Skip to Content

An essential component in creating an Identity Management system is making sure that unique identifiers are created for each entry created in the Identity Store.  If this identifier is used in multiple systems, then it could be considered an “Enterprise Identifier” (Please refer to, for a further discussion of Enterprise Identifiers)

In many organizations, there is a preference to use an Enterprise Identifier (EId) that does not offer any information that identifies who owns the EId. In this case, an alphanumeric string is created to serve as the EId.  When putting this information into the NetWeaver Identity Manager it is usually stored in the MSKEYVALUE attribute. Because there are several different ways of creating an anonymous EId, SAP Net Weaver Identity Manager does not come with a mechanism for creating these values. 

I have created the following script, which will create an EId Consisting of three letters followed by three numbers.  The script will check the alpha based part of the EId against a “Blacklist” database table to make sure that any prohibited values are not used. The script also checks the complete EId against the Identity Store to make sure that there is no inadvertent duplication of EId.  This could happen when Id’s are created manually or via some other independent workflow.  In the case of a Blacklist or duplicate value, the Job log gets an update via uErrMsg, the counters are updated and the script loops until a permissible EId is created.


// Main function: idcreator

// This Job creates unique ID Values that can be used as MSKEYVALUEs in the Identity Store

// Default configuration is to create a 6 Char String consisting of a three character ALPHA

// component and a three digit NUMERIC component.

// Every time the script is executed the numeric component is incremented by 1

// WHEN NUMB = 1000, it is reset to 0 and CHAR3 is incremented by 1

// When CHAR3 = 90 (Z) it is reset to 64 and CHAR2 is incremented by 1

// When CHAR2 = 90 (Z) it is reset to 64 and CHAR1 is incremented by 1

// When CHAR1 = 90 (Z) a warning is placed in the Job Log

// When CHAR3 = 90 (Z) and NUMB = 999, the script will STOP and an error is placed in the log.

// The Alpha component can be checked against a known blacklist.  If a blacklist violation is found,

// CHAR3 is incremented by 1 and a warning is put in the log and the script will run again until the

// conflict no longer occurs.


function idcreator(Par){

// uErrMsg codes:

// 0: Info 1: Warning 2: Error

// Useful Variables:

var InfoName = “IdCREATOR: “;

var INFOMSG = -1;

var IterOK = 1;

// check to see if initial values exist, convert initial values from STRING

var n1 = parseInt(UserFunc.uGetUserVar(“NUMB”, “0”));

var c1 = parseInt(UserFunc.uGetUserVar(“CHAR1”, “65”));

var c2 = parseInt(UserFunc.uGetUserVar(“CHAR2”, “65”));

var c3 = parseInt(UserFunc.uGetUserVar(“CHAR3”, “65”));

// Loop While IterOK = 1.  IterOK is set to 0 (stop looping) this happens if BLACKLIST/MSVALUE are OK

while (IterOK == 1) {

 // provisionally turn off looping, it will be turned back on if needed

 IterOK = 0;

 // increment n1

 n1 = n1 + 1;

 // check to see if n1 is out of bounds, if so, reset n1 and increment c3 by 1

 if (n1 == 1000){

  n1 = 0;

  c3 = c3 + 1;


 // check to see if c3 is out of bounds, if so, reset c3 and increment c2 by 1, Set INFOMSG flag

 if (c3 == 91) {

  c3 = 65;

  c2 = c2 + 1;

  INFOMSG = 3;


 // check to see if c2 is out of bounds, if so, reset c2 and increment c1 by 1, Set INFOMSG flag

   if (c2 == 91) {

  c2 = 65;

  c1 = c1 + 1

  INFOMSG = 2;


 // check to see if less than 1000 potential entries are left, if so send WARNING MESSAGE

 if (c1 == 90) {

  var StatusMsg = ”;

  StatusMsg = InfoName & ‘There are less than 1000 unique IDs remaining.’;

  UserFunc.uErrMsg(1, StatusMsg);


 // check to see if c1 is out of bounds, if so, send ERROR  message, stop script

 if (c1 == 91) {

  UserFunc.uErrMsg(2, InfoName + “No more Unique ID’s available”);

  UserFunc.uStop(InfoName + “Script Stopped”);


 // Build Unique ID

 // Build Alpha part of ID

 var AlphaPart = String.fromCharCode(c1) + String.fromCharCode(c2) + String.fromCharCode(c3);

 // Determine if the numeric part needs to be padded

 var padd = ”;

 if (n1<100) {

  padd = “0”;


 if (n1<10) {

  padd = “00”;


 // Put it all together

 var NewKey = AlphaPart  + padd + (n1 + ”);


 // check to see if character increment warnings need to be sent

 if (INFOMSG > -1) {

  UserFunc.uErrMsg (1, InfoName+ “Unique ID has been incremented at Character: ” + INFOMSG + “.”);

  UserFunc.uErrMsg (1, InfoName+ “Character component now: ” + AlphaPart);


 // Check to see if the Main loop can end.

 // First — Check if AlphaPart is in the BlackList, if EvalBlackList = 1 then it’s no good

 // This means the item was found in the Blacklist

 var BlackListQuery = “SELECT COUNT(*) FROM _Blacklist WHERE (BannedWord = ” + “‘” + AlphaPart +”‘)”;

 var EvalBlackList = parseInt(UserFunc.uSelect(BlackListQuery));


 // if the current AlphaPart is in the Blacklist

 if (EvalBlackList != 0){

 // Increment c3 to keep looping to a minimum

 c3 = c3 + 1;


 // Set a warning in the JobLog

 UserFunc.uErrMsg(1,InfoName+ “BLACKLIST VIOLATION= ” + AlphaPart + “. Alpha ID component will be incremented.”);

 // Make sure we keep looping

 IterOK = 1;


 // Check if this value exists as an MSKEYVALUE

 // NOTE IDENTITY STORE VALUE MUST BE HARD CODED!  NW IDM will not allow IDS Lookup via uGetIDStore outside of action tasks.

 var IDSNumb = “1”;

 var MSKEYQuery = “SELECT COUNT(MSKEY)FROM MXIV_SENTRIES WHERE (IS_ID =” + IDSNumb + “) AND (AttrName = ‘” + “MSKEYVALUE” + “‘) AND (SearchValue LIKE ‘” + NewKey +”‘)”;

 var EvalMSKEY = parseInt(UserFunc.uSelect(MSKEYQuery));

 // if the current NewKey is in the Identity Store

 if (EvalMSKEY != 0){

  // Increment n1

 n1 = n1 + 1;

 // Set a warning in the JobLog

 UserFunc.uErrMsg(1,InfoName+ “DUPLICATE MSKEYVALUE VIOLATION= ” + NewKey + “. Numeric ID component will be incremented.”);

 // Make sure we keep looping

 IterOK = 1;





//Store new values for c1, c2, c3 and n1

 UserFunc.uSetUserVar(“CHAR1″, c1 + ”);

 UserFunc.uSetUserVar(“CHAR2″, c2 + ”);

 UserFunc.uSetUserVar(“CHAR3″, c3 + ”);

 UserFunc.uSetUserVar(“NUMB”, n1 + ”);


 return NewKey;



Certainly, there are many ways in which this script could be expanded and changed based on the needs of the project at hand.

  • Some possibilities would include:
  • Changing the balance of letters and numbers
  • Including some other attribute (Display name, First initial and surname, etc,) rather than a combination of letters and numbers
  • Sending log messages to the NWIDM Administrator via email

I’d also like to hear about other ideas.  Potentially an area can also be set up in the NW IDM Wiki to hold these ideas and the modifications to the script.

As a reminder, if the Blacklist table is used, it must be created in the same database as the other NW IDM tables and needs to have SELECT permissions granted. The schema of the table is not at all complex, simply being one column as indicated in this screenshot.



This script can be executed from any type of pass either as part of the preparation of a feed to the Identity Store, or directly in a To Identity Store pass when creating the new entry. The following screenshot shows its implementation in a To Identity store pass.


To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Matthew Pollicove Post author
    Just to make things a little easier, here’s a SQL Script (MSSQL) to create the “_Blacklist” table:

    /****** Object:  Table [dbo].[_Blacklist]    Script Date: 4/15/2009 12:28:12 PM ******/
    if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[_Blacklist]’) and OBJECTPROPERTY(id, N’IsUserTable’) = 1)
    drop table [dbo].[_Blacklist]

    /****** Object:  Table [dbo].[_Blacklist]    Script Date: 4/15/2009 12:28:13 PM ******/
    CREATE TABLE [dbo].[_Blacklist] (
         [BannedWord] [char] (10) NULL
    ) ON [PRIMARY]

  2. Ivan Schouppe

    We are trying to change the MSKEYVALUE of an entry in the identity store but this is not working.

    It seems we cannot change MSKEYVALUE in a create pass, is this correct?


    1. Joachim Van Praet

      We found a solution for this problem.
      When you create an entry in the identity store via the webdynpro gui you have to flag the checkbox “This task creates an entry” in the task attributes tab.In this tab you uncheck the checkbox MSKEYVALUE.
      When you uncheck the MSKEYVALUE-checkbox the task will generate one for you, later on we will change this.

      Create a new task in the task which creates your entry. This task will be executed after the creation of the entry. Then add a To Generic pass to this task (and not a to Identity store pass like mentioned in the blog).

      add this script to the “next data entry”-script:
      var CurrentIDStore = uGetIDStore();
      OutString = uIS_SetValue(Par.get(“MSKEY”), CurrentIDStore, “MSKEYVALUE”, Par.get(“MSKEYVALUE”));

      and define the following attributes:
      MSKEYVALUE $FUNCTION.GenerateUserID()$$

      Normally this will work!



Leave a Reply