This post will explain how to install the SAP IDM connector for SAP BusinessObjects BI Platform. I’ll guide you through the installation step-by-step on SAP IDM 7.2 with SAP BusinessObjects BI Platform 4.2. Instructions for installing on SAP IDM 8.0 are available in this follow-up.
- Introducing SAP BusinessObjects
- Download and install SAP BI platform Java SDK
- Add SDK JARs to SAP IDM dispatcher classpath
- Download and unpack SAP IDM connector
- Import SAP IDM global scripts and provisioning tasks
- Import SAP IDM repository and initial load job
- Execute initial load and finalize repository configuration
Introducing SAP BusinessObjects
SAP BusinessObjects BI Platform has numerous options for integrating external user stores, such as Active Directory, LDAP or SAP. In the past, using one of these options was the only way to integrate BI platform into SAP IDM. With AD, for example, IDM provisioned AD users and groups, and BI platform used those users and groups from AD.
However, BI platform also has so-called Enterprise users and groups stored directly in its own database. Managing these Enterprise users and groups from SAP IDM used to be a functional gap. The new open source connector for SAP BusinessObjects closes this gap. It’s licensed under the Apache license, version 2.0, with full source code available on GitHub. The latest version is compatible with both SAP IDM 7.2 and SAP IDM 8.0.
Download and install SAP BI platform Java SDK
The connector is built upon SAP’s BI platform Java SDK, so you’ll need to get that from SAP support portal (S-User required). Browse downloads by category and navigate to:
ANALYTICS SOLUTIONS / SBOP BUSINESS INTELLIGENCE PLATFORM (SBOP ENTERPRISE) / SBOP BI PLATFORM (ENTERPRISE) / SBOP BI PLATFORM 4.2 / SBOP BI PLATFORM 4.2 SP02 CLIENT TOOLS WINDOWS (32B)
Select the SDK version that matches your BI platform server release.
The client tools download is large (~2GB), with only a small fraction relevant for IDM. To keep the connector’s installation footprint as small as possible, I recommend not installing it on SAP IDM directly. If you can, install it on a separate Windows 7/8/10 machine or VM, which I’ll refer to as the “client tools machine”. During installation, deselect everything except “SAP BusinessObjects BI platform Java SDK”:
After installation is complete, create a new directory for the SDK JARs on the SAP IDM runtime. I’ll assume you’ll use C:\IDM_BOBJ_LIBS on the SAP IDM runtime.
Copy the below files from C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib on the client tools machine to C:\IDM_BOBJ_LIBS on the SAP IDM runtime machine:
- aspectjrt.jar
- bcm.jar
- ceaspect.jar
- cecore.jar
- celib.jar
- cesession.jar
- corbaidl.jar
- cryptojFIPS.jar
- ebus405.jar
- log4j.jar
- logging.jar
- TraceLog.jar
- jcmFIPS.jar (BIP 4.2 SP4 or higher)
That’s it for the client tools machine. All remaining steps will be performed on the SAP IDM runtime.
Add SDK JARs to SAP IDM dispatcher classpath
To make the SDK JARs visible from SAP IDM, add them to the dispatcher’s Java classpath. In the Identity Center Designtime 7.2 (MMC), you can add classpath extensions via Tools -> Options -> Java. Add all files listed above.
After saving your changes, regenerate dispatcher scripts and restart all dispatchers. If you need to do this without the help of MMC, edit property DSECLASSPATH in the dispatcher service property files.
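Everything on the dispatcher classpath runs inside the dispatcher's JVM, so it is worth confirming that the copy is complete and unmodified before restarting. The following PowerShell script is an added example, not part of the connector or the original post: run it with -Export on the client tools machine (pointing -LibDir at the SDK's java\lib directory), then with -Manifest on the SAP IDM runtime. The parameter names and the manifest CSV are hypothetical, and the ';' separator for the classpath entries is an assumption based on standard Java behaviour on Windows.

```powershell
# Added example (not part of the connector): check the SDK JAR copy and
# print the classpath entries for the dispatcher.
# Hypothetical names: the script parameters and the manifest CSV (Name,Hash).
param(
    [string]$LibDir = 'C:\IDM_BOBJ_LIBS',   # directory used in this post
    [string]$Manifest,                      # CSV written earlier with -Export
    [switch]$Export,                        # write hashes to $Manifest instead of comparing
    [switch]$Sp4OrHigher                    # BIP 4.2 SP4+: jcmFIPS.jar is also required
)

$required = @('aspectjrt.jar', 'bcm.jar', 'ceaspect.jar', 'cecore.jar',
              'celib.jar', 'cesession.jar', 'corbaidl.jar', 'cryptojFIPS.jar',
              'ebus405.jar', 'log4j.jar', 'logging.jar', 'TraceLog.jar')
if ($Sp4OrHigher) { $required += 'jcmFIPS.jar' }

# Compare the directory listing with the list from the post (case-insensitive).
$present = @(Get-ChildItem -Path $LibDir -Filter '*.jar' -File |
             Select-Object -ExpandProperty Name)
$missing = @($required | Where-Object { $_ -notin $present })
$extra   = @($present  | Where-Object { $_ -notin $required })
if ($missing) { Write-Warning "Missing JARs: $($missing -join ', ')" }
if ($extra -and -not $Export) {
    Write-Warning "Unexpected JARs in ${LibDir}: $($extra -join ', ')"
}

# SHA-256 of every required JAR that is present.
$hashes = @($required | Where-Object { $_ -in $present } | ForEach-Object {
    $h = Get-FileHash -Path (Join-Path $LibDir $_) -Algorithm SHA256
    [pscustomobject]@{ Name = $_; Hash = $h.Hash }
})

$mismatch = @()
if ($Export) {
    $hashes | Export-Csv -Path $Manifest -NoTypeInformation
} elseif ($Manifest) {
    $expected = @{}
    Import-Csv -Path $Manifest | ForEach-Object { $expected[$_.Name] = $_.Hash }
    $mismatch = @($hashes | Where-Object { $expected[$_.Name] -ne $_.Hash })
    if ($mismatch) { Write-Warning "Hash mismatch: $($mismatch.Name -join ', ')" }
}

if (-not $Export -and -not $missing -and -not $mismatch) {
    # Entries to add under Tools -> Options -> Java. Joined with ';' on the
    # assumption that DSECLASSPATH uses the normal Windows Java separator.
    ($required | ForEach-Object { Join-Path $LibDir $_ }) -join ';'
}
```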
Download and unpack SAP IDM connector
Download the latest stable connector release from https://github.com/foxysoft/idm-connector-bobj/releases/latest.
Unzip idm-connector-bobj-<VERSION>.zip into a directory on the SAP IDM runtime. I’ll assume you’ll use C:\IDM_BOBJ_INSTALL.
Import SAP IDM global scripts and provisioning tasks
Import the connector’s global scripts from SAP BOBJ 4.2 Global Scripts.mcc.
Next, import the connector’s provisioning tasks from SAP BOBJ 4.2 Tasks.mcc into the SAP Master identity store (“Enterprise people”, by default).
This import will create a new provisioning group “SAP BOBJ 4.2 Connector” underneath the folder you’re importing into. Choose whatever parent folder fits your content structure best. I’ll assume you’ll use the top level “Provisioning folder”.
Under advanced import options, make sure to check “Map source dispatchers to target dispatchers” and “Run jobs” for at least one of your dispatchers.
Import SAP IDM repository and initial load job
Create a new SAP IDM repository from template SAP BOBJ 4.2 Repository.rtt. Specify a repository name and connection details of the SAP BusinessObjects Central Management Server (CMS). I’ll use BOE as repository name and Administrator as login user. Using a suitable technical user would be more advisable, but that’s a topic for a separate article.
If you have access to the BusinessObjects Central Management Console (CMC), you can look up the appropriate Host name of CMS and Name Server Port under “Servers” => “<yourhostname>.CentralManagementServer”, and then “Properties” => “Common Settings”.
You’re ready to import the BusinessObjects initial load job now. Choose a suitable job folder, then run the job wizard and use the SAP BOBJ 4.2 Initial Load.dst template:
When prompted for a repository, select BOE and finish. Verify that the job has really been created with the repository assigned; if not, add BOE again manually.
Execute initial load and finalize repository configuration
Verify that the initial load job is enabled and has a dispatcher assigned. If all is OK, start it using “Run Now”. This should take less than 5 minutes to complete for BusinessObjects systems with <1K users and groups.
The job will create one-to-one MX_GROUP and MX_PRIVILEGE pairs in SAP IDM for every BusinessObjects Enterprise group. Like with AD or portal integration, you can assign either of these to MX_PERSON or MX_ROLE. For more background on the group/privilege topic, I recommend Ivar Ness’ excellent article and the Group Concepts section of the SAP IDM System Landscape Configuration Guide.
Note that this initial load doesn’t create new MX_PERSONs in SAP IDM, but only adds account information to existing ones whose MSKEYVALUE equals a BusinessObjects Enterprise user’s login.
Verify BusinessObjects Enterprise groups have been loaded as expected in the IDM web UI:
Finally, complete BOE’s repository configuration by entering PRIV:BOE:ONLY as master privilege:
That’s it. Happy provisioning!