8.3 Using the Driver to Provision a CUA Landscape

The previous example showed a simple CUA environment in which the Central system distributed User data only to the driver's logical system. This is not a typical environment. In most CUA environments, a Central system distributes data to SAP Child logical systems on multiple application servers. A small example of a typical CUA landscape looks more like this:

Figure 8-4 A central system distributing data to SAP child logical systems on multiple application servers

As with the previous example, the driver can distribute User account information to the additional CUA Child systems by setting the Systems tab for them. However, the real power of the driver is realized when you control access to the various SAP clients through the driver's policies. For example, all employees can receive Employee Self-Service rights on the HR system, while an employee identified as an HR Administrator can additionally be granted rights to the HR administration functions. The following example shows a Create Stylesheet template that sets the Systems tab for logical systems ADMCLNT100 and DRVCLNT100, sets the SAP_ESSUSER Role on logical system HR1CLNT100, and sets the SAP_ALL Profile on logical system ADMCLNT500. (In Identity Manager 3, this policy is implemented through Policy Builder.)

<xsl:template name="add-cua-auths">
    <!--
    Sample CUA distribution settings.
    - Central SAP system is ADMCLNT100
    - Child SAP systems are: ADMCLNT500 and HR1CLNT100
    - Driver's logical system is DRVCLNT100
    -->
    <add-attr attr-name="DirXML-sapLocRoles">
        <!--
        In a CUA environment, set the driver's LS name with a
        blank role. This allows the driver to receive events
        from SAP.
        -->
        <value>
            <xsl:value-of select="'DRVCLNT100:'"/>
        </value>
        <!--
        Setting the target LS name with a blank CUA role
        allows the User object to log on to the target
        child system but receive no rights.
        -->
        <value>
            <xsl:value-of select="'ADMCLNT100:'"/>
        </value>
        <!--
        The third value shows how to set a 'real' CUA role
        for a child logical system. This causes
        distribution from the Central system to the child
        system and sets the Employee Self-Service role.
        -->
        <value>
            <xsl:value-of select="'HR1CLNT100:SAP_ESSUSER'"/>
        </value>
    </add-attr>
    <!--
    Example of setting a 'real' CUA profile.
    -->
    <add-attr attr-name="DirXML-sapLocProfiles">
        <value>
            <xsl:value-of select="'ADMCLNT500:SAP_ALL'"/>
        </value>
    </add-attr>
</xsl:template>
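The same policy decision expressed outside the stylesheet, as an added example that is not part of the driver documentation: it builds the "LS:ROLE" / "LS:PROFILE" values that DirXML-sapLocRoles and DirXML-sapLocProfiles carry, using the logical system names from the template above, and runs the checks an administrator would want before such values reach the Central system (the driver's LS must be present with a blank role, every value must parse, and SAP_ALL grants are reported). The value-syntax regular expression and the HR-administrator branch are assumptions of this example.

```python
"""Constructed example: derive and review CUA distribution values."""
import re

DRIVER_LS = "DRVCLNT100"   # driver's logical system (blank role: receive events)
CENTRAL_LS = "ADMCLNT100"  # CUA Central system
HR_LS = "HR1CLNT100"       # child system: HR
ADMIN_LS = "ADMCLNT500"    # child system: administration

# Assumed value syntax: logical system name, a colon, optional role/profile.
_VALUE_RE = re.compile(r"^([A-Z0-9_]{1,10}):([A-Za-z0-9_/]*)$")


def parse_value(value):
    """Split 'LS:ROLE' into (ls, role); role is '' for a blank assignment."""
    m = _VALUE_RE.match(value)
    if not m:
        raise ValueError(f"malformed CUA value: {value!r}")
    return m.group(1), m.group(2)


def cua_entitlements(is_hr_admin):
    """Return (roles, profiles) for one user.

    Every employee: driver LS and Central LS with a blank role (logon, no
    rights) plus Employee Self-Service on the HR child system. An HR
    administrator additionally gets the SAP_ALL profile on ADMCLNT500, as in
    the template above (assumed policy branch for this example).
    """
    roles = [f"{DRIVER_LS}:", f"{CENTRAL_LS}:", f"{HR_LS}:SAP_ESSUSER"]
    profiles = [f"{ADMIN_LS}:SAP_ALL"] if is_hr_admin else []
    return roles, profiles


def review(roles, profiles):
    """Return findings: missing driver LS, malformed values, SAP_ALL grants."""
    findings = []
    driver_present = False
    for v in roles:
        ls, role = parse_value(v)           # raises on malformed input
        if ls == DRIVER_LS and role == "":
            driver_present = True
    if not driver_present:
        findings.append(f"driver logical system {DRIVER_LS} missing: "
                        "driver will not receive events")
    for v in profiles:
        ls, profile = parse_value(v)
        if profile == "SAP_ALL":            # all-authorizations profile
            findings.append(f"SAP_ALL profile granted on {ls}")
    return findings
```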