LDAP entry".


4. Choose "Apply".



5. Select the "Destination" tab of the pass:

Rename pass to "Remove LDAP entry".

Modify the attributes as shown above (changeType=Delete specifies that the entry is deletedfrom the directory server).

6. Choose "Apply".

Specifying a delayAdditionally, we add a delay between marking user for deletion and the actual delete. Normally,this may be several days or even weeks, but in this case we specify one minute delay.

1. Select the "Remove LDAP entry" task.




Modify the task properties:

Delay before startEnter "1" and make sure that "Minutes" is selected in the list.

2. Choose "Apply".

The tasks for removing of LDAP user are now implemented. The next step is to add reference tothe task #LDAP_RemoveEntry on the repository definition Tutorial-LDAP.

Updating the repository definition Tutorial-LDAPWe can now add the reference to the #LDAP_RemoveEntry task on the Tutorial-LDAPrepository definition:

1. View the properties of the Tutorial-LDAP repository definition and select the "Event tasks"tab:


Remove member taskAdd the task "#LDAP_RemoveEntry". Choose "" to the right of the field to select thetask.

2. Choose "Apply".

Now, all tasks for this provisioning system are defined on the repository definition Tutorial-LDAP.



Removing the privilege from the identity store entryWe can now remove the privilege PRIV:LDAP from the previously created user (a user with anentry ID that exists in the directory server), to test that the task #LDAP_RemoveEntry functionscorrectly.

1. Access the User Interface (enter http://:/idm in your browser, provide thecredentials and log in).


3. Make sure that the "Person" is selected in the "Show" field and choose "Go".




4. Select the entry "3001" and choose the task "Manage privileges".

Select the privilege "PRIV:LDAP" in the right pane (Assigned).

5. Choose "Delete", and then "Save" to confirm the action.

6. Close the task.



Note:There will be a delay of one minute between "Set LDAP entry to inactive" and "Remove LDAPentry".

Observe that the display name of the entry is changed to, for instance, "INACTIVE: LisaAndersson" then verify that the entry is removed after a minute and that the jobs havecompleted successfully by inspecting the Identity Center's job log in the console tree.

66Section 6: Resetting the tutorial data



Section 6: Resetting the tutorial dataDuring testing, the Identity Center database and the repositories fill up with data. Especially thedelta information may cause confusing results. Before we continue, we will reset the following:

The directory server

The identity store

The delta information

The pending value objects (we will remove all pending value objects in the identity store)

As we add more repositories to the configuration, they need to be reset, too.

Note:Since this job will reset the repositories, be careful using it in the production environment.

Resetting the directory serverWe already have a job with a pass that creates the organization in the directory server. We aregoing to extend this job to reset all the data for the tutorial.

1. Copy the "Create LDAP organization" pass and ensure that the copy is placed above theoriginal pass.

2. Select the new pass in the console tree and select the "Destination" pass:


Modify the pass definition.

3. Choose "Apply".

Note:changeType=DeleteSubtree is a very powerful function, which removes an entire subtree withinan organization, with no warnings and no possibility to undo the deletion. Please use with care.

67Section 6: Resetting the tutorial dataSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


Emptying the identity storeThere is a stored procedure in the Identity Center database that can be used to remove entriesfrom the identity store. As a delete of a user would execute event tasks on the entry type andattributes, as well as saving the old values, the stored procedure deletes the entries without anyevent tasks being run. The entries are also removed from the historic data.

The stored procedure mc_reset_ids_mskey can be called from a "To Database" pass.

The syntax for the stored procedure is:Microsoft SQL Server: execute mc_reset_ids_mskey Oracle: call mc_reset_ids_mskey()

mc_reset_ids_mskey has one parameter, the mskey to the entry that is to be removed. You canuse the "Source" tab to define the selection and use %MSKEY% to call the procedure for eachMSKEY that is found.

1. Select the "Create LDAP organization" pass and choose New/To Database from the contextmenu. Select the "Source" tab.

Modify the pass name in the console tree to "Empty identity store".

Select "Use identity store" (and make sure that the identity store Enterprise People isselected).

2. Choose "Build SQL query".

Fill in the following values to specify that all entries with entry type MX_PERSON will beremoved from the identity store, but not the entry with MSKEYVALUE "Administrator" (theuser that was given access to the User Interface task).

Select "MX_ENTRYTYPE" from the "Attribute name" list and "MX_PERSON" from the"Filter" list.

Select "AND" from the "Operator" list, "MSKEYVALUE" in the "Attribute name" list,select the "Not" option button and enter "Administrator" in the "Filter" field.

Select "Include inactive entries" to make sure that any inactive entries also are removedfrom the identity store.

3. Choose "OK".




The resulting query will look like this:

4. Select the "Destination" tab and fill in the following information:


SQL updatingSelect this check box to specify that the definitions are SQL statements.



DefinitionsEnter execute mc_reset_ids_mskey %MSKEY%. This definition calls the stored proceduremc_reset_ids_mskey with the correct parameters.

Note:The syntax shown above is for Microsoft SQL Server. The syntax for Oracle iscall mc_reset_ids_mskey(%MSKEY%)

5. Choose "Apply".

Resetting the delta informationWe have defined a delta database for the pass "HR to ID store". The delta database must bereset to avoid confusing results when testing the jobs and tasks. There is a stored procedure forremoving all delta and audit trail information, mc_reset_delta_nostatus.

This stored procedure has one parameter, the delta identifier. You will find this name in the passproperties.

1. Select the "Empty identity store" pass and choose New/To Database from the contextmenu.


Rename the pass in the console tree.

Fill in the pass properties:


SQL updatingSelect this check box to specify that the definitions are SQL statements.

DefinitionsEnter execute mc_reset_delta_nostatus 'TUTORIALHR'. This line calls the stored proceduremc_reset_delta_nostatus with the correct parameters.




Note:The syntax shown above is for Microsoft SQL Server. The syntax for Oracle iscall mc_reset_delta_nostatus('TUTORIALHR')

3. Choose "Apply".

Removing the pending value objectsDuring the testing of the provisioning system, failed pending value (MX_PENDING_VALUE)objects (PVOs) might be queued causing irregular behavior of the system and its tasks. To avoidthis, a pass for removing all pending value objects is created.

An easy way of creating this pass is to copy the "Empty identity store" pass created previously,which is quite similar:

1. Select the "Empty identity store" pass in the console tree and choose Copy from the contextmenu.

2. Select the "Empty delta database" pass and choose Paste from the context menu. Select the"Source" tab.

Modify the pass name in the console tree to "Remove all PVOs".

3. Choose "Build SQL query".

Fill in the following values to specify that all entries with entry typeMX_PENDING_VALUE will be removed from the identity store:

Select "MX_ENTRYTYPE" from the "Attribute name" list and "MX_PENDING_VALUE"from the "Filter" list.

Select "Include inactive entries".

4. Choose "OK".

5. Deselect "Use identity store" and enter " %$ddm.identitycenter%" as the value in the"Database" field. Use the context menu to insert the system parameter.



The resulting query will look like this:

6. Select the "Destination" tab and make sure that the following is defined:

Note:The syntax shown above is for Microsoft SQL Server. The syntax for Oracle iscall mc_reset_ids_mskey(%MSKEY%)

7. Choose "Apply".




Running the jobTo run the job, view the job properties and choose "Run now". View the job log to verify thatno errors occur during the execution of job.

The Identity Center's system log contains messages from the stored procedures confirming thatthe identity store and the delta information have been reset.

By enabling and disabling passes in the job, you can reset only selected parts.

73Section 7: Automatically assigning the privilegeSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


Section 7: Automatically assigning the privilegeIn this section we will see how we can automatically assign the privilege when the users areadded to the identity store instead of using the User Interface task to manually assign theprivilege.

Updating the "HR to identity store" jobIf we add the privilege to the entries when they are written to the identity store, they willautomatically be created in the directory server when they are added to the identity store.

To do this, we must update the job that writes the entries to the identity store:

1. Select the "Destination" tab of the "HR to ID store" pass in the "HR to identity store" job:

Add the last line in the "Definitions" section:

AttributeYou can choose "Destination attributes" from the context menu to retrieve the attributeMXREF_MX_PRIVILEGE that is the attribute containing the links to the privileges.

ValueEnter "" as the value. "PRIV:LDAP" is the name (MSKEYVALUE) of theprivilege we are using. By enclosing the value in brackets < >, you can reference theMSKEYVALUE directly. Otherwise you would have to reference the MSKEY.

2. Choose "Apply".

74Section 7: Automatically assigning the privilege



Running the jobIf necessary, run the reset job to ensure that the identity store and directory server are empty.

Then run the "HR to identity store" job to create the entries in the identity store and verify thatthey are created in the directory server as well.

75Section 8: Adding the file system tasksSAP NetWeaver Identity Management Identity Center Tutorial - Provisioning


Section 8: Adding the file system tasksThis section shows how to add the tasks for updating the file system. For the example, this willbe a folder in the file system, where files are created, written and deleted using the action tasks.

Adding task: #FILE_AddEntryCreate the task structure:

1. First, we create a folder for the tasks below the identity store node. Name the folder "File"and specify that it will not be displayed in the User Interface (make sure that "Show folderin User Interface" is deselected).

2. Create an ordered (task) group in this folder:

Rename the task in the console tree to "#FILE_AddEntry".

Select "Tutorial-FILE" as repository definition for the task.

76Section 8: Adding the file system tasks






4. Choose "Apply".




1. Select the ordered task group "#FILE_AddEntry" and choose New/Link to existing taskfrom the context menu and select the task Change entry reference and attribute value onPVO.





Adding task: Add fileThis task is used to create the file for the given user. The EmployeeID will be used as file name.

1. Select the "#FILE_AddEntry" task and choose New/Action task/Empty job from thecontext menu.

Rename the task to "Add file" in the console tree.

This task will inherit the repository definition from the parent task.


Rename the job to "Add file" in the console tree.


3. Choose "Apply".



4. Select the job and choose New/Shell execute from the context menu to add a pass to thejob. Select the "Source" tab:



Enter the following definitions:cmd /c echo User created %$ddm.date% %$ddm.time% > "%$rep.PATH%\%MSKEYVALUE%.txt"

Note:The file name must be enclosed by double quotes.

This command will add the text "User created " (e.g. User created17.06.2009 14:30:17) as the content to a file with MSKEYVALUE of the given user as filename, for example 3001.txt for Lisa Andersson.




Note:This will be different if running the job on a different platform than Microsoft Windows.

6. Choose "Apply".

Adding task: #FILE_UpdateEntryThis task is very similar to the Add file task, which we can copy and modify to create the#FILE_UpdateEntry task.

1. Make a copy of the "Add file" task.

2. Select the task "#FILE_AddEntry" in the console tree and paste the copied "Add file" task.


Select "Public task" as this task will be called from the privilege as the modify task definedon the repository definition.

3. Choose "Apply".



4. Select the job:

Rename the job in the console tree.


5. Choose "Apply".

6. Select the "Destination" tab of the pass:

Rename the pass in the console tree.

Enter the following definitions:cmd /c echo User modified %$ddm.date% %$ddm.time% > "%$rep.PATH%\%MSKEYVALUE%.txt"cmd /c echo User name: %MX_FIRSTNAME% %MX_LASTNAME% >>"%$rep.PATH%\%MSKEYVALUE%.txt"cmd /c echo Email: %MX_MAIL_PRIMARY% >> "%$rep.PATH%\%MSKEYVALUE%.txt"




We have still not added the e-mail address, so this information will be empty at the moment,but will be included when it is available.

7. Choose "Apply".

This will replace the existing contents of the file.

Adding task: #FILE_RemoveEntryThe final step is to create the #FI

SAP NetWeaver Identity Management Identity Center Tutorial ... · SAP NetWeaver Identity Management Identity Center is the primary component for identity management. The Identity

Text of SAP NetWeaver Identity Management Identity Center Tutorial ... · SAP NetWeaver Identity Management...

SAP NetWeaver Identity Management Password Hook ...a248.g.akamai.net/n/248/420835/20a8b8e19d8fcd5b112a7cdd...SAP NetWeaver Identity Management Password Hook Configuration Guide ©

SCI104 How to Migrate From SAP CUA to SAP NetWeaver Identity Management 7.1

SAP NetWeaver Identity Management Identity Center Intial Configurtion

Identity Management for SAP System Landscapes ... · Identity Management for SAP System Landscapes: Configuration Guide Document Version 7.2 Rev 3 October 2011 SAP NetWeaver Identity

Identity Management with SAP NetWeaver IdM - · PDF fileIdentity Management with SAP NetWeaver IdM ... ABAP SAP XI ABAP Java SAP Java SAP HR ABAP SAP FI ABAP SAP Portal ... (HR/Org

SCI262_exercise-Compliant Identity Management With SAP NetWeaver ID Management and SAP Business Objects Access Control 2

SAP NetWeaver Identity Management Identity Center Installing and Configuring the Identity

SAP NetWeaver Cloud Security Tutorial - …a248.g.akamai.net/n/248/420835/b02a52b84f434d2c5d90201b16b7bde… · SAP NetWeaver Cloud Security Tutorial. Single Sign-On and Identity

Sci261- Sap Netweaver Identity Management - Workflow Configuration

SAP NetWeaver Identity Management Identity Center Tutorial - Context-Based Assignments

SAP NetWeaver Identity Management - Procatsprocats.de/akNord/images/cm/SAP_NW_IdM4DSAG_Demo_Extern.pdf · SAP NetWeaver Identity Management 7.0 Web App. Legacy App. Lotus Notes Databanken

IBM Tivoli Identity Manager: Adapter for SAP NetWeaver AS ABAP Installation and Configuration

0. SAP NetWeaver Identity Management Sizing Guide

SAP NetWeaver Identity Management Virtual Directory Server Using SSL for LDAP ...a248.g.akamai.net/n/248/420835/07aff44b36ce74efc56ea9e52... · 2016-01-22 · SAP NetWeaver® Identity

SAP NetWeaver Process Integration 7.1 Principal ... · SAP NetWeaver Process Integration 7.1 4 Goal: Securely pass the identity of user ‘U’ across SAP PI to receiver system Run

How to Create Reports With SAP NetWeaver Identity Management

SAP Cloud Identity Overview Presentation · SAP HANA Platform SAP NetWeaver Application Server SAP Access Control SAP Identity Management ... Product overview SAP Cloud Identity service:

SAP NetWeaver Identity Management Identity Center ... document describes how the Java class is implemented as a project in the SAP NetWeaver Developer Studio, how the class is deployed

SAP NetWeaver Identity Management Virtual Directory Server ......The SAP NetWeaver Identity Management Virtual Directory Server can logically represent information from a number of

SAP NetWeaver Identity Management Identity Services ...a248.g.akamai.net/n/248/420835/32ae37ca1751ec381f62c27b8084a724465966... · SAP NetWeaver® Identity Management Identity Services

SAP Sourcing / CLM Webcast Series Security concepts · SAP Sourcing (Service Provider) Identity Provider . SAP Netweaver IDM (SAP Identity Management 7.1 SP5+ and 7.2) App Server

SAP NetWeaver Identity Management Scenarios

SAP NetWeaver Identity Management Identity Services Configuration Guide · 2019. 11. 12. · Configuration guide. xSAP NetWeaver Identity Management Compliant provisioning using SAP

How to Deploy SAP NetWeaverHow to Deploy SAP NetWeaver Deployment Recommendations for SAP NetWeaver 7.0 - SAP NetWeaver Business Warehouse - Dirk Anthony, SAP NetWeaver Solution Management

SAP BusinessObjects GRC 10.0 Integration Guide – Access Control 10.0 and NetWeaver Identity Management

SAP NetWeaver Identity Management Identity Providersanty.wdfiles.com/local--files/singlesignon/SAP_SSO_IdentityGuide.pdf · Implementation Guide SAP NetWeaver Identity Management

SAP NetWeaver Identity Management Identity Center ... NetWeaver...attributes on the formatMX_AUTHQ_nnn (e.g. MX_AUTHQ_001, MX_AUTHQ_002 etc). Five (5) attributes are defined by default,

SAP NetWeaver Identity Management- IDM Connector Overview

SAP NetWeaver Identity Management Compliant provisioning ... · SAP NetWeaver® Identity Management Compliant provisioning using SAP BusinessObjects Access Control Configuration guide

New Features and Functions in SAP NetWeaver Identity ...a248.g.akamai.net/n/248/420835/51ecd02f24bbd947084c6aa6be27d3…New Features and Functions in SAP NetWeaver Identity Management

Documents

SAP NetWeaver Identity Management Identity Center Tutorial ... · SAP NetWeaver Identity Management Identity Center is the primary component for identity management. The Identity

Text of SAP NetWeaver Identity Management Identity Center Tutorial ... · SAP NetWeaver Identity Management...