
www.sap.com

SAP Identity Management


Technical Documentation Template
Revision History

Version    Changed by / Created by    Changed at / Created at


TABLE OF CONTENTS

1 INTRODUCTION
1.1 Purpose and Scope
1.2 Generic Rules
1.2.1 Rules for new functions
1.2.2 Workflow diagrams
1.3 Naming Convention
1.4 Relationship to other documents
1.5 ACL internal IdM roles
2 ARCHITECTURE (D, Q, P)
3 DATA FLOW (ATTRIBUTES)
4 GENERIC CONFIGURATION
4.1 Operative Handling
4.1.1 Transport of configuration
4.1.2 Creation of new repositories
4.1.3 Specific customization in productive environment
4.2 Dispatcher
4.3 Structure of IdM Configuration
4.3.1 Identity Store
4.3.2 Job Folder
4.4 Configuration
4.4.1 No Master Tasks
4.4.2 Event Tasks
4.4.3 Attribute Eventing
4.5 Provisioning Framework
4.5.1 CORE Tasks
4.6 CONNECTORS
4.6.1 ABAP
4.6.2 JAVA
4.6.3 ADS
4.6.4 HANA
4.7 GRC Framework
4.7.1 AC Validation
4.7.2 AC Polling
4.8 Jobs
4.8.1 Initial Load Jobs
4.8.2 Update Jobs
4.8.3 Other Jobs
4.9 Other Jobs
4.9.1 Notification Jobs
4.9.2 General Jobs
5 USE CASES
5.1 User creation
5.2 Self Service
1 INTRODUCTION

1.1 Purpose and Scope


This document describes the full Identity Management configuration. It is not intended as a how-to guide; its purpose is to
document relationships and the technical logic.
1.2 Generic Rules
1.2.1 Rules for new functions
Every modification or development of a new function should be documented here. This is important to keep the document
up to date.
1.2.2 Workflow diagrams
If you want to work with workflow diagrams, you may use the existing Microsoft Visio file and add the new diagrams to
it. It is necessary to include a link which connects each diagram with the text of this document.
1.3 Naming Convention

Objects                         Naming Convention
Standard SAP scripts            sap*, custom_*
Standard SAP attributes         MX*
CUSTOMER specific scripts
CUSTOMER specific attributes

1.4 Relationship to other documents


Workflow_diagrams.vsd (Microsoft Visio File)
1.5 ACL internal IdM roles
2 ARCHITECTURE (D, Q, P)
3 DATA FLOW (ATTRIBUTES)
4 GENERIC CONFIGURATION

4.1 Operative Handling


4.1.1 Transport of configuration
4.1.2 Creation of new repositories
4.1.3 Specific customization in productive environment
4.1.3.1 UI Tasks
4.2 Dispatcher
4.3 Structure of IdM Configuration
4.3.1 Identity Store
Screenshot and description of the different folders
4.3.2 Job Folder
Screenshot and description of the different folders
4.4 Configuration
4.4.1 No Master Tasks
4.4.1.1 Description
Task name:

Location of task:
4.4.1.2 Relevant custom attributes, constants, scripts, variables, entry types

Custom scripts:
4.4.2 Event Tasks
Every repository uses the following event tasks:
- MX_ADD_MEMBER_TASK
- MX_DEL_MEMBER_TASK
- MX_MODIFYTASK
4.4.3 Attribute Eventing
4.4.3.1 Add/Delete Event on Attribute CUSTOMER_<RepName>_ACCOUNT

4.4.3.1.1 Description
Name of the task:
Handle_CUSTOMER_XXX_ACCOUNT

Location of the task:

This task is responsible for creating users in SAP systems.

4.4.3.1.2 Workflow
1. Event on attribute CUSTOMER_<RepName>_ACCOUNT
2. Event Task Handle_CUSTOMER_ACCOUNT
3. Check Repository Type
4. Check User Exists (Source IdM)
5. Assign Account Privilege

4.4.3.1.3 Workflow diagram


IdM_Workflow.vsd Tab Handle_CUSTOMER_ACCOUNT

4.4.3.1.4 Relevant custom attributes, constants, scripts, variables, entry types

Custom attributes:

Custom Scripts:
4.5 Provisioning Framework
4.5.1 CORE Tasks
4.5.1.1 Provisioning
Name of task:
Provisioning
Location of task:
Uses the modified standard provision task, which is set in the repository constant
MX_ADD_MEMBER_TASK and inherited by the account privilege. The modification
consists of setting the account attribute.

4.5.1.2 Deprovisioning

4.5.1.2.1 Description
Name of task:
Deprovisioning

Location of task:

4.5.1.3 Modify

4.5.1.3.1 Description

Name of task:
Modify

Location of task:

4.6 CONNECTORS
4.6.1 ABAP
4.6.1.1 MX_HOOK1_TASK Create ABAP User

4.6.1.1.1 Description

Name of task:
1. Create ABAP User

Location of task:

This plugin task is responsible for the modification of the ABAP user and is linked to an ABAP repository.

4.6.1.1.2 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:
Custom attributes:
Global Constants:

4.6.1.2 MX_HOOK2_TASK Modify ABAP User

4.6.1.2.1 Description

Name of task:
2. Modify ABAP User

Location of task:

This plugin task is responsible for the modification of the ABAP user and is linked to an ABAP repository.
4.6.1.2.2 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:
Custom attributes:
Global Constants:

4.6.1.3 MX_HOOK3_TASK Delete ABAP User

4.6.1.3.1 Description

Name of task:
3. Deactivate ABAP User

Location of task:

This plugin is responsible for the deletion of the ABAP user. This implementation doesn't use the standard and doesn't delete the
user in the backend and delete repository-specific attributes.

4.6.1.3.2 Relevant custom attributes, constants, scripts, variables, entry types

Custom attributes:

4.6.1.4 MX_HOOK4_TASK Assign User Membership to ABAP

4.6.1.4.1 Description

Name of task:
4. Assign User Membership to ABAP

Location of task:

This plugin task is responsible for assigning ABAP roles or privileges to users, with or without delta provisioning depending on
the ABAP version.

4.6.1.4.2 Workflow

4.6.1.4.3 Workflow diagram

4.6.1.4.4 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:
Repository Constants:

4.6.1.5 MX_HOOK5_TASK Revoke User Membership to ABAP

4.6.1.5.1 Description

Name of task:
5. Revoke User Membership to ABAP

Location of task:

This plugin task is responsible for assigning ABAP roles or privileges to users, with or without delta provisioning depending on
the ABAP version.

4.6.1.5.2 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:
Repository Constants:

4.6.1.6 MX_HOOK6_TASK_Enable_ABAP_User

4.6.1.6.1 Description

Name of task:
6. Enable_ABAP_User

Location of task:

This plugin task is responsible for enabling the user in the ABAP backend and uses a repository-specific attribute.

4.6.1.6.2 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:
Custom attributes:

4.6.1.7 MX_HOOK7_TASK Disable ABAP User

4.6.1.7.1 Description

Name of task:
7. Disable ABAP User

Location of task:

This plugin task is responsible for disabling the user in the ABAP backend and uses a repository-specific attribute.

4.6.1.7.2 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:
Custom attributes:

4.6.1.8 MX_HOOK8_TASK Set ABAP User Password

4.6.1.8.1 Description

Name of task:
8. Set ABAP User password

Location of task:

This plugin task sets a new initial password, removes the password lock and unlocks the user.

4.6.1.8.2 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:

4.6.2 JAVA
4.6.3 ADS
4.6.4 HANA
4.7 GRC Framework

The standard configuration of the GRC integration is implemented and extended for different features.
4.7.1 AC Validation

4.7.1.1 Description

Name of task:
AC Validation

Location of task:

4.7.1.2 Workflow

4.7.1.3 Workflow diagram

4.7.1.4 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:
Custom Attributes:
Custom Stored Procedures:
Global Constants:

4.7.2 AC Polling
4.7.2.1 Description

Name of task:
AC Polling
Location of task:

4.7.2.2 Workflow

1. Read status from GRC via VDS
2. Set context variable GRCSTATUS
3. Decline or approve roles in IdM

4.7.2.3 Workflow diagram

4.7.2.4 Relevant custom attributes, constants, scripts, variables, entry types

Custom Scripts:

4.8 Jobs
4.8.1 Initial Load Jobs
4.8.2 Update Jobs
4.8.3 Other Jobs
4.9 Other Jobs
4.9.1 Notification Jobs
4.9.2 General Jobs
5 Use Cases

5.1 User creation


5.2 Self Service
