SAP NetWeaver Identity Management
PDF download from SAP Help Portal:
http://help.sap.com/saphelp_nwidmic_72/helpdata/en/ec/fb9fcba923426f8715c3bf66e87cb9/content.htm
Created on September 02, 2014

The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help Portal.

Note
This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.

© 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE
and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by
SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other
SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other
countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

PUBLIC
© 2014 SAP SE or an SAP affiliate company. All rights reserved.

Page 1 of 17

Table of Contents
1 SAP NetWeaver Identity Management
1.1 SAP NetWeaver Identity Management Provisioning Framework for SAP Systems: Architectural Overview
1.2 Installation
1.2.1 Installing and Configuring SAP NetWeaver Identity Management User Interface for HTML5
1.2.1.1 Introduction
1.2.1.1.1 SAP UI Development Toolkit for HTML5 (SAPUI5)
1.2.1.1.2 SAP NetWeaver Identity Management REST Interface Version 2
1.2.1.1.3 Prerequisites
1.2.1.1.4 Installation and Configuration Process
1.2.1.1.5 Limitations and Considerations
1.2.1.2 Authorization and Authentication for the Identity Management User Interface for HTML5
1.2.1.2.1 Assigning the Role idm.user
1.2.1.2.2 Enabling Single Sign-On with Logon Tickets
1.2.1.3 Adding the Predefined User Interface Tasks and Configuring the Solution
1.2.1.3.1 Importing the Task Folder
1.2.1.3.2 Configuring the Solution
1.2.1.3.2.1 Defining the DESCRIPTION Attribute for the MX_ROLE Entry Type
1.2.1.3.2.2 Maintaining the Attributes for the My Data Task
1.2.1.3.2.2.1 Virus Scan Interface
1.2.1.3.2.3 Maintaining the Attribute MX_BUSINESS_AREA for Entry Type MX_ROLE
1.2.1.3.2.4 Access Control for the Tasks
1.2.1.3.2.5 Configuring the AS Java for SSL Use
1.2.1.4 Deploying the Identity Management User Interface for HTML5
1.2.1.5 Accessing the Identity Management User Interface for HTML5
1.2.1.6 Upgrading the Identity Management User Interface for HTML5
1.3 Reference
1.3.1 OData REST Interface
1.3.1.1 SAP NetWeaver Identity Management REST Interface Version 2
1.3.2 Reporting
1.3.2.1 Identity Reporting Using SAP NetWeaver Business Warehouse
1.4 SAP Provisioning Framework
1.4.1 SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide
1.4.2 SAP NetWeaver Identity Management Provisioning Framework for SAP Systems Version 2: Configuration Guide
1.4.3 UWL Integration Configuration Guide
1.4.3.1 History of Changes
1.4.3.2 Introduction
1.4.3.3 Prerequisites
1.4.3.4 Tasks
1.4.3.4.1 Deploying the IDM Connector for UWL
1.4.3.4.2 Setting up Remote Access to the Portal (Optional)
1.4.3.4.2.1 Configuring the Use of Logon Tickets
1.4.3.4.2.2 Registering the IDM Connector for UWL in the Portal
1.4.3.4.2.2.1 Registering the IDM Connector (Release 7.0)
1.4.3.4.2.2.2 Registering the IDM Connector (Release 7.1 and higher)
1.4.3.4.2.3 Configuring the IDM Connector in the UWL Configuration
1.4.3.4.2.4 Processing Identity Management Tasks from the UWL Worklist
1.4.3.4.2.5 Troubleshooting
1.4.3.4.2.5.1 Cannot Deploy the IDM Connector for UWL
1.4.3.4.2.5.2 UWL Worklist Error
1.4.3.4.2.5.3 Users are Prompted for User ID and Password

1 SAP NetWeaver Identity Management
SAP NetWeaver Identity Management provides central role-based identity management for provisioning user and access data within your heterogeneous system
landscape. It enables you to control all identities within your organization, not only for employees, but also for contractors, customers, partners, and other identities
that need to access your organization’s applications.
SAP NetWeaver Identity Management can connect to any number of different applications and ensure that the identity information is updated correctly in each of
these applications. It provides a unified view of the virtual identity of the users.
In addition to central user provisioning, SAP NetWeaver Identity Management offers the following functions:
Approvals Workflow
A web-based workflow that defines an approval process based on business rules and policies to assign and maintain access rights for users across
multiple systems.
Rules- and Roles-based Provisioning
The use of roles to assign privileges to users.
Password Management
The provisioning of passwords including a password-reset self-service for users and password synchronization across all connected target systems.
Audit and Monitoring
A centralized reporting function for compliance and auditability
Standards-based Support for Identity Federation
A feature enabling cross-company identity management scenarios and integration with SAP NetWeaver Single Sign-On.
The architecture of SAP NetWeaver Identity Management consists of the two main components:
Identity Center
This is the primary component for identity management. Identity Center uses a centralized repository, called the identity store, to provide a uniformed view of
the data, regardless of the data's original source.
Virtual Directory Service
This component logically represents information from a number of disparate directories, databases, and other data repositories in a virtual directory tree. You
decide which views of the information different users and applications can access.
SAP NetWeaver Identity Management is integrated with SAP Business Suite software, for example, the SAP ERP Human Capital Management solution.
Depending on your SAP NetWeaver Identity Management release, you can integrate SAP NetWeaver Identity Management with the SAP NetWeaver Business
Warehouse component or the SAP BusinessObjects Access Control application.

1.1 SAP NetWeaver Identity Management Provisioning Framework for SAP Systems: Architectural Overview
This document provides an architectural overview of system landscapes that use the SAP Provisioning Framework.

History of Changes
The following table provides an overview of the most important document changes.
Table 1:
Version      Change
7.2 Rev 0    Initial release.

1.2 Installation
The following sections describe the installation of the SAP NetWeaver Identity Management components.

1.2.1 Installing and Configuring SAP NetWeaver Identity Management User Interface for HTML5
This document describes how to install and configure the SAP NetWeaver Identity Management User Interface for HTML5.

1.2.1.1 Introduction
SAP NetWeaver Identity Management User Interface for HTML5 is a user interface based on HTML5 and JavaScript, developed using the SAP UI
Development Toolkit for HTML5 (SAPUI5). It also uses SAP NetWeaver Identity Management REST Interface Version 2.
SAP NetWeaver Identity Management User Interface for HTML5 can be used by all users to maintain their own profile information and request new roles
(self-service). Authorizations are grouped into business roles, which are made available to end users, who can request assignment of the business roles.
SAP NetWeaver Identity Management User Interface for HTML5 only supports assignment requests for business roles, that is, users cannot request
privilege assignments.
Managers and administrators can also use SAP NetWeaver Identity Management User Interface for HTML5 for role request approvals. Although privilege
assignment requests from the users are not supported, the My Approvals page supports approving and declining both business role assignments and privilege
assignments for managers and administrators, to support cases in which approval workflows are set up for individual privileges, triggered either by automated
processes or by other UIs or APIs.

1.2.1.1.1 SAP UI Development Toolkit for HTML5 (SAPUI5)
The SAP UI Development Toolkit for HTML5 (SAPUI5) is SAP's new enterprise-ready HTML5 rendering library for client-side UI rendering and programming. It
combines the advantages of being open and flexible as well as being enterprise ready, supporting all SAP Product Standards. While Web Dynpro is best suited
to heavyweight transactional applications for expert usage, SAPUI5 is designed for building lightweight consumer-grade UIs for casual usage. It is aimed at
developers at SAP and customers with web development skills (HTML, CSS3, JavaScript). SAPUI5 provides extensible controls and powerful theming but is
easy to consume, based on open standards, and integrates with third-party JavaScript libraries. SAPUI5 applications run on a wide range of devices
(smartphone, tablet, and desktop) and on multiple server platforms.

Related Information
UI Development Toolkit for HTML5 Developer Center (SAP Developer Center)
A Vocabulary and Associated APIs for HTML and XHTML (W3C Editor's Draft)

1.2.1.1.2 SAP NetWeaver Identity Management REST Interface Version 2
The SAP NetWeaver Identity Management REST Interface offers a remote interface to SAP NetWeaver Identity Management and its data, that is, it allows you to
use custom user interfaces (UIs) that access the SAP NetWeaver Identity Management data.
For more information about the Identity Management REST Interface Version 2, see SAP NetWeaver Identity Management REST Interface Version 2.

Related Information
SAP NetWeaver Identity Management REST Interface Version 2
Virus Scan Interface

1.2.1.1.3 Prerequisites
Before you can install and configure the Identity Management User Interface for HTML5, the following prerequisites need to be fulfilled.
You should have the following knowledge:
Thorough knowledge of SAP NetWeaver AS Java and its tools.
Thorough knowledge of SAP NetWeaver Identity Management, and Identity Center in particular.
The following software is required:
SAP NetWeaver 7.3 SP9 Patch 1 and higher, or SAP NetWeaver 7.3 including Enhancement Package 1 (EHP1) SP6 Patch 3 and higher (on which
SAP NetWeaver Identity Management User Interface and SAP NetWeaver Identity Management User Interface for HTML5 are to be deployed).
SAP NetWeaver Identity Management Identity Center version 7.2 SP8 or higher must be correctly installed and licensed.
An Identity Center where at least one dispatcher is configured and running (see SAP NetWeaver Identity Management Identity Center: Initial Configuration).
SAP NetWeaver Identity Management User Interface is installed and configured in accordance with SAP NetWeaver Identity Management Identity Center:
Installing and configuring the Identity Management User Interface.
SAP NetWeaver Identity Management REST Interface Version 2 is deployed on your AS Java (where the SAP NetWeaver Identity Management User
Interface is deployed) in accordance with SAP NetWeaver Identity Management REST Interface Version 2.
The SAPUI5 library is required. It is available as an AS Java Extension for the SAP NetWeaver version you are using (versions 7.3 SP9
Patch 1 and higher, or EHP1 for SAP NetWeaver 7.3 SP6 Patch 3 and higher). Download the library extension from the SAP Software Download Center and
deploy the downloaded SCA file on your AS Java server, using the Software Update Manager (SUM).

Note
To locate the correct SAPUI5 library, choose the following path on the SAP Software Download Center:
Support Packages and Patches > A-Z Index > N > SAP NETWEAVER > <your SAP NETWEAVER version> > Entry by Component > AS Java Extensions > SAPUI5 CLIENT RT AS JAVA <your SAP NW version> > OS independent.

Related Information
SAP NetWeaver Identity Management Identity Center Installation overview
SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface
SAP NetWeaver Identity Management Identity Center Initial Configuration
SAP NetWeaver Identity Management REST Interface Version 2
SAP Software Download Center
Using the Software Update Manager (SUM)

1.2.1.1.4 Installation and Configuration Process
When all prerequisites are fulfilled, you can start the installation and configuration of the Identity Management User Interface for HTML5.
The process of installing and configuring the Identity Management User Interface for HTML5 involves completing the following steps:
Authorization and authentication for the REST interface:
Assigning the required role and actions in User Management Engine (UME)
Enabling single sign-on with logon tickets
Adding the predefined user interface tasks in the Identity Center Management Console and configuring the solution
Deploying the Identity Management User Interface for HTML5 on your AS Java
Accessing the Identity Management User Interface for HTML5

1.2.1.1.5 Limitations and Considerations
Modifications of the Identity Management User Interface
Any modifications of the Identity Management User Interface for HTML5 are not supported.
The imported tasks should not be deleted or replaced by any similar tasks in the configuration, because the task GUIDs are referred directly in the code of
the user interface.
The imported, predefined User Interface tasks should not be modified in any way (including attributes and the access control defined on the tasks).
JavaScript files in the deployment package should not be replaced, removed or modified in any way.

Language Settings
You change the language for the Identity Management User Interface for HTML5 by modifying the language setting for the respective browser. For more information
on how to update the browser language, see the browser documentation.

Note
A limitation of Microsoft Internet Explorer 9 is that it takes the language configured for the operating system. In such a case, it is recommended that you
update to Microsoft Internet Explorer 10, which does not have this limitation.

Picture Uploads
The upload of pictures in any format is not supported by Microsoft Internet Explorer 9. In such a case, you receive the following error message: Browser
does not support getting the file for uploading. You then need to upgrade to Microsoft Internet Explorer 10.

Related Information
Identifying the Language Code / Locale

1.2.1.2 Authorization and Authentication for the Identity Management User Interface for HTML5
To access the REST API v2, the user requires the UME actions idm_authenticated and idm_authenticated_restapi. To access Identity Management
User Interface for HTML5, the user needs the UME action idm_authenticated_ui5 in addition to the actions required for the REST API v2. The role
idm.user contains all three of these UME actions, and you should assign it to the user so that he or she has the appropriate authorization and authentication for
the Identity Management User Interface for HTML5. These actions and the role are provided as part of the software component containing the Identity Management
User Interface and the REST service. All other necessary authorizations for a service call are defined by the access control of the related Identity Management UI
task.
The default configuration of the SAP NetWeaver Identity Management 7.2 REST API forces a logon on all requests using the provided basic authentication
credentials, which consumes time and leads to a high number of security sessions in the SAP NetWeaver AS Java. Using single sign-on (SSO) with logon
tickets for the REST API improves the performance.
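To illustrate the performance point above, here is an added example (not SAP's code) of a REST client pattern that sends basic authentication credentials only until the AS Java returns a logon ticket, and presents the ticket on all later calls. The AS Java stand-in, the user name and the ticket values are constructed for this example; the cookie name MYSAPSSO2 is the standard SAP logon ticket cookie, which the AS Java issues only when logon tickets are enabled for the REST service.

```python
"""Added example (not SAP's code): log on once with basic authentication,
then reuse the SAP logon ticket (MYSAPSSO2 cookie) instead of forcing a
new logon, and thus a new security session, on every REST request."""
import base64
from http.cookies import SimpleCookie

LOGON_TICKET_COOKIE = "MYSAPSSO2"  # standard SAP logon ticket cookie name


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def extract_logon_ticket(set_cookie_headers):
    """Return the MYSAPSSO2 value from a list of Set-Cookie headers, or None
    when the server did not issue a logon ticket (SSO not enabled)."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if LOGON_TICKET_COOKIE in jar:
            return jar[LOGON_TICKET_COOKIE].value
    return None


class IdmRestClientSession:
    """Decides, per request, whether to send credentials or the ticket."""

    def __init__(self, user: str, password: str):
        self._user = user
        self._password = password
        self.ticket = None
        self.basic_logons = 0  # number of requests that carried credentials

    def request_headers(self) -> dict:
        headers = {"Accept": "application/json"}
        if self.ticket is not None:
            headers["Cookie"] = f"{LOGON_TICKET_COOKIE}={self.ticket}"
        else:
            headers["Authorization"] = basic_auth_header(self._user, self._password)
            self.basic_logons += 1
        return headers

    def absorb_response(self, set_cookie_headers) -> None:
        ticket = extract_logon_ticket(set_cookie_headers)
        if ticket is not None:
            self.ticket = ticket


class FakeAsJava:
    """Constructed stand-in for the AS Java hosting the REST service. Each
    request authenticated with credentials creates a new security session
    (the cost described in the documentation); a valid ticket reuses one."""

    def __init__(self, sso_with_logon_tickets: bool, expected_auth: str):
        self.sso = sso_with_logon_tickets
        self.expected_auth = expected_auth
        self.security_sessions = 0
        self._issued = set()

    def handle(self, headers: dict) -> tuple:
        """Return (HTTP status, list of Set-Cookie headers)."""
        cookie = headers.get("Cookie", "")
        if cookie.startswith(LOGON_TICKET_COOKIE + "="):
            ticket = cookie.split("=", 1)[1]
            return (200, []) if ticket in self._issued else (401, [])
        if headers.get("Authorization") != self.expected_auth:
            return 401, []
        self.security_sessions += 1  # basic logon: new security session
        if self.sso:
            ticket = f"constructed-ticket-{self.security_sessions}"
            self._issued.add(ticket)
            return 200, [f"{LOGON_TICKET_COOKIE}={ticket}; Path=/"]
        return 200, []


def run_calls(sso_enabled: bool, calls: int = 3) -> tuple:
    """Make `calls` requests; return (basic logons, security sessions)."""
    user, password = "idmuser", "pw"  # constructed credentials
    server = FakeAsJava(sso_enabled, basic_auth_header(user, password))
    session = IdmRestClientSession(user, password)
    for _ in range(calls):
        status, set_cookies = server.handle(session.request_headers())
        if status != 200:
            raise RuntimeError(f"request rejected with status {status}")
        session.absorb_response(set_cookies)
    return session.basic_logons, server.security_sessions


if __name__ == "__main__":
    print("basic auth on every request:", run_calls(False))
    print("SSO with logon tickets:", run_calls(True))
```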

1.2.1.2.1 Assigning the Role idm.user
Context
Make sure that all users that will use the Identity Management User Interface for HTML5 are assigned the role idm.user (this assigns the necessary UME
actions idm_authenticated, idm_authenticated_restapi and idm_authenticated_ui5 to the user).
To assign the role to the users, proceed as follows:

Procedure
1. In the UME (http(s)://<server>:<port>/useradmin), search for the role idm.user.
2. Assign the role to all users that you want to be able to access the Identity Management User Interface for HTML5.

Related Information
Administration of Users and Roles in User Management Engine (UME) for SAP NetWeaver 7.3
Administration of Users and Roles in User Management Engine (UME) for SAP NetWeaver 7.3 EHP1

1.2.1.2.2 Enabling Single Sign-On with Logon Tickets
To improve performance, make sure that single sign-on with logon tickets is enabled for the REST service, as described in SAP NetWeaver Identity Management
REST Interface Version 2 (see topic Configuring Single Sign-On With Logon Tickets in the REST Interface for AS Java 7.1 and higher).

Related Information
SAP NetWeaver Identity Management REST Interface Version 2

1.2.1.3 Adding the Predefined User Interface Tasks and Configuring the Solution
You can manage information displayed in the Identity Management User Interface for HTML5 and the access restrictions for this information through User
Interface tasks in the Identity Center Management Console. You need to import predefined User Interface tasks into the Identity Center Management Console. You
should not change the User Interface, and therefore should not delete, replace, or modify the imported, predefined User Interface tasks in any way.
Some configuration is required for the solution.

1.2.1.3.1 Importing the Task Folder
Context
The file UI tasks for HTML5.mcc contains a folder with the predefined User Interface tasks. To import the folder, proceed as follows:

Procedure
1. In the Identity Center Management Console, select the identity store node in the console tree (by default, Enterprise People) and choose Import… from the
context menu.
2. Navigate to the directory <Identity Center install directory>/Templates/Identity Center/UI for HTML5 and select the file UI tasks for HTML5.mcc.
3. Choose Open. The SAP NetWeaver Identity Management Configuration Copy Tool dialog box appears.
4. Select the option Link tasks into display- and event properties on entry types and attributes and make sure that Import is selected.
5. Select the Advanced tab and make sure that a dispatcher is selected for the imported tasks.
6. Choose Next > and then Import.
7. When the import is completed, choose Finish. Alternatively, to view the details about the completed import, choose View logfile before choosing Finish.

Results
The imported folder with all the User Interface tasks is added to the Identity Center identity store (you may have to refresh the console tree before it is visible).

The imported folder contains the following User Interface tasks (name of the UI task, followed by its description):

Display Identity
    Displays the details of an identity entry. For future use.

My Data
    Retrieves and updates the user data (for example, user picture, name (first, last and middle name(s)), title, language, and so on). Associated with the
    My Data page (overview data) and the Change My Data page (accessed from the My Data page by choosing the Change My Data button) in the
    Identity Management User Interface for HTML5.

My Roles
    Retrieves and updates details about the assigned roles and requested new roles. Associated with the My Roles page and the My Requests page in the
    Identity Management User Interface for HTML5.

Display Role
    Displays detailed information of a role (for example, role description). Associated with the pages My Requests and My Roles in the Identity Management
    User Interface for HTML5.

Display Company Address
    Displays detailed information for a company address (information like company name, location, phone number, and so on). Associated with the
    Workplace Data section of the My Data page in the Identity Management User Interface for HTML5.

My Security Questions
    Retrieves the currently available security questions and updates the answers to these questions. Associated with the My Security Questions section of
    the My Data page and the Change My Security Question page (accessed from the My Data page, under the My Security Questions section) in the
    Identity Management User Interface for HTML5.

Business Area (Allowed Values)
    Retrieves the list of defined business areas, which can be used to search for roles that are relevant for a specific business area. Associated with the
    My Requests page in the Identity Management User Interface for HTML5.

Do not delete, replace, or modify the imported, predefined User Interface tasks in any way.

Note
The imported tasks cannot be deleted or replaced by any similar tasks in the configuration, because the task GUIDs are referred to directly in the code of the
user interface.

Note
Do not modify the imported tasks to include new attributes.

Note
Do not modify access control for the predefined tasks.

1.2.1.3.2 Configuring the Solution
To use the predefined User Interface tasks for Identity Management User Interface for HTML5, you need to configure or maintain the following:
In the List column of the Attributes tab of the MX_ROLE entry type, select the DESCRIPTION attribute.
Maintain the values of the attributes MX_SALUTATION, MX_TITLE_SUPPLEMENT, and MXREF_MX_COMPANY_ADDRESS for the My Data task.
Maintain the values for the attribute MX_BUSINESS_AREA for the entry type MX_ROLE.
View the access control defined for the User Interface tasks.
Activate HTTPS (the use of SSL) on your AS Java.

1.2.1.3.2.1 Defining the DESCRIPTION Attribute for the MX_ROLE Entry Type
Context
For the entry type MX_ROLE, you need to select the attribute DESCRIPTION in the List column of the entry type's Attributes tab. This is important for the
description information displayed on the My Requests page in the Identity Management User Interface for HTML5.

Procedure
1. Select and open the entry type MX_ROLE in the console tree of the Identity Center Management Console (under the Entry types node of the identity store
schema) to view the entry type's properties.
2. Select the Attributes tab.
3. Find the DESCRIPTION attribute and select the List option.
4. Choose OK to save and close the dialog box.

1.2.1.3.2.2 Maintaining the Attributes for the My Data Task
The My Data task is responsible for retrieving and updating the user data like user picture, name (first, last, and middle name(s)), title, or language. No actual
configuration of the User Interface task is necessary, but you need to maintain some attribute values:
MX_SALUTATION: Language-specific ABAP mapping attribute displaying the title of the user (Mr, Mrs, and so on). The input help for the attribute needs to be
retrieved from the system (read from the customizing tables TSAD3 and TSAD3T) or maintained manually. The value defined for this attribute for the given identity
entry also needs to be retrieved from the system, and any changes in the value should be updated in the system.
MX_TITLE_SUPPLEMENT: Language-specific ABAP mapping attribute displaying a title supplement, such as a noble title. Retrieve the input help for the
attribute from the system (read from the customizing table TSAD5) or maintain it manually. The value defined for this attribute for the given identity entry also needs
to be retrieved from the system, and any changes in the value should be updated in the system.
MXREF_MX_COMPANY_ADDRESS: This entry reference attribute should be retrieved from the system (or maintained manually). The workplace location data
displayed on the user interface is derived from this value.
The allowed values for attributes MX_SALUTATION and MX_TITLE_SUPPLEMENT, and the valid entries for the entry reference MXREF_MX_COMPANY_ADDRESS
can be obtained using the standard "initial load" job templates of the SAP provisioning framework. Check if the necessary data is already available in your identity
store and that it is correct. If not, obtain the data using the "initial load" jobs. You can also use the SAP provisioning framework to read the values/references
defined for the identity entries into the identity store and to provision this data to target systems. For more details about the SAP provisioning framework and the
"initial load" jobs, see SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide.

Related Information
SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide

1.2.1.3.2.2.1 Virus Scan Interface
The option to upload user pictures to the Identity Management User Interface for HTML5 could be abused for virus distribution. Identity Management
REST Interface 2.0 supports the virus scan interface of the AS Java for write access of the binary attributes in the identity store. For details about how to set up the
virus scan interface and how to configure it for different services, such as the Identity Management REST interface, see the documentation regarding the virus
scan interface for your AS Java on SAP Help Portal.
To learn more about the details that are specific to using the virus scan interface together with the Identity Management REST interface, see SAP NetWeaver
Identity Management REST Interface Version 2.

Related Information
Virus Scan Interface for SAP NetWeaver 7.3 (SAP Help Portal)
Virus Scan Interface for SAP NetWeaver 7.3 EHP1 (SAP Help Portal)
SAP NetWeaver Identity Management REST Interface Version 2

1.2.1.3.2.3 Maintaining the Attribute MX_BUSINESS_AREA for Entry Type MX_ROLE
We recommend that you categorize the roles into business areas, which means maintaining the MX_BUSINESS_AREA attribute of the MX_ROLE entry type.
This information is used and displayed by the My Roles task, which retrieves and updates the details about the assigned roles and requested new roles for a user.
The My Requests page of the User Interface allows the filtering of roles by business area.

1.2.1.3.2.4 Access Control for the Tasks
Do not modify access control for the predefined tasks.

1.2.1.3.2.5 Configuring the AS Java for SSL Use
Context
To be able to update the answers to the security questions on the Change My Security Questions page in the Identity Management User Interface for HTML5,
HTTPS must be activated for the AS Java on which the User Interface is installed. There are two ways to configure the use of SSL: either manually, by
configuring the ICM and the AS Java keystore separately, or by using the SSL configuration tool in SAP NetWeaver Administrator.
Proceed as follows:

Procedure
1. Follow the steps described in Configuring the Use of SSL on the AS Java.
2. Your AS Java is ready to use SSL. You may want to test the SSL connection to the AS Java after performing the configuration.

Related Information
Configuring the Use of SSL on the AS Java for SAP NetWeaver 7.3
Configuring the Use of SSL on the AS Java for EHP 1 for SAP NetWeaver 7.3

1.2.1.4 Deploying the Identity Management User Interface for HTML5
Context
To deploy the Identity Management User Interface for HTML5, do the following:

Procedure
1. Download the SCA file (the Identity Management User Interface for HTML5) to be deployed. Navigate to the download area of SAP NetWeaver Identity
Management 7.2 in the SAP Software Download Center (on the SAP Support Portal), and download the SCA file.

Note
To locate the correct SCA file for the Identity Management User Interface for HTML5, choose the following path on the SAP Software Download Center:
Support Packages and Patches > A-Z Index > N > SAP NW IDENTITY MANAGEMENT > SAP NW IDENTITY MANAGEMENT 7.2 > Comprised Software Component Versions > NW IDM 7.2 UI FOR HTML5 > OS independent.

Note
Make sure that the SCA file for the Identity Management User Interface for HTML5 has the same SP version as the SAP NetWeaver Identity
Management (and its user interface) and the SAP NetWeaver Identity Management REST Interface Version 2. The SCA file name is
IDM_UI_HTML5<IdM SP version>_<IdM Patch version>.sca. For example, for SAP NetWeaver Identity Management 7.2 SP8 (Patch 0),
the file name is IDM_UI_HTML508_0.sca.
2. Use the Software Update Manager (SUM) to deploy the Identity Management User Interface for HTML5 (the SCA file) on your SAP NetWeaver AS Java
where both the Identity Management REST Interface Version 2 and the Identity Management User Interface are deployed.

Related Information
SAP Software Download Center
Using the Software Update Manager (SUM)

1.2.1.5 Accessing the Identity Management User Interface for HTML5
Context
To access the Identity Management User Interface for HTML5, proceed as follows:

Procedure
1. Enter http(s)://<host>:<port>/idmui5 in your browser.
2. Provide the credentials in the logon window and choose Log On.
3. You are now logged on to the Identity Management User Interface for HTML5. The My Data page appears.

1.2.1.6 Upgrading the Identity Management User Interface for HTML5
Context
To perform an upgrade of a deployed Identity Management User Interface for HTML5 component, proceed as follows:

Note
The SCA file for the Identity Management User Interface for HTML5 must be on the same SP level as SAP NetWeaver Identity Management (and its User
Interface) and SAP NetWeaver Identity Management REST Interface Version 2. Upgrading the Identity Management User Interface for HTML5 to a new SP
version requires the upgrading of the other components to the same SP version first.
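As an added example (not SAP's code), the following pre-deployment check reads the SP and patch levels from the SCA file names documented here (IDM_UI_HTML5<SP>_<Patch>.sca for the User Interface for HTML5 and, from the Reference section, IDMREST<SP>_<Patch>.sca for the REST Interface Version 2) and reports any file whose SP level differs from the installed Identity Center SP level, which is the condition stated for both the initial deployment and an upgrade. The sample file names and the Identity Center SP level used below are constructed.

```python
"""Added example (not SAP's code): verify that the SCA files to be deployed
with SUM are on the same SP level as the Identity Center before deploying
or upgrading the Identity Management User Interface for HTML5."""
import re

# File name patterns as given in the documentation; the two-digit group is
# the IdM SP version, the second group the IdM patch version.
SCA_PATTERNS = {
    "UI for HTML5": re.compile(r"^IDM_UI_HTML5(\d{2})_(\d+)\.sca$", re.IGNORECASE),
    "REST Interface Version 2": re.compile(r"^IDMREST(\d{2})_(\d+)\.sca$", re.IGNORECASE),
}


def parse_sca_name(filename: str) -> tuple:
    """Return (component, sp_level, patch_level) for a recognised SCA name.

    Raises ValueError for names that follow neither documented pattern."""
    for component, pattern in SCA_PATTERNS.items():
        match = pattern.match(filename)
        if match:
            return component, int(match.group(1)), int(match.group(2))
    raise ValueError(f"unrecognised SCA file name: {filename}")


def check_sp_consistency(filenames, identity_center_sp: int) -> list:
    """Return a list of problems found; an empty list means every expected
    SCA is present and on the Identity Center's SP level. Patch levels may
    differ, because the documentation only requires equal SP versions."""
    problems = []
    seen = {}
    for name in filenames:
        try:
            component, sp, patch = parse_sca_name(name)
        except ValueError as err:
            problems.append(str(err))
            continue
        if component in seen:
            problems.append(f"duplicate SCA for {component}: {name}")
            continue
        seen[component] = (sp, patch)
        if sp != identity_center_sp:
            problems.append(
                f"{name}: SP{sp:02d} does not match Identity Center SP{identity_center_sp:02d}"
            )
    for component in SCA_PATTERNS:
        if component not in seen:
            problems.append(f"no SCA file given for {component}")
    return problems


if __name__ == "__main__":
    # Constructed inputs: Identity Center 7.2 SP8, one matching and one
    # mismatching set of SCA files.
    for files in (["IDM_UI_HTML508_0.sca", "IDMREST08_2.sca"],
                  ["IDM_UI_HTML509_0.sca", "IDMREST08_0.sca"]):
        print(files, "->", check_sp_consistency(files, identity_center_sp=8) or "OK")
```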

Procedure
1. Update the User Interface task folder and configure the solution as described in Adding the Predefined User Interface Tasks and Configuring the Solution.
When updating the task folder, make sure that you select the Update option instead of Import.
2. Update the Identity Management User Interface for HTML5 by deploying the new SCA file as described in Deploying the Identity Management User
Interface for HTML5.

Related Information
Adding the Predefined User Interface Tasks and Configuring the Solution
Deploying the Identity Management User Interface for HTML5

1.3 Reference
The following sections cover reference topics for the SAP NetWeaver Identity Management components.

1.3.1 OData REST Interface
1.3.1.1 SAP NetWeaver Identity Management REST Interface Version 2
Version 2 of Identity Management REST (Representational state transfer) service implements the Open Data Protocol (OData) in version 2.0.
Consumers of this service API (Application Programming Interface) should be familiar with OData before implementing their own applications. For more
information about the Open Data protocol, see the OData web site.
Version 2 of the Identity Management REST service supports - as does OData - both formats for representing the resources it exposes, the XML-based Atom
format and the JavaScript Object Notation (JSON) format. In contrast, version 1 of the Identity Management REST service only supported the JSON format. For
readability's sake, all examples in this document are based on the Content-Type application/json, with the exception of the service metadata document that
is only returned in XML format.
OData is designed to be modular. This means that the Identity Management REST service only implements as much of the OData specification as required for
the intended target scenarios; it is built on the odata4j open source library. Furthermore, the support for Query Options is limited in version 2. To allow the
implementation of further features within the REST interface in later service packs, for example support for more Query Options, clients can call a service
operation that returns version information. Clients can then check whether certain features can be used or not.
The Identity Management REST interface supports SAP NetWeaver 7.30 SP9 and 7.31 SP6 and higher as runtime environment and requires SAP NetWeaver
Identity Management 7.2 SP8 or higher. The interface is contained in the IDMREST<IdM SP version>_<IdM Patch version>.sca.
It is still possible to use the version 1 of the Identity Management REST service. However, the Identity Management REST Interface Version 2 has clear
advantages over its previous version, and is the recommended version of the Identity Management REST service.
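As an added example that is not part of the SAP documentation, the following Python helper shows the three client-side concerns this section raises: parsing the XML-only service metadata document, reading the Query Options a given service pack supports from a version operation, and falling back to client-side processing for options the server does not support. The service path, the version operation and the shape of its reply are assumptions, and all replies are constructed samples so the code runs offline.

```python
# Added example, not code from the SAP documentation: a small OData 2.0 client
# helper. The service path, the version operation's name and the shape of its
# JSON reply are assumptions; all replies below are constructed samples.
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

EDMX = "{http://schemas.microsoft.com/ado/2007/06/edmx}"
EDM = "{http://schemas.microsoft.com/ado/2008/09/edm}"
META = "{http://schemas.microsoft.com/ado/2007/08/dataservices/metadata}"

# Constructed sample: the service metadata document ($metadata) is only
# returned as XML (EDMX), so even a JSON-only client needs an XML parser.
SAMPLE_METADATA = """<edmx:Edmx xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx" Version="1.0">
 <edmx:DataServices xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
  m:DataServiceVersion="2.0">
  <Schema xmlns="http://schemas.microsoft.com/ado/2008/09/edm" Namespace="Sample">
   <EntityContainer Name="Default" m:IsDefaultEntityContainer="true">
    <EntitySet Name="Entries" EntityType="Sample.Entry"/>
    <EntitySet Name="Tasks" EntityType="Sample.Task"/>
   </EntityContainer>
  </Schema>
 </edmx:DataServices>
</edmx:Edmx>"""

# Constructed sample: reply of a hypothetical version operation in the
# OData 2.0 JSON "d" envelope, listing the Query Options this SP supports.
SAMPLE_VERSION_JSON = '{"d":{"Version":"2.0","SupportedQueryOptions":["$top","$skip"]}}'

# Constructed sample: an entity collection in the OData 2.0 JSON format.
SAMPLE_ENTRIES_JSON = ('{"d":{"results":[{"Name":"alice","Type":"PERSON"},'
                       '{"Name":"admins","Type":"ROLE"},'
                       '{"Name":"bob","Type":"PERSON"}]}}')

def service_metadata(xml_text):
    """Return (DataServiceVersion, sorted entity set names) from an EDMX document."""
    root = ET.fromstring(xml_text)
    version = root.find(EDMX + "DataServices").get(META + "DataServiceVersion")
    sets = sorted(e.get("Name") for e in root.iter(EDM + "EntitySet"))
    return version, sets

def supported_query_options(version_json):
    """Query Options advertised by the (assumed) version operation."""
    return set(json.loads(version_json)["d"].get("SupportedQueryOptions", []))

def plan_request(base_url, entity_set, wanted, supported):
    """Send only the Query Options the server announced; return the URL and
    the options the client has to apply itself on the full result."""
    server = {k: v for k, v in wanted.items() if k in supported}
    local = {k: v for k, v in wanted.items() if k not in supported}
    url = "%s/%s" % (base_url.rstrip("/"), entity_set)
    if server:
        url += "?" + urlencode(server)
    return url, local

def apply_locally(reply_json, local):
    """Unwrap the {"d": {"results": [...]}} envelope and apply the simplest forms
    of two unsupported options: $filter "Field eq 'value'", $orderby "Field [desc]"."""
    rows = json.loads(reply_json)["d"]["results"]
    if "$filter" in local:
        field, op, value = local["$filter"].split(" ", 2)
        if op != "eq":
            raise ValueError("only 'eq' filters are handled locally")
        rows = [r for r in rows if str(r.get(field)) == value.strip("'")]
    if "$orderby" in local:
        parts = local["$orderby"].split()
        rows.sort(key=lambda r: r.get(parts[0]),
                  reverse=len(parts) > 1 and parts[1].lower() == "desc")
    return rows
```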

Related Information
Open Data Protocol

1.3.2 Reporting
1.3.2.1 Identity Reporting Using SAP NetWeaver Business Warehouse
Document History
Caution
Before you start the implementation, make sure you have the latest version of this document.
The following table provides an overview of the most important document changes.
Version | Date | Description
1.0 | 2010-06-14 | Initial version of the document
1.1 | 2010-10-26 | Updates due to patches for SAP NetWeaver Identity Management 7.1 as described in 1505504.
2.0 | 2010-12-06 | Document is valid for SAP NetWeaver Identity Management 7.1 and 7.2. System requirement for BI content is Release 7.05 SP 2.
2.1 | 2011-10-21 | Updates for Web Services description. BW Reporting with SAP NetWeaver Identity Management 7.2 supports using SAP NetWeaver 7.3 BI Content Add-On 5.

1.4 SAP Provisioning Framework
This section describes the SAP Provisioning Framework.

1.4.1 SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide
History of Changes
Table 1:
Version | Change
7.2 Rev 11 | Minor changes.
7.2 Rev 10.1 | Added note on permissions for the service user used for connections to LDAP directories.
7.2 Rev 9 | Added Setting up an SAP Java Connector (SAP JCo) and Related Traces and Restricting the CPIC or JRFC Trace to a Specific Pass.
7.2 Rev 8 | Added DB2 connection parameters for VDS connection. Added Provisioning Productive Instead of Initial Passwords and Single Sign-On for AS ABAP Systems sections.
7.2 Rev 7 | Added description for setting up an update job. Updated constants appendix including password provisioning. Updated attributes appendix. Minor updates.
7.2 Rev 6 | Added prerequisite for HCM data export to LDAP. Added Oracle connection parameters for VDS connection.
7.2 Rev 5 | Added SSL repository constant for ADS. Added notifications set-up for role assignments.
7.2 Rev 4 | Added information on the Business Suite connector. Several smaller updates.
7.2 Rev 3 | Added information on group handling. Added information on SAP HANA™ database. Added information on provisioning of company addresses. Updated copyright. Added SAP Note 1618734.
7.2 Rev 2 | Updated Appendix A: Repository Constants
7.2 Rev 1 | Added Limitations and Considerations When Connecting an AS Java to an LDAP Directory section. Added General Remarks on Repository Constants section. Added a remark on lower amount of configuration steps. Added a reference to the LDAP wizard (transaction HRIDMWIZARD_START) in the SAP HCM system for configuring the SAP HCM system and exporting the data.
7.2 | Original version.

Related Information
SAP Note 1618734 - Upgrading SAP Provisioning Framework
Limitations and Considerations When Connecting an AS Java to an LDAP Directory
General Remarks on Repository Constants
Password Provisioning
Single Sign-On for AS ABAP Systems
Setting up an SAP Java Connector (SAP JCo) and Related Traces
Restricting the CPIC or JRFC Trace to a Specific Pass

1.4.2 SAP NetWeaver Identity Management Provisioning Framework for SAP Systems Version 2: Configuration Guide
History of Changes
The following table provides an overview of the most important document changes.
Table 1:
Version | Change
7.2 Rev 0 | Initial release.

Related Information
Limitations and Considerations When Connecting an AS Java to an LDAP Directory
General Remarks on Repository Constants
Password Provisioning
Single Sign-On for AS ABAP Systems
Setting up an SAP Java Connector (SAP JCo) and Related Traces
Restricting the CPIC or JRFC Trace to a Specific Pass

1.4.3 UWL Integration Configuration Guide
1.4.3.1 History of Changes
Table 1: History of Changes
Version | Change
7.2 Rev 3 | Minor updates.
7.2 Rev 2 | Minor corrections.
7.2 Rev 1 | Added procedure version for AS Java 7.1 for Registering the IDM Connector for UWL in the Portal.
7.2 Rev | Original version.

1.4.3.2 Introduction
The Universal Worklist (UWL) gives users a unified and centralized way to access their work and relevant information in the portal. It collects tasks from multiple
provider systems in one list for easy access to all tasks. With this architecture, you can also include tasks that originate from SAP NetWeaver Identity
Management (SAP NetWeaver ID Mgmt), for example, approvals.
To do this, you must install and set up the corresponding IDM connector for UWL that is provided with SAP NetWeaver Identity Management.
The table below shows the software components according to release.
Software Component | Release | Software Component Long Text | Comment
IDMPORTALCONT<version>.sca | 7.2 | IDM PORTAL CONTENT 7.20 | Use when installing on an AS Java for SAP NetWeaver Release 7.0
IDMPORTALCONT<version>.sca | 7.21 | IDM PORTAL CONTENT 7.21 | Use when installing on an AS Java for SAP NetWeaver Composition Environment Release 7.1 and higher or on SAP NetWeaver 7.3

You can set up the portal with the UWL IDM connector to either run on the same system as the SAP NetWeaver ID Mgmt administration user interfaces, or it can
run on a remote system.

1.4.3.3 Prerequisites
AS Java/Portal: Release 7.0 or higher
UWL is configured on the portal.
SAP NetWeaver Identity Management: Release 7.2 or higher
The SAP NetWeaver Identity Management workflow UIs as of Release 7.2 are also deployed and configured on the corresponding AS Java. This AS Java
can belong to either an SAP NetWeaver 7.0 system, an SAP NetWeaver Composition Environment (CE) Release 7.1 system or higher, or on an SAP
NetWeaver 7.3 system. The table below shows the UI software components according to release.
Software Component | Release | Software Component Long Text | Comment
IDMIC<version>.sca | 7.20 | NW IDM 7.2 UIS FOR NW 7.00 | Use when installing on an AS Java for SAP NetWeaver Release 7.0
IDMIC<version>.sca | 7.21 | NW IDM 7.2 UIS FOR NW 7.10 | Use when installing on an AS Java for SAP NetWeaver Composition Environment Release 7.1 or Release 7.2 or for SAP NetWeaver 7.3

For more information, see the Installing and Configuring the Identity Management User Interface document provided with the SAP NetWeaver Identity
Management installation.
You have the administrative authorizations on the portal and on the SAP NetWeaver Identity Management systems.

More Information
UWL: For more information about configuring UWL, see the documentation on the Help Portal for your release.
SAP NetWeaver Identity Management workflow UIs: For more information, see the document Installing and Configuring the Identity Management User
Interface provided with the SAP NetWeaver Identity Management installation.

Related Information
Installing and Configuring the Identity Management User Interface
Release 7.0
Release 7.1
Release 7.2
Release 7.3

1.4.3.4 Tasks
Context
To set up the portal and UWL so that SAP NetWeaver Identity Management tasks are included, you must:

Procedure
1. Deploy the IDM connector for UWL on the AS Java where the SAP NetWeaver Identity Management workflow UIs are running. If the portal is running on a
remote system, also deploy the SAP NetWeaver Identity Management workflow UIs and the IDM connector for UWL on the portal system.
2. In addition, if the portal is running on a remote system:
1. Configure the use of logon tickets between the portal and the SAP NetWeaver Identity Management system so that the connection between the two
systems can be established for the logged on user.
2. Register the IDM connector for UWL on the portal. In this step, you configure the URL to use to access the SAP NetWeaver Identity Management
administration user interfaces.
3. Set up the IDM connector in the UWL configuration.

Results
Once the connector has been configured, you can view the SAP NetWeaver Identity Management workflow and approval tasks in the UWL worklist.
See the sections that follow.

1.4.3.4.1 Deploying the IDM Connector for UWL
Context
The IDM connector for UWL is provided with SAP NetWeaver ID Mgmt as a Software Component Archive (SCA) with the name
IDMPORTALCONT<version>.sca. You can find the SCA in the installation directory along with the workflow UIs, or it is available for download on the SAP
Service Marketplace.
The deployment procedure is the same as for other SCAs on the AS Java. For more information, see the deployment documentation on the SAP Help Portal
regarding your release.

Procedure
1. Deploy the archive on the AS Java where the SAP NetWeaver ID Mgmt workflow UIs are running.
2. If the portal is running on a remote system, deploy both the SAP NetWeaver ID Mgmt workflow UIs (IDMIC<version>.sca) and the IDM connector for
UWL (IDMPORTALCONT<version>.sca) on the portal system.

Related Information
Downloads
Installation and Upgrades
Installations and Upgrades
Release 7.0
Release 7.1
Release 7.2
Release 7.3
Installing and Configuring the Identity Management User Interface


1.4.3.4.2 Setting up Remote Access to the Portal (Optional)
Context
If the portal is running on a remote system, you must:

Procedure
1. Configure the use of logon tickets between the portal and the SAP NetWeaver ID Mgmt system so that the connection between the two systems can be
established for the logged on user.
2. Register the IDM connector for UWL on the portal. In this step, you configure the URL to use to access the SAP NetWeaver Identity Management
administration user interfaces.

1.4.3.4.2.1 Configuring the Use of Logon Tickets
Between the SAP NetWeaver Identity Management system and the portal, you can use logon tickets.

Context

Procedure
1. Set up the AS Java to trust the portal:
1. Using the SAP NetWeaver Administrator on the AS Java that hosts the SAP NetWeaver Identity Management workflow UIs, navigate to the
configuration for trusted systems: http://<hostname>:<port>/nwa > Configuration > Trusted Systems.
2. Choose Add Trusted System > By Querying Trusted System.
3. Select JAVA as the System Type and enter the connection parameters to the portal.
4. Choose Next and finish the wizard.
This step retrieves the portal’s public-key certificate and stores it in the AS Java’s keystore to use to verify logon tickets. It also adds the information from the
portal’s public-key certificate to the login module EvaluateTicketLoginModule options.
2. Adjust the login module stack:
1. Navigate to the login module stack configuration. The location of the login module stack configuration depends on the release:
Release 7.0: In this release, use the Visual Administrator. Navigate to the Security Provider, which is located at <SID> > Server_<Instance ID> > Services > Security Provider.
As of Release 7.1: In this release, use the SAP NetWeaver Administrator. Navigate to the policy configuration under Configuration > Authentication and Single Sign-On.
2. Add the logon ticket module EvaluateTicketLoginModule to the login module stack for the SAP-J2EE-Engine component. See the figure
below for Release 7.0.


1.4.3.4.2.2 Registering the IDM Connector for UWL in the Portal
This procedure differs slightly depending on the underlying AS Java release of the Portal. Therefore, the following two sections are dedicated to the specific
releases.

1.4.3.4.2.2.1 Registering the IDM Connector (Release 7.0)
Context
These steps apply to a portal running on Release 7.0.

Procedure
1. On the portal system, navigate to the service configuration: http://<hostname>:<port>/irj/portal > System Administration > System Configuration > Service Configuration.
2. Expand Applications and scroll down until you find the application tc~idm~uwl.
3. Expand the application tc~idm~uwl and choose Services.
4. From the context menu (right mouse button) for IDMConnectorRegistrationService, choose Configure.
5. Enter the connection data (Host name of IDM Web Dynpro Java UI host, Port number of the IDM Web Dynpro Java UI host, Port number of the P4
protocol on the IDM Web Dynpro Java UI host, and Protocol of the IDM Web Dynpro Java UI host) to use for the connection to the system that hosts the
SAP NetWeaver Identity Management workflow UIs.
6. Restart the IDMConnectorRegistrationService to update the service runtime.
1. From the main screen in the portal, navigate to the support desk: http://<hostname>:<port>/irj/portal > System Administration > Support.
2. Choose Portal Runtime.
3. Choose Application Console.
4. Select tc~idm~uwl from the list of applications and choose Show.
5. Restart the service.

1.4.3.4.2.2.2 Registering the IDM Connector (Release 7.1 and higher)
Context
These steps apply to a portal running on Release 7.1 and higher.

Procedure
1. In the NetWeaver Administrator of the AS Java, navigate to the service configuration: http://<hostname>:<port>/nwa > Configuration Management > Infrastructure > Application Modules.
2. Search the Module List for the service tc~idm~uwl.
3. In Web Module Details, choose the IDMConnectorRegistrationService on the Components tab.
4. In Portal Service Details, on the Properties tab, enter the connection data to use for the connection to the system that hosts the SAP NetWeaver
Identity Management workflow UIs:
Protocol of the IDM Web Dynpro Java UI host
Host name of IDM Web Dynpro Java UI host
Port number of the IDM Web Dynpro Java UI host
Port number of the P4 protocol on the IDM Web Dynpro Java UI host

Note
These parameters are used to establish the URL used to connect to the system that hosts the SAP NetWeaver Identity Management workflow UIs.
Therefore, specify HTTP or HTTPS as the protocol to use. Also, we recommend you use the fully qualified host name for URLs. This also applies to the
URL that the users use to access the portal. Otherwise, the domain used when issuing logon tickets will not match what is used at connection time, and
users will be prompted for user ID and password when accessing the SAP NetWeaver Identity Management workflow UIs from the UWL worklist.
5. Save your entries.
6. Restart the IDMConnectorRegistrationService to update the service runtime.
1. Under Related Tasks, choose the Start & Stop: Java EE Applications link.
2. Select tc~idm~uwl from the list of applications.
3. Restart the service by choosing the Stop Service and Start Service buttons under Application Instance Details.

1.4.3.4.2.3 Configuring the IDM Connector in the UWL Configuration


Prerequisites
You have the authorizations for UWL administration on the portal.

Context
As the next step, configure UWL to use the IDM connector to get the corresponding tasks from the SAP NetWeaver Identity Management workflow.

Procedure
1. On the portal system, navigate to System Administration > System Configuration.
2. Choose Universal Worklist and Workflow in the left pane. The list of Universal Worklist Systems appears.
3. If no IDM connector exists, create one by choosing New. (You can also edit an existing one by choosing Edit.)
4. In the Create New System Connection section, enter the data as shown in the table below.
Field | Local Configuration | Remote Configuration
System Alias | SAP_LocalSystem | <any_name>
Type | IDMLocalConnector | IDMRemoteConnector

5. Save the connector data.

Results
This information is sufficient for the IDM connector. However, there are additional UWL-specific configuration settings you can set, or customizing activities that you
can perform, for example, creating custom views. Adjust such settings or create or modify views as appropriate.

1.4.3.4.2.4 Processing Identity Management Tasks from the UWL Worklist
Once the IDM connector has been configured, you can view and process Identity Management workflow tasks from the UWL worklist. For example, the UWL list
below shows approval tasks for creating new users.

From the UWL worklist, you can also call the SAP NetWeaver Identity Management workflow UIs to process the items from the identity management workflow. This
offers more flexibility, for example, you can customize the SAP NetWeaver Identity Management workflow UIs to meet your specific needs.

1.4.3.4.2.5 Troubleshooting
The following sections describe a few of the most common configuration errors that can occur and how to solve them.

1.4.3.4.2.5.1 Cannot Deploy the IDM Connector for UWL
Symptom
You receive an error indicating that the software component IDMPORTALCONT<version>.SCA cannot be deployed.

Likely Cause
The corresponding version of the SAP NetWeaver Identity Management workflow UIs is not deployed (software component IDMIC<version>.SCA).

Solution

Make sure the workflow UIs are also deployed on the system where you are deploying the IDM connector for UWL. Make sure the versions apply to the underlying AS Java.
See Introduction, Prerequisites, and Deploying the IDM Connector for UWL.

Related Information
Introduction
Prerequisites
Deploying the IDM Connector for UWL

1.4.3.4.2.5.2 UWL Worklist Error
Symptom
You receive an error when trying to load the worklist stating that UWL could not connect to the provider.

Likely Cause 1
The trust relationship used for logon tickets was not established correctly.

Solution 1
Make sure the portal is listed as a trusted system in the SAP NetWeaver Identity Management system. (See the configuration for Trusted Systems.) Also make
sure the login module stack for the SAP-J2EE-Engine component on the SAP NetWeaver Identity Management system contains the login module
EvaluateTicketLoginModule. Make sure the options for this module contain the information from the portal’s public-key certificate. See Setting up Remote
Access to the Portal (Optional).

Likely Cause 2
The connection parameters entered for IDMConnectorRegistrationService are wrong.

Solution 2
Make sure the connection parameters are set correctly in the IDMConnectorRegistrationService. See Registering the IDM Connector (Release 7.0), step 5.

Likely Cause 3
The service IDMConnectorRegistrationService was not restarted after configuration.

Solution 3
Restart the service. See Registering the IDM Connector (Release 7.0), step 6.

Related Information
Setting up Remote Access to the Portal (Optional)
Registering the IDM Connector (Release 7.0)

1.4.3.4.2.5.3 Users are Prompted for User ID and Password
Symptom
The UWL list shows the correct worklist items, but users are prompted for user ID and password when accessing the SAP NetWeaver Identity Management
workflow user interface.

Likely Cause
The user accessed the portal using a different domain than the one specified in the host name used for the connection. Therefore, the logon ticket was issued
for a different domain than the one used for the connection between the UWL worklist and the AS Java where the SAP NetWeaver Identity Management
workflow UIs are hosted. In this case, the logon ticket is not used for authentication, and the user is prompted for user ID and password.

Solution
Make sure users access the portal using the same domain as the one used for the connection between the portal and the system where the SAP
NetWeaver Identity Management workflow UIs are located. For best results, we recommend using the fully qualified host name in both cases. See section
Registering the IDM Connector (Release 7.0), step 5.
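The note under Registering the IDM Connector (Release 7.1 and higher) and this troubleshooting section describe the same failure mode: a logon ticket issued for one domain is not presented to a host in another. The following Python check, added here and not part of the SAP documentation, validates the IDMConnectorRegistrationService parameters against the URL users enter for the portal; it assumes the ticket domain is the portal host name minus its first label, which must be confirmed against the actual installation.

```python
# Added example, not code from the SAP documentation: a pre-flight check of the
# IDMConnectorRegistrationService parameters against the URL users enter to
# reach the portal. ASSUMPTION: the logon ticket is issued for the portal host
# name minus its first label ("example.com" for "portal.example.com"); verify
# the domain your installation actually uses before relying on this check.
from urllib.parse import urlsplit

def connection_url(protocol, host, port):
    """URL the connector builds from the registration parameters."""
    return "%s://%s:%d" % (protocol.lower(), host.lower(), int(port))

def ticket_domain(host):
    """Cookie domain the logon ticket is assumed to carry (see header note);
    None for an unqualified host name, which has no domain to issue it for."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) >= 2 else None

def cookie_reaches(ticket_dom, host):
    """A domain cookie is sent to the domain itself and to all its subdomains."""
    host = host.lower().rstrip(".")
    return host == ticket_dom or host.endswith("." + ticket_dom)

def check_connector_config(portal_url, protocol, host, port):
    """Return a list of findings; an empty list means the ticket issued at
    portal_url will also be presented to the IDM workflow UI host."""
    findings = []
    portal_host = (urlsplit(portal_url).hostname or "").rstrip(".")
    if protocol.lower() not in ("http", "https"):
        findings.append("protocol must be HTTP or HTTPS, got %r" % protocol)
    if not 1 <= int(port) <= 65535:
        findings.append("port %r is not a valid TCP port" % port)
    if "." not in host:
        findings.append("IDM UI host %r is not a fully qualified name" % host)
    if "." not in portal_host:
        findings.append("portal is reached as %r, not a fully qualified name" % portal_host)
    dom = ticket_domain(portal_host)
    if dom and "." in host and not cookie_reaches(dom, host):
        findings.append("ticket domain %r does not cover IDM UI host %r: users will be "
                        "prompted for user ID and password" % (dom, host))
    return findings
```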


Related Information
Registering the IDM Connector (Release 7.0)
