periodic table for sap idm - roiable.com · the java-based modules of sap. the ide was always based...
TRANSCRIPT
R O I A B L E / / 2 0 1 9
Dpi At AuCoLmSu
Uid
ROIABLE Periodic Table of SAP IdM
Sst
Dt H Ea Ss Os Dq
Cp Re At Va Hjp M
Dbp Rh Q A An Sh Az Pw De Ex Rd
Lta Ma Ast Ids Gr Sr Cx Fu Rp Tp Ate 2fa Idp Idl Gp
Aon Rlt Tt Ac Dg Io Y Yv En Ar Tsl Sv Lu Di
T L Sta Mr
So Api Vd Pr Sq Ue Cu Sl Si R1 Sp Js X R2 Oa
Cn Ad Hr Hl Iag Im Sy G Ne Cs Fi Hc Ias Ips Cc
Id
user experience
building blocks
HR actions
common terms
technical terms
landscape
security
others
compliance
HR terms
master data
short name
element numbersymbol
Identity
main processes
IdIdentity
Mass actions
PPrivilege Admin
ScSource
TgTargetQueue
JbJob
DsDispatcher
AgAssign-ment Access
WrfWorkflow
UUser Asset
Identity store Group
BrBusiness
role Script Context Repository
AccountUnique identifier
Dynamic group
Initial load MSKEY
AttAttribute
FForm
EtEntry type
MSKEY-VALUE
Staging area
Manual repository
System users
ApAttribute mapping
Line manager
RoRole owner
ArAutomated repository
RcReconciliation Constants
SSO API VDS Protocol SQL UME CUA SAML SCIM REST v1 SOAP JSON XML REST v2 OAUTH
ConnectorActive
directoryHR
systemHybrid
landscape IAG IAM System GRCSAP
NetWeaverCloud
systemsSAP Fiori
Heterogeneous landscape IAS IPS
SAP Cloud Connector
Developer studio
DbDatabase
Database procedure
IpkIdM
package
Add-on
IcpIdM
components
Hire
Change position
Re-hire
Long-term absence
Return fromabsence
Termination
Self-service
WdWeb
Dynpro
UxUser
experience
UiUser
interface Validations
Derivations
Emergency access
Authentication
AuthorizationPassword
management
2-factor authentication
Identity provider
Service provider
PiProvisioning
De-provisioning
Reports
Scheduling
Transport Attestation
Emailnotification Archiving Translation
SdSegregation
of duties
RaRisk
analysis Audit trailAuthorization
matrix
Organizational structure
HR job/ position
External
Identity lifecycle
Lock/unlock
Single source of truth
Dataquality
Monitoring
Roledesign
GDPR
Dataintegrity
Future actions
StSearch results
ClContainersand leaves
QnQualified
name
AlAccess control
RsReferences
DlDelta
MiMitigation
PsPasses
EvTkTasks Events
EyEncryption
R O I A B L E / / 2 0 1 9
WorkflowIn SAP IdM context workflow is used mainlyto control the sequence of tasks within acertain process. For example, what shouldhappen if a certain task finishes with anerror, or what should be the next step incase of a successful approval of pendingassignment.Workflows are designed within the mainIdM tool Developer Studio. They havebeen recently enhanced in version 8.0, butstill lack certain capabilities and theflexibility of a modern workflow tool. Such,however, can be easily integrated tosupport more complex scenarios includingintegration of ticketing systems.
The way a particular type of work isorganized to achieve a repeating businessgoal or in other words, the order of stages ina work process. Workflows can use differentkind of notations to depict their flow andsequence of operations. Normally workflowsprocess set(s) of data. The data beingprocessed determines the type of theprocess approval, enrichment, creation,etc.
UxUser
experience
SsSelf-service
request
DtDeveloper
studio
UiUser
interface
selected element
generaldefinition
SAP IdMcontext
element name
related elements(clickable)
back to overview
R O I A B L E / / 2 0 1 9
WorkflowIn SAP IdM context workflow is used mainlyto control the sequence of tasks within acertain process. For example, what shouldhappen if a certain task finishes with anerror, or what should be the next step incase of a successful approval of pendingassignment.Workflows are designed within the mainIdM tool Developer Studio. They havebeen recently enhanced in version 8.0, butstill lack certain capabilities and theflexibility of a modern workflow tool. Such,however, can be easily integrated tosupport more complex scenarios includingintegration of ticketing systems.
The way a particular type of work isorganized to achieve a repeating businessgoal or in other words, the order of stages ina work process. Workflows can use differentkind of notations to depict their flow andsequence of operations. Normally workflowsprocess set(s) of data. The data beingprocessed determines the type of theprocess approval, enrichment, creation,etc.
UxUser
experience
SsSelf-service
DtDeveloper
studio
TkTasks
R O I A B L E / / 2 0 1 9
Single source
of truth
SSOT is fundamental for SAP IdM, since thesystem is seen as the all-seeing-eye ofevery landscape and it comes quitenaturally to be aware of every bit ofinformation that runs across it. During thedesign phase it should be taken intoconsideration how SAP IdM can become theSSOT for the organization not only in termsof access/privileges, but also when itcomes to employee/externals master data.Second, but not less important is whenSSOT is established to keep it intact. This isnot always easy, especially if edit mode isstill enabled in the target systems, forwhich SAP IdM is seen as master.
The single source of truth, shortly SSOT, isthe practice of structuring informationmodels and associated data schemas insuch a way that every data element ismastered (or edited) in only one place. Inother words SSOT is a concept that anorganization can apply as part of itsinformation architecture to ensure thateveryone in the organization uses the samedata when making business decisions.
DiData
integrity
ExExternal
TgTarget
DqData
quality
R O I A B L E / / 2 0 1 9
Developer
studio
Developer studio is the design-time tool forSAP IdM. Most of the artifacts can becreated and maintained only there,including forms, processes, entry types, idmpackages, etc.The studio replaces the outdated console,which was available with releases prior toSAP IdM 8.0.It is important to keep the patch level of theSAP IdM plug-in for Developer studioaligned with the patch levels of the otherrelevant SAP IdM components to avoid anycross-component communication issues.Developer studio is using the attached SAPNetWeaver UME for authentication.
Developer studio is an integrateddevelopment environment (IDE) for most ofthe Java-based modules of SAP. The IDEwas always based on Eclipse releases, butonly since the recent releases it is utilizingclean Eclipse builds and implementing theconcept of plug-ins, which delivers theneeded toolset for developing variousenterprise applications like BPM, BRM, PI,Portal, SAPUI5, etc.
IcpIdM
components
UeUME
AzAuthorization
NeSAP
NetWeaver
R O I A B L E / / 2 0 1 9
The hiring process in SAP IdM contextnormally starts in the moment when a newemployee is registered in thehuman resources management system (e.g.SAP HR, SuccessFactors, etc.). During thatprocess, the new employee is registered forthe first time in SAP IdM and receives theirunique identifier and pre-defined accessaccording to their job position. To speed upthe process of onboarding, it is a goodpractice to run certain processes before theactual hire date, in order for the employeeto be be fully empowered to do their job onDay One. Such process could be theassignment of a hardware (laptop, mobiledevice) to the new employee.
Hire is an HR process of reviewingapplications, selecting the rightcandidate(s), assessing them and choosingbetween them to make the hiring decision.Selected candidates are sent an offer, that ifaccepted, starts an internal company hiringprocedure. Last, but not least it triggers anonboarding process that should enable thenew employee to fulfill their job according tothe job definition.
Hire
FuFuture actions
HrHR
system
HjpHR job/ position
IdlIdentity lifecycle
R O I A B L E / / 2 0 1 9
Emergency access is equally important in IT.Imagine a breach or a critical bug that hasjust occurred in a productive system and isobstructing your business of functioningcorrectly. Thousands, if not millions ofdollars could be potentially running downthe drain and this must be stoppedimmediately. The worst thing that couldhappen is if your most skilled rescuepersonnel has the proper knowledge tosolve the problem but does not have theneeded access to actually put the solutionto work. SAP IdM can provision the neededaccess just for the needed time interval.Proper monitoring of all actions can befacilitated with SAP GRC.
Emergency access is critical during whencrisis happens. For example, during fire,timing and quick response are essential tosave lives and property. Effective emergencyaccess ensures that fire trucks can reach abuilding in time to extinguish the fire.Pertinent facilities and equipment remainavailable and unobstructed at all times toensure effective fire detection, evacuation,suppression, and response.
Emergency
access
GGRC
AtAuthentication
AzAuthorization
RaRisk
analysis
R O I A B L E / / 2 0 1 9
After the onboarding process has beenfinished and the initial employee privilegesand roles based on their position have beenassigned comes a time, when additionalaccess for a side project is needed. Suchaccess can be requested by the employeeusing self-service. Other self-service taskscould include password change, change ofown master data or even some customtasks defined during the implementation.The self-service process is vital for SAP IdM,since it removes the burden of IT takingcare of everything and gives the control inthe hands of the end users.
Self-service is a type of electronic support(e-support) that allows customers andemployees to access information andperform routine tasks over the network,without requiring any interaction with arepresentative of an enterprise. In otherwords self-service means offering customersand employees tools and information sothey can find answers to their questions andhave a better experience with a product orservice.
Self-service request
Self-service
UxUser
experience
UiUser
interface
FiSAP Fiori
WdWeb
Dynpro
R O I A B L E / / 2 0 1 9
SAP IdM utilizes the Web Dynpro Javatechnology for its standard user interfaces.The interesting thing here is that WebDynpro forms are generated from scratchusing a form configuration in DeveloperStudio. This makes the approach extremelyflexible and easy to adapt.Unfortunately, Web Dynpro is already quiteoutdated as web technology. That is thereason why, more and more, you would seeSAPUI5 as leading UI technology for newapplications, even such running on SAPIdM. Thankfully, there are many frameworksavailable that transform the standard UI ofSAP IdM into a more appealing Fiori UI.
Web Dynpro (WD) is a proprietary webapplication technology developed by SAP SEthat focuses on the development of server-side business applications. One of its maindesign features is that the user interface isdefined in an entirely declarative manner.Web Dynpro applications can be developedusing either Java (Web Dynpro for Java,WDJ or WD4J) or ABAP (Web Dynpro ABAP,WDA or WD4A) flavor.
Self-service request
Web Dynpro
DtDeveloper
studio
FiSAP Fiori
UxUser
experience
UiUser
interface
R O I A B L E / / 2 0 1 9
SAP IdM was acquired by SAP at the timewhen SAPUI5 had not seen light yet. Thishas determined the UI course for theproduct Web Dynpro. Already building thefirst UI for the product was a challenge, somigrating it from one UI technology toanother was out of the question. The userexperience topic is pretty much influencedby the web appearance of the product, butthere are also other aspects where muchcan be expected. This really niche topic isthankfully addressed by a number of add-ons that exist, which help raise the productadoption and popularity among end users.
User experience refers to the singular andaccumulated experiences that occur forusers as a consequence of them interactingwith an object in a given context. True userexperience goes far beyond givingcustomers what they say they want orproviding checklist features. Providing high-quality user experience includes services ofmultiple disciplines, including engineering,marketing, graphical and industrial design,and interface design.
Self-service request
User experience
UiUser
interface
WdWeb
Dynpro
FiSAP Fiori
WrfWorkflow
R O I A B L E / / 2 0 1 9
The organizational structure of theenterprise plays a very important roleduring the design and implementation of anSAP IdM system. A lot of information can bederived from the way the structure isdefined. For example line manager rulescan be extracted from the org. structure andassigned automatically in IdM. This wouldalso automate any changes that mightappear e.g. a manager leaving thecompany would automatically re-assign allexisting employees to the new manager.Additionally systems like Active Directorycould be directly dependent on the org.structure, thus making it a key componentduring provisioning and de-provisioning.
Organizational structure is a system used todefine hierarchy within an organization. Itidentifies each job, its function and where itreports to within the organization. Thisstructure is developed to establish how anorganization operates and to assist inobtaining its goals to allow for futuregrowth. Such structure is illustrated usingan organizational chart.
Organizational
structure
PiProvisioning
DpiDe-
provisioning
LmLine
manager
AdActive
directory
R O I A B L E / / 2 0 1 9
As any other system dealing with importantemployee data, SAP IdM makes noexception in terms of data quality metrics.Especially if the concept of SSOT (SingleSource Of Truth) is implemented, then thesystem is regarded as the master for anyinformation related to the identities thatreside in it. Any kind of inconsistency whenit comes to the accuracy, completeness,reliability, relevance or actuality of the datacan be categorized as a critical issue.Therefore, one of the most importantaspects during the design andimplementation of the system is to makesure that data quality is always preserved .
Data quality is a perception or anassessment of data's fitness to serve itspurpose in a given context. The quality ofdata is determined by factors such asaccuracy, completeness, reliability,relevance and how up to date it is. As databecomes more intricately linked with theoperations of organizations, the emphasison data quality gains greater attention.
Data quality
SstSingle source
of truth
DiData
integrity
IdIdentity
GpGDPR
R O I A B L E / / 2 0 1 9
The database is the most importantcomponent of an SAP IdM system. There isa simple explanation to that everyimportant piece of information from theconfiguration of the display forms, throughthe assignment of the privileges, the audittrail, the values, the logs, even thingsinvisible to the human eye are persistedin the IdM database. In case of a disasterit is absolutely essential to ensure that youhave a recent backup of the database torestore operations as fast as possible.Although being a relational database, SAPIdM DB is offering a serious amount offlexibility due to its column-based tablesstructure.
A database is a collection of informationthat is organized so that it can be easilyaccessed, managed and updated. Computerdatabases typically contain aggregations ofdata records or files, containing informationabout transactions or interactions withspecific counterparts. Databases varyaccording to their structure and internaloperations e.g. Relational DB, In-memoryDB, noSQL DB, etc.
Database
IcpIdM
components
PPrivilege
AgAssign-ment
AtAudit trail
R O I A B L E / / 2 0 1 9
The change position process within SAPIdM is one of these having the leaststandardization. This is because everyenterprise has its own internal proceduresabout how things should happen duringsuch an organizational change. Some preferhard conditions e.g. remove all previousaccess from the old position, assign newaccess for the new position, while othersprefer a more smooth transition, where theemployee would still have access to theirold roles/privileges for a certain period oftime so they can coach or help a potentialnew signing with their tasks on the newposition until they are able to perform ontheir own.
Change position is an HR process thathappens whenever an employee is movingfrom one department to another within theorganization or changes their jobdescription due to internal reorganization intheir department. Often position changesare directly related to the way an employeemoves on their career ladder. This might ormight not be associated to any pay raise ormore responsibilities.
Change position
WrfWorkflow
PiProvisioning
DpiDe-
provisioning
AAccess
R O I A B L E / / 2 0 1 9
Reporting within SAP IdM plays animportant role in informing the securityowners on how the system is performing itsjob, whether any adjustments are neededand of course if any inconsistencies existthat need addressing.Reports are often requested by auditors totrace assignments of critical privileges toindividuals. Those should include thereason why the access was requested andthe belonging approvals that led to theactual assignment.SAP BW and Lumira have establishedthemselves as the standard reporting toolsfor SAP IdM. Overnight jobs sync the data tothose tools and reports are generated there.
A document (electronic/paper) containinginformation organized in a narrative,graphic, or tabular form, prepared on adhoc, periodic, recurring, regular, or asrequired basis. Reports may refer to specificperiods, events, occurrences, or subjects,and may be communicated or presented inoral or written form. Reports are oftenfollowing a specific format depending on theaudience to which they will be presented.
Reports
JbJob
DqData
quality
AAccess
DiData
integrity
R O I A B L E / / 2 0 1 9
Although authentication is not carried outdirectly by SAP IdM, the system has animportant role in the process, whichprecedes the authentication itself.Alongside IdM, SAP is also delivering anidentity provider service that could actuallycarry out the authentication. The IdP isrunning on SAP NetWeaver Java andsupports SAML 2.0 assertion authenticationrequests. Logically, in order to verify anidentity, it should first know of its existence.Check is done against the underlying UMEof SAP NW. Here comes the role of SAP IdMthat should provision the user to therespective UME before an authenticationrequest is started.
Authentication is the process of determiningwhether someone or something is, in fact,who or what it declares itself to be.Authentication technology provides accesscontrol for systems by checking to see ifuser's credentials match the credentials in adatabase of authorized users or in a dataauthentication server. The process onlyverifies the identity but does not provide anyexplicit privileges/roles checks.
Authentication
IdpIdentity provider
SlSAML
NeSAP
NetWeaver
UeUME
R O I A B L E / / 2 0 1 9
SAP IdM standard user interface relies onWeb Dynpro. An UI technology that is long-time outdated, unintuitive and mobile un-friendly. Unfortunately, replacing thestandard UI with another technology is nota trivial task due to the high complexity andflexibility of the current user interface.Following the configurations of the IdM UIforms, the runtime UI is renderingrespective fields, entry types andassignments on the screen. The selectedapproach, although smart, makes the re-creation of the UI a tough task. Thankfully,SAP partner companies have found a way tobreak the tradition and generate fullyfunctional SAPUI5 interfaces.
In IT, the user interface (UI) is everythingdesigned into an information device that aperson may interact with. This can includedisplay screens, keyboards, a mouse and theappearance of a desktop/tablet/mobile. It isalso the way through which a user interactswith an application or a website. The UI isone of the components that has a directimpact on the user experience of thecomplete product/solution.
Self-service request
User interface
UxUser
experience
WdWeb
Dynpro
FForm
EtEntry type
R O I A B L E / / 2 0 1 9
Due to the complexity and flexibility of theSAP IdM solution, validations are builtthroughout its user interactions to ensureerror-free input and illogical operations.Although the validations give a helpinghand, they do not show you oneto do a certain thing, neither would theyobject if you try to create an endless loop ofconnected jobs.The human factor in implementing SAP IdMstill cannot be neglected and therequirements of the companies are onlygetting more complex. That is whysometimes it is necessary to build your ownvalidations that make sure the system runsstable and according to the specifications.
Assessment of an action, decision, plan, ortransaction to establish that it is correct,complete, being implemented (and/orrecorded) as intended and delivering theplanned outcome. Validations can beautomated, manual or guided. Clearly, it ispreferable to implement fully automatedvalidations to simplify the input of the enduser, but this is not always possible. In thosecases it is considered a good practice to atleast provide a guide on how the end usercan perform a manual validation.
Self-service request
Validations
UxUser
experience
DeDerivations
JbJob
SsSelf-service
R O I A B L E / / 2 0 1 9
At the end an HR job/position can bebroken down to the attributes that aremaintained in the human resourcesmanagement system. For example if anemployee has to work in a certain plant,then the plant number will be assigned totheir personnel record giving indicationabout the above. A close analysis of the HRrecord of each employee can give us a lot ofvaluable information, which can be put towork with SAP IdM. Using an AuthorizationMatrix it is possible to create a mappingbetween important attributes of theemployee and the access that they need inorder to carry out their duties according tothe HR job/position they currently have.
An HR job/position is a written narrative thatdescribes the general tasks, or other relatedduties, and responsibilities of an employee.It may specify the functionary to whom theposition reports, specifications such as thequalifications or skills needed by the personin the job, information about the equipment,tools and work aids used, workingconditions, physical demands, and a salaryrange.
HR
job/position
OsOrganizational
structure
AuAuthorization
matrix
HrHR
system
AttAttribute
R O I A B L E / / 2 0 1 9
Since SAP IdM is relying for its operation onthe underlying database, it is quite clearthat one of the main monitoring targets forthe system would be exactly the databaseitself. However, metrics like throughput,remaining free table space, buffers state,speed of SQL query execution, etc. may notprovide answers to questions like why myprovisioning runs slow, why is my SAP IdMsystem at a standstill, etc. Those can onlybe answered if important parameters in theIdM specific tables are monitored andproper thresholds are established.Thankfully, you do not need to know allthose, since several companies are alreadyproviding a solution to the problem thatruns out-of-the-box.
Supervising activities in progress to ensurethey are on-course and on-schedule inmeeting the objectives and performancetargets is defined as Monitoring. In ITmonitoring is regarded as low-qualified, buthigh-importance task. Sometimes thiscontradiction is leading to false alarms or inthe worst case late notification to morequalified personnel. For a proper monitoring,it is critical to monitor the correct controlsand have a proper automated notification inplace.
Monitoring
DbDatabase
AonAdd-on
PiProvisioning
SqSQL
R O I A B L E / / 2 0 1 9
It is no wonder that in a database-drivensolution, such as SAP IdM, databaseprocedures play an extremely important part.Repeatable operations that run on DB level areimplemented as procedures to simplify andstreamline the product development. However,this comes at a cost. The product supportsvarious database vendors and those do nothave an aligned SQL language syntax. Thismeans that procedures should be written asgeneric as possible and the result issometimes complex and hard to understandSQL statements. On top comes the fact thatthe same DB was used for previous releaseslike 7.2. So old and new database proceduresshould live next to each other in harmony.Easy, right!?
A stored procedure is a set of StructuredQuery Language (SQL) statements with anassigned name that are stored in a relationaldatabase management system as a group,so it can be reused and shared by multipleprograms.Stored procedure can access or modify datain a database, but it is not tied to a specificdatabase or object, which offers a number ofadvantages.
Database
procedure
DbDatabase
SqSQL
R O I A B L E / / 2 0 1 9
A re-hire process is not the most commonHR action that happens in one companyand therefore it is often neglected duringthe implementation of SAP IdM. However,due to its complexity, automating exactlythis process can avoid a lot of headacheslater. Although often compared with a hire,the re-hire process has its own specificsand those must be obeyed. For example, areturning employee has already an existingrecord within SAP IdM and there would beno need to generate a new unique identifier,but maybe the person has married andwould require a new email address andtheir new position maybe requires newsystem provisioning.
Re-hire is an HR process of an exemployee/external returning to thecompany, where they used to work before.The employee most often is recovering theirprevious employee id and record, whilebeing assigned new job position,responsibilities and chain of command.Apart from the above differentiation, a re-hire process is much like a regular hire fromHR perspective.
Re-hire
HrHR
system
HHire
PiProvisioning
UidUnique identifier
R O I A B L E / / 2 0 1 9
SAP IdM is an asynchronous processingsystem and as such it needs to have anorder in which it should process its workitems. As mostly everything, this order isstored and determined on database level.Unfortunately, it is not very easy to predictthe exact sequence in which jobs will beexecuted. Even though in version 8.0 it isnot recommended to start more than onethread of your dispatcher, it is still hard tosay which job/task will follow.When executing processes, synchronizationcan be achieved using thatwait for all child processes spawn from theparent to finish before continuing. This isapplicable on entry level.
A queue is a list of work items that areawaiting to be processed. When a job issent to a queue, it is simply added to the listof jobs. Computer programs often work withqueues as a way to order tasks. Forexample, when the CPU finishes onecomputation, it will process the next one inthe queue. Often queues might havepriorities that distort the sequential order ofthe processing, where higher prioritizeditems are processed first.
Queue
JbJob
WrfWorkflow
DsDispatcher
DbDatabase
R O I A B L E / / 2 0 1 9
The units that need to be executed withinone job are known as passes in SAP IdM.There are two main categories of passesto- and from-passes. Both can be configuredin different setups to read/write data bothfrom source/target repositories, atemporary database table or the IdentityCenter database itself. This makes themextremely useful for any kind of task andonce we add also the complex possibilitiesfor scheduling and nesting, the jobsbecome one of the main building blocks ofany SAP IdM implementation. Do not forgetthat they also need good maintenance and,of course, always a running dispatcher toexecute them.
A job refers to units of work or set ofinstructions that need to be executed. A jobincludes all the activities involved incompleting it end to end. It may includesmall programs or large processes,depending on the task at hand. Normallyjobs are then scheduled using a jobscheduler to run on particular intervals oftime or at specific times during the day.
Job
DbDatabase
DsDispatcher
ShScheduling
PsPasses
R O I A B L E / / 2 0 1 9
The dispatcher in SAP IdM contextrepresents a Java service/program thatruns on the runtime IdM component of thesystem. Normally the dispatcher pools theIdM database for any scheduled jobs to beprocessed. The pooling interval can beconfigured to optimize performance.Additionally, tasks from the queue will alsobe processed by an available dispatcher.One SAP IdM system may have more thanone dispatcher, but the recommendation isnot to have more than one dispatcher perIdM runtime component. Thus, if you needmore than one, you should install it on aseparate IdM runtime component.
A worker/service whose job is to receiveinstructions and organize thoseappropriately for execution. The mostimportant aspect of a dispatcher is theiravailability and workload processing speed(e.g. how fast they process certaininstruction). Another important featurewould be the possibility to self-reset in caseof error, thus not blocking the processingqueue and continuing from where it stoppedbefore the error.
Dispatcher
IcpIdM
components
DbDatabase
JbJob
QQueue
R O I A B L E / / 2 0 1 9
Assignments in SAP IdM can range frombusiness roles, technical privileges,employees, to dynamic groups, customentry-types and company addresses.Practically anything that is an entry-typecan be assigned to another entry. Mostcommon assignments, of course, are thosewhere an employee is assigned a businessrole, a technical privilege or a manager withall its accompanying information fromwhen, till when, who made the assignment,why (reason) and who requested it initially.A detailed audit trail is constantly availableto track down all historic movements ofthose assignments.
The simple definition of assignment wouldbe something that has been assigned tosomeone. However, if we dig deeper, thereare more aspects to it. Such would be theperiod for which the assignment has beenassigned, by whom was it assigned, whorequested the assignment, etc. It does notend with the current state of the assignment
equally important is also to know itshistory, e.g. has it been assigned in thepast?
Assignment
EtEntry type
PPrivilege
BrBusiness
role
AtAudit trail
R O I A B L E / / 2 0 1 9
Access in the SAP IdM vocabulary is mostlyused in two aspects. First, for permissionsrelated to the usage of the IdM system itself
e.g. access for the role administrator. Theother, more common meaning is when weare talking about the permissions a specificemployee/external has in a targetconnected system being represented bybusiness roles or/and technical privileges. Ifparticular access is only available in thetarget system without SAP IdM havingknowledge about it, then we are talkingabout a breach in the SSOT paradigm and aproper reconcile process should be startedto sort this inconsistency.
In general, access refers to the permissionto use. If you've been given the rights to usea computer or service, you have anauthorized access usually granted byentering your username and password orusing a certificate. Access can also be achannel of communication that is openedwith a software or hardware device such ascomputer drive, modem, or printer. If theappropriate access is not obtained, the userreceives or other similarerror message.
Access
SstSingle source
of truth
RcReconciliation
PPrivilege
BrBusiness
role
R O I A B L E / / 2 0 1 9
The identity is the one of the main reasonswhy SAP IdM exists. It is its main processor,primary controller and safe-keeper.Identities in SAP IdM vary from employees,through 3rd party contractors, to seasonalworkers. All of them are seen as equalidentities before IdM. They all need to becatered by the system. Organized in identitystores the identities evolve during their lifein SAP IdM representing their identitylifecycle in the company. Each identity mustbe unique to SAP IdM and therefore eachhas a unique identifier. That might not beany meaningful peace of information butshould be good enough to distinguish oneidentity from another.
Shortly, this could be the distinguishingcharacter or personality of an individual. Thelonger description varies depending on thearea of application. Generally in IT, identityis accepted as a term, when we would liketo abstract from properties irrelevant for theinformation processing. Such could begender, physical state, hair color, clothing,etc. Although abstracted, each identity mustbe uniquely identifiable among others, eventhough sharing same attributes.
Identity
IdsIdentity
store
IdlIdentity lifecycle
UidUnique identifier
UUser
R O I A B L E / / 2 0 1 9
A privilege is the smallest possible entitythat can give access to a particularfunctionality in SAP IdM or any connectedtarget system. Privileges are normallyloaded from target systems and should berefreshed regularly to maintain consistency.Privileges from different target systems areregularly combined in meaningful businessroles to simplify self-service requests andstreamline access control. Privileges arestored in a dedicated entry type called
. Although it is enough tostore only the and the
in the entry type, it is highlyrecommended to build privileges with richerinformation.
Privilege, in the context of computersecurity, is the concept of allowing users todo only certain things. For example, anordinary user might be prevented fromchanging certain data, while a systemadministrator is typically permitted to do so.A user privilege may be maintainedmanually or through the IAM system.Manual maintenance hides risks of securitybreach and thus it is highly recommended tobe avoided.
Privilege
ImIAM
YvMSKEY-VALUE
TgTarget
EtEntry type
R O I A B L E / / 2 0 1 9
The admin in SAP IdM has a very importantrole. It is crucial not to forget theirpassword, since it may prove very hard torecover. Admins were irreplaceable in theold 7.2 release of IdM, but thankfully in 8.0a proper user access has been introducedalongside the Developer Studio. Althoughthe default owner of each package is itscreator, it is possible to assign also otherusers to the package access. However, thelimitation remains that only one user cancheckout a package at the same time and ifwe take into consideration the forced check-in feature, the whole new constellationleads to a better structured developmentprocess.
An administrator or shortly admin is aperson who ensures that a system operatesin a correct and efficient way. The specificsof their duties vary depending on the type ofsystem they look after, but in general, theyare the first to be contacted if somethingdoes not look good or behaves strange.Often admins have more privileges andaccess than a regular user and that is whythey are most often being audited for anyirregular activities or misuse of authority.
Admin
DtDeveloper
studio
IpkIdM
package
AAccess
PPrivilege
R O I A B L E / / 2 0 1 9
The term source is most often used in SAPIdM when we are talking about sourcesystems. We call them for short.Source systems are those systems, whichplay the role of feeders of information toSAP IdM. Such could be for example aMicrosoft Exchange Server, which can beused as the source for the attribute .Proper definition of the source systemsconnected to SAP IdM is an important task,which needs to be performed carefully. Inorder for SAP IdM to play its SSOT roleproperly, it has to be fed with the mostactual and proper information at the verymoment it appears at the source.
Following the classical definition, a sourcecould be a place, person, or thing fromwhich something originates or can beobtained. In IT terms this is most often somekind of code, system or service, which isdesignated as source, because particulardata is obtained from it. It is common thatmultiple sources co-exist to feed enoughinformation to a central system, which afterformatting can supply it to a target forfurther processing.
Source
SySystem
AttAttribute
SstSingle source
of truth
DqData
quality
R O I A B L E / / 2 0 1 9
The term target is most often used in SAPIdM when we are talking about targetsystems. We call them for short.Target systems are those systems to whichprovisioning of data and access is made. Asystem may be both a source and a target,depending on the setup. For example, an HRsystem may be target due to an update ofits email field from SAP IdM, but also playsthe role of a source, since the personnelnumber of the employee is updated fromSAP HR to SAP IdM. Normally propertriggers are set in place, so that wheneverfields or access updates in SAP IdMhappen, they are immediately sent to thecorrect targets.
Following the classical definition, a targetcould be a place, person, or thing that is theaim of an operation. In IT terms this is mostoften some kind of code, system or service,which is designated as target, because itaccepts specifically formatted data forfurther processing. If target is connected toa SSOT system, then often they are multipleand are being fed with the most actualinformation from the source to keep themup-to-date.
Target
HrHR
system
SstSingle source
of truth
PiProvisioning
ScSource
R O I A B L E / / 2 0 1 9
Scheduling is a functionality that wasnatively built in the old managementconsole of SAP IdM 7.2. It allowed users todefine job executions using differentoptions like specific times, reoccurring slotsand even build chains of job executions.Unfortunately, this functionality lost its enduser interface during the migration to v. 8.0.The new Developer Studio provides only afew pre-defined options for scheduling jobsand those options can run out very quickly.Thankfully, the backend functionality in thedatabase was kept intact and following theSAP Note 2729037 it is possible to createyour own rules. The other option would beto use the free add-on from ROIABLE.
Scheduling could have different meanings,but for our purposes adopt this one -determining when an activity should start orend, depending on its duration, predecessoractivity (or activities), predecessorrelationships, resource availability, andtarget completion date of the project. Eachmature IT system should provide means ofcreating scheduling rules, which couldsignificantly simplify its operation andmonitoring activities.
Scheduling
JbJob
DtDeveloper
studio
DbDatabase
AonAdd-on
R O I A B L E / / 2 0 1 9
Authorization, same as authentication, isnot carried out directly by SAP IdM. Thesystem has an important role in theprocess, which precedes both securitymechanisms. Authorization is normallycarried out by the service provider followingspecific rules. Often those are calculated bythe presence or absence of a particular roleassigned to an already authenticated user.Here comes the role of SAP IdM, whichshould provision the proper roles for theuser so that the authorization is successful.In web applications absence of the rolebeing checked leads to 403 HTTP Forbiddenresponses, which obstruct the user fromaccessing the requested resource.
Authorization is a security mechanism usedto determine user/client privileges or accesslevels related to system resources, includingcomputer programs, files, services, data andapplication features. Authorization isnormally preceded by authentication foruser identity verification. Duringauthorization a system verifies anauthenticated user's access rules and eithergrants or refuses resource access.
Authorization
SvService provider
AtAuthentication
PiProvisioning
AAccess
R O I A B L E / / 2 0 1 9
SAP IdM offers password management forall connected systems through the so-calledpassword hooks. The mechanism allowssetting both productive and temporarypasswords. Respective settings should beconfigured both in SAP IdM and the targetsystem to allow secure operations. Onegeneral drawback of the standard passwordmanagement is the absence of any kind ofprogress feedback and the fact that onlyone password can be defined for allsystems/accounts of the currently logged-inuser. Thankfully, there are add-ons that cansolve this challenge and drastically improvethe user experience of the end users.
Passwords are a set of characters providedby users during authentication. Althoughthey remain as one of the most often usedmethods of authentication, they are subjectto security threats when mishandled.Password management is a set of principlesand best practices to be followed by userswhile storing and managing passwords in anefficient manner to secure them as much aspossible in order to prevent unauthorizedaccess.
Password
management
UxUser
experience
AonAdd-on
TgTarget
AcAccount
R O I A B L E / / 2 0 1 9
Derivations in SAP IdM are often hidden forthe human eye, since they happen in thebackground. For example, a simple requestfor a role/privileges generates a number ofobjects in the database, which are derivedfrom the events that appear throughout thewhole process. That is why sometimes it isvery hard to track everything happening inthe product for a non-skilled person.The human factor in implementing SAP IdMcannot be neglected and the requirementsof the companies are only getting morecomplex. That is why sometimes it isnecessary to build your own derivations thatmake sure the system runs stable andaccording to the specifications.
The action of obtaining something from asource or origin following specificguides/rules. In order to make sense,derivations are mostly automated. Theirmain purpose is to reduce as much aspossible the manual input by the end usersof data, which can be computer calculated.Even when such derivation is not 100%determinable, it is still regarded as useful toshow a set of possible options for the userto choose from.
Self-service request
Derivations
VaValidations
DbDatabase
SsSelf-service
AAccess
R O I A B L E / / 2 0 1 9
Externals, although being regular identitiesfrom SAP IdM point of view, have a specialstatus in most organizations. They are oftennot part of the corporate human resourcessystem (e.g. SAP HR) and therefore do notfit out of the box in all establishedprocesses within IdM. Most companies haveoutsourced the management of thoseidentities to a third-party system (e.g. AD).Unfortunately, this by itself does not solvethe problem related to the fact thatexternals also need proper handling in IdM.Typically they have expiring contracts,special conditions, more regular permissionchanges and sometimes urgent requests foraccess.
When recruiting externals businesses sourcecandidates outside of the organization. Mostoften those are hired for temporary projectsor to fill in for a position. Sometimes bigenterprises hire externals to fill in a newtechnology knowledge gap as mentors,advisors and tutors. It is healthy for anorganization to keep a good ratio betweeninternal and external employees, in order toavoid too much dependency on externalresources.
External
EaEmergency
access
IdIdentity
HrHR
system
AdActive
directory
R O I A B L E / / 2 0 1 9
SAP IdM offers a great opportunity to buildthe so-called business roles. They are cross-system and often represent certain positionor function within a company. Since IdM isthe SSOT, it knows about all availableprivileges within all connected systems,thus making their combination inmeaningful business roles easier. Adrawback of this approach is that thereshould be a person who is pretty well awareof what each position is responsible for and,most importantly, which privileges fromwhich system are needed in order to fulfilltheir job. Business roles can be loaded alsofrom external tools like SAP GRC, where riskanalysis has already taken place.
Proper role design is very important tofacilitate the so-called role-based accesscontrol (RBAC). It is probably the most usedmethod in enterprises and that is why rolesneed proper definitions. Often a goodprinciple to follow would be to build the rolewith the least access possible and thenenrich it gradually as requests come in.Another very effective method to buildproper roles is role mining. However, itrequires a good amount of historytransactions in the system.
Role design
SstSingle source
of truth
GGRC
BrBusiness
role
PPrivilege
R O I A B L E / / 2 0 1 9
Packages are a new addition to v. 8.0 ofSAP IdM. They streamline the configurationand transport activities within DeveloperStudio. There are packages delivered duringinstallation by SAP and others that theenterprise can create to customize, developand enhance the solution further. A packagecontains two version numbers, a majorversion and a minor version. Those are usedto track the changes within a package. Aprevious version of a package can berestored and unsaved (not checked-in)changes reverted. Objects within a packagedefined as public can be called from otherpackages. Processes, scripts and forms canbe public in a package.
A package is a collection of configurationinformation, such as constants, scripts,repository types, processes, forms and jobs.It is the smallest part of the configurationthat is maintained as a unit. This could be aconnector for a repository type or acollection of utilities that are used by otherpackages. Users are granted access todifferent packages that allows multipleusers to work on the configuration andtransport separately.
IdM package
DtDeveloper
studio
FForm
RpRepository
QnQualified
name
R O I A B L E / / 2 0 1 9
The long-term absence differs quite a lotfrom other HR processes, since it is neithercreating, nor terminating anyaccess/account in the connected systems.Most often actions taken during this HRaction are related to locking accounts,which will not be used by theemployee/external during their long-termabsence. Depending on the case, it couldhappen that the employee still needsaccess to their email, so a global lock mightnot be the best solution. Additionally,reflecting this HR action in SAP IdM needsto take into account that it is expected atsome point of time the employee to returnto their regular job.
Long-term absence is an HR process of anemployee/external being on absence thatspreads longer than a regular vacation ornormal sick leave. Most often such is relatedto maternity/paternity leaves that couldextend sometimes to a year or two. Othersthat fall in this category could be long-termsickness or sabbatical leave. In both casesproper actions are needed to make sure thatsecurity remains intact within theorganization.
Long-term
absence
HrHR
system
AcAccount
AAccess
LuLock/unlock
R O I A B L E / / 2 0 1 9
Mass operations are a critical functionalityfor every organization with large number ofidentities in SAP IdM. Expectations are thatchanging multiple users following a simplefilter criteria should be a simple and non-problematic task. While an agreement maybe reached with regards to the simplicity,the non-problematic aspect is an issue.Within the standard solution mass actionsare handled by uploading CSV files usingcustom jobs. This is an extremely error-prone approach, which should be executedonly by professionals. Luckily, there are add-ons that make things much easier andreduce significantly the risks.
An action involving operations with largevolumes of information that belongs todifferent identities, can be categorized asmass action. Obviously, such actions areavailable to save time when, for example,the department of multiple identities needsto be updated to one and the same newvalue due to an organizational change.Other type of mass actions could includeassignments of privileges/roles or evenlocking/unlocking multiple identities.
Mass actions
IdIdentity
DqData
quality
JbJob
OsOrganizational
structure
R O I A B L E / / 2 0 1 9
In SAP IdM users can be split in 4categories administrators, who haveaccess to most critical functionalities of thesystem and are able to configure andoperate it; key/power users who have moreknowledge about the system than a regularuser and thus can execute certainjobs/operations which require skilledsupervision; system users being technicalentities used for communication purposesbetween connected systems; end usersall identities loaded in the SAP IdM systemirrelevant if employees or externals. They allshare the same self-service tasks and usethe system to simplify their daily lives interms of security.
Entity that has the authority to use certainapplication, equipment, facility, process, orsystem, or one who consumes or employs agood or service to obtain a benefit or solve aproblem. This is probably the most universaldefinition of the word . However, in thesecurity context users are not necessarilythe people operating a solution or solvingproblems. Often a user in this context ispointing to the identity loaded in thesystem.
User
SsSelf-service
JbJob
IdIdentity
AnAdmin
R O I A B L E / / 2 0 1 9
Normally assets are not stored/managedwithin SAP IdM. There are specializedsystems for managing assets and the bestpractice would be to connect those to IdMand store only a reference of items relatedsomehow to an employee/external.However, when such external systems arenot present or their integration requiressignificant effort, it is possible to maintainassets in IdM. Adapted workflows can evenmake sure that, for example, laptops andphones are pre-ordered on time so that theyare on the desk of the new employee ontheir first day at the office. One way or theother, assets are important aspect for the360-degree view of the SSOT.
An asset is a piece of software or hardwarewithin an information technologyenvironment. Tracking of assets within an ITasset management system can be crucial tothe operational or financial success of anenterprise. Assets are integral componentsof the systems and networkinfrastructure. In a broader sense an assetcould also be a person, but for the purposeof this definition we will limit it only to non-living objects.
Asset
WrfWorkflow
SstSingle source
of truth
IdIdentity
IdlIdentity lifecycle
R O I A B L E / / 2 0 1 9
The identity store within SAP IdM is thesafekeeper of the identity store schema. It isthe blueprint about the existing entry typesand attributes both standard and custom.From a job, the identity store can be updatedusing a To identity store pass. On the otherhand, an identity store can be used as asource in all To-passes. For provisioning tasksthe identity store is always the source, whichautomatically means that any informationsent to a target system should first bepersisted there. This is a good practice thathelps achieve the SSOT paradigm withoutworrying that something might get lost in IdMafter being sent to the target system. Therecould only be one main identity store andmultiple others called staging areas.
An identity store is a central repository formanaging identity information, such asemployees, departments, roles, privilegesand groups. The information in the identitystore can then be used for provisioning andsynchronization purposes. An IdentityCenter may contain one or more identitystores, but only one can be connected to theuser interface in SAP NetWeaver Java. Theidentity store is attribute-based and offers alot of flexibility during the setup.
Identity store
StaStaging
area
SstSingle source
of truth
JbJob
PiProvisioning
R O I A B L E / / 2 0 1 9
The group concept in SAP IdM has a bit of adifferent meaning. It could be used as agroup of privileges representing certainbackend functionality, most often used byMicrosoft AD. Other option could be thatgroups are simply a set of users read froman SAP NetWeaver Java repository, thusrepresenting a number of identities groupedtogether. Respectively, from the aboveexplanation, the entity type MX_GROUP,which represents groups in IdM, can haveassigned objects from the following twoentity types -> MX_PERSON andMX_PRIVILEGE. AS ABAP repositories do notsupport the group concept.
A collection of entities, being persons, rolesor privileges, which are considered togetheras being related following some businessrules/meaning. Grouping, if done right, is aconcept that simplifies the management andoperation of any large enterprise security.Instead of assigning multiple singleprivileges to a person each time they needto do a particular task, a group can beassigned once and reused later whenneeded. In this line of words business rolesalso represent a kind of grouping.
Group
EtEntry type
AdActive
directory
BrBusiness
role
NeSAP
NetWeaver
R O I A B L E / / 2 0 1 9
Although business roles are crucial forevery SAP IdM implementation, there is noproper user interface for their maintenance.The simplest option would be over the oldWeb Dynpro interface that however offersmaintenance for only one business role at atime. This could be extremely timeconsuming within large enterprises andtherefore an additional option with anupload of CSV file is provided. This option,however, does not provide criticalvalidations of the file and could potentiallymess up the data in the system irreversibly.The Authorization Matrix concept comesinto play here to help structure andmaintain all the business roles properly.
A business role is a semantic group ofprivileges, normally from different sourcesystems, which build up the required accessfor an individual to do their job based oncertain HR criteria job description,position in org. structure, etc. Business rolescan follow a flat architecture where they donot overlap, but sometimes stackingbusiness roles can help reduce their countand simplify management.
Business role
OsOrganizational
structure
AuAuthorization
matrix
WdWeb
Dynpro
PPrivilege
R O I A B L E / / 2 0 1 9
The official scripting language for SAP IdMv. 8.0 is JavaScript. In previous releasesother scripting languages like Visual Basicwere supported, but not anymore. AlthoughJavaScript is rated as one of the mostprospering script languages, it is boggeddown in IdM due to a very old versionsupport of the runtime. Because of thatmost of the innovative features of thelanguage have to be re-created in an old-school fashion. On the bright side, there ispractically nothing that cannot be achievedusing scripts in SAP IdM, including callingJava functions, which by itself opens a widerange of possibilities.
A script is a program or sequence ofinstructions that is interpreted or carried outby another program rather than by thecomputer processor. Scripts are gainingserious momentum within SAP nowadayssince they are easier to learn, simpler todebug and are very undemanding when itcomes to consumption of hardwareresources. Some of the popular scriptlanguages are JavaScript, Python, Ruby,Perl, etc.
Script
ApAttribute mapping
DtDeveloper
studio
VaValidations
DeDerivations
R O I A B L E / / 2 0 1 9
Contexts in SAP IdM should be created in aseparate entry type. Then the newly createdentry type should be defined as a legalcontext type in the entry type to which itcan be assigned. This is then reflectedautomatically in the user interface and theinherited assignment of roles andprivileges. Conditional context assignmentsare also possible. They are executed only ifthe value of the context attribute matches apre-defined value (list of values) in theparent object. Default contexts are also auseful feature for person entities, where theattribute MX_CTX_AUTO_VALUES containsthe default contexts for each context type.
A context can be defined as the situationwithin which something exists or happensand that can help explain it. In our ITmeaning it is possible to add a reference toa given context that limits the validity of theassignment to a specific context. Such, forexample may be a region, a project or anorganizational unit. The purpose is to reducethe number of roles needed to depict allpossible combinations of the attributevalues.
Context
EtEntry type
AgAssign-ment
PPrivilege
BrBusiness
role
R O I A B L E / / 2 0 1 9
Future actions in SAP IdM are oftenrepresented as pending values that are appliedwhen the time comes. The right time for that isdetermined based on their validity attributesand more precisely on . Its valuemakes the difference, if the attribute will beapplied immediately or on a certain date. If the
attribute is attached to a person,then we are talking about the so-called
. An often-used approach, when weneed to hire someone in the future, but wealready have the required data in HR upfrontand the sync is delivering needed informationto SAP IdM. This method is useful also whencertain processes need to be started inadvance e.g. request for laptop, phone, etc.
When we talk about the future in IT context,we tend to focus on upcoming technologiesand breakthrough innovations. However, ifwe focus in the area of IAM, the future issomething that is not so distant and oftenrelated to a period of a couple of weeks,maximum a month. It identifies with thetime when a person is entering the IdMsystem, but certain attributes and/orroles/privileges have future dates andtherefore be applied immediately.
Future actions
AttAttribute
HrHR
system
AstAsset
ImIAM
R O I A B L E / / 2 0 1 9
In order to use the new provisioningframework delivered by SAP IdM v. 8.0 theproper repository types should be assignedto the repositories. The old repositoryapproach from v. 7.2 work with thenew framework. The type of the repositoryis also the decisive element that defineswhat type of system we are connecting.Most common repository types beingconnected are on-premise systems like SAPBusiness Suite, Microsoft Active Directoryand cloud platforms like SAP CloudPlatform. From the cloud hybrid scenariosare possible using services like IAS and IPS.
In general terms, a repository can be viewedas a place where information may be stored.For our context, this information could rangefrom connection details through systemspecific constants to repository type. All thisalso defines the behavior of the repository,the available parameters and provisioningoptions. Repositories may be enabled,disabled, copied, exported, imported,created and deleted.
Repository
IasIAS
IpsIPS
PiProvisioning
SySystem
R O I A B L E / / 2 0 1 9
The transport procedure is built from twosteps -> an export and an import. Both canbe executed only using the DeveloperStudio. The export part is easier to handle,since it simply gathers the existing datafrom the source transport system (eachpackage separately). On the other hand, theimport part of the two-step process hascertain prerequisites and could go one wayor another depending on the content of thetarget IdM system. A hard condition for asuccessful transport is that the name of thedispatcher, used within the package beingtransported, is one and the same in bothIdM systems.
Transport is the procedure that includesmoving software packages from one systemto another (e.g. from Development toQuality). Packages are the only unit that canbe transported, and they follow a strictversion release, which is changeddepending on what is updated within thepackage since it was last checked-in. Thecheck-in process is equally important for thetransport, since open packages (notchecked-in) cannot be transported.
Transport
IpkIdM
package
DtDeveloper
studio
DsDispatcher
R O I A B L E / / 2 0 1 9
There is no standard attestation processdelivered out-of-the-box with SAP IdM.However, building one is dully documentedand should be no problem for a skilledprofessional. The verification itself is doneby executing the mentioned process foreach role or privilege that needs to bereviewed. For every assignment there couldbe only one attester, who sees only theassignments for which they are responsible.Logically for such important process, allattestation operations are logged andavailable in the audit trail. Once the processis triggered, the so-called attestation task isgenerated in the To Do list of the assignedattester.
Attestation is the process that periodicallyconfirms users' access rights to criticalresources. There could be multiple reasonsfor the periodic check, but the two mostrepeating ones are manual assignment ofcritical access, which has not been time-limited, and temporary assignment ofaccess directly in the target system, whichis then later identified during comparisonwith the IdM system as an outcast. Optionshere allow for access review, which leadeither to permanent assignment or removal.
Attestation
WrfWorkflow
AgAssign-ment
AtAudit trail
AAccess
R O I A B L E / / 2 0 1 9
Logically, since SAP IdM does not play adirect role in the authentication securityprocess, it is even less involved in providing2-factor authentication. However, sameprerequisites apply for both authenticationand authorization processes. A user shouldbe provisioned in the system where they aretrying to use or setup 2FA. SAP NetWeaverJava offers options for 2FA as part ofanother SAP solution Single Sign-On.Often it is installed together with SAP IdM,but neither of the two products should beseen as a prerequisite for the other. Theycan exist fine as stand-alone solutions,however some features are morestreamlined when used together.
2-factor authentication (2FA) is a securityprocess in which the user provides twodifferent authentication factors to verifythemselves as a result protecting betterboth the user's credentials and theresources that can be accessed. Two-factorauthentication provides a higher level ofassurance than authentication methods thatdepend on single-factor authentication(SFA), where the user provides only onefactor typically a password or passcode.
2-factor
authentication
SoSSO
NeSAP
NetWeaver
AtAuthentication
AzAuthorization
R O I A B L E / / 2 0 1 9
SAP IdM by itself does not provide thefunctionality to serve as an IdP. However,part of the installation package contains anIdP that can be installed on SAP NetWeaverJava and serve authentication requests toweb applications in the landscape. In hybridscenarios SAP IdM can be seen as thesource of the identities master data, whichis then loaded in the cloud, for example, inthe Identity Authentication Service. IAS isthe cloud IdP of SAP and can serve requeststo every web application in the cloud, orany on-premise web application withInternet access. Such hybrid solutions arecommon nowadays before complete IT ismoved to the cloud.
An identity provider (IdP) is a system thatcreates, maintains, and manages identityinformation for principals, while providingauthentication services to registered andtrusted service providers. Identity providersoffer user authentication as a service. Themost often consumer of such service areweb applications through SAML2 protocol.In a cloud environment IdPs play a veryimportant role eliminating the need for theuser to re-authenticate with every app.
Identity
provider
AtAuthentication
SvService provider
SlSAML
IasIAS
R O I A B L E / / 2 0 1 9
The main reason why enterprises integrateIAM solutions in their landscapes is tohandle properly and in timely manner theidentity lifecycle of their employees bothexternal and internal. SAP IdM is nodifferent here. Its main priority is to keepthe access of the users according tospecified rules, update those when nextstep in the identity lifecycle occurs andrespectively terminate as soon as possibleany system access, when the user is nolonger part of the enterprise. All otherfeatures and functionalities of the productare seen as secondary, even if definitelyuseful and important.
An identity lifecycle represents the full cycleof an identity and its access in a givenenterprise. From the moment when theperson was hired to the moment when theyretire or leave the business. In betweenthere could be multiple changes in theidentity status like position changes, payraises, maternity/paternity leaves, etc. Allthose account to the history of the user, orthe so-called identity lifecycle.
Identity
lifecycle
ImIAM
HHire
IdIdentity
TTermination
R O I A B L E / / 2 0 1 9
GDPR defines a set of principles, whichform the legal framework. Those also haveimpact on the so-called rights of anindividual. Such are the right to beinformed, right of access, right torectification, right to erasure/to beforgotten, right to restrict processing, rightto data portability, right to object and rightsin relation to automated decision makingand profiling. With most of those, if not withall of them, SAP IdM can help a lot byputting order in the inevitable informationalchaos of a heterogeneous landscape.Crucial here is that the SSOT paradigmshould be intact. It will guarantee that theinformation in SAP IdM is actual.
The General Data Protection Regulation(GDPR) is a legal framework that setsguidelines for the collection and processingof personal information from individuals wholive in the European Union (EU). Since theRegulation applies regardless of whereapplications are based, it must be heededby all that target European citizens, even ifthey don't specifically market goods orservices to EU residents.
GDPR
SstSingle source
of truth
HcHeterogeneous
landscape
AAccess
AttAttribute
R O I A B L E / / 2 0 1 9
SAP IdM has reached maturity. Certainenhancements and stability fixes areplanned for the near future, but its existingfunctionality change dramatically.However, the product has APIs and aconnector framework that allow customersand partners to extend and continuedeveloping the solution according to theirneeds. For example one of the biggestdrawbacks to date is the user experience forend users, which is also one of the mainshowstoppers during adopting. Thankfully,here SAPUI5 can easily come in play withan add-on and deliver an alternative to theold Web Dynpro interface having more user-friendly, mobile-enabled experience.
An add-on is a software extension that addsextra features to a product. It may extendcertain functionalities, add new ones, orsimply improve their usability. The conceptis popular from leading browsers, whichallow add-ons to bring various newfunctionalities to their products. An add-onshould never alter the original functionalityof the product. It may provide alternativemeans of doing the same thing but shouldnever change the original product.
Add-on
UxUser
experience
ApiAPI
CnConnector
WdWeb
Dynpro
R O I A B L E / / 2 0 1 9
The return from absence can be seen as theopposite of the long-term absence HRprocess. In most cases, the locked accountsare being unlocked in order to revive theuser in all target systems, where they hadaccess before the long-term absence.Partial unlock might be needed, if duringthe initial lock not all systems were under aglobal lock. Respectively, such partial lockshould be handled with a partial unlock.Critical here is that we do not generate newaccounts for the user, or we would overwriteany preferences/settings they have in thetarget systems. A good practice is to resetthe password and send it again to the user.
Return from absence is an HR process of anemployee/external joining back after long-term absence such as maternity/paternityleave or longer sick leave. Normally, in suchcases all actions taken during the long-termabsence should be reverted, so that theperson can go back to their regular duties.Sometimes, there are more complicatedcases, where during the long-term absencethe position was taken by a substitute or therole of the absent employee has changed.
Return from
absence
LtaLong-term absence
LuLock/unlock
SySystem
AcAccount
R O I A B L E / / 2 0 1 9
Within SAP, SSO is introduced through aproduct with the same name SAP SingleSign-On. The solution supports on-premiseand hybrid scenarios for simple and secureauthentication setup. Alongside the singlesign-on, two additional importantfunctionalities are introduced the multiplesign-on, which could be required for criticalbusiness applications, and the multi-factorauthentication, where the user must provideat least two different authentication factorsto verify themselves. A pre-requisite for theSAP SSO product is the availability of SAPNetWeaver Java server, where the solutionruns and reuses a number of servicesalready available on the platform.
Single sign-on (SSO) is a session and userauthentication service that permits an enduser to enter one set of login credentials(such as a name and password) and be ableto access multiple applications. In general,SSO can be achieved with different means.Focusing on SAP, the most common onesbased on the authentication method arelogon tickets, X.509 certificates andKerberos (SPNEGO).
SSO
2fa2-factor
authentication
NeSAP
NetWeaver
AtAuthentication
SlSAML
R O I A B L E / / 2 0 1 9
SAP IdM is both providing and consuming anumber of APIs. On the provider side themost common ones are the REST v. 1 andREST v. 2 interfaces, which expose a largeportion of the product functionalities. Theyare very useful when building new webapplications. The REST v. 1 is thepredecessor and was popular before therelease of SAP IdM v. 7.2 SP8. After that theREST v. 2 protocol is the more often usedand the one that will be enriched in futurereleases. On the consumer side IdM uses anumber of BAPIs from SAP Business Suiteas well as SAP HR. Through VDS twoadditional protocols are supported LDAP& SPML.
A set of functions and/or proceduresallowing the creation of applications thataccess the features or data of an operatingsystem, application or other service is calledan API. The short abbreviation stands forapplication programming interface and canbe categorized depending on if the APIs areprovided or consumed by theproduct/solution in question. APIs can beprogrammed in different languages, but theimportant thing for their consumption is thedesign pattern used.
API
VdVDS
R1REST v1
R2REST v2
HrHR
system
R O I A B L E / / 2 0 1 9
The VDS delivered together with the SAP IdMinstallation can provide important featureslike namespace conversion and schemaadaptations to enable a flexible solution thatcan continually grow and change to supportdemands from current and future applicationswithout changing the underlying architectureand design of data stores like databases anddirectories. Commonly VDS is used whenconnecting to SAP HR through the standardLDAP export. Another interesting usage forVDS would be, if it is connected to the userstore of SAP NetWeaver Java UME. Then theuser interface of the user management can beused to browser and create new users in SAPIdM.
A virtual directory server (VDS) offersoptions to visualize data betweenapplications, directory servers or data storesthat are fundamentally incompatible. Thevirtual directory server is a kind of softwareoperating as a middleware application. Itcan abstract back-end data from clientsoftware applications thus allowing dynamicchange of how the data is visualized. Inother words, it can offer a unified virtualview from several systems that appear asone.
VDS
UeUME
HrHR
system
NeSAP
NetWeaver
DbDatabase
R O I A B L E / / 2 0 1 9
SAP IdM supports both SPML and SCIMprotocols, whereas SCIM is the one that isestablishing itself as standard. While SPMLrelies on XML, SCIM supports an API thatspeaks REST and the data can be eitherformatted as JSON or XML. Fromcommunication point of view SAP IdM hascertain prerequisites in order to supportpart of its functionalities. For example, theconsumption of its REST APIs is possibleonly if https protocol is used. Same appliesif you would like to change the productivepassword of a target system (e.g. SAP orAD). In those cases secure communicationprotocol should be established between thesystem and IdM.
A protocol is a standard set of rules thatallow electronic devices to communicatewith each other. These rules include whattype of data may be transmitted, whatcommands are used to send and receivedata, and how data transfers are confirmed.The standard framework of the Internet isTCP/IP and the most famous protocols thatoperate within include UDP, HTTP and FTP. Interms of security protocols - SPML and SCIMare used for identity provisioning.
Protocol
XXML
JsJSON
SySystem
SiSCIM
R O I A B L E / / 2 0 1 9
SQL for SAP IdM is like ABAP for SAPBusiness Suite. If you are good at it, there isnothing you cannot do with the system.Apart from all the job passes andconfiguration options, where SQL is usedwithin Developer Studio, a lot can also beachieved directly on a database level. It isabsolutely forbidden to manipulate datadirectly in the IdM database, but this goesexactly the other way around, if you onlywant to retrieve information from there. Ifyou know yourself around the DB schema,you can get some amazing reports in notime. As a DB-based solution SAP IdM alsohas a serious amount of databaseprocedures, which can be reused.
Structured Query Language (SQL) is acomputer language for relational databasemanagement and data manipulation. SQLcould be used to query, insert, update anddelete data. SQL syntax may vary betweenthe different database vendors, referred toas Native SQL, but there are a number ofcommands that are unified and should beexecuted in the same manner irrelevant ofthe DB vendor.
SQL
DbDatabase
DbpDatabase procedure
DtDeveloper
studio
ReReports
R O I A B L E / / 2 0 1 9
UME plays an important role for SAP IdM ina couple of aspects. First of all, since theuser interface is running on SAP NetWeaverJava, this also automatically means thatUME is the central place to assign UI relatedroles for SAP IdM. Second, the DeveloperStudio is connecting to the database usingan Application resource again from SAPNetWeaver. On top SAP SSO is also basedon SAP NetWeaver Java. Third and last,UME can be connected to a VDS to act as abrowser or/and initiator of creation for newidentities within the SAP IdM identity store.Not to forget is also that UME is one of thestandard supported target systems that SAPIdM can provision to.
The user management engine (UME) is acentralized user management for all Javaapplications. It can be configured to sourceits user data from multiple data sources likeABAP, LDAP or VDS. It is seamlesslyintegrated in SAP NetWeaver Java as itsdefault user store and can be administratedusing its administration tools. UME has avery extensive Java API, which can be usedto build additional extensions or add-ons.
UME
DtDeveloper
studio
SoSSO
NeSAP
NetWeaver
VdVDS
R O I A B L E / / 2 0 1 9
SAP IdM has been named the terminator ofCUA, but that neither happened, nor will ithappen in the future. The reason for that isquite simple both solutions morecomplement themselves rather thancompeting against each other. If CUA isalready implemented and working in arather homogeneous SAP landscape, thereis nothing easier than connecting SAP IdMdirectly to CUA, instead of every individualSAP system. On top CUA definitely knowsbetter how to distribute an ABAP privilegethe right way, it just needs the propercommand from the central mind SAP IdM,in order to do so.
CUA or central user administration is anABAP based resource for managing centrallylarge number of users that exist in multipleABAP systems within the SAP landscape.Although limited to only ABAP-basedsystems, it is useful for complex landscapeswith a lot of manual maintenance. Since therelease of SAP IdM, CUA has been anoutcast, although there are scenarios, whereboth solutions can work in parallel.
CUA
UUser
PPrivilege
PiProvisioning
DpiDe-
provisioning
R O I A B L E / / 2 0 1 9
SAP IdM has a web-based part and this isits user interface (not based on DeveloperStudio). A whole IdM component beingdeployed on SAP NetWeaver Java isresponsible for the rendering of thedynamic Web Dynpro UI. These webapplications as well as any new SAPUI5apps, built using the REST APIs of SAP IdM,can take advantage of SAMLauthentication/authorization. The SAPNetWeaver Java server is fully capable ofdelivering this functionality and can evenact as Identity provider for other web appsthrough the additional IdP componentdelivered as part of the SAP IdM installationpackage.
Security Assertion Markup Language,shortly SAML, is an open standard forexchanging authentication and authorizationdata between parties, in particular betweenan identity provider and a service provider.SAML is an XML-based markup language forsecurity assertions. It is one of the mostcommon used languages for webapplications and is widely supported bymultiple vendors, among them also SAP.
SAML
IdpIdentity provider
SvService provider
NeSAP
NetWeaver
IcpIdM
components
R O I A B L E / / 2 0 1 9
Since SAP IdM v. 8.0 SP5, there is a newstandard connector for SCIM 2.0. It allowsfor seamless communication andprovisioning of identities from on-premise toother (cloud or on-premise) systems thatsupport the standard. The hybrid securityscenario is based on this connector. Itestablishes a link to SAP IPS that is used toprovision to multiple target cloud systems.This way the information within SAP IdM isreused also for the cloud landscape of theenterprise without exposing the informationwithin to the outside world. If however thescenario requires data to be stored in thecloud, SAP can connect to IAS, which alsosupports SCIM.
System for Cross-domain IdentityManagement, or shortly SCIM, is a standardfor automating the exchange of user identityinformation between identity domains or ITsystems. It is becoming a kind of enterprisestandard for web applications that are opento being controlled from outside identityproviders. Within the SAP portfolio SCIM issupported by the following security-relatedproducts: SAP IdM, SAP IAS and SAP IPS.
SCIM
IdpIdentity provider
HlHybrid
landscape
IpsIPS
IasIAS
R O I A B L E / / 2 0 1 9
REST v. 1 is the old web API exposed by SAPIdM until v. 7.2 SP8. Up to that release thiswas the only option to use services to buildcustom web applications. For those who areused to the new REST v. 2 API, the old onemay look awkward and it is incompatiblewith the new one. REST v. 2 is not a realsuccessor of REST v. 1, rather a completelyrewritten API that initially used odata4jlibrary and lately switched to Apache Olingodue to supportability issues. REST v. 1 islimited with regards to the supported HTTPmethods, covering only GET and POST. It
offer expanding and the onlysupported data format is JSON (non-ODATAcompliant).
Representational State Transfer (REST) is asoftware architectural style that defines aset of constraints to be used when creatingWeb services. Web services that conform tothe REST architectural style, called RESTfulWeb services, provide interoperabilitybetween computer systems on the Internet.Most often data transmitted with RESTservices is either JSON or XML formatted.
REST v.1
R2REST v2
JsJSON
XXML
ApiAPI
R O I A B L E / / 2 0 1 9
SOAP is probably one of the few messagingprotocols that are not integrated andsupported in SAP IdM by default. Toconsume SOAP services you would needVDS. Alternatively, because of the opennessof the SAP IdM product, it is possible tobuild your own SOAP connector that canconsume mostly any kind of SOAP services.There are even add-ons on the market thatallow you to generate the structure of theinput/output directly in Developer Studio toreduce the time needed for the integration.Popular solution that uses SOAP forexample is Success Factors.
Simple Object Access Protocol, or shortlySOAP, is a messaging protocol specificationfor exchanging structured informationthrough web services in computer networks.Its purpose is to provide extensibility,neutrality and independence. It uses XML forits message format and relies on applicationlayer protocols, most often HypertextTransfer Protocol (HTTP) or Simple MailTransfer Protocol (SMTP), for messagenegotiation and transmission.
SOAP
XXML
VdVDS
DtDeveloper
studio
ApiAPI
R O I A B L E / / 2 0 1 9
JSON is somehow not directly related toSAP IdM. Rather their relation comesthrough the available APIs REST v. 1 andREST v. 2. Both support JSON as format fortransmitting data between the IdM serverand the browser making the call. Lately,JSON has been preferred instead of XMLdue to a number of reasons like fasterparsing, readability of the raw data (betterformatting) and less volume due to lesstags needed. Of course, XML has its ownadvantages in some cases, for example it isbetter supported by desktop applications.For web applications built with JavaSciptlike SAPUI5, JSON is the preferred choice.
JavaScript Object Notation, or shortly JSON,is an open-standard file format that useshuman-readable text to transmit dataobjects consisting of attribute value pairsand array data types. It is a very commondata format used for asynchronous browserserver communication used by both RESTand ODATA services.
JSON
ApiAPI
XXML
R1REST v1
R2REST v2
R O I A B L E / / 2 0 1 9
XML is more popular within SAP IdM thanJSON. Apart from being used also for theavailable APIs REST v. 1 and REST v. 2, it isin the roots of how VDS builds its datarepresentations. Additionally, the new IdMtransport packages also use XML todescribe their contents. Somewhat hidden,but important functionality like isusing XML to store its information in thedatabase. Understandably XML is muchbetter supported by desktop applicationsthan JSON and this is an area, where itsusage is predominant. Another benefit ofusing XML is that we can apply XSLTtransformations, which are popular amongdevelopers.
EXtensible Markup Language, or shortlyXML, is a markup language that defines aset of rules for encoding documents in aformat that is both human-readable andmachine-readable. It is a common dataformat for asynchronous browser servercommunication used by both REST andODATA services.
XML
ApiAPI
VdVDS
JbJob
IpkIdM
package
R O I A B L E / / 2 0 1 9
If we talk about REST v. 2, we cannotuniquely identify which release of SAP IdMwe exactly refer to, because the interfaceitself is available already with SAP IdM v.7.2 SP8, but its completeness andimplementation differ significantly from thelatest release at the moment, which wasposted with SAP IdM v. 8.0 SP6. Alongsidethe change of the used library from odata4jto Apache Olingo, a lot of additionalfunctionality was exposed like for examplethe option to create new objects. With thelatest additions the API has become astandard for building web applications thatneed to exchange data with SAP IdM.
REST v.2
Representational State Transfer (REST) is asoftware architectural style that defines aset of constraints to be used when creatingWeb services. Web services that conform tothe REST architectural style, called RESTfulWeb services, provide interoperabilitybetween computer systems on the Internet.Most often data transmitted with RESTservices is either JSON or XML formatted.
ApiAPI
JsJSON
XXML
R1REST v1
R O I A B L E / / 2 0 1 9
The scenario involving OAUTH authorizationis a bit distant to an enterpriseenvironment, where one would configuresingle sign-on between the requiredsystems and be done with it. In a cloudsetup however, things look different. Veryoften the provided resources are not hostedby one and the same organization and suchSSO is not possible. In this case OAuthensures that only permissions for therequested resources are granted to userand application, but access to otherresources is denied. Similarly, SAP IdM canuse OAUTH to get access to the cloud IPS,but not to the other services available onthe SAP Cloud Platform.
OAuth is an open standard for delegatedauthorization. One of the main differences toSAML is that OAUTH does not deal withauthentication. Its main usage is withmobile scenarios or also popular whenconsuming ODATA services from SAPGateway. The good news is that OAUTH andSAML can be applied together where theSAML Assertion is used as an OAuth BearerToken getting the best of both standards.
OAUTH
CsCloud
systems
SoSSO
SlSAML
IpsIPS
R O I A B L E / / 2 0 1 9
Accounts in SAP IdM play a very importantrole in the access provisioning and de-provisioning processes. An identity withinIdM has as many accounts as connectedtarget systems where this identity hasaccess or is created as a user. Often eachaccount represents a combination ofimportant parameters that identify the userin the respective system as unique. For ADit could be the SAMaccountname, for SAPjust the logon name, for other third-partysystems it could be the email address. Inthe best-case scenario accounts can bedisabled, enabled, locked and unlockedseparately without having to go over aglobal lock or global disable process.
An account is an established technique forconnecting a user and an informationservice and/or computer network. Useraccounts determine whether a user canconnect to a computer, network or similar.User account is one of the methods toauthenticate to a system and receive thenecessary access to resources of thatsystem. A user technically is not limited toonly one account per system.
Account
IdIdentity
PiProvisioning
TgTarget
AdActive
directory
R O I A B L E / / 2 0 1 9
Although a sequenced numbering of theidentities within SAP IdM is often usedapproach, it is not necessarily the best andmost suited one for every purpose. It maywork well, if the complete landscape iscreated from scratch with IdM beingavailable from its first operational days.This, however, is actually a quite raresituation. Most of the companies introduceIdM only when the complexity of handlingmultiple users and systems gets unbearableto be operated manually. For such casespicking such unique identifier that caneasily match identities across multiplesystems could be a life saver during theinitial load.
A symbolic identification code that isattached to an item or business entity,which is exclusive to that particular entity.Often, this can be a serial number or similaridentification. In this case we need theunique identifier to be able to tell oneidentity from another within SAP IdM. Thusthe unique identifier can be practicallyanything that does not duplicate amongidentities.
Unique
identifier
IdIdentity
UUser
SySystem
IoInitial load
R O I A B L E / / 2 0 1 9
As mentioned, members of a dynamic groupare determined at the time of resolving agroup. The attributes MX_TARGET_FILTERand MX_TARGET_DEFINITION are used todefine the members. The following two areseen as the most common usages fordynamic groups: using them as a source fora job to define a selection of entries to beprocessed at the same time or using themas a constraint for a role. In this case anyentries matching the filter for the dynamicgroup will be defined as members of therole. The same approach can be used todefine members that are either allowed ornot allowed for a role.
Dynamic groups are such, where identitiesfalling into the group are not predefined inadvance but are determined dynamically (inreal time) based on certain attribute values.Although any set of attributes can be used,often attributes like plant, location, managerare used to create those dynamic groups.They have their own entry type, which iscalled MX_DYNAMIC_GROUP.
Dynamic group
AttAttribute
EtEntry type
JbJob
BrBusiness
role
R O I A B L E / / 2 0 1 9
Before actually running an initial load inSAP IdM there are a number of things thatshould be thoroughly checked. Each syncedattribute should know its leading system,initial passwords generation should bedefined, and a test initial load should beexecuted before running it productively.During the initial load, the mapping of theattributes should be carried out carefullyand identities with the same uniqueidentifier should be merged into the IdentityStore, not created as new. Once all systemsare initially loaded, we have a snapshot ofthe current state of the system landscape.This snapshot should be regularly updatedto keep SAP IdM a verified SSOT.
The first step when connecting atarget/source system, which containsidentity data, to SAP IdM is performing aninitial load. It represents loading relevantidentity data from the source/target systeminto the Identity Store of SAP IdM. BeforeIdM can control any identities and assignthem roles/privileges it should know aboutthem, so this step cannot be omitted and ifexecuted improperly could lead to aninconsistent state of the IdM system.
Initial load
SstSingle source
of truth
TgTarget
ScSource
IdIdentity
R O I A B L E / / 2 0 1 9
Within SAP IdM the mskey has a bit moreimportant role than just being a key for aparticular entry. It is the only attribute thatcan be considered unique across all identitystores in an SAP IdM installation. Apartfrom that it mostly inherits all the benefitsof a regular relational database auto-increment key and it is often preferred forcomplex SQL joins and views. Onceassigned during creation the mskey remainsunchanged in the database unless aphysical deletion is performed. Inactiveentries also retain their original mskey. Allobject relations (references) in IdM are builtbased on mskey.
Although you find the term mskey incommon solutions, its actual usage is widelyspread in relational databases. Mskey is akey column in a table that is auto-generatedwith an ongoing increment of one (e.g. 101,102, etc.). This approach makes sure thatevery entry in a table will have at least oneunique identifier. Additionally, such key isquite handy when we need to operate withcomplex SQL statements/joins due to itsnumeric value.
MSKEY
DbDatabase
SqSQL
AttAttribute
IdsIdentity
store
R O I A B L E / / 2 0 1 9
The IdM definition of an attribute is notmuch different than the original with someadditions. Apart from the obvious propertieslike name, description and type, there arethree additional a definition if theattribute is single or multi-value, a mappingvalue for target/source system, if such ismaintained, and a freestyle comment. Thereare also some special attribute types liketask and entry reference. The task referencecan be addressed either with the TaskID(numeric) or with the Task GUID (string),while the entry reference is always definedusing mskey. It is allowed to create customattributes in any of the identity stores.
In computing an attribute is a specificationthat defines a property of an object,element, or file. It may also refer to or setthe specific value for a given instance ofsuch. For clarity attributes should morecorrectly be considered metadata. Anattribute is frequently and generally aproperty of a property. However, in actualusage the term attribute can and is oftentreated as equivalent to a propertydepending on the technology beingdiscussed.
Attribute
YMSKEY
IdsIdentity
store
EtEntry type
StaStaging
area
R O I A B L E / / 2 0 1 9
Forms in SAP IdM were previously known asUI tasks. Their old name was probably moreself-explanatory, but it was replaced inrecent releases of the product. A form, inpractice, is a dedicated user interface thatis targeting a certain entry and can eitherview, create or maintain it. A form usuallycontains the needed attribute definitions(what user sees on the screen), theexecution access control (who is allowed toaccess the form) and some other UIconfigurational elements (e.g. sections,tabs, etc.). For a quick start SAP deliverspredefined forms as a standard package,but it is a common practice that customersalso define such themselves.
A form is a window or screen that containsnumerous fields or spaces to enter data.Each field holds a field label so that anyuser who views the form gets an idea of itspurpose. A form is considered more userfriendly than free text input because it canguide the user and validate their input.Forms can also include a lot of browsercoding, which can make them extremelysophisticated and appealing.
Form
EtEntry type
AttAttribute
UiUser
interface
AlAccess control
R O I A B L E / / 2 0 1 9
An entry type is the representation of theidentity data according to the schema in theidentity store. While SAP delivers asignificant number of predefined entrytypes like MX_PERSON, MX_ROLE, etc., acustomer is free to either extend theavailable ones or build their own entrytypes. If entry types are defined assearchable, they would also appear in theManage tab of the SAP IdM user interfacethus letting end users search entries fromthat type and perform different operationsusing forms. By default the MX_PERSONentry type is set as the identity entry type,but this can be changed using theconfiguration in Developer Studio.
An entry type is not a very common termwhen it comes to general IT systems. Theclosest to it would be something like apredefined type or a user-defined type. Theidea is that the simple types provided inmost systems are not enough for the IdMscenario. Therefore complex, moremetadata-rich types are delivered already bythe product out-of-the-box. Customers canalso extend those or create brand new ones.
Entry type
UiUser
interface
DtDeveloper
studio
FForm
IdIdentity
R O I A B L E / / 2 0 1 9
Within SAP IdM the mskeyvalue is treatedspecifically. It is an attribute that is uniquewithin one identity store across all entrytypes. If we talk about a person, thisattribute normally contains something thatuniquely identifies the person e.g. email,employee number, etc. The mskeyvalue isalso the username used for logging on toIdentity Management user interface andmust therefore match the name of the userin SAP NetWeaver Java UME. An additionalusage is during provisioning, where themskeyvalue is used as the main identifier.
why there is a prefix recommendationfor those entry types mskeyvalues e.g.ROLE:, PRIV:, etc.
Similar to mskey, mskeyvalue is not foundvery often in common solutions. Mskeyvaluecan again be seen as a unique identifier, butit is not auto-generated, rather defined bythe developer (e.g. HOUSE101, HOUSE102,etc.). It can be referred to as a readablemskey, with the exception that it might notbe unique in the whole database. This mighthappen if multiple companies are using thesame database for the same application, butdifferent identities (e.g. multi-tenancy).
MSKEYVALUE
YMSKEY
UeUME
PiProvisioning
EtEntry type
R O I A B L E / / 2 0 1 9
Email notifications play an important role inSAP IdM being the easiest way of informinga person about what is happening insidethe system. A very common use case is tosend messages from the SAP provisioningframework. To use email notifications youwould need the standard notificationspackage, which delivers the notificationprocess and prebuilt templates to cover themost common cases. If those are notenough for your use case, you can alwaysbuild custom notifications using JavaScriptand sending them with the functionuSendSMTPMessage. Since SAP IdM isopen to integrations, using other means ofnotifications is also possible.
Nowadays emails are an established way ofcommunication between people, but alsofrom machine to a person. The latter aresometimes referred to as automated emailnotifications since they do not involve anyhuman interaction and are often used tonotify a person about the appearance ofcertain event. A very basic form of suchemails are newsletters. Although theircontent might be prepared by humans, theactual send out is automated.
notification
PiProvisioning
IpkIdM
package
SrScript
AonAdd-on
R O I A B L E / / 2 0 1 9
The process of archiving is especiallyimportant for IAM systems due to the largeamount of historical data, which they store.The data dictionary of the database is builtusing column-based instead of row-basedapproach. The first is the reason why thesolution is so flexible, but also brings to thetable the important question of datavolumes and performance. To gather allinformation for a particular person in acolumn-based table, you need to join it withitself as many times as the number ofattributes you would like to select. Thisoperation is extremely costly if the tablecontains too much historical data that is nolonger relevant for the enterprise.
Data archiving is the process of moving datathat is no longer actively used to a separatestorage for long-term retention. Archiveddata consists of older data that remainsimportant to the organization or must beretained for future reference or regulatorycompliance purposes. In the best-casescenario data archives should be indexedand have easy search capabilities.
Archiving
DbDatabase
AttAttribute
ImIAM
IdIdentity
R O I A B L E / / 2 0 1 9
With a very long list of supportedlanguages we can say that SAP IdM is aninternational-ready software. Using aspecial annotation for translated texts(whenever a text has translations indifferent languages, its presentation label isprefixed by e.g. #MX_DISPLAYNAME)SAP IdM can output the proper labelaccording to what is defined within the UMEproperty for user language. Automatedtranslation is not possible out-of-the-boxand if you define any new attributes, entrytypes, etc. then you need to take care oftranslating the visible texts on the screen tothe supported languages according to youruse case.
The most common definition for translationcan be summarized as the process oftranslating words or text from one languageto another. When we talk about it in the ITcontext, most of the time we are notreferring to an actual person who is givenone word in a language and they simplyoutput the same word in another language.Often translation is fully or semi-automated,using services that automatically scan thetext and output it in the selected language.
Translation
AttAttribute
UeUME
EtEntry type
UiUser
interface
R O I A B L E / / 2 0 1 9
SAP IdM can be seen as a service provider,since it offers a wide range of services foridentity access and management. As part ofthe SAP IdM installation package there isalso an identity provider service that runson SAP NetWeaver Java and can close thecycle without the need of integrating anexternal IdP. If we look at a broader hybridscenario including the cloud, there we alsohave two services - SAP ProvisioningService and SAP Authentication Serviceone acting as the service provider, while theother providing authentication andauthorization functionality.
A service provider is a vendor that providesIT solutions and/or services to end usersand organizations. This incorporates all ITbusinesses that provide products andsolutions through services that are on-demand, pay per use or using a hybriddelivery model. Sometimes service providersbuild also identity services to cover theneeds of authorization and authenticationfor their products and services. However, itis often the case that external identityproviders are used.
Service
provider
ImIAM
HlHybrid
landscape
IasIAS
IpsIPS
R O I A B L E / / 2 0 1 9
The term lock/unlock has established itselfas a key process within SAP IdM. Apart frombeing integrated in at least two importantHR actions Long term absence (Lock) andReturn from long term absence (Unlock), itcan also be used as a self-service formanagers and administrators. Sometimeswithout any HR action there might be aneed to lock somebody from accessing theunderlying IT infrastructure. MX_DISABLEDattribute can be used for that purpose. Ifset, it will trigger a global lock to allsystems where the user has a registeredaccount. Partial system locking is alsopossible but requires additional customdevelopment.
The term is popular mainly as a securemechanism of obstructing operationalsystem access on a device (e.g. mobile,laptop, etc.) by requesting a user to enteragain their credentials (e.g. user/password,biometrics, etc.). However, in softwareterms, lock/unlock could mean more. Forexample you might have access to yourcomputer/OS, but not be able to access yourSAP software in the same time, becauseyour account is locked there.
Lock/unlock
LtaLong-term absence
RltReturn from
absence
SsSelf-service
HrHR
system
R O I A B L E / / 2 0 1 9
Data integrity is paramount when it comesto SAP IdM. Acting as a 360-degree singlesource of truth, it is always expected thatdata within the solution is complete, actualand consistent. This applies not only to themaster data, but also to the access of eachsingle user in the database. Unfortunately, ifcertain best practices are not implemented,it is easy to break the data integrity of SAPIdM. A simple example is manipulating a
access directly in the target systemwithout using the provisioning mechanismof SAP IdM. The newly assigned role in thetarget system is not visible to SAP IdM andthus data integrity is broken.
Data integrity is the overall completeness,accuracy and consistency of data. As youcan imagine, if this integrity is broken, thenthe system credibility is undermined. Youcannot rely any more on the data there anduntil the integrity is restored you are proneto making wrong decisions based onincorrect/incomplete data. Even though thisapplies to most of the IT systems, it isparticularly important for those, acting as asingle source of truth.
Data integrity
SstSingle source
of truth
PiProvisioning
DqData
quality
UUser
R O I A B L E / / 2 0 1 9
SAP IdM can be roughly broken down in 4components. Those would be the IdMruntime, IdM user interface, IdM databaseand IdM developer workspace. Each of thoseplay an important role in providing the finalproduct experience/functionality. A regularuser would have the most interaction withthe IdM UI, while for example an IdM adminwill often use the Developer studio, which ispart of the developer workspace. The othertwo components, however, are the real heartof the solution. All configuration andoperational data is stored in the database,while the runtime makes sure that those jobsand tasks are executed on the properenvironment using a dispatcher.
Obviously, the term has no meaning outsideof the IdM area, but we will focus here onthe definition of components as a generalterm. A component is a functionallyindependent part of any system. It performssome function and may require input orproduce output. A component in software isoften represented by classes. Componentssometimes communicate with each other inorder to produce the expected result for theend user.
IdM
components
DtDeveloper
studio
DsDispatcher
AnAdmin
UiUser
interface
R O I A B L E / / 2 0 1 9
The termination process in SAP IdM contextnormally starts in the moment when anappropriate HR action is received from the
human resources managementsystem (e.g. SAP HR). It is also possible totrigger a termination in the future. Duringthat process, an existing employee (internalor external) will be terminated/removedfrom any existing accounts in the
landscape. The access isremoved permanently, but the master dataof the user is not deleted. It is simplymarked with the attribute MX_INACTIVE,since it might happen that the same personmight be rehired again in the future.
Termination in HR marks the end of ancontract with an employer.
Irrelevant if it was voluntary or due to theinitiative, the end effect is that
the employee would no longer need theiraccess to the enterprise IT landscape andrespective processes must be triggered. Thiswould also be applicable independent of thefact if the leaving employee was an internalor external hiring (e.g. contractor).
Termination
RhRe-hire
HrHR
system
AcAccount
UUser
R O I A B L E / / 2 0 1 9
The more standard connectors an IdM systemhas to its target repositories the better is theconnectivity of this system within aheterogenous landscape. SAP IdM provides anumber of connectors out-of-the-box forstandard SAP and non-SAP software likeBusiness Suite, Active directory, AS Java, etc.In order for a connector to be fully operationalin IdM context, it should support severaloperations like user creation, modification,deletion, disable/enable, assign/unassignroles and setting up passwords. In the lastyears a protocol has established itself as astandard this is the System for Cross-domainIdentity Management or shortly SCIM.
A connector is usually known as part of acable that plugs into a port or interface toconnect one device to another. In order tobring this knowledge into our context, wemight just as well say that a connector is aninterface that supports several operations,which are enough to connect one system toanother for a specific purpose (e.g. identitymanagement). Connectors use underlyingprotocols like SCIM, REST, ODATA, SOAP, etc.to transport data between systems.
Connector
SiSCIM
SpSOAP
AdActive
directory
HcHeterogeneous
landscape
R O I A B L E / / 2 0 1 9
Active directory plays a very important role inSAP IdM context, since it drastically expandsthe reach that SAP IdM can have acrossmultitude of applications, which simply supportAD out-of-the-box. Having a standard connectorfor AD, SAP IdM can easily provision users androles to the directory service, which then canbe used to operate other solutions via AD astheir main identity directory. It is even possibleto split the individual applications within AD asseparate repositories in SAP IdM, but thisrequires a bit of custom development. It isworth the investment, since then you wouldhave truthful reports as to what access isassigned in which applications and not onecommon repository e.g. AD.
Active Directory (AD) is a directory servicedeveloped by Microsoft for Windows domainnetworks. It is included in most WindowsServer operating systems as a set ofprocesses and services. Initially, ActiveDirectory was only in charge of centralizeddomain management. Starting withWindows Server 2008, however, ActiveDirectory became an umbrella title for abroad range of directory-based identity-related services.
Active
directory
RpRepository
PiProvisioning
ReReports
CnConnector
R O I A B L E / / 2 0 1 9
HR is the main source system for SAP IdM.SAP or non-SAP, it is the starting point for anyidentity lifecycle trigger, no matter if it is newhire, change position, termination, etc. WhenSAP HR is the main source for employee data,then it can be connected using a standardconnector to SAP IdM over VDS and deltasync mechanism can be enabled to reducethe data traffic between the two systems.Apart of this role, HR can also be a targetsystem for SAP IdM. For example if a newemployee needs first to be created inMicrosoft Exchange to get an automaticallygenerated email address, then this email willbe provisioned back to HR from SAP IdM forcompleteness of the employee record.
A human resources (HR) system or oftenalso referred to as human capitalmanagement (HCM) system is a softwarethat combines a number of processes toensure easy management of humanresources as well as the attached businessprocesses and data that go along with. Suchoften are employee data storage, managepayrolls, benefits administration andattendance records.
HR system
ScSource
VdVDS
IdlIdentity lifecycle
PiProvisioning
R O I A B L E / / 2 0 1 9
When talking about SAP, the cloud isalways the topic that is pushed forward andthe one that is developed actively. However,often the question is how do we securethe new cloud applications. If we would liketo integrate those new applications andsystems the way we used to do it in thepast with on-premise, then the answer is togo for a hybrid approach. Since SAP IdM isan on-premise solution, it can remain thesingle source of truth for your employeesand externals but connecting it to servicesin the cloud like SAP IAS and SAP IPS opensa new horizon of opportunities with cloudapplications.
Hybrid landscapes in computer terms arethose combining two or more different typesof environments in order to grasp the best ofboth worlds. Specifically in SAP context,hybrid has established itself as a bestpractice, where you can still operate youron-premise investments, but in parallel goforward with innovations in a very agile andrapid-moving cloud environment.
Hybrid
landscape
SstSingle source
of truth
ExExternal
IasIAS
IpsIPS
R O I A B L E / / 2 0 1 9
While IAG is not a one to one reproductionof SAP GRC Access Control in the cloud, itdoes have some overlapping areas andfunctionalities. Similar to SAP IdM, IAG canalso build business roles and provisionthose using SAP IPS to different targetsystems. As a workflow the solution usesthe established SAP Cloud Workflow serviceand SAP Cloud Business Rules. IAG offersalso standard connectivity to on-premiseSAP GRC to retrieve the risk rules andcollections. One distinctive difference thatcomes up with IAG is that it can alsoaddress non-SAP systems, which is not sotrivial task with on-premise SAP GRC.
The general business definition of Identityand Access Governance (IAG) sometimesoverlaps with Identity and AccessManagement (IAM). It is more precise,however, to use it in the specific context ofassessment and mitigation of the risksrelated to User access. SAP IAG is asoftware solution that addresses cloudneeds as for example Segregation of dutiesreporting, which normally are served by on-premise products like SAP GRC.
IAG
GGRC
BrBusiness
role
PiProvisioning
SdSegregation
of duties
R O I A B L E / / 2 0 1 9
Usually IAM solutions bundle additionalcomponents like single-sign-on and multi-factor authentication. With SAP those areseparated in another product called SAPSingle Sign-On. The two main solutions thattake care of the fundamental IAM features areSAP IdM and SAP GRC. They contain thenecessary information of master dataand access. Often built as single source oftruth, their data integrity is crucial for thecorrect operation and truthful reporting. Oneof the most important roles of an IAM systemin the landscape it to take proper care of theidentity lifecycle of an employee/external, sothat they always have the proper authorizedaccess to the IT landscape.
Identity and access management (IAM) is aframework of business processes, policiesand technologies that facilitates themanagement of electronic or digitalidentities. With an IAM framework in placeIT managers can control user access tocritical information within theirorganizations. IAM products offer role-basedaccess control that allows systemadministrators to regulate access tosystems or networks based on the roles ofthe individual users within the enterprise.
IAM
SstSingle source
of truth
IdlIdentity lifecycle
SoSSO
DiData
integrity
R O I A B L E / / 2 0 1 9
Looking at systems in SAP IdM context, theymay be categorized in four types: source,target, proxy and manual. Source are thesystems, regarded as the master for a piece ofinformation, coming in SAP IdM. For exampleSAP HR is regarded as master for the
name, while Microsoft Exchange isthe master for the email address.Target systems are simply the receivers of theinformation stored in SAP IdM be it masterdata or access that is being provisioned. Proxyis a special type of system common in hybridlandscapes (e.g. when SAP IdM needs tocontrol a cloud service like SAP IPS). Manualare the systems that are not automaticallyprovisioned by SAP IdM but are still controlledby the process.
In IT context system is a basic, complete andoperational computer, including all thehardware and software required to make itfunctional for a user. It should have theability to receive user input, process data,and with the processed data createinformation for storage and/or output.Systems nowadays can be situated indifferent environments (e.g. on-premise,cloud, private cloud, etc.), but this shouldnot affect in any way their fundamentalfunctionalities described above.
System
ScSource
TgTarget
MrManual
repository
ArAutomated repository
R O I A B L E / / 2 0 1 9
While SAP GRC has many functionalities, it isthe Access control module that is most oftenconnected with SAP IDM in order to achievemore holistic approach. The out-of-the-boxintegration delivers the needed Segregation ofDuties check when assigning new roles tousers. GRC ensures no major risks are activein the system and if such cannot be avoidedthat they have proper mitigation rules inplace. Apart from the standard rulesframework delivered by SAP, a customer canalso expand and build their own custom rulesfor risk evaluation. The three most commonrules sets are R3, Basic and HR based (oftenused as basis for GDPR).
Governance, risk and compliance (GRC)refers to a strategy for managing anorganization's overall governance,enterprise risk management and compliancewith regulations. We can think of GRC as astructured approach to aligning IT withbusiness objectives, while effectivelymanaging risk and meeting compliancerequirements.
GRC
SdSegregation
of duties
GpGDPR
IagIAG
RaRisk
analysis
R O I A B L E / / 2 0 1 9
From version 7.3 SAP NetWeaver introduced acouple of new components that run on theplatform from the SAP IdM portfolio. The userinterfaces both end user and admin, run onthe platform and are accessible with the alias:/idm, or /idm/admin. With version 8.0 SAP IdMexpanded even further the importance of theplatform by making use of the standard datasource resources to establish connections tothe database for two purposes one for theuser interface and another one for the newlydelivered Developer Studio. Respectively, theconnection between the developer workplaceand SAP IdM database is not direct, rather firstgoing to SAP NetWeaver and from there to thedatabase.
SAP NetWeaver refers to a technologicalfoundation (platform) acquired by SAP in thebeginning of this century. Since 2003 whenthe first SAP version 2004 wasreleased up to the latest release 7.5the platform went through massivetransformations, but almost 20 years later itstill serves multiple use cases withnumerous important software products,among which are SAP Process Orchestrationand SAP Identity Management.
SAP NetWeaver
UiUser
interface
DbDatabase
DtDeveloper
studio
IcpIdM
components
R O I A B L E / / 2 0 1 9
The most popular cloud systems from SAP arein the SaaS area: SAP S/4HANA and C/4HANAsuites and all acquired applications likeFieldglass, Concur, SuccessFactors, etc. Thepopular PaaS services used to be two theNeo and the Cloud Foundry platform, butrecently SAP announced that strategically theyare moving only with CF forward. With suchrich palette of software it is no doubt thatcustomers are asking questions about securityintegrations. SAP were capable to provide asolid answer to those questions with SAPIdentity Provisioning Service. Running in ahybrid scenario with SAP IdM on-premise, itcan provision to all those target systems in asimilar fashion as it is typically done to on-premise systems.
A cloud system or cloud computingtechnology refers to the computingcomponents (hardware, software andinfrastructure) that enable the delivery ofcloud computing services such as: SaaS(software as a service), PaaS (platform as aservice) and IaaS (infrastructure as service)via a network (i.e. the Internet). Cloudsystems are part of a model that shifts thecomputing workload to a remote location.
Cloud
systems
IpsIPS
HlHybrid
landscape
PiProvisioning
TgTarget
R O I A B L E / / 2 0 1 9
Although Fiori is the targeted user experiencefor all SAP applications, there are someexceptions, which have grown historically witha very complex Web Dynpro auto-generateduser interface. Pushing very hard to make bigadvancements in the Cloud, SAP decided to notinvest resources in a challenging redesign ofsuch products considered more or less mature.One of the impacted ones was SAP IDM. At theend it was the SAP partners that startedoffering an alternative to the customersthrough their own add-ons. Currently there areseveral solutions capable to transform thestandard Web Dynpro UI into a beautiful SAPFiori app. The 2 most popular approaches areto rework completely the old UI or to render thealready built logic dynamically in Fiori.
SAP Fiori is a design language and userexperience approach developed by SAP foruse by SAP, its customers and its partnerswithin business applications. Thetechnology behind SAP Fiori is SAPUI5,which became quite popular in recent yearsand additionally has an open source versioncalled OpenUI5 that can even be used innon-SAP scenarios. Currently SAP Fiori is onthe market with its latest version 3, whosemain goal is to equalize the user experienceacross all SAP products.
SAP Fiori
UiUser
interface
UxUser
experience
WdWeb
Dynpro
AonAdd-on
R O I A B L E / / 2 0 1 9
Homogeneous landscapes are extremely rarenowadays. Proper IAM solutions should be ableto tackle the challenges of a heterogeneouslandscape without having to makecompromises with the quality of service.Although IdM started mostly focused on SAP-based services and products, SAP expandedthe portfolio significantly and now togetherwith the cloud services like SAP IAM and SAPIPS they support numerous non-SAP systemslike Google G Suite, Azure AD and actually anySCIM-enabled system. The single source oftruth becomes even more important in suchlandscapes, where retrieving information fromall systems is equal to a full-time job.
Heterogeneous landscapes are those built ofdifferent types of systems (e.g. vendors,interfaces, applications). Normallycustomers end up with such landscapetrying to adopt best-of-breed solutions indifferent areas of their business, but eventhose that are very SAP minded have atleast one Microsoft Active Directory thatalready helps with the heterogeneity.
Heterogeneous
landscape
ImIAM
IasIAS
IpsIPS
SiSCIM
R O I A B L E / / 2 0 1 9
SAP IAS can be used stand-alone as an IdPprovider, but it has a lot more to offer if it isintegrated with the other security offerings ofSAP like IdM and IPS. On top SAP IAS alsosupports delegated authentication, making itideal for hybrid landscapes and scenarios.Two-factor authentication and social loginoptions allow for higher security and flexibilitywith customer facing applications. Furtherenhancements include logon overlay andcustom design, self-registration with GooglereCAPTCHA or phone verification, risk-basedauthentication and more. IAS can also enrichthe existing information about an employee inorder to enable them to use particular cloudservices (e.g. additional group assignments inthe cloud).
SAP Identity Authentication Service is acloud service for secure authentication anduser management in SAP cloud and on-premise applications. It provides services forauthentication, single sign-on, and usermanagement. It is broadly used within SAPand popular there also under the name SAPID service. SAP IAS can be very useful inhybrid scenarios, when authentication andauthorization of end users still need to be re-routed to on-premise IdP, although the appis in the cloud.
IAS
HlHybrid
landscape
IpsIPS
SoSSO
AtAuthentication
R O I A B L E / / 2 0 1 9
SAP Identity Provisioning Service offersthree use cases for connecting systemssource, which is usually the central userstore of the enterprise; a target could beon-premise or in the cloud; or a proxy, whichis a special type of connector for hybridlandscapes. It allows to provision entitiesfrom one SCIM-based to another externalnon-SCIM system without making a directconnection between them. The actualprovisioning is done through jobs, whichcan be ran on demand or scheduled. Thereis one further option for real-timeprovisioning, but it is available only if thesource system is SAP IdentityAuthentication Service.
IPS is a cloud-based service from SAPproviding robust identity managementcapabilities, including account creation,user authorization, de-provisioning, andmore. It helps you optimize accessmanagement processes and meet corporatecompliance standards. IPS is also thefoundation for a landscape-wide single sign-on scenario in combination with SAP IAS.Additionally, it is an integral part of thehybrid approach together with SAP IdM.
IPS
IasIAS
SiSCIM
PiProvisioning
HlHybrid
landscape
R O I A B L E / / 2 0 1 9
In common scenarios like integration betweenSAP IdM and IAS or/and IPS SAP CloudConnector is not needed, since IdMestablishes a direct connection to them.However, if we would like to expose anapplication that is implementing the REST v2interface of SAP IdM in the cloud, then weshould setup a Cloud connector, which firstexposes the needed path to the APIs, andsecond connects to the right cloud account,where the app is running. The challenging partcomes when we need to take care of theauthentication of the end users. In the cloudwe can achieve that using SAP IAS, but itshould be connected to the same on-premiseIdP, which SAP IdM is using in order tofacilitate the single sign-on.
SAP Cloud Connector serves as a linkbetween SAP Cloud Platform (Neo or CFversion) and on-premise systems. It runs ason-premise agent in a secured network andprovides fine-grained control over exposedon-premise systems and resources as wellas the cloud applications using CloudConnector. For productive scenarios it canbe used in high-availability setup, whichreduces the chance of interruptedcommunication.
SAP Cloud
Connector
IasIAS
IpsIPS
SoSSO
ApiAPI
R O I A B L E / / 2 0 1 9
A staging area in SAP IdM is simply anotheridentity store with its unique identifier(number) and its attached entry types,attributes, processes, etc. Oneimplementation may have as many stagingareas as needed. However, those sometimesadd unnecessary complexity and they arenot the solution to any data stagingproblem. A very common scenario wherestaging areas are used is during the syncwith the HR system. Often the received dataneeds a number of validations andtransformations and the staging area offersa very good option to execute those beforemoving the clean/verified data to theproductive identity store.
An intermediate storage area between thesource of the information and the actualplace where it will be stored. Usually it istemporary, and its contents can be safelydeleted after a successful transfer to theoriginal target. It could be that the dataundergoes certain transformations andvalidations before being transferred to itsfinal destination. Often it can be used as anassembly point where data from multiplesources is gathered, processed and pushedto the productive area.
Staging area
IdsIdentity
store
VaValidations
HrHR
system
UidUnique identifier
R O I A B L E / / 2 0 1 9
Manual repositories play a very important roleduring the initial architecture of SAP IdM. It iscommon in complex landscapes to be simplyimpossible to connect all systems to SAP IdMusing standard or 3rd party connectors. Even ifpossible, maybe it does not make sense toinvest so much for systems that are probablynot updated so often. Here the answer wouldbe to go for manual repositories. Theirworkflow reaches the important roles withinthe company for a particular system and givesthem very detailed explanations about theaccess that needs to be granted. Onceexecuted, the information is marked in SAPIdM as completed and the access is attachedto the user.
The term manual repository could havemultiple meanings, but the one that appliesmost to our context is: a target system thatis connected to SAP IdM, but provisioning ofusers/access is not automated, ratherrunning through an established workflow.Very often the initial loads for such systemsare executed with files exported from thetarget system and imported in SAP IdM. Forthe end users the system appears as aregular IdM connected repository.
Manual
repository
WrfWorkflow
PiProvisioning
TgTarget
IoInitial load
R O I A B L E / / 2 0 1 9
Although system users do not have an identitylifecycle as most regular users, they can stillbe managed by SAP IdM. For that purpose, aseparate cockpit is built, where such users canbe monitored and handled from creation totermination. A best practice is to have at leastone real person responsible for a system userand the moment it is not needed anymore, thisuser to be suspended and later terminatedmanually by its owner. System users do notsimply need special accounts in IdM, butsometimes require completely newprocesses/branches due to their special statusin the target systems. Because of thatcomplexity they are often left out-of-scope forthe first phases of an SAP IdM implementation.
System users are usually those used formachine to machine communication. Othername, which is often used, is technical users.Such are typically restricted from dialog loginsand have non-expiring passwords andaccounts. Even though there are no realpeople behind those users, they pose a similaror even sometimes bigger threat to theenterprise, if not managed properly. This isbecause system users have much moreprivileges than normal users, which makesthem a hot target for a hacker attack.
System users
IdlIdentity lifecycle
AcAccount
UUser
MMonitoring
R O I A B L E / / 2 0 1 9
Within SAP IdM attribute mapping is deliveredas a predefined template for each connectordepending on the target system that needs tobe connected to the identity store. Onceimported those templates can be manipulatedin order to achieve the expected result. Askilled consultant can add/remove attributesor even use attribute operators (e.g. {d}).Operators should be applied very carefully,since they are case-sensitive and could lead todrastically different results. Additionally,scripts written in JavaScript can be used formore complex transformations. Important isthat every operation triggered by IdM (e.g.creation, modification, etc.) has its own set ofattribute mappings, which need to be adapted.
Attribute mapping is the definition whichtarget system attributes correspond towhich identity store attributes. apredefined map that can be expanded withcustom attributes as long as the connectorallows it. Whenever this is not the case,then the connector needs to be extended orseparate APIs can be implemented to haveaccess to attributes not listed by default.
Attribute
mapping
AttAttribute
SrScript
ApiAPI
IdsIdentity
store
R O I A B L E / / 2 0 1 9
Line managers in SAP IdM are often syncedtogether with the employee from the HRsystem. Normally they are determined basedon the organizational structure of theenterprise. Most companies define a structurewith only one responsible line manager peremployee, but others rely on more complexrule framework, where two or more managerscan be line managers for one employeedepending on what area of their work isaddressed. With standard approval workflowsself-service permission requests are firstapproved by the assigned line managerbefore being processed to further approvallevels or directly assigned to the targetsystem.
A line manager is an employee who directlymanages other employees and operationswhile reporting to a higher-ranked manager.They are responsible also for making surethat their subordinates have the properpermissions in the enterprise landscape tocomplete their job and achieve their goals.Respectively, an IAM system is a key assetfor each line manager, helping them keep aneye on all employee permission requestsand delivering them 360-degree reportsabout the existing access.
Line manager
OsOrganizational
structure
WrfWorkflow
SsSelf-service
ImIAM
R O I A B L E / / 2 0 1 9
The logic used to determine role ownersdiffers from one SAP IdM implementation toanother. It is why there is no standardalgorithm to achieve that. The most commonscenario is to open a form for maintaining roleowners by hand or to assign them during theupload of the business roles. Often self-service permission requests include approvalsfrom role owners, so that they are alsoinformed about the ongoing access changesand can make more informed decisions incase they decide to update the business roleor revise its assignments through anattestation process.
Role owner is a popular term with IAMsolutions. It represents a person, who isresponsible for a particular business role ora set of business roles. Since business rolesrequire good knowledge in both security andbusiness operations, the designated personshould periodically review users attached tothe role through attestation. They are alsooften included in the approval process whena self-service request is started for thebusiness role they are responsible for.
Role owner
WrfWorkflow
SsSelf-service
BrBusiness
role
AteAttestation
R O I A B L E / / 2 0 1 9
Automated repositories are the key to theprocess automation that can be achieved withan SAP IdM system. The more target systemsare connected as automated repositories, thehigher the percentage of automation would be.However, in complex landscapes it is notcommon to connect all systems as automatedrepositories to SAP IdM using standard or 3rd
party connectors. Even if possible, maybe itdoes not make sense to invest so much forsystems that are probably not updated sooften. That is why a good analysis needs to beexecuted before moving on with theimplementation and only repositories with a lotof self-service requests and/or user/accesschanges should be fully automated.
The term automated repository could havemultiple meanings, but the most applicableto our context is: a target system connectedto SAP IdM with enabled automatedprovisioning of users/access. This requires adedicated connector, which might notalways be available and needs to becustom-developed. Connectors themselvesand operations like initial load, creation,modification, termination are delivered astemplates with the respective connectorpackage.
Automated
repository
MrManual
repository
CnConnector
IoInitial load
TgTarget
R O I A B L E / / 2 0 1 9
Reconciliation in SAP IdM is executedfollowing a scheduled procedure and ranthrough a dispatcher enabled forhousekeeping. Entries that need to beprocessed are marked with a so-calledflag. Manual reconciliation is also possibleusing the internal function uIS_PrivReconcile .Reconciliation is applicable to roles andprivileges and is most useful when large setsof assignments need to be recalculated andcorrected. Performing it in one synchronoustransaction could take very long time and putserious load on the system, thus preventingnormal operations. This is unacceptable for acritical system as SAP IdM, so the operation isbroken down into smaller asynchronouschunks.
Reconciliation is a popular term from theaccounting world. Its standard definitionhowever should be adapted in order to fitbetter to the IAM context. So, it is a processthat compares sets of records to check thatthe data and the assignments are correctand in sync (e.g. not dirty). Items that arenot consistent are marked with dirty and arethen processed additionally by IdM in orderto bring the system to an accurate andcomplete state.
Reconciliation
DsDispatcher
PPrivilege
BrBusiness
role
AgAssign-ment
R O I A B L E / / 2 0 1 9
There are three types of constants in SAP IdM.Those would be repository, package and jobconstants. The first are normally defined in atemplate and their values are used to accessthe data source of a repository. The packageconstants are only available within thepackage where they are defined and can becalled by jobs, tasks and scripts as long asthose are part of the same package. A callfrom outside the package, though possible,requires a custom package script. Jobconstants can be used in any field in a passdefinition. They are stored in the job definition.All of the above can be accessed using thefunction uGetConstant .
In computer programming a constant is avalue that cannot be altered by the programduring normal execution, i.e. the value isconstant. When associated with anidentifier, a constant is said to be "named,"although the terms "constant" and "namedconstant" are often used interchangeably.This is contrasted with a variable, which isan identifier with a value that can bechanged during normal execution, i.e. thevalue is variable.
Constants
IpkIdM
package
JbJob
RpRepository
SrScript
R O I A B L E / / 2 0 1 9
SAP IdM is not capable of executing SoDchecks on its own. Here an important roleplays the integration with SAP GRC. It is avery common practice to run approval flowswith integrated GRC step from within SAPIdM. This way not only the existingassignments are risk-free, but also any futureassignment will first pass assessment in GRCand only then it can be assigned to the userin IdM. If risk cannot be eliminated, it shouldbe at least mitigated with a proper mitigationcontrol, which again can be set in SAP GRC.SoD is a very important process within publiccompanies since it is a requirement forcompliance with Sarbanes Oxley Act (SOX).
Segregation of duties (SoD) is an internalcontrol designed to prevent error and fraudby ensuring that at least two individuals areresponsible for the separate parts of anyprocess/task. SoD involves breaking downtasks that might reasonably be completedby a single individual into multiple tasks sothat no one person is solely in control. Acommon segregation of duties for payroll isto have one employee responsible for theaccounting portion of the job and someoneelse responsible for the payments.
Segregation of
duties
GGRC
WrfWorkflow
RaRisk
analysis
AgAssign-ment
R O I A B L E / / 2 0 1 9
With SAP IdM provisioning can be defined bythe creation of objects and setting ofattributes in various repositories. It is basedon setting number of tasks to perform givenactions. Obviously one of the most importantthings for the provisioning is to have aconsistent persistence state of the data. Eventtasks on privileges can also trigger theprovisioning process. During provisioning theaudit trail is updated so that it is easier laterto find who did what and when. Additionalfeatures like chaining tasks,context variables and possible rollbacks makethe provisioning process quite comprehensivesolution that can address even complexneeds.
Provisioning is the process of coordinatingthe creation of user accounts, e-mailauthorizations and others in the form ofrules and roles as well as other tasks likeprovisioning of physical resourcesassociated with enabling new users ormodifying existing ones. To facilitate theprovisioning identity management systemsnormally include a workflow component thatmoves the process from one step to thenext.
Provisioning
AttAttribute
AgAssign-ment
AtAudit trail
WrfWorkflow
R O I A B L E / / 2 0 1 9
Risk analysis is not performed with SAP IdM.For that purpose is used a module of SAP GRCAccess Control called Access Risk Analysis orshortly ARA. Its main function is to performSoD analysis and it was designed to identify,analyze and solve problems related to thetopic. A nice addition is that simulations canbe run in order to verify the organizationalrules before they are applied productively. Thereporting and analysis itself can be carriedout on three levels management, businessand technical. This allows users from eacharea to dig into the details, which are ofinterest to them. Risks that cannot becompletely omitted should implementmitigation controls.
Risk analysis is the process of identifyingand analyzing potential issues that couldnegatively impact key business initiatives orcritical projects in order to helporganizations avoid or mitigate those risks.One of the common analysis that isavailable is the Segregation of Duties (SoD).Normally, solutions have a prebuilt set ofrules available, but those can be modifiedand tailored to the specifics of theorganization. The analysis includes theidentification, mitigation and reporting.
Risk analysis
GGRC
SdSegregation
of duties
MiMitigation
R O I A B L E / / 2 0 1 9
With SAP IdM de-provisioning operates quitesimilar to the provisioning process by actuallymodifying objects and setting attributes invarious repositories. It is again based onsetting number of tasks to perform givenactions. Obviously one of the most importantfactors is to have a consistent persistencestate of the data. Event tasks on privileges canalso trigger the de-provisioning process. Duringde-provisioning the audit trail is updated sothat it is easier to find later who did what andwhen. De-provisioning does not necessarilymean deletion in the target repositories.Sometimes data needs to be retained for acertain period and in those cases the users areonly disabled, instead of physically deleted.
De-provisioning is the process ofcoordinating the removal of user accounts,e-mail authorizations and others in the formof rules and roles as well as other tasks likede-provisioning of physical resourcesassociated with disabling users or limitingtheir access to a particular system. Tofacilitate the de-provisioning, identitymanagement systems normally include aworkflow component that moves theprocess from one step to the next.
De-provisioning
AttAttribute
AgAssign-ment
AtAudit trail
WrfWorkflow
R O I A B L E / / 2 0 1 9
The standard audit trail of SAP IdM is stored inthe database table mxp_audit, which has along list of columns that help you identifyimportant metrics about the particular audit -like the task that this audit record belongs to,date when the audit record was created, statusof the audit record, reference to the parentaudit ID, error message, general information,etc. Although each of these fields has itsmeaning, one of the most cryptic ones is thegeneral information field UserID. Its name ismisleading, since it may contain informationfar beyond the userid like task id, task name,attribute id, entry id, etc. Another approach tobuilding custom audit trails is to store relevantdata in custom entry types.
Audit trail, also referred to as audit log, is asecurity-relevant chronological record, set ofrecords, and/or destination and source ofrecords that provide documentary evidenceof the sequence of activities that haveaffected at any time a specific operation,procedure, or event. Audit records typicallyresult from activities like financialtransactions, scientific research and healthcare data transactions, or communicationsbetween individuals, systems, accounts, orother entities.
Audit trail
EtEntry type
AttAttribute
DbDatabase
TkTasks
R O I A B L E / / 2 0 1 9
The standard way of building an authorizationmatrix with SAP IdM is by maintaining largeCSV files with all the business roles and theirbelonging access across the systemlandscape. However, this approach is veryerror prone and always requires a skilledperson, who will be responsible to upload thefiles, monitor their processing and potentiallyfind any issues that resulted from theoperation. Much better approach would be tohave a proper tool, which is ideally web-basedand allows you to have features likeversioning, validation and collaboration. Thusyou can enable your security team to beproductive and not always rely on technicalpersonnel.
Authorization matrix is one or multiple listsof business roles with their attachedprivileges from all automated and manualrepositories in SAP IdM. It helps keep anoverview of what each business roleprovides as access to the users who have it.After an update to the authorization matrixnormally a reconciliation should be executedin order to bring the roles and privilegesassignments to a consistent state in the IdMsystem.
Authorization
matrix
ArAutomated repository
MrManual
repository
PPrivilege
BrBusiness
role
R O I A B L E / / 2 0 1 9
In SAP IdM context container and leaf objectsrefer to entry type classes. A leaf object is asingle entry type that cannot have children.Such entry type, for example, is MX_PERSON.A container object is an entry type that cancontain other entry types. Examples here couldbe MX_GROUP and MX_ROLE. Following thissimple notation, it is very easy to define whichattributes are available for use when makingreferences between objects. The attributeMXMEMBER_<entry_type> is typical forcontainers, while the MX_REF_<entry_type> isused both with leaves and containersdepending on the hierarchy we would like tobuild.
Container is an object that can containreferences to other objects. A leaf, on theother hand, is seen as an endpoint of abranch and cannot contain other objects.They are often used when hierarchies orassignments have to be designed within ITsystems. Containers are characterized bythe way they access their children/parents,the way those are stored and the way oftraversing the objects within a container.
Containers
and leaves
RsReferences
EtEntry type
AttAttribute
BrBusiness
role
R O I A B L E / / 2 0 1 9
With version 8.0 of SAP IdM a term qualifiedname entered the vocabulary. Already duringinstall a base qualified name, which cannot bechanged afterwards, is requested. It representsa system namespace that should be globallyunique (e.g. com.<company>). The qualifiedname is used as identifier for a package. Publicobjects also have a qualified name, used whencalling them from other packages. Repositorytypes are similarly identified exclusively byqualified name and therefore if we move arepository type from one package to another,its qualified name changes. Same applies toprocesses. Their names should comply with thequalified name requirements.
In computer programming a fully qualifiedname is an unambiguous name thatspecifies which object, function, or variablea call refers to. Normally, the rules forbuilding such qualified names should bepart of the naming convention of eachproject. Often those define a certain prefixthat always precedes the objects based ontheir type and location in the project. Thedot notation is helpful to keep the pathe.g. com.sap.idm.processes.<Qname>
Qualified name
RpRepository
IpkIdM
package
WrfWorkflow
R O I A B L E / / 2 0 1 9
With SAP IdM when we talk about accesscontrol in 99% of the cases we mean formaccess control or who has access to executecertain form. The behalf options allowthe following configurations: meansbasically that this is a form visible to everyonewithout limitations; or identity storecan refer to one specific user, privilege, role orother entry type; the last one is one ofthe most complex since it supports 5 differentmodes: for self-service;
entry for which the user is a manager;entry for which the user is an
owner; entry for which theuser is a member and of wherethe objects have the same entry assigned.
Access control is a security technique thatregulates who or what can view or useresources in a computing environment. It isa fundamental security concept that aims tominimize the risks for the business ororganization. With IAM systems it is used toregulate the access internally for tools anduser interfaces of the product. For example,administrators often have full access to allfunctionalities of the system, while end andkey users have only a subset of the fulladmin access.
Access control
RsReferences
FForm
ImIAM
EtEntry type
R O I A B L E / / 2 0 1 9
Encryption plays an important role in SAP IdM.Its usage comes with multiple aspects. On onehand it is used when encrypting secureattributes like passwords before storing themin the database. On the other hand it is used toencrypt the credentials used for establishingthe connection to the database, for example forthe dispatcher. The encryption keys shouldtherefore be accessible to all components ofan IdM installation. They are stored in a filecalled . which could be storedcentrally or distributed based on the setup.New keys can be generated on certain period,but it is critically important not to delete anyold keys from the file, because this mightrender unusable all previously encrypted data.
Encryption is the method by whichinformation is converted into secret codethat hides the information's true meaning.The science of encrypting and decryptinginformation is called cryptography. There aremany different algorithms that could beused to encrypt a clear text, but some areconsidered not secure, so you always needto first check if the applied algorithm is stillactual. For example 3DES is an algorithmthat is no longer considered secure.
Encryption
DbDatabase
DsDispatcher
IcpIdM
components
AttAttribute
R O I A B L E / / 2 0 1 9
Search results in SAP IdM can be found in theuser interface on multiple occasions. The mostused though is probably the one in the managetab, where authorized users can search theavailable entry types. Others include forexample searching for MX_ASSIGNMENTS (e.g.roles and privileges together). Interestingly, asearch result is not configured, as some mightexpect, using a search form. The columns andthe data displayed in the table of the searchresult are purely dependent on the listedattributes of the searched entry type. On theother hand the search form defines only theattributes over which the search query will beexecuted.
The list of results that a search returns inresponse to specific word or phrase query iscalled search results. Regularly, each listingincludes some kind of a link that expandsmore information about the found result.Advanced search results might include apreview of the complete data behind theresult as well as a semantic ranking, whichhelps the users find the best match for theirsearch query quicker.
Search results
UiUser
interface
EtEntry type
FForm
AttAttribute
R O I A B L E / / 2 0 1 9
Tasks in SAP IdM are very useful for performingoperations in the identity store or the targetsystem. They always operate on entries such asentry types, attributes and assignments. Theysplit in six types: action; conditional; switch;attestation; approval and wait tasks. Action taskcontains a reference to a job that is run after thetask is executed. Conditional one executessubtasks based on the result branch that isfollowed as per some condition, evaluated astrue or false. Switch tasks are similar toconditional ones, but the result can be any exactmatch and more than two exits are supported.Approval and attestation are human tasks andperform sub-flow based on result, e.g. approval.Wait tasks are used for synchronization ofprocess branches.
A general definition of a task would be: thesmallest identifiable and essential piece ofwork that can be performed. Importantaddition for the context we are in is thattasks can be used only as part of aprocess/workflow. They cannot be sharedwith other processes, neither can they becalled outside of the process, where theywere defined. Additional limitation is thatthey cannot be used as an event (e.g.onOK), for that purpose you need to use aprocess.
Tasks
WrfWorkflow
EtEntry type
AgAssign-ment
AttAttribute
R O I A B L E / / 2 0 1 9
Often a collection of passes is responsible forsome of the most important jobs within SAPIdM like initial loads, reconciliation orsynchronization. Generally, there are two typeof passes: and . Theformer reads from a source system or file andwrites in a temporary database table. Thelatter reads from a database table and writesto a target system or to the identity store.During the pass execution attribute mappingand cleansing can be performed. A third typeof passes is also available, but it is not aspopular as the other two. It isan extremely powerful pass, which can call anyshell command, run scripts, start a program,etc.
A pass is an atomic unit that executes apiece of work. It could update or read from arepository but could also read from a sourcesystem or write to a target one. Dependingon their configuration and type differentoptions are available, but passes mustalways be part of a job and their executionis inevitably sequential within the job towhich they are attached. A chain of passesis always executed completely, irrelevant ifany of the passes has failed.
Passes
JbJob
ScSource
TgTarget
DlDelta
R O I A B L E / / 2 0 1 9
References in SAP IdM can be bi-directional orunidirectional. The first are automaticallycreated by IdM if two entry types are definedto have relation between each other. Suchreferences are covered by the attributesMXREF_<ENTRY_TYPE> used for referencing aparent entry and MXMEMBER_<ENTRY_TYPE>used for referencing a child entry. Theunidirectional references are between anattribute and an entry type. Examples here aremany, but some of the standard ones areMX_APPROVERS, MX_MANAGER andMX_OWNER. All of them define a relation tothe entry type MX_PERSON, but with differentsemantics.
Reference is a relation between objects inwhich one object designates or acts asmeans by which to connect to or link toanother object. The first object in thisrelation is said to refer to the second object.The second object is called the referent ofthe first object. Those relations within SAPIdM are depicted by the usage of twoattributes MXREF_<ENTRY_TYPE> andMXMEMBER_<ENTRY_TYPE>.
References
EtEntry type
AttAttribute
ClContainersand leaves
AgAssign-ment
R O I A B L E / / 2 0 1 9
Deltas in SAP IdM are commonly used whenloading data from connected systems (e.g. forsyncing the privileges from a system). Theprocess first marks all loaded entries as
and before it writes them to thetarget generates a hash of every record to bewritten. This is compared to a delta table (ifsuch already exists). If the hash is missing ordifferent, then the entry is written to the targetand the new hash is stored in the delta tablefor future comparison. If hash is already in thetable, the entry is skipped. Delta-enabledpasses can be useful, but also very dangerousif not configured properly, since they mightdelete all entries from the target, if for somereason the connection to the source fails andreturns an empty result.
Delta is an incremental approach to loaddata that only syncs up blocks, which havechanged after the first full load or theprevious delta run. The differences arerecorded either in files or within databasetables as hashes. The process involvesexamining the stored deltas and locating theblocks that have changed since the lastload. Changed data, rather than the entireset, can then be sent to the target, whichsaves computing power and additionalnetwork traffic.
Delta
PsPasses
TgTarget
PPrivilege
DbDatabase
R O I A B L E / / 2 0 1 9
Mitigation controls are available with SAPGRC and could perform functions likeidentifying SoD as a known risk, establishinga period of time during which this risk mayexist (if monitored) and associates a list ofmonitors with the control. Mitigation isavailable for users, roles, profiles and HRobjects and it is an important toolkit to movethe business forward with well-calculated andmonitored risks. Without mitigation controlsmost of the SoD risk checks can establish ablockage of any assignments, which maydelay important business operations anddecisions.
The elimination or reduction of thefrequency, magnitude, or severity ofexposure to risks, or minimization of thepotential impact of a threat or warning isdefined as mitigation. Mitigation controlsare used when you want to make certainfunctionality available to specific users orroles although there are risk violationsassociated with it.
Mitigation
RaRisk
analysis
GGRC
SdSegregation
of duties
UUser
R O I A B L E / / 2 0 1 9
Events in SAP IdM can be attached to forms,entry types, attributes, repositories, processesand identity stores. Respectively, there aremany event types: add when an entry isadded; modify when an entry is modified;delete when an entry is deleted; onOKexecuted when the outcome of a task is ok;onError executed when the outcome of a taskis error; provision and de-provision triggeredon a repository for respective process to bestarted; validate used for starting approvalprocesses; submit when submitting an UIform; notify for raising alerts; and last but notleast, request complete triggered when arequest is completed in a particular identitystore.
Events allow objects to notify other objectsabout important activities. Events are in theheart of the SAP IdM clockwork. They triggerthe execution of important processes likemodification, deletion, provisioning, de-provisioning, etc. Events can start onlyprocesses. During that default event contextvariables are created in the framework. Suchcontext variable for example is#MxEventType, which points to the eventtype that has started the process.
AttAttribute
WrfWorkflow
Events
EtEntry type
PiProvisioning
R O I A B L E / / 2 0 1 9
1 Some references, inspirations and quotes for the general definitions have been used from the following sources:
Websites: sap.com; cio.com; wikipedia.org; techtarget.com; dictionary.cambridge.org; businessdictionary.com; techterms.com; computerhope.com; kissflow.com; study.com; fss.txstate.edu; uxdesign.cc; smallbusiness.chron.com; techopedia.com; zoho.com; investopedia.comAuthors: Neil Miller, Caglar Araz
2 All names and trademarks of software products and services mentioned herein are owned by their registered owners
3 This material is provided by ROIABLE for informational purposes only and does not guarantee against any errors or omissions withrespect to the material
4 Copyright © ROIABLE ®. All rights reserved.
s a l e s @ r o i a b l e . c o m
+ 1 ( 9 2 9 ) 2 3 5 - 9 5 6 0
+ 3 5 9 ( 8 9 9 ) 9 5 4 - 0 2 7
w w w. r o i a b l e . c o m