This post will explain how to install the SAP IDM connector for SAP BusinessObjects BI Platform. I’ll guide you through the installation step-by-step on SAP IDM 7.2 with SAP BusinessObjects BI Platform 4.2. Instructions for installing on SAP IDM 8.0 are available in this follow-up.

Introducing SAP BusinessObjects

SAP BusinessObjects BI Platform has numerous options for integrating external user stores, such as Active Directory, LDAP or SAP. In the past, using one of these options was the only way to integrate BI platform into SAP IDM. With AD, for example, IDM provisioned AD users and groups, and BI platform used those users and groups from AD.

However, BI platform also has so-called Enterprise users and groups directly in its own database. Managing Enterprise users and groups from SAP IDM, however, used to be a functional white space in the past. The new open source connector for SAP BusinessObjects closes this gap. It’s licensed under the Apache license, version 2.0, with full source code available on GitHub. The latest version is compatible with both SAP IDM 7.2 and SAP IDM 8.0.

Download and install SAP BI platform Java SDK

The connector is built upon SAP’s BI platform Java SDK, so you’ll need to get that from SAP support portal (S-User required). Browse downloads by category and navigate to:

ANALYTICS SOLUTIONS
    / SBOP BUSINESS INTELLIGENCE PLATFROM (SBOP ENTERPRISE)
        / SBOP BI PLATFORM (ENTERPRISE)
            / SBOP BI PLATFORM 4.2
                / SBOP BI PLATFORM 4.2 SP02 CLIENT TOOLS WINDOWS (32B)

Select the SDK version that matches your BI platform server release.

The client tools download is large (~2GB), with only a small fraction relevant for IDM. To keep the connector’s installation footprint as small as possible, I recommend not to install it on SAP IDM directly. If you can, install it on a separate Windows 7/8/10 machine or VM, which I’ll refer to as the “client tools machine”. During install, deselect everything except “SAP BusinessObjects BI platform Java SDK”:

/wp-content/uploads/2016/07/bobj_client_tools_select_features_998800.png

After installation is complete, create a new directory for the SDK JARs on the SAP IDM runtime. I’ll assume you’ll use C:\IDM_BOBJ_LIBS on the SAP IDM runtime.

Copy the below files from C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib on the client tools machine to C:\IDM_BOBJ_LIBS on the SAP IDM runtime machine:

 

    aspectjrt.jar
    bcm.jar
    ceaspect.jar
    cecore.jar
    celib.jar
    cesession.jar
    corbaidl.jar
    cryptojFIPS.jar
    ebus405.jar
    log4j.jar
    logging.jar
    TraceLog.jar

That’s it for the client tools machine. All remaining steps will be performed on the SAP IDM runtime.

Add SDK JARs to SAP IDM dispatcher classpath

To make the SDK JARs visible from SAP IDM, add them to the dispatcher’s Java classpath. In the Identity Center Designtime 7.2 (MMC), you can add classpath extension via Tools -> Options -> Java. Add all files listed above.

/wp-content/uploads/2016/07/bobj_classpath_extension_999229.png

/wp-content/uploads/2016/07/bobj_classpath_select_jars_999103.png

After saving your changes, regenerate dispatcher scripts and restart all dispatchers. If you need to do this without the help of MMC, edit property DSECLASSPATH in the dispatcher service property files.

Download and unpack SAP IDM connector

Downloaded the latest stable connector release from https://github.com/foxysoft/idm-connector-bobj/releases/latest.

Unzip idm-connector-bobj-<VERSION>.zip into a directory on the SAP IDM runtime. I’ll assume you’ll use C:\IDM_BOBJ_INSTALL

Import SAP IDM global scripts and provisioning tasks

Import the connector’s global scripts from SAP BOBJ 4.2 Global Scripts.mcc

/wp-content/uploads/2016/07/bobj_global_scripts_import_998858.png

/wp-content/uploads/2016/07/bobj_select_global_scripts_mcc_998885.png

Next, import the connector’s provisioning tasks from SAP BOBJ 4.2 Tasks.mcc into the SAP Master identity store (“Enterprise people”, by default).

This import will create a new provisioning group “SAP BOBJ 4.2 Connector” underneath the folder you’re importing into. Choose whatever parent folder fits your content structure best. I’ll assume you’ll use the top level “Provisioning folder”.

/wp-content/uploads/2016/07/bobj_import_into_sap_master_ids_998873.png

/wp-content/uploads/2016/07/bobj_select_tasks_mcc_998886.png

Under advanced import options, make sure to check “Map source dispatchers to target dispatchers” and “Run jobs” for at least one of your dispatchers.

/wp-content/uploads/2016/07/bobj_import_tasks_adv_options_998887.png

Import SAP IDM repository and initial load job

Create a new SAP IDM repository from template SAP BOBJ 4.2 Repository.rtt. Specify a repository name and connection details of the SAP BusinessObjects Central Management Server (CMS). I’ll use BOE as repository name and Administrator as login user. Using a suitable technical user would more advisable, but that’s a topic for a separate article.

/wp-content/uploads/2016/07/bobj_repository_name_998949.png

/wp-content/uploads/2016/07/bobj_repository_details_998950.png

If you have access to the BusinessObjects Central Management Console (CMC), you can look up the appropriate Host name of CMS and Name Server Port under  “Servers” => “<yourhostname>.CentralManagementServer”, and then “Properties” => “Common Settings”.

/wp-content/uploads/2016/07/bobj_cmc_cms_998926.png

/wp-content/uploads/2016/07/bobj_cms_props_common_settings_998948.png

You’re ready to import the BusinessObjects initial load job now. Choose a suitable job folder, then run the job wizard and use the SAP BOBJ 4.2 Initial Load.dst template:

/wp-content/uploads/2016/07/bobj_run_job_wizard_998975.png

/wp-content/uploads/2016/07/bobj_select_job_template_998976.png

When prompted for a repository, select BOE and finish. Verify that the job has really been created with the repository assigned; if not, add BOE again manually.

/wp-content/uploads/2016/07/bobj_select_job_repository_998977.png

/wp-content/uploads/2016/07/bobj_job_saved_998999.png

Execute initial load and finalize repository configuration

Verify that the initial load job is enabled and has a dispatcher assigned. If all is OK, start it using “Run Now”. This should take less than 5 minutes to complete for BusinessObjects systems with <1K users and groups.

The job will create one-to-one MX_GROUP and MX_PRIVILEGE pairs in SAP IDM for every BusinessObjects Enterprise group. Like with AD or portal integration, you can assign either of these to MX_PERSON or MX_ROLE. For more background on the group/privilege topic, I recommend Ivar Ness’ excellent article and the Group Concepts section of the SAP IDM System Landscape Configuration Guide.

Note that this initial load doesn’t create new MX_PERSONs in SAP IDM, but only adds account information to existing ones whose MSKEYVALUE equals a BusinessObjects Enterprise user’s login.

Verify BusinessObjects Enterprise groups have been loaded as expected in the IDM web UI:

/wp-content/uploads/2016/07/bobj_result_privs_999170.png

Finally, complete BOE’s repository configuration by entering PRIV:BOE:ONLY as master privilege:

/wp-content/uploads/2016/07/bobj_repository_master_priv_999172.png

That’s it. Happy provisioning!

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

  1. Hendrik Winkler

    Hey Lambert,

    this is simply awesome. I’m sure that a lot of people have been waiting for this.

    I want to try out the IDM 8 version of your connector. Is this one released yet and is there a guide for this one available as well?

     

    With kind regards,

    Hendrik

    (0) 
  2. Lambert Boskamp Post author

    Hello Hendrik,

    the next connector release 1.1.0 will support IDM 8.0. I hope it will be ready for release in February, still. I will post an updated installation guide for 8.0 in this forum once it’s released.

    Sorry for replying late, I had my email notifications turned off.

    Best regards,

    Lambert

     

    (0) 

Leave a Reply