
Most common mistakes when installing/upgrading IDM 8.0


Dear colleagues,

I've encountered multiple questions regarding the installation and upgrade of IDM 8.0.

Below you can find a list of the common issues that one can encounter while upgrading or installing the product.

 

Second Data Source for DevStudio

 

A second data source is needed for the DevStudio. This is often forgotten, but it is described in the documentation: the new Development Studio component needs its own data source, and if you don't define one you will constantly get "Login Failed" or "Something Went Wrong" errors.

 

Another thing that might be of use is to name your data source DevStudio - as mentioned in the documentation. We have monitored some issues with custom naming and we will have a look if this value is hardcoded somewhere, but just to be on the safe side use DevStudio as the name for your Data Source.

 

Here is an example of how the configuration looks:

[Screenshot: DataSource.PNG]

 

 

Admin user does not have rights assigned in user admin


The Administrator user needs specific roles in order to operate correctly. If you do a scratch install of IDM 8.0 you need to add them in the user admin. Make sure that the Administrator user exists both in IdM and in the UME and has the following roles:

  • SPML_Role - how to create it is described in the documentation
  • IDM_Authenticated



HTTPS not configured


If you have decided to use an HTTPS connection then you most probably need to use the HTTPS port, which can be checked in your engine monitoring (by default it should be 50001). Some further configuration is then needed, but this is covered in the configuration guide under how to enable the HTTPS connection.

If you will not use HTTPS then you need to go for port 50000 and set the property IS_HTTPS=false in this file (C:\Users\Administrator\workspace\.metadata\.plugins\org.eclipse.core.runtime\.settings\com.sap.idm-dev-studio-userinterface.prefs), where "workspace" is your Eclipse workspace.



Keys.ini file is switched


You have to pay special attention to the Keys.ini file. If you are going for the scratch install you need to generate your Keys.ini file and move it to the Identity Center installation folder manually. Please check that the Keys.ini file is correctly generated and has content.

If you go for the upgrade scenario, keep in mind that you have to use your old Keys.ini file. If you want to change it, you have to RE-SAVE all resources that contain values encrypted with the old key, such as the repository passwords: open their settings and save them once more so that they are encrypted with the new key.


Linux shell scripts are with wrong encoding


If you are using a Linux/Unix OS, keep the following in mind: when you edit files, do it on that OS and not on Windows. For example, if you connect to your instance with WinSCP, edit a file and copy it back to the Linux system, it may end up with Windows encoding (CRLF line endings). This will make the shell scripts fail during execution. If you edit them under Windows, save them in Unix format; in Notepad++, for example, there is the option Edit > EOL Conversion > Unix Format.

 

That would be all for now - those are the most commonly reported issues. I will further add more info if needed. Have in mind that all of the above is described in the documentation. My recommendation is to follow it strictly when doing Install/Upgrade no matter how experienced you are.


SAP Identity Management 8.0 Video – Basic Synchronization


 

This is a video tutorial showing you a basic example of how to use SAP Identity Management 8.0, and more specifically, how to synchronize and manage the user data provided by two different data sources. They can be exported from your SAP or non-SAP system. For this example, we use a TXT file, containing the user IDs and emails of the users, and the second data source is a database table containing further information about the same users.

 

 

Target group

 

The video shows a simple, understandable and easy to execute example. It is meant for users who need an introduction to basic synchronization operations in SAP Identity Management.

 

Purpose of the video

 

Along with the introduction to the basic synchronization operations, you will get knowledge of the Eclipse-based development environment in SAP Identity Management 8.0 and the new package concept.

 

Scenario

 

Using SAP Identity Management 8.0, we import the information from the file email.txt and the database table HR_Sample into the identity store of the SAP Identity Management 8.0 system. The information from both data sources is merged and uploaded to the identity store.

 

 

Result


As a result, the information from both data sources is synchronized and transferred to the identity store of an SAP Identity Management system.

Tutorial Implementing Attribute Privileges


If you would like to set user attributes from your role model, then attribute privileges may be for you. For instance, you may want to set the ABAP user group automatically for all members of a role, or deactivate the password for some roles. In fact, every attribute of the MX_PERSON object can be manipulated by attribute privileges.

 

This tutorial shows how to implement attribute privileges. It is based on SAP Identity Management 7.2. If you need help with implementing the tasks on IdM 7.1, contact me.

 

I assume you know how to use the Identity Center, i.e. how to create tasks and attributes, etc. Some scripting is needed as well.

 

The following steps give an overview of what needs to be done:

  1. Create two attributes for the entry type MX_PRIVILEGE: one for the attribute name and one for the attribute value.
  2. Create an add member task, which sets the attribute for a user when the privilege is assigned, and a del member task, which removes the attribute when the user loses the privilege.
  3. Create a user interface task for creating attribute privileges in a comfortable way.



1. Adding attributes to the privilege entry type

 

In your master identity store add a general text attribute:

  • name = Z_PRIV_AUTO_ATTRIBUTE
  • Entry types tab: link it to MX_PRIVILEGE
  • Presentation tab: use SingleSelect
  • Attribute values tab: select SQL query and the statement
    SELECT DISTINCT attrname FROM MXI_Attributes where is_id=1


 

The attribute Z_PRIV_AUTO_ATTRIBUTE will contain the name of the attribute to be manipulated. The SQL statement offers all existing attribute names in your master identity store (check that is_id matches your identity store).

 

Add one more general text attribute:

  • name = Z_PRIV_AUTO_VALUE
  • Entry types tab: link it to MX_PRIVILEGE
  • Presentation tab: use SingleLine

 

The attribute Z_PRIV_AUTO_VALUE will contain the value of the attribute to be manipulated.

 

If you check the entry type MX_PRIVILEGE you will find both added attributes:

 

 

2. Adding the AddMember and DelMember tasks

 

Now it is time for the core mechanism of the attribute privileges: add two ordered task groups to your provisioning framework. I use my own sub folders 'Entry Type Tasks' -> 'MX_PRIVILEGE'. Name them 'Add Attribute Privilege' and 'Remove Attribute Privilege', and note the task IDs, as we will need them later.

 

To both tasks you add a 'To Generic' pass.

 

 

The tasks will work on pending value objects, which hold the information of the user and the assigned attribute privilege.

 

On the Destination tab of the 'To Generic' pass enter two parameters, one for the user mskey and one for the attribute privilege mskey:

  • MSKEY = %MX_ENTRY_REFERENCE%
  • PRIV = %MX_ATTRIBUTE_VALUE%

 

 

Note: on IdM 7.1, unfortunately, you need to check whether a user has been assigned a privilege or a privilege has got a new member, as the pending value attributes are inverted.

 

For the Add Attribute Privilege pass now enter a new local script under 'Next data entry' called 'z_setPrivilegeAttribute' and press Edit. Here is the source code:

 

function z_setPrivilegeAttribute(Par){
    var mskey = Par.get("MSKEY");
    var priv  = Par.get("PRIV");
    var sql, msg;

    // get the attribute name stored on the privilege
    sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_ATTRIBUTE'";
    var attrname = uSelect(sql);
    if (attrname == null || attrname == "") {
        msg = "z_setPrivilegeAttribute: Attr Z_PRIV_AUTO_ATTRIBUTE missing for priv=" + priv;
        uError(msg);
        uSkip(2, 2, msg);
        return;
    }

    // get the attribute value stored on the privilege
    sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_VALUE'";
    var value = uSelect(sql);
    if (value == null || value == "") {
        msg = "z_setPrivilegeAttribute: Attr Z_PRIV_AUTO_VALUE missing for priv=" + priv;
        uError(msg);
        uSkip(2, 2, msg);
        return;
    }

    // get the user's current value; single quotes in the value are doubled so that
    // a value containing a quote can neither break nor alter the statement
    var safeValue = ("" + value).replace(/'/g, "''");
    sql = "select aValue from idmv_value_basic_active where mskey=" + mskey
        + " and attrname='" + attrname + "' and searchvalue='" + safeValue + "'";
    var currentValue = uSelect(sql);
    if (currentValue == null || currentValue == "") {
        // set the attribute on the user
        uIS_SetValue(mskey, 1, attrname, value, "ATTRIBUTE PRIVILEGE", 0);
    } else {
        uWarning("z_setPrivilegeAttribute: nothing to be done for user " + mskey + " " + attrname + "=" + value + ".");
    }
    return;
}

The script reads the attribute name and value from the attribute privilege and compares them with the user's current value. If the value is missing or different, the script sets the attribute accordingly.

 

For the Remove Attribute Privilege pass you do the same as above, but name the script 'z_removePrivilegeAttribute'. The source code looks similar:

 

function z_removePrivilegeAttribute(Par){
    var mskey = Par.get("MSKEY");
    var priv  = Par.get("PRIV");
    var sql;

    // get the attribute name stored on the privilege
    sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_ATTRIBUTE'";
    var attrname = uSelect(sql);
    if (attrname == null || attrname == "") {
        uError("z_removePrivilegeAttribute: Attr Z_PRIV_AUTO_ATTRIBUTE missing for priv=" + priv);
        return;
    }

    // get the attribute value stored on the privilege
    sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_VALUE'";
    var value = uSelect(sql);
    if (value == null || value == "") {
        uError("z_removePrivilegeAttribute: Attr Z_PRIV_AUTO_VALUE missing for priv=" + priv);
        return;
    }

    // get the user's current value (quotes doubled, see z_setPrivilegeAttribute)
    var safeValue = ("" + value).replace(/'/g, "''");
    sql = "select aValue from idmv_value_basic_active where mskey=" + mskey
        + " and attrname='" + attrname + "' and searchvalue='" + safeValue + "'";
    var currentValue = uSelect(sql);
    if (currentValue == value) {
        // remove exactly this value from the user's attribute
        uIS_SetValue(mskey, 1, attrname, value, "", 2);
    } else {
        uWarning("z_removePrivilegeAttribute: user " + mskey + " attribute " + attrname + "=" + value + " not found.");
    }
    return;
}

The script only removes the attribute from the user if the user has the attribute with exactly the same value as the attribute privilege.
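The add member / del member semantics above, as an added example that is not part of the tutorial's own scripts: a small in-memory model of the idmv_value_basic_active rows the two scripts query, so the behaviour (set only when missing, remove only on an exact value match, abort when the privilege is incomplete) can be checked without an IdM runtime. The rows, mskeys and function names are constructed for illustration; uSelect() and uIS_SetValue() are IdM built-ins that this model replaces with plain array operations. It also shows the single-quote doubling the scripts need when an attribute value is placed inside a quoted SQL literal.

```javascript
// Double single quotes so an attribute value can sit inside a quoted SQL literal,
// as the scripts above do when they build the searchvalue condition.
function sqlLiteral(s) {
  return "'" + String(s).replace(/'/g, "''") + "'";
}

// Look up the privilege's Z_PRIV_AUTO_ATTRIBUTE / Z_PRIV_AUTO_VALUE pair.
// Returns null when either is missing (the scripts call uError()/uSkip() there).
function readPrivilege(rows, privMskey) {
  var attr = null, value = null;
  rows.forEach(function (r) {
    if (r.mskey !== privMskey) return;
    if (r.attrname === "Z_PRIV_AUTO_ATTRIBUTE") attr = r.avalue;
    if (r.attrname === "Z_PRIV_AUTO_VALUE") value = r.avalue;
  });
  if (!attr || !value) return null;
  return { attrname: attr, value: value };
}

// Does the user hold exactly this attribute value? (the scripts' "current value" query)
function hasValue(rows, mskey, attrname, value) {
  return rows.some(function (r) {
    return r.mskey === mskey && r.attrname === attrname && r.avalue === value;
  });
}

// Add member: set the attribute unless the user already has that exact value.
// Returns "set", "unchanged" or "error", mirroring the branches of z_setPrivilegeAttribute.
function addMember(rows, userMskey, privMskey) {
  var p = readPrivilege(rows, privMskey);
  if (!p) return "error";
  if (hasValue(rows, userMskey, p.attrname, p.value)) return "unchanged";
  rows.push({ mskey: userMskey, attrname: p.attrname, avalue: p.value });
  return "set";
}

// Del member: remove the attribute only when the user holds exactly the privilege's value,
// so a value set by hand or by another privilege is left alone (z_removePrivilegeAttribute).
function delMember(rows, userMskey, privMskey) {
  var p = readPrivilege(rows, privMskey);
  if (!p) return "error";
  var idx = -1;
  rows.forEach(function (r, i) {
    if (idx < 0 && r.mskey === userMskey && r.attrname === p.attrname && r.avalue === p.value) idx = i;
  });
  if (idx < 0) return "notfound";
  rows.splice(idx, 1);
  return "removed";
}

// Constructed sample data: privilege 200 sets Z_PASSWORD_ENABLED_IT0=1 (the tutorial's own
// closing example), privilege 201 lacks its value attribute, user 100 has an unrelated attribute
// whose value contains a quote.
function sampleRows() {
  return [
    { mskey: 200, attrname: "Z_PRIV_AUTO_ATTRIBUTE", avalue: "Z_PASSWORD_ENABLED_IT0" },
    { mskey: 200, attrname: "Z_PRIV_AUTO_VALUE", avalue: "1" },
    { mskey: 201, attrname: "Z_PRIV_AUTO_ATTRIBUTE", avalue: "MX_AD_GROUP" },
    { mskey: 100, attrname: "MX_AD_GROUP", avalue: "O'Brien-team" }
  ];
}

// Walk through the cases a practitioner wants to see handled.
function demo() {
  var rows = sampleRows();
  var out = [];
  out.push(addMember(rows, 100, 200));   // "set": user gets Z_PASSWORD_ENABLED_IT0=1
  out.push(addMember(rows, 100, 200));   // "unchanged": already there, nothing to do
  out.push(addMember(rows, 100, 201));   // "error": privilege has no Z_PRIV_AUTO_VALUE
  rows.push({ mskey: 100, attrname: "Z_PASSWORD_ENABLED_IT0", avalue: "0" }); // set by hand
  out.push(delMember(rows, 100, 200));   // "removed": only the "1" row goes
  out.push(hasValue(rows, 100, "Z_PASSWORD_ENABLED_IT0", "0")); // true: hand-set value survives
  out.push(sqlLiteral("O'Brien-team"));  // "'O''Brien-team'"
  return out;
}
```

Running demo() returns ["set", "unchanged", "error", "removed", true, "'O''Brien-team'"]. The last item is the point of sqlLiteral(): the tutorial's scripts concatenate the privilege's value into the searchvalue condition, and a value with an apostrophe would otherwise terminate the literal early.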

 

 

3. Adding a User Interface Task for creating Attribute Privileges

 

In your user interface folder create a new ordered task 'new attribute privilege'. Insert a 'To Identity Store' pass.

 

 

The ordered task group is turned into a UI task by simply marking the 'UI task' check box on the Options tab.

 

 

Now it is possible to configure the Attributes tab. Select 'MX_PRIVILEGE' as entry type and mark 'This task creates a new entry'. For the visible attributes select Z_PRIV_AUTO_ATTRIBUTE and Z_PRIV_AUTO_VALUE and make them mandatory. Add more attributes to show, if you like.

 

 

 

In the 'To Identity Store' pass, configure the destination so that the add member and del member tasks are automatically attached to the new privilege. At least these lines are needed:

  • MSKEYVALUE = %MSKEYVALUE%
  • MX_ADD_MEMBER_TASK = (enter the task ID of your Add Attribute Privilege task group)
  • MX_DELL_MEMBER_TASK = (enter the task ID of your Remove Attribute Privilege task group)

 

Enter some more default settings if needed.

 

 

I do not explain how to make a fancy design or administrate the access control list of the UI task. You already know it or you will find out. Finally, it may look like this example:

 

 

Here I use an attribute privilege to enable password access for the SAP backend IT0. Every member of this privilege gets the attribute Z_PASSWORD_ENABLED_IT0=1 set, which allows password access.

 

Be creative with your new possibilities in your role model!

SAP Identity Management Downloadable Documentation


Recently we received from the community the idea to create a downloadable documentation: https://ideas.sap.com/D26309


It is now available in two flavors:

  • PDF documents for each guide so that:
    • you can have it offline
    • it is more usable when you want to search inside. I find this valuable - when I need some information, the first place to search is the Configuration guide.
  • the whole online content as downloadable DVD


Check out http://help.sap.com/nwidm80/ to find both versions.


Thanks to Ivelina Kiryakova and Valentina Ivanova

AIX/DB2 Installation tips for IDM 8.0


Hello all,

here are some useful tips when trying to install IDM on AIX/DB2 combinations.

The following comes from testing with AIX 7.1 and DB2 10.5.

 

1) sudo is needed on AIX in order to complete the installation properly.

 

2) The user that runs the installation should be a sudoer (e.g. db2inst1 should be a sudoer).

 

3) If you get an error like "^M: not found", make sure you haven't touched any files and that all of them are in UNIX/Linux format (LF line endings).

 

4) "DB2INSTANCE has not been set. Perhaps you are running as wrong user." / no DB schema: you should set your default instance, for example (export DB2INSTANCE=db2inst1), and you also have to place it permanently in the environment (set the PATH in the /home/user/ environment files to include the directory where db2start lives).

 

5) EFS framework not installed: you should install this component, usually with the command "efsenable -a" (as root).

 

6) SQL0104N An unexpected token "IC_db" was found following "<identifier>". Keep in mind that the prefix of your DB should be in lower case letters and only 2 characters long.

 

7) Make sure you have enough space on the drive where you are doing the installation.

 

8) DB250101E: The command syntax is invalid. An unexpected token '' was found following '='. Expected values include: '<text>'. This problem is fixed with DB2 APAR IT06188, which is part of DB2 V10.5 FP5SAP2.

 

9) ./mxmc-install.sh[90]: syntax error at line 25 : `elif' unexpected - this points to encoding (line ending) issues in the script.

 

10) STORAGEPATH must be set in include.sql

 

11) DB2 does not support user names longer than 8 characters; in effect you must restrict your prefix to a maximum of 2 characters ($prefix + _admin).

 

12) if [ ${MC_PREFIX} -gt 2 ] ; then  - REMOVE # from prefix

 

Hope this is useful.

Todor

uLDAPGetEntry()


Recently I have been working on IDM 7.2 - AD integration so thought to share some information on uLDAPGetEntry() that might help someone who is doing AD integration.

 

As we know, the AD connector is not as smart as the SAP connectors. IDM will set the status "Failed" if it tries to create a user or assign access when the user/assignment already exists in AD. So, I was implementing a solution where IDM checks if the user already exists in AD; if so, do nothing (the status will be set to 'OK'), and if not, create the user.

 

I was using uLDAPGetEntry() to check if the user exists. Contradicting the help documentation, uLDAPGetEntry did not return "NULL" if the user is not found. It returned an error as below:

 

[Screenshot: Capture.PNG]

 

ERROR - {err_category=ERROR, err_where=uLDAPGetEntry(ldaps://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person)), err_exception=javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:'OU=Users,OU=X ,DC=XDev,DC=com,DC=au']; remaining name ''}

 

 

Hence my script kept failing as I was checking for NULL value. SAP needs to update the code for uLDAPGetEntry() user function or update the help documentation. I do not have authorization to raise an incident to SAP so posting here. Hope someone from SAP takes note of this.

 

Also, I was using LDAP url,

ldap://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person))

 

and I kept getting error as below.

javax.naming.ServiceUnavailableException: XXX:636; socket closed..

 

 

After some Googling, I figured that I should use an LDAPS URL as below,

ldaps://1xxxx:636/cn=TEST_JAI1,OU=Users,OU=X,DC=XDev,DC=com,DC=au?CN?BASE?(objectclass=person))

 

 

It would be nice if SAP adds a note about LDAPS url over LDAP url to establish secure connection while using uLDAPGetEntry.

 

Hope it helps someone.

 

Regards,

Jai

Quick Hint: remove "Copy of " prefixes - Identity Center


Are you bored of removing the "Copy of" prefixes after you have copied Identity Center drawers with lots of content?

 

The SQL statements below are a quick way to do it.

 

 

 

Drawers

use mxmc_db
update mc_Group
set Group_Name = right(Group_Name, len(Group_Name) - 8)
where Group_Name like 'Copy of %'

Tasks

use mxmc_db
update MXP_Tasks
set Taskname = right(Taskname, len(Taskname) - 8)
where taskname like 'Copy of %'

Jobs

use mxmc_db
update MC_Jobs
set name = right(name, len(name) - 8)
where name like 'Copy of %'

 

The statements work on SAP IdM 7.1 and 7.2. I am not sure for SAP IdM 8.0.

Performance Tips and Tricks when beginning the IdM Journey


From working on IdM topics for some time, here are some basic activities that can help the performance of the system if you are new to IdM.

 

The first good source of information is the 'SAP Netweaver Identity Management Solution Operation Guide' found at this link

 

Section 4.6 of this guide covers Analysing Statement Execution, if you need to identify any long running SQL statements in the system. Via the IdM administration UI such statements can be traced based on a minimum runtime threshold, as shown below.

 

[Screenshot: statement execution UI.PNG]

 

For more detailed analysis of SQL statements see Per Krabsetsves' excellent blog at this link

 


Section '5.6.7 Rebuilding database indexes' advises:

"With heavy usage of the system, the database indexes will become fragmented, which may decrease performance. For further information regarding fragmented indexes and rebuilding the indexes, please refer to the documentation for your database system."

 

Most often if your system is suffering this issue you will see system wide performance issues. The UI, jobs and tasks will all perform more slowly than normal or the system could in most severe cases come to a standstill. Keeping the indexes refreshed is essential as much of the processing in the IdM application occurs at database level.

 

Performance Issues in the UI

 

If you have a reference attribute assigned to a UI task and the task takes a long time to open, there may be an issue with loading all the entries of the reference attribute. In the MMC there is the option 'List Entries on Load', which can speed up the loading of the UI task until the root cause of the performance issue can be determined. When this checkbox is unchecked the entries are not loaded automatically in the UI; instead the user must search for them after the UI opens.

 

[Screenshot: List Entries on Load.png]

Secondly, complex access controls on UI tasks are a common cause of performance degradation in the UI. Check the SQL statement used in the access control and see whether it can be refined in any way to make it faster.

 

 

Using NOLOCK on MSSQL queries

 

If you need to read a large dataset from an MSSQL database then the (nolock) hint should be used in the SQL statement, e.g.

 

select * from idmv_link_ext with (nolock) where ..........

 

In addition, remember that storing such data in the IdM database involves numerous updates, so if the read from the source database takes X time, it is not the case that the update of IdM will take the same time. The same holds for other databases.

 

 

Long running Jobs 'Cookie Does not Match'

 

 

If a job runs for a long time it may abort with the error message "Cookie does not match", which means that the Identity Center does not have this job in its list of active jobs. When the runtime starts running an action task, it will "check out" the job from the Identity Center. While the job is running, the runtime will periodically signal the Identity Center that it is still active and running. At this point the Identity Center can return a status code to force the job to stop running, in which case the runtime will do a controlled exit.

Such an issue may arise, for example, when you are running an initial load from an ABAP system that has many ABAP roles and profiles. It can take some time to read all of these into IdM and this action can time out.

 

There are 2 timeouts for running jobs, the "Start timeout" and the "Idle timeout". The values are configured in the MMC, on the Identity Center node, in the "Options" panel:

 

The "Start timeout" is the maximum time allowed from the job starts running, until it has processed the first entry.

 

The "Idle timeout" is the maximum time allowed between each time the runtime signals the Identity Center that it's still active and running.

 

To try and resolve this, the settings below should be considered:

 

 

1. The Idle timeout has to be large enough to handle the maximum system load, when there can be a large number of queued jobs.

2. The Start timeout has to be larger than the time it takes to initialize the connector plus the time it takes to process the first entry.

3. The Execution timeout has to be larger than the maximum time spent processing one entry.

 

These are just some small steps that can fix issues that cause severe impact on the running of the IdM application in your organization. I'd welcome any other hints other people have learned over the years of working with IdM ;-)

 

 

Best of Luck

 

Chris


IdM Troubleshooting Wiki


Often, searching for a solution to a problem in IdM can mean trying to find an old SCN thread or SAP Note. There is also an additional resource available (set up by the IdM development team) for quickly finding solutions to common issues that are reported through SAP Service Marketplace: the SAP Netweaver Identity Management Troubleshooting Guide.

 

Currently it covers releases 7.1 and 7.2, but it is always evolving and will be updated with release 8.0 troubleshooting tips in time. As it is a wiki, anyone can add content that they feel will be helpful to other IdM administrators.

 

[Screenshot: idm troubleshooting guide .PNG]

SAP NW Identity Management 7.1 will go out of maintenance


It has been about 7 years since SAP NW IdM 7.1 was released to customers, and since then many companies have used the product to benefit from centralized identity management to lower risk and manage user access. It keeps operations running efficiently and affordably while protecting applications and data, provides user access according to current business roles, and manages passwords with self-service capabilities and approval workflows.

 

 

Following the product lifecycle, at a given point in time we will retire the product. At the end of the year (31.12.2015) we'll reach the end of mainstream maintenance. To help you plan your future activities better, I would like to notify you about that fact and also encourage you to get familiar with the new versions of SAP IdM.

 

There are a few publications that explain some of the capabilities of IdM 8.0:

SAP IdM 8.0 highlights

SAP IdM 8.0 developer studio Eclipse plug-in

SAP IdM 8.0 SuccessFactors connector

SAP IdM 8.0 documentation

SAP IdM 8.0 video – basic synchronization

SAP IdM 8.0 Installation and upgrade information

SAP IdM Custom Add-on for Notifications management - on WD&SAPUI5



As we all know, the standard notification process in IdM is not very flexible.

In order to have an easier way for our customers to manage the standard SAP IdM notification process, we have developed a custom add-on for IdM notifications. So here is what this add-on provides:

    • User friendly UIs for SAP IdM notification management
    • Easy UI capabilities for notification update
    • Import/export of notifications
    • UI data validations

1. First we started by separating the logic in three parts:

  • SAPUI5/WD IdM notification administration UI / back-end validations
  • SAP IdM logic (custom notification repository with some JavaScript/Java logic for managing the notification process and customer logic)
  • User notifications

 

2. The UIs:

     2.1. SAPUI5 Notification UIs:

          [Screenshot: Notification1.png]

    • Language/Organization UI:

          [Screenshot: Notification5.png]

    • Receiver UI:

          [Screenshot: Notification4.png]

    • Translation UI:

          [Screenshot: Notification5.png]

     2.2. SAP WD Notification UIs:

          [Screenshot: Notification2.png]

 

 

3. In addition, we have implemented an easier way for UI customization:

  • Additional validations can easily be added in the back-end, if needed
  • System data visible in the UIs, such as the repository, can easily be replaced by the system description (ACTIVE_DIRECTORY -> Sys: Active Directory), if needed
  • The systems visible in the UI can be predefined (if the customer does not need all systems to be shown in the Notification UI)
  • The IdM logic can easily be changed according to customer needs

 

 

Hope you like it

Simona Lincheva

SAP IdM Custom Add-on generating Integrity Check reports - on SAPUI5


In addition to the standard IdM functionality we added this tool, which can run reports between all systems available in IdM and IdM itself; the report can also be made across two or more systems (depending on the customer's needs).

We started by separating the logic in two parts:

  • SAPUI5/IdM UI reports
  • SAP IdM logic (custom entry type with some JavaScript logic for managing the reports and additional tasks/jobs for executing the report)

Note: no back-end is needed for this add-on (only standard REST calls directly to IdM).

 

1. A user-friendly and easy-to-configure UI, enabling the end user to perform identity integrity checks across the systems.

    • Main UI:

                  [Screenshot: IC 1.png]

    • UI after selecting one of the generated reports:

                  [Screenshot: IC 2.png]

2. The integrity check report can be executed a couple of times a day (depending on the customer's needs; this is a setting in the job responsible for generating the reports).

 

Hope you like it

Simona Lincheva

 

SAP IdM Custom Add-on for Mass User action management (Mass Upload UI) - on WD


This tool can be used as a replacement for otherwise time-consuming actions like:

    • mass assign/un-assign of user access
    • mass lock/unlock of users
    • partially terminating users across the systems (removing access only from one or two of the available systems)

Note: with input data validations.

For example: we have 100 users and want to assign 10 SAP roles to each of them. Doing so via the standard IdM UI takes a very long time and is tedious, but the same case takes only a couple of minutes using the Mass Upload UI.


The logic can be separated in three parts:

  • SAP WD UI - for exporting/importing the data (using csv files)
  • Back-end logic for UI validations (user and access validations)
  • SAP IdM logic (after the mass upload is submitted, custom requests are created in IdM for each user/system)

Note: more than one upload can be executed by a number of users, as we have implemented a custom queue for managing the created mass uploads.


1. WD UI - Mass Upload UI:

               [Screenshot: MU1.png]

   1.1. Supported mass actions:

  • Add/Remove - roles/privileges
  • Add (create)/Remove (terminate) - users
  • Lock/Unlock - users

   1.2. UI supported operations:

  • Import/Export (file)
  • Export template
  • Validate (only validates the data, without further actions)
  • Submit (internal validations)
  • Add single record
  • Delete multiple records


Hope you like it

Simona Lincheva

SAP IdM Custom Add-on for Notifications management - based on custom table



Here is a way to make the IdM notification process more flexible and easier to work with.


1. First we started by separating the logic in two parts:

  • SAP IdM custom table for storing the notifications (receivers, text, subject, ...)
  • SAP IdM logic (custom entry type with some JavaScript/Java logic for managing the notification process and customer logic)

 

2. IdM custom entry type:

    [Screenshot: N 1.png]

3. IdM tasks for sending the created notifications:

    [Screenshot: N 2.png]

4. A custom IdM table is created for the notifications, where all of the e-mail information is stored (subject, To, CC, text, country, ...). When a new location/notification is needed, the table can be updated with the new e-mail notifications using a simple .csv file:

     [Screenshot: N 4.png]

Note: the final notification (example):

[Screenshot: N 5.png]

E-mails can be sent for:

  • Specific actions (create/terminate/position change/manager change/on error, ...)
  • Specific countries (all local languages are supported)
  • Depending on the notification, a specific To/CC will be set


Overview: a custom entry type used to send e-mail notifications, which allows:

  •   Easy maintenance (if needed, all notifications can be modified and new ones are easily added) with a simple .csv file
  •   Flexibility:

  -  each subject and body of the e-mail can be specific

  -  all languages are supported (for each e-mail a subject/text in a default and a native language can be sent)

  -  for each of the needed actions a different e-mail can be sent

  -  To/CC depends on the settings in the notification table (specific To/CC)

  -  in any case of error an e-mail can be sent


Note: link for the updated version - SAP IdM Custom Add-on for Notifications management - on WD&SAPUI5

Hope you like it

Simona Lincheva

SAP IdM Custom Add-on for Managing the Business Roles inside IdM(Authorization Matrix) - on WD&SAPUI5


As all may know, managing the Business Roles in IdM is not an easy thing to do, especially if the client wants to update them each month/week for business reasons. In that case we have to provide an easy way not only to update the BRs, but also to update the users' access accordingly and to keep some trace of the changes made.

The first thing that comes to mind is something like this: How to do mass population of a Business Roles with privileges using txt file, but there we are more or less restricted: we don't have any real information about the changes we made, nor any validations for the BRs.

So we decided to extend the standard IdM functionality by creating a custom tool for managing the BRs - the Authorization Matrix.

The Authorization Matrix allows you to control the BRs within IdM. This tool provides validation rules, easy roll-back to a previous version and automatic user access updates after a BR modification. IdM processes the submitted Matrix and updates the changed business roles; after that the users' access is updated according to the new Matrix, and the back-end systems are updated.


1. First we started by separating the logic in three parts:

  • SAPUI5/WD UIs with validation rules
  • Back-end logic for UI validations (access validations, custom tables for managing the data)
  • SAP IdM logic (processing the submitted matrix and updating the user access, creating automatic requests for history review of the user access, with a custom entry type for the Matrix)

Note: more than one upload can be executed by a number of users, as we have implemented a custom queue for managing the submitted matrices.


Demo of this tool can be seen here -  Authorization Matrix Add on for SAP IdM - YouTube


2. SAPUI5 UI - Authorization Matrix:

    • main UI:

          m1.png

    • the rest of the UIs:

          m2.png

3. WD UI - Authorization Matrix:

          m3.png

Note: not only can we monitor the changes directly from IdM, but we can also load a previous version of the Matrix, check the changes from there or re-submit the old version.


4. IdM customizations:

  • custom Entry Type _Matrix
  • custom job managing the submitted matrix and the queue (more than one matrix can be submitted)
  • custom IdM UI displaying the requests created for the users (after their access is changed)
  • custom JavaScripts managing the logic
  • custom UI tasks for the Matrix


Hope you like it

Simona Lincheva


SAP IdM Custom Add-on for Managing the External Users in IdM - on WD


This tool provides an option to manage external users, who are neither HR-relevant nor in any other way connected to the source systems currently used within IdM.


The logic is separated into three parts:

  • SAP WD UI for managing the external users' information
  • Back-end logic for UI search and validations
  • SAP IdM logic (after the external users are created or changed, the master data is updated in IdM and provisioned to the back-end systems)


Demo of this tool can be seen here - External Users Add on for SAP IdM - YouTube


1. WD UI - External users UI:

          ext1.png

Note: for the case where the HR system can't be used to manage the users' source information.


2. Tool functionality:

  • Complex search criteria to find exactly the people you are looking for.
  • Mechanism for storing new users in IdM if the system is currently busy processing other tasks with higher priority.
  • Easily extendable and transparent for maintenance.
  • Auto-generation of user IDs (following a certain logic).
  • Permission-based access to certain functions.


3. IdM customizations:

  • custom repository for managing the users
  • custom job - managing the auto generation of user IDs


Hope you like it

Simona Lincheva

New Release SAP Identity Management 8.0 SP1 Highlights


We are ready with our next release, SAP Identity Management 8.0 SP1.

The essential new features in this release are:

  • SAP Identity Management now supports the SAP Adaptive Server Enterprise (ASE) database system
  • New Java-based IBM Lotus Domino connector
  • The Developer Studio Eclipse plug-in is supported on Mac OS X and Linux
  • Improved privilege grouping concept
  • Improvements of the UI based on customer feedback


After receiving a lot of feedback and requests from customers, SAP Identity Management now also runs on an SAP database, the SAP Adaptive Server Enterprise (ASE) database system. This gives our customers simplified licensing and an optimized cost of ownership for their SAP solutions.


The new Java-based IBM Lotus Domino connector addresses the needs of a larger customer group and can run on any platform that runs Java. The connector is delivered as a separate package in the Provisioning Framework for SAP Identity Management 8.0. To familiarize yourself with the set of supported scenarios and prerequisites, see the SAP Identity Management Connector Overview and the respective documentation.


To further expand the platform coverage of SAP Identity Management 8.0, with SP1 the Developer Studio Eclipse plug-in is supported on Mac OS X and Linux.


With the improved integration between SAP Identity Management and GRC Access Control, the privilege grouping concept now lets SAP Identity Management trigger the assignment of a business role, or the corresponding GRC request, only once the business role and its children have been evaluated by the dispatcher and the privileges have been grouped into one group. This ensures that the whole content of the business role (its privileges) is sent to the target (GRC AC) system together.

 

Based on input from several customers, we made several enhancements to the UIs of Identity Management 7.2 SP10 and also of 8.0 SP1:

  • Added configurability and improved the layout of the Assignment Details dialog
  • The To Do tab now shows the display name instead of the operation name
  • Improved usability of the Manage tab and made the number of favorites configurable
  • Usability improvements for assignments

 

In parallel, we also improved the upgrade experience from 7.2 SP9 to 8.0 and 8.0 SP1.

Assign and remove permissions based on time stamp


Hi community,

 

As you know, it is possible to enter a validity period based on a date when assigning roles and privileges through the SAP Identity Management UI. The assignment then becomes valid at the beginning of that day.

 

But it is also possible to assign roles and privileges at a finer granularity using a timestamp. You can supply hour and minute and, if you want to push it further, also seconds and milliseconds.

 

In a To Identity Store pass, select the entry type MX_PERSON and add the following lines to assign a role on 2015-08-21 at 18:15 (6:15 pm):

 

Attribute        Value
MSKEYVALUE       USERNAME
MXREF_MX_ROLE    {VALIDFROM=2015-08-21T18:15:00}<ROLENAME>

 

You could also use the following timestamp to supply milliseconds, but I do not think you need that:

2015-08-21T18:05:23.123

 

The same syntax works for the VALIDTO link attribute, which is how you remove an assignment at a given point in time.

 

Cheers, Jannis

IdM UI tasks – manage users UI access control


Here is an easy way to maintain the users' UI access (display/edit/create access control).

  1. Create a custom privilege for the UI display tasks and the UI edit tasks:
    • PRIV:ROLE:TestUI_Edit
    • PRIV:ROLE:TestUI_Display

       2.png

Note: add the needed privilege to the access control of each UI task (display/edit/create).

 

   2.    Create a custom job to maintain the users' access:

    • You can use a CSV file; based on this file the needed access (PRIV:ROLE:TestUI_Display / PRIV:ROLE:TestUI_Edit) is granted to the users
    • A From ASCII file pass reads the CSV file and writes it to a custom table
    • A second To Identity Store pass updates the users

        1.png
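As an added example that serves both this post's CSV-driven assignment of the TestUI privileges and the timestamped VALIDFROM/VALIDTO reference values from the earlier post "Assign and remove permissions based on time stamp" (it is not code from either post), the script below turns constructed CSV lines into the attribute rows a To Identity Store pass on MX_PERSON would write. It is plain ES5-style JavaScript because SAP IdM job scripts run in a Rhino-based engine, but it calls no IdM API, so it also runs in Node. The CSV layout (user;access;validfrom;validto), the mapping of the access column to the two privileges, and the combination of VALIDFROM and VALIDTO in one brace block (by analogy with the single-modifier syntax the earlier post shows) are my assumptions.

```javascript
// Added example, not code from either post. No IdM API is used, so this
// runs in Node for testing as well as in an IdM job script.

function pad(n, width) {
  var s = String(n);
  while (s.length < width) s = "0" + s;
  return s;
}

// Format a Date as YYYY-MM-DDTHH:MM:SS (local time), the form the earlier
// post uses (2015-08-21T18:15:00); withMillis appends .SSS (2015-08-21T18:05:23.123).
function idmTimestamp(date, withMillis) {
  var s = date.getFullYear() + "-" + pad(date.getMonth() + 1, 2) + "-" + pad(date.getDate(), 2) +
          "T" + pad(date.getHours(), 2) + ":" + pad(date.getMinutes(), 2) + ":" + pad(date.getSeconds(), 2);
  return withMillis ? s + "." + pad(date.getMilliseconds(), 3) : s;
}

// Accepts a plain date or a timestamp with optional milliseconds.
var TS_RE = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d{3})?)?$/;

// Build the value written to MXREF_MX_ROLE / MXREF_MX_PRIVILEGE in a
// To Identity Store pass: {VALIDFROM=...,VALIDTO=...}<target MSKEYVALUE>.
// Putting both modifiers in one brace block is an assumption by analogy
// with the single-modifier syntax shown in the earlier post.
function buildRefValue(target, validFrom, validTo) {
  var mods = [];
  if (validFrom) {
    if (!TS_RE.test(validFrom)) throw new Error("bad VALIDFROM: " + validFrom);
    mods.push("VALIDFROM=" + validFrom);
  }
  if (validTo) {
    if (!TS_RE.test(validTo)) throw new Error("bad VALIDTO: " + validTo);
    mods.push("VALIDTO=" + validTo);
  }
  // ISO-style strings compare chronologically as plain strings.
  if (validFrom && validTo && validTo <= validFrom) {
    throw new Error("VALIDTO " + validTo + " is not after VALIDFROM " + validFrom);
  }
  return (mods.length ? "{" + mods.join(",") + "}" : "") + target;
}

// Assumed mapping from the CSV access column to the two custom privileges
// the post creates. Anything else is rejected rather than guessed.
var UI_PRIVILEGES = { display: "PRIV:ROLE:TestUI_Display", edit: "PRIV:ROLE:TestUI_Edit" };

// Turn CSV text (user;access;validfrom;validto, header first) into rows of
// MSKEYVALUE + MXREF_MX_PRIVILEGE. Bad rows are reported, not silently
// skipped, so a typo in the file cannot quietly grant or withhold edit rights.
function csvToPrivilegeRows(csvText) {
  var lines = csvText.split(/\r?\n/), rows = [], errors = [];
  for (var i = 1; i < lines.length; i++) {
    var line = lines[i].trim();
    if (!line) continue;
    var f = line.split(";");
    var user = (f[0] || "").trim(), access = (f[1] || "").trim().toLowerCase();
    var priv = UI_PRIVILEGES[access];
    if (!user || !priv) { errors.push("line " + (i + 1) + ": unknown access value: " + line); continue; }
    try {
      rows.push({ MSKEYVALUE: user,
                  MXREF_MX_PRIVILEGE: buildRefValue(priv, (f[2] || "").trim(), (f[3] || "").trim()) });
    } catch (e) {
      errors.push("line " + (i + 1) + ": " + e.message);
    }
  }
  return { rows: rows, errors: errors };
}

// Constructed sample input (not from the post).
var SAMPLE_CSV =
  "user;access;validfrom;validto\n" +
  "JDOE;Display;;\n" +
  "ASMITH;Edit;2015-08-21T18:15:00;2015-12-31T23:59:59\n" +
  "BJONES;Admin;;\n" +                                      // unknown access value
  "CLEE;Edit;2015-08-21T18:15:00;2015-08-21T18:00:00\n";    // VALIDTO before VALIDFROM

var result = csvToPrivilegeRows(SAMPLE_CSV);
// result.rows holds JDOE (Display, no validity) and ASMITH
// ("{VALIDFROM=2015-08-21T18:15:00,VALIDTO=2015-12-31T23:59:59}PRIV:ROLE:TestUI_Edit");
// result.errors lists the BJONES and CLEE lines for the operator to fix.
```

In a real job the rows would be what the To Identity Store pass writes, and the errors list is the thing to surface in the job log before anything is provisioned: the CSV is the source of truth for who may edit users, so a row that cannot be interpreted should stop the run, not be dropped.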

 

Hope you like it

Simona Lincheva

SAP Identity Management at SAP TechEd 2015 in Las Vegas and Barcelona


There is a security track which covers SAP’s security products as well as standard security features, capabilities, and recommendations. It includes sessions on the SAP Cloud Identity service, our new single sign-on offering for the cloud, as well as our extensive SAP Single Sign-On solution for your on-premise landscapes. In addition, we will show how to detect and prevent attacks with SAP Enterprise Threat Detection, and improve the quality of your custom code with our add-on solution for code vulnerability analysis. SAP Identity Management and SAP Access Control offer a combined solution for compliant identity administration across heterogeneous environments. These products are complemented by comprehensive capabilities for authorization, encryption, read access logging, and configuration options for detailed security policies.

Register for SAP TechEd 2015 at the following locations:

 

Here is a list of related sessions from which you can choose:

SEC101 – Best Practices for IAM Across Cloud and On-Premise Solutions

SEC106 - The Cloud Solution for Authentication, Single Sign-On and User Management

SEC163 - Single Sign-On for Cloud Applications with SAP Cloud Identity Service - 2h hands-on

SEC201 - What's new with IDM 8.0

SEC261 - Experience New Features in SAP Identity Management 8.0 - 2h hands-on

SEC262 - SAP Runs SAP – How to Upgrade to SAP Identity Management 8.0 - 2h hands-on

SEC263 - Risk-Based Authentication for SAP Fiori and SAP Portal - 2h hands-on

TEC102 - Security Strategy Overview

 

We would be happy to meet with people from the community and exchange thoughts.
