How does the IDM SAP User Management driver access the role library

  • 7016162
  • 09-Feb-2015
  • 09-Feb-2015

Environment

NetIQ Identity Manager Driver - SAP User Management

Situation

How does the driver access the role library in SAP User Management?

Resolution

For the information below, please note that WHENEVER POSSIBLE we avoid using the RFC_READ_TABLE BAPI, and we NEVER use it for reading security-related tables. However, some information, specifically the localized descriptions of available roles, is only available via this method.

There is also a lot of implementation detail in the following, so use it with discretion.

AGR_DEFINE is for local role definitions on any SAP system. We are NOT reading the role definitions from only the CUA Central system. When the entitlement query (or entry query) is issued to a specific logical system (e.g., CLNT032), the request from the driver is directed to that logical system via a JCo connection. For our implementation, we first read all of the AG objects from the target logical system using BAPI_PDOTYPE_GETDETAILEDLIST. Unfortunately, there is not much "detail" in this AG list, so we need to augment the information. The driver therefore uses the list of AG objects as indexes into the local AGR_DEFINE table to obtain the linkage to the AGR_TEXTS file, from which it gets the AG description using the specified locale.

For assignments of roles, we do NOT read any tables. The driver utilizes the BAPI_USER_LOCACTGROUPS_READ method to find CUA role assignments. This BAPI returns the LOCACTGROUPS table, and each row of that table contains the logical system name, which allows the driver to determine which system the role assignment belongs to. The driver policies determine which query is issued to the driver, so if you want CUA role assignments, make sure you are using a query for LOCACTIVITYGROUPS, not ACTIVITYGROUPS.

So the bottom line is:

- The driver fans out the request for role information to the respective CUA clients and reads the local AGR_DEFINE table.

- The driver obtains CUA role assignments via BAPI calls to the CUA Central client. Assignments are linked to the proper client using the value of the "SYSTEM" field (logical system ID).
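
To check the statement above that RFC_READ_TABLE is used only for role descriptions, a reviewer can compare the driver account's RFC_READ_TABLE calls against the two tables named in this article. The following is an added example, not NetIQ's code; the key=value record format, the account name IDM_DRV, the client numbers and the sample records are constructed for illustration.

```python
import re

# Tables this article says the driver reads through RFC_READ_TABLE.
ALLOWED_TABLES = {"AGR_DEFINE", "AGR_TEXTS"}
DRIVER_USER = "IDM_DRV"  # hypothetical service account name

# Constructed records in an assumed key=value export format
# (not a native SAP log layout).
SAMPLE_LOG = """\
2015-02-09T10:15:01Z user=IDM_DRV client=032 fm=BAPI_PDOTYPE_GETDETAILEDLIST
2015-02-09T10:15:02Z user=IDM_DRV client=032 fm=RFC_READ_TABLE QUERY_TABLE=AGR_DEFINE
2015-02-09T10:15:03Z user=IDM_DRV client=032 fm=RFC_READ_TABLE QUERY_TABLE=agr_texts
2015-02-09T10:15:04Z user=IDM_DRV client=001 fm=BAPI_USER_LOCACTGROUPS_READ
2015-02-09T10:16:10Z user=IDM_DRV client=032 fm=RFC_READ_TABLE QUERY_TABLE=EXAMPLE_TABLE
2015-02-09T10:16:11Z user=IDM_DRV client=032 fm=RFC_READ_TABLE
2015-02-09T10:17:00Z user=OTHER_USER client=032 fm=RFC_READ_TABLE QUERY_TABLE=EXAMPLE_TABLE
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one record into (timestamp, dict of key=value fields)."""
    timestamp, _, rest = line.partition(" ")
    return timestamp, dict(FIELD.findall(rest))


def unexpected_table_reads(log_text, user=DRIVER_USER, allowed=ALLOWED_TABLES):
    """Return (timestamp, client, table) for each RFC_READ_TABLE call by
    `user` whose target table is outside `allowed`. A record with no table
    name is reported as '<missing>' instead of being silently accepted."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, fields = parse_record(line)
        if fields.get("user") != user or fields.get("fm") != "RFC_READ_TABLE":
            continue  # other accounts and BAPI calls are out of scope here
        raw = fields.get("QUERY_TABLE")
        table = raw.upper() if raw else "<missing>"  # compare case-insensitively
        if table not in allowed:
            findings.append((timestamp, fields.get("client", "?"), table))
    return findings


if __name__ == "__main__":
    for finding in unexpected_table_reads(SAMPLE_LOG):
        print("unexpected RFC_READ_TABLE read:", finding)
```

Only RFC_READ_TABLE calls are evaluated, because the article names that function as the single generic table reader the driver uses; the BAPI calls pass through unflagged.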