The SAP IDM Provisioning Framework 2, which was released in the first half of 2014, offers significant improvement over the original version.  Some of the main benefits of the updated framework include improved performance along with a simplified task structure which makes it easier to understand what is happening under the hood.  In this document we will review how to configure the new framework to provision, update and disable accounts in an ABAP system.


Before you begin this document make sure that SAP IDM 7.2 SP9 is installed and correctly configured.  Import the new Provisioning Framework into the Identity Center as well.


In order to manage identities in the target ABAP repository, the following needs to be accomplished:


  1. Create target ABAP repository
  2. Create and run initial ABAP load job in Identity Center
  3. Ensure that the Repository system privilege is correctly configured
  4. Configure the master privilege on the target repository
  5. Configure the correct tasks on the events tab of the target repository
  6. Update the hook tasks in the repository constants (optional)
  7. Create role with Master Privilege and assign to target user


Create Target ABAP Repository


Follow the standard process to create a new ABAP repository.  Enter the target system, client and the target credentials as usual.


Create and Run Initial ABAP Load Job in Identity Center


Use the job wizard to create an initial load for the new ABAP system.  Consider limiting the number of users and privileges that are written to the SAP Identity Center.  This can be done by modifying the SQL select statement on the source tab of the pass in question.  Make certain that all passes, including the one entitled “Update System Privilege trigger attributes”, are enabled and run.


Ensure That the Repository System Privilege Is Correctly Configured

Go to the privileges of the target Identity Center and add “%System%” to the filter.  Now open the properties of the system privilege of the target ABAP system.


SAP_1.png

SAP_2.png

Go to the task tab of the privilege; the item in question should look similar to this example:

SAP_3.png

The important points on this screen are:


  1. The system privilege determines if provisioning, deprovisioning and/or modification tasks will fire.  The various tasks are inherited from the repository settings, which we will get to shortly.
  2. IDM will only sync the attributes checked on this privilege to the target ABAP system.  If, for example, “DisplayName” is unchecked, then IDM will not sync changes made to it in the Identity Center to this ABAP target.
  3. The ABAP initial load job will set all of the pertinent values on the system privilege.  Ensure that the initial load job runs correctly.  You will still need to configure repository level values.


Configure the Master Privilege on the Target Repository


Go to your target repository and select the “privileges” tab.  Ensure that the repository privilege is listed as the “Master Privilege”.

SAP_4.png

The repository privilege is separate and distinct from the system privilege discussed in the prior section.  Keep in mind that the system privilege defines behavior contingent upon having the repository Master privilege assigned to the MX_Person record.


This means that you must assign the repository privilege to the target MX_Person in order to provision a new ABAP account, assign additional privileges or synchronize attributes.  The bottom line is: no repository privilege, no action on the given MX_Person record for that ABAP target.


Next, move to the “Events” tab and be sure to set the following.  By default all of these items are blank when a new repository is created, so they need to be set manually.


SAP_5.png

By setting the Assignment and Privilege tasks noted above you are instructing IDM to fire the hook tasks defined at the repository level.  In other words, the event tasks are the entry point that fires the appropriate hook tasks defined in the repository constants.


Update the Hook Tasks in the Repository Constants (Optional)


By default the hook tasks on the repository are set up when you run the new repository wizard.  Most likely you will not have to make any changes to the default hook values.  The exception is if you are upgrading from Provisioning Framework 1 to 2; in that case, check the repository hook constants and confirm they point at the right tasks.


The hook tasks are defined in the repository constants as such:

SAP_6.png


Again, the wizard should set the correct values for you, so no action should be needed on your part unless you are upgrading from a previous framework version.


Create Role with Master Privilege and Assign to Target User


Finally, in order to provision a new ABAP account for the target system you will need to create an IDM role and add the master privilege to it.  Use the standard role management screens in the IDM portal to accomplish this.  See page 47 of the SCN document “Working with Roles and Privileges” for a detailed discussion of role management via the portal.


Once you add the role with the master privilege to an end user from the IDM portal the new ABAP account will be provisioned.


SAP_7.png

Now that the account is created you can sync attributes from LDAP or the IDM portal.   If for instance you update the display name of a given user in your IDM portal, it will update the target ABAP system.  The Identity Center shows that the change has been sent to the ABAP target and can be verified in the SU01 record.


SAP_8.png


If you want to disable the account on the ABAP target, modify the user in the portal and select the disable check box.  Be sure to save your changes:


SAP_9.png

In the Identity Center, the ABAP account has been disabled.


SAP_11.png

To unlock, return to the portal and uncheck the disable box.

SAP_12.png

The Identity Center will then unlock the ABAP target.

SAP_13.png

Lastly, if you remove the role with the master privilege from the end user account via the portal, IDM will delete the account on the ABAP target.

SAP_14.png

If you add the role back with the master privilege to the end user in question, the account will be re-provisioned.

SAP_15.png

Next Steps

This document covered the basics of how to configure ABAP account management with the SAP IDM Provisioning Framework 2.  You can expand upon this work by creating additional IDM portal roles with other ABAP system privileges.


3 Comments


  1. Tero Virta

    Hi Scott,

    I would add a few points:

    Account Privilege task (PRIV:MYREPOSITORY:ONLY) screenshots were missing from the post; what they should have configured is Add/Del-member tasks set to inherited and Modify tasks set to none.

    The System Privilege should have the Add/Del-member tasks on Member Events tab set to none (screen shot missing).

    Another point on the System Privilege and the Trigger Attributes is that the list should be kept as small as possible. The product has some amazing features but, due to the asynchronous nature of it, speed is not among them, so I always avoid unnecessary processing; here, the attribute changes that are not relevant for AS ABAP should be ticked off.

    All other privileges should have Add/Del-member tasks set to inherited, Modify-task set to none and the Account Privilege set as Master Privilege.

    The blog is not really limited to AS ABAPs or PF2 on SP9; the knowledge can be applied to older PF too and to other repository types too.

