In the SAP Identity Management 8.0 Release Highlights blog I mentioned about the improved security model and now will make a short detour to elaborate a bit on that.
Developer Studio connects to the IdM Developer Studio Service running on SAP NetWeaver AS Java. The service then uses AS Java UME for authentication, that’s why you should have the respective users in the UME and in addition it is required that this user also exists in the Identity Management database with the same username as in the UME. Then the service connects to the Identity store(s) and verifies all incoming requests so that the developer actually no longer needs to know the database credentials. All authorized IdM developers are stored in the IdM database in the configuration tables e.g. MC_USERS but not in the Identity store meaning that a developer does not have MX_PERSON entry. These tables in IdM database are only writable by mxmc_admin user which is created during install or upgrade and thus prevent developers from modifying them. This is done for security reasons – as developers have access to the identity store and might easily break the security and authorization model. Therefore, the mxmc_rt user which is used by the runtime components also does not have the permissions to modify that.
Having created a Developer admin user you are ready to go.
Once you open Eclipse you would need to go to Window/Open Perspective/Other and switch to SAP Identity Management Developer Studio perspective to be able to take full advantage of the IdM Development Studio plug-in features.
Then you would create Identity store. The Developer Admin user can also add developer users given that they are created in the UME first. Developer administrator can add or remove users, create identity store, create package, modify identity store schema and manage the package access rights. As Developer administrator you have the ability to suspend/resume or stop a dispatcher remotely from the Developer Studio Eclipse plug-in – another feature that was appreciated by our early customers as you do not need operating system level access to the runtime machine. Of course you can use the new dispatcher utility.
Developers have access to one or more packages. If a developer is owner of a package, she can grant access to other users. Developer can modify anything, but Layout Developer can only modify form layout. Import authorization would allow overwriting by importing. View authorization allows read only. Access to each package can be modified by the administrator or the owner. This can be done only if the package is checked in.
Then you would import the SAP Provisioning Framework packages and it is worth to mention few here:
- Engine – contains the core provisioning flow which is responsible for triggering the necessary processes (Provision, De-provision and Modify) as well as common scripts used by all packages so most other packages depend on it.
- At least one connector package – The package for each connector contains the specific processes for provisioning to a specific system e.g. com.sap.idm.connector.abap.idmpck which includes ABAP specific repository type, processes, jobs and scripts.
- Custom package (com.sap.idm.connector.custom.idmpck) – is package with default settings and configurations, default constants and scripts and customers can make customizations in this package so that it is less likely to modify SAP delivered packages and preserve their easy upgradability in future. Connectors have extension points which can be implemented in these custom packages. Currently extension points are a given set and we would need feedback to see what else has to be added as extension points.
- One of the new connectors we deliver with this release is SuccessFactors connector and you will find a bit more in this blog article of Ralitsa Chipeva.
- Forms package – The forms package contains the definition of all User Interface tasks for CRUD operations (create, read, update, delete) on different entry types
- Notification package – The notification package contains the notification task and the notification templates that are used to send notifications from the SAP Provisioning framework, approval and attestation tasks
Finally the workflow diagram editor allows you to view existing processes in a more convenient way and model new ones with the mouse. Actually “drag-and-drop” implies drag, but actually you do not need to drag, rather you click on the palette element and then put it where you wish – usually over an arrow. I found this convenient once got used to it. Also it has got nice Auto layout function.
ℹ Now the Eclipse plugin is available on the central update site also known as SAP Release Train for Eclipse. You can see how to access it here: SAP Development Tools for Eclipse