Provisioning users in SAP Personas 1.0/2.0 from SAP Netweaver Identity Management
The standard Personas Administration transaction lets us create SAP Personas users, assign SAP Personas roles to them and assign users to groups. We can then assign flavors and roles to whole groups of users en masse. However, all of this happens outside the standard SU01 transaction, and some companies use external software to provision users. SAP's own product for this is SAP NetWeaver Identity Management (IdM). You may want to provision additional attributes or trigger a specific action when an identity is created or modified. In our example we will extend SAP NetWeaver Identity Management to create a group in SAP Personas containing all the users assigned to a specific PFCG role, and to create a user in SAP Personas and assign that user a SAP Personas role (e.g. RENDER_ONLY).
For ABAP-based systems you can implement the Business Add-In (BADi) interface IF_BADI_EXTEND_IDENTITY. This interface is available with the enhanced SAP Business Suite use case of the provisioning framework for SAP systems.
In a little bit more detail here is what will be accomplished with this code:
- Pass a system, client and PFCG role to the function module and the code will create a group in Personas named after the PFCG role and assign to it every user who holds that PFCG role. If the group already exists it is updated with any users newly assigned to that role. In short, it is the same as pressing the create/maintain button in Mass Group Maintenance of the Personas admin transaction.
- Pass a user ID and Personas role to the function module and it will create the user in Personas with that role (e.g. user ID KOZIOLR and Personas role FULL_EDIT_ACCESS). In short, it is the same as adding a user via User Maintenance in the Personas admin transaction.
The following are the necessary steps / components to achieve this:
Implementation of BADi BADI_EXTEND_IDENTITY
As with any standard BADi we first need to create an implementation of it. I won't go into the details of how to create the BADi, but here is a sample of what my BADi looked like. Don't sweat the fact that the system states my BADi will not be called; some of these screenshots I had to rebuild.
This particular BADi is enabled for multiple use, so we add a filter to ensure our method is only called from IdM (Identity Management).
Now we need to maintain the filter in the DB table IDM_BADI_FILTER via transaction SM30.
OK, so up to this point we have done the necessary steps to implement our BADi. Now we need to find the place to put our code.
The implementing class for our BADi is ZCL_BADI_EXTEND_IDENTITY. Within this class there is a method named POST_MODIFY_IDENTITY. Looking at the signature of that method you can see there are plenty of parameters that can be configured in IdM and passed in. In our example we use IT_ADDITIONAL_ATTRIBUTES, an internal table of name/value pairs. I asked the IdM consultant to pass me five name/value pairs: the Personas role, the user ID, the Personas system set ID, the PFCG role and the client, which are the five values the code below reads out.
Now armed with our input parameters from IdM we are ready to call the function module and update SAP Personas. I call my function module from within the POST_MODIFY_IDENTITY method.
DATA: ls_add_attr  TYPE sim_st_additional_attribute,
      lv_role      TYPE /persos/rolename,
      lv_usr       TYPE bname,
      lv_system    TYPE /persos/syssetid,
      lv_pfcg_role TYPE agr_name,
      lv_client    TYPE mandt,
      lt_return    TYPE STANDARD TABLE OF bapiret2.

" Each row of IT_ADDITIONAL_ATTRIBUTES is one name/value pair from IdM.
" Route each pair to its target variable by its name. The attribute
" names below are assumed; they must match what is configured on the
" IdM side (and the name component of SIM_ST_ADDITIONAL_ATTRIBUTE).
LOOP AT it_additional_attributes INTO ls_add_attr.
  CASE ls_add_attr-attr_name.
    WHEN 'PERSONAS_ROLE'.
      lv_role      = ls_add_attr-attr_value.
    WHEN 'USERID'.
      lv_usr       = ls_add_attr-attr_value.
    WHEN 'SYSTEM'.
      lv_system    = ls_add_attr-attr_value.
    WHEN 'PFCG_ROLE'.
      lv_pfcg_role = ls_add_attr-attr_value.
    WHEN 'CLIENT'.
      lv_client    = ls_add_attr-attr_value.
  ENDCASE.
ENDLOOP.

" Call the custom FM once, after all five values have been collected.
CALL FUNCTION 'ZCLFM_IDM_PERSONAS'
  EXPORTING
    iv_role      = lv_role
    iv_usr       = lv_usr
    iv_system    = lv_system
    iv_pfcg_role = lv_pfcg_role
    iv_client    = lv_client
  TABLES
    return       = lt_return.
See the attachment for the ZCLFM_IDM_PERSONAS code. Too much to post right here.
A couple of items about the code in the FM ZCLFM_IDM_PERSONAS. First, you may notice that it looks an awful lot like the standard code. That is because I leveraged the SAP standard code, so let's not slam the blogger for some of the coding techniques 🙂 Also, you'll note that this code does some direct table updates. I would attribute this to Personas being a relatively new product. Yes, I could have created my own function modules and done the 'right thing' for the DB updates, but as with most projects I was under a time crunch. Plus it's standard code, so it is OK. Right? 😉 Maybe when I post blog 2.0 I will clean up the code. This code is tested; you can download it and it should compile and run (provided you have SAP Personas installed on your system).
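Because the FM writes to the Personas tables directly, nothing between IdM and the database checks that the attribute values are sane, so the one check that remains is on the FM's inputs. The following ABAP is an added example and is not the author's ZCLFM_IDM_PERSONAS code nor SAP standard code. It shows the read-and-validate half of both branches described earlier: for the group branch it confirms the IdM-supplied PFCG role exists in AGR_DEFINE and collects the users whose assignment in AGR_USERS is valid today, and for the user branch it confirms the user ID exists in USR02. The FORM names, the attribute of returning results via BAPIRET2 and the message texts are my own choices; AGR_DEFINE, AGR_USERS and USR02 are the standard tables.

```abap
" Added example, not the blog author's FM. Reads standard role tables
" only; writing the Personas group or user stays in ZCLFM_IDM_PERSONAS.
TYPES: ty_t_bname TYPE STANDARD TABLE OF bname WITH DEFAULT KEY.

" Group branch: validate the PFCG role and collect its current holders.
FORM collect_role_users
  USING    iv_client    TYPE mandt
           iv_pfcg_role TYPE agr_name
  CHANGING et_users     TYPE ty_t_bname
           et_return    TYPE bapiret2_t.

  DATA: lv_agr_name TYPE agr_name,
        ls_return   TYPE bapiret2.

  CLEAR: et_users, et_return.

  " 1. Refuse anything that is not an existing role in the target
  "    client. IdM hands the name over as a free attribute value.
  SELECT SINGLE agr_name FROM agr_define CLIENT SPECIFIED
    INTO lv_agr_name
    WHERE mandt    = iv_client
      AND agr_name = iv_pfcg_role.
  IF sy-subrc <> 0.
    ls_return-type    = 'E'.
    ls_return-message = |PFCG role { iv_pfcg_role } does not exist in client { iv_client }|.
    APPEND ls_return TO et_return.
    RETURN.
  ENDIF.

  " 2. Only assignments valid today. Expired or not-yet-valid rows in
  "    AGR_USERS must not become Personas group members.
  SELECT uname FROM agr_users CLIENT SPECIFIED
    INTO TABLE et_users
    WHERE mandt     = iv_client
      AND agr_name  = iv_pfcg_role
      AND from_dat <= sy-datum
      AND to_dat   >= sy-datum.

  SORT et_users.
  DELETE ADJACENT DUPLICATES FROM et_users.

  IF et_users IS INITIAL.
    ls_return-type    = 'W'.
    ls_return-message = |No users currently assigned to { iv_pfcg_role }|.
    APPEND ls_return TO et_return.
  ENDIF.
ENDFORM.

" User branch: make sure the user ID really exists before a Personas
" user record is written for it.
FORM check_user_exists
  USING    iv_client TYPE mandt
           iv_usr    TYPE bname
  CHANGING ev_exists TYPE abap_bool
           et_return TYPE bapiret2_t.

  DATA: lv_bname  TYPE bname,
        ls_return TYPE bapiret2.

  CLEAR: ev_exists, et_return.

  SELECT SINGLE bname FROM usr02 CLIENT SPECIFIED
    INTO lv_bname
    WHERE mandt = iv_client
      AND bname = iv_usr.
  IF sy-subrc = 0.
    ev_exists = abap_true.
  ELSE.
    ls_return-type    = 'E'.
    ls_return-message = |User { iv_usr } does not exist in client { iv_client }|.
    APPEND ls_return TO et_return.
  ENDIF.
ENDFORM.
```

Both forms take the client explicitly and select with CLIENT SPECIFIED because the client arrives from IdM as one of the five attributes and need not be the client the BADi runs in. A caller in the FM would stop on any 'E' entry in et_return before touching the Personas tables, and surface the BAPIRET2 rows back through the RETURN table so IdM sees why a provisioning task failed.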
That’s it. We can now call a function module from IdM and update groups and create users in Personas