7.2 Adding the Organizational Role Class

The SAP User driver can be queried for ACTIVITYGROUP objects and all other PDOBJECTS in the SAP User database so that they may be synchronized into the Identity Vault, and used by the administrator through a browse interface. To do this, the default class mapping must be manually changed to the following:

Identity Vault Class

SAP User Field Description

SAP User Field(s)

Organizational Role

PDOBJECT

Organizational Role

The following sections explain what you need to do to allow support for querying of the Organizational Role class:

7.2.1 Editing the Global Configuration Values

To edit the Global Configuration Values (GCV), follow these steps:

  1. In iManager, browse to the driver, and click the upper right corner of the driver icon.

  2. Select the Edit Properties link.

    The Driver Configuration window is displayed.

  3. Click the Global Config Values tab.

    A list of the existing GCV values is displayed.

  4. Click the Edit XML tab to open the XML Editor window.

  5. Select the Enable XML Editing checkbox and add the following XML code: 

    <definition display-name="Organizational Role Placement" 
dn-space="dirxml" dn-type="slash" name="sap-pdobject-placement" type="dn">
    <description>
      The name of the Organizational Role object under which              published SAP Organizational Roles will be placed.
     </description>
<value> </value>
</definition>

  6. Click Apply and OK to save the changes.

    The updated GCV is now displayed in the list.

  7. Browse and select the container in the Identity Vault where you want to place the Organizational Role.

  8. Click Apply and OK.

7.2.2 Adding a New Placement Rule

A new rule is required in the placement policy, to place the Organizational Role object in. Follow these steps to create the new rule:

  1. In iManager, click on the driver icon.

    The Identity Manager Overview screen is displayed.

  2. In the publisher channel, click on the Placement Policies icon.

    The Publisher Placement policy window is displayed.

  3. Click the existing default publisher placement policy.

    The Policy Rules screen is displayed.

  4. Click the Edit XML tab.

    The XML Editor window is displayed.

  5. Select the Enable XML Editing checkbox and add the following XML code: 

    <rule>
   <description>Organizational Role Placement</description>
   <conditions>
      <or>
        <if-class-name op="equal">
           Organizational Role
        </if-class-name>
      </or>
      <or>
       <if-op-attr name="CN" op="available"/>
      </or>
   </conditions>
   <actions>
     <do-set-op-dest-dn>
       <arg-dn>
       <token-global-variable name="sap-pdobject-placement"/>
       <token-text xml:space="preserve">\</token-text>
       <token-escape-for-dest-dn>
       <token-op-attr name="CN"/>
       </token-escape-for-dest-dn>
       </arg-dn>
     </do-set-op-dest-dn>
    </actions>
</rule>

  6. Click Apply and OK, to save the changes.

  7. Click Close to close the Publisher Placement Policy window.

7.2.3 Modifying the XSLT

The XSLT file must be modified so that it triggers events only for the USER class. To modify the XSLT file, follow these steps:

  1. From the Identity Manager Driver Overview page, click on the Creation Policies icon on the publisher channel of the driver.

    The Publisher Creation Policy window is displayed.

  2. Click the Generate User Name Style Sheet link.

    The XML Editor window is displayed.

  3. Search for the following XML code: <xsl:template match="add">

    Replace it with the following code: 

    <xsl:template match="add[@class-name='User']">

  4. Click Apply and OK to save the changes .

  5. Click Close, to close the Publisher Placement Policy window.

7.2.4 Adding the Organizational Role Class to the Driver Filter

To add the Organizational Role class, and to change the default class mapping, follow these steps:

  1. From the Identity Manager Driver Overview page, click the ‘Driver Filter’ icon in the publisher channel.

  2. Click the Add Class tab.

    A pop-up window is displayed.

  3. Click the Show All Classes link.

    A list of the available classes is displayed in alphabetical order.

  4. Scroll down to the class Organizational Role, and click on it.

  5. In the Application Name field on the right, browse and select the SAP User class PDOBJECT that will be mapped to Organizational Role.

  6. Click Apply to confirm the mapping.

  7. From the filter window, select Organizational Role, and click on the Add Attribute tab.

    A list of the available attributes is displayed.

  8. Select the CN attribute and click OK.

  9. In theApplication Name field on the right, browse and select the SAP attribute OBJECTS:EXT_OBJ_ID

  10. Select Organizational Role again and click the Add Attribute tab.

  11. Select the Description attribute and click OK.

  12. In the Application Name field on your right, browse and select the OBJECTS:LONG_TEXT attribute.

  13. Click Apply.

  14. In the Filter window, select the Organizational Role class.

  15. In the text field on the right, delete PDOBJECT and replace it with AG.

  16. Click Apply to save the changes.

  17. Click Organizational Role and select the Synchronize option in the publisher channel.

  18. Click the CN attribute and select the Synchronize option in the publisher channel.

  19. Click the Description attribute and select the Synchronize option in the publisher channel.

  20. Click Apply and OK to save the changes, and close the Filter window.

7.2.5 Migrating Data into the Identity Vault

To migrate ACTIVITYGROUP objects into the Identity Vault, ensure that the driver is running and follow these steps:

  1. From the Identity Manager Driver Overview window, click Migrate > Migrate into Identity Vault.

    The Migrate Data into the Identity Vault window is displayed.

  2. To migrate a single ACTIVITYGROUP object, follow these steps:

    1. Click the Edit List tab.

      The Edit Migration Criteria dialog box is displayed.

    2. Select the Organizational Role class from the list on the left side of the window.

    3. Select the CN attribute and click OK.

      The Attribute Value dialog box is displayed.

    4. Enter a valid value for the CN attribute and click OK..

      Example of a valid attribute: SAP_ESSUSER

    5. Click OK to confirm the entered value, and close the dialog box.

    6. Click OK again in the Migrate Data into the Identity Vault window, to start the migration.

      You will see that the Success box is now checked, indicating that migration has started.

  3. To migrate all ACTIVITYGROUP objects, follow these steps:

    1. Click the Edit List tab.

      The Edit Migration Criteria dialog box is displayed.

    2. Select the Organizational Role class from the list, and click OK.

    3. Click OK again in the Migrate Data into the Identity Vault window, to start the migration.

To verify that the objects you selected have been migrated successfully, you can browse to the container that you specified in the Organizational Role placement policy. Successful migration can also be verified by looking at the DSTRACE window.