How to manage ABAP Repositories with Provisioning Framework 2
The SAP IDM Provisioning Framework 2, which was released in the first half of 2014, offers significant improvement over the original version. Some of the main benefits of the updated framework include improved performance along with a simplified task structure which makes it easier to understand what is happening under the hood. In this document we will review how to configure the new framework to provision, update and disable accounts in an ABAP system.
Before you begin this document, make sure that SAP IDM 7.2 SP9 is installed and correctly configured. Import the new Provisioning Framework into the Identity Center as well.
In order to manage identities in the target ABAP repository, the following needs to be accomplished:
- Create target ABAP repository
- Create and run initial ABAP load job in Identity Center
- Ensure that the Repository system privilege is correctly configured
- Configure the master privilege on the target repository
- Configure the correct tasks on the events tab of the target repository
- Update the hook tasks in the repository constants (optional)
- Create role with Master Privilege and assign to target user
Create Target ABAP repository
Follow the standard process to create a new ABAP repository. Enter the target system, client and the target credentials as usual.
Create and Run Initial ABAP Load Job in Identity Center
Use the job wizard to create an initial load job for the new ABAP system. Consider limiting the number of users and privileges that are written to the SAP Identity Center. This can be done by modifying the SQL select statement on the source tab of the pass in question. Make certain that all passes, including the one entitled “Update System Privilege trigger attributes”, are enabled and run.
Ensure that the Repository system privilege is correctly configured
Go to the privileges of the target Identity Center and add “%System%” to the filter. Now open the properties of the system privilege of the target ABAP system.
Go to the task tab of the privilege. The item in question should look similar to this example:
The important points on this screen are:
- The system privilege determines if provisioning, deprovisioning and/or modification tasks will fire. The various tasks are inherited from the repository settings which we will get to shortly.
- IDM will only sync the attributes checked on this privilege to the target ABAP systems. If for example, “DisplayName” is unchecked then IDM will not sync any changes made in the Identity Center to this ABAP target.
- The ABAP initial load job will set all of the pertinent values on the system privilege. Ensure that the initial load job runs correctly. You will still need to configure repository level values.
Configure the Master Privilege on the Target Repository
Go to your target repository and select the “privileges” tab. Ensure that the repository privilege is listed as the “Master Privilege”.
The repository privilege is separate and distinct from the system privilege discussed in the prior section. Keep in mind that the system privilege defines behavior contingent upon having the repository Master privilege assigned to the MX_Person record.
This means that you must assign the repository privilege to the target MX_Person in order to provision a new ABAP account, assign additional privileges or synchronize attributes. The bottom line is: no repository privilege, no action on the given MX_Person record for that ABAP target.
Next, move to the “Events Task” tab and be sure to set the following. By default all of these items are blank when a new repository is created, so they need to be set manually.
By setting the Assignment and Privilege tasks noted above you are instructing IDM to fire the hook tasks defined at the repository level. In other words, the event tasks are the entry point that fires the appropriate hook tasks defined in the repository constants.
Update the hook tasks in the repository constants (optional)
By default the hook tasks on the repository are set up when you run the new repository wizard. Most likely you will not have to make any changes to the default hook values. The exception is if you are upgrading from Provisioning Framework 1 to 2; in that case check the repository hook constants and confirm they point at the right tasks.
The hook tasks are defined in the repository constants as such:
Again, the wizard should set the correct values for you, so no action should be needed on your part unless you are upgrading from a previous framework version.
Create Role with Master Privilege and Assign to Target User
Finally, in order to provision a new ABAP account for the target system you will need to create an IDM role and add the master privilege to it. Use the standard role management screens in the IDM portal to accomplish this. See page 47 of the SCN document “Working with Roles and Privileges” for a detailed discussion of role management via the portal.
Once you add the role with the master privilege to an end user from the IDM portal the new ABAP account will be provisioned.
Now that the account is created you can sync attributes from LDAP or the IDM portal. If for instance you update the display name of a given user in your IDM portal, it will update the target ABAP system. The Identity Center shows that the change has been sent to the ABAP target and can be verified in the SU01 record.
If you want to disable the account on the ABAP target, modify the user in the portal and select the disable check box. Be sure to save your changes:
In the Identity Center, the ABAP account has been disabled.
To unlock, return to the portal and uncheck the disable box.
The Identity Center will then unlock the ABAP target.
Lastly, if you remove the role with the master privilege from the end user account via the portal, IDM will delete the account on the ABAP target.
If you add the role back with the master privilege to the end user in question, the account will be re-provisioned.
This document covered the basics of how to configure ABAP account management with the SAP IDM Provisioning Framework 2. You can expand upon this work by creating additional IDM portal roles with other ABAP system privileges.