8.2 Preconfigured Entitlements

8.2.1 User Account Entitlement

Most Identity Manager drivers support the User Account entitlement as an entitlement that can only be granted once and does not take any parameters. It is like an on/off switch for the account in the application. There is a one-to-one relationship between the User Account entitlement and one account in the application. The fan-out configuration requires that a single User object in the Identity Vault be granted multiple User Account entitlements for accounts in different systems. A parameter is added to the User Account entitlement, so each time the entitlement is granted it is a unique event. The parameter indicates the system where the account is granted.

This entitlement also has Subscriber policies that define what happens to the SAP account when the entitlement is revoked. The revoke action is chosen in the driver GCVs (see Step 6 below); besides leaving the account untouched, there are two actions that can be taken:

  • Disable: When the entitlement is revoked, the user account is locked in the connected SAP system. The account and its role and profile assignments remain in place.

  • Delete: An attempt is made to delete the account from the connected SAP system.

To enable this entitlement:

  1. Verify that an entitlement agent that contains your list of criteria to grant or revoke a user’s access to resources in SAP exists. For more information, see Section 8.1, Entitlement Agents.

  2. If you have an existing driver, skip to Step 3; otherwise, during the creation of a driver, select True for the Use User Account Entitlement option.

    This sets the entitlement GCVs to True.

  3. Access the GCVs page for the driver.

  4. Select show for the Show entitlements configuration option.

  5. Enable the user account entitlement by selecting true.

  6. Select what to do when the user account entitlement is revoked by indicating whether you want the account disabled, deleted, or nothing done to the account.

  7. Click OK to save the changes.

The entitlement is now enabled. However, a new user account is not provisioned until the entitlement is granted through one of the entitlement agents.

8.2.2 Role (Activity Group) Entitlement

The Role (activity group) entitlement adds users to the SAP roles (activity groups), and it is enabled by default if you selected to use entitlements during the creation of the driver. This entitlement contains parameters, which means it can be granted multiple times. The parameters for the entitlement are roles returned by the entitlement query to the SAP system. When the entitlement is granted with an SAP ActivityGroup as the parameter, the SAP User is added to the corresponding role.

For example, assume there is an RBPM role that contains two role entitlements, one with a parameter of User Admins and the second with a parameter of HR Admin. When the RBPM role is granted and the entitlements are granted, the user is added to the User Admins and the HR Admin roles in the SAP system.

The parameter for this entitlement differs depending upon which entitlement agent you used. Only one agent, the RBPM, supports the fan-out configuration.

  • RBE: <AG name>

    For example: User Admins

    This format does not support the fan-out configuration to individual systems or to the CUA child systems.

  • RBPM: AG=<AG name>|LSNAME=<LSNAME>

    For example: AG=User Admins|LSNAME=S7ICLNT800

    This format supports the fan-out configuration to individual systems, including the CUA child systems.

Because the RBPM parameter carries the logical system name (LSNAME), the same role entitlement can be granted to one user several times with a different parameter each time, once per target system, and the driver applies each assignment in the system named in that parameter.

To manually enable this entitlement:

  1. Verify that an entitlement agent that contains your list of criteria to grant or revoke role (ActivityGroup) assignments in SAP exists. For more information, see Section 8.1, Entitlement Agents.

  2. If you have an existing driver, skip to Step 3; otherwise, during the creation of a driver, select True for the Use User Account Entitlement option.

    This sets the entitlement GCVs to True.

  3. Access the GCVs page for the driver.

  4. Select True for the Use Role (ActivityGroup) Entitlement option.

  5. Click OK to save the changes.

The entitlement is now enabled. When a user is granted a role through one of the entitlement agents, the associated ActivityGroup assignments are automatically made for the user by the SAP User Management Fan-Out driver.

8.2.3 Profile Entitlement

The Profile entitlement adds users to the SAP profiles, and it is enabled by default. This entitlement contains parameters, which means it can be granted multiple times. The parameters for the entitlement differ, depending upon which entitlement agent you used. Only one agent, the RBPM, supports the fan-out configuration.

  • RBE: <Profile name>

    For example: SAP_NEW

    This format does not support the fan-out configuration to individual systems or to the CUA child systems.

  • RBPM: PROF=<profile name>|LSNAME=<LSNAME>

    For example: PROF=SAP_NEW|LSNAME=ADMCLNT301

    This format supports the fan-out configuration to individual systems, including the CUA child systems.
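The two parameter formats above (and the matching ones for the Role entitlement in Section 8.2.2) are easy to get wrong in a custom policy or an entitlement query: an RBE-style bare name carries no target system, and an RBPM-style value with a missing or empty LSNAME cannot be fanned out. The following parser is an added example written for this section; it is not code from the SAP User Management Fan-Out driver or from Identity Manager. It assumes only what the page states: a bare value is the RBE format, and the RBPM format is key=value fields separated by "|" with AG or PROF naming the role or profile and LSNAME naming the logical system. The "default_lsname" fallback and all sample grants are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Key prefixes documented for the RBPM format: AG=... for roles, PROF=... for profiles.
KIND_KEYS = {"AG": "role", "PROF": "profile"}


@dataclass(frozen=True)
class EntitlementParam:
    kind: str              # "role" or "profile"
    name: str              # SAP role or profile name, e.g. "User Admins" or "SAP_NEW"
    lsname: Optional[str]  # logical system, e.g. "S7ICLNT800"; None for the RBE format
    agent: str             # "RBPM" when key=value fields were present, otherwise "RBE"

    @property
    def supports_fanout(self) -> bool:
        # Only a parameter that names a logical system can target one system or a CUA child.
        return self.lsname is not None


def parse_entitlement_param(kind: str, raw: str) -> EntitlementParam:
    """Parse one Role or Profile entitlement parameter.

    `kind` is the entitlement the parameter was granted on ("role" or "profile").
    It is needed because the RBE format is just a bare name: "SAP_NEW" alone
    carries nothing that says whether it is a role or a profile.
    """
    if kind not in KIND_KEYS.values():
        raise ValueError(f"unknown entitlement kind {kind!r}")
    raw = raw.strip()
    if not raw:
        raise ValueError("empty entitlement parameter")

    if "=" not in raw:
        # RBE format: the bare role or profile name, no target system.
        return EntitlementParam(kind=kind, name=raw, lsname=None, agent="RBE")

    fields: Dict[str, str] = {}
    for part in raw.split("|"):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed field {part!r} in {raw!r}")
        fields[key.strip().upper()] = value.strip()

    # Exactly one of AG / PROF must be present, and it must match the entitlement kind.
    present = [k for k in KIND_KEYS if k in fields]
    if len(present) != 1:
        raise ValueError(f"expected exactly one of {list(KIND_KEYS)} in {raw!r}")
    key = present[0]
    if KIND_KEYS[key] != kind:
        raise ValueError(f"{key}= value granted on a {kind} entitlement: {raw!r}")
    if not fields[key]:
        raise ValueError(f"empty {key} name in {raw!r}")
    lsname = fields.get("LSNAME")
    if not lsname:
        raise ValueError(f"RBPM format requires a non-empty LSNAME: {raw!r}")
    return EntitlementParam(kind=kind, name=fields[key], lsname=lsname, agent="RBPM")


def is_valid_param(kind: str, raw: str) -> bool:
    """True if the parameter parses; handy for rejecting bad values before a grant."""
    try:
        parse_entitlement_param(kind, raw)
        return True
    except ValueError:
        return False


def assignments_by_system(grants: Iterable[Tuple[str, str]],
                          default_lsname: Optional[str] = None) -> Dict[str, Set[Tuple[str, str]]]:
    """Group granted (kind, parameter) pairs by the logical system they apply to.

    RBE-format parameters carry no LSNAME. `default_lsname` is an assumed
    configuration value for this example (the page does not name one); without
    it an RBE parameter cannot be routed and is rejected.
    """
    out: Dict[str, Set[Tuple[str, str]]] = {}
    for kind, raw in grants:
        p = parse_entitlement_param(kind, raw)
        target = p.lsname or default_lsname
        if target is None:
            raise ValueError(f"no target system for {raw!r} and no default configured")
        out.setdefault(target, set()).add((p.kind, p.name))
    return out


if __name__ == "__main__":
    # Constructed grants using the parameter values shown on this page.
    sample: List[Tuple[str, str]] = [
        ("role", "AG=User Admins|LSNAME=S7ICLNT800"),
        ("role", "AG=HR Admin|LSNAME=S7ICLNT800"),
        ("profile", "PROF=SAP_NEW|LSNAME=ADMCLNT301"),
        ("profile", "SAP_NEW"),  # RBE format: routed to the default system only
    ]
    for system, items in sorted(assignments_by_system(sample, "S7ICLNT800").items()):
        print(system, sorted(items))
```

Running the block prints one line per logical system with the role and profile names assigned there, which is the per-system view the fan-out driver needs before it talks to SAP. Reject any parameter for which is_valid_param returns False before granting it, rather than letting a malformed value reach the driver.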

To manually enable this entitlement:

  1. Verify that an entitlement agent that contains your list of criteria to grant or revoke profile assignments in SAP exists. For more information, see Section 8.1, Entitlement Agents.

  2. If you have an existing driver, skip to Step 3; otherwise, during the creation of a driver, select True for the Use User Account Entitlement option.

    This sets the entitlement GCVs to True.

  3. Access the GCVs page on the driver.

  4. Select True for the Use Profile Entitlement option.

  5. Click OK to save the changes.

The entitlement is now enabled. When a user is granted a profile entitlement through one of the entitlement agents, the SAP User Management Fan-Out driver automatically adds the user to the associated profiles.