
Oracle Identity Governance
Configuring the SAP User Management Engine Application
12c (12.2.1.3.0)
F12376-03
July 2020
Oracle Identity Governance Configuring the SAP User Management Engine Application, 12c (12.2.1.3.0)
F12376-03
Copyright 2018, 2020, Oracle and/or its affiliates.
Primary Author: Alankrita Prakash
Contributing Authors: Gowri.G.R
Contributors: Syam Kumar Battu, Jagadeesh Kumar, Niranjana Murthy
Preface

This guide describes the connector that is used to onboard SAP User Management Engine and SAP Access Control User Management Engine applications to Oracle Identity Governance.

Audience

This guide is intended for resource administrators and target system integration teams.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents

For information about installing and using Oracle Identity Governance 12.2.1.3.0, visit the following Oracle Help Center ndex.html

For information about installing and using Oracle Identity Manager 11.1.2.3, visit the following Oracle Help Center page:
http://docs.oracle.com/cd/E52734_01/index.html

For information about Oracle Identity Governance Connectors 12.2.1.3.0 documentation, visit the following Oracle Help Center ors-12213/index.html

For information about Oracle Identity Manager Connectors 11.1.1 documentation, visit the following Oracle Help Center page:
http://docs.oracle.com/cd/E22999_01/index.htm

Conventions

The following text conventions are used in this document:

| Convention | Meaning |
|---|---|
| boldface | Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. |
| italic | Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. |
| monospace | Monospace type indicates commands within a paragraph, URLs, code in examples, text that displays on the screen, or text that you enter. |
What's New in This Guide?

These are the updates made to the software and documentation for release 12.2.1.3.0 of Configuring the SAP User Management Engine Application.

The updates discussed in this chapter are divided into the following categories:

- Software Updates
  These include updates made to the connector software.
- Documentation-Specific Updates
  These include major changes made to the connector documentation. These changes are not related to software updates.

Software Updates

These are the updates made to the connector software.

Software Updates in Release 12.2.1.3.0

The following is the software update in release 12.2.1.3.0:

Support for Onboarding Applications Using the Connector

From this release onward, the connector bundle includes application onboarding templates required for performing connector operations on the SAP User Management Engine and the SAP User Management Access Control Engine targets. This helps in quicker onboarding of the applications for these targets into Oracle Identity Governance by using an intuitive UI.

Documentation-Specific Updates

These are the updates made to the connector documentation.

Documentation-Specific Updates in Release 12.2.1.3.0

The following documentation-specific update has been made in revision "03" of this guide:

Information about Oracle Identity Manager versions prior to 11g Release 2 PS3 (11.1.2.3.0) has been removed from the guide.

The following documentation-specific updates have been made in revision "02" of this guide:

- In this revision, the document is updated for editorial corrections.
- A "Note" regarding entitlements has been added to SoD Validation of Entitlement Requests.
- The "Oracle Identity Governance or Oracle Identity Manager" row of Table 1-1 has been updated to include support for Oracle Identity Governance 12c (12.2.1.4.0).
- Usage Recommendation has been modified to include support for Oracle Identity Governance 12c (12.2.1.4.0).
- Table 3-20 has been added.
- Table 3-1 and Table 3-2 of Basic Configuration Parameters have been modified and added respectively.
1 About the SAP User Management Engine Connector

Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external, identity-aware applications.

The SAP User Management Engine connector (SAP UME and SAP AC UME connectors) lets you onboard SAP applications in Oracle Identity Governance.

The SAP UME Connector is used for provisioning and reconciling accounts from SAP NetWeaver Java Application Server. This connector also supports the SoD validation feature with the help of the SAP Governance, Risk, and Compliance (GRC) Access Risk Analysis (ARA) module. The SAP AC UME Connector can be configured with the SAP GRC Access Request Management (ARM) module for user provisioning through web services.

Note:
In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily using only a single and simplified UI.

Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.

The following topics provide a high-level overview of the connector:

- Certified Components
- Usage Recommendation
- Certified Languages
- Supported Connector Operations
- Connector Architecture
- Supported Deployment Configurations
- Supported Connector Features Matrix
- Connector Features

1.1 Certified Components

These are the software components and their versions required for installing and using the connector.

Table 1-1 Certified Components

Component: Oracle Identity Governance or Oracle Identity Manager

  Requirement for AOB Application:
  You can use one of the following releases of Oracle Identity Manager or Oracle Identity Governance:
  - Oracle Identity Governance 12c (12.2.1.4.0)
  - Oracle Identity Governance 12c Release BP02 (12.2.1.3.2)

  Requirement for CI-Based Connector:
  You can use one of the following releases of Oracle Identity Manager or Oracle Identity Governance:
  - Oracle Identity Governance 12c (12.2.1.4.0)
  - Oracle Identity Governance 12c Release BP02 (12.2.1.3.2)
  - Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0) and any later BP in this release track

Component: Target systems

  Requirement for AOB Application:
  The target system can be one of the following:
  - SAP User Management Engine running on SAP NetWeaver 7.4 SPS 08 or later
  - SAP User Management Engine running on SAP NetWeaver 7.5 SPS 00 or later

  Requirement for CI-Based Connector:
  The target system can be one of the following:
  - SAP User Management Engine running on SAP NetWeaver '04 SPS 14 or later
  - SAP User Management Engine running on SAP NetWeaver 7.0 SPS 05 or later
  - SAP User Management Engine running on SAP NetWeaver 7.4 SPS 08 or later
  - SAP User Management Engine running on SAP NetWeaver 7.5 SPS 00 or later

  Note (given in both columns):
  If you install an SAP application in Java stack, such as SAP Enterprise Portal, then the connector can connect to SAP User Management Engine (UME) of the application.
  If you install an SAP application, such as SAP Business Warehouse (BW) or SAP Supplier Relationship Management (SRM), in Advanced Business Application Programming (ABAP) stack, then you must configure SAP Enterprise Portal against SAP User Management Engine (UME) of the application. See the respective target system documentation for information about this configuration.
  If you install an SAP application, such as SAP Process Integration (PI), in dual stack (ABAP and Java), then the connector can connect to SAP UME of the application. However, the limitations of the ABAP data source are applicable.

Component: Connector Server

  Requirement for AOB Application: 11.1.2.1.0
  Requirement for CI-Based Connector: 11.1.2.1.0

Component: Connector Server JDK

  Requirement for AOB Application: JDK 1.6 update 24 or later and JDK 1.7 or later, or JRockit 1.6 or later
  Requirement for CI-Based Connector: JDK 1.6 update 24 or later and JDK 1.7 or later, or JRockit 1.6 or later

Component: SAP Governance, Risk, and Compliance Access Control (GRC AC)

  Requirement for AOB Application and Requirement for CI-Based Connector (the same in both columns):
  If you want to configure and use the Access Risk Analysis or Access Request Management feature of this target system, then install the following:
  - SAP GRC AC 10 on SAP NetWeaver AS ABAP 7.02 Support Pack 7
    Install the GRCFND_A SP 10 component.
  - SAP GRC AC 10.1 on SAP NetWeaver AS ABAP 7.40 Support Pack 8
    Install the GRCFND_A SP 10 component.
  - To use the connector with Java, ABAP, or LDAP data source, use SAP NetWeaver AS ABAP 7.01 Support Pack 10 with EP RTA component GRCPIEP SP 10 patch 2 (on deploying GRCAC1010_4-20007574.SCA)
  - To use the connector with Java, ABAP, or LDAP data source, use SAP NetWeaver AS ABAP 7.01 Support Pack 10 with EP RTA component GRCPIEP SP 03 patch 2 (on deploying GRCAC1073003P_2-20009496.SCA)

1.2 Usage Recommendation

These are the recommendations for the SAP UME connector versions that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.

Note:
In Oracle Identity Governance, you can install and configure both SAP User Management and SAP User Management Engine connectors.
You can configure the connectors with SAP GRC target system to use either Access Risk Analysis or Access Request Management feature.

- If you are using Oracle Identity Governance releases 12c BP02 (12.2.1.3.2) or 12.2.1.4.0, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
- If you are using Oracle Identity Manager release 11.1.2.x, as listed in the "Requirement for CI-Based Connector" column of Table 1-1, then use the 11.1.x version of the SAP User Management Engine connector. If you want to use the 12.2.1.x version of this connector with Oracle Identity Manager release 11.1.2.x, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.

1.3 Certified Languages

These are the languages that the connector supports.

- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Czech
- Danish
- Dutch
- English
- Finnish
- French
- French (Canadian)
- German
- Greek
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese
- Portuguese (Brazilian)
- Romanian
- Russian
- Slovak
- Spanish
- Swedish
- Thai
- Turkish

1.4 Supported Connector Operations

This is the list of operations that the connector supports for your target system.

Table 1-2 Connector Operations Supported by the SAP UME and SAP AC UME Connectors

| Operation | Supported for SAP UME? | Supported for SAP AC UME? |
|---|---|---|
| User Management | | |
| Create a user account | Yes | Yes |
| Modify a user account | Yes | Yes |
| Delete a user account | Yes | Yes |
| Enable a user account | Yes | Yes |
| Disable a user account | Yes | Yes |
| Lock a user account | Yes | Yes |
| Unlock a user account | Yes | Yes |
| Assign a role to a user account | Yes | Yes |
| Assign multiple roles to a user account | Yes | Yes |
| Remove role for a user account | Yes | Yes |
| Remove multiple roles from a user account | Yes | Yes |
| Assign a group to a user account | Yes | No |
| Assign multiple groups to a user account | Yes | No |
| Remove a group for user account | Yes | No |
| Remove multiple groups from a user account | Yes | No |
| Entitlements | | |
| Add Role | Yes | Yes |
| Add Multiple Roles | Yes | Yes |
| Remove Role | Yes | Yes |
| Remove Multiple Roles | Yes | Yes |

1.5 Connector Architecture

The SAP UME connector is implemented by using the Identity Connector Framework (ICF).

The connector sets up Oracle Identity Governance as the front end for sending account creation or modification requests to applications that use the data source linked with SAP User Management Engine.

The connector reconciles any account data added or modified through provisioning operations performed directly on the data source into Oracle Identity Governance through SAP User Management Engine.

Figure 1-1 shows the connector integrating SAP User Management Engine with Oracle Identity Governance.
Figure 1-1 Architecture of the Connector

As shown in the figure, SAP User Management Engine is configured as the management tool for user data stored on a data source, which is either the ABAP module, AS (Application Server) Java data source, or an LDAP-based solution. User data changes made through the SAP User Management Engine UI are reflected on applications that use the data source or on the UI of the LDAP-based solution.

By creating an application, you configure SAP User Management Engine as a target resource of Oracle Identity Governance.

Oracle Identity Governance sends provisioning requests, which are routed through the SPML service to the application or system that uses the data source linked with SAP User Management Engine. You can view the user data changes resulting from the provisioning requests through the SAP User Management Engine UI.

You can configure the connector to run in the account management mode. Account management is also known as target resource management. In the account management mode, the target system is used as a target resource. This mode of the connector enables the following operations:

- Provisioning
  Provisioning involves creating or updating users on the target system through Oracle Identity Governance. When you allocate (or provision) an SAP User Management Engine resource to an OIG User, the operation results in the creation of an account on SAP UME for that user. In the Oracle Identity Governance context, the term provisioning is also used to mean updates made to the target system account through Oracle Identity Governance.
  During provisioning, adapters carry provisioning data submitted through the process form to the target system. The SPML service in the SAP User Management Engine accepts provisioning data from the adapters, performs the necessary provisioning operation, and then returns the response to adapters in Oracle Identity Governance.
- Reconciliation
  The scheduled task provided by the connector acts as the SPML client to send SPML requests to the SPML service in this application server.
  During reconciliation, a scheduled t