

Number of slides: 80

Configuring Novell Nsure® Identity Manager 2 (formerly DirXML®) for Enterprise Applications
Mark Worwetz, Senior Software Engineer, Novell, Inc.
[email protected]

The one Net vision
© March 9, 2004 Novell Inc.


What is an ERP application?
• Enterprise Resource Planning
• Software that is utilized by most, if not all, organizations in the enterprise
• Integrates various software modules into a single system
• High TCO: a very expensive package to purchase, deploy, and administer

Configuring Nsure Identity Manager 2 for Enterprise Applications (agenda)
• ERP Integration Issues
• Driver Functionality
• Driver Configuration
• Driver Implementation Scenarios
• Questions

ERP Integration Issues
• What is the goal of the integration?
• Why integrate ERP data?
• What data should be shared?
• How should the data be accessed?
• What are the risks of integration?

What is the Goal of the Integration? Islands of isolated data (diagram)

What is the Goal of the Integration? Sharing data through the enterprise (diagram)

What is the Goal of the Integration? Authoritative Sources
• ERP system: employee and organization data
• GroupWise®: e-mail address
• Telecom: telephone number
• Existing corporate directories: access, legacy resources
• Facility database: office/mail-stop
• Account Management: system access rights
• Etc.

Why Integrate ERP Data?
• Contains the most complete set of identity data
• Contains the most authoritative identity data
• Most protected source of data

What does Novell do for ERP? Help leverage the investment in ERP by:
• Integrating identity data with non-ERP applications
• Providing data conversion opportunities
• Allowing access to ERP data outside of the ERP system
• Providing multiple integration options, from application-specific to generic interfaces

What Data Should Be Shared? Only share data that is useful:
• Data that is duplicated in other applications
• Data that is required to process business workflow
• Data that must be accessed by non-ERP employees
• Data that is shared beyond the corporate boundary
Do not share sensitive information!
• Make sure ERP administrators are involved in the decision.

How Should the Data Be Accessed? It is important that the customer is aware of, and comfortable with, the integration access method:
• Direct System or Business Object APIs
• Open Standard Protocols (LDAP, JDBC)
• Flat file transfers (XML, CSV)
Make sure ERP administrators are involved in the decision!
Make sure appropriate rights are granted to provide the integration.

What are the Risks of Integration?
API access introduces ERP system security concerns:
• The DirXML Driver acts as an ERP client: what rights should the driver have?
• Are the authentication credentials protected?
Access to underlying data tables introduces data integrity and ERP system support issues.
Flat-file access introduces file-system security and resource issues.
Remote drivers introduce data transmission security issues.
Data integration introduces auditing concerns.

What are the Risks of Integration? Improper planning and insufficient buy-in to the integration solution by all involved personnel is the NUMBER 1 problem in the field! Always INVOLVE the ERP system administrators in the solution planning!

ERP Integration 'Bottom Line'
• The ERP administrators are the only people who really understand the ERP system data and processes: you need their help!
• The ERP administrators can make or break the project. Management is very dependent on their opinions: treat them with respect!
• The ERP administrators are among the 'best and brightest' people at the customer site: discuss the function of the DirXML driver with them so they are comfortable with it.

Driver Functionality: DirXML Drivers for SAP HR and PeopleSoft
• What is a driver?
• What data is shared?
• What are the default Policies?
• What is the driver design philosophy?
• Where does the driver run?
• How do the drivers access data?

What is a driver? A driver is composed of two distinct elements:
Driver Policies
• The policies are default configuration information that describe the application connection information, schema mapping, and various data transformation policies
• All policies are objects in the Identity Vault
• Policies are managed using iManager
Driver Shim
• The shim is responsible for interfacing with the connected application and implementing policies
• The shim is an independent code module

What data is shared? Both drivers work in a "Publisher primary" mode.
• Drivers can Publish all events (Add, Modify, Delete)
• Drivers can Subscribe to Modify events only.
Drivers are configured for an HR scenario.
• SAP HR driver can only work with HR Master Data records and methods
• PeopleSoft driver utilizes an HR-derived staging table interface by default.
Primary data object is an Employee in the HR system, a User in the Identity Vault
• Personal Data
• Organizational Assignment and Hierarchy Data
• Communication Data

What data is shared? Publisher Channel
• homePhone, mobile, pager, workforceID, employeeStatus, Full Name, Given Name, Initials, mailstop, Surname, Telephone Number, Postal Code, S, Physical Delivery Office Name, SA, isManager, managerWorkforceID, OU, Title, manager, directReports, CN, Group Membership, Password Data

What data is shared? Subscriber Channel
• CN *, Description *, Distinguished Name *, Telephone Number, homePhone, mobile, pager, Internet EMail Address, workforceID (notify only)
* PeopleSoft only

Default Publisher Policies
Object Matching
• Match object with same class and 'workforceID'.
Object Naming
• First Initial + Surname, no suffix, all capitalized (i.e. John Adams = JADAMS)
• Duplicates sequentially numbered (JADAMS2)
Object Placement
• Active Employees in specified 'Active' container.
• Inactive Employees in specified 'Inactive' container.
• 'employeeStatus' set to 'A' or 'I' respectively.

Default Publisher Policies
Password
• Set to value of 'Surname' attribute
Hierarchy
• All managers identified by 'isManager' set to '1'.
• Managers have DN of subordinates in 'directReports' attribute.
• Employees have DN of manager in 'manager' attribute.
• Employees have workforceID of manager in 'managerWorkforceID' attribute.
Organizational Data
• OU (Department) attribute must contain text name
• Title attribute must contain text name

Maintaining Manager-Employee Object Relationships (diagram)
• Jack: directReports = Maria
• Maria: manager = Jack; directReports = John
• John: manager = Maria
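The matching, naming, placement and hierarchy policies on the two "Default Publisher Policies" slides and the Jack/Maria/John diagram, as an added Python model (this is not Novell's driver code, and DirXML policies are really XML/XSLT objects in the Identity Vault). The attribute names are the slides' own; the `IdentityVault` and `VaultUser` classes, the container DNs and the HR records are constructed for the example:

```python
"""Added example (not Novell's driver code): an in-memory model of the default
Publisher policies on the slides above. Attribute names are the slide's own;
the container DNs, the VaultUser class and all HR records are constructed."""
from dataclasses import dataclass, field


@dataclass
class VaultUser:
    cn: str
    workforce_id: str
    container: str
    attrs: dict = field(default_factory=dict)


class IdentityVault:
    """Minimal stand-in for the Identity Vault; maps DN -> VaultUser."""

    def __init__(self, active="ou=Active,o=Corp", inactive="ou=Inactive,o=Corp"):
        self.users = {}
        self.active = active        # assumed 'Active' container
        self.inactive = inactive    # assumed 'Inactive' container

    @staticmethod
    def dn(user):
        return f"cn={user.cn},{user.container}"

    def match(self, workforce_id):
        """Object Matching: same class (User) and same workforceID."""
        for dn, user in self.users.items():
            if user.workforce_id == workforce_id:
                return dn
        return None

    def unique_cn(self, given, surname):
        """Object Naming: first initial + surname, all capitals, duplicates numbered."""
        base = (given[:1] + surname).upper()
        taken = {u.cn for u in self.users.values()}
        cn, n = base, 1
        while cn in taken:
            n += 1
            cn = f"{base}{n}"
        return cn

    def container_for(self, status):
        """Object Placement: employeeStatus 'A' -> Active container, 'I' -> Inactive."""
        return self.active if status == "A" else self.inactive

    def publish(self, rec):
        """Apply matching, naming and placement for one HR record, then copy attributes."""
        dn = self.match(rec["workforceID"])
        if dn is None:
            cn = self.unique_cn(rec["Given Name"], rec["Surname"])
            user = VaultUser(cn, rec["workforceID"], self.container_for(rec["employeeStatus"]))
            dn = self.dn(user)
            self.users[dn] = user
        else:
            user = self.users[dn]
            new_container = self.container_for(rec["employeeStatus"])
            if user.container != new_container:      # status change: move the object
                del self.users[dn]
                user.container = new_container
                dn = self.dn(user)
                self.users[dn] = user
        user.attrs.update(rec)
        return dn

    def maintain_hierarchy(self):
        """Hierarchy policy: 'manager' holds the manager's DN and 'directReports'
        the subordinates' DNs, both derived from managerWorkforceID by vault queries."""
        by_wfid = {u.workforce_id: dn for dn, u in self.users.items()}
        for user in self.users.values():
            user.attrs["directReports"] = []
        for dn, user in self.users.items():
            mgr_dn = by_wfid.get(user.attrs.get("managerWorkforceID", ""))
            user.attrs["manager"] = mgr_dn
            if mgr_dn is not None:
                self.users[mgr_dn].attrs["directReports"].append(dn)


# Constructed HR records: Jack manages Maria, Maria manages John (the slide's
# example); Jane shares John's initial+surname and is inactive.
HR_RECORDS = [
    {"workforceID": "1001", "Given Name": "Jack", "Surname": "Adams",
     "employeeStatus": "A", "isManager": "1", "managerWorkforceID": ""},
    {"workforceID": "1002", "Given Name": "Maria", "Surname": "Lopez",
     "employeeStatus": "A", "isManager": "1", "managerWorkforceID": "1001"},
    {"workforceID": "1003", "Given Name": "John", "Surname": "Adams",
     "employeeStatus": "A", "isManager": "0", "managerWorkforceID": "1002"},
    {"workforceID": "1004", "Given Name": "Jane", "Surname": "Adams",
     "employeeStatus": "I", "isManager": "0", "managerWorkforceID": "1002"},
]


def run_publisher(records, vault=None):
    """Publish every record, then rebuild the manager/directReports links."""
    vault = vault or IdentityVault()
    for rec in records:
        vault.publish(rec)
    vault.maintain_hierarchy()
    return vault


if __name__ == "__main__":
    vault = run_publisher(HR_RECORDS)
    for dn, user in vault.users.items():
        print(dn, "manager:", user.attrs["manager"], "directReports:", user.attrs["directReports"])
```

Running it yields JADAMS, MLOPEZ, JADAMS2 and JADAMS3 (the last in the Inactive container), with Maria's `manager` pointing at Jack and her `directReports` listing John and Jane. The Password policy on the same slide (initial password = Surname) is deliberately left out of the model: an initial credential equal to a published directory attribute is normally replaced with a generated value before go-live.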

Default Subscriber Policies
Object Matching
• Match object with same class and 'workforceID'.

DirXML Driver for PeopleSoft
• Driver Design Philosophy
• Overview
• Publisher Channel
• Subscriber Channel
• Remote Loader Configuration
• Driver Configuration

Driver Design Philosophy: DirXML Driver for PeopleSoft
• Must work with last 3 supported PeopleTools versions.
• Must be certified by PeopleSoft.
• Must require no modification of existing business applications.
• Must utilize standard PeopleSoft integration technology.
• Must guarantee that all PeopleSoft events are processed.
• Must process all events in chronological order.
• Must satisfy the customer!

Driver Design Accomplishments: DirXML Driver for PeopleSoft
Must work with last 3 supported PeopleTools versions.
• Drivers work with PeopleTools versions 7.5, 8.1, and 8.4.
Must be certified by PeopleSoft.
• Certification received in September 2003.
Must require no modification of existing business applications.
• No extensions or server upgrades required.

Driver Design Accomplishments: DirXML Driver for PeopleSoft
Must utilize standard PeopleSoft integration technology.
• Message Agent for PeopleTools 7.5 and 8.1
• Component Interface for PeopleTools 8.1 and 8.4
Must guarantee that all PeopleSoft events are processed.
• Transaction file processing allows the driver to determine which events to process and to report the status of processing.

Driver Design Accomplishments: DirXML Driver for PeopleSoft
Must process all events in chronological order.
• Transaction processing in PSA components provides the proper effective date of transactions. The driver processes events on the effective date.

Driver Design Accomplishments: DirXML Driver for PeopleSoft
Must satisfy the customer!
• All customers have unique requirements.
• The driver can handle most issues via configuration and policies.
• The driver functionality is periodically updated with new version and TID releases based 100% on real customer feedback.

Overview: DirXML Driver for PeopleSoft
The DirXML Driver for PeopleSoft utilizes technology delivered by PeopleSoft.
• Message Agent technology used for the 3.6x driver.
• Component Interface (CI) technology used for the 4.x driver.
• Both drivers are delivered with a PeopleSoft Service Agent (PSA). This contains pre-defined PeopleSoft components and a sample application for simple, non-integrated deployment on the PeopleSoft server.
• Driver is a PeopleTools driver, not an application driver. Can be used to integrate any desired data.
• PSA contains a Transaction interface to facilitate the reporting of application events to the driver.

Overview (continued)
• Drivers must have connectivity to the PeopleSoft server in order to function.
• Driver acts as an administrative client.
• Synchronous interface used for both Publisher and Subscriber channels.
• Drivers are 'application-neutral', but do not support 'Add' or 'Delete' operations on the Subscriber channel.
• Driver supports Application server connectivity failover.
• Transaction model allows multiple drivers to process events.

Publisher Channel: Publishing PeopleSoft Data to Other Applications (architecture diagram)
• PeopleSoft Host: PeopleSoft Modules (HR, FIN, SCM, SA, EPM, CRM, etc.), Transactions, PeopleTools Application Server, PeopleSoft Client, DirXML Remote Loader Service, DirXML Driver for PeopleSoft
• Identity Manager Host: DirXML Engine, DirXML Remote Loader Shim, Identity Vault, Driver object containing business policies and connection parameters
• Application Hosts: DirXML Remote Loader Service with DirXML Driver for Exchange and DirXML Driver for Application N
Callouts:
• Data changes from PeopleSoft application modules are logged
• Driver requests transactions; configured to poll on specified intervals for data changes
• Driver receives data through the PeopleSoft Message Agent or CI and transforms the relevant information into an XML document
• XML Doc sent over an SSL connection to the DirXML Engine
• DirXML Engine processes data according to business policies
• DirXML Engine adds or updates the data into Identity Vault
• The driver updates and retrieves data in the application

Publisher Channel Functionality
• To simplify implementation, a synchronous PeopleSoft Interface is utilized.
• Access to event information from PeopleSoft is via a Transaction CI (DIRXML_TRANS).
• PeopleSoft code (PeopleCode) in the PSA is used to organize transactions into processing date order. Future-dated events are not processed until the date is current or past.
• Driver polls the Transaction CI for records indicating "Available" transactions involving Add, Modify, or Disable/Delete of data records.
• Transaction record contains the key of the data record affected by the transaction.

Publisher Channel Functionality (continued)
• Transaction state set to "In Process". Key to data record and transaction ID is stored.
• Access to PeopleSoft data records is via a Data Component Interface (CI) (DIRXML_SCHEMA).
• Since the CI is not class specific, the Data CI name is used as the class name for schema mapping.
• Driver supports multiple Data CIs to facilitate handling transactions for multiple object types.

Publisher Channel Functionality (continued)
• Driver reads current data values of the data record and Publishes the event.
• Event is processed by the engine; status is returned to the driver.
• Transaction CI is utilized to update the status in the transaction record.
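The poll cycle described across the three "Publisher Channel Functionality" slides, as an added Python model (not the driver's own code). The Transaction CI, the Data CI and the engine are simulated in memory; the slides name only the "Available" and "In Process" states, so the final states "Processed" and "Error", the `Transaction` fields and the sample records are assumptions made for the example:

```python
"""Added example (not the PeopleSoft driver's own code): one Publisher poll
against a simulated Transaction CI. Status names "Processed" and "Error" are
assumed; the slides name only "Available" and "In Process"."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Transaction:
    trans_id: int
    key: str           # primary key of the data record the transaction affects
    operation: str     # "Add", "Modify" or "Delete"
    effective: date    # processing date set by PeopleCode in the PSA
    status: str = "Available"


class TransactionCI:
    """Simulated DIRXML_TRANS component interface."""

    def __init__(self, records):
        self.records = list(records)

    def available(self, today):
        """Available transactions whose effective date is current or past,
        in chronological order (ties broken by transaction ID)."""
        ready = [t for t in self.records
                 if t.status == "Available" and t.effective <= today]
        return sorted(ready, key=lambda t: (t.effective, t.trans_id))

    def set_status(self, trans_id, status):
        for t in self.records:
            if t.trans_id == trans_id:
                t.status = status


def poll_once(trans_ci, data_ci, engine, today):
    """One poll: claim each ready transaction, read the record's current values
    through the Data CI, publish the event, and write the engine's status back."""
    outcome = []
    for t in trans_ci.available(today):
        trans_ci.set_status(t.trans_id, "In Process")   # key + transaction ID now held
        record = data_ci.get(t.key)                     # Data CI read of current values
        if record is None and t.operation != "Delete":
            trans_ci.set_status(t.trans_id, "Error")    # record vanished: report, don't publish
            outcome.append((t.trans_id, "Error"))
            continue
        event = {"operation": t.operation, "key": t.key, "attrs": record or {}}
        status = "Processed" if engine(event) == "success" else "Error"
        trans_ci.set_status(t.trans_id, status)
        outcome.append((t.trans_id, status))
    return outcome


def accepting_engine(event):
    """Stand-in for the DirXML engine: accepts every event."""
    return "success"


# Constructed sample data: DIRXML_SCHEMA-style records and four transactions,
# one of them future-dated and one pointing at a record that no longer exists.
SAMPLE_DATA_CI = {
    "1001": {"LastName": "Adams", "Status": "A"},
    "1002": {"LastName": "Lopez", "Status": "A"},
}


def sample_transactions():
    return [
        Transaction(2, "1001", "Modify", date(2004, 3, 1)),
        Transaction(1, "1002", "Add", date(2004, 2, 15)),
        Transaction(3, "1001", "Modify", date(2004, 4, 1)),    # future-dated
        Transaction(4, "9999", "Modify", date(2004, 3, 5)),    # record missing
    ]


def run_sample(today=date(2004, 3, 9)):
    """Poll once on `today`; return the outcome list and every transaction's final state."""
    ci = TransactionCI(sample_transactions())
    outcome = poll_once(ci, SAMPLE_DATA_CI, accepting_engine, today)
    return outcome, {t.trans_id: t.status for t in ci.records}


if __name__ == "__main__":
    print(run_sample())
```

On 9 March 2004 the poll processes transactions 1 and 2 in effective-date order, flags transaction 4 because its record cannot be read, and leaves the future-dated transaction 3 "Available" until its date arrives.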

Subscriber Channel: Subscribing Application Data to PeopleSoft (architecture diagram)
• Identity Manager Host: Identity Vault, DirXML Engine, DirXML Remote Loader Shim, Driver object containing business policies and connection parameters
• PeopleSoft Host: DirXML Remote Loader Service, DirXML Driver for PeopleSoft, PeopleSoft Client, PeopleTools Application Server, PeopleSoft Message Agent Interface, PeopleSoft Modules (HR, FIN, SCM, SA, EPM, CRM, etc.), Transactions
• XML documents travel over an SSL connection between the DirXML Engine and the Remote Loader
• Data from other applications enters through Identity Manager; the PeopleSoft driver subscribes to that data

DirXML Driver for PeopleSoft: Subscriber Channel Overview
• Driver uses the Data CI to access records for Query or Modify events.
• All other events return a "warning" status to indicate they are not supported.
• A record "Find" operation precedes data object "Get" access to avoid database errors.
• For Modify events the driver updates a data staging table. PeopleCode transfers modifications to the appropriate application tables.

DirXML Driver for PeopleSoft: Driver Deployment Notes
• By using a "Find" operation to avoid database errors, the driver becomes reliant on primary keys that are unique over their length. If possible, do not use keys that are subsets of other keys (i.e. "AB", "ABCDE"). The "Find" operation will return a non-unique key warning while searching for "AB".
• Do not remove or modify any fields of the Transaction CI. The driver depends on them. It is OK to add fields.
• For Modify events the driver updates a data staging table. PeopleCode transfers modifications to the appropriate application tables.

Driver Configuration: DirXML Driver for PeopleSoft

Driver Configuration Parameters: Connection Parameters
Authentication ID
• The name of the PeopleSoft administrative user that will be used for all read and write operations to the PeopleSoft Application server.
Authentication Context
• The DNS name or IP address and JOLT port of the target PeopleSoft Application server host system. Must be preceded with '//' and contain a ':' delimiter. Multiple entries are allowed for connectivity failover and must be separated with ';' (i.e. //psofthost:9000;//backuphost:9000)
Application Password
• Password of the administrative user.

Driver Configuration Parameters: Driver Implementation Parameters
PeopleSoft Client Library
• Path to the PeopleSoft client library file 'psapiadapter.dll'.
Schema CI Name
• The name of the PeopleSoft Component Interface used to read and write PeopleSoft data records (default: DIRXML_SCHEMA01).
Data Record ID Field
• The name of the PeopleSoft application data record primary key field (default: DIRXML_ASSOC_ID)

Driver Configuration Parameters: Publisher Implementation Parameters
Transaction CI Name
• The name of the Component Interface that is used to read and update PeopleSoft transaction records (default: DIRXML_TRANS01)
Driver Subset Identifier
• This field is a string used to match the driver to the transaction records it will process.
Queue Poll Interval (seconds)
• The time in seconds that the driver waits between requests for available transactions from the Transaction CI.
Schema Data Processing Mode (0/1)
• Data record retrieval methodology utilized by the driver
• 0: "Find" used to warn of duplicate keys, followed by "Get"
• 1: "Find" used to generate an error for duplicate keys, followed by "Get" only if 1 instance is found
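Two of the PeopleSoft driver parameters above have behaviour worth checking before go-live: the Authentication Context failover list, and the Schema Data Processing Mode together with the "Find" deployment note about keys that are prefixes of other keys. The following added Python model (not the driver's code) validates the context string and replays both processing modes against a constructed staging table; the assumption that a Component Interface "Find" matches on key prefix is taken from the note that searching for "AB" also returns "ABCDE", and the function and exception names are the example's own:

```python
"""Added example (not the PeopleSoft driver's own code): Authentication Context
parsing and the two Schema Data Processing Modes over a simulated Data CI."""


class NonUniqueKeyError(Exception):
    """Raised in processing mode 1 when Find returns more than one record."""


def parse_authentication_context(value):
    """Split '//host:port;//host2:port' into an ordered list of (host, port).

    Each entry must start with '//' and carry a ':' delimiter, as the parameter
    description requires; entries are tried in order for connectivity failover."""
    targets = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry.startswith("//") or ":" not in entry:
            raise ValueError(f"bad Authentication Context entry: {entry!r}")
        host, port = entry[2:].split(":", 1)
        targets.append((host.strip(), int(port)))
    return targets


def ci_find(table, key):
    """Simulated Data CI 'Find': returns every primary key that begins with `key`
    (assumed prefix semantics, per the deployment note)."""
    return [k for k in table if k.startswith(key)]


def read_data_record(table, key, mode, warnings):
    """Retrieve one data record the way the configured processing mode dictates.

    Returns the record, or None when Find found nothing (so the 'Get' that would
    raise a database error is never issued). Warnings are appended to the
    caller's list so a poll cycle can report them together."""
    if mode not in (0, 1):
        raise ValueError("Schema Data Processing Mode must be 0 or 1")
    matches = ci_find(table, key)
    if not matches:
        return None
    if len(matches) > 1:
        if mode == 1:                                  # mode 1: duplicate keys are an error
            raise NonUniqueKeyError(f"{key!r} matched {sorted(matches)}")
        warnings.append(f"non-unique key warning for {key!r}: {sorted(matches)}")
    # 'Get' on the exact key; in mode 1 this is reached only with one instance found
    return table.get(key)


# Constructed staging-table contents keyed by DIRXML_ASSOC_ID-style primary keys.
# "AB" is a prefix of "ABCDE", the situation the deployment note warns about.
SAMPLE_TABLE = {
    "AB":    {"LastName": "Adams", "FirstName": "John", "Status": "A"},
    "ABCDE": {"LastName": "Baker", "FirstName": "Ann", "Status": "A"},
    "XY":    {"LastName": "Young", "FirstName": "Xavier", "Status": "I"},
}


if __name__ == "__main__":
    print(parse_authentication_context("//psofthost:9000;//backuphost:9000"))
    warns = []
    print(read_data_record(SAMPLE_TABLE, "AB", 0, warns), warns)
    try:
        read_data_record(SAMPLE_TABLE, "AB", 1, warns)
    except NonUniqueKeyError as err:
        print("mode 1 refused:", err)
```

In mode 0 the lookup for "AB" still returns John Adams's record but leaves a warning behind; in mode 1 the same lookup is refused outright, which is the safer setting when the key space cannot be cleaned up, because a silent prefix collision would otherwise let one employee's transaction be processed against another's data.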

Implementing Default Policy: Exporting Master Data from PeopleSoft
• The driver implementation guarantees that all current attributes of an object are obtained during processing of any transaction on that object.
• The PeopleSoft component and the PeopleCode that implements it are responsible for reporting all data of interest for the object being processed AND for related objects.
• The sample application includes: User's Department name and ID; User's Manager's ID; Flag indicating if User is a manager; User's Employee status; User's Title

Implementing Default Policy
• The driver Policies perform the task of maintaining referential relationships between 'Manager' and 'Employee' objects.
• Only Identity Vault queries are required
• Relationships maintained using 'manager' and 'directReports' attributes on related User objects.

DirXML Driver for PeopleSoft: Default HR Mapping Rule

Identity Vault Attr Name         DIRXML_SCHEMA01 Attr Name
CN                               CommonName
Description                      Description
Full Name                        FullName
Given Name                       FirstName
Initials                         MiddleName
Internet EMail Address           Email
OU                               DeptLongDescr
Physical Delivery Office Name    City
Postal Code                      Postal
S                                State
SA                               Address1
Surname                          LastName
Title                            TitleLongDescr
employeeStatus                   Status
isManager                        Manager
mailstop                         MailDrop
managerWorkforceID               ManagerID
workforceID                      AssocID

DirXML Driver for PeopleSoft: Remote Loader Usage
Why use the Remote Loader?
• PeopleTools client must run on Win32
• Identity Vault and PeopleSoft may not be on a Win32 platform
PeopleSoft with Remote Loader requirements
• Host platform supporting JDK/JRE 1.4 or higher
• PeopleTools client installed on host platform
Remote Loader features
• SSL connection security
• Bi-directional password handshake

DirXML Driver for SAP HR
• Driver Design Philosophy
• Overview
• Publisher Channel
• Subscriber Channel
• Remote Loader Configuration
• Driver Configuration

Driver Design Philosophy: DirXML Driver for SAP HR
• Must work with R/3 version 4.5b and later.
• Must be certified by SAP Labs.
• Must require no new SAP server extensions or upgrade.
• Must utilize standard SAP integration technology.
• Must run on standard SAP host platforms.
• Must guarantee that all SAP events are processed.
• Must process all events in chronological order.
• Must process future-dated events.
• Must satisfy the customer!

Driver Design Accomplishments: DirXML Driver for SAP HR
Must work with R/3 version 4.5b and later.
• Driver works with SAP R/3 versions 4.5b, 4.6A, 4.6C, and Web AS 6.1 and 6.2.
Must be certified by SAP Labs.
• Certification received in September 2001.
Must require no new SAP server extensions or upgrade.
• No extensions or server upgrades required.

Driver Design Accomplishments: DirXML Driver for SAP HR
Must utilize standard SAP integration technology.
• Java Connector (JCO)
• Application Link Enabling (ALE)
• Intermediate Documents (IDoc file format)
• Business Object API (BAPI)
Must run on standard SAP host platforms.
• Pure Java implementation runs anywhere a JVM and, if desired, JCO can reside.
• Linux, Win32, AIX, Solaris, HP-UX, etc.

Driver Design Accomplishments: DirXML Driver for SAP HR
Must guarantee that all SAP events are processed.
• Using the IDoc file format guarantees persistent event delivery regardless of driver status.
Must process all events in chronological order.
• IDoc sorting by the driver ensures proper event order processing.
Must process future-dated events.
• Driver has 4 modes for handling future-dated events based on various customer requirements.

Driver Design Accomplishments: DirXML Driver for SAP HR
Must satisfy the customer!
• All customers have unique requirements.
• The driver can handle most issues via configuration and policies.
• The driver functionality is periodically updated with new version and TID releases based 100% on real customer feedback.

Overview: DirXML Driver for SAP HR
The DirXML Driver for SAP HR utilizes technology delivered by SAP; the SAP server is configured, not customized.
• Intermediate Document (IDoc) files are created by the SAP server and retrieved by the Driver for processing.
• SAP Java Connector (JCO) is used for synchronous connectivity to the SAP server.
• Application Link Enabling (ALE) is configured to support the Publisher channel.
• Business Object API (BAPI) is used to Query for data in the SAP server.

Overview (continued)
• BAPI technology is used to subscribe data into SAP.
• The Driver must connect to the SAP database on the Subscriber channel. It can utilize a connection on the Publisher channel.
• It generally connects as a "Communication" or "CPIC" user.
• Additional security between SAP and eDirectory servers is available via the DirXML Remote Loader.

Publisher Channel: Publishing SAP Data to Other Applications (architecture diagram)
• SAP Host: SAP R/3 HR, Application Link Enabling (ALE), HRMD-A IDocs written to the host file system (C: IDOCS_400_n in the diagram), DirXML Remote Loader Service, DirXML Driver for SAP/HR
• Identity Manager Host: DirXML Engine, DirXML Remote Loader Shim, Identity Vault, Driver object containing business rules and connection parameters
• Application Hosts: DirXML Remote Loader Service with DirXML Driver for Exchange and DirXML Driver for Application N
Callouts:
• Data changes from SAP HR application modules are logged
• IDoc posted to the host file system with client number references
• Driver configured to poll the IDocs directory on intervals for docs pertaining to a specific client number
• Driver Shim filters relevant data into XML format
• XML Doc sent over an SSL connection to the DirXML Engine
• DirXML Engine processes data according to business rules
• DirXML Engine adds or updates the data into Identity Vault
• The driver updates data in the application

What Is Application Link Enabling (ALE)?
• Application Link Enabling (ALE) technology enables communication between SAP and external systems such as eDirectory.
• ALE ensures integration in a distributed environment.
• The IDoc acts as the data container.

What is an IDoc?
• "IDoc" stands for Intermediate Document
• An IDoc is a data container used to exchange data between any two processes that can understand the data.
• IDocs are stored in the file system of the SAP system host.
• Every IDoc has a unique, incremental number; the number is unique within a client

What is an IDoc? (cont)
• IDocs are created as a result of execution of an ALE process.
• IDocs are independent of the direction of data exchange. However, the Driver uses only the outbound process.
• IDocs can be viewed with a text editor.

IDoc Processing
• Only outbound IDocs for the configured client number are consumed
• Optional handling of "future-dated" IDoc Infotypes via configuration parameters
• Information for multiple objects is handled as separate DirXML events.
• Status of each event reflected by IDoc output file name extensions: .proc, .warn, .futr, .futp, .done, .bad

Subscriber Channel: Subscribing Application Data to SAP HR (architecture diagram)
• Identity Manager Host: Identity Vault, DirXML Engine, DirXML Remote Loader Shim, Driver object containing business policies and connection parameters
• SAP Host: DirXML Remote Loader Service, DirXML Driver for SAP/HR, BAPI/JCO, SAP R/3 HR, Application Link Enabling (ALE)
Callouts:
• Data from other applications enters through eDirectory; the SAP driver subscribes to that data
• DirXML Engine adds or updates the data into Identity Vault
• XML Doc sent over an SSL connection to the driver
• The Driver Shim translates the XML Doc into BAPI, the SAP native API, and adds or updates the data in SAP/HR

DirXML Driver for SAP HR: Subscriber Channel Overview
• Driver resembles an SAP client
• Standard SAP programming interface
• Utilizes SAP BAPIs for the HR application (limited Infotype support):
• Personal Information Infotype (0002)
• Private Address Information Infotype (0006)
• Communication Infotype (0105)

DirXML Driver for SAP HR: Subscriber Channel Overview
• The only configuration required within SAP for the subscription channel is setting up a 'Communication' (CPIC) user
• The driver will log on to SAP as a communication user.
• The driver can NOT create or delete employee records!

DirXML Driver for SAP HR: Driver Deployment Notes
• Why does the driver use the IDoc "File" port instead of the "TRFC" port?
• Why does the Publisher channel generate only events?
• Do I need to have connectivity with the SAP system to use the driver?
• If I use 'Publisher only' mode, why does the driver try to read data from my SAP system?
• Can I prevent read operations in 'Publisher only' mode?
• Why can't the driver read IDocs from a mapped drive?

Driver Configuration: DirXML Driver for SAP HR

Driver Configuration Parameters: Connection Parameters
Authentication ID
• The name of the SAP non-dialog (CPIC) user that will be used for all read and write operations to the SAP HR host system.
Authentication Context
• The DNS name or IP address of the target SAP HR host system
Application Password
• Password of the CPIC user.
SAP System Number
• The two-digit system number of the SAP server
SAP User Client Number
• The three-digit number of the SAP client containing the data to be synchronized.
SAP User Language
• The two-character language abbreviation that the client uses.

Driver Configuration Parameters: Implementation Parameters

Character Set Encoding: The name of the encoding the driver will use for translating IDoc text data to Java Unicode strings.
Metadata File Directory: The name of the file system directory from which the driver will read the specified SAP Master HR IDoc definition file.
Master HR IDoc (Optional): The name of the IDoc message type that will be generated by the SAP ALE system when publishing SAP HR database modifications or Master records.
Address Subtype Code (Optional): An enumerated configuration parameter that allows an administrator to specify which subtypes of the Private Address infotype the driver will synchronize.
Communication Subtype Code (Optional): An enumerated configuration parameter that allows an administrator to specify which subtypes of the Communication infotype the driver will synchronize.
Poll Interval (seconds): How often the driver will poll for unprocessed IDocs.
Publisher IDoc Directory: The file system directory from which the Publisher will read IDocs published by the SAP ALE system.
Publisher Channel Only?: Whether the driver will only perform Publisher channel operations. No SAP connection is required in this mode, but one will be used if available.
Future-date Event Handling Option: Determines how future-dated infotype information is to be handled. Four modes are supported:
  0 - All events sent immediately
  1 - Future events held until future date
  2 - Future events sent immediately and on future date
  3 - Future events sent immediately and daily until future date is reached
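The four values of the Future-date Event Handling Option are easy to confuse, so the following added example (not code from the driver or from Novell) simulates what each mode forwards to the Identity Vault when a record arrives before its effective date. It assumes one poll per day and treats the effective date itself as "reached" for mode 3; the function names are this example's own.

```python
from datetime import date, timedelta
from typing import List

# Values of the 'Future-date Event Handling Option' parameter as listed on the slide.
ALL_IMMEDIATE = 0          # 0 - All events sent immediately
HOLD_UNTIL_DATE = 1        # 1 - Future events held until future date
IMMEDIATE_AND_ON_DATE = 2  # 2 - Future events sent immediately and on future date
IMMEDIATE_AND_DAILY = 3    # 3 - Future events sent immediately and daily until future date is reached


def should_send(mode: int, received: date, effective: date, today: date) -> bool:
    """Decide whether an infotype record received on `received` and effective on
    `effective` is forwarded on the daily poll of `today` (assumption: one poll per day)."""
    if mode not in (ALL_IMMEDIATE, HOLD_UNTIL_DATE, IMMEDIATE_AND_ON_DATE, IMMEDIATE_AND_DAILY):
        raise ValueError(f"unknown future-date handling mode: {mode}")
    if effective <= received:
        # Not future-dated at all: every mode forwards it on the poll that received it.
        return today == received
    if mode == ALL_IMMEDIATE:
        return today == received
    if mode == HOLD_UNTIL_DATE:
        return today == effective
    if mode == IMMEDIATE_AND_ON_DATE:
        return today in (received, effective)
    # IMMEDIATE_AND_DAILY: every day from receipt up to and including the effective date (assumption).
    return received <= today <= effective


def simulate(mode: int, received_iso: str, effective_iso: str) -> List[str]:
    """Run daily polls from the receive date through the effective date and return the
    ISO dates on which the record would be forwarded."""
    received, effective = date.fromisoformat(received_iso), date.fromisoformat(effective_iso)
    last = max(received, effective)
    forwarded = []
    for n in range((last - received).days + 1):
        today = received + timedelta(days=n)
        if should_send(mode, received, effective, today):
            forwarded.append(today.isoformat())
    return forwarded


if __name__ == "__main__":
    # Constructed sample: an address change received 1 March 2004 that takes effect 5 March 2004.
    for mode in (ALL_IMMEDIATE, HOLD_UNTIL_DATE, IMMEDIATE_AND_ON_DATE, IMMEDIATE_AND_DAILY):
        print(mode, simulate(mode, "2004-03-01", "2004-03-05"))
```

Mode 3 is the one that matters for downstream systems that are not idempotent: the same change is delivered once per day until the effective date, so Subscriber-side policies must tolerate repeats.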

What data is shared? Publisher Channel

• homePhone
• mobile
• pager
• workforceID
• employeeStatus
• Full Name
• Given Name
• Initials
• mailstop
• Surname
• Telephone Number
• Postal Code
• Physical Delivery Office Name
• isManager
• managerWorkforceID
• OU
• Title
• manager
• directReports
• CN
• Group Membership
• Password Data

Implementing Default Policy: Exporting Master Data from SAP

It is not possible to remotely Query for information on non-Person objects in SAP. To enhance the capabilities of the driver it is recommended that Position, Organization, and other desired HR object data be exported to eDirectory. This is done primarily to obtain the names of Organizational objects and to maintain Object Relationships between objects. Some organizations may also choose to utilize the structure of the data export for creating their eDirectory tree structure.

Exporting Master Data from SAP

To export data from SAP, the instructions for generating an IDoc should be followed.
Object Types:
• Maps to 'User'
• Maps to 'Organizational Role'
• Maps to 'CommExec'
• Maps to 'Organizational Unit'

Exporting Master Data from SAP: Maintaining Object Relationships

The driver supports a 'RELATIONSHIPS' Query to allow Policies to request details of various inter-object relationships during IDoc processing.
• Used to determine the hierarchy of SAP 'Position' objects and reflect the relationships on the Identity Vault objects.
  – Utilizes 'manager' and 'directReports' schema extensions on 'Organizational Role' objects.
• Can be used to determine the hierarchy of SAP 'Organization' objects to mirror organizational structure in eDirectory.

Exporting Master Data from SAP: Maintaining Object Relationships

Position ('S') object '50000010' (Manager) processed.
• Has a top-down relationship with Position '50000020' (Clerk)
• Identity Vault object 'Manager-S50000010' created.
Position ('S') object '50000020' (Clerk) processed.
• Has a bottom-up relationship with Position '50000010' (Manager)
• Identity Vault object 'Clerk-S50000020' created.
• 'manager' attribute of 'Clerk-S50000020' set to 'Manager-S50000010'
• 'directReports' attribute of 'Manager-S50000010' set to include 'Clerk-S50000020'.

Exporting Master Data from SAP: Maintaining Object Relationships

Person ('P') object '50000001' (JADAMS) processed.
• Has a 'holds' relationship with Position '50000010' (Manager)
• Identity Vault object 'JADAMS' created.
• 'Title' attribute of 'JADAMS' set to 'Manager-S50000010'
• 'isManager' attribute of 'JADAMS' set to '1'
• 'Role Occupant' attribute of Identity Vault object 'Manager-S50000010' set to 'JADAMS'

Exporting Master Data from SAP: Maintaining Object Relationships

Person ('P') object '50000002' (SSMITH) processed.
• Has a 'holds' relationship with Position '50000020' (Clerk)
• Identity Vault object 'SSMITH' created.
• 'Title' attribute of 'SSMITH' set to 'Clerk-S50000020'
• 'manager' attribute of 'SSMITH' set to 'JADAMS'
• 'Role Occupant' attribute of Identity Vault object 'Clerk-S50000020' set to 'JADAMS'
• 'directReports' attribute of 'JADAMS' set to include 'SSMITH'.
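The three relationship slides above walk through one Manager/Clerk pair by hand. The following added example (written for this page, not driver or Novell code) implements the same derivation generally: it takes constructed Position and Person records plus 'top-down', 'bottom-up' and 'holds' relationship records, and produces the Identity Vault attributes the slides describe ('manager' and 'directReports' on Organizational Roles, 'Title', 'isManager', 'manager', 'directReports' on Users, and 'Role Occupant' from the 'holds' link). The relationship tuple layout, the rule that a holder of a Position with subordinates gets isManager '1', and deriving the Person-level links only after every holder is known (so IDoc arrival order does not matter) are this example's assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample objects (type, SAP object id, name); ids mirror the slides, the data is not from a real system.
OBJECTS: List[Tuple[str, str, str]] = [
    ("S", "50000010", "Manager"),
    ("S", "50000020", "Clerk"),
    ("P", "50000001", "JADAMS"),
    ("P", "50000002", "SSMITH"),
]

# Constructed relationship records: (from type, from id, kind, to type, to id).
# 'top-down' and 'bottom-up' describe the same Position link seen from either end; 'holds' links a Person to a Position.
RELATIONSHIPS: List[Tuple[str, str, str, str, str]] = [
    ("S", "50000010", "top-down", "S", "50000020"),
    ("S", "50000020", "bottom-up", "S", "50000010"),
    ("P", "50000001", "holds", "S", "50000010"),
    ("P", "50000002", "holds", "S", "50000020"),
]


def vault_name(obj_type: str, obj_id: str, name: str) -> str:
    """Naming used on the slides: a Position becomes '<name>-S<id>', a Person keeps its name."""
    return f"{name}-S{obj_id}" if obj_type == "S" else name


def build_vault(objects, relationships) -> Dict[str, dict]:
    names = {(t, i): vault_name(t, i, n) for t, i, n in objects}
    vault: Dict[str, dict] = {}
    for t, i, n in objects:
        if t == "S":    # Organizational Role with the 'manager' / 'directReports' schema extensions
            vault[names[(t, i)]] = {"manager": None, "directReports": [], "Role Occupant": None}
        elif t == "P":  # User
            vault[names[(t, i)]] = {"Title": None, "isManager": "0", "manager": None, "directReports": []}

    # Pass 1: Position hierarchy. Both directions normalise to (superior, subordinate);
    # the subordinate is listed once even when the link is reported from both ends.
    for ft, fi, kind, tt, ti in relationships:
        if ft != "S" or tt != "S":
            continue
        if kind == "top-down":
            superior, subordinate = names[(ft, fi)], names[(tt, ti)]
        elif kind == "bottom-up":
            superior, subordinate = names[(tt, ti)], names[(ft, fi)]
        else:
            continue
        vault[subordinate]["manager"] = superior
        if subordinate not in vault[superior]["directReports"]:
            vault[superior]["directReports"].append(subordinate)

    # Pass 2: 'holds' sets Title on the Person and Role Occupant on the Position.
    occupant: Dict[str, str] = {}
    for ft, fi, kind, tt, ti in relationships:
        if kind == "holds" and ft == "P" and tt == "S":
            person, position = names[(ft, fi)], names[(tt, ti)]
            vault[person]["Title"] = position
            vault[position]["Role Occupant"] = person
            occupant[position] = person

    # Pass 3: derive Person-level attributes from the Position hierarchy once every holder
    # is known, so the outcome does not depend on the order in which IDocs were processed.
    for position, person in occupant.items():
        if vault[position]["directReports"]:
            vault[person]["isManager"] = "1"  # assumption: holding a Position with subordinates makes you a manager
        manager_person = occupant.get(vault[position]["manager"])
        if manager_person is not None:
            vault[person]["manager"] = manager_person
            vault[manager_person]["directReports"].append(person)
    return vault


if __name__ == "__main__":
    for name, attrs in build_vault(OBJECTS, RELATIONSHIPS).items():
        print(name, attrs)
```

Because the Person-level links are derived from the Position hierarchy rather than copied from the IDoc, a vacant Position simply leaves the subordinate's 'manager' empty instead of pointing at a stale User, which is the case a policy written slide-by-slide tends to miss.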

DirXML Driver for SAP HR: Mapping Rule (sample)

Identity Vault Attribute Name -> SAP HR Attribute Name
Given Name -> P0002:VORNA:none:134:25
Surname -> P0002:NACHN:none:84:25
City -> P0006:ORT01:US01:133:25
Home City -> P0006:ORT01:1:133:25
Internet E-Mail Address -> P0105:USRID:MAIL:78:30
Mobile -> P0105:USRID:CELL:78:30
Pager -> P0105:USRID:PAGR:78:30
Home Phone -> P0006:TELNR:195:14
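The SAP-side names in the mapping rule are positional field specs rather than attribute names. The following added example (this page's illustration, not the driver's parser) reads them as infotype:field:subtype:offset:length, treats 'none' or an omitted subtype as "any subtype", and applies the rule to constructed fixed-width segment data to show how 'City' and 'Home City' pull the same ORT01 field from different P0006 subtypes. The 1-based offset convention, blank-padding short records, and the segment tuple layout are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Mapping rule entries as listed on the slide: Identity Vault attribute -> SAP HR field spec.
MAPPING_RULE: Dict[str, str] = {
    "Given Name": "P0002:VORNA:none:134:25",
    "Surname": "P0002:NACHN:none:84:25",
    "City": "P0006:ORT01:US01:133:25",
    "Home City": "P0006:ORT01:1:133:25",
    "Internet E-Mail Address": "P0105:USRID:MAIL:78:30",
    "Mobile": "P0105:USRID:CELL:78:30",
    "Pager": "P0105:USRID:PAGR:78:30",
    "Home Phone": "P0006:TELNR:195:14",
}


@dataclass(frozen=True)
class FieldSpec:
    infotype: str           # e.g. 'P0002'
    field: str              # SAP field name, e.g. 'VORNA'
    subtype: Optional[str]  # None: the spec applies to records of any subtype
    offset: int             # 1-based character position in the segment data (assumption)
    length: int             # field width in characters


def parse_spec(spec: str) -> FieldSpec:
    """Parse 'infotype:field[:subtype]:offset:length'; 'none' or no subtype means no filter (assumption)."""
    parts = spec.split(":")
    if len(parts) == 5:
        infotype, field, subtype, offset, length = parts
        sub: Optional[str] = None if subtype == "none" else subtype
    elif len(parts) == 4:
        infotype, field, offset, length = parts
        sub = None
    else:
        raise ValueError(f"malformed field spec: {spec!r}")
    off, ln = int(offset), int(length)
    if off < 1 or ln < 1:
        raise ValueError(f"offset and length must be positive: {spec!r}")
    return FieldSpec(infotype, field, sub, off, ln)


def extract_field(spec: FieldSpec, data: str) -> str:
    """Slice the field out of fixed-width segment data. Short records are blank-padded
    rather than rejected because trailing blanks are often trimmed in flat files."""
    start = spec.offset - 1
    return data.ljust(start + spec.length)[start:start + spec.length].rstrip()


def map_segments(mapping: Dict[str, str], segments: List[Tuple[str, Optional[str], str]]) -> Dict[str, str]:
    """Apply the mapping rule to (infotype, subtype, data) segments; the first non-empty match wins."""
    result: Dict[str, str] = {}
    for attribute, raw in mapping.items():
        spec = parse_spec(raw)
        for infotype, subtype, data in segments:
            if infotype != spec.infotype or (spec.subtype is not None and subtype != spec.subtype):
                continue
            value = extract_field(spec, data)
            if value:
                result[attribute] = value
                break
    return result


def fixed_width(width: int, *fields: Tuple[int, int, str]) -> str:
    """Build a blank-padded segment with (offset, length, value) fields placed at 1-based offsets."""
    buf = [" "] * width
    for offset, length, value in fields:
        if len(value) > length:
            raise ValueError(f"{value!r} does not fit in {length} characters")
        buf[offset - 1:offset - 1 + len(value)] = list(value)
    return "".join(buf)


# Constructed sample segments (not a real IDoc): (infotype, subtype, fixed-width data).
SEGMENTS: List[Tuple[str, Optional[str], str]] = [
    ("P0002", None, fixed_width(200, (84, 25, "Adams"), (134, 25, "John"))),
    ("P0006", "US01", fixed_width(220, (133, 25, "Provo"), (195, 14, "8015551000"))),
    ("P0006", "1", fixed_width(220, (133, 25, "Orem"), (195, 14, "8015552000"))),
    ("P0105", "MAIL", fixed_width(120, (78, 30, "[email protected]"))),
    ("P0105", "CELL", fixed_width(120, (78, 30, "8015553000"))),
]

if __name__ == "__main__":
    for attribute, value in map_segments(MAPPING_RULE, SEGMENTS).items():
        print(f"{attribute}: {value}")
```

Note that 'Home Phone' carries no subtype, so it picks up TELNR from whichever P0006 record the driver processes first; a rule that needs a specific address type should say so in the spec, as 'Home City' does.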

DirXML Driver for SAP HR: Remote Loader Usage

Why use the Remote Loader?
• Identity Vault does not exist for the SAP host platform
• Identity Vault not allowed on the SAP host platform
SAP Driver with Remote Loader requirements
• Host platform supporting JDK/JRE 1.4 or higher
• SAP JCO client installed on host platform
Remote Loader features
• SSL connection security
• Bi-directional password handshake

Question and Answer

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.