Copyright 2008 SAP AG. All rights reserved. SAP Library document classification: PUBLIC
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, Excel, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. 
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Preface
The product
SAP NetWeaver Identity Center is a high-end identity management solution, capable of handling a large number of repositories containing an unlimited amount of information. The Identity Center offers a robust, flexible and scalable high-availability solution for workflow, provisioning, data synchronization and joining for a large number of data repositories. The Identity Center provides a framework for a number of jobs.
The reader
This manual is written for people who need an introduction to the workflow module of the SAP NetWeaver Identity Management Identity Center and the managing of roles and privileges.
Prerequisites
To get the most benefit from this manual, you should have the following knowledge:
- General knowledge about the Identity Center and job definitions, for instance as described in SAP NetWeaver Identity Management Identity Center Getting Started and SAP NetWeaver Identity Management Identity Center Tutorial: Basic Synchronization.
- General knowledge about provisioning and task definitions as described in SAP NetWeaver Identity Management Identity Center Tutorial Provisioning.
- Knowledge of Microsoft SQL Server or Oracle.
The following software is required:
- SAP NetWeaver Identity Management Identity Center version 7.0 or newer must be correctly installed and licensed.
- An Identity Center where at least one dispatcher has been configured and is running.
- An Identity Center Workflow web interface configured for this Identity Center and identity store.
The data source used in this tutorial (hr.csv) is included with the installation. The file is located in the \Tutorial\Data source directory. In this tutorial the default installation folder is used, which is C:\Program Files\SAP\IdM\Identity Center.
The manual
The manual is a tutorial giving an introduction to the privileges, roles and workflow functions of the Identity Center. This tutorial is not a substitution for training. Person names used in this tutorial are fictional.
Related documents
You can find useful information in the following documents:
- SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft SQL Server/Oracle)
- SAP NetWeaver Identity Management Identity Center Getting Started
- SAP NetWeaver Identity Management Identity Center Tutorial: Basic Synchronization
- SAP NetWeaver Identity Management Identity Center Tutorial Provisioning
Table of contents
Introduction (page 1)
  Roles and role-based provisioning (page 1)
  The identity store (page 2)
  Workflow (page 2)
  Access control on tasks (page 3)
  Use cases (page 3)
  Tasks, roles and privileges (page 5)
  The data source (page 8)
  The data flow and the task structure (page 9)
  Preparations (page 9)
  Section overview (page 11)
Introduction SAP NetWeaver Identity Management Identity Center Tutorial - Working with roles and privileges
Introduction
The purpose of this tutorial is to give an introduction to managing and assigning roles and privileges, and the Workflow web interface of the SAP NetWeaver Identity Management Identity Center. The tutorial shows how to create roles and privileges, and how to define mechanisms for assigning these to identity store entries using Workflow. We create Workflow tasks to create roles and manage the roles and privileges. The privileges and provisioning tasks are created directly in the Identity Center user interface.
Roles and role-based provisioning
In this tutorial, we illustrate role-based provisioning. A role hierarchy can be defined, where each role can be assigned any number of privileges. By assigning one or more roles to a user, the necessary provisioning is done automatically for this user, to grant access or set other information in the required applications. When roles are removed from a user, de-provisioning will ensure that the privileges are removed. Normally, only a limited number of roles should be defined, and these should be used to handle 80% of the privilege assignments. To handle the remaining 20%, rules should be the preferred method, although direct assignments are also possible. The use of temporary roles is also supported for cases where a role should be assigned for a limited time. A role can be defined with a time limit, and when this time limit is reached, the account is automatically de-provisioned.
The identity store
MX_PRIVILEGE - A privilege entry type that defines a privilege to a given resource, for instance access in a given system. A user can be assigned any number of privileges, either directly or as a result of roles having privileges. Assigning and removing privileges can automatically start tasks to perform provisioning and de-provisioning.
MX_ROLE - Roles can be created as a hierarchy, each role having a number of privileges. Assigning a role to a user automatically assigns all the privileges of the role to the user. In addition, any child roles and privileges are assigned to the user.
Workflow
The Identity Center's Workflow is designed and configured through a feature-rich graphical user interface and is tightly integrated with the identity store. A workflow is started every time a provisioning request is initiated. The Identity Center Workflow can be used to:
- Collect identity information from specific individuals.
- Enforce single- or multi-stage approvals from authorized personnel.
- Generate notifications to designated users when manual actions need to be performed, or report the outcome of completed tasks.
- Execute new workflow tasks (such as notifications and escalation) when pre-defined timeouts are reached.
Use cases
Two use cases are used in this tutorial: one models the physical access control in a building (workplace), and the other models a development project group with access to common (or role-specific) project resources.
Physical access control
Based on the information above, four roles are defined for this use case: ROLE:Employee, ROLE:IT, ROLE:Adm and ROLE:Manager. The defined privileges are PRIV:MainEntrance, PRIV:ServerRoom and PRIV:ArchiveRoom, which give the user access rights to the main entrance, the server room and the archives respectively.
Project resources
This use case models a typical development project group, where all group members are given access to the resources needed for the project. The resources used by the project group could be a project archive (physical or non-physical), software, a domain or other tools. To keep it simple, the project group members need access to only one project resource in this scenario: a non-physical project archive. Access to the project archive is given to users by the privilege PRIV:ProjectArchive (the only privilege defined for this use case). Six roles are defined for the use case: ROLE:Developer, ROLE:Doc, ROLE:Tester, ROLE:HeadDeveloper, ROLE:TestLeader and ROLE:ProjectLeader.
Edit role properties - This task is used to manage a role and modify information about it. Here we build the hierarchy by adding child roles, and we assign (connect) privileges to the role.
Assign role - This task is used to assign a role to a user. You can add new or remove existing role members.
Delete role - This task is used to delete a role.
Edit privilege properties - This task is primarily used to edit the privilege inheritance direction. It is also possible to add/remove role references and add a short description of the privilege.
Four provisioning tasks are also created: one for provisioning and one for de-provisioning of users for each of the two repository definitions, Building and Project. Every time a user is given a particular privilege, a file is created (containing the timestamp of when the privilege was assigned to the user) and provisioned to the respective folder:
#Building_Provisioning - This task is referenced from the Building repository definition using the attribute MX_PROVISIONTASK. The task contains the shell execute pass Add file to building folder, which creates a file containing the timestamp of when a privilege is assigned to the user and provisions it to the building folder.
#Building_Deprovisioning - This task is referenced from the Building repository definition using the attribute MX_DEPROVISIONTASK. The task contains the shell execute pass Delete file from building folder, which deletes the previously created file from the building folder.
#Project_Provisioning - This task is referenced from the Project repository definition using the attribute MX_PROVISIONTASK. The task contains the shell execute pass Add file to project folder, which creates a file containing the timestamp of when a privilege is assigned to the user and provisions it to the project folder.
#Project_Deprovisioning - This task is referenced from the Project repository definition using the attribute MX_DEPROVISIONTASK. The task contains the shell execute pass Delete file from project folder, which deletes the previously created file from the project folder.
We define ten roles in this tutorial:
ROLE:Employee - This role gives the privilege PRIV:MainEntrance.
ROLE:IT - This role gives the privilege PRIV:ServerRoom. In addition, it inherits the privilege PRIV:MainEntrance from its child role ROLE:Employee.
ROLE:Adm - This role gives the privilege PRIV:ArchiveRoom. In addition, it inherits the privilege PRIV:MainEntrance from its child role ROLE:Employee.
ROLE:Manager - This role has two child roles, ROLE:IT and ROLE:Adm, and thus inherits the privileges PRIV:MainEntrance, PRIV:ServerRoom and PRIV:ArchiveRoom.
ROLE:Developer - ROLE:Developer gives no privileges on its own, but inherits the privilege PRIV:ProjectArchive from the role ROLE:ProjectLeader.
ROLE:HeadDeveloper - This role inherits the privilege PRIV:ProjectArchive from ROLE:ProjectLeader. It has one child role, ROLE:Developer, and is a child role itself.
ROLE:Tester - ROLE:Tester gives no privileges on its own, but inherits the privilege PRIV:ProjectArchive from the role ROLE:ProjectLeader.
ROLE:TestLeader - This role inherits the privilege PRIV:ProjectArchive from ROLE:ProjectLeader. It has one child role, ROLE:Tester, and is a child role itself.
ROLE:Doc - This role inherits the privilege PRIV:ProjectArchive from ROLE:ProjectLeader. It has no child roles, but it is a child role itself.
ROLE:ProjectLeader - This role has three child roles: ROLE:Doc, ROLE:TestLeader and ROLE:HeadDeveloper. It gives the privilege PRIV:ProjectArchive.
Four privileges are defined in this tutorial:
PRIV:MainEntrance - This privilege gives the users the right to access the building (main entrance).
PRIV:ServerRoom - The privilege gives the user access to the server room. Often given to IT personnel.
PRIV:ArchiveRoom - The privilege gives the user access to the archive. Often given to the administration staff.
PRIV:ProjectArchive - This privilege gives the project members access to the common (non-physical) project archive.
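To make the two inheritance directions concrete, here is an added example (not code from the SAP tutorial) that models the role and privilege tables above in JavaScript and resolves the effective privileges of a role or a user, generalised to any hierarchy. The role and privilege names come from the tutorial; the object layout, the "bottom-up"/"top-down" labels for the default and reverse inheritance direction, and the de-provisioning delta function are assumptions of this example.

```javascript
// Added example, not part of the SAP tutorial. Models the tutorial's two role
// hierarchies and resolves effective privileges in either inheritance direction.
// Assumptions: the building hierarchy uses the default bottom-up direction (a
// parent role inherits the privileges of its child roles); the project
// hierarchy uses the reverse, top-down direction (child roles inherit the
// privileges of their parent role), as Section 8 of the tutorial describes.

// Constructed from the role table above: the privileges each role gives on
// its own, and its child roles.
const BUILDING_ROLES = {
  "ROLE:Employee": { privileges: ["PRIV:MainEntrance"], children: [] },
  "ROLE:IT": { privileges: ["PRIV:ServerRoom"], children: ["ROLE:Employee"] },
  "ROLE:Adm": { privileges: ["PRIV:ArchiveRoom"], children: ["ROLE:Employee"] },
  "ROLE:Manager": { privileges: [], children: ["ROLE:IT", "ROLE:Adm"] },
};

const PROJECT_ROLES = {
  "ROLE:ProjectLeader": {
    privileges: ["PRIV:ProjectArchive"],
    children: ["ROLE:Doc", "ROLE:TestLeader", "ROLE:HeadDeveloper"],
  },
  "ROLE:Doc": { privileges: [], children: [] },
  "ROLE:TestLeader": { privileges: [], children: ["ROLE:Tester"] },
  "ROLE:Tester": { privileges: [], children: [] },
  "ROLE:HeadDeveloper": { privileges: [], children: ["ROLE:Developer"] },
  "ROLE:Developer": { privileges: [], children: [] },
};

// Builds the inverse relation (child role -> parent roles).
function parentsOf(roles) {
  const parents = {};
  for (const [name, role] of Object.entries(roles)) {
    for (const child of role.children) {
      (parents[child] = parents[child] || []).push(name);
    }
  }
  return parents;
}

// Sorted list of privileges a role grants, following the hierarchy in the
// given direction:
//   "bottom-up": the role also gets the privileges of its descendants.
//   "top-down":  the role also gets the privileges of its ancestors.
function effectivePrivileges(roles, roleName, direction) {
  if (direction !== "bottom-up" && direction !== "top-down") {
    throw new Error(`unknown inheritance direction: ${direction}`);
  }
  const parents = parentsOf(roles);
  const next = (r) => (direction === "bottom-up" ? roles[r].children : parents[r] || []);
  const seen = new Set();
  const result = new Set();
  const stack = [roleName];
  while (stack.length > 0) {
    const r = stack.pop();
    if (seen.has(r)) continue; // guards against cycles in a malformed hierarchy
    seen.add(r);
    if (!roles[r]) throw new Error(`unknown role: ${r}`);
    roles[r].privileges.forEach((p) => result.add(p));
    stack.push(...next(r));
  }
  return [...result].sort();
}

// Union of the effective privileges of all roles assigned to a user.
function userPrivileges(roles, assignedRoles, direction) {
  const all = new Set();
  for (const role of assignedRoles) {
    effectivePrivileges(roles, role, direction).forEach((p) => all.add(p));
  }
  return [...all].sort();
}

// Privileges to de-provision when a user's role assignments change from
// `before` to `after`: only those no longer granted by any remaining role.
function deprovisionDelta(roles, before, after, direction) {
  const keep = new Set(userPrivileges(roles, after, direction));
  return userPrivileges(roles, before, direction).filter((p) => !keep.has(p));
}

console.log("ROLE:Manager (bottom-up):", effectivePrivileges(BUILDING_ROLES, "ROLE:Manager", "bottom-up"));
console.log("ROLE:Developer (top-down):", effectivePrivileges(PROJECT_ROLES, "ROLE:Developer", "top-down"));
console.log("ROLE:Developer (bottom-up):", effectivePrivileges(PROJECT_ROLES, "ROLE:Developer", "bottom-up"));
console.log("Removing ROLE:IT from an IT+Adm user de-provisions:",
  deprovisionDelta(BUILDING_ROLES, ["ROLE:IT", "ROLE:Adm"], ["ROLE:Adm"], "bottom-up"));
```

Running ROLE:Developer through the project hierarchy in both directions shows why the inheritance direction must be set per privilege: bottom-up gives the developer nothing, top-down gives PRIV:ProjectArchive.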
The data flow and the task structure
There is a job (Employees to Identity store) that reads the data from the source file hr.csv and updates the entries in the identity store. The entry type for these entries is MX_PERSON. We create four privileges (PRIV:MainEntrance, PRIV:ServerRoom, PRIV:ArchiveRoom and PRIV:ProjectArchive) that we can assign to the entries. The privileges contain links to the repository definitions, which in turn contain links to the tasks that are executed when the privilege is assigned or removed. The task structure is shown in the illustration above. There are separate task structures for each of the target repositories (the folders building and project).
Preparations
Before you proceed with the tutorial, there are a couple of things that must be specified.
Specify the name of the constant and the directory where the folders are to be stored. Make sure that the directory actually exists (create the folder Tutorial).
2. Choose "OK" to close the dialog box.
Section overview
The tutorial consists of the following sections:
Section 1: Creating the identity store - This section describes how to create the identity store and enable it for workflow.
Section 2: Building the identity store - In this section we read the contents of the file hr.csv into the identity store.
Section 3: Creating the privileges - This section shows how to create the privileges.
Section 4: Creating the provisioning tasks - This section describes how to create the tasks responsible for provisioning and de-provisioning of users.
Section 5: Creating the Workflow tasks - This section shows how to create the Workflow tasks.
Section 6: Creating the roles - In this section we create roles by executing the Workflow tasks created in the previous section.
Section 7: Use case Physical access control - In this section we learn how to assign roles and their privileges to a user, using the Workflow interface.
Section 8: Use case Project resources - This section introduces the reverse privilege inheritance direction (top-down inheritance direction). The section shows the difference between the bottom-up and top-down inheritance direction of the privileges and how to implement reverse inheritance.
A final section shows how to delete the roles we previously created.
Section 1: Creating the identity store
Enter a name for the identity store. Disable the automatic attribute creation. This option is used to control what happens when an attribute which does not exist or an attribute which is not defined as a legal attribute on an entry type is written to the identity store.
If "Automatically create new attributes" is enabled, the new attribute is created and added to the entry type. If the option is disabled, an error is returned.
3. Choose "Next >".
We will use the MX_PERSON entry type, so we do not need any additional entry types.
4. Choose "Next >" and then "Finish" to complete the wizard. The new Identity Store is created and added to the console tree:
Select "Identity store" as the authentication method. This is necessary to be able to log into the workflow.
2. Choose "Apply".
3. Choose "Add user".
Select "MX_PERSON" in the "Entry type" field. Fill in a user name and password you will use to log in to the Workflow interface.
4. Choose "OK".
Section 2: Building the identity store
Fill in the file name. To do this, click inside the "File name" field and the "" button will appear.
7. Choose "Next >", and then "Finish" to insert the new repository definition.
Modify the name of the job in the console tree. Enable the job and select a dispatcher.
3. Choose "Apply".
This job will contain two passes: one to read the source (ASCII) file hr.csv into the temporary table (tutorial_employees), and another to read from this table into the identity store. This must be done in a single job. The reason is that the first pass deletes the temporary table every time it executes, and then fills it with the data from the hr.csv file. If the second pass were a separate job (which could then run asynchronously from the first), it could start just after the table was deleted or while it was only partly filled, and would then remove the missing people from the identity store.
Enter Read Employees as the name of the pass in the console tree.
Repository: Select "Employees" in the "Repository" list.
2. Select the "Source" tab and fill in the following:
File name: Use the context menu to insert the repository constant %$rep.FILENAME% that refers to the file name.
Field separator: Enter a comma (,) as the field separator.
Header line: Make sure that "Header line" is selected.
3. Select the "Destination" tab and fill in the fields with the following values:
Database: Use the context menu to insert the system parameter %$ddm.identitycenter% that refers to the Identity Center database.
Table name: Enter tutorial_employees as the table name. Note: Do not use hyphens in table names, as this causes problems with some database drivers.
Definitions: Choose "Insert template" and select "Data source template" to create the pass definitions.
4. Choose "Apply".
Modify the pass name in the console tree.
Database: Use the context menu to insert the system parameter %$ddm.identitycenter%.
SQL statement: Enter the SQL statement that selects all rows from the table created in the previous pass (SELECT * FROM tutorial_employees;).
Identity store: Select the "PrivRoles" identity store.
Entry type: Select the entry type "MX_PERSON".
Definitions: Choose "Insert template" and select "Data source template" to insert the definitions for the pass. Modify the definition to use the attributes from the entry type. You can use the context menu to find the destination attributes. Give the attribute MSKEYVALUE the EmployeeID values, and add the attribute DISPLAYNAME constructed from the employee's first and last name (as shown above).
3. Choose "Apply".
Note: Login to Monitoring is limited to <prefix>_user. This user is by default mxmc_user, but it can be configured in config.xml (and must be configured by those using a database with a prefix other than mxmc). To configure the login user, insert the following line into the config.xml file: <databaseuser>%PREFIX%_user</databaseuser>.
2. Choose "Identity store" in the menu.
3. Select the "PrivRoles" identity store and then "Search" to return all entries in the identity store.
Fill in the fields with the following values:
Enable delta: Select this check box to enable delta on this pass.
Delta database: Use the context menu to insert the system parameter %$ddm.identitycenter% to specify that the Identity Center database is used as the delta database.
Delta identifier: Enter Employees_to_IDStore as the delta identifier. This must be unique within one delta database.
Delta key: This is automatically filled in with the value from the first line of the definitions on the "Destination" tab.
Skip unchanged entries and Mark for deletion: Make sure that both "Skip unchanged entries" and "Mark for deletion" are selected.
2. Choose "Apply".
Run the job a couple of times and view the job log. The first time the job is run after the delta is enabled, 50 entries are modified; the next time, the job detects that the entries are unmodified.
Note: The count is the total for the job, including the entries handled by the "Read Employees" pass. These entries are always included in the "Add" column, as no delta has been defined for this pass.
Section 3: Creating the privileges
Name the repository definition Building.
4. Choose "Next >", and then "Finish", to insert the new repository definition.
5. Expand the "Building" entry (under Management\Repositories) in the console tree, select "Constants" and choose New/Constant from the context menu.
Specify the name of the constant and the directory where the target repository (folder) is stored. Use the context menu to insert the constant %$glb.TUTORIAL_PATH%.
6. Choose "OK" to close the dialog box and insert the constant.
7. Repeat the same procedure to define the repository definition for the project folder. Name the repository definition Project and define a constant PATH with the value %$glb.TUTORIAL_PATH%\project.
Name: Enter the name of the privilege.
Repository: Select the correct repository definition for this privilege. By adding the repository reference to the privilege, you can re-use the tasks for other privileges controlling other folders.
2. Choose "OK" to close the dialog box and insert the new privilege.
3. Repeat the process for the privileges PRIV:ServerRoom, PRIV:ArchiveRoom and PRIV:ProjectArchive. For the PRIV:ProjectArchive privilege, select Project in the "Repository" field.
Section 4: Creating the provisioning tasks
For instance:
#Building_Provisioning
#Building_Deprovisioning
Before the provisioning tasks are created, the global JScript GetMskeyvalueFromPriv used by the provisioning tasks needs to be defined.
For instance:
3001-PRIV_MainEntrance.txt
The cleaned MSKEYVALUE of the privilege is the MSKEYVALUE with the colon (":") replaced by an underscore ("_"): for the MSKEYVALUE "PRIV:MainEntrance" the cleaned MSKEYVALUE is "PRIV_MainEntrance". The reason is that a colon (":") cannot be used in a file name. The global JScript GetMskeyvalueFromPriv is used by the provisioning tasks to obtain the cleaned MSKEYVALUE of the privilege assigned to the user. To create the script, do the following:
1. Go to Management\Global scripts and select "JScript" in the console tree.
2. Choose New/Script from the context menu.
3. Choose "OK".
Define the following script (you can copy and paste the script below and replace the template definition):
// Main function: GetMskeyvalueFromPriv
// --- This function returns the MSKEYVALUE for the privilege which caused this task
// to execute.
// Some UserFunc.uErrMsg calls are included for debugging. Remove the comment "//"
// before these calls to get the information in the log file.
function GetMskeyvalueFromPriv() {
    // get the audit ID, then the change values which hold the mskey of the privilege added,
    // then get the value of the attribute MSKEYVALUE for that entry
    // --- First get the AuditID which is currently executing
    var AuditID = UserFunc.uGetAuditID();
    // UserFunc.uErrMsg(1,"AuditID:"+AuditID);
    // --- Then get which values were changed
    // This returns "<Attribute name>:<OPERATION>;<New value>!!<Old value>"
    var ChangeValues = UserFunc.uGetChangeValues("!!",AuditID);
    // UserFunc.uErrMsg(1,"ChangeValues:"+ChangeValues);
    // --- No values returned. We're probably just doing a test
    if(ChangeValues == "") {
        return "TestRun";
    }
    // --- Split the returned value so that we get the MSKEY
    var temp = ChangeValues.split(";");
    var Values = temp[1].split("!!");
    // UserFunc.uErrMsg(1,"Values (New/Old):"+Values[0]+"/"+Values[1]);
    // --- If the privilege was deprovisioned, its MSKEY is in the old value, Values[1]
    var Val0len = UserFunc.Len(Values[0]);
    // UserFunc.uErrMsg(1,"Length of Values[0]:"+Val0len);
    var PrivAssignedMSKEY;
    if (Val0len < 1) {
        PrivAssignedMSKEY = Values[1];
    } else {
        PrivAssignedMSKEY = Values[0];
    }
    // --- Got the MSKEY of the privilege, now get the MSKEYVALUE
    var PrivMSKEYVALUE = UserFunc.uIS_GetValue(PrivAssignedMSKEY,0,"MSKEYVALUE");
    // --- Replace : with _ to make it "file-name friendly"
    var PrivMSKEYVALUEclean = UserFunc.uReplaceString(PrivMSKEYVALUE, ":", "_");
    // UserFunc.uErrMsg(1, "Returning MSKEYVALUE:" + PrivMSKEYVALUEclean);
    return PrivMSKEYVALUEclean;
}
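As an added example (not part of the SAP tutorial, and not using the Identity Center UserFunc API), the following plain JavaScript reproduces what the script and the shell execute pass do together: parse the change-value string of the audit entry, take the privilege MSKEY from the new or the old value, look up its MSKEYVALUE, and build the file name such as 3001-PRIV_MainEntrance.txt. The MSKEY numbers, the lookup table standing in for the identity store, and the MXREF_MX_PRIVILEGE attribute name with ADD/DEL operations in the sample strings are constructed here; the character whitelist in cleanMskeyvalue is an added check, not something the tutorial does.

```javascript
// Added example, not code from the SAP tutorial. Mirrors GetMskeyvalueFromPriv
// plus the file-name construction of the shell execute pass, offline.
// Assumptions: change values use the format quoted in the script,
// "<Attribute name>:<OPERATION>;<New value>!!<Old value>"; IDENTITY_STORE is a
// constructed MSKEY -> MSKEYVALUE table replacing UserFunc.uIS_GetValue; the
// attribute name and ADD/DEL operation names in the sample strings are made up.

// Constructed stand-in for the identity store (MSKEY -> MSKEYVALUE).
const IDENTITY_STORE = {
  "101": "PRIV:MainEntrance",
  "102": "PRIV:ServerRoom",
  "103": "PRIV:ArchiveRoom",
  "104": "PRIV:ProjectArchive",
};

// Same logic as the script: split on ";" then on "!!". An empty new value
// means the privilege was removed and its MSKEY sits in the old value.
function privilegeMskeyFromChangeValues(changeValues) {
  if (changeValues === "") return { testRun: true }; // script returns "TestRun"
  const parts = changeValues.split(";");
  if (parts.length < 2) throw new Error(`unexpected change value: ${changeValues}`);
  const [attribute, operation] = parts[0].split(":");
  const [newValue, oldValue = ""] = parts[1].split("!!");
  const removed = newValue.length < 1;
  return { testRun: false, attribute, operation, removed, mskey: removed ? oldValue : newValue };
}

// Replaces the colon as the tutorial does, then (added here) refuses any
// name outside a conservative character set before it reaches the
// cmd /c line of the shell execute pass.
function cleanMskeyvalue(mskeyvalue) {
  const cleaned = mskeyvalue.replace(/:/g, "_");
  if (!/^[A-Za-z0-9_.-]+$/.test(cleaned)) {
    throw new Error(`MSKEYVALUE is not file-name safe: ${mskeyvalue}`);
  }
  return cleaned;
}

// File name written (or deleted) for this user and privilege event, in the
// form "%MSKEYVALUE%-<cleaned privilege MSKEYVALUE>.txt" used by the passes.
function provisioningFileName(userMskeyvalue, changeValues, store = IDENTITY_STORE) {
  const change = privilegeMskeyFromChangeValues(changeValues);
  if (change.testRun) return "TestRun";
  const privValue = store[change.mskey];
  if (privValue === undefined) throw new Error(`unknown privilege MSKEY: ${change.mskey}`);
  return `${cleanMskeyvalue(userMskeyvalue)}-${cleanMskeyvalue(privValue)}.txt`;
}

// Constructed sample events for employee 3001: one assignment, one removal.
console.log(provisioningFileName("3001", "MXREF_MX_PRIVILEGE:ADD;101!!"));
console.log(provisioningFileName("3001", "MXREF_MX_PRIVILEGE:DEL;!!102"));
console.log(privilegeMskeyFromChangeValues("MXREF_MX_PRIVILEGE:DEL;!!102"));
```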
Deselect "Show folder in workflow", as the tasks in this folder should not be displayed in the workflow.
3. Choose "Apply".
Rename this task to #Building_Provisioning. Select the Building repository definition in the "Repository" field.
2. Choose "Apply".
Modify the job name in the console tree. Modify the job properties:
Enabled: Select this check box to enable the job to be run by a dispatcher.
Run by dispatchers: Select a dispatcher that should be responsible for running this job.
4. Choose "Apply".
5. Select "Script" in the console tree (under the job), then choose New/Link global script and select "GetMskeyvalueFromPriv" to establish the link to the global script GetMskeyvalueFromPriv.
6. Select the job and choose New/Shell execute to create a pass in the console tree.
On the "Destination" tab, add the following line to the definitions (you can use the context menu to insert the constants/attributes/scripts, or copy and paste the line below):
cmd /c echo Privilege assigned %$ddm.date% %$ddm.time% > "%$rep.PATH%\%MSKEYVALUE%-$FUNCTION.GetMskeyvalueFromPriv(???)$$.txt"
7. Choose "Apply".
Rename this task to #Building_Deprovisioning. Select the Building repository definition in the "Repository" field.
2. Choose "Apply".
3. Select the job in the console tree:
Modify the job name in the console tree. Modify the job properties:
Enabled: Select this check box to enable the job to be run by a dispatcher.
Run by dispatchers: Select a dispatcher that should be responsible for running this job.
4. Choose "Apply".
5. Select "Script" in the console tree (under the job), then choose New/Link global script and select "GetMskeyvalueFromPriv" to establish the link to the global script GetMskeyvalueFromPriv.
6. Select the job and choose New/Shell execute to create a pass in the console tree.
In the "Destination" tab, add the following line to the definitions (you can use the context menu to insert the constants, attributes and scripts, or copy and paste the line below):
cmd /c Del "%$rep.PATH%\%MSKEYVALUE%-$FUNCTION.GetMskeyvalueFromPriv(???)$$.txt"
7. Choose "Apply".
Enter "Project provisioning folder" as the name for the folder.
2. Choose "OK". The folder is included in the console tree.
Deselect "Show folder in workflow" as the tasks in this folder should not be displayed in the workflow.
3. Choose "Apply".
Rename this task to #Project_Provisioning. Select the Project repository definition in the "Repository" field.
3. Choose "Apply".
Modify the job name in the console tree. Modify the job properties:
Enabled: Select this check box to enable the job to be run by a dispatcher.
Run by dispatchers: Select a dispatcher that should be responsible for running this job.
5. Choose "Apply".
6. Select the pass in the console tree:
Rename this task to #Project_Deprovisioning. Select the Project repository definition in the "Repository" field.
3. Choose "Apply".
Modify the job name in the console tree. Modify the job properties:
Enabled: Select this check box to enable the job to be run by a dispatcher.
Run by dispatchers: Select a dispatcher that should be responsible for running this job.
5. Choose "Apply".
6. Select the pass in the console tree:
Enter the MSKEYVALUE of one of the entries in the identity store.
2. Choose "OK".
View the log as the dispatcher processes the tasks.
3. Choose "Close" to close the dialog box.
View the contents of the folder to verify that the entry has been created. Following the same procedures, you can now test the tasks #Building_Deprovisioning, #Project_Provisioning and #Project_Deprovisioning.
Troubleshooting
If any problems should occur during the execution, you can check some of the following:
Verify that the dispatcher is running and that it is enabled for provisioning jobs.
Verify that all tasks and jobs are enabled.
Verify that the job has been defined for the given dispatcher.
View the logs:
System log: Verify that the dispatcher has requested the given job.
Job log: View any error messages in the job log to see if you can find the cause of the problem.
If you need to investigate a job more thoroughly, you can specify a different log file name for the job in the "Logging" tab of the job properties. You can also deselect the check box "Reset output file" to avoid overwriting the log file each time the job is run. This can be useful when debugging a provisioning job that may be run several times in sequence.
If you need more logging info from a specific job, you can create a specific dispatcher and increase the log level in the dispatcher's .prop file. Specify that the job is to be run by this specific dispatcher. Make sure that the dispatcher is not running. To run the job, start the dispatcher from the command line with the following command:
dispatcher_service_<dispatcher name> test runonce
The job will then be run once and a detailed log file will be created.
2. Before creating the constant MX_PROVISIONTASK, which will reference the provisioning task from the repository definition, make sure that you have the correct Task ID for the provisioning task #Building_Provisioning.
Note: The Task ID is displayed in the "Task ID/Name" field of the task's "Options" tab, as shown in the picture below (circled in red).
3. Select "Constants" in the console tree and choose New/Constant from the context menu.
Enter "MX_PROVISIONTASK" as the name of the repository constant (the name of the constant must be MX_PROVISIONTASK with the exact same casing). Enter the correct Task ID for the provisioning task "#Building_Provisioning", in this case "1".
4. Choose "OK" to add the new constant to the repository definition.
5. Following the same procedure, add the repository constant "MX_DEPROVISIONTASK" (the name of the constant must be MX_DEPROVISIONTASK with the exact same casing) with its correct value (here "3"). This will define a link to the de-provisioning task "#Building_Deprovisioning".
Now we have defined links to the provisioning and de-provisioning tasks on the Building repository definition.
Section 5: Creating the Workflow tasks SAP NetWeaver Identity Management Identity Center Tutorial - Working with roles and privileges
Enter "Workflow" as the name for the folder.
2. Choose "OK". The folder is included in the console tree:
Select "Automatically expand folder" to specify that the tasks in this folder are automatically displayed when you log on to the Workflow interface.
3. Choose "Apply".
Modify the task name in the console tree. Select "Show on welcome page".
Select "MX_ROLE" as entry type and configure the attributes for the task as displayed above. Select "This task creates a new entry".
3. Choose "Apply".
4. Select the "Access control" tab and choose "Add".
Select "Logged-in user or identity store entry" in the "Allow access for" list.
Enter the name of the identity store user you added previously (admin). You can use "Check name" to ensure that the name you entered is correct and exists. This allows the "admin" user to create new roles.
5. Choose "OK". The resulting access control is displayed in the details pane:
6. Choose "Apply".
Modify the task name in the console tree. Select "Show on welcome page".
Select "MX_ROLE" as entry type and configure the attributes for the task as displayed above.
3. Choose "Apply".
4. Select the "Access control" tab and define access for the admin user as done for the previous task (Create role).
5. Choose "Apply".
Modify the task name in the console tree. Select "Show on welcome page".
2. Select the "Attributes" tab:
Select "MX_PERSON" as entry type and configure the attributes for the task as displayed above. Selecting "List in search result" for the DISPLAYNAME attribute makes the person's name appear in the Workflow search list, in addition to MSKEYVALUE (which is the employee ID).
3. Choose "Apply".
4. Select the "Access control" tab and define access for the admin user as done for the previous tasks.
5. Choose "Apply".
Modify the task name in the console tree. Select "Show on welcome page".
Select "MX_ROLE" as entry type and configure the attributes for the task as displayed above.
3. Choose "Apply".
4. Select the "Access control" tab and define access for the admin user as done for the previous tasks.
5. Choose "Apply".
To be able to actually delete a role, it is necessary to create a separate action task and job for doing this.
6. Select the task and choose New/Action task/Empty job from the context menu.
The task and the job are inserted in the console tree.
7. Select the job in the console tree:
Enable the job and select the dispatcher to run the job.
8. Choose "Apply".
9. Select the job and choose New/To Identity store from the context menu.
In the "Destination" tab do the following:
Select "-- Self --" in the "Identity store" field. This is to optimize the export/import.
Select the MX_ROLE entry type in the "Entry type" field.
Modify the definitions as shown above (add MSKEYVALUE and changeType). Use the context menu to insert these.
10. Choose "Apply".
Modify the task name in the console tree. Select "Show on welcome page".
Select "MX_PRIVILEGE" as entry type and configure the attributes for the task as displayed above.
3. Choose "Apply".
4. Select the "Access control" tab and define access for the admin user as done for the previous tasks.
5. Choose "Apply".
All Workflow tasks are now created. The next step is to create the roles using the Workflow user interface.
Section 6: Creating the roles SAP NetWeaver Identity Management Identity Center Tutorial - Working with roles and privileges
3. Choose "Login".
You are now logged in as the admin user and are able to execute the Workflow tasks.
Enter "ROLE:Employee" as the role's unique ID (and a short description of the role if you wish).
2. Choose "OK" to create the role. You return to the task list. When the task completes successfully, the progress indicator turns green.
Note: You might have to press the "Refresh" button before the progress indicator turns green. If the indicator still doesn't turn green, check that your dispatcher is running.
3. Repeat this until you have created all roles.
In the Identity Center user interface (Identity store metadata\Roles), you can observe the roles you just created:
Section 7: Use case Physical access control SAP NetWeaver Identity Management Identity Center Tutorial - Working with roles and privileges
Add the link between the roles and the privileges. Assign roles, and thereby privileges, to the identity store entries. In the previous sections, you have created both the privileges and the roles needed.
2. Choose "Search".
6. Choose the "Add" button to the left of ROLE:Employee to add the role to the child role list.
7. Choose "OK".
The role ROLE:Employee is added as the child role of the role ROLE:Adm.
8. Choose "OK" to confirm and complete the task. You return to the task list. When the task completes successfully, the progress indicator turns green.
9. Repeat the steps for the other roles to complete the hierarchy:
Role name      Defined child roles
ROLE:IT        ROLE:Employee
ROLE:Manager   ROLE:Adm, ROLE:IT
In the Identity Center (Identity store metadata\Roles), you can observe the role hierarchy you just built:
2. Choose "" to assign privileges and then choose "Search" to list all privileges.
4. Choose "OK".
The privilege PRIV:MainEntrance is added to the role ROLE:Employee.
5. Choose "OK" to confirm and complete the task. You return to the task list. When the task completes successfully, the progress indicator turns green.
6. Repeat the steps for the other roles:
To the ROLE:IT role, add the privilege PRIV:ServerRoom.
To the ROLE:Adm role, add the privilege PRIV:ArchiveRoom.
4. Choose "" to define role(s) and then choose "Search" to list all roles available.
6. Choose "OK".
7. Choose "OK" to complete the task and assign the role. You return to a task list. When the task completes successfully, the progress indicator turns green.
Now you can open the building folder and observe that the user "3001" is given the privilege PRIV:MainEntrance and provisioned to the folder.
8. Repeat the process for the other roles, provisioning to the building folder:
Entry          Role
Entry "3002"   ROLE:IT
Entry "3003"   ROLE:Adm
Entry "3004"   ROLE:Manager
The result is the following:
Entry "3002" has two privileges: PRIV:ServerRoom from the role ROLE:IT and PRIV:MainEntrance inherited from the role ROLE:Employee.
Entry "3003" has two privileges: PRIV:ArchiveRoom from the role ROLE:Adm and PRIV:MainEntrance inherited from the role ROLE:Employee.
Entry "3004" has three privileges, all inherited from the roles lower in the hierarchy: PRIV:MainEntrance inherited from the role ROLE:Employee, PRIV:ServerRoom inherited from the role ROLE:IT and PRIV:ArchiveRoom inherited from the role ROLE:Adm.
This will provision the entries to the building folder:
2. Select one of the entries you previously assigned a role to, entry "3001" for instance.
Choose "Search" under the "Assignments" (on the right side of the pane) to list all roles this entry already is a member of.
to do so).
5. Choose "OK".
6. Choose "OK" to confirm and complete the task, which will remove the link between the user and the role, and thus remove the privilege PRIV:MainEntrance. You return to the task list. When the task completes successfully, the progress indicator turns green.
Now open the building folder and observe that the user was de-provisioned (removed) from the folder.
Section 8: Use case Project resources SAP NetWeaver Identity Management Identity Center Tutorial - Working with roles and privileges
The use case Project resources, however, illustrates the reverse privilege inheritance direction (top-down). The privilege PRIV:ProjectArchive, assigned to the role ROLE:ProjectLeader, will be inherited downwards by all the child roles in the tree until every role member has the privilege.
Use the same procedure as when building the role hierarchy for the use case Physical access control, shown on page 66.
3. Select "PRIV:ProjectArchive".
4. Choose "" to define role with reverse inheritance and choose "Search" to list all roles available.
6. Choose "OK".
7. Choose "OK" to confirm and complete the task. You return to the task list. When the task completes successfully, the progress indicator turns green.
Now you have implemented the reverse inheritance direction of the privilege PRIV:ProjectArchive.
Use the same procedure as when provisioning users in the use case Physical access control, shown on page 73.
Section 9: Deleting roles SAP NetWeaver Identity Management Identity Center Tutorial - Working with roles and privileges
2. Select the role "ROLE:ProjectLeader" (you can select any role to delete, but here we select the role "ROLE:ProjectLeader").
3. Choose "OK" to confirm and complete the task, which will delete the role. You return to the task list.
Deleting the role ROLE:ProjectLeader will also delete the privilege given to the role. This results in de-provisioning of all users that lost the privilege (all users that were added in the previous section):
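Sections 7, 8 and 9 rely on three things the identity store does for you: bottom-up inheritance (a parent role such as ROLE:Manager holds every privilege of its child roles), reverse inheritance (PRIV:ProjectArchive flows down from ROLE:ProjectLeader to its child roles), and the provisioning or de-provisioning that follows when a role link is removed or a role is deleted. The JavaScript below is an added example, not SAP code and not the tutorial's own configuration: it models those objects in memory and computes each entry's effective privileges, reproducing the results the tutorial lists for entries 3001 to 3004, and reports which privileges the repository's MX_PROVISIONTASK and MX_DEPROVISIONTASK would be asked to provision or de-provision after a change. ROLE:ProjectMember and entry 3005 are constructed for the example, because the tutorial does not name the child roles of ROLE:ProjectLeader; all function names are the example's own.

```javascript
// Added example, not SAP code: an in-memory model of the role hierarchy,
// privilege assignments and role memberships used in Sections 7 to 9.
// Entries 3001-3004 and the ROLE:/PRIV: names are the tutorial's;
// ROLE:ProjectMember and entry 3005 are constructed for this example.

// parent role -> child roles, as built with the "Add child role" task
const childRoles = {
  "ROLE:Employee": [],
  "ROLE:Adm": ["ROLE:Employee"],
  "ROLE:IT": ["ROLE:Employee"],
  "ROLE:Manager": ["ROLE:Adm", "ROLE:IT"],
  "ROLE:ProjectLeader": ["ROLE:ProjectMember"], // constructed child role
  "ROLE:ProjectMember": [],
};

// role -> privileges assigned directly to it. reverse:true marks a privilege
// added with "define role with reverse inheritance" (Section 8).
const rolePrivileges = {
  "ROLE:Employee": [{ priv: "PRIV:MainEntrance", reverse: false }],
  "ROLE:IT": [{ priv: "PRIV:ServerRoom", reverse: false }],
  "ROLE:Adm": [{ priv: "PRIV:ArchiveRoom", reverse: false }],
  "ROLE:ProjectLeader": [{ priv: "PRIV:ProjectArchive", reverse: true }],
};

// entry MSKEYVALUE -> roles assigned with the "Assign role" task
const entryRoles = {
  "3001": ["ROLE:Employee"],
  "3002": ["ROLE:IT"],
  "3003": ["ROLE:Adm"],
  "3004": ["ROLE:Manager"],
  "3005": ["ROLE:ProjectMember"], // constructed entry
};

// All roles reachable from `role` by repeatedly applying `next`.
// The visited set also stops the walk if the hierarchy ever contains a cycle.
function reachable(role, next) {
  const seen = new Set();
  const stack = [role];
  while (stack.length > 0) {
    for (const r of next(stack.pop())) {
      if (!seen.has(r)) { seen.add(r); stack.push(r); }
    }
  }
  return seen;
}

const childrenOf = (role) => childRoles[role] || [];
const parentsOf = (role) => Object.keys(childRoles).filter((p) => childRoles[p].includes(role));

// Effective privileges of a role: its own, the ordinary privileges of every role
// below it (bottom-up, Section 7) and the reverse-inheritance privileges of
// every role above it (top-down, Section 8).
function rolePrivilegeSet(role) {
  const result = new Set();
  for (const p of rolePrivileges[role] || []) result.add(p.priv);
  for (const below of reachable(role, childrenOf))
    for (const p of rolePrivileges[below] || []) if (!p.reverse) result.add(p.priv);
  for (const above of reachable(role, parentsOf))
    for (const p of rolePrivileges[above] || []) if (p.reverse) result.add(p.priv);
  return result;
}

// Sorted list of the privileges an entry holds through all of its roles.
function entryPrivileges(mskeyvalue) {
  const all = new Set();
  for (const role of entryRoles[mskeyvalue] || [])
    for (const p of rolePrivilegeSet(role)) all.add(p);
  return [...all].sort();
}

// What the repository's MX_PROVISIONTASK / MX_DEPROVISIONTASK would be asked
// to do when an entry's privilege list changes from `before` to `after`.
function provisioningDelta(before, after) {
  return {
    provision: after.filter((p) => !before.includes(p)),
    deprovision: before.filter((p) => !after.includes(p)),
  };
}

// "Remove role" task (Section 7): unlink the role and report what changes.
function removeRoleFromEntry(mskeyvalue, role) {
  const before = entryPrivileges(mskeyvalue);
  entryRoles[mskeyvalue] = (entryRoles[mskeyvalue] || []).filter((r) => r !== role);
  return provisioningDelta(before, entryPrivileges(mskeyvalue));
}

// "Delete role" task (Section 9): the role, its privileges and its place in the
// hierarchy disappear; returns entry -> privileges to de-provision.
function deleteRole(role) {
  const before = {};
  for (const e of Object.keys(entryRoles)) before[e] = entryPrivileges(e);
  delete rolePrivileges[role];
  delete childRoles[role];
  for (const p of Object.keys(childRoles)) childRoles[p] = childRoles[p].filter((c) => c !== role);
  for (const e of Object.keys(entryRoles)) entryRoles[e] = entryRoles[e].filter((r) => r !== role);
  const affected = {};
  for (const e of Object.keys(entryRoles)) {
    const lost = provisioningDelta(before[e], entryPrivileges(e)).deprovision;
    if (lost.length > 0) affected[e] = lost;
  }
  return affected;
}
```

With the tutorial's data, entryPrivileges("3004") returns PRIV:ArchiveRoom, PRIV:MainEntrance and PRIV:ServerRoom although ROLE:Manager has no privilege of its own, and entry 3005 holds PRIV:ProjectArchive purely through reverse inheritance; deleteRole("ROLE:ProjectLeader") then reports 3005 as the entry to de-provision, which is the effect Section 9 describes. The delta computed here is what you would compare against the contents of the Building or Project folder when verifying that provisioning and de-provisioning ran as expected.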