Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Documentation Updates
• Conventions

What's New in Oracle Identity Manager Connector for SAP User Management?

• Software Updates
• Documentation-Specific Updates

1 About the Connector

• 1.1 Certified Components
• 1.2 Certified Languages
• 1.3 Connector Architecture
• 1.4 Features of the Connector
  • 1.4.1 Support for Both SAP R/3 and SAP CUA
  • 1.4.2 Mapping Standard and Custom Attributes for Reconciliation and Provisioning
  • 1.4.3 SoD Validation of Entitlement Requests
  • 1.4.4 Full and Incremental Reconciliation
  • 1.4.5 Limited (Filtered) Reconciliation
  • 1.4.6 Batched Reconciliation
  • 1.4.7 Enabling and Disabling Accounts
  • 1.4.8 Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts
  • 1.4.9 SNC Communication Between the Target System and Oracle Identity Manager
  • 1.4.10 Specifying Accounts to Be Excluded from Reconciliation and Provisioning Operations
  • 1.4.11 Configuring Password Changes for Newly Created Accounts
  • 1.4.12 Specifying the SAP JCo Trace Level
  • 1.4.13 Connection Pooling
  • 1.4.14 Specifying the Use of a Logon Group on the Target System for Connector Operations
  • 1.4.15 Transformation and Validation of Account Data
• 1.5 Lookup Definitions Used During Connector Operations
  • 1.5.1 Lookup Definitions Synchronized with the Target System
  • 1.5.2 Preconfigured Lookup Definitions
• 1.6 Connector Objects Used During Reconciliation
  • 1.6.1 User Attributes for Reconciliation
  • 1.6.2 Reconciliation Rules
    • 1.6.2.1 Reconciliation Rule
    • 1.6.2.2 Viewing Reconciliation Rules in the Design Console
  • 1.6.3 Reconciliation Action Rules
    • 1.6.3.1 Reconciliation Action Rules for Reconciliation
    • 1.6.3.2 Viewing Reconciliation Action Rules in the Design Console
• 1.7 Connector Objects Used During Provisioning
  • 1.7.1 User Provisioning Functions
  • 1.7.2 User Attributes for Provisioning
• 1.8 Roadmap for Deploying and Using the Connector

2 Deploying the Connector

• 2.1 Preinstallation
  • 2.1.1 Preinstallation on Oracle Identity Manager
    • 2.1.1.1 Files and Directories on the Installation Media
    • 2.1.1.2 Determining the Release Number of the Connector
    • 2.1.1.3 Creating a Backup of the Existing Common.jar File
  • 2.1.2 Preinstallation on the Target System
    • 2.1.2.1 Creating a Target System User Account for Connector Operations
    • 2.1.2.2 Using External Code Files
• 2.2 Installation
• 2.3 Postinstallation
  • 2.3.1 Configuring Ports on the Target System
  • 2.3.2 Setting Up the Lookup.SAP.UM.Configuration Lookup Definition in Oracle Identity Manager
    • 2.3.2.1 Linking of SAP HRMS and SAP R/3 or SAP CUA Accounts
    • 2.3.2.2 Configuring Password Changes for Newly Created Accounts
    • 2.3.2.3 Setting Values in the Lookup.SAP.UM.Configuration Lookup Definition
  • 2.3.3 Enabling Request-Based Provisioning
  • 2.3.4 Modifying Dependent Lookup Query Properties for Lookup Fields on Microsoft SQL Server
  • 2.3.5 Changing to the Required Input Locale
  • 2.3.6 Clearing Content Related to Connector Resource Bundles from the Server Cache
  • 2.3.7 Enabling Logging
  • 2.3.8 Setting Up the Lookup.SAP.UM.ExclusionList Lookup Definition
  • 2.3.9 Setting Up the Lookup.SAP.UM.LookupMappings and Lookup.SAP.CUA.LookupMappings Lookup Definitions
  • 2.3.10 Configuring SoD
    • 2.3.10.1 Configuring the SAP GRC to Act As the SoD Engine
    • 2.3.10.2 Specifying Values for SoD-Related Entries in the Lookup.SAP.UM.SoDConfiguration Lookup Definition
    • 2.3.10.3 Modifying the SoD-Related Lookup Definitions
    • 2.3.10.4 Specifying Values for the SAP GRC IT Resource
    • 2.3.10.5 Verifying Entries Created in the Lookup.SAP.UM.System Lookup Definition
    • 2.3.10.6 Specifying a Value for the TopologyName IT Resource Parameter
    • 2.3.10.7 Disabling and Enabling SoD
  • 2.3.11 Configuring SNC to Secure Communication Between Oracle Identity Manager and the Target System
    • 2.3.11.1 Prerequisites for Configuring the Connector to Use SNC
    • 2.3.11.2 Installing the Security Package
    • 2.3.11.3 Configuring SNC
  • 2.3.12 Configuring the IT Resource
    • 2.3.12.1 Parameters for Enabling the Use of a Logon Group
    • 2.3.12.2 Parameters for Enabling SNC-Based Communication
    • 2.3.12.3 Parameters for Enabling Multiple Attempts to Update Multivalued Attributes
    • 2.3.12.4 Mapping New Connection Properties
    • 2.3.12.5 Specifying Values for the IT Resource Parameters

3 Using the Connector

• 3.1 Performing Full Reconciliation
• 3.2 Scheduled Task for Lookup Field Synchronization
• 3.3 Guidelines on Performing Reconciliation
• 3.4 Configuring Reconciliation
  • 3.4.1 Full Reconciliation vs. Incremental Reconciliation
  • 3.4.2 Limited Reconciliation
  • 3.4.3 Reconciliation Scheduled Tasks
    • 3.4.3.1 SAP User Management User Recon
    • 3.4.3.2 SAP User Management Delete Recon
• 3.5 Configuring Scheduled Tasks
• 3.6 Guidelines on Performing Provisioning
• 3.7 Provisioning Operations Performed in an SoD-Enabled Environment
  • 3.7.1 Overview of the Provisioning Process in an SoD-Enabled Environment
  • 3.7.2 Guidelines on Performing Provisioning Operations
  • 3.7.3 Direct Provisioning in an SoD-Enabled Environment
  • 3.7.4 Request-Based Provisioning in an SoD-Enabled Environment
• 3.8 Switching Between SAP R/3 and SAP CUA Target Systems

4 Extending the Functionality of the Connector

• 4.1 Determining the Names of Target System Attributes
• 4.2 Adding New Attributes for Reconciliation
• 4.3 Adding New Standard Multivalued Attributes for Reconciliation
• 4.4 Adding New Standard Attributes for Provisioning
• 4.5 Adding New Standard Multivalued Attributes for Provisioning
• 4.6 Adding Custom Attributes for Provisioning
• 4.7 Configuring Validation of Data During Reconciliation and Provisioning
• 4.8 Configuring Transformation of Data During Reconciliation
• 4.9 Configuring Synchronization of New Lookup Definitions with the Target System
• 4.10 Modifying Field Lengths on the Process Form
• 4.11 Configuring the Connector for Multiple Installations of the Target System

5 Known Issues

A Standard BAPIs Used During Connector Operations

• A.1 Standard BAPIs Used on Both SAP R/3 and SAP CUA
• A.2 Standard BAPIs Used on SAP R/3
• A.3 Standard BAPIs Used on SAP CUA

Index