IBM Security Verify Governance SAP HR Feed Adapter 10.0.2 is available. Compatibility, installation, and other getting-started issues are addressed.
Welcome to the IBM Security Verify Governance SAP HR feed Adapter.
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance manuals were printed:
The SAP HR feed Adapter is designed to reconcile Person and Organizational information from the SAP ABAP server. The adapter runs in "agentless" mode and communicates using standard BAPI and RFC methods supplied with the SAP server. Communication to these BAPI and RFC methods is enabled by the SAP Java Connector (JCo) API.
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product.
The license can be viewed from the "license" folder included in the product package.
Adapter Version
Component | Version
Build Date | 2024 June 26 21.40.45
Adapter Version | 10.0.2
Component Versions | Adapter build: 10.0.2.9; Profile: 10.0.2.9; Connector: 10.0.2.9; Dispatcher 7.1.39 or higher (packaged separately); SAP NW connector version: 10.0.6
Documentation | The following guides are available in the IBM Knowledge Center: SAP HR Feed Adapter Installation and Configuration Guide
New Features
Internal # | Enhancement # (RFE / Idea) | Description
Items included in current release (10.0.2)
 | IGI-I-1141/ADAPT-138 | Improved SAP HR Adapter
Items included in release (10.0.1)
RTC 191290 | ISIM-103/ADAPT-124 | Add support for IBM Security Verify Governance Identity Manager (ISVGIM) starting v10.0.1 FP4 release onwards
RTC 191337 |  | Build with Sap NW connector version 10.0.5
RTC 191337 |  | Add support for JCo 3.1.7
Items included in 7.1.4 release
Internal |  | Added support for JCo 3.0.17.
Internal |  | Build with Sap NW connector version 7.1.29
Items included in 7.1.3 release
None
Items included in 7.1.2 release
RTC 154245 |  | Added support for JCo 3.0.16.
Items included in 7.1.1 release
RTC 152293 |  | Add Support for Identity Governance and Intelligence (IGI) v5.2.2
Closed Issues
Internal # | APAR # / Case # | Description
Items included in current release (10.0.2)
 |  | City attribute of SAP HR Feed adapter is incorrectly mapped with District field of SAP response payload
Items included in release (10.0.1)
RTC 191303 |  | Internal - Even after suspending and terminating an employee in the SAP HR target system, the status still shows as active in ISVG and ISVGIM
Items included in 7.1.4 release
RTC 171786 | IJ03346/BUG 2531 | PMR TS000079006 SAP Adapter: Request is not retried and fails immediately when SAP server is not available. US - As a SAP NW adapter developer, I need to provide correct error messages
Items included in 7.1.3 release
RTC 162843 |  | OUs and Users are missing after SAP recon
Items included in 7.1.2 release
RTC 156200 |  | Added support for Type B connection.
Items included in 7.1.1 release
None
Known Limitations
Internal # | APAR # | Case # / Description
SVGAD-1022 |  | Default attributes included in the adapter are retrieved from the standard BAPIs provided by SAP. Since the Manager attribute is not available as part of a standard BAPI, it is not available in the OOTB adapter.
However, any custom attribute derived using a custom function can be included by customizing the adapter as described in the XSL Stylesheets section under the Configuring chapter. The custom function should be RFC-enabled so that it can be executed remotely using the SAP Java Connector (SAP JCo) library. Note that the custom function should accept Employee ID (PERNR) as an input parameter and should provide related output.
Similarly, if the entry date and leaving date are different from the standard BAPIs and a custom function is used to derive them, then new custom attributes should be created in the adapter profile to map to the output from the custom function. OOTB adapter attribute mappings should not be changed.
Multi Byte Character Support Limitations
All character data transferred between IBM Security Identity Manager Server, the adapter, and SAP ABAP server are encoded as UTF-8. The adapter supports provisioning of multi byte characters to and from a directly connected SAP ABAP Unicode server. Provisioning of ASCII characters is supported for Non-Unicode SAP ABAP servers. The adapter does not support provisioning of multi byte characters to any Non-Unicode ABAP server. Extended ASCII characters are not tested or supported for Non-Unicode SAP ABAP servers.
See the Installation Guide for IBM Security Verify Governance SAP HR adapter for detailed instructions.
Corrections to Install guide:
No Updates for the current release
You can install an IBM Security Verify Governance Adapter or a custom adapter on the built-in Security Directory Integrator in the virtual appliance instead of installing the adapter externally. As such, there is no need to manage a separate virtual machine or system.
About this task
This procedure is applicable to install this adapter on the virtual appliance.
Procedure
1. Download the adapter package from the IBM Passport Advantage.
For example, Adapter-<Adaptername>.zip.
The adapter package includes the following files:
Table 1. Adapter package contents
Files | Descriptions
bundledefinition.json | The adapter definition file. It specifies the content of the package, and the adapter installation and configuration properties that are required to install and update the adapter.
Adapter JAR profile | A Security Directory Integrator adapter always includes a JAR profile, which contains: targetProfile.json (service provider configuration, resource type configuration, SCIM schema extensions, list of assembly lines); a set of assembly lines in XML files; a set of forms in XML files; custom properties that include labels and messages for supported languages. Use the Target Administration module to import the target profile.
Additional adapter specific files | Examples of adapter specific files: connector jar files, configuration files, script files, properties files. The file names are specified in the adapter definition file along with the destination directory in the virtual appliance.
2. From the top-level menu of the Appliance Dashboard, click Configure > SDI Management.
3. Select the instance of the Security Directory Integrator for which you want to manage the adapters and click Manage > SDI Adapters.
The SDI Adapters window is displayed with a table that lists the name, version, and any comments about the installed adapters.
4. On the SDI Adapters window, click Install.
5. On the File Upload window, click Browse to locate the adapter package and then click OK.
For example, Adapter-<Adaptername>.zip.
6. Provide the missing 3rd party libraries when prompted.
a. On the File Upload for Pre-requisite files window, click Select Files.
A new File Upload window is displayed.
b. Browse and select all the missing libraries. For example, sapjco3.jar
c. Click Open.
The selected files are listed in the File Upload for Pre-requisite files window.
d. Click OK.
The missing files are uploaded and the adapter package is updated with the 3rd party libraries.
7. Enable secure communication.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Edit.
c. Click the Enable SSL check box.
d. Click Save Configuration.
8. Import the SSL certificate to the IBM® Security Directory Integrator server.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Manage > Certificates.
c. Click the Signer tab.
d. Click Import.
The Import Certificate window is displayed.
e. Browse for the certificate file.
f. Specify a label for the certificate. It can be any name.
g. Click Save.
Note: While uploading the adapter package, you might receive the error System Error: A file included in the SDI Adapter zip already exists on the system, and the Server Message log under the Appliance tab of the VA will contain a reference to the error com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system. This happens because the same swidtags can be installed only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. Please visit Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
Before you begin
The steps to install the adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running the Kubernetes CLI. The adapterUtil.sh script is also readily available in the bin directory of the IBM Security Verify Governance Identity Manager Container Starter Kit installation directory (if ISVDI was selected for installation during the ISIM container installation steps).
If, for any reason, the adapter util script cannot be executed or used, the below manual instructions must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing or uninstalling the adapter and any changes to the configuration yaml. To activate changes and restart the container run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· For OpenShift container: oc -n isvgim rollout restart deployment isvdi
· For kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Use below command to install / upgrade/ re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-SapHRFeed-*.zip" accept
Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed and /path/to/Adapter-SapHRFeed-*.zip is the location where the Adapter zip file is staged on the machine running Kubernetes cli.
Manually
Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:
SapNWUserConnector.jar and SapNWSupport.jar
Copy these files to <Persistent_Volume>/jars/connectors directory.
SapNWRfc.jar
Copy this file to <Persistent_Volume>/jars/functions directory.
XSL and sapnw_bapi_errors.properties files:
Copy below files to <Persistent_Volume>/swidtag directory:
sapnw_bapi_person_getdetail_precall.xsl
sapnw_bapi_person_address_precall.xsl
sapnw_bapi_person_email_precall.xsl
sapnw_bapi_employee_getdata_precall.xsl
sapnw_bapi_employee_absence_getdetail_precall.xsl
sapnw_bapi_person_getdetail_postcall.xsl
sapnw_bapi_errors.properties
ILMT-Tags
Copy below files to <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Application_Adapters-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
Copying 3rd party libraries:
Using Script
Use below command to copy 3rd party jar and library file:
/path/to/adapterUtil.sh -copyTo3rdpartyOthers "/path/to/sapjco3.jar"
/path/to/adapterUtil.sh -copyToLibs "/path/to/libsapjco3.so"
These commands copy the files to the <Persistent_Volume>/jars/3rdparty/others and <Persistent_Volume>/libs directories, respectively.
Manually
Copy sapjco3.jar file to <Persistent_Volume>/jars/patches directory and libsapjco3.so to <Persistent_Volume>/libs directory. (Refer release notes for the supported jar versions)
Enabling TLS 1.2
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced page from SVDI.
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have an advanced configuration element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.
To enable TLSv1.2, add 2 attr and value (key pair as mentioned in the SVDI guide) as below:
- attr: com.ibm.di.SSLProtocols
  value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
  value: 'TLSv1.2'
Note: The container must be restarted after making these changes to the configuration yaml. To activate changes and restart the container run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· For OpenShift container: oc -n isvgim rollout restart deployment isvdi
· For kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Enabling debug logs and disabling json-logging
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging page from SVDI.
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have root-level and json-logging configuration elements, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to add the root-level and json-logging configuration elements to the config.yaml file.
To enable debug logs, set value for root-level to debug and to disable json logging, set value for json-logging element to false.
Note: The container must be restarted after making these changes to the configuration yaml. To activate changes and restart the container run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· For OpenShift container: oc -n isvgim rollout restart deployment isvdi
· For kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Uninstalling the adapter
Using Script
Use below command to remove the adapter:
/path/to/adapterUtil.sh -removeAdapter Adapter-SapHRFeed
Manually
Remove files from the given directory structure of the persistent volume mapped to /opt/IBM/svgadapters directory of the container image.
Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:
SapNWUserConnector.jar and SapNWSupport.jar
Remove these files from the <Persistent_Volume>/jars/connectors directory.
SapNWRfc.jar
Remove this file from the <Persistent_Volume>/jars/functions directory.
XSL and sapnw_bapi_errors.properties files:
Remove the files below from the <Persistent_Volume>/swidtag directory:
sapnw_bapi_person_getdetail_precall.xsl
sapnw_bapi_person_address_precall.xsl
sapnw_bapi_person_email_precall.xsl
sapnw_bapi_employee_getdata_precall.xsl
sapnw_bapi_employee_absence_getdetail_precall.xsl
sapnw_bapi_person_getdetail_postcall.xsl
sapnw_bapi_errors.properties
ILMT-Tags
Remove the files below from the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Application_Adapters-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
Under "Table 1, Adapter components" against the "ITDI_HOME/libs" record update the library files as below:
sapjco3.dll or libsapjco3.so
Under "Table 1, Adapter components" against the "ITDI_HOME/solution/xsl" record update the list of files as below:
- sapnw_bapi_errors.properties
- sapnw_bapi_person_getdetail_precall.xsl
- sapnw_bapi_person_address_precall.xsl
- sapnw_bapi_person_email_precall.xsl
- sapnw_bapi_employee_getdata_precall.xsl
- sapnw_bapi_employee_absence_getdetail_precall.xsl
- sapnw_bapi_person_getdetail_postcall.xsl
Below description is only for IBM Security Verify Governance Identity Manager
There are three adapter profiles included in the SAP HR Feed Adapter distribution package: IdentityManager\BPPerson\SapHRProfile.jar, IdentityManager\Person\SapHRProfile.jar and ISVG\SapHRProfile.jar
The difference between the three profiles is that the IdentityManager\BPPerson\SapHRProfile.jar and IdentityManager\Person\SapHRProfile.jar can be only used with IBM Security Verify Governance Identity Manager instance whereas ISVG\SapHRProfile.jar can only be used with IBM Security Verify Governance instance.
If Business Partner entity is in scope then IdentityManager\BPPerson\SapHRProfile.jar should be used in IBM Security Verify Governance Identity Manager instance else IdentityManager\Person\SapHRProfile.jar should be used. It is not possible for both IdentityManager\BPPerson\SapHRProfile.jar and IdentityManager\Person\SapHRProfile.jar profiles to exist in the same IBM Security Verify Governance Identity Manager instance.
Below description is only for IBM Security Verify Governance
There are three adapter profiles included in the SAP HR Feed Adapter distribution package: IdentityManager\BPPerson\SapHRProfile.jar, IdentityManager\Person\SapHRProfile.jar and ISVG\SapHRProfile.jar
The difference between the three profiles is that the IdentityManager\BPPerson\SapHRProfile.jar and IdentityManager\Person\SapHRProfile.jar can be only used with IBM Security Verify Governance Identity Manager instance whereas ISVG\SapHRProfile.jar can only be used with IBM Security Verify Governance instance.
For IBM Security Verify Governance instance IdentityManager\BPPerson\SapHRProfile.jar and IdentityManager\Person\SapHRProfile.jar profiles should not be used.
Before you begin:
The Dispatcher must be installed
Procedure:
Copy the files from ILMT-Tags folder to the specified location:
1. Windows: <SDI-HOME>\swidtag
2. UNIX/Linux: <SDI-HOME>/swidtag
Adapter Details tab (Below additional attributes are applicable only for IBM Security Verify Governance Identity Manager)
Person profile name
This is a read only field with "SapHRPerson" value.
Use workflow
If this check box is checked, then an identity policy needs to be created for the IBM Security Governance Identity Manager account for the new person. By default, Use workflow check box is checked.
Evaluate separation of duty policy when workflow is used
This check box should be checked if evaluation of the separation of duty policy is required when the workflow is used.
Placement rule
Provide details for Placement rule. If you do not specify, the default org is used.
Absence Duration Configuration tab (New content to be added)
Offset type
Select one of the options listed below for the offset type to be used for calculation of start and end dates used in the BAPI_ABSENCE_GETDETAILEDLIST RFC request.
· SAP default (Start date : 18000101 and end date: 99991231)
· Customized dates
· Days offset
If no option is selected, adapter will use SAP default 18000101 and 99991231 as start and end dates.
If customized dates option is selected, then the values provided in Customized start date and Customized end date form elements will be used.
If days offset option is selected, then the values provided in Offset in days prior to today's date and Offset in days after today's date form elements will be used.
Customized start date
Provide a start date. If no value is provided, then SAP default start date 18000101 will be used.
Customized end date
Provide an end date. If no value is provided, then SAP default end date 99991231 will be used.
Offset in days prior to today's date
Provide any negative or positive offset value. If no offset is provided, then SAP default start date 18000101 will be used.
If offset is negative, then the offset value will be added to current date to calculate the start date.
If offset is positive, then the offset value will be subtracted from current date to calculate the start date.
Offset in days after today's date
Provide any negative or positive offset value. If no offset is provided, then SAP default end date 99991231 will be used.
If offset is negative, then the offset value will be subtracted from current date to calculate the end date.
If offset is positive, then the offset value will be added to current date to calculate the end date.
SAP Connection Details Tab
Optional RFC Connection Parameters (This is new attribute to be added)
This attribute allows for alternative SAP connectivity parameters to be specified. The value of this attribute is a formatted string of name-value pairs. Each pair must be separated by a single pipe (|) character. The name parts must be in lowercase characters. The general format of the value of this attribute is shown in this example:
<name1>=<value1>|<name2>=<value2>|...|<nameN>=<valueN>
For example, the following string value would set the SAP Message Server to messageserver.com with System ID PR0 and Group SPACE:
mshost=messageserver.com|r3name=PR0|group=SPACE
The names and values are those supported directly by the SAP RFC API. A summary of the names is supplied in the following table:
Table 1. Names supported by SAP RFC API
Name | Description
Client | SAP client
User | User name for logon. Set to $MYSAPSSO2$ if you are using SSO logon. Set to $X509CERT$ if you are using X509 certificates.
alias user | Alias for user name
Passwd | Password of the user. If you are using SSO or X509 certificates, supply base64 encode value of SSO ticket or X509 certificate.
Lang | Log on language to be used
Sysnr | System number of the target SAP system
Ashost | Host name of the target SAP application server
Mshost | Host name of message service
Gwhost | Host name of the SAP gateway service
Gwserv | Gateway service name
r3name | R/3 name
Group | Name of SAP application server group
Tpname | Program Id of external RFC server program
Tphost | Host name of external RFC server program
Trace | Set to 1 to enable RFC API trace logging
Codepage | SAP code page
getsso2 | Set to 1 to obtain SAP SSO ticket
mysapsso2 | SAP Cookie version 2 as logon ticket
x509cert | X509 certificate as logon ticket
snc_mode | Set to 1 to enable secure network connection
snc_partnername | SNC name
snc_qop | SNC strength, 1 - 9
snc_myname | SNC name. Overrides partner name
snc_lib | Path name to SNC library implementation
Extiddata | External authentication (PAS) data
Extidtype | External authentication type
Type B (Load balancing) connection
The mandatory attributes for Type B connection are client, user, passwd, lang, type, mshost, r3name, and group.
To establish Type B (Load Balancing) connection, add the following value under Optional RFC Connection Parameters:
type=B|mshost=<Message Server Name>|r3name=<SYSTEM ID>|group=<Name of SAP application server group>
For example: type=B|mshost=SAPPR0|r3name=PR0|group=SPACE where message server name is SAPPR0 with systemID as PR0 and group SPACE.
Note:
- The dispatcher must be restarted for each change in the Optional RFC Connection Parameters field.
- To establish a Type B (Load Balancing) connection, enable RFC Load balancing in SAP system.
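The following added example (not part of the IBM adapter or its documentation) lints an Optional RFC Connection Parameters value against the rules stated above: pipe-separated pairs, lowercase names, names from the table, the Type B parameters and the snc_qop range. Treating trace=1, an embedded passwd and a missing snc_mode=1 as warnings is this example's own policy; the function names, the alias_user spelling for the "alias user" row, and the assumption that client, user, passwd and lang come from the other service form fields are not from the page.

```python
"""Lint an 'Optional RFC Connection Parameters' value (added example, not IBM code)."""

# Names from the table above, lowercased as the field requires, plus "type",
# which the Type B section uses. "alias_user" is assumed for the "alias user" row.
KNOWN_NAMES = frozenset({
    "client", "user", "alias_user", "passwd", "lang", "sysnr", "ashost",
    "mshost", "gwhost", "gwserv", "r3name", "group", "tpname", "tphost",
    "trace", "codepage", "getsso2", "mysapsso2", "x509cert", "snc_mode",
    "snc_partnername", "snc_qop", "snc_myname", "snc_lib", "extiddata",
    "extidtype", "type",
})

# Parameters the page's Type B example places in this field. client, user,
# passwd and lang are assumed to come from the other service form fields.
TYPE_B_IN_FIELD = ("mshost", "r3name", "group")


def parse_rfc_params(value):
    """Split 'name=value|name=value' into a dict, collecting format errors."""
    params, errors = {}, []
    for pos, segment in enumerate(value.split("|"), start=1):
        if not segment.strip():
            errors.append(f"pair {pos}: empty (use a single '|' between pairs)")
            continue
        # Split on the first '=' only, so base64 values keep their padding.
        name, sep, val = segment.partition("=")
        if not sep or not name or not val:
            errors.append(f"pair {pos}: expected <name>=<value>, got {segment!r}")
        elif name != name.lower():
            errors.append(f"pair {pos}: name {name!r} must be lowercase")
        elif name not in KNOWN_NAMES:
            errors.append(f"pair {pos}: unknown name {name!r}")
        elif name in params:
            errors.append(f"pair {pos}: duplicate name {name!r}")
        else:
            params[name] = val
    return params, errors


def lint_rfc_params(value):
    """Return parsed params plus errors (invalid) and warnings (review)."""
    params, errors = parse_rfc_params(value)
    warnings = []

    if params.get("type") == "B":
        missing = [n for n in TYPE_B_IN_FIELD if n not in params]
        if missing:
            errors.append("type=B needs " + ", ".join(missing))

    qop = params.get("snc_qop")
    if qop is not None and qop not in set("123456789"):
        errors.append(f"snc_qop must be 1 - 9, got {qop!r}")

    # Policy choices of this example, not product behaviour.
    if params.get("snc_mode") != "1":
        warnings.append("snc_mode=1 not set: secure network connection is not enabled here")
    if params.get("trace") == "1":
        warnings.append("trace=1 enables RFC API trace logging; turn it off after debugging")
    if "passwd" in params:
        warnings.append("passwd value is embedded in the parameter string")

    return {"params": params, "errors": errors, "warnings": warnings}


# The first value is the page's Type B example; the second is constructed.
PAGE_EXAMPLE = "type=B|mshost=SAPPR0|r3name=PR0|group=SPACE"
CONSTRUCTED_BAD = "type=B|mshost=SAPPR0|R3NAME=PR0||trace=1|snc_mode=1|snc_qop=12"

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        report = lint_rfc_params(sample)
        print(sample)
        for kind in ("errors", "warnings"):
            for message in report[kind]:
                print(f"  {kind[:-1]}: {message}")
```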
Attribute Mapping (This is applicable only for IBM Security Verify Governance)
Remove existing content of this section and add below details:
Attribute mapping is required to define which target attributes correspond to the Verify Governance User or OU attributes.
About this task
This task involves either a user or OU attribute mapping definition file, which is included in the HR adapter package.
The file consists of Verify Governance User or OU attributes and their equivalent attributes in the managed HR target. The file is structured as <IGI_attribute> = <HR_target_attribute>.
The <IGI_attribute> is fixed and must not be modified. Edit only the <HR_target_attribute>. Some <IGI_attribute> already has a fixed equivalent <HR_target_attribute>. For example:
GIVEN_NAME=ersaphrgivenname
Some <IGI_attribute> do not have a defined <HR_target_attribute> and you can assign the mapping. For example:
USER_TYPE=USER_TYPE
ATTR1=ATTR1
Note:
- The default mapping is already included out-of-the box. If there are no changes to the attribute mapping, there is no need to import the attribute mapping files.
- It might take up to 10 minutes for the attribute mapping changes to take effect once the file is imported.
Procedure
1. Open the mapping definition file by using any text editor.
2. Edit the mapping.
3. If the target attribute has a list of predefined values, use the following syntax to convert its values to the corresponding Verify Governance attribute values.
[conversion].<HR_target_attribute>.<IGI_attribute> = [<HR_target_attribute_value1>=<IGI_attribute_value1>;...;<HR_target_attribute_valuen>=<IGI_attribute_valuen>]
For example:
[conversion].ersaphrgender.GENDER=[M=0;F=1]
4. For attributes that contain date and time, use the following syntax to convert their values.
For example:
[conversion.date].ersaphrdob.BIRTHDAY=[yyyyMMdd=dd/MM/yyyy HH:mm:ss]
[conversion.date].ACCOUNT_EXPIRY_DATE.ACCOUNT_EXPIRY_DATE=[dd/MM/yyyy HH:mm:ss=dd/MM/yyyy HH:mm:ss]
5. Import the updated mapping definition file through the Enterprise Connectors module. For more information, see Attribute-to-permission mapping service in the IBM Security Verify Governance product documentation.
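How the mapping and conversion lines described above fit together, as an added Python example that is not part of the adapter or of IBM's documentation: it parses a mapping definition and applies it to one reconciled record, which is a convenient way to check an edited file before importing it. The sample file and record are constructed from the page's example lines, only the six date tokens that appear in those lines are translated, and reporting unconvertible values separately is this example's own choice, not documented product behaviour.

```python
"""Parse an attribute-mapping definition and apply it to one HR record (added example)."""
import re
from datetime import datetime

# [conversion].<HR_target_attribute>.<IGI_attribute> = [ ... ]
# [conversion.date].<HR_target_attribute>.<IGI_attribute> = [ ... ]
RULE = re.compile(
    r"^\[(conversion(?:\.date)?)\]\.([^.=\s]+)\.([^.=\s]+)\s*=\s*\[(.*)\]$"
)

# Only the date tokens used in the page's examples are translated.
JAVA_TOKENS = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}


def to_strptime(pattern):
    """Translate a date pattern such as yyyyMMdd into strptime syntax."""
    return re.sub("yyyy|MM|dd|HH|mm|ss", lambda m: JAVA_TOKENS[m.group()], pattern)


def parse_mapping(text):
    """Return attribute mappings, value tables and date rules from the file text."""
    mapping = {"attrs": {}, "values": {}, "dates": {}}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        rule = RULE.match(line)
        if rule:
            kind, hr_attr, igi_attr, body = rule.groups()
            if kind == "conversion.date":
                source, sep, target = body.partition("=")
                if not sep:
                    raise ValueError(f"line {number}: date rule needs <in>=<out>")
                mapping["dates"][(hr_attr, igi_attr)] = (source, target)
            else:
                pairs = [p.partition("=") for p in body.split(";") if p]
                if any(not sep for _, sep, _ in pairs):
                    raise ValueError(f"line {number}: value rule needs <hr>=<igi> pairs")
                mapping["values"][(hr_attr, igi_attr)] = {s: t for s, _, t in pairs}
        elif "=" in line and not line.startswith("["):
            # <IGI_attribute> = <HR_target_attribute>
            igi_attr, _, hr_attr = line.partition("=")
            mapping["attrs"][igi_attr.strip()] = hr_attr.strip()
        else:
            raise ValueError(f"line {number}: not a mapping or conversion rule: {line!r}")
    return mapping


def apply_mapping(mapping, record):
    """Map one HR record; return (mapped attributes, HR attributes left unconverted)."""
    mapped, unconverted = {}, []
    for igi_attr, hr_attr in mapping["attrs"].items():
        if hr_attr not in record:
            continue
        value, key = record[hr_attr], (hr_attr, igi_attr)
        if key in mapping["values"]:
            table = mapping["values"][key]
            if value not in table:
                unconverted.append(hr_attr)
                continue
            value = table[value]
        elif key in mapping["dates"]:
            source, target = mapping["dates"][key]
            try:
                parsed = datetime.strptime(value, to_strptime(source))
            except ValueError:
                unconverted.append(hr_attr)
                continue
            value = parsed.strftime(to_strptime(target))
        mapped[igi_attr] = value
    return mapped, unconverted


# Constructed sample: the conversion lines are the page's examples, the GENDER
# and BIRTHDAY mapping lines and the record values are made up for illustration.
SAMPLE_MAPPING = """\
GIVEN_NAME=ersaphrgivenname
GENDER=ersaphrgender
BIRTHDAY=ersaphrdob
[conversion].ersaphrgender.GENDER=[M=0;F=1]
[conversion.date].ersaphrdob.BIRTHDAY=[yyyyMMdd=dd/MM/yyyy HH:mm:ss]
"""
SAMPLE_RECORD = {"ersaphrgivenname": "Ana", "ersaphrgender": "F", "ersaphrdob": "19850314"}

if __name__ == "__main__":
    print(apply_mapping(parse_mapping(SAMPLE_MAPPING), SAMPLE_RECORD))
```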
Below description is only for IBM Security Verify Governance Identity Manager
Read the adapter Release Notes for any specific instructions before you import a new adapter profile.
There are three adapter profiles included in the SAP HR Feed Adapter distribution package: IdentityManager\BPPerson\SapHRProfile.jar, IdentityManager\Person\SapHRProfile.jar and ISVG\SapHRProfile.jar
The difference between the three profiles is that the IdentityManager\BPPerson\SapHRProfile.jar and IdentityManager\Person\SapHRProfile.jar can be only used with IBM Security Verify Governance Identity Manager instance whereas ISVG\SapHRProfile.jar can only be used with IBM Security Verify Governance instance.
If Business Partner entity is in scope then IdentityManager\BPPerson\SapHRProfile.jar should be used in IBM Security Verify Governance Identity Manager instance else IdentityManager\Person\SapHRProfile.jar should be used. It is not possible for both IdentityManager\BPPerson\SapHRProfile.jar and IdentityManager\Person\SapHRProfile.jar profiles to exist in the same IBM Security Verify Governance Identity Manager instance.
Below description is only for IBM Security Verify Governance
Read the adapter Release Notes for any specific instructions before you import a new adapter profile.
There are three adapter profiles included in the SAP HR Feed Adapter distribution package: IdentityManager\BPPerson\SapHRProfile.jar, IdentityManager\Person\SapHRProfile.jar and ISVG\SapHRProfile.jar
The difference between the three profiles is that the IdentityManager\BPPerson\SapHRProfile.jar and IdentityManager\Person\SapHRProfile.jar can be only used with IBM Security Verify Governance Identity Manager instance whereas ISVG\SapHRProfile.jar can only be used with IBM Security Verify Governance instance.
For IBM Security Verify Governance instance IdentityManager\BPPerson\SapHRProfile.jar and IdentityManager\Person\SapHRProfile.jar profiles should not be used.
Note: Restart the Dispatcher service after importing the profile. Restarting the Dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.
About this task
(Update existing note as below)
Note: You cannot modify the schema for this adapter. You cannot add or delete attributes from the schema. The custom attributes added to schema.dsml however OOTB delivered should not be deleted. The object identifiers for the custom attributes should match the convention of appending -OID to an attribute name, for example:
<attribute-type single-value = "true" >
  <name>myAttribute</name>
  <description>my description</description>
  <object-identifier>myAttribute-OID</object-identifier>
  <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type>
(Add another note as below)
Note: Changes to the connector's initialization parameters are not supported.
Support for custom adapters
(Update the content as below)
The integration to IBM Security Verify Governance servers "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a Support Case is opened.
RECONCILIATION ADVANCED MAPPING TAB
Search Person Basic Iterate Request XSL Stylesheet
(Update the list precall XSL files as below)
xsl/sapnw_bapi_person_getdetail_precall.xsl
xsl/sapnw_bapi_person_address_precall.xsl
xsl/sapnw_bapi_person_email_precall.xsl
sapnw_bapi_employee_getdata_precall.xsl
sapnw_bapi_absence_getdetailedlist_precall.xsl
Customizing XSL stylesheets (Add new section at the end of the page)
The adapter supports below type of customizations to the XSL stylesheets:
· Including / Excluding attributes supported by the OOTB adapter.
Steps:
o Modify the sapnw_bapi_person_getdetail_postcall.xsl file to include / exclude attributes by adding / removing the XSLT code.
o Modify the profile if the added attributes aren’t supported by the adapter.
· Including attributes which are available in the existing BAPI response but not supported by the OOTB adapter.
Steps:
o OOTB adapter supports below BAPIs, by default all these BAPIs are included. If all attributes from a particular BAPI are to be excluded, this can be achieved by excluding the matching XSL stylesheet from the list of values that is specified in the "Search Person Basic Iterate Request XSL Stylesheets" attribute in the service form.
Name of BAPI | Name of corresponding XSL stylesheet
BAPI_PERSDATA_GETDETAILEDLIST | sapnw_bapi_person_getdetail_precall.xsl
BAPI_ADDRESSEMPGETDETAILEDLIST | sapnw_bapi_person_address_precall.xsl
BAPI_EMPLCOMM_GETDETAILEDLIST | sapnw_bapi_person_email_precall.xsl
BAPI_EMPLOYEE_GETDATA | sapnw_bapi_employee_getdata_precall.xsl
BAPI_ABSENCE_GETDETAILEDLIST | sapnw_bapi_absence_getdetailedlist_precall.xsl
· Adding new BAPI which is not included in the OOTB adapter.
Steps:
o Create a precall xsl file referring to the files shared with this adapter to generate the BAPI request xml.
o Add all the precall xsl files (including the ones provided by adapter) to the "Search Person Basic Iterate Request XSL Stylesheets" attribute of Service form.
o Modify the sapnw_bapi_person_getdetail_postcall.xsl file to include attributes from the xml response of new BAPI.
o Modify the profile to add the custom attributes not included in the OOTB adapter.
Note: Customization is only supported for the Account / Person object class and not supported for the Supporting data object classes.
Note: Addition of new transformations to XSL file for the custom attributes is supported, however modification of transformations for OOTB delivered attributes is not supported.
Note: The BAPIs that require input parameters other than the Employee Number / Employee ID are not supported by the adapter.
Procedure: (Update the steps as below)
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
Post-7.2.0-ISS-SDI-FP0011 (To enable TCB block in debug)
4. Append the line com.ibm.di.logging.close=false in the <SDI_HOME>/etc/global.properties file.
5. Start the SDI Server process
6. Re-create the problem and collect the /logs/ibmdi.log
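A check for the three settings this procedure changes, useful for confirming the logging state of an SDI etc directory before and after a troubleshooting session. This is an added example, not part of the IBM release notes or the adapter; the function names and the sample files it writes are constructed for illustration, and treating TRACE and ALL as debug-level is an assumption that goes beyond the DEBUG value shown in the steps.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

VERBOSE = {"DEBUG", "TRACE", "ALL"}  # log4j levels at least as verbose as DEBUG


def read_properties(path):
    """Parse a Java .properties file into a dict, skipping comments and blanks."""
    props = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
            if m:
                props[m.group(1)] = m.group(2)
    return props


def sdi_debug_state(etc_dir):
    """Report which settings from the procedure are in their debug state."""
    etc = Path(etc_dir)
    state = {"log4j.properties": False, "log4j2.xml": False, "logging.close=false": False}

    legacy = etc / "log4j.properties"  # pre-7.2.0-ISS-SDI-FP0008
    if legacy.is_file():
        root = read_properties(legacy).get("log4j.rootCategory", "")
        state["log4j.properties"] = root.split(",")[0].strip().upper() in VERBOSE

    modern = etc / "log4j2.xml"  # post-7.2.0-ISS-SDI-FP0008
    if modern.is_file():
        for el in ET.parse(modern).iter():
            if el.tag.rsplit("}", 1)[-1] == "Root":  # tolerate an XML namespace
                state["log4j2.xml"] = el.get("level", "").upper() in VERBOSE

    global_props = etc / "global.properties"  # post-7.2.0-ISS-SDI-FP0011
    if global_props.is_file():
        value = read_properties(global_props).get("com.ibm.di.logging.close", "")
        state["logging.close=false"] = value.strip().lower() == "false"
    return state


def write_sample_etc(base_dir, debug):
    """Write constructed sample config files (not real SDI files); return etc/."""
    etc = Path(base_dir) / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    level = "DEBUG" if debug else "INFO"
    (etc / "log4j.properties").write_text(
        f"# constructed sample\nlog4j.rootCategory={level}, Default\n", encoding="utf-8")
    (etc / "log4j2.xml").write_text(
        f'<Configuration><Loggers><Root level="{level.lower()}">'
        '<AppenderRef ref="Default"/></Root></Loggers></Configuration>', encoding="utf-8")
    (etc / "global.properties").write_text(
        "com.ibm.di.logging.close=false\n" if debug else "# constructed sample\n",
        encoding="utf-8")
    return etc


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for debug in (True, False):
            print(debug, sdi_debug_state(write_sample_etc(tmp, debug)))
```

Point `sdi_debug_state` at the real etc directory of the SDI installation or solution directory; a file that does not exist for the installed fix pack level is reported as False.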
(Update Table 1 as below)
Table 1. Supported attributes for erSapHRAccount object class
Attribute Name | Description | Required | Managed Resource Attribute |
erUid | Employee number | Yes | PERNR field from PA0002 Table |
eraccountstatus | Account Status | No | STAT2 field from PA0000 Table |
ersaphrgivenname | First name of person | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/FIRSTNAME |
ersaphrlastname | Last name of person | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/LASTNAME |
ersaphrgender | Gender | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/GENDER |
ersaphrdob | Date of birth | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/DATEOFBIRTH |
ersaphrbirthplace | Place of birth | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/BIRTHPLACE |
ersaphrbirthcountry | Country of birth | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/COUNTRYOFBIRTH |
ersaphrzipcode | Zip Code | No | BAPI_ADDRESSEMPGETDETAILEDLIST.Response/ADDRESS/item/POSTALCODECITY |
ersaphrcountry | Country | No | BAPI_ADDRESSEMPGETDETAILEDLIST.Response/ADDRESS/item/NAMEOFCOUNTRY |
ersaphrphoneno | Phone number | No | BAPI_ADDRESSEMPGETDETAILEDLIST.Response/ADDRESS/item/TELEPHONENUMBER |
ersaphraddress | Address | No | BAPI_ADDRESSEMPGETDETAILEDLIST.Response/ADDRESS/item/STREETANDHOUSENO |
ersaphrcity | City | No | BAPI_ADDRESSEMPGETDETAILEDLIST.Response/ADDRESS/item/CITY |
ersaphrdistrict | District | No | BAPI_ADDRESSEMPGETDETAILEDLIST.Response/ADDRESS/item/DISTRICT |
ersaphremailid | Email ID | No | BAPI_EMPLCOMM_GETDETAILEDLIST.Response/COMMUNICATION/item/ID |
ersaphrpersonou | Organizational unit | No | ORGEH Field from PA0001 Table |
ersaphrnickname | Nickname | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/KNOWN_AS |
ersaphrinitials | Initials | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/INITIALS |
ersaphrfullname | Full Name | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/FULLNAME |
ersaphrlanguage | Language | No | BAPI_PERSDATA_GETDETAILEDLIST.Response/PERSONALDATA/item/LANGUAGE |
ersaphrcocode | Company | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/COMP_CODE |
ersaphrpersarea | Pers. Area | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/PERS_AREA |
ersaphrperssubarea | Sub Area | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/P_SUBAREA |
ersaphrbusarea | Bus. Area | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/BUS_AREA |
ersaphrcc | Cost Center | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/COSTCENTER |
ersaphrlegperson | Leg. Person | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/LEG_PERSON |
ersaphrempgrp | Employee group | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/EGROUP |
ersaphrempsubgrp | Employee subgroup | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/ESUBGROUP |
ersaphrcontract | Contract | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/CONTRACT |
ersaphrpos | Position | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/POSITION |
ersaphrjob | Job title | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/JOB |
ersaphrorgkey | Organization | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/ORG_KEY |
ersaphradmingrp | Admin Group | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/ADMINGROUP |
ersaphrpersadmin | Pers Admin | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/PERS_ADMIN |
ersaphrsupervisor | Supervisor | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/SUPERVISOR |
ersaphrstartdate | Start Date | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/FROM_DATE |
ersaphrenddate | End Date | No | BAPI_EMPLOYEE_GETDATA/TABLES/ORG_ASSIGNMENT/TO_DATE |
ersaphrentrydate | Entry Date | No | BAPI_EMPLOYEE_GETDATA/TABLES/PERSONALDATA/FROM_DATE |
ersaphrleavingdate | Leaving date | No | BAPI_EMPLOYEE_GETDATA/TABLES/PERSONALDATA/TO_DATE |
ersaphrabsences | Absences | No | BAPI_ABSENCE_GETDETAILEDLIST/TABLES/ABSENCE/(ABSENCETYPENAMEOFABSENCETYPE|VALIDBEGIN|VALIDEND) |
ersaphrempstatus | Employment Status | No | STAT2 field from PA0000 Table |
(Add Table 1.1 to 1.12 as listed below after Table 1)
Table 1.1 Supported attributes for erSapHROrgList object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrorgid | Organization Unit ID | Yes | ORGEH field from T527X Table |
ersaphrorgname | Organization Unit Name | No | ORGTX field from T527X Table |
ersaphrorgdesc | Organization Unit Description | No | ORGTX field from T527X Table |
Table 1.2 Supported attributes for erSapHRCostCenter object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrcc | Cost center | Yes | KOSTL field from CSKT Table |
ersaphrccgenname | General name | No | KTEXT field from CSKT Table |
ersaphrccvaltodt | Valid to date | No | DATBI field from CSKT Table |
Table 1.3 Supported attributes for erSapHRCompany object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrcocode | Company code | Yes | BUKRS field from T001 Table |
ersaphrconame | Company name | No | BUTXT field from T001 Table |
Table 1.4 Supported attributes for erSapHRPersArea object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrpersarea | Personnel area | Yes | PERSA field from T500P Table |
ersaphrpersareatxt | Personnel area text | No | NAME1 field from T500P Table |
Table 1.5 Supported attributes for erSapHRPersSubarea object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrpersarea | Personnel area | Yes | WERKS field from T001P Table |
ersaphrperssubareakey | Personnel area-Personnel subarea | Yes | WERKS-BTRL field from T001P Table |
ersaphrperssubarea | Personnel subarea | No | BTRTL field from T001P Table |
ersaphrperssubareatxt | Personnel subarea text | No | BTEXT field from T001P Table |
Table 1.6 Supported attributes for erSapHRBusArea object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrbusarea | Business area | Yes | GSBER field from TGSBT Table |
ersaphrbusareadesc | Business area description | No | GTEXT field from TGSBT Table |
Table 1.7 Supported attributes for erSapHREmpGroup object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrempgrp | Employee group | Yes | PERSG field from T501T Table |
ersaphrempgrpname | Employee group name | No | PTEXT field from T501T Table |
Table 1.8 Supported attributes for erSapHREmpSubGroup object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrempsubgrp | Employee sub group | Yes | PERSK field from T503T Table |
ersaphrempsubgrpname | Employee sub group name | No | PTEXT field from T503T Table |
Table 1.9 Supported attributes for erSapHRContract object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrcontract | Work contract | Yes | ANSVH field from T542T Table |
ersaphrcontracttxt | Work contract text | No | ATX field from T542T Table |
Table 1.10 Supported attributes for erSapHRPosition object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrpos | Position | Yes | PLANS field from T528T Table |
ersaphrposshorttxt | Position short text | No | PLSTX field from T528T Table |
ersaphrposobjtype | Position object type | No | OTYPE field from T528T Table |
ersaphrposstartdate | Position start date | No | BEGDA field from T528T Table |
ersaphrposenddate | Position end date | No | ENDDA field from T528T Table |
Table 1.11 Supported attributes for erSapHRJob object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaprjob | Job key | Yes | STELL field from T513S Table |
ersaphrjobtitle | Job title | No | STLTX field from T513S Table |
ersaphrjobstartdate | Job start date | No | BEGDA field from T513S Table |
ersaphrjobenddate | Job end date | No | ENDDA field from T513S Table |
Table 1.12 Supported attributes for erSapHROrganization object class
Attribute Name | Description | Required | Managed Resource Attribute |
ersaphrorgkey | Organization key | Yes | ORGKY field from T527O Table |
ersaphrorghirar | Organization hierarchy | No | HIRAR field from T527O Table |
ersaphrorgtype | Organization type | No | NODTY field from T527O Table |
ersaphrorgabbr | Organization abbreviation | No | TEXT1 field from T527O Table |
ersaphrorgname | Organization name | No | TEXT2 field from T527O Table |
Configuration Notes
The following configuration notes apply to this release:
Installation Platform
The IBM Security Verify Governance Adapter was built and tested on the following product versions.
Adapter Installation Platform:
Due to continuous Java security updates that may be applied to your ISVG or ISVGIM servers, the following SDI releases are the officially supported versions:
Note: Earlier SDI versions may function properly; however, to resolve any communication errors, you must upgrade your SDI release to a version that is officially supported by the adapters.
Managed Resource:
The following SAP ABAP Basis versions running anywhere on the network are supported:
SAP Release: SAP NetWeaver 740
Component version: SAP ECC 6.0
SAP HR Fix Pack: Fix pack 24
IBM Security Verify Governance Servers:
IBM Security Verify Governance Identity Manager (v10.0.1 FP4 release or later)
IBM Security Verify Governance v10.0
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
SAP JCo certified:
JCo 3.1.7
Note:
The SAP HR Feed Adapter was tested and certified using JCo v3.1.7. SAP may have released a newer version of JCo since then and, for reasons unknown, SAP may not make JCo v3.1.7 available for download. The newer version of JCo may work as is with the adapter. However, if there are any issues related directly to the newer version of JCo, they will be addressed in the next release of the adapter.
On Windows platforms, JCo 3.1 requires the Visual Studio 2013 C/C++ runtime libraries to be installed on the system. If they are not present, download and install the "Visual C++ 2013 Redistributable Package" from Microsoft knowledge base article 4032938, choosing the package that corresponds to the locale in use and the JVM bit-width (x64 for 64-bit or x86 for 32-bit).