Channel: SCN : Blog List - SAP for Utilities
SAP Multichannel Foundation for Utilities: User Provisioning with IdM


Here is a more detailed description of the process flow for user provisioning in our integration scenario:


There are several possible options for leveraging the IDM system, since all the APIs to create, delete and modify users and to assign privileges are provided. It is possible to create a custom UI from which user self-service requests are sent directly to the IDM system. We decided to leverage the existing MCF public application and SAP Gateway functionality and to create users in IDM using BAdIs in the SAP Gateway user management component. This is only one example of the IDM integration; depending on the customer's requirements it has to be adapted, or a different technique can be used.

[Image: IDM provisioning.jpg]


  1. From the public MCF UI, the user accesses a sign-up page and enters the necessary information, such as user name, e-mail and Contract Account. The user then submits this request and a standard SAP Gateway OData request is executed (user self-service entity UserRequestManagement).
  2. This request is redirected to the leading user management system (CRM for Utilities in our case).
  3. The user request is then verified and an e-mail notification is sent to the user.
  4. In the e-mail notification the user clicks on a link, and another OData request is triggered to activate this user.
  5. This user activation request is again redirected to the user management system.
    • During the user activation process an SAP Gateway BAdI is called, and our custom BAdI implementation is executed instead of the standard user creation.
    • In our implementation scenario we assume that the user is an existing customer who already has a Business Partner and a Contract Account. We supply these for the IDM user creation; the BP will be linked to the user during the user provisioning process.
  6. The BAdI implementation mentioned above triggers user creation in the IDM system via the REST API provided by the IDM solution.
  7. As soon as the user is created in IDM, the user provisioning scripts run automatically and replicate the user to all ABAP repositories configured in the IDM system.
    • This provisioning process usually takes some time. The user needs to be informed that activation is not immediate.
    • In the backend ABAP systems the user is created by a special function module that triggers the IDM BAdI. In the implementation of this BAdI we link the newly created user with the Business Partner, as required by the MCF solution.


Settings required in the leading user management system to call the IDM REST API (step f.)

  1. You need to configure an HTTP connection to the IDM server in the leading user management system:
    1. Run transaction SM59 to configure your new HTTP connection:
      [Image: IDM REST 1.jpg (IDM/REST picture 1)]
    2. Create a new HTTP connection:
      [Image: IDM REST 2.jpg (IDM/REST picture 2)]
    3. Configure the new entry:
      In the tab "Logon & Security" you can use basic authentication with user and password; use an administrator user of your IDM system (the credentials are stored with the destination, so restrict who can maintain it).
      In the tab "Special Options", set the connection to accept cookies, as shown below:
      [Image: IDM REST 3.jpg (IDM/REST picture 3)]
  2. You need to enhance the existing user management:
    1. Enhance the BAdI:

      SAP delivers a standard BAdI implementation for UMC user management: CRM_IU_UMC_UM. To integrate with IDM you need to change some of its behavior. To do so, create a new enhancement implementation with similar settings but a different implementation class; in its simplest form, the new implementation class can derive from the standard implementation class.

      Now adjust your new class according to your needs. For example, if you want to create a new user account via IDM, the method /IWBEP/IF_MGW_UM_USER_MANAGER~CREATE_USER needs to be overridden with something like the following:

      First, create an attributes table in which you store all the attributes you want to pass to the IDM system (the "User Provisioning" part (a) below explains how to define the additional attributes in the IDM repository):
        DATA: lt_attribute TYPE tihttpnvp,   " name/value pairs sent as form fields
              ls_attribute TYPE ihttpnvp.
        " Contract Account and Business Partner of the existing customer;
        " the MX_FS_ prefix maps these attributes to the RFC calls on the backend
        ls_attribute-name  = 'MX_FS_CONTRACT_ACCOUNT'.
        ls_attribute-value = ls_iu_account_info-buag_id.
        APPEND ls_attribute TO lt_attribute.
        ls_attribute-name  = 'MX_FS_BUSINESS_PARTNER'.
        ls_attribute-value = ls_iu_account_info-account_id.
        APPEND ls_attribute TO lt_attribute.

      Then instantiate an HTTP REST client using the HTTP destination you created:
      cl_http_client=>create_by_destination( EXPORTING destination = 'UMC_IDM_RESTAPI' IMPORTING client = client ).

      Using this HTTP client, set the URI of the request, which will be something like "/idmrest/v72alpha/entries/0":
      cl_http_utility=>set_request_uri( request = client->request uri = lv_uri_post ).

      Then set the HTTP method of the request:
      client->request->set_method( if_http_request=>co_request_method_post ).

      After that, set the header fields (for example, a POST requires a CSRF token, which you first have to fetch using the same sequence of operations):
      client->request->set_header_field( name = if_rest_request=>gc_header_csrf_token value = 'Fetch' ).

      Then set the form fields, passing the table you created before:
      client->request->set_form_fields( fields = lt_attribute ).

      Finally, send the request:
      client->send( ).
      and receive the response:
      client->receive( ).

      Details on how to use the REST client can be found under this link.
      • Common IDM REST services that can be used in your IDM integration:
        • Search and retrieve a user:
          GET http://<host>:<port>/idmrest/v72alpha/entries?EntryType=MX_PERSON&MX_LASTNAME=...
        • Get details of the current user:
          GET http://<host>:<port>/idmrest/v72alpha/entries/0
        • Create a new entry via an IDM task:
          POST http://<host>:<port>/idmrest/v72alpha/entries/5784/tasks/1321 *

          * Note: you need to provide a CSRF token in the header and the necessary attributes in the payload. Task numbers may differ depending on the IDM setup. You can find the required task numbers under: "Identity Store" -> <name of your Identity Store> -> "Provisioning_framework" -> "Web Enabled Tasks" -> "Identity" ...
          [Image: IDM REST 4.jpg (IDM/REST picture 4)]
        • Assign a new privilege to the new entry:
          POST http://<host>:<port>/idmrest/v72alpha/entries/14156/tasks/38
          MXREF_MX_PRIVILEGE=12199

          Again, the privilege ID may differ depending on the IDM settings. You can find the IDs of privileges under: "Identity Store" -> <name of your Identity Store> -> "Identity Store Metadata" -> "Privileges". After the user provisioning setup is complete, you will find the main privileges for your repositories under the names PRIV:<repository name>:ONLY. Double-click on the privilege name and you will find the Privilege ID. Bear in mind that assigning the corresponding privilege triggers the user replication/provisioning. You can also create a task in the IDM system that assigns all the necessary privileges to your user and then execute this task via the REST API.
      • Activate the new implementation in the IMG node: "SAP NetWeaver Gateway Service Enablement" -> "Backend OData Channel" -> "User Self Service Setup" -> "Implement User Management". In this node, deactivate the standard implementation and activate the new one.


    User provisioning setup (step g.)

    For the IDM system to provision users (step g), it needs to be set up. Below is a detailed description of the IDM setup.

    1. You need to create new attributes in the Identity Store of your Identity Management system. These additional attributes will be used for user verification during user self-registration. Examples of such attributes in a real environment are Contract Account, Driver License, Social Insurance Number, etc. Depending on which attributes are provided, a Business Partner can also be created in the backend (ERP/CRM) Utilities systems. We, however, are implementing a test scenario in which the Utility customer already has an account (Business Partner) in the systems and a corresponding Contract Account. That is why we created only two new attributes.
      1. New attributes are created in the IDM system as follows:
        • Start your Identity Center console and go to your Identity Store schema.
        • Right-click on "Attributes" and select "New" -> "Identity store attribute" in the context menu:
          [Image: IDM Integration 01.PNG (IDM picture 1)]
        • Enter the attribute names MX_FS_CONTRACT_ACCOUNT and MX_FS_BUSINESS_PARTNER for your new attributes. Bear in mind that the prefix MX_FS_ is obligatory for the proper mapping of these attributes to the RFC calls on the backend:
          [Image: IDM Integration 02.PNG (IDM picture 2)]
        • Enter the entry type for which these attributes are valid: MX_PERSON (for each attribute).
          [Image: IDM Integration 03.PNG (IDM picture 3)]

    2. You need to be able to maintain these attributes for the identities in your Identity Store, and you have to be able to provide values for them when you create a user via the REST API.
      1. The following standard UI task needs to be adjusted, and the new attributes need to be added:
        [Image: IDM Integration 04.PNG (IDM picture 4)]
        [Image: IDM Integration 05.PNG (IDM picture 5)]
      2. You can move these attributes up and down so that they appear where you want them on the standard IDM UI.
    3. Create a new repository in your IDM system for each backend system where you want your users to be provisioned. We created three repositories, as we have three systems in our landscape: SAP NW Gateway, CRM for Utilities and the Utilities Industry System (IS-U).
      1. Go to Management -> Repositories. In the context menu choose New -> Repository.
        [Image: IDM Integration 06.PNG (IDM picture 6)]
      2. On the first screen of the Repository wizard choose "Business Suite AS ABAP (Load Balanced Connector)". It is quite important to choose the Business Suite connector: it automatically creates the constants with the proper task names. Using the Business Suite specific tasks is important because only then are the proper BAdIs triggered on the backend ABAP system.
        [Image: IDM Integration 07.PNG (IDM picture 7)]
      3. On the next screen of the Repository wizard, enter the name of your repository. It is better to use a naming convention with the system name followed by the client number.
        [Image: IDM Integration 08.PNG (IDM picture 8)]
      4. On the next screen of the Repository wizard, enter the data about your system, including the credentials to access it. The user should have all power user/administrator capabilities, as other users will be created using this user.
        [Image: IDM Integration 09.PNG (IDM picture 9)]
      5. Then just finish the wizard and your repository is created.
      6. When you double-click on "Constants" of the repository you created, you will see all of them. You can change these constants at any time. For example, sometimes you need to connect to a specific application server instead of the message server and provide the application server's system number. You will also need to change a constant for the hook tasks, which is described further on in this integration manual.
        [Image: IDM Integration 10.PNG (IDM picture 10)]
    4. Before we do the next step in the IDM system (the initial load), we need to make a customizing setting in all the backend systems where users need to be provisioned.
      1. Log in to your backend SAP system. Using transaction SM30, add a new entry to the customizing table IDM_BADI_FILTER as follows:
        [Image: IDM Integration BAdI 02.PNG (BADI picture 1)]
        [Image: IDM Integration BAdI 01.PNG (BADI picture 2)]

    5. In this step we describe the implementation of the BAdI on the backend ABAP systems. This BAdI needs to be activated in all the backend systems: the SAP Gateway, CRM and ERP (IS-U) systems.
      1. Create a new class based on the interface IF_BADI_EXTEND_IDENTITY.
      2. Create your enhancement implementation for the enhancement spot BADI_EXTEND_IDENTITY using transaction SE19. Provide a class name and the BAdI definition name BADI_EXTEND_IDENTITY.
      3. Implement the method IF_BADI_EXTEND_IDENTITY~PRE_MODIFY_CHECK_IDENTITY. Here we verify whether the user can be created in the backend system.
      4. Implement the method IF_BADI_EXTEND_IDENTITY~POST_MODIFY_IDENTITY. In this method we need to link the created user with the Business Partner. Bear in mind that, because of the replication, the user may already have been created in the CRM or IS-U system, and if a BP is created at the same time, you must not create the same BP again in the second system. Instead, get the BP linked to this user in the other system and link that BP in the current system.
    6. The initial load step in the IDM system is necessary even though, sometimes, we do not need the actual backend users to be loaded into IDM*. This step creates all the main privileges and triggers for your repository. You have to repeat this step for each system for which you need to set up user provisioning.

      For our integration scenario I disabled the passes that save users and privileges from the backend system. The reason is the following: online users create their accounts using user self-service. Also, for the Multichannel application, the corresponding user account in the backend ABAP systems is created with a reference user, and this reference user holds all the authorization roles and profiles. That is why I disabled the pass for saving ABAP authorization privileges (roles and profiles) as well. Whether you need to load users and privileges into IDM really depends on your integration scenario.

      * Note: sometimes you have a legacy system in which your online users are stored. You need to create a repository for this system in IDM as well and make an initial load of all those users (it might be, for example, your SAP NW Java AS with the users of your UCES solution).
      1. To create a job for the initial load, go to the Job folder. In the context menu choose "New" -> "Run job wizard".
        [Image: IDM Integration 11.PNG (IDM picture 11)]
      2. After you click on the "Next" button you will be forwarded to the screen to select a job. Use the following folder: "Identity Center" -> "Jobs" -> "SAP NetWeaver" -> "BusinessSuite AS ABAP–Initial Load"
        [Image: IDM Integration 12.PNG (IDM picture 12)]
      3. Then select your repository and click on "Next".
        [Image: IDM Integration 13.PNG (IDM picture 13)]
      4. Finally, click on the "Finish" button and your job for the initial load is created (rename it so that it includes the repository name).
      5. The job has been created. You then need to adjust this job depending on your integration scenario. It is possible to disable some passes with the help of the context menu.
      6. After that you can just run this job. The job results are shown in the "Job log".
        [Image: IDM Integration 14.PNG (IDM picture 14)]
    7. After a successful run of the job you need to test whether current IDM users are replicated to the ABAP systems. If your initial run was successful, a special IDM privilege was created that allows you to provision your users into the ABAP repository:
      1. Start the SAP NetWeaver Identity Management UI in your browser using the URL: https://you_system:port/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/Idm
      2. Log in as administrator.
      3. Find an existing user or create one, select this user and you will see the standard UI task "Assign Privileges, Roles and Groups" appear.
        [Image: IDM Integration 15.PNG (IDM picture 15)]
      4. You will be navigated to the screen where you can assign the special privilege.
      5. In the "Available" list in the left part of the tab, choose to show privileges and find the privilege with the name "PRIV_yourrepositoryname_ONLY", then click on the "Go" button.
      6. Select this privilege and add it using the "Add" button.
        [Image: IDM Integration 16.PNG (IDM picture 16)]
      7. Then you can check in the ABAP system using transaction SU01 whether your user was created.
      8. In the Job log of the Identity Center UI you can monitor the execution of the job.
        [Image: IDM Integration 17.PNG (IDM picture 17)]
      9. Then you can check in the backend ABAP system using transaction SU01 whether your user was created.
        [Image: IDM Integration ABAP 01.PNG (IDM/ABAP picture 1)]
    8. The next step is to make sure that the backend BAdI is triggered when a user is created from IDM. We need to verify this user in the backend, link it to the Business Partner and create a Business Partner when necessary.

      1. The task that creates the user should pass a filter value. We did not find a standard way to pass a filter, which is why we define our own task as a copy. To make a copy of the task, go to "Identity Store" -> "Provisioning Framework" -> "CONNECTORS" -> "ABAP BusinessSuite Connector" -> "Plugins" -> "1. Create BS User". In the context menu of this node click "Copy", then right-click on the Plugins folder and click "Paste". The whole task with its subtasks is copied. Rename it as you wish.
        [Image: IDM Integration 19.PNG (IDM picture 18)]

        [Image: IDM Integration 20.PNG (IDM picture 19)]

      2. Adjust the job related to this task. Expand the task and find the related job. Navigate to the configuration of the job "CreateABAPIdentity" and change the attributes on the "Destination" tab:

        • Filter: hardcoded to ZUMC * (or the filter name you use, see section 4)
          [Image: IDM Integration 21.PNG (IDM picture 20)]

        • Reference User: UMC_REF_USR (or another reference user you use for SAP MCF)

        • Address data: as shown in the picture:
          [Image: IDM Integration 22.PNG (IDM picture 21)]

      3. For all your repositories, change the repository constant MX_HOOK1_TASK to your new copy of the task.
        [Image: IDM Integration 18.PNG (IDM picture 22)]


    After this step the user provisioning setup is ready and you can test the whole scenario.

    Here are some additional links to help you with the user provisioning setup:

