simona_lincheva4
Hi all,

This blog describes the options we have with the SAP IdM Attestation functionality, starting from the standard IdM processes and extended with additional customizations.

First we have to decide between the attestation options IdM offers in the "Get Attesters from" setting of the attestation task:


SAP IdM attestation task: attest process setup


We can choose between:

  • Task


The attesters are defined in the Attester field of the attestation task itself.

Note: this gives one attester per attestation process, the one set in the Attester field.

  • Role/Privilege


The attesters are defined on the role or privilege through the attribute MX_ATTESTER.

  • Manager


The attester(s) will be the manager(s) defined on the user(s) in the attribute MX_MANAGER.

  • User Defined


The attesters are supplied as context variables by a preprocessing task.

Before starting the implementation we have to review the existing structure (we use SQL queries to produce the report needed to select the best option):

  • Case 1 (Manager) - if 1000 users are assigned to one privilege and those 1000 users have 20 different managers, there will be one task per manager with around 50 users inside each task

    • but if each manager has 50 users and we execute the attestation for all privileges in IdM, and those 50 users hold between 200 and 2000 different roles/privileges, then each manager ends up with 200 to 2000 tasks or more

  • Case 2 (Role/Privilege) - if 1000 users are assigned to one privilege and the attester attribute is set on that privilege (the attester is taken from the privilege itself), there will be one task with all 1000 users inside

    • in case 2 we can reuse the privilege approvers as attesters, but we have to validate the number of tasks that will be created for each attester

    • if an attester has more than 600 privileges to attest we may need a way to split the tasks between several attesters
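The sizing exercise above, as an added example that is not part of the original post: a small Node.js dry run that groups constructed user/privilege assignments into tasks for the Manager and Role/Privilege options, reports the per-attester task count and largest task, flags attesters above a task limit (600, the figure used in the text, is the default), and also compares the per-task notification count of the standard functionality with the per-attester count of the customization described further down. Only the attribute names MX_MANAGER and MX_ATTESTER come from the post; the data set, the user and privilege names and the planning functions are assumptions made for this example.

```javascript
// Added example, not code from the original post: a dry run of the attester
// workload for the "Manager" and "Role/Privilege" options before an attestation
// is started. The data set is constructed inline; the attribute names MX_MANAGER
// and MX_ATTESTER come from the post, the user/privilege naming and the
// planning logic are assumptions made for this example.

// Constructed data: 1000 users, 20 managers, every user in PRIV:A plus two
// further privileges, so that PRIV:A matches "Case 1"/"Case 2" of the post.
function buildSampleData() {
  const users = [];
  for (let i = 0; i < 1000; i++) {
    users.push({
      mskey: 100000 + i,
      MX_MANAGER: `MANAGER_${i % 20}`,
      privileges: ['PRIV:A', `PRIV:B${i % 7}`, `PRIV:C${i % 50}`],
    });
  }
  // MX_ATTESTER per privilege (assumed): one person owns PRIV:A and the B
  // privileges, another owns all 50 C privileges (deliberately overloaded).
  const attesterByPrivilege = {};
  for (const u of users) {
    for (const p of u.privileges) {
      attesterByPrivilege[p] = p.startsWith('PRIV:C') ? 'ATTESTER_C' : 'ATTESTER_A';
    }
  }
  return { users, attesterByPrivilege };
}

// Group assignments into attestation tasks. A task is one privilege for one
// attester; the result is a Map attester -> [{ privilege, users: [mskey...] }].
function planTasks(users, attesterByPrivilege, getAttestersFrom) {
  const plan = new Map();
  for (const u of users) {
    for (const p of u.privileges) {
      let attester;
      if (getAttestersFrom === 'Manager') attester = u.MX_MANAGER;
      else if (getAttestersFrom === 'Role/Privilege') attester = attesterByPrivilege[p];
      else throw new Error(`unsupported option: ${getAttestersFrom}`);
      if (!attester) throw new Error(`no attester resolvable for ${p} / ${u.mskey}`);
      if (!plan.has(attester)) plan.set(attester, new Map());
      const byPriv = plan.get(attester);
      if (!byPriv.has(p)) byPriv.set(p, { privilege: p, users: [] });
      byPriv.get(p).users.push(u.mskey);
    }
  }
  // Flatten the inner Map into arrays for easier reporting.
  return new Map([...plan].map(([a, byPriv]) => [a, [...byPriv.values()]]));
}

// Per-attester summary: number of tasks and size of the largest task.
function workload(plan) {
  return [...plan].map(([attester, tasks]) => ({
    attester,
    tasks: tasks.length,
    largestTask: Math.max(...tasks.map((t) => t.users.length)),
  }));
}

// Attesters above the task limit (600 in the post) and how many attesters the
// work would have to be spread over to stay under it.
function overloaded(plan, limit = 600) {
  return workload(plan)
    .filter((w) => w.tasks > limit)
    .map((w) => ({ ...w, attestersNeeded: Math.ceil(w.tasks / limit) }));
}

// Standard IdM notifies per task; the customization in the post notifies per
// attester. Both counts for the same plan.
function notificationCounts(plan) {
  let perTask = 0;
  for (const tasks of plan.values()) perTask += tasks.length;
  return { perTask, perAttester: plan.size };
}

const { users, attesterByPrivilege } = buildSampleData();
const byManager = planTasks(users, attesterByPrivilege, 'Manager');
const byPrivilege = planTasks(users, attesterByPrivilege, 'Role/Privilege');
console.log('Manager:', workload(byManager).slice(0, 2), notificationCounts(byManager));
console.log('Role/Privilege:', workload(byPrivilege), notificationCounts(byPrivilege));
console.log('Overloaded at limit 20:', overloaded(byPrivilege, 20));
```

Run it with node. What to watch is the product of "users per manager" and "distinct privileges per user" under the Manager option against the number of privileges per MX_ATTESTER under the Role/Privilege option; in the constructed data each manager gets 13 small tasks while the privilege owners get 8 and 50 tasks, one of them with all 1000 users. overloaded() tells you over how many attesters a privilege owner's work would have to be spread once the limit is exceeded.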




The next step is building the custom UI supporting the attestation process (we recommend SAPUI5 consuming the standard IdM REST API, which exposes the tasks generated by the attestation process):


Attestation UI home page



UI overview



UI overview option 2


In addition we can add some useful functionality:

  • Additional user information

  • Role/privilege description, as the technical name alone might not be enough

  • For privileges, the back-end system they belong to



Additional user info



UI comment



Info on delegated tasks


Note: delegated users from each task are no longer visible in the initial attester's inbox, but we can still retrieve the number of delegated users and display a warning when a delegation exists.

Here are most of the REST calls used from the SAPUI5 app (examples):

SAP IdM Attestation REST options

  • ToDo tab – attester overview (example):

    • /idmrestapi/v2/service/TaskCollection - GET

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments/$count - GET

  • Detail UI

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments - GET

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData - GET

  • Detail Delegate (example)

    • Get Users

      • /idmrestapi/v2/service/ET_MX_PERSON?filterBasic=USER_ID - GET

    • Delegate to User

      • /idmrestapi/v2/service/Decision?InstanceID='NxNN'&SAP__Origin='IDM'&DecisionKey='DELEGATE'&DelegateId='12312'&LinkId='31231232112'&Comments='test' - POST

    • Assignments refresh after action

      • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments - GET

      • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData - GET

  • Detail REST calls (overview with examples)

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments - GET

    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData - GET

    • Detail Certify

      • /idmrestapi/v2/service/Decision?InstanceID='NxNN'&SAP__Origin='IDM'&DecisionKey='ATTEST'&Action='CERTIFY'&LinkId='123123123'&Comments='test' - POST
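The calls listed above, as an added example that is not code from the original post or from SAP: a small URL-building layer a SAPUI5 app could put in front of its model or XHR calls. The service root, entity names and Decision parameters are the ones shown in the list; the OData string-literal escaping, the instance-ID check and the recording transport are assumptions made here. The value worth watching is Comments, which comes straight from a text field in the UI and has to be escaped as an OData string literal (single quotes doubled) and then URL-encoded, so a comment containing a quote or an ampersand cannot alter the query.

```javascript
// Added example, not code from the original post or SAP's own client: helper
// functions that build the IdM REST (OData) URLs listed above, the way a SAPUI5
// app would before handing them to a model or XHR. The paths and parameter
// names are the ones shown in the post; the escaping rules (OData string
// literal, then URL encoding), the ID validation and the fake transport are
// assumptions made here.

const SERVICE_ROOT = '/idmrestapi/v2/service';

// OData string literal: wrap in single quotes, doubling any embedded quote,
// then percent-encode so a comment such as O'Brien or "&x=y" cannot alter the
// query. Input is coerced to string so a numeric id works as well.
function odataString(value) {
  const doubled = String(value).replace(/'/g, "''");
  return `'${encodeURIComponent(doubled)}'`;
}

// Instance IDs in the post look like 'NxNN'; be strict so a value that came
// from the UI cannot carry path separators or query syntax (assumed charset).
function checkInstanceId(instanceId) {
  if (!/^[A-Za-z0-9_-]+$/.test(instanceId)) {
    throw new Error(`refusing to build URL for instance id ${JSON.stringify(instanceId)}`);
  }
  return instanceId;
}

// TaskCollection(SAP__Origin='IDM',InstanceID='...') entity key segment.
function taskKey(instanceId, origin = 'IDM') {
  return `TaskCollection(SAP__Origin=${odataString(origin)},InstanceID=${odataString(checkInstanceId(instanceId))})`;
}

// GET URLs used by the ToDo tab and the detail view.
const urls = {
  taskList: () => `${SERVICE_ROOT}/TaskCollection`,
  assignmentCount: (id) => `${SERVICE_ROOT}/${taskKey(id)}/Assignments/$count`,
  assignments: (id) => `${SERVICE_ROOT}/${taskKey(id)}/Assignments`,
  customAttributes: (id) => `${SERVICE_ROOT}/${taskKey(id)}/CustomAttributeData`,
  userSearch: (userId) => `${SERVICE_ROOT}/ET_MX_PERSON?filterBasic=${encodeURIComponent(userId)}`,
};

// POST /Decision with the query parameters seen in the post. Parameters are an
// ordered list so the URL is deterministic; every value goes through odataString.
function decisionUrl(instanceId, decisionKey, extra, origin = 'IDM') {
  const params = [
    ['InstanceID', checkInstanceId(instanceId)],
    ['SAP__Origin', origin],
    ['DecisionKey', decisionKey],
    ...Object.entries(extra),
  ];
  return `${SERVICE_ROOT}/Decision?` + params.map(([k, v]) => `${k}=${odataString(v)}`).join('&');
}

function certifyUrl(instanceId, linkId, comments) {
  return decisionUrl(instanceId, 'ATTEST', { Action: 'CERTIFY', LinkId: linkId, Comments: comments });
}

function delegateUrl(instanceId, delegateId, linkId, comments) {
  return decisionUrl(instanceId, 'DELEGATE', { DelegateId: delegateId, LinkId: linkId, Comments: comments });
}

// Hypothetical transport stub standing in for jQuery.ajax / fetch; it records
// what would be sent so the flow can be exercised offline. After a decision the
// app re-reads Assignments and CustomAttributeData, as in the post.
function makeClient(send) {
  return {
    certify: (id, linkId, comments) => send('POST', certifyUrl(id, linkId, comments)),
    delegate: (id, delegateId, linkId, comments) => send('POST', delegateUrl(id, delegateId, linkId, comments)),
    refresh: (id) => [urls.assignments(id), urls.customAttributes(id)].map((u) => send('GET', u)),
  };
}

const sent = [];
const client = makeClient((method, url) => { sent.push({ method, url }); return { method, url }; });
client.certify('NxNN', '123123123', "looks fine, O'Brien & team");
client.refresh('NxNN');
console.log(sent);
```

Keep the real HTTP call behind the same function boundary: the session cookie or SSO token the IdM REST API expects is attached by the transport, never by the URL builders, and any instance id or link id that fails the check is dropped before a request is formed.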






The next step is to create and manage the process that triggers the attestation in IdM:


IdM UI managing attestations


An important customization here concerns the notifications: the standard functionality sends one notification per task, and in 99% of the cases one attester has 20 to 100 tasks or even more. The customization sends the notifications per attester instead, so each attester receives only one initial notification and one reminder.

The final step of this implementation is the set of reports covering the attestation processes:

  1. report for active tasks - basic report

  2. report for active tasks - detail report with users inside and delegation info

  3. report for delegated tasks (admin report) - detail info with initial attester and delegated attester

  4. report for delegated tasks (self service) - executed from the attesters for themselves

  5. report of the last attestation date per privilege/role

  6. report for expired tasks


I hope that this blog presents a few options and gives a better understanding of the functionality provided within SAP IdM Attestation. SAP IdM supports a number of possible scenarios and gives great flexibility in how you decide to implement the process.

This is one possible solution to an audit observation, as the yearly access review is an important process in every company.

I hope this blog is useful; any feedback or questions are welcome 🙂

Kind Regards,

Simona Lincheva
11 Comments
former_member409784
Excellent blog Simona. Thanks for sharing!

 
simona_lincheva4

Hi Sivajan,

Thanks, I’m glad you like it 🙂

BR,

Simona

Thanks for the blog...very useful.
former_member661383
Excellent Simona. How can we know which roles are attested and which are not? MXI_ATTESTATION shows only the active attestations.
simona_lincheva4
Hi Ranjan,

You can have a report listing the last attestation date of the role/privilege and whether the attestation is active or not. Here are the attributes you can use for your report:

MX_ATTEST_ACTIVE

MX_ATTEST_NEXTDATE

MX_ATTEST_LASTDATE

Those attributes are updated by the standard attestation procedure and you can use them to get the attestation info you need.

BR,

Simona
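Building on the reply above, as an added example that is not code from the original post: a Node.js report that classifies roles/privileges by the three attributes named there (in progress, attested, overdue, never attested), which also covers reports 5 and 6 in the post's list. The sample records, the value formats (MX_ATTEST_ACTIVE as "1"/"0", dates as ISO strings), the 365-day review period and the status names are assumptions made for this example.

```javascript
// Added example, not from the original post: a role/privilege attestation
// status report built from the three attributes named in the reply
// (MX_ATTEST_ACTIVE, MX_ATTEST_LASTDATE, MX_ATTEST_NEXTDATE). The records are
// constructed; the value formats (active flag "1"/"0", dates as ISO strings),
// the review period and the status names are assumptions for this example.

const REVIEW_PERIOD_DAYS = 365;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Empty or unparsable attribute values count as "not set".
function parseDate(value) {
  if (!value) return null;
  const d = new Date(value);
  return Number.isNaN(d.getTime()) ? null : d;
}

// IN_PROGRESS: an attestation task is currently open for this entry.
// NEVER_ATTESTED: no last date recorded at all.
// OVERDUE: next date already passed, or (no next date) last attestation older
// than the review period.
// ATTESTED: everything else.
function attestationStatus(entry, now) {
  const last = parseDate(entry.MX_ATTEST_LASTDATE);
  const next = parseDate(entry.MX_ATTEST_NEXTDATE);
  if (entry.MX_ATTEST_ACTIVE === '1') return 'IN_PROGRESS';
  if (!last) return 'NEVER_ATTESTED';
  const overdue = next ? next < now : (now - last) / MS_PER_DAY > REVIEW_PERIOD_DAYS;
  return overdue ? 'OVERDUE' : 'ATTESTED';
}

// Rows for the report, a count per status, and the entries an admin has to
// act on (start an attestation or chase the attester).
function attestationReport(entries, now) {
  const rows = entries.map((e) => ({
    name: e.MSKEYVALUE,
    lastAttested: e.MX_ATTEST_LASTDATE || null,
    nextDue: e.MX_ATTEST_NEXTDATE || null,
    status: attestationStatus(e, now),
  }));
  const summary = {};
  for (const r of rows) summary[r.status] = (summary[r.status] || 0) + 1;
  const needsAction = rows
    .filter((r) => r.status === 'OVERDUE' || r.status === 'NEVER_ATTESTED')
    .map((r) => r.name);
  return { rows, summary, needsAction };
}

// Constructed sample entries (not real IdM data).
const SAMPLE_ENTRIES = [
  { MSKEYVALUE: 'PRIV:SAP_ALL_DISPLAY', MX_ATTEST_ACTIVE: '0', MX_ATTEST_LASTDATE: '2023-09-15', MX_ATTEST_NEXTDATE: '2024-09-15' },
  { MSKEYVALUE: 'ROLE:FINANCE_ADMIN', MX_ATTEST_ACTIVE: '1', MX_ATTEST_LASTDATE: '2023-02-01', MX_ATTEST_NEXTDATE: '2024-02-01' },
  { MSKEYVALUE: 'PRIV:HR_PAYROLL', MX_ATTEST_ACTIVE: '0', MX_ATTEST_LASTDATE: '2022-11-20', MX_ATTEST_NEXTDATE: '2023-11-20' },
  { MSKEYVALUE: 'PRIV:LEGACY_REPORT', MX_ATTEST_ACTIVE: '0', MX_ATTEST_LASTDATE: '2023-01-15', MX_ATTEST_NEXTDATE: '' },
  { MSKEYVALUE: 'ROLE:NEW_PROJECT', MX_ATTEST_ACTIVE: '0', MX_ATTEST_LASTDATE: '', MX_ATTEST_NEXTDATE: '' },
];
const REPORT_DATE = new Date('2024-03-01T00:00:00Z');

console.table(attestationReport(SAMPLE_ENTRIES, REPORT_DATE).rows);
```

The same classification can be pushed into the SQL report the post mentions once the attribute storage is known; keeping it in code first makes the rules (what "overdue" means without a next date, how the active flag wins) explicit and testable.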
Mathys
Hi Simona,

We're trying to build a similar UI5 at the moment, but struggling to get a connection to IdM on the deployed app.

I suspect it is because we're still using Fiori on-premise on Gateway rather than the Cloud one, which would allow us a connection via SAP Cloud Connector, which is how we are able to test successfully via SAP Web IDE.
simona_lincheva4
Hi Mathys,

 

What exactly is the issue: is the REST API you are calling not reachable from the application you deployed?

The specific case here is that the REST call needs an authenticated user, as those are tasks from the attester's inbox, so the user needs the correct authorizations in IdM, and if there is no SSO you will get a popup for the login.

 

BR,

Simona
Mathys
Hi Simona,

We have resorted to creating an RFC connection and a manual SEGW service which uses the HTTP_CLIENT and REST_CLIENT classes in ABAP to pass data to and from IdM and presenting the data in the UI5 app.

This seems to work, but we suspect this isn't the ideal solution.

Our previous attempt in WebIDE made a connection via SAP Cloud Connector which was a more ideal solution as all the code resided within the UI5 app, but Gateway doesn't connect to IdM via SCC.

It looks like your UI5 app is deployed on IdM itself. Did you use NWDS to develop it?

 

Thanks
Thys
simona_lincheva4
Hi Mathys

 

We used the Web IDE for this, but it was deployed on the Portal where the IdM AS Java is running.

We also tested the connection with the Web IDE, just for testing, and it was working as well; I will check again and update further if I missed something.

 

BR,

Simona
jamesw_
Hi,

What is the link between Task and Role?

We have a list of Tasks, from TaskCollection, and want to know the MS_KEY_VALUE of the Role that the task belongs to. How do we obtain this? All we have from TaskCollection is InstanceId.

Regards,

James
arindam_samanta

Hello Simona,

I have created a very simple UI5 application for this ATTESTATION & deployed in SAP IDM AS server. I have used WEBIDE to build the application. But the application is performing very slow in production. You can find the picture of the application.

The application has two buttons: Certify the Attestation & Reject the attestation using the service "/Decision".

Do you have any idea behind the slow performance of the application in production?

Please let me know.

Thanks,
Arindam
