The HCM Use Case document (see http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0ad23d3-3664-2a10-8aa7-e9c3c8616d48) provided for the SAP NW Identity Management component synchronizes employee data from the HCM system to the Identity Store using the LDAP connector as well as the Virtual Directory Server.

If one already uses a Middleware like SAP PI, transferring employee data as well as other relevant objects for rule based role assignment in the SAP NW Identity Management tool can also be done using the standard HR Master Data Distribution mechanisms based on ALE and IDOC by simply running the report RHALEINI with specific variants.

You will learn in this blog what has to be done to replicate “Organisational Unit” data from an HCM system into a custom entry type within the SAP NW Identity Store, which afterwards holds organizational data including parent/child relationships, using SAP PI instead of the LDAP Connector and VDS.

How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I) (published in Calendar Week 9 2008) explains the steps which have to be executed in SAP PI in order to transfer and transform the data from HCM to Identity Center using the standard HR Master Data Extraction.

Part II (published in Calendar Week 10 2008) explains how to create a new entry type in the Identity Store, how to write the data from the staging area into the ID Store and finally how to create the parent / child relationships for having the hierarchy information available in the identity store.

How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part III) (published in Calendar Week 12 2008) finally shows how to integrate the new entry type into the IDM workflow portal.

The following systems are required:

  • HR/HCM System (I am working with an IDES ECC 6.0 installation)
  • SAP XI 3.0 / SAP PI 7.0 installation (I am using SAP PI SPS 10)
  • SAP NW Identity Management 7.0 SP01 (I am using 7.0 SP01 Patch 1)

Knowledge / experience in the following area(s) is helpful:

  • ALE / IDOC Scenario Configuration
  • SAP XI / SAP PI experience
  • Basic SQL knowledge
  • Basic JScript knowledge
  • SAP NW Identity Management Knowledge

Recap Part I

In Part I of this blog series, you configured the integration scenario in SAP PI, which receives an IDOC from the HCM system via standard ALE connectivity and runs a transformation that converts the XML-IDOC into the special XML representation used by the SAP PI JDBC adapter to write the information into a Staging Area (a database table) in the identity management database. After triggering the transfer using the report RHALEINI in transaction SE38, the organisational unit data should now be present in that database table. The first step is now to check whether the organisational unit data has been transferred to the database as expected.

As outlined above, in Part II we are going to set up the Identity Center so that it can load Organisational Unit data, which can subsequently be used in your scenario to assign business roles based on rules.

Check existence of data in database table ISV_HCM_ORG_DATA_FROM_SAPXI

Open the “MS SQL Server Management Studio” and connect to the MS SQL Server database used for your Identity Center installation. In my case, the relevant database is called sbx_db (since I have more than one Identity Center database instance on my system, I had to change the database prefix of my test instance; I changed it to “sbx”, which stands for “Sandbox”).

Expand the database. Expand the Tables section and navigate to the entry for the table ISV_HCM_ORG_DATA_FROM_SAPXI. Right-click on the table ISV_HCM_ORG_DATA_FROM_SAPXI and select “Open table …” from the context sensitive menu to display the content of the table.

If the scenario setup in SAP PI is correct and the connection of the JDBC adapter to the MS SQL server database was successful, the database table should now contain the following details concerning the organisational data from HCM:

  • The Object ID from HCM
  • The language key for the provided Organisational Name
  • The Organisational Name
  • Parent organisations
  • Child organisations (Multi-Valued; Separator: Pipe)

Create a new entry type for HCM Organisational Data

Open the Identity Center Console. In this example, I will use an empty Identity Store starting with its creation from scratch.

Create an Identity Store named “IDM Blog ID Store” and take a note of the Identity Store ID.

Add a global constant with name “ISV_IDMBLOG_IDS_ID” holding the ID of the newly created identity store “IDM Blog ID Store” (in my case this is 5).

Navigate to the Identity Store => Identity Store Schema => Entry Types.
Right-Click on “Entry Types” and select “New => Entry Type …” from the context sensitive menu.

Specify the following attributes:

General
  • Name: ISV_HCM_ORGUNIT
  • Display Name: #MX_ISV_HCM_ORGUNIT_DISPLAYNAME
  • Description: This Entry type holds Organisational Unit data from HCM data
  • Enable Web Management: Yes

Event Tasks
  • Add: — None —
  • Modify: — None —
  • Delete: — None —

Relations
  • Allow subordinates: Yes
  • Allow multiple superiors of this entry type: Yes
  • Allow subordinate entry types: ISV_HCM_ORGUNIT, MX_PERSON

Attributes
  • Allowed Attributes for this Entry Type: DESCRIPTION, DISPLAYNAME, MSKEYVALUE (Mandatory)

After saving and re-opening the new entry type, the “Attributes” tab looks as follows:

Create Job and Passes to Move Organisational Unit Data to Identity Store

Create a new Folder named “IDM Blog Folder” in your Identity Center Database.

Within this folder, create an Empty Job.
Right-Click on “IDM Blog Folder” and select “New => Empty Job …” from the context sensitive menu.
Give the job the name “HCM Organisational Data to Identity Store”

Create the first pass of this Job. This pass will read the organisational unit data records from the database table ISV_HCM_ORG_DATA_FROM_SAPXI and write the data to the Identity store specified in the pass properties.
Right-Click on “HCM Organisational Data to Identity Store” and select “New => To Identity Store” from the context sensitive menu. Give the pass a descriptive name such as “Move HR Org Data to Identity Store”.

Specify the following attributes:

Repository
  • Source Repository: None

Source
  • Use Identity Store: No
  • Database: %$ddm.identitycenter%
  • Encrypt Connection String: No
  • SQL Statement: SELECT * from ISV_HCM_ORG_DATA_FROM_SAPXI where ORGSPRACHE='DE'

Destination
  • Identity Store: IDM Blog ID Store
  • Entry Type: ISV_HCM_ORGUNIT
  • Multi-Value Delimiter: |
  • User Info: JobId=%$ddm.mcjob%
  • Destination Attributes:
      MSKEYVALUE = ORG:HCM:%ORGOBJECTID%
      DISPLAYNAME = %ORGNAME%
      MX_LANGUAGE = %ORGSPRACHE%

Delta
  • Enable Delta: Yes
  • Delta Database: %$ddm.identitycenter%
  • Encrypt Connection String: No
  • Delta Identifier: isv_sapxiHCMOrgs
  • Delta Key: ORG:HCM:%ORGOBJECTID%
  • Generate Delta Only: No
  • Skip Unchanged Entries: Yes
  • Mark for Deletion: Yes
  • Max Limit for Mark for Deletion: 5%
  • Max Real Updates: (empty)
  • Delete Entries marked for deletion in current job: Yes
  • Delete Entries marked for deletion in earlier jobs: Yes
  • Audit Trail Level: None
  • Maximum Number of entries in Audit Trail Table: (empty)

Documentation
  • Documentation: (empty)

For the job, create a new script.
Right-Click on “HCM Organisational Data to Identity Store => Scripts” and select “New => Script …” from the context sensitive menu. Enter the following JavaScript code:

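// Main function: isv_getParentRoleMSKEY
// Returns the MSKEY of the entry whose MSKEYVALUE is "<prefix>:<object id>"
// in the given identity store.
// Par has the form "<prefix>!!<object id>!!<identity store id>".

function isv_getParentRoleMSKEY(Par){
   //Example calling DSE internal function
   //UserFunc.uStop("Terminated by user");

   // temp[0] = key prefix, temp[1] = parent object ID, temp[2] = identity store ID
   var temp = Par.split("!!");
   var SQL = "";

   // The three parts are concatenated into the statement unchanged
   SQL = "SELECT MSKEY from MXIV_SENTRIES WHERE AttrName='MSKEYVALUE' AND IS_ID=" + temp[2] + " AND aValue='" + temp[0] + ":" + temp[1] + "'";

   // Run the lookup against the Identity Center database
   var mskey = UserFunc.uSelect(SQL);

   return mskey;
}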

Script Name: “isv_getParentRoleMSKEY”
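
The script concatenates the parts of Par into the SQL text unchanged, so a parent value from the staging table that is empty or contains a quote character yields a wrong or broken statement. The following input-checked variant is an added example, not the blog author's script: the function name isv_getParentRoleMSKEY_checked, the UserFunc stub, the sample arguments and the assumption that HCM object IDs are numeric with at most 8 digits are not taken from the post.

```javascript
// Added example (not the blog author's script): input-checked variant.
// Assumptions: the key prefix is always "ORG:HCM" and object IDs are numeric.

// Stand-in for the Identity Center runtime object so the block runs on its own.
// Leave this stub out when pasting the function into a job script.
var issuedSql = [];
var UserFunc = {
  uSelect: function (sql) {
    issuedSql.push(sql);   // record what would be sent to the database
    return "39121";        // constructed MSKEY
  }
};

function isv_getParentRoleMSKEY_checked(Par) {
  var temp = String(Par).split("!!");
  if (temp.length !== 3) return "";              // wrong number of parts

  var prefix = temp[0], parentId = temp[1], storeId = temp[2];
  if (prefix !== "ORG:HCM") return "";           // fixed key prefix only
  if (!/^[0-9]{1,8}$/.test(parentId)) return ""; // digits only; an empty parent (root unit) ends here
  if (!/^[0-9]{1,9}$/.test(storeId)) return "";  // IS_ID must be a plain integer

  // Only validated parts reach the statement text.
  var SQL = "SELECT MSKEY from MXIV_SENTRIES WHERE AttrName='MSKEYVALUE'" +
            " AND IS_ID=" + storeId +
            " AND aValue='" + prefix + ":" + parentId + "'";
  return UserFunc.uSelect(SQL);
}

// Constructed sample arguments in the "<prefix>!!<object id>!!<store id>" form.
function runSamples() {
  var samples = [
    "ORG:HCM!!50000100!!5",   // regular parent
    "ORG:HCM!!!!5",           // root unit: parent value is empty
    "ORG:HCM!!5000'0100!!5",  // stray quote in the staging row
    "ORG:HCM!!50000100"       // identity store ID missing
  ];
  var out = [];
  for (var i = 0; i < samples.length; i++) {
    out.push(isv_getParentRoleMSKEY_checked(samples[i]));
  }
  return out;
}
```

Only the first sample reaches the database; the other three return an empty string without a statement being built.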

Create the second pass of this Job. This pass will read the organisational unit data records (and their relations) from the database table ISV_HCM_ORG_DATA_FROM_SAPXI and add relationship data to the Identity store specified in the pass properties.
Right-Click on “HCM Organisational Data to Identity Store” and select “New => To Identity Store …” from the context sensitive menu. Give the pass a descriptive name such as “Create HR Org Relations”.

Specify the following attributes:

Repository
  • Source Repository: None

Source
  • Use Identity Store: No
  • Database: %$ddm.identitycenter%
  • Encrypt Connection String: No
  • SQL Statement: SELECT * from ISV_HCM_ORG_DATA_FROM_SAPXI where ORGSPRACHE='DE'

Destination
  • Identity Store: IDM Blog ID Store
  • Entry Type: ISV_HCM_ORGUNIT
  • Multi-Value Delimiter: |
  • User Info: JobId=%$ddm.mcjob%
  • Destination Attributes:
      MSKEYVALUE = ORG:HCM:%ORGOBJECTID%
      MXREF_MX_ISV_HCMORGUNIT = $FUNCTION.isv_getParentRoleMSKEY(ORG:HCM!!%PARENT%!!%$glb.ISV_IDMBLOG_IDS_ID%)$$

Delta
  • Enable Delta: Yes
  • Delta Database: %$ddm.identitycenter%
  • Encrypt Connection String: No
  • Delta Identifier: isv_sapxiHCMOrgsRel
  • Delta Key: ORG:HCM:%ORGOBJECTID%
  • Generate Delta Only: No
  • Skip Unchanged Entries: Yes
  • Mark for Deletion: Yes
  • Max Limit for Mark for Deletion: 5%
  • Max Real Updates: (empty)
  • Delete Entries marked for deletion in current job: Yes
  • Delete Entries marked for deletion in earlier jobs: Yes
  • Audit Trail Level: None
  • Maximum Number of entries in Audit Trail Table: (empty)

Documentation
  • Documentation: (empty)

Test the implementation

Enable the job, assign a dispatcher and run the job.

In the job log, you should see that both passes have been executed successfully. In my case, I transferred 1016 HCM organizational units. In the first pass, they were added to the Identity Store; in the second pass, the relationships were created. Therefore we see 1016 adds and 1016 modifications for the job in the log.

Check the content of the identity store. To do so, execute the following SQL statements on the MS SQL Server database (please adjust the Identity Store ID – in my case it was 5 – according to your setup):

SELECT
   MSKEY,AttrName,Changenumber,Changename,
   ModifiedBy,Modifytime,aValue,SearchValue,
   AttrType_ID,Owner_ID,ValOwner,Attr_ID,
   ExpiryTime, UserID,display_name,datatypeid,
   MultiValue,IS_ID,ocName,ReferenceObjectClass,
   bCheckSum,ocId,ProvStatus,AuditID,ParentAuditId
FROM
   MXIV_SENTRIES
WHERE
   (IS_ID = 5)

The second SQL statement now selects all information from the ID Store, which is available for one of the Org Items from HCM. (Please adjust the MSKEY value accordingly. You can use one of the MSKEY values retrieved by the first query).

SELECT
   MSKEY,AttrName,Changenumber,Changename,
   ModifiedBy,Modifytime,aValue,SearchValue,
   AttrType_ID,Owner_ID,ValOwner,Attr_ID,
   ExpiryTime, UserID,display_name,datatypeid,
   MultiValue,IS_ID,ocName,ReferenceObjectClass,
   bCheckSum,ocId,ProvStatus,AuditID,ParentAuditId
FROM
   MXIV_SENTRIES
WHERE
   (MSKEY = 39121)

The organizational information which has been replicated to the Identity Store by running the created job can now be used to define and create rules for automatic business role based assignment. In the next chapter of this blog series, you will learn how the organizational data can be integrated into the workflow module and how it can be used to enable automatic role assignment.

To be continued in How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part III).
