Tivoli Directory Integrator, Version 7.1.1

SAP ABAP Application Server User Registry Connector

This section describes the configuration and operation of the IBM® Tivoli® Directory Integrator SAP ABAP Application Server User Registry Connector.

This chapter contains the following sections:

This component is not available in the Tivoli Directory Integrator 7.1.1 General Purpose Edition.

Introduction

This component enables the provisioning and management of SAP user accounts to external applications (with respect to SAP ABAP Application Server). The Connector uses the generic RFC invocation feature of the IBM Tivoli Directory Integrator Function Component for SAP ABAP Application Server (referred to hereafter as the RFC Function Component). The RFC Function Component enables the Connector to manage SAP user account attributes by executing RFC ABAP code as an external SAP ABAP Application Server client application.

The Connector supports an extendable generic framework for provisioning SAP user accounts and their associated attributes. This is achieved by defining an XML representation of user account information. This XML is then transformed via XSL style sheet transformations (XSLT) into RFC requests. The default functionality of the Connector does not require the deployment of custom RFC ABAP code onto the target SAP ABAP Application Server instance.

The key features and benefits of the Connector are:

The Connector supports the following IBM Tivoli Directory Integrator Connector modes:

Figure 2 below illustrates the component design of the SAP User Registry.

Figure 10. Component design of the SAP User Registry
Diagram shows integration architecture and event flow.

Skip Lookup in Update and Delete mode

The SAP ABAP Application Server User Registry Connector supports the Skip Lookup general option in Update or Delete mode. When it is selected, no search is performed prior to actual update and delete operations.

For this to function, the sapUserName attribute should be defined in the Link Criteria of the Connector.

Configuration

The SAP ABAP Application Server User Registry Connector may be added directly into an assembly line. The following section lists the configuration parameters that are available for SAP ABAP Application Server client connections and XSL style sheet behavior. The runtime names are shown in parentheses.

Parameters

ABAP AS Client (client)
SAP ABAP AS Logon client for SAP connection (for example, 100). This is passed directly to the RFC Function Component.
ABAP AS User (user)
SAP ABAP AS Logon user for SAP connection. This is passed directly to the RFC Function Component.
Password (passwd)
SAP ABAP AS Logon password for SAP connection. This is passed directly to the RFC Function Component.
ABAP AS System Number (sysnr)
The SAP ABAP AS system number for SAP connection (for example, 100). This is passed directly to the RFC Function Component.
ABAP AS Hostname (ashost)
SAP ABAP Application Server name for SAP connection. This is passed directly to the RFC Function Component.
Gateway host (gwhost)
Gateway host name for SAP connection. This is passed directly to the RFC Function Component.
RFC Trace (trace)
Set to one (1) to enable RFC API tracing. If enabled, the SAP RFC API will produce separate rfc_nnnn.trc files in the working directory of IBM Tivoli Directory Integrator. This option may be useful to help diagnose RFC invocation problems. It logs the activity and data between the Connector and SAP ABAP Application Server. This should be set to zero (0) for production deployment.
Optional RFC Connection Parameters
Used to define a list of other optional RFC connection parameters. The value for this configuration list is a key=value list where each connection parameter is separated by the space character. For example, the following string value would set the SAP Gateway Service to "sapgw00" and enable the SAP GUI.
"gwserv=sapgw00 use_sapgui=1"

Here is a list of optional SAP Java Connector parameters that are accessible.

Alias user name (alias_user)
SAP message server (mshost)
Gateway service (gwserv)
Logon language (lang)
1 (Enable) or 0 (disable) RFC trace (trace)
Initial codepage in SAP notation (codepage)
Secure network connection (SNC) mode, 0 (off) or 1 (on) (snc_mode)
SNC partner, for example, p:CN=R3, O=XYZ-INC, C=EN (snc_partnername)
SNC level of security, 1 to 9 (snc_qop).
SNC name. Overrides default SNC partner (snc_myname)
Path to library which provides SNC service (snc_lib)
SAP R/3 name (r3name)
Group of SAP application servers (group)
Program ID of external server program (tpname)
Host of external server program (tphost)
Type of remote host 2 = R/2, 3 = R/3, E = External (type)
Enable ABAP debugging 0 or 1 (abap_debug)
Use remote SAP graphical user interface (0/1/2) (use_sapgui)
Get/Don't get a SSO ticket after logon (1 or 0) (getsso2)
Use the specified SAP Cookie Version 2 as logon ticket (mysapsso2)
Use the specified X509 certificate as logon ticket (x509cert)
Enable/Disable logon check at open time, 1 (enable) or 0 (disable) (lcheck)
String defined for SAPLOGON on 32-bit Windows (saplogon_id)
Data for external authentication (PAS) (extiddata)
Type of external authentication (PAS) (extidtype)
Idle timeout (in seconds) for the connection after which it will be closed by R/3. Only positive values are allowed. (idle_timeout)
Enable (1) or Disable (0) dsr support (dsr)
RFC Function Component Name (sapr3.userconn.rfcFC)
The name of the RFC Function Component registered with IBM Tivoli Directory Integrator. This option should be changed only on the advice of IBM support. The default value is:
ibmdi.SapR3RfcFC
Add Mode StyleSheets (sapr3.userconn.putStylesheets)
The list of XSLT style sheet files to be executed by the Connector when deployed in Add Only mode. At runtime, each style sheet is applied to the XML contained within the Container Entry. The XSL will be applied to the value of the attribute named sapUserXml. Each XSL style sheet filename must be entered on a new line within the text box. This configuration parameter should be changed only at the direction of IBM support. The default value is:
xsl/bapi_user_create.xsl, xsl/bapi_user_actgroups_assign.xsl, 
   xsl/bapi_user_profiles_assign.xsl
Update Mode StyleSheets (sapr3.userconn.modifyStylesheets)
The list of XSLT style sheet files to be executed by the Connector when deployed in Update mode. At runtime, each style sheet is applied to the XML contained within the Container Entry. The XSL will be applied to the value of the attribute named sapUserXml. Each XSL style sheet filename must be entered on a new line within the text box. This configuration parameter should be changed only at the direction of IBM support. The default XSL list is:
xsl/bapi_user_change.xsl, xsl/bapi_user_actgroups_assign.xsl, 
   xsl/bapi_user_profiles_assign.xsl
Delete Mode StyleSheets (sapr3.userconn.deleteStylesheets)
The list of XSLT style sheet files to be executed by the Connector when deployed in Delete mode. At runtime, each style sheet is applied to the XML contained within the Container Entry. The XSL will be applied to the value of the attribute named sapUserXml. Each XSL style sheet filename must be entered on a new line within the text box. This configuration parameter should be changed only at the direction of IBM support. The default value is:
xsl/bapi_user_delete.xsl
Lookup Mode Pre StyleSheet (sapr3.userconn.findPreStylesheet)
The XSLT style sheet file to be executed by the Connector when creating an RFC XML request that is able to obtain all user attributes for a given user. This configuration value must be set when the Connector is deployed in Update, Delete, and Lookup modes. This configuration parameter should be changed only at the direction of IBM support. The default value is:
xsl/bapi_user_getdetail_precall.xsl
Lookup Mode Post StyleSheet (sapr3.userconn.findPostStylesheet)
The XSLT style sheet file to be executed by the Connector when creating the user XML formatted response from the Connector. This configuration value must be set when the Connector is deployed in Update, Delete, and Lookup modes. The XSLT transforms the response XML from the RFC executed as a result of the XSLT from Lookup Mode Pre StyleSheet configuration. This configuration parameter should be changed only at the direction of IBM support. The default value is:
xsl/bapi_user_getdetail_postcall.xsl
Select Entries Pre StyleSheet (sapr3.userconn.selectEntriesPreStylesheet)
The XSLT style sheet file to be executed by the Connector when creating an RFC XML request that is able to obtain all user names from SAP. This configuration value must be set when the Connector is deployed in Iterator mode. This configuration parameter should be changed only at the direction of IBM support. The default value is:
xsl/bapi_user_getlist_precall.xsl
Select Entries Post StyleSheet (sapr3.userconn.selectEntriesPostStylesheet)
The XSLT style sheet file to be executed by the Connector when creating the user XML for the getNextEntry() processing. This configuration value must be set when the Connector is deployed in Iterator mode. The XSLT transforms the response XML from the RFC executed as a result of the XSLT from Select Entries Pre StyleSheet configuration. This configuration parameter should be changed only at the direction of IBM support. The default value is:
xsl/bapi_user_getlist_postcall.xsl
Iterator Mode Pre StyleSheet (sapr3.userconn.getNextPreStylesheet)
The XSLT style sheet file to be executed by the Connector when creating an RFC XML request that is able to obtain all user attributes for a given user. This configuration value must be set when the Connector is deployed in Iterator mode. This configuration parameter should be changed only at the direction of IBM support. The default value is:
xsl/bapi_user_getdetail_precall.xsl
Iterator Mode Post StyleSheet (sapr3.userconn.getNextPostStylesheet)
The XSLT style sheet file to be executed by the Connector when creating the user XML formatted response from the Connector. This configuration value must be set when the Connector is deployed in Iterator mode. The XSLT transforms the response XML from the RFC executed as a result of the XSLT from Iterator Mode Pre StyleSheet configuration. This configuration parameter should be changed only at the direction of IBM support. The default value is:
xsl/bapi_user_getdetail_postcall.xsl
Detailed Log
When checked, generates additional log messages. The Connector logs data and activity when this option is enabled.
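
A pre-deployment check for the Optional RFC Connection Parameters string described above, as an added example that is not IBM code. The key names are the ones listed on this page; the rules applied (trace and ABAP debugging off, SNC on with a partner name) are an assumed production policy, and the two "constructed" strings are sample input made up for the example.

```javascript
// Added example, not IBM code. Key names are the ones listed on this page;
// the rules in lintRfcParams are an assumed production policy.
const KNOWN_KEYS = new Set([
  "alias_user", "mshost", "gwserv", "lang", "trace", "codepage", "snc_mode",
  "snc_partnername", "snc_qop", "snc_myname", "snc_lib", "r3name", "group",
  "tpname", "tphost", "type", "abap_debug", "use_sapgui", "getsso2",
  "mysapsso2", "x509cert", "lcheck", "saplogon_id", "extiddata", "extidtype",
  "idle_timeout", "dsr",
]);

// Split the space-separated key=value string; collect tokens that do not parse.
function parseRfcParams(text) {
  const params = new Map();
  const problems = [];
  for (const token of text.trim().split(/\s+/).filter(Boolean)) {
    const eq = token.indexOf("=");
    const key = eq > 0 ? token.slice(0, eq) : "";
    if (!KNOWN_KEYS.has(key)) {
      // Under the space-separated rule, a value that contains spaces
      // splits here and its tail shows up as unrecognised tokens.
      problems.push(`unrecognised token: ${token}`);
      continue;
    }
    if (params.has(key)) problems.push(`duplicate key: ${key}`);
    params.set(key, token.slice(eq + 1));
  }
  return { params, problems };
}

// Return parse problems plus settings that weaken a production connection.
function lintRfcParams(text) {
  const { params, problems } = parseRfcParams(text);
  const findings = [...problems];
  if (params.get("trace") === "1") {
    findings.push("trace=1: rfc_nnnn.trc files record data exchanged with SAP");
  }
  if (params.get("abap_debug") === "1") {
    findings.push("abap_debug=1: ABAP debugging is enabled");
  }
  if (params.get("snc_mode") !== "1") {
    findings.push("snc_mode is not 1: SNC is off for this connection");
  } else {
    const qop = Number(params.get("snc_qop"));
    if (params.has("snc_qop") && !(Number.isInteger(qop) && qop >= 1 && qop <= 9)) {
      findings.push("snc_qop must be 1 to 9");
    }
    if (!params.has("snc_partnername")) {
      findings.push("snc_mode=1 without snc_partnername");
    }
  }
  if (params.has("idle_timeout")) {
    const t = Number(params.get("idle_timeout"));
    if (!(Number.isInteger(t) && t > 0)) findings.push("idle_timeout must be positive");
  }
  return findings;
}

// The page's own example string, then two constructed ones.
const PAGE_EXAMPLE = "gwserv=sapgw00 use_sapgui=1";
const CONSTRUCTED_WEAK = "trace=1 snc_mode=1 snc_qop=12 idle_timeout=0";
const CONSTRUCTED_SPACED = "snc_mode=1 snc_partnername=p:CN=R3, O=XYZ-INC, C=EN";
for (const s of [PAGE_EXAMPLE, CONSTRUCTED_WEAK, CONSTRUCTED_SPACED]) {
  console.log(JSON.stringify(s), "->", lintRfcParams(s));
}
```

The page does not say how the Connector treats a value that contains spaces, such as the SNC partner name shown in the list; the check reports the split tokens so the string can be reviewed before deployment.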

Using the SAP ABAP Application Server User Registry Connector

This section describes how to use the Connector in each of the IBM Tivoli Directory Integrator Connector modes. The section also describes the IBM Tivoli Directory Integrator Entry schema supported by the Connector.

Note:
The default XSL style sheet file name values are relative path locations with respect to the IBM Tivoli Directory Integrator AssemblyLine execution directory. In some situations, it may be necessary to prepend the default file name values with the fully qualified installation location of the XSL files. Such modification is likely if the IBM Tivoli Directory Integrator Component Suite for SAP ABAP Application Server has been installed in (or if the AssemblyLine is executing from) a directory location separate from the IBM Tivoli Directory Integrator installation.

IBM Tivoli Directory Integrator Entry Schema

The User Registry Connector supports only two fixed IBM Tivoli Directory Integrator entry attributes. The schema is available through the discover schema feature (the Connect button) in the IBM Tivoli Directory Integrator configuration tool. The attribute schema is described below.

Table 50. IBM Tivoli Directory Integrator Schema

Attribute Name: sapUserXml
Type: java.lang.String
Description: A string representing the attributes of an SAP user. The XSchema is defined in XSchema for User Registry Connector XML. This attribute and value must be present on the Output Map when the Connector is deployed in Add Only, Update and Delete modes. This attribute and value are available on the Input Map when the Connector is deployed in Lookup and Iterator modes.

Attribute Name: sapUserName
Type: java.lang.String
Description: A string representing the name of a given SAP user. The Connector supports this attribute primarily for configuration of Link Criteria.

Add Only Mode

When deployed in Add Only mode, the Connector is able to create a new user in the SAP database. The Connector should be added to the Flow section of an IBM Tivoli Directory Integrator AssemblyLine. The Output Map must define a mapping for the sapUserXml Connector attribute. The value of this attribute represents the details of the user to be added to SAP. The value will be applied to each configured XSLT file in the order defined. The XSLT transforms produce separate RFC XML requests to be executed by the RFC Function Component, which is managed internally by the Connector.

The Connector does not support duplicate or multiple entries. Only one entry should be supplied to the Connector at a time.

Update Mode

When deployed in Update mode, the Connector is able to modify an existing user in the SAP database. The Connector should be added to the Flow section of an IBM Tivoli Directory Integrator AssemblyLine. The Output Map must define a mapping for the sapUserXml Connector attribute. The value of this attribute represents the details of the user to be changed in SAP. The value will be applied to each configured XSLT file in the order defined. The XSLT transforms produce separate RFC XML requests to be executed by the RFC Function Component, which is managed internally by the Connector.

Additionally, the sapUserName attribute should be defined in the Link Criteria of the Connector. The Link Criteria is required by the AssemblyLine, since the AssemblyLine will invoke the Connector's findEntry() method to verify the existence of the given user. The value of sapUserName, as defined in the Link Criteria, must match the value of the <sapUserName> XML element present in the value of sapUserXml. All parameters defined in the Link Criteria are passed as XSLT style sheet parameters. If duplicate Link Criteria names are supplied, the Connector will use the last value supplied. The style sheets are not required to use the parameter.

The only operator supported for Link Criteria is an equals exact match. Wildcard search criteria are not supported, because the RFC lookup method does not currently support wild cards. The Connector will not return duplicate entries.

The Connector does not support duplicate or multiple entries. Only one entry should be supplied to the Connector at a time.

Note:
This mode allows role and profile assignments to be changed. If sapRoleList or sapProfileList are present in the XML supplied to the Connector, then the Connector will perform a complete delete and replace of the current assignments in SAP. This means the supplied XML must contain the complete assignments that need to exist after the operation is executed. This is true also for date ranges associated with roles. If the intention is to change a date range for a role already assigned, and not add or remove existing assignments, the complete list of role assignments with the new date ranges needs to be supplied in the XML. Date ranges should be present with all roles, unless the SAP default date values are acceptable.
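
The delete-and-replace behavior in the note above, as an added example that is not IBM code: a pre-flight check that compares the assignments a Lookup returned with the list about to be supplied in Update mode, and a helper that builds the complete list. The {name, from, to} record shape, the date format and the role names are hypothetical; they do not reproduce the Connector's XML schema.

```javascript
// Added example, not IBM code. Assignments are modelled as {name, from, to}
// records; this shape and the sample role names are hypothetical.
const byName = (list) => new Map(list.map((r) => [r.name, r]));

// What a delete-and-replace with `supplied` does to the `current` assignments.
function replaceEffect(current, supplied) {
  const cur = byName(current);
  const sup = byName(supplied);
  const effect = { removed: [], added: [], redated: [], defaultDates: [] };
  for (const name of cur.keys()) {
    if (!sup.has(name)) effect.removed.push(name);
  }
  for (const [name, r] of sup) {
    const old = cur.get(name);
    if (!old) effect.added.push(name);
    else if (old.from !== r.from || old.to !== r.to) effect.redated.push(name);
    // No date range supplied: the SAP default date values will apply.
    if (!r.from || !r.to) effect.defaultDates.push(name);
  }
  return effect;
}

// Build the complete list an Update needs: current assignments from a Lookup
// with the intended changes applied on top.
function buildCompleteList(current, changes) {
  const result = byName(current);
  for (const name of changes.remove || []) result.delete(name);
  for (const r of changes.set || []) result.set(r.name, { ...r });
  return [...result.values()];
}

// Pre-flight check: pass only if every removal was asked for explicitly.
function checkUpdate(current, supplied, intendedRemovals = []) {
  const effect = replaceEffect(current, supplied);
  const unexpected = effect.removed.filter((n) => !intendedRemovals.includes(n));
  return { ok: unexpected.length === 0, unexpected, effect };
}

// Constructed sample data.
const CURRENT_ROLES = [
  { name: "Z_FI_DISPLAY", from: "2024-01-01", to: "2024-12-31" },
  { name: "Z_HR_CLERK", from: "2024-01-01", to: "2024-12-31" },
];
const NEW_RANGE = { name: "Z_HR_CLERK", from: "2024-01-01", to: "2025-06-30" };

// Supplying only the changed role would silently drop Z_FI_DISPLAY.
console.log(checkUpdate(CURRENT_ROLES, [NEW_RANGE]));
// Supplying the merged list changes the date range and nothing else.
const COMPLETE = buildCompleteList(CURRENT_ROLES, { set: [NEW_RANGE] });
console.log(checkUpdate(CURRENT_ROLES, COMPLETE));
```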

Delete Mode

When deployed in Delete mode, the Connector is able to delete an existing user from the SAP database. The Connector should be added to the Flow section of an IBM Tivoli Directory Integrator AssemblyLine. The sapUserName attribute must be defined in the Link Criteria of the Connector. The Link Criteria is required by the AssemblyLine, since the AssemblyLine will invoke the Connector's findEntry() method to verify the existence of the given user. All parameters defined in the Link Criteria are passed as XSLT style sheet parameters. If duplicate Link Criteria names are supplied, the Connector will use the last value supplied. The style sheets are not required to use the parameter.

The only operator supported for Link Criteria is an equals exact match. Wildcard search criteria are not supported, because the RFC lookup method does not currently support wild cards.

The Connector does not support duplicate or multiple entries. Only one entry should be supplied to the Connector at a time.

Lookup Mode

When deployed in Lookup mode, the Connector is able to obtain all details of a given SAP user. The Connector should be added to the Flow section of an IBM Tivoli Directory Integrator AssemblyLine. The sapUserName attribute must be defined in the Link Criteria of the Connector. If duplicate Link Criteria names are supplied, the Connector will use the last value supplied. The Connector will populate the XML string value of the attribute sapUserXml. This attribute is available to the AssemblyLine in the Connector's Input Map.

The Connector's findEntry() method is the main code executed. It uses the result of the XSLT transform configured in Lookup Mode Pre StyleSheet, to execute an RFC to obtain all details for the given user. The result of the RFC is then transformed using the XSLT transform configured in Lookup Mode Post StyleSheet.

The only operator supported for Link Criteria is an equals exact match. Wildcard search criteria are not supported, because the RFC lookup method does not currently support wild cards.

The Connector does not support duplicate or multiple entries. The Connector will return only one entry at a time.

Iterator Mode

When deployed in Iterator mode, the Connector is able to retrieve the details of each user in the SAP database, in turn, and make those details available to the AssemblyLine. The XSLT style sheets for Select Entries Pre StyleSheet, Select Entries Post StyleSheet, Iterator Mode Pre StyleSheet, and Iterator Mode Post StyleSheet must be configured.

When deployed in this mode, the IBM Tivoli Directory Integrator AssemblyLine will first call the Connector's selectEntries() method to obtain and cache a list of all user names in the SAP database. The AssemblyLine will then call the Connector's getNextEntry() method. This method will maintain a pointer to the current name cached in the list. The method will use this name to call an RFC to obtain all details for the user. The results of the RFC are formatted by an XSLT transform and set as the value of sapUserXml and returned by the Connector.

Transactional Operations Not Supported

Neither the Connector nor IBM Tivoli Directory Integrator currently supports transactions with SAP ABAP Application Server. Some of the known consequences are explained in this section.

When the Connector is deployed in a mode that results in write operations with SAP (that is, Add Only, Update and Delete) it is possible for operations to be partially complete. This can occur if multiple XSL style sheets, which generate RFC requests, are required to complete the operation. If one of the earlier RFC requests fails, then RFC requests executed subsequently may fail as a result. The Connector attempts to perform all XSL transformations and resulting RFC invocations on a best effort basis.

Consider the Add Only case to create a user account in SAP. The first style sheet generates an RFC request for BAPI_USER_CREATE. The second style sheet generates an RFC request for BAPI_USER_ACTGROUPS_ASSIGN. The third style sheet generates an RFC request for BAPI_USER_PROFILES_ASSIGN. If the third request fails, then the user may be created without the assignment of profiles.

Another case exists when attempting to create a user that already exists in SAP. The first style sheet results in a call to BAPI_USER_CREATE. This invocation will result in an ABAP application level error return result (this is not the same as an API or infrastructure error). The Connector will log this. The Connector will then proceed with the subsequent style sheet and RFC invocations, which attempt to assign roles and profiles to the user. Since the user already exists, the role and profile assignments will succeed.

For the case explained above, should the Connector stop processing after the first RFC, or should the Connector continue with the role and profile assignments that the IBM Tivoli Directory Integrator user expected to exist for the newly created user? If the required behavior is to stop after the first RFC error, then an additional configuration of the IBM Tivoli Directory Integrator AssemblyLine can satisfy this requirement. Deploy a second instance of the Connector in Lookup mode before the Add Only mode instance. Custom JavaScript code can then use the Lookup Connector to conditionally terminate or continue the AssemblyLine, depending on the existence of the user to be created.

Handling ABAP Errors

The Connector invokes BAPI/RFC functions in SAP to perform the Connector mode operations. In some cases, data passed to the BAPI/RFC functions from the XML input may result in ABAP data validation failures. For example, the value for post code may not be valid within the country region. The BAPI/RFC functions return the results of validation checks in the RETURN parameter of the RFC.

The Connector has been designed to make the RFC return status available to the AssemblyLine. The Connector does not interpret or translate ABAP errors or warnings into thrown exceptions. The Connector registers a script bean named urcAbapErrorCache. The bean is registered for all Connector modes and can be accessed in Connector hooks. The bean is an instance of AbapErrorCache. Script code in a Connector hook can use this information to perform contingency actions as required. The cache is reset before the execution of each Connector method.

Example script code is shown below. For specific details, refer to the Javadoc contained in the distribution package.

var errs = urcAbapErrorCache.getLastErrorSet();
if (errs.size() > 0) {
  task.logmsg("********** There were ABAP Errors **********");
  for (var i = 0; i < errs.size(); ++i) {
   var errInfo = errs.get(i);
   task.logmsg("The message is: " + errInfo.getMsg());
   task.logmsg("The message number is: " + errInfo.getMsgNum().toString());
  }
}

var warns = urcAbapErrorCache.getLastWarningSet();
if (warns.size() > 0) {
  task.logmsg("********** There were ABAP Warnings *********");
  for (var i = 0; i < warns.size(); ++i) {
   var errInfo = warns.get(i);
   task.logmsg("The message is: " + errInfo.getMsg());
   task.logmsg("The message number is: " + errInfo.getMsgNum().toString());
  }
}
(C) Copyright IBM Corporation, 2003, 2012. All Rights Reserved.