Installing the SAP BusinessObjects Connector on SAP IDM 8.0
Release 1.1.0 of the SAP IDM connector for SAP BusinessObjects BI Platform is now available for SAP IDM 8.0 and 7.2. Following up on my earlier post from SAP IDM 7.2, I’ll explain the installation step-by-step for SAP IDM 8.0.
Download and install SAP BI platform Java SDK
The prerequisites for installing the connector on SAP IDM 8.0 are exactly the same as for SAP IDM 7.2. Hence, it requires the following JAR files from SAP’s BI platform Java SDK:
aspectjrt.jar, bcm.jar, ceaspect.jar, cecore.jar, celib.jar, cesession.jar, corbaidl.jar, cryptojFIPS.jar, ebus405.jar, log4j.jar, logging.jar, TraceLog.jar, jcmFIPS.jar (BIP 4.2 SP4 or higher)
Copy these into a directory on the SAP IDM runtime. As usual, I’ll assume you’ll use C:\IDM_BOBJ_LIBS on the SAP IDM runtime. For details regarding where to obtain the SDK and how to extract the required JAR files, please refer to the section “Download and install SAP BI platform Java SDK” of the 7.2 version.
Add SDK JARs to SAP IDM dispatcher classpath
To make the SDK JARs visible from SAP IDM, add them to the dispatcher’s Java class path. On the SAP IDM runtime, start the Identity Management Dispatcher Utility in GUI mode using the command dispatcherutil gui.
Open the Dispatcher Utility’s settings dialog using Tools -> Settings. Add all SDK JAR files listed above to the setting DSE Class Path. The topic “Defining the Settings for the Identity Management Dispatcher Utility” in the SAP Help Center has all the details.
After saving your changes, regenerate the service scripts for all dispatchers and restart them.
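A pre-flight check for the class path step, as an added example that is not part of the original article or the connector project: it confirms that every JAR listed above is present in C:\IDM_BOBJ_LIBS and prints a SHA-256 per file, so the set loaded into the dispatcher can be compared across hosts or against a later state. The script and its parameter names are assumptions; only the JAR names and the directory come from the article.

```powershell
param(
    # Directory holding the SDK JARs (the path assumed in this article)
    [string]$LibDir = 'C:\IDM_BOBJ_LIBS',
    # jcmFIPS.jar is only listed for BIP 4.2 SP4 or higher
    [bool]$Bip42Sp4OrHigher = $true
)

# JAR names exactly as listed in this article
$required = @(
    'aspectjrt.jar', 'bcm.jar', 'ceaspect.jar', 'cecore.jar', 'celib.jar',
    'cesession.jar', 'corbaidl.jar', 'cryptojFIPS.jar', 'ebus405.jar',
    'log4j.jar', 'logging.jar', 'TraceLog.jar'
)
if ($Bip42Sp4OrHigher) { $required += 'jcmFIPS.jar' }

# Build one record per expected JAR: presence, size and SHA-256
$report = foreach ($name in $required) {
    $path = Join-Path -Path $LibDir -ChildPath $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $file = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Jar     = $name
            Present = $true
            Bytes   = $file.Length
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Path    = $file.FullName
        }
    } else {
        [pscustomobject]@{ Jar = $name; Present = $false; Bytes = 0; SHA256 = ''; Path = $path }
    }
}

$report | Format-Table Jar, Present, Bytes, SHA256 -AutoSize

# Stop before touching the dispatcher settings if anything is missing
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Error ("Missing SDK JARs in {0}: {1}" -f $LibDir, ($missing.Jar -join ', '))
    exit 1
}

# Full paths, one per line, to add to the DSE Class Path setting
$report.Path
```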
Download connector and import IDM package
Use SAP Identity Management Developer Studio to connect to the IDM database. As the SAP BusinessObjects connector depends on package com.sap.idm.provisioning.engine that comes with SAP IDM 8.0, you’ll need to import that first if you haven’t already done so.
Download the latest stable connector release from https://github.com/foxysoft/idm-connector-bobj/releases/latest to the machine where SAP IDM Developer Studio is installed, and unzip idm-connector-bobj-<VERSION>.zip. It contains an IDM package file de.foxysoft.bobj.idmpck. Use SAP IDM Developer Studio to import that into your main Identity Store.
When prompted for an import reason, make sure you keep the default option “Import” selected. Don’t use “Import as new package”. Confirm the import using “OK”.
Create a SAP IDM repository
Open the SAP Identity Management administration UI at http://<host>:<port>/idm/admin in a web browser and create a new repository of type SapBusinessObjects42. This repository type is part of the SAP BusinessObjects connector package.
After the repository has been created, change repository constants HOST, LOGIN, PASSWORD and PORT as appropriate for your environment. Please refer to the section “Import SAP IDM repository and initial load job” in the 7.2 version for additional information on how to find out the CMS host name and name server port.
Execute initial load and finalize repository configuration
Select the “Jobs” tab of the repository details view. A new job SAP BOBJ 4.2 – Initial Load has been created and assigned to the repository automatically. Execute this job now to load SAP BusinessObjects groups into SAP IDM.
This job should take only a few minutes to execute. Use “Refresh” to verify that the job has finished successfully, then open the SAP Identity Management UI at http://<host>:<port>/idm to verify that privileges from SAP BusinessObjects have been loaded.
As a final step, you may go back to the SAP Identity Management administration UI and update repository constant MX_REQ_PRIV with the master privilege just created by the initial load. In this example, that’s PRIV:BOE:ONLY.
If you have a suitable No Master Process to assign missing master privileges automatically, assign that to repository constant MX_REQ_PRIV_NOMASTER_TASK. In my screenshot below, this process reference is not set (-1 means “None”).
That’s it. You’re ready to manage all your SAP BusinessObjects Enterprise users and groups from SAP IDM 8.0 now. If you’re interested in learning more about this connector, visit its GitHub project, which also contains a small Wiki with additional resources.
Great stuff, Lambert! It will be great to tell customers that this functionality exists! Looking forward to doing this one day!
Dear Mr. Boskamp.
I would like to confirm whether this connector for Business Object 4.2 is available for the Sybase database.
In our environment we used the SAP IdM 8.0 SP 04 on Adaptive Server Enterprise 16.0 SP02 PL04 on Red Hat Enterprise Linux Server release 6.9 (Santiago).
Best regards,
João Paulo.
As documented in the connector's wiki, Sybase is currently not supported, unfortunately.
If you have a skilled developer in your team, they may be able to fill in the missing pieces with some custom development, though. As far as I remember, it's a matter of rewriting two SQL queries in the connector's initial load job. Making it work on Sybase should require no more than one or two days of development effort.
Thank you Mr. Boskamp for your reply.
I understood. We will be working to make it run on the Sybase database.
If you want, after this adjustment we can share the updated coding.
Great idea. If you can share your results after successful implementation, I'll update the source code of the open source version accordingly. Good luck!
We are also on a Sybase database and also integrating with a BOBJ system. But the connection did not go well.
Did you guys connect successfully with BOBJ? If so, please share the solution.
Thanks,
Nagesh
Hi Nageswara Muthavarapu.
We decided to change our database, not because the connection between SAP IdM to BOBJ system was not working on Sybase.
We had many problems running SAP IdM 8.0 SP 05 on Sybase. So to solve that, we opened one incident ticket (OSS) to request the best practices when running SAP IdM 8.0 on Sybase, but they didn't reply appropriately.
Now, we are doing the installation of our systems (DEV, QAS and PRD) to run on SQL Server 2016.
Good luck.
João Paulo.
How do we get the log/Tracelog for an activity like create or change to the backend, irrespective of the connector type in IDM?
Thanks and Regards,
Giridhara Tadikonda
As this is not specific to the BOBJ connector, you might get better answers by asking the same in the general SAP Identity Management Q&A forum.
General information about which tasks have been executed by whom and when can be retrieved using the database view mcv_executionlog_list.
Hi Lambert,
Great and useful blog.
We are using the connector and I was wondering if there are any plans to include the removal of a specific user alias.
The BI Support Tools (Enterprise Alias Manager) can remove or add Enterprise aliases only. This functionality would be a great extension to the existing SAP IDM connector for SAP BusinessObjects BI Platform.
Keep up the good work!
Thanks very much.
Best Regards,
Ridouan Taibi
Ridouan,
great feedback, thank you. The connector will likely not see any new feature development over the next couple of months at least, because the projects I'm involved in right now have a different focus.
However, you may look into two options:
Hope that helps,
Lambert
Hi Lambert,
Thanks for your feedback.
Good luck with your project.
Regards,
Ridouan
Hi Lambert,
Thanks for the document. It is really helpful as we are currently trying to connect BI platform to our IdM 8.0 system. However, it looks like I missed something because when I run the initial load, I get the following error:
Is this related to the class path settings? Or something else?
Regards,
Francis
Yes, this is a classpath issue. Depending on your BI support package level, you might need additional JAR files on your classpath.
Please check SAP Note 2451365 - Exception - BCM Intialization Failure connecting to Business Intelligence platform BI 4.2 Sp4+ and add the list of additional JARs mentioned there to the dispatcher classpath.
Please let me know if that resolves the problem. I'll add a corresponding Wiki article to the GitHub repository and update the JAR file list in this blog post in case it works.
Hi Lambert,
Thanks! That did the trick and I was able to run the initial load. However, I get a new error below :
I tried to look at the script and if I understand correctly, it is filling out the FX_BOBJ_MODIFY_TRIGGERS so I did that manually
And tried to assign the PRIV:XXX:ONLY and the user was successfully created in BusinessObjects. However, when I try to assign a group by either assigning group GROUP:XXX:Administrators or directly assigning privilege PRIV:GROUP:XXX:Administrators, no groups are assigned in BusinessObjects.
Maybe I missed something?
Best Regards,
Francis
There is one dollar sign too few in your version of the pass “Set modify triggers from package constant” in the initial load job. The correct code (as found in GitHub) on the source tab should look like this:
In your version, the $ right before FUNCTION.fx_IDSID()$$ – near the bottom of the query – seems to be missing. Can you please check?
If that’s the case, correct the SQL query as shown above, then run the job again. After that, the modify triggers of the privs and groups loaded by the job will be correct. Hence, provisioning of group assignments should work as expected afterwards.
Now it works perfectly! Thanks Lambert!
Hi Lambert,
thank you for this nice document!
One question: We are using Active Directory Alias in our BO-System for Single Sign On. Is there a possibility to set this alias from the IDM to the BO-System? In my tests this is not working. Is there a setting I have to adjust before?
Kind Regards,
Felix
The SAP IDM BusinessObjects connector does not support managing third party aliases (including Active Directory) out of the box, unfortunately. I've heard several people mentioning that they use the so-called "BI Support Tool" for this task instead. SAP Note 2667858 talks in detail about this.
Assuming that the SDK can manage third party aliases, it might also be an option to add custom code to the connector that provides this capability. I have no clue about the effort, though. If you decide to evaluate this option, I recommend to implement a stand-alone Java prototype for managing the AD aliases first. Once that works, you can port it to JavaScript and add that to the connector.
Thanks for your answer!
If I understand it correctly, is provisioning the AD alias already stored in the IDM to the BO more than just an attribute assignment? Would program logic be needed for this?
Yes, additional program logic / JavaScript code would be needed.
Hi Lambert,
Thank you for the great document. I have followed the document to test IdM connection and found out one more BO library file is required. Please kindly update the blog. 🙂
Thanks,
Chenyang
Done. Thanks for your feedback.
Hi Lambert,
This is an excellent resource for connecting the BOBJ to idm, thank you for the blog and the connector.
I have a question from the security perspective: how can we achieve the secure connection, either by the SAML token or by the exchange of the certs or by any other means?
Regards
Ravi
The BI Java SDK has support for encrypting and authenticating network communication using SSL/TLS. One good resource including links into more detailed documentation is SAP Note 2634052.
Since the connector internally uses the BI Java SDK, it's reasonable to assume that SSL could be enabled for the connector as well. I never used SSL in a customer project, though. Hence I can't confirm whether SSL really works for the connector or not. Give it a try.
Dear Lambert,
Thank you for the great document.
I want to create a report that shows the list of SAP Business Object Reports the BO users have access to. Is it possible with SAP Identity Manager? (Which users can access which reports?)
Kind Regards;
Ismail Arslan
SAP IDM only stores BOBJ users, BOBJ groups and the links between the two. That's all we have.
More detailed authorization information, like which group or user has access to which Business Object Report, is only available in the BI platform itself. A report like the one you have in mind would hence need to be created from the BI platform's data directly.