Page 1: SAP NetWeaver Identity Management Identity Center User … · 2019-11-12 · existing in the identity store) in the identity store. This pass will also assign users the privilege

SAP NetWeaver® Identity Management

Identity Center

User management for the Identity Management User Interface

Version 7.1 Rev 1


© Copyright 2009 SAP AG. All rights reserved.

SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, Excel, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Preface

The product

SAP NetWeaver Identity Management Identity Center is a high-end identity management solution, capable of handling a large amount of repositories containing an unlimited amount of information. The Identity Center offers a robust, flexible and scalable high-availability solution for workflow, provisioning, data synchronization and joining for a large number of data repositories. The Identity Center provides a framework for a number of jobs.

The reader

This manual is written for people who are to configure the authentication for the Identity Center and the Identity Management User Interface. The manual describes the process of establishing the link between the UME (User Management Engine) users and the Identity Management Identity Center users in order to use the Identity Management User Interface.

Prerequisites

Before configuring the user management for the Identity Management User Interface, make sure that the following prerequisites are present:

SAP NetWeaver AS Java as of Release 7.0.0 SP14 or higher, or Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1, must be correctly installed and licensed.

SAP NetWeaver Identity Management Identity Center version 7.1, or newer, correctly installed and licensed.

SAP NetWeaver Identity Management User Interface must be installed and configured (according to SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface).

Basic knowledge about the SAP NetWeaver AS Java and its tools.

Some knowledge about the SAP NetWeaver Identity Management Identity Center is required.

The manual

This tutorial describes how you perform the user management for the Identity Management User Interface.

Related documents

You can find useful information in the following documents:

SAP NetWeaver Identity Management Identity Center: Installation overview

SAP NetWeaver Identity Management Identity Center: Installing the Management Console

SAP NetWeaver Identity Management Identity Center: Installing the Runtime Components


SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft SQL Server/Oracle)

SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface

Identity Management for SAP System Landscapes: Configuration Guide

For UME Security Policy see http://help.sap.com/saphelp_nw70/helpdata/EN/0a/065e4278636255e10000000a155106/frameset.htm.

For information on SAP NetWeaver see http://help.sap.com.


Table of contents

Introduction
  Authentication
  The scenarios
  Privileges
  Tasks and jobs

Preparing the import
  Preparing the Identity Center
  Preparing the UME

Importing the tasks and jobs to the Identity Center
  Importing the tasks
  Importing the jobs

Configuring the imported tasks, jobs and constants
  Modifying repository constants
  Creating the privileges and referencing the tasks
  Modifying the global constants

Managing the privileges
  Creating a folder for the User Interface task
  Adding the "Edit user" task

Scenario 1: All users initially in the Identity Center
  Creating a user in UME with general access to User Interface
  Verifying the provisioned user and its access to the User Interface
  Giving access to the "Monitoring" tab
  Provisioning several users at a time

Scenario 2: All users initially in the UME
  Synchronizing the UME users to the identity store
  Managing the synchronized UME users in the Identity Center


Introduction

To be able to use the Identity Management User Interface, the user must be defined in both the UME and in the Identity Center's identity store. The link between the users is the UME "User ID" and the user's MSKEYVALUE in the identity store. These must match (casing is ignored).

This manual leads you through the process of establishing the link between the UME (User Management Engine) users and the Identity Management Identity Center users in order to use the Identity Management User Interface. In this document you are going to import a set of tasks and jobs to your Identity Center that provide some basic mechanisms connecting the two user databases and keeping them up to date.

The document requires that the prerequisite software is installed as described in the SAP NetWeaver Identity Management Identity Center: Installation overview and the Identity Management User Interface configured as in the SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

The SAP provisioning framework provides the mechanisms for user management for the User Interface, and they are described in Identity Management for SAP System Landscapes: Configuration Guide. This manual, however, describes how to manage users, in order to use the User Interface, independently of the SAP provisioning framework.

Authentication

In version 7.0 of the Identity Management Identity Center, the authentication is done by the Workflow interface, by using the MSKEYVALUE and the MX_PASSWORD attributes. The Monitoring authentication is done by using the database user.

In version 7.1 of the Identity Center, the authentication is done by the UME for the Identity Management User Interface, which has both the previous Workflow interface and Monitoring functionality.

The scenarios

Two scenarios are described in this document:

Scenario 1: All users are initially stored in the Identity Management Identity Center and the UME needs to be populated. Using a privilege which is assigned to the Identity Center users and a set of imported tasks, users are provisioned to the UME. Another privilege is used to give users access to Monitoring (the "Monitoring" tab in the Identity Management User Interface).

Scenario 2: All users are initially stored in the UME and the Identity Center needs to be populated. The only difference with this scenario compared to the first one is the use of a synchronization job which is run only once in order to populate the Identity Center with UME users. After the synchronization job is run, managing the users is the same as for scenario 1.


In both scenarios, the users are managed in the Identity Center through some basic jobs and provisioning tasks. In this manual, you are going to import these jobs and tasks to your Identity Center and learn how to use them.

Privileges

Two privileges are defined in this document:

PRIV:UME – This privilege will provision the assigned user to the UME. If the SAP NetWeaver Identity Management User Interface is installed and configured according to SAP NetWeaver Identity Management Identity Center: Installing the Identity Management User Interface, the "idm.authenticated" role which gives the general access to the Identity Management User Interface will be assigned to all UME users.

PRIV:MonitoringAdmin – The privilege gives the user access to Monitoring (the "Monitoring" tab in the Identity Management User Interface).

Tasks and jobs

In this document you will import five tasks and two jobs, contained in two separate .MCC files. The files are stored together with this document.

Jobs

The file UsrMngment_IdMUI_jobs.mcc contains two jobs.

Initial load job

The imported job Initial load of UME users to identity store is a job that is run only once, to load the UME users to your Identity Center and the identity store. The job consists of two passes: the pass ReadLocalJavaUsers and the pass WriteLocalUsers.

The ReadLocalJavaUsers pass reads all UME users to a table in the Identity Center database named ume_users.

The pass WriteLocalUsers reads the table ume_users and creates all users (all users not already existing in the identity store) in the identity store. This pass will also assign users the privilege PRIV:UME. If not all users need this privilege, the line can be commented out.
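The linking rule from the Introduction (UME "User ID" must equal MSKEYVALUE, casing ignored) and the create-only-missing behaviour of WriteLocalUsers can be checked offline before the one-time load is run. The following Python code is an added example, not part of the SAP-delivered job; the function names, the use of casefold() for the case-insensitive comparison and the sample user lists are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: User IDs as exported from the UME and
# MSKEYVALUEs as exported from the identity store (not real accounts).
SAMPLE_UME_USER_IDS = ["Administrator", "jsmith", "ADOE", "guest"]
SAMPLE_MSKEYVALUES = ["administrator", "JSmith", "mlee", "MLee"]


def _group_by_folded(identifiers):
    """Map each case-folded identifier to the distinct spellings seen for it."""
    groups = defaultdict(list)
    for raw in identifiers:
        name = raw.strip()
        if name and name not in groups[name.casefold()]:
            groups[name.casefold()].append(name)
    return groups


def plan_initial_load(ume_user_ids, mskeyvalues):
    """Compare UME User IDs with identity store MSKEYVALUEs, ignoring case.

    Returns a dict with four lists:
      linked    - UME users that already match an identity store entry
      to_create - UME users missing from the identity store, i.e. the
                  entries a create-only-missing load would add
      idm_only  - identity store entries without a UME user; they cannot
                  use the User Interface until they are provisioned
      ambiguous - spellings on one side that differ only in casing and
                  therefore collapse to the same link key
    """
    ume = _group_by_folded(ume_user_ids)
    idm = _group_by_folded(mskeyvalues)
    return {
        "linked": [ume[k][0] for k in sorted(ume) if k in idm],
        "to_create": [ume[k][0] for k in sorted(ume) if k not in idm],
        "idm_only": [idm[k][0] for k in sorted(idm) if k not in ume],
        "ambiguous": [
            tuple(sorted(spellings))
            for side in (ume, idm)
            for _key, spellings in sorted(side.items())
            if len(spellings) > 1
        ],
    }


if __name__ == "__main__":
    plan = plan_initial_load(SAMPLE_UME_USER_IDS, SAMPLE_MSKEYVALUES)
    for section, names in plan.items():
        print(f"{section}: {names}")
```

Entries reported under "ambiguous" should be resolved by hand before the load, because the link between the two user databases ignores casing.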

Privilege assignment job

The job Add privilege to users is meant to make it easier to assign privileges to more than one user at once. In the pass Add privileges, define users that need the privilege by defining an SQL statement in the "Source" tab of the pass, and define which privilege to assign in the "Destination" tab of the pass.


Tasks

The file UsrMngment_IdMUI_tasks.mcc contains five tasks, where three of them are referenced from the privilege PRIV:UME and two from the privilege PRIV:MonitoringAdmin (these privileges need to be created in the Identity Center).

The three tasks referenced from the PRIV:UME privilege are:

"#Create UME user" as the provisioning task.

"#Delete UME user" as the de-provisioning task.

"#Modify UME user" as the modify task.

The two tasks referenced from the PRIV:MonitoringAdmin privilege are:

"#Add UME monitoring role" as the provisioning task. The task will add the UME created role "idm.monitoring.administration" to the user and thus the access to the "Monitoring" tab in the User Interface.

"#Delete UME monitoring role" as the de-provisioning task, which will remove the access to the "Monitoring" tab.


Preparing the import

Before importing the jobs and tasks, make sure that the environment, both the Identity Center and the UME, is configured correctly.

Preparing the Identity Center

Before importing the jobs and tasks for managing the users to the Identity Center, you need to:

Configure the import options.

Enabling imported jobs

To ensure that the imported jobs are enabled and have a dispatcher defined, do the following:

1. Select the Identity Center node in the console tree to open the details pane.

2. Select the "Options" tab in the details pane and do the following:

Select "Enable imported jobs". This will ensure that the imported jobs are enabled.

Select a valid dispatcher in the "Default dispatcher" field.

3. Choose "Apply".


Preparing the UME

Before importing the jobs and tasks, the following needs to be done:

Make sure that all users have general access to the Identity Management User Interface according to SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface. This means that the UME role "idm.authenticated" needs to be created with the UME action "sap.com_tc~idm~jmx~ump.idm_authenticated" assigned to it. The "idm.authenticated" role will be assigned to all users.

Using the same procedure, create the UME role "idm.monitoring.administration" with the UME action "sap.com_tc~idm~jmx~ump.idm_monitoring_administration" assigned to it.


Importing the tasks and jobs to the Identity Center

In this section we will import the specific tasks and jobs for provisioning users to the UME. The two .MCC files (one for the tasks and one for the two jobs) contain basic tasks and jobs. You can modify and extend these tasks and jobs if needed.

Importing the tasks

To import the tasks:

1. Select the identity store where you want to import the tasks in the console tree and choose "Import…" from the context menu.

2. Locate and select the file UsrMngment_IdMUI_tasks.mcc containing the tasks and choose "Open".

Make sure that "Import" is selected. Select the "Advanced" tab to ensure that a dispatcher is assigned to the tasks.

3. Choose "Next >" and then "Import".

4. When the import is finished, choose "Finish". To inspect the log select "View logfile" before choosing "Finish".


The result of this operation is a folder UME tasks containing the five tasks as shown below:

All tasks should be enabled and a dispatcher selected for the action tasks.

In addition to the tasks, the following is added:

The global constants SAP_MASTER_IDS_ID and DEFAULT_PASSWORD.

The repository definition UME.

A global JScript encrypt.


Importing the jobs

To import the jobs:

1. Select the Identity Center database where you want to import the jobs in the console tree and choose "Import…" from the context menu.

2. Locate and select the file UsrMngment_IdMUI_jobs.mcc containing the jobs and choose "Open". Then follow the same import procedure as described above.

The result of this is a folder UME-Jobs containing the two jobs as shown below:

In addition to the tasks, the following is added:

Three global JScripts: sap_checkSPMLValidDate, sap_isLocked and sap_removeSPMLPrefix.


Configuring the imported tasks, jobs and constants

Before using the imported tasks and jobs, the following needs to be done:

Modify the constants of the imported repository definition UME.

Create the privileges PRIV:UME and PRIV:MonitoringAdmin.

Reference the tasks from the privileges.

Modify the global constant SAP_MASTER_IDS_ID.

Modify the global constant DEFAULT_PASSWORD.

How to do this is described in detail in the following sections.

Modifying repository constants

The repository definition UME is used to connect to the User Management Engine (UME). This must be updated with the correct connection details and credentials to connect to your UME server.

The following repository constants exist for the repository definition UME:

HTTP_PROTOCOL – the protocol used.

APPLICATION_HOST – server name or address.

HTTP_PORT – port number for SPML calls.

SERVLET_URL – URL composed of constants HTTP_PROTOCOL, APPLICATION_HOST and HTTP_PORT, among other things.

HTTP_AUTH_USER – name of the authentication user (when accessing the UME).

HTTP_AUTH_PWD – authentication password (for accessing the UME).

To modify the repository constants:

1. Select the UME repository definition's "Constants" node in the console tree.

2. View the constant properties and enter the correct value:

Make sure that "Encrypt value" is selected for the authentication password.

When using this constant (HTTP_AUTH_PWD) in a pass, it is referenced as %$rep.HTTP_AUTH_PWD%.

3. Choose "OK".


4. Repeat the process for the other constants. The constant SERVLET_URL must not be changed. It should always be:

%rep.HTTP_PROTOCOL%://%rep.APPLICATION_HOST%:%rep.HTTP_PORT%/spml/provisioning

When modified, all six constants can be referenced from the jobs and tasks.
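The six repository constants can be sanity-checked before any task uses them. The following Python code is an added example, not SAP code: the dictionary layout, the function names, the host name, ports and user name are constructed for illustration, and it assumes that %rep.NAME% and %$rep.NAME% both resolve to the constant's value. Treating any protocol other than https as a finding is this example's own policy, chosen because the UME is accessed with the HTTP_AUTH_USER credentials over that protocol.

```python
import re

# The value the manual says SERVLET_URL must always have.
SERVLET_URL_TEMPLATE = (
    "%rep.HTTP_PROTOCOL%://%rep.APPLICATION_HOST%:%rep.HTTP_PORT%/spml/provisioning"
)
REQUIRED = ("HTTP_PROTOCOL", "APPLICATION_HOST", "HTTP_PORT",
            "SERVLET_URL", "HTTP_AUTH_USER", "HTTP_AUTH_PWD")
PLACEHOLDER = re.compile(r"%\$?rep\.([A-Z_]+)%")

# Constructed sample configuration with two weak settings.
WEAK = {
    "HTTP_PROTOCOL": {"value": "http"},
    "APPLICATION_HOST": {"value": "ume.example.internal"},
    "HTTP_PORT": {"value": "50000"},
    "SERVLET_URL": {"value": SERVLET_URL_TEMPLATE},
    "HTTP_AUTH_USER": {"value": "idm_spml_user"},
    "HTTP_AUTH_PWD": {"value": "<constructed>", "encrypted": False},
}
# The same configuration with both settings corrected.
FIXED = {name: dict(entry) for name, entry in WEAK.items()}
FIXED["HTTP_PROTOCOL"]["value"] = "https"
FIXED["HTTP_PORT"]["value"] = "50001"
FIXED["HTTP_AUTH_PWD"]["encrypted"] = True


def expand(text, constants):
    """Replace repository-constant placeholders; unknown ones are left as-is."""
    def substitute(match):
        entry = constants.get(match.group(1))
        return entry["value"] if entry and entry.get("value") else match.group(0)
    return PLACEHOLDER.sub(substitute, text)


def audit_ume_repository(constants):
    """Return (resolved SPML URL or None, list of findings)."""
    findings = []
    for name in REQUIRED:
        if not constants.get(name, {}).get("value"):
            findings.append(f"{name}: missing or empty")

    servlet = constants.get("SERVLET_URL", {}).get("value", "")
    if servlet and servlet != SERVLET_URL_TEMPLATE:
        findings.append("SERVLET_URL: differs from the documented value")

    protocol = constants.get("HTTP_PROTOCOL", {}).get("value", "")
    if protocol and protocol.lower() != "https":
        findings.append(
            f"HTTP_PROTOCOL: '{protocol}' gives the UME credentials no transport encryption"
        )

    port = constants.get("HTTP_PORT", {}).get("value", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("HTTP_PORT: not a valid TCP port")

    password = constants.get("HTTP_AUTH_PWD", {})
    if password.get("value") and not password.get("encrypted"):
        findings.append("HTTP_AUTH_PWD: 'Encrypt value' is not selected")

    url = expand(SERVLET_URL_TEMPLATE, constants)
    if PLACEHOLDER.search(url):
        url = None  # at least one constant could not be resolved
    return url, findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK), ("fixed", FIXED)):
        resolved, problems = audit_ume_repository(config)
        print(label, resolved, problems)
```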


Creating the privileges and referencing the tasks

The privilege PRIV:UME is used to provision users to UME. This privilege must be created, and the corresponding tasks for creating, modifying and removing users must be defined to ensure that users are created when the privilege is assigned to users, modified, and removed from the UME when the privilege is removed. The privilege PRIV:MonitoringAdmin also needs to be created and the corresponding tasks defined.

To create the privilege and reference the tasks, do the following:

1. In the Management Console, go to Identity store metadata\Privileges for your identity store and select New/Privilege… from the context menu.

2. Select the "General" tab:

Name the privilege "PRIV:UME".


3. Select the "Tasks" tab:

Fill in the following:

Provisioning task – Add "#Create UME user" as the provisioning task. Choose "…" to the right of the "Provisioning task" field to browse for the task.

Deprovisioning task – Add "#Delete UME user" as the de-provisioning task. Choose "…" to the right of the "Deprovisioning task" field to browse for the task.

Modify task – Add "#Modify UME user" as the modify task. Choose "…" to the right of the "Modify task" field to browse for the task.

4. Choose "OK" to close the privilege properties and add the new privilege.

5. Now repeat the same procedure to create the PRIV:MonitoringAdmin privilege. Define the following tasks for the privilege:

Provisioning task: "#Add UME monitoring role"

De-provisioning task: "#Delete UME monitoring role"


The two created privileges are now added:

Modifying the global constants

The global constants SAP_MASTER_IDS_ID and DEFAULT_PASSWORD need to be updated before the imported tasks and jobs can be used.

Modifying SAP_MASTER_IDS_ID

The global constant SAP_MASTER_IDS_ID contains the ID number of the identity store. Update the constant to contain the ID number of your identity store. You find this by selecting the ID store and viewing the "ID/Name" field in the details pane. Do the following:

1. Select the "Global constants" entry in the console tree (under "Management").

2. Select the constant SAP_MASTER_IDS_ID and view the properties:

Enter the correct value.

3. Choose "OK" to close the dialog box and insert the changes.

The global constant SAP_MASTER_IDS_ID is now modified.


Modifying DEFAULT_PASSWORD

The constant DEFAULT_PASSWORD contains the initial password the users log in with the first time. This password needs to be changed after the first login.

To modify the global constant DEFAULT_PASSWORD, do the following:

1. Select the "Global constants" entry in the console tree.

2. Select the constant DEFAULT_PASSWORD and view the properties:

Enter the initial password value according to UME Security Policy (for example "initial1") and make sure that "Encrypt value" is selected.

3. Choose "OK" to close the dialog box and insert the changes.

The global constant DEFAULT_PASSWORD is now modified.


Managing the privileges

You need a task where you can assign privileges to and remove them from the users in the User Interface. For this purpose, the "Edit user" task needs to be created. The task is accessible from the "Manage" tab in the User Interface.

Creating a folder for the User Interface task

Before creating the User Interface task, create a separate folder for it:

1. Select your identity store in the console tree and choose New/Folder… from the context menu.

Enter "IdM UI" as name for the folder.

2. Choose "OK".

The folder is included in the console tree:


Adding the "Edit user" task

To define the task Edit user, do the following:

1. Select the "IdM UI" folder and choose New/Unordered task group from the context menu.

Modify the task name in the console tree.

2. Select the "Attributes" tab:

Select "MX_PERSON" as entry type.


Note: A dialog box will appear asking you to confirm your choice. Choose "Yes" to confirm and to close the dialog box.

Configure the attributes for the task as displayed above. Use "Up" (or "Down") to place the attributes in the exact same order as shown in the picture above.

3. Choose "Apply".

4. Select the "Access control" tab and choose "Add…".

Select "Logged-in user or identity store entry" in the "Allow access for" list.

Make sure that the correct identity store is selected in the "ID store" field.

Enter the name of the identity store user with access to the "Manage" tab in the User Interface. Use the Administrator user created when installing and configuring the User Interface (as described in SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface). Choose "Check name" to make sure that the name you entered is correct and exists. This allows the admin-user to manage users (assign and remove assigned privileges).

Make sure that "Everybody" is selected in the "On behalf of" field.

5. Choose "OK".

6. Choose "Apply".


The resulting access control is displayed in the details pane:

Scenario 1: All users initially in the Identity Center

This section shows how to provision the Identity Center users to the UME by using the privileges PRIV:UME and PRIV:MonitoringAdmin, and the imported tasks and jobs.

Note: If you start a test phase with an empty identity store and need some dummy users to test with, see for instance Section 1 in SAP NetWeaver Identity Management Identity Center Tutorial – Provisioning, which covers populating the identity store.

Creating a user in UME with general access to User Interface

To provision a user to the UME, do the following:

1. Enter http://<host>:<port>/idm in your browser and log in to the Identity Management User Interface (with a user that has access to the "Manage" tab).

2. Select the "Manage" tab.

Note: If the "Manage" tab doesn't show, it means that the "admin" user does not have the privilege MX_PRIV:WD:TAB_MANAGE. See the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface on how to configure this.

3. Make sure that "Person" is selected in the "Show" field and choose "Go" to list all users in the identity store.

Select the user you want to provision to the UME.

4. Choose "Choose task".

Expand the "IdM UI" folder and select "Edit user" task.

5. Choose "Choose task".

The task opens in a new window.

Note: If you are using Internet Explorer 7, you might open the task in a new tab instead of the new window. To enable this option in your browser, choose Tools/Internet Options…, and in the Tabs section of the "General" tab choose "Settings" where you select the option "Always open pop-ups in a new tab".

In the left pane (Available):

Choose "Search" to list the privileges it is possible to link to the user.

6. Select the privilege "PRIV:UME" and choose "Add".

The assigned privilege will show in the right pane (Assigned):

7. Choose "Save" and then "Close".

You can also add a shortcut button for the task "Edit user" by adding the task to favourites. When the tasks available for the entry type MX_PERSON are displayed (under the "IdM UI" folder), select the task "Edit user".

Choose "Add to Favorites" and then "Cancel". You can now observe the shortcut button for the task "Edit user" next to "Create".

You can verify in your identity store's job log that the tasks were executed without errors:

Verifying the provisioned user and its access to the User Interface

To verify that the created UME user has access to the User Interface, do the following:

1. Enter http://<host>:<port>/idm in your browser and log in to the Identity Management User Interface with the provisioned user and its credentials. The provisioned user gets an initial password defined by the global constant DEFAULT_PASSWORD (here "initial1").

2. Choose "Log on".

The initial password must be changed the first time the user logs in to the Identity Management User Interface.

3. Enter the old and the new password (according to UME Security Policy), and choose "Change".

The user is now logged in to the User Interface with general access (only the "Self Services" tab):

If no self-service tasks are defined, the list will be empty.

Giving access to the "Monitoring" tab

To give the provisioned user access to the "Monitoring" tab, assign the user the privilege "PRIV:MonitoringAdmin" using the same procedure as when assigning the privilege "PRIV:UME" (on page 19).

When logging in to the User Interface, the user should now have a menu looking something like this:

Provisioning several users at a time

The imported job "Add privilege to users" makes it possible to assign privileges to more than one user at a time.

To assign the privilege PRIV:UME to all employees working in the Development department in your identity store and thus provision them to the UME, do the following:

1. Select the job "Add privilege to users" in the console tree to view the details pane. Make sure that the job is enabled and that the dispatcher is defined.

2. Select the pass "Add privileges" and select the "Source" tab.

3. Choose "Build SQL query…" to define the SQL statement.

The default statement selects only one user, but you can change it to include any users you want to have enabled. The illustration above shows how to create an SQL statement that selects all employees working in the Development department.

Note: If you experience any problems when choosing "Build SQL query...", remove %$glb.SAP_MASTER_IDS_ID% from the "Identity store" field in the "Source" tab and select the correct identity store. Then choose the "Build SQL query…" button again and define the SQL statement.

4. Choose "OK" to close the dialog box and add the SQL statement.

Note: After the SQL statement is added, enter %$glb.SAP_MASTER_IDS_ID% in the "Identity store" field again.

5. In the first line of the SQL statement replace is_id=1 with is_id=%$glb.SAP_MASTER_IDS_ID%:

6. Choose "Apply".

7. Select the job in the console tree to review the details pane and choose "Run now".

Inspect the job log to make sure the job has run with no errors:

Also inspect your UME to view the provisioned users:

To assign the privilege PRIV:UME to all employees in your identity store and thus provision them to the UME, enter the following SQL statement:

SELECT DISTINCT mskey FROM MXIV_SENTRIES WHERE is_id=%$glb.SAP_MASTER_IDS_ID% AND
((mskey IN (SELECT mskey FROM MXIV_SENTRIES WHERE attrname='MX_ENTRYTYPE' AND
searchvalue = 'MX_PERSON')))
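Added example (not part of the SAP document): a dry run that lists which mskeys a source statement would hand to the "Add privileges" pass before you choose "Run now", and shows why step 5 replaces is_id=1 with the global constant. It assumes an in-memory SQLite table standing in for the MXIV_SENTRIES view; the sample rows, the function names, and the department filter (attribute MX_DEPARTMENT with value 'Development') are constructed for illustration.

```python
import sqlite3

TOKEN = "%$glb.SAP_MASTER_IDS_ID%"  # global constant the Identity Center expands

# The page's statement for all persons (whitespace normalized).
ALL_PERSONS = (
    "SELECT DISTINCT mskey FROM MXIV_SENTRIES WHERE is_id=" + TOKEN + " AND "
    "((mskey IN (SELECT mskey FROM MXIV_SENTRIES WHERE attrname='MX_ENTRYTYPE' "
    "AND searchvalue = 'MX_PERSON')))"
)
# Assumed department filter; attribute name and value are illustrative.
DEVELOPMENT_ONLY = ALL_PERSONS + (
    " AND mskey IN (SELECT mskey FROM MXIV_SENTRIES "
    "WHERE attrname='MX_DEPARTMENT' AND searchvalue = 'Development')"
)
# Step 5 skipped: the default is_id=1 is left in the statement.
HARDCODED_STORE = ALL_PERSONS.replace(TOKEN, "1")

# Constructed rows: (mskey, is_id, attrname, searchvalue).
ROWS = [
    (101, 1, "MX_ENTRYTYPE", "MX_PERSON"), (101, 1, "MX_DEPARTMENT", "Development"),
    (102, 1, "MX_ENTRYTYPE", "MX_PERSON"), (102, 1, "MX_DEPARTMENT", "Sales"),
    (103, 1, "MX_ENTRYTYPE", "MX_PRIVILEGE"),  # not a person, must never match
    (204, 2, "MX_ENTRYTYPE", "MX_PERSON"), (204, 2, "MX_DEPARTMENT", "Development"),
]


def open_test_store():
    """Build the in-memory table that stands in for the MXIV_SENTRIES view."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE MXIV_SENTRIES "
                "(mskey INTEGER, is_id INTEGER, attrname TEXT, searchvalue TEXT)")
    con.executemany("INSERT INTO MXIV_SENTRIES VALUES (?, ?, ?, ?)", ROWS)
    return con


def preview_targets(con, statement, master_ids_id):
    """Return the mskeys the pass would receive for the given master store id."""
    sql = statement.replace(TOKEN, str(int(master_ids_id)))
    return sorted(row[0] for row in con.execute(sql))


if __name__ == "__main__":
    con = open_test_store()
    for name, stmt in [("all persons", ALL_PERSONS),
                       ("development only", DEVELOPMENT_ONLY),
                       ("hard-coded is_id=1", HARDCODED_STORE)]:
        print(name, "| store 1:", preview_targets(con, stmt, 1),
              "| store 2:", preview_targets(con, stmt, 2))
```

With the master identity store set to 2, the hard-coded statement still returns the persons of store 1, so PRIV:UME would be assigned to entries outside the intended store.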

The SQL statement selecting all employees is the result of building the following SQL query:

Scenario 2: All users initially in the UME

This section shows how to update the Identity Center's identity store with the UME users by using the imported synchronization job. Once the UME users are in your identity store, they can be managed in the Identity Center.

Synchronizing the UME users to the identity store

The imported job "Initial load of UME users to identity store" is a job you only need to run once, to load the UME users to the Identity Center. To run the job, do the following:

1. Select the job "Initial load of UME users to identity store" in the console tree to view the details pane. Make sure that the job is enabled and that the dispatcher is defined.

Note: Before running the job, review the "Destination" tab in both of the passes to make sure that the attributes you need are selected. Here you can add additional attributes or delete the attributes you don't need. Additional privileges which the user should have can be added in the "Destination" tab of the pass "WriteLocalUsers".

2. Choose "Run now".

Inspect the job log to see whether the job has run with errors.

Note: All UME users not already existing in your identity store will be added to the identity store by the job pass "WriteLocalUsers". The job "Initial load of UME users to identity store" will fail (display an error) for each UME user that already exists in the identity store.

Using the User Interface, you can view the UME users in the "Manage" tab:

Make sure that "Person" is selected in the "Show" field and choose "Go" to list all users in the identity store.

Managing the synchronized UME users in the Identity Center

Once the UME users are in your identity store, they can be managed in the Identity Center by using the privileges PRIV:UME and PRIV:MonitoringAdmin, and the imported tasks and jobs (as shown in section describing scenario 1 on page 19).
