Integrating SAP HR and Identity Management

Integrating SAP HR and Business
Process Driven Identity Management

Volker Scheuber Holger Dopp
Software Engineer Identity Management Architect
Novell, Inc. /vscheuber@novell.com Novell, Inc. /hdopp@novell.com

Agenda

• Business Process and Identity Management

• Definition

• Processing

• Logging, Monitoring

• Live Demo

2 © Novell, Inc. All rights reserved.

Business Processes
Introduction

Business Process for IDM
Definition

• Single process in the identity life cycle process.

• BP always does have a starting point and one
or many end points.

• BP may contain provisioning/de-provisioning,
approval role assignment/revoke and auditing
steps.

• BP may have a start date and/or validity date.


Typical Business Processes

• Join a company
• Leave a company
• Change organizational assignment
• Change organizational role/position
• Request a role, access, permission
• … many, many other customer driven processes


Business Processes vs.
Event Driven IDM Provisioning

Identity Management (classic)
– event (attribute or object change) driven
– often synchronous process
– event flow from single source → IV → multiple targets
– event flow controlled by driver policies

Business Process (classic)
– transaction based
– often asynchronous process
– process flow from single source → IV → workflow →
multiple targets
– process flow controlled by business process controller

Business Process
Representation

• Set of new or changed attributes
e.g. given name + surname change
→ marriage

• Specific values of attributes
e.g. costcenter change
→ organizational assignment change

• Specific change of attribute values from old to new
e.g. position ID change from value 0000 to 0001..9999
→ change from apprentice to fulltime employee


Business Process
Sources

• Any information source related to objects involved in
the IDM provisioning process.
– Direct connected Applications
> SAP HR, Oracle HR
> Telephone System
– Indirect connected applications
> CSV file
> SAP HR iDocs
– Identity Vault applications
> UserApp Self Provisioning
> UserApp Workflow


Business Process
Execution

• Immediately processing of changes
e.g. - synchronization to other application
- assignment of entitlements

• Future processing of changes
e.g. - multiple future processes along the timeline

• Starting of additional process tasks
e.g. - internal approval workflows
- external approval procedures


Business Process
Discovery

• Semantic description of business process at customer
e.g. - new employee record in SAP HR
- new user account in AD
- new Mailbox in Exchange
- eMail to manager
- new user account in SAP User

• Technical specification of business process
e.g. - objects/attributes provided by SAP HR
- attributes required by AD
- attributes required by Exchange
- system information required by SAP User


Business Process
Representation in SAP HR

• Actions
– Mostly many changed values per event and object

• Org.Management Changes
– Less changed values per event

• Direct change of infotype values
– Single value change per event


SAP HR Business Processes
Actions

• Set of necessary SAP GUI screens to enter data
belonging to a specific HR process
e.g. hire new employee

• Pre-defined actions available at SAP HR
e.g. hire, fire, position change, ...

• Customized actions possible at SAP HR
e.g. change employee picture


Actions (cont.)


Org.Management

• Graphical tool to manage the companies
org.management model
e.g. - manage Org.Unit hierarchy
- manage position to Org.Unit relationship
- manage employee to position assignment

• Multiple operations for multiple objects occur
e.g. - company reorganization

• May interact with action
e.g. - action: position change


Org.Management (cont.)


Infotype Changes

• Infotype: set of logical data grouped according to
subject matter
e.g. personal data, addresses, communication

• Direct change of infotype values
e.g. - change of email address
- change of telephone number

• Single operation per object


Infotype Changes


Timeline

• Infotype value does have a validity time frame (valid
from … to)

• Value changes will delimit existing current values

• Default end date is 12/31/9999

• Value changes can have a future date

• The time line for a specific infotype contains historic,
current and future values


Timeline Sample


SAP HR Driver

• Purpose
– Provision employee and organizational information from SAP
HR into the Identity Vault
– 'Mirror' SAP HR data to the IV
– Support for future event work order processing

• Object Types
P – Person
O – Organization
C – Job
S – Position


SAP BL Driver

• Purpose
– Process SAP HR relevant data to
* calculate organizational structure
* calculate organizational assignments
* discover business processes
* generate and handle future event work order objects
• Object Types
– DirXML-sapPAux (User Auxiliary Class)
– DirXML-sapO (Organization)
– DirXML-sapC (Job)
– DirXML-sapS (Position)


Base BL Driver

• Purpose
– Generate Identity Vault Org.Chart
> Maintain manager/directReports relationship
– User account maintenance
> Delete terminated user accounts

• Object Types
– User


SAP HR / BL Driver Interaction (v1.0)


SAP HR / BL Driver Interaction (v2.0)


CMP eSAPe v2.0 –
SAP HR Full State Attribute

SAP HR Full State Attribute

• Purpose
Contains information about
> all discovered SAP HR values (including time line) for a User objects
> last discovered iDoc input values
> last calculated changes based on current full state and new input values

• Operated by
– SAP HR driver

• Schema
– DirXML-sapPFullState
– stream attribute containing a XML document


SAP HR Full State Attribute (cont.)

• Content
– XML document
> <document> <document>
<fullstate>
(content)
</fullstate>

Child elements <change>
– (content)
</change>
<inputDoc>
> <fullstate> (content)
</inputDoc>
> <change> </document>

> <inputDoc>



• <fullstate>
– 'mirror' of all information ever got from SAP HR
– attribute naming in SAP HR format
– historic and current value time line per attribute

<fullstate>
<modify class-name="P" event-id="SAP-HR:O_100_0000000000013109:P+00000129" src-dn="00000129" timestamp="20091001">
<association>00000129</association>
<modify-attr attr-name="P0001:STELL:none:141:8">
<remove-all-values/>
<add-value>
<value seqnr="000" timestamp="20090101-99991231">00000000</value>
/add-value>
</modify-attr>
</modify>
</fullstate>



• <change>
– last change calculated out of most current <input> document
and olf <fullstate> content
– <add-value> contains new value including delimited and new
time line
– <remove-value> contains removed value including old time line
<change>
<remove-value>
</remove-value>
<add-value>
</add-value>
</modify-attr>
</modify>
</change>



• <inputDoc>
– last incoming input document from SAP HR

<inputDoc>
<remove-all-values/>
<add-value>
</add-value>
</modify-attr>
</modify>
</inputDoc>


<document >
<fullstate >
<modify class -name ="P" event -id="S P -HR-CMP:HR_idm.datO _1 _0
A 01 000000002297082 :P+00400673 " src-dn="00400673 "
timestamp ="200909 24 " lasttimestamp ="20090 924 ">
<association >0 0400673 </association >
<modify -attr attr -name ="P0001 :S LL :non :141 :8">
TE e
<re ve -all-values />
mo
<ad -value >
d
<value seq ="000 " timestamp ="2009
nr 0629 -200 701 ">040001
90 05 </va >lue
nr 0702 -200 702 ">000000
90 00 </va >lue
nr 0703 -999 231 ">040001
91 08 </va >lue
nr 0703 -200 709 ">040001
90 08 </va >lue
nr 0710 -999 231 ">040001
91 12 </va >lue
</add -va >
lue
<nds dtdversion ="1.0" ndsversion ="8.5">
</modify -attr >
<source >
</fullstate >
<product bu ="20
ild 090520 _0 04316 " instance ="S P -HR-CMP" version ="3.5.4">DirX Driver for S P /HR</product >
A ML A
<cha nge >
<contact >No , Inc.</co
vell ntact >
A 01 000000002297082 :P+00400673 " src-dn="00400673 "
</sou >
rce
timestamp ="200909 24 ">
<inp xmlns :sapshim ="h :// www.novell .com/dirxml /drivers /S P him ">
ut ttp AS
<modify class -na ="P" event -id="S P -HR-CMP:HR_idm.datO _101 _0000000 297132
me A 002 :P+00400673 " src-dn="00400 673 "
TE e
timestamp ="200909 24 ">
<re ve -va >
mo lue
<association >004 00673 </associatio >n
nr 0703 -999 231 ">040001
91 08 </va >lue
<modify -attr attr -n ame ="P0001 :S LL :none :141 :8">
TE
</remove -value >
<remove -all-values />
<ad -value >
d
<add -value >
nr 0703 -200 709 ">040001
90 08 </va >lue
<valu seqnr ="000 " timesta
e mp ="20090629 -20090 701 ">04000105 </valu >
e
nr 0710 -999 231 ">040001
91 12 </va >lue
e mp ="20090702 -20090 702 ">00000000 </valu >
e
</add -va >
lue
e mp ="20090703 -20090 709 ">04000108 </valu >
e
</modify -attr >
e mp ="20090710 -99991 231 ">04000112 </valu >
e
</change >
</add -value >
<inputDoc >
</modify -a >ttr
A 01 000000002297132 :P+00400673 " src-dn="00400673 "
timestamp ="200909 24 ">
TE e
<re ve -all-values />
mo
<ad -value >
d
nr 0629 -200 701 ">040001
90 05 </va >lue
nr 0702 -200 702 ">000000
90 00 </va >lue
nr 0703 -200 709 ">040001
90 08 </va >lue
nr 0710 -999 231 ">040001
91 12 </va >lue
</add -va >
lue
</modify -attr >
</inpu tDoc >
</do cument >

DirXML-sapPFullState content
SAP HR iDoc content

IDM eSAPe v2.0 –
SAP HR Business Process Definition

Business Process Definition Object

• Purpose
> SAP HR related business process discovery parameters
> default User account actions executed per business process
> operated against the SAP HR FullState document

• Operated by
– SAP BL driver
• Schema
– DirXML-Resource
– content type: text/vnd.novell.idm.bizProcDef+xml



• Content
– XML document
> <document> <document>
<busprocdefs>
<info-busproc/grouping>
(content)
– Child elements </info-busproc/grouping>
<busproc>
(content)
> <busprocdefs> </busproc>
</busprocdefs>
<vaultactions>
» <info-busproc/grouping> (content)
</vaultactions>
</document>
» <busproc>
> <vaultactions>


(cont.)

• <busprocdefs/info-busproc/grouping>
– definition of business process discovery parameters
– grouping of business processes after
> User account relevance (disable, enable, expiration)
> SAP HR actions and it's variations

<busprocdefs>
<info-busproc>
<grouping>
<type id="1">
<opid id="01">Hiring</opid>
<opid id="06">Transfer – active</opid>
</type>
<type id="2">
<opid id="02">Organizational reassignment</opid>
</type>
</grouping>
</info-busproc>
</busprocdefs>


(cont.)

• <busprocdefs/info-busproc/grouping>
– <type>
> groups all SAP HR actions belonging together
e.g. - all user account relevant actions (<opid>)
- all organizational changes
> only one SAP HR action (<opid>) per <type> can be claimed as valid at a
specific time

– <type/opid>
> list of SAP HR actions
> translation between SAP HR action ID and human readable action name
e.g. <opid id=”09”>Hiring (mini master employee)</opid>
> 'id' represents SAP HR action id


(cont.)

• <busprocdefs/busproc>
– detailed definition to discover variations of a business process
– multiple <busproc> may belong to the same grouping <opid>
– Childs:
> <attr> - attribute name, value and operation
> <result> - action to take place if variation is found
– Parameter:
> co - company this is valid for
> id - id of this variation (must be unique throughout all busprocs)
> name - name of the business process variation
> opid - business process this variation belongs too
> type - type this variation belongs too


(cont.)

• <busprocdefs/busproc/attr>
– defines discovery values for each expected infotype attribute
– Parameter:
> attr-name - name of the SAP HR infotype attribute
> timestamp - declare this attribute to be used for deriving begin and end
date timestamp

<busprocdefs>
<busproc co="EH" id="3" name="Leaving" opid="10" type="1">
<attr attr-name="P0000:MASSN" timestamp="true">
<new-value>10</new-value>
</attr>
<attr attr-name="P0001:PLANS">
</attr>
<result>
<action>Deactivate Account</action>
<action>Employee Settings</action>
</result>
</busproc>
</busprocdefs>


(cont.)

– value definitions are related to incoming infotype values
– multiple value definitions per attribute are handled with logical
OR operation
– Childs:
> new-value - add-value value
> new-value-not - add-value values is not
> diff-values - add-value and remove-value are different
> equal-values - add-value and remove-value are the same, but
have different timestamps
> stat-value - current FullState value
> stat-value-not - current FullState value is not
(if no value is specified, all values are accepted)


(cont.)

– Samples:
<busprocdefs>
<busproc co="EH" id="8" name="Primary Position change with OrgUnit change (without Action)" opid="02" type="2">
<attr attr-name="P0000:MASSN">
<new-value-not/>
</attr>
<attr attr-name="P0001:PLANS" comment="Position" timestamp="true">
<diff-values/>
</attr>
<attr attr-name="P0001:ORGEH">
<diff-values/>
</attr>
</busproc>

<busproc id="9" name="Primary Position change inside OrgUnit (with Action)" opid="02" type="2">
<attr attr-name="P0000:MASSN" timestamp="true">
</attr>
<attr attr-name="P0001:PLANS">
<diff-values/>
</attr>
<attr attr-name="P0001:ORGEH">
<equal-values/>
<new-value-not/>
</attr>
</busproc>
</busprocdefs>


(cont.)

• <busprocdefs/busproc/result>
– references to <vaultactions>, which shall be executed if
business process variation is discovered
– Child:
> action
– multiple actions can be defined
<busprocdefs>
<busproc co="EH" id="12" name="Parental Leave without parttime" opid="13" type="1">
<attr attr-name="P2001:AWART" comment="Attendance or Absence Type" timestamp="true">
</attr>
<attr attr-name="P2001:BEGVA" comment="Start year for leave deduction">
</attr>
<attr attr-name="P2001:BEGDA">
<new-value/>
</attr>
<result>
<action>Dectivate Account</action>
<action>Employee Settings</action>
</result>
</busproc>
</busprocdefs>


(cont.)

• <vaultactions>
– defines IV attribute changes, executed immediately if business
process is discovered
– Variables:
> #ENDDA# - ENDDA value of the discovered business process
> #BEGDA# - BEGDA value of the discovered business process
> #CURDA# - current system date

<vaultactions>
<action name="Activate Account">
<set-attr attr-name="Login Disabled">false</set-attr>
<set-attr attr-name="Login Expiration Time">#ENDDA#</set-attr>
</action>
<action name="Deactivate Account">
<set-attr attr-name="Login Disabled">true</set-attr>
<set-attr attr-name="Login Expiration Time">#BEGDA#</set-attr>
</action>
<action name="Last Change Date">
<set-attr attr-name="Description">#CURDA#</set-attr>
</action>
</vaultactions>


IDM eSAPe v2.0 –
SAP HR Business Process Results

Business Login Action Attribute

• Purpose
> summarized information about discovered business processes
> shows list of historic, current and future business processes
> derived from SAP HR FullState document change

• Operated by
– SAP BL driver

• Schema
– DirXML-sapPBLAction


Business Login Action Attribute
(cont.)

• Content
– Status# -1 = historic
0 = current
1 = future
– BEGDA# start date
– ENDDA# end date
– TYPE# business process type id
– OPID# business process id
– OPDESC# business process description
– ID# business process variation id
– BUSPROC# business process variation description
– DATA# XML document (<change>)

0#B G
E DA =20091209 #E NDDA =99 991231 #TY E =2#O ID =02#O DE C =O
P P P S rganizational
reassignment #ID=7#B P C =P
US RO rima P sitionchan insideO
ry o ge rgUnit (withAction )#DA =<X
TA ML
Document containingtherelevant values for thediscoveredaction . Thevalu may befromdifferent attributes
es /
>

e.g. V LUE =<modify -attr attr -name ="P00 :S LL :none :141 :8">
A 01 TE
<remove -va > lue
<value seqnr ="000 " timestamp ="20090703 -99991231 ">04000108 </valu >
e
</remove -value >
<ad -valu >
d e
<value seqnr ="000 " timestamp ="20090710 -99991231 ">04000112 </valu >
e
</add -va >lue
</mod -a >
ify ttr

DirXML-sapPBLAction content

Future Event Workorder Object

• Purpose
– Contains information about future operation to process.
– Will be triggered by the SAP BL driver.
– Correlates with DirXML-sapPBLAction future list

• Operated by
– SAP BL driver

• Schema
– DirXML-WorkOrder


Future Event Workorder Object
(cont.)

• Content
– DirXML-woType
> SAPBUSPROC

– DirXML-woContent
> Contains the value of the corresponding DirXML-sapPBLAction entry

• Processing
– WO objects are stored in the SAP BL driver container
– the WO object is processed at the DirXML-DueDate
– a WorkToDo object is created in the SAP HR driver container


Future Event WorkToDo Object

• Purpose
– Contains information about an executable operation to process.
– Will be injected into the SAP HR publisher process.
– Derived from WorkOrder object.

• Operated by
– SAP HR driver

• Schema
– DirXML-WorkToDo


Future Event WorkToDo Object
(cont.)

• Content
– DirXML-woType
> SAPBUSPROC

– DirXML-woContent
> Contains the value of the corresponding DirXML-sapPBLAction entry

• Processing
– the WorkToDo object is processed immediately
– The XML document derived from DirXML-woContent is injected
into the SAP HR publisher channel.


<document >
<change >
A 01 000000002297082 :P+00400673 " src-dn="00400673 "
timestamp ="200909 24 ">
TE e
<re ve -va >
mo lue
nr 0703 -999 231 ">040001
91 08 </va >
lue
</remove -value >
<ad -value >
d
nr 0703 -200 709 ">040001
90 08 </va >
lue
nr 0710 -999 231 ">040001
91 12 </va >
lue
</add -va >
lue
</modify -attr >
</change >
</document >

DirXML-WorkToDo content

IDM eSAPe v2.0 –
Business Process Logging


• SAP HR and SAP BL driver are enhanced to write
process logs
• process logs contain information about the processing
of events
– SAP HR Driver
e.g. 20100118082757,false(SAP-HR:O_100_0000000000014120:P+00000142),00000142
SAP Operation "modify" detected
ObjectClass: P
Processing FullState …
FullState attribute read for P - 00000142 [SAP-HR:O_100_0000000000014119.save:P+00000142]
FullState attribute written for P - 00000142 [SAP-HR:O_100_0000000000014120:P+00000142]
Status: SAP-HR:O_100_0000000000014120:P+00000142 success ()


(cont.)

– SAP BL driver
e.g.
20100118082809,true(SAP-HR:O_100_0000000000014121:P+00000142),UTOPIAISMutopiausers000000120
SAP Business Operation "modify" detected
ObjectClass: User
DirXML-sapPFullState
av: - …
Start processing DirXML-sapPFullState …
Incoming attributes:
P0002:NACHN:none:84:25 – Erlin
Discover business process
Change (Name) (3 – 6)
P0002:NACHN FOUND in evt.Change
P0002:NACHN -> DIFF-VALUES
rv (Erlin) <> lav (Andalf)
3 - 3 - #true-P0000:MASSN#true-P0002:VORNA(19700101-99991231;Mark)#true-P0002:NACHN(19700101-
99991231;Erlin)#
FOUND --> [Status]#BEGDA=[BEGDA]#ENDDA=[ENDDA]#TYPE=3#OPID=08#OPDESC=Additional personal
assignment#ID=6#BUSPROC=Change (Name)#DATA= …
Discover BP status and timestamps
Status: 99 # Type: 3 # OPID: 08 # OPDESC: Additional personell assignment # ID: 6 # Name: Change (Name) #
Timeattr: P0002:NACHN # Begda: # Endda:
Write discovered business process to IV
DirXML-sapPBLActions added --> 99#BEGDA=#ENDDA=#TYPE=3#OPID=08#OPDESC=Additional personell
assignment#ID=6#BUSPROC=Change (Name)#DATA= …
Write future events (work orders) to queue
... end processing DirXML-sapPFullState


IDM eSAPe v2.0 –
Live Demo

Synchronize Business Processes from SAP
HR to Novell Identity Vault
®

SAP HR Object Classes and Relations

• SAP HR Relationship Model


SAP HR iDoc Processing

• ALE event driven export
• Scheduled export
• Manual export (PFAL)
• Problem with iDoc content and order


SAP HR Future Date Processing

• group of data belong together
• Stale checking and issue with it


Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

Integrating SAP HR and Identity Management

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (12)

Destaque

Destaque (7)

Semelhante a Integrating SAP HR and Identity Management

Semelhante a Integrating SAP HR and Identity Management (20)

Mais de Novell

Mais de Novell (20)

Integrating SAP HR and Identity Management