
how to create user with role via spml from ume

Former Member
0 Kudos

Hi all

I'm new to SAP. I'm using the SAP NetWeaver 2004s UME with ABAP as the datasource, and testing user creation via the SPML protocol from a third-party IDM platform. I followed the API link here: https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/668e6629-0701-0010-7ca0-994cb7dec5a3&overrid...

I can create a user with normal simple fields successfully, but cannot create a user with a role assigned.

The request is below. The response shows success and the user is created, but the role is actually not assigned.

<spml:addRequest xmlns:spml='urn:oasis:names:tc:SPML:1:0' xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' requestID='add-1423979403419'>
  <spml:attributes>
    <dsml:attr name='objectclass'>
      <dsml:value>sapuser</dsml:value>
    </dsml:attr>
    <dsml:attr name='allassignedroles'>
      <dsml:value>ROLE.UME_ROLE_PERSISTENCE.un:Everyone</dsml:value>
    </dsml:attr>
    <dsml:attr name='assignedroles'>
      <dsml:value></dsml:value>
    </dsml:attr>
    <dsml:attr name='logonname'>
      <dsml:value>Test126</dsml:value>
    </dsml:attr>
    <dsml:attr name='lastname'>
      <dsml:value>Li</dsml:value>
    </dsml:attr>
    <dsml:attr name='firstname'>
      <dsml:value>Test124</dsml:value>
    </dsml:attr>
    <dsml:attr name='password'>
      <dsml:value>Abcd!234</dsml:value>
    </dsml:attr>
  </spml:attributes>
</spml:addRequest>

I also checked the schema "SAPprincipals" and didn't find the attributes "assignedroles" and "allassignedroles" for the sapuser objectclass.

What do I need to do to assign a role to a user via SPML calls from a third-party IDM platform?

Thanks.

Accepted Solutions (1)


Former Member
0 Kudos

I assigned the role manually from the UME IDM console, then tried the searchRequest, and also could not find the assigned roles attribute in what was returned, so I guess it's a sapuser schema issue. I'm not sure what needs to be done to extend the schema.

<spml:searchRequest xmlns:spml='urn:oasis:names:tc:SPML:1:0' xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'>
  <spml:searchBase type='urn:oasis:names:tc:SPML:1:0#GUID'>
    <spml:id>sapuser</spml:id>
  </spml:searchBase>
  <dsml:filter>
    <dsml:equalityMatch name='logonname'>
      <dsml:value>Test125</dsml:value>
    </dsml:equalityMatch>
  </dsml:filter>
  <spml:attributes>
    <dsml:attribute name='firstname'/>
    <dsml:attribute name='lastname'/>
    <dsml:attribute name='assignedroles'/>
    <dsml:attribute name='allassignedroles'/>
    <dsml:attribute name='assignedgroups'/>
    <dsml:attribute name='allassignedgroups'/>
  </spml:attributes>
</spml:searchRequest>

<spml:searchResponse xmlns:spml='urn:oasis:names:tc:SPML:1:0' xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' result='urn:oasis:names:tc:SPML:1:0#success'>
  <spml:searchResultEntry>
    <spml:identifier type='urn:oasis:names:tc:SPML:1:0#GenericString'>
      <spml:id>USER.R3_DATASOURCE.TEST125</spml:id>
    </spml:identifier>
    <spml:attributes>
      <dsml:attr name='firstname'>
        <dsml:value>Test124</dsml:value>
      </dsml:attr>
      <dsml:attr name='lastname'>
        <dsml:value>Li</dsml:value>
      </dsml:attr>
    </spml:attributes>
  </spml:searchResultEntry>
</spml:searchResponse>

success

former_member2987
Active Contributor
0 Kudos

Steven,

If you are using SAP IDM, you don't need to go through SPML directly, rather use the Provisioning Framework to connect to the system.

If you are not using SAP IDM, I'm sorry, but you'll need to check with your product's support mechanisms, or maybe post this to th  .

Regards,

Matt

Former Member
0 Kudos

Thanks, Matt


Can you provide some insight or links about the SAP Provisioning Framework?


Right now, I'm working on a customer IDM/IAM project, and we need to provision user account information into the SAP system via one IDM product; the IDM product will call the SPML service to create the user account in SAP. Currently SAP IDM is not used as the central IDM engine product, but rather as an important target system. However, I'd like to know more about the SAP Provisioning Framework.

terovirta
Active Contributor
0 Kudos

steven li wrote:


Can you provide some insight or links about the SAP Provisioning Framework?


product will call the SPML service to create user account in sap. Currently SAP IDM is not used as the central idm engine product currently, but rather as an important target system.

The Provisioning Framework has, like the name hints, the connectivity from SAP IdM to various target/source systems (ABAP, Java, GRC, AD/LDAP, Domino etc). It runs within the SAP IdM product, but the Provisioning Framework has no outside API for a programming language. The integration capabilities of SAP IdM are not limited to the Provisioning Framework, as a number of connectors existed before the PF.

Out of curiosity; so if SAP IdM is your target system, how have you integrated into it and what are you going to do with it?

The System Landscape Configuration Guide is one of the best documents about it; SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide - SAP Library

All docs about current version (7.2): http://scn.sap.com/docs/DOC-8397

regards, Tero

Chenyang
Contributor
0 Kudos

Steven,

SAP IDM has a standard connector (Provisioning Framework) to create SAP Java users. SAP IDM also has a RESTful API to receive incoming calls. Instead of provisioning users/roles from a third-party IDM, you can set up the landscape like this:

3rd Party IDM --> SAP IDM --> SAP ABAP/JAVA

Depending on which SAP IDM version you are using, you may use the RESTful API alpha version or V2:

https://scn.sap.com/docs/DOC-26747

SAP NetWeaver Identity Management REST Interface Version 2 - SAP Library

Cheers,

Chenyang Xiong

former_member2987
Active Contributor
0 Kudos

No worries, Steven.

Take a look here: look in the Identity Management Frameworks section.  It should give you what you need.

Regards,

Matt

Former Member
0 Kudos

Thanks for your information, I will double check.

Former Member
0 Kudos

Hi Tero

Thanks for your reply.

The client already has one IAM product in place, and it's used with tons of other applications, like the OA system, business applications, mail systems, HR systems, etc. Considering SAP is also one of the major key business systems, we now need to include the SAP system in the IAM platform as well.

Currently, we are using SAP JCO RFC calls to BAPI functions to create/update/delete/enable/disable users, and for Java we are using the SPML protocol. Then the IAM platform will call those connectors to manage SAP users. Although I'd like to try the SAP IDM system now, as per Chenyang's suggestion:

"3rd Party IDM --> SAP IDM --> SAP ABAP/JAVA"

Thanks.

Former Member
0 Kudos

Hi Chenyang

Thanks for your insight, I would like to try this option. Just curious, is the SAP IDM REST API installed with the SAP system by default, or do we need to install and configure some add-on?

Anyway, I will read the link and try to find the answer.

Thanks for your help

Chenyang
Contributor
0 Kudos

Hi Steven,

It depends on which SAP IDM version and patch level you are running.

The first version comes with the IDM UI application. The second requires installation. I'd recommend using RESTful API V2 because the first one is an alpha version.

I've done some similar integration before. There are many open possibilities. I am not sure whether the 3rd party IDM has an LDAP interface to access. If yes, this might be an easier solution.

Best Regards

Chenyang Xiong
