Understanding UWL BPM substitution rules setup in LDAP environment
Introduction to UWL BPM substitutions toolset
Anyone who has worked with the SAP BPM suite or an SAP PO integrated solution has probably used the standard NetWeaver functionality known as UWL substitutions. Though they are widely used across NetWeaver Portal installations of different scope, we have used them primarily for BPM tasks. If you have not used them so far, let me explain what they are intended for.
It is a standard toolset integrated into UWL for assigning and re-assigning the tasks of absent or departed employees to department managers and supervisors, or to any designated person. The person to whom the tasks are assigned is called the nominee or substitute in SAP terms, and you (or the person whose tasks are assigned) are called the substituted user.
When should this functionality be used? When an accountant is on leave and somebody needs to approve an invoice (usually the CEO or CFO), when a supplier has sent a quotation but there is no purchase manager around to make a decision and, in such an emergency, a senior supply executive can do it, and in many similar cases.
Very useful, isn't it? Definitely. However, things get complicated when your SAP portal is connected to the company's Microsoft Active Directory (AD) or a similar LDAP provider.
What I am speaking about is this scenario:
Here is the standard SAP Java Application Server Config Tool you are probably familiar with. It is used to configure WebAS, including but not limited to the configuration of UME users in conjunction with LDAP. At the very bottom of this applet you can find the setting Use UME unique id with unique LDAP attribute, which does not look mysterious, but ticking it can be tricky if you don't know all the ins and outs.
When the setting is enabled, the UME engine ties the UME user ID to the LDAP user ID, so that a UME user is uniquely identified by its LDAP entry. Other UME fields can also be mapped and adjusted in the web version of the tool through the datasourceConfiguration_XXXXXXX.xml file, which defines the mapping of LDAP fields to UME fields.
The real business-story in my company
As long as no changes are made to the IT landscape, everything can be fine, but things can get tricky. Imagine that your company moves to another location, establishes new departments, or makes lay-offs and fires an employee. What can happen?
In our company we ran into a problem while testing and setting up a Substitution management app that I had developed. While the app was running, some of the UME users it tried to process caused a dump in the program.
What were the features of the app? In brief:
- Search substitutions by substituted user, by substitute and by principal
- Creating substitutions with different parameters for users
- Deleting outdated and erroneous rules
Some rules caused a dump at the moment of deletion, and for a long time the cause of the dump was a mystery to me. On top of that, some users were displayed as Deleted.
Their department was also shown as Deleted, which was quite weird, as no departments in our company had been deleted in those days.
I started to investigate the problem and found nothing; I couldn't even guess the names of the problem users. Then I decided to introduce an additional field which showed the substitute user's UME Unique ID.
That way the root problem became more and more evident to me: it was an inconsistency between LDAP and UME users in the SAP NetWeaver BPM platform.
During the company's transformation a couple of years ago, it opened a new branch in our city, but some of the users were left in the .net AD domain, whilst newly joined employees were in the .ru domain. Some were recreated, some were not, and here was the pitfall. Those users whose UME Unique ID was absent from the LDAP database showed as Deleted and caused a dump during any manipulation. A long, long time ago, at the very beginning, when SAP BPM was introduced in the company, I didn't even work here, and I wasn't able to give recommendations about the IT infrastructure and how to integrate SAP BPM and LDAP in a better way.
What is well known among NetWeaver pros concerning this case is that SAP released note 777640, which recommends using not the distinguished LDAP unique ID but a custom attribute mapped to the UME j_user field. The note is quite descriptive and straightforward and I will not rewrite it here; I just recommend that everybody who is ever going to set up LDAP together with BPM read it. To map the different objects you should change these attributes in your datasourceConfiguration_XXXXXXX.xml:
ume.ldap.unique_user_attribute=<attributename>
ume.ldap.unique_uacc_attribute=<attributename>
ume.ldap.unique_grup_attribute=<attributename>
However, this approach has one limitation: it will not work if implemented after the SAP BPM portal has been set up with the UME central repository. All UME user data will be lost after such a change, so it was not a good fit for our case.
So what else could have been done? I started to dive deeper and deeper into the BPM architecture, and because I wasn't very familiar with the BPM technical tables I did it through trial and error.
The things I have learned:
- All users in UME are stored in the table BC_BPEM_UM_MAP in the BPM database
- Substitution rules are stored in BC_BPEM_TM_SUBST
- BPM users are never deleted, unlike in the LDAP directory; it doesn't matter to BPM what is going on in LDAP.
- Only a manual update of the BPM tables can solve the problem.
To fix outdated substitution rules with absent substitutes, one should execute a query like this:
DELETE FROM BC_BPEM_TM_SUBST WHERE SUBSTITUTE_ID = <unique_user_id>
To fix the issue with substituted users, the query is:
DELETE FROM BC_BPEM_TM_SUBST WHERE USER_ID = <unique_user_id>
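An added example, not code from the original post or from SAP: the two DELETE statements above generalised into one audited clean-up that finds every ID referenced by a rule but missing from a directory export, copies the affected rows to a backup table, and deletes them in a single transaction with bound parameters. An in-memory SQLite table with only the USER_ID and SUBSTITUTE_ID columns stands in for BC_BPEM_TM_SUBST; the sample IDs, the SUBST_BACKUP name and the way the set of LDAP IDs is obtained are assumptions.

```python
import sqlite3

def stale_ids(conn, ldap_ids):
    """IDs referenced by substitution rules but absent from the directory."""
    referenced = set()
    rows = conn.execute("SELECT USER_ID, SUBSTITUTE_ID FROM BC_BPEM_TM_SUBST")
    for pair in rows:
        referenced.update(v for v in pair if v is not None)
    return sorted(referenced - set(ldap_ids))

def purge_stale_rules(conn, ldap_ids):
    """Back up, then delete, every rule touching a stale ID; return rows removed."""
    where = "WHERE USER_ID = ? OR SUBSTITUTE_ID = ?"
    # SUBST_BACKUP is a hypothetical table name; it gets the same columns.
    conn.execute("CREATE TABLE IF NOT EXISTS SUBST_BACKUP AS "
                 "SELECT * FROM BC_BPEM_TM_SUBST WHERE 0")
    removed = 0
    with conn:  # one transaction: commit on success, roll back on any error
        for uid in stale_ids(conn, ldap_ids):
            conn.execute("INSERT INTO SUBST_BACKUP "
                         "SELECT * FROM BC_BPEM_TM_SUBST " + where, (uid, uid))
            cur = conn.execute("DELETE FROM BC_BPEM_TM_SUBST " + where, (uid, uid))
            removed += cur.rowcount
    return removed

def build_sample():
    """Constructed stand-in for the BPM table: only the two columns named above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BC_BPEM_TM_SUBST (USER_ID TEXT, SUBSTITUTE_ID TEXT)")
    conn.executemany("INSERT INTO BC_BPEM_TM_SUBST VALUES (?, ?)", [
        ("ID-ALICE", "ID-BOB"),    # both users still exist
        ("ID-ALICE", "ID-GONE1"),  # substitute no longer in LDAP
        ("ID-GONE2", "ID-BOB"),    # substituted user no longer in LDAP
        ("ID-GONE1", "ID-GONE2"),  # neither exists
    ])
    conn.commit()
    ldap_ids = {"ID-ALICE", "ID-BOB"}  # constructed export of LDAP unique IDs
    return conn, ldap_ids

if __name__ == "__main__":
    conn, ldap_ids = build_sample()
    print("stale IDs:", stale_ids(conn, ldap_ids))
    print("rows removed:", purge_stale_rules(conn, ldap_ids))
    print("left:", conn.execute("SELECT * FROM BC_BPEM_TM_SUBST").fetchall())
```

Running stale_ids on its own first gives a read-only list of affected IDs to review before anything is deleted.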
Much later I found an SAP note, 2175807, which listed almost the same things I had done, but at the time I was solving the problem I was not aware of this saving note. Too late, as always.
The note contains a red warning that one should not edit BC_BPEM_UM_MAP under any circumstances, but I did it without any notable consequences. I deleted outdated users both from the BC_BPEM_UM_MAP table and from BC_BPEM_TM_SUBST and all went fine. Anyway, I suggest you do not do as I did, and instead follow all SAP recommendations.
Hope this post will be helpful for someone.