Policies are highly configurable for use within any business environment.
The default driver is configured to be primarily a Subscriber channel driver. This means the primary purpose is to create SAP User accounts using information collected in the Identity Vault. The default configuration does allow basic bidirectional User create, delete, and modify functionality.
You must modify policies and the filter to work with your specific business environment. We recommend that you make modifications in this order:
Modify the Filter (publish and subscribe options) to include additional attributes you want synchronized.
Modify the Mapping policy to include all attributes specified in the Subscriber and Publisher channel filters.
Modify the Input Transform policy
Modify the Output Transform policy
Modify the Publisher policies
Modify the Subscriber policies
Setting attributes in the filter to “publish” specifies which classes and attributes are published from the SAP system to eDirectory.
The default driver configuration publishes the following User class attributes in the filter.
Setting attributes in the filter to “subscribe” specifies which classes and attributes are synchronized from eDirectory to the SAP system.
The default driver configuration subscribes to the following User class attributes in the filter:
The Schema Mapping policy is referenced by the driver object and applies to both the Subscriber and Publisher channels. Its purpose is to map schema names (particularly attribute and class names) between eDirectory and the SAP User database. Modifying or removing existing entries in the Schema Mapping policy can break the default configuration and the processing behavior of the default policies. Adding new attribute mappings is at your discretion.
NOTE: The application schema definition in the default driver configuration comes from an SAP R/3 version 4.7 system with Web Application Server version 6.40. If the target SAP system is a different version, its actual User object schema might differ. Refresh the application schema with the iManager Schema Mapping editor to obtain the actual schema of the target server.
The following class mapping is included with the default driver configuration:
The User class is configured to synchronize bidirectionally between SAP and eDirectory. A change made in one system is propagated to the other.
All attributes in the Publisher and Subscriber filters should be mapped unless they are used only for policy processing.
SAP User field values fall into three types:
Simple fields: These values are not grouped with other fields. The syntax in the schema map is <field name>.
Structure fields: These values are grouped with other pieces of data that describe a larger collection of single-instance data. The syntax for these fields in the schema map is <structure name>:<field name>. For example, ADDRESS:TELEPHONE.
Table fields: These values are similar to Structure fields, but there can be multiple instances of the structured data. The syntax for these fields in the schema map is <table name>:<field name>. For example, ADDTEL:TELEPHONE.
The following table lists common attribute mappings for the User class and their descriptions, assuming that only the primary piece of structured communication data is required (such as ADDTEL:TELEPHONE). If the fields of a table are to be mapped, specify only the table name in the mapping (such as LOCACTIVITYGROUPS); the driver then generates all table field values in structured format. For more information, see Section C.0, Structured Format Examples. On the Publisher channel, the structured data must be transformed to string format.
The Schema Mapping policy depends on extensions to the standard eDirectory schema. The extensions used by the driver are delivered as an LDIF file created by SAP for use with the SAP directory interfaces for user management; a Novell-standard .sch version of the file is also provided. Both files are included with the driver. See Extending the Schema for more information.
The default mappings for the driver are as follows:
The SAP User driver can be queried for ACTIVITYGROUP objects and all other PDOBJECT objects in the SAP User database so that they can be synchronized into eDirectory and used by the administrator through a browse interface. To do this, the default class mapping must be manually changed to the following:
| eDirectory Class | SAP User Field Description | SAP User Field(s) |
|---|---|---|
| Organizational Role | PDOBJECT | Organizational Role |
The following sections explain what you need to do to support querying the Organizational Role class:
To edit the Global Configuration Values (GCVs), follow these steps:
In iManager, browse to the driver and click the upper right corner of the driver icon.
Select the link that opens the Driver Configuration window.
Click the tab that lists the existing GCV values.
Click the tab that opens the XML Editor window.
Select the checkbox that enables editing and add the following XML code:
<definition display-name="Organizational Role Placement"
dn-space="dirxml" dn-type="slash" name="sap-pdobject-placement" type="dn">
<description>
The name of the Organizational Role object under which published SAP Organizational Roles will be placed.
</description>
<value> </value>
</definition>
Save the changes. The updated GCV is now displayed in the list.
Browse to and select the eDirectory container in which you want to place Organizational Role objects, then confirm the selection.
The Publisher Placement policy needs a new rule that places Organizational Role objects. Follow these steps to create it:
In iManager, click on the driver icon.
The Identity Manager Overview screen is displayed.
In the publisher channel, click on the Placement Policies icon.
The Publisher Placement policy window is displayed.
Click the existing default publisher placement policy.
The Policy Rules screen is displayed.
Click the Edit XML tab.
The XML Editor window is displayed.
Select the checkbox that enables editing and add the following rule:
<rule>
<description>Organizational Role Placement</description>
<conditions>
<or>
<if-class-name op="equal">
Organizational Role
</if-class-name>
</or>
<or>
<if-op-attr name="CN" op="available"/>
</or>
</conditions>
<actions>
<do-set-op-dest-dn>
<arg-dn>
<token-global-variable name="sap-pdobject-placement"/>
<token-text xml:space="preserve">\</token-text>
<token-escape-for-dest-dn>
<token-op-attr name="CN"/>
</token-escape-for-dest-dn>
</arg-dn>
</do-set-op-dest-dn>
</actions>
</rule>
Save the changes, then close the Publisher Placement Policy window.
The XSLT style sheet in the Publisher Creation policy must be modified so that it applies only to events for the User class. To modify it, follow these steps:
From the Identity Manager Driver Overview page, click on the Creation Policies icon on the publisher channel of the driver.
The Publisher Creation Policy window is displayed.
Click the link that opens the XML Editor window.
Search for the following XML code: <xsl:template match="add">
Replace it with the following code, which restricts the template to the User class so that the User creation rules (for example, the required Surname and Given Name attributes) are not applied to Organizational Role objects:
<xsl:template match="add[@class-name='User']">
Save the changes, then close the Publisher Creation Policy window.
To add the Organizational Role class and change the default class mapping, follow these steps:
From the Identity Manager Driver Overview page, click the Driver Filter icon in the Publisher channel.
Click the tab that opens the pop-up window.
Click the link that lists the available classes in alphabetical order.
Scroll down to the Organizational Role class and click it.
In the field on the right, browse to and select the SAP User class PDOBJECT that will be mapped to Organizational Role, then confirm the mapping.
In the Filter window, select Organizational Role and click the tab that lists the available attributes.
Select the first attribute to be mapped and add it. In the field on the right, browse to and select the corresponding SAP attribute.
Select Organizational Role again and click the attributes tab. Select the second attribute to be mapped and add it. In the Application Name field on the right, browse to and select the corresponding SAP attribute, then confirm.
In the Filter window, select the Organizational Role class.
In the text field on the right, delete PDOBJECT and replace it with AG.
Save the changes.
Select the Organizational Role class and choose its option in the Publisher channel.
Select each of the two mapped attributes in turn and choose its option in the Publisher channel.
Save the changes and close the Filter window.
To migrate ACTIVITYGROUP objects into the Identity Vault, ensure that the driver is running and follow these steps:
From the Identity Manager Driver Overview window, click the option that opens the Migrate Data into the Identity Vault window.
To migrate a single ACTIVITYGROUP object, follow these steps:
Click the tab that opens the Edit Migration Criteria dialog box.
Select the Organizational Role class from the list on the left side of the window.
Select the attribute and add it. The Attribute Value dialog box is displayed.
Enter a valid value for the attribute and confirm. Example of a valid value: SAP_ESSUSER
Confirm the entered value and close the dialog box.
Click the migration option again in the Migrate Data into the Identity Vault window to start the migration. You will see that the box is now checked, indicating that migration has started.
To migrate all ACTIVITYGROUP objects, follow these steps:
Click the tab that opens the Edit Migration Criteria dialog box.
Select the Organizational Role class from the list and confirm.
Click the migration option again in the Migrate Data into the Identity Vault window to start the migration.
NOTE: To verify that the objects you selected have been migrated successfully, browse to the container that you specified in the Organizational Role Placement GCV used by the placement policy. Successful migration can also be verified in the DSTRACE window.
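The placement rule added above builds the destination DN from the sap-pdobject-placement GCV, a backslash separator and the CN passed through token-escape-for-dest-dn. The following Python is an added example, not driver code or part of the original page; it shows what that rule computes and why the escape matters, so that a role whose CN contains a separator cannot land one level deeper than the container the GCV names. Assumptions: the GCV holds a slash-format DN (VAULT\data\roles is a constructed value), and escaping a slash-format name means doubling a literal backslash; the engine's exact escape set is not reproduced here.

```python
"""What the Publisher Placement rule added above computes: the
sap-pdobject-placement GCV, the slash-format separator, and the CN passed
through token-escape-for-dest-dn.

Added example, not driver code. Assumptions: the GCV holds a slash-format DN
such as VAULT\\data\\roles; escaping for a slash-format destination DN means
doubling a literal backslash in the CN (the engine's exact escape set is not
reproduced here); role names are constructed.
"""
from typing import List

SEPARATOR = "\\"  # component separator in a slash-format eDirectory DN


def escape_for_dest_dn(component: str) -> str:
    """Assumed escape rule: a literal separator inside a name is doubled so it
    cannot be read as a component boundary."""
    return component.replace(SEPARATOR, SEPARATOR * 2)


def place_org_role(placement_gcv: str, cn: str) -> str:
    """dest-dn = GCV + '\\' + escape(CN), as the rule's <arg-dn> builds it."""
    if not placement_gcv.strip():
        raise ValueError("sap-pdobject-placement GCV is empty; the rule would emit a relative DN")
    return placement_gcv + SEPARATOR + escape_for_dest_dn(cn)


def place_without_escaping(placement_gcv: str, cn: str) -> str:
    """Contrast case: what a rule using <token-op-attr name="CN"/> without the
    escape token would produce."""
    return placement_gcv + SEPARATOR + cn


def dn_components(dn: str) -> List[str]:
    """Split a slash-format DN on unescaped separators (same assumed escape rule)."""
    parts, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == SEPARATOR:
            if i + 1 < len(dn) and dn[i + 1] == SEPARATOR:  # escaped separator
                current += SEPARATOR
                i += 2
                continue
            parts.append(current)                         # component boundary
            current = ""
            i += 1
            continue
        current += dn[i]
        i += 1
    parts.append(current)
    return parts


if __name__ == "__main__":
    gcv = "VAULT\\data\\roles"
    for cn in ("SAP_ESSUSER", "SAP_EMPLOYEE", "ODD\\NAME"):
        safe, unsafe = place_org_role(gcv, cn), place_without_escaping(gcv, cn)
        print(f"{cn!r}: escaped -> {dn_components(safe)}; unescaped -> {dn_components(unsafe)}")
```

With the escape in place every published role is a single leaf directly under the GCV container; without it, a CN containing a backslash yields a five-component DN, which is why the rule wraps the CN in token-escape-for-dest-dn rather than using the operation attribute directly. The empty-GCV check mirrors the fact that the GCV ships with an empty value and must be set before the rule is useful.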
You modify the Input Transform policy to implement your specific business rules. The Input Transform policy transforms the data received from the driver shim.
The policy is applied as the first step of processing an XML document received from the driver shim. It converts the syntax of the SAP attributes into the syntax expected by eDirectory.
The default driver configuration includes two rules that perform the following functions:
Transforming LOCACTIVITYGROUPS from structured format to string format.
Transforming LOCPROFILES from structured format to string format.
You modify the Output Transform policy to implement your specific business rules. The Output Transformation policy is referenced by the driver object and applies to both the Subscriber and Publisher channels. Its purpose is to perform any final transformation necessary on XML documents sent to the driver by Identity Manager.
The default driver configuration:
Transforms LOCACTIVITYGROUPS from string format to structured format.
Transforms LOCPROFILES from string format to structured format.
Adds the driver’s LOCACTIVITYGROUPS attribute to Modify events with the from-merge attribute set.
Transforms the pseudo-attribute LOCKUSER value from a true/false format to a 1/0 format.
Transforms ADDFAX:FAX values from structured format to string format.
Adds USERNAME:BAPIBNAME to the Queries style sheet (invokes the driver’s wildcard search functionality; see Section E.0, Using Wildcard Search Capabilities.)
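The field syntax described earlier (simple, structure and table fields) and the structured/string rules in the two lists above are easier to reason about with a runnable model. The Python below is an added example, not driver code or part of the original page: it splits schema-map field names, converts a LOCACTIVITYGROUPS structured value to the string form the Input Transform produces, converts a string back to structured form as the Output Transform does, and maps the LOCKUSER pseudo-attribute from true/false to 1/0. Assumptions: a structured XDS value is written as `<value type="structured">` with `<component name="...">` children (the authoritative layout is in Section C.0, which is not reproduced here); the table components used are SUBSYSTEM and ACTIVITYGROUP; the string form is SUBSYSTEM:ACTIVITYGROUP, consistent with the DirXML-sapLocRole sample values such as ADMCLNT100:SAP_EMPLOYEE; the sample add event is constructed.

```python
"""Python counterparts of the Input and Output Transform rules listed above,
so the structured/string round trip for a table field can be checked offline.

This is an added example, not driver code. Assumptions: a structured XDS
value is written as <value type="structured"><component name="...">...</component></value>
(the authoritative layout is in Section C.0); the LOCACTIVITYGROUPS components
used are SUBSYSTEM and ACTIVITYGROUP; the string form is
"SUBSYSTEM:ACTIVITYGROUP", matching sample values such as
ADMCLNT100:SAP_EMPLOYEE. The sample event below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

TABLE_COMPONENTS = ("SUBSYSTEM", "ACTIVITYGROUP")  # assumed component names


def split_field(spec: str) -> Tuple[Optional[str], str]:
    """Schema-map syntax: 'FIELD' is a simple field; 'GROUP:FIELD' is a structure
    or table field (both share the same syntax and differ only in what GROUP is)."""
    if ":" in spec:
        group, field = spec.split(":", 1)
        return group, field
    return None, spec


def structured_to_string(value: ET.Element) -> str:
    """Input Transform direction (shim -> eDirectory): structured value to 'A:B'."""
    comps = {c.get("name"): (c.text or "").strip() for c in value.findall("component")}
    return ":".join(comps.get(name, "") for name in TABLE_COMPONENTS)


def string_to_structured(text: str) -> ET.Element:
    """Output Transform direction (eDirectory -> shim): 'A:B' to a structured value.
    A value with no colon is rejected rather than silently mapped to an empty
    subsystem; "DRVCLNT100:" (empty role) is accepted."""
    if ":" not in text:
        raise ValueError(f"expected SUBSYSTEM:ACTIVITYGROUP, got {text!r}")
    parts = text.split(":", 1)
    value = ET.Element("value", {"type": "structured"})
    for name, content in zip(TABLE_COMPONENTS, parts):
        ET.SubElement(value, "component", {"name": name}).text = content
    return value


def lockuser_to_sap(text: str) -> str:
    """Output Transform: LOCKUSER pseudo-attribute true/false -> 1/0."""
    lowered = text.strip().lower()
    if lowered == "true":
        return "1"
    if lowered == "false":
        return "0"
    raise ValueError(f"unexpected LOCKUSER value {text!r}")


def input_transform(doc: ET.Element, attr_name: str = "LOCACTIVITYGROUPS") -> List[str]:
    """Rewrite every structured value of attr_name in an XDS event to string form,
    in place, and return the strings produced."""
    produced = []
    for holder in list(doc.iter()):
        if holder.get("attr-name") != attr_name:
            continue
        for value in holder.findall("value"):
            if value.get("type") != "structured":
                continue
            text = structured_to_string(value)
            for component in list(value):
                value.remove(component)
            value.set("type", "string")
            value.text = text
            produced.append(text)
    return produced


# Constructed Publisher add event as the shim might deliver it.
SAMPLE_ADD = """<add>
  <association>USdJSMITH</association>
  <add-attr attr-name="LOCACTIVITYGROUPS">
    <value type="structured">
      <component name="SUBSYSTEM">ADMCLNT100</component>
      <component name="ACTIVITYGROUP">SAP_EMPLOYEE</component>
    </value>
    <value type="structured">
      <component name="SUBSYSTEM">ADMCLNT500</component>
      <component name="ACTIVITYGROUP">SAP_ESSUSER</component>
    </value>
  </add-attr>
</add>"""


def demo() -> List[str]:
    """Apply the input transform to the sample, then check the output transform
    reproduces each string (the round trip both channels rely on)."""
    doc = ET.fromstring(SAMPLE_ADD)
    strings = input_transform(doc)
    for s in strings:
        assert structured_to_string(string_to_structured(s)) == s
    return strings


if __name__ == "__main__":
    print(split_field("ADDTEL:TELEPHONE"), split_field("LOCKUSER"))
    print(demo(), lockuser_to_sap("true"))
```

The round-trip check in `demo()` is the property to keep in mind when you add your own table mappings: whatever string form the Input Transform produces for a table name must be parsed back into the same components by the Output Transform, or a value that was merely read from SAP will be written back differently.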
The Publisher Placement policy is applied to an Add Object event document to determine the placement of the new object in the hierarchical structure of eDirectory.
The Placement policy places all User objects in an eDirectory container that you specify during installation. You can also change this location by using the Publisher User Placement Global Configuration Value (GCV).
The default driver configuration:
Appends <remove-association> to Delete events; it’s used in conjunction with the Publisher Command Transformation policy.
The Publisher Matching policy is applied to a Modify Object event document. Matching policies establish links between an existing entry in eDirectory and an existing entry in the SAP system. The Matching policy attempts to find an existing object that matches the object generating the event by the criteria specified in the policy.
The default driver checks for matches based on the sapUsername attribute. A fallback policy is also provided that checks for matches on the Given Name and Surname attributes.
The Publisher Create policy is applied when a new object is to be added to eDirectory. The default driver configuration:
Creates a User object (Surname and Given Name attributes are required)
Generates a unique CN based on Given Name and Surname attributes
Sets the initial account password on creation. Allows an administrator or user to reset or change passwords.
The Subscriber Matching policy is applied to a Modify Object event document. Matching policies establish links between an existing entry in the Identity Vault and an existing entry in the SAP system. The Matching policy attempts to find an existing object that matches the object generating the event by the criteria specified in the policy.
The default driver checks for matches based on the values of the Given Name, Surname, and sapUsername attributes.
If a matching query carries no association, the SAP system performs a full scan of the user table, which can delay the reply to the matching query considerably.
If the specified user name is known in SAP, adding an association value narrows the query to a single object. You can use the following Output Transformation rule to add the association:
<rule>
  <description>Add association value to matching queries</description>
  <conditions>
    <and>
      <if-operation op="equal">query</if-operation>
      <if-xpath op="not-true">association</if-xpath>
      <if-xpath op="true">search-attr[@attr-name="USERNAME:BAPIBNAME"]/value</if-xpath>
    </and>
  </conditions>
  <actions>
    <do-append-xml-element expression="." name="association"/>
    <do-append-xml-text expression="association">
      <arg-string>
        <token-text xml:space="preserve">USd</token-text>
        <token-upper-case>
          <token-xpath expression='search-attr[@attr-name="USERNAME:BAPIBNAME"]/value/text()'/>
        </token-upper-case>
      </arg-string>
    </do-append-xml-text>
  </actions>
</rule>
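The rule above is easier to verify when its conditions and actions are written out as ordinary code run over a query document. The Python below is an added example, not driver code or part of the original page: it mirrors the three conditions (operation is query, no association present, a USERNAME:BAPIBNAME search value exists) and the two actions (append an association element, fill it with USd plus the upper-cased user name). The USd prefix and upper-casing come from the rule on the page; the query documents and user names are constructed. The wildcard check is an addition beyond the page's rule, on the assumption that `*` is the wildcard character the driver's wildcard search uses: a wildcard search must not be pinned to a single association, or the query would target a non-existent object instead of scanning.

```python
"""The association-adding Output Transformation rule above, as plain Python
over an XDS <query> element so its conditions and effect can be checked
offline. Added example, not driver code. The 'USd' prefix and the
upper-casing follow the rule on the page; the query documents and user names
are constructed. The wildcard check is an addition beyond the page's rule and
assumes '*' is the wildcard character used by the driver's wildcard search."""
import xml.etree.ElementTree as ET
from typing import Optional

USERNAME_ATTR = "USERNAME:BAPIBNAME"
ASSOCIATION_PREFIX = "USd"  # from the rule on the page


def add_association(query: ET.Element) -> Optional[str]:
    """Mirror of the rule's conditions and actions. Returns the association text
    the query carries afterwards, or None if the query was left without one."""
    if query.tag != "query":                        # <if-operation op="equal">query
        return None
    existing = query.find("association")            # <if-xpath op="not-true">association
    if existing is not None:
        return (existing.text or "").strip() or None
    username = None                                 # <if-xpath op="true">search-attr[...]/value
    for sa in query.findall("search-attr"):
        if sa.get("attr-name") == USERNAME_ATTR:
            v = sa.find("value")
            if v is not None and (v.text or "").strip():
                username = v.text.strip()
                break
    if username is None:
        return None                                 # no user name: the shim will scan the user table
    if "*" in username:
        return None                                 # added check: never pin a wildcard search to one object
    assoc = ET.SubElement(query, "association")     # <do-append-xml-element expression="." name="association"/>
    assoc.text = ASSOCIATION_PREFIX + username.upper()  # <do-append-xml-text>: USd + upper-case name
    return assoc.text


def transform(xml_text: str) -> Optional[str]:
    """Parse a query document, apply the rule, return the resulting association."""
    return add_association(ET.fromstring(xml_text))


# Constructed matching queries.
QUERY_BY_NAME = """<query scope="subtree">
  <search-attr attr-name="USERNAME:BAPIBNAME"><value>jsmith</value></search-attr>
</query>"""

QUERY_ALREADY_SCOPED = """<query scope="entry">
  <association>USdJSMITH</association>
  <search-attr attr-name="USERNAME:BAPIBNAME"><value>jsmith</value></search-attr>
</query>"""

QUERY_WILDCARD = """<query scope="subtree">
  <search-attr attr-name="USERNAME:BAPIBNAME"><value>jsm*</value></search-attr>
</query>"""

if __name__ == "__main__":
    for q in (QUERY_BY_NAME, QUERY_ALREADY_SCOPED, QUERY_WILDCARD):
        print(transform(q))
```

Note that the rule only narrows the query; if the user name is not known in SAP the association points at nothing and the match simply fails, which is the intended result for a new user.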
The Subscriber Create policy is applied when a new object is to be created in the SAP system. The default driver configuration:
Ensures that the Surname and Given Name attributes are present.
Generates a unique CN based on the Given Name and Surname attributes.
Adds the sapUserType attribute with a value of A (a dialog user).
Sets the initial password (the driver can also set and manage persistent passwords in the SAP system.)
Sets a default sapRoles value of SAP_ESSUSER.
Sets a default sapProfiles value of SAP_NEW.
Adds the following sample DirXML-sapLocRole values: DRVCLNT100:, ADMCLNT100:SAP_EMPLOYEE, and ADMCLNT500:SAP_ESSUSER.
Adds the following sample DirXML-sapLocProfiles values: DRVCLNT100:, ADMCLNT100:SAP_ALL, and ADMCLNT500:SAP_NEW.