
SAP NetWeaver® Identity Management Identity Center Tutorial

- Working with roles and privileges

Version 7.0 Rev 2

© Copyright 2008 SAP AG. All rights reserved. SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, Excel, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. 
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Preface
The product
SAP NetWeaver Identity Center is a high-end identity management solution, capable of handling a large amount of repositories containing an unlimited amount of information. The Identity Center offers a robust, flexible and scalable high-availability solution for workflow, provisioning, data synchronization and joining for a large number of data repositories. The Identity Center provides a framework for a number of jobs.

The reader
This manual is written for people who need an introduction to the workflow module of the SAP NetWeaver Identity Management Identity Center and the managing of roles and privileges.

Prerequisites
To get the most benefit from this manual, you should have the following knowledge:
General knowledge about the Identity Center and job definitions, for instance as described in SAP NetWeaver Identity Management Identity Center Getting Started and SAP NetWeaver Identity Management Identity Center Tutorial: Basic Synchronization.
General knowledge about provisioning and task definitions as described in SAP NetWeaver Identity Management Identity Center Tutorial – Provisioning.
Knowledge of Microsoft SQL Server or Oracle.

The following software is required:
SAP NetWeaver Identity Management Identity Center version 7.0 or newer must be correctly installed and licensed.
An Identity Center where at least one dispatcher has been configured and is running.
An Identity Center Workflow web interface configured for this Identity Center and identity store.

The data source used in this tutorial (hr.csv) is included with the installation. The file is located in the \Tutorial\Data source directory. In this tutorial the default installation folder is used, which is C:\Program Files\SAP\IdM\Identity Center.

The manual
The manual is a tutorial giving an introduction to the privileges, roles and workflow functions of the Identity Center. This tutorial is not a substitution for training. Person names used in this tutorial are fictional.


Related documents
You can find useful information in the following documents:
SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft SQL Server/Oracle)
SAP NetWeaver Identity Management Identity Center Getting Started
SAP NetWeaver Identity Management Identity Center Tutorial: Basic Synchronization
SAP NetWeaver Identity Management Identity Center Tutorial – Provisioning

Table of contents
Introduction
  Roles and role-based provisioning
  The identity store
  Workflow
  Access control on tasks
  Use cases
  Tasks, roles and privileges
  The data source
  The data flow and the task structure
  Preparations
  Section overview
Section 1: Creating the identity store
  Adding the identity store
  Configuring the identity store
Section 2: Building the identity store
  Defining a repository definition for the data source
  Reading the source data into the identity store
  Verifying the contents of the identity store
  Enabling the delta
Section 3: Creating the privileges
  Creating folders for privileges
  Defining repository definitions for folders
  Creating the privileges
Section 4: Creating the provisioning tasks
  Creating global JScript GetMskeyvalueFromPriv
  Creating the provisioning tasks for the Building repository definition
  Creating the provisioning tasks for the Project repository definition
  Testing the tasks
  Defining tasks on the repository definitions
Section 5: Creating the Workflow tasks
  Creating the folder
  Adding the Workflow tasks
Section 6: Creating the roles
  Starting the Workflow web interface
  Creating the roles
  Adding the privileges
  Building the role hierarchy
  Assigning roles/privileges to identity store entries
Section 7: Use case Physical access control
Section 8: Use case Project resources
  Direction of the privilege inheritance
  Building the role hierarchy
  Adding the privilege and implementing the reverse inheritance direction
  Provisioning to project folder
Section 9: Deleting roles

Introduction
The purpose of this tutorial is to give an introduction to managing and assigning roles and privileges, and the Workflow web interface of the SAP NetWeaver Identity Management Identity Center. The tutorial shows how to create roles and privileges, and how to define mechanisms for assigning these to identity store entries using Workflow. The privileges and provisioning tasks are created directly in the Identity Center user interface. We create Workflow tasks to create roles and manage the roles and privileges.

Roles and role-based provisioning
When implementing a provisioning solution, you can use two different provisioning mechanisms:

Role-based provisioning: The Identity Center supports the use of roles to assign privileges to users. A role hierarchy can be defined, where each role can be assigned any number of privileges. By assigning one or more roles to a user, a privilege is assigned and thereby also the required provisioning, to grant access or set other information in the required applications. When roles are removed from a user, de-provisioning will ensure that the privileges are removed. The use of temporary roles is also supported for cases where a role should be assigned for a limited time. A role can be defined with a time limit, and when this time limit is reached, the account is automatically de-provisioned.

Rule-based provisioning: Some users need privilege assignments which do not easily fit into the roles. These can be assigned by defining rules. If a user entry matches a given set of rules, the necessary provisioning is done automatically for this user.

Normally, only a limited number of roles should be defined, and these should be used to handle 80% of the privilege assignments. To handle the remaining 20%, rules should be the preferred method, although direct assignments are also possible.

In this tutorial, we illustrate role-based provisioning.

The identity store
The identity store is used to hold any types of entries. Entry types are used to group these entries. In this tutorial, the following entry types are used:

MX_PERSON: A person entry with attributes describing a person, such as first name, last name, telephone number, e-mail address etc. In addition, it can be assigned to any number of roles and privileges.

MX_PRIVILEGE: A privilege entry type that defines a privilege to a given resource, for instance access in a given system. A user can be assigned any number of privileges, either directly or as a result of roles having privileges. Assigning and removing privileges can automatically start tasks to perform provisioning and de-provisioning.

MX_ROLE: Roles can be created as a hierarchy, each role having a number of privileges. Assigning a role to a user automatically assigns all the privileges of the role to the user. In addition, any child roles and privileges are assigned to the user.

Workflow
The Identity Center's Workflow is designed and configured through a feature-rich graphical user interface and is tightly integrated with the identity store. A workflow is started every time a provisioning request is initiated. The Identity Center Workflow can be used to:
Collect identity information from the specific individuals.
Enforce single- or multi-stage approvals from authorized personnel.
Generate notifications to designated users when manual actions need to be performed, or report the outcome of completed tasks.
Execute new workflow tasks (such as notifications and escalation) when pre-defined timeouts are reached.

Access control on tasks
The Identity Center Workflow module is based on executing tasks. Who is allowed to execute which tasks is controlled by the task access control that can be set individually on each task. The access control consists of two components:
Who is allowed to execute the task.
On which entries can the task be executed.

When defining who can execute a task, it is possible to define one of the following:
Anonymous, which means that the user doesn't have to be logged in to be able to execute the task (the task will usually appear on the log-in site).
Logged-in user or identity store entry (usually a person, but it could be a privilege, a role or a dynamic group as well), meaning that the task can be executed on the given user, all users with the given privilege or all users with the given role.
Referral, where the access is given through a referral via an attribute specified with the "Referral attribute" field. The task is available to all users who are referred to by the given referral attribute.

When defining on which (on behalf of which) entries a task can be executed, the following options can be used:
Everybody.
User or identity store entry/self service – a given user, privilege or role. The MSKEYVALUE of the entry is used for identification.
Filter – a filter (typically an SQL statement) can be used to define a set of entries on behalf of which the task can be executed.

Also note that multiple access control rules can be defined in each task.

Use cases
Two use cases are used in this tutorial – one modeling the physical access control in a building (workplace), and the other modeling a development project group with access to common (or role-specific) project resources.

Physical access control
This use case models a workplace (building) where users (employees) are given access rights to building areas based on their job role. The model is kept as simple as possible. We take the following into consideration:
All employees need access to the building (access right to a main entrance).
The IT personnel need access to the server room.
The administration staff needs access to the company's archive room.
The manager needs access to all the building areas mentioned above.

Based on the information above, four roles are defined for this use case: ROLE:Employee, ROLE:IT, ROLE:Adm and ROLE:Manager. The defined privileges are PRIV:MainEntrance, PRIV:ServerRoom and PRIV:ArchiveRoom, which give the user access rights to the main entrance, the server room and the archives respectively.

Project resources
This use case models a typical development project group, where all group members are given access to the resources needed for the project. The resources used by the project group could be a project archive (physical or non-physical), software, domain or other tools. To keep it simple, the project group members need access to only one project resource in this scenario. The resource is a non-physical project archive. The access to the project archive is given to users by the privilege PRIV:ProjectArchive (the only privilege defined for this use case). Six roles are defined for the use case: ROLE:Developer, ROLE:HeadDeveloper, ROLE:Tester, ROLE:TestLeader, ROLE:Doc and ROLE:ProjectLeader.

Tasks, roles and privileges
The following Workflow tasks are defined to create/manage roles and privileges:

Create role: This task is used to create roles in the identity store. MSKEYVALUE is used to identify the roles and the typical value could be ROLE:Employee.
Edit role properties: This task is used to manage the roles – to modify some information about the role. Here we can build the hierarchy by adding child roles and we can assign/connect privileges to the role. You can add new or remove existing role members.
Assign role: This task is used to assign a role to a user.
Delete role: This task is used to delete a role.
Edit privilege properties: This task is primarily used to edit the privilege inheritance direction. It is also possible to add/remove role references and add a short description of the privilege.

In addition. but inherits the privilege PRIV:ProjectArchive from the role ROLE:ProjectLeader. #Building_Deprovisioning #Project_Provisioning #Project_Deprovisioning We define ten roles in this tutorial: ROLE:Employee ROLE:IT ROLE:Adm This role gives the privilege PRIV:MainEntrance. This role inherits the privilege PRIV:ProjectArchive from ROLE:ProjectLeader. it inherits the privilege PRIV:MainEntrance from its child role ROLE:Employee. It has one child role – ROLE:Developer. . ROLE:Developer gives no privileges on its own. The task contains the shell execute pass Delete file from building folder which deletes the previously created file from the building folder. This task is referenced from the Project repository definition using the attribute MX_DEPROVISIONTASK. The task contains the shell execute pass Add file to project folder which creates a file containing the timestamp of when a privilege is assigned to user and provisions it to the project folder. and has no child roles but it is a child role itself. it inherits the privilege PRIV:MainEntrance from its child role ROLE:Employee. and thus inherits the privileges PRIV:MainEntrance. It has one child role – ROLE:Tester. This role inherits the privilege PRIV:ProjectArchive from ROLE:ProjectLeader. a file will be created (containing the timestamp of when the privilege was assigned to the user) and provisioned to the respective folder: #Building_Provisioning This task is referenced from the Building repository definition using the attribute MX_PROVISIONTASK. ROLE:Manager ROLE:Developer ROLE:HeadDeveloper This role inherits the privilege PRIV:ProjectArchive from ROLE:ProjectLeader. Every time a user is given a particular privilege. This role gives the privilege PRIV:ArchiveRoom. ROLE:Tester ROLE:TestLeader ROLE:Tester gives no privileges on its own. but inherits the privilege PRIV:ProjectArchive from the role ROLE:ProjectLeader. In addition. 
This task is referenced from the Building repository definition using the attribute MX_DEPROVISIONTASK. PRIV:ServerRoom and PRIV:ArchiveRoom. This role has two child roles – ROLE:IT and ROLE:Adm. The task contains the shell execute pass Add file to building folder which creates a file containing the timestamp of when a privilege is assigned to user and provisions it to the building folder. one for provisioning and one for de-provisioning of users for the two repository definitions Building and Project.6 Introduction SAP NetWeaver Identity Management Identity Center Tutorial .Working with roles and privileges Four provisioning tasks are also created. This task is referenced from the Project repository definition using the attribute MX_PROVISIONTASK. and is a child role itself. and is a child role itself. This role gives the privilege PRIV:ServerRoom. All rights reserved. ROLE:Doc © Copyright 2008 SAP AG. The task contains the shell execute pass Delete file from project folder which deletes the previously created file from the project folder.

7 Introduction SAP NetWeaver Identity Management Identity Center Tutorial . Four privileges are defined in this tutorial: PRIV:MainEntrance PRIV:ServerRoom PRIV:ArchiveRoom This privilege gives the users the right to access the building (main entrance). The privilege gives the user access to the archive. ROLE:TestLeader and ROLE:HeadDeveloper. © Copyright 2008 SAP AG. PRIV:ProjectArchive This privilege gives the project members access to common (nonphysical) project archive. The privilege gives the user access to the server room. . Often given to IT personnel. It gives the privilege PRIV:ProjectArchive. Often given to the administration staff. All rights reserved.Working with roles and privileges ROLE:ProjectLeader This role has three child roles – ROLE:Doc.
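The two use cases above rely on two different inheritance directions: in the building case a parent role such as ROLE:Manager collects the privileges of its child roles (bottom-up, the default), while in the project case the child roles of ROLE:ProjectLeader receive PRIV:ProjectArchive from their parent (top-down, the reverse direction that Section 8 configures). The following Python script is an added example that is not part of the tutorial or of the Identity Center product; it models the ten roles and four privileges listed above as plain dictionaries (the data structures, the `"bottom-up"`/`"top-down"` labels and all function names are assumptions) and resolves the effective privileges of a role, of a user, and the privileges to de-provision when a role is removed.

```python
from collections import deque

# Role hierarchy from the tutorial: parent role -> its child roles.
CHILD_ROLES = {
    "ROLE:Manager": ["ROLE:IT", "ROLE:Adm"],
    "ROLE:IT": ["ROLE:Employee"],
    "ROLE:Adm": ["ROLE:Employee"],
    "ROLE:Employee": [],
    "ROLE:ProjectLeader": ["ROLE:Doc", "ROLE:TestLeader", "ROLE:HeadDeveloper"],
    "ROLE:HeadDeveloper": ["ROLE:Developer"],
    "ROLE:TestLeader": ["ROLE:Tester"],
    "ROLE:Doc": [],
    "ROLE:Developer": [],
    "ROLE:Tester": [],
}

# Privileges assigned directly to a role (the "gives the privilege" statements).
ROLE_PRIVILEGES = {
    "ROLE:Employee": {"PRIV:MainEntrance"},
    "ROLE:IT": {"PRIV:ServerRoom"},
    "ROLE:Adm": {"PRIV:ArchiveRoom"},
    "ROLE:ProjectLeader": {"PRIV:ProjectArchive"},
}

# The inheritance direction is a property of the privilege (edited with the
# "Edit privilege properties" task). Labels are an assumption of this example:
# "bottom-up" = ancestor roles inherit it, "top-down" = descendant roles inherit it.
PRIVILEGE_DIRECTION = {
    "PRIV:MainEntrance": "bottom-up",
    "PRIV:ServerRoom": "bottom-up",
    "PRIV:ArchiveRoom": "bottom-up",
    "PRIV:ProjectArchive": "top-down",
}


def _reachable(start, edges):
    """All roles reachable from start by following edges (start itself excluded).
    The visited set also protects against accidental cycles in the hierarchy."""
    seen, queue = set(), deque(edges.get(start, ()))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(edges.get(role, ()))
    return seen


def _parent_map(child_roles):
    """Invert the parent -> children map into child -> parents."""
    parents = {}
    for parent, children in child_roles.items():
        for child in children:
            parents.setdefault(child, []).append(parent)
    return parents


def effective_privileges(role, directions=PRIVILEGE_DIRECTION):
    """Privileges a role grants: its own, plus inherited ones by direction."""
    privs = set(ROLE_PRIVILEGES.get(role, ()))
    # Bottom-up: a role inherits the bottom-up privileges of all its descendants.
    for other in _reachable(role, CHILD_ROLES):
        privs |= {p for p in ROLE_PRIVILEGES.get(other, ()) if directions[p] == "bottom-up"}
    # Top-down (reverse): a role inherits the top-down privileges of all its ancestors.
    for other in _reachable(role, _parent_map(CHILD_ROLES)):
        privs |= {p for p in ROLE_PRIVILEGES.get(other, ()) if directions[p] == "top-down"}
    return privs


def user_privileges(roles, direct_privileges=()):
    """Everything a user holds, through roles or by direct assignment."""
    privs = set(direct_privileges)
    for role in roles:
        privs |= effective_privileges(role)
    return privs


def privileges_to_deprovision(old_roles, new_roles, direct_privileges=()):
    """Privileges whose de-provisioning task must run when the role set changes.
    A privilege is only removed when no remaining role or direct assignment still grants it."""
    return user_privileges(old_roles, direct_privileges) - user_privileges(new_roles, direct_privileges)


if __name__ == "__main__":
    for role in CHILD_ROLES:
        print(f"{role:<22} {sorted(effective_privileges(role))}")
    print("remove ROLE:IT from [IT, Adm] ->",
          sorted(privileges_to_deprovision(["ROLE:IT", "ROLE:Adm"], ["ROLE:Adm"])))
```

Running the script prints the privilege set of each role, which matches the role descriptions above, and shows that removing ROLE:IT from a user who also holds ROLE:Adm de-provisions PRIV:ServerRoom only, because PRIV:MainEntrance is still granted through ROLE:Adm. Passing a modified `directions` map to `effective_privileges` (for example with PRIV:ProjectArchive set to `"bottom-up"`) shows the difference Section 8 describes: ROLE:Developer then grants nothing, and only ROLE:ProjectLeader keeps the privilege.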

The data source
The data source used in this tutorial, an ASCII file hr.csv, is included with the installation. The file is located in the \Tutorial\Data source directory. In this tutorial the default installation folder is used, which is C:\Program Files\SAP\IdM\Identity Center. The ASCII file hr.csv holds the basic information about the person objects (people in the organization). This file contains the following attributes:
EmployeeID
LastName
FirstName
Title
Dep (department)
Location

The data flow and the task structure
The following diagram illustrates the data flow that we are going to implement in this tutorial:

[Diagram: data flow from hr.csv through the job Employees to Identity store into the identity store, with the provisioning task structures for the Building and Project repositories]

There is a job (Employees to Identity store) that reads the data from the source file hr.csv and updates the entries in the identity store. The entry type for these entries is MX_PERSON. We create four privileges (PRIV:MainEntrance, PRIV:ServerRoom, PRIV:ArchiveRoom and PRIV:ProjectArchive) that we can assign to the entries. The privileges contain links to the repository definitions, which again contain links to the tasks that are executed when the privilege is assigned or removed. The task structure is shown in the illustration above. There are separate task structures for each of the target repositories (the folders building and project).

Preparations
Before you proceed with the tutorial, there are a couple of things that must be specified.

Defining a global constant
To be able to reference the files created in this tutorial in a uniform way, we create a global constant containing the path to the directory where the target repositories for the files (folders building and project) are to be placed:
1. Select the "Global constants" entry in the console tree and choose New/Constant… from the context menu (right-click the entry to open the context menu):
2. Specify the name of the constant and the directory where the folders are to be stored. Make sure that the directory actually exists (create the folder Tutorial). Choose "OK" to close the dialog box.

Specifying the system log level
To be able to view the log information shown in this tutorial, you must make sure that the log level for the system log is set to "Info". If necessary, change the log level and choose "Apply".

Section overview
The tutorial consists of the following sections:

Section 1: Creating the identity store
  This section describes how to create the identity store and enable it for workflow.
Section 2: Building the identity store
  In this section we are going to read the contents of the file hr.csv into the identity store.
Section 3: Creating the privileges
  This section shows how to create the privileges.
Section 4: Creating the provisioning tasks
  This section describes how to create the tasks responsible for provisioning and de-provisioning of users.
Section 5: Creating the Workflow tasks
  This section shows how to create the Workflow tasks.
Section 6: Creating the roles
  In this section we create roles by executing the Workflow tasks created in the previous section, using the Workflow interface.
Section 7: Use case Physical access control
  In this section we learn how to assign roles and their privileges to a user.
Section 8: Use case Project resources
  This section introduces the reverse privilege inheritance direction (top-down inheritance direction). The section shows the difference between the bottom-up and top-down inheritance direction of the privileges and how to implement reverse inheritance.
Section 9: Deleting roles
  In this section we learn how to delete roles we previously created.

Section 1: Creating the identity store
This section describes how you create and initialize the identity store.

Adding the identity store
First, we create the identity store.
1. Select the entry "Identity stores" in the console tree, and choose New/Identity store… from the context menu to start the Identity store wizard. Choose "Next >".
2. Enter a name for the identity store. Disable the automatic attribute creation. This option is used to control what happens when an attribute which does not exist, or an attribute which is not defined as a legal attribute on an entry type, is written to the identity store. If "Automatically create new attributes" is enabled, the new attribute is created and added to the entry type. If the option is disabled, an error is returned.
3. We will use the MX_PERSON entry type, so we do not need any additional entry types. Choose "Next >".
4. Choose "Next >" and then "Finish" to complete the wizard. The new Identity Store is created and added to the console tree:

Configuring the identity store
To configure the identity store:
1. Select the "PrivRoles" identity store in the console tree and select the "Workflow" tab:
2. Select "Identity store" as the authentication method. Select "MX_PERSON" in the "Entry type" field.
3. Choose "Add user…". This is necessary to be able to log into the workflow.
4. Fill in a user name and password you will use to log in to the Workflow interface. Choose "OK". Choose "Apply".

Section 2: Building the identity store
In this section we are going to read the contents of the source file hr.csv into the identity store.

Defining a repository definition for the data source
A repository definition is used to hold constants and variables which are common for one data source (repository). The repository constants can be accessed from the context menu in the same way as global constants.
1. Start the repository wizard by selecting the "Repositories" entry in the console tree, and choosing New/Repository… from the context menu. Choose "Next >".
2. Select "File" as the repository template. Choose "Next >".
3. Name the repository definition Employees. Choose "Next >".
4. Fill in the file name. To do this, click inside the "File name" field and the "…" button will appear. Choose the "…" button.
5. Navigate to and select the file hr.csv. Choose "Open".
6. Choose "Next >".
7. Choose "Next >", and then "Finish" to insert the new repository definition.

Reading the source data into the identity store
We have now created a repository definition for the hr.csv file and defined an identity store that we can use when creating the job which will read the source data to the identity store. This job will contain two passes, one to read the source (ASCII) file hr.csv into the temporary table (tutorial_employees), and another to read from this table into the identity store, and then remove the missing people from the identity store. This must be done in a single job. The reason is that the first pass will delete the temporary table every time it executes, and then fill it with the data from the hr.csv file. If the second pass was a separate job (which could then be run asynchronously from the first), it could start just when the table was deleted or just partly filled.

Creating the folder and job
First, we are going to create a folder for the jobs in the tutorial, and the job definition for this job.
1. Create a folder called "PrivRoles job folder" that can be used to hold the jobs. Select the Identity Center's entry in the console tree and choose New/Folder… from the context menu to create the folder.
2. Create a job by selecting the folder's entry and choosing New/Empty job from the context menu.
3. Modify the name of the job in the console tree. Enable the job and select a dispatcher. Choose "Apply".

Reading the source file

First, we will create the pass that reads the source (hr.csv) file:

1. Select the job in the console tree and choose New/From ASCII file from the context menu.
2. Enter Read Employees as the name of the pass in the console tree. Select the "Source" tab and fill in the following:
   Repository: Select "Employees" in the "Repository" list.

   File name: Use the context menu to insert the repository constant %$rep.FILENAME% that refers to the file name.
   Header line: Make sure that "Header line" is selected.
   Field separator: Enter a comma (,) as the field separator.
3. Select the "Destination" tab and fill in the fields with the following values:
   Database: Use the context menu to insert the system parameter %$ddm.identitycenter% that refers to the Identity Center database.
   Table name: Enter tutorial_employees as the table name.
   Note: Do not use a hyphen in table names, as this will cause problems with some database drivers.
   Definitions: Choose "Insert template" and select "Data source template" to create the pass definitions.
4. Choose "Apply".

Running the job

At this point, we are ready to test the pass. Run the job by viewing the job properties and choosing "Run now". View the job log to verify that the job ran successfully, and that a number of entries have been processed.

Updating the identity store

The next step is to create the pass that writes the data to the identity store:

1. Select the "Read Employees" pass and choose New/To Identity store from the context menu, then select the "Source" tab. Modify the pass name in the console tree.
   Database: Use the context menu to insert the system parameter %$ddm.identitycenter%.
   SQL statement: Enter the SQL statement that selects all rows from the table created in the previous pass (SELECT * FROM tutorial_employees).

2. Select the "Destination" tab:
   Identity store: Select the "PrivRoles" identity store.
   Entry type: Select the entry type "MX_PERSON".
   Definitions: Choose "Insert template" and select "Data source template" to insert the definitions for the pass. Modify the definition to use the attributes from the entry type. You can use the context menu to find the destination attributes. Give the attribute MSKEYVALUE the EmployeeID values, and add the attribute DISPLAYNAME constructed from the employee's first and last name (as shown above).
3. Choose "Apply".

Running the job

Run the job and open the job log to verify that 50 entries were added (100 entries processed).

Verifying the contents of the identity store

If everything has gone well, the identity store should now contain all entries from the hr.csv file.

1. Start the Monitoring web interface.
   Note: Make sure that the Monitoring web interface is configured for the Identity Center you are using.
   Note: Login to Monitoring is limited to <prefix>_user. This user is by default set to mxmc_user, but can be configured in config.xml (and needs to be configured by those using a database with a prefix other than <mxmc>). To configure the login user, insert the following line into the config.xml file: <databaseuser>%PREFIX%_user</databaseuser>.
2. Choose "Identity store" in the menu.

3. Select the "PrivRoles" identity store and then "Search" to return all entries in the identity store.
4. Verify that the entries are present in the identity store.

Enabling the delta

We now have two working passes. The next step is to ensure that only modified entries in the data source are written to the identity store. The delta mechanism must be enabled on the "To Identity store" pass (Employees to ID store) of the "Employees to Identity store" job.

1. Select the "Employees to ID store" pass and select the "Delta" tab. Fill in the fields with the following values:
   Enable delta: Select this check box to enable delta on this pass.
   Delta database: Use the context menu to insert the system parameter %$ddm.identitycenter% to specify that you want to use the Identity Center database for the delta database.
   Delta identifier: Enter Employees_to_IDStore as the delta identifier. This must be unique within one delta database.
   Delta key: This is automatically filled in with the value from the first line of the definitions on the "Destination" tab.
   Skip unchanged entries and Mark for deletion: Make sure that both "Skip unchanged entries" and "Mark for deletion" are selected.
2. Choose "Apply".

Run the job a couple of times and view the job log. You can observe that the first time the job is run after the delta is enabled, 50 entries are modified, while the next time, the job detects that the entries are unmodified.

Note: The count is the total for the job, including the entries handled by the "Read Employees" pass. These entries are always included in the "Add" column, as no delta has been defined for this pass.

Section 3: Creating the privileges

In this section you will learn how to create privileges. The privileges that need to be created are:
PRIV:MainEntrance
PRIV:ServerRoom
PRIV:ArchiveRoom
PRIV:ProjectArchive

The focus in this tutorial is to show the principles and mechanisms of working with roles and privileges, and not so much the configuration of the external systems. In a production system, these privileges would create and delete users or grant or revoke access rights in target systems.

Creating folders for privileges

Before creating privileges, create folders where users with the given privilege will be provisioned to. These folders will function as target repositories for the provisioning data. So when a user is given a particular privilege, a file will be created (containing the timestamp of when the privilege was assigned to the user) and provisioned to the respective folder.

We create the folder building where the users assigned the privileges PRIV:MainEntrance, PRIV:ServerRoom and PRIV:ArchiveRoom are provisioned to, and the folder project where the users with the privilege PRIV:ProjectArchive are provisioned to. Go to C:\Tutorial (the directory which we created a global constant for) and create the two folders.

Defining repository definitions for folders

Here we will create the repository definitions Building and Project for the two target folders building and project. To create repository definitions for the folders building and project, do the following:

1. Start the repository wizard by selecting the "Repositories" entry in the console tree, and choosing New/Repository… from the context menu.
2. Select "Generic repository" as the repository template. Choose "Next".

3. Name the repository definition Building. Choose "Next >".
4. Choose "Next >", and then "Finish" to insert the new repository definition.
5. Expand the "Building" entry (under Management\Repositories) in the console tree, select "Constants" and choose New/Constant… from the context menu.
6. Specify the name of the constant and the directory where the target repository (folder) is stored. Use the context menu to insert the constant %$glb.TUTORIAL_PATH%. Choose "OK" to close the dialog box and insert the constant.
7. Repeat the same procedure to define the repository definition for the project folder. Name the repository definition Project and define a constant PATH with the value %$glb.TUTORIAL_PATH%\project.

Creating the privileges

The target folders and their repository definitions are defined and we can now add the privileges:

1. Select "Identity store metadata\Privileges" under your identity store in the console tree and choose New/Privilege… from the context menu.
2. Fill in the following:
   Name: Enter the name of the privilege.
   Repository: Select the correct repository definition for this privilege. For the PRIV:ProjectArchive privilege, select Project in the "Repository" field. By adding the repository reference to the privilege, you could re-use the tasks for other privileges controlling other folders.
   Choose "OK" to close the dialog box and insert the new privilege.
3. Repeat the process for the privileges PRIV:ServerRoom, PRIV:ArchiveRoom and PRIV:ProjectArchive.

Section 4: Creating the provisioning tasks

In this section, the tasks for provisioning and de-provisioning of users are created. It is also shown how you define these on the repository definitions Building and Project created in the previous section.

To easily identify the tasks we use the following syntax:
#<Repository name>_<Operation>
For instance:
#Building_Provisioning
#Building_Deprovisioning

Before the provisioning tasks are created, the Java script GetMskeyvalueFromPriv used by the provisioning tasks needs to be defined.

Creating global JScript GetMskeyvalueFromPriv

When a user is given a particular privilege, a file will be created (containing the timestamp of when the privilege was assigned to the user) and provisioned to the respective folder. The name of the file has the following naming convention:
<MSKEYVALUE of the provisioned user>-<cleaned MSKEYVALUE of the privilege>.txt
For instance:
3001-PRIV_MainEntrance.txt

The cleaned MSKEYVALUE of the privilege is the MSKEYVALUE where the colon (":") is replaced by the underscore ("_") – for MSKEYVALUE "PRIV:MainEntrance" the cleaned MSKEYVALUE will be "PRIV_MainEntrance". The reason is that it is not possible to use the colon (":") in a file name.

The global Java script GetMskeyvalueFromPriv is used by the provisioning tasks to obtain the cleaned MSKEYVALUE of the privilege assigned to the user. To create the script, do the following:

1. Go to Management\Global scripts and select "JScript" in the console tree. Choose New/Script… from the context menu.
2. Name the script "GetMskeyvalueFromPriv". Choose "OK".
3. Define the following script (you can copy and paste the script below and replace the template definition):

// Main function: GetMskeyvalueFromPriv
// --- This function returns the MSKEYVALUE of the privilege which caused this task
// to execute.
// --- First get the AuditID which is currently executing, then the change values,
// which hold the MSKEY of the privilege that was added (or removed), and finally
// the value of the attribute MSKEYVALUE for that entry.
// Some UserFunc.uErrMsg calls are included for debugging. Remove the comment "//"
// before these calls to get the information in the log file.
function GetMskeyvalueFromPriv()
{
   // --- Get the audit ID of the currently executing task.
   AuditID = UserFunc.uGetAuditID();
   // UserFunc.uErrMsg(1, "AuditID:" + AuditID);

   // --- Then get which values were changed.
   // This returns "<Attribute name>:<OPERATION>.<New value>!!<Old value>"
   ChangeValues = UserFunc.uGetChangeValues("!!", AuditID);
   // UserFunc.uErrMsg(1, "ChangeValues:" + ChangeValues);

   // --- No values returned. We're probably just doing a test.
   if (ChangeValues == "")
   {
      return "TestRun";
   }

   // --- Split the returned value so that we get the MSKEY.
   temp = ChangeValues.split(".");
   Values = temp[1].split("!!");
   // UserFunc.uErrMsg(1, "Values (New/Old):" + Values[0] + "/" + Values[1]);

   // --- If the privilege was deprovisioned, its MSKEY is in the old value (Values[1]).
   // The native JScript string length is used here to test for an empty new value.
   Val0len = Values[0].length;
   // UserFunc.uErrMsg(1, "Length of Values[0]:" + Val0len);
   if (Val0len < 1)
   {
      PrivAssignedMSKEY = Values[1];
   }
   else
   {
      PrivAssignedMSKEY = Values[0];
   }

   // --- Got the MSKEY of the privilege, now get its MSKEYVALUE.
   PrivMSKEYVALUE = UserFunc.uIS_GetValue(PrivAssignedMSKEY, 0, "MSKEYVALUE");

   // --- Replace ":" with "_" to make it "file-name friendly".
   PrivMSKEYVALUEclean = UserFunc.uReplaceString(PrivMSKEYVALUE, ":", "_");
   // UserFunc.uErrMsg(1, "Returning MSKEYVALUE:" + PrivMSKEYVALUEclean);

   return PrivMSKEYVALUEclean;
}

4. Choose "OK" and the global script is added.

Creating the provisioning tasks for the Building repository definition

Here we create the tasks for provisioning and de-provisioning to the Building repository definition.

Creating a folder for the Building tasks

First create a folder that will be used for the tasks:

Note: When creating a new identity store, a folder "Provisioning folder" is added to the identity store. Instead of creating a new folder for provisioning to the Building repository definition, you could also rename the already existing folder.

1. Select the "PrivRoles" identity store and choose New/Folder… from the context menu. Enter Building provisioning folder as the name for the folder.

2. Deselect "Show folder in workflow" as the tasks in this folder should not be displayed in the workflow. Choose "Apply".
3. Choose "OK". The folder is included in the console tree.


Adding the task #Building_Provisioning
This task will create a file in the building folder. The contents of the file are the date and time when the user was provisioned.

Note: This is given as an example only; there are no checks for illegal characters in the file name, which is built from the user's MSKEYVALUE and the cleaned privilege name.

To create the task "#Building_Provisioning":

1. Select the folder you just created and choose New/Action task/Empty job from the context menu. Rename this task to #Building_Provisioning. Select the Building repository definition in the "Repository" field.
2. Choose "Apply".


3. Select the job in the console tree:

Modify the job name in the console tree. Modify the job properties:
   Enabled: Select this check box to enable the job to be run by a dispatcher.
   Run by dispatchers: Select a dispatcher that should be responsible for running this job.
4. Choose "Apply".


5. Select "Script" in the console tree (under the job), then choose New/Link global script and select "GetMskeyvalueFromPriv" to establish the link to the global script GetMskeyvalueFromPriv.

6. Select the job and choose New/Shell execute to create a pass in the console tree.

In the "Destination" tab add the following line to the definitions (you can use the context menu to insert the constants/attributes/scripts or copy and paste the line below):
cmd /c echo Privilege assigned %$ddm.date% %$ddm.time% > "%$rep.PATH%\%MSKEYVALUE%-$FUNCTION.GetMskeyvalueFromPriv(???)$$.txt"

7. Choose "Apply".
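As an added example (not code from the SAP tutorial), the following Node.js model re-implements what the global script GetMskeyvalueFromPriv does and builds the file name used by the Shell execute pass above, adding the character check that the note for this task says is missing. The change-value layout, the numeric MSKEYs and the PRIVILEGE_BY_MSKEY lookup table are constructed assumptions standing in for the UserFunc calls of the Identity Center.

```javascript
// Constructed stand-in for UserFunc.uIS_GetValue(mskey, 0, "MSKEYVALUE"):
// maps a privilege MSKEY to its MSKEYVALUE. Values are made up for this example.
const PRIVILEGE_BY_MSKEY = {
  "4711": "PRIV:MainEntrance",
  "4712": "PRIV:ServerRoom",
  "4713": "PRIV:Archive/Room", // constructed: a value that is not file-name safe
};

// Mirrors the tutorial script's split of the string returned by
// uGetChangeValues: "<Attribute name>:<OPERATION>.<New value>!!<Old value>".
// An assignment carries the privilege MSKEY in the new value, a removal in the
// old value. An empty string means a test run with no change values.
function parseChangeValues(changeValues) {
  if (changeValues === "") {
    return null;
  }
  const dot = changeValues.indexOf(".");
  if (dot < 0) {
    throw new Error("unexpected change value format: " + changeValues);
  }
  const [newValue, oldValue = ""] = changeValues.slice(dot + 1).split("!!");
  const assigned = newValue.length > 0;
  return { mskey: assigned ? newValue : oldValue, assigned: assigned };
}

// The tutorial's cleaning rule: ":" cannot be used in a file name, so
// "PRIV:MainEntrance" becomes "PRIV_MainEntrance".
function cleanMskeyvalue(mskeyvalue) {
  return mskeyvalue.replace(/:/g, "_");
}

// Same contract as the global script: "TestRun" when nothing changed,
// otherwise the cleaned MSKEYVALUE of the privilege that triggered the task.
function getMskeyvalueFromPriv(changeValues, lookup = PRIVILEGE_BY_MSKEY) {
  const change = parseChangeValues(changeValues);
  if (change === null) {
    return "TestRun";
  }
  const mskeyvalue = lookup[change.mskey];
  if (mskeyvalue === undefined) {
    throw new Error("no privilege with MSKEY " + change.mskey);
  }
  return cleanMskeyvalue(mskeyvalue);
}

// Only characters that are safe inside the quoted path of the Shell execute
// command line. The tutorial's task performs no such check; this example does.
const SAFE_FILE_NAME = /^[A-Za-z0-9_.-]+$/;

function isSafeFileName(name) {
  return SAFE_FILE_NAME.test(name) && !name.startsWith(".");
}

// File name per the tutorial convention:
// <MSKEYVALUE of the user>-<cleaned MSKEYVALUE of the privilege>.txt
// Both parts come from identity store data, so the whole name is validated
// before it is handed to a command line.
function provisioningFileName(userMskeyvalue, cleanedPrivMskeyvalue) {
  const name = userMskeyvalue + "-" + cleanedPrivMskeyvalue + ".txt";
  if (!isSafeFileName(name)) {
    throw new Error("refusing to build unsafe file name: " + name);
  }
  return name;
}
```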

Adding the task #Building_Deprovisioning

This task will delete the file created by the #Building_Provisioning task. To create the task "#Building_Deprovisioning":

1. Select the folder Building provisioning folder and choose New/Action task/Empty job from the context menu. Rename this task to #Building_Deprovisioning. Select the Building repository definition in the "Repository" field.
2. Choose "Apply".
3. Select the job in the console tree:

Modify the job name in the console tree. Modify the job properties:
   Enabled: Select this check box to enable the job to be run by a dispatcher.
   Run by dispatchers: Select a dispatcher that should be responsible for running this job.
4. Choose "Apply".
5. Select "Script" in the console tree (under the job), then choose New/Link global script and select "GetMskeyvalueFromPriv" to establish the link to the global script GetMskeyvalueFromPriv.
6. Select the job and choose New/Shell execute to create a pass in the console tree. In the "Destination" tab add the following line to the definitions (you can use the context menu to insert the constants/attributes/scripts or copy and paste the line below):
cmd /c Del "%$rep.PATH%\%MSKEYVALUE%-$FUNCTION.GetMskeyvalueFromPriv(???)$$.txt"
7. Choose "Apply".

Creating the provisioning tasks for the Project repository definition

Here we create the tasks for provisioning and de-provisioning to the Project repository definition.

Creating a folder for the Project tasks

First create a folder that will be used for the tasks:

1. Select the "PrivRoles" identity store and choose New/Folder… from the context menu. Enter Project provisioning folder as the name for the folder.
2. Deselect "Show folder in workflow" as the tasks in this folder should not be displayed in the workflow. Choose "Apply".
3. Choose "OK". The folder is included in the console tree.

Adding the task #Project_Provisioning

This task is similar to the task "#Building_Provisioning" created previously. Thus, we can copy this task from the folder Building provisioning folder to Project provisioning folder:

1. Copy the #Building_Provisioning task into the Project provisioning folder.
2. Select the task in the console tree. Rename this task to #Project_Provisioning. Select the Project repository definition in the "Repository" field.
3. Choose "Apply".

4. Select the job in the console tree. Modify the job name in the console tree. Modify the job properties:
   Enabled: Select this check box to enable the job to be run by a dispatcher.
   Run by dispatchers: Select a dispatcher that should be responsible for running this job.
5. Choose "Apply".
6. Select the pass in the console tree. Modify the pass name in the console tree.

Adding the task #Project_Deprovisioning

This task is similar to the task "#Building_Deprovisioning" created previously. Thus, we can copy this task from the folder Building provisioning folder to Project provisioning folder:

1. Copy the #Building_Deprovisioning task into the Project provisioning folder.
2. Select the task in the console tree. Rename this task to #Project_Deprovisioning. Select the Project repository definition in the "Repository" field.
3. Choose "Apply".

4. Select the job in the console tree. Modify the job name in the console tree. Modify the job properties:
   Enabled: Select this check box to enable the job to be run by a dispatcher.
   Run by dispatchers: Select a dispatcher that should be responsible for running this job.
5. Choose "Apply".
6. Select the pass in the console tree. Modify the pass name in the console tree.

Testing the tasks

You are now ready to test the tasks created:
#Building_Provisioning
#Building_Deprovisioning
#Project_Provisioning
#Project_Deprovisioning

Note: Make sure that the dispatcher is running. You should also make sure to first test the tasks #Building_Provisioning and #Project_Provisioning, before testing the tasks #Building_Deprovisioning and #Project_Deprovisioning. Also make sure to use the same MSKEYVALUE when testing the provisioning and de-provisioning tasks. This makes it easier to observe that files are first added and then removed from their respective target folders.

First, you need to find the MSKEYVALUE of an entry in the identity store that we can use for the test. We have already assigned the employee ID to the MSKEYVALUE and you can use any of these.

Test the task:

1. Select the "#Building_Provisioning" task in the console tree and choose "Test provisioning task…" from the context menu. Enter the MSKEYVALUE of one of the entries in the identity store. Choose "OK".
2. View the log as the dispatcher processes the tasks.
3. Choose "Close" to close the dialog box.

View the contents of the folder to verify that the entry has been created. Following the same procedure, you can now test the tasks #Building_Deprovisioning, #Project_Provisioning and #Project_Deprovisioning.

Troubleshooting

If any problems should occur during the execution, you can check some of the following:
- Verify that the dispatcher is running and that it is enabled for provisioning jobs.
- Verify that the job has been defined for the given dispatcher.
- Verify that all tasks and jobs are enabled.
- View the logs.
  System log: Verify that the dispatcher has requested the given job.
  Job log: View any error messages in the job log to see if you can find the cause of the problem.

If you need more logging info from a specific job, you can specify a different log file name for the job in the "Logging" tab of the job properties. You can also deselect the check box "Reset output file" to avoid overwriting the log file each time the job is run. This can be useful when debugging a provisioning job that may be run several times in sequence.

If you need to investigate a job more thoroughly, you can create a specific dispatcher and increase the log level in the dispatcher's .prop file. Specify that the job is to be run by this specific dispatcher. Make sure that the dispatcher is not running. To run the job, start the dispatcher from the command line with the following command:
dispatcher_service_<dispatcher name> test runonce
The job will then be run once and a detailed log file will be created.

Defining tasks on the repository definitions

In this section we add links to the provisioning and de-provisioning tasks on the repository definitions Building and Project.

Defining tasks on the repository definition Building

To define links on the repository definition Building, do the following:

1. View the constants of the Building repository definition under "Repositories" in the console tree.
2. Before creating the constant MX_PROVISIONTASK, which will reference the provisioning task from the repository definition, make sure that you have the correct Task ID for the provisioning task #Building_Provisioning.

Note: The Task ID is displayed in the "Task ID/Name" field of the task's "Options" tab, as shown in the picture below (circled in red).

3. Select "Constants" in the console tree and choose New/Constant… from the context menu.
4. Enter "MX_PROVISIONTASK" as the name of the repository constant (the name of the constant must be MX_PROVISIONTASK with the exact same casing). Enter the correct Task ID for the provisioning task "#Building_Provisioning", in this case "1". Choose "OK" to add the new constant to the repository definition.
5. Following the same procedure, add the repository constant "MX_DEPROVISIONTASK" (the name of the constant must be MX_DEPROVISIONTASK with the exact same casing) with its correct value (here "3"). This will define a link to the de-provisioning task "#Building_Deprovisioning".

Now we have defined links to the provisioning and de-provisioning tasks on the Building repository definition. This will give the following result:

Defining tasks on the repository definition Project

To define the provisioning and de-provisioning tasks on the repository definition Project, follow the same procedure as for the repository definition Building described above.

Section 5: Creating the Workflow tasks

To be able to define and manage roles and role assignments through the Workflow interface, the necessary tasks must be created. We will create the following five Workflow tasks:
Create role – this task is used to create new roles.
Edit role properties – this task is used to edit the role hierarchy by adding child roles and privileges to a role. The task is also used to change the role name and it is possible to add a short description of the role.
Assign role – this task is used to add members to a role.
Delete role – this task deletes the role.
Edit privilege properties – this task is primarily used to edit the privilege inheritance direction. It is also possible to add/remove role references and add a short description of the privilege.

Creating the folder

Before creating the Workflow tasks, create a separate folder for them:

1. Select the "PrivRoles" identity store in the console tree and choose New/Folder… from the context menu. Enter "Workflow" as the name for the folder.
2. Choose "OK". The folder is included in the console tree:

Select "Automatically expand folder" to specify that the tasks in this folder are automatically displayed when you log on to the Workflow interface. Choose "Apply".

Adding the Workflow tasks

The folder is now created and the next step is to create the Workflow tasks.

Adding the "Create role" task

To define the task Create role, do the following:

1. Select the "Workflow" folder and choose New/Unordered task group from the context menu. Modify the task name in the console tree. Select "Show on welcome page".
2. Select "This task creates a new entry".
3. Select the "Attributes" tab. Select "MX_ROLE" as entry type and configure the attributes for the task as displayed above. Choose "Apply".
4. Select the "Access control" tab and choose "Add…". Select "Logged-in user or identity store entry" in the "Allow access for" list.
5. Enter the name of the identity store user you added previously (admin). You might use "Check name" to ensure that the name you entered is correct and exists. Choose "OK". This allows the "admin" user to create new roles. The resulting access control is displayed in the details pane:
6. Choose "Apply".

Adding the "Edit role properties" task

The task Edit role properties is used to add child roles and privileges to a role. The task is also used to change the role name and it is possible to add a short description of the role. To define the task Edit role properties, do the following:

1. Select the "Workflow" folder and choose New/Unordered task group from the context menu. Modify the task name in the console tree. Select "Show on welcome page".

2. Select the "Attributes" tab. Select "MX_ROLE" as entry type and configure the attributes for the task as displayed above.
3. Choose "Apply".
4. Select the "Access control" tab and define access for the admin user as done for the previous task (Create role).
5. Choose "Apply".

Adding the "Assign role" task

The task Assign role is used to add members to a role. To define the task Assign role, do the following:

1. Select the "Workflow" folder and choose New/Unordered task group from the context menu. Modify the task name in the console tree. Select "Show on welcome page".
2. Select the "Attributes" tab:

Select "MX_PERSON" as entry type and configure the attributes for the task as displayed above. Selecting "List in search result" for the DISPLAYNAME attribute will result in the person's name showing in the Workflow search list, in addition to MSKEYVALUE (which is the employee ID).
3. Choose "Apply".
4. Select the "Access control" tab and define access for the admin user as done for the previous tasks.
5. Choose "Apply".

Adding the "Delete role" task

To define the task Delete role, do the following:

1. Select the "Workflow" folder and choose New/Unordered task group from the context menu. Modify the task name in the console tree. Select "Show on welcome page".

2. Select the "Attributes" tab: Select "MX_ROLE" as entry type and configure the attributes for the task as displayed above.
3. Choose "Apply".
4. Select the "Access control" tab and define access for the admin user as done for the previous tasks.
5. Choose "Apply".

To be able to actually delete a role, it is necessary to create a separate action task and job for doing this.

6. Select the task and choose New/Action task/Empty job from the context menu. The task and the job are inserted in the console tree.
7. Select the job in the console tree: Enable the job and select the dispatcher to run the job.
8. Choose "Apply".

9. Select the job and choose New/To Identity store from the context menu. In the "Destination" tab do the following:
   - Select "-- Self --" in the "Identity store" field.
   - Select the MX_ROLE entry type in the "Entry type" field. This is to optimize the export/import.
   - Modify the definitions as shown above (add MSKEYVALUE and changeType). Use the context menu to insert these.
10. Choose "Apply".

Adding the "Edit privilege properties" task
The last of the five Workflow tasks that we create in this tutorial is the "Edit privilege properties" task. It is primarily used to edit the privilege inheritance direction, but it is also possible to add/remove role references and add a short description of the privilege. To define the task Edit privilege properties, do the following:

1. Select the "Workflow" folder and choose New/Unordered task group from the context menu. Modify the task name in the console tree. Select "Show on welcome page".

2. Select the "Attributes" tab: Select "MX_PRIVILEGE" as entry type and configure the attributes for the task as displayed above.
3. Choose "Apply".
4. Select the "Access control" tab and define access for the admin user as done for the previous tasks.
5. Choose "Apply".

All Workflow tasks are now created. The next step is to create the roles using the Workflow user interface.

Section 6: Creating the roles
You can now create roles using the Workflow tasks. The following roles will be created:

ROLE:Employee
ROLE:IT
ROLE:Adm
ROLE:Manager
ROLE:Tester
ROLE:TestLeader
ROLE:Developer
ROLE:HeadDeveloper
ROLE:Doc
ROLE:ProjectLeader

Starting the Workflow web interface
Note: Make sure the Workflow web interface is configured for the Identity Center you are using.

We will now start the Workflow web interface:

1. Start the Workflow web interface from the "Start" menu (All Programs/SAP NetWeaver Identity Management/Identity Center Workflow).
2. Choose "Login" in the menu to the left. Fill in user name and password.

3. Choose "Login". You are now logged in as admin-user and are able to execute the Workflow tasks.

Creating the roles
In the Workflow web interface, create the role ROLE:Employee and the rest of the roles mentioned above:

1. Choose "Create role" in the list of available tasks.
2. Enter "ROLE:Employee" as the role's unique ID (and a short description of the role if you wish).
3. Choose "OK" to create the role. You return to a task list. When the task completes successfully, the progress indicator turns green.

Note: You might have to press the "Refresh" button before the progress indicator turns green. If the indicator still doesn't turn green, check that your dispatcher is running.

Repeat this until you have created all roles.

In the Identity Center user interface (Identity store metadata\Roles), you can observe the roles you just created:

Section 7: Use case Physical access control
This use case models a workplace (building) where users (employees) are given access rights to building areas based on their job role. In previous sections, you have created both the privileges and the roles needed. In this use case, you will learn how to use the created Workflow tasks to do the following:

- Build the role hierarchy.
- Add the link between the roles and the privileges.
- Assign roles, and thereby privileges, to the identity store entries.

Building the role hierarchy
To build the role hierarchy for the Physical access control use case, do the following:

1. In the Workflow web interface, choose "Edit role properties" in the list of available tasks:

2. Choose "Search". This will list all roles available.

3. Select the role "ROLE:Adm".
4. Choose "…" to define child roles.
5. Choose "Search" to list all roles.

6. Choose the "Add" button to the left of ROLE:Employee to add the role to the child role list.
7. Choose "OK". The role ROLE:Employee is added as the child role of the role ROLE:Adm.
8. Choose "OK" to confirm and complete the task. You return to a task list. When the task completes successfully, the progress indicator turns green.

9. Repeat the steps for the other roles to complete the hierarchy:

   Role name      Defined child roles
   ROLE:IT        ROLE:Employee
   ROLE:Manager   ROLE:Adm, ROLE:IT

In the Identity Center (Identity store metadata\Roles), you can observe the role hierarchy you just built:

Adding the privileges
To add privileges to the roles, do the following:

1. Choose "Edit role properties" in the list of available tasks and select "ROLE:Employee" from the list of available roles:
2. Choose "…" to assign privileges and then choose "Search" to list all privileges.

3. Choose the "Add" button to the left of the privilege PRIV:MainEntrance.
4. Choose "OK". The privilege PRIV:MainEntrance is added to the role ROLE:Employee.
5. Choose "OK" to confirm and complete the task. You return to a task list. When the task completes successfully, the progress indicator turns green.
6. Repeat the steps for the other roles:
   - To the ROLE:IT role, add the privilege PRIV:ServerRoom.
   - To the ROLE:Adm role, add the privilege PRIV:ArchiveRoom.

Assigning roles/privileges to identity store entries
The necessary tasks and mechanisms are implemented and ready. We can now assign roles and privileges to, and remove them from, the entries in the identity store (provisioning and deprovisioning).

Provisioning to building folder
Assigning the roles ROLE:Employee, ROLE:IT, ROLE:Adm or ROLE:Manager to users will result in provisioning to the building folder. To assign roles and privileges, do the following:

1. In the Workflow web interface, choose "Assign role" from the list of available tasks.
2. Choose "Search" to list all identity store entries. They are listed with their MSKEYVALUE and display name.

3. Find and select "3001".
4. Choose "…" to define role(s) and then choose "Search" to list all roles available.

5. Add the role "ROLE:Employee".
6. Choose "OK".
7. Choose "OK" to complete the task and assign the role. You return to a task list. When the task completes successfully, the progress indicator turns green.

Now you can open the building folder and observe that the user "3001" is given the privilege PRIV:MainEntrance and provisioned to the folder.

8. Repeat the process for the other roles provisioning to the building folder:

   Entry "3002"   ROLE:IT
   Entry "3003"   ROLE:Adm
   Entry "3004"   ROLE:Manager

The result is the following:

- Entry "3002" has two privileges: PRIV:ServerRoom from the role ROLE:IT and PRIV:MainEntrance inherited from the role ROLE:Employee.
- Entry "3003" has two privileges: PRIV:ArchiveRoom from the role ROLE:Adm and PRIV:MainEntrance inherited from the role ROLE:Employee.
- Entry "3004" has three privileges, all inherited from the roles lower in the hierarchy: PRIV:MainEntrance inherited from the role ROLE:Employee, PRIV:ServerRoom inherited from the role ROLE:IT and PRIV:ArchiveRoom inherited from the role ROLE:Adm.

This will provision entries to the building folder:

De-provisioning from building folder
Removing the assigned role(s) from the user, and thus removing the (inherited) privilege(s), will result in de-provisioning from the building folder. To remove assigned role(s), do the following:

1. In the Workflow web interface, choose "Assign role" from the list of available tasks. Choose "Search" to list all identity store entries.

2. Select one of the entries you previously assigned a role to, entry "3001" for instance.
3. Choose "…" to change the role membership. Choose "Search" under "Assignments" (on the right side of the pane) to list all roles this entry is already a member of.

4. Remove the role ROLE:Employee (choose to do so).
5. Choose "OK".
6. Choose "OK" to confirm and complete the task, which will remove the link between the user and the role, and thus remove the privilege PRIV:MainEntrance. You return to a task list. When the task completes successfully, the progress indicator turns green.


Now open the building folder and observe that the user was de-provisioned (removed) from the folder.



Section 8: Use case Project resources
This use case models a typical development project group, where all group members are given access to the resources needed for the project. The use case introduces reverse privilege inheritance direction (top-down inheritance direction) – you learn the difference between the bottom-up and top-down inheritance direction of the privileges and how to implement reverse inheritance.

Direction of the privilege inheritance
The privileges are by default inherited upwards in the hierarchy, from the roles lower in the hierarchy (bottom-up). But it is also possible for privileges to be inherited top-down (reverse). The use case Physical access control, with its roles ROLE:Manager, ROLE:IT, ROLE:Adm and ROLE:Employee and the privileges PRIV:MainEntrance, PRIV:ServerRoom, and PRIV:ArchiveRoom, illustrates the normal privilege inheritance direction (bottom-up). The role ROLE:Manager inherits privileges from its child roles, so the members of this role will have all the three privileges mentioned.

The use case Project resources, however, illustrates the reverse privilege inheritance direction (top-down). The privilege PRIV:ProjectArchive, assigned to the role ROLE:ProjectLeader, will be inherited downwards by all the child roles in the tree until every role member has the privilege.


Building the role hierarchy
Using the Workflow tasks, build the role hierarchy for this use case:

Use the same procedure as when building the role hierarchy for the use case Physical access control (Section 7, "Building the role hierarchy", shown on page 66).

Adding the privilege and implementing the reverse inheritance direction
Since the bottom-up privilege inheritance direction is the default, we need to make an explicit change to the privilege inheritance properties after adding a privilege to a role in order to obtain the reverse privilege inheritance. To add the privilege PRIV:ProjectArchive to the role ROLE:ProjectLeader and implement the reverse inheritance, do the following:

1. In the Workflow web interface, choose "Edit privilege properties" from the list of available tasks.


2. Choose "Search" to list all privileges available.
3. Select "PRIV:ProjectArchive".

4. Choose "…" to define the role with reverse inheritance and choose "Search" to list all roles available.
5. Choose the "Add" button to the left of the role ROLE:ProjectLeader.

6. Choose "OK".
7. Choose "OK" to confirm and complete the task. You return to a task list. When the task completes successfully, the progress indicator turns green.

Now you have implemented the reverse inheritance direction of the privilege PRIV:ProjectArchive. Assigning any of the roles in this hierarchy to users will give the user the privilege PRIV:ProjectArchive.

Provisioning to project folder
Assigning any of the roles ROLE:Tester, ROLE:TestLeader, ROLE:Developer, ROLE:HeadDeveloper, ROLE:Doc or ROLE:ProjectLeader to users will result in provisioning to the project folder. Use the same procedure as when provisioning users in the use case Physical access control, shown on page 73. Do the following assignments:

   Entry "3005"   ROLE:Tester
   Entry "3006"   ROLE:TestLeader
   Entry "3007"   ROLE:Developer
   Entry "3008"   ROLE:HeadDeveloper
   Entry "3009"   ROLE:Doc
   Entry "3010"   ROLE:ProjectLeader

This will provision the following to the project folder:

Section 9: Deleting roles
To delete a role, you must:

1. In the Workflow web interface, choose "Delete role" from the list of available tasks. Choose "Search" to list all roles.

2. Select the role "ROLE:ProjectLeader" (you can select any role to delete, but here we select the role "ROLE:ProjectLeader").
3. Choose "OK" to confirm and complete the task, which will delete the role. You return to a task list.

Deleting the role ROLE:ProjectLeader will also delete the privilege given to the role. This results in de-provisioning of all users that lost the privilege (all users that were added in the previous section):
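The following Python model is added here as an example; it is not part of the SAP tutorial and does not talk to an Identity Center database. It reproduces the privilege resolution behind Sections 7, 8 and 9 so the stated results can be checked: bottom-up inheritance (members of a role also get the privileges of every role below it, which is why entry "3004" ends up with three privileges), top-down inheritance (PRIV:ProjectArchive flows down from ROLE:ProjectLeader to every role under it), provisioning to a folder driven by the effective privileges, the de-provisioning when a role assignment is removed, and the cascade when a role is deleted. The roles, privileges and entries 3001 to 3010 are the tutorial's; the project role tree (ROLE:ProjectLeader above ROLE:HeadDeveloper, ROLE:TestLeader and ROLE:Doc, with ROLE:Developer under ROLE:HeadDeveloper and ROLE:Tester under ROLE:TestLeader), the privilege-to-folder mapping and all class and function names are assumptions made for this example, since the tutorial's hierarchy diagram for Section 8 is not in the text.

```python
# Added example, not SAP code: a model of Identity Center role hierarchies,
# privilege inheritance direction and the provisioning that follows from it.

BOTTOM_UP = "bottom-up"  # default: a role's members also get the privileges of its child roles
TOP_DOWN = "top-down"    # reverse: members of the child roles also get the parent's privilege


class IdentityStore:
    def __init__(self):
        self.children = {}    # role -> set of child roles
        self.privileges = {}  # role -> {privilege: inheritance direction}
        self.members = {}     # entry MSKEYVALUE -> set of assigned roles
        self.folder_of = {}   # privilege -> folder it provisions to (assumed mapping)

    def add_role(self, role):
        self.children.setdefault(role, set())
        self.privileges.setdefault(role, {})

    def add_child_role(self, parent, child):
        self.add_role(parent)
        self.add_role(child)
        self.children[parent].add(child)

    def add_privilege(self, role, priv, folder, direction=BOTTOM_UP):
        self.add_role(role)
        self.privileges[role][priv] = direction
        self.folder_of[priv] = folder

    def assign_role(self, entry, role):
        self.members.setdefault(entry, set()).add(role)

    def remove_role(self, entry, role):
        self.members.get(entry, set()).discard(role)

    def delete_role(self, role):
        # Section 9: deleting a role drops its privilege references and its memberships.
        self.children.pop(role, None)
        self.privileges.pop(role, None)
        for kids in self.children.values():
            kids.discard(role)
        for roles in self.members.values():
            roles.discard(role)

    def _closure(self, role, step):
        # All roles reachable from `role` (excluding itself) by repeating `step`.
        seen, todo = set(), [role]
        while todo:
            for nxt in step(todo.pop()):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def descendants(self, role):
        return self._closure(role, lambda r: self.children.get(r, ()))

    def ancestors(self, role):
        return self._closure(role, lambda r: {p for p, kids in self.children.items() if r in kids})

    def effective_privileges(self, entry):
        # Direct privileges of each member role, plus bottom-up ones from the roles
        # below it and top-down ones from the roles above it.
        privs = set()
        for role in self.members.get(entry, ()):
            privs |= set(self.privileges.get(role, {}))
            for r in self.descendants(role):
                privs |= {p for p, d in self.privileges[r].items() if d == BOTTOM_UP}
            for r in self.ancestors(role):
                privs |= {p for p, d in self.privileges[r].items() if d == TOP_DOWN}
        return privs

    def provisioned_folders(self, entry):
        # An entry is provisioned to every folder that one of its effective privileges targets.
        return {self.folder_of[p] for p in self.effective_privileges(entry)}


def build_tutorial_store():
    ids = IdentityStore()
    # Section 7 hierarchy and privileges, as given in the tutorial.
    ids.add_child_role("ROLE:Adm", "ROLE:Employee")
    ids.add_child_role("ROLE:IT", "ROLE:Employee")
    ids.add_child_role("ROLE:Manager", "ROLE:Adm")
    ids.add_child_role("ROLE:Manager", "ROLE:IT")
    ids.add_privilege("ROLE:Employee", "PRIV:MainEntrance", "building")
    ids.add_privilege("ROLE:IT", "PRIV:ServerRoom", "building")
    ids.add_privilege("ROLE:Adm", "PRIV:ArchiveRoom", "building")
    # Section 8 tree: ASSUMED for this example, the tutorial's diagram is not in the text.
    for parent, child in [("ROLE:ProjectLeader", "ROLE:HeadDeveloper"),
                          ("ROLE:ProjectLeader", "ROLE:TestLeader"),
                          ("ROLE:ProjectLeader", "ROLE:Doc"),
                          ("ROLE:HeadDeveloper", "ROLE:Developer"),
                          ("ROLE:TestLeader", "ROLE:Tester")]:
        ids.add_child_role(parent, child)
    ids.add_privilege("ROLE:ProjectLeader", "PRIV:ProjectArchive", "project", TOP_DOWN)
    # Role assignments from Sections 7 and 8 (entry MSKEYVALUE -> role).
    for entry, role in {"3001": "ROLE:Employee", "3002": "ROLE:IT", "3003": "ROLE:Adm",
                        "3004": "ROLE:Manager", "3005": "ROLE:Tester", "3006": "ROLE:TestLeader",
                        "3007": "ROLE:Developer", "3008": "ROLE:HeadDeveloper",
                        "3009": "ROLE:Doc", "3010": "ROLE:ProjectLeader"}.items():
        ids.assign_role(entry, role)
    return ids
```

Calling build_tutorial_store() and then effective_privileges() for entries "3001" to "3004" returns exactly the privilege sets listed for the building folder in Section 7, and for "3005" to "3010" the single privilege PRIV:ProjectArchive of Section 8. remove_role("3001", "ROLE:Employee") reproduces the de-provisioning step of Section 7 (provisioned_folders("3001") becomes empty), and delete_role("ROLE:ProjectLeader") reproduces the cascade of this section: the privilege reference disappears with the role, so every project entry loses PRIV:ProjectArchive while the building entries are unaffected.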