SAP Identity Management

i
 SAP Identity Management

About the Tutorial

SAP IdM is an identity management system to perform the user management and business
workflows in large and complex enterprise. You can integrate SAP and non-SAP systems
to identity management using default packages to import identity data and to provide self-
service access management feature to end users.

Audience
This tutorial has been prepared for someone who wants to learn and understand the
processes in Identity management. After completing this tutorial, you will find yourself at
a moderate level of expertise in SAP IdM.

Prerequisites
Before you start proceeding with this tutorial, we assume that you are well-versed with
basic access management concepts. You should have basic knowledge on how an Identity
and Access management system works.

Copyright & Disclaimer

 Copyright 2021 by Tutorials Point (I) Pvt. Ltd.

All the content and graphics published in this e-book are the property of Tutorials Point (I)
Pvt. Ltd. The user of this e-book is prohibited to reuse, retain, copy, distribute or republish
any contents or a part of contents of this e-book in any manner without written consent
of the publisher.

We strive to update the contents of our website and tutorials as timely and as precisely as
possible, however, the contents may contain inaccuracies or errors. Tutorials Point (I) Pvt.
Ltd. provides no guarantee regarding the accuracy, timeliness or completeness of our
website or its contents including this tutorial. If you discover any errors on our website or
in this tutorial, please notify us at contact@tutorialspoint.com

ii
 SAP Identity Management

Table of Contents
About the Tutorial ........................................................................................................................................... ii

Audience .......................................................................................................................................................... ii

Prerequisites .................................................................................................................................................... ii

Copyright & Disclaimer .................................................................................................................................... ii

Table of Contents ........................................................................................................................................... iii

1. SAP IDM — Introduction ........................................................................................................................... 1

2. SAP IDM — Architecture ........................................................................................................................... 3

3. SAP IDM — Installation ............................................................................................................................. 5

Installing IdM core components ...................................................................................................................... 5

Installing SAP IdM runtime and other developer components ....................................................................... 8

Installing SAP IdM deployable components .................................................................................................. 10

Installing Active Directory Server Virtually .................................................................................................... 12

4. SAP IDM — Developer Studio ................................................................................................................. 14

Configuring SAP IdM Developer Studio ......................................................................................................... 15

5. SAP IDM — Setting up the Framework .................................................................................................... 17

6. SAP IDM — Repository Types .................................................................................................................. 19

7. SAP IDM — Using Identity Stores ............................................................................................................ 21

8. SAP IDM — Identity Center Properties .................................................................................................... 24

9. SAP IDM — Maintaining Packages .......................................................................................................... 28

10. SAP IDM — Using Processes .................................................................................................................... 30

11. SAP IDM — Identity Store Forms ............................................................................................................ 32

12. SAP IDM — Maintaining Jobs .................................................................................................................. 35

13. SAP IDM — Self Service Password Reset ................................................................................................. 37

Defining Password Reset Parameters............................................................................................................ 38

14. SAP IDM — Setting Email Notifications ................................................................................................... 40

15. SAP IDM — Connecting SAP ABAP Systems ............................................................................................. 42

iii
 SAP Identity Management

Creating a job for update .............................................................................................................................. 42

16. SAP IDM — Connecting non-SAP Systems ............................................................................................... 44

17. SAP IDM — Identity Reporting using SAP BW ......................................................................................... 46

18. SAP IDM — Integration using GRC 10.0 ................................................................................................... 47

19. SAP IDM — Migration to New Version .................................................................................................... 49

20. SAP IdM — Job Responsibilities .............................................................................................................. 50

iv
 1. SAP IDM — Introduction SAP Identity Management

In large enterprises, main challenge is to organize and maintain identity data and privilege
securely. Enterprise data is stored in different applications and collected from multiple
source so it includes major risk to manage the data confidentiality. To distribute the data
security, there is need to manage and maintain identity data and privileges up to date.
There are various Identity and access management modules in market which helps Data
owner in managing identity information accurately and up to date.

Major ERP software providers provide inbuild capability to manage identity with other
modules. These identity management tools are embedded in ERP/CRM software and no
need to install or configure explicitly.

SAP Identity Management is similar tool provided by SAP which help companies managing
their user accounts in complex environment for both SAP and non-SAP systems. With use
of SAP Identity management tool, companies can manage and provide access to different
heterogenous applications without much manual work and that too securely.

There are various reasons why an Identity and Access Management soln is required:

 As business processes running on on-premise and cloud both there is need to

manage user access management seamlessly.

 Need to assign application and information access based on user roles and
irrespective of technical hierarchies in directory

 To provide self-service user and password management system and to avoid

manual password reset for critical applications

 To pull the reports based on current and previous access

 Reduce the operational cost to perform user provisioning in complex landscape

 Ease to manage multiple source of identities

 Availability of audit trails and log system to track identity changes

 To meet company specific requirements for user access management solution

 To prevent the unauthorized access to company resources- Enterprise

applications, Database, Webapps, Active Directory, etc. in multi- enterprise
environments

1
 SAP Identity Management

Key Benefits
Following are the key benefits of using SAP Identity Management:

 To ensure that user permissions are assigned to required systems at right time and
prevent unauthorize access

 Consistency in managing user roles and permission across multiple complex

enterprise landscape

 Secure execution of business approval workflows and processes

 Ease of managing audit trail and log systems for tracking

2
 2. SAP IDM — Architecture SAP Identity Management

SAP identity management system is used to maintain identity data across different ECC
applications. You can import data from different SAP applications to IDM based on available
authorizations. From backend application, after importing the authorizations- privileges
are added to system and this is then sync to backend applications.

User interfaces are used to perform the different self-management identity tasks in identity
store and changes are replicated back to backend applications.

Most of SAP Identity management components run on NetWeaver application and Java
server. Few of important component of SAP IdM includes:

 SAP Identity Store

 User interface for users and Administrators
 IdM Database
 IdM Developer Studio
 Developer Studio Service
 Runtime component

Identity store provides a consistent view of identity data from multiple sources and helps
in managing business processes, logging and auditing, password management and
reporting feature for access management. Identity center collects the data from different

3
 SAP Identity Management

application repositories, transform to required formats and replicate it back to source

repositories.

Few components of IDM run on SAP NetWeaver AS for Java and this includes Identity
Management User Interface for users and administrators however few of other
components are installed separately and stand-alone components. Key components of SAP
IDM architecture mentioned below:

Administrators can install SAP Identity Management using Software Provisioning Manager
1.0 installation tool. Provisioning Manager 1.0v installs all SAP Identity Management
components except IDM Developer Studio client, Logon Help and SAP IDM Password
management utility. Mentioned components to be installed manually using external client
tools.

SAP IDM Dispatcher Utility

This is used to create new dispatchers in IDM system. With use of user interface
component- you can also stop or start the dispatchers. This can be done via user interface
component or using command line option.

IDM Runtime Engine

This component of IDM is used for synchronization and provision tasks and requires SAP
Java Virtual Machine for execution.

4
 3. SAP IDM — Installation SAP Identity Management

You can install SAP IdM system in distributed environment where each process runs on
separate system. You can use any of OS to perform the installation and select any of
database like MS SQL, Oracle, DB2, etc.

You can use Software Provisioning Manager (SWPM) tool for performing the installation of
IdM. By following the below steps, you can install SAP IdM:

Installing IdM core components

To install IdM core component, login using an OD administrator account and stat Software
Provisioning manager tool (sapinst.exe) and select SAP Identity Management 8.0 
Installation  Distributed System  SAP Identity Management Core Component as shown
below

Run the installation in Typical mode. You need to pass you SAP SID and destination drive
after staring core component installation.

5
 SAP Identity Management

Follow the installation steps and pass the path of SAP archives, SAP host agent, etc. Next
you will be prompted to select the database system:

Provide the host name where database is running, port# and credentials for IdM database:

6
 SAP Identity Management

In next window, you have to provide the Database schema prefix and base qualified name
to be used for IdM packages:

Pass the other parameters in subsequent steps and follow the instruction steps and click
on Next button to run the installation. When the installation of IdM core component is
completed, below message will appear:

7
 SAP Identity Management

Installing SAP IdM runtime and other developer components

Logon to other host where you want to install IdM runtime and other deployable
components, and open Software Provisioning Manager and select SAP Identity
Management 8.0  Installation  Distributed System  SAP Identity Management
Dispatcher Instance.

Start the installation process in a Typical mode and provide the profile ddir patch of SAP
IdM system as shown below:

8
 SAP Identity Management

Follow the steps as per installation steps and pass the instance number assigned to SAP
IdM dispatcher or you can also use the default value.

In the next step, provide the driver path and JDBC driver class name. Review the
parameters and proceed with completing the installation steps.

9
 SAP Identity Management

Installing SAP IdM deployable components

Open Software Provisioning Manager. Select SAP Identity Management 8.0  Installation
 Distributed System  SAP Identity Management Components on SAP NetWeaver AS
Java.

This will install the below components:

Mandatory Components

 SAP IdM Developer Studio Service

 SAP IdM User interface

Additional Components

10
 SAP Identity Management

 SAP IdM REST interface

 SAP IdM Portal Content
 Identity Federation

Follow the steps in previous installation and provide SAP SID of the NetWeaver Java
system where these components to be used:

In the next step, you need to select the additional IdM deployable components you want
to deploy:

After selecting the additional components, click on Next button and installation will
complete for SAP IdM deployable components.

11
 SAP Identity Management

Installing Active Directory Server Virtually

Open Software Provisioning Manager and select SAP Identity Management 8.0 
Installation  Additional Components  SAP Identity Management Virtual Directory
Server. This will install Virtual directory server instance 8.0 on selected host.

Follow the installation steps and provide instance number to assign to Virtual Directory
server or you can use default provided.

12
 SAP Identity Management

Next step is to review the parameters and complete the installation process.

13
 4. SAP IDM — Developer Studio SAP Identity Management

SAP IDM Developer Studio is an Eclipsed based plug in and used to configure Identity
management solution. This is a client-based tool and has to be installed on each developer
or administrator system. To enable Identity Management developer studio, From Eclipse
User interface, navigate to Help -> Install New software.

Next is to provide the repository site where the plugin is available from. Click on “Add…”
as shown in below screenshot:

This will open Add Repository dialog box, pass the name like- “SAP Identity Management
Developer Studio: and under location field, pass URL of Identity Management Developer
Studio plugin. Provide this URL https://tools.hana.ondemand.com/oxygen for Eclipse
Oxygen (4.7) -> OK.

14
 SAP Identity Management

When you expand SAP Identity Management Tools, Select SAP Identity Management
Developer Studio checkbox and click on Next.

Configuring SAP IdM Developer Studio

In SAP IDM Developer studio, you can add connection to IDM database. You need to pass
the below details:

 Application Server name

 Port
 Data Source

Under Preferences -> Connections -> “ click on + sign “.

Provide the required information and click on OK to add the Database. Once you add the
database, you can expand and see the tree view.

15
SAP Identity Management

16
5. SAP IDM — Setting up the Framework SAP Identity Management

In SAP Identity Management, you can use set of templates to connect to SAP systems and
setting up the jobs, processes for different tasks. A Package in SAP IDM is smallest unit of
code that can be a connector type or set of utilities used by other packages. Administrators
can gran permissions to user to transport each package separately and then work on
configuration to customize them. IDM provides configuration packages as default
component to provide starting point customization.

Each package is identified with global unique name which means you cannot have same
package name in any of identity store.

You can usually find below package types:

Engine package
This package provides the core flows which are responsible for triggering the necessary
processes and other common scripts used in other packages.

Connector package
This package provides the connector, which is used for provisioning the specific systems
like SAP ABAP, etc.

Forms package
This package stores definition of all user interface tasks for different transaction types

Notification package
This package contains the notification task and templates which are used to send
notifications for provisioning, approval tasks and business work flows.

Custom package
This package is used to customize the provisioning framework without altering the other
stored packages. This package contains the customize scripts from other customers and
few of default custom scripts which can be used to customize other packages.
17
 SAP Identity Management

User Authorization to access packages

To access the content of package, user must have required authorization on that package.
Below authorization exists for packages:

 View
 Developer
 Layout Developer
 Import

 Owner

18
 6. SAP IDM — Repository Types SAP Identity Management

To connect your SAP and non-SAP system to SAP Identity Management, repositories has
to be created based on different types. Repository type tells the common constants for all
the repository type available and assist in repository configuration process.

Below are the advantages of using Repository type:

 For all the repository type, you can change repository constant and this will apply
to already existing and new repositories.

 You can also add new constant for all the repositories of any types and this
includes existing and new repositories.

You usually require changes to the Repository type of given repository in following
scenarios:

 While upgrade SAP Identity Management from v7.2 to 8.0 and to use provisioning
framework in SAP IDM 8.0. This will allow you to configure v7.2 repositories to
change type of repositories delivered in new framework.

 There is custom repository type with the custom features and you want to change
any existing repository type to custom.

To change the Repository type, you have to log on to SAP Identity Management
Administration UI- “http://<host>:<port>/idm/admin”.

Next is to choose the System Configuration tab -> click on Repositories from left menu.

You can select a repository which is disabled and click on “Change Repository Type”.

19
 SAP Identity Management

Next is to Select the Repository type -> Provide description (optional field) -> OK. Next is
to validate the Repository constants and fix the values if required as below.

You can also view the Repository changes history by navigating to “Configuration History
Repository Operations.

You can also view the Repository constants changes due to change in the Repository type,
Navigate to Configuration History  Repository Constants

20
 7. SAP IDM — Using Identity Stores SAP Identity Management

In SAP IDM, information stored in Identity stores are used in provisioning framework and
this provides a centralize repository for managing identity related information like Dept,
Emp name, Groups, BU, etc. Identity store also provides extensive audit trail and tracking
functionality to monitor attributes which can be changed.

Usually an Identity store is connected to identity management user interface in SAP

NetWeaver AS for Java and each Java installation can only connect to one identity store.
There are number of system attributes added in the system when an identity store is
created. There is an identifier- MSKEYVALUE which stores unique identifier in Identity store
across all entry types.

In Identity Management, you use entry type to define an entry property such as allowed
and mandatory attributes.

Note: MSKEY number is unique across in an identity center across all identity stores.

21
 SAP Identity Management

Managing Entry types in Identity store

Usually it is not recommended to delete entry types in an identity store as they are
required for audit trail and tracking purpose. You can mark it as inactive or use a state
field to mark the status of that entry type.

Ex: An employee can join back a company later and in that can it simplifies the process if
the same entry type can be used for that employee.

22
SAP Identity Management

23
8. SAP IDM — Identity Center Properties SAP Identity Management

Identity Center is the main component of SAP IDM which provides key functionality for
identity management system. Identity center uses identity store to manage all the key
functions. SAP Identity center is usually installed with a management console, and other
runtime components. For using logon service via Active Directory server for self-service
password management, SAP IDM should be configured with Identity center.

Following are the key functions performed using Identity Center:

 Password reset
 Business and workflows
 Logging
 Audit trail
 Reporting
 Provisioning

SAP Identity Center contains the following components:

Management Console
Management console is a plug in in MMC and is used for setting up the starting
configuration for different tasks and jobs in provisioning flows.

Database Management
24
 SAP Identity Management

SAP Identity center uses the database to maintain all the information about provisioning
tasks and business workflows, logging information and audit trails, and identity store, etc.
You can use following DB’s in identity Center:

 Oracle Version 10/11

 DB2
 MS SQL Server 2005/2008

Copying Identity Center Configuration

To copy SAP Identity center configuration and data from one database to other, you can
use system copy. For this task, you can find job in SAP Community network. Download
the Zip file from SCN and extracts the file and below steps to be performed:

 Creating Dispatcher
 Import the job folder
 Configuring the imported repository

To pass dispatcher script, you have to navigate to Options Tab -> Create Dispatcher
Scripts

After script is created, you need to pass the details for run jobs and runtime engine. To
define this, navigate to Policy tab - > select Run Jobs check box.

25
 SAP Identity Management

You can check the Dispatcher status under Options tab -> To update the status click on
Refresh button. The status is showing under Service state field.

You can also select dispatcher service to auto start. For this, select the checkbox Automatic
start field to enable the same.

26
 SAP Identity Management

You can also manage Dispatcher job to stop/start manually. For this, you can use Start
and Stop option below Service State:

27
 9. SAP IDM — Maintaining Packages SAP Identity Management

As mentioned earlier in this tutorial, Package is smallest unit of configuration which can
be a connector or collection of utilities used by other packages in Repository. Few default
packages are delivered as a part of Identity management core component and imported
to database to provide the starting point for solution.

Package has set of features which are used to maintain them in the Identity management
repositories. Following are the key features:

 Package Qualified name

 User Editing
 Authorization
 Version control
 Objects
 Transporting packages

Package Qualified Name

Each package in SAP Identity system has qualified name which contains base name which
is provided during installation and package name which is passed during package creation.
Base name passed during installation usually contains alphanumeric, numbers, underscore
and dot. Ex: XYZ.com. Package name passed during package creation is globally unique
i.e., you cannot have same package name in different identity stores in SAP IDM.

User Editing
To make changes to a package, you must check out and once changes are done, you
should check in to make updated configuration available to other packages. When a
package is checked out, no other user can make the configuration modification to that
package.

Authorization
To access the package content, user should have permissions on that package. Users can
have different level of authorization on packages in identity store. Below are common
authorization exists on the package:

 Owner
 View
 Developer
 Import
 Layout Developer

Version Control

28
 SAP Identity Management

Using version control of package, you can restore the previous version of the package.
Package usually has two version numbers, Major version and Minor version.

Major Version: Whenever you make changes to a package and make it public, major
version is incremented.

Minor Version: When you check in a package every time, minor version is incremented.

Objects
You can define the objects used in package as public or private. A public object can be
called by other packages.

Transporting Packages
Each package in an identity store is transported separately.

Note: To perform provisioning framework in SAP IDM Developer Studio, you must import
an engine package, a custom package and connector package.

29
 10. SAP IDM — Using Processes SAP Identity Management

In SAP Identity management, you can create new processes and use developer studio to
drag processes in workflow. You can disable/enable packages by navigating to Package
properties.

Navigate to General tab of process properties to enable/disable the Process. Under General
tab, you have the following options:

 Field
 Description
 Enabled
 Process ID/Name

Process ID shows the number that is used to identify the process in IdM database.

Using Process Properties

A process in an Identity store defines the set of operations that are executed in a particular
sequence. You see the below options for Process property:

30
 SAP Identity Management

General
Using General tab, you can enable/disable the process or define the process type. You can
also define a repository for the process.

Result Handling
This tab can be used to perform result handling for the processes.

Documentation
In this field, you can provide the documentation of a process.

31
 11. SAP IDM — Identity Store Forms SAP Identity Management

Identity store forms are used to maintain entries in identity store such as privilege, user,
roles, etc. A set of forms are default delivered as package in provisioning framework. An
identity form usually contains below fields:

 Attribute definitions
 Access control
 UI configuration details

Usually forms are defined as public objects inside a package however you can remove
them from public and read them. There are other guided activities apart from default form
as given below:

View Assignment Request Forms

These forms can be used to check the status of assignment requests and can be used to
authorize user to restart any failed activity.

Assignment Request Form

This is used to provide one or more assignment to a user and usually use for providing
context-based roles.

Password Reset
This is used to provide user with guided activity to reset the passwords.

To create a form, navigate to Forms folder in the package using Identity Management
developer studio  New.

Next is to take action as per below form options:

32
 SAP Identity Management

If you want to create a Form folder, Select Folder option.

Or to create a form  Select Form.

Or to create a guided task form  Select Assignment Request/ View Assignment

Request/Password Reset form.

You can also configure the form properties, following tabs are available and after making
changes, navigate to File -> Save.

 General
 Result Handling
 Attributes
 Access Control
 Presentation
 Documentation

General
This tab is used to perform general properties for a form. Below are the options under
General tab:

Field Description

Enabled To enable/disable form

FormID/Name
This shows a number that identifies the form within the Identity Management database.

Form Type
33
 SAP Identity Management

This is used to define the form type. The following values are available:

 Regular
 Access Control Form
 Display Form
 Search Form

Repository
This option can be used to link the repository to the form. While running the form, selected
repository is used.

Result Handling
This is used to configure the result handling part of the form.

Attributes
This is used to define the form attributes.

Parameters
Parameter is used to configure the guided activity- assignment request/view assignment
request/ password reset.

Access Control
Using this tab, you can define the access part for the form.

Presentation
This is used to configure form presentation.

Documentation
You can provide form description in this tab.

34
 12. SAP IDM — Maintaining Jobs SAP Identity Management

In SAP IDM, jobs are stored inside Job folder under package and are executed inside an
identity store. Following actions can be performed:

 Creating a new job

 Enable/Disable an existing job
 Executing a job

To create a new Job, select Job Folder of the package and select New  Job. You can pass
the Job name, connect to a dispatcher and define the Job properties.

You can also define the Job properties. To define the Job properties -> Select the job in
the tree view and click on Properties option from context menu.

Below options are available:

 General
 Logging
 State
 Documentation

To save the changes to a Job, go to File  Save.

35
 SAP Identity Management

Below options are available to define Job Properties under General tab:

Enabled: This check box can be used to enable/disable the job.

Job ID/Name: This shows the unique ID and job name.

Schedule Rule: The schedule rule is used to define job execution frequency.

Schedule Time: The schedule time displays the time when the job is scheduled to run.
You can also select “Run to schedule the job” to be run immediately. The scheduled time
is set to the current time.

To stop a running job, you can click on “Stop” button.

Run by Dispatcher(s): You can choose the dispatcher(s) that are allowed to run this job.

36
13. SAP IDM — Self Service Password Reset SAP Identity Management

In SAP IdM 8.0 or upper version, you can configure Logon help service or self-service
password reset for end users. With login help service, end users can change their
password. To configure Self-service password reset, below prechecks should be met:

 You should have minimum one dispatcher running in landscape.

 There should be one user account exists apart from administrator.
 There should be an Identity Management User Interface configured.
 There should be UME role with action “idm_anonymous” assigned Anonymous
Users groups in UME.

Next step is to create password reset form for end users and to add to identity store
configuration.

Follow the steps to create password reset form:

Go to SAP IdM developer studio Navigate to package where you want to create the form
for self-service password reset -> Form.

Go to Context menu  New  Password reset. You can rename the form to PasswordReset
form.

37
 SAP Identity Management

Next is to assign Anonymous user group to allows access. For this go to “Access Control”
tab of the newly created form  Select Anonymous in Allow access drop down  OK.

To save the changes, go to File  Save.

Defining Password Reset Parameters

To use self-service password reset, you need to define password reset parameters like
number of questions should prompt, minimum number of correct answers for validation,
etc.

To define the parameters, go to Context menu of the Password reset form  Properties.
Navigate to Parameters tab and configure the parameters as required.

38
SAP Identity Management

39
14. SAP IDM — Setting Email Notifications SAP Identity Management

You can use notification package available in SAP provisioning framework to set up the
email notification in SAP Identity Management 8.0. There is package available in Developer
Studio “com.sap.idm.util.notification” that contains the notification package and the
templates to enable the notification.

To configure email notification, you need to pass the value of “NOTIFYEVENT” package
constant and make this point to notification template. You have below notification event
types available:

NOTIFYEVENT_ASSIGNMENT_COMPLETED: To send notification related to assigning

a privilege

NOTIFYEVENT_ASSIGNMENT_FAILED: To send notification related to failed

assignment

NOTIFYEVENT_ASSIGNMENT_REVOKED: To send notification related to access

removal

NOTIFYEVENT_PASSWORD_CHANGED: To send notification related to password

change

NOTIFYEVENT_USER_MODIFIED: To send notification related to modifying user

account

NOTIFYEVENT_USERACCOUNT_CREATED: To send notification related to user account

NOTIFYEVENT_USERACCOUNT_DELETED: To send notification regarding user deletion

NOTIFYEVENT_USERACCOUNT_DISABLED: To send notification related to user

account disablement

NOTIFYEVENT_USERACCOUNT_ENABLED: To enable the user notification

To use this notification events, you need to check out a package in IdM Developer Studio
and create a process.

40
 SAP Identity Management

After configuring the notification event types, you need to add the mail template names
in the Notification Package constants.

41
15. SAP IDM — Connecting SAP ABAP Systems SAP Identity Management

You can configure your SAP Identity management system to connect to SAP ABAP system
and provision ABAP users. In SAP IdM 8.0 or higher Provisioning framework, you have
connector delivered as separate package with name “com.sap.idm.connector.abap”. This
connector can be used to communicate SAP Identity management system with SAP ABAP
system for user provisioning.

Creating a job for update

In IdM developer studio tree view, you have to select connector package for which you
want to create job. Ex: For ABAP connector package “com.sap.idm.connector.abap”.

Next is to go to Jobs folder, copy the initial job load and rename the Job for ABAP update
in required update, “ABAP- Update”.

Keep the below pass active and disable the other passes:

 ReadABAPRoles
 ReadABAPProfiles
 ReadABAPCompanyAddress
 ReadJavaRoles
 WriteABAPRolePrivileges: only if corresponding Read pass is active

42
 SAP Identity Management

 WriteABAPProfilePrivileges: only if corresponding Read pass is active

 WriteABAPCompanyAddress: only if ReadJavaRoles pass is active
 WriteJavaRolePrivileges: only if corresponding ReadJavaRoles pass is active

There are other packages in SAP IdM developer Studio which can be used to connect to
other SAP systems. You have to search for SAP Provisioning Framework packages, choose
IdM files and select the correct file.

For example, to connect to SAP HANA system, you can select the HANA connector package
file “com.sap.idm.connector.hana.idmpck”.

Select the required package, and the package will be imported to Identity Management
Developer Studio.

43
16. SAP IDM — Connecting non-SAP Systems SAP Identity Management

To connect to non-SAP systems to SAP Identity Management, if default connector package

is not available then you can build you own connector for these commonly used systems
(JDBC, Web Services, flat files, Database, LDAP, etc.).

First step is to setup the Repository and initial load. For setting up the repository you can
use Repository wizard.

Below table confirm the list of connectors Provided in SAP Identity Management:

44
SAP Identity Management

45
17. SAP IDM — Identity Reporting using SAP BW SAP Identity Management

You can also use SAP Business Warehouse system fo reporting purpose. To use BW for
reporting, you should setup the connectivity between SAP IDM and BW. Post that you need
to transfer identity store data to BW. To connect SAP BW, you can use SAP package
available in IdM developer Studio.

Below software components will be required while using SAP BW for reporting purpose:

 Identity Center
 Virtual Directory Server (VDS)
 SAP NetWeaver BW
 Web service on the BW system

To start with the data transfer, you need to create a job in the Identity Center that triggers
a Web service call from the Virtual Directory Service to the Persistent Staging Area on the
BW system.

You can have multiple call configured depends on the amount of data to be transferred.
This is used for both, i.e., initial load of the data and to perform the subsequent delta
loads.

46
18. SAP IDM — Integration using GRC 10.0 SAP Identity Management

You can integrate SAP Identity management system with Access control GRC by enabling
set of processes in Identity center. With use of SAP IdM system, you can perform
Provisioning in multiple connected systems based on compliance rules defined in Access
Control. Based on communication defined between Identity management and Access
Control, you can trigger below calls for implementing role synchronization.

 RFC Communication
 Web Service Communication

To import GRC Provisioning framework to Identity Center, you can use the separate
package “com.sap.idm.grc.grc10” in SAP Identity Management 8.0 version. This
package provides the repository type, initial provisioning processes, jobs, and scripts to
perform the initial load.

This package com.sap.idm.grc.grc10 provides the set of internal and public processes.
Below shows the list of public processes:

Following screenshot shows the package structure for integrating GRC Access control to
Identity Management:

47
SAP Identity Management

48
19. SAP IDM — Migration to New Version SAP Identity Management

You can also upgrade SAP Identity Management 7.1/7.2 to version 8.0. If you are running
with SAP IdM v7.1 then to upgrade to version 8.0, you need to first upgrade to SAP IdM
v7.2. To migrate to SAP identity management 8.0, your current system should be running
on v7.2 SP09 or v7.2 SP10.

SAP Identity Management v8.0 has some critical improvements from older versions:

 Option to use IDM Developer Studio as Eclipse plug-in

 Ease of integration with other SAP systems
 Better security and access controls

Below checks should be performed before starting the upgrade:

 All dispatchers should be stopped.

 REST API and user interface should be stopped.
 Backup of database and identity data should be taken.
 To upgrade SAP IdM database, you should use mxmc_update script.

You can perform the installation of SAP Idm 8.0 version separately and post installation,
you need to copy key.ini file from 7.2 system to mentioned path:

 Use this location on DB node-

/usr/sap/<SID>/SYS/global/security/data/Key/Keys.ini

 Use this location on runtime environment-

/usr/sap/<SAPSID>/IDM<Instance_Number>/Identity_Center/Key/Keys.ini

 You should set Keys.ini file referred to this path-

\\<host>\sapmnt\<SAPSID>\SYS\global\security\data\Key\Keys.ini, where
<SAPSID> is the SAP system ID of SAP Identity Management system

 Next is to perform the Import of identity store from SAP IdM v7.2
 Next is to perform the Import of repositories from SAP IdM v7.2
 Next is to perform the Import job folders from SAP IdM v7.2
 Next is to perform the Import data from SAP IdM v7.2

49
 20. SAP IdM — Job Responsibilities SAP Identity Management

Key responsibilities of SAP IdM Administrator are as follows:

 With minimum 3-6 years of experience in SAP IdM

 Experience in connecting IdM to SAP and non-SAP systems, AD system and
Database
 Ability to handle business role-based assignments
 Setting and monitoring the IdM jobs
 Good understanding and experience in SAP Security and authorizations
 Experience in performing SAP IdM tasks- user management, business and
process workflows, managing identity stores
 Setting up the repositories for different SAP and non-SAP apps
 Knowledge of SAP GRC v10 Access Control and segregation of duties based on
roles including GRC rules
 Good understanding on Information Security controls and knowledge of ISO27001
controls

50