7.2 Adding the Organizational Role Class

The SAP User Management driver can be queried for ACTIVITYGROUP objects and all other PDOBJECTS in the SAP User Management database so that they can be synchronized into the Identity Vault, and used by the administrator through a browse interface. To do this, the default class mapping must be manually changed to the following:

Identity Vault Class    SAP User Field Description    SAP User Field(s)
Organizational Role     PDOBJECT                      Organizational Role

The following sections explain what you need to do to allow support for querying the Organizational Role class:

7.2.1 Editing the Global Configuration Values

To edit the Global Configuration Values (GCV), follow these steps:

  1. In iManager, browse to the driver, then click the upper right corner of the driver icon.

  2. Select the Edit Properties link.

    The Driver Configuration window is displayed.

  3. Click the Global Config Values tab.

    A list of the existing GCV values is displayed.

  4. Click the Edit XML tab to open the XML Editor window.

  5. Select the Enable XML Editing check box and add the following XML code:

    <definition display-name="Organizational Role Placement" dn-space="dirxml" dn-type="slash" name="sap-pdobject-placement" type="dn">
      <description>
        The name of the Organizational Role object under which
        published SAP Organizational Roles will be placed.
      </description>
      <value> </value>
    </definition>

  6. Click Apply and OK to save the changes.

    The updated GCV is now displayed in the list.

  7. Browse and select the container in the Identity Vault where you want to place the Organizational Role.

  8. Click Apply and OK.

7.2.2 Adding a New Placement Rule

A new rule is required in the placement policy to place Organizational Role objects. Follow these steps to create the new rule:

  1. In iManager, click on the driver icon.

    The Identity Manager Overview screen is displayed.

  2. In the Publisher channel, click on the Placement Policies icon.

    The Publisher Placement policy window is displayed.

  3. Click the existing default Publisher Placement policy.

    The Policy Rules screen is displayed.

  4. Click the Edit XML tab.

    The XML Editor window is displayed.

  5. Select the Enable XML Editing check box and add the following XML code:

    <rule>
      <description>Organizational Role Placement</description>
      <conditions>
        <or>
          <if-class-name op="equal">Organizational Role</if-class-name>
        </or>
        <or>
          <if-op-attr name="CN" op="available"/>
        </or>
      </conditions>
      <actions>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-global-variable name="sap-pdobject-placement"/>
            <token-text xml:space="preserve">\</token-text>
            <token-escape-for-dest-dn>
              <token-op-attr name="CN"/>
            </token-escape-for-dest-dn>
          </arg-dn>
        </do-set-op-dest-dn>
      </actions>
    </rule>

  6. Click Apply and OK to save the changes.

  7. Click Close to close the Publisher Placement Policy window.

7.2.3 Modifying the XSLT

The XSLT file must be modified so that it triggers events only for the USER class.

  1. On the Identity Manager Driver Overview page, click on the Creation Policies icon on the publisher channel of the driver.

    The Publisher Creation Policy window is displayed.

  2. Click the Generate User Name Style Sheet link.

    The XML Editor window is displayed.

  3. Search for the following XML code: <xsl:template match="add">

    Replace it with the following code:

    <xsl:template match="add[@class-name='User']">

  4. Click Apply and OK to save the changes.

  5. Click Close to close the Publisher Placement Policy window.
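
The edits in 7.2.1 through 7.2.3 depend on each other: the placement rule reads the GCV by name, and the style sheet must no longer match every add event. The following check is an added example, not part of the product documentation; it assumes the three XML fragments have been copied out of the iManager XML editors into strings, and the function name, container path and style sheet body are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"

def check_org_role_edits(gcv_xml, rule_xml, xslt_xml):
    """Return findings for the three edits; an empty list means they agree."""
    findings = []
    # GCV name -> trimmed value (the snippet on the page ships with an empty <value>)
    gcvs = {d.get("name"): (d.findtext("value") or "").strip()
            for d in ET.fromstring(gcv_xml).iter("definition")}
    rule = ET.fromstring(rule_xml)
    for tok in rule.iter("token-global-variable"):
        name = tok.get("name")
        if name not in gcvs:
            findings.append(f"placement rule reads undefined GCV {name!r}")
        elif not gcvs[name]:
            findings.append(f"GCV {name!r} has no container set")
    # Class names are trimmed here only for comparison
    classes = [(c.text or "").strip() for c in rule.iter("if-class-name")]
    if "Organizational Role" not in classes:
        findings.append("placement rule is not limited to Organizational Role")
    for tpl in ET.fromstring(xslt_xml).iter(XSL + "template"):
        if tpl.get("match") == "add":
            findings.append('style sheet still has match="add" (fires for every class)')
    return findings

# Constructed sample inputs: the container path and style sheet body are placeholders.
GCV = r"""<definition display-name="Organizational Role Placement" dn-space="dirxml"
  dn-type="slash" name="sap-pdobject-placement" type="dn">
  <description>Container for published SAP Organizational Roles.</description>
  <value>example-org\sap-roles</value>
</definition>"""
RULE = r"""<rule>
  <description>Organizational Role Placement</description>
  <conditions>
    <or><if-class-name op="equal">Organizational Role</if-class-name></or>
    <or><if-op-attr name="CN" op="available"/></or>
  </conditions>
  <actions><do-set-op-dest-dn><arg-dn>
    <token-global-variable name="sap-pdobject-placement"/>
    <token-text xml:space="preserve">\</token-text>
    <token-escape-for-dest-dn><token-op-attr name="CN"/></token-escape-for-dest-dn>
  </arg-dn></do-set-op-dest-dn></actions>
</rule>"""
XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="add[@class-name='User']"/>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print(check_org_role_edits(GCV, RULE, XSLT) or "edits are consistent")
```

Running it before step 7 of 7.2.1 reports the empty GCV, because the rule would then build a destination DN with no container in front of the CN.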

7.2.4 Adding the Organizational Role Class to the Driver Filter

To add the Organizational Role class, and to change the default class mapping, follow these steps:

  1. On the Identity Manager Driver Overview page, click the ‘Driver Filter’ icon in the publisher channel.

  2. Click the Add Class tab.

    A pop-up window is displayed.

  3. Click the Show All Classes link.

    A list of the available classes is displayed in alphabetical order.

  4. Scroll down to the class Organizational Role, and click it.

  5. In the Application Name field on the right, browse and select the SAP User class PDOBJECT that will be mapped to Organizational Role.

  6. Click Apply to confirm the mapping.

  7. In the filter window, select Organizational Role, and click the Add Attribute tab.

    A list of the available attributes is displayed.

  8. Select the CN attribute and click OK.

  9. In the Application Name field on the right, browse and select the SAP attribute OBJECTS:EXT_OBJ_ID.

  10. Select Organizational Role again and click the Add Attribute tab.

  11. Select the Description attribute and click OK.

  12. In the Application Name field on the right, browse and select the OBJECTS:LONG_TEXT attribute.

  13. Click Apply.

  14. In the Filter window, select the Organizational Role class.

  15. In the text field on the right, delete PDOBJECT and replace it with AG.

  16. Click Apply to save the changes.

  17. Click Organizational Role and select the Synchronize option in the Publisher channel.

  18. Click the CN attribute and select the Synchronize option in the Publisher channel.

  19. Click the Description attribute and select the Synchronize option in the Publisher channel.

  20. Click Apply and OK to save the changes, and close the Filter window.

7.2.5 Migrating Data into the Identity Vault

To migrate ACTIVITYGROUP objects into the Identity Vault:

  1. Ensure that the driver is running.

  2. From the Identity Manager Driver Overview window, click Migrate > Migrate into Identity Vault.

    The Migrate Data into the Identity Vault window is displayed.

  3. To migrate a single ACTIVITYGROUP object:

    1. Click the Edit List tab.

      The Edit Migration Criteria dialog box is displayed.

    2. Select the Organizational Role class from the list on the left side of the window.

    3. Select the CN attribute and click OK.

      The Attribute Value dialog box is displayed.

    4. Enter a valid value for the CN attribute and click OK.

      Example of a valid attribute: SAP_ESSUSER

    5. Click OK to confirm the entered value and close the dialog box.

    6. Click OK again in the Migrate Data into the Identity Vault window to start the migration.

      The Success box is now selected, indicating that migration has started.

  4. To migrate all ACTIVITYGROUP objects, follow these steps:

    1. Click the Edit List tab.

      The Edit Migration Criteria dialog box is displayed.

    2. Select the Organizational Role class from the list, then click OK.

    3. To start the migration, click OK again in the Migrate Data into the Identity Vault window.

To verify that the objects you selected have been migrated successfully, you can browse to the container that you specified in the Organizational Role placement policy. Successful migration can also be verified by looking at the DSTRACE window.