Simona Lincheva

SAP IdM Attestation (user access review) custom IdM processes, UI5 and reporting

Hi all,

This blog is related to the options we have with SAP IdM Attestation functionality, coming from the standard IdM processes and implemented with the additional customizations.

First we have to decide between the attestation options we have in IdM, set via "Get Attesters from" on the SAP IdM attestation task:

[Image: attest process setup]

We can choose between:

  • Task

The attesters are defined in the Attester field below (that is, on the attestation task itself).

Note: this means a single attester for the whole attestation process, namely the one set in the Attester field.

  • Role/Privilege

The attesters are defined on the role or privilege with the attribute MX_ATTESTER.

  • Manager

The attester(s) will be the manager(s) defined on the user(s) with the attribute MX_MANAGER.

  • User Defined

The attesters are set via context variables in the preprocessing task.

Before starting the implementation we have to review the existing assignment structure (we use SQL queries on the IdM database to produce the report needed for choosing the best option):

  • Case 1 – if we have 1000 users assigned to one privilege and those 1000 users have 20 different managers, there will be one task per manager with around 50 users inside each task
    • but if each manager has 50 users under him/her and we run the attestation for all privileges in IdM, and those 50 users hold from 200 to 2000 different roles/privileges, then each manager will get from 200 to 2000 tasks or more
  • Case 2 – if we have 1000 users assigned to one privilege and the attester attribute is set on this privilege (taking the attester from the privilege itself), we will have one task with 1000 users inside
    • in case 2 we can use the privilege approvers as attesters, but we have to validate the number of tasks that will be created for each attester
    • if we have attesters with more than 600 privileges to attest we might have to think of a way to split the tasks between more attesters
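The sizing exercise described in Case 1 and Case 2 can be scripted instead of done by hand. The following is an added example, not code from the original blog: it takes a list of user-to-privilege assignments and counts the tasks each attester would receive under the "Manager" option (one task per manager and privilege) and under the "Role/Privilege" option (one task per privilege, owned by its MX_ATTESTER). The assignment shape `{user, privilege, manager, privilegeAttester}` and the sample data are assumptions constructed for the example; the 600-privilege threshold is the one quoted above.

```javascript
// Added example, not code from the original blog: estimate how many attestation
// tasks each attester receives under the "Manager" option (Case 1) and the
// "Role/Privilege" option (Case 2) before choosing one. Assumption: an
// assignment is {user, privilege, manager, privilegeAttester}, where manager is
// the user's MX_MANAGER and privilegeAttester is the privilege's MX_ATTESTER.
// The 600-privilege limit is the threshold quoted in the blog text.

function indexAssignments(assignments, attesterOf) {
  // attester -> Map(privilege -> Set(users)); one inner entry == one task
  const index = new Map();
  for (const a of assignments) {
    const attester = attesterOf(a);
    if (!index.has(attester)) index.set(attester, new Map());
    const privs = index.get(attester);
    if (!privs.has(a.privilege)) privs.set(a.privilege, new Set());
    privs.get(a.privilege).add(a.user);
  }
  return index;
}

function summarize(index, limit) {
  const out = {};
  for (const [attester, privs] of index) {
    let userEntries = 0;
    for (const users of privs.values()) userEntries += users.size;
    out[attester] = {
      tasks: privs.size,            // one task per privilege for this attester
      userEntries,                  // total user rows spread over those tasks
      overloaded: privs.size > limit,
    };
  }
  return out;
}

function estimateTaskLoad(assignments, maxPrivsPerAttester = 600) {
  return {
    // Case 1: attester taken from MX_MANAGER, one task per manager and privilege
    managerCase: summarize(indexAssignments(assignments, a => a.manager), maxPrivsPerAttester),
    // Case 2: attester taken from MX_ATTESTER on the privilege, one task per privilege
    privilegeCase: summarize(indexAssignments(assignments, a => a.privilegeAttester), maxPrivsPerAttester),
  };
}

// Constructed sample data (not real IdM content): 6 users under 2 managers,
// each holding the same 3 privileges, owned by 2 privilege attesters.
const SAMPLE_PRIVS = [
  { name: "PRIV:FI_CLERK", attester: "ATT_FI" },
  { name: "PRIV:HR_VIEW", attester: "ATT_HR" },
  { name: "PRIV:FI_POST", attester: "ATT_FI" },
];
const SAMPLE_ASSIGNMENTS = [];
["u1", "u2", "u3", "u4", "u5", "u6"].forEach((user, i) => {
  const manager = i < 3 ? "mgr_a" : "mgr_b";
  for (const p of SAMPLE_PRIVS) {
    SAMPLE_ASSIGNMENTS.push({ user, privilege: p.name, manager, privilegeAttester: p.attester });
  }
});

console.log(JSON.stringify(estimateTaskLoad(SAMPLE_ASSIGNMENTS), null, 2));
```

On real data the assignment list would come from the SQL report mentioned above; the `overloaded` flag marks attesters who would exceed the chosen per-attester limit and for whom the tasks would need to be split between more attesters.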

The next step is building the custom UI supporting the attestation process (we recommend SAPUI5 consuming the standard IdM REST services generated for the attestation process):

[Image: Attestation UI home page]

[Image: UI overview]

[Image: UI overview option 2]

In addition we can add some useful functionality:

  • Additional user information
  • Role/privilege description, as the technical name might not be enough
  • In case of privileges – the back-end system the privilege belongs to

[Image: Additional user info]

[Image: UI comment]

[Image: Info on delegated tasks]

Note: users delegated from a task are no longer visible in the original attester's inbox, but we can still retrieve their number and display a warning when a delegation exists.

Here are most of the REST calls used from the SAPUI5 application (examples):

  • ToDo tab – attester overview (example):
    • /idmrestapi/v2/service/TaskCollection – GET
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments/$count – GET
  • Detail UI
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments – GET
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData – GET
  • Detail Delegate (example)
    • Get Users
      • /idmrestapi/v2/service/ET_MX_PERSON?filterBasic=USER_ID – GET
    • Delegate to User
      • /idmrestapi/v2/service/Decision?InstanceID='NxNN'&SAP__Origin='IDM'&DecisionKey='DELEGATE'&DelegateId='12312'&LinkId='31231232112'&Comments='test' – POST
    • Assignments refresh after action
      • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments – GET
      • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData – GET
  • Detail REST calls (overview with examples)
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments – GET
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData – GET
    • Detail Certify
      • /idmrestapi/v2/service/Decision?InstanceID='NxNN'&SAP__Origin='IDM'&DecisionKey='ATTEST'&Action='CERTIFY'&LinkId='123123123'&Comments='test' – POST

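The calls above carry values that originate in the UI, in particular the attester's free-text comment, so the SAPUI5 code has to build the query string rather than concatenate raw strings. The following is an added example, not code from the original blog or from SAP: it assembles the TaskCollection and Decision URLs in the form listed above, doubles quotes inside a value and percent-encodes it so that characters such as `&` or `=` in a comment cannot turn into extra parameters, and rejects decision keys and actions other than the ones the list shows. The paths and parameter names are taken from the list; `BASE`, the sample ids and the allow-lists are assumptions made for the example. As the author notes in the comments, the calls themselves only succeed for an authenticated IdM user with the right authorizations.

```javascript
// Added example, not code from the original blog or from SAP: build the IdM
// REST URLs listed above so that values coming from the UI (task instance id,
// delegate id, link id, the attester's free-text comment) cannot break out of
// the query string. Assumptions: the paths and parameter names are exactly the
// ones shown in the list; BASE is a placeholder for the IdM REST root.

const BASE = "/idmrestapi/v2/service";

// Allowed decisions and actions are only those that appear in the blog's list.
const DECISION_KEYS = new Set(["ATTEST", "DELEGATE"]);
const ACTIONS = new Set(["CERTIFY"]);

// Single-quoted string literal as used in the calls above. A quote inside the
// value is doubled, then the whole literal is percent-encoded so that '&', '='
// or '#' in a comment stay part of the value instead of becoming new parameters
// (encodeURIComponent leaves the quote characters themselves untouched).
function quoted(value) {
  return encodeURIComponent("'" + String(value).replace(/'/g, "''") + "'");
}

// TaskCollection(...)<suffix>, e.g. suffix "/Assignments/$count" or "/CustomAttributeData"
function taskCollectionUrl(instanceId, suffix = "") {
  if (!instanceId) throw new Error("instanceId is required");
  return `${BASE}/TaskCollection(SAP__Origin=${quoted("IDM")},InstanceID=${quoted(instanceId)})${suffix}`;
}

// Decision?... for certify (DecisionKey=ATTEST, Action=CERTIFY) and delegate
// (DecisionKey=DELEGATE, DelegateId), in the parameter order shown in the blog.
// The blog sends these with POST.
function decisionUrl({ instanceId, decisionKey, action, delegateId, linkId, comments = "" }) {
  if (!DECISION_KEYS.has(decisionKey)) throw new Error("unknown DecisionKey: " + decisionKey);
  if (action !== undefined && !ACTIONS.has(action)) throw new Error("unknown Action: " + action);
  if (decisionKey === "DELEGATE" && !delegateId) throw new Error("DELEGATE needs a DelegateId");
  if (!instanceId || !linkId) throw new Error("instanceId and linkId are required");

  const params = [["InstanceID", instanceId], ["SAP__Origin", "IDM"], ["DecisionKey", decisionKey]];
  if (action !== undefined) params.push(["Action", action]);
  if (delegateId !== undefined) params.push(["DelegateId", delegateId]);
  params.push(["LinkId", linkId], ["Comments", comments]);
  return `${BASE}/Decision?` + params.map(([k, v]) => `${k}=${quoted(v)}`).join("&");
}

// Usage with constructed placeholder ids (not real task or link ids)
console.log(taskCollectionUrl("NxNN", "/Assignments/$count"));
console.log(decisionUrl({ instanceId: "NxNN", decisionKey: "ATTEST", action: "CERTIFY", linkId: "123123123", comments: "test" }));
console.log(decisionUrl({ instanceId: "NxNN", decisionKey: "DELEGATE", delegateId: "12312", linkId: "31231232112", comments: "ok & done's" }));
```

The returned strings match the examples in the list for plain values; a comment such as `ok & done's` comes out as `Comments='ok%20%26%20done''s'`, so the back end receives the whole text as the comment.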
The next step is to create and manage the process that triggers the attestation in IdM:

[Image: IdM UI managing attestations]

An important customization here is the notifications: the standard functionality sends one notification per task (and in 99% of the cases one attester has from 20 to 100 tasks or even more). The additional customization sends those notifications per attester, so each attester receives only one initial/reminder notification.

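The per-attester notification described above amounts to grouping the open tasks by attester before anything is sent. The following is an added example, not code from the original blog: it collapses a list of open tasks into exactly one message per attester and decides, from the set of attesters already notified in an earlier run, whether that message is the initial notification or a reminder. The task shape `{instanceId, attester}`, the `initialSent` set and the subject texts are assumptions constructed for the example.

```javascript
// Added example, not code from the original blog: turn the standard one-mail-
// per-task notification into one mail per attester, and decide per attester
// whether this run sends the initial notification or a reminder. Assumptions:
// open tasks are {instanceId, attester}; `initialSent` is the set of attesters
// already notified by an earlier run (persisted by the custom process);
// subject texts are constructed here.

function buildAttesterNotifications(openTasks, initialSent = new Set()) {
  const tasksByAttester = new Map();
  for (const t of openTasks) {
    if (!tasksByAttester.has(t.attester)) tasksByAttester.set(t.attester, []);
    tasksByAttester.get(t.attester).push(t.instanceId);
  }
  const messages = [];
  for (const [attester, ids] of tasksByAttester) {
    const kind = initialSent.has(attester) ? "reminder" : "initial";
    messages.push({
      to: attester,
      kind,
      taskCount: ids.length,
      instanceIds: ids,
      subject: kind === "initial"
        ? `Attestation: ${ids.length} task(s) are waiting for your review`
        : `Reminder: ${ids.length} attestation task(s) are still open`,
    });
  }
  return messages;   // exactly one entry per attester with open tasks
}

// Constructed sample: 5 open tasks for 2 attesters (ids are placeholders)
const OPEN_TASKS = [
  { instanceId: "N1", attester: "mgr_a" },
  { instanceId: "N2", attester: "mgr_a" },
  { instanceId: "N3", attester: "mgr_a" },
  { instanceId: "N4", attester: "mgr_b" },
  { instanceId: "N5", attester: "mgr_b" },
];

console.log(buildAttesterNotifications(OPEN_TASKS));                      // two "initial" mails
console.log(buildAttesterNotifications(OPEN_TASKS, new Set(["mgr_a"])));  // reminder for mgr_a, initial for mgr_b
```

The custom process would record the attesters it has already notified so that the next scheduled run produces reminders only for those and initial messages for anyone who received new tasks in between.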
The final step of this implementation is the reports covering the attestation processes:

  1. report for active tasks – basic report
  2. report for active tasks – detail report with users inside and delegation info
  3. report for delegated tasks (admin report) – detail info with initial attester and delegated attester
  4. report for delegated tasks (self service) – executed from the attesters for themselves
  5. report of privilege/role attestation date
  6. report for expired tasks

I hope that this blog presents a few options and gives a better understanding of the functionality provided within SAP IdM Attestation. SAP IdM provides a number of possible scenarios and great flexibility in the way you decide to implement the process.

This is one possible solution to an audit observation, as the yearly access review is an important process in every company.

I hope this blog is useful; any feedback or questions are welcome 🙂

Kind Regards,

Simona Lincheva

10 Comments
      Sivajan Kumaran

      Excellent blog Simona. Thanks for sharing!

      Simona Lincheva
      Blog Post Author

      Hi Sivajan,

      Thanks, I’m glad you like it 🙂

      BR,

      Simona

      Rahul Athwani

      Thanks for the blog...very useful.

      Ranjan Kumar Dash

      Excellent Simona. How can we know which roles were attested and which were not? MXI_ATTESTATION shows only the active attestations.

      Simona Lincheva
      Blog Post Author

      Hi Ranjan,

      You can have a report listing the last attestation date of the role/privilege and if the attestation is active or not. Here are the attributes you can use for your report:

      MX_ATTEST_ACTIVE

      MX_ATTEST_NEXTDATE

      MX_ATTEST_LASTDATE

      Those attributes are updated by the standard attestation procedure and you can use them to get the attestation info you need.

      BR,

      Simona

      Mathys van der Merwe

      Hi Simona,

      We're trying to build a similar UI5 at the moment, but struggling to get a connection to IdM on the deployed app.

      I suspect it is because we're still using Fiori on-premise on Gateway rather than the Cloud one, which would allow us a connection via SAP Cloud Connector, which is how we are able to test successfully via SAP Web IDE.

      Simona Lincheva
      Blog Post Author

      Hi Mathys,

      What exactly is the issue: is the REST API you are calling not reachable from the application you deployed?

      The specific case here is that the REST call needs an authenticated user, as those tasks are part of the attester's inbox, so the user needs the correct authorizations in IdM, and if there is no SSO you will get a login popup.

      BR,

      Simona

      Mathys van der Merwe

      Hi Simona,

      We have resorted to creating an RFC connection and a manual SEGW service which uses the HTTP_CLIENT and REST_CLIENT classes in ABAP to pass data to and from IdM and presenting the data in the UI5 app.

      This seems to work, but we suspect this isn't the ideal solution.

      Our previous attempt in WebIDE made a connection via SAP Cloud Connector which was a more ideal solution as all the code resided within the UI5 app, but Gateway doesn't connect to IdM via SCC.

      It looks like your UI5 app is deployed on IdM itself. Did you use NWDS to develop it?

      Thanks
      Thys

      Simona Lincheva
      Blog Post Author

      Hi Mathys,

      We used the WebIDE for this, but it was deployed on the Portal where IdM ASJAVA is running.

      We also tested the connection with the WebIDE, just for testing, and it was working as well. I will check again and update further if I missed something.

      BR,

      Simona

      James Whitworth

      Hi,

      What is the link between Task and Role?

      We have a list of Tasks, from TaskCollection, and want to know the MS_KEY_VALUE of the Role that the task belongs to. How do we obtain this? All we have from TaskCollection is InstanceId.

      Regards,

      James