
SAP Identity Management


SAP has several channels how customers can influence what we are building. Find an overview here.

We will be starting a new Customer Engagement Initiative on SAP Identity Management connectivity. We are developing SAP Cloud Identity (SCI) connector with the idea that it will provide further connectivity to cloud applications like Ariba, SAP Cloud For Customers and more cloud applications in the future. And we want to prioritize and adjust the capabilities of IdM-SCI connector based on the feedback and needs of more customer scenarios.

At the same time we want to generalize how connectors for SAP IdM are developed. We are working to enable customers and partners to build their own connectors more easily as there are a lot of systems for which there are no existing connectors from SAP IdM and customers either look for partners or start developing connectors on their own.

On one hand we want to validate the needs and the scenarios how existing and future SAP Identity Management customers will use SAP Cloud Identity connector and on the other hand we want to validate the approaches and the content.

You can read more and register for the initial call here.


I know that some of you already expressed their desire to participate in preliminary talks some time ago.

If you wish to participate you will be contacted to sign a feedback agreement.

I recently started a new project and one of the first things I ran into was privileges assigned to a user that weren't showing up in the UI. When you did a search of their complete record in the Identity Store, their MSKEYs were listed on the user's record but you couldn't see them in the UI.


Having never encountered this before, I went into investigative mode. I'm the kind of person where unanswered questions bore holes in my brain so, I had to know what was happening here! In short, as it turns out, these PRIVs were inherited from someplace else and the parent was removed but, for whatever reason, the child remained; they were orphans, like Batman. So now, they hide in the shadows, granting their users the rights they shouldn't have but still do because of this failed removal process.


Why doesn't the UI show these PRIVs? The user still has it even though he/she shouldn't. Shouldn't it at least still show up, even if with some kind of status that shows that it's an orphan? Apparently the UI, when deciding what PRIVs to show on a user's record, looks at two columns on the IDMV_LINK_EXT view, mcAssignedDirect and mcAssignedInheritCount. If those two columns are both less than or equal to 0, the mcOrphan column goes to 1 and the PRIV stops being shown on the UI. Here's a screenshot to show what I'm talking about:




So if you're ever in a spot where the UI isn't showing PRIVs that your user clearly has, this might be why. The clean up? Well, that's up to you to figure out. 

Hi All,


Here is our new idea, how to manage a mass number of users in SAP IdM. As most of you may know, the standard IdM UI doesn't allow a mass change of users.

Mass User Data Administration tool provides role based access for Administrators and Managers and is used for user master data & access maintenance - for a number of users. It enables the user to load the data directly from IdM or just to upload an Excel file and complete the action.


MUDA UI separates the 4 main functionalities into sections (Fig.1):

Master data update, Master access update, Mass user lock/unlock and File Import.




Note: In order to find the targeted user(s), each functionality has a Filter (Fig.2) which searches for the users by already selected criteria directly in IdM. The possible filters are dynamically loaded, as all of the attributes are pre-defined in IdM. By pressing the “GO” button, the search in the IdM is executed and returns a result (Fig.3) and in case such one is found it will be added to the table content.





1. Master data update UI

The Master data update functionality enables the mass change of multiple user attributes.

In order to do a master data update, you can select from the “Choose table columns” dropdown (Fig.4) the attributes you would like to update or to see in the table.

Select your filter criteria and then press the “Go” button. After a result has been generated, you can change the values of the attribute you want, or use the Replace All functionality to replace multiple rows which have a certain value with a new one (Fig.5).

On pressing submit, the table content will be submitted and, if any validation error occurs, the wrong row will be highlighted in red and an error panel will appear, displaying all the error messages. After successful submission a popup with the request ID opens (Fig.6) and a status of the current request appears on the right side in the table toolbar; the status will be auto refreshed (Fig.7).




2. Master access update UI

Master access update UI gives us the possibility to assign or un-assign multiple roles and privileges to multiple IdM users at the same time.

Again we have to filter for the users and access we want (Fig.8).

In case the action is “Assign”, the action validity should be selected (Fig.9).

By pressing the “Assign/Unassign” button, all entries without values in the table will be filled with the values defined in the toolbar above the table (Fig.10). On pressing submit, the table content will be submitted and, if any validation error occurs, the wrong row will be highlighted in red and an error panel will appear, displaying all the error messages.




3. Mass user lock/unlock UI

The mass user lock/unlock functionality enables us to lock/unlock a number of selected users. By default, the MX_LOCKED attribute is a mandatory filter and the value Locked is pre-selected (Fig.11).

Note: To be able to execute a mass (single is also an option) lock/unlock we have to select filter criteria, choose a value for the MX-Locked radio button and press the “Go” button. In case the option Locked is selected, all users which match the filter criteria and are locked will be displayed in the table.

4. File Import

This feature provides all functionalities of this Add-On in a single UI view, just by uploading an Excel file. The user is able to assign/un-assign access, lock/unlock users and update user’s master data (Fig.12).

5. Custom MUDA requests created for the submitted UI mass changes - used for auditing purposes. After the UI request finishes we can search the same request in the standard IdM UI by its Request ID (Fig.13).




6. IdM customizations:

  • custom Entry Types _MUDA
  • custom job - managing the submitted mass requests changes
  • custom IdM UI - on SAPUI5 for mass user data/access changes
  • custom javascript-s managing the logic
  • custom UI tasks for the MUDA request - used for auditing

Hope you like it

Simona Lincheva

We showed Lab Preview version of Provisioning Monitor tool at TechEd’2015 and since some time both Identity Management 7.2 and 8.0 customers can enjoy it because it is release independent component.

Based on information from support questions we identified several typical issues and the tool can recognize those and propose solutions for them.

The provisioning monitor can help you analyze and troubleshoot performance issues, such as:

  • A task or a process is stuck in the provisioning queue
  • Many entries are stuck in the provisioning queue
  • The system is too slow, as the execution of tasks or processes is delayed due to a full provisioning queue

The tool reads data from database, it does not do any changes but can show you and advise you what might be the issue by showing the workflows in the provisioning queue, which are related to a specified entry (for example, person, privilege, or role). The output are two JSON files – Workflow.json and Problem.json.

While Workflow.json can give you insights about what is going on with the entry - the workflow as the name implies, the second one contains additional information about the problem and a proposal for a solution, if the analysis of the provisioning monitor has detected one or more of the following root causes:

  1. Tasks are stuck in state „Queued“ but there is no task which they are waiting for to finish
  2. Tasks are stuck in state "Ready to run" with no execution time
  3. An object references itself and can't be completed
  4. Tasks are stuck in state "Wait for event tasks" or "Wait for event task status"
  5. Approval tasks without assigned approvers are stuck in the provisioning queue
  6. There are issues with the dispatcher configuration of the system


Let's look in more details.


1. Tasks are stuck in state „Queued“

The problem is that there are tasks stuck in state “Queued” (State = 37) in the provisioning queue which would never be executed because there is no task which they are waiting to finish or all the tasks are completed.

Solution : The task state in the provisioning queue have to be updated to 2 – “Ready To Run”.

Additional Information : You can fix such problem with the following database statement :

SQL Server/ Sybase ASE - UPDATE mxp_provision set State = 2,  PrevState = State where State = 37 AND ActionID = <ReportedProblemTaskID> AND MSKey = (select mcmskey from mxi_entry with (nolock) where mcmskeyvalue = <EntryMskeyvalue>)

Oracle/DB2  - UPDATE mxp_provision set State = 2,  PrevState = State where State = 37 AND ActionID = <ReportedProblemTaskID> AND MSKey = (select mcmskey from mxi_entry where mcmskeyvalue = <EntryMskeyvalue>)

2. Tasks are stuck in state "Ready to run" with no execution time

The problem is that there are tasks in the provisioning queue which are in status “Ready To Run”, but there is no scheduled execution time for them.

Solution : The exectime in the provisioning queue has to be updated.

Additional Information : You can fix such problem with the following database statement :

  • SQL Server/ Sybase ASE - UPDATE mxp_provision set ExecTime = getdate() where State = 2 AND ActionID = <ReportedProblemTaskID> AND MSKey = (select mcmskey from mxi_entry with (nolock) where mcmskeyvalue = <EntryMskeyvalue>)
  • Oracle/DB2  - UPDATE mxp_provision set ExecTime = sysdate where State = 2 AND ActionID = <ReportedProblemTaskID> AND MSKey = (select mcmskey from mxi_entry where mcmskeyvalue = <EntryMskeyvalue>)

3. An object references itself and can't be completed

The problem is that somewhere in a given task/process flow a task/process has a reference to itself.
Solution : The duplicated task/process has to be removed from the flow.

4. Tasks are stuck in state "Wait for event tasks" or "Wait for event task status"

The problem is that there are tasks in state “Wait for event task” (State = 23) or “Wait for event task status” (State = 24) in the provisioning queue which are waiting for event task which is already completed.

Solution : The status has to be updated respectively to 33 – “Ready To Process Wait Before task” or 34 – “Ready To Process Wait After task”

Additional Information : You can fix such problem with the following database statement :

SQL Server/ Sybase ASE - UPDATE mxp_provision set State = State + 10,  PrevState = State where State = <ReportedProblemState> AND ActionID = <ReportedProblemTaskID> AND MSKey = (select mcmskey from mxi_entry with (nolock) where mcmskeyvalue = <EntryMskeyvalue>)

Oracle/DB2  - UPDATE mxp_provision set State = State + 10,  PrevState = State where State = <ReportedProblemState> AND ActionID = <ReportedProblemTaskID> AND MSKey = (select mcmskey from mxi_entry where mcmskeyvalue = <EntryMskeyvalue>)


5. Approval tasks without assigned approvers are stuck in the provisioning queue

The problem is that an approval task is stuck in the provisioning queue without approvers.

Solution : If the task is of type Basic Approval, the approvers which are assigned to the task have to be checked. If there are assigned approvers, they have to check their “To Do” tab in the Identity Management User Interface. If no approver is assigned, assign an approver and trigger the approval task again. (One way to do it is to set the task to be triggered on modify in the Event Tasks property of the attribute, and then modify the attribute.)

If the task is of type Assignment Approval, the Development Support has to be contacted.


More information on how to get provisioning monitor tool for 7.2 and how to use it you can find here:

https://css.wdf.sap.corp/sap/support/notes/2225812 - this is a pilot note so you have to request access from our primary support.

Meanwhile as it is also officially released with SP2 we will provide additional simpler delivery channel.


The difference between 7.2 and 8.0 is that in 7.2 it is a command-line standalone tool while in 8.0 it is integrated in the Monitoring tab of administrative UI.



Here is an example of how to call it in 7.2. in Windows environment:

ProvMonitor.bat "jdbc:sqlserver://localhost:1433;databasename=MXMC_db;user=MXMC_oper;password=_Password" "C:\usr\sap\idm\JDBC Drivers\MSSQL JDBC40\sqljdbc4.jar" "mskeyvalue.demo" "1" "DEBUG"

You can put this string in a shell file. If you do not want to put the password inside, use "_Password" and you will be prompted during execution.



We are glad to receive feedback about the tool or other frequent patterns you may have faced.

Our next release of SAP Identity Management 8.0 SP2 is ready and successfully passed validation with several customers and partners

The essential news in this release are:

  • New provisioning monitor to improve analysis of queue state
  • Enabling/Disabling of repositories
  • Changing of repository types
  • Minor Enhancements


We implemented feedback from customers and fixed issues in:

  • Upgrade from 7.2
  • Development Studio (Eclipse Plug-Ins)


We showed Lab Preview version of provisioning monitor at TechEd’2015 and now both Identity Management 7.2 and 8.0 customers can enjoy it because it is release independent component. The difference is that in 7.2 it is command line standalone tool while in 8.0 it is integrated in the administrative UI.


It recognizes now several typical issues and proposes solutions based on several predefined patterns of common issues.

More info you can find in this blog.

We made possible to Disable and Enable repositories. This is useful in cases when you need to handle target system on which maintenance is to be performed – you can manually disable the respective repository before the maintenance from the Administration UI. IdM will be maintaining provisioning operations while repository is disabled and then after the system is available again, you enable the repository and then the provisioning operations which were not executed while the repository was disabled, are executed.


This is also prerequisite if you want to change repository type. And this is another good news if you are migrating from 7.2 to 8.0. Get benefit from a new functionality for specific target system.

How does it work:

  • Manually trigger the change for disabled repository
  • Repository is renamed and kept for consistency
  • Repository with the original name and the new repository type is created
  • New and the old repositories should be enabled
  • Optionally perform Initial load for the new repository type

All the patches which were delivered for SP1 are also available in SP2. Additional information about  those fixes can be found in this note:

SAP Identity Management 8.0 patches on SP1

And stay tuned for Rapid Deployment Solution Package on IdM 8.0

Hello folks,


Just thought to share one issue of ours and the corresponding solution, which took us around 1 day to fix. Hope it will help others too.


We have just completed SAP IDM 7.2 SP10 installation. Our Management and Runtime components were on different servers. After installing the Management Console and setting the JAVA and JDBC string, we created the dispatcher scripts and copied them to the run-time server.


After the copy, we installed the dispatcher services on the run-time server and started them. They started successfully and the status was showing fine in the database too, but it was still not getting updated in MC.


We spent around a whole day finding the issue and at last we found that somehow dispatcher services had been created on the MC server too and MC was reading those same dispatcher services.




We have deleted the Dispatcher services from the MC server using below command and refreshed the MC.


sc delete <Dispatcher_ServiceName>


After the MC refresh, issue has been fixed and dispatcher has been updated in MC.



C Kumar

In this blog I will explain how to connect a PI with the IDM.


Create a User in the PI

In the PI you must create a technical user who has Access to the PI. (Please contact your PI-Professional to generate the User)
You can also give this user full access to the PI.


Create a Package in the IDM-Developmentstudio

In the IDM Developmentstudio you have to create an "asjava-Package".

(I created it with this package and it works)

I did it with the following instructions from the SAP-Help-Site:

     Connecting an AS Java System with Database as UME Data Source





Create a Repository in the IDM Admin UI

After you have created the new package, you must create a new repository.

In the IDM Admin UI do the following.


After you do this you must determine the leading system for attributes.

You can read the following documentation from the SAP help site:

Determining the leading System for Attributes

Run the "Initial Load"-Job

Once you have done the points above you must run the Job "Initial load" from the IDM Admin UI.




Once you have run the Initial Load Job, the connector loads the users to SAP IDM according to the mapping between the IDM and the AS Java attributes.


If the job ends with "ok", now you are able to provide new user from the IDM to the PI.


I hope this documentation isn't wrong but for me it works.

Hello Folks,


I was getting error whenever I tried to insert a new line (to add a filter) in source tab of Initial load jobs.


After the error I was unable to do anything in the SAP IDM MC and was able to work again after closing and reopening the MC.


I was facing this issue again and again whenever I tried to insert a new line (to add a filter) in source tab of Initial load jobs.

After some search I found that, this issue is due to the time-zone difference between the IDM MC server and IDM database server.


Requested the DBA to change the timezone of IDM database server as IDM MC server and this issue has been resolved.


Hope it will help someone who is getting similar issue.


Version - SAP IDM 7.2






Thanks & Regards,


C Kumar

Would be glad to meet some of you at SAP Insider 2016 15-19 Feb in Las Vegas.

I'll give two sessions. One is All-around security: Leveraging SAP’s identity and access management portfolio for an end-to-end solution on 18 Feb 16:40

Will present SAP’s comprehensive identity and access management portfolio that covers both SAP and non-SAP systems in your IT landscape. You can take a detailed look at on-premise identity management and single sign-on, as well as integrated solutions for cloud and cross-company environments. And see how SAP Identity Management, SAP Single Sign-On, SAP Cloud Identity, and SAP Access Control can be leveraged to:

  • Manage identities in heterogeneous system landscapes with just one solution — both on premise and in the cloud
  • Ensure compliance with internal policies and legal regulations
  • Align your single sign-on approach to cover your entire organization and extend to the cloud


The second session will be Safeguard your business-critical data with SAP Enterprise Threat Detection and SAP HANA (17 Feb 8:30)

Will talk about how to identify attacks as they are happening, and analyze threats quickly enough to neutralize them before serious damage can occur with SAP Enterprise Threat. See how organizations use the combined capabilities of SAP HANA and SAP Enterprise Threat Detection to: 

  • Identify and prevent cyber attacks in real time
  • Manage exposure to internal and external threats
  • Leverage your log data to monitor your system landscape
  • Scan for attack patterns, identify security lapses in your landscape, and strengthen your overall security infrastructure

Here is a link to the event program:



There will be Ask the Experts session on Wednesday, February 17, 4:15 - 5:00 in the Exhibition hall.

“Everything you can imagine is real.” ― Pablo Picasso


One of the things I’ve always been hesitant to do in my IDM career is play with the actual database objects such as the Stored Procedures. There really should not be a  problem with using them as long as you are careful and use common sense. For example, making changes to the actual Stored Procedure code is a bad idea. At the very least your changes will be overwritten in the next update, and at worst, they could potentially break the update process (or IDM itself!) But I think as long as the basic precautions are taken, the stored procedures can be used with some effectiveness to enhance how we use IDM. The main thing is to go slowly, test what you are working with thoroughly and use examples from existing working jobs and the Stored Procedure definitions themselves so you know what is expected.


If you want to see how this is done in general, take a look at an initial load job, when IDM goes to create the account attribute in the very first pass (at least in the AS Java (Database) – Initial Load job.)




From this screen shot, we see a To Database pass and that it is possible to execute several operations in the same pass. Also the SQL updating option has been selected. This option allows the IDM engine to act as a direct gateway to the back end database where you can run almost any valid SQL command. I don’t know that there are any real exceptions to this save that whatever command is to be executed needs to have permissions for the [mxmc]_rt account.


Looking a little deeper, we see there’s a script being executed to prepare the statement called sap_core_callStoredProcedure and that it takes two arguments separated by the standard IDM delimiter of ‘!!’. Let’s take a quick look to see what it does:

// Main function: sap_core_callStoredProcedure
// Call/execute a stored procedure.
// Parameters (separated by "!!"):
// - Name of the stored procedure
// - List of procedure arguments (separated by "," and string arguments enclosed in '' - actually this is the syntax accepted by MSSQL and Oracle at least)
// Note: The <prefix>_rt user/role must be allowed to execute the respective procedure!
function sap_core_callStoredProcedure(Par){
    var ParComponents = Par.split("!!");
    var procedure = ParComponents[0];
    var arguments = ParComponents[1];
    var dbType = "%$ddm.databasetype%";
    var result = "";
    if (dbType == 1) { // MSSQL
        result = "execute " + procedure + " " + arguments;
    } else { // Oracle
        result = "call " + procedure + " (" + arguments + ")";
    }
    return result;
}

So basically, all this script does is break apart the pieces and then add the appropriate database command based on database type (be careful if you’re using DB2, I have not tested it, but if issues arise, please refer to this  article. I’m pretty sure that the proper database command is ‘call’ since DB2 is being used in Oracle emulation mode.) When troubleshooting you might want to add in a uInfo (result) or uWarning (result) in just before the return statement, it really helps sometimes.


The nice thing about using this script is that it makes it much easier to call the Stored Procedures and work with the various databases supported by IDM. You might also notice that when the Oracle Database is used, the stored procedure arguments are also encased in parentheses ().


For a practical example of how to use this functionality, I’m going to work with the stored procedure mxi_xcreate_objectclass. This is the stored procedure that is used by IDM to create a new EntryType. (The original architecture of IDM was heavily influenced by LDAP directories) Personally, I’ve wanted to be able to do this particular operation on some past projects where there’s been a need to create EntryTypes in multiple environments and systems, so putting this into a job helps to automate it. Also as a consultant, it helps me to “productize” some of the enhancements I develop, which makes them easier to distribute.


So calling the Stored Procedure seems pretty easy as it’s called as follows:


$FUNCTION.sap_core_callStoredProcedure(mxi_xcreate_objectclass!!1,'ZMY_ENTRYTYPE','An EntryType Example','My Entry Type',0,1,NULL)$$


However I was a little confused when I first tried to call it as I could not get the last parameter, Pocid parameter to populate correctly, so I needed to look at the code to figure things out (including the names of the parameters) This is probably also a good time to mention that there is no documentation for working with the stored procedures, so you probably should take some time to review any code before you use it.  It's a good way to learn about how IDM's innermost workings are built and also gives you an idea of what is expected when using any of these Stored Procedures.


Pocid correlates to the MSKEY and is generated during the execution of the stored procedure. When I looked through the code and saw it was checking if that parameter was NULL, I knew how to populate it and things worked just fine.


So there’s a couple of things to consider when working with these stored procedures.


  • There’s not too much documentation here, so be careful.
  • Don’t make changes to the Stored Procedure code. Comments might be OK, but remember that they will potentially be removed with the next update, so be careful.
  • Working directly with the Stored Procedures has direct impact on the Identity Store with fewer built in safeguards, so make sure things are backed up if they are important, and be careful.

Are you sensing the overriding theme here?


If you’d like to take this example a step further, go ahead and use the Stored Procedures mxi_schema_create_attr_ns and mx_schema_add_attr_to_oc_ns to create a new attribute and then add it to the EntryType. Examples can be found in the SAP NetWeaver Templates (start with the Initial Load job for a repository)  If you have questions, post them in comments or start a discussion thread if they are more general.


So go ahead and try and use some of the Stored Procedures to advance your IDM needs, just be careful. I’ll be working on a somewhat more complicated example next and as soon as my testing and verification is complete, I’ll be sharing again with the community.


I have not been able to test this with Version 8 yet.  If anyone does, please let me know how it works and what you needed to do.
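Because sap_core_callStoredProcedure pastes the argument list into the statement unchanged, an apostrophe or comma inside a value alters the SQL that the [mxmc]_rt account executes. The following is an added example, not SAP's code and not part of the original post: it builds the same execute/call string from typed arguments. The function names and the allowlist are assumptions, and it is written in ES5-style JavaScript so it runs under Node as-is.

```javascript
// Added example (not SAP's script). All function names and the allowlist
// below are hypothetical; only the stored procedure names come from the page.

// Hypothetical allowlist: only the procedures named on this page may be called.
var ALLOWED_PROCEDURES = {
  mxi_xcreate_objectclass: true,
  mxi_schema_create_attr_ns: true,
  mx_schema_add_attr_to_oc_ns: true
};

// The page's approach for the MSSQL branch, kept for comparison:
// whatever follows "!!" is appended to the statement verbatim.
function naiveCall(par) {
  var parts = par.split("!!");
  return "execute " + parts[0] + " " + parts[1];
}

// Render one argument as a SQL literal: NULL, an integer, or a quoted string
// with embedded apostrophes doubled.
function renderArgument(value) {
  if (value === null) {
    return "NULL";
  }
  if (typeof value === "number") {
    if (isFinite(value) && Math.floor(value) === value) {
      return String(value);
    }
    throw new Error("only integer numbers are supported: " + value);
  }
  if (typeof value === "string") {
    if (/[\x00-\x1f]/.test(value)) {
      throw new Error("control character in argument");
    }
    if (value.indexOf("!!") !== -1) {
      throw new Error("IdM delimiter '!!' in argument");
    }
    return "'" + value.replace(/'/g, "''") + "'";
  }
  throw new Error("unsupported argument type: " + typeof value);
}

// Build the statement for the database type, following the page's rule:
// dbType 1 is MSSQL ("execute"), anything else is handled as Oracle ("call").
function buildProcedureCall(dbType, procedure, args) {
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_PROCEDURES, procedure)) {
    throw new Error("procedure not on the allowlist: " + procedure);
  }
  var rendered = [];
  for (var i = 0; i < args.length; i++) {
    rendered.push(renderArgument(args[i]));
  }
  var list = rendered.join(",");
  if (String(dbType) === "1") {
    return "execute " + procedure + " " + list;
  }
  return "call " + procedure + " (" + list + ")";
}

// Quick sanity check for a generated statement: an odd number of apostrophes
// means a string literal was left open.
function hasBalancedQuotes(sql) {
  return (sql.split("'").length - 1) % 2 === 0;
}

// Constructed sample input: the page's argument values, with a description
// that contains an apostrophe.
var sampleArgs = [1, "ZMY_ENTRYTYPE", "Contractor's accounts", "My Entry Type", 0, 1, null];
var naiveSql = naiveCall(
  "mxi_xcreate_objectclass!!1,'ZMY_ENTRYTYPE','Contractor's accounts','My Entry Type',0,1,NULL"
);
var safeSql = buildProcedureCall(1, "mxi_xcreate_objectclass", sampleArgs);

console.log("naive   :", naiveSql, "| balanced quotes:", hasBalancedQuotes(naiveSql));
console.log("hardened:", safeSql, "| balanced quotes:", hasBalancedQuotes(safeSql));
```
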

The notification functionality in SAP Identity Management 8.0 is available to you with the Notification package of the SAP Provisioning Framework. The notification package com.sap.idm.util.notification contains the notification process and the notification templates, which are used to send emails for approval and attestation tasks.

If you want to trigger a notification because of an SAP Provisioning Framework process, specify the value of the appropriate NOTIFYEVENT package constant to point to the template (a unique template ID) that you want to use. The most commonly used notification events are handled by this package:

  • NOTIFYEVENT_ASSIGNMENT_COMPLETED  -  Privilege assignment notification
  • NOTIFYEVENT_ASSIGNMENT_FAILED - Assignment failed notification
  • NOTIFYEVENT_ASSIGNMENT_REVOKED - Privilege removal notification
  • NOTIFYEVENT_PASSWORD_CHANGED - Changed password notification
  • NOTIFYEVENT_USER_MODIFIED - Modified user notification
  • NOTIFYEVENT_USERACCOUNT_CREATED - Created user notification
  • NOTIFYEVENT_USERACCOUNT_DELETED - Deleted user notification
  • NOTIFYEVENT_USERACCOUNT_DISABLED - Disabled user notification
  • NOTIFYEVENT_USERACCOUNT_ENABLED - Enabled user notification


If you need to configure a mechanism for notification for other events, such as custom process completion or in case of any error, you can use the uSendSMTPMessage internal function. In this article I will give you a simple example for triggering notification for a process completion.


1. In the Identity Management Developer Studio tree view, check out a package and create a process. Rename the process to “doSthProcess”.


2. In the process flow diagram, add an action task to the process. Rename it to ExportIdentitiesTask.


3. In the job view, select the Passes tab and choose New from the context menu. Select a pass of type ToASCII and rename it to ExportIdentitiesPass.


Open ExportIdentitiesPass pass and define as a Source MX_PERSON entry.


As for Destination define the file location, for example ‘C:\tmp\identities.txt’ and the list of attributes you need to export:


5. In the Identity Management Developer Studio tree view, select the Scripts node of the package that you have checked out and add a new package script. Enter the following name for the script: sendingIdentitiesScript.


The variable attachmentLocation points to the toASCII pass file location in this case.

You may add additional logic for the dynamic creation of either text message or subject.

An example of the script is attached to the article.


6. Go back to the job view where you have created the pass ExportIdentitiesPass. Select the Scripts tab and then select Add Link to Package Script from the context menu.


In the Connection to Package Script dialog, select Self from the Select Package drop-down menu.


Select our new script sendingIdentitiesScript in order to be able to use it in the pass.

7. On the General tab of ExportIdentitiesPass pass, in the Termination Script drop-down menu, select sendingIdentitiesScript.


In similar way, you can define Initialization or Entry related scripts.


Now, you can test the example through the Test Process feature and check your inbox for a new email with attachment :-) .


Related information you can find here :

“Assimilate this” – Worf, Star Trek First Contact


I think this is a good way to start this discussion of how SAP IDM can be used to provision information to a custom application.


In my previous Blog, I explained how to use existing SAP IDM templates to load Identity Data in from a fictional Database Application called “NonSAPApp.” In this entry, I will explain how to use the Provisioning Framework to enable Provisioning from the SAP IDM Web UI.


To do this, I created a folder in the Provisioning Framework folder under the CONNECTORS node called NONSAPAPP, then I created a subfolder called Plugins, followed by 6 Ordered Tasks as shown below:


Each of these tasks needs to be mapped in the NONSAPAPP IDM Repository. Note how the numbers in the Task Name relate to the MX_HOOK constants:


To keep things simple, this blog only specifies a subset of the functions.  If you look at one of the other connectors, you’ll see what else can be done with a SAP IDM Connector. As far as I know there is no reason that you cannot extend this custom connector (or any connector for that matter) with additional Hook Tasks based on this model.


In this example, we are only going to go into detail for the Create, Modify, and Delete User Hook Tasks. I created stubs for the Role tasks but did not do anything with them. They can easily be added based on the contents of this blog.


In the Create Task, I made use of a “To Database” pass.  Nothing terribly fancy here. Note that I used the User Table from my “application” and mapped the attributes.


The big question that usually gets asked at this point is: how did you populate the Repository Constant, since there is no Repository assigned by default? There are a couple of things you can do to resolve this:

  1. Use Copy/Paste or manually type it in.
  2. Temporarily assign the application repository, set the constants and then set the repository back to “None / Inherited”. This is a good best practice as it saves you some effort if the repository name should ever get changed; and if you disable the Repository, provisioning cannot occur. If this is populated with the Repository name, provisioning might still be able to occur.


Also, in case you were wondering, I left “Public task” selected so that I can test from the Console if needed. Always helpful :-)

There’s not much to say about the Modify task.  It’s pretty much a copy of the Create task.


One thing that you might need to consider at some point is that if you need logic to check changes that are made, you’ll need to introduce some scripting here.


At last we come to the Delete Task. It might just be the most direct. My example gets to be very simple, since this is a simple application. Your custom application might not be so simple. Make sure you have a good, long requirements discussion with the application owner on this. If there are requirements to disable the user first, or make sure their assigned roles are dropped, you will need to provide for this in some sort of workflow. (The Provisioning Framework Connector does allow for disable tasks; they are Hooks 6 and 7, which I did not cover in this example.)


To delete the user, I use a simple SQL statement, using the SQL updating option of the “To Database” pass. Again, this is something you’ll need to work out with your app owner and the DBA since your service account might lack these permissions.
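As an added illustration (not part of the original post or its export file), here is what the Create, Modify and Delete hook tasks amount to at the database level, run against an in-memory SQLite stand-in for NonSAPApp. The schema and function names are assumptions; the point is that attribute values are bound as parameters and that the delete drops role assignments and the user row in one transaction.

```python
import sqlite3

# Constructed stand-in for the NonSAPApp database. Table and column names are
# assumptions for illustration, not the schema used in the post.
SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, first_name TEXT, last_name TEXT);
CREATE TABLE roles (role_id TEXT PRIMARY KEY);
CREATE TABLE user_roles (
    user_id TEXT NOT NULL REFERENCES users(user_id),
    role_id TEXT NOT NULL REFERENCES roles(role_id),
    PRIMARY KEY (user_id, role_id));
"""

def open_app_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # reject rows that point at a missing user
    db.executescript(SCHEMA)
    return db

def create_user(db, user_id, first, last):
    # Create hook: attribute values are bound, never spliced into the SQL text.
    with db:
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (user_id, first, last))

def modify_user(db, user_id, first, last):
    # Modify hook: returns the number of rows changed (0 means unknown user).
    with db:
        cur = db.execute(
            "UPDATE users SET first_name = ?, last_name = ? WHERE user_id = ?",
            (first, last, user_id))
    return cur.rowcount

def delete_user(db, user_id):
    # Delete hook: drop role assignments and the account in one transaction;
    # any error rolls both statements back.
    with db:
        db.execute("DELETE FROM user_roles WHERE user_id = ?", (user_id,))
        cur = db.execute("DELETE FROM users WHERE user_id = ?", (user_id,))
        if cur.rowcount != 1:
            raise LookupError(f"expected 1 user row, deleted {cur.rowcount}")
    return cur.rowcount

def demo():
    db = open_app_db()
    create_user(db, "lskywalker", "Luke", "Skywalker")
    create_user(db, "mobrien", "Miles", "O'Brien")  # the quote stays data
    with db:
        db.execute("INSERT INTO roles VALUES ('JEDI')")
        db.execute("INSERT INTO user_roles VALUES ('lskywalker', 'JEDI')")
    changed = modify_user(db, "mobrien", "Miles", "O'Brien-Ishikawa")
    deleted = delete_user(db, "lskywalker")
    users = db.execute("SELECT user_id, last_name FROM users").fetchall()
    left = db.execute("SELECT COUNT(*) FROM user_roles").fetchone()[0]
    return changed, deleted, users, left
```

With foreign keys enforced, deleting the user row while assignments still exist fails outright, which is the behaviour to agree on with the application owner and the DBA before granting the service account DELETE rights.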


I hope this brief overview has been helpful to you. There are multiple ways of approaching this issue, and I used a database method since it was the easiest to demonstrate. In real life, it will most certainly not be this direct or easy and you’ll probably need to go through some sort of API, which in some ways will be easier, since you’ll have commands available to you for managing the user objects in the application. If someone does create a connector using an API, I hope it gets shared here on SCN as well!


I’m also attaching the export configuration for people to examine. (Don't forget to drop the "XML" extension, so that it is a valid IDM import file.) Note that there are absolutely no warranties or guarantees included with this configuration and neither I nor SAP can be held responsible for anything that happens as a result of using this import. I threw this together quickly but it should serve as an adequate template for you to start your customizations with.

The long awaited training is now available.

We needed some time to prepare it and thanks to Alexander Zubev it is now available and can be booked across the regions.

I noticed that if you search the global site https://training.sap.com/g/en/, no dates and locations are shown. That’s why you can select UK for the Europe region and US for the America region and search for course number "ADM920" or "Identity Management".


For Germany, 7.2 training sessions are still shown with the same number, ADM920.



The content can be found here:


I copy it for convenience:

The goal of the course is to gain knowledge about SAP Identity Management 8.0. Understand how SAP Identity manages users in heterogeneous IT landscape. Learn how to integrate identity management with business processes within and beyond your enterprise, using identity federation to facilitate joint authentication and single sign-on for a secure identity management solution across company boundaries.


  • SAP Identity Management (IdM)
    • Describing Identity Management
    • Explaining SAP IdM Architecture
    • Describing the SAP IdM Data Model
  • Forms
    • Creating Forms
    • Customizing Search Results
    • Implementing a Custom User Interface
  • Jobs
    • Creating Jobs
    • Creating a Repository
    • Creating Repository Jobs
    • Implementing Scripts for Advanced Data Conversion
  • Provisioning and Workflow
    • Creating Processes
    • Auditing the Task Execution Process
    • Describing the SAP Provisioning Framework
    • Assigning Privileges
  • Roles
    • Creating Business Roles
    • Defining Automatic Role Assignments
  • Approval Workflow
    • Configuring Approval Workflows
    • Sending Notifications
    • Storing Information with Pending Value Objects (PVO) and Context Variables
    • Implementing Automatic Approve/Decline of Role Requests
  • Context-Based Assignments
    • Defining Context
    • Creating Guided Activity Tasks
    • Provisioning Context Toward Backend Systems
    • Assigning Automatic and Conditional Context
  • SAP IdM and Other SAP Systems
    • Provisioning a User to AS ABAP
    • Setting Up SuccessFactors (SF)
    • Configuring the Virtual Directory Server (VDS) to Publish Information
    • Verifying Authorization Compliance
    • Setting Up SAP Human Capital Management (HCM)
  • Advanced Tasks
    • Running Housekeeping Procedures
    • Accessing the Identity Center Database
    • Debugging Entries
    • Optimizing the Performance of SAP IdM
    • Explaining the Reporting Tools
    • Resetting Passwords
  • SAP IdM Installation and Configuration
    • Installing SAP IdM
    • Configuring SAP IdM Security
    • Updating the Service Package
    • Upgrading SAP IdM 7.2 to IdM 8.0
    • Setting up High-Availability for SAP IdM
    • Transporting Content

The training is highly interactive, alternating between explaining new features, questions, and exercises accompanying each component. Exercises are used throughout the training to give the students the hands-on ability and increase the level of confidence with the product.

Also you can download the index here

Connecting Non SAP Applications to SAP IDM (Database oriented)

Lily Sloane: I envy you... the world you're going to.

Captain Jean-Luc Picard: I envy YOU... taking these first steps into a new frontier.

--Star Trek: First Contact

Previous entries here in the SCN IDM Space have discussed connecting various applications to SAP IDM: Active Directory (and other LDAP related systems), SAP Systems, Flat Files, even database tables. But what we have not really discussed is how to connect a database related system to SAP IDM. As with all things IDM, there are a number of ways to do this using IDM and VDS, and I am going to discuss how to do this over the next couple of blog postings.

In this first entry, I will discuss how to set up the Repository and Initial load for the system, which I am simply calling NonSAPApp. It is based on a simple database structure that was submitted in a Forum thread.

So the first challenge was creating the Repository. To do this, I simply used the New Repository Wizard to create a Database Repository.

Repository Wizard.jpg

Didn’t need to do too much here, just name the repository, choose the driver and then add the JDBC and OLE DB connection strings. If you’ve installed IDM before or created a new Identity Store, this should not prove to be too much of an issue. When you’re all done, you’ll get something like this:

Repository Constants.jpg

Now we can go ahead and create an Initial Load job. To do this, first I went through the job wizard to create a job to use as a template.

Initial Load selection.jpg

Make sure when you are running through the wizard that you select the correct repository. Don’t worry though, it can all be modified later. After you’ve run through the wizard, expand the node and remove the unnecessary passes so the job looks like this:

NONSAPAPP Initial Load.jpg

Now let’s talk about some of the changes that were made to these passes so it will work for NONSAPAPP.

  1. In the root node of the job, double check and make sure it’s enabled and has a dispatcher assigned (and running!). This is also your chance to make sure that the correct repository is selected.
  2. In the Create System Privilege Pass, change the description to something that describes the application.  If need be this can be done manually later.
    Create System Privilege.jpg
  3. In ReadNonSAPAppUsers, make sure that you are re-configuring the source tab to read from your Users table.  It will look something like this:
    Read Users Source.jpg
    You’ll then be able to do an Insert Data Source Template.
  4. For ReadNonSapAppRoles, do the same thing, except that you will need to pull from your Roles Table.
  5. In the WriteUsers pass, map the fields accordingly. Blank out any fields that don’t apply or won’t be populated either by disabling the attribute via the # prefix or by clearing the attribute value.
    Write Users destination.jpg
  6. In the WriteRolePrivilege pass there is a value of %uniquename% used in the MSKEYVALUE and DISPLAYNAME attributes. If you are not using this value, replace it with a relevant unique value in your database as I have done here:
    write roles destination.jpg

That’s it, run the job, fix your errors and then check the database to make sure that the roles and users have been created.  In this case, my sample data had one user, Luke Skywalker (guess what I was watching?) and some roles that you can see from the following queries.

First a query that shows the user has been created:

NONSAPPAPP Loaded users.jpg

Next a query that shows the roles have been created and any users assigned to roles.

NONSAPAPP Roles and assignments.jpg

So there you have it. You’ll notice I did not handle role assignments here, but I think we all get the general idea of how to do this. In the next week or so, I will wrap this up by extending the provisioning framework to cover adding a user via the IDM UI to the system.


Added 19November2015

Thinking back to my TechEd Sessions with Plamen Pavlov and Kristian Lehment, you might want to try importing the attached file to a Version 8 environment (or to a version 7 environment for that matter). Just remember to drop the ".xml" from the filename. Note that there are absolutely no warranties or guarantees included with this configuration and neither I nor SAP can be held responsible for anything that happens as a result of using this import.  - MP

If you'd like to know how to connect the application to the Provisioning Framework, take a look at the follow up to this blog: Connecting Non SAP Applications to the SAP IDM Provisioning Framework

For SAP Identity Management 7.1, 7.2 and 8.0 the following system behavior may be observed:

  • When you modify attributes with the SAP Identity Management Web UI, multiple modify tasks for these attributes are triggered to the backend systems.
  • In most cases this can happen when you do this together with another UI action:
    - change attributes contained in the modify task trigger attributes (e.g. MX_FIRSTNAME) for MX_PERSON, and
    - assign/remove MX_ROLE objects.
  • You have not defined the attribute MXREF_MX_ROLE as a modify task trigger attribute. (In the SAP Provisioning Framework, the modify task trigger attribute is defined on the system privilege PRIV:SYSTEM:<repository_name>.)



The described behavior can be reproduced:

  • Logon to the IDM Web UI
  • Change the values of any modify task trigger attributes for a user and assign/remove business roles for that user at the same time


This behavior occurs in very rare cases and cannot be prevented. It ensures the correct provisioning of modified attribute values to backend systems. It does not cause any provisioning errors.

