configuring novell ® nsure ™ identity manager 2 (formerly dirxml ® ) for enterprise applications...

Configuring Novell® Nsure™ Identity Manager 2 (formerly DirXML®) for Enterprise Applications

Mark WorwetzSenior Software EngineerNovell, [email protected]

© March 9, 2004 Novell Inc.2

one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.

The one Net vision

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

:

:

:

:


The one Net vision

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.

Novell Nsure™

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

:

:

:

:


What is an ERP application?

Enterprise Resource Planning

Software that is utilized by most, if not all, organizations in the enterprise

Integrates various software modules into a single system.

High TCO - Very expensive package to purchase, deploy, and administrate


Configuring Nsure Identity Manager 2 for Enterprise Applications

ERP Integration Issues

Driver Functionality

Driver Configuration

Driver Implementation Scenarios

Questions


ERP Integration Issues

What is the goal of the integration?

Why integrate ERP data?

What data should be shared?

How should the data be accessed?

What are the risks of integration?


ERP

Operating

SystemDatab

ase

Mail

PBX

Directory

What is the Goal of the Integration?Islands of isolated data


What is the Goal of the Integration?Sharing Data through the Enterprise

ERP

PBX

Directory

Mail

OperatingSystem

Database

Identity Manager


What is the Goal of the Integration?Authoritative SourcesERP system — employee and organization data

GroupWise® — e-mail address

Telecom — telephone number

Existing corporate directories — access, legacy resources

Facility database — office/mail-stop

Account Management – System Access rights

Etc.


Why Integrate ERP data?

Contains the most complete set of Identity data

Contains the most authoratative Identity data

Most protected source of data


What does Novell do for ERP?

Help leverage the investment in ERP by:

• Integrating identity data with non-ERP applications

• Provide data conversion opportunities

• Allow access to ERP data outside of the ERP system

• Provide multiple integration options from application-specific to generic interfaces


What Data Should Be Shared?

Only share data that is useful• Data that is duplicated in other applications• Data that is required to process business

workflow• Data that must be accessed by non-ERP

employees• Data that is shared beyond corporate boundary

Do not share sensitive information!• Make sure ERP administrators are involved in the

decision.


How Should the Data be Accessed?It is important that the customer is aware, and comfortable with, the integration access method

• Direct System or Business Object APIs

• Open Standard Protocols (LDAP, JDBC)

• Flat file transfers (XML, CSV)

Make sure ERP administrators are involved in the decision!

Make sure appropriate rights are granted to provide the integration


What are the Risks of Integration?

API access introduces ERP system security concerns

• DirXML Driver acts as an ERP client – what rights should the driver have?

• Are the authentication credentials protected?

Access to underlying data tables introduce data integrity and ERP system support issues.

Flat-file access introduces file-system security and resource issues.

Remote drivers introduce data transmission security issues.

Data integration introduces auditing concerns.


What are the Risks of Integration?Improper planning and insufficient buy-in to the integration solution by all involved personnel is the NUMBER 1 problem in the field!

Always INVOLVE the ERP system administrators in the solution planning!


ERP Integration 'Bottom Line'

The ERP administrators are the only people who really understand the ERP system data and processes – you need their help!

The ERP administrators can make or break the project. Management is very dependent on their opinions – treat them with respect!

The ERP administrators are among the 'best and brightest' people at the customer site – discuss the function of the DirXML driver with them so they are comfortable with it.


Driver FunctionalityDirXML Drivers for SAP HR and PeopleSoft

What is a driver?

What data is shared?

What are the default Policies?

What is the driver design philosophy?

Where does the driver run?

How do the drivers access data?


What is a driver?

A driver is composed of two distinct elements:

Driver Policies•The policies are default configuration information that describe the application connection information, schema mapping, and various data transformation policies•All policies are objects in the Identity Vault•Policies managed using iManager

Driver Shim•The shim is responsible for interfacing with the connected application and implementing policies•The shim is an independent code module


What data is shared?

Both drivers work in a “Publisher primary” mode.• Drivers can Publish all events (Add, Modify, Delete)

• Drivers can Subscribe Modify events only.

Drivers are configured for an HR scenario.• SAP HR driver can only work with HR Master Data records and

methods

• PeopleSoft driver utilizes an HR derived staging table interface by default.

Primary data object is an Employee in the HR system, a User in the Identity Vault

• Personal Data

• Organizational Assignment and Hierarchy Data

• Communication Data


What data is shared?Publisher Channel

homePhonemobilepagerworkforceIDemployeeStatusFull NameGiven NameInitialsmailstopSurnameTelephone NumberPostal CodeS

Physical Delivery Office NameSA

isManagermanagerWorkforceIDOUTitlemanagerdirectReports

CNGroup MembershipPassword Data


What data is shared?Subscriber Channel

CN *Description *Distinguished Name *

Telephone NumberhomePhonemobilepagerInternet EMail Address

workforceID (notify only)

* PeopleSoft only


Default Publisher Policies

Object Matching• Match object with same class and 'workforceID'.

Object Naming• First Initial + Surname, no Suffix, all capitalized

(ie. John Adams = JADAMS)• Duplicates sequentially numbered (JADAMS2)

Object Placement• Active Employees in specified 'Active' container.• Inactive Employees in specified 'Inactive'

container.• 'employeeStatus set to 'A' or 'I' respectively.


Default Publisher Policies

Password• Set to value of 'Surname' attribute

Hierarchy• All managers identified by 'isManager' set to '1'.• Managers have DN of subordinates in 'directReports'

attribute.• Employees have DN of manager in 'manager' attribute• Employees have workforceID of manager in

'managerWorkforceID' attribute.Organizational Data

• OU (Department) attribute must contain text name• Title attribute must contain text name


Maintaining Manager-EmployeeObject Relationships

JackdirectReports = Maria

Mariamanager = JackdirectReports = John

Johnmanager = Maria


Default Subscriber Policies

Object Matching• Match object with same class and 'workforceID'.


DirXML Driver for PeopleSoft

Driver Design Philosophy

Overview

Publisher Channel

Subscriber Channel

Remote Loader Configuration



Driver Design PhilosophyDirXML Driver for PeopleSoft

Must work with last 3 supported PeopleTools versions.

Must be certified by PeopleSoft.

Must require no modification of existing business applications.

Must utilize standard PeopleSoft integration technology.

Must guarantee that all PeopleSoft events are processed.

Must process all events in chronological order.

Must satisfy the customer!


Driver Design AccomplishmentsDirXML Driver for PeopleSoft

Must work with last 3 supported PeopleTools versions.

• Drivers work with PeopleTools versions 7.5, 8.1, and 8.4.

Must be certified by PeopleSoft.• Certification received in September 2003.

Must require no modification of existing business applications.

• No extensions or server upgrades required.



Must utilize standard PeopleSoft integration technology.

• Message Agent for PeopleTools 7.5 and 8.1• Component Interface for PeopleTools 8.1 and 8.4

Must guarantee that all PeopleSoft events are processed.

• Transaction file processing allows driver to determine which events to process and report the status of processing.



Must process all events in chronological order.• Transaction processing in PSA components

provides proper effective date of transactions. Driver processes events on effective date.



Must satisfy the customer!• All customers have unique requirements.• The driver can handle most issues via configuration and

policies.• The driver functionality is periodically updated with new

version and TID releases based 100% on real customer feedback.


OverviewDirXML Driver for PeopleSoft

The DirXML Driver for PeopleSoft utilizes technology delivered by PeopleSoft.

• Driver is a PeopleTools driver, not an application driver. Can be used to integrate any desired data.

• Message Agent technology used for 3.6x driver.• Component Interface (CI) technology used for 4.x

driver.• Both drivers are delivered with a PeopleSoft Service

Agent (PSA). This contains pre-defined PeopleSoft components and sample application for simple, non-integrated deployment on PeopleSoft server.

• PSA contains a Transaction interface to facilitate the reporting of application events to the driver.


Overview(continued)

Drivers must have connectivity to PeopleSoft server in order to funtion. Driver acts as an administrative client.

Synchronous interface used for both Publisher and Subscriber channel.

Drivers are 'application-neutral', but do not support 'Add' or 'Delete' operations on the Subscriber channel.

Driver supports Application server connectivity failover.

Transaction model allows multiple drivers to process events.

34

Publishing PeopleSoft Data to Other Applications

Publisher Channel

DirXML RemoteLoader Service

DirXML Driver for

Application N

PeopleSoft Modules

Transactions

PeopleTools

IdentityVault

PeopleSoft Host

PeopleSoft Client

DirXML Remote

Loader Shim

DirXMLEngine

DirXML Remote

Loader Service

Application Host Application Host

Application Server

PeopleSoft Message

Agent or CI

DirXML Driverfor

PeopleSoft


DirXML Driver for

Exchange

Data changes from PeopleSoft application modules are logged

Configured to poll on specified intervals for data changes

Driver object containingbusiness policies and connection parameters

Driver Requests Transactions

1

Driver receives data and transforms the relevant information into an XML document

2Application NExchange

The driver updates and retrieves data in the application

6

FIN EPM CRM

HR SCM SA

etc.

DirXML Engine processes data according to business policies

5

XML Doc

SSL Connection

3 DirXML Engine adds or updates the data into Identity Vault

4


Publisher Channel Functionality

To simplify implementation, a synchronous PeopleSoft Interface is utilized.

Access to event information from PeopleSoft is via a Transaction CI. (DIRXML_TRANS)

PeopleSoft code (PeopleCode) in the PSA is used to organize transactions into processing date order. Future-dated events are not processed until date is current or past.

Driver polls the Transaction CI for records indicating “Available” transactions involving Add, Modify, or Disable/Delete of data records. Transaction record contains key of data record affected by transaction.


Publisher Channel Functionality(continued)

Transaction state set to “In Process”. Key to data record and transaction ID is stored.

Access to PeopleSoft data records is via a Data Component Interface (CI). (DIRXML_SCHEMA)

Since the CI is not class specific, the Data CI name is used as the class name for schema mapping.

Driver supports multiple Data CIs to facilitate handling transactions for multiple object types.


Publisher Channel Functionality(continued)

Driver reads current data values of data record and Publishes event.

Event is processed by engine, status is returned to driver.

Transaction CI is utilized to update status in transaction record.

38

Subscribing Application Data to PeopleSoft

PeopleSoft Modules

Transactions

PeopleTools

IdentityVaultPeopleSoft

HostPeopleSoft

Client

DirXML Remote

Loader Shim

DirXMLEngine

DirXML Remote

Loader Service

Application Server

PeopleSoft Message

Agent Interface

DirXML Driverfor

PeopleSoft

FIN EPM CRM

HR SCM SA

etc.

Data from other applications

1

XML Doc

XML Doc

SSL Connection

2Data the

PeopleSoft driver

subscribes to that comes from other

applications through Identity Manager

3Driver posts incoming data to the Staging Table

PeopleSoft configured to

consume data from

the Staging Table

4

Identity Manager Host

Subscriber Channel

Driver object containingbusiness policies and connection parameters


DirXML Driver for PeopleSoft Subscriber Channel-Overview

Driver uses Data CI to access records for Query or Modify events. All other events return “warning” status to indicate they are not supported.

A record “Find” operation preceeds data object “Get” access to avoid database errors.

For Modify events the driver updates a data staging table. PeopleCode transfers modifications to appropriate application tables.


DirXML Driver for PeopleSoft Driver Deployment Notes

By using a “Find” operation to avoid database errors, the driver becomes reliant on primary keys that are unique over their length. If possible, do not use keys that are subsets of other keys. (ie. “AB”, “ABCDE”). The “Find” operation will return a non-unique key warning while searching for “AB”.

Do not remove or modify any fields of the Transaction CI. The driver depends on them. It is OK to add fields.

For Modify events the driver updates a data staging table. PeopleCode transfers modifications to appropriate application tables.



DirXML Driver for PeopleSoft



Driver Configuration ParametersConnection Parameters

Authentication ID• The name of the PeopleSoft administrative user that will

be used for all read and write operations to the PeopleSoft Application server.

Authentication Context• The DNS name or IP address and JOLT port of the target

PeopleSoft Application server host system. Must be preceeded with '//' and contain a ':' delimiter. Multiple entries allowed for connectivity failover must be separated with ';'(ie. //psofthost:9000;//backuphost:9000)

Application Password•Password of the administrative user.


PeopleSoft Client Library Path• Path to the PeopleSoft client library file 'psapiadapter.dll'.

Schema CI Name•The name of the PeopleSoft Component Interface used to read and write PeopleSoft data records (default: DIRXML_SCHEMA01).

Data Record ID Field• The name of the PeopleSoft application data record primary

key field (default: DIRXML_ASSOC_ID)

Driver Configuration ParametersDriver Implementation Parameters


Transaction CI Name• The name of the Component Interface that is used to read

and update PeopleSoft transaction records. (default: DIRXML_TRANS01)

Driver Subset Identifier• This field is a string used to match the driver to the

transaction records it will process.Queue Poll Interval (seconds)

• The time in seconds that the driver waits between requests for available transactions from the Transaction CI.

Schema Data Processing Mode (0/1)• Data record retrieval methodology utilized by driver• 0 - “Find” used to warn of duplicate keys. Followed by

“Get”• 1 - “Find” used to generate error for duplicate keys.

Followed by “Get” if only 1 instance found.

Driver Configuration ParametersPublisher Implementation Parameters


Implementing Default PolicyExporting Master Data from PeopleSoft

The driver implementation guarantees that all current attributes of an object are obtained during processing of any transaction on that object.

The PeopleSoft component and PeopleCode that implements it are responsible for reporting all data of interest for the object being processed AND for related objects. The sample application includes:

• User's Department name and ID• User's Manager's ID• Flag indicating if User is a manager• User's Employee status• User's Title


Implementing Default Policy

The driver Policies perform the task of maintaining referential relationships between 'Manager' and 'Employee' objects.

• Only Identity Vault queries are required• Relationships maintained using 'manager' and

'directReports' attributes on related User objects.


DirXML Driver for PeopleSoftDefault HR Mapping Rule

DIRXML_SCHEMA01 Attr NameCommonNameDescriptionFullNameFirstNameMiddleNameEmailDeptLongDescrCityPostalStateAddress1LastNameTitleLongDescrStatusManagerMailDropManagerIDAssocID

Identity Vault Attr NameCNDescriptionFull NameGiven NameInitialsInternet EMail AddressOUPhysical Delivery Office NamePostal CodeSSASurnameTitleemployeeStatusisManagermailstopmanagerWorkforceIDworkforceID


DirXML Driver for PeopleSoftRemote Loader Usage

Why use the Remote Loader?• PeopleTools client must run on Win32

• Identity Vault and PeopleSoft may not be on Win32 platform

PeopleSoft with Remote Loader requirements• Host platform supporting JDK/JRE 1.4 or higher

• PeopleTools client installed on host platform

Remote Loader features• SSL connection security

• Bi-directional password handshake


DirXML Driver for SAP HR

Driver Design Philosophy

Overview

Publisher Channel

Subscriber Channel

Remote Loader Configuration



Driver Design PhilosophyDirXML Driver for SAP HR

Must work with R/3 version 4.5b and later.

Must be certified by SAP Labs.

Must require no new SAP server extensions or upgrade.

Must utilize standard SAP integration technology.

Must run on standard SAP host platforms.

Must guarantee that all SAP events are processed.

Must process all events in chronological order.

Must process future-dated events.

Must satisfy the customer!


Driver Design AccomplishmentsDirXML Driver for SAP HR

Must work with R/3 version 4.5b and later.• Driver works with SAP R/3 versions 4.5b, 4.6A,

4.6C, and Web AS 6.1 and 6.2.

Must be certified by SAP Labs.• Certification received in September 2001.

Must require no new SAP server extensions or upgrade.

• No extensions or server upgrades required.



Must utilize standard SAP integration technology.• Java Connector (JCO)• Application Link Enabling (ALE)• Intermediate Documents (IDoc - File format)• Business Object API (BAPI)

Must run on standard SAP host platforms.• Pure Java implementation runs anywhere a JVM

and, if desired, JCO can reside.• Linux, Win32, AIX, Solaris, HP-UX, etc.



Must guarantee that all SAP events are processed.• Using IDoc file format guarantees persistant event

delivery regardless of driver status.

Must process all events in chronological order.• IDoc sorting by driver ensures proper event order

processing.

Must process future-dated events.• Driver has 4 modes for handling future-dated

events based on various customer requirements.



Must satisfy the customer!• All customers have unique requirements.• The driver can handle most issues via configuration and

policies.• The driver functionality is periodically updated with new

version and TID releases based 100% on real customer feedback.


OverviewDirXML Driver for SAP HR

The DirXML Driver for SAP HR utilizes technology delivered by SAP. SAP server is configured, not customized.

• Application Link Enabling (ALE) configured to support the Publisher channel.

• Intermediate Document (IDoc) files are created by SAP server and retrieved by the Driver for processing.

• SAP Java Connector (JCO) is used for synchronous connectivity to SAP server.

• Business Object API (BAPI) is used to Query for data in SAP server.


Overview(continued)

BAPI Technology is used to subscribe data into SAP

The Driver must connect to the SAP database on the Subscriber channel. It can utilize a connection on the Publisher channel. It generally connects as a “Communication” or “CPIC” user.

Additional security between SAP and eDirectory servers available via DirXML Remote Loader

57

DirXML RemoteLoader Shim

Data changes from SAP HR application modules are logged

Publisher Channel

SAP Host

SAP R/3HR

Application LinkEnabling (ALE)

Publishing SAP Data to Other Applications


DirXML Driver

For SAP/HR

SAP Host

Driver Shim filters relevant data into XML format

21IDoc posted to host file system with client number references

HRMD-A IDocs

C:\IDOCS\0_400_n

XML Doc

SSL Connection

3

Configured to poll the IDocs directory on intervals for docs pertaining to specific client number

IdentityVault

DirXMLEngine

DirXML Engine adds or updates the data into Identity Vault


4DirXML RemoteLoader Service

DirXML Driver for

Application N

APPLICATION HOST

APPLICATION HOST


DirXML Driver forExchange

Application NExchange

The driver updates data in application 6

DirXML Engine processes dataaccording to business rules

5

Driver object containing

business rules and connection

parameters


What IsApplication Link Enabling (ALE)?

Application Link Enabling (ALE) technology enables communication between SAP and external systems such as eDirectory.

ALE ensures integration in a distributed environment.

The IDoc acts as the data container.


What is an IDoc?

“IDoc” stands for Intermediate Document

An IDoc is a data container used to exchange data between any two processes that can understand the data.

IDocs are stored in the file system of the SAP system host.

Every IDoc has a unique, incremental number ― the number is unique within a client


What is an IDoc? (cont)

IDocs are created as a result of execution of an ALE process.

IDocs are independent of the direction of data exchange.

• However, the Driver uses only the outbound process.

IDocs can be viewed with a text editor.


IDoc Processing

Only Outbound IDocs for configured client number are consumed

Optional handling of “future-dated” IDoc Infotypes via configuration parameters

Information for multiple objects are handled as separate DirXML events.

Status of each event reflected by IDoc output file name extensions:

.warn

.bad

.proc

.futr

.futp

.done

.fail


IdentityVault

SAP Host

SAP Host

DirXML RemoteLoader Shim

DirXMLEngine


DirXML DriverFor

SAP/HR


Driver object containingbusiness policies andconnection parameters

2DirXML Engine adds or updates the data into Identity Vault

SAP R/3HR

Application LinkEnabling (ALE)

BAPI/ JCO

BAPIDoc

4The Driver Shim translates XML Doc into BAPI, the SAPnative API, and adds or updatesthe data in SAP/HR

SSL Connection

XML Doc

3Data the SAP driver subscribes to that comes from other applications through eDirectory

Subscribing Application Data to SAP HR

Subscriber Channel

XML Doc

Data from other applications

1


DirXML Driver for SAP HR Subscriber Channel-Overview

Driver Resembles an SAP Client

Standard SAP Programming Interface

Utilizes SAP BAPIs for HR application (Limited Infotype support)

• Personal Information Infotype (0002)

• Private Address Information Infotype (0006)

• Communication Infotype (0105)


DirXML Driver for SAP HRSubscriber Channel-Overview

The only configuration required within SAP for the subscription channel is setting up a ‘Communication’ (CPIC) user

The driver will log on to SAP as a communication user.

The driver can NOT create or delete employee records!


DirXML Driver for SAP HR Driver Deployment Notes

Why does the driver use IDoc “File” port instead of “TRFC” port?

Why does the Publisher channel generate only <modify> events?

Do I need to have connectivity with the SAP system to use the driver?

If I use 'Publisher only' mode, why does the driver try to read data from my SAP system?

Can I prevent read operations in 'Publisher only' mode?

Why can't the driver read IDocs from a mapped drive?



DirXML Driver for SAP HR



Driver Configuration ParametersConnection Parameters

Authentication IDThe name of the SAP non-dialog (CPIC) user that will be used for all read and write operations to the SAP HR host system.

Authentication ContextThe DNS name or IP address of the target SAP HR host system

Application PasswordPassword of the CPIC user.

SAP System NumberThe two-digit system number of the SAP server

SAP User Client NumberThe three digit number of the SAP client containing the data to be synchronized.

SAP User Language

The two-character language abbreviation that the client uses.

68

Character Set EncodingThe name of the encoding the driver will use for translating IDoc text data to Java unicode strings.

Metadata File DirectoryThe name of the file system directory from which the driver will read the specified SAP Master HR IDoc definition file.

Master HR IDoc (Optional)The name of the IDoc message type that will be generated by the SAP ALE system when publishing SAP HR database modifications or Master records.

Address Subtype Code (Optional)This is an enumerated configuration parameter that allows an administrator to specify which subtypes of the Private Address infotype the driver will synchronize.

Communication Subtype Code (Optional)

This is an enumerated configuration parameter that allows an administrator to specify which subtypes of the Communication infotype the driver will synchronize.

Poll Interval (seconds)This parameter specifies how often the driver will poll for unprocessed IDocs.

Publisher IDoc DirectoryThis specifies the file system directory from which the publisher will read IDocs published by the SAP ALE system.

Publisher Channel Only?This specifies whether the driver will only perform Publisher channel operations. No SAP connection is required in this mode, but will be used if available.

Future-date Event Handling Option

This parameter determines how future-dated infotype information is to be handled. Four modes supported:0 - All events sent immediately1 – Future events held until future date2 – Future events sent immediately and on future date.3 – Future events sent immediately and daily until future date is reached.

Driver Configuration ParametersImplementation Parameters


What data is shared?Publisher Channel

homePhonemobilepagerworkforceIDemployeeStatusFull NameGiven NameInitialsmailstopSurnameTelephone NumberPostal CodeS

Physical Delivery Office NameSA

isManagermanagerWorkforceIDOUTitlemanagerdirectReports

CNGroup MembershipPassword Data


Implementing Default PolicyExporting Master Data from SAP

It is not possible to remotely Query for information of non-Person objects in SAP.

To enhance the capabilities of the driver it is recommended that Position, Organization, and other desired HR object data be exported to eDirectory.

This is done primarily to obtain the names of Organizational objects and to maintain Object Relationships between objects.

Some organizations may also choose to utilize the structure of the data export for creating their eDirectory tree structure.


Exporting Master Data from SAP

To export data from SAP the instructions for generating an IDoc should be followed

Object Types:

P Person

S Position

C Job

O Organization

Maps to 'User'

Maps to 'Organizational Role'

Maps to 'CommExec'

Maps to 'Organizational Unit'


Exporting Master Data from SAPMaintaining Object Relationships

Driver supports a 'RELATIONSHIPS' Query to allow Policies to request details of various inter-object relationships during IDoc processing.

• Used to determine the hierarchy of SAP 'Position' objects and reflect the relationships on the Identity Vault objects.

– Utilizes 'manager' and 'directReports' schema extensions on 'Organizational Role' objects.

• Can be used to determine the hierarchy of SAP 'Organization' objects to mirror organizational structure in eDirectory.



Position ('S') object '50000010' (Manager) processed.

• Has a top-down relationship with Position '50000020' (Clerk)

• Identity Vault object 'Manager-S50000010' created.

Position ('S') object '50000020' (Clerk) processed.• Has a bottom-up relationship with Position

'50000010' (Manager)• Identity Vault object 'Clerk-S50000020' created.• 'manager' attribute of 'Clerk-S50000020' set to

'Manager-S50000010'• 'directReports attribute of 'Manager-S50000010' set

to include 'Clerk-S50000020'.



Person ('P') object '50000001' (JADAMS) processed.• Has a 'holds' relationship with Position '50000010'

(Manager)• Identity Vault object 'JADAMS' created.• 'Title' attribute of 'JADAMS' set to 'Manager-

S50000010'• 'isManager' attribute of 'JADAMS' set to '1'• 'Role Occupant' attribute of Identity Vault object

'Manager-S50000010' set to 'JADAMS'



Person ('P') object '50000002' (SSMITH) processed.• Has a 'holds' relationship with Position '50000020'

(Clerk)• Identity Vault object 'SSMITH' created.• 'Title' attribute of 'SSMITH' set to 'Clerk-

S50000020'• 'manager' attribute of 'SSMITH' set to 'JADAMS'• 'Role Occupant' attribute of Identity Vault object

'Clerk-S50000020' set to 'JADAMS'• 'directReports' attribute of 'JADAMS' set to include

'SSMITH'.


DirXML Driver for SAP HRMapping Rule (sample)

SAP HR Attribute Name

P0002:VORNA:none:134:25

P0002:NACHN:none:84:25

P0006:ORT01:US01:133:25

P0006:ORT01:1:133:25

P0105:USRID:MAIL:78:30

P0105:USRID:CELL:78:30

P0105:USRID:PAGR:78:30

P0006:TELNR:195:14

Identity Vault Attribute Name

Given Name

Surname

City

Home City

Internet E-Mail Address

Mobile

Pager

Home Phone


DirXML Driver for SAP HRRemote Loader Usage

Why use the Remote Loader?• Identity Vault does not exist for SAP Host Platform

• Identity Vault not allowed on SAP Host Platform

SAP Driver with Remote Loader requirements• Host platform supporting JDK/JRE 1.4 or higher

• SAP JCO client installed on host platform

Remote Loader features• SSL connection security

• Bi-directional password handshake

Question and Answer

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

configuring novell ® nsure ™ identity manager 2 (formerly dirxml ® ) for enterprise applications...

Documents

data integration

erp data outside

erp integration issueswhat

data integrity

data tables

source of data

erp client

risks of integration