
More detailed description of process flow for user provisioning in our integration scenario:

There are several ways to leverage the SAP IDM system, since it provides all the APIs needed to create, delete and modify users and to assign privileges. It is possible to create a custom UI where user self-service requests are sent directly to the SAP IDM system. We decided to leverage the existing SAP MCF public application and SAP Gateway functionality and create users in SAP IDM using BAdIs in the SAP Gateway user management component. This is only one example of an SAP IDM integration. Depending on the customer’s requirements, it has to be adapted or a different technique can be used.

IDM provisioning.jpg

  1. From the public MCF UI page, the user opens the sign-up page and enters the necessary information, such as user names, e-mail and contract account. The user then submits this request and a standard SAP Gateway OData request is executed (user self-service entity UserRequestManagement).
  2. This request is redirected to the leading user management system (which is SAP CRM for Utilities in our case).
  3. Then this user request is verified and e-mail notification is sent to the user.
  4. In the e-mail notification, a user clicks on the link and another OData request is triggered to activate this user.
  5. This user activation request is again redirected to the user management system.
    • During the user activation process, an SAP Gateway BAdI is called, and a custom BAdI implementation is executed instead of the standard user creation.
    • In our implementation scenario, we assume that the user is an existing customer who has a business partner (BP) and a contract account. We supply them for IDM user creation. This BP will be linked to the user during the user provisioning process.
  6. The abovementioned BAdI implementation triggers user creation in the SAP IDM system via the REST API provided by the SAP IDM solution.
  7. As soon as a user is created in SAP IDM, the user provisioning scripts run automatically and replicate the user to all the ABAP repositories that are configured in the SAP IDM system.
    • This provisioning process usually takes some time. The user needs to be informed that the activation process is not immediate.
    • In the backend ABAP systems, the user is created by a special function module, which triggers the SAP IDM BAdI. In the implementation of this BAdI we link the newly created user with the Business Partner, as required by the SAP MCF solution.

Settings required in the leading user management system to call the SAP IDM REST API (step 6)

  1. You need to configure an HTTP connection to the SAP IDM Server in your leading user management system:
    1. Run SM59 transaction to configure your new HTTP connection:
      IDM REST 1.jpg
      IDM/REST picture 1
    2. Create a new HTTP connection:
      IDM REST 2.jpg
      IDM/REST picture 2
    3. Configure a new entry:
      In the tab “Logon & Security”, you can use basic authentication with user and password – use an administrator user in your IDM system.
      In the tab “Special Options”, set to accept cookies, as shown below:
      IDM REST 3.jpg
      IDM/REST picture 3
  2. You need to enhance the existing User Management
    1. Enhance the BAdI:

      SAP delivers a standard BAdI implementation for SAP MCF user management: CRM_IU_UMC_UM. To integrate with SAP IDM, you need to change some of its behavior. To do so, create a new enhancement that has similar settings but a different implementation class; the new implementation class, in its simplest form, can derive from the standard implementation class.

      Now you need to adjust your new class based on your needs. For example, if you want to create a new user account via SAP IDM, the method /IWBEP/IF_MGW_UM_USER_MANAGER~CREATE_USER needs to be redefined with code similar to the sample below:

      First you need to create an attributes table in which you store all the attributes you want to pass to the IDM system (step 1 of the “User provisioning setup” section explains how to define the additional attributes in the IDM repository):
        " Name/value pairs that are later sent to SAP IDM as form fields
        ls_attribute-name  = 'MX_FS_CONTRACT_ACCOUNT'.
        ls_attribute-value = ls_iu_account_info-buag_id.
        APPEND ls_attribute TO lt_attribute.
        ls_attribute-name  = 'MX_FS_BUSINESS_PARTNER'.
        ls_attribute-value = ls_iu_account_info-account_id.
        APPEND ls_attribute TO lt_attribute.

      Then you need to instantiate an HTTP REST client using the HTTP destination you created:
      cl_http_client=>create_by_destination( EXPORTING destination = 'UMC_IDM_RESTAPI' IMPORTING client = client ).

      Using this HTTP client, you need to set the URL of the request, which will be something like “/idmrest/v72alpha/entries/0”:
      cl_http_utility=>set_request_uri( request = client->request uri = lv_uri_post ).

      Then you need to set the operation:
      client->request->set_method( if_http_request=>co_request_method_post ).

      After that you need to set the header fields (for example, to post you need to set a CSRF token, which you need to get first using the same sequence of operations):
      client->request->set_header_field( name = if_rest_request=>gc_header_csrf_token value = 'Fetch' ).

      After that you need to set the form fields, passing the table you created before:
      client->request->set_form_fields( fields = lt_attribute ).

      Finally you can send the request:
      client->send( ).
      and receive the response:
      client->receive( ).

      Details on how to use a REST client can be found under this link.
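
The two-request sequence described above (fetch a CSRF token, then post with it on the same session), carried through as one flow. This is an added example, not SAP-delivered code or the author's implementation. Assumptions: the report name and the attribute values are constructed, the destination name and URI are the ones quoted on this page, any 2xx status is treated as success, and VALUE #( ) needs ABAP 7.40 or later.

```abap
REPORT zidm_rest_post_demo. " hypothetical report name (added example)

CONSTANTS gc_uri TYPE string VALUE '/idmrest/v72alpha/entries/0'. " URI quoted on the page

DATA: go_client TYPE REF TO if_http_client,
      gt_fields TYPE tihttpnvp,
      gv_token  TYPE string,
      gv_status TYPE i.

START-OF-SELECTION.
  " Constructed sample values; in the BAdI they come from the account data.
  gt_fields = VALUE #( ( name = 'MX_FS_CONTRACT_ACCOUNT' value = '000000000001' )
                       ( name = 'MX_FS_BUSINESS_PARTNER' value = '0000000001' ) ).

  cl_http_client=>create_by_destination(
    EXPORTING  destination = 'UMC_IDM_RESTAPI'
    IMPORTING  client      = go_client
    EXCEPTIONS OTHERS      = 1 ).
  IF sy-subrc <> 0.
    MESSAGE 'HTTP destination UMC_IDM_RESTAPI is not usable' TYPE 'E'.
  ENDIF.
  " The token belongs to the server session, so the session cookie must be kept.
  go_client->propertytype_accept_cookie = if_http_client=>co_enabled.

  " 1) GET with the value 'Fetch' asks the server to issue a CSRF token.
  cl_http_utility=>set_request_uri( request = go_client->request uri = gc_uri ).
  go_client->request->set_method( if_http_request=>co_request_method_get ).
  go_client->request->set_header_field( name  = if_rest_request=>gc_header_csrf_token
                                        value = 'Fetch' ).
  PERFORM send_and_receive CHANGING gv_status.
  IF gv_status = 200.
    gv_token = go_client->response->get_header_field( if_rest_request=>gc_header_csrf_token ).
  ENDIF.
  IF gv_token IS INITIAL.
    go_client->close( ).
    MESSAGE 'No CSRF token received from SAP IDM' TYPE 'E'.
  ENDIF.

  " 2) POST the attributes on the same client, presenting the issued token.
  go_client->refresh_request( ).
  cl_http_utility=>set_request_uri( request = go_client->request uri = gc_uri ).
  go_client->request->set_method( if_http_request=>co_request_method_post ).
  go_client->request->set_header_field( name  = if_rest_request=>gc_header_csrf_token
                                        value = gv_token ).
  go_client->request->set_form_fields( fields = gt_fields ).
  PERFORM send_and_receive CHANGING gv_status.
  go_client->close( ).
  " Assumption: any 2xx status counts as success; everything else is reported.
  IF gv_status < 200 OR gv_status > 299.
    MESSAGE 'SAP IDM did not accept the request' TYPE 'E'.
  ENDIF.
  WRITE: / 'Entry request accepted, HTTP status', gv_status.

FORM send_and_receive CHANGING cv_status TYPE i.
  " Status stays 0 when the call fails at transport level.
  CLEAR cv_status.
  go_client->send( EXCEPTIONS OTHERS = 1 ).
  CHECK sy-subrc = 0.
  go_client->receive( EXCEPTIONS OTHERS = 1 ).
  CHECK sy-subrc = 0.
  go_client->response->get_status( IMPORTING code = cv_status ).
ENDFORM.
```

Checking the HTTP status after each call matters here because send( ) and receive( ) succeed at transport level even when SAP IDM rejects the logon or the token.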

      • Common SAP IDM REST services, which can be used in your SAP IDM integration:
        • Search and retrieve a user
          GET http://<recourse>:<port>/idmrest/v72alpha/entries?EntryType=MX_PERSON&MX_LASTNAME=…
        • Get details of a current user
          GET http://<recourse>:<port>/idmrest/v72alpha/entries/0
        • Creating a new entry in the IDM task
          POST
          http://<recourse>:<port>/idmrest/v72alpha/entries/5784/tasks/1321 *

          * Note you need to provide a CSRF token in the header and some necessary attributes in the payload. Numbers for tasks may be different based on the SAP IDM setting. You can find the required task numbers under: “Identity Store” -> <name of your Identity store> -> “Provisioning_framework” -> “Web Enabled Tasks” -> “Identity” …
          IDM REST 4.jpg
          IDM/REST picture 4

        • Assign new privilege to the new entry
          POST
          http://<recourse>:<port>/idmrest/v72alpha/entries/14156/tasks/38
          MXREF_MX_PRIVILEGE=12199

          Again, privilege ID may be different based on the SAP IDM settings. You can find IDs of privileges under: “Identity Store” -> <name of your Identity store> -> “Identity store Metadata” -> “Privileges”. After you complete setup of the user provisioning, you will find main privileges for your repositories under the names PRIV:<repository name>:ONLY. Double click on the privilege name and you’ll find the Privilege ID. Please bear in mind that assigning a corresponding privilege will trigger the user replication/provisioning. You can also create a task in the SAP IDM system which will assign all the necessary privileges to a user and then execute this task via REST API.

      • Activate the new implementation in the customizing node: “SAP NetWeaver Gateway Service Enablement” -> “Backend OData Channel” -> “User Self Service Setup” -> “Implement User Management”. In the node, deactivate the standard implementation and activate the new one.

    User provisioning setup (step 7).

    To allow the SAP IDM system to provision users (step 7), we need to set it up. Below is a detailed description of the SAP IDM setup.

    1. You need to create the new attributes in the Identity Store in your Identity Management system. Those additional attributes will be used for user verification during user self-registration. Examples of such attributes in a real environment are contract account, driver license, social insurance number, etc. Depending on which attributes are provided, Business Partners can be created in the backend (ERP/CRM) Utilities systems as well. We are implementing a test scenario in which a Utility customer has an existing account (Business Partner) and a corresponding Contract Account in the backend systems. That is why we created only two new attributes:
      1. New Attributes are created in the SAP IDM system as follows:
        • Start your Identity Center Console and go to your Identity Store schema:
        • Right-click on “attributes” and select “New” -> “Identity store attribute” in the context menu:
          IDM Integration 01.PNG
          IDM picture 1
        • Enter the attribute names MX_FS_CONTRACT_ACCOUNT and MX_FS_BUSINESS_PARTNER for your new attributes. Bear in mind that the prefix MX_FS_ is obligatory for proper mapping of those attributes to the RFC calls in the backend:
          IDM Integration 02.PNG
          IDM picture 2

        • Enter the “Entry type” MX_PERSON for which those attributes are valid. Repeat it for each attribute.
          IDM Integration 03.PNG
          IDM picture 3

    2. You need to be able to maintain those attributes for the identities in your Identity Store. Also, you have to be able to provide values of those attributes when you create your user via REST API.
      1. The following standard UI task needs to be adjusted and new attributes need to be added:
        IDM Integration 04.PNG
        IDM picture 4
        IDM Integration 05.PNG
        IDM picture 5
      2. You can move the attributes up and down to be shown on the standard IDM UI where you want them to appear.
    3. Create a new Repository in your SAP IDM system for each backend system where you want your users to be provisioned. We have created 3 repositories as we have three systems in our landscape: SAP Gateway, SAP CRM for Utilities, SAP IS-U.
      1. Go to Management->Repositories. In the context menu choose New->Repository
        IDM Integration 06.PNG
        IDM picture 6
      2. On the first screen of the Repository wizard, choose “Business Suite AS ABAP (Load Balanced Connector)”. It is quite important to choose the Business Suite connector; it automatically creates constants with the proper task names. Using tasks specific to Business Suite is important, as only in this case are the proper BAdIs triggered in the backend ABAP system.
        IDM Integration 07.PNG
        IDM picture 7
      3. On the next screen of the Repository wizard, enter the name of your repository. It is better to use a naming convention with the system name followed by the client number.
        IDM Integration 08.PNG
        IDM picture 8
      4. On the next screen of the Repository wizard, enter the data about your system, including the credentials to access it. The user should have all power user/administrator capabilities in the backend systems, as other users will be created using this user.
        IDM Integration 09.PNG
        IDM picture 9
      5. Then you just finish the process and your repository is created.
      6. When you double-click on the “Constants” of the repository you just created, you’ll see all of them. You can change those constants at any time. For example, sometimes you need to establish a connection to a specific Application Server instead of the Message Server and provide an Application Server system number. Also, you might need to change some constants for “hook” tasks, which are described further on in this integration manual.
        IDM Integration 10.PNG
        IDM 10 picture
    4. Before we do the next step in the IDM system (the initial load), we need to make some customizing settings in all the backend systems where users need to be provisioned.
      1. Log in to your backend SAP system. Using transaction SM30, add a new entry to the customizing table IDM_BADI_FILTER as follows:
        IDM Integration BAdI 02.PNG
        BADI picture 1
        IDM Integration BAdI 01.PNG
        BADI picture 2

    5. This step describes the implementation of the BAdI on the backend ABAP systems. This BAdI needs to be activated in all the backend systems: SAP Gateway, CRM and ERP (IS-U).
      1. Create a new class based on the interface: IF_BADI_EXTEND_IDENTITY.
      2. Create your Enhancement Implementation for the Enhancement Spot BADI_EXTEND_IDENTITY using SE19 transaction. Provide a class name and BAdI definition name BADI_EXTEND_IDENTITY.
      3. Implement the method IF_BADI_EXTEND_IDENTITY~PRE_MODIFY_CHECK_IDENTITY. Here we verify whether the user can be created in the backend system.
      4. Implement the method IF_BADI_EXTEND_IDENTITY~POST_MODIFY_IDENTITY. In this method we need to link the created user with the Business Partner. Please bear in mind that, because of replication, the user may already have been created in the CRM or IS-U system, and if a BP is created at the same time, you must not create the same BP in the second system. You should get this user’s linked BP from the other system and link this BP in the current system.
    6. The initial load step in the IDM system is a necessary step even though, sometimes, we do not need the actual backend users to be loaded into IDM*. This step creates all the main privileges and triggers for your repository. You have to repeat this step for each system for which you need to set up user provisioning.

      For our integration scenario I disabled the passes that save users and privileges from the backend system. The reason is the following: online users will create their accounts using user self-service. Also, for the MCF application, the corresponding user account in the backend ABAP systems will be created with the reference user. This reference user will hold all the authorization roles and profiles. That is why I disabled the pass for saving ABAP authorization privileges (roles and profiles) as well. Whether you need to load users and privileges into IDM really depends on your integration scenario.

      * Note: Sometimes you have a legacy system where your online users are stored. You need to create a repository for this system in IDM as well and make an initial load of all those users. (It might be, for example, your SAP NW Java AS with your users for the UCES solution.)

      1. To create a job for the initial load, go to the Job Folder. In the context menu choose “New” -> “Run job wizard”
        IDM Integration 11.PNG
        IDM picture 11
      2. After you click on the “Next” button, you will be forwarded to the screen to select a job. Use the following folder: “Identity Center” -> “Jobs” -> “SAP NetWeaver” -> “BusinessSuite AS ABAP–Initial Load”
        IDM Integration 12.PNG
        IDM picture 12
      3. Then select your repository and click on “Next”
        IDM Integration 13.PNG
        IDM picture 13
      4. Finally, click on the “Finish” button and your job for the initial load will be created (rename it so that it includes the repository name).
      5. The job has been created. You need to adjust this job depending on your integration scenario. It is possible to disable some passes using the context menu.
      6. After that you can just run this job. Job results will be shown in the “Job log”.
        IDM Integration 14.PNG
        IDM picture 14
    7. After a successful run of the job, you need to test whether current IDM users are replicated to the ABAP systems. If your initial run was successful, a special IDM privilege will have been created which allows you to provision your users into the ABAP repository:
      1. Start SAP NetWeaver Identity Management UI in your browser using url: https://you_system:port/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/Idm
      2. Login as administrator
      3. Find an existing user or create one, select this user and you will see the standard UI task appear: “Assign Privileges, Roles and Groups”.
        IDM Integration 15.PNG
        IDM picture 15
      4. You will be taken to the screen where you can assign special privileges
      5. In the “Available” area in the left part of the tab, choose to show privileges and find the privilege with the name “PRIV_yourrepositoryname_ONLY”,
        then click on the “Go” button
      6. Select this privilege and add it using the “Add” button
        IDM Integration 16.PNG
        IDM picture 16
      7. Then you can even check in the ABAP system using SU01 transaction if your user was created
      8. In the Job log of the Identity Center UI you can monitor the execution of the Job.
        IDM Integration 17.PNG
        IDM picture 17
      9. Then you can even check in the backend ABAP system using SU01 transaction if your user was created
        IDM Integration ABAP 01.PNG
        IDM/ABAP picture 1
    8. The next step is to make sure that the backend BAdI is triggered when a user is created from IDM. We need to verify this user in the backend, link it to the Business Partner and/or create a Business Partner when necessary

      1. The task that creates the user should pass a filter value. We did not find a standard way to pass a filter value, which is why we define our own task as a copy. To make a copy of the task, go to “Identity Store” -> “Provisioning Framework” -> “CONNECTORS” -> “ABAP BusinessSuite Connector” -> “Plugins” -> “1. Create BS User”. In the context menu of this node click “Copy”, then right-click on the Plugins folder and click “Paste”. The whole task with its subtasks will be copied. Rename it as you wish. Adjust the ta
        IDM Integration 19.PNG
        IDM picture 18

      2. Adjust the job related to this task. Expand this task and find the related job. Navigate to the configuration of the job “CreateABAPIdentity” and adjust the attributes on the “Destination” tab:

        • Filter to hardcoded ZUMC * (or the filter name you use; see section 4)
          IDM Integration 21.PNG
          IDM picture 19

        • Reference User to UMC_REF_USR (or other reference user you use for SAP MCF)

        • Address data as shown on picture:
          IDM Integration 22.PNG
          IDM picture 20

      3. For all your repositories, change the repository constant MX_HOOK1_TASK to your new copy of the task.
        IDM Integration 18.PNG
        IDM picture 21
        IDM Integration 20.PNG
        IDM picture 22


    After this step, the user provisioning setup is ready and you can test the whole scenario.

    3 Comments

    1. nsingh sihag

      Hi Olga Esipova,

      Very nice and impressive article. We have been involved in this area since UCES was not even mature enough. MCF is still new for lots of consultants. Last year we were struggling to find a proper way to integrate MCF with the SAP NW architecture; by using SAP IDM this job becomes simple. But we were not getting any help/documents on this area from anywhere. Is SAP planning any such application for B2B as well? As of now, do we have to go for full customization?

      Thanks for sharing your valuable knowledge.

      Regards,

      Narpal Singh

      (0) 
      1. Olga Esipova Post author

        Yes, we design MCF as a B2C application. Nevertheless, OData extensibility will allow you to implement different authorization rules for different consumers.

        For example, there is already an agent mode implemented, where an agent can search for Business Partners and have an overview of the selected BP. For the agent user, some checks are disabled compared to the regular user.

        With some implementation effort any B2B scenario can be achieved.

        Unfortunately, I do not know what B2B scenario you have in mind – it might work out of the box in MCF and might not.

        (0) 
        1. Suman Biswas

          Hello Olga,

          Could you let me know how we could activate this agent mode for MCF OData services? Is there a document/blog which explains the same?

           

          Many thanks in advance!

          Regards,

          Suman Biswas

          (0) 
