Connecting Non SAP Applications to SAP IDM (Database oriented)
Lily Sloane: I envy you… the world you’re going to.
Captain Jean-Luc Picard: I envy YOU… taking these first steps into a new frontier.
–Star Trek: First Contact
Previous entries here in the SCN IDM Space have discussed connecting various applications to SAP IDM: Active Directory (and other LDAP-related systems), SAP systems, flat files, even database tables. But what we have not really discussed is how to connect a database-related system to SAP IDM. As with all things IDM, there are a number of ways to do this using IDM and VDS, and I am going to discuss how to do this over the next couple of blog postings.
In this first entry, I will discuss how to set up the Repository and Initial load for the system, which I am simply calling NonSAPApp. It is based on a simple database structure that was submitted in a Forum thread.
So the first challenge was creating the Repository. To do this, I simply used the New Repository Wizard to create a Database Repository.
Didn’t need to do too much here, just name the repository, choose the driver and then add the JDBC and OLE DB connection strings. If you’ve installed IDM before or created a new Identity Store, this should not prove to be too much of an issue. When you’re all done, you’ll get something like this:
Now we can go ahead and create an Initial Load job. To do this, first I went through the job wizard to create a job to use as a template.
Make sure when you are running through the wizard that you select the correct repository. Don’t worry though, it can all be modified later 🙂 After you’ve run through the wizard, expand the node and remove the unnecessary passes so the job looks like this:
Now let’s talk about some of the changes that were made to these passes so it will work for NONSAPAPP.
- In the root node of the job, double check that it’s enabled and has a dispatcher assigned (and running!). This is also your chance to make sure that the correct repository is selected.
- In the Create System Privilege Pass, change the description to something that describes the application. If need be this can be done manually later.
- In ReadNonSAPAppUsers, make sure that you are re-configuring the source tab to read from your Users table. It will look something like this:
You’ll then be able to do an Insert Data Source Template.
- For ReadNonSAPAppRoles, do the same thing, except that you will need to pull from your Roles table.
- In the WriteUsers pass, map the fields accordingly. Blank out any fields that don’t apply or won’t be populated either by disabling the attribute via the # prefix or by clearing the attribute value.
- In the WriteRolePrivilege pass, the value %uniquename% is used in the MSKEYVALUE and DISPLAYNAME attributes. If you are not using this value, replace it with a relevant unique value in your database, as I have done here:
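The last step depends on the replacement for %uniquename% really being unique in the source tables. The following is an added example, not part of the original post or of SAP IDM: a pre-load check, run here against an in-memory SQLite stand-in, that reports missing keys and keys that differ only by case or surrounding whitespace. The table and column names (Users.UserName, Roles.RoleName) and the sample rows are assumptions, since the post does not show the NonSAPApp schema.

```python
import sqlite3

# Hypothetical source tables and key columns; the post does not show the real
# NonSAPApp schema. Identifiers cannot be bound as SQL parameters, so only
# names on this allow-list are ever interpolated into a statement.
KEY_COLUMNS = {"Users": "UserName", "Roles": "RoleName"}

# Constructed sample data, including the defects the check should report.
SAMPLE = """
CREATE TABLE Users (UserName TEXT, FirstName TEXT, LastName TEXT);
CREATE TABLE Roles (RoleName TEXT, Description TEXT);
INSERT INTO Users VALUES ('lskywalker', 'Luke', 'Skywalker');
INSERT INTO Users VALUES ('LSkywalker ', 'Luke', 'Skywalker');
INSERT INTO Users VALUES (NULL, 'Han', 'Solo');
INSERT INTO Roles VALUES ('Pilot', 'Flies ships');
INSERT INTO Roles VALUES ('Admin', 'Full access');
"""

def key_problems(conn, table):
    # Returns (missing, collisions): the count of NULL/blank keys, and a map of
    # normalised key -> raw values that differ only by case or whitespace.
    if table not in KEY_COLUMNS:
        raise ValueError(f"table not on allow-list: {table!r}")
    col = KEY_COLUMNS[table]
    missing = conn.execute(
        f"SELECT COUNT(*) FROM {table} WHERE {col} IS NULL OR TRIM({col}) = ''"
    ).fetchone()[0]
    rows = conn.execute(
        f"SELECT UPPER(TRIM({col})), {col} FROM {table} "
        f"WHERE {col} IS NOT NULL AND TRIM({col}) <> ''"
    ).fetchall()
    groups = {}
    for norm, raw in rows:
        groups.setdefault(norm, []).append(raw)
    return missing, {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print({t: key_problems(db, t) for t in KEY_COLUMNS})
```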
That’s it, run the job, fix your errors and then check the database to make sure that the roles and users have been created. In this case, my sample data had one user, Luke Skywalker (guess what I was watching?) and some roles that you can see from the following queries.
First a query that shows the user has been created:
Next a query that shows the roles have been created and any users assigned to roles.
So there you have it. You’ll notice I did not handle role assignments here, but I think we all get the general idea of how to do this. In the next week or so, I will wrap this up by extending the provisioning framework to cover adding a user via the IDM UI to the system.
_________
Added 19November2015
Thinking back to my TechEd Sessions with Plamen Pavlov and Kristian Lehment, you might want to try importing the attached file to a Version 8 environment (or to a version 7 environment for that matter). Just remember to drop the “.xml” from the filename. Note that there are absolutely no warranties or guarantees included with this configuration and neither I nor SAP can be held responsible for anything that happens as a result of using this import. – MP
If you’d like to know how to connect the application to the Provisioning Framework, take a look at the follow up to this blog: Connecting Non SAP Applications to the SAP IDM Provisioning Framework
Nice Blog Matt... (Y)
Dear Matt,
It looks great!!
but .. I can not find those wizards in my system. 😕 (see attached)
Did I miss something during the installation steps?
Dongsu, they are available from within the MMC console. I would recommend going through the tutorials.
Dear Matt,
Would you recommend MMC tutorials, please?
As I do understand, there must be snap-ins available to be added to MMC.
But in the whole system there are no snap-ins for IDM.
The only one from SAP AG is SAP system manager, as attached.
Are there any additional steps to make those wizards as snap-ins?
Hi Dongsu,
Try looking here, SAP Identity Management 7.2 Documentation, in the General Documents section. Going through these documents should give you a good basic idea of how to work with IDM. I'm also a big fan of Training.
Matt
Matt,
Currently I am on IDM 8.0.
There is no mention of a job wizard in any of the IDM 8.0 install and configuration docs.
Does IDM 8.0 also have a job wizard?
Help me some more, please.
dongsu
Dongsu,
Don't have an 8.0 instance running at the moment. Have you looked at the SAP Identity Management 8.0 Documentation page? I have not reviewed it so I don't know how up to date it is. Otherwise is there someone else out there that can answer Dongsu's question?
Matt
Hi Dongsu,
In 8.0 you can select from the job's context menu - the mouse right-click menu gives you the option to create a Job, Repository Job or a Job Folder. If you choose Repository Job you are "wizard-like" prompted to select a repository and then you can edit the Passes, Scripts and Constants in a new panel. If you choose normal Job then you are directly given the panel where you can modify Passes, Scripts, Constants and Variables.
So it is not exactly a step-by-step wizard or job templates, but it is quite simple and straightforward.
Best Wishes,
Fedya
Fedya,
It may be simple and straightforward to an experienced NW IDM technician.
But I am new to SAP NW IDM and it is not easy to catch up.
After I look in adap connector and this NonSAPApp connector by Matt, I can guess for a few of them what they do (not knowing how to make them).
- ReadNonSAPAppRoles
- ReadNonSAPAppUsers
- ReadNonSAPAppAssignments
But for others, it is hard even to know what they do.
Can you tell me which documents explain this, the meaning and how to make them?
Before posting this question, I tried to find them in the IDM 8.0 documents, but could not find them.
Please understand that I am new to NWIDM.
Regards,
dongsu
Hi Dongsu,
I'd recommend to see this video: SAP Identity Management 8.0 Video – Basic Synchronization by my colleague Valentina. It shows step-by-step creating repository types, repositories, jobs and passes.
Best wishes,
Fedya
Fedya,
The link looks misleading.
Verify the link again, please.
dongsu
Check now
Hi Dongsu,
You can check the same video at youtube also.
SAP Identity Management 8.0 – Basic Synchronization - YouTube
Regards,
C Kumar
Hi Dongsu,
Check the blog How To Start Writing A Simple IDM 8.0 Connector by Fedya.
I hope it will help you to connect your SAP IDM 8.0 to your non-SAP system. As your non-SAP system is a database, please choose Repository Type as Database instead of Virtual Directory Server (as discussed in the blog) while creating the repository type in the SAP IDM developer studio plugins.
Regards,
C Kumar
Dongsu,
I will also attach my job to the blog post later today. (By our posting schedules, I'm guessing you are not in North America.) If you need it sooner, let me know (I need to get over to a different computer from where I am now 🙂 )
Dear Matt,
Did you find any equivalent tool with job wizard in IDM 7.2?
or
Do you have a plan to do this same configuration in the IDM 8.x version?
.........
I imported your NONSAP mcc file, which you attached, and I looked in the repository types, repository constants with category, jobs and passes.
There are 15 passes in the Initial_Load job for the NONSAP repository,
and each pass has quite complex mapping in the destination tab.
Fedya says this is straightforward but I don't think it is.....
best regards,
dongsu
Hi Dongsu,
I probably will, but not any time soon unfortunately.
Sorry.
Matt
Matt,
You gave me valuable information.
Thank you so much!! 🙂
I will find more and post new question.
dongsu
Have you imported the IDM 8 framework?
Do you mean these?
Very useful and right to the point. Shows that connecting non-SAP apps is easy.
Thank you, Fedya. Now I have to write the other half 🙂
Hi Matt,
Lovely sharing.. thank you.
In this scenario, the users/roles being created in IDM .. right??
NonSAPapp as a user data source.
May be dumb Q.
ThanQ.
Hi Rika,
Yes, in this case we are reading from the NONSAPAPP, via IDM to create the identities. The next installment will show how to create users directly from IDM.
Matt