integrating sap hr and business process driven identity management

Integrating SAP HR and Business Process Driven Identity Management

Volker ScheuberSoftware EngineerNovell, Inc. /[email protected]

Holger DoppIdentity Management ArchitectNovell, Inc. /[email protected]

© Novell, Inc. All rights reserved.2

Agenda

• Business Process and Identity Management

• Definition

• Processing

• Logging, Monitoring

• Live Demo

Business ProcessesIntroduction


Business Process for IDMDefinition

• Single process in the identity life cycle process.

• BP always does have a starting point and one or many end points.

• BP may contain provisioning/de-provisioning, approval role assignment/revoke and auditing steps.

• BP may have a start date and/or validity date.


Typical Business Processes

• Join a company• Leave a company• Change organizational assignment• Change organizational role/position• Request a role, access, permission• … many, many other customer driven processes


Business Processes vs. Event Driven IDM Provisioning

Identity Management (classic)– event (attribute or object change) driven – often synchronous process– event flow from single source → IV → multiple targets– event flow controlled by driver policies

Business Process (classic)– transaction based– often asynchronous process– process flow from single source → IV → workflow →

multiple targets– process flow controlled by business process controller


Business ProcessRepresentation

• Set of new or changed attributese.g. given name + surname change

→ marriage

• Specific values of attributese.g. costcenter change

→ organizational assignment change

• Specific change of attribute values from old to newe.g. position ID change from value 0000 to 0001..9999

→ change from apprentice to fulltime employee


Business ProcessSources

• Any information source related to objects involved in the IDM provisioning process.

– Direct connected Applications> SAP HR, Oracle HR> Telephone System

– Indirect connected applications> CSV file> SAP HR iDocs

– Identity Vault applications> UserApp Self Provisioning> UserApp Workflow


Business ProcessExecution

• Immediately processing of changese.g. - synchronization to other application

- assignment of entitlements

• Future processing of changese.g. - multiple future processes along the timeline

• Starting of additional process taskse.g. - internal approval workflows

- external approval procedures


Business ProcessDiscovery

• Semantic description of business process at customere.g. - new employee record in SAP HR

- new user account in AD- new Mailbox in Exchange- eMail to manager- new user account in SAP User

• Technical specification of business processe.g. - objects/attributes provided by SAP HR

- attributes required by AD- attributes required by Exchange- system information required by SAP User

Business Processes in SAP HR


Business ProcessRepresentation in SAP HR

• Actions– Mostly many changed values per event and object

• Org.Management Changes– Less changed values per event

• Direct change of infotype values– Single value change per event


SAP HR Business ProcessesActions

• Set of necessary SAP GUI screens to enter data belonging to a specific HR process

e.g.hire new employee

• Pre-defined actions available at SAP HRe.g.hire, fire, position change, ...

• Customized actions possible at SAP HRe.g. change employee picture


SAP HR Business ProcessesActions (cont.)


SAP HR Business Processes Org.Management

• Graphical tool to manage the companies org.management model

e.g. - manage Org.Unit hierarchy- manage position to Org.Unit relationship- manage employee to position assignment

• Multiple operations for multiple objects occure.g. - company reorganization

• May interact with actione.g. - action: position change


SAP HR Business Processes Org.Management (cont.)


SAP HR Business ProcessesInfotype Changes

• Infotype: set of logical data grouped according to subject matter

e.g.personal data, addresses, communication

• Direct change of infotype valuese.g. - change of email address

- change of telephone number

• Single operation per object


SAP HR Business ProcessesInfotype Changes


SAP HR Business Processes Timeline

• Infotype value does have a validity time frame (valid from … to)

• Value changes will delimit existing current values

• Default end date is 12/31/9999

• Value changes can have a future date

• The time line for a specific infotype contains historic, current and future values


SAP HR Business Processes Timeline Sample

CMP eSAPe v2.0


SAP HR Driver

• Purpose– Provision employee and organizational information from SAP

HR into the Identity Vault– 'Mirror' SAP HR data to the IV– Support for future event work order processing

• Object TypesP – PersonO – OrganizationC – JobS – Position


SAP BL Driver

• Purpose– Process SAP HR relevant data to

* calculate organizational structure* calculate organizational assignments* discover business processes* generate and handle future event work order objects

• Object Types– DirXML-sapPAux (User Auxiliary Class)– DirXML-sapO (Organization)– DirXML-sapC (Job)– DirXML-sapS (Position)


Base BL Driver

• Purpose– Generate Identity Vault Org.Chart

> Maintain manager/directReports relationship

– User account maintenance> Delete terminated user accounts

• Object Types– User


SAP HR / BL Driver Interaction (v1.0)


SAP HR / BL Driver Interaction (v2.0)

CMP eSAPe v2.0 – SAP HR Full State Attribute


SAP HR Full State Attribute

• PurposeContains information about

> all discovered SAP HR values (including time line) for a User objects> last discovered iDoc input values> last calculated changes based on current full state and new input values

• Operated by– SAP HR driver

• Schema– DirXML-sapPFullState– stream attribute containing a XML document


SAP HR Full State Attribute (cont.)

• Content– XML document

> <document>

– Child elements> <fullstate>> <change>> <inputDoc>

<document><fullstate>

(content)</fullstate><change>

(content)</change><inputDoc>

(content)</inputDoc>

</document>



• <fullstate>– 'mirror' of all information ever got from SAP HR– attribute naming in SAP HR format– historic and current value time line per attribute

<fullstate><modify class-name="P" event-id="SAP-HR:O_100_0000000000013109:P+00000129" src-dn="00000129" timestamp="20091001">

<association>00000129</association><modify-attr attr-name="P0001:STELL:none:141:8">

<remove-all-values/><add-value>

<value seqnr="000" timestamp="20090101-99991231">00000000</value>/add-value>

</modify-attr></modify>

</fullstate>



• <change>– last change calculated out of most current <input> document

and olf <fullstate> content– <add-value> contains new value including delimited and new

time line – <remove-value> contains removed value including old time line

<change><modify class-name="P" event-id="SAP-HR:O_100_0000000000013110:P+00000129" src-dn="00000129" timestamp="20091001">


<remove-value><value seqnr="000" timestamp="20090101-99991231">00000000</value>

</remove-value><add-value>

<value seqnr="000" timestamp="20090101-20090109">00000000</value><value seqnr="000" timestamp="20090110-99991231">50000297</value>

</add-value></modify-attr>

</modify> </change>



• <inputDoc>– last incoming input document from SAP HR

<inputDoc><modify class-name="P" event-id="SAP-HR:O_100_0000000000013110:P+00000129" src-dn="00000129" timestamp="20091001">


<remove-all-values/><add-value>

<value seqnr="000" timestamp="20090101-99991231">50000297</value></add-value>

</modify-attr></modify>

</inputDoc>


<nds dtdversion ="1.0" ndsversion ="8.5"><source ><product build ="20090520 _004316 " instance ="SAP-HR-CMP" version ="3.5.4">DirXML Driver for SAP /HR</product ><contact >Novell , Inc.</contact >

</source ><input xmlns :sapshim ="http://www.novell .com/dirxml /drivers /SAPShim "><modify class -name ="P" event -id="SAP-HR-CMP:HR_idm.datO_101_0000000002297132 :P+00400673 " src-dn="00400673 "

timestamp ="20090924 "><association >00400673 </association ><modify -attr attr -name ="P0001 :STELL :none :141:8"><remove -all-values /><add -value ><value seqnr ="000" timestamp ="20090629 -20090701 ">04000105 </value ><value seqnr ="000" timestamp ="20090702 -20090702 ">00000000 </value ><value seqnr ="000" timestamp ="20090703 -20090709 ">04000108 </value ><value seqnr ="000" timestamp ="20090710 -99991231 ">04000112 </value >

</add-value ></modify -attr >

<document ><fullstate >

<modify class -name ="P" event -id="SAP-HR-CMP:HR_idm.datO _101_0000000002297082 :P+00400673 " src-dn="00400673 "timestamp ="20090924 " lasttimestamp ="20090924 ">

<association >00400673 </association ><modify -attr attr-name ="P0001 :STELL :none :141 :8">

<remove -all-values /><add-value >

<value seqnr ="000" timestamp ="20090629 -20090701 ">04000105 </value ><value seqnr ="000" timestamp ="20090702 -20090702 ">00000000 </value ><value seqnr ="000" timestamp ="20090703 -99991231 ">04000108 </value ><value seqnr ="000" timestamp ="20090703 -20090709 ">04000108 </value ><value seqnr ="000" timestamp ="20090710 -99991231 ">04000112 </value >


</fullstate ><change >

<modify class -name ="P" event -id="SAP-HR-CMP:HR_idm.datO _101_0000000002297082 :P+00400673 " src-dn="00400673 "timestamp ="20090924 ">


<remove -value ><value seqnr ="000" timestamp ="20090703 -99991231 ">04000108 </value >

</remove -value ><add-value >

<value seqnr ="000" timestamp ="20090703 -20090709 ">04000108 </value ><value seqnr ="000" timestamp ="20090710 -99991231 ">04000112 </value >


</change ><inputDoc >



<remove -all-values /><add-value >

<value seqnr ="000" timestamp ="20090629 -20090701 ">04000105 </value ><value seqnr ="000" timestamp ="20090702 -20090702 ">00000000 </value ><value seqnr ="000" timestamp ="20090703 -20090709 ">04000108 </value ><value seqnr ="000" timestamp ="20090710 -99991231 ">04000112 </value >


</inputDoc ></document >

SAP HR iDoc contentDirXML-sapPFullState content

IDM eSAPe v2.0 – SAP HR Business Process Definition


Business Process Definition Object


> SAP HR related business process discovery parameters> default User account actions executed per business process> operated against the SAP HR FullState document

• Operated by– SAP BL driver

• Schema– DirXML-Resource– content type: text/vnd.novell.idm.bizProcDef+xml– stream attribute containing a XML document


Business Process Definition Object

• Content– XML document

> <document>

– Child elements> <busprocdefs>

» <info-busproc/grouping>

» <busproc>

> <vaultactions>

<document><busprocdefs>

<info-busproc/grouping>(content)

</info-busproc/grouping><busproc>

(content)</busproc>

</busprocdefs><vaultactions>

(content)</vaultactions>

</document>


Business Process Definition Object(cont.)

• <busprocdefs/info-busproc/grouping>– definition of business process discovery parameters – grouping of business processes after

> User account relevance (disable, enable, expiration)> SAP HR actions and it's variations

<busprocdefs><info-busproc>

<grouping><type id="1">

<opid id="01">Hiring</opid><opid id="06">Transfer – active</opid>

</type><type id="2">

<opid id="02">Organizational reassignment</opid> </type>

</grouping></info-busproc>

</busprocdefs>



• <busprocdefs/info-busproc/grouping>– <type>

> groups all SAP HR actions belonging togethere.g. - all user account relevant actions (<opid>) - all organizational changes

> only one SAP HR action (<opid>) per <type> can be claimed as valid at a specific time

– <type/opid>> list of SAP HR actions> translation between SAP HR action ID and human readable action name

e.g. <opid id=”09”>Hiring (mini master employee)</opid>> 'id' represents SAP HR action id



• <busprocdefs/busproc>– detailed definition to discover variations of a business process– multiple <busproc> may belong to the same grouping <opid>– Childs:

> <attr> - attribute name, value and operation> <result> - action to take place if variation is found

– Parameter:> co - company this is valid for> id - id of this variation (must be unique throughout all busprocs)> name - name of the business process variation> opid - business process this variation belongs too> type - type this variation belongs too



• <busprocdefs/busproc/attr>– defines discovery values for each expected infotype attribute– Parameter:

> attr-name - name of the SAP HR infotype attribute> timestamp - declare this attribute to be used for deriving begin and end

date timestamp

<busprocdefs><busproc co="EH" id="3" name="Leaving" opid="10" type="1">

<attr attr-name="P0000:MASSN" timestamp="true"><new-value>10</new-value>

</attr><attr attr-name="P0001:PLANS">

<new-value>99999999</new-value></attr><result>

<action>Deactivate Account</action><action>Employee Settings</action>

</result></busproc>

</busprocdefs>



• <busprocdefs/busproc/attr>– value definitions are related to incoming infotype values– multiple value definitions per attribute are handled with logical

OR operation– Childs:

> new-value - add-value value> new-value-not - add-value values is not> diff-values - add-value and remove-value are different> equal-values - add-value and remove-value are the same, but

have different timestamps> stat-value - current FullState value> stat-value-not - current FullState value is not

(if no value is specified, all values are accepted)



• <busprocdefs/busproc/attr>– Samples:

<busprocdefs><busproc co="EH" id="8" name="Primary Position change with OrgUnit change (without Action)" opid="02" type="2">

<attr attr-name="P0000:MASSN"><new-value-not/>

</attr><attr attr-name="P0001:PLANS" comment="Position" timestamp="true">

<diff-values/></attr><attr attr-name="P0001:ORGEH">

<diff-values/></attr>

</busproc>

<busproc id="9" name="Primary Position change inside OrgUnit (with Action)" opid="02" type="2"><attr attr-name="P0000:MASSN" timestamp="true">

<new-value>02</new-value></attr><attr attr-name="P0001:PLANS">

<diff-values/></attr><attr attr-name="P0001:ORGEH">

<equal-values/><new-value-not/>

</attr></busproc>

</busprocdefs>



• <busprocdefs/busproc/result>– references to <vaultactions>, which shall be executed if

business process variation is discovered– Child:

> action

– multiple actions can be defined <busprocdefs>

<busproc co="EH" id="12" name="Parental Leave without parttime" opid="13" type="1"><attr attr-name="P2001:AWART" comment="Attendance or Absence Type" timestamp="true">

<new-value>0601</new-value></attr><attr attr-name="P2001:BEGVA" comment="Start year for leave deduction">

<new-value>3</new-value></attr><attr attr-name="P2001:BEGDA">

<new-value/></attr><result>

<action>Dectivate Account</action><action>Employee Settings</action>

</result></busproc>

</busprocdefs>



• <vaultactions>– defines IV attribute changes, executed immediately if business

process is discovered– Variables:

> #ENDDA# - ENDDA value of the discovered business process> #BEGDA# - BEGDA value of the discovered business process> #CURDA# - current system date

<vaultactions><action name="Activate Account">

<set-attr attr-name="Login Disabled">false</set-attr><set-attr attr-name="Login Expiration Time">#ENDDA#</set-attr>

</action><action name="Deactivate Account">

<set-attr attr-name="Login Disabled">true</set-attr><set-attr attr-name="Login Expiration Time">#BEGDA#</set-attr>

</action><action name="Last Change Date">

<set-attr attr-name="Description">#CURDA#</set-attr></action>

</vaultactions>

IDM eSAPe v2.0 – SAP HR Business Process Results


Business Login Action Attribute


> summarized information about discovered business processes> shows list of historic, current and future business processes> derived from SAP HR FullState document change


• Schema– DirXML-sapPBLAction– stream attribute containing a XML document


Business Login Action Attribute(cont.)

• Content– Status# -1 = historic

0 = current 1 = future

– BEGDA# start date– ENDDA# end date– TYPE# business process type id– OPID# business process id– OPDESC# business process description– ID# business process variation id– BUSPROC# business process variation description– DATA# XML document (<change>)


DirXML-sapPBLAction content

0#BEGDA =20091209 #ENDDA =99991231 #TYPE =2#OPID=02#OPDESC =Organizational reassignment #ID=7#BUSPROC =Primary Position change inside OrgUnit (with Action )#DATA=<XMLDocument containing the relevant values for the discovered action . The values may be from different attributes />

e.g. VALUE =<modify -attr attr -name ="P0001 :STELL :none :141:8"><remove -value >

<value seqnr ="000" timestamp ="20090703 -99991231 ">04000108 </value ></remove -value ><add-value >

<value seqnr ="000" timestamp ="20090710 -99991231 ">04000112 </value ></add-value >

</modify -attr >


Future Event Workorder Object

• Purpose– Contains information about future operation to process.– Will be triggered by the SAP BL driver.– Correlates with DirXML-sapPBLAction future list


• Schema– DirXML-WorkOrder


Future Event Workorder Object(cont.)

• Content– DirXML-woType

> SAPBUSPROC

– DirXML-woContent > Contains the value of the corresponding DirXML-sapPBLAction entry

• Processing– WO objects are stored in the SAP BL driver container– the WO object is processed at the DirXML-DueDate– a WorkToDo object is created in the SAP HR driver container


Future Event WorkToDo Object

• Purpose– Contains information about an executable operation to process.– Will be injected into the SAP HR publisher process.– Derived from WorkOrder object.

• Operated by– SAP HR driver

• Schema– DirXML-WorkToDo


Future Event WorkToDo Object(cont.)

• Content– DirXML-woType

> SAPBUSPROC

– DirXML-woContent > Contains the value of the corresponding DirXML-sapPBLAction entry

• Processing– the WorkToDo object is processed immediately– The XML document derived from DirXML-woContent is injected

into the SAP HR publisher channel.


DirXML-WorkToDo content

<document ><change >



<remove -value ><value seqnr ="000" timestamp ="20090703 -99991231 ">04000108 </value >

</remove -value ><add-value >

<value seqnr ="000" timestamp ="20090703 -20090709 ">04000108 </value ><value seqnr ="000" timestamp ="20090710 -99991231 ">04000112 </value >


</change ></document >

IDM eSAPe v2.0 – Business Process Logging


Business Process Logging

• SAP HR and SAP BL driver are enhanced to write process logs

• process logs contain information about the processing of events

– SAP HR Drivere.g. 20100118082757,false(SAP-HR:O_100_0000000000014120:P+00000142),00000142

SAP Operation "modify" detected ObjectClass: P Processing FullState … FullState attribute read for P - 00000142 [SAP-HR:O_100_0000000000014119.save:P+00000142] FullState attribute written for P - 00000142 [SAP-HR:O_100_0000000000014120:P+00000142] Status: SAP-HR:O_100_0000000000014120:P+00000142 success ()


Business Process Logging(cont.)

– SAP BL drivere.g.20100118082809,true(SAP-HR:O_100_0000000000014121:P+00000142),\UTOPIAISM\utopia\users\000000120 SAP Business Operation "modify" detected ObjectClass: User DirXML-sapPFullState av: - … Start processing DirXML-sapPFullState … Incoming attributes: P0002:NACHN:none:84:25 – Erlin Discover business process Change (Name) (3 – 6) P0002:NACHN FOUND in evt.Change P0002:NACHN -> DIFF-VALUES rv (Erlin) <> lav (Andalf) 3 - 3 - #true-P0000:MASSN#true-P0002:VORNA(19700101-99991231;Mark)#true-P0002:NACHN(19700101-99991231;Erlin)# FOUND --> [Status]#BEGDA=[BEGDA]#ENDDA=[ENDDA]#TYPE=3#OPID=08#OPDESC=Additional personal assignment#ID=6#BUSPROC=Change (Name)#DATA= … Discover BP status and timestamps Status: 99 # Type: 3 # OPID: 08 # OPDESC: Additional personell assignment # ID: 6 # Name: Change (Name) # Timeattr: P0002:NACHN # Begda: # Endda: Write discovered business process to IV DirXML-sapPBLActions added --> 99#BEGDA=#ENDDA=#TYPE=3#OPID=08#OPDESC=Additional personell assignment#ID=6#BUSPROC=Change (Name)#DATA= … Write future events (work orders) to queue ... end processing DirXML-sapPFullState

IDM eSAPe v2.0 – Live Demo

Synchronize Business Processes from SAP HR to Novell® Identity Vault


SAP HR Object Classes and Relations

• SAP HR Relationship Model


SAP HR iDoc Processing

• ALE event driven export• Scheduled export• Manual export (PFAL)• Problem with iDoc content and order


SAP HR Future Date Processing

• group of data belong together• Stale checking and issue with it

Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

integrating sap hr and business process driven identity management

Documents