on 02-15-2015 5:54 AM
Hi all
I'm new to SAP. I'm using the SAP NetWeaver 2004s UME with ABAP as the data source, and testing user creation via the SPML protocol from a third-party IDM platform. I followed the API link here: https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/668e6629-0701-0010-7ca0-994cb7dec5a3&overrid...
I can create a user with normal simple fields successfully, but cannot create a user with a role assigned.
The request is as below and the response shows success. The user is created, but the role is not actually assigned.
```xml
<spml:addRequest xmlns:spml='urn:oasis:names:tc:SPML:1:0' xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' requestID='add-1423979403419'>
  <spml:attributes>
    <dsml:attr name='objectclass'>
      <dsml:value>sapuser</dsml:value>
    </dsml:attr>
    <dsml:attr name='allassignedroles'>
      <dsml:value>ROLE.UME_ROLE_PERSISTENCE.un:Everyone</dsml:value>
    </dsml:attr>
    <dsml:attr name='assignedroles'>
      <dsml:value></dsml:value>
    </dsml:attr>
    <dsml:attr name='logonname'>
      <dsml:value>Test126</dsml:value>
    </dsml:attr>
    <dsml:attr name='lastname'>
      <dsml:value>Li</dsml:value>
    </dsml:attr>
    <dsml:attr name='firstname'>
      <dsml:value>Test124</dsml:value>
    </dsml:attr>
    <dsml:attr name='password'>
      <dsml:value>Abcd!234</dsml:value>
    </dsml:attr>
  </spml:attributes>
</spml:addRequest>
```
I checked the schema "SAPprincipals" and didn't find the attributes "assignedroles" and "allassignedroles" for the sapuser objectclass.
What do I need to do to assign a role to a user via an SPML call from a third-party IDM platform?
Thanks.
I assigned the role manually from the UME IDM console, then tried the searchRequest. The assigned roles attribute is not returned there either, so I guess it's a sapuser schema issue. I'm not sure what needs to be done to extend the schema.
```xml
<spml:searchRequest xmlns:spml='urn:oasis:names:tc:SPML:1:0' xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'>
  <spml:searchBase type='urn:oasis:names:tc:SPML:1:0#GUID'>
    <spml:id>sapuser</spml:id>
  </spml:searchBase>
  <dsml:filter>
    <dsml:equalityMatch name='logonname'>
      <dsml:value>Test125</dsml:value>
    </dsml:equalityMatch>
  </dsml:filter>
  <spml:attributes>
    <dsml:attribute name='firstname'/>
    <dsml:attribute name='lastname'/>
    <dsml:attribute name='assignedroles'/>
    <dsml:attribute name='allassignedroles'/>
    <dsml:attribute name='assignedgroups'/>
    <dsml:attribute name='allassignedgroups'/>
  </spml:attributes>
</spml:searchRequest>
```
```xml
<spml:searchResponse xmlns:spml='urn:oasis:names:tc:SPML:1:0' xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' result='urn:oasis:names:tc:SPML:1:0#success'>
  <spml:searchResultEntry>
    <spml:identifier type='urn:oasis:names:tc:SPML:1:0#GenericString'>
      <spml:id>USER.R3_DATASOURCE.TEST125</spml:id>
    </spml:identifier>
    <spml:attributes>
      <dsml:attr name='firstname'>
        <dsml:value>Test124</dsml:value>
      </dsml:attr>
      <dsml:attr name='lastname'>
        <dsml:value>Li</dsml:value>
      </dsml:attr>
    </spml:attributes>
  </spml:searchResultEntry>
</spml:searchResponse>
```
success
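A check for the symptom described in this post, where the SPML call reports success but the role attributes never come back: it lists which attributes a searchRequest asked for and which of them each result entry omitted. This is an added example, not part of the original posts; the XML is condensed from the request and response above, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

NS = {"spml": "urn:oasis:names:tc:SPML:1:0",
      "dsml": "urn:oasis:names:tc:DSML:2:0:core"}
XMLNS = "xmlns:spml='%(spml)s' xmlns:dsml='%(dsml)s'" % NS
# Condensed from the searchRequest/searchResponse in the post (filter omitted).
SEARCH_REQUEST = f"""<spml:searchRequest {XMLNS}>
 <spml:attributes>
  <dsml:attribute name='firstname'/><dsml:attribute name='lastname'/>
  <dsml:attribute name='assignedroles'/><dsml:attribute name='allassignedroles'/>
  <dsml:attribute name='assignedgroups'/><dsml:attribute name='allassignedgroups'/>
 </spml:attributes>
</spml:searchRequest>"""
SEARCH_RESPONSE = f"""<spml:searchResponse {XMLNS} result='urn:oasis:names:tc:SPML:1:0#success'>
 <spml:searchResultEntry>
  <spml:identifier type='urn:oasis:names:tc:SPML:1:0#GenericString'>
   <spml:id>USER.R3_DATASOURCE.TEST125</spml:id>
  </spml:identifier>
  <spml:attributes>
   <dsml:attr name='firstname'><dsml:value>Test124</dsml:value></dsml:attr>
   <dsml:attr name='lastname'><dsml:value>Li</dsml:value></dsml:attr>
  </spml:attributes>
 </spml:searchResultEntry>
</spml:searchResponse>"""

def requested_attributes(request_xml):
    """Attribute names the searchRequest asked the server to return."""
    root = ET.fromstring(request_xml)
    return [a.get("name") for a in root.findall("spml:attributes/dsml:attribute", NS)]

def returned_attributes(response_xml):
    """Map each result entry id to {attribute name: [non-empty values]}."""
    root = ET.fromstring(response_xml)
    if not root.get("result", "").endswith("#success"):
        raise ValueError("search did not succeed: %r" % root.get("result"))
    entries = {}
    for entry in root.findall("spml:searchResultEntry", NS):
        entry_id = entry.findtext("spml:identifier/spml:id", "", NS)
        entries[entry_id] = {
            attr.get("name"): [v.text.strip() for v in attr.findall("dsml:value", NS)
                               if v.text and v.text.strip()]
            for attr in entry.findall("spml:attributes/dsml:attr", NS)}
    return entries

def missing_attributes(request_xml, response_xml):
    """Per entry: requested attributes that came back absent or empty."""
    wanted = requested_attributes(request_xml)
    return {eid: [n for n in wanted if not attrs.get(n)]
            for eid, attrs in returned_attributes(response_xml).items()}
```

Running `missing_attributes(SEARCH_REQUEST, SEARCH_RESPONSE)` after each provisioning call turns a silent "success" into an explicit list of attributes the target did not return.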
Thanks, Matt
Can you provide some insight or links about the SAP Provisioning Framework?
Right now, I'm working on a customer IDM/IAM project, and we need to provision user account information into the SAP system via one IDM product. The IDM product will call the SPML service to create user accounts in SAP. Currently SAP IDM is not used as the central IDM engine product, but rather as an important target system. However, I'd like to know more about the SAP Provisioning Framework.
steven li wrote:
> Can you provide some insight or links about the SAP Provisioning Framework?
> product will call the SPML service to create user account in sap. Currently SAP IDM is not used as the central idm engine product currently, but rather as an important target system.
The Provisioning Framework has, as the name hints, the connectivity from SAP IdM to various target/source systems (ABAP, Java, GRC, AD/LDAP, Domino etc). It runs within the SAP IdM product, but the Provisioning Framework has no outside API for a programming language. The integration capabilities of SAP IdM are not limited to the Provisioning Framework, as a number of connectors existed before the PF.
Out of curiosity: if SAP IdM is your target system, how have you integrated into it and what are you going to do with it?
The System Landscape Configuration Guide is one of the best documents about it: SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide - SAP Library
All docs about current version (7.2): http://scn.sap.com/docs/DOC-8397
regards, Tero
Steven,
SAP IDM has a standard connector (provisioning framework) to create SAP JAVA users. SAP IDM also has a RESTful API to receive incoming calls. Instead of provisioning users/roles from the third-party IDM, you can set up the landscape like this:
3rd Party IDM --> SAP IDM --> SAP ABAP/JAVA
Depending on which SAP IDM version you are using, you may use the RESTful API alpha version or V2:
https://scn.sap.com/docs/DOC-26747
SAP NetWeaver Identity Management REST Interface Version 2 - SAP Library
Cheers,
Chenyang Xiong
Hi Tero
Thanks for your reply.
The client already has one IAM product in place, and it's used with tons of other applications, like the OA system, business applications, mail systems, HR systems, etc. Considering SAP is also a major key business system, we now need to include the SAP system in the IAM platform as well.
Currently, we are using SAP JCO RFC calls to BAPI functions to create/update/delete/enable/disable users, and for Java we are using the SPML protocol. The IAM platform then calls those connectors to manage SAP users. That said, I'd like to try the SAP IDM system now, as per Chenyang's suggestion:
"3rd Party IDM --> SAP IDM --> SAP ABAP/JAVA"
Thanks.
Hi Steven,
It depends on which SAP IDM version and patch level you are running.
The first version comes with the IDM UI application. The second requires installation. I'd recommend using RESTful API V2 because the first one is an alpha version.
I've done some similar integration before. There are many open possibilities. I am not sure whether the 3rd party IDM has an LDAP interface to access. If yes, this might be an easier solution.
Best Regards
Chenyang Xiong