7.1 Modifying Policies and the Filter

You must modify policies and the filter to work with your specific business environment. We recommend that you make modifications in this order:

  1. Modify the Filter (publish and subscribe options) to include additional attributes you want synchronized.

  2. Modify the Mapping policy to include all attributes specified in the Subscriber and Publisher channel filters.

  3. Modify the Input Transform policy.

  4. Modify the Output Transform policy.

  5. Modify the Publisher policies.

  6. Modify the Subscriber policies.

Refer to the following sections for information:

7.1.1 Filter Publish Options

Setting attributes in the filter to publish specifies which classes and attributes are published from the SAP system to the Identity Vault.

The default driver configuration publishes the following User class attributes in the filter.

Class | Attributes
----- | ----------
User  | DirXML-sapLocRoles, DirXML-sapLocProfiles, Given Name, Surname, sapProfiles, sapRoles, sapUsername

7.1.2 Filter Subscribe Options

Setting attributes in the filter to subscribe specifies which classes and attributes are synchronized from the Identity Vault to the SAP system.

The default driver configuration subscribes to the following User class attributes in the filter:

Class | Attributes
----- | ----------
User  | buildingName, costCenter, firstPrefix, floor, Full Name, Given Name, Initials, Internet Email Address, Login Disabled, OU, pager, sapGroups, sapProfiles, sapRoles, Surname, Telephone Number, Title

7.1.3 Schema Mapping Policy

The Schema Mapping policy is referenced by the driver object and applies to both the Subscriber and Publisher channel. The purpose of the Schema Mapping policy is to map schema names (particularly attribute names and class names) between the Identity Vault and the SAP User database. Any modification or removal of existing entries in the Schema Mapping policy could destroy the default configuration and policies processing behavior. Adding new attribute mappings is discretionary.

NOTE: The Application Schema definition in the default driver configuration comes from an SAP R/3 version 4.7 system with Web Application Server version 6.40. If the target SAP system is a different version, the actual User object schema might differ. Refresh the application schema by using the iManager Schema Mapping editor to obtain the actual schema of the target server.

The following class mapping is included with the default driver configuration:

Identity Vault Class | SAP Class | SAP Description
-------------------- | --------- | ---------------
User                 | US        | USER

The User class is configured to synchronize bidirectionally between SAP and the Identity Vault. A change made in one system will transfer to the other system.

All attributes in the Publisher and Subscriber filters should be mapped unless they are used only for policy processing.

SAP User field values can be arranged in three types:

  • Simple fields: These values are not grouped with other fields. The syntax in the schema map is <field name>.

  • Structure fields: These values are grouped with other pieces of data that describe a larger collection of single-instance data. The syntax for these fields in the schema map is <structure name>:<field name>. For example, ADDRESS:TELEPHONE.

  • Table fields: These values are similar to Structure fields, but there can be multiple instances of the structured data. The syntax for these fields in the schema map is <table name>:<field name>. For example, ADDTEL:TELEPHONE.

The following table includes common attribute mappings for the User class and their descriptions, assuming that only the primary piece of structure communication data is required (such as ADDTEL:TELEPHONE). If fields of a table are to be mapped, you should specify only the Table name in the mapping (such as LOCACTIVITYGROUPS). If you do this, the driver generates all table field values in structured format. For more information, see Section F.0, Structured Format Examples. On the Publisher channel, the structured data must be transformed to string format.

The default mappings for the driver are as follows:

Identity Vault Attribute | SAP User Field Description | SAP User Field(s)
------------------------ | -------------------------- | -----------------
DirXML-sapLocRoles | Role for specified CUA logical system | LOCACTIVITYGROUPS:SUBSYSTEM, LOCACTIVITYGROUPS:AGR_NAME
DirXML-sapLocProfiles | Profile for specified CUA logical system | LOCPROFILES:SUBSYSTEM, LOCPROFILES:PROFILE
DirXML-sapVClass | License type classification | UCLASS:LIC_TYPE
DirXML-sapLocVClass | License type classification for specified CUA logical system | UCLASSSYS:RCVSYSTEM, UCLASSSYS:LIC_TYPE
birthName | Name of person at birth | ADDRESS:BIRTH_NAME
buildingName | Building (number or code) | ADDRESS:BUILDING_P
commType | Communication type (key) (central address management) | ADDRESS:COMM_TYPE
company | Company address, cross-system key | COMPANY:COMPANY
costCenter | Cost center | DEFAULTS:KOSTL
Facsimile Telephone Number | Fax number: dialing code+number | ADDFAX:FAX
firstPrefix | Name prefix | ADDRESS:PREFIX1
floor | Floor in building | ADDRESS:FLOOR_P
Full Name | Complete personal name | ADDRESS:FULLNAME
Given Name | First name | ADDRESS:FIRSTNAME
inHouseMail | Int. mail postal code | ADDRESS:INHOUSE_ML
Initials | Middle initial or personal initials | ADDRESS:INITIALS
InitialsSig | Short name for correspondence | ADDRESS:INITS_SIG
Internet EMail Address | Internet mail (SMTP) address | ADDSMTP:E_MAIL
Login Disabled | Lock user account | LOCKUSER
middleName | Middle name or second forename of a person | ADDRESS:MIDDLENAME
nickname | Nickname or name used | ADDRESS:NICKNAME
OU | Department | ADDRESS:DEPARTMENT
pager | Pager number | ADDPAG:PAGER
personalTitle | Title text | ADDRESS:TITLE_P
roomNumber | Room or apartment number | ADDRESS:ROOM_NO_P
sapAlias | Internet user alias | ALIAS:USERALIAS
sapCATT | CATT: test status | DEFAULTS:CATTKENNZ
sapClass | User group in user master maintenance | LOGONDATA:CLASS
sapDateFormat | Date format | DEFAULTS:DATFM
sapDecimalFormat | Decimal notation | DEFAULTS:DCPFM
sapGroups | User group in user master maintenance | GROUPS:USERGROUP
sapLoginLanguage | Language | DEFAULTS:LANGU
sapParameters | Get/Set parameter ID and parameter values | PARAMETER:PAR10
sapPrintParam1 | Print parameter 1 | DEFAULTS:SPLG
sapPrintParam2 | Print parameter 2 | DEFAULTS:SPDB
sapPrintParam3 | Print parameter 3 | DEFAULTS:SPDA
sapProfiles | Profile name | PROFILES:BAPIPROF
sapRefUser | User name in user master record | REF_USER:REF_USER
sapRoles | Role name | ACTIVITYGROUPS:AGR_NAME
sapSncGuiFlag | Unsecure communication permitted flag | SNC:GUIFLAG
sapSncName | Secure network communication printable name | SNC:PNAME
sapSpool | Spool: output device | DEFAULTS:SPLD
sapStartMenu | Start menu | DEFAULTS:START_MENU
sapTimeZone | Time zone | LOGONDATA:TZONE
sapUsername | User name | USERNAME:BAPIBNAME
sapUserType | User type | LOGONDATA:USTYP
sapValidFrom | User valid from | LOGONDATA:GLTGV
sapValidTo | User valid to | LOGONDATA:GLTGB
secondName | Second surname of a person | LOGONDATA:SECONDNAME
secondPrefix | Name prefix | ADDRESS:PREFIX2
Surname | Last name | ADDRESS:LASTNAME
Telephone Number | Telephone no.: dialing code+number | ADDTEL:TELEPHONE
telexNumber | Telex number | ADDTLX:TELEX_NO
Title | Function | ADDRESS:FUNCTION
titleAcademic1 | Academic title: written form | ADDRESS:TITLE_ACA1
titleAcademic2 | Academic title: written form | ADDRESS:TITLE_ACA2

NOTE: The LOCKUSER attribute does not actually exist in SAP. This pseudo-attribute is used by the driver to determine when to call the USER_LOCK and USER_UNLOCK BAPI functions.

7.1.4 Input Transform Policy

You modify the Input Transform policy to implement your specific business rules. The Input Transform policy is applied to effect a transformation of the data received from the driver shim.

The policy is applied as the first step of processing an XML document received from the driver shim. The Input Transform policy converts the syntax of the SAP attributes into the syntax for the Identity Vault.

The default driver configuration includes two rules that perform the following functions:

  • Transforming LOCACTIVITYGROUPS from structured format to string format.

  • Transforming LOCPROFILES from structured format to string format.

7.1.5 Output Transform Policy

You modify the Output Transform policy to implement your specific business rules. The Output Transformation policy is referenced by the driver object and applies to both the Subscriber channel and to the Publisher channel. The purpose of the Output Transformation policy is to perform any final transformation necessary on XML documents sent to the driver by Identity Manager.

The default driver configuration:

  • Transforms LOCACTIVITYGROUPS from string format to structured format.

  • Transforms LOCPROFILES from string format to structured format.

  • Adds the driver’s LOCACTIVITYGROUPS attribute to Modify events with the from-merge attribute set.

  • Transforms the pseudo-attribute LOCKUSER value from a true/false format to a 1/0 format.

  • Transforms ADDFAX:FAX values from structured format to string format.

  • Adds USERNAME:BAPIBNAME to the Queries style sheet (this invokes the driver’s wildcard search functionality; see Section H.0, Using Wildcard Search Capabilities).
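The conversion between the string format stored in the Identity Vault ("SUBSYSTEM:AGR_NAME", for example ADMCLNT100:SAP_EMPLOYEE) and the structured format the driver generates for a table mapping such as LOCACTIVITYGROUPS, as an added Python example covering the field-format description in 7.1.3 and the default rules in 7.1.4 and 7.1.5. This is illustration, not the driver's own DirXML Script policies; it assumes the Identity Manager structured-value layout of a <value type="structured"> element holding one <component name="..."> per table field, and the sample input is constructed.

```python
import xml.etree.ElementTree as ET

# Components of the LOCACTIVITYGROUPS table, in mapping-table order (7.1.3).
LOC_FIELDS = ("SUBSYSTEM", "AGR_NAME")

def structured_to_string(value_el, fields=LOC_FIELDS):
    """Input Transform direction: <value type="structured"> -> "SUBSYSTEM:AGR_NAME".
    A missing component becomes an empty segment, so "DRVCLNT100:" (a logical
    system with no role, as in the 7.1.10 sample values) survives the round trip."""
    comps = {c.get("name"): (c.text or "").strip() for c in value_el.findall("component")}
    unknown = set(comps) - set(fields)
    if unknown:
        raise ValueError(f"unexpected components: {sorted(unknown)}")
    return ":".join(comps.get(f, "") for f in fields)

def string_to_structured(text, fields=LOC_FIELDS):
    """Output Transform direction: "SUBSYSTEM:AGR_NAME" -> <value type="structured">.
    The <value>/<component> layout is an assumption about IDM's structured syntax."""
    parts = text.split(":", len(fields) - 1)
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} ':'-separated segments: {text!r}")
    value_el = ET.Element("value", {"type": "structured"})
    for name, part in zip(fields, parts):
        ET.SubElement(value_el, "component", {"name": name}).text = part
    return value_el

def modify_attr_to_strings(xml_text):
    """Return the string-format values of a <modify-attr> fragment received from
    the shim, as the default Input Transform rule would emit them."""
    root = ET.fromstring(xml_text)
    return [structured_to_string(v) for v in root.iter("value") if v.get("type") == "structured"]

# Constructed sample of the structured form the driver generates for a table mapping.
SAMPLE_STRUCTURED = """<modify-attr attr-name="LOCACTIVITYGROUPS">
  <add-value>
    <value type="structured">
      <component name="SUBSYSTEM">ADMCLNT100</component>
      <component name="AGR_NAME">SAP_EMPLOYEE</component>
    </value>
    <value type="structured"><component name="SUBSYSTEM">DRVCLNT100</component></value>
  </add-value>
</modify-attr>"""

if __name__ == "__main__":
    for s in modify_attr_to_strings(SAMPLE_STRUCTURED):
        print(s, "->", ET.tostring(string_to_structured(s), encoding="unicode"))
```

The same two functions serve LOCPROFILES by passing ("SUBSYSTEM", "PROFILE") as the fields argument.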

7.1.6 Publisher Placement Policy

The Publisher Placement policy is applied to an Add Object event document to determine the placement of the new object in the hierarchical structure of the Identity Vault.

The Placement policy places all User objects in an Identity Vault container that you specify during installation. You can also modify this location by using the Publisher User Placement Global Configuration Variable (GCV).

The default driver configuration:

  • Appends <remove-association> to Delete events; it’s used in conjunction with the Publisher Command Transformation policy.

7.1.7 Publisher Matching Policy

The Publisher Matching policy is applied to a Modify Object event document. Matching policies establish links between an existing entry in the Identity Vault and an existing entry in the SAP system. The Matching policy attempts to find an existing object that matches the object generating the event by the criteria specified in the policy.

The default driver checks for matches based on the sapUsername attribute. A fallback policy is also provided that checks for matches on the Given Name and Surname attributes.

7.1.8 Publisher Create Policy

The Publisher Create policy is applied when a new object is to be added to the Identity Vault. The default driver configuration:

  • Creates a User object (Surname and Given Name attributes are required)

  • Generates a unique CN based on Given Name and Surname attributes

  • Sets the initial account password on creation. Allows an administrator or user to reset or change passwords.

7.1.9 Subscriber Matching Policy

The Subscriber Matching policy is applied to a Modify Object event document. Matching policies establish links between an existing entry in the Identity Vault and an existing entry in the SAP system. The Matching policy attempts to find an existing object that matches the object generating the event by the criteria specified in the policy.

The default driver checks for matches based on the values of the Given Name, Surname, and sapUsername attributes.

If you do not have an association in your query, the SAP system performs a full table scan of the user table. This might cause a long delay in receiving a reply from the matching query.

If the specified user name is known in SAP, adding an association value reduces the query to a single object. You can use the following Output Transformation policy to add the association.

    <rule>
      <description>Add association value to matching queries</description>
      <conditions>
        <and>
          <if-operation op="equal">query</if-operation>
          <if-xpath op="not-true">association</if-xpath>
          <if-xpath op="true">search-attr[@attr-name="USERNAME:BAPIBNAME"]/value</if-xpath>
        </and>
      </conditions>
      <actions>
        <do-append-xml-element expression="." name="association"/>
        <do-append-xml-text expression="association">
          <arg-string>
            <token-text xml:space="preserve">USd</token-text>
            <token-upper-case>
              <token-xpath expression='search-attr[@attr-name="USERNAME:BAPIBNAME"]/value/text()'/>
            </token-upper-case>
          </arg-string>
        </do-append-xml-text>
      </actions>
    </rule>
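An added Python rendering of the rule above, applied to a constructed Subscriber matching query; it is illustration, not the driver's own code, and it assumes the query document shape shown in the sample (an <input> wrapper around <query> and <search-attr> elements). The conditions mirror the rule, so a query that already carries an association, or that has no USERNAME:BAPIBNAME search attribute, passes through unchanged and would still trigger the full table scan described above.

```python
import xml.etree.ElementTree as ET

ASSOC_PREFIX = "USd"   # association prefix used by the policy on the page

def add_association_to_query(query_el):
    """Apply the rule's conditions and actions to one <query> element.
    Returns True when an association was appended, False when a condition failed."""
    if query_el.tag != "query":                      # <if-operation op="equal">query
        return False
    if query_el.find("association") is not None:     # <if-xpath op="not-true">association
        return False
    value = query_el.find('search-attr[@attr-name="USERNAME:BAPIBNAME"]/value')
    # The rule only tests that the node exists; an empty value is rejected here too,
    # so an association consisting of the bare prefix is never produced.
    if value is None or not (value.text or "").strip():
        return False
    assoc = ET.SubElement(query_el, "association")   # <do-append-xml-element>
    assoc.text = ASSOC_PREFIX + value.text.strip().upper()   # <do-append-xml-text>
    return True

def transform_document(xml_text):
    """Apply the rule to every <query> in a document and return the new XML text."""
    root = ET.fromstring(xml_text)
    for q in root.iter("query"):
        add_association_to_query(q)
    return ET.tostring(root, encoding="unicode")

def association_of(xml_text):
    """Association text of the first <query> in the document, or None."""
    a = ET.fromstring(xml_text).find("query/association")
    return None if a is None else a.text

# Constructed matching query as the Subscriber channel might send it to the driver.
SAMPLE_QUERY = """<input>
  <query class-name="US" event-id="0" scope="subtree">
    <search-class class-name="US"/>
    <search-attr attr-name="USERNAME:BAPIBNAME"><value>jsmith</value></search-attr>
    <read-attr attr-name="ADDRESS:FIRSTNAME"/>
  </query>
</input>"""

if __name__ == "__main__":
    print(transform_document(SAMPLE_QUERY))
```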

7.1.10 Subscriber Create Policy

The Subscriber Create policy is applied when you want to add a new object to the Identity Vault. The default driver configuration:

  • Ensures that the Surname and Given Name attributes are present.

  • Generates a unique CN based on the Given Name and Surname attributes.

  • Appends the sapUserType attribute with a value of A.

  • Sets the initial password (the driver can also set and manage persistent passwords in the SAP system).

  • Sets a default sapRoles value of SAP_ESSUSER.

  • Sets a default sapProfiles value of SAP_NEW.

  • Adds the following sample DirXML-sapLocRole values: DRVCLNT100:, ADMCLNT100:SAP_EMPLOYEE, and ADMCLNT500:SAP_ESSUSER.

  • Adds the following sample DirXML-sapLocProfiles values: DRVCLNT100:, ADMCLNT100:SAP_ALL, and ADMCLNT500:SAP_NEW.