SAP Multichannel Foundation for Utilities and Public Sector: User Provisioning with SAP IDM
More detailed description of the process flow for user provisioning in our integration scenario:
There are several possible options for leveraging the SAP IDM system, as all the APIs to create/delete/modify users and assign privileges are provided. It is possible to create a custom UI where user self-service requests are sent directly to the SAP IDM system. We decided to leverage the existing SAP MCF public application and SAP Gateway functionality and create users in SAP IDM using BAdIs in the SAP Gateway user management component. This is only an example of the integration of SAP IDM. Depending on the customer’s requirements it has to be adapted, or a different technique can be used.
- From the Public MCF UI page, the user accesses a sign-up page and enters the necessary information, such as user name, e-mail and contract account. Then the user submits this request and a standard SAP Gateway OData request is executed (user self-service entity UserRequestManagement).
- This request is redirected to the leading user management system (which is SAP CRM for Utilities in our case).
- Then this user request is verified and e-mail notification is sent to the user.
- In the e-mail notification, the user clicks on the link and another OData request is triggered to activate this user.
- This user activation request is again redirected to the user management system.
- During the user activation process, an SAP Gateway BAdI is called, and a custom BAdI implementation is executed instead of the standard user creation.
- In our implementation scenario, we assume that the user is an existing customer and has a business partner (BP) and contract account. We supply them for IDM user creation. This BP will be linked to the user during the user provisioning process.
- The abovementioned BAdI implementation triggers user creation in the SAP IDM system via REST API provided by the SAP IDM solution.
- As soon as a user is created in SAP IDM, the user provisioning scripts will run automatically and replicate it to all the ABAP repositories which are configured in the SAP IDM system.
- This provisioning process usually takes some time. The user needs to be informed that an activation process is not immediate.
- In the backend ABAP systems, the user will be created by a special function module, which will trigger the SAP IDM BAdI. In the implementation of this BAdI we link the newly created user with the Business Partner, as required by the SAP MCF solution.
Settings required in the leading user management system to call the SAP IDM REST API (step f.)
- You need to configure an HTTP connection to the SAP IDM Server in your leading user management system:
- Run SM59 transaction to configure your new HTTP connection:
IDM/REST picture 1 - Create a new HTTP connection:
IDM/REST picture 2 - Configure a new entry:
In the tab “Logon & Security”, you can use basic authentication with user and password – use an administrator user of your IDM system.
In the tab “Special Options”, set to accept cookies, as shown below:
IDM/REST picture 3
- You need to enhance the existing User Management:
- Enhance the BAdI:
SAP delivers a standard BAdI implementation for SAP MCF user management: CRM_IU_UMC_UM. To integrate with SAP IDM, you need to change some of its behavior. To do so, a new enhancement should be created which has similar settings but a different implementation class; the new implementation class, in its simplest form, can derive from the standard implementation class.
Now you need to adjust your new class according to your needs. For example, if you want to create a new user account via SAP IDM, the method /IWBEP/IF_MGW_UM_USER_MANAGER~CREATE_USER needs to be overridden with code similar to the sample below:
First you need to create an attributes table in which you store all the attributes you want to pass to the IDM system (part (a) of the “User provisioning setup” section below explains how to define the additional attributes in the IDM repository):
ls_attribute-name  = 'MX_FS_CONTRACT_ACCOUNT'.
ls_attribute-value = ls_iu_account_info-buag_id.
APPEND ls_attribute TO lt_attribute.
ls_attribute-name  = 'MX_FS_BUSINESS_PARTNER'.
ls_attribute-value = ls_iu_account_info-account_id.
APPEND ls_attribute TO lt_attribute.
Then you need to instantiate an HTTP REST client using the HTTP destination you created:
cl_http_client=>create_by_destination( EXPORTING destination = 'UMC_IDM_RESTAPI' IMPORTING client = client ).
Using this HTTP client you need to set the URL of the request, which will be something like “/idmrest/v72alpha/entries/0”:
cl_http_utility=>set_request_uri( request = client->request uri = lv_uri_post ).
Then you need to set the HTTP method:
client->request->set_method( if_http_request=>co_request_method_post ).
After that you need to set the header fields (for example, for a POST you need to send a CSRF token, which you first have to fetch using the same sequence of operations with the header value ‘Fetch’):
client->request->set_header_field( name = if_rest_request=>gc_header_csrf_token value = 'Fetch' ).
And after that you need to set the form fields, passing the table you created before:
client->request->set_form_fields( fields = lt_attribute ).
And finally you can send the request:
client->send( ).
and receive the response:
client->receive( ).
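The fetch-then-POST sequence described above, written out as an added example (this is not the post's own code): a hypothetical local class that first obtains the CSRF token with a GET on entries/0 and then posts the attribute table to an IDM task URI, with the sy-subrc and status checks the snippet leaves out. The destination name UMC_IDM_RESTAPI is the one from the post; the class name, its parameters and the error texts are my assumptions.

```abap
CLASS lcl_idm_rest DEFINITION.
  PUBLIC SECTION.
    CONSTANTS gc_dest TYPE rfcdest VALUE 'UMC_IDM_RESTAPI'.
    CLASS-METHODS create_entry
      IMPORTING iv_task_uri  TYPE string
                it_attribute TYPE tihttpnvp
      EXPORTING VALUE(ev_status) TYPE i
                VALUE(ev_reason) TYPE string.
ENDCLASS.
CLASS lcl_idm_rest IMPLEMENTATION.
  METHOD create_entry.
    DATA: lo_client TYPE REF TO if_http_client, lv_token TYPE string.
    " Client from the SM59 destination; "accept cookies" must be set there, since the token is only valid with the session cookie
    cl_http_client=>create_by_destination(
      EXPORTING destination = gc_dest
      IMPORTING client      = lo_client
      EXCEPTIONS OTHERS     = 1 ).
    IF sy-subrc <> 0.
      ev_reason = 'HTTP destination not available'.
      RETURN.
    ENDIF.
    " Step 1: GET the current-user entry with "X-CSRF-Token: Fetch" to obtain a token
    cl_http_utility=>set_request_uri( request = lo_client->request uri = '/idmrest/v72alpha/entries/0' ).
    lo_client->request->set_method( if_http_request=>co_request_method_get ).
    lo_client->request->set_header_field( name = if_rest_request=>gc_header_csrf_token value = 'Fetch' ).
    lo_client->send( EXCEPTIONS OTHERS = 1 ).
    IF sy-subrc = 0.
      lo_client->receive( EXCEPTIONS OTHERS = 1 ).
    ENDIF.
    IF sy-subrc = 0.
      lv_token = lo_client->response->get_header_field( if_rest_request=>gc_header_csrf_token ).
    ENDIF.
    IF lv_token IS INITIAL.
      ev_reason = 'CSRF token fetch failed'.
      lo_client->close( ).
      RETURN.
    ENDIF.
    " Step 2: POST the attribute table to the task URI, reusing session cookie and token
    lo_client->refresh_request( ).
    cl_http_utility=>set_request_uri( request = lo_client->request uri = iv_task_uri ).
    lo_client->request->set_method( if_http_request=>co_request_method_post ).
    lo_client->request->set_header_field( name = if_rest_request=>gc_header_csrf_token value = lv_token ).
    lo_client->request->set_form_fields( fields = it_attribute ).
    lo_client->send( EXCEPTIONS OTHERS = 1 ).
    IF sy-subrc = 0.
      lo_client->receive( EXCEPTIONS OTHERS = 1 ).
    ENDIF.
    IF sy-subrc = 0.
      lo_client->response->get_status( IMPORTING code = ev_status reason = ev_reason ).
    ELSE.
      ev_reason = 'POST to SAP IDM failed'.
    ENDIF.
    lo_client->close( ).
  ENDMETHOD.
ENDCLASS.
```

Call it with the lt_attribute table built above and the URI of your “Create BS User” task (for example the entries/…/tasks/… path listed under the common REST services below); anything other than a 2xx code in ev_status means IDM did not start the task, and the user must not be reported as activated.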
Details on how to use a REST client can be found in the SAP Help Portal.
- Common SAP IDM REST services which can be used in your SAP IDM integration:
- Search and retrieve a user:
GET http://<host>:<port>/idmrest/v72alpha/entries?EntryType=MX_PERSON&MX_LASTNAME=…
- Get details of the current user:
GET http://<host>:<port>/idmrest/v72alpha/entries/0
- Create a new entry via an IDM task:
POST http://<host>:<port>/idmrest/v72alpha/entries/5784/tasks/1321
Note: you need to provide a CSRF token in the header and the necessary attributes in the payload. Task numbers may differ depending on the SAP IDM settings. You can find the required task numbers under “Identity Store” -> <name of your Identity store> -> “Provisioning_framework” -> “Web Enabled Tasks” -> “Identity” …
IDM/REST picture 4
- Assign a new privilege to the new entry:
POST http://<host>:<port>/idmrest/v72alpha/entries/14156/tasks/38
MXREF_MX_PRIVILEGE=12199
Again, the privilege ID may differ depending on the SAP IDM settings. You can find the IDs of privileges under “Identity Store” -> <name of your Identity store> -> “Identity store Metadata” -> “Privileges”. After you complete the setup of the user provisioning, you will find the main privileges for your repositories under the names PRIV:<repository name>:ONLY. Double-click on the privilege name and you will find the Privilege ID. Please bear in mind that assigning a corresponding privilege will trigger the user replication/provisioning. You can also create a task in the SAP IDM system which assigns all the necessary privileges to a user and then execute this task via the REST API.
- Activate the new implementation in the customizing node “SAP NetWeaver Gateway Service Enablement” -> “Backend OData Channel” -> “User Self Service Setup” -> “Implement User Management”. In this node, deactivate the standard implementation and activate the new one.
User provisioning setup (step g.)
In order to allow the SAP IDM system to provision users (step g), we need to set it up. Below is a detailed description of the SAP IDM setup.
- You need to create the new attributes in the Identity Store of your Identity Management system. Those additional attributes will be used for user verification during user self-registration. Examples of such attributes in a real environment are contract account, driver’s license, social insurance number, etc. Depending on which attributes are provided, Business Partners can be created in the backend (ERP/CRM) Utilities systems as well. We are implementing a test scenario in which a Utility customer has an existing account (Business Partner) and a corresponding Contract Account in the backend systems. That is why we created only two new attributes:
- New Attributes are created in the SAP IDM system as follows:
- Start your Identity Center Console and go to your Identity Store schema:
- Right-click on the “attributes” and select “New”->”Identity store attribute” in the context menu:
IDM picture 1 - Enter the attribute names MX_FS_CONTRACT_ACCOUNT and MX_FS_BUSINESS_PARTNER for your new attributes. Bear in mind that the prefix MX_FS_ is obligatory for the proper mapping of those attributes to the RFC calls in the backend:
IDM picture 2 - Enter the “Entry type” MX_PERSON for which those attributes are valid. Repeat it for each attribute.
IDM picture 3
- You need to be able to maintain those attributes for the identities in your Identity Store. Also, you have to be able to provide values for those attributes when you create your user via the REST API.
- Create a new Repository in your SAP IDM system for each backend system where you want your users to be provisioned. We have created 3 repositories as we have three systems in our landscape: SAP Gateway, SAP CRM for Utilities, SAP IS-U.
- Go to Management->Repositories. In the context menu choose New->Repository
IDM picture 6 - On the first screen of the Repository wizard, choose “Business Suite AS ABAP (Load Balanced Connector)” – it is quite important to choose the Business Suite connector; it will automatically create constants with the proper task names. Using tasks specific to Business Suite is important, as only in this case will the proper BAdIs be triggered in the backend ABAP system.
IDM picture 7 - On the next screen of the Repository wizard, enter the name of your repository. It is better to use a naming convention with the system name followed by the client number.
IDM picture 8 - On the next screen of the Repository wizard, enter the data about your system, including the credentials to access it. This user should have full power user/administrator capabilities in the backend systems, as other users will be created using this user.
IDM picture 9 - Then you just finish the process and your repository is created.
- When you double-click on the “Constants” of the repository you just created, you’ll see all of them. You can change those constants at any time. For example, sometimes you need to establish a connection to specific Application Server instead of the Message Server and provide an Application Server system number. Also, you might need to change some constants for “hook” tasks, which will be described further in this integration manual.
IDM picture 10
- Before we do the next step in the IDM system (which is the initial load), we need to make some customizing settings in all your backend systems where users need to be provisioned.
- In this step, we describe the implementation of the BAdI on the backend ABAP systems. This BAdI needs to be activated in all the backend systems: SAP Gateway, CRM and ERP (IS-U).
- Create a new class based on the interface: IF_BADI_EXTEND_IDENTITY.
- Create your Enhancement Implementation for the Enhancement Spot BADI_EXTEND_IDENTITY using SE19 transaction. Provide a class name and BAdI definition name BADI_EXTEND_IDENTITY.
- Implement method IF_BADI_EXTEND_IDENTITY~PRE_MODIFY_CHECK_IDENTITY – here we verify whether the user can be created in the backend system.
- Implement method IF_BADI_EXTEND_IDENTITY~POST_MODIFY_IDENTITY – in this method we need to link the created user with the Business Partner. Please bear in mind that, because of replication, the user in the CRM or IS-U system may already have been created; if the BP is created at the same time, you must not create the same BP in the second system. Instead, get this user’s linked BP from the other system and link that BP in the current system.
- The initial load step in the IDM system is a necessary step even though sometimes we do not need the actual backend users to be loaded into IDM*. This step will create all the main privileges and triggers for your repository. You have to repeat this step for each system you need to set up user provisioning for.
For our integration scenario I disabled the passes that save users and privileges from the backend system. The reason is the following: online users will create their accounts using user self-service. Also, for the MCF application, the corresponding user account in the backend ABAP systems will be created with a reference user. This reference user will hold all the authorization roles and profiles. That is why I disabled the pass for saving ABAP authorization privileges (roles and profiles) as well. It really depends on your integration scenario whether you need to load users and privileges into IDM or not.
* Note: Sometimes you have a legacy system where your online users are stored. You need to create a repository for this system in IDM as well and make an initial load of all those users. (It might be, for example, your SAP NW Java AS with the users of your UCES solution.)
- To create a job for the initial load you need to go to the Job Folder. In the context menu choose “New” -> “Run job wizard”
IDM picture 11 - After you click on the “Next” button, you will be forwarded to the screen to select a job. Use the following folder: “Identity Center” -> “Jobs” -> “SAP NetWeaver” -> “BusinessSuite AS ABAP–Initial Load”
IDM picture 12 - Then select your repository and click on “Next”
IDM picture 13 - And, finally, click on the “Finish” button and your job for the initial load will be created (rename it so that it includes the repository name).
- The job has been created. You need to adjust this job depending on your integration scenario. It is possible to disable some passes with the help of the context menu.
- After that you can just run this job. The job results will be shown in the “Job log”.
IDM picture 14
- After a successful run of the job, you need to test whether current IDM users will be replicated to the ABAP systems. If your initial run was successful, a special IDM privilege will have been created which allows you to provision your users into the ABAP repository:
- Start the SAP NetWeaver Identity Management UI in your browser using the URL: https://your_system:port/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/Idm
- Login as administrator
- Find an existing user or create one, select this user and the standard UI task “Assign Privileges, Roles and Groups” will appear.
IDM picture 15 - You will be navigated to the screen where you can assign special privileges
- In the “Available” list in the left part of the tab, choose to show Privileges and find the privilege with the name “PRIV_yourrepositoryname_ONLY”, then click on the “Go” button
- Select this privilege and add it using the “Add” button
IDM picture 16
- In the Job log of the Identity Center UI you can monitor the execution of the job.
IDM picture 17 - Then you can check in the backend ABAP system using transaction SU01 whether your user was created
IDM/ABAP picture 1
- The next step is to make sure that the backend BAdI is triggered when a user is created from IDM. We need to verify this user in the backend, link it to the Business Partner and/or create a Business Partner when necessary.
- The task to create a user should pass a filter value. We did not find a standard way to pass a filter value, that is why we define our own task as a copy. To make a copy of the task go to “Identity Store” -> “Provisioning Framework” -> “CONNECTORS” -> “ABAP BusinessSuite Connector” -> “Plugins” -> “1. Create BS User”. In the context menu of this node click “Copy”, then right-click on the Plugins folder and click “Paste”. The whole task with its subtasks will be copied. Rename it as you wish. Adjust the ta
IDM picture 18
- Adjust the job related to this task. Expand this task and find the related job. Navigate to the configuration of the job “CreateABAPIdentity” and change/adjust the attributes on the “Destination” tab:
- For all your repositories, change the repository constant MX_HOOK1_TASK to your new copy of the task.
IDM picture 21
IDM picture 22
- After this step the user provisioning setup is ready and you can test the whole scenario.
Hi Olga Esipova,
Very nice and impressive article. We have been involved in this area since UCES was not even mature enough. MCF is still new for lots of consultants. Last year we were struggling to find a proper way to integrate MCF with the SAP NW architecture; by using SAP IDM this job becomes simple. But we were not getting any help/documents in this area from anywhere. Is SAP planning any such application for B2B as well? As of now do we have to go for full customization?
Thanks for sharing your valuable knowledge.
Regards,
Narpal Singh
Yes, we designed MCF as a B2C application. Nevertheless, OData extensibility will allow you to implement different authorization rules for different consumers.
For example, there is already an agent mode implemented where an agent can search for Business Partners and have an overview of the selected BP. For the agent user, some checks are disabled compared to the regular user.
With some implementation efforts any B2B scenario can be achieved.
Unfortunately, I do not know what B2B scenario you have in mind - it might work out of the box in MCF, or it might not.
Hello Olga,
Could you let me know how we could activate this agent mode for MCF OData services? Is there a document/blog which explains this?
Many thanks in advance!
Regards,
Suman Biswas