This post illustrates how to create a service user for use with the SAP IDM connector for SAP BusinessObjects BI Platform. To follow these instructions, you'll need access to the BusinessObjects Central Management Console (CMC) with an administrative account, such as the built-in "Administrator" user.
Log on to CMC at http://<host>:<port>;/BOE/CMC and open the "Users and Groups" view. Use the "Create a user" button to create a new user account. I'll use Z_IDM_USER as login ID.
In the "New User" dialog, the following settings are important:
It might be tempting to use concurrent user instead of named user, but keep in mind that when the maximum number of concurrent users is reached at peak load times, SAP IDM might not be able to connect to SAP BusinessObjects anymore. Use a concurrent user only if the number of concurrent user licenses available will not be exhausted in practice.
Use "Create & Close" to return back to "Users and Groups".
Access levels in SAP BusinessObjects are collections of so-called rights (more on that later). You use access levels in access control list (ACL) entries to specify exactly how a principal (user or group) can access the resource proctected by the ACL. Examples for built-in access levels are "View" and "Full Control".
We'll create a custom access level to ensure our service user has the minimal set of privileges required by SAP IDM. In CMC, navigate to "Access Levels", then use "Create an access level". Enter at least a title (ID) in the dialog "Create New Access Level". I'll use Z_IDM_GRANT. After the access level has been created, use its context menu to navigate to "Included Rights".
A dialog with the list of included rights will be shown, which is initially empty. Use the button "Add or Remove Rights".
SAP IDM requires rights from two rights collections: "System -> User" and "System -> User Group". The next section has the complete list of rights required for reference.
Included Rights from System -> User
Included Rights from System -> User Group
Here's how the list of included rights of your custom access level should finally look like in CMC:
Adding rights to an access level looks complex at first, so here's an example of the two checkboxes/radio buttons (highlighted in red) you need to use to add the rights "Add or edit user attributes" and "Add objects to the folder", respectively.
For "Add or edit user attributes", just tick the "Grant" radio button. For "Add objects to the folder", just check "Override General Global". The "Apply to" option will be set automatically to "Object and Subobjects", which is what we need.
Return back to "Users and Groups" in CMC to create two new access control list entries: one to allow the service user access to the special folder "Users", and one to allow access to the special folder "Groups". The procedure to create these two ACL entries is almost identical, so I'll start with the "Users" folder and illustrate that in much detail, but keep things shorter for "Groups" in order to avoid repetition.
Use Manage -> Top-Level Security -> All Users from the menu bar. Confirm the information message that will be shown, and proceed to the dialog "User Security: Users".
Use "Add Principals" to create a new ACL entry. In the "User Security" step, you'll specify who will have access and select our service user.
From the list of "Available Users or Groups" on the left, select the user Z_IDM_USER you created previously, and then "Add to selection" button to add it to "Selected Users or Groups" on the right. Proceed to the next step using "Add and Assign Security".
In the following "Assign Security" dialog, you'll specify how the service user will be able to access this folder. For this purpose, you'll select the custom access level created previously.
I recommend breaking rights inheritance by unchecking both "Inherit From Parent Folder" and "Inherit From Parent Group". Rights inheritance means additional complexity that is not needed for our purposes, and it can make troubleshooting more difficult.
Then, select the custom access level Z_IDM_GRANT from the list of "Available Access Levels" on the left and use "Add to Selection" to add it to the list of "Assigned Access Levels" on the right.
Save your changes using "OK".
The resulting ACL of the "Users" folder should have a new entry for principal "Z_IDM_USER" and access level "Z_IDM_GRANT" as shown below.
What we have done so far will allow the service user to access BusinessObjects users only, as we have created an ACL entry for the "Users" folder which stores all user objects. What remains to do is to create a second ACL entry that will allow the service user to access BusinessObjects user groups as well. Hence, this second ACL entry must be created in the ACL of the "Groups" folder that stores all user group objects.
In the "Users and Groups" view of CMC, use "Manage -> Top-Level Security -> All Groups" from the menu:
Confirm the information dialog that will pop up, and then repeat exactly the same steps as for the "Users" folder. The end result should look like this:
That's it. The service user is now ready to be used by the SAP IDM connector for SAP BusinessObjects BI Platform.
Want to learn more about this connector? Have a look at the connector's GitHub project, which also contains a small Wiki with additional resources.
Create the Service User
Log on to CMC at http://<host>:<port>;/BOE/CMC and open the "Users and Groups" view. Use the "Create a user" button to create a new user account. I'll use Z_IDM_USER as login ID.
In the "New User" dialog, the following settings are important:
- Authentication Type: Enterprise
- Account Name: your choice
- Password: your (secure) choice
- Password never expires: true
- User must change password at next logon: false
- User cannot change password: true
- Connection Type: Named User
It might be tempting to use concurrent user instead of named user, but keep in mind that when the maximum number of concurrent users is reached at peak load times, SAP IDM might not be able to connect to SAP BusinessObjects anymore. Use a concurrent user only if the number of concurrent user licenses available will not be exhausted in practice.
Use "Create & Close" to return back to "Users and Groups".
Create an Access Level
Including Rights
Access levels in SAP BusinessObjects are collections of so-called rights (more on that later). You use access levels in access control list (ACL) entries to specify exactly how a principal (user or group) can access the resource proctected by the ACL. Examples for built-in access levels are "View" and "Full Control".
We'll create a custom access level to ensure our service user has the minimal set of privileges required by SAP IDM. In CMC, navigate to "Access Levels", then use "Create an access level". Enter at least a title (ID) in the dialog "Create New Access Level". I'll use Z_IDM_GRANT. After the access level has been created, use its context menu to navigate to "Included Rights".
A dialog with the list of included rights will be shown, which is initially empty. Use the button "Add or Remove Rights".
SAP IDM requires rights from two rights collections: "System -> User" and "System -> User Group". The next section has the complete list of rights required for reference.
Reference: List of Rights Required by the Connector
Included Rights from System -> User
- Add or edit user attributes
- Add objects to the folder
- Change user password
- Delete objects
- Edit objects
- Modify the rights users have to objects
- View objects
Included Rights from System -> User Group
- Edit objects
- View objects
Here's how the list of included rights of your custom access level should finally look like in CMC:
Example: Adding Rights
Adding rights to an access level looks complex at first, so here's an example of the two checkboxes/radio buttons (highlighted in red) you need to use to add the rights "Add or edit user attributes" and "Add objects to the folder", respectively.
For "Add or edit user attributes", just tick the "Grant" radio button. For "Add objects to the folder", just check "Override General Global". The "Apply to" option will be set automatically to "Object and Subobjects", which is what we need.
Update Access Control Lists
Return back to "Users and Groups" in CMC to create two new access control list entries: one to allow the service user access to the special folder "Users", and one to allow access to the special folder "Groups". The procedure to create these two ACL entries is almost identical, so I'll start with the "Users" folder and illustrate that in much detail, but keep things shorter for "Groups" in order to avoid repetition.
Update ACL of "Users" Folder
Use Manage -> Top-Level Security -> All Users from the menu bar. Confirm the information message that will be shown, and proceed to the dialog "User Security: Users".
Use "Add Principals" to create a new ACL entry. In the "User Security" step, you'll specify who will have access and select our service user.
From the list of "Available Users or Groups" on the left, select the user Z_IDM_USER you created previously, and then "Add to selection" button to add it to "Selected Users or Groups" on the right. Proceed to the next step using "Add and Assign Security".
In the following "Assign Security" dialog, you'll specify how the service user will be able to access this folder. For this purpose, you'll select the custom access level created previously.
I recommend breaking rights inheritance by unchecking both "Inherit From Parent Folder" and "Inherit From Parent Group". Rights inheritance means additional complexity that is not needed for our purposes, and it can make troubleshooting more difficult.
Then, select the custom access level Z_IDM_GRANT from the list of "Available Access Levels" on the left and use "Add to Selection" to add it to the list of "Assigned Access Levels" on the right.
Save your changes using "OK".
The resulting ACL of the "Users" folder should have a new entry for principal "Z_IDM_USER" and access level "Z_IDM_GRANT" as shown below.
Update ACL of "Groups" Folder
What we have done so far will allow the service user to access BusinessObjects users only, as we have created an ACL entry for the "Users" folder which stores all user objects. What remains to do is to create a second ACL entry that will allow the service user to access BusinessObjects user groups as well. Hence, this second ACL entry must be created in the ACL of the "Groups" folder that stores all user group objects.
In the "Users and Groups" view of CMC, use "Manage -> Top-Level Security -> All Groups" from the menu:
Confirm the information dialog that will pop up, and then repeat exactly the same steps as for the "Users" folder. The end result should look like this:
That's it. The service user is now ready to be used by the SAP IDM connector for SAP BusinessObjects BI Platform.
Want to learn more about this connector? Have a look at the connector's GitHub project, which also contains a small Wiki with additional resources.
- SAP Managed Tags:
3 Comments
