Identity Management reporting via SAP Lumira
Managing identities and their permissions is important for the companies. Along with performing specific operations, companies also would like to have details/reports on top of the identity management data. These reports could cover the current state of assigned privileges, for example, or what was the situation last year. Some of the requirements for such reports are common to the different companies, but it is also true that there are company specifics. By creating reports on identity management data, companies could do some analyses and if needed execute proper actions.
In the following article we’ll create, modify and extend an analytical report. For this purpose we’ll get the SAP IdM data and via SAP Lumira we’ll create nice looking reports, share them with colleagues and add options to filter/drill-down into the report so that we could discover the information that is important for us. The described approach is applicable to any IdM version and all supported DBs.
Here are the technical details of our configuration:
- Installed, configured and operational instance of SAP Identity Management 7.2 SP9, which is used to manage identities in a multinational company. As DB for this IdM instance we’ll use MS SQL Server and we have created user with proper select permissions for this DB
- Installed SAP Lumira Desktop, an MS Windows application that will be used for building the analytical report
- Created account in SAP Lumira Cloud, an environment that will be used to publish and after that access the analytical report
We’ll go through:
- Part 1: Create initial version of IdM report via SAP Lumira
- Part 2: Modify initial version of IdM report created via SAP Lumira
- Part 3: Combine information from several DataSets in IdM report created via SAP Lumira
- Part 4: Combine multiple visualizations in IdM report created via SAP Lumira
- Part 5: Provide filtering in IdM report created via SAP Lumira
As a result we’ll create a sample analytical report that combines several information sets inside and provides filtering capabilities. The report is easily accessible and could be used for a daily business. In our case the report is almost real-time – the data could be refreshed based on time schedule or on demand. Last but not least, a similar report could be created on top of any SAP IdM version if you use the public APIs (DB views) that are exposed, the same way we did it here.
Additional information and options for IdM reporting could be found in:
ℹ Recent change in the license policy regarding SAP Identity Management and SAP Lumira integration. Licensee is allowed to use up to 10 of the embedded SAP Lumira Desktop Users Licenses regardless of the number of Identity Management licenses purchased.
It looks quite nice. I am wondering is it in use already from some of our customers - IDM - SAP Lumira integration I mean?
Hi Todor,
Few customers already approached us regarding that integration. I believe that soon their scenarios will be productized.
Yours, Pacho
Thank you for your presentation in Lumira. I feel that reporting in IDM has been a key weakness in IDM 7.2. I have a couple of questions:
1) Do we need HANA for Lumira? We don't have HANA in our shop and does that mean we are out of luck?
2) Is Jasper and Crystal report supported in IDM 8.0?
3) The problem with IDM reporting in 7.2 is that the BW contents are so poorly developed that they are not very useful. From the forum, I know that that some shops are using javascript to generate HTML reports. I feel that this is a rather expensive approach. Does your other customers have better approach?
1) No. Lumira is available w/o HANA.
2) Jasper is open source, so still available. AFAIK, Crystal is no longer suppored.
3) I concur. Yes, HTML is a rather expensive approach, but in RDS for 7.2, there are some HTML reports available: https://service.sap.com/rds-idm
Maybe you could write down your requirements regarding reporting?
Thanks and regards, Jannis
Hi, Jannis
Thanks for the feedback.
1. I have done some research on Lumira. According to an Lumira blog, Lumira is counter productive without Hana. Therefore, we are still dealing one of the main pitfalls w/o BW, repeated heavy queries against the IDM database.
2. Thanks on the confirmation. But we may be using BOBJ instead as I don't see SAP's future direction is Jasper.
3. I understand that RDS provides some reports. However, the reports are not flexible compared to a BW infoset/infocube and you cannot slice and dice the data. Here are some of the requirements that the BW infosets fail to deliver:
- the infosets delta updates don't not work on role deletion in the abap system.
- only direct assignments data in the infosets, not the ones from business roles.
- no historical privilege/role assignment supported in infoset/infocube
- no infosets/infocubes on approvals
I am pretty disappointed when I realized that IDM 8.0 does not have any improvement on IDM reporting. Please advise if you have a different understanding.
Thanks,
Jonathan.
Hi Jonathan,
1) you are able to use lumina reporting for IdM w/o HANA
2) crystal reports seems also not the future direction
3) correct, the HTML reports are fixed.
CHeers, Jannis
Hi, Jannis
1) Yes, I know. But according to a blog written by someone on Lumira w/o Hana, it is not recommended because you will run into performance problems. Lumira is built and tested with Hana in mind.
3) Can you explain what you mean? I checked the service marketplace. There is a new RDS package released for IDM 7.2 but nothing for IDM 8.0. Other than that, I don't see anything has changed on the BW content.
Thanks,
Jonathan.
1) as IdM is not available on HANA, and as you would be able to publish the reports to Lumira Cloud, this question is not really valid.
3) the RDS HTML reports for 7.2 can be changed, but as you already mentioned, they are not replacing anything like BW. afaik, no new BW content is coming with IdM 8.0 (and the BW content is also not really tighten to a IdM version).
Thanks for your comment.