
Solution Operation Guide

SAP NetWeaver®

Identity Management 7.2

Document Version 7.2 Rev 17 - July 2014


© 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.

Oracle and Java are registered trademarks of Oracle and its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.

IOS is a registered trademark of Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.

INTERMEC is a registered trademark of Intermec Technologies Corporation.

Wi-Fi is a registered trademark of Wi-Fi Alliance.

Bluetooth is a registered trademark of Bluetooth SIG Inc.

Motorola is a registered trademark of Motorola Trademark Holdings LLC.

Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address:

service.sap.com/instguides

Typographic Conventions

Type Style: Represents

Example Text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Also cross-references to other documentation.

Example text: Emphasized words or phrases in body text, titles of graphics and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

EXAMPLE TEXT: Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Icons

Icon: Meaning

The icon images are not reproduced here. The icons used in this document mark the following: Caution, Example, Note, Recommendation, Syntax.

Solution Operation Guide for SAP NetWeaver Identity Management


Contents

1 Getting Started ... 9
1.1 Global Definitions ... 9
1.2 Important SAP Notes ... 10
1.3 History of Changes ... 10

2 Technical System Landscape ... 11
2.1 Scenario/Component Matrix ... 11
2.2 URLs to the Identity Management User Interface ... 12
2.3 Related Documentation ... 12

3 Defining the System Landscape Directory information (optional) ... 13
3.1 Identity Center ... 13
3.1.1 SAP NetWeaver AS Java as of Release 7.0 ... 13
3.1.2 EHP 1 for SAP NetWeaver CE 7.1/SAP NetWeaver Composition Environment 7.2/SAP NetWeaver 7.3 ... 16
3.2 Virtual Directory Server ... 24
3.2.1 Deployed Configuration ... 24
3.2.2 Standalone mode ... 24

4 Monitoring of Identity Management ... 25
4.1 Monitoring the Identity Center ... 25
4.1.1 Viewing the dispatcher status ... 26
4.1.2 Viewing the job status ... 26
4.1.3 Viewing the system log ... 26
4.1.4 Viewing the job log ... 27
4.1.5 Viewing the provisioning queue ... 27
4.1.6 Viewing the provisioning audit ... 27
4.1.7 Viewing the approval queue ... 28
4.1.8 Setting up a SAP JCo-Trace ... 28
4.1.9 Viewing the logs from the Identity Management User Interface ... 28
4.1.10 Viewing the traces from the Identity Management User Interface ... 28
4.1.11 Using the System diagnostics report for problem analysis ... 29
4.1.12 Providing access to the configuration for problem analysis ... 29
4.2 Monitoring of the Virtual Directory Server ... 29
4.2.1 Viewing the logs on SAP NetWeaver AS Java ... 29
4.2.2 Viewing the traces on SAP NetWeaver AS Java ... 29
4.2.3 Viewing the logs when running in standalone mode ... 30
4.2.4 Verifying that the server is available ... 30
4.3 Monitoring of Identity Management Identity Federation ... 30
4.4 Monitoring Performance with Wily Introscope ... 30
4.4.1 Monitoring SAP NetWeaver AS Java ... 31
4.4.2 Monitoring SAP NetWeaver Identity Management Virtual Directory Server (Standalone mode) ... 32
4.4.2.1 Updating the .bat/.sh file (Java 1.3/1.4) ... 32
4.4.2.2 Updating the .bat/.sh file (Java 1.5/1.6) ... 32
4.4.3 Troubleshooting ... 32
4.5 Configuring and Viewing the Entry Trace ... 33
4.5.1 Configuring the Entry Trace ... 33
4.5.2 Viewing the Trace Log ... 34
4.5.3 Reading the Trace Log ... 34
4.6 Analyzing Statement Execution ... 35
4.6.1 Enabling the Statement Execution Analysis ... 35
4.6.2 Viewing the Log ... 36
4.6.3 Reading the Log ... 36

5 Management of SAP NetWeaver Identity Management ... 37
5.1 Starting and Stopping ... 37
5.1.1 Starting and stopping the Identity Center ... 37
5.1.2 Starting and stopping the Virtual Directory Server ... 37
5.2 Software Configuration ... 37
5.2.1 Software Configuration – Identity Center ... 37
5.2.2 Software Configuration – Virtual Directory Server ... 37
5.3 Administration Tools ... 38
5.4 Backup and Restore ... 38
5.4.1 Backing up and restoring an Identity Center database (Microsoft SQL Server) ... 38
5.4.1.1 Backing up a database ... 38
5.4.1.2 Restoring a database ... 38
5.4.2 Backing up and restoring an Identity Center database (Oracle) ... 40
5.4.2.1 Backing up a database ... 40
5.4.2.2 Restoring a database ... 40
5.4.3 Backing up and restoring an Identity Center database (IBM DB2) ... 41
5.4.4 Backing up and restoring a Virtual Directory Server configuration ... 41
5.5 Application Copy ... 41
5.6 Periodic Tasks ... 41
5.6.1 Manual tasks for the Identity Center ... 41
5.6.2 Manual tasks for Transport/Configuration Management ... 42
5.6.3 Cleaning up the audit information ... 42
5.6.4 Cleaning up the table job_execution ... 43
5.6.5 Clean up the table AuditTrail ... 43
5.6.6 Cleaning up historic values in the identity store ... 43
5.6.7 Rebuilding database indexes ... 43
5.6.8 Viewing Changes to the Configuration ... 43
5.6.9 Changing Global or Repository Constants ... 44
5.6.9.1 Modifying Assignment Grouping Repository Constants ... 45
5.6.10 Adding a Repository to the Productive System ... 45
5.7 Load Balancing ... 45
5.7.1 Load Balancing – Identity Center ... 45
5.7.2 Load Balancing – Virtual Directory Server ... 45
5.8 User Management ... 46
5.9 Maintaining Message Templates ... 46
5.9.1 Initial Configuration ... 46
5.9.2 Listing Message Templates ... 46
5.9.3 Editing a Message Template ... 47
5.9.3.1 Available Parameters ... 48
5.9.4 Adding a Language Version of a Message Template ... 49
5.9.5 Removing a Language Version of a Message Template ... 49
5.9.6 Creating a Message Template ... 50
5.9.7 Removing a Message Template ... 50
5.10 Managing Approvals ... 51
5.10.1 Listing Pending Approvals ... 51
5.10.2 Finding Approvals Using Advanced Search ... 52
5.10.3 Declining a Pending Approval ... 52
5.10.4 Escalating a Pending Approval ... 53
5.10.5 Exporting the Pending Approvals ... 53

6 High Availability ... 53
6.1 High Availability for the Identity Center ... 53
6.2 High Availability for the Virtual Directory Server ... 53
6.2.1 High Availability for Standalone Virtual Directory Server ... 53

7 Software Change Management ... 54
7.1 Software Change Management ... 54
7.2 Support Packages and Patch Implementation ... 54
7.3 Upgrading the Identity Center ... 54
7.4 Upgrading the Virtual Directory Server ... 54

8 Troubleshooting ... 55
8.1 Identity Center: Dispatcher fails to start ... 55
8.1.1 Problem Description ... 55
8.1.2 Solution ... 55
8.2 Identity Center: Timeout issues ... 56
8.2.1 Problem Description ... 56
8.2.2 Solution ... 56
8.3 Identity Center: Insufficient memory ... 56
8.3.1 Problem Description ... 56
8.3.2 Solution ... 56
8.4 Identity Center: Codepage <number> not supported by JAVA-environment ... 57
8.4.1 Problem Description ... 57
8.4.2 Solution ... 57
8.5 Identity Center: Error messages from jobs accessing ABAP systems ... 58
8.5.1 Problem Description ... 58
8.5.2 Solution ... 58
8.6 Identity Management User Interface: Java runtime exception when logging in ... 58
8.6.1 Problem Description ... 58
8.6.2 Solution ... 58
8.7 Identity Management User Interface: Error message about missing database columns or procedures ... 58
8.7.1 Problem description ... 58
8.7.2 Solution ... 58
8.8 Virtual Directory Server: The Windows service starts, but later fails with "No driver for database" ... 59
8.8.1 Problem Description ... 59
8.8.2 Solution ... 59
8.9 Virtual Directory Server: Application starts, but later fails with "No driver for database" ... 59
8.9.1 Problem Description ... 59
8.9.2 Solution ... 59
8.10 Virtual Directory Server: Server doesn't start ... 59
8.10.1 Problem Description ... 59
8.10.2 Solution ... 59
8.11 Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails ... 60
8.11.1 Problem Description ... 60
8.11.2 Solution ... 60

9 Support Desk Management ... 60
9.1 Remote Support Setup ... 60
9.1.1 Defining a support user ... 61
9.2 Problem Message Handover ... 61

1 Getting Started


This guide does not replace the daily operations handbook that we recommend customers create for their specific production operations.

About this Guide

Designing, implementing, and running your SAP applications at peak performance 24 hours a day has never been more vital for your business success than now.

This guide provides a starting point for managing your SAP applications and maintaining and running them optimally. It contains specific information for various tasks and lists the tools that you can use to implement them. This guide also provides references to the documentation required for these tasks, so you will sometimes also need other Guides such as the Master Guide, Technical Infrastructure Guide, and SAP Library.

Target Groups

Technical Consultants

System Administrators

Solution Consultants

Business Process Owner

Support Specialist

1.1 Global Definitions

SAP Application:

A SAP application is an SAP software solution that serves a specific business area like ERP, CRM, PLM, SRM, SCM.

Business Scenario:

From a microeconomic perspective, a business scenario is a cycle that consists of several different interconnected logical processes in time. Typically, a business scenario includes several company departments and involves other business partners. From a technical point of view, a business scenario needs at least one SAP application (SAP ERP, SAP SCM, or others) for each cycle and possibly other third-party systems. A business scenario is a unit that can be implemented separately and reflects the customer's prospective course of business.

Component:

A component is the smallest individual unit considered within the Solution Development Lifecycle; components are separately produced, delivered, installed and maintained.

1.2 Important SAP Notes

Check regularly for updates available for the Application Operations Guide.

Important SAP Notes

SAP Note Number: 1498369
Title: Central note for SAP NetWeaver Identity Management 7.2
Comment: This is the central entry point for all SAP Notes related to Identity Management 7.2.

1.3 History of Changes


Make sure you use the current version of the Application Operations Guide.

The current version of the Application Operations Guide is at service.sap.com/instguides on SAP Service Marketplace.

The following table provides an overview of the most important changes in prior versions.

Version: Important Changes

Version 7.2 Revision 1: Initial version for 7.2, including links to the Identity Management User Interface

Version 7.2 Revision 7: Included Trace information

Version 7.2 Revision 15: Added section 5.6.9.1 describing repository constants for privilege grouping

Version 7.2 Revision 16: Minor change in section 4.1.5 Viewing the Provisioning Queue

Version 7.2 Revision 17: Change in section 4.1.11 Using the System diagnostics report for problem analysis

2 Technical System Landscape

2.1 Scenario/Component Matrix

The following diagram shows the architecture of the SAP NetWeaver Identity Management:


The Identity Center database is the core of the Identity Center. This is a single database holding two different types of information:

One type is the configuration information for all items that are defined in the Identity Center, including the job configurations, the job status information (that is, what is being executed at this very moment), the log information (that is, the status of what has been done previously), as well as scheduling information (when the jobs are to be run next).

The other type of information is the actual data being processed, including the Identity store that contains the entries processed by the jobs in the Identity Center, as well as the log and audit information.

The Administrator manages the Identity Center configuration through the Management Console.

The Identity Management User Interface is used for all end-user registration/self service, password resets and approval of tasks. It also contains monitoring information for administrators of the Identity Center.


The Runtime Components (dispatchers, runtime engines and event agents) are responsible for processing both provisioning and synchronization tasks. They are also responsible for performing reconciliation and bootstrapping.

The Dispatcher(s) are connected to the Identity Center database and check for jobs that are ready to be run. A dispatcher is running on each computer where a Runtime engine is installed. The dispatcher starts the Runtime engine that executes the job.

Event agents can be configured to take action based on changes in different types of repositories such as directory servers, message queues or others. This mechanism is optional and its only purpose is to initiate synchronization based on changes in repositories in addition to the scheduled operations.

The Virtual Directory Server can be deployed as a web service on SAP NetWeaver AS Java to provide web service access to the identity data.

When the Virtual Directory Server is deployed as an LDAP server, it serves as an interface to third-party applications for the Identity Center.

2.2 URLs to the Identity Management User Interface

The following URLs are used to access the Identity Management User Interface:

http://<host>:<port>/idm to access the main Identity Management User Interface.

http://<host>:<port>/idm/pwdreset to run the password reset task. (See the document SAP NetWeaver Identity Management Identity Center Implementation Guide: Self-service password reset for details.)

http://<host>:<port>/idm/admin to access the Identity Management Administration User Interface. For more information about Monitoring, see page 25. For more information about transport, see the document SAP NetWeaver Identity Management Identity Center Implementation Guide: Transport. For information about configuration, see page 37.

2.3 Related Documentation

Links to the documentation for SAP NetWeaver Identity Management can be found in the help portal:

Topic: Guide/Tool

Installation information: Identity Management Master Guide; Identity Center Installation Overview; Virtual Directory Server Installation and Initial Configuration

Security: Identity Management Security Guide

3 Defining the System Landscape Directory information (optional)

This section describes how to maintain the HTTP destination for the System Landscape Directory (SLD) Data Supplier. This configuration is optional: it is relevant only if you actually use the SLD.

For more information about SLD, see

3.1 Identity Center

The procedure is different, depending on your version of SAP NetWeaver:

SAP NetWeaver AS Java as of Release 7.0

Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1/SAP NetWeaver Composition Environment 7.2

There are separate sections for each SAP NetWeaver version.

3.1.1 SAP NetWeaver AS Java as of Release 7.0

To configure the SLD Data Supplier for SAP NetWeaver AS Java 7.0 use Visual Administrator.

1. Start and log on to the Visual Administrator.

2. Select Server\Services\Destinations in the "Cluster" tab.


3. Select "HTTP" in the "Runtime" tab and choose "New" to create new HTTP destination.


Enter "SLD_DataSupplier" as the name for the destination.

4. Choose "OK". This will open a pane where the destination can be defined further:

Enter the following information:

URL: In the "Connection Settings" section, at least a URL must be defined. The URL is http://<host>:<port>, where <host> is the name of the host where the SLD bridge runs and <port> is the AS Java HTTP standard access port of the SLD.

Authentication: In the "Logon Data" section, select "BASIC" as the authentication method.

Username: Specify a Java user that already exists on the host where the SLD bridge runs. The specified Java user must have the role SAP_SLD_DATA_SUPPLIER.

Password: Enter the user's password.

If you want to use HTTPS for the connection from the SLD, select "X509 Client Certificate" as the authentication method. The "Keystore view" field (with the "Certificate" field) is then ready for input. A keystore view contains the certificates of the trusted roots and is used to verify the server certificate that is received. Make sure to select "service_ssl" in the "Keystore view" field (see figure below).

5. Choose "Save and Test" to save the entries and to test the connection to the destination. To save the entries only, choose "Save".

The SLD is updated when the application (tc~idm~jmx~app) is started and at regular intervals thereafter.


3.1.2 EHP 1 for SAP NetWeaver CE 7.1/SAP NetWeaver Composition Environment 7.2/SAP NetWeaver 7.3

To configure the SLD Data Supplier for Enhancement package 1 for SAP NetWeaver Composition Environment 7.1, SAP NetWeaver Composition Environment 7.2 or SAP NetWeaver 7.3, do the following:


There may be minor differences between the versions.

1. Start and log on to the SAP NetWeaver Administrator.

2. Select the "Configuration Management" tab and then the "Security" sub-tab.

3. Select "Destinations".

4. Choose "Create…" and create a destination called SLD_DataSupplier of type HTTP.


If such a destination already exists, check if its values suit you and use it.

In the "General Data" section, define the following:

Destination Name: Add the name "SLD_DataSupplier".

Destination Type: Select type "HTTP".

5. Choose "Next".

In the "Connection and Transport" section, specify at least the URL (http://<host>:<port>), where <host> is the name of the host where the SLD bridge runs and <port> is the AS Java HTTP standard access port of the SLD.


6. Choose "Next".


In the "Logon Data" section, define the following data:

Authentication: Select "Basic (User ID and Password)".

User Name: Specify a Java user that already exists on the host where the SLD bridge runs. The specified Java user must have the role SAP_SLD_DATA_SUPPLIER.

Password: Enter the user's password.

If you want to use HTTPS for the connection from the SLD, select "X509 Client Certificate with SSL" as the authentication method. The "Keystore View" field is then ready for input. A keystore view contains the certificates of the trusted roots and is used to verify the server certificate that is received. Select "service_ssl" in the "Keystore View" field and "ssl-credentials" in the "Certificate" field (see the figure below):

You find a list of the available key storage views at Configuration Management → Security Management → Key Storage.

7. Choose "Finish" to finish and save the entries.


If an error occurs, an error message is displayed. If the entries are saved successfully, the connection data is saved in encrypted form in the secure store in the database.


8. To test the settings by sending test data to the SLD, select the "Infrastructure" sub-tab of the "Configuration Management" tab (in the SAP NetWeaver Administrator), and then "SLD Data Supplier Configuration".

9. Choose "Collect and Send Data" and wait for the response.

The SLD is updated when the application (tc~idm~jmx~app) is started and at regular intervals thereafter.


3.2 Virtual Directory Server

The process is different depending on whether the configuration is deployed on SAP NetWeaver or you are running in standalone mode.

3.2.1 Deployed Configuration

The process is the same as the process described for the Identity Center.


Make sure to specify the correct URL and connection parameters to the server.

3.2.2 Standalone mode

When running in standalone mode, you configure the SLD Data Supplier as part of the server properties:

1. View the properties of the server and select the "SLD registration" tab:


Make sure not to include /sld in the URL.

Select "Enable SLD Registration" and fill in "SLD URL", "SLD Username" and "SLD Password" as described on page 14.

2. Choose "OK".

When you start the server, it will update the SLD when the configuration is loaded or reloaded and with regular intervals.

4 Monitoring of Identity Management

Within the management of SAP Technology, monitoring is an essential task. A section has therefore been devoted solely to this subject.

4.1 Monitoring the Identity Center

Monitoring of the Identity Center is done using the "Monitoring" tab of the Identity Management Administration User Interface. How you configure access to the "Monitoring" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

The following information is available from the Monitoring tab:

Approval queue

Dispatcher status

Job log

Job status

Provisioning audit

System log

The dispatcher status, job log, job status and system log are also available from the Management Console.

The URL for accessing the "Monitoring" tab is http://<host>:<port>/idm/admin. This URL can be used for instance from Solution Manager.


4.1.1 Viewing the dispatcher status

On each server with the Runtime Components, there will be a dispatcher running. The dispatcher is responsible for starting the runtime engine when a job is ready for execution, as well as performing some basic provisioning logic.

It is essential that the dispatchers are running. If the dispatcher stops, it will no longer be able to perform any logic, nor to start any jobs on the server.

To view the dispatcher status, select "Dispatcher Status" from the "Show" list on the Monitoring tab. The columns show information about each dispatcher that is configured in the system.

The possible states for the dispatcher are:

Running

Not running

4.1.2 Viewing the job status

At a given time, a job is executed by only one single runtime engine, i.e. a job is single-threaded. When a runtime engine starts, it requests the first job (i.e. the job with the oldest schedule time) that is available for execution (i.e. has state Idle).

The runtime engine will do the following when executing a job:

Request the next available job. The job state is updated to Running.

Periodically, when a job is executed, the runtime engine updates the timestamp on the job, to signal that the runtime engine is alive, as well as updating the number of processed entries.

Release the job, and reschedule. The job state is set to Idle.

Whenever a job is requested, the jobs are checked for any timeouts. If a timeout is detected, the job state is set to Idle and the job is rescheduled. If this is done more than a specified number of times, the job state is set to Error, and the job will no longer execute.

Select "Job Status" from the "Show" list on the Monitoring tab to display the information.

Possible states are:

0: Disabled. The job will not run.

1: Idle. The job is waiting to be executed at the time indicated in the Scheduled column.

2: Running. The job is currently executing.

3: Stopping. The job has been ordered to stop.

-1: Error. A fatal error has occurred, and the job will no longer execute.

-2: Timeout. The defined timeout has been reached. This means that no runtime engine has requested this job for the specified amount of time. When a runtime engine requests a job, this state is treated as Idle.
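The job-state handling described above (oldest Idle job first, heartbeat while running, timeout and retry limit), as an added Python model that is not code from SAP NetWeaver Identity Management; the timeout length, retry limit, reschedule interval and the sample jobs are assumed values.

```python
"""Model of the job-state handling described for the Identity Center runtime engine.

Added illustration, not code from SAP NetWeaver Identity Management: it applies
the documented rules (oldest scheduled Idle job first, heartbeat while running,
timeout -> Idle and reschedule, Error after too many timeouts) to constructed
job records, so that the state codes of the Job Status view can be reproduced.
The timeout length, retry limit and reschedule interval are assumed values.
"""
from dataclasses import dataclass

# State codes as displayed in the "Job Status" view.
DISABLED, IDLE, RUNNING, STOPPING, ERROR, TIMEOUT = 0, 1, 2, 3, -1, -2


@dataclass
class Job:
    name: str
    state: int
    scheduled: float        # time the job is due (seconds on a constructed clock)
    last_seen: float        # timestamp the runtime engine refreshes while the job runs
    timeout: float          # seconds without a refresh before a timeout is detected
    timeouts: int = 0       # how many timeouts have been detected for this job
    processed: int = 0      # number of processed entries reported by the engine
    interval: float = 60.0  # reschedule interval used when the job is released


def check_timeouts(jobs, now, max_timeouts):
    """Timeout check performed whenever a job is requested: a Running job whose
    heartbeat is older than its timeout is set to Idle and rescheduled; once this
    has happened more than max_timeouts times the job goes to Error."""
    for job in jobs:
        if job.state == RUNNING and now - job.last_seen > job.timeout:
            job.timeouts += 1
            if job.timeouts > max_timeouts:
                job.state = ERROR
            else:
                job.state = IDLE
                job.scheduled = now


def request_next_job(jobs, now, max_timeouts=3):
    """What a starting runtime engine does: run the timeout check, then take the
    due job with the oldest schedule time. Jobs in state Timeout are treated
    as Idle here. Returns None when no job is available."""
    check_timeouts(jobs, now, max_timeouts)
    due = [j for j in jobs if j.state in (IDLE, TIMEOUT) and j.scheduled <= now]
    if not due:
        return None
    job = min(due, key=lambda j: j.scheduled)
    job.state = RUNNING
    job.last_seen = now
    return job


def heartbeat(job, now, processed):
    """Periodic update while the job executes: proves the engine is alive and
    records the number of processed entries."""
    job.last_seen = now
    job.processed = processed


def release_job(job, now):
    """Release and reschedule the job after execution; the state goes back to Idle."""
    job.state = IDLE
    job.scheduled = now + job.interval


def demo():
    """Walk a constructed job list through one engine crash and return the states."""
    jobs = [Job("export", IDLE, 10.0, 0.0, 30.0),
            Job("import", IDLE, 5.0, 0.0, 30.0),
            Job("archive", DISABLED, 0.0, 0.0, 30.0)]
    taken = request_next_job(jobs, 20.0, max_timeouts=1)  # "import": oldest schedule
    heartbeat(taken, 25.0, processed=120)
    # The engine running "import" dies here; its heartbeat stops at t=25.
    taken = request_next_job(jobs, 60.0, max_timeouts=1)  # import times out -> Idle; export taken
    heartbeat(taken, 70.0, processed=500)
    release_job(taken, 80.0)                               # export Idle again, due at t=140
    request_next_job(jobs, 100.0, max_timeouts=1)          # import retried, engine dies again
    request_next_job(jobs, 140.0, max_timeouts=1)          # second timeout -> import in Error
    return {j.name: j.state for j in jobs}


if __name__ == "__main__":
    print(demo())  # {'export': 2, 'import': -1, 'archive': 0}
```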

4.1.3 Viewing the system log

The system log contains information from the system and the jobs and dispatchers connecting to it.

You can filter the log on error level and/or by date interval. You can also search for log entries with specific texts.

Which information is included in the system log is specified in the Management Console. For information about how to configure the system log, see the Identity Center help file, accessible from the Identity Center Management Console or the Help Portal, http://help.sap.com.


4.1.4 Viewing the job log


The job log displays information about the execution of all jobs in the Identity Center. Each line in the log shows information about one execution of a job. You can filter the log on error level and/or by date interval.

You can view an XML or HTML version of the job log from the "Details" view.

For information about how to configure the job log, see the Identity Center help file, accessible from the Identity Center Management Console or the Help Portal, http://help.sap.com.

4.1.5 Viewing the provisioning queue

The provisioning queue shows all top-level tasks where there are entries waiting to be processed. The "Queue Size" column shows how many entries are waiting for this particular task. You can also see the last time the task was executed and, if this is an action task, the state of the job. The state column shows the following values:

1: Temporary failure – the task is set for retry and may be delayed before running again

2: Ready to run – the task is ready to run once Exectime has passed

5: Waiting – the task is on hold. This is typical for ordered execution of tasks

11: Failed – the task has finally failed

21: Expanded OK – the task's child tasks were expanded OK

22: OK – the task is finally OK

4.1.6 Viewing the provisioning audit

The provisioning audit contains one entry for each audit ID that is processed. This information is updated as the task is processed in the system. There will be one entry per root task that is executed.

The "Provisioning Status" column shows the current status of the task:

Task initiated OK

Task not enabled for provisioning

Task does not exist

Loop detected

Task cannot be used externally as it is private

Entry does not exist in Identity Store

Database error

Task OK

Task Failed

OK

Failed

The "Entry" column shows which entry was processed.

The "Started by" column shows what initiated the task. This can be either an entry (person) or an event task.

The "Details" view shows more information about each entry in the audit log. There are two tabs containing different audit information.


The "Detailed audit" tab

The "Detailed audit" shows the history of the task execution. The log is updated at certain points of the task execution, making it possible to follow the processing of a request. It is also possible to add information to the detailed audit by using the internal function uAddAuditInfo from the executing tasks.

The "Trace" tab

For newer installations of the Identity Center, the trace is enabled by default. If you have an Identity Center that has been upgraded from a previous version, the trace must be enabled manually. This is done in the Management Console: view the properties of the Identity Center, select the "Options" tab and select "Enable trace".

The trace shows the history of the task execution and is updated after the task has completed.

4.1.7 Viewing the approval queue

The approval queue contains all requests awaiting approvals.

4.1.8 Setting up an SAP JCo trace

For information about how to set up an SAP JCo trace, see the following sections in the SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide:

Setting up an SAP Java Connector (SAP Jco) and Related Traces

Restricting the CPIC or JRFC Trace to a Specific Pass

4.1.9 Viewing the logs from the Identity Management User Interface

The Identity Management User Interface runs on SAP NetWeaver AS Java. The logs are managed in AS Java’s logging framework. The log category can be identified with:

/System/Security/IDM

For information about how to set log levels and other details about log configuration, see the Help Portal, http://help.sap.com.

4.1.10 Viewing the traces from the Identity Management User Interface

The Identity Management User Interface runs on SAP NetWeaver AS Java. The traces are managed in AS Java’s logging framework. The traces are identified with:

com.sap.idm.jmx

For information about how to set log levels and other details about log configuration, see the Help Portal, http://help.sap.com.


4.1.11 Using the System diagnostics report for problem analysis

You can get an overview of the Identity Management database by using the SAP NetWeaver Identity Management Configuration Analyzer for a system diagnostics report.

The SAP NetWeaver Identity Management Configuration Analyzer analyzes and gathers the information about an existing configuration, and detects and reports potential configuration issues both related to the migration process and in general.

For more information about how to use the Configuration Analyzer, see SAP NetWeaver Identity Management: Using the Configuration Analyzer.

4.1.12 Providing access to the configuration for problem analysis

In some cases it may be necessary or useful to provide access to the Identity Management configuration for problem analysis. This can be done by using the export feature of the Transport utility.

The Identity Management Administration User Interface must be available on the system.

1. If necessary, provide access to the Export feature to the user who is going to perform the export. See the document SAP NetWeaver Identity Management Implementation guide Transport for details.

2. Perform an export and store the file in the file system. This file will contain the Identity Center configuration. If the Virtual Directory Server configuration is part of the transport into this system, that configuration will also be included in the exported file. If not, it can be included by uploading the configuration to the Identity Center database as described in the document SAP NetWeaver Identity Management Implementation guide Transport.

3. This file can then be imported to an empty system for inspection.

4.2 Monitoring of the Virtual Directory Server

4.2.1 Viewing the logs on SAP NetWeaver AS Java

When deploying a configuration on SAP NetWeaver AS Java, the logs are managed in AS Java’s logging framework. The log category is identified with:

/Applications/VirtualDirectoryServer

For more information, see the Help Portal, http://help.sap.com.

4.2.2 Viewing the traces on SAP NetWeaver AS Java

When deploying a configuration on SAP NetWeaver AS Java, the traces are managed in AS Java’s logging framework. The trace location is identified with:


com.sap.idm.vds.<LogType>

Where LogType is one of:

oper: Operation log

audit: Audit log

stat: Statistics

For more information, see the Help Portal, http://help.sap.com.

4.2.3 Viewing the logs when running in standalone mode

The default location for the logs is <work area>\logs. The files are called operation.trc, operation.log, audit.trc and stat.trc. You can specify different locations for the log files with the <PATH> in the standalonelog.prop file.

The <PATH> is the complete path, including the file name. Make sure you use two backslashes (\\) in the path, for instance c:\\temp\\operation.trc. You can also use single forward slashes as on Unix, for instance c:/temp/operation.trc.

4.2.4 Verifying that the server is available

You can verify the availability of the server both when it is running in standalone service mode on Microsoft Windows and when deployed on SAP NetWeaver AS Java.

When running in standalone mode, you use "Services" in the Control Panel to see the status of the service. The service is identified with the service name you specified for the configuration.

When deploying a configuration on SAP NetWeaver AS Java, you use the SAP NetWeaver Administrator to verify the availability of the deployed service. The service is identified with sap.com/vds-<application name>, where <application name> is the name you specified when deploying the configuration.

4.3 Monitoring of Identity Management Identity Federation

Identity Federation is an optional component of SAP NetWeaver Identity Management. Operational information is included in the relevant implementation guides for the two Identity Federation software units:

SAP NetWeaver Identity Management Identity Provider Implementation Guide

SAP NetWeaver Identity Management Security Token Service Implementation Guide

4.4 Monitoring Performance with Wily Introscope

SAP NetWeaver Identity Management is prepared to be monitored by Wily Introscope. Wily Introscope provides mechanisms to instrument Java code and analyze performance issues.

SAP NetWeaver Identity Management requires the following version of Wily Introscope:

A Wily Introscope Agent version 8.2.3.5 or higher.

Use the following path to download Wily Introscope from the Service Marketplace:


Support Packages and Patches -> SAP SOLUTION MANAGER -> SAP SOLUTION MANAGER 7.0 EHP 1-> Entry by Component -> Agents for managed systems -> Wily Introscope Agent 8.

Select one of the files:

ISAGENTSTD02_3-10007435.SAR

Patch for Introscope Java Agent 8 SP02 for SAP (Standalone Agent)

ISAGENT02_3-10007435.SCA

Patch for Introscope Java Agent 8 SP02, deployment via SAP SolMgr

For information about Wily Introscope, see the Solution Manager documentation:

Solution Manager 7.0:

Application Help -> Root Cause Analysis -> Performance Metrics Monitoring with Introscope by Wily

Direct link:

Solution Manager 7.1:

Application Help -> Technical Operations -> Root Cause Analysis -> Performance Metrics Monitoring with Introscope by Wily

Direct link:

4.4.1 Monitoring SAP NetWeaver AS Java

The following components of SAP NetWeaver Identity Management are deployed on SAP NetWeaver AS Java and can be monitored as part of the server:

Identity Management User Interface

Security Token Server

Virtual Directory Server (deployed configuration)

To enable instrumentation of SAP NetWeaver AS Java, see the documentation for Wily Introscope.

For each of these components, the classes to be monitored are visible in the Wily Introscope Workstation under the following nodes:

Component: Identity Management User Interface
Node: SAP NW Identity Management|Identity Center
Class(es): SAP_ITSAM_IDM_Service_Impl_Impl

Component: Security Token Service
Node: SAP NW Identity Management|Security Token Service
Class(es): STS

Component: Virtual Directory Server (deployed configuration)
Node: SAP NW Identity Management|Virtual Directory Server
Class(es): MVDAddOperation, MVDModifyOperation, MVDSearchOperation, MVDNodeSearchOperation


4.4.2 Monitoring SAP NetWeaver Identity Management Virtual Directory Server (Standalone mode)

To be able to monitor a Virtual Directory Server configuration running in standalone mode, you have to modify the .bat/.sh file that starts the server. This .bat/.sh file is created in the configuration’s work area.

To modify this .bat/.sh file you need the following information:

The location of the Wily Introscope Agent (AGENTHOME).

For Java (1.3)/1.4: Create an AutoProbe connector .jar file as described in the document Wily Introscope Version 7.2 Installation Guide for SAP.

An agent name for the configuration (SID_INSTANCE_server0). This name is used to identify the configuration in the Wily Introscope Workstation, so make sure it is unique and meaningful. Note: The agent name has to start with a letter.

The settings for Wily Introscope are added as options to java.exe, depending on which version of Java you are using.

4.4.2.1 Updating the .bat/.sh file (Java 1.3/1.4)

Open the .bat/.sh file and add the following Java options:

-Dcom.wily.introscope.agentProfile=<AGENTHOME>/IntroscopeAgent.profile -Xbootclasspath/p:<AGENTHOME>/Agent.jar;<AGENTHOME>/connectors/connector.jar

-Dcom.wily.introscope.agent.agentName=<SID_INSTANCE_server0>

4.4.2.2 Updating the .bat/.sh file (Java 1.5/1.6)

Open the .bat/.sh file and add the following Java options:

-Dcom.wily.introscope.agentProfile=<AGENTHOME>/IntroscopeAgent.profile -javaagent:<AGENTHOME>/Agent.jar

-Dcom.wily.introscope.agent.agentName=<SID_INSTANCE_server0>

The classes to be monitored are visible in the Wily Introscope Workstation under the following node:

Node: SAP NW Identity Management|Virtual Directory Server
Class(es): MVDAddOperation, MVDModifyOperation, MVDSearchOperation, MVDNodeSearchOperation

Here is a sample .bat file for Java 1.6:

"D:\JDK6\bin\java.exe" -Dcom.wily.introscope.agentProfile=C:\usr\sap\ccms\AGENT\IntroscopeAgent.profile -javaagent:C:\usr\sap\ccms\AGENT\Agent.jar -Dcom.wily.introscope.agent.agentName=StandaloneVDS -cp "C:\usr\SAP\IdM\Virtual Directory Server\lib\mvd.jar;C:\Program Files\Microsoft SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu\sqljdbc.jar;C:\usr\SAP\IdM\Virtual Directory Server\externals;C:\usr\SAP\IdM\Virtual Directory Server\lib\vdstools.jar;C:\usr\SAP\IdM\Virtual Directory Server\lib\vdsverifier.jar" "-DMX_SERVER_HOME=C:\usr\SAP\IdM\Virtual Directory Server" com.sap.idm.vds.MVDServer "C:\usr\SAP\IdM\Virtual Directory Server\configurations\test1\test1.xml"

4.4.3 Troubleshooting

If you encounter problems during the configuration of Wily Introscope, please see the document Troubleshooting Guide Wily Introscope.


4.5 Configuring and Viewing the Entry Trace

You can enable tracing to help debug and troubleshoot specific situations. With tracing enabled, you can follow all operations performed on a specific entry. The trace is available on the "Trace" tab in the Identity Management Administration User Interface, provided that the logged-in user has the privilege MX_PRIV:WD:TAB_TRACE. How you configure access to the "Trace" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

The following components will add entries to the trace log:

Database procedures: modifying attribute values; executing event tasks

Dispatcher: evaluating switch tasks; evaluating conditional tasks

Runtime Engine: executing a job on the entry; messages written with uInfo, uWarning and uError

Note: The Windows Runtime Engine does not write to the trace log.

4.5.1 Configuring the Entry Trace

To configure the entry trace:

1. Open the Identity Management Administration User Interface and select the "Trace" tab.

2. If you want to include trace information from the Runtime Components, select "Enable trace from Runtime Components". Enabling trace from the Runtime Components may affect the performance of the system.

There may be a delay in the logging from the Runtime Components, as logging starts with the next reload of the dispatcher and the next restart of the runtime engine.

3. Enter the MSKEY or <MSKEYVALUE> for the entry you want to trace.

4. Choose "Save".

The entry to trace is stored in the global constant MX_TRACE_ENTRY while the global constant MX_TRACE_RT is set to TRUE if you select "Enable trace from Runtime Components".


4.5.2 Viewing the Trace Log

The "Trace log" table shows the contents of the entries in the trace log. The table contains all log entries since the log was last reset. The table contains the following columns:

Entry: The trace log may contain the trace for more than one entry. The "Entry" column shows the ID/name of the entry being traced.

Trace time: The time when the log entry was added.

Component: Which component/process added the log entry.

Event: Which event triggered the log entry.

Attribute: The affected attribute (if any).

Value: The new value (if any).

Change type: The type of operation: Add/Modify, Delete case sensitive, or Delete case insensitive.

Message: A free text added by the component.

You can save the trace log as a CSV file by selecting "Download trace (as CSV)".

The trace log is not automatically reset, so you have to choose "Clear trace" to clear the trace log.

4.5.3 Reading the Trace Log

The trace log is stored in the database table mc_trace_data and can be accessed with the view idmv_trace_data. You can create a job in the Management Console with, for instance, a "To ASCII file" pass that has this view as "Source" and in which you specify an SQL query that selects the entries you want to include.


4.6 Analyzing Statement Execution

A configuration of an Identity Management solution normally contains a number of SQL statements, for instance:

As the definition of a pass source

Access control on tasks

Conditional and switch tasks

Using the internal function uSelect

There are some recommendations when writing SQL queries as part of the configuration, for instance:

Using the indexed column searchvalue instead of avalue in SQL queries

On Microsoft SQL Server, use WITH (NOLOCK) when applicable

The Configuration Analyzer does some semantic analysis of the statements, but that can only be compared to a list of known issues, and may not be complete for a given configuration.

To help analyze the performance of the queries, it is possible to log all SQL statements that take longer than a predefined time to execute.

If the system starts slowing down, there will be an increasing number of log entries in the statement execution log.

Some queries that are logged may come from frameworks or stored procedures that are part of the product, and thus cannot be changed by the customer. Please report such incidents through CSS.

4.6.1 Enabling the Statement Execution Analysis

The statement execution analysis is available on the "Statement Execution" tab in the Identity Management Administration User Interface, provided that the logged-in user has the privilege MX_PRIV:WD:TAB_THRESHOLD. How you configure access to the "Statement Execution" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

To enable the statement execution:

1. Open the Identity Management Administration User Interface and select the "Statement Execution" tab.

2. Select "Enable threshold" and enter the number of milliseconds that should be used as threshold. All queries taking longer than the specified value are logged.

3. Choose "Save".

The threshold value is stored in the global constant MX_LOG_EXEC_THRESHOLD.


4.6.2 Viewing the Log

The "Log" table shows all SQL queries that take longer than the specified threshold. The table contains all log entries since the log was last reset.

The table contains the following columns:

Component: Which component/process added the log entry.

Start time: The time the query was started.

Statement: The SQL statement being executed.

Execution time: Time (in ms) to execute the statement.

Entry: The entry being processed (if relevant).

Task ID/Task: Task which was executed (if relevant).

Job ID/Job: Job which was executed (if relevant).

By default, the table is sorted descending by "Execution time", but you can sort on any column. Use the information in the log to identify statements and analyze them to see whether their performance can be improved.

You can search the contents of the log by entering a search criterion and choose "Search". This is a free text search in the columns "Component", "Statement", "Entry", "Task ID", "Task", "Job ID" and "Job".

The table shows only the 500 first log entries. To see the complete log, you can save the log as a CSV file by selecting "Download (as CSV)".

The statement execution log is not automatically reset, so you have to choose "Reset log" to clear the log.

4.6.3 Reading the Log

The statement execution log can be accessed with the view idmv_exec_stat. You can create a job in the Management Console with, for instance, a "To ASCII file" pass that has this view as "Source" and in which you specify an SQL query that selects the entries you want to include.
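As an added example (not part of this guide or the product), the following Python script analyzes a "Download (as CSV)" export of the statement execution log: it groups the logged statements, ranks them by total execution time, and applies the two recommendations given at the start of section 4.6 as simple text checks. It assumes the column names of the "Log" table and a ';' delimiter; the sample rows and the view name idmv_value_basic in them are constructed for the example.

```python
"""Analysis of a CSV download of the statement execution log (section 4.6).

Added example, not part of the SAP documentation or product. It assumes the
CSV uses the column names of the "Log" table and a ';' delimiter, and it
applies the two recommendations from section 4.6 (searchvalue instead of
avalue, WITH (NOLOCK) on Microsoft SQL Server) as simple text checks. The
view name idmv_value_basic in the sample rows is an assumption.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of what "Download (as CSV)" could produce; the rows are
# invented for this example.
SAMPLE_CSV = """Component;Start time;Statement;Execution time;Entry;Task ID;Task;Job ID;Job
Dispatcher;2014-07-01 10:00:01;select mskey from idmv_value_basic where attrname='MX_MAIL' and avalue='jdoe@example.com';1850;1234;77;Check mail;;
Runtime Engine;2014-07-01 10:00:05;SELECT mskey FROM idmv_value_basic WITH (NOLOCK) WHERE attrname='MX_MAIL' AND searchvalue='JDOE@EXAMPLE.COM';420;1234;;;12;Load users
Dispatcher;2014-07-01 10:01:10;select mskey from idmv_value_basic where attrname='MX_MAIL' and avalue='asmith@example.com';2100;1235;77;Check mail;;
"""

# Quoted string literals ('' is an escaped quote) and bare numbers.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


def parse_log(text, delimiter=";"):
    """Read the export into a list of row dicts; "Execution time" becomes an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter=delimiter):
        row["Execution time"] = int(row["Execution time"])
        rows.append(row)
    return rows


def normalize(statement):
    """Replace literals with '?' and fold case and whitespace, so that the same
    statement executed with different values is counted as one statement."""
    return " ".join(_LITERAL.sub("?", statement).split()).upper()


def check_statement(statement):
    """Text checks for the recommendations in section 4.6; returns the findings."""
    findings = []
    lowered = statement.lower()
    if re.search(r"\bavalue\b", lowered) and not re.search(r"\bsearchvalue\b", lowered):
        findings.append("filters on avalue; the indexed column searchvalue is recommended")
    if "nolock" not in lowered:
        findings.append("no WITH (NOLOCK) hint (Microsoft SQL Server, where applicable)")
    return findings


def summarize(rows):
    """Group rows by normalized statement and rank them by total execution time."""
    groups = defaultdict(lambda: {"count": 0, "total_ms": 0, "max_ms": 0, "example": None})
    for row in rows:
        group = groups[normalize(row["Statement"])]
        group["count"] += 1
        group["total_ms"] += row["Execution time"]
        group["max_ms"] = max(group["max_ms"], row["Execution time"])
        if group["example"] is None:
            group["example"] = row["Statement"]
    result = []
    for key, group in groups.items():
        group["statement"] = key
        group["findings"] = check_statement(group["example"])
        result.append(group)
    result.sort(key=lambda g: g["total_ms"], reverse=True)
    return result


if __name__ == "__main__":
    for group in summarize(parse_log(SAMPLE_CSV)):
        print(f'{group["count"]}x  total {group["total_ms"]} ms  max {group["max_ms"]} ms')
        print("   ", group["statement"])
        for finding in group["findings"]:
            print("    ->", finding)
```

Statements that come from the product's own frameworks or stored procedures will also appear in the ranking; those are the ones to report rather than rewrite.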

5 Management of SAP NetWeaver Identity Management


SAP provides you with an infrastructure to help your technical support consultants and system administrators effectively manage all SAP components and complete all tasks related to technical administration and operation.

You can find more information about the underlying technology in the Technical Operations Manual in the SAP Library under SAP NetWeaver.

5.1 Starting and Stopping

5.1.1 Starting and stopping the Identity Center

The Identity Management User Interface is deployed on SAP NetWeaver AS Java. The service is controlled from here.

The processing of jobs and tasks in the Identity Center is controlled by the dispatchers and the event services. You can start and stop any or all of these services.

If the Management Console is installed on the same server as the dispatcher/event service, the dispatcher can be started and stopped from the dispatcher properties.

You can start and stop a dispatcher from the command line with the following commands:

dispatcher_service_<dispatcher name> start

dispatcher_service_<dispatcher name> stop

This will stop the dispatcher, but any running jobs will complete processing.

5.1.2 Starting and stopping the Virtual Directory Server

A Virtual Directory Server configuration can either be deployed as a web service on SAP NetWeaver AS Java or be run locally as an LDAP server.

When deployed locally, the server is started and stopped from the Virtual Directory Server user interface.

When deployed on SAP NetWeaver AS Java the service is controlled by SAP NetWeaver AS Java.

5.2 Software Configuration

5.2.1 Software Configuration – Identity Center

The Identity Center configuration is managed through the Management Console. Additionally, some configuration parameters are available through the Identity Management Administration User Interface, for instance in a production environment where the Management Console is not available. See section 5.6.9 for details.

5.2.2 Software Configuration – Virtual Directory Server

You use the Virtual Directory Server user interface to create and maintain the configurations.

If a configuration is uploaded to an Identity Center database for transport, global constants are available through the Identity Management Administration User Interface, for instance in a production environment where the Virtual Directory Server user interface is not available. See section 5.6.9 for details.


5.3 Administration Tools

See Section 4 on page 54.

5.4 Backup and Restore

You need to back up your system landscape regularly to ensure that you can restore and recover it in case of failure.

The backup and restore strategy for your system landscape should not only consider SAP systems but should also be embedded in overall business requirements and incorporate your company’s entire process flow.

In addition, the backup and restore strategy must cover disaster recovery processes, such as the loss of a data center through fire. It is most important in this context that you ensure that backup devices are not lost together with normal data storage (separation of storage locations).

5.4.1 Backing up and restoring an Identity Center database (Microsoft SQL Server)

This section describes how to back up and restore your Identity Center database on Microsoft SQL Server. You always back up and restore a complete Identity Center database.

5.4.1.1 Backing up a database

Back up the database using the normal database procedures. See the database documentation for details.

5.4.1.2 Restoring a database

Install the database schema for the database, as described in SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft SQL Server).

Restore the database using the Microsoft SQL Server database utility for restoring a backup. Select the overwrite option to overwrite the newly installed database. See the database documentation for details.

Make sure there are no conflicts with the database prefixes, as the backup will always restore a database with the same prefix as the one that was backed up.

In most cases, the database user/login mapping will not be correct after this restore. The exception is if the restore is done to the same database installation from which the backup was taken, in which case the internal user IDs will be the same as on the backup. If you are unable to connect to the database from the Management Console, you need to re-establish this mapping.


Restoring the user/login mappings

Restore the user/login mappings according to the table below (SQL Server login, database user, database roles):

SQL Server login <prefix>_oper: database user <prefix>_oper; roles db_owner/dbo

SQL Server login <prefix>_admin: database user <prefix>_admin_u; roles <prefix>_admin_role, <prefix>_delta_rw_role

SQL Server login <prefix>_rt: database user <prefix>_rt_u; roles <prefix>_rt_role, <prefix>_delta_rw_role

SQL Server login <prefix>_prov: database user <prefix>_prov_u; roles <prefix>_prov_role, <prefix>_transport_role

SQL Server login <prefix>_user: database user <prefix>_user_u; roles <prefix>_user_role, <prefix>_delta_r_role

Recreate each of the mappings using SQL statements. Log in as sa and run the following:

use <prefix>_db

ALTER USER <prefix>_oper_u WITH LOGIN = <prefix>_oper

ALTER USER <prefix>_admin_u WITH LOGIN = <prefix>_admin

ALTER USER <prefix>_rt_u WITH LOGIN = <prefix>_rt

ALTER USER <prefix>_prov_u WITH LOGIN = <prefix>_prov

ALTER USER <prefix>_user_u WITH LOGIN = <prefix>_user

GO

For more information, see the documentation of the Microsoft SQL Server Management Studio.

When all users are connected to the logins, run the script mxmc_update.cmd to set the access control on all the stored procedures. The database should now be available.

Verify that you are able to connect to the restored database with the Management Console and the Identity Management User Interface.


5.4.2 Backing up and restoring an Identity Center database (Oracle)

This section describes how to back up and restore your Identity Center database on Oracle. You always back up and restore a complete Identity Center database.

5.4.2.1 Backing up a database

Back up the database using the normal database procedures. See the database documentation for details.

In the Oracle database, the following schema objects of the MXMC_OPER user must be backed up:

Function

Index

Package

Package body

Procedure

Sequence

Synonym: MXMC_PROV, MXMC_ADMIN, MXMC_RT and MXMC_USER

Table

Trigger

View

The following objects must be backed up from Security:

USERS

MXMC_ADMIN

MXMC_OPER

MXMC_PROV

MXMC_RT

MXMC_USER

ROLES

MXMC_ADMIN_ROLE

MXMC_DELTA_R_ROLE

MXMC_DELTA_RW_ROLE

MXMC_PROV_ROLE

MXMC_RT_ROLE

MXMC_TRANSPORT_ROLE

MXMC_USER_ROLE

5.4.2.2 Restoring a database

Restore the database using the normal database procedures. See the database documentation for details.


5.4.3 Backing up and restoring an Identity Center database (IBM DB2)

This section describes how to back up and restore your Identity Center database on IBM DB2. You always back up and restore a complete Identity Center database.

Back up and restore the database using the normal database procedures. See the database documentation for details: Database Administration Guide SAP on IBM DB2 for Linux, UNIX, and Windows (http://service.sap.com/instguidesNW73 -> Operations -> Database-Specific Guides -> SAP DBA Guide: IBM DB2 for LUW (Version 1.40)).

5.4.4 Backing up and restoring a Virtual Directory Server configuration

If you use version control and store the configuration file in a database, this database can be backed up using the normal database procedures.

If the configuration is stored in an .XML file, use a file backup tool to back up the configuration file(s).

5.5 Application Copy

How you move a configuration from a test to a production environment is described in the document SAP NetWeaver Identity Management Identity Center Implementation Guide Transport.

5.6 Periodic Tasks

There are no specific periodic tasks for the Virtual Directory Server apart from what may be defined for the SAP NetWeaver AS Java where the service is deployed.

Some housekeeping tasks for the Identity Center are defined as scheduled procedures. See Configuring the scheduled procedures for housekeeping in the help file for the Identity Center Management Console for more information.

The following manual periodic tasks are defined for each of the Identity Centers.

5.6.1 Manual tasks for the Identity Center

Task                                           | Tool(s) supporting this task   | Recommended frequency | Detailed description
Verify that all services are running           | Monitoring tab/User interface  | Daily                 | Select "Dispatcher Status" to see that all dispatchers are running as expected.
Check logs for failed jobs                     | Monitoring tab/User interface  | Daily                 | Select "Job Status" to verify that no jobs are in error state.
Clean up the audit information                 | Database management tool       | Weekly                | See section 5.6.3.
Clean up the table job_execution               | Database management tool       | Weekly                | See section 5.6.4.
Clean up the table AuditTrail                  | Database management tool       | Weekly                | See section 5.6.5.
Clean up historic values in the identity store | Database management tool       | Monthly               | See section 5.6.6.
Rebuild database indexes                       | Database management tool       | Monthly               | See section 5.6.7.

5.6.2 Manual tasks for Transport/Configuration Management

Task                                          | Tool(s) supporting this task                                        | Recommended frequency | Detailed description
View changes to the configuration             | Configuration History tab/User interface                            | On demand             | See section 5.6.8.
Change global or repository constants         | System Parameters tab/User interface                                | On demand             | See section 5.6.9.
Add a repository to the productive landscape  | Management Console (in development landscape), Transport Utility    | On demand             | See section 5.6.10.

5.6.3 Cleaning up the audit information

The audit tables are used by the provisioning functionality for auditing every provisioning request and its status. These tables also link provisioning tasks together, since sub-tasks are typically started by OnOk, OnFail, OnChainOK or OnChainFail.

Remove the entries older than a specific audit ID.

To remove entries with audit ID < 1000000, do as follows:

delete from mxi_link_audit where mcAuditID < 1000000 and mcAuditID <> -1

delete from MXP_Audit_Variables where auditID < 1000000

delete from MXP_Ext_Audit where aud_ref < 1000000

delete from mxp_audit where auditid < 1000000

The tables MXP_Audit_Variables and MXP_Ext_Audit have audit ID columns referring to MXP_Audit.auditid, so the entries in these tables must be deleted before cleaning up the mxp_audit table.


5.6.4 Cleaning up the table job_execution

The job_execution table belongs to the delta functionality. Every time a job runs with the delta functionality turned on, a new entry is inserted into this table containing the date/time and key figures about how many entries were added, modified, deleted, failed or not changed.

Remove the entries older than a defined date.

5.6.5 Clean up the table AuditTrail

The AuditTrail table belongs to the delta functionality and keeps an audit trail of changes, either on entry level or on attribute level. If Audit is not turned on, this table stays empty.

If Audit is turned on, new records are added whenever entries are added, modified or deleted. In the Management Console you can set a maximum number of entries to keep in this audit table.

If delta is being used, every execution of a job-pass is added to this table.

Remove the entries older than a defined date.

5.6.6 Cleaning up historic values in the identity store

Any attributes and entries within the identity store which are modified or deleted will be stored in the historic values. This information is held in the table mxi_old_values. There is a configuration parameter on each attribute, which indicates for how many revisions or for how long this information is to be kept. The default value is to keep historic values for 30 days. This information is stored either in mxi_attributes.SaveDays or in mxi_attributes.SaveCopies.

If you want to keep the historic values for a long time, the mxi_old_values table may grow very large. There is no automatic moving of historic data to offline storage.

Since historic data is stored in a separate table, it is quite simple to implement a job which moves this information to an offline storage, by moving entries from mxi_old_values to another database or external storage. The attribute mxi_old_values.ModifyTime holds the date/time when the attribute was last modified, and can be used for selecting the oldest entries to move.
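As an added example (not part of this guide and not Identity Center product code), the following Python script runs the audit cleanup of section 5.6.3 in the required table order and the offline move of historic values described above, against a constructed in-memory SQLite stand-in for the tables. Only the names mxi_link_audit.mcAuditID, MXP_Audit_Variables.auditID, MXP_Ext_Audit.aud_ref, mxp_audit.auditid and mxi_old_values.ModifyTime come from this guide; every other column, the archive table and all sample rows are assumptions made for the demonstration.

```python
import sqlite3
from datetime import datetime, timedelta

# Deletion order from section 5.6.3: the tables whose audit ID columns refer to
# MXP_Audit.auditid are cleaned first, mxp_audit last. Table names are fixed
# constants here, so building the statements with f-strings is safe.
AUDIT_CLEANUP = (
    ("mxi_link_audit", "mcAuditID < ? AND mcAuditID <> -1"),
    ("MXP_Audit_Variables", "auditID < ?"),
    ("MXP_Ext_Audit", "aud_ref < ?"),
    ("mxp_audit", "auditid < ?"),
)

# Constructed "current time" for the sample run (not a real value).
SAMPLE_NOW = datetime(2014, 7, 15, 12, 0, 0)


def cleanup_audit(conn, max_audit_id):
    """Delete audit rows with an audit ID below max_audit_id, child tables first.

    All four deletes run in one transaction, so a failure part-way leaves no
    orphaned rows behind. Returns {table: rows deleted}.
    """
    deleted = {}
    with conn:  # commit on success, roll back on exception
        for table, where in AUDIT_CLEANUP:
            cur = conn.execute(f"DELETE FROM {table} WHERE {where}", (max_audit_id,))
            deleted[table] = cur.rowcount
    return deleted


def archive_old_values(conn, archive, keep_days, now=None):
    """Move mxi_old_values rows older than keep_days into an offline archive.

    Rows are selected on ModifyTime as the guide suggests, copied to the
    archive connection and only then deleted from the identity store.
    Returns the number of rows moved.
    """
    now = now or datetime.now()
    # ModifyTime is stored as an ISO text stamp in this stand-in, so string
    # comparison orders correctly; a real DBMS compares native timestamps.
    cutoff = (now - timedelta(days=keep_days)).strftime("%Y-%m-%d %H:%M:%S")
    rows = conn.execute(
        "SELECT mskey, attrname, avalue, ModifyTime FROM mxi_old_values "
        "WHERE ModifyTime < ?", (cutoff,)).fetchall()
    with archive:
        archive.executemany(
            "INSERT INTO mxi_old_values_archive VALUES (?, ?, ?, ?)", rows)
    with conn:  # delete only after the archive copy has been committed
        conn.execute("DELETE FROM mxi_old_values WHERE ModifyTime < ?", (cutoff,))
    return len(rows)


def open_archive():
    """Constructed offline store; a real job would target another database."""
    archive = sqlite3.connect(":memory:")
    archive.execute("CREATE TABLE mxi_old_values_archive "
                    "(mskey INTEGER, attrname TEXT, avalue TEXT, ModifyTime TEXT)")
    return archive


def build_sample_db():
    """Constructed in-memory stand-in for the Identity Center tables.

    Only the audit ID and ModifyTime columns match the guide; the remaining
    columns and every row are made up for the demonstration.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mxp_audit (auditid INTEGER PRIMARY KEY, taskid INTEGER);
        CREATE TABLE MXP_Audit_Variables (auditID INTEGER, varname TEXT, varvalue TEXT);
        CREATE TABLE MXP_Ext_Audit (aud_ref INTEGER, info TEXT);
        CREATE TABLE mxi_link_audit (mcAuditID INTEGER, mcLinkID INTEGER);
        CREATE TABLE mxi_old_values (mskey INTEGER, attrname TEXT, avalue TEXT, ModifyTime TEXT);
    """)
    conn.executemany("INSERT INTO mxp_audit VALUES (?, ?)",
                     [(i, 7) for i in range(999_998, 1_000_003)])
    conn.executemany("INSERT INTO MXP_Audit_Variables VALUES (?, ?, ?)",
                     [(999_998, "PAR_X", "a"), (1_000_001, "PAR_X", "b")])
    conn.executemany("INSERT INTO MXP_Ext_Audit VALUES (?, ?)",
                     [(999_999, "old"), (1_000_002, "new")])
    # The guide's statement excludes mcAuditID -1, so that row must survive.
    conn.executemany("INSERT INTO mxi_link_audit VALUES (?, ?)",
                     [(999_998, 1), (-1, 2), (1_000_000, 3)])
    conn.executemany("INSERT INTO mxi_old_values VALUES (?, ?, ?, ?)",
                     [(42, "MX_PHONE", "+47 1", "2014-05-01 09:00:00"),
                      (42, "MX_PHONE", "+47 2", "2014-06-10 00:00:00"),
                      (43, "MX_TITLE", "Dev", "2014-07-10 09:00:00")])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("audit rows deleted:", cleanup_audit(db, 1_000_000))
    print("historic values archived:",
          archive_old_values(db, open_archive(), 30, SAMPLE_NOW))
```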

5.6.7 Rebuilding database indexes

With heavy usage of the system, the database indexes will become fragmented, which may decrease performance.

For further information regarding fragmented indexes and rebuilding the indexes, please refer to the documentation for your database system.

5.6.8 Viewing Changes to the Configuration

The overview of changes to the configuration is available in the Identity Management Administration User Interface, using the http://<host>:<port>/idm/admin URL. If the configuration has not been transported, only changes to global constants and repository constants are available.

Select the "Configuration History" tab to view the history of changes to the configuration. You can see details about the following:


Imported configuration files For imported configuration files, the date and time of the import, the ID of the user that performed the import, and the same information for the export are displayed. You can also download the configuration file that was imported.

You can view the import log for each import by selecting the import entry in the list and choosing the "Import Log" tab in the details area. The columns show the "Severity", "Message" and "Time" for each log entry of the import.

Changes to global constants For changes to global constants, the date and time of the change, the ID of the user that made the change, the name and description of the constant and the old and new values are displayed.

Changes to repository constants For changes to repository constants, the date and time of the change, the ID of the user that made the change, details about the repository (for example, ID, name, type, and description), the name and description of the constant changed, and the old and new values are displayed.

For security reasons, the history for encrypted data such as passwords is not saved for use in this view. You can see that a change was made, but the old values are not displayed.

5.6.9 Changing Global or Repository Constants

To change global or repository constants in the Identity Management Administration User Interface, use the same URL as for monitoring or for viewing the configuration history, which is http://<host>:<port>/idm/admin.

You can change the constants in the Identity Management Administration User Interface, but you cannot create or delete them. To create global constants or add repositories to the system, create them in the development or test/QA system using the Identity Center Management Console and transport them to the (test and) productive systems. Implement any system-specific jobs that use the repositories or constants in the development or test/QA system and transport them as well.

1. To make changes to the system parameters, choose the "System Parameters" tab from the Identity Management Administration User Interface.

2. Select "Global Constants" or "Repositories" to change the corresponding constants.

3. Change the constant values directly in the corresponding table.

You can change the parameters for parameterized constants such as JDBC URLs by selecting the constant value. The parameters for these constants are then displayed separately and can be changed.

If a parameterized constant contains a password parameter that is encrypted, create an encrypted global or repository constant that contains the encrypted value. Reference the password constant in the parameter value of the URL constant. This ensures that the password is encrypted and can be changed.

4. Save the data.


5.6.9.1 Modifying Assignment Grouping Repository Constants

If assignment grouping is defined on the repository in the Identity Center Management Console (see http://help.sap.com/saphelp_nwidmic72/en/mc/dse_repository_privilege.htm), there are two repository constants that will contain this configuration.

MX_PRIV_GROUPING_RULE defines the assignment grouping. The value of the constant ranges from P:-1 to P:7, corresponding to the grouping rule selected on the repository.

MX_PRIV_GROUPING_ATTRIBUTE contains a reference to the grouping attribute, if any.

When selecting the constant MX_PRIV_GROUPING_RULE, the row will expand to reveal a set of checkboxes and radio buttons.

The value of the repository constant depends on the configuration you define. For example, choosing the No Grouping radio button results in a value of P:-1, while choosing the Grouping radio button can result in a value of P:0.

Select the necessary checkboxes and radio buttons to configure the assignment grouping and to define the constant’s value.

If you select the Separate by Privilege Attribute checkbox, you will be able to select a privilege attribute for assignment grouping from the dropdown menu.

5.6.10 Adding a Repository to the Productive System

To add a repository to the productive identity management system, you must add the repository in the development or test/QA system and transport it to the productive system. The overview of the process is:

1. Using the Management Console on the development or test/QA system:

a. Create the repository.

b. Create any configuration elements that apply to the system, for example, account attributes used by the provisioning framework for SAP systems.

c. Create the initial load job and any other jobs or tasks that apply to the system.

2. Using the Identity Management Administration User Interface on the development or test system, export the configuration.

3. Using the Identity Management Administration User Interface on the productive system:

a. Import the configuration.

b. Update the repository definition.

4. Run the initial load job or any other jobs that need to be processed.

For more information on creating repositories, account attributes, and jobs, see the online help.

5.7 Load Balancing

5.7.1 Load Balancing – Identity Center

The system landscape "XL – Production", described in the document SAP NetWeaver Identity Management Identity Center Installation overview, shows how load balancing is achieved.

5.7.2 Load Balancing – Virtual Directory Server

Load balancing is handled by the SAP NetWeaver AS Java where the service is deployed.


5.8 User Management

The Identity Center creates a number of database users as part of the database installation. This is described in the documents SAP NetWeaver Identity Management Identity Center Installing the database (Microsoft SQL Server/Oracle).

How to manage users for the Identity Management User Interface is described in the document SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface.

How you manage users to access the servers created by the Virtual Directory Server is part of the configuration of the server.

5.9 Maintaining Message Templates

Message templates are used when sending notifications to users with a Notification task. The Notification task can be called from an approval task to send messages to the approvers and other involved parties of the approval process.

Message template editing requires Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1 and newer.

5.9.1 Initial Configuration

The initial configuration of the message templates is described in the topic Configuring the notification templates.

The message templates can be viewed and edited in the "Message Templates" tab in the Identity Management Administration User Interface, provided that the logged-in user has the privilege MX_PRIV:WD:MSGTEMPLATE:R to be able to view the templates and MX_PRIV:WD:MSGTEMPLATE:RW to be able to edit them.

How you configure access to the "Message Templates" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

This description is based on full access to the message templates with the MX_PRIV:WD:MSGTEMPLATE:RW privilege.

5.9.2 Listing Message Templates

All message templates for approvals belong to the message category MX_APPROVALS. Each template can exist in several languages.

You can get an overview of the message templates that are available in the system:

1. Open the Identity Management Administration User Interface and select the "Message Templates" tab.

2. Select a message category. Choose "MX_APPROVALS" to view approval messages. There may be other categories available.

3. Optionally, enter a search criterion and choose "Search". This will search the template names.

All matching message templates are displayed in the "Available templates" list.

Each template can be in several languages, which are listed in the "Available languages" list.

4. Select a language in the list to display the language specific subject and contents.

5.9.3 Editing a Message Template

You can modify a language version of a message template in the following way:

1. Select a language in the list and choose "Edit".

2. Fill in the fields in the following way:

Category/Name/Language Shows the information for the selected template. These fields cannot be changed.

Localized parameters Select this toggle link to show the list of parameters that can have a specific value for each language when used in the message template. There are three parameters in the list:

Approved, Declined and Timeout.

The text for "Approved", "Declined" or "Timed out" will be used for the parameter PAR_REQUESTRESULT in the message template.

Subject Enter the subject of the message as it will appear in the e-mail.

Format Choose the format of the template. This can be either "HTML" or "Plain text".

Style sheet Only available for HTML templates. Select this toggle link to show or hide the style sheet for the message template.

Contents Enter the text for the template. Either valid HTML encoding or plain text, depending on the chosen format.

You can insert parameters in the template by choosing a parameter in the "Attributes" list and choosing "Append". For a list of available parameters, see section 5.9.3.1.

The parameter will always be added to the end of the text. You have to move it (cut/paste) manually to the correct position in the text.

3. You can preview HTML messages by choosing "Preview".

4. Choose "Save".

If you have chosen HTML as format for the message template, illegal HTML tags (like applet, form or script) will be automatically encoded and illegal event attributes (like onload or onselect) will be removed.
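To illustrate the two rules just described, here is an added Python example; it is not the product's own sanitizer, whose exact rule set this guide does not document. It encodes the named illegal tags (applet, form, script) so they render as visible text, and removes event attributes; treating every attribute whose name starts with "on" as an event attribute is an assumption.

```python
import html
from html.parser import HTMLParser

# Tags the guide names as illegal; they are kept as visible text, never executed.
ILLEGAL_TAGS = frozenset({"applet", "form", "script"})


def _is_event_attribute(name):
    """Assumption: every on* attribute (onload, onselect, ...) is an event handler."""
    return name.lower().startswith("on")


class TemplateSanitizer(HTMLParser):
    """Rebuilds the markup, encoding illegal tags and dropping event attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def _render_start(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            if _is_event_attribute(name):
                continue  # removed, as the guide describes
            kept.append(name if value is None
                        else f'{name}="{html.escape(value, quote=True)}"')
        inner = " ".join([tag] + kept)
        return f"<{inner}/>" if self_closing else f"<{inner}>"

    def _encoded_start(self):
        # The raw tag text is escaped, so the reader sees "<script>" as text.
        return html.escape(self.get_starttag_text(), quote=False)

    def handle_starttag(self, tag, attrs):
        self.parts.append(self._encoded_start() if tag in ILLEGAL_TAGS
                          else self._render_start(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.parts.append(self._encoded_start() if tag in ILLEGAL_TAGS
                          else self._render_start(tag, attrs, True))

    def handle_endtag(self, tag):
        closing = f"</{tag}>"
        self.parts.append(html.escape(closing, quote=False)
                          if tag in ILLEGAL_TAGS else closing)

    def handle_data(self, data):
        # Text, including the body of an encoded <script>, is re-escaped on output.
        self.parts.append(html.escape(data, quote=False))


def sanitize_template(contents):
    """Return the HTML template contents with the two rules applied."""
    parser = TemplateSanitizer()
    parser.feed(contents)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed template body, not one of the product's templates.
    sample = ('<p onload="f()">Dear approver,</p><script>var x = 1;</script>'
              '<a href="https://example.invalid/idm">Approve</a>')
    print(sanitize_template(sample))
```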


5.9.3.1 Available Parameters

You can include information from the request in the message using the list of parameters.

If the <parameter> is not found, the name of the parameter is displayed in the notification message.

If the value of a <parameter> is not found, this will be displayed as an empty string (no value) in the message.

<parameter> can have one of the following values:

Parameter

Description

APPROVALURL

Direct access to the approval on the To Do tab. The URL will be on the form:

%$GLB.MX_GUI_URL_PREFIX%/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/ProcessApproval?RequestID=<request id>.

The global constant MX_GUI_URL_PREFIX is imported with the notification task and must be modified for each system.

The approval will be available for the logged-in user if that user is defined as an approver for this request. Otherwise, the approval request will not be displayed.

AUDITID

AuditID of the approval task.

CHARSET

Charset encoding given by the parameter "CHARENC" in the template list file AssignmentNotificationsList.txt.

DATEASSIGNED

The date the assignment was done in ISO8601 format.

DELEGATEDFROMDISPLAYNAME

The display name of the user that has delegated (forwarded) the approval.

LASTAPPROVERDISPLAYNAME

The display name of the last user to approve the request.

REASON

The reason provided by the approver.

RECIPIENTSDISPLAYNAME

Display name (or MSKEYVALUE) of the recipient of the e-mail.

RECIPIENTSSALUTATION

Salutation retrieved from the MX_SALUTATION attribute for the recipient of the e-mail. If the attribute is not found, it is omitted.

REQUESTINGUSERDISPLAYNAME

Display name of the user that requested the assignment. For self-service this will be the same as the TARGETUSERDISPLAYNAME.

REQUESTREASON

The reason provided when requesting the assignment.

REQUESTRESULT

Based on the value of REQUESTSTATUS, the corresponding value for the parameters given in the template list file AssignmentNotificationsList.txt is used. If the parameters are not added in this file, the default values "Approved" and "Declined" are used.


REQUESTSTATUS

The status of the approval.

0: Declined

1: Approved

2: Timed out

SYSTEMURL

The URL to the Identity Management User Interface as specified in the notification task.

TARGETUSERDISPLAYNAME

Display name of the user that is getting the assignment.

TARGETUSERMSKEY

The MSKEY of the user who is getting the assignment.

TARGETROLEDISPLAYNAME

Display name of the role or privilege being assigned.

TARGETCONTEXTDISPLAYNAME

Display name of the context given for the assignment.

VALIDFROM

"Valid from"-date specified for the assignment.

VALIDTO

"Valid to"-date specified for the assignment.

5.9.4 Adding a Language Version of a Message Template

You can add a language version of a message template. The template will be based on the primary language for the message template.

1. Select the message template in the "Available templates" list.

2. Choose "Add language". The "Add language to template" form is displayed. Fill in the fields in the following way:

Template category Shows the category for the message template. The category cannot be changed.

Language When you click the field, the "Extended Value Selector" is displayed. Select the language for the message template.

Template Shows the name of the template and cannot be changed.

Language specific content Fill in the fields in the same way as when modifying a template. See section 5.9.3.

5.9.5 Removing a Language Version of a Message Template

To remove language versions that are no longer needed:

1. Select one or more languages in the "Available languages" list.

2. Choose "Delete language".

3. Confirm that you want to remove the language versions.

If you remove all language versions of a template, the message template itself is also deleted.


5.9.6 Creating a Message Template

You can create a message template:

1. Select the "Message Templates" tab.

2. Choose "Create". The "Create template" form is displayed.

3. Fill in the fields in the following way:

Template category Select a category for the message template. All approval messages are in the category "MX_APPROVALS".

Language When you click the field, the "Extended Value Selector" is displayed. Select the language for the message template.

Template Enter a name for the template. Template names support only standard ASCII characters.

Language specific content Fill in the fields in the same way as when modifying a template. See section 5.9.3.

4. Choose "Save" to save the message template.

5.9.7 Removing a Message Template

You can remove a message template, including all language versions:

1. Select one or more templates in the "Available templates" list.

2. Choose "Delete template".

3. Confirm that you want to remove the template and all language versions.

5.10 Managing Approvals

Role assignments or other changes to entries in the identity store may require an approval by, for instance, a manager or a role owner. The configuration of the approval task specifies parameters like the timeout and escalation of the approval. For more information about approval processing, see the topic About approval processing in the help file for the Identity Center Management Console.

While waiting for the approver to approve the request, the approval is in pending state. When the specified timeout is reached, the approval is handled according to the defined timeout rule: it is then either escalated or declined.

If an approval for some reason will not be approved within reasonable time, for instance if the approver is absent or unable to perform the approval, the pending approval can either be declined or escalated by a manager or administrator.

Pending approvals are managed from the "Approval Management" tab in the Identity Management Administration User Interface. The logged-in user must have one of the following privileges:

MX_PRIV:APPROVALS:READONLY to be able to view pending approvals

MX_PRIV:APPROVALS:PROCESS to be able to decline or escalate the approval

How you configure access to the "Approval Management" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

This description is based on full access to the pending approvals with the MX_PRIV:APPROVALS:PROCESS privilege.

5.10.1 Listing Pending Approvals

You can get an overview of the pending approvals in the system:

1. Open the Identity Management Administration User Interface and select the "Approval Management" tab.

2. Enter a search criterion in the "Find" field. This is a free-text search in the name of the user getting the assignment, the name of the role/privilege, the approver and the context.

You can also use the advanced search (see below).

3. Choose "Go".

All approvals matching the search criterion are displayed in the list. The color of the status indicator shows how many days are left before the approval expires.

4. Select an approval to show more information in the details view below. Select the different tabs to show all information about the approval.


5.10.2 Finding Approvals Using Advanced Search

If you need to narrow down the search result more than you can by using the basic search, you can use the advanced search to specify more detailed search criteria:

1. Open the Identity Management Administration User Interface and select the "Approval Management" tab.

2. Choose "Advanced" to open the advanced search panel.

3. Fill in the fields with the search criteria you want to use.

Approval Type Select if you want to include all approvals, or only assignment or basic approvals.

Date Enter a date range. This will find all approvals that have been changed within the period.

Consignee Choose the button to the right of the field to open a dialog box where you can find a user you want to find approvals for. You can only find approvals for one specific user.

Approver Choose the button to the right of the field to open a dialog box where you can find an approver you want to see approvals for. You can only find approvals for one specific approver.

Assigner Choose the button to the right of the field to open a dialog box where you can find an assigner you want to find approvals for. You can only find approvals for one specific assigner.

Context Choose the button to the right of the field to open a dialog box where you can find a specific context to use as search criterion. You can only find approvals for one specific context.

Assignment Choose the button to the right of the field to open a dialog box where you can search for the role or privilege that is requested assigned. You can only search for approvals for one specific role or privilege.

4. Choose "Go".

5.10.3 Declining a Pending Approval

Provided that you have the necessary privilege, you can decline a pending approval:

1. Find the approval you want to decline either with basic or advanced search.

2. Select the approval in the list.

3. Choose "Decline".

4. Optionally, enter a reason why you are declining the approval.

5. Choose "Confirm" to complete the process.

When viewing the assignment details, you will see that the assignment request was declined.

5.10.4 Escalating a Pending Approval

Provided that you have the necessary privilege, you can escalate a pending approval. In this case, the timeout rule of the given approval task is used, so the outcome of the escalation depends on how the approval task is configured. It can either:

Decline the assignment

Escalate to the manager(s) of the approver(s)

Escalate to a new list of approvers

The behavior will be exactly as if the approval had timed out, but will be processed immediately and not wait for the given timeout.

To escalate the approval:

1. Find the approval you want to escalate either with basic or advanced search.

2. Select the approval in the list.

3. Choose "Escalate".

4. Optionally, enter a reason why you are escalating the approval.

5. Choose "Confirm" to complete the process.

The approval will be processed further according to the configuration of the approval task.

5.10.5 Exporting the Pending Approvals

The list of pending approvals can be exported to a CSV file:

1. Find the approvals either with basic or advanced search.

2. Choose "Export". The "File Download" dialog box appears.

3. Select if you want to open or save the file.

The file is either opened in a text editor or saved in the specified folder in the file system.

6 High Availability

6.1 High Availability for the Identity Center

The system landscape "XL – Production", described in the document SAP NetWeaver Identity Management Identity Center Installation overview, shows how to achieve high availability.

6.2 High Availability for the Virtual Directory Server

High availability for the Virtual Directory Server deployed on SAP NetWeaver is achieved through deploying the configuration on SAP NetWeaver. How to configure SAP NetWeaver for high availability is described in the documentation for SAP NetWeaver.

6.2.1 High Availability for Standalone Virtual Directory Server

In order to accomplish high availability for a standalone Virtual Directory Server, configure an IP switch in front of the multiple instances of the Virtual Directory Server (multiple servers) running with the same configuration. This can be used for instance in the HCM integration scenario.


7 Software Change Management

7.1 Software Change Management

How you transport a configuration from a test to a production environment is described in the document SAP NetWeaver Identity Management Identity Center Implementation guide – Transport.

7.2 Support Packages and Patch Implementation

Support packages and patches can be found in the following location:

http://service.sap.com/sp-stacks -> SP Stack Information -> SAP NetWeaver Identity Management 7.2.

7.3 Upgrading the Identity Center

This is described in the document SAP NetWeaver Identity Management Identity Center Installation overview.

7.4 Upgrading the Virtual Directory Server

This is described in the document SAP NetWeaver Identity Management Virtual Directory Server Installation and initial configuration.

There is no downtime involved in upgrading the software itself. An updated configuration can be deployed while the service is running. Updating the server software itself (SAP NetWeaver) must be done according to the documentation for SAP NetWeaver.

8 Troubleshooting

The following problem analysis scenarios are available for SAP NetWeaver Identity Management:

Identity Center: Dispatcher fails to start

Identity Center: Timeout issues

Identity Center: Insufficient dispatcher memory

Identity Center: Codepage <number> not supported by JAVA-environment

Identity Center: Error messages from jobs accessing ABAP systems

Identity Management User Interface: Java runtime exception when logging in

Identity Management User Interface: Error message about missing database columns or procedures

Virtual Directory Server: The Windows service starts, but later fails with "No driver for database"

Virtual Directory Server: Application starts, but later fails with "No driver for database"

Virtual Directory Server: Server doesn’t start

Virtual Directory Server: Configuration successfully deployed on SAP NetWeaver, but the first attempt to contact the database fails

To help in the problem analysis, you can enable entry trace if it is a specific entry you need to investigate. See section 4.5.

To help in analyzing performance problems, you can enable statement execution to see which SQL queries take a long time to execute. See section 4.6.

8.1 Identity Center: Dispatcher fails to start

8.1.1 Problem Description

The dispatcher fails to start.

8.1.2 Solution

Run the following command to verify the dispatcher configuration:

Dispatcher_Service_<dispatcher name> test checkconfig

Verify that the dispatcher finds all necessary JDBC drivers.

Run the following command to start the dispatcher in test mode:

Dispatcher_Service_<dispatcher name> test

Check for error messages from the dispatcher in the console window.

For Microsoft Windows:

Increase the log level in the dispatcher property file to get more logging.

Make sure that the JDBC connection string for the runtime engine is correct.
