“Assimilate this” – Worf, Star Trek First Contact
I think this is a good way to start this discussion of how SAP IDM can be used to provision information to a custom application.
In my previous blog, I explained how to use existing SAP IDM templates to load identity data from a fictional database application called “NonSAPApp.” In this entry, I will explain how to use the Provisioning Framework to enable provisioning from the SAP IDM Web UI.
To do this, I created a folder called NONSAPAPP in the Provisioning Framework folder under the CONNECTORS node, then a subfolder called Plugins, followed by six Ordered Tasks as shown below:
Each of these tasks needs to be mapped in the NONSAPAPP IDM Repository. Note how the numbers in the task names correspond to the MX_HOOK repository constants:
To keep things simple, this blog only specifies a subset of the functions. If you look at one of the other connectors, you’ll see what else can be done with an SAP IDM connector. As far as I know there is no reason you cannot extend this custom connector (or any connector, for that matter) with additional Hook Tasks based on this model.
In this example, we only go into detail for the Create, Modify, and Delete User Hook Tasks. I created stubs for the Role tasks but did not do anything with them; they can easily be filled in based on the contents of this blog.
In the Create Task, I used a “To Database” pass. Nothing terribly fancy here. Note that I used the User table from my “application” and mapped the attributes to its columns.
The big question that usually gets asked at this point is how you populate the Repository constant when there is no Repository assigned by default. There are a couple of things you can do to resolve this:
- Use Copy/Paste or manually type it in.
- Temporarily assign the application repository, set the constants, then set the repository back to “None / Inherited”. This is the better practice: because the pass now refers to the repository constant rather than a hard-coded name, it survives a rename of the repository, and if you disable the repository, provisioning cannot occur. If the pass is populated with the literal repository name instead, provisioning might still be able to occur against a disabled repository.
Also, in case you were wondering, I left “Public task” selected so that I can test from the Console if needed. Always helpful.
There’s not much to say about the Modify task; it’s pretty much a copy of the Create task.
One thing to consider at some point: if you need logic to check the changes being made before they are written to the application, you’ll need to introduce some scripting in this task.
At last we come to the Delete Task. It might just be the most direct. My example is very simple, since this is a simple application. Your custom application might not be so simple, so make sure you have a good, long requirements discussion with the application owner about this. If there are requirements to disable the user first, or to make sure their assigned roles are dropped, you will need to provide for this in some sort of workflow. (The Provisioning Framework connector does allow for disable tasks; they are Hooks 6 and 7, which I did not cover in this example.)
To delete the user, I use a simple SQL statement, using the SQL updating option of the “To Database” pass. Again, this is something you’ll need to work out with your application owner and the DBA, since the service account the pass connects with might lack the DELETE permission (and should not be granted more than it needs).
I hope this brief overview has been helpful. There are multiple ways of approaching this, and I used a database method since it was the easiest to demonstrate. In real life it will most certainly not be this direct or easy, and you’ll probably need to go through some sort of API, which in some ways will be easier, since you’ll have commands available for managing the user objects in the application. If someone does create a connector using an API, I hope it gets shared here on SCN as well!
I’m also attaching the export configuration for people to examine. (Don't forget to drop the “XML” extension so that it is a valid IDM import file.) Note that there are absolutely no warranties or guarantees included with this configuration, and neither I nor SAP can be held responsible for anything that happens as a result of using this import. I threw this together quickly, but it should serve as an adequate template for you to start your customizations with.
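To make the Create, Modify and Delete hook tasks concrete, here is what the statements behind the three “To Database” passes could look like for a database application of this kind, together with the “disable first, drop roles, then delete” variant of the delete discussed above and the grants a least-privilege service account needs. This is an added example, not the configuration attached to this post: the table and column names (NONSAPAPP_USERS, NONSAPAPP_USER_ROLES and their columns) and the service account name IDM_PROV_SVC are assumptions, and the %MSKEYVALUE%, %DISPLAYNAME% and %MX_MAIL_PRIMARY% references assume SAP IDM’s %ATTRIBUTE% substitution in pass statements.

```sql
-- Added example: hypothetical target schema of the "NonSAPApp" database.
-- Table and column names are assumptions, not taken from the original post.
CREATE TABLE NONSAPAPP_USERS (
    LOGIN        VARCHAR(64)  NOT NULL PRIMARY KEY,
    DISPLAY_NAME VARCHAR(128) NOT NULL,
    EMAIL        VARCHAR(254),
    IS_ENABLED   SMALLINT     NOT NULL DEFAULT 1,
    MODIFIED_AT  TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
);

CREATE TABLE NONSAPAPP_USER_ROLES (
    LOGIN     VARCHAR(64) NOT NULL REFERENCES NONSAPAPP_USERS(LOGIN),
    ROLE_NAME VARCHAR(64) NOT NULL,
    PRIMARY KEY (LOGIN, ROLE_NAME)
);

-- Hook 1, Create User: the "To Database" pass maps identity attributes to
-- columns; this is the statement it amounts to. %MSKEYVALUE% and the other
-- placeholders assume IDM's %ATTRIBUTE% substitution.
INSERT INTO NONSAPAPP_USERS (LOGIN, DISPLAY_NAME, EMAIL, IS_ENABLED)
VALUES ('%MSKEYVALUE%', '%DISPLAYNAME%', '%MX_MAIL_PRIMARY%', 1);

-- Hook 2, Modify User: update only the attributes IDM owns, keyed on the
-- login, which is the identifier the pass must never rewrite.
UPDATE NONSAPAPP_USERS
   SET DISPLAY_NAME = '%DISPLAYNAME%',
       EMAIL        = '%MX_MAIL_PRIMARY%',
       MODIFIED_AT  = CURRENT_TIMESTAMP
 WHERE LOGIN = '%MSKEYVALUE%';

-- Hook 3, Delete User, the simple form used in the post.
DELETE FROM NONSAPAPP_USERS WHERE LOGIN = '%MSKEYVALUE%';

-- Delete with the "disable first, drop roles, then delete" requirement,
-- run as one transaction so a failure part-way leaves the account
-- disabled rather than half-removed. The disable step could equally be
-- its own pass (hook 6) if the workflow needs an approval in between.
BEGIN TRANSACTION;
UPDATE NONSAPAPP_USERS
   SET IS_ENABLED = 0, MODIFIED_AT = CURRENT_TIMESTAMP
 WHERE LOGIN = '%MSKEYVALUE%';
DELETE FROM NONSAPAPP_USER_ROLES WHERE LOGIN = '%MSKEYVALUE%';
DELETE FROM NONSAPAPP_USERS      WHERE LOGIN = '%MSKEYVALUE%';
COMMIT;

-- Least privilege for the service account the pass connects with
-- (IDM_PROV_SVC is an assumed name): DML on the two provisioning tables
-- only, no DDL and no access to the rest of the application schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON NONSAPAPP_USERS      TO IDM_PROV_SVC;
GRANT SELECT, INSERT, DELETE         ON NONSAPAPP_USER_ROLES TO IDM_PROV_SVC;
```

Two cautions when taking this to a real target. First, the attribute values are substituted into the statement as text, so a value containing a single quote (a display name like O'Brien, or anything a user can type into a self-service form) will at best break the pass and at worst change its meaning; either constrain the attributes that may reach an SQL updating statement or sanitize them in a script before the pass runs. Second, agree the GRANTs with the DBA before the connector goes live: a service account that can only insert, update and delete in these two tables limits the damage a misconfigured or compromised pass can do, and if DELETE is refused by policy, the disable step alone is the correct fallback.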