SAP ECC UM Agent
SAP-ECC-UMAgent is the DirX Identity agent that handles the synchronization of SAP user entries from a SAP ECC database with the Identity Store.
SAP-ECC-UMAgent is implemented in Java. SAP-ECC-UMAgent supports ECC 6.0, SAP S/4HANA (1709 FPS1) on-premise and higher and runs with all NetWeaver (ABAP stack) platforms that are supported by the SAP Java Connector and by DirX Identity. The underlying interface is upwards compatible from SAP R/3 to SAP ECC.
The employed "USER" BAPI methods are also generally applicable to the SAP Central User Administration (CUA).
| With SAP S/4HANA, user management has been extended to include Business User Management, which allows a business user to be updated through multiple channels. A customizing view defines the maintenance source of the workplace address attributes of a (business) user. If the source is set to User Management, all user attributes can be managed by the SAP ECC UMAgent/Connector. Attributes in this view whose source is not set to User Management can only be read by the SAP ECC UMAgent/Connector. (See SAP note 2570961 for more details.) |
SAP-ECC-UMAgent can:
-
Perform a full export of users, roles (activity groups) and profiles from an SAP ECC system, including the references to all assigned roles and profiles for users.
-
Perform a delta import of users into an ECC system, including creation of users, modification of user attributes, modification of a user’s role and profile assignments and deletion of users.
-
Generate a trace file (for tracing, reporting which objects were processed and the operations that failed)
Prerequisites
The SAP-ECC-UMAgent requires:
-
The SAP Java Connector (JCo) - to be installed on the machine where the UMAgent (that is, the DirX Identity server) runs. The SAP Java Connector is a toolkit that allows a Java application to communicate with any SAP system. Redistribution of the SAP JCo is not permitted, but it can be downloaded free of charge from SAP's Support Portal (https://support.sap.com → Products → Connectors → SAP Java Connector). If you do not have a login for the SAP Support Portal, ask your SAP administrator or request it from SAP.
You must install the 64-bit JCo.
For the latest information on JCo 3.1.4 or higher, see the release notes or SAP note 2786882 “SAP JCo 3.1 release and support strategy”.
| On Windows platforms, JCo 3.1 requires the Visual Studio 2013 C/C++ runtime libraries to be installed on the system. If they are not present, download and install the 64-bit "Visual C++ 2013 Redistributable Package" from the Microsoft knowledge base article https://support.microsoft.com/en-us/help/4032938. See the latest JCo documentation and/or SAP note 2786882. |
Pay attention to the installation notes that come with the JCo distribution.
|
If you want to use the SAP-ECC-UMAgent for real-time provisioning or in the password synchronization scenario, you must additionally copy the sapjco3.jar file into the folder install_path/ids-j/confdb/jobs/framework/lib. On Windows and Linux platforms, you must remove the file sapjco.jar (the JCo 2 jar) from the folder install_path/ids-j/confdb/jobs/framework/lib if it still exists there. |
|
(Windows only): Do not copy sapjco3.dll into the windows-dir\system32 directory. This could break other JCo versions that are already installed on the same system, and your installation would also stop working if sapjco3.dll in windows-dir\system32 were replaced in the future. Instead, add the sapjco3 installation path to the PATH environment variable and set the system environment variable CLASSPATH to the full pathname, including the file name, of sapjco3.jar. |
-
In order to run properly, the account that the agent uses to connect must have the rights for general user management (create, edit, display, lock/unlock, and delete user; S_USER_GRP for user groups (can be limited to certain user groups), S_USER_AGR for roles and S_USER_PRO for profiles) and the right to read the following tables (general authorization object is S_TABU_DIS):
non-CUA environment: USR10, USR11, AGR_DEFINE, AGR_TEXTS
CUA environment: USRSYSPRF, USRSYSPRFT, USRSYSACT, USRSYSACTT. We recommend defining a new authorization group for these tables as you can assign only authorization groups to the field DICBERCLS of S_TABU_DIS and far too many tables are in the relevant authorization groups SC and SS. With S_TABU_NAM the accessible tables can be defined.
Additionally, the UM connector retrieves information from the ECC system’s data dictionary. In order to do this, the account that the agent uses needs the following access rights granted:
(Authorization Object: S_RFC, ACTVT: 16, FUGR)
ECC Release Function Groups:
RFC1, SDIFRUNTIME, SG00, SRFC, SYST, SYSU.
For requesting the data, the agent uses RFC_READ_TABLE that belongs to function group SDTX. You must grant the access rights (authorization object: S_RFC, ACTVT: 16, FUGR) also to SDTX.
For changing the productive password without SNC (option setProductivePwdAtModDirectly set to false), the agent uses SUSR_USER_CHANGE_PASSWORD_RFC, which belongs to function group SUSO. You must also grant the access rights (authorization object: S_RFC, ACTVT: 16, FUGR) for SUSO.
-
The agent uses port 33xx when it connects to an application server directly, without a gateway server or SAProuter, where xx is the SAP gateway / system number of the SAP system to connect to; a firewall rule may have to be opened for this port. (See the section "General Notes" below for details.)
-
If you want to export the lock status of a user (attribute ISLOCKED.xxx), the following SAP support packages are required: Release 6.10: SP 43, Release 6.20: SP 51, Release 6.40: SP 12, Release 7.00: SP 01 (see SAP Note 826050 for more information).
-
The SAP-ECC-UMAgent uses the Java runtime environment (JRE) of DirX Identity, which is located in dxi_java_home.
Secure Connection
You can use Secure Network Communications (SNC) and the "SAP Cryptographic Library" to secure the connection to the SAP application server. The "SAP Cryptographic Library" is available for download in the SAP Service Marketplace (http://service.sap.com/download; then follow the link to "SAP Cryptographic Software"). If you do not have a login for the SAP Service Marketplace, ask your SAP administrator or request it from SAP. SNC is invoked from JCo's native code, so you must download the library build for the operating system and architecture (64-bit) on which the agent runs.
See the section “Installing and Configuring SNC Connections” for more information.
Restrictions
The agent implementation has the following restrictions:
-
SAP roles and profiles cannot be created or modified (due to missing appropriate interfaces).
-
Productive password update on CUA systems:
-
No productive password update is propagated onto CUA child systems unless you use the option setProductivePwdAtModDirectly set to true in conjunction with SNC. If you are using a CUA system in conjunction with an SAP Enterprise Portal, this is normally not an issue.
Workaround: In a password scenario without SAP Enterprise Portal, configure each CUA child system as a separate target system.
-
In conjunction with SAP Enterprise Portal: password update is only possible when the password authentication store is either the CUA central system or an LDAP directory.
-
Search on profiles on a CUA system: only the fields “profn”, “subsystem” and “typ” can be exported.
-
The search for user lock status needs extra SAP support packages.
Changes
The agent now uses the SAP function module BAPI_USER_GETLIST for searches to export users and no longer accesses the SAP tables USR02 (non-CUA system) and USZBVSYS (CUA system) directly. As a result, the lock status can only be exported via the ISLOCKED attributes (see the support packages referenced above). USR02.UFLAG (non-CUA system) and USZBVSYS.STATUS and USZBVSYS.SUBSYSTEM (CUA system) are no longer supported. This is a change from previous versions.
The agent exports only valid role assignments of a user. Roles assigned in the SAP system that are only valid in the past or in the future are not exported. This is a change to previous versions. If you still want the old behavior, you must set the attribute “onlyValidRoles” to false. You only get correct results if the client is in the same time zone (including daylight savings time) as the ECC server.
The agent now uses the parameter SELF_REGISTER in the function module BAPI_USER_CREATE1 for creating a user with a productive password per default. The old mechanism in 2 steps (initial password and then setting the productive password via SUSR_USER_CHANGE_PASSWORD_RFC) is still available. This is a change to previous versions.
Overview
The following figures illustrate the components of the SAP-ECC-UMAgent export and import operations.
This section describes:
-
SAP-ECC-UMAgent command line format for export and import operations
-
SAP-ECC-UMAgent configuration files for export and import operations
-
The export data file format that SAP-ECC-UMAgent generates
-
The import data file format that SAP-ECC-UMAgent recognizes
-
The search request file format that SAP-ECC-UMAgent recognizes
-
General Notes
Command Line Format
The command line format to invoke SAP-ECC-UMAgent is as follows:
SAPUMAgent.bat configuration_file
Parameters
configuration_file
Specifies the name of the file that contains the specifications for the export or import procedure. With the exception of the search criteria in export mode (which are described in a separate Service Provisioning Markup Language (SPML) file), all parameters of SAP-ECC-UMAgent operation are defined in the agent’s configuration file, in XML format.
The following table describes the codes provided when SAP-ECC-UMAgent finishes running:
| Exit Code | Description |
|---|---|
| 0 | SAP-ECC-UMAgent completed successfully. |
| 1 | SAP-ECC-UMAgent completed with errors, which are described in the specified trace file unless that file cannot be created because of a file exception. |
| 60 | SAP-ECC-UMAgent completed with warnings, which are described in the specified trace file. |
Configuration File Formats
SAP-ECC-UMAgent uses the following configuration files:
-
ECC UM export configuration file - controls the export of data from a SAP R/3 system
-
ECC UM import configuration file - controls the import of data into an SAP R/3 system
Templates of these configuration files are provided with the Agent installation. The filenames are:
-
ImportConfig.xml (to import user and user to role and profile assignments)
-
ExportConfig.xml (to export users or profiles or roles)
-
SearchRequest.xml (contains the search request to select the objects for export)
In general, you have to customize these files to support the requirements of your SAP R/3 system import and export operations.
This section also describes the general structure of a configuration file.
General Structure of a Configuration File
A SAP-ECC-UMAgent configuration file is in XML format.
The SAP-ECC-UMAgent is composed of multiple sub-units (connectors), which are configured in the configuration file. Different types of connectors are used for export and import. Consequently, you must not change the general structure of SAP-ECC-UMAgent import/export configuration files. Instead, you configure some well-defined attribute values to the specific environment in which the agent runs.
Tags
The configuration files contain the tags job, connector, logging and connection.
-
job - Defines the file’s document tag, with connector sub-tags
-
connector - Configures the properties of one connector, has connection and/or logging sub tags
-
connection - Configures connection parameters, for example, filename for a reader/writer or host/port/credentials for a network connector
-
logging - Configures the logging properties of a connector
Attributes
A connector tag can have the following attributes:
-
name - The connector’s name
-
role - One of reader, controller, connector, RequestCryptTransformer, or responseWriter
-
className - The name of the Java class that implements the connector
The connection parameters of the specific connectors are described in their connection sub-tags.
Each connection tag has the attribute
-
type - The type of connection (file format, protocol)
Readers and response writers are configured by the attribute
-
filename - The pathname of the input or output file.
The SAP_ECC_UM connection is configured by the attributes
-
logonVariant – indicator for logon variants:
-
0 = no load balancing (direct connection to the SAP instance)
-
1 = no load balancing but via gateway
-
2 = with load balancing
User logon properties:
-
user - The logon user for binding to the ECC system
-
password - The logon user password
-
client - The client number (3 digits)
-
language - The language that is used in response messages from the ECC system, if not defined the default user language is used.
Configuration for physical connection:
Direct connection to SAP instance:
-
server - The host name or IP address of the ECC application server
-
systemID, systemIDgateway - The system identification number (2 digits) or the name of the SAP system
-
gwhost - Host name of the SAP gateway
-
gwserv - Service number of the SAP gateway
Load balancing connection to a group of SAP instances:
-
server - The host name / IP address of the message server
-
r3SystemName - Name of the SAP system
-
group - Name of the group of application servers
-
msserv - SAP message server port, optional for a logon balancing connection
SAP router string can be used in both cases if the SAP system is behind a SAP router:
-
saprouter - SAP router string
SNC configuration:
-
snc_mode - Specifies SNC mode (true or false)
-
snc_lib - The path and file name of the cryptographic library
-
snc_partnername - The application server’s SNC name
-
snc_myname - The client’s SNC name
Destination configuration:
-
poolCapacity - (formerly maxConnections) The maximum number of idle connections kept open by the destination. A value of 0 has the effect that there is no connection pooling (default 3).
-
peakLimit - The maximum number of active connections that can be created for a destination simultaneously (default 6).
SAP tracing:
-
RFC_TRACE - A boolean switch to enable/disable RFC trace.
-
CPIC_TRACE - Enable/disable CPIC trace (0..3).
Behavioral configuration:
-
accesstoCUA - A boolean switch to specify whether the target system is a single ECC system or a ECC CUA system. The default is false.
-
combinedRoleProfileSubsystem – A boolean switch to specify whether (true) or not (false) combined role#subsystem or profile#subsystem names are used. The default is false.
-
blankValues – A boolean switch to specify whether (true) or not (false) blank values in attributes are exported. The default is false.
-
trim – A boolean switch to specify whether (true) or not (false) values in attributes are trimmed (delete blanks at the beginning and the end of a value). The default is true.
-
onlyValidRoles - A boolean switch to specify whether (true) or not (false) role assignments that are valid on the day of the export are exported (false; meaning also in the past or future). The default is true.
-
dontuseCacheResults - A boolean switch to specify whether (true) or not (false) internal BAPI_USER_GET_DETAIL calls set the import parameter CACHE_RESULTS to " " (blank). The default of the SAP interface method is "X". The default is false.
-
searchSapServiceUser - A boolean switch to specify whether (true) or not (false) certain SAP system accounts like "SAP*" should be exported. The default is false.
-
directlyAssignedRolesOnly - A boolean switch to specify whether (true) or not (false) only directly assigned roles are exported. If false, the export result contains all single roles for a composite role (indirectly assigned roles). So there is no difference visible in directly assigned single roles and indirectly single roles via a composite role. The default is false.
-
setProductivePwdAtAddDirectly - A boolean switch to specify whether (true) or not (false) the internal BAPI_USER_CREATE1 uses the SELF_REGISTER flag to set a productive password in one step. The default is true.
-
setProductivePwdAtModDirectly - A boolean switch to specify whether (true) or not (false) the internal BAPI_USER_CHANGE uses the PRODUCTIVE_PWD flag to set a productive password in one step. Notice that this requires an SNC connection. The default is false.
-
tryLoginAsUser – A boolean switch to specify whether (true) or not (false) a login as the account with the given new password is processed as part of a productive password modify operation. The default is true.
-
doCommit - A boolean switch to specify whether (true) or not (false) a BAPI_TRANSACTION_COMMIT call is executed in add and modify requests. This is necessary if you want certain user changes be reported in change log records. The default is false.
-
useCombinedAttributeForParameter - A boolean switch to specify whether (true) or not (false) combined values (key=value pairs) are used for the PARAMETER1 table. This is necessary if you want to set multiple key-value pairs. The key is assigned to the field PARAMETER1.PARID and the value is assigned to the field PARAMETER1.PARVA. The default is false.
-
combinedAttributeForParameter - The name of the attribute from which or to which a combined key-value pair is read or written. There is no default (the attribute is only relevant if useCombinedAttributeForParameter is set to true).
-
useAdditionalRoleParameters - A boolean switch to specify whether (true) or not (false) additional SAP role parameters are accepted when both CUA and combinedRoleProfileSubsystem are set. By default, only “dxrRole.NAME” is allowed. When this switch is set to true, “dxrRole.TO_DAT” and “dxrRole.FROM_DAT” are also allowed. Note that you must provide an equal number of NAME and other values, also with the same changetype (add, replace). The default is false.
-
doUserLockedRetry – The number of times an operation (Add, Modify, Delete) is retried if the user is currently locked. When modifications via BAPI calls are performed in sequence, the user to modify may still be locked by a previous call (operations are handled asynchronously). To handle this, use this parameter together with the doUserLockedInterval parameter. The default is 15. If set to 0, no retry is done.
-
doUserLockedInterval – The number of milliseconds between retries. The default is 200 milliseconds.
The agent’s logging is configured in the controller’s logging tag by the attributes:
-
level - The integers 0-9, where 0 indicates no logging and 9 indicates full logging
-
filename - The name of the trace file
Export Configuration File Format
The export configuration file has the format defined in the general section. The following template describes its configuration. The attribute values that you can configure are shown as placeholders, for example, level:
<?xml version="1.0" encoding="UTF-8" ?>
<job>
<connector name="Default Controller" version="0.1" role="controller"
className="siemens.dxm.connector.framework.DefaultControllerStandalone">
<logging level="level" filename="tracefilename" />
</connector>
<connector role="reader" name="SPML file reader"
className="siemens.dxm.connector.framework.SpmlFileReader">
<connection type="SPML" filename="SPMLinputfile" />
</connector>
<connector role="connector" className="siemens.dxm.connector.sapUM.sapUMuser"
name="SAP UM Agent" version="2.00">
<connection type="SAP_ECC_UM"
user="account"
password="password"
server="server">
<property name="client" value="client number"/>
<property name="systemID" value="system number"/>
<property name="systemIDgateway" value="system number"/>
<property name="gwhost" value="gateway server"/>
<property name="gwserv" value="gateway service number"/>
<property name="group" value="group name"/>
<property name="r3SystemName" value="ECC System name"/>
<property name="logonVariant" value="0 or 1 or 2"/>
<property name="language" value="language ISO code"/>
<property name="accesstoCUA" value="false or true"/>
<property name="combinedRoleProfileSubsystem"
value="false or true"/>
<property name="poolCapacity" value="number"/>
<property name="blankValues" value="false or true"/>
<property name="snc_mode" value="false or true"/>
<property name="snc_lib" value="path"/>
<property name="snc_partnername" value="p:distinguished name"/>
</connection>
</connector>
<connector role="responseWriter" name="LDIF File writer"
className="siemens.dxm.connector.framework.LdifFileWriter">
<connection type="LDIF" filename=”outputFile" />
</connector>
</job>
- level
-
level specifies how much information the messages in the trace file provide. The value is an integer from 0 to 5, or 9.
| Level | Type of Messages Logged |
|---|---|
| 0 | none |
| 1 | FatalError and Error |
| 2 | FatalError, Error and Warning |
| 3 | FatalError, Error and Warning |
| 4 | FatalError, Error and Warning |
| 5 | FatalError, Error, Warning and Trace |
| 9 | FatalError, Error, Warning and Trace (and additional HTML files) |
- tracefilename
-
tracefilename specifies the pathname of the trace file.
- SPMLinputfile
-
SPMLinputfile specifies the pathname of the Service Provisioning Markup Language (SPML) file that contains the search request.
- className
-
ClassName specifies which object type is processed:
siemens.dxm.connector.sapUM.sapUMuser for users,
siemens.dxm.connector.sapUM.sapUMactgroups for roles,
siemens.dxm.connector.sapUM.sapUMprofile for profiles,
siemens.dxm.connector.sapUM.sapUM as a common class. In this case a prefix "USER:", "ROLE:", or "PROFILE:" must be provided in the SPML identifier part.
- account
-
account specifies the account to be used for connecting to the ECC system.
- password
-
password specifies the password to be used for connecting to the ECC system.
- client
-
client specifies the client number to be used for connecting to the ECC system.
- language
-
language specifies the language that is used in ECC response messages (SAP ECC Language ID in accordance with ISO 639).
- logonVariant
-
logonVariant indicates the variant of the connection:
-
0 = no load balancing: connect to an application server or via SAP router
-
1 = no load balancing but via gateway: connect to a gateway server
-
2 = with load balancing: connect to a message server
- server
-
server specifies the host name or the IP address of the application server (logonVariant 0 or 1) or the host name/ IP address of the message server (logonVariant 2).
The host name and the service name of the application or message server must be defined in the hosts and services files:
-
logonVariant 0 or 1: <service name> = sapdp<system number>
-
logonVariant 2: <service name> = sapms<ECC system name>.
- systemID, systemIDgateway
-
systemID, systemIDgateway specify the system number to be used for connecting to the ECC system (logonVariant 0 or 1).
- gwhost
-
gwhost specifies the host name or the IP address of the SAP gateway server (logonVariant 1).
The host name and the service name of the SAP gateway must be defined in the hosts and services files. If GWHOST and GWSERV are not specified the service name of the SAP gateway must be defined in the services file (<service name> = sapgw<system number>).
- gwserv
-
gwserv specifies the gateway service number (logonVariant 1). For example: "sapgw00".
- r3SystemName
-
r3SystemName is the name (system ID) of the ECC system (logonVariant 2).
- group
-
group specifies the name of the group of application servers (logonVariant 2).
- msserv
-
msserv specifies the SAP message server port, optional for a logon balancing connection.
- sapRouter
-
sapRouter specifies the connection string for systems behind an SAProuter. The string contains the chain of SAProuters with their port numbers and has the form:
(/H/host/S/port)+
where /S/port can be omitted for a router that listens on the default SAProuter port 3299.
- poolCapacity
-
poolCapacity specifies the maximum number of idle connections kept open by the destination. A value of 0 has the effect that there is no connection pooling (default value is 3)
- peakLimit
-
peakLimit specifies the maximum number of active connections that can be created for a destination simultaneously (default value is 6)
- snc_mode
-
snc_mode specifies whether or not SNC is used.
- snc_lib
-
snc_lib specifies the path and file name of the SAP Cryptographic library.
- snc_partnername
-
snc_partnername specifies the application server’s SNC name.
- snc_myname
-
snc_myname specifies the client’s SNC name.
- combinedRoleProfileSubsystem
-
combinedRoleProfileSubsystem is a boolean switch to specify whether the agent should process combined “<role name>#<subsystem>” or “<profile name>#<subsystem>” names for the assignment of roles or profiles in a CUA environment.
- accessToCUA
-
accessToCUA specifies whether the target system is a single ECC system or a ECC CUA system.
- blankValues
-
blankValues specifies whether (true) or not (false) blank values in attributes should be exported. The default is false.
- trim
-
trim specifies whether (true) or not (false) values in attributes should be trimmed; that is blanks at the beginning and the end of a value are deleted. The default is true.
- onlyValidRoles
-
onlyValidRoles specifies whether (true) only role assignments that are valid on the day of the export are exported, or (false) assignments that are valid only in the past or future are exported as well. The default is true.
- searchSAPServiceUser
-
searchSAPServiceUser specifies whether (true) or not (false) certain SAP system accounts like "SAP*" are exported in a search request. The default is false.
- dontUseCacheResults
-
dontUseCacheResults specifies that, for the internally used BAPI call BAPI_USER_GET_DETAIL in modify or search requests, the import parameter CACHE_RESULTS is set to " " (blank). See SAP note 1101858 for more details. The default is false.
- directlyAssignedRolesOnly
-
directlyAssignedRolesOnly - A boolean switch to specify whether (true) or not (false) only directly assigned roles are exported. If false, the export result contains all single roles for a composite role (indirectly assigned roles). So there is no difference visible in directly assigned single roles and indirectly single roles via a composite role. The default is false.
- setProductivePwdAtAddDirectly
-
setProductivePwdAtAddDirectly - A boolean switch to specify whether (true) or not (false) the internal BAPI_USER_CREATE1 uses the SELF_REGISTER flag to set a productive password in one step. The default is true.
- setProductivePwdAtModDirectly
-
setProductivePwdAtModDirectly - A boolean switch to specify whether (true) or not (false) the internal BAPI_USER_CHANGE uses the PRODUCTIVE_PWD flag to set a productive password in one step. Notice that this requires an SNC connection. The default is false.
- tryLoginAsUser
-
tryLoginAsUser - A boolean switch to specify whether (true) or not (false) a login as the account with the given new password is processed as part of a productive password modify operation. The default is true.
- doCommit
-
doCommit - A boolean switch to specify whether (true) or not (false) a BAPI_TRANSACTION_COMMIT call is executed in add and modify requests. This is necessary if you want certain user changes be reported in change log records. The default is false.
- useCombinedAttributeForParameter
-
useCombinedAttributeForParameter – A boolean switch to specify whether (true) or not (false) combined values (key=value pairs) are used for the PARAMETER1 table. This is necessary if you want to set multiple key-value pairs. The key is assigned to the PARAMETER1.PARID field and the value is assigned to the PARAMETER1.PARVA field. The default is false.
- combinedAttributeForParameter
-
combinedAttributeForParameter – The name of the attribute from which or to which a combined key-value pair is read or written. There is no default (the attribute is only relevant if useCombinedAttributeForParameter is set to true).
- useAdditionalRoleParameters
-
useAdditionalRoleParameters - A boolean switch to specify whether (true) or not (false) additional SAP role parameters are accepted when both CUA and combinedRoleProfileSubsystem are set. By default, only “dxrRole.NAME” is allowed. When this switch is set to true, “dxrRole.TO_DAT” and “dxrRole.FROM_DAT” are also allowed. The default is false.
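As an added example (not DirX Identity or agent code), the following Python script lints the SAP_ECC_UM connection settings described above before the agent is run: it checks that the properties each logonVariant needs are present, that snc_mode=true is accompanied by snc_lib and snc_partnername, that setProductivePwdAtModDirectly=true is only used together with SNC, and it warns when a clear-text password sits in the file. The function names, the check list, the sample configuration and the host name in it are this example's own assumptions.

```python
"""Lint an SAP-ECC-UMAgent export/import configuration before running the agent.

Added example, not DirX Identity or agent code. It reads the
<connection type="SAP_ECC_UM"> element and reports settings that would make
the run fail or weaken it. The rules come from the attribute descriptions on
the page; the function names and the sample configuration are assumptions.
"""
import xml.etree.ElementTree as ET

# Properties each logonVariant needs in addition to user/password/client.
REQUIRED_BY_VARIANT = {
    "0": ("server", "systemID"),                             # direct connection to an application server
    "1": ("server", "systemIDgateway", "gwhost", "gwserv"),  # via SAP gateway
    "2": ("server", "r3SystemName", "group"),                # logon load balancing via message server
}

# Constructed sample (hypothetical host): logonVariant 0 without systemID, SNC on without snc_lib.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<job>
  <connector role="connector" name="SAP UM Agent"
             className="siemens.dxm.connector.sapUM.sapUMuser">
    <connection type="SAP_ECC_UM" user="DXI_SVC" password="" server="ecc01.example.invalid">
      <property name="client" value="100"/>
      <property name="logonVariant" value="0"/>
      <property name="snc_mode" value="true"/>
      <property name="snc_partnername" value="p:CN=ecc01, OU=SAP, O=Example"/>
      <property name="setProductivePwdAtModDirectly" value="true"/>
    </connection>
  </connector>
</job>
"""


def connection_settings(xml_text):
    """Collect the attributes and <property> values of the SAP_ECC_UM connection.

    Keys are lower-cased because the page spells some names inconsistently
    (r3SystemName / r3systemName, accesstoCUA / accessToCUA).
    """
    root = ET.fromstring(xml_text)
    conn = next((c for c in root.iter("connection") if c.get("type") == "SAP_ECC_UM"), None)
    if conn is None:
        raise ValueError('no <connection type="SAP_ECC_UM"> element found')
    settings = {k.lower(): v for k, v in conn.attrib.items() if k != "type"}
    for prop in conn.findall("property"):
        if prop.get("name"):
            settings[prop.get("name").lower()] = prop.get("value", "")
    return settings


def is_true(value):
    return (value or "").strip().lower() == "true"


def lint(xml_text):
    """Return a list of findings (empty when the connection settings are consistent)."""
    s = connection_settings(xml_text)
    findings = []

    variant = s.get("logonvariant", "0").strip()
    if variant not in REQUIRED_BY_VARIANT:
        findings.append(f"logonVariant must be 0, 1 or 2, got {variant!r}")
    else:
        for name in REQUIRED_BY_VARIANT[variant]:
            if not s.get(name.lower()):
                findings.append(f"logonVariant {variant} requires {name}")

    for name in ("user", "client"):
        if not s.get(name):
            findings.append(f"{name} is missing")

    snc = is_true(s.get("snc_mode"))
    if snc:
        for name in ("snc_lib", "snc_partnername"):
            if not s.get(name):
                findings.append(f"snc_mode=true requires {name}")
    if is_true(s.get("setproductivepwdatmoddirectly")) and not snc:
        findings.append("setProductivePwdAtModDirectly=true requires an SNC connection (snc_mode=true)")

    if s.get("password"):
        findings.append("clear-text password stored in the configuration file; restrict its permissions")
    if "maxconnections" in s and "poolcapacity" not in s:
        findings.append("note: maxConnections is the former name of poolCapacity")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against ExportConfig.xml or ImportConfig.xml before scheduling the job. The file carries the bind account's password in clear text, so restrict read access to the DirX Identity service account regardless of what the lint reports.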
Use the following attributes to control password generation:
- minLength
-
minLength specifies the minimum number of characters. The default value is 8.
- maxLength
-
maxLength specifies the maximum number of characters. The default value is 8.
- minUpperChar
-
minUpperChar specifies the minimum number of capital letters. The default value is 4.
- minLowerChar
-
minLowerChar specifies the minimum number of lower-case letters. The default value is 0.
- minNumeric
-
minNumeric specifies the minimum number of digits. The default value is 1.
- minNonAlphaNum
-
minNonAlphaNum specifies the minimum number of non-alphanumeric characters. The default value is 1.
- minSpecialChar
-
minSpecialChar specifies the minimum number of special characters. The default value is 0.
- prohibitChars
-
prohibitChars specifies the characters that are prohibited.
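As an added example, not the agent's own implementation, the following Python code shows what these attributes amount to by generating a password that satisfies a policy with the documented defaults, using a CSPRNG, and by checking a given password against the same policy. The character sets assumed for minNonAlphaNum and minSpecialChar are this example's choice; the page does not specify the agent's. Note that the defaults (minLength = maxLength = 8, minUpperChar 4, minNumeric 1, minNonAlphaNum 1) leave only two free positions, so consider raising maxLength where the SAP password policy allows it.

```python
"""Generate and check passwords against the agent's password-generation attributes.

Added example, not agent code. Which characters count as "non-alphanumeric"
and "special" is this example's assumption.
"""
import secrets
import string

# Defaults as documented on the page.
DEFAULT_POLICY = {
    "minLength": 8, "maxLength": 8, "minUpperChar": 4, "minLowerChar": 0,
    "minNumeric": 1, "minNonAlphaNum": 1, "minSpecialChar": 0, "prohibitChars": "",
}

# Assumed character classes for each minimum-count attribute.
CLASSES = {
    "minUpperChar": string.ascii_uppercase,
    "minLowerChar": string.ascii_lowercase,
    "minNumeric": string.digits,
    "minNonAlphaNum": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
    "minSpecialChar": "!#$%&",
}
UNION = "".join(dict.fromkeys("".join(CLASSES.values())))  # all classes, duplicates removed


def allowed(alphabet, prohibited):
    """Drop prohibited characters from a class alphabet."""
    return "".join(c for c in alphabet if c not in prohibited)


def check_policy(policy=None):
    """Return the reasons a policy can never be satisfied (empty list if it can)."""
    p = {**DEFAULT_POLICY, **(policy or {})}
    problems = []
    if p["minLength"] > p["maxLength"]:
        problems.append("minLength exceeds maxLength")
    required = sum(p[k] for k in CLASSES)
    if required > p["maxLength"]:
        problems.append(f"minimum counts need {required} characters but maxLength is {p['maxLength']}")
    for key, alphabet in CLASSES.items():
        if p[key] > 0 and not allowed(alphabet, p["prohibitChars"]):
            problems.append(f"{key} > 0 but every candidate character is prohibited")
    if not allowed(UNION, p["prohibitChars"]):
        problems.append("every candidate character is prohibited")
    return problems


def generate(policy=None):
    """Generate one password satisfying the policy, or raise ValueError if impossible."""
    p = {**DEFAULT_POLICY, **(policy or {})}
    problems = check_policy(p)
    if problems:
        raise ValueError("; ".join(problems))
    chars = []
    for key, alphabet in CLASSES.items():                # satisfy each minimum count first
        pool = allowed(alphabet, p["prohibitChars"])
        chars.extend(secrets.choice(pool) for _ in range(p[key]))
    length = p["minLength"] + secrets.randbelow(p["maxLength"] - p["minLength"] + 1)
    length = max(length, len(chars))
    pool = allowed(UNION, p["prohibitChars"])
    while len(chars) < length:                            # pad from the union of all classes
        chars.append(secrets.choice(pool))
    secrets.SystemRandom().shuffle(chars)                 # hide which positions carried the minimums
    return "".join(chars)


def satisfies(password, policy=None):
    """Check a password against the policy the same way generate() satisfies it."""
    p = {**DEFAULT_POLICY, **(policy or {})}
    if not p["minLength"] <= len(password) <= p["maxLength"]:
        return False
    if any(c in p["prohibitChars"] for c in password):
        return False
    return all(sum(c in alphabet for c in password) >= p[key] for key, alphabet in CLASSES.items())
```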
Search Request File Format
The objects to be exported are defined in a Service Provisioning Markup Language (SPML) search request. SPML is an XML format. The following template describes its configuration. The attribute values that can be configured are shown in bold (blue) italic, e.g., attribute1:
<?xml version="1.0" ?>
<spml:searchRequest xmlns="urn:oasis:names:tc:SPML:1:0"
xmlns:spml="urn:oasis:names:tc:SPML:1:0" requestID="search_01">
<spml:searchBase type="urn:oasis:names:tc:SPML:1:0#UserIDAndOrDomainName">
<spml:id>prefix</spml:id>
</spml:searchBase>
<spml:filter>
filter_expression
</spml:filter>
<spml:attributes>
<attribute name="attribute1" />
<attribute name="attribute2" />
</spml:attributes>
</spml:searchRequest>
- searchbase
-
searchbase specifies the type of objects to be returned by the search: "USER:", "ROLE:", or "PROFILE:". For users, an SAP user name can be appended to search for a single account ("USER:sapusername", where sapusername is the account's SAP user name).
searchbase is optional. The default is type user.
- attributes
-
attributes specifies the attributes attribute1, attribute2,… to be returned by the search.
- filter_expression
-
filter_expression specifies the search filter in SPML syntax. Only ApproximateMatch and ExtensibleMatch are prohibited. You can also have filter criteria on ECC user, activitygroup and profile names. In this case, use “USERNAME”, ”AGR_NAME”, and “PROFN” respectively as attribute names. See the section "Framework-based Agents" above for more information about SPML filters.
Filter Expression in BAPI USER GETLIST
The SPML filter expression is mapped to the SAP filter expression for the module BAPI_USER_GETLIST if it is appropriate. If the mapping is not possible, then a filter is not sent to the SAP system and the filtering takes place in the agent on the client side.
SAP only supports a subset of searchable user attributes and allows multiple attributes in the filter expression. An attribute can appear more than once; in this case, however, only the following is allowed: a selection using the same attribute linked with 'OR' and a selection using different attributes with 'AND'. An SPML filter linking the same attribute with ‘AND’ is not possible.
The mapping accepts an AND selection of the same attribute and the first selection operator is “GreaterEqual” and the second is “LessEqual”. This will be mapped in one SAP selection using “Between”. Similarly, “LessEqual” and “GreaterEqual” will be mapped into “NotBetween”. Note that the upper limit is exclusive, not inclusive. This is the only exception where you can give the same attribute linked with ‘AND’. For the upper limit, give the next higher value. It is also recommended to use only upper-case values.
Example: searching for users whose last name begins with 'A' or 'B':
    <and>
      <greaterOrEqual name="ADDRESS.LASTNAME">
        <value>A</value>
      </greaterOrEqual>
      <lessOrEqual name="ADDRESS.LASTNAME">
        <value>C</value>
      </lessOrEqual>
    </and>
This is mapped to the following internal selection range table:
| PARAMETER | FIELD | SIGN | OPTION | LOW | HIGH |
|---|---|---|---|---|---|
| ADDRESS | LASTNAME | I | BT | A | C |
"I" is the INCLUDE sign, "BT" is BETWEEN.
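The mapping rules above, as an added illustration in Python (this is not the agent's code): the function turns an SPML filter into rows of the selection range table, accepting OR on one attribute, AND across different attributes, and the GE/LE (BT) and LE/GE (NB) pairs on the same attribute, and returns None wherever the agent would have to fall back to client-side filtering. The OPTION codes EQ, GE, LE, BT and NB, and the treatment of a bare attribute name such as USERNAME as PARAMETER with an empty FIELD, are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# SPML 1.0 comparison elements handled here and the range-table OPTION each maps to.
# The OPTION codes are the usual SAP select-option codes and are assumed here; the
# BT/NB pairing follows the rules in the text above.
LEAF_OPTIONS = {"equalityMatch": "EQ", "greaterOrEqual": "GE", "lessOrEqual": "LE"}

# Constructed sample: the filter from the text (last names from 'A' up to, not including, 'C').
SAMPLE_FILTER = """<and>
  <greaterOrEqual name="ADDRESS.LASTNAME"><value>A</value></greaterOrEqual>
  <lessOrEqual name="ADDRESS.LASTNAME"><value>C</value></lessOrEqual>
</and>"""


class NotMappable(Exception):
    """The filter cannot be expressed as a selection range; the agent would then
    send no filter to SAP and evaluate the SPML filter on the client side."""


def _leaf(elem):
    """One comparison element -> one range-table row with SIGN 'I' (include)."""
    if elem.tag not in LEAF_OPTIONS:          # and/or/not/present/approxMatch/...
        raise NotMappable("unsupported element <%s>" % elem.tag)
    value = elem.findtext("value")
    if value is None:
        raise NotMappable("<%s> without <value>" % elem.tag)
    # "ADDRESS.LASTNAME" -> PARAMETER ADDRESS, FIELD LASTNAME. A bare name such as
    # "USERNAME" is assumed to go into PARAMETER with an empty FIELD.
    param, _, field = elem.get("name", "").partition(".")
    return {"PARAMETER": param, "FIELD": field, "SIGN": "I",
            "OPTION": LEAF_OPTIONS[elem.tag], "LOW": value, "HIGH": ""}


def _or(elem):
    """OR is mappable only when every branch selects on the same attribute:
    SAP OR-s rows that share PARAMETER/FIELD."""
    rows = [_leaf(child) for child in elem]
    if len({(r["PARAMETER"], r["FIELD"]) for r in rows}) != 1:
        raise NotMappable("OR across different attributes (or empty OR)")
    return rows


def _and(elem):
    children = list(elem)
    # The single permitted AND on one attribute: GE then LE -> BT, LE then GE -> NB.
    if (len(children) == 2 and all(c.tag in LEAF_OPTIONS for c in children)
            and children[0].get("name") == children[1].get("name")):
        first, second = _leaf(children[0]), _leaf(children[1])
        option = {("GE", "LE"): "BT", ("LE", "GE"): "NB"}.get(
            (first["OPTION"], second["OPTION"]))
        if option is None:
            raise NotMappable("same attribute linked with AND")
        first["OPTION"], first["HIGH"] = option, second["LOW"]
        return [first]
    # Otherwise each branch must select on a different attribute (SAP AND-s rows of
    # different fields); a branch may itself be an OR on one attribute.
    rows, seen = [], set()
    for child in children:
        group = _or(child) if child.tag == "or" else [_leaf(child)]
        key = (group[0]["PARAMETER"], group[0]["FIELD"])
        if key in seen:
            raise NotMappable("same attribute linked with AND")
        seen.add(key)
        rows.extend(group)
    return rows


def map_spml_filter(xml_text):
    """Map an SPML filter to BAPI_USER_GETLIST selection-range rows.
    Returns the rows, or None when the agent would have to filter on the client side."""
    root = ET.fromstring(xml_text)
    try:
        if root.tag == "and":
            return _and(root)
        if root.tag == "or":
            return _or(root)
        return [_leaf(root)]
    except NotMappable:
        return None


if __name__ == "__main__":
    for row in map_spml_filter(SAMPLE_FILTER):
        print(row)
```

Running the block prints the single BT row shown in the table above; an AND of two equalityMatch elements on the same attribute yields None, which is exactly the case in which filtering moves into the agent.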
The following table is taken from the current SAP documentation at the time of this writing and is subject to change by SAP. It shows which user attributes can be used:
| PARAMETER | FIELD | Permitted LOW Values |
|---|---|---|
| USERNAME | <user name> | |
| LOGONDATA | GLTGV, GLTGB, USTYP, CLASS, ACCNT, TZONE, CODVN, UFLAG (not in BAPI_USER_GET_DETAIL, which shows this information in parameter ISLOCKED) | (in accordance with the field type) |
| DEFAULTS | SPLD, SPLG, SPDB, SPDA, DATFM, DCPFM, LANGU, KOSTL, START_MENU, TIMEFM | (in accordance with the field type) |
| REF_USER | REF_USER | <user name> |
| ALIAS | USERALIAS | <user alias> |
| PROFILES | BAPIPROF | <profile name> |
| LOCPROFILES | SUBSYSTEM, PROFILE | (in accordance with the field type) |
| ACTIVITYGROUPS | AGR_NAME, FROM_DAT, TO_DAT | (in accordance with the field type) |
| LOCACTGROUPS | SUBSYSTEM, AGR_NAME, FROM_DAT, TO_DAT | (in accordance with the field type) |
| ADDRESS | FIRSTNAME, LASTNAME, DEPARTMENT, INHOUSE_ML, FUNCTION, BUILDING_P, BUILDING, ROOM_NO_P, TEL1_EXT, TEL1_NUMBR, FAX_EXTENS, FAX_NUMBER, E_MAIL | (in accordance with the field type) |
| COMPANY | COMPANY | <cross-system key of company address> |
| LASTMODIFIED | MODDATE, MODTIME | 'L' |
| ISLOCKED | LOCAL_LOCK, GLOB_LOCK, WRNG_LOGON, NO_USER_PW | (in accordance with the field type) |
| SYSTEM | SUBSYSTEM | <logical system name> |
| The UMAgent does not check the attributes. The expression is sent to the SAP system. If an attribute is not allowed, an error return code is returned, which results in a warning on the client side and no search result is returned. |
Import Configuration File Format
The import configuration file has the format defined in the general section. The following template describes its configuration. The attribute values that you can configure are shown in bold (blue) italic, for example level:
<?xml version="1.0" encoding="UTF-8" ?>
<job>
  <connector name="Default Controller" version="0.1" role="controller"
             className="siemens.dxm.connector.framework.DefaultControllerStandalone">
    <logging level="level" filename="tracefilename" />
  </connector>
  <connector role="reader" name="LDIF change file reader"
             className="siemens.dxm.connector.framework.LdifChangeReader">
    <connection type="LDIF change" filename="inputFilename" />
    <property name="IdentifierType"
              value="urn:oasis:names:tc:SPML:1:0#UserIDAndOrDomainName"/>
    <property name="ExtractRDN" value="true or false"/>
    <property name="IncludingNamingAttribute" value="true or false"/>
  </connector>
  <connector role="connector" className="siemens.dxm.connector.sapUM.sapUMuser"
             name="SAP UM Agent" version="2.00">
    <connection type="SAP_ECC_UM"
                user="account"
                password="password"
                server="server">
      <property name="client" value="client number"/>
      <property name="systemID" value="system number"/>
      <property name="systemIDgateway" value="system number"/>
      <property name="gwhost" value="gateway server"/>
      <property name="gwserv" value="gateway service number"/>
      <property name="group" value="group name"/>
      <property name="r3SystemName" value="ECC System name"/>
      <property name="logonVariant" value="0 or 1 or 2"/>
      <property name="language" value="language ISO code"/>
      <property name="accesstoCUA" value="false or true"/>
      <property name="combinedRoleProfileSubsystem" value="false or true"/>
      <property name="maxConnections" value="number"/>
      <property name="blankValues" value="false or true"/>
      <property name="snc_mode" value="false or true"/>
      <property name="snc_lib" value="path"/>
      <property name="snc_partnername" value="p:distinguished_name"/>
    </connection>
  </connector>
  <connector role="responseWriter" name="SPML File writer"
             className="siemens.dxm.connector.framework.SpmlFileWriter">
    <connection type="SPML" filename="responseFilename" />
  </connector>
</job>
The following fields differ from their description in the export configuration.
- inputFilename
-
inputFilename specifies the pathname of the LDIF change file that contains the data for import.
- ExtractRDN
-
ExtractRDN specifies whether the DN or RDN is used. If false, the DN is unescaped and will be used as the identifier. If true, the RDN is extracted with or without naming attributes (see next field IncludingNamingAttribute) and unescaped.
- IncludingNamingAttribute
-
IncludingNamingAttribute specifies whether or not naming attributes are included in the identifier.
- responseFilename
-
responseFilename specifies the name of the Service Provisioning Markup Language (SPML) response file that contains the responses to the add, modify, and delete requests.
Export Data File Format
A search request creates an export file in LDIF content format that contains the search result.
| The identifiers of the users (i.e., attribute USERNAME.BAPINAME), roles (i.e., attribute AGR_DEFINE.AGR_NAME or USRSYSACT.AGR_NAME) and profiles (i.e., attribute USR10.PROFN or USRSYSPRF.PROFN) are converted to LDAP distinguished name (DN) syntax. |
Import Data File Format
The import data file format recognized by the SAP ECC UM agent is LDIF change file format. The data has to be provided in UTF-8 character set (or US-ASCII), not in ISO8859-1 (Latin-1).
The supported change types are add, modify, and delete; modifyDN is not supported.
Example:
-
A user with user name ps045293 for the person Paul Simon with telephone number 45293 and role SAP_ALL_DISPLAY valid from 03/11/01 is created. Mandatory attributes for creating a user are lastname (and user name). Password is also mandatory if no SNC parameters are set:
    dn: cn=ps045293
    changetype:add
    ADDRESS.LASTNAME:Simon
    ADDRESS.TEL1_NUMBR:45293
    PASSWORD.BAPIPWD:hugohugo
    ADDRESS.FIRSTNAME:Paul
    ACTIVITYGROUPS.AGR_NAME:SAP_ALL_DISPLAY
    ACTIVITYGROUPS.FROM_DAT:2003-11-01
    ACTIVITYGROUPS.TO_DAT:9999-12-31
-
Another role is assigned to the user ps045293:
    dn: cn=ps045293
    changetype:modify
    add: ACTIVITYGROUPS.AGR_NAME
    ACTIVITYGROUPS.AGR_NAME:SAP_WORKPLACE_USER
    -
-
The user rk044251 is deleted:
    dn: cn=rk044251
    changetype:delete
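A small parser and checker for this import format, added here as an example and not part of the agent: it reads the records shown above from a constructed UTF-8 byte string, rejects ISO8859-1 input and unsupported change types, derives the user name from the DN according to the ExtractRDN and IncludingNamingAttribute reader properties, and reports missing mandatory attributes for an add. The function names and the record layout are the example's own; LDIF line folding is not handled.

```python
import re

SUPPORTED_CHANGETYPES = ("add", "modify", "delete")   # modifyDN / modrdn is rejected

# Constructed sample input: the records from the text, UTF-8 encoded as required.
SAMPLE_LDIF = b"""dn: cn=ps045293
changetype:add
ADDRESS.LASTNAME:Simon
ADDRESS.FIRSTNAME:Paul
PASSWORD.BAPIPWD:hugohugo
ACTIVITYGROUPS.AGR_NAME:SAP_ALL_DISPLAY
ACTIVITYGROUPS.FROM_DAT:2003-11-01

dn: cn=ps045293
changetype:modify
add: ACTIVITYGROUPS.AGR_NAME
ACTIVITYGROUPS.AGR_NAME:SAP_WORKPLACE_USER
-

dn: cn=rk044251
changetype:delete
"""

def _split_attr(line):
    """'attr: value' or 'attr:value' -> (attr, value); LDIF allows no space after the colon."""
    name, _, value = line.partition(":")
    return name.strip(), value.strip()

def _unescape_dn(value):
    """Undo LDAP DN escaping: backslash-escaped characters and hex pairs such as \\2C."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)

def identifier(dn, extract_rdn=True, including_naming_attribute=False):
    """User name from the DN, following the ExtractRDN / IncludingNamingAttribute properties."""
    if not extract_rdn:
        return _unescape_dn(dn)
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]      # first RDN, escaped commas ignored
    return _unescape_dn(rdn if including_naming_attribute else rdn.partition("=")[2])

def parse_ldif_changes(data):
    """Parse a UTF-8 LDIF change file; UnicodeDecodeError / ValueError on unacceptable input."""
    text = data.decode("utf-8")                          # ISO8859-1 bytes fail here
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if len(lines) < 2:
            raise ValueError("record without dn and changetype")
        dn_attr, dn = _split_attr(lines[0])
        ct_attr, changetype = _split_attr(lines[1])
        if dn_attr.lower() != "dn" or ct_attr.lower() != "changetype":
            raise ValueError("record must start with dn: and changetype:")
        changetype = changetype.lower()
        if changetype not in SUPPORTED_CHANGETYPES:
            raise ValueError("unsupported changetype %r for %s" % (changetype, dn))
        record = {"dn": dn, "changetype": changetype, "attributes": {}, "mods": []}
        mod = None
        for line in lines[2:]:
            if changetype == "modify" and line == "-":   # "-" closes one modification
                record["mods"].extend([mod] if mod else [])
                mod = None
                continue
            name, value = _split_attr(line)
            if changetype == "add":
                record["attributes"].setdefault(name, []).append(value)
            elif changetype == "delete":
                raise ValueError("delete record for %s must not carry attributes" % dn)
            elif mod is None:                            # "add: attr" / "replace: attr" / "delete: attr"
                if name.lower() not in ("add", "replace", "delete"):
                    raise ValueError("bad modify operation %r for %s" % (name, dn))
                mod = {"op": name.lower(), "attr": value, "values": []}
            else:
                mod["values"].append(value)
        record["mods"].extend([mod] if mod else [])      # modification without trailing "-"
        records.append(record)
    return records

def check_import_file(data, snc_active=False):
    """Problems the agent would hit with this file (empty list: acceptable). An add needs
    ADDRESS.LASTNAME and, unless SNC parameters are set, PASSWORD.BAPIPWD, as stated above."""
    try:
        records = parse_ldif_changes(data)
    except UnicodeDecodeError:
        return ["file is not valid UTF-8 (ISO8859-1/Latin-1 input is not accepted)"]
    except ValueError as err:
        return [str(err)]
    problems = []
    for rec in records:
        if rec["changetype"] != "add":
            continue
        required = ["ADDRESS.LASTNAME"] + ([] if snc_active else ["PASSWORD.BAPIPWD"])
        for attr in required:
            if attr not in rec["attributes"]:
                problems.append("%s: missing mandatory attribute %s" % (rec["dn"], attr))
    return problems
```

check_import_file(SAMPLE_LDIF) returns an empty list; feeding it a file saved as ISO8859-1 with an umlaut in a DN, or a record with changetype modrdn, returns the corresponding problem before anything would be sent to the SAP system.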
Installing and Configuring SNC Connections
The SAP Cryptographic Library installation package contains the following relevant files:
-
The SAP Cryptographic Library (sapcrypto.dll for Windows or libsapcrypto.so for Linux; you need the 64-bit package)
-
The configuration tool sapgenpse.exe (sapgenpse for Linux)
Installation Procedure
-
Extract the contents of the SAP Cryptographic Library installation package.
-
Copy the library and the configuration tool sapgenpse.exe to a local directory, for example to install_path/SAPCryptolib.
-
Check the file permissions. The user under which the SAP-ECC-UMAgent runs must be able to execute the library’s functions.
-
Create the sub-directory sec in this directory. This is also the directory where the user’s PSE and credentials are created.
-
Set the (system) environment variable SECUDIR to the sec sub-directory.
-
On Linux, in the file SapUM.sh in the installation folder, set the environment variable LD_LIBRARY_PATH accordingly.
When using the SAP Cryptographic Library as the security product for SNC, the SAP-ECC-UMAgent user must possess a Personal Security Environment (PSE). This PSE contains the user’s public-key information, which includes its private key, its public-key certificate, and the list of public-key certificates that it trusts.
To create the SNC PSE for the user under which the SAP-ECC-UMAgent runs, use the command line tool sapgenpse.exe as shown below. Alternatively, you can use a single PSE for both the application server and the SAP-ECC-UMAgent. In this case, copy the application server’s SNC PSE to the user’s SECUDIR directory.
Use the following command to create the PSE:
sapgenpse gen_pse -p PSE_Name -x PIN Distinguished_Name
The following command creates the PSE file UM.pse, protected with the PIN umpin. With this PSE, the SAP-ECC-UMAgent user has the Distinguished Name CN=sapum, O=MyCompany, C=DE.
sapgenpse gen_pse -p UM.pse -x umpin "CN=sapum, O=MyCompany, C=DE"
The UMAgent must have active credentials at run-time to be able to access its PSE. Therefore, use the configuration tool’s command seclogin to “open” the PSE.
Use the following command to open the user’s PSE and create credentials:
sapgenpse seclogin -p PSE_Name -x PIN -O user_ID
If you run the services under the LocalSystem account - which is the default on Windows - then use -O SYSTEM.
sapgenpse seclogin -p UM.pse -x umpin -O SYSTEM
To be able to communicate using SNC, the SAP system application server must be able to identify the SAP-ECC-UMAgent and vice versa. This identification process takes place using the information stored in the user’s PSE. Therefore, to make sure that the two servers can identify each other, you can either use a single PSE for both sides, or you can create individual ones. If you use individual PSEs, you must exchange the public-key certificates so that they can identify each other. You have two possibilities: you can use these certificates without having them signed by a Certificate Authority (CA), or you can create certificate requests, send them to your CA for signing, and then import the signed certificates you receive from the CA.
The identification process steps without using any CA are:
-
Export the SAP-ECC-UMAgent’s public-key certificate using the configuration tool’s command export_own_cert:
sapgenpse export_own_cert -o output_file -p PSE_Name -x PIN
-
Import the SAP-ECC-UMAgent’s public-key certificate into the application server’s SNC PSE. If the application server is an SAP Web Application Server with Release 6.20 or later, you can use the trust manager (transaction STRUST) to import the certificate. Otherwise, use the configuration tool’s command maintain_pk:
sapgenpse maintain_pk -a cert_file -p PSE_Name -x PIN
-
Export the application server’s public-key certificate. If the application server is an SAP Web Application Server with Release 6.20 or later, you can use the trust manager. Otherwise, use the configuration tool’s command export_own_cert.
-
Import the application server’s public-key certificate into the SAP-ECC-UMAgent’s SNC PSE using the configuration tool’s command maintain_pk.
-
In User Maintenance (transaction SU01) in the SAP system, assign the user’s SNC name, which you entered when generating the PSE, on the SNC tab page. The SNC name is not the same as the Distinguished Name you used when creating the PSE: the SNC name has the syntax p:Distinguished_Name.
Take care to specify the distinguished name in the same way wherever it occurs. The operations are case sensitive.
Other mandatory settings on the server side are:
-
In the table USRACLEXT of the server, the user name and the user’s SNC name must be maintained (the user under which the SAP-ECC-UMAgent process runs).
-
The following system parameters must be set:
  - snc/accept_insecure_rfc to 1
  - snc/permit_insecure_start to 1 for all application servers
If you want to use signed certificates, perform these steps after step 1 and before step 2 above:
-
Export a certificate request file from your PSE with the command:
sapgenpse gen_pse -p PSE_Name -x PIN -onlyreq -r certfile.p10
The request file is in PKCS#10 format. Send it to your CA for signing.
-
Import the certificate request response and the CA certificate into your PSE with the command:
sapgenpse import_own_cert -p PSE_Name -x PIN -c user_cert.crt -r ca_cert.crt
where user_cert.crt is the signed user certificate and ca_cert.crt is the certificate of the CA. If there are intermediate certificates from the CA, add them with additional -r options.
Similar steps must be performed on the SAP server side.
Example, using the PSE UM.pse created above and an application server PSE SAPSNC.pse:
-
Export the SAP-ECC-UMAgent’s public-key certificate:
sapgenpse export_own_cert -o UM.crt -p UM.pse -x umpin
-
Import the UMAgent’s public-key certificate into the application server’s SNC PSE:
sapgenpse maintain_pk -a UM.crt -p SAPSNC.pse -x sappin
-
Export the application server’s public-key certificate:
sapgenpse export_own_cert -o SAPSNC.crt -p SAPSNC.pse -x sappin
-
Import the application server’s public-key certificate into the UMAgent’s SNC PSE:
sapgenpse maintain_pk -a SAPSNC.crt -p UM.pse -x umpin
For the SAP-ECC-UMAgent connection, set the following SNC-related mandatory parameters:
SNC mode
whether (true) or not (false) SNC is active.
SNC library path
the path and file name of the SAP Cryptographic library; for example, install_path/SAPCryptolib/sapcrypto.dll.
Partner’s SNC name
the application server’s name; for example, p:CN=ABC, O=MyCompany, C=US. (Case-sensitive, as written in the certificate! Note the prefix “p:”)
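An added preflight check in Python for the setup described in this section (not part of the product): it verifies that the library can be loaded by the agent user, that SECUDIR points at a directory holding the PSE and the credentials created by seclogin, and that the partner name carries the p: prefix. The credential file name cred_v2, the group/other permission check on SECUDIR and the build_demo_layout helper that creates an empty stand-in layout are assumptions of the example.

```python
import os
import stat
import tempfile


def snc_preflight(snc_lib, secudir, pse_name, partner_name):
    """Check the SNC prerequisites before starting the agent. Returns a list of
    problems; an empty list means the setup looks complete. The file name cred_v2
    and the permission check are assumptions of this example."""
    problems = []
    # The agent user must be able to load the library (read and execute on Linux).
    if not os.path.isfile(snc_lib):
        problems.append("snc_lib %s does not exist" % snc_lib)
    elif not os.access(snc_lib, os.R_OK | os.X_OK):
        problems.append("snc_lib %s is not readable/executable by this user" % snc_lib)
    # SECUDIR must point at the sec directory that holds the PSE and the credentials.
    if not secudir:
        problems.append("SECUDIR is not set")
    elif not os.path.isdir(secudir):
        problems.append("SECUDIR %s is not a directory" % secudir)
    else:
        if not os.path.isfile(os.path.join(secudir, pse_name)):
            problems.append("PSE %s not found in SECUDIR (run sapgenpse gen_pse)" % pse_name)
        if not os.path.isfile(os.path.join(secudir, "cred_v2")):
            problems.append("no credentials in SECUDIR (run sapgenpse seclogin)")
        # The PSE holds the private key: keep the directory private to the agent user.
        if os.name != "nt" and stat.S_IMODE(os.stat(secudir).st_mode) & 0o077:
            problems.append("SECUDIR is accessible to group/others but holds the private key")
    # The partner's SNC name is the DN from the server certificate with the p: prefix.
    if not partner_name.startswith("p:") or len(partner_name) == 2:
        problems.append("snc_partnername must be p: followed by the server's DN")
    return problems


def build_demo_layout():
    """Constructed throw-away install_path/SAPCryptolib layout with empty stand-ins
    for the library, the PSE and the credential file (no real keys)."""
    base = tempfile.mkdtemp()
    libdir = os.path.join(base, "SAPCryptolib")
    secudir = os.path.join(libdir, "sec")
    os.makedirs(secudir)
    os.chmod(secudir, 0o700)
    lib = os.path.join(libdir, "libsapcrypto.so")
    for path in (lib, os.path.join(secudir, "UM.pse"), os.path.join(secudir, "cred_v2")):
        open(path, "wb").close()
    os.chmod(lib, 0o500)
    return lib, secudir


if __name__ == "__main__":
    lib, secudir = build_demo_layout()
    print(snc_preflight(lib, secudir, "UM.pse", "p:CN=sapum, O=MyCompany, C=DE") or "SNC setup OK")
```

On a real installation call snc_preflight with the snc_lib path from the connection configuration, the value of SECUDIR, the PSE name passed to gen_pse and the snc_partnername value; each returned string names the step in this section that still has to be done.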
General Notes
The UMAgent uses SAP’s Business Application Programming Interface (BAPI) to import and export user data. As a result, you must use the BAPI table and attribute names, not the SAP ECC internal table names. The BAPI data view can be viewed on an ECC system using the transaction BAPI. The business object is USER.
You can view attribute names for roles or profiles if you select the method “ActgroupsAssign” or “ProfilesAssign” and then the table “Activitygroups” or “Profiles” (non-CUA). For CUA, the methods are “LocActgroupsAssign” or “LocProfilesAssign” and then the table “Activitygroups” or “Profiles”. The CUA methods can only be viewed in release 640, although they exist in previous releases, too.
Distinguished Names
On the directory side, the DN (distinguished name) is used to identify an entry. There is no DN in the SAP user management. For ECC users, the user name is the key. You can find it in the SAP ECC table USR05 as field BNAME. The agent maps the BAPI attribute USERNAME.BAPINAME to a DN. If you want to export the user name, you must have the DN in your list of selected attributes. In an export, the user name is written as a DN attribute.
Attribute Configuration File
An attribute configuration file defines the attributes that are present in a particular connected directory. The example attribute configuration file of the SAP ECC connected directory uses only a subset of valid attributes in the SAP ECC user management. You can see the content of this file in the DirX Identity Manager in the connectivity global view default scenario when selecting Configure from the context-sensitive menu of the Scenario → Default → Target Scheduled → SAP ECC/UM container (field Attribute Config). You find more attributes in the file inst_path/schema/dirx/dirxabbr-ext.DirXmetahub.SAP-UM.
Import/Export Date Values
To import a date, use the format yyyymmdd. The exported format is yyyy-mm-dd.
Distribution in a CUA Environment
In a CUA environment, it depends on the current distribution parameter settings for the user master records where attributes can be maintained:
-
In the central system
-
Locally in the child system
-
In the child system with automatic redistribution to the central system and the other CUA child systems
| The DirX Identity Provisioning scenario only supports a distribution model where SAP roles and/or profiles are distributed globally. You can display and maintain the distribution model within transaction SCUM. |
| Synchronizing User Groups: User groups can be created and distributed if you change the system behavior of the central system and the target system by setting a switch in the PRGN_CUST Customizing table. See SAP note 395841 for further information. |
Lock/Unlock
To lock or unlock a user, the agent uses the (pseudo-)attribute dxrTSState to determine whether a user must be locked or unlocked:
| Operation / dxrTSState | ENABLED | DISABLED |
|---|---|---|
| AddRequest | user is created without any lock | user is created with lock |
| ModifyRequest | user is unlocked | user is locked |
| DeleteRequest | not applicable | not applicable |
Other values of the attribute dxrTSState are ignored.
In a CUA environment, the lock/unlock is done only globally and it depends on the current distribution parameters set for the lock data whether global locking is possible.
Export Lock Status
In a search, the lock status can be retrieved via the attributes ISLOCKED.WRNG_LOGON, ISLOCKED.LOCAL_LOCK, ISLOCKED.GLOB_LOCK, and ISLOCKED.NO_USER_PW with the following meaning:
- 'Wrng_Logon'
-
The password logon is locked by incorrect user logons.
- 'Local_Lock'
-
The logon to this client is locked for the user.
- 'Glob_Lock'
-
Logon in all systems of Central User Administration is locked for the user ('global').
- 'No_User_Pw'
-
For this user, the option for password-based logon is deactivated.
All attributes are of type CHAR(1) with the value L (locked) or U (unlocked).
| In a CUA environment the lock status in a child system cannot be retrieved. |
Export Users
The search for users in a CUA environment exports even users that have no child system assigned. This has changed from previous releases due to the BAPI_USER_GETLIST search.
The following system accounts are not exported: “SAP*”, “DDIC”, “EarlyWatch”, “BCUSER”, and “SAPCPIC” unless the configuration parameter searchSAPServiceUser is set to TRUE.
Export User to Child System Relationship
In a CUA environment the child systems on which a user has an account can be exported in the attribute SYSTEMS.SUBSYSTEM.
Password Synchronization
Version 8.3 introduced a new mode for synchronizing passwords that simplifies the synchronization of productive passwords: the underlying BAPI methods USER.CREATE1 and USER.CHANGE are used to set a productive password in one step. The mode is configured by the parameters setProductivePwdAtAddDirectly (default: true) and setProductivePwdAtModDirectly (default: false).
New procedure:
Using the parameter SELF_REGISTER in the BAPI method USER.CREATE1 a productive password can be set. No other constraints exist. Therefore, the default value for setProductivePwdAtAddDirectly is true.
Using the parameter PRODUCTIVE_PWD in the BAPI method USER.CHANGE a productive password can be set. However, using this parameter needs a secured connection via SAP’s SNC to the application server. Therefore the default value for setProductivePwdAtModDirectly is false.
Old procedure:
Parameter setProductivePwdAtAddDirectly set to false and setProductivePwdAtModDirectly set to false:
The BAPI methods USER.CREATE1 and USER.CHANGE are only used in the mode that sets an initial password. To change or set a productive password, the agent uses the RFC-enabled function SUSR_USER_CHANGE_PASSWORD_RFC. If a password must be set, the agent first tries to log in to the SAP system as the user with the new password (this attempt can be switched on or off through the tryLoginAsUser option). If the login succeeds, no password update is done. If it fails, the agent calls USER.CREATE1 or USER.CHANGE to set an internally generated dummy password and then calls SUSR_USER_CHANGE_PASSWORD_RFC to set the productive password.
| Either one or both function calls can fail. If the first fails no change has been made. If the second fails the user is protected via an unknown password. Either the password synchronization has to be processed again or only an administrative person can resolve the issue. |
| SAP does not perform productive password replication in a CUA environment. Password synchronization will therefore only work if the central CUA system is also the authentication server in the ECC system landscape (which is generally the case in conjunction with an Enterprise Portal). Otherwise the password is just changed on the central CUA system but not on the child systems. |
| The agent offers a set of configuration parameters to configure the password generation for the internally-generated dummy password (minLength, maxLength, minUpperChar, and so on). |
| The login attempt configuration option is intended for the password scenario where users change their password in SAP and then in the Web Center. In this case, the second password set fails, which sets the failed login counter on the SAP side. To avoid this situation, this login attempt is configurable. |
| To set the password via the RFC-enabled function, the user must not be locked (for example, by failed logins). Therefore, if the function call fails with the SAP message id 190, the user is unlocked and the password set is processed again. |
| For both procedures: or (See section “Role or Profile Assignments in CUA Environment” below for more information.) The name of the subsystem must be that of the central CUA system. |
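The old procedure as an added Python illustration of its control flow (not the agent's code, and no JCo involved): FakeSapSystem is a constructed in-memory stand-in for the three SAP calls the text names, and sync_productive_password runs the optional login probe, sets the dummy initial password, sets the productive password through the RFC function, and performs the unlock-and-retry on message id 190. The method names on the fake system, the constructed message ids other than 190, the failed-logon limit, the parameter name minDigit and the result strings are assumptions of the example.

```python
import secrets
import string

# Password-generation parameter names from the text (minLength, maxLength, minUpperChar);
# minDigit is an assumed name standing in for the "and so on".
DEFAULT_POLICY = {"minLength": 8, "maxLength": 12, "minUpperChar": 1, "minDigit": 1}


class SapError(Exception):
    """A failed SAP call; msg_id 190 is the 'locked by incorrect logons' case from the text."""
    def __init__(self, msg_id, text):
        super().__init__("SAP message %d: %s" % (msg_id, text))
        self.msg_id = msg_id


class FakeSapSystem:
    """Constructed in-memory stand-in for the SAP calls the procedure uses (no real BAPI).
    rfc_fails=True simulates a persistently failing SUSR_USER_CHANGE_PASSWORD_RFC so the
    second failure mode from the text (user left with an unknown password) can be seen."""
    LOCK_AFTER = 3                      # constructed failed-logon limit

    def __init__(self, rfc_fails=False):
        self.users = {}
        self.rfc_fails = rfc_fails

    def add_user(self, name, password):
        self.users[name] = {"password": password, "initial": False,
                            "wrong_logons": 0, "locked": False}

    def login(self, name, password):
        """Logon attempt; a wrong password counts towards the lock, as the text warns."""
        u = self.users[name]
        if u["locked"] or u["password"] != password:
            u["wrong_logons"] += 1
            u["locked"] = u["locked"] or u["wrong_logons"] >= self.LOCK_AFTER
            return False
        u["wrong_logons"] = 0
        return True

    def user_change_initial(self, name, password):
        """USER.CHANGE in initial-password mode: the user must change it at next logon."""
        self.users[name].update(password=password, initial=True)

    def change_password_rfc(self, name, old, new):
        """SUSR_USER_CHANGE_PASSWORD_RFC: sets a productive password, refuses locked users."""
        u = self.users[name]
        if self.rfc_fails:
            raise SapError(999, "simulated failure")             # constructed id
        if u["locked"]:
            raise SapError(190, "user locked due to incorrect logons")
        if u["password"] != old:
            raise SapError(998, "old password does not match")   # constructed id
        u.update(password=new, initial=False)

    def unlock(self, name):
        self.users[name].update(locked=False, wrong_logons=0)


def generate_dummy_password(policy=DEFAULT_POLICY):
    """Random throw-away password satisfying the policy, drawn from the OS CSPRNG."""
    rng = secrets.SystemRandom()
    fixed = policy["minUpperChar"] + policy["minDigit"]
    length = rng.randint(max(policy["minLength"], fixed), max(policy["maxLength"], fixed))
    chars = [secrets.choice(string.ascii_uppercase) for _ in range(policy["minUpperChar"])]
    chars += [secrets.choice(string.digits) for _ in range(policy["minDigit"])]
    chars += [secrets.choice(string.ascii_letters + string.digits)
              for _ in range(length - fixed)]
    rng.shuffle(chars)
    return "".join(chars)


def sync_productive_password(sap, user, new_password, try_login_as_user=True,
                             policy=DEFAULT_POLICY):
    """The old procedure (both setProductivePwd... parameters false), step by step."""
    # Optional probe (tryLoginAsUser): if the new password already works there is nothing to do.
    if try_login_as_user and sap.login(user, new_password):
        return "UNCHANGED"
    dummy = generate_dummy_password(policy)
    try:
        sap.user_change_initial(user, dummy)        # first call: dummy initial password
    except SapError:
        return "FAILED_NO_CHANGE"                   # nothing has been modified
    for attempt in (1, 2):
        try:
            sap.change_password_rfc(user, dummy, new_password)   # second call
            return "CHANGED"
        except SapError as err:
            if err.msg_id == 190 and attempt == 1:  # locked by failed logons: unlock, retry once
                sap.unlock(user)
                continue
            # The user now holds the unknown dummy password: rerun the synchronization
            # or have an administrator reset the password.
            return "FAILED_DUMMY_SET"
    return "FAILED_DUMMY_SET"
```

The two terminal failure states are deliberately distinct: FAILED_NO_CHANGE leaves the account as it was, while FAILED_DUMMY_SET means the account can no longer be used with either the old or the new password until the synchronization is repeated or an administrator intervenes, which is the situation the note above describes.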
Password Reset
The agent supports an administrative password reset and change password at next log on. The agent uses the boolean (pseudo-)attribute dxrPwdReset to decide if a productive or initial password must be set. The attribute works in both scenarios in conjunction with the attribute PASSWORD.BAPIPWD.
If dxrPwdReset is TRUE then only an initial password is set via USER.CREATE1 or USER.CHANGE. If dxrPwdReset is FALSE or not set (default behavior) then the productive password is set as described above.
Example for administrative password reset or change password at next log on:
dxrPwdReset: TRUE
PASSWORD.BAPIPWD: Administrator_Password
Example for set productive password:
dxrPwdReset: FALSE
PASSWORD.BAPIPWD: value_of_dxmPassword
The attribute dxmPassword holds the current password of the user.
Role or Profile Assignments in CUA Environment
The agent has been extended to ease role assignments in a CUA environment. For this purpose it accepts the (pseudo-)attributes “dxrRole.NAME” / “dxrProfile.NAME”. The values consist of the role/profile name concatenated with the subsystem, delimited by the pound symbol (#), and therefore have the following syntax: “<ACTIVITYGROUPS.AGR_NAME>#<ACTIVITYGROUPS.SUBSYSTEM>”
To use this feature use the combinedRoleProfileSubsystem switch in the configuration file.
Setting Additional Options in Realtime Workflows
If you want to set additional options for the connector, like directlyAssignedRolesOnly, for realtime workflows, perform the following steps:
-
In DirX Identity Manager → Connectivity → Expert View, browse to the workflow and expand it to see all contained entries.
-
Select join → ts and perform the Goto DataView operation from the context-sensitive menu.
-
Export the value of the attribute dxmContent as an XML file.
-
Open the file with an editor and insert the option in the connection tag section of the connector, for example:
<property name="directlyAssignedRolesOnly" value="true"/>
-
Import the changed XML file into the attribute dxmContent.
-
Go back to the Expert View, select the workflow and perform the Load IDS-J Configuration from the context-sensitive menu.
This is the way for non-clustered realtime workflows. See the description of clustered workflows on how to set additional options in that case.
Special Cases When Changing Data
When changing data, consider the following special cases:
-
Address: You can maintain certain address data in the Address structure or alternatively in tables. For example, data such as telephone number, fax and e-mail address can be maintained in the tables AddTel, AddFax, and AddSmtp respectively.
We recommend maintaining the information in the tables instead of in the Address structure for the following reasons:
  - You can store multiple entries in the tables. The Address structure only contains one entry for each of these fields.
  - The telephone and fax numbers are stored in international format in the tables, but not in the Address structure.
  - If you change data in the Address structure, any entries in the corresponding table will be lost.
-
Communication data: When changing communication data (Add<Xxx> parameters), you need to consider the following fields:
  - CONSNUMBER: To differentiate between multiple entries for communication data, use the sequence number that is stored in the field CONSNUMBER. To change a specific entry, enter the entry’s sequence number in this field. If you want to add an entry, specify a sequence number that is higher than that of any existing entry.
  - R_3_USER: This field applies to the telephone numbers. It indicates the type of telephone connection and whether the number used is the standard number. The following applies:
    - <blank>: The telephone number is a land-line telephone.
    - 1: The telephone number is the standard land-line telephone.
    - 2: The telephone number is a mobile telephone.
    - 3: The telephone number is the standard mobile telephone.
  - STD_NO: Only one telephone number appears as the standard telephone number in the Address structure. Therefore, use this field to indicate that the telephone number (land-line or mobile) for this entry is the overall standard telephone number that appears in the Address structure.
  - STD_RECIP: This field indicates whether the corresponding telephone number can be used for short messages (SMS). If this is the case, then the number is copied to the communication data used for paging services.
Not all fields are used by all of the communication data parameters.
| If you want to modify, for example, the extension, you must provide at least CONSNUMBER, STD_NO, and TELEPHONE together, because the LDIF change replace operation clears the whole row in the ADDTEL table. |
-
Company Location: The company location address is stored with the business object AddressOrg and not with the object USER. Therefore, when specifying or changing the company location with BAPI_USER_CHANGE, you can only specify or assign an existing company location.