Execute Task on initialize | -- None --| Skip task if audit flag is set | empty | 0.1. Do not change anything on the "Result handling" tab for now. 0.2. Set the properties on the "Attributes" tab. | | Entry Type | ISV_HCM_ORGUNIT | | This task creates a new entry | No | | %6% Attribute | | | *MSKEYVALUE* *DESCRIPTION* *DISPLAYNAME* *MXREF_ISV_HCM_ORGUNIT* *MXMEMBER_ISV_HCM_ORGUNIT* *MXMEMBER_MX_PERSON* Custom Header for IDM Blog How to synchronize organizational unit data from HCM to Identity Center using SAP PI (How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I)) You can view the organizational unit data synchronized from your SAP HCM system here| Trailer | | | | Custom Trailer for IDM Blog How to synchronize organizational unit data from HCM to Identity Center using SAP PI (How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I)) You can view the organizational unit data synchronized from your SAP HCM system here h3. Check workflow task to View Organizational Unit Data Apply the settings. If you now logon to the Workflow Component of your Identity Store with user "administrator" you should see the newly created task in the task area. Click on the task "View organizational Unit Data" Search for specific entries or just leave the Search Field empty to get the 100 oldest entries. Click on one of the entries. You will now see the Organizaional Unit Data including child and parent organizational units. h3. Result of the configuration You saw in {code:html}How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I){code} and {code:html}How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part II){code}, how easy it is to add new data objects (in our case HCM organizational data) to the identity store even in an hierarchical structure. Having this information in the store and also available in the workflow component, you can use it in the following way: 0.1. When you create entries for entry type MX_PERSON or simply import employee information from HCM (works similar compared with the replication of organizational unit data showed in Part I of the blog - except using object type "P" instead of "O") a reference to the imported org unit can easily be created. 0.2. Having the Organziation Unit information (or any other information from the HCM Org Management) for the specific employee, you can create Dynamic Groups within the Identity Store, which automatically assign the employee to a specific business role (see example below). 0.3. Depending on the information you extract from HCM Org Management, you can manage 80% to 90% of the permissions a user gets by automatically assigning business roles to users using dynamic groups by considering the organizational attributes like "Org Unit" or "Job" or "Position" As an example, the filter definition of a dynamic group, which automatically assigns a specified business role (in the business role you define the linkage to the dynamic group) to a user belonging to the organizational unit "Personal (D)" (MSKEYVALUE: "") would be: | SELECT DISTINCT mskey FROM mxiv_sentries WHERE is_id=5 AND mskey IN ( SELECT mskey FROM mxiv_sentries WHERE is_id=5 AND attrname='MX_ENTRYTYPE' AND searchvalue = 'MX_PERSON' ) AND mskey = ( SELECT aValue FROM mxiv_sentries WHERE is_id=5 AND AttrName='MXMEMBER_MX_PERSON' AND mskey IN ( SELECT DISTINCT mskey FROM mxiv_sentries WHERE is_id=5 AND attrname='MX_ENTRYTYPE' AND searchvalue = 'ISV_HCM_ORGUNIT' ) AND mskey IN ( SELECT DISTINCT mskey FROM mxiv_sentries WHERE is_id=5 AND attrname='MSKEYVALUE' AND searchvalue = 'ORG:HCM:00001001' ) ) | *Note:* This SQL Statement is just an example. There might be other and better ways (in respect to performance) to build the query (e.g. by using an inner join statement) See below the dynamic group configuration for the given example |