8.2 Configuring the Driver as a CUA Child System

The driver’s Publisher channel functionality requires that the driver be configured as a Child logical system in a CUA environment. The configuration documentation describes a configuration as illustrated below.

Figure 8-3 CUA child system configuration

In this configuration, the driver acts as an administrative client that performs User administration, such as User account creation, password set, and role administration, in the CUA Central logical system ADMCLNT100. The Central system is configured to distribute the User account information to the CUA Child logical system DRVCLNT100, which represents the driver. As the diagram shows, the driver acts as both an SAP Client and a Server to obtain full bidirectional synchronization functionality.

After the systems are configured for synchronization, you must set the data attributes that will trigger synchronization. To synchronize a User object, you must create a User in SAP Client 100, allow the user to log in, and establish synchronization back to the driver.

Setting attributes and passwords has been part of the driver functionality since its creation. As of version 1.0.5, you can also set the Systems tab on the Central system by using BAPIs that set Local ActivityGroups (Roles) and Local Profiles. These BAPIs allow the driver to set specified Roles and Profiles on specified logical systems in the CUA landscape. Because two component parameters are required for each Local Role and Local Profile, the default configuration uses a colon (“:”) delimited string syntax for the Identity Vault values. The form for these values is <Logical System Name>:<Role or Profile Name>. These values are transformed to and from the SAP structured syntax by the default InputTransform and OutputTransform policies.

If you want to set the Systems tab for a logical system without setting a Local Role or Local Profile (this should always be done for the driver where SAP Roles and Profiles have no meaning), the string value should be set without the Role or Profile Name component.
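The following Python sketch is an added example, not part of the driver or its default policies. It audits a set of Identity Vault values in the colon-delimited form described above before they are provisioned: it rejects malformed values and flags the two conditions this section warns about, a Role or Profile on the driver's logical system and a missing Systems tab entry for the driver. The function names, the sample role name, and the choice to split at the first colon are assumptions made for the illustration.

```python
# Added example: audit colon-delimited DirXML-sapLocRoles /
# DirXML-sapLocProfiles values. Not the driver's own code.
from typing import List, NamedTuple, Optional


class Assignment(NamedTuple):
    logical_system: str
    name: Optional[str]  # None = Systems tab entry only, no Role or Profile


def parse_value(value: str) -> Assignment:
    """Split '<Logical System Name>:<Role or Profile Name>'.

    Assumption: the value is split at the first colon.
    """
    system, sep, name = value.strip().partition(":")
    if not sep:
        raise ValueError(f"missing ':' delimiter: {value!r}")
    if not system.strip():
        raise ValueError(f"missing logical system name: {value!r}")
    return Assignment(system.strip(), name.strip() or None)


def audit(values: List[str], driver_system: str) -> List[str]:
    """Return findings for values that contradict the guidance above."""
    findings = []
    systems = set()
    for raw in values:
        try:
            entry = parse_value(raw)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        systems.add(entry.logical_system)
        # SAP Roles and Profiles have no meaning on the driver's system.
        if entry.logical_system == driver_system and entry.name is not None:
            findings.append(
                f"{driver_system} is the driver's logical system and "
                f"should carry no Role or Profile, found {entry.name!r}"
            )
    # Without its own Systems tab entry the driver receives no events.
    if driver_system not in systems:
        findings.append(f"{driver_system} is not on the Systems tab")
    return findings


if __name__ == "__main__":
    # Constructed sample values; Z_SAMPLE_ROLE is a made-up role name.
    sample = ["DRVCLNT100:Z_SAMPLE_ROLE", "ADMCLNT100:", "ADMCLNT100"]
    for finding in audit(sample, driver_system="DRVCLNT100"):
        print(finding)
```
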

A new field named FORCE_SYSTEM_ASSIGNMENT is available in newer versions of SAP in the BAPI_USER_CREATE1 function. The driver tries to use this for the Systems tab assignment on the Connected SAP System.

The following example shows a Create style sheet template for the setting of only the Systems tab for logical systems ADMCLNT100 and DRVCLNT100. Note that the attr-name used is DirXML-sapLocRoles. For this purpose, the DirXML-sapLocProfiles attribute could also be used. (In Identity Manager 3, this policy is implemented through Policy Builder.)

<xsl:template name="add-systems-tab">
    <!--
      Sample CUA distribution settings.
      - Central SAP system is ADMCLNT100
      - Driver's logical system is DRVCLNT100
    -->
    <add-attr attr-name="DirXML-sapLocRoles">
        <!--
          In a CUA environment, set the driver's LS name with a blank role.
          This allows the driver to receive events from SAP.
        -->
        <value>
            <xsl:value-of select="'DRVCLNT100:'"/>
        </value>
        <!--
          Setting the target LS name with a blank CUA role allows the
          User object to log on to the target child system but receive no rights.
        -->
        <value>
            <xsl:value-of select="'ADMCLNT100:'"/>
        </value>
    </add-attr>
</xsl:template>