
As outlined in my previous blog, one of the major improvements in SAP Identity Management 8.0 is the new design-time Developer Studio, an Eclipse plug-in that replaces the Identity Center Management Console. Although this change might seem big, the feedback we got from early users was that those with a background in earlier versions found it easy to get used to the new tool, and they were also pleased by some of the features Eclipse brings with it, e.g. being able to work with more than one entity at the same time, JavaScript code coloring and code completion.

In the SAP Identity Management 8.0 Release Highlights blog I mentioned the improved security model, and I will now make a short detour to elaborate on it.

Developer Studio connects to the IdM Developer Studio Service running on SAP NetWeaver AS Java. The service uses the AS Java UME for authentication, so each developer must have a user in the UME, and the same user must also exist in the Identity Management database with the same username as in the UME. The service then connects to the identity store(s) and verifies all incoming requests, so the developer no longer needs to know the database credentials. All authorized IdM developers are stored in the configuration tables of the IdM database, e.g. MC_USERS, but not in the identity store, meaning that a developer does not have an MX_PERSON entry. These tables are writable only by the mxmc_admin user, which is created during installation or upgrade, and this prevents developers from modifying them. This is done for security reasons: developers have access to the identity store and might otherwise easily break the security and authorization model. For the same reason, the mxmc_rt user, which is used by the runtime components, does not have permission to modify these tables either.
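The two rules in this paragraph (only mxmc_admin writes to the configuration tables; every developer in the IdM database has a UME user with the same username) can be checked mechanically. The following is an added example, not SAP code: the `(grantee, table, privilege)` input format, the function names and all sample rows are assumptions constructed for illustration.

```python
# Added example: input format, helper names and sample rows are constructed.
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE"}

def audit(grants, config_tables, ume_users, idm_developers, admin="mxmc_admin"):
    """Return sorted findings; an empty list means both rules hold."""
    findings = []
    tables = {t.upper() for t in config_tables}
    # Rule 1: only the admin account may write to the configuration tables.
    for grantee, table, priv in grants:
        is_write = priv.upper() in WRITE_PRIVS
        if table.upper() in tables and is_write and grantee.lower() != admin.lower():
            findings.append(f"write-grant: {grantee} has {priv.upper()} on {table.upper()}")
    # Rule 2: each developer in the IdM database needs a UME user with the
    # same username (exact, case-sensitive match is this example's assumption).
    ume = set(ume_users)
    for dev in idm_developers:
        if dev in ume:
            continue
        near = sorted(u for u in ume if u.lower() == dev.lower())
        hint = f" (UME has '{near[0]}')" if near else ""
        findings.append(f"no-ume-user: {dev}{hint}")
    return sorted(findings)

# Constructed privilege export: (grantee, table, privilege).
SAMPLE_GRANTS = [
    ("mxmc_admin", "MC_USERS", "INSERT"),
    ("mxmc_admin", "MC_USERS", "UPDATE"),
    ("mxmc_rt", "MC_USERS", "SELECT"),
    ("mxmc_rt", "MC_USERS", "UPDATE"),   # constructed misconfiguration
    ("dev_anna", "MC_USERS", "DELETE"),  # constructed misconfiguration
]
SAMPLE_UME = ["Administrator", "dev_anna", "dev_bob"]  # constructed UME users
SAMPLE_DEVS = ["dev_anna", "dev_carl", "DEV_BOB"]      # constructed MC_USERS names

def run_sample():
    return audit(SAMPLE_GRANTS, ["MC_USERS"], SAMPLE_UME, SAMPLE_DEVS)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```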

IDMDevStudioUsercreateInEclipse.png

Having created a Developer admin user you are ready to go.

Once you open Eclipse, go to Window/Open Perspective/Other and switch to the SAP Identity Management Developer Studio perspective to take full advantage of the IdM Developer Studio plug-in features.

Then you would create an identity store. The Developer Admin user can also add developer users, provided that they are created in the UME first. A Developer administrator can add or remove users, create an identity store, create a package, modify the identity store schema and manage the package access rights. As Developer administrator you can also suspend/resume or stop a dispatcher remotely from the Developer Studio Eclipse plug-in, another feature that was appreciated by our early customers because you do not need operating-system-level access to the runtime machine. Of course, you can also use the new dispatcher utility.

Developers have access to one or more packages. If a developer is the owner of a package, she can grant access to other users. A Developer can modify anything, whereas a Layout Developer can modify only the form layout. Import authorization allows overwriting by importing. View authorization allows read-only access. Access to each package can be modified by the administrator or the owner. This can be done only if the package is checked in.

Then you would import the SAP Provisioning Framework packages, and a few of them are worth mentioning here:

  • Engine – contains the core provisioning flow which is responsible for triggering the necessary processes (Provision, De-provision and Modify) as well as common scripts used by all packages so most other packages depend on it.
  • At least one connector package – The package for each connector contains the specific processes for provisioning to a specific system e.g. com.sap.idm.connector.abap.idmpck which includes ABAP specific repository type, processes, jobs and scripts.
  • Custom package (com.sap.idm.connector.custom.idmpck) – a package with default settings and configurations, default constants and scripts. Customers can make their customizations in this package, so that they are less likely to modify SAP-delivered packages and those packages remain easy to upgrade in the future. Connectors have extension points which can be implemented in these custom packages. Currently the extension points are a given set, and we would need feedback to see what else has to be added as extension points.
  • One of the new connectors we deliver with this release is the SuccessFactors connector, and you will find a bit more about it in this blog article by Ralitsa Chipeva.
  • Forms package – The forms package contains the definition of all User Interface tasks for CRUD operations (create, read, update, delete) on different entry types
  • Notification package – The notification package contains the notification task and the notification templates that are used to send notifications from the SAP Provisioning framework, approval and attestation tasks

PackagesInEclipse.png

Finally, the workflow diagram editor allows you to view existing processes in a more convenient way and to model new ones with the mouse. “Drag-and-drop” implies dragging, but you do not actually need to drag: you click on the palette element and then put it where you wish, usually over an arrow. I found this convenient once I got used to it. It also has a nice Auto layout function.

ℹ Now the Eclipse plugin is available on the central update site also known as SAP Release Train for Eclipse. You can see how to access it here: SAP Development Tools for Eclipse

EclipseUpdateSite.png


7 Comments


  1. Daniel Rothmund

    Hi Fedya,

    One question about it. We are a ramp-up customer….

    And I have the problem that after the installation of the plugin into my Eclipse,

    after each switch between the perspectives, e.g. from IdM to J2EE or ABAP,

    Eclipse always asks to reset my perspective. After uninstalling the SAP IdM plugin the problem was gone….

    Can I disable it? BTW, the first look of the SAP IdM in Eclipse is great!

    Regards

    Daniel

    (0) 
  2. Manuel Bujan

    Hi Fedya,

    We just recently upgraded our IDM System to version 8.0 SP1 on our development system. The existing provisioning framework from 7.2 was placed inside the default package.

    We would like to use the new provisioning network and packages.

    Do you know if there is a guide or something containing everything we need to take into consideration to make the Switch from the old Provisioning Framework to the new one?

    Appreciated some guidance,

    Manuel

    (0) 
    1. Fedya Toslev Post author

      Hi Manuel,

      There is a demand by our customers for this and we need to do some enhancements to be able to do the transition from one old repository type to a new one.

      Currently I’d recommend to work with your migrated package and wait until we enable more efficient transition.

      Meanwhile you can use the new packages for connecting to new repositories besides the migrated package.

      Best wishes,

      Fedya

      (0) 
  3. Nick McEwen

    Hello,

    Please help, we would like to install Eclipse Mars or Neon with the IdM plugin however it appears you can only install the Plugin online and not offline.

    Our situation is that we are in a secure network with no internet access and the only way to download software is either with the SAP download manager via a proxy or through a very secure transport process.

    Is there any way we can retrieve the offline install files for the Identity Management Plugin for Eclipse Mars or Neon?

     

    (0) 
