8.1 Using Policies

Policies are highly configurable for use within any business environment.

The default driver is configured to be primarily a Subscriber channel driver. This means the primary purpose is to create SAP User accounts using information collected in the Identity Vault. The default configuration does allow basic bidirectional User create, delete, and modify functionality.

8.1.1 Modifying Policies and the Filter

You must modify policies and the filter to work with your specific business environment. We recommend that you make modifications in this order:

  1. Modify the Filter (publish and subscribe options) to include additional attributes you want synchronized.

  2. Modify the Mapping policy to include all attributes specified in the Subscriber and Publisher channel filters.

  3. Modify the InputTransform policy

  4. Modify the OutputTransform policy

  5. Modify the Publisher policies

  6. Modify the Subscriber policies

Setting the Filter: Publish Options

Setting attributes in the filter to “publish” specifies which classes and attributes are published from the SAP system to eDirectory.

The default driver configuration publishes the following User class attributes in the filter.

Class    Attributes
User     DirXML-sapLocRoles
         DirXML-sapLocProfiles
         Given Name
         Surname
         sapProfiles
         sapRoles
         sapUsername

Setting the Filter: Subscription Options

Setting attributes in the filter to “subscribe” specifies which classes and attributes are synchronized from eDirectory to the SAP system.

The default driver configuration subscribes to the following User class attributes in the filter:

Class    Attributes
User     buildingName
         costCenter
         firstPrefix
         floor
         Full Name
         Given Name
         Initials
         Internet Email Address
         Login Disabled
         OU
         pager
         sapGroups
         sapProfiles
         sapRoles
         Surname
         Telephone Number
         Title

The Schema Mapping Policy

The Schema Mapping policy is referenced by the driver object and applies to both the Subscriber and Publisher channels. The purpose of the Schema Mapping policy is to map schema names (particularly attribute names and class names) between eDirectory and the SAP User database. Modifying or removing existing entries in the Schema Mapping policy can break the default configuration and the processing behavior of its policies. Adding new attribute mappings is discretionary.

NOTE: The Application Schema definition in the default driver configuration is from an SAP R/3 version 4.7 system with Web Application Server version 6.40. If the target SAP system is a different version, the actual User object schema might be different. Refresh the application schema by using the iManager Schema Mapping editor to obtain the actual schema of the target server.

The following class mapping is included with the default driver configuration:

eDirectory Class    SAP Class    SAP Description
User                US           USER

The User class is configured to synchronize bidirectionally between SAP and eDirectory. A change made in one system will transfer to the other system.

All attributes in the Publisher and Subscriber filters should be mapped unless they are used only for policy processing.

SAP User field values come in three types:

  • Simple fields: These values are not grouped with other fields. The syntax in the schema map is <field name>.

  • Structure fields: These values are grouped with other pieces of data that describe a larger collection of single-instance data. The syntax for these fields in the schema map is <structure name>:<field name>. For example, ADDRESS:TELEPHONE.

  • Table fields: These values are similar to Structure fields, but there can be multiple instances of the structured data. The syntax for these fields in the schema map is <table name>:<field name>. For example, ADDTEL:TELEPHONE.

The following table includes common attribute mappings for the User class and their descriptions, assuming that only the primary piece of structure communication data is required (such as ADDTEL:TELEPHONE). If fields of a table are to be mapped, you should specify only the Table name in the mapping (such as LOCACTIVITYGROUPS). If you do this, the driver generates all table field values in structured format. For more information, see Section C.0, Structured Format Examples. On the Publisher channel, the structured data must be transformed to string format.

The Schema Mapping policy is highly dependent on the extension of the standard eDirectory schema. The extensions used by the driver come in the form of an LDIF file created by SAP for use with the SAP directory interfaces for user management. A Novell-standard .sch version of the file is also provided. These files are included with the driver. Refer to Extending the Schema for more information.
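The requirement that every attribute in the Publisher and Subscriber filters has a Schema Mapping entry (unless it is used only for policy processing) can be checked mechanically before the driver is started. The following Python script is an added example, not part of this documentation or of the driver: it reads a driver filter and a Schema Mapping policy and lists filter attributes that have no mapping. The element layout it expects (filter/class-name/attr-name for the filter, attr-name-map/attr-name/nds-name/app-name for the mapping policy) is the layout Identity Manager stores for those documents, assumed here from memory; the two sample documents are constructed for the example, cover only a handful of the default mappings, and leave "Full Name" unmapped on purpose so the check has something to report.

```python
"""Check that every synchronized filter attribute has a Schema Mapping entry.

Added example (not the Novell documentation's or the driver's own code).
Assumed document layouts: <filter>/<class-name>/<attr-name> for the driver
filter and <attr-name-map>/<attr-name>/<nds-name>,<app-name> for the Schema
Mapping policy.  Sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample filter: User class with a mix of mapped and unmapped
# attributes.  "Login Disabled" maps to the LOCKUSER pseudo-attribute;
# "Full Name" is deliberately left out of the sample mapping.
FILTER_XML = """
<filter>
  <class-name class-name="User" publisher="sync" subscriber="sync">
    <attr-name attr-name="Given Name" publisher="sync" subscriber="sync"/>
    <attr-name attr-name="Surname" publisher="sync" subscriber="sync"/>
    <attr-name attr-name="Login Disabled" publisher="ignore" subscriber="sync"/>
    <attr-name attr-name="Full Name" publisher="ignore" subscriber="sync"/>
    <attr-name attr-name="sapUsername" publisher="sync" subscriber="ignore"/>
  </class-name>
</filter>
"""

# Constructed sample Schema Mapping policy: a subset of the default mappings.
MAPPING_XML = """
<attr-name-map>
  <class-name>
    <nds-name>User</nds-name>
    <app-name>US</app-name>
  </class-name>
  <attr-name class-name="User">
    <nds-name>Given Name</nds-name>
    <app-name>ADDRESS:FIRSTNAME</app-name>
  </attr-name>
  <attr-name class-name="User">
    <nds-name>Surname</nds-name>
    <app-name>ADDRESS:LASTNAME</app-name>
  </attr-name>
  <attr-name class-name="User">
    <nds-name>Login Disabled</nds-name>
    <app-name>LOCKUSER</app-name>
  </attr-name>
  <attr-name class-name="User">
    <nds-name>sapUsername</nds-name>
    <app-name>USERNAME:BAPIBNAME</app-name>
  </attr-name>
</attr-name-map>
"""


def filter_attributes(filter_xml):
    """Return {class: set(attributes)} for attributes synchronized on at
    least one channel (publisher or subscriber set to "sync")."""
    result = {}
    root = ET.fromstring(filter_xml)
    for cls in root.findall("class-name"):
        attrs = set()
        for a in cls.findall("attr-name"):
            if "sync" in (a.get("publisher"), a.get("subscriber")):
                attrs.add(a.get("attr-name"))
        result[cls.get("class-name")] = attrs
    return result


def mapped_attributes(mapping_xml):
    """Return {class: {eDirectory attribute: SAP field}} from an attr-name-map."""
    result = {}
    root = ET.fromstring(mapping_xml)
    for entry in root.findall("attr-name"):
        cname = entry.get("class-name")
        result.setdefault(cname, {})[entry.findtext("nds-name")] = entry.findtext("app-name")
    return result


def unmapped_filter_attributes(filter_xml, mapping_xml):
    """Attributes the filter synchronizes but the mapping does not name.
    Each one either needs a mapping entry or must be confirmed as
    policy-only (used in rules, never sent to SAP)."""
    fattrs = filter_attributes(filter_xml)
    mattrs = mapped_attributes(mapping_xml)
    missing = {}
    for cname, attrs in fattrs.items():
        gap = sorted(attrs - set(mattrs.get(cname, {})))
        if gap:
            missing[cname] = gap
    return missing


if __name__ == "__main__":
    for cname, attrs in unmapped_filter_attributes(FILTER_XML, MAPPING_XML).items():
        print(f"{cname}: unmapped attributes -> {', '.join(attrs)}")
```

Run against the exported filter and Schema Mapping policy of a real driver, the output is the list of attributes to either map or document as policy-only; an attribute set to "ignore" on both channels is not reported because the engine never sends it.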

The default mappings for the driver are as follows:

eDirectory Attribute        SAP User Field(s)             SAP User Field Description
DirXML-sapLocRoles          LOCACTIVITYGROUPS:SUBSYSTEM   Role for specified CUA logical system
                            LOCACTIVITYGROUPS:AGR_NAME
DirXML-sapLocProfiles       LOCPROFILES:SUBSYSTEM         Profile for specified CUA logical system
                            LOCPROFILES:PROFILE
DirXML-sapVClass            UCLASS:LIC_TYPE               License type classification
DirXML-sapLocVClass         UCLASSSYS:RCVSYSTEM           License type classification for specified CUA Logical System
                            UCLASSSYS:LIC_TYPE
birthName                   ADDRESS:BIRTH_NAME            Name of person at birth
buildingName                ADDRESS:BUILDING_P            Building (number or code)
commType                    ADDRESS:COMM_TYPE             Communication type (key) (Central address management)
company                     COMPANY:COMPANY               Company address, cross-system key
costCenter                  DEFAULTS:KOSTL                Cost center
Facsimile Telephone Number  ADDFAX:FAX                    Fax number: dialing code+number
firstPrefix                 ADDRESS:PREFIX1               Name prefix
floor                       ADDRESS:FLOOR_P               Floor in building
Full Name                   ADDRESS:FULLNAME              Complete personal name
Given Name                  ADDRESS:FIRSTNAME             First name
inHouseMail                 ADDRESS:INHOUSE_ML            Int. mail postal code
Initials                    ADDRESS:INITIALS              Middle Initial or personal initials
InitialsSig                 ADDRESS:INITS_SIG             Short name for correspondence
Internet EMail Address      ADDSMTP:E_MAIL                Internet mail (SMTP) address
Login Disabled              LOCKUSER                      Lock User account
middleName                  ADDRESS:MIDDLENAME            Middle name or second forename of a person
nickname                    ADDRESS:NICKNAME              Nickname or name used
OU                          ADDRESS:DEPARTMENT            Department
pager                       ADDPAG:PAGER                  Pager number
personalTitle               ADDRESS:TITLE_P               Title text
roomNumber                  ADDRESS:ROOM_NO_P             Room or apartment number
sapAlias                    ALIAS:USERALIAS               Internet user alias
sapCATT                     DEFAULTS:CATTKENNZ            CATT: Test status
sapClass                    LOGONDATA:CLASS               User group in user master maintenance
sapDateFormat               DEFAULTS:DATFM                Date format
sapDecimalFormat            DEFAULTS:DCPFM                Decimal Notation
sapGroups                   GROUPS:USERGROUP              User group in user master maintenance
sapLoginLanguage            DEFAULTS:LANGU                Language
sapParameters               PARAMETER:PAR10               Get/Set parameter ID and parameter values
sapPrintParam1              DEFAULTS:SPLG                 Print parameter 1
sapPrintParam2              DEFAULTS:SPDB                 Print parameter 2
sapPrintParam3              DEFAULTS:SPDA                 Print parameter 3
sapProfiles                 PROFILES:BAPIPROF             Profile name
sapRefUser                  REF_USER:REF_USER             User name in user master record
sapRoles                    ACTIVITYGROUPS:AGR_NAME       Role Name
sapSncGuiFlag               SNC:GUIFLAG                   Unsecure communication permitted flag
sapSncName                  SNC:PNAME                     Secure network communication printable name
sapSpool                    DEFAULTS:SPLD                 Spool: Output device
sapStartMenu                DEFAULTS:START_MENU           Start Menu
sapTimeZone                 LOGONDATA:TZONE               Time zone
sapUsername                 USERNAME:BAPIBNAME            User Name
sapUserType                 LOGONDATA:USTYP               User Type
sapValidFrom                LOGONDATA:GLTGV               User valid from
sapValidTo                  LOGONDATA:GLTGB               User valid to
secondName                  LOGONDATA:SECONDNAME          Second surname of a person
secondPrefix                ADDRESS:PREFIX2               Name prefix
Surname                     ADDRESS:LASTNAME              Last name
Telephone Number            ADDTEL:TELEPHONE              Telephone no.: dialing code+number
telexNumber                 ADDTLX:TELEX_NO               Telex Number
Title                       ADDRESS:FUNCTION              Function
titleAcademic1              ADDRESS:TITLE_ACA1            Academic title: written form
titleAcademic2              ADDRESS:TITLE_ACA2            Academic title: written form

NOTE: The LOCKUSER attribute does not actually exist in SAP. This pseudo-attribute is used by the driver to determine when to call the USER_LOCK and USER_UNLOCK BAPI functions.

Adding the Organizational Role Class

The SAP User driver can be queried for ACTIVITYGROUP objects and all other PDOBJECTS in the SAP User database so that they may be synchronized into eDirectory, and used by the administrator through a browse interface. To do this, the default class mapping must be manually changed to the following:

eDirectory Class       SAP Class    SAP Description
Organizational Role    PDOBJECT     Organizational Role

The following sections explain what you need to do to support querying the Organizational Role class:

Editing the Global Configuration Values

To edit the Global Configuration Values (GCV), follow these steps:

  1. In iManager, browse to the driver, and click the upper right corner of the driver icon.

  2. Select the Edit Properties link.

    The Driver Configuration window is displayed.

  3. Click the Global Config Values tab.

    A list of the existing GCV values is displayed.

  4. Click the Edit XML tab to open the XML Editor window.

  5. Select the Enable XML Editing checkbox and add the following XML code:

    <definition display-name="Organizational Role Placement"
                dn-space="dirxml" dn-type="slash" name="sap-pdobject-placement" type="dn">
      <description>
        The name of the Organizational Role object under which published SAP Organizational Roles will be placed.
      </description>
      <value> </value>
    </definition>

  6. Click Apply and OK to save the changes.

    The updated GCV is now displayed in the list.

  7. Browse and select the container in eDirectory you want to place Organizational Role in.

  8. Click Apply and OK.

Adding a New Placement Rule

A new rule is required in the Publisher Placement policy to place Organizational Role objects. Follow these steps to create the new rule:

  1. In iManager, click on the driver icon.

    The Identity Manager Overview screen is displayed.

  2. In the publisher channel, click on the Placement Policies icon.

    The Publisher Placement policy window is displayed.

  3. Click the existing default publisher placement policy.

    The Policy Rules screen is displayed.

  4. Click the Edit XML tab.

    The XML Editor window is displayed.

  5. Select the Enable XML Editing checkbox and add the following XML code:

    <rule>
      <description>Organizational Role Placement</description>
      <conditions>
        <or>
          <if-class-name op="equal">Organizational Role</if-class-name>
        </or>
        <or>
          <if-op-attr name="CN" op="available"/>
        </or>
      </conditions>
      <actions>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-global-variable name="sap-pdobject-placement"/>
            <token-text xml:space="preserve">\</token-text>
            <token-escape-for-dest-dn>
              <token-op-attr name="CN"/>
            </token-escape-for-dest-dn>
          </arg-dn>
        </do-set-op-dest-dn>
      </actions>
    </rule>

  6. Click Apply and OK, to save the changes.

  7. Click Close to close the Publisher Placement Policy window.

Modifying the XSLT

The XSLT file must be modified so that it triggers events only for the USER class. To modify the XSLT file, follow these steps:

  1. From the Identity Manager Driver Overview page, click on the Creation Policies icon on the publisher channel of the driver.

    The Publisher Creation Policy window is displayed.

  2. Click the Generate User Name Style Sheet link.

    The XML Editor window is displayed.

  3. Search for the following XML code: <xsl:template match="add">

    Replace it with the following code:

    <xsl:template match="add[@class-name='User']">
    
  4. Click Apply and OK to save the changes.

  5. Click Close to close the Publisher Placement Policy window.

Adding the Organizational Role Class to the Driver Filter

To add the Organizational Role class, and to change the default class mapping, follow these steps:

  1. From the Identity Manager Driver Overview page, click the ‘Driver Filter’ icon in the publisher channel.

  2. Click the Add Class tab.

    A pop-up window is displayed.

  3. Click the Show All Classes link.

    A list of the available classes is displayed in alphabetical order.

  4. Scroll down to the class Organizational Role, and click on it.

  5. In the Application Name field on the right, browse and select the SAP User class PDOBJECT that will be mapped to Organizational Role.

  6. Click Apply to confirm the mapping.

  7. From the filter window, select Organizational Role, and click on the Add Attribute tab.

    A list of the available attributes is displayed.

  8. Select the CN attribute and click OK.

  9. In the Application Name field on the right, browse and select the SAP attribute OBJECTS:EXT_OBJ_ID.

  10. Select Organizational Role again and click the Add Attribute tab.

  11. Select the Description attribute and click OK.

  12. In the Application Name field on your right, browse and select the OBJECTS:LONG_TEXT attribute.

  13. Click Apply.

  14. In the Filter window, select the Organizational Role class.

  15. In the text field on the right, delete PDOBJECT and replace it with AG.

  16. Click Apply to save the changes.

  17. Click Organizational Role and select the Synchronize option in the publisher channel.

  18. Click the CN attribute and select the Synchronize option in the publisher channel.

  19. Click the Description attribute and select the Synchronize option in the publisher channel.

  20. Click Apply and OK to save the changes, and close the Filter window.

Migrating Data into the Identity Vault

To migrate ACTIVITYGROUP objects into the Identity Vault, ensure that the driver is running and follow these steps:

  1. From the Identity Manager Driver Overview window, click Migrate > Migrate into Identity Vault.

    The Migrate Data into the Identity Vault window is displayed.

  2. To migrate a single ACTIVITYGROUP object, follow these steps:

    1. Click the Edit List tab.

      The Edit Migration Criteria dialog box is displayed.

    2. Select the Organizational Role class from the list on the left side of the window.

    3. Select the CN attribute and click OK.

      The Attribute Value dialog box is displayed.

    4. Enter a valid value for the CN attribute and click OK.

      Example of a valid attribute: SAP_ESSUSER

    5. Click OK to confirm the entered value, and close the dialog box.

    6. Click OK again in the Migrate Data into the Identity Vault window to start the migration.

      You will see that the Success box is now checked, indicating that migration has started.

  3. To migrate all ACTIVITYGROUP objects, follow these steps:

    1. Click the Edit List tab.

      The Edit Migration Criteria dialog box is displayed.

    2. Select the Organizational Role class from the list, and click OK.

    3. Click OK again in the Migrate Data into the Identity Vault window to start the migration.

NOTE: To verify that the objects you selected have been migrated successfully, browse to the container that you specified in the Organizational Role placement policy. Successful migration can also be verified in the DSTRACE window.

The Input Transform Policy

You modify the Input Transform policy to implement your specific business rules. The Input Transform policy is applied to transform the data received from the driver shim.

The policy is applied as the first step of processing an XML document received from the driver shim. The Input Transform policy converts the syntax of the SAP attributes into the syntax for eDirectory.

The default driver configuration includes two rules that perform the following functions:

  • Transforming LOCACTIVITYGROUPS from structured format to string format.

  • Transforming LOCPROFILES from structured format to string format.

Modifying the Output Transform Policy

You modify the Output Transform policy to implement your specific business rules. The Output Transformation policy is referenced by the driver object and applies to both the Subscriber channel and to the Publisher channel. The purpose of the Output Transformation policy is to perform any final transformation necessary on XML documents sent to the driver by Identity Manager.

The default driver configuration:

  • Transforms LOCACTIVITYGROUPS from string format to structured format.

  • Transforms LOCPROFILES from string format to structured format.

  • Adds the driver’s LOCACTIVITYGROUPS attribute to Modify events with the from-merge attribute set.

  • Transforms the pseudo-attribute LOCKUSER value from a true/false format to a 1/0 format.

  • Transforms ADDFAX:FAX values from structured format to string format.

  • Adds USERNAME:BAPIBNAME to the Queries style sheet (invokes the driver’s wildcard search functionality; see Section E.0, Using Wildcard Search Capabilities.)
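The first two rules of the Input Transform (structured to string) and the first two rules of the Output Transform (string to structured), together with the LOCKUSER true/false to 1/0 step, are easiest to understand on a concrete event document. The following Python script is an added example, not the driver's own policies: it reproduces those conversions on a constructed add event so the before and after shapes can be checked offline. It assumes that a structured value is an Identity Manager <value type="structured"> element with one <component name="..."> per table field, and that the string form is SUBSYSTEM:FIELD, which is the layout of the sample values (DRVCLNT100:, ADMCLNT100:SAP_EMPLOYEE) listed for the Subscriber Create policy; the empty role after the colon in DRVCLNT100: is the edge case the conversion has to preserve.

```python
"""Structured <-> string conversion for CUA-distributed roles and profiles.

Added example, not the driver's own Input or Output Transformation rules.
Assumed layout: structured values are <value type="structured"> elements
holding one <component name="..."> per table field; the string form is
SUBSYSTEM:FIELD.  The event document below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# SAP table -> (key component, value component); SUBSYSTEM leads the string.
TABLE_FIELDS = {
    "LOCACTIVITYGROUPS": ("SUBSYSTEM", "AGR_NAME"),
    "LOCPROFILES": ("SUBSYSTEM", "PROFILE"),
}


def structured_to_string(attr):
    """Input Transformation direction: every structured <value> under the
    attribute element becomes a SUBSYSTEM:FIELD string.  Returns the strings."""
    key, field = TABLE_FIELDS[attr.get("attr-name")]
    out = []
    for value in list(attr.iter("value")):
        if value.get("type") != "structured":
            continue
        comps = {c.get("name"): (c.text or "") for c in value.findall("component")}
        text = f"{comps.get(key, '')}:{comps.get(field, '')}"
        for comp in list(value):
            value.remove(comp)
        value.set("type", "string")
        value.text = text
        out.append(text)
    return out


def string_to_structured(attr):
    """Output Transformation direction: split each SUBSYSTEM:FIELD string
    into two components.  "DRVCLNT100:" (nothing after the colon) yields an
    empty FIELD component, i.e. a system assignment with no role/profile."""
    key, field = TABLE_FIELDS[attr.get("attr-name")]
    out = []
    for value in list(attr.iter("value")):
        if value.get("type") == "structured":
            continue
        system, _, name = (value.text or "").partition(":")
        value.text = None
        value.set("type", "structured")
        ET.SubElement(value, "component", name=key).text = system
        ET.SubElement(value, "component", name=field).text = name
        out.append((system, name))
    return out


def lockuser_to_sap(value):
    """LOCKUSER pseudo-attribute: Login Disabled true/false -> 1/0 for the shim."""
    return "1" if str(value).strip().lower() == "true" else "0"


# Constructed add event as it looks after schema mapping on the Subscriber
# channel (SAP attribute names), using the Subscriber Create sample values.
SAMPLE_ADD = """
<add class-name="US" src-dn="\\data\\users\\jdoe">
  <add-attr attr-name="LOCACTIVITYGROUPS">
    <value type="string">DRVCLNT100:</value>
    <value type="string">ADMCLNT100:SAP_EMPLOYEE</value>
    <value type="string">ADMCLNT500:SAP_ESSUSER</value>
  </add-attr>
  <add-attr attr-name="LOCKUSER">
    <value type="state">true</value>
  </add-attr>
</add>
"""


def round_trip(add_xml=SAMPLE_ADD):
    """Apply the Output Transformation direction, then convert back as the
    Input Transformation would; returns (components, strings, lockuser)."""
    root = ET.fromstring(add_xml)
    roles = root.find("add-attr[@attr-name='LOCACTIVITYGROUPS']")
    components = string_to_structured(roles)
    strings = structured_to_string(roles)
    lock = root.findtext("add-attr[@attr-name='LOCKUSER']/value")
    return components, strings, lockuser_to_sap(lock)


if __name__ == "__main__":
    comps, strs, lock = round_trip()
    print("structured:", comps)
    print("string:    ", strs)
    print("LOCKUSER:  ", lock)
```

The same two functions handle LOCPROFILES by swapping the table name, since only the name of the second component differs. If the string form loses the trailing colon on DRVCLNT100:, partition() still yields an empty component, which is the conservative outcome; a policy that builds the string must therefore keep the colon so that an assignment with no role is distinguishable from a malformed value.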

The Publisher Placement Policy

The Publisher Placement policy is applied to an Add Object event document to determine the placement of the new object in the hierarchical structure of eDirectory.

The Placement policy places all User objects in an eDirectory container that you specify during installation. You can also modify this location by using the Publisher User Placement Global Configuration Variable (GCV).

The default driver configuration:

  • Appends <remove-association> to Delete events; this is used in conjunction with the Publisher Command Transformation policy.

The Publisher Matching Policy

The Publisher Matching policy is applied to a Modify Object event document. Matching policies establish links between an existing entry in eDirectory and an existing entry in the SAP system. The Matching policy attempts to find an existing object that matches the object generating the event by the criteria specified in the policy.

The default driver checks for matches based on the sapUsername attribute. A fallback policy is also provided that checks for matches on the Given Name and Surname attributes.

The Publisher Create Policy

The Publisher Create policy is applied when a new object is to be added to eDirectory. The default driver configuration:

  • Creates a User object (Surname and Given Name attributes are required)

  • Generates a unique CN based on Given Name and Surname attributes

  • Sets the initial account password on creation. Allows an administrator or user to reset or change passwords.

The Subscriber Matching Policy

The Subscriber Matching policy is applied to a Modify Object event document. Matching policies establish links between an existing entry in the Identity Vault and an existing entry in the SAP system. The Matching policy attempts to find an existing object that matches the object generating the event by the criteria specified in the policy.

The default driver checks for matches based on the values of the Given Name, Surname, and sapUsername attributes.

If you do not have an association in your query, the SAP system performs a full table scan of the user table. This might cause a long delay in receiving a reply from the matching query.

If the specified user name is known in SAP, adding an association value reduces the query to a single object. You can use the following Output Transformation policy to add the association.

<rule>
  <description>Add association value to matching queries</description>
  <conditions>
    <and>
      <if-operation op="equal">query</if-operation>
      <if-xpath op="not-true">association</if-xpath>
      <if-xpath op="true">search-attr[@attr-name="USERNAME:BAPIBNAME"]/value</if-xpath>
    </and>
  </conditions>
  <actions>
    <do-append-xml-element expression="." name="association"/>
    <do-append-xml-text expression="association">
      <arg-string>
        <token-text xml:space="preserve">USd</token-text>
        <token-upper-case>
          <token-xpath expression='search-attr[@attr-name="USERNAME:BAPIBNAME"]/value/text()'/>
        </token-upper-case>
      </arg-string>
    </do-append-xml-text>
  </actions>
</rule>
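To see what the rule above does to a matching query, here is a Python equivalent run on a constructed query document. This is an added example, not the driver's own policy: it applies the rule's three conditions (operation is a query, no association present, a USERNAME:BAPIBNAME search value exists) and appends the association built as "USd" plus the upper-cased user name, exactly as the rule's token-text and token-upper-case produce it. The query documents are constructed for the example; the second one already carries an association and shows that the rule leaves it alone.

```python
"""Add an association to a Subscriber matching query.

Added example, not the driver's own policy: a Python equivalent of the
Output Transformation rule that appends <association> to matching queries.
Assumed: the user name travels in search-attr[@attr-name="USERNAME:BAPIBNAME"]
and the association value is "USd" + upper-cased user name, as in the rule.
Query documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

SEARCH_ATTR = "USERNAME:BAPIBNAME"


def add_association(query):
    """Apply the rule's three conditions, then append <association>.
    Returns the association value, or None when the rule does not fire."""
    if query.tag != "query":                        # if-operation equal "query"
        return None
    if query.find("association") is not None:       # if-xpath not-true "association"
        return None
    name = query.findtext(f"search-attr[@attr-name='{SEARCH_ATTR}']/value")
    if not name:                                    # if-xpath true ".../value"
        return None
    assoc = ET.SubElement(query, "association")
    assoc.text = "USd" + name.strip().upper()       # token-text "USd" + token-upper-case
    return assoc.text


def transform(query_xml):
    """Parse, apply the rule, and return (association or None, resulting XML)."""
    root = ET.fromstring(query_xml)
    return add_association(root), ET.tostring(root, encoding="unicode")


# Constructed matching query as the Subscriber Matching policy issues it
# (after schema mapping, so the SAP field name is present).
MATCHING_QUERY = """
<query class-name="US" scope="subtree">
  <search-class class-name="US"/>
  <search-attr attr-name="USERNAME:BAPIBNAME">
    <value>jsmith</value>
  </search-attr>
  <read-attr/>
</query>
"""

# Constructed query that already carries an association: the rule must not
# add a second one.
ASSOCIATED_QUERY = """
<query class-name="US" scope="entry">
  <association>USdJSMITH</association>
  <search-attr attr-name="USERNAME:BAPIBNAME">
    <value>jsmith</value>
  </search-attr>
</query>
"""

if __name__ == "__main__":
    for doc in (MATCHING_QUERY, ASSOCIATED_QUERY):
        value, xml_out = transform(doc)
        print("association added:", value)
        print(xml_out)
```

The point of the rule is operational rather than functional: the query returns the same match either way, but with the association present the shim can address a single user record instead of scanning the whole user table, so the matching step on a large SAP system returns promptly.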

The Subscriber Create Policy

The Subscriber Create policy is applied when you want to add a new object to eDirectory. The default driver configuration:

  • Ensures that the Surname and Given Name attributes are present.

  • Generates a unique CN based on the Given Name and Surname attributes.

  • Appends the sapUserType attribute with a value of A.

  • Sets the initial password (the driver can also set and manage persistent passwords in the SAP system.)

  • Sets a default sapRoles value of SAP_ESSUSER.

  • Sets a default sapProfiles value of SAP_NEW.

  • Adds the following sample DirXML-sapLocRoles values: DRVCLNT100:, ADMCLNT100:SAP_EMPLOYEE, and ADMCLNT500:SAP_ESSUSER.

  • Adds the following sample DirXML-sapLocProfiles values: DRVCLNT100:, ADMCLNT100:SAP_ALL, and ADMCLNT500:SAP_NEW.