Technical Articles
SAP IdM Attestation (user access review) custom IdM processes, UI5 and reporting
Hi all,
This blog is related to the options we have with SAP IdM Attestation functionality, coming from the standard IdM processes and implemented with the additional customizations.
1st we have to decide between the Attestation options we have in IdM – Get Attesters from:SAP IdM Attestation task
attest process setup
We can choose between:
- Task
The attesters are defined in the Attester field below (that is, on the attestation task itself).
Note: this will be one attester per attestation process set in the Attester field
- Role/Privilege
The attesters are defined on the role or privilege with the attribute MX_ATTESTER.
- Manager
The attester(s) will be the manager(s) defined on the user(s) with the attribute MX_MANAGER.
- User Defined
The attesters are set with context variables with the preprocessing task.
Before starting the implementation we have to review the existing structure (we use SQL queries to get the report needed in order to select the best case):
- Case 1 – if we have 1000 users assigned in 1 privilege and for those 1000 users we have 20 different managers, there will be 1 task per manager with around 50 users inside the task
- but if each manager has 50 users under him/her and we execute attestation for all privileges in IdM and those 50 users have from 200 to 2000 different role/privs, then each manager will have from 200 to 2000 and more tasks
- Case 2 – if we have 1000 users assigned in 1 privilege and we have the attester attribute set for this privilege (taking the attester from the privilege itself), we will have 1 task with 1000 users inside
- in case 2 we can use the privilege approvers as attesters, but we have to validate the number of tasks that will be created for each attester
- if we have attesters with more than 600 privileges to attest we might have to think of a way to separate the tasks between more attesters
Next step is building the custom UI supporting the Attestation process (we recommend SAPUI5 consuming the standard IdM rest generated from the attestation process):
Attestation UI home page
UI overview
UI overview option 2
In addition we can have some nice functionalities:
- Additional user information
- Role/privilege description, as the technical name might not be enough
- In case of privileges – back-end system related to it
Additional user info
UI comment
Info on delegated tasks
Note: delegated users from each task are no longer visible in the initial attester Inbox, but we can still get the number and display a warning in case of delegation
Here are most of the rest calls in use from the SAPUI5 (examples):SAP IdM Attestation REST options
- ToDo tab – attester overview (example):
-
- /idmrestapi/v2/service/TaskCollection – GET
- /idmrestapi /v2/service/TaskCollection(SAP__Origin=’IDM’,InstanceID=’NxNN’)/Assignments/$count – GET
- Detail UI
-
- /idmrestapi/v2/service/TaskCollection(SAP__Origin=’IDM’,InstanceID=’ NxNN’)/Assignments – GET
- /idmrestapi/v2/service/TaskCollection(SAP__Origin=’IDM’,InstanceID=’ NxNN’)/CustomAttributeData – GET
- Detail Delegate (example)
- Get Users
- /idmrestapi/v2/service/ET_MX_PERSON?filterBasic=USER_ID- GET
- Delegate to User
- /idmrestapi/v2/service/Decision?InstanceID=’NxNN’&SAP__Origin=’IDM’&DecisionKey=’DELEGATE’&DelegateId=’12312’&LinkId=’31231232112’&Comments=’test’ – POST
- Assignments refresh after action
- /idmrestapi/v2/service/TaskCollection(SAP__Origin=’IDM’,InstanceID=’ NxNN’)/Assignments – GET
- /idmrestapi/v2/service/TaskCollection(SAP__Origin=’IDM’,InstanceID=’ NxNN’)/CustomAttributeData – GET
- Get Users
- Detail REST calls (overview with examples)
-
- /idmrestapi/v2/service/TaskCollection(SAP__Origin=’IDM’,InstanceID=’ NxNN ‘)/Assignments – GET
- /idmrestapi/v2/service/TaskCollection(SAP__Origin=’IDM’,InstanceID=’ NxNN ‘)/CustomAttributeData – GET
- Detail Certify
- /idmrestapi/v2/service/Decision?InstanceID=’ NxNN ‘&SAP__Origin=’IDM’&DecisionKey=’ATTEST’ &Action=’CERTIFY’&LinkId=’123123123’&Comments=’test’ – POST
Next step is to create and manage the process triggering the attestation in IdM:
IdM UI managing attestations
Important customization here are the notifications, as the standard functionality is sending notifications per task (and in 99% of the cases one attester has from 20 to 100 tasks even more). The additional customization is sending those notifications per attester, each attester receives only one initial/reminder notification.
Final step of this implementation will be the reports covering the Attestation processes:
- report for active tasks – basic report
- report for active tasks – detail report with users inside and delegation info
- report for delegated tasks (admin report) – detail info with initial attester and delegated attester
- report for delegated tasks (self service) – executed from the attesters for themselves
- report of privilege/role attestation date
- report for expired tasks
I hope that this blog will presend a few options and better understanding of the functionality provided within SAP IdM Attestation. SAP IdM provides a number of possible scenarios and a great flexibility in the way you decide to implement the process.
This is one possible solution related to audit observation, as the yearly access review is an important process in each company.
I hope, this blog is useful and any feedback/question will be welcomed 🙂
Kind Regards,
Simona Lincheva
Excellent blog Simona. Thanks for sharing!
Hi Sivajan,
Thanks, I’m glad you like it
BR,
Simona
Thanks for the blog...very useful.
Excellent Simona. How can we know which roles attested and which are not. MXI_ATTESTATION shows only the active attestations.
Hi Ranjan,
You can have a report listing the last attestation date of the role/privilege and if the attestation is active or not. Here are the attributes you can use for your report:
MX_ATTEST_ACTIVE
MX_ATTEST_NEXTDATE
MX_ATTEST_LASTDATE
Those attributes are updated from the standard attestation procedure and you can used them to get the attestation info you need.
BR,
Simona
Hi Simona,
We're trying to build a similar UI5 at the moment, but struggling to get a connection to IdM on the deployed app.
I suspect it is as we're still using Fiori on-Premise on Gateway rather the the Cloud one which would allow us a connection via SAP Cloud Connector which is how we are able to test successfully via SAP Web IDE.
Hi Mathys,
What exactly is the issue, the rest api you are calling is not reachable from the application you deployed?
The specific case here is that the rest call needs authenticated user, as those are tasks part of the attester inbox, so the user needs the correct authorizations in IdM and if there is no SSO you will have a popup for the login.
BR,
Simona
Hi Simona,
We have resorted to creating an RFC connection and a manual SEGW service which uses the HTTP_CLIENT and REST_CLIENT classes in ABAP to pass data to and from IdM and presenting the data in the UI5 app.
This seems to work, but we suspect this isn't the ideal solution.
Our previous attempt in WebIDE made a connection via SAP Cloud Connector which was a more ideal solution as all the code resided within the UI5 app, but Gateway doesn't connect to IdM via SCC.
It looks like your UI5 app is deployed on IdM itself. Did you use NWDS to develop it?
Thanks
Thys
Hi Mathys
We used the WebIDE for this, but it was deployed on the Portal where IdM ASJAVA is running.
As well we tested connection with the WebIDE, just for testing and It was working as well, I will check again and update further, if I missed something.
BR,
Simona
Hi,
What is the link between Task and Role?
We have a list of Tasks, from TaskCollection, and want to know the MS_KEY_VALUE of the Role that the task belongs to. How do we obtain this? All we have from TaskCollection is InstanceId.
Regards,
James
Hello Simona,
I have created a very simple UI5 application for this ATTESTATION & deployed in SAP IDM AS server. I have used WEBIDE to build the application. But the application is performing very slow in production. You can find the picture of the application.
The application has two buttons: Certify the Attestation & Reject the attestation using the service "/Decision".
Do you have any idea behind the slow performance of the application in production?
Please let me know.
Thanks,
Arindam