The driver’s Publisher channel functionality requires that the driver be configured as a Child logical system in a CUA environment. The configuration documentation describes a configuration as illustrated below.
Figure 9-3 CUA child system configuration
In this configuration, the driver acts as an administrative client to perform User administration, such as User account creation, password setting, and role administration, in the CUA Central logical system ADMCLNT100. The Central system is configured to distribute the User account information to the CUA Child logical system DRVCLNT100 that represents the driver. As can be seen from the diagram, the driver acts as both a SAP Client and a Server to obtain full bidirectional synchronization functionality.
After the systems are configured for synchronization, you must set the data attributes that will trigger synchronization. In order to synchronize a User object, you must create a User in SAP Client 100, allow the user to log in, and establish synchronization back to the driver.
Surname and Password are required attributes for User creation.
Set ADMCLNT100 in the Systems tab to allow the new User to log in to Client 100.
Set DRVCLNT100 in the Systems tab to establish data distribution back to the driver.
Setting attributes and passwords has been part of the driver functionality since its creation. As of version 1.0.5, you can now set the Systems tab on the Central system using BAPIs for setting Local ActivityGroups (Roles) and Local Profiles. These BAPIs allow the driver to set specified Roles and Profiles on specified logical systems in the CUA landscape. Because there are two component parameters required for each Local Role and Local Profile, the default configuration uses a colon “:” delimited string syntax for the Identity Vault values. The form for these values is <Logical System Name>:<Role or Profile Name>. These values are transformed to and from the SAP structured syntax by the default InputTransform and OutputTransform policies.
If you want to set the Systems tab for a logical system without setting a Local Role or Local Profile (this should always be done for the driver where SAP Roles and Profiles have no meaning), the string value should be set without the Role or Profile Name component.
A new field named FORCE_SYSTEM_ASSIGNMENT is available in newer versions of SAP in the BAPI_USER_CREATE1 function. The driver tries to use this for the Systems tab assignment on the Connected SAP System.
The following example shows a Create style sheet template for the setting of only the Systems tab for logical systems ADMCLNT100 and DRVCLNT100. Note that the attr-name used is DirXML-sapLocRoles. For this purpose, the DirXML-sapLocProfiles attribute could also be used. (In Identity Manager 3, this policy is implemented through Policy Builder.)

    <xsl:template name="add-systems-tab">
      <!-- Sample CUA distribution settings.
           - Central SAP system is ADMCLNT100
           - Driver's logical system is DRVCLNT100 -->
      <add-attr attr-name="DirXML-sapLocRoles">
        <!-- In a CUA environment, set driver's LS name with a blank role.
             This allows the driver to receive events from SAP. -->
        <value>
          <xsl:value-of select="'DRVCLNT100:'"/>
        </value>
        <!-- Setting the target LS name with a blank CUA role allows the
             User object to log on to the target child system but receive
             no rights -->
        <value>
          <xsl:value-of select="'ADMCLNT100:'"/>
        </value>
      </add-attr>
    </xsl:template>
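The following is an added example, not part of the driver or its default policies: a small Python check that audits one user's DirXML-sapLocRoles or DirXML-sapLocProfiles values against the rules described above (colon-delimited form, blank Role or Profile component for the driver's logical system, entries for both ADMCLNT100 and DRVCLNT100). The function names and the sample role name are hypothetical, and splitting on the first colon only is an assumption about the value syntax.

```python
# Added example: audit colon-delimited Identity Vault values of the form
# <Logical System Name>:<Role or Profile Name> before they reach the driver.
# Logical system names come from the page; function names are hypothetical.
CENTRAL_LS = "ADMCLNT100"   # CUA Central logical system
DRIVER_LS = "DRVCLNT100"    # CUA Child logical system representing the driver


def parse_value(value):
    """Split one value into (logical system, role or profile name)."""
    if ":" not in value:
        raise ValueError(f"missing ':' delimiter in {value!r}")
    # Assumption: only the first colon delimits the two components.
    system, name = value.split(":", 1)
    system, name = system.strip(), name.strip()
    if not system:
        raise ValueError(f"empty logical system name in {value!r}")
    return system, name     # name == '' means a system assignment only


def audit_values(values, required=(CENTRAL_LS, DRIVER_LS)):
    """Return a list of findings for one user's attribute values."""
    findings, seen = [], set()
    for raw in values:
        try:
            system, name = parse_value(raw)
        except ValueError as exc:
            findings.append(f"malformed: {exc}")
            continue
        seen.add(system)
        # SAP Roles and Profiles have no meaning for the driver, so its
        # entry should always carry a blank name component.
        if system == DRIVER_LS and name:
            findings.append(
                f"driver system {DRIVER_LS} assigned {name!r}; expected blank")
    # Both systems are needed: one for login, one for distribution back.
    for system in required:
        if system not in seen:
            findings.append(f"no system assignment for {system}")
    return findings
```

An empty result means the values match the template above; any finding is worth resolving before the Create rule runs, since a missing DRVCLNT100 entry means no data is distributed back to the driver.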