The HCM Use Case document (see {code:html}http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0ad23d3-3664-2a10-8aa7-e9c3c8616...{code}) provided for the SAP NW Identity Management component synchronizes employee data from the HCM system to the Identity Store using the LDAP connector as well as the Virtual Directory Server. If one already uses a Middleware like SAP PI, transferring employee data as well as other relevant objects for rule based role assignment in the SAP NW Identity Management tool can also be done using the standard HR Master Data Distribution mechanisms based on ALE and IDOC by simply running the report RHALEINI with specific variants. You will learn in this blog what has to be done in order to replicate "Organizational Unit" data from an HCM system to the SAP NW Identity Store into a custom entry type within the identity store which afterwards holds organizational data including parent/child relationships using SAP PI instead of LDAP Connector and VDS. {code:html}How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I){code} (published in Calendar Week 9 2008) explains the steps which have to be executed in SAP PI in order to transfer and transform the data from HCM to Identity Center using the standard HR Master Data Extraction. {code:html}How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part II){code} (published in Calendar Week 10 2008) explains how to create a new entry type in the Identity Store, how to write the data from the staging area into the ID Store and finally how to create the parent / child relationships for having the hierarchy information available in the identity store. *Part III* (published in Calendar Week 12 2008) finally shows how to integrate the new entry type into the IDM workflow portal. The following *systems* are required: ** SAP XI 3.0 / SAP PI 7.0 installation (I am using SAP PI SPS 10) ** SAP NW Identity Management 7.0 SP01 (I am using 7.0 SP01 Patch 1) *Knowledge / experience* in the following area(s) is helpful: 0.1. ALE / IDOC Scenario Configuration 0.2. SAP XI / SAP PI experience 0.3. Basic SQL knowledge 0.4. Basic JScript knowledge 0.5. SAP NW Identity Management Knowledge h3. Recap Part II In {code:html}How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I){code} of this blog series, you have configured the integration scenario in SAP PI, which gets an IDOC from the HCM system via standard ALE connectivity, runs a transformation which converts the XML-IDOC into a special XML representation used by the SAP PI JDBC adapter to write the information into a Staging Area (a database table) in the identity management database. In {code:html}How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part II){code} you have customized the relevant identity store in the identity center for loading the organizational unit data from SAP HCM in a hierarchical structure As outlined above, in *Part III* we are now going to setup the workflow module of the identity center in order to be able to view the Organizational Unit data in the workflow module. Afterwards we will create Business Roles and Dynamic Groups, which subsequently will allow to have a rule based assignment of users to business roles based on their Organizational assignment h3. Additional Prerequisites In addition to the basic Identity Center Setup, you have to setup the Identity Center's workflow module. The workflow module runs on an apache web server (currently not officially supported but successfully deployed for the IDM functionality in several installations) or Microsoft's Internet Information Server. Details for installation and setup of the workflow module can be found in the appropriate {code:html}installation guide (Installing Workflow){code}Custom Header for IDM Blog How to synchronize organizational unit data from HCM to Identity Center using SAP PI (How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I)) | | | | Custom Trailer for IDM Blog How to synchronize organizational unit data from HCM to Identity Center using SAP PI (How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I)) -- None --
| Execute Task on initialize | -- None --| Skip task if audit flag is set | empty |  0.1. Do not change anything on the "Result handling" tab for now.  0.2. Set the properties on the "Attributes" tab. | | Entry Type | ISV_HCM_ORGUNIT | | This task creates a new entry | No | | %6% Attribute | | | *MSKEYVALUE* *DESCRIPTION* *DISPLAYNAME* *MXREF_ISV_HCM_ORGUNIT* *MXMEMBER_ISV_HCM_ORGUNIT* *MXMEMBER_MX_PERSON* Custom Header for IDM Blog How to synchronize organizational unit data from HCM to Identity Center using SAP PI (How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I)) You can view the organizational unit data synchronized from your SAP HCM system here| Trailer | | | | Custom Trailer for IDM Blog How to synchronize organizational unit data from HCM to Identity Center using SAP PI (How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I)) You can view the organizational unit data synchronized from your SAP HCM system here   h3. Check workflow task to View Organizational Unit Data Apply the settings. If you now logon to the Workflow Component of your Identity Store with user "administrator" you should see the newly created task in the task area.  Click on the task "View organizational Unit Data"  Search for specific entries or just leave the Search Field empty to get the 100 oldest entries.   Click on one of the entries. You will now see the Organizaional Unit Data including child and parent organizational units.  h3. Result of the configuration You saw in {code:html}How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part I){code} and {code:html}How To synchronize data from SAP HCM to SAP NetWeaver Identity Center using SAP PI (Part II){code}, how easy it is to add new data objects (in our case HCM organizational data) to the identity store even in an hierarchical structure. Having this information in the store and also available in the workflow component, you can use it in the following way: 0.1. When you create entries for entry type MX_PERSON or simply import employee information from HCM (works similar compared with the replication of organizational unit data showed in Part I of the blog - except using object type "P" instead of "O") a reference to the imported org unit can easily be created. 0.2. Having the Organziation Unit information (or any other information from the HCM Org Management) for the specific employee, you can create Dynamic Groups within the Identity Store, which automatically assign the employee to a specific business role (see example below). 0.3. Depending on the information you extract from HCM Org Management, you can manage 80% to 90% of the permissions a user gets by automatically assigning business roles to users using dynamic groups by considering the organizational attributes like "Org Unit" or "Job" or "Position" As an example, the filter definition of a dynamic group, which automatically assigns a specified business role (in the business role you define the linkage to the dynamic group) to a user belonging to the organizational unit "Personal (D)" (MSKEYVALUE: "") would be: | SELECT DISTINCT mskey FROM mxiv_sentries WHERE is_id=5 AND mskey IN ( SELECT mskey FROM mxiv_sentries WHERE is_id=5 AND attrname='MX_ENTRYTYPE' AND searchvalue = 'MX_PERSON' ) AND mskey = ( SELECT aValue FROM mxiv_sentries WHERE is_id=5 AND AttrName='MXMEMBER_MX_PERSON' AND mskey IN ( SELECT DISTINCT mskey FROM mxiv_sentries WHERE is_id=5 AND attrname='MX_ENTRYTYPE' AND searchvalue = 'ISV_HCM_ORGUNIT' ) AND mskey IN ( SELECT DISTINCT mskey FROM mxiv_sentries WHERE is_id=5 AND attrname='MSKEYVALUE' AND searchvalue = 'ORG:HCM:00001001' ) ) | *Note:* This SQL Statement is just an example. There might be other and better ways (in respect to performance) to build the query (e.g. by using an inner join statement) See below the dynamic group configuration for the given example    |
1 Comment
