The HCM Use Case document (see http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0ad23d3-3664-2a10-8aa7-e9c3c8616d48) provided for the SAP NW Identity Management component synchronizes employee data from the HCM system to the Identity Store using the LDAP connector as well as the Virtual Directory Server.
If one already uses a Middleware like SAP PI, transferring employee data as well as other relevant objects for rule based role assignment in the SAP NW Identity Management tool can also be done using the standard HR Master Data Distribution mechanisms based on ALE and IDOC by simply running the report RHALEINI with specific variants.
In this blog you will learn what has to be done to replicate “Organisational Unit” data from an HCM system into a custom entry type in the SAP NW Identity Store, which afterwards holds organizational data including parent/child relationships, using SAP PI instead of the LDAP Connector and VDS.
How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I) (published in Calendar Week 9 2008) explains the steps which have to be executed in SAP PI in order to transfer and transform the data from HCM to Identity Center using the standard HR Master Data Extraction.
Part II (published in Calendar Week 10 2008) explains how to create a new entry type in the Identity Store, how to write the data from the staging area into the ID Store and finally how to create the parent / child relationships for having the hierarchy information available in the identity store.
How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part III) (published in Calendar Week 12 2008) finally shows how to integrate the new entry type into the IDM workflow portal.
The following systems are required:
- HR/HCM System (I am working with an IDES ECC 6.0 installation)
- SAP XI 3.0 / SAP PI 7.0 installation (I am using SAP PI SPS 10)
- SAP NW Identity Management 7.0 SP01 (I am using 7.0 SP01 Patch 1)
Knowledge / experience in the following area(s) is helpful:
- ALE / IDOC Scenario Configuration
- SAP XI / SAP PI experience
- Basic SQL knowledge
- Basic JScript knowledge
- SAP NW Identity Management Knowledge
Recap Part I
In Part I of this blog series, you configured the integration scenario in SAP PI, which receives an IDOC from the HCM system via standard ALE connectivity and runs a transformation that converts the XML-IDOC into the special XML representation used by the SAP PI JDBC adapter to write the information into a Staging Area (a database table) in the identity management database. After triggering the transfer using the report RHALEINI in transaction SE38, the organisational unit data should now be present in that database table. The first step is to check whether the organisational unit data has been transferred to the database as expected.
As outlined above, in Part II we are going to setup the identity center in order to be able to load Organisational Unit data, which subsequently can be used in your scenario to assign business roles based on rules.
Check existence of data in database table ISV_HCM_ORG_DATA_FROM_SAPXI
Open the “MS SQL Server Management Studio” and connect to the MS SQL Server database used for your Identity Center installation. In my case, the relevant database is called sbx_db (since I have more than one Identity Center database instance on my system, I had to change the database prefix of my test instance; I changed it to “sbx”, which stands for “Sandbox”).
Expand the database. Expand the Tables section and navigate to the entry for the table ISV_HCM_ORG_DATA_FROM_SAPXI. Right-click on the table ISV_HCM_ORG_DATA_FROM_SAPXI and select “Open table …” from the context-sensitive menu to display the content of the table.
If the scenario setup in SAP PI is correct and the connection of the JDBC adapter to the MS SQL server database was successful, the database table should now contain the following details concerning the organisational data from HCM:
- The Object ID from HCM
- The language key for the provided Organisational Name
- The Organisational Name
- Parent organisations
- Child organisations (Multi-Valued; Separator: Pipe)
Create a new entry type for HCM Organisational Data
Open the Identity Center Console. In this example, I will use an empty Identity Store starting with its creation from scratch.
Create an Identity Store named “IDM Blog ID Store” and take a note of the Identity Store ID.
Add a global constant with name “ISV_IDMBLOG_IDS_ID” holding the ID of the newly created identity store “IDM Blog ID Store” (in my case this is 5).
Navigate to the Identity Store => Identity Store Schema => Entry Types.
Right-Click on “Entry Types” and select “New => Entry Type …” from the context sensitive menu.
Specify the following attributes:
After saving and re-opening the new entry type, the “Attributes” tab looks as follows:
Create Job and Passes to Move Organisational Unit Data to Identity Store
Create a new Folder named “IDM Blog Folder” in your Identity Center Database.
Within this folder, create an Empty Job.
Right-Click on “IDM Blog Folder” and select “New => Empty Job …” from the context sensitive menu.
Give the job the name “HCM Organisational Data to Identity Store”
Create the first pass of this Job. This pass will read the organisational unit data records from the database table ISV_HCM_ORG_DATA_FROM_SAPXI and write the data to the Identity store specified in the pass properties.
Right-Click on “HCM Organisational Data to Identity Store” and select “New => To Identity Store” from the context sensitive menu. Give the pass a descriptive name like “Move HR Org Data to Identity Store”.
Specify the following attributes:
For the job, create a new script.
Right-Click on “HCM Organisational Data to Identity Store => Scripts” and select “New => Script …” from the context sensitive menu. Enter the following JavaScript code:
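// Main function: isv_getParentRoleMSKEY
// The array indices were lost from the published listing; the order below is assumed.
function isv_getParentRoleMSKEY(Par){
	var temp = Par.split("!!");
	var SQL = "SELECT MSKEY from MXIV_SENTRIES WHERE AttrName='MSKEYVALUE' AND IS_ID=" + temp[0] + " AND aValue='" + temp[1] + ":" + temp[2] + "'";
	var mskey = UserFunc.uSelect(SQL);
	return mskey;
}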
Script Name: “isv_getParentRoleMSKEY”
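The script above builds its SQL text by concatenating the parts of Par, which originate from the staging table, so each part should be checked before it reaches UserFunc.uSelect. The following is an added example (not part of the original blog and not SAP code) that validates every part against an allow-list before building the same query; the field order (Identity Store ID, MSKEYVALUE prefix, HCM object ID), the patterns and the function names are assumptions.

```javascript
// Added example, not the blog's own script. Written in ES3-style syntax so the
// logic can be pasted into a script engine as well as run under Node.js.
// Assumption: Par = "<Identity Store ID>!!<MSKEYVALUE prefix>!!<HCM object ID>".
var PAR_SEPARATOR = "!!";

// Allow-list per field (assumed formats; adjust to your MSKEYVALUE scheme).
var FIELD_RULES = [
  { name: "identity store ID", pattern: /^[0-9]{1,9}$/ },
  { name: "MSKEYVALUE prefix", pattern: /^[A-Za-z0-9_]{1,32}$/ },
  { name: "HCM object ID",     pattern: /^[0-9]{1,8}$/ }
];

// Split Par and reject it unless every field matches its rule.
function parseLookupPar(par) {
  if (typeof par !== "string") { throw new Error("Par must be a string"); }
  var parts = par.split(PAR_SEPARATOR);
  if (parts.length !== FIELD_RULES.length) {
    throw new Error("expected " + FIELD_RULES.length + " fields, got " + parts.length);
  }
  for (var i = 0; i < parts.length; i++) {
    if (!FIELD_RULES[i].pattern.test(parts[i])) {
      throw new Error("invalid " + FIELD_RULES[i].name);
    }
  }
  return { isId: Number(parts[0]), prefix: parts[1], objectId: parts[2] };
}

// Build the query text only from validated fields.
function buildParentLookupSql(par) {
  var f = parseLookupPar(par);
  return "SELECT MSKEY FROM MXIV_SENTRIES WHERE AttrName='MSKEYVALUE'" +
    " AND IS_ID=" + f.isId +
    " AND aValue='" + f.prefix + ":" + f.objectId + "'";
}

// Constructed sample values: one well-formed, one with a stray quote, one short.
function demo() {
  var samples = ["5!!ORG!!50000123", "5!!ORG!!5000'0123", "5!!ORG"];
  var out = [];
  for (var i = 0; i < samples.length; i++) {
    try { out.push(buildParentLookupSql(samples[i])); }
    catch (e) { out.push("REJECTED: " + e.message); }
  }
  return out;
}

console.log(demo().join("\n"));
```

Inside the Identity Center script, the string returned by buildParentLookupSql would be the one handed to UserFunc.uSelect.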
Create the second pass of this Job. This pass will read the organisational unit data records (and their relations) from the database table ISV_HCM_ORG_DATA_FROM_SAPXI and add relationship data to the Identity store specified in the pass properties.
Right-Click on “HCM Organisational Data to Identity Store” and select “New => To Identity Store …” from the context sensitive menu. Give the pass a descriptive name like “Create HR Org Relations”.
Specify the following attributes:
Test the implementation
Enable the job, assign a dispatcher and run the job.
In the job log, you should see that both passes have been executed successfully. In my case, I transferred 1016 HCM organizational units. In the first pass, they were added to the Identity Store; in the second pass, the relationships were created. Therefore we see 1016 adds and 1016 modifications for the job in the log.
Check the content of the identity store. To do so, execute the following SQL statements on the MS SQL Server database (please adjust the Identity Store ID – in my case it was 5 – according to your setup):
(IS_ID = 5)
The second SQL statement now selects all information from the ID Store, which is available for one of the Org Items from HCM. (Please adjust the MSKEY value accordingly. You can use one of the MSKEY values retrieved by the first query).
(MSKEY = 39121)
The organizational information which has been replicated to the Identity Store by running the created job can now be used to define and create rules for automatic business role based assignment. In the next chapter of this blog series, you will learn how the organizational data can be integrated into the workflow module and how it can be used to enable automatic role assignment.