1 2 3 13 Previous Next

SAP Identity Management

183 Posts

Would be glad to meet some of you at SAP Insider 2016 15-19 Feb in Las Vegas.

I'll give two sessions. One is All-around security: Leveraging SAP’s identity and access management portfolio for an end-to-end solution on 18 Feb 16:40

Will present SAP’s comprehensive identity and access management portfolio that covers both SAP and non-SAP systems in your IT landscape. You can take a detailed look at on-premise identity management and single sign-on, as well as integrated solutions for cloud and cross-company environments. And see how SAP Identity Management, SAP Single Sign-On, SAP Cloud Identity, and SAP Access Control can be leveraged to:

  • Manage identities in heterogeneous system landscapes with just one solution — both on premise and in the cloud
  • Ensure compliance with internal policies and legal regulations
  • Align your single sign-on approach to cover your entire organization and extend to the cloud


The second session will be Safeguard your business-critical data with SAP Enterprise Threat Detection and SAP HANA (17 Feb 8:30)

Will talk about how to identify attacks as they are happening, and analyze threats quickly enough to neutralize them before serious damage can occur with SAP Enterprise Threat. See how organizations use the combined capabilities of SAP HANA and SAP Enterprise Threat Detection to: 

  • Identify and prevent cyber attacks in real time
  • Manage exposure to internal and external threats
  • Leverage your log data to monitor your system landscape
  • Scan for attack patterns, identify security lapses in your landscape, and strengthen your overall security infrastructure

Here is a link to the event program:



There will be Ask the Experts session on Wednesday, February 17, 4:15 - 5:00 in the Exhibition hall.

Everything you can imagine is real.” ― Pablo Picasso


One of the things I’ve always been hesitant to do in my IDM career is play with the actual database objects such as the Stored Procedures. There really should not be a  problem with using them as long as you are careful and use common sense. For example, making changes to the actual Stored Procedure code is a bad idea. At the very least your changes will be overwritten in the next update, and at worst, they could potentially break the update process (or IDM itself!) But I think as long as the basic precautions are taken, the stored procedures can be used with some effectiveness to enhance how we use IDM. The main thing is to go slowly, test what you are working with thoroughly and use examples from existing working jobs and the Stored Procedure definitions themselves so you know what is expected.


If you want to see how this is done in general, take a look at an initial load job, when IDM goes to create the account attribute in the very first pass (at least in the AS Java (Database) – Initial Load job.)


Initial Load Example.jpg


From this screen shot, we see a To Database pass and that it is possible to execute several operations in the same pass. Also the SQL updating option has been selected. This option allows the IDM engine to act as a direct gateway to the back end database where you can run almost any valid SQL command. I don’t know that there are any real exceptions to this save that whatever command is to be executed needs to have permissions for the [mxmc]_rt account.


Looking a little deeper, we see there’s a script being executed to prepare the statement called sap_care_callStoredProcedure and that it takes two arguments separated by the standard IDM delimiter of ‘!!’ Let’s take a quick look to see what it does:

// Main function: sap_core_callStoredProcedure


// Call/execute a stored procedure.

// Parameters (separated by "!!"):

// - Name of the stored procedure

// - List of procedure arguments (separated by "," and string arguments enclosed in '' - actually this is the syntax accepted by MSSQL and Oracle at least)

// Note: The <prefix>_rt user/role must be allowed to execute the respective procedure!

function sap_core_callStoredProcedure(Par){

var ParComponents = Par.split("!!");

var procedure = ParComponents[0];

var arguments = ParComponents[1];

var dbType = "%$ddm.databasetype%";

var result = "";

if (dbType == 1) { // MSSQL

result = "execute " + procedure + " " + arguments;

} else { // Oracle

result = "call " + procedure + " (" + arguments + ")";


return result;



So basically, all this script does is break apart the pieces and then add the appropriate database command based on database type (be careful if you’re using DB2, I have not tested it, but if issues arise, please refer to this  article. I’m pretty sure that the proper database command is ‘call’ since DB2 is being used in Oracle emulation mode.) When troubleshooting you might want to add in a uInfo (result) or uWarning (result) in just before the return statement, it really helps sometimes.


The nice thing about this using this script is that it makes it much easier to call the Stored Procedures and work with the various databases supported by IDM. You might also notice that when the Oracle Database is used that the stored procedure arguments are also encased in parentheses ()


For a practical example of how to use this functionality, I’m going to work with the stored procedure mxi_xcreate_objectclass. This is the stored procedure that is used by IDM to create a new EntryType. (The original architecture of IDM was heavily influenced by LDAP directories) Personally, I’ve wanted to be able to do this particular operation on some past projects where there’s been a need to create EntryTypes in multiple environments and systems, so putting this into a job helps to automate it. Also as a consultant, it helps me to “productize” some of the enhancements I develop, which makes them easier to distribute.


So calling the Stored Procedure seems pretty easy as it’s called as follows:


$FUNCTION.sap_core_callStoredProcedure(mxi_xcreate_objectclass!!1,'ZMY_ENTRYTYPE,'An EntryType Example','My Entry Type',0,1,NULL)$$


However I was a little confused when I first tried to call it as I could not get the last parameter, Pocid parameter to populate correctly, so I needed to look at the code to figure things out (including the names of the parameters) This is probably also a good time to mention that there is no documentation for working with the stored procedures, so you probably should take some time to review any code before you use it.  It's a good way to learn about how IDM's innermost workings are built and also gives you an idea of what is expected when using any of these Stored Procedures.

SP Code.jpg

Pocid correlates to the MSKEY and is generated during the execution of the stored procedure. When I looked through the code and saw it was checking if that parameter was NULL, I knew how to populate it and things worked just fine.


So there’s a couple of things to consider when working with these stored procedures.


  • There’s not too much documentation here, so be careful.
  • Don’t’ make changes to the Stored Procedure code, comments might be OK, but remember that they will potentially be removed with the next update, so be careful.
  • Working directly with the Stored Procedures has direct impact on the Identity Store with fewer built in safeguards, so make sure things are backed up if they are important, and be careful.

Are you sensing the overriding theme here?


If you’d like to take this example a step further, go ahead and use the Stored Procedures mxi_schema_create_attr_ns and mx_schema_add_attr_to_oc_ns to create a new attribute and then add it to the EntryType. Examples can be found in the SAP NetWeaver Templates (start with the Initial Load job for a repository)  If you have questions, post them in comments or start a discussion thread if they are more general.


So go ahead and try and use some of the Stored Procedures to advance your IDM needs, just be careful. I’ll be working on a somewhat more complicated example next and as soon as my testing and verification is complete, I’ll be sharing again with the community.


I have not been able to test this with Version 8 yet.  If anyone does, please let me know how it works and what you needed to do.

The notification functionality in SAP Identity Management 8.0 is available to you with the Notification package of the SAP Provisioning Framework. The notification package com.sap.idm.util.notification contains the notification process and the notification templates, which are used to send emails for approval and attestation tasks.

If you want to trigger a notification because of an SAP Provisioning Framework process, specify the value of the appropriate NOTIFYEVENT package constant to point to the template (a unique template ID) that you want to use: The most commonly used notification events are handled by this package:

  • NOTIFYEVENT_ASSIGNMENT_COMPLETED  -  Privilege assignment notification
  • NOTIFYEVENT_ASSIGNMENT_FAILED - Assignment failed notification
  • NOTIFYEVENT_ASSIGNMENT_REVOKED - Privilege removal notification
  • NOTIFYEVENT_PASSWORD_CHANGED - Changed password notification
  • NOTIFYEVENT_USER_MODIFIED - Modified user notification
  • NOTIFYEVENT_USERACCOUNT_CREATED - Created user notification
  • NOTIFYEVENT_USERACCOUNT_DELETED - Deleted user notification
  • NOTIFYEVENT_USERACCOUNT_DISABLED - Disabled user notification
  • NOTIFYEVENT_USERACCOUNT_ENABLED - Enabled user notification


If you need to configure a mechanism for notification for other events, such as custom process completion or in case of any error, you can use the uSendSMTPMessage internal function. In this article I will give you a simple example for triggering notification for a process completion.


1. In the Identity Management Developer Studio tree view, check out a package and create a process. Rename the process to “doSthProcess”.


2. In the process flow diagram, add an action task to the process. Rename it to ExportIdentitiesTask.


3. In the job view, select the Passes tab and choose New from the context menu. Select a pass of type ToASCII and rename it to ExportIdentitiesPass.


Open ExportIdentitiesPass pass and define as a Source MX_PERSON entry.


As for Destination define the file location, for example ‘C:\tmp\identities.txt’ and the list of attributes you need to export:


5. In the Identity Management Developer Studio tree view, select the Scripts node of the package that you have checked out and add a new package script. Enter the following name for the script: sendingIdentitiesScript.


The variable attachmentLocation points to the toASCII pass file location in this case.

You may add additional logic for the dynamically creation of either text message or subject.

An example of the script is attached to the article.


6. Go back to the job view where you have created the pass ExportIdentitiesPass. Select the Scripts tab and then select Add Link to Package Script from the context menu.


In the Connection to Package Script dialog, select Self from the Select Package drop-down menu.


Select our new script sendingIdentitiesScript in order to be able to use it in the pass.

  7. On the General tab of ExportIdentitiesPass pass, in the Termination Script drop-down menu, select sendingIdentitiesScript.


In similar way, you can define Initialization or Entry related scripts.


Now, you can test the example trough the Test Process feature and check your inbox for a new email with attachment :-) .


Related information you can find here :

“Assimilate this” – Worf, Star Trek First Contact


I think this is a good way to start this discussion of how SAP IDM can be used to provision information to a custom application.


In my previous Blog, I explained how to use existing SAP IDM templates to load Identity Data in from a fictional Database Application called “NonSAPApp.” In this entry, I will explain how to use the Provisioning Framework to enable Provisioning from the SAP IDM Web UI.


To do this, I created a folder in the Provisioning Framework folder under the CONNECTORS node called NONSAPAPP, then I created a subfolder called Plugins, followed by 6 Ordered Tasks as shown below:


Each of these tasks needs to be mapped in the NONSAPAPP IDM Repository. Note how the numbers in the Task Name relate to the MX_HOOK constants:

HOOK Task Assignment.png

To keep things simple, this blog only specifies a subset of the functions.  If you look at one of the other connectors, you’ll see what else can be done with a SAP IDM Connector. As far as I know there is no reason that you cannot extend this custom connector (or any connector for that matter) with additional Hook Tasks based on this model.


In this example, we are only going to go into detail for the Create, Modify, and Delete User Hook Tasks. I created stubs for the Role tasks but did not do anything with them. They can easily be added based on the contents of this blog.


In the Create Task, I made used a “To Database” pass.  Nothing terribly fancy here. Note that I used the User Table from my “application” and mapped the attributes.


The big question that usually gets asked at this point is how did you populate the Repository Constant since there is no Repository assigned by default? There’s a couple of things you can do to resolve this:

  1. Use Copy/Paste or manually type it in.
  2. Temporarily assign the application repository, set the constants and the set the repository back to “None / Inherited”. This is a good best practice as it saves you some effort if the repository name should ever get changed or if you disable the Repository provisioning cannot occur. If this is populated with the Repository name, provisioning might still be able to occur.


Also, in case you were wondering, I left “Public task” selected so that I can test from the Console if needed.  Always helpful J

There’s not much to say about the Modify task.  It’s pretty much a copy of the Create task.


One thing that you might need to consider at some point is that if you need logic to check changes that are made, you’ll need to introduce some scripting here.


At last we come to the Delete Task. It might just be the most direct. My example gets to be very simple, since this is a simple application.  Your custom application might not be so simple. Make sure you have a good, long requirements discussion with the application owner on this. If there are requirements to disable the user first, or make sure their assigned roles are dropped, you will need to provide for this in some sort of workflow (The Provisioning Framework Connector does allow for disable tasks, they are Hooks 6 and 7, which I did not cover in this example)


To delete the user, I use a simple SQL statement, using the SQL updating option of the “To Database” pass. Again, this is something you’ll need to work out with your app owner and the DBA since your service account might lack these permissions.


I hope this brief overview has been helpful to you. There are multiple ways of approaching this issue, and I used a database method since it was the easiest to demonstrate.  In real life, it most certainly not be this direct or easy and you’ll probably need to go through some sort of API, which in some ways will be easier, since you’ll have commands available to you for managing the user objects in the application. If someone does create a connector using an API, I hope it gets shared here on SCN as well!


I’m also attaching the export configuration for people to examine. (Don't forget to drop the "XML" extension, so that it is a valid IDM import file. Note that there are absolutely no warranties or guarantees included with this configuration and neither I nor SAP can be held responsible for anything that happens as a result of using this import.  I threw this together quickly but it should serve as an adequate template for you to start your customizations with.

The long awaited training is now available.

We needed some time to prepare it and thanks to Alexander Zubev it is now available and can be booked across the regions.

I noticed that if you search the global site https://training.sap.com/g/en/, no dates and locations are shown. That’s why you can select UK for Europe and US for America region and search for course number "ADM920" or "Identity Management"


For Germany still 7.2 training sessions are shown with the same number ADM920.



The content can be found here:


I copy it for convenience:

The goal of the course is to gain knowledge about SAP Identity Management 8.0. Understand how SAP Identity manages users in heterogeneous IT landscape. Learn how to integrate identity management with business processes within and beyond your enterprise, using identity federation to facilitate joint authentication and single sign-on for a secure identity management solution across company boundaries.


  • SAP Identity Management (IdM)
    • Describing Identity Management
    • Explaining SAP IdM Architecture
    • Describing the SAP IdM Data Model
  • Forms
    • Creating Forms
    • Customizing Search Results
    • Implementing a Custom User Interface
  • Jobs
    • Creating Jobs
    • Creating a Repository
    • Creating Repository Jobs
    • Implementing Scripts for Advanced Data Conversion
  • Provisioning and Workflow
    • Creating Processes
    • Auditing the Task Execution Process
    • Describing the SAP Provisioning Framework
    • Assigning Privileges
  • Roles
    • Creating Business Roles
    • Defining Automatic Role Assignments
    • Approval Workflow
    • Configuring Approval Workflows
    • Sending Notifications
    • Storing Information with Pending Value Objects (PVO) and Context Variables
    • Implementing Automatic Approve/Decline of Role Requests
  • Context-Based Assignments
    • Defining Context
    • Creating Guided Activity Tasks
    • Provisioning Context Toward Backend Systems
    • Assigning Automatic and Conditional Context
  • SAP IdM and Other SAP Systems
    • Provisioning a User to AS ABAP
    • Setting Up SuccessFactors (SF)
    • Configuring the Virtual Directory Server (VDS) to Publish Information
    • Verifying Authorization Compliance
    • Setting Up SAP Human Capital Management (HCM)
  • Advanced Tasks
    • Running Housekeeping Procedures
    • Accessing the Identity Center Database
    • Debugging Entries
    • Optimizing the Performance of SAP IdM
    • Explaining the Reporting Tools
    • Resetting Passwords
  • SAP IdM Installation and Configuration
    • Installing SAP IdM
    • Configuring SAP IdM Security
    • Updating the Service Package
    • Upgrading SAP IdM 7.2 to IdM 8.0
    • Setting up High-Availability for SAP IdM
    • Transporting Content

The training is highly interactive, alternating between explaining new features, questions, and exercises accompanying each component. Exercises are used throughout the training to give the students the hands-on ability and increase the level of confidence with the product.

Also you can download the index here

Connecting Non SAP Applications to SAP IDM (Database oriented)

Lily Sloane: I envy you... the world you're going to.

Captain Jean-Luc Picard: I envy YOU... taking these first steps into a new frontier.

--Star Trek: First Contact

Previous entries here in the SCN IDM Space have discussed connecting various applications to SAP IDM. Active Directory (and other LDAP related systems) SAP Systems, Flat Files, even database tables. But what we have not really discussed is how to connect a database related system to SAP IDM. As with all things IDM, there are a number of ways to do this using IDM and VDS, and I am going to discuss how to do this over the next couple of blog postings.

In this first entry, I will discuss how to set up the Repository and Initial load for the system, which I am simply calling NonSAPApp. It is based on a simple database structure that was submitted in a Forum thread.

So the first challenge was creating the Repository.  To do this, I simply used the New Repository Wizard to create a Database Repository

Repository Wizard.jpg

Didn’t need to do too much here, just name the repository, choose the driver and then add the JDBC and OLE DB connection strings. If you’ve installed IDM before or created a new Identity Store, this should not prove to be too much of an issue. When you’re all done, you’ll get something like this:

Repository Constants.jpg

Now we can go ahead and create an Initial Load job. To do this, first I went through the job wizard to create a job to use as a template.

Initial Load selection.jpg

Make sure when you are running through the wizard that you select the correct repository.  Don’t worry though, it can all be modified later After you’ve run through the wizard, expand the node and remove the unnecessary passes so the job looks like this:

NONSAPAPP Initial Load.jpg

Now let’s talk about some of the changes that were made to these passes so it will work for NONSAPAPP.

  1. In the root node of the job, double check and make sure it’s enabled, has a dispatcher assigned (and running!) This is also your chance to make sure that the correct repository is selected.
  2. In the Create System Privilege Pass, change the description to something that describes the application.  If need be this can be done manually later.
    Create System Privilege.jpg
  3. In ReadNonSAPAppUsers, make sure that you are re-configuring the source tab to read from your Users table.  It will look something like this:
    Read Users Source.jpg
    You’ll then be able to do an Insert Data Source Template
  4. For ReadNonSapAppRoles, do the same thing, except that you will need to pull from your Roles Table
  5. In the WriteUsers pass, map the fields accordingly. Blank out any fields that don’t apply or won’t be populated either by disabling the attribute via the # prefix or by clearing the attribute value.
    Write Users destination.jpg
  6. In the WriteRolePrivilege there is a value of %uniquename% used in the MSKEYVALUE and DISPLAYNAME attributes, if you are not using this value, replace it with a relevant unique value in your database as I have done here:
    write roles destination.jpg

That’s it, run the job, fix your errors and then check the database to make sure that the roles and users have been created.  In this case, my sample data had one user, Luke Skywalker (guess what I was watching?) and some roles that you can see from the following queries.

First a query that shows the user has been created:

NONSAPPAPP Loaded users.jpg

Next a query that shows the roles have been created and any users assigned to roles.

NONSAPAPP Roles and assignments.jpg

So there you have it. You’ll notice I did not handle role assignments here, but I think we call get the general idea of how to do this. In the next week or so, I will wrap this up by extending the provisioning framework to cover adding a user via the IDM UI to the system.


Added 19November2015

Thinking back to my TechEd Sessions with Plamen Pavlov and Kristian Lehment, you might want to try importing the attached file to a Version 8 environment.(Or to a version 7 environment for that matter) Just remember to drop the ".xml" from the filename. Note that there are absolutely no warranties or guarantees included with this configuration and neither myself or SAP can be held responsible for anything that happens as a result of using this import.  - MP

If you'd like to know how to connect the application to the Provisioning Framework, take a look at the follow up to this blog: Connecting Non SAP Applications to the SAP IDM Provisioning Framework

For SAP Identify Management 7.1, 7.2 and 8.0 the following system behavior may be observed:

  • When you modify attributes with SAP Identity Management Web UI, multiple modify tasks for these attributes are triggered to the backend systems.
  • In most cases this is possible to happen when you do this together with another UI action:

          - change the attributes contained in the modify tasks trigger attributes (e.g. MX_FIRSTNAME) for MX_PERSON and

          - assign/remove MX_ROLE objects.

  • You have not defined attribute MXREF_MX_ROLE as modify task trigger attribute (In the SAP Provisioning Framework, modify task trigger attribute is defined on the system privilege PRIV:SYSTEM:<repository_name> )



The described behavior can be reproduced:

  • Logon to the IDM Web UI
  • Change any modify task trigger attributes's values for a user and assign/remove business roles for it in the same time


This behavior is in very rare cases and it cannot be prevented. It assures the correct provisioning of modified attribute's values to backend systems. It does not cause any provisioning errors.

TechEd Las Vegas is over and it is time for a summary.

Thanks to those who came to the security booth, visited roadmaps, lectures, tried hands-on exercises and interacted with us on networking, code reviews, code jams and influence sessions.


/Fedya Toslev, Penka Tatarova, Plamen Pavlov /


Also a had great ASUG session from Matt Pollicove on how to prepare project-wise for IDM8.0


It was also pleasure for me to meet many of the people who are behind this great community here.



We had plenty of discussions and valuable feedback on future and present features. We took it home and digest now.

We heard some customers go with "everything possible in the cloud", others - for scenarios it makes sense. We heard very often connecting Office365 is necessary. And here is why we showed a Lab Preview of SAP Cloud Identity connector - keep an eye on SAP Cloud Identity and stay tuned for the connector. And we heard you need Identity Management and Access Control working together as one.


If you missed some sessions - you also have the option to watch selected session from Las Vegas


And in addition - some Hands-on sessions will be available to the participants as Virtual Hands-on Exercises.


If you are in Europe – you still have the chance to visit TechEd Barcelona starting next week 10 Nov 2015. To those of you already with tickets – Thomas Wolfer, Alexander Zubev, Ralitsa Chipeva will be presenting the following IDM sessions:

  • SEC101 - Best Practices for IAM Across Cloud and On-Premises
  • SEC201 - What's new with IDM 8.0
  • SEC261 - Experience New Features in SAP Identity Management 8.0
  • SEC262 - SAP Runs SAP – How to Upgrade to SAP Identity Management 8.0
  • SEC701 - SAP Identity Management Performance Optimization
  • SEC703 - Troubleshoot your SAP Identity Management

Also highly recommend to attend the related sessions on SAP Cloud Identity Service delivered by Ralin Chimev and Marko Sommer and Single Sign-On sessions delivered by Dimitar Mihaylov and Donka Dimitrova

  • SEC106 - The Cloud Solution for Authentication, Single Sign-On and User Management
  • SEC163 - Single Sign-On for Cloud Applications with SAP Cloud Identity Service
  • SEC263 - Risk-Based Authentication for SAP Fiori and SAP Portal
  • SEC800 – SAP Cloud Identity Service


Feel free to share your impressions also.

Many times we get business requirements to generate a customized report of all users with several attributes like MSKEYVALUE, DISPLAYNAME, MAIL, MOBILE, COUNTRY etc.


If we want to keep all attributes of each user in a single row then it generally requires running a multiple sql-queries and then combining them together in a single file. It is time-consuming and manual work involved may lead to error.


Following single query can be used to generate such custom reports.


Select distinct

(select mskey from idmv_vallink_basic with (nolock) where mcAttrName='MSKEYVALUE' and MSKEY = M.mskey) as MSKEY,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MSKEYVALUE' and MSKEY = M.mskey) as MSKEYVALUE,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='DISPLAYNAME' and MSKEY = M.mskey) as DISPLAYNAME,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_MAIL_PRIMARY' and MSKEY = M.mskey) as MAIL,

(select mcValue from idmv_vallink_basic with (nolock) where mcAttrName ='MX_ADDRESS_COUNTRY' and MSKEY = M.mskey) as COUNTRY,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_PHONE_PRIMARY' and MSKEY = M.mskey) as Phone,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_MOBILE_PRIMARY' and MSKEY = M.mskey) as Mobile,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_VALIDFROM' and MSKEY = M.mskey) as ValidFrom,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_VALIDTO' and MSKEY = M.mskey) as ValidTo,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_DISABLED' and MSKEY = M.mskey) as Disabled_status

from idmv_vallink_basic M with (nolock) where M.mcAttrName='MX_ENTRYTYPE' and M.mcValue='MX_PERSON'




If a user will not have any of the above attributes then query will result NULL for that attribute.


The result will look like




Based on requirement, Attributes can be removed/added in the above query.


The above query can be modified to generate even more customized report.



Query can be written as

Select distinct

(select mskey from idmv_vallink_basic with (nolock) where mcAttrName='MSKEYVALUE' and MSKEY = M.mskey) as MSKEY,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MSKEYVALUE' and MSKEY = M.mskey) as MSKEYVALUE,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='DISPLAYNAME' and MSKEY = M.mskey) as DISPLAYNAME,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_MAIL_PRIMARY' and MSKEY = M.mskey) as MAIL,

(select mcValue from idmv_vallink_basic with (nolock) where mcAttrName ='MX_ADDRESS_COUNTRY' and MSKEY = M.mskey) as COUNTRY,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_PHONE_PRIMARY' and MSKEY = M.mskey) as Phone,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_MOBILE_PRIMARY' and MSKEY = M.mskey) as Mobile,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_VALIDFROM' and MSKEY = M.mskey) as ValidFrom,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_VALIDTO' and MSKEY = M.mskey) as ValidTo,

(select mcvalue from idmv_vallink_basic with (nolock) where mcAttrName='MX_DISABLED' and MSKEY = M.mskey) as Disabled_status

from idmv_vallink_basic M with (nolock), idmv_vallink_basic N with (nolock) where M.mcAttrName='MX_ENTRYTYPE' and

M.mcValue='MX_PERSON' and N.mcAttrName='MSKEYVALUE' and N.mcvalue like 'TEST%' and M.mskey=N.mskey



The result will look like




P.S. - Please note that above query will work perfectly with single value attributes while for multivalue attribute it will return only one value which will be picked randomly therefore use this query wisely for multi-value attribute. with (nolock) is specific to MS SQL so if you want to run this query on Oracle/DB2 don't forget to remove with (nolock).


Hope It will help to prepare reports


C Kumar

There is a security track which covers SAP’s security products as well as standard security features, capabilities, and recommendations. It includes sessions on the SAP Cloud Identity service, our new single sign-on offering for the cloud, as well as our extensive SAP Single Sign-On solution for your on-premise landscapes. In addition, we will show how to detect and prevent attacks with SAP Enterprise Threat Detection, and improve the quality of your custom code with our add-on solution for code vulnerability analysis. SAP Identity Management and SAP Access Control offer a combined solution for compliant identity administration across heterogeneous environments. These products are complemented by comprehensive capabilities for authorization, encryption, read access logging, and configuration options for detailed security policies.

Register for SAP TechEd 2015 at the following locations:


Here is a list of related sessions from which you can choose:

SEC101 – Best Practices for IAM Across Cloud and On-Premise Solutions

SEC106 - The Cloud Solution for Authentication, Single Sign-On and User Management

SEC163 - Single Sign-On for Cloud Applications with SAP Cloud Identity Service - 2h hands-on

SEC201 - What's new with IDM 8.0

SEC261 - Experience New Features in SAP Identity Management 8.0 - 2h hands-on

SEC262 - SAP Runs SAP – How to Upgrade to SAP Identity Management 8.0 - 2h hands-on

SEC263 - Risk-Based Authentication for SAP Fiori and SAP Portal - 2h hands-on

TEC102 - Security Strategy Overview


We would be happy to meet with people from the community and exchange thoughts.

Here is an easy way to maintain the users UI access(display/edit/create access control).

  1. Create a custom privilege for the UI Display tasks & UI Edit tasks:
    • PRIV:ROLE:TestUI_Edit
    • PRIV:ROLE:TestUI_Display


Note: for each UI task(display/edit/create) add the needed privilege.


   2.    Create a custom job to maintain the users access

    • You can use a csv file, based  on this file you can grant the needed access(PRIV:ROLE:TestUI_Display/ PRIV:ROLE:TestUI_Edit) to the users
    • Then you will have one FromASCII file pass to read the scv file and create a custom table
    • Second To Identity Store pass to update the users



Hope you like it

Simona Lincheva

Hi community,


As you know, it is possible to enter a validity when assigning roles and privileges through the SAP Identity Management UI based on a date. With this, e.g. the assignments will be valid at the beginning of the day.


But, it is also possible to assign roles and privileges on a more fine granular base with a timestamp. You are able to supply hour, minute, and, if you want to push it further, also seconds and millis.


In a ToIdentity Store Pass, select Entry Type MX_PERSON, and add following lines in order to assign a role on 2015/08/21 on 18:15 (6:15 pm).






You could also use following timestamp to supply millis, but I do not think you need that



Same is true for the VALIDFROM link attribute.


Cheers, Jannis

We are ready with our next release of SAP Identity Management 8.0 SP1

The essential new features in this release are:

  • SAP Identity Management now supports SAP Adaptive Server Enterprise (ASE) database system
  • New Java-based IBM Lotus Domino connector
  • Developer Studio Eclipse plug-in is supported on MAC OS X and Linux.
  • Improved privilege grouping concept
  • Some improvements of the UI based on customers' feedback
  • Enhanced SuccessFactors Connector

After receiving a lot of feedback and requests from customers we made SAP Identity Management now run on an SAP database - SAP Adaptive Server Enterprise (ASE) database system. This will give our customers simplified licensing and optimization of costs of ownership of their SAP solutions.

The new Java-based IBM Lotus Domino connector will address the need of larger customer group and it can run on any platform Java can run. The connector is delivered as a separate package in the Provisioning framework for SAP Identity Management 8.0. To make yourself familiar with the set of supported scenarios and prerequisites see the SAP Identity Management Connector Overview and the respective documentation.

To further expand the platform coverage of SAP Identity Management 8.0 with SP1, the Developer Studio Eclipse plug-in is supported on MAC OS X and Linux.

With the  improved integration between SAP Identity Management and GRC Access Control now the privilege grouping concept allows SAP Identity Management to trigger an assignment of a business role or GRC request only if the business role and its children are already evaluated by the dispatcher and the privileges are grouped into one group. This will ensure that the whole content of the business role (the privileges) will be sent together to the target (GRC AC) system.


Based on input from several customers we did several enhancements in the UIs of Identity Management 7.2 SP10 and also in 8.0 SP1

  • Added some configurability and improved layout of Assignment Details dialog
  • In To Do tab now we show Display name instead of Operation name
  • Usability in Manage tab and made number of favorites configurable
  • Some usability improvements with assignments


SuccessFactors connector now supports update back to SuccessFactors Emplyee Central of the username and email attributes as they are normally generated outside of this system.


Also in parallel we improved the upgrade experience from 7.2 SP9 to 8.0 and 8.0 SP1.

Here you can find also slides about What's New in 8.0 SP1: https://scn.sap.com/docs/DOC-65925

This tool can provide an option to manage the external users, which are neither HR relevant, nor in any other way connected to the sources systems currently used within IdM.

The logic can be separated in three parts:

  • SAP WD UI - for managing the external users information
  • Back-end logic for UI search and validations
  • SAP IdM logic(after the external users are created/changed the master data is updated in IdM and provisioned to the back-end systems)

1. WD UI - External users UI:


Note: in case the HR system can't be use to manage the user's source information

2. Tool functionalities:

  • Complex search criteria to find exactly the people you are looking for.
  • Mechanism for storing new users in IdM if the system is currently busy processing other tasks with higher priority.
  • Easy extendable and transparent for maintenance.
  • Auto generation of user ids (following a certain logic).
  • Permission based access to certain functions.

3. IdM customizations:

  • custom UI tasks for the rest calls
      • UI task for Create
      • UI task for Edit
      • UI task for Display
  • custom repository for managing the users


Note: as there is no back-end, system we need only the Master privilege to trigger the needed workflow in IdM

  • custom job - managing the auto generation of user IDs

Note: on initial load of the users, the custom table should be updated accordingly(as we use for the auto generation of the user IDs)

Hope you like it

Simona Lincheva

As all may know, managing the Business Roles in IdM is not an easy thing to do, especially if the client wants to update them each month/week for a business reasons. In that case we have to manage to provide an easy way for him not only to update the BRs, but to update the user's access accordingly and to have some trace back for the made changes.

First thing that comes to mind is something like that - How to do mass population of a Business Roles with privileges using txt file , but here we are more or less restricted and we don't have any real information, about the changes we made or any validations for the BRs.

So we decided to extend the standard IdM functionality by creating a custom tool for managing the BRs - Authorization Matrix.

The Authorization Matrix allows you to control the BRs within IdM. This tool provides validation rules, easily roll back to a previous version and automatic user access update after BR modification. IdM processes the submitted Matrix and updates the changed business roles, after that the user’s access is updated according the new Matrix. Back-end systems are updated.

1. First we started by separating the logic in three parts:

  • SAPUI5/WD UIs with validation rules
  • Back-end logic for UI validations(access validations, custom tables for managing the data)
  • SAP IdM logic(processing the submitted matrix and updating the user access, creating automatic requests for history review of the user access, with custom Entry Type for the Matrix)

Note: more than one uploads can be executed by a number of users, as we have implemented a custom queue for managing the submitted matrix.

2. SAPUI5 UI - Authorization Matrix:

    • main UI:


    • the rest of the UIs:


3. WD UI - Authorization Matrix:


Note: not only we have the ability to monitor the changes directly from IdM, but we can load previous version of the Matrix and from there we can check the changes or re-submit the old version.

4. IdM customizations:

  • custom Entry Type _Matrix
  • custom job - managing the submitted matrix and managing the queue(more than one matrix can be submitted)
  • custom IdM UI - displaying the requested created for the users(after the access is changed)
  • custom javascript-s managing the logic
  • custom UI tasks for the Matrix

Hope you like it

Simona Lincheva


Filter Blog

By author:
By date:
By tag: