In Designer:
Open a project in the Modeler.
Right-click the driver icon or line, then select click
In iManager:
In iManager, click to display the Identity Manager Administration page.
Open the driver set that contains the driver whose properties you want to edit:
In the list, click . If the driver set is not listed on the tab, use the field to search for and display the driver set.
Click the driver set to open the Driver Set Overview page.
Locate the SAP User Management Fan-Out driver icon, then click the upper right corner of the driver icon to display the menu.
Click to display the driver’s properties page.
By default, the properties page opens with the tab displayed.
The Driver Configuration options are divided into the following sections:
The driver module changes the driver from running locally to running remotely or the reverse.
Table A-1 Driver Modules
| Option | Description |
|---|---|
| | Used to specify the name of the Java class that is instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file. If this option is selected, the driver is running locally. The name of the Java class is: com.novell.nds.dirxml.driver.sapumshim.SAPDriverShim |
| | This option is not used with the SAP User Management driver. |
| | Used when the driver is connecting remotely to the connected system. Designer includes two suboptions: |
The authentication section stores the information required to authenticate to the connected system.
Table A-2 Authentication Options
| Option | Description |
|---|---|
| | Specify an SAP account that the driver can use to authenticate to the SAP system. Example: SAPUser |
| or | Specify the IP address or name of the SAP server the driver should communicate with. |
| or Port | Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, where the hostname is the IP address of the application server running the Remote Loader server and the port is the port the Remote Loader is listening on. The default port for the Remote Loader is 8090. The kmo entry is optional. It is only used when there is an SSL connection between the Remote Loader and the Metadirectory engine. Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate |
| ) or | Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited. Click to set the file size to unlimited in Designer. |
| or | Specify the password for the user object listed in the field. |
| or | Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the connected system. |
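
The following Python code is an added example, not part of the product documentation or the driver: it parses a Remote Loader connection-parameter string in the format shown in Table A-2 and lists the entries a reviewer should look at, including a missing kmo entry. The function names, the finding texts, and the sample strings are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample values in the "hostname=... port=... kmo=..." format of Table A-2.
SAMPLES = [
    "hostname=10.0.0.1 port=8090 kmo=IDMCertificate",
    "hostname=10.0.0.300 port=99999",
]


def parse_remote_loader_params(value):
    """Split space-separated key=value tokens into a dict; reject malformed input."""
    params = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if not (sep and key and val):
            raise ValueError(f"malformed token: {token!r}")
        if key.lower() in params:
            raise ValueError(f"duplicate key: {key!r}")
        params[key.lower()] = val
    return params


def audit_remote_loader_params(value):
    """Return review findings (hypothetical wording) for one parameter string."""
    params = parse_remote_loader_params(value)
    findings = []
    host = params.get("hostname")
    if host is None:
        findings.append("hostname is missing")
    elif re.fullmatch(r"[0-9.]+", host):
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            findings.append(f"hostname {host!r} is not a valid IPv4 address")
    port = params.get("port")
    if port is None:
        findings.append("port is missing")
    elif not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        findings.append(f"port {port!r} is outside 1-65535")
    if "kmo" not in params:
        # The kmo entry is only used with SSL, so its absence means no certificate is named.
        findings.append("kmo is absent: no SSL certificate named for the Remote Loader link")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_remote_loader_params(sample) or "ok")
```
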
The startup option allows you to set the driver state when the Identity Manager server is started.
Table A-3 Startup Options
| Option | Description |
|---|---|
| | The driver starts every time the Identity Manager server is started. |
| | The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager. |
| | The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start. |
| | This option applies only if the driver is deployed and was previously disabled. If this option is not selected, the driver re-synchronizes the next time it is started. |
The Driver Parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.
The parameters are presented by category:
Table A-4 Driver Settings
| Parameter | Description |
|---|---|
| | Specify the SAP system ID of the SAP application server. The system ID is found in the SAP GUI status bar located in the lower right corner of the main window. This parameter is used to generate the realm for Account Tracking. The system ID is usually a three-character string that uniquely identifies an SAP system in the SAP system landscape. The realm must be unique per application type. For example: \<system ID>\<system number>\<client number> \S71\00\800 |
| | Specify the SAP system number of the SAP application server. This is referred to as the in the SAP logon properties. The default value is 00. |
| | Specify the client number to be used on the SAP application server. This is referred to as the in the SAP logon screen. |
| | Select the client type the driver is connecting to: The fan-out policies must know what type of client they are communicating with so they can generate the correct events. For example, most of the attributes in a CUA child client are synchronized through the CUA central client. |
| > > | This option is displayed only if you select . Specify the logical system name of the CUA central client that manages this client. The fan-out policies must know which client is the central client of a CUA child client, so that they can generate correct events. For example, most of the attributes in a CUA child client are synchronized through the CUA central client. |
| > > | This option is displayed only if you select . Add an attribute name in the Identity Vault namespace that you want to synchronize directly to the CUA child client, instead of sending it to the CUA central client. This filter is evaluated after the driver’s Subscriber filter is applied. For an attribute to encounter this filter, it must also be set to Subscribe or Notify in the regular driver filter. This filter is implemented in the Event Transformation policy set. For most deployments, you should leave the two default attributes of Login Disabled and nspmDistributionPassword in the filter. The fan-out policies must know which attributes to send directly to a CUA child client. |
| | Specify the Logic System Name for the client as it appears in the SAP system, if the SAP client is the central client in a CUA landscape. Otherwise, specify a unique name for this system. The driver uses the logical system names from both the primary connection and all of the secondary connections to uniquely identify a connection. The driver looks up the connection information based on this value. |
| | Specify the language code this driver will use for the SAP session. This is referred to as the in the SAP logon screen. |
| | Specify all of the languages installed on your SAP system. All of the languages you specify in the list are made available to the Role Mapping Administrator, so that Role Mapping Administrator can render the UI accordingly. |
| | The code for the character set to translate IDoc byte-string data into Unicode strings. An empty value causes the driver to use the host JVM default. |
| | Set this to if only the primary value of Communicate tables should be synchronized. Or set this to if all values should be synchronized. |
| | Select whether the driver populates the User Company Address data for the Publisher channel and for the Subscriber queues. |
| | Select to have the driver shim issue an error instead of a retry on Subscriber operation results. Use this setting when running the driver in fan-out mode. If you are not using the fan-out mode, select to disable this feature. If you are using the standard mode, select to enable this. |
Table A-5 Subscriber Settings
| Parameter | Description |
|---|---|
| | The communication table comment is a text comment the driver adds to all Communication table entries added by the Subscriber channel. This is a useful method for determining where an entry originated from when viewing values via the SAP GUI. Leaving this field blank provides no comment for the table entries. |
| | This parameter specifies the methodology used by the driver to set User account passwords. Passwords can be set by the driver's administrative User account or by the affected User's account (this sets a password on new accounts or modifies passwords for existing Users). Select if passwords must be changed immediately at the user’s next login. Or select if you do not want users to change passwords immediately at login. |
| (Conditional) | If you select the option above, you should specify a Password Set Method: or Administrator Set: Passwords are set by the driver's administrative User account. This method is deprecated and does not comply with SAP security best practices. The method works only for SAP systems that are version 4.6c or older. User Set: Passwords are supplied by the affected users. The following parameters must be set if you select User Set: |
| | Select whether to allow the driver to set passwords for non-dialog user types, such as Communications, System, Service, and Reference on the Subscriber channel. |
| | Select to lock accounts locally in the client. Local locking requires additional configuration in the SAP system. Select to lock accounts globally, which locks all accounts in the CUA child clients if the account in the CUA central client is locked. For more information, see Section G.0, Setting and Clearing Granular Locks. |
| | If you are configuring the driver for fan-out, click the plus icon, then add the information for the additional SAP system. The information requested is listed in Table A-4, Driver Settings. Repeat this process for each system you want to fan out to from this driver. |
Table A-6 Publisher Settings
| Parameter | Description |
|---|---|
| | Select whether or not you want to enable the driver’s Publisher channel. |
| | Select if the driver instantiates a JCo 3 Server to receive data distribution broadcasts from the SAP ALE system. Select if the driver consumes text file IDocs distributed by the SAP ALE system. |
| | Specify the SAP Gateway ID that distributes user data to the driver. |
| | Specify the registered program ID that is used by the driver. This value is specified in the SAP port definition. |
| | Select whether the JCo 3 server TRFC tracing is enabled. |
| | Specify the logical system name configured in the SAP system for user distribution to the Identity Manager driver. Publication only works if the Publisher channel is enabled and the driver’s primary connection is to a CUA central client. |
| | Specify how often the Publisher channel polls for unprocessed IDocs. The default value is 10 seconds. |
| | The behavior of this option is based on the values of the User record’s Logon Data “Valid From” date (LOGONDATA:GLTGV) when IDocs are processed by the Publisher channel. This field does not need to be in the Publisher filter for this processing to occur. Choose one of the following options: |
| | Specify the file system location where the SAP User IDoc files are placed by the SAP ALE system (file port configuration) or by the driver (TRFC configuration). This setting is only used if the Publisher channel is enabled. |
| | Specify how many minutes of inactivity can elapse before this channel sends a heartbeat document. In practice, more than the number of minutes specified can elapse. That is, this parameter defines a lower bound. |
Displays an ordered list of ECMAScript resource files. The files contain extension functions for the driver that Identity Manager loads when the driver starts. You can add additional files, remove existing files, or change the order the files are executed.
Displays an ordered list of Global Configuration objects. The objects contain extension GCV definitions for the driver that Identity Manager loads when the driver is started. You can add or remove the Global Configuration objects, and you can change the order in which the objects are executed.