IBM Security Identity adapter for SAP NetWeaver 7.1.33 is available. Compatibility, installation, and other getting-started issues are addressed.
Copyright International Business Machines Corporation 2003, 2019. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
These Release Notes contain information for the following products that was not available when the IBM Security Identity Server manuals were printed:
The IBM Security Identity Adapter for SAP NetWeaver is designed to create and manage accounts on a target SAP NetWeaver ABAP server. The adapter runs in "agentless" mode and communicates using standard BAPI and RFC methods supplied with the SAP server. Communication to these BAPI and RFC methods is enabled by the SAP Java Connector (JCo) API.
The IBM Security Identity Server adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Identity Server will fail if the adapter is not given sufficient authority to perform the requested task.
Review and agree to the terms of the IBM Security Identity Manager Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package.
Adapter Version
| Component | Version |
|---|---|
| Build Date | 2020 June 11 20.56.45 |
| Adapter Version | 7.1.33 |
| Component Versions | Adapter build: 7.1.33.213 Profile: 7.1.33.213 Connector: 7.1.33.213 Dispatcher 7.1.39 and above |
| Documentation | The following guides are available in the IBM Knowledge Centre: · SAP NetWeaver Adapter Installation and Configuration Guide · Integration for SAP Governance, Risk and Compliance Access Control Installation and Configuration Guide |
New Features
| Internal # | Enhancement # (RFE) | Description |
|---|---|---|
| Items included in current release (7.1.33) | | |
| RTC 185234 | RFE 135338 (59543) | SAP S/4 Adapter. Note: Added support for SAP S/4 HANA On-premise |
| Items included in 7.1.32 release | | |
| RTC 181518 | | Attribute Values lookup Support - SAPNW Adapter added for IGI 5.2.5. See Limitation on to pick-up the value form drop-down list section for more information. |
| Items included in 7.1.31 release | | |
| | | Added support for JCo 3.0.18 |
| Items included in 7.1.30 release | | |
| RTC 174562 | | Support for SAP NW 752 |
| RTC 162832 | | SAPGRC support on ISIMVA 7.0. See "Support SAPGRC on ISIMVA 7.0" section for more information. |
| Items included in 7.1.29 release | | |
| | | None |
| Items included in 7.1.28 release | | |
| | | None |
| Items included in 7.1.27 release | | |
| Internal | | Addition of the special flag attribute in targetProfile.json |
| Items included in 7.1.26 release | | |
| | | None |
| Items included in 7.1.25 release | | |
| | | None |
| Items included in 7.1.24 release | | |
| Internal | | SAP Authorization roles issue - SAP complexAttribute handler should set ID value for ComplexAttributeValue |
| Items included in 7.1.23 release | | |
| RTC 153839 | | Added support for JCo 3.0.16. Bug 2160 - Test connection issue on SAP NW adapter service failing with 'Password decryption failed'. Bug 2262 - SAP NetWeaver CTGDIK220E Communication error with SAP R/3 |
| Items included in 7.1.22 release | | |
| RTC 151783 | | Add Support for Identity Governance and Intelligence (IGI) v5.2.2. This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager and Identity Governance and Intelligence. Note: The SAP NetWeaver adapter does not support adapter inside VA functionality. It cannot be installed inside the Identity Governance and Intelligence VA. |
| Items included in 7.0.21 release | | |
| | | None |
| Items included in 7.0.20 release | | |
| RTC 142424 | | Support for SAP NW 750 |
| 96511 (46480) | | Support for Complex attribute handler for SAP. Note: In order to use this feature, upgrade to IBM Security Identity Manager Version 7.0.1. |
| RTC 142424 | | Support for SAP NW 750 |
| Items included in 7.0.19 release | | |
| Internal | | Changes for IGI 5.2 release. Note: This change is applicable only to SAP NW adapter. Change multi-value attributes to add/delete instead of replace: ersapnwprofile, ersapnwgroup, ersapnwusergroups |
| Items included in 7.0.18 release | | |
| Internal | | Role-only changes for IGI 5.2 release. Note: This change is applicable only to SAP NW adapter |
| Items included in 7.0.17 release | | |
| | | Initial Release. |
Closed Issues
| Internal# | APAR# | Case# / Description |
|---|---|---|
| Items included in current release (7.1.33) | | |
| RTC 185813 Bug 2826 TS001794649 | APAR IJ22247 | Instable connection to our SAP-Instances. |
| RTC 185399 Bug 3097 TS002868452 | | Change xsl files to use PARAMETER1 instead of PARAMETER, wherever required. |
| Items included in 7.1.32 release | | |
| RTC 177771 | Bug 2533 | PMR TS000088851 SAP NW Adapter: Warning is logged when modifying account more than 6 attributes |
| RTC 181544 | | Internal: Modify SAPNWMapping.def file for identity_uid=identity_uid mapping |
| Items included in 7.1.31 release | | |
| RTC 178407 | Bug 2678 | IGI 5.2.4 SAP NetWeaver Code [4203] attribute should be multivalued |
| RTC 173823 | Bug 2682 | Start and end date of SAP authorization roles is ignored while joining provisioning policies |
| Items included in 7.1.30 release | | |
| RTC 176181 | IJ06626/BUG 2536 | PMR TS000093857 Frequent error on multiple suspends to SAP instances. D - As a SAP NW adapter developer I need to prevent frequent error on multiple suspends to SAP instances, Bugz 2536, APAR IJ06626 |
| Items included in 7.1.29 release | | |
| RTC 171786 | IJ03346/BUG 2531 | PMR TS000079006 SAP Adapter: Request is not retried and fails immediately when SAP server is not available. US - As a SAP NW adapter developer, I need to provide correct error messages |
| | IJ05019/ Bug 2573 | PMR TS000134773 SAP Provisioning doesn't work for email attribute |
| Items included in 7.1.28 release | | |
| RTC 171627 | IJ03216/Bug 2518 | PMR TS000078215 End date of role is not set to SAP server. As a SAP NW adapter developer, I must ensure proper handling of '\|' characters. |
| Items included in 7.1.27 release | | |
| RTC 168608 | Bug 2443 | PMR 18368,035,649 Adapter password is missing. As a SAP NW adapter developer, I must ensure the adapter properly handles SAP JCo caching |
| Items included in 7.1.26 release | | |
| | | None |
| Items included in 7.1.25 release | | |
| RTC 161746 | | AGC - Connector/Adapter SAP Remove Permission system SAP CUA |
| Items included in 7.1.24 release | | |
| RTC 158750 | IV94659/Bug 2302 | PMR 03339,070,724 SAP Authorization Profiles with no description are not reconciled. See Support data reconciliation as the language given on service form for more details. |
| Items included in 7.1.23 release | | |
| RTC 155022 | IV90363/Bug 2193 | PMR 18847,130,702/ ISIM SAP reconciliation retrieves only a subset of all roles that are in SAP |
| Items included in 7.1.22 release | | |
| | IV87049/Bugz 2103, Bugz 2109 | PMR 47462, 100,838/ PMR 74041, 000,834/SAP Roles with no description are not reconciled. This version of the adapter is modified to reconcile all the role names and will reconcile the role description for role names in the language specified on the service form. |
| | IV90363/Bugz 2193 | PMR 18847,130,702/ISIM SAP reconciliation retrieves only a subset of all roles that are in SAP. This version of the adapter is modified to also reconcile child role names which are not present on the parent system. |
| | Internal/Bug 2177 | PMR 00519,070,724/ Confusing documentation about the support for the HR Linking extension |
| Items included in 7.0.21 release | | |
| | IV87049/Bugz 2103, Bugz 2109 | PMR 47462, 100,838/ PMR 74041, 000,834/SAP Roles with no description are not reconciled. |
| | IV89133/Bugz 2155 | PMR 62668,004,000/question about ersapnwusergroups attribute modify behavior |
| Items included in 7.0.20 release | | |
| | | None |
| Items included in 7.0.19 release | | |
| | IV77638/Bugz1856 | SAP NW Adapter modify role request fail, but ISIM LDAP entries updated with role info anyway. |
| Items included in 7.0.18 release | | |
| | | None |
| Items included in 7.0.17 release | | |
| | | Initial Release. |

| Internal# | APAR# | Case# / Description |
|---|---|---|
| | | To use IGI with SAP GRC, install the ARCS-SAP adapter agent on the SAP resource. For more information, visit Introduction to the ARCS-SAP adapter agent at https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.3.1/com.ibm.igi.doc/CrossIdeas_Topics/ARCS/ARCS_SAP_Agent/Introduction_to_ARCS-SAP_Agent.html |
| | | The Adapter for SAP NetWeaver does not retrieve descriptive text from SAP for most support data classes. |
| | | The Language attribute under both the Communication and Default tabs can be searched only by language key, e.g. EN. |
| | | Modifying an account by reassigning a group that has been previously removed from the account is not working correctly. This appears to be a problem with standard SAP functionality. |
| | | Invalid email format (described in 4.1.7 Email Address) is not reported as an error during add and modify operations. |
| | | It is possible to change attributes on the non-CUA/CUA Master License Data tab only if the attribute "Contractual User Type" (ersapnwlicutype) is supplied in the Add or Modify operation request. |
| | | Recon with filter (eruid=*) is case sensitive due to RMI dispatcher limitation. |
| | | If the custom extension xsl file is missing, the operation hangs. |
| | | After modifying adapter service parameters in the IBM Security Identity Manager server, the dispatcher process hosting the adapter must be restarted. |
| | | The adapter reports error or failure status to IBM Security Identity Manager for all provisioning operations if a BAPI/RFC executed during the operation reports an error or failure. There are some cases when a SAP BAPI/RFC may report an error incorrectly. The BAPI/RFC actually executes successfully. One specific example is on user creation. If no user company addresses have been defined in SAP, the BAPI function BAPI_USER_CREATE1 reports an error to the adapter, but actually creates the user account in SAP. When the adapter reports the error to IBM Security Identity Manager, IBM Security Identity Manager server will not update the account in its repository, resulting in an inconsistency between IBM Security Identity Manager and SAP. The incorrect error status indicator cases are reported to SAP support as they are identified, to be corrected by SAP in support packs. In the meantime, IBM Security Identity Manager users should leverage the full or filtered reconciliation features of IBM Security Identity Manager to maintain consistency between IBM Security Identity Manager and SAP repositories. |
| | | IBM Security Identity Manager converts date values to the local time zone of the user. As a result, there can be cases where dates returned from SAP via the adapter to IBM Security Identity Manager server appear to lose or gain a day. This occurs when any account attribute is modified in IBM Security Identity Manager. IBM Security Identity Manager will perform the time zone conversion as the modified account is being saved back into the IBM Security Identity Manager request queue for subsequent provisioning. |

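The BAPI_USER_CREATE1 issue listed above leaves an account in SAP that IBM Security Identity Manager does not track. The following is an added example, not part of the adapter or of these release notes, showing one way to find such accounts and build the filters for a filtered reconciliation. The `Request` record, the three input lists (assumed to be exported from the request history, the ISIM repository and the SAP user list) and `find_drift` are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    request_id: str
    operation: str   # "add", "modify", "delete", ...
    user_id: str
    status: str      # "success" or "failed", as reported by the adapter


def escape_filter_value(value):
    """Escape a value for use in an LDAP-style search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def find_drift(requests, isim_accounts, sap_accounts):
    """Compare both repositories and explain differences via failed adds."""
    # Assumption: SAP user names are upper case, so both sides are
    # normalised before comparing. The filters keep that case because
    # the release notes state that recon filters are case sensitive.
    isim = {u.strip().upper() for u in isim_accounts}
    sap = {u.strip().upper() for u in sap_accounts}

    failed_adds = {}
    for r in requests:
        if r.operation == "add" and r.status == "failed":
            failed_adds[r.user_id.strip().upper()] = r.request_id

    in_sap_only = sap - isim
    created = sorted(u for u in in_sap_only if u in failed_adds)
    return {
        # Add reported as failed, yet the account exists in SAP.
        "created_despite_error": [(u, failed_adds[u]) for u in created],
        # In SAP, unknown to ISIM, and no failed add explains it.
        "unexplained_in_sap": sorted(in_sap_only - set(failed_adds)),
        # Known to ISIM but absent from SAP.
        "missing_in_sap": sorted(isim - sap),
        # One filter per account for a filtered reconciliation.
        "recon_filters": ["(eruid=%s)" % escape_filter_value(u)
                          for u in created],
    }


# Constructed sample data, for illustration only.
SAMPLE_REQUESTS = [
    Request("R-1001", "add", "jsmith", "failed"),   # created in SAP anyway
    Request("R-1002", "add", "mbrown", "success"),
    Request("R-1003", "add", "tlee", "failed"),     # genuinely failed
    Request("R-1004", "modify", "mbrown", "success"),
]
SAMPLE_ISIM = ["MBROWN", "KOLD"]
SAMPLE_SAP = ["JSMITH", "MBROWN", "SVCBATCH"]

if __name__ == "__main__":
    for key, value in find_drift(SAMPLE_REQUESTS, SAMPLE_ISIM,
                                 SAMPLE_SAP).items():
        print(key, value)
```

Accounts under `unexplained_in_sap` and `missing_in_sap` are not covered by the known issue and need separate review.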
This version of the adapter is modified to reconcile support data according to the language given on the service form. The details are as follows:
· For some support data, language is not a barrier, so the adapter reconciles such support data as before.
E.g. Academic title, Company, User group, Menu, Output device, Parameter, User type.
· For some support data, the adapter reconciles the name and description in the language given on the service form and reconciles only the name for other languages. In this case, the description is the same as the name.
E.g. Roles and Profiles.
· For some support data, the adapter reconciles the name and description in the language given on the service form and ignores the data for other languages.
E.g. Timezone, Country, Language, Security Policy, Special version, Title, Type.
Multi Byte Character Support Limitations
All character data transferred between IBM Security Identity Manager Server, the adapter, and SAP ABAP server are encoded as UTF-8. The adapter supports provisioning of multi byte characters to and from a directly connected SAP ABAP Unicode server. Provisioning of ASCII characters is supported for Non-Unicode SAP ABAP servers. The adapter does not support provisioning of multi byte characters to any Non-Unicode ABAP server. Extended ASCII characters are not tested or supported for Non-Unicode SAP ABAP servers.
Non Transactional Provisioning
The adapter does not execute provisioning operations within a transactional context. Some provisioning operations require multiple steps to be executed against the SAP server. As a consequence, errors or warnings that occur after the first step may result in a partially complete provisioning operation. One way to handle this limitation is to use the IBM Security Identity Manager workflow features to execute compensating actions. For example, issue a filter reconciliation for the given user account in order to synchronize the account state between IBM Security Identity Manager and the target server.
Enable Deactivated Password on Modify Limitation
The "Deactivate password" attribute is supported by both the Add and Modify operation. Enabling this attribute on the account form will cause the password for an account to be deactivated in SAP. However, disabling the "Deactivate password" flag is NOT supported in the modify operation. The adapter will not enable the password for an account if the "Deactivate password" flag is unchecked on a modify operation. To re-enable a deactivated password for an account, a request to change the password for the account must be made instead. The state of the disable password flag in IBM Security Identity Manager will not be synchronized until reconciliation is performed.
SAP Adapter Extension Function for HR Linking is no longer supported
Earlier versions of the SAP adapter included optional ABAP extension functions for HR Linking, Account Locking, and Productive Password setting and synchronization. Since there are no BAPIs or APIs to do the HR link, the adapter code used to access SAP tables directly. However, SAP does not recommend accessing SAP tables directly. Therefore, even though the source code sample versions of the extensions are included in the adapter package, support for HR linking has been stopped.
SAP Connection parameters not marked as required in the Service form
SAP connection parameters are not marked as required because the SAP adapter can create a connection with the SAP NetWeaver server using either the provided service form attributes or the optional RFC parameter attribute present in the service form.
See the Installation and Configuration guide for IBM Security Identity Adapter for SAP NetWeaver for detailed instructions.
Corrections to Installation guide:
None
Configuration Notes
None
IBM Security Identity adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
The integration to the Identity Manager server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Installation Platform
The IBM Security Identity Adapter for SAP NetWeaver was built and tested on the following product versions.
Adapter Installation Platform:
Due to continuous Java security updates that may be applied to your ISIM or PIM servers, the following SDI releases are the officially supported versions:
Note: Earlier SDI supported versions may function properly; however, to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions.
Managed Resource:
The following SAP ABAP Basis versions running anywhere on the network are supported:
· SAP NW 700 (NetWeaver 2004s)
· SAP NW 710
· SAP NW 730 (see the "Limitations on support for SAP Productive Passwords" topic in the "Known Issues" section of this document for important functional restrictions)
· SAP NW 740
· SAP NW 750
· SAP NW 752
The following SAP S/4 HANA On-Premise version running anywhere on the network is supported:
· SAP S/4 HANA On-Premise 1809
The adapter supports SAP CUA environments. If CUA is configured, the adapter must be deployed against the central CUA master system.
Refer to section "Multi Byte Character Support Limitations" above regarding Unicode support limitations.
SAP PATCHES:
The following minimum patch levels, by SAP release version, are required:
| SAP Release | Software Component | Support Package |
|---|---|---|
| 700 | SAP_BASIS | SAPKB70026 |
| 701 | SAP_BASIS | SAPKB70111 |
| 702 | SAP_BASIS | SAPKB70210 |
| 710 | SAP_BASIS | SAPKB71014 |
| 730 | SAP_BASIS | SAPKB73007 |
| 731 | SAP_BASIS | SAPKB73102 |
Specifically, the SAP system must be patched with corrections from SAP notes 992375, 994415, 1101858 and 1636845.
SAP JCo certified:
JCo 3.0.20
Note: SAP NW Adapter was tested and certified using JCo v3.0.20. SAP may have released a newer version of JCo since then and, for reasons unknown, may not make JCo v3.0.20 available for download. The newer version of JCo may work as is with the adapter. However, if there are any issues related directly to the newer version of JCo, they will be addressed in the next release of the adapter.
IBM Security Identity Manager:
IBM Security Identity Manager v7.0.x
IBM Security Privileged Identity Manager (PIM):
ISPIM v2.x
Identity Governance and Intelligence (IGI):
IGI v5.2.x
This information was developed for products and services offered in the U.S.A. IBM
may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that
IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property
right may be used instead. However, it is the user's responsibility to evaluate
and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes