Onboarding the SAP User Management Engine Application
Provision users from Verify to an on-premises SAP User Management Engine® instance through the SAP User Management Engine adapter.
Before you begin
- Configure the identity agent for authentication in Verify. See Configuring through the Verify user interface.
- Deploy and configure the IBM® Verify Identity Brokerage On-Premises component.
Procedure
- Log in as administrator on IBM Verify.
- Select Applications > Applications and click Add application.
- Search for the application type by the name that was set for the uploaded application profile, select it from the menu, and click Add application. For example, if the SAP User Management Engine profile was uploaded with the name SAP-UME, the application is found as SAP-UME (custom).
- In the Add applications page, select the General tab, and specify the required details.
- Select the Account lifecycle tab.
- Specify the provisioning and deprovisioning policies.
The parameters and their descriptions:
  - Provision accounts: Disabled by default, which means that account creation is performed outside of IBM Verify. Select Enabled to automatically provision an account when the entitlement is assigned to a user. Password generation and email notification are available for accounts that are created through IBM Verify.
  - Deprovision accounts: Disabled by default, which means that account removal is performed outside of IBM Verify. Select Enabled to automatically deprovision an account when the entitlement is removed from a user.
  - Account password:
    - Sync user's Cloud Directory password: Available only if Password sync is enabled on the Cloud Directory. The Cloud Directory password is used when a regular user is provisioned to the application. Federated users receive a generated password when they are provisioned to the application.
    - Generate password: Generates a random password for the provisioned account. The password conforms to the Cloud Directory password policy.
    - None: Provisions the account without a password.
  - Send email notification: Available only when Generate password is selected. When selected, an email notification that contains the auto-generated password is sent to your email address after the account is provisioned successfully.
  - Grace period (days): The number of days for which a deprovisioned account is kept suspended before it is deleted permanently.
  - Deprovision action: Delete the account. This field is available only if Deprovision accounts is enabled.
- In the General section, select the Application profile from the drop-down. If the profile does not exist, you must create one. For more information, see Managing identity adapter application profiles.
- Specify the API authentication details.
The parameters and their descriptions:
  - Tivoli® Directory Integrator location: URL of the IBM Verify Directory Integrator instance. For example, rmi://<ip-address>:<port>/ITDIDispatcher, where ip-address is the IBM Verify Directory Integrator host and port is the port number of the RMI Dispatcher.
  - SPML Provisioning URL: The fully qualified domain name (URL) of the SAP SPML provisioning interface. This field is mandatory. Use an https URL wherever possible, because the adapter authenticates to this endpoint with the user ID and password that follow.
  - SPML Provisioning User ID: The SAP user account login ID that the adapter uses to connect to the SAP instance and perform SPML provisioning. This field is mandatory.
  - Password: The password of the SAP user that the adapter uses to connect to the SAP instance and perform SPML provisioning. This field is mandatory.
  - Identity agent: Select an Identity Agent of type provisioning from the drop-down. The application profile is discovered through this agent.
  - Description: Optional. Add a description if needed.
  - Path for Attribute map properties file: Optional. Specify the file path from which the adapter loads the properties file for a service. If the adapter is configured to use more than one target SAP system, each target system needs its own properties file, and the files must have different file names. All these files must reside under the ITDI_HOME/timsol/umeprop/ directory. The default properties file name is SAPUMEAttributeMap.properties.
    For example: two SAP servers, Server1 and Server2, are configured to use the same Security Directory Integrator. The IBM Verify Identity Manager service service1 is configured for the user attributes of Server1, and service2 is configured for the user attributes of Server2. If service1 and service2 are configured to provision different attributes, two properties files must be created, propFile1.properties for Server1 and propFile2.properties for Server2. In this case, the attribute must be set to umeprop/propFile1.properties for service1 and umeprop/propFile2.properties for service2.
- Click Test Connection to test the connection to the on-premises SAP User Management Engine. The connection must succeed before accounts can be provisioned or reconciled on the SAP User Management Engine application.
- Map the target SAP User Management Engine attributes to the Verify attributes as required. Select the Keep updated check box for the attributes that need to be updated on the target.
- Select the Account sync tab.
- In the Adoption policy section, add one or more attribute pairs that need to match for the account sync process to assign SAP User Management Engine accounts to their respective account owners on Verify.
- In the Remediation Policies section, choose a remediation policy to remediate non-compliant accounts automatically.
- Click Save.
- After the application is saved, specify the authorization policy on the Entitlements tab.
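The API authentication details above (the Directory Integrator RMI location, the SPML Provisioning URL, and the per-service attribute map properties file path) are easy to get subtly wrong, and a failed Test Connection does not say which field is at fault. The following pre-flight checker is an added example written for this page; it is not IBM Verify or adapter code. It encodes the rules stated in the procedure: the RMI URL must be rmi://<host>:<port>/ITDIDispatcher, the SPML URL should be a fully qualified https URL with no embedded credentials, and attribute map files must live under umeprop/ with a distinct file name per target SAP system. All hostnames, ports, service names and file names used as input are constructed sample values.

```python
"""Pre-flight checks for SAP UME adapter connection parameters.

Added example for this page; not part of IBM Verify or the SAP UME adapter.
Sample hosts, ports, services and file names below are constructed.
"""
from urllib.parse import urlsplit
import posixpath

UMEPROP_DIR = "umeprop"                              # relative to ITDI_HOME/timsol
DEFAULT_PROPERTIES = "SAPUMEAttributeMap.properties"  # default file name from the procedure


def check_tdi_location(url: str) -> list[str]:
    """Validate the Directory Integrator location: rmi://<ip-address>:<port>/ITDIDispatcher."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "rmi":
        problems.append("scheme must be rmi")
    if not parts.hostname:
        problems.append("host is missing")
    try:
        if parts.port is None:
            problems.append("port is missing")
    except ValueError:  # urlsplit raises when the port is not a number or out of range
        problems.append("port is not a valid number")
    if parts.path != "/ITDIDispatcher":
        problems.append("path must be /ITDIDispatcher")
    return problems


def check_spml_url(url: str) -> list[str]:
    """Validate the SPML Provisioning URL: https, fully qualified host, no inline credentials."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("use https; the adapter sends the SPML user ID and password to this endpoint")
    host = parts.hostname or ""
    if not host:
        problems.append("host is missing")
    elif "." not in host:
        problems.append("host should be a fully qualified domain name")
    if parts.username or parts.password:
        problems.append("do not embed credentials in the URL; use the User ID and Password fields")
    return problems


def check_attribute_map_paths(services: list[tuple[str, str, str]]) -> list[str]:
    """services: (service name, target SAP server, configured path); an empty path means the default file.

    Every file must sit under umeprop/ (relative to ITDI_HOME/timsol), carry the .properties
    extension, and each target SAP system must have its own file name.
    """
    problems = []
    file_to_server: dict[str, str] = {}
    for service, server, path in services:
        path = path or f"{UMEPROP_DIR}/{DEFAULT_PROPERTIES}"
        normalized = posixpath.normpath(path)
        top = normalized.split("/", 1)[0]
        if normalized.startswith("/") or top == "..":
            problems.append(f"{service}: path must be relative to ITDI_HOME/timsol")
        elif top != UMEPROP_DIR:
            problems.append(f"{service}: properties file must reside under {UMEPROP_DIR}/")
        if not normalized.endswith(".properties"):
            problems.append(f"{service}: file should use the .properties extension")
        name = posixpath.basename(normalized)
        owner = file_to_server.setdefault(name, server)
        if owner != server:
            problems.append(f"{service}: {name} is already used for {owner}; each SAP system needs its own file")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real hosts.
    print(check_tdi_location("rmi://10.0.0.5:1099/ITDIDispatcher"))
    print(check_spml_url("http://sapume/spml/spmlservice"))
    print(check_attribute_map_paths([
        ("service1", "Server1", "umeprop/propFile1.properties"),
        ("service2", "Server2", "umeprop/propFile1.properties"),
    ]))
```

Run it with the values you intend to paste into the form; an empty list means the field passes the rules on this page. The duplicate-file check is keyed on the target SAP server, not the service, so two services that legitimately point at the same SAP system may share a file, while two different systems sharing SAPUMEAttributeMap.properties (the default when the field is left blank) is reported.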