This section describes the configuration and operation of the IBM TDI User Registry Connector for SAP ABAP Application Server.
This chapter contains the following sections:
This component is not available in the TDI 7.1 General Purpose Edition.
This component enables the provisioning and management of SAP user accounts to external applications (with respect to SAP ABAP Application Server). The Connector uses the generic RFC invocation feature of the IBM TDI Function Component for SAP ABAP Application Server (referred to hereafter as the RFC Function Component). The RFC Function Component enables the Connector to manage SAP user account attributes by executing RFC ABAP code as an external SAP ABAP Application Server client application.
The Connector supports an extendable generic framework for provisioning SAP user accounts and their associated attributes. This is achieved by defining an XML representation of user account information. This XML is then transformed via XSL style sheet transformations (XSLT) into RFC requests. The default functionality of the Connector does not require the deployment of custom RFC ABAP code onto the target SAP ABAP Application Server instance.
The key features and benefits of the Connector are:
The Connector supports the following IBM TDI Connector modes:
Figure 2 below illustrates the component design of the SAP User Registry.
Component design of the SAP User Registry
The User Registry Connector for SAP ABAP Application Server supports the Skip Lookup general option in Update or Delete mode. When it is selected, no search is performed prior to actual update and delete operations.
For this to function, the sapUserName attribute should be defined in the Link Criteria of the Connector.
The User Registry Connector for SAP ABAP Application Server (SAP ABAP AS) may be added directly into an assembly line. The following section lists the configuration parameters that are available for SAP ABAP Application Server client connections and XSL style sheet behavior. The runtime names are shown in parentheses.
"gwserv=sapgw00 use_sapgui=1"
Here is a list of optional SAP Java Connector parameters that are accessible.
Alias user name (alias_user)
SAP message server (mshost)
Gateway service (gwserv)
Logon language (lang)
1 (Enable) or 0 (disable) RFC trace (trace)
Initial codepage in SAP notation (codepage)
Secure network connection (SNC) mode, 0 (off) or 1 (on) (snc_mode)
SNC partner, for example, p:CN=R3, O=XYZ-INC, C=EN (snc_partnername)
SNC level of security, 1 to 9 (snc_qop).
SNC name. Overrides default SNC partner (snc_myname)
Path to library which provides SNC service (snc_lib)
SAP R/3 name (r3name)
Group of SAP application servers (group)
Program ID of external server program (tpname)
Host of external server program (tphost)
Type of remote host 2 = R/2, 3 = R/3, E = External (type)
Enable ABAP debugging 0 or 1 (abap_debug)
Use remote SAP graphical user interface (0/1/2) (use_sapgui)
Get/Don't get a SSO ticket after logon (1 or 0) (getsso2)
Use the specified SAP Cookie Version 2 as logon ticket (mysapsso2)
Use the specified X509 certificate as logon ticket (x509cert)
Enable/Disable logon check at open time, 1 (enable) or 0 (disable) (lcheck)
String defined for SAPLOGON on 32-bit Windows (saplogon_id)
Data for external authentication (PAS) (extiddata)
Type of external authentication (PAS) (extidtype)
Idle timeout (in seconds) for the connection after which it will be closed by R/3. Only positive values are allowed. (idle_timeout)
Enable (1) or Disable (0) dsr support (dsr)
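A review check for the optional parameter string, written as an added example (not IBM's code). It assumes the string is a space-separated list of lower-case key=value pairs, as in the sample above; the quality-of-protection meanings come from SAP's SNC documentation, and the sample strings and library path are constructed placeholders.

```javascript
// Added example. Parsing rule is an assumption based on the page's sample
// string "gwserv=sapgw00 use_sapgui=1"; values may contain spaces.
function parseParams(s) {
  var re = /(?:^|\s)([a-z][a-z0-9_]*)=/g, marks = [], out = {}, m;
  while ((m = re.exec(s)) !== null) {
    marks.push({ key: m[1], at: m.index, start: re.lastIndex });
  }
  for (var i = 0; i < marks.length; ++i) {
    var end = i + 1 < marks.length ? marks[i + 1].at : s.length;
    out[marks[i].key] = s.slice(marks[i].start, end).trim();
  }
  return out;
}

// Findings for the transport-protection and diagnostic settings listed above.
function lintParams(s) {
  var p = parseParams(s), findings = [];
  if (p.snc_mode !== "1") {
    findings.push("snc_mode is off: RFC traffic is not protected by SNC");
  } else {
    // snc_qop: 1 authentication only, 2 integrity, 3 privacy (encryption);
    // 8 and 9 defer to the application server's default and maximum.
    var qop = parseInt(p.snc_qop, 10);
    if (isNaN(qop)) findings.push("snc_qop not set: level depends on defaults");
    else if (qop < 3) findings.push("snc_qop=" + qop + ": no encryption");
    if (!p.snc_partnername) findings.push("snc_partnername missing");
  }
  if (p.trace === "1") findings.push("trace=1: RFC trace left enabled");
  if (p.abap_debug === "1") findings.push("abap_debug=1: ABAP debugging enabled");
  return findings;
}

// Constructed samples: a weak string and a corrected one.
var weak = "gwserv=sapgw00 use_sapgui=1 trace=1";
var hardened = "gwserv=sapgw00 snc_mode=1 snc_qop=9 " +
  "snc_partnername=p:CN=R3, O=XYZ-INC, C=EN snc_lib=/path/to/snc/library trace=0";

console.log(lintParams(weak));
console.log(lintParams(hardened));
```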
ibmdi.SapR3RfcFC
xsl/bapi_user_create.xsl, xsl/bapi_user_actgroups_assign.xsl, xsl/bapi_user_profiles_assign.xsl
xsl/bapi_user_change.xsl, xsl/bapi_user_actgroups_assign.xsl, xsl/bapi_user_profiles_assign.xsl
xsl/bapi_user_delete.xsl
xsl/bapi_user_getdetail_precall.xsl
xsl/bapi_user_getdetail_postcall.xsl
xsl/bapi_user_getlist_precall.xsl
xsl/bapi_user_getlist_postcall.xsl
xsl/bapi_user_getdetail_precall.xsl
xsl/bapi_user_getdetail_postcall.xsl
This section describes how to use the Connector in each of the IBM TDI Connector modes. The section also describes the IBM TDI Entry schema supported by the Connector.
The default XSL style sheet file name values are relative path locations with respect to the IBM TDI AssemblyLine execution directory. In some situations, it may be necessary to prepend the default file name values with the fully qualified installation location of the XSL files. Such modification is likely if the IBM TDI Component Suite for SAP ABAP Application Server has been installed in (or if the AssemblyLine is executing from) a directory location separate from the IBM TDI installation.
The User Registry Connector supports only two fixed IBM TDI entry attributes. The schema is available through the discover schema feature (the torch icon) in the IBM TDI configuration tool. The attribute schema is described below.
Attribute Name | Type | Description |
---|---|---|
sapUserXml | java.lang.String | A string representing the attributes of an SAP user. The XSchema is defined in XSchema for User Registry Connector XML. This attribute and value must be present on the Output Map when the Connector is deployed in Add Only, Update and Delete modes. This attribute and value are available on the Input Map when the Connector is deployed in Lookup and Iterator modes. |
sapUserName | java.lang.String | A string representing the name of a given SAP user. The Connector supports this attribute primarily for configuration of Link Criteria. |
When deployed in Add Only mode, the Connector is able to create a new user in the SAP database. The Connector should be added to the Flow section of an IBM TDI AssemblyLine. The Output Map must define a mapping for the sapUserXml Connector attribute. The value of this attribute represents the details of the user to be added to SAP. The value will be applied to each configured XSLT file in the order defined. The XSLT transforms produce separate RFC XML requests to be executed by the RFC Function Component, which is managed internally by the Connector.
The Connector does not support duplicate or multiple entries. Only one entry should be supplied to the Connector at a time.
When deployed in Update mode, the Connector is able to modify an existing user in the SAP database. The Connector should be added to the Flow section of an IBM TDI AssemblyLine. The Output Map must define a mapping for the sapUserXml Connector attribute. The value of this attribute represents the details of the user to be changed in SAP. The value will be applied to each configured XSLT file in the order defined. The XSLT transforms produce separate RFC XML requests to be executed by the RFC Function Component, which is managed internally by the Connector.
Additionally, the sapUserName attribute should be defined in the Link Criteria of the Connector. The Link Criteria is required by the AssemblyLine, since the AssemblyLine will invoke the Connector's findEntry() method to verify the existence of the given user. The value of sapUserName, as defined in the Link Criteria, must match the value of the <sapUserName> XML element present in the value of sapUserXml. All parameters defined in the Link Criteria are passed as XSLT style sheet parameters. If duplicate Link Criteria names are supplied, the Connector will use the last value supplied. The style sheets are not required to use the parameter.
The only operator supported for Link Criteria is an equals exact match. Wildcard search criteria are not supported, because the RFC lookup method does not currently support wild cards. The Connector will not return duplicate entries.
The Connector does not support duplicate or multiple entries. Only one entry should be supplied to the Connector at a time.
This mode allows role and profile assignments to be changed. If sapRoleList or sapProfileList are present in the XML supplied to the Connector, then the Connector will perform a complete delete and replace of the current assignments in SAP. This means the supplied XML must contain the complete assignments that need to exist after the operation is executed. This is also true for date ranges associated with roles. If the intention is to change a date range for a role already assigned, and not add or remove existing assignments, the complete list of role assignments with the new date ranges needs to be supplied in the XML. Date ranges should be present with all roles, unless the SAP default date values are acceptable.
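The delete-and-replace behavior described above means a partial role list silently revokes every role it omits. The following added example (not IBM's code) compares the list about to be supplied against the current assignments and builds a complete list from a delta; the fields name, from and to, the role names and the date strings are hypothetical and constructed, and must be mapped to the elements your sapUserXml actually carries.

```javascript
// Added example. Field names (name, from, to) are hypothetical.
function index(list) {
  var map = Object.create(null);
  for (var i = 0; i < list.length; ++i) map[list[i].name] = list[i];
  return map;
}

// What a delete-and-replace with `supplied` would do to `current`.
function replaceImpact(current, supplied) {
  var cur = index(current), sup = index(supplied), n;
  var impact = { removed: [], added: [], dateChanged: [], defaultDates: [] };
  for (n in cur) {
    if (!(n in sup)) impact.removed.push(n);
    else if (sup[n].from !== cur[n].from || sup[n].to !== cur[n].to)
      impact.dateChanged.push(n);
  }
  for (n in sup) {
    if (!(n in cur)) impact.added.push(n);
    // Missing dates mean the SAP default date values will apply.
    if (!sup[n].from || !sup[n].to) impact.defaultDates.push(n);
  }
  return impact;
}

// Build the complete list Update mode needs: current state plus a delta.
function fullList(current, add, removeNames) {
  var merged = index(current), out = [], i;
  for (i = 0; i < removeNames.length; ++i) delete merged[removeNames[i]];
  for (i = 0; i < add.length; ++i) merged[add[i].name] = add[i]; // add or re-date
  for (var n in merged) out.push(merged[n]);
  return out;
}

// Constructed sample: roles as read back by a Lookup, and one role to grant.
var current = [
  { name: "Z_AP_CLERK", from: "2024-01-01", to: "9999-12-31" },
  { name: "Z_AP_REPORTS", from: "2024-01-01", to: "2024-12-31" }
];
var grant = { name: "Z_AP_APPROVER", from: "2024-06-01", to: "2024-12-31" };

var naive = replaceImpact(current, [grant]); // would drop both existing roles
var safe = replaceImpact(current, fullList(current, [grant], []));
console.log(JSON.stringify(naive), JSON.stringify(safe));
```

Run the comparison before the Update call and stop when `removed` contains anything the change request did not ask for.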
When deployed in Delete mode, the Connector is able to delete an existing user from the SAP database. The Connector should be added to the Flow section of an IBM TDI AssemblyLine. The sapUserName attribute must be defined in the Link Criteria of the Connector. The Link Criteria is required by the AssemblyLine, since the AssemblyLine will invoke the Connector's findEntry() method to verify the existence of the given user. All parameters defined in the Link Criteria are passed as XSLT style sheet parameters. If duplicate Link Criteria names are supplied, the Connector will use the last value supplied. The style sheets are not required to use the parameter.
The only operator supported for Link Criteria is an equals exact match. Wildcard search criteria are not supported, because the RFC lookup method does not currently support wild cards.
The Connector does not support duplicate or multiple entries. Only one entry should be supplied to the Connector at a time.
When deployed in Lookup mode, the Connector is able to obtain all details of a given SAP user. The Connector should be added to the Flow section of an IBM TDI AssemblyLine. The sapUserName attribute must be defined in the Link Criteria of the Connector. If duplicate Link Criteria names are supplied, the Connector will use the last value supplied. The Connector will populate the XML string value of the attribute sapUserXml. This attribute is available to the AssemblyLine in the Connector's Input Map.
The Connector's findEntry() method is the main code executed. It uses the result of the XSLT transform configured in Lookup Mode Pre StyleSheet, to execute an RFC to obtain all details for the given user. The result of the RFC is then transformed using the XSLT transform configured in Lookup Mode Post StyleSheet.
The only operator supported for Link Criteria is an equals exact match. Wildcard search criteria are not supported, because the RFC lookup method does not currently support wild cards.
The Connector does not support duplicate or multiple entries. The Connector will return only one entry at a time.
When deployed in Iterator mode, the Connector is able to retrieve the details of each user in the SAP database, in turn, and make those details available to the AssemblyLine. The XSLT style sheets for Select Entries Pre StyleSheet, Select Entries Post StyleSheet, Iterator Mode Pre StyleSheet, and Iterator Mode Post StyleSheet must be configured.
When deployed in this mode, the IBM TDI AssemblyLine will first call the Connector's selectEntries() method to obtain and cache a list of all user names in the SAP database. The AssemblyLine will then call the Connector's getNextEntry() method. This method will maintain a pointer to the current name cached in the list. The method will use this name to call an RFC to obtain all details for the user. The results of the RFC are formatted by an XSLT transform and set as the value of sapUserXml and returned by the Connector.
Neither the Connector nor IBM TDI currently supports transactions with SAP ABAP Application Server. Some of the known consequences are explained in this section.
When the Connector is deployed in a mode that results in write operations with SAP (that is, Add Only, Update and Delete), it is possible for operations to be partially complete. This can occur if multiple XSL style sheets, which generate RFC requests, are required to complete the operation. If one of the earlier RFC requests fails, then RFC requests executed subsequently may fail as a result. The Connector attempts to perform all XSL transformations and resulting RFC invocations on a best effort basis.
Consider the Add Only case to create a user account in SAP. The first style sheet generates an RFC request for BAPI_USER_CREATE. The second style sheet generates an RFC request for BAPI_USER_ACTGROUPS_ASSIGN. The third style sheet generates an RFC request for BAPI_USER_PROFILES_ASSIGN. If the third request fails, then the user may be created without the assignment of profiles.
Another case exists when attempting to create a user that already exists in SAP. The first style sheet results in a call to BAPI_USER_CREATE. This invocation will result in an ABAP application level error return result (this is not the same as an API or infrastructure error). The Connector will log this. The Connector will then proceed with the subsequent style sheet and RFC invocations, which attempt to assign roles and profiles to the user. Since the user already exists, the role and profile assignments will succeed.
For the case explained above, should the Connector stop processing after the first RFC, or should the Connector continue with the role and profile assignments that the IBM TDI user expected to exist for the newly created user? If the required behavior is to stop after the first RFC error, then an additional configuration of the IBM TDI AssemblyLine can satisfy this requirement. Deploy a second instance of the Connector in Lookup mode before the Add Only mode instance. Custom JavaScript code can then use the Lookup Connector's result to conditionally terminate or continue the AssemblyLine, depending on the existence of the user to be created.
The Connector invokes BAPI/RFC functions in SAP to perform the Connector mode operations. In some cases, data passed to the BAPI/RFC functions from the XML input may result in ABAP data validation failures. For example, the value for post code may not be valid within the country region. The BAPI/RFC functions return the results of validation checks in the RETURN parameter of the RFC.
The Connector has been designed to make the RFC return status available to the AssemblyLine. The Connector does not interpret or translate ABAP errors or warnings into thrown exceptions. The Connector registers a script bean named urcAbapErrorCache. The bean is registered for all Connector modes and can be accessed in Connector hooks. The bean is an instance of AbapErrorCache. Script code in a Connector hook can use this information to perform contingency actions as required. The cache is reset before the execution of each Connector method.
Example script code is shown below. For specific details, refer to the Javadoc contained in the distribution package.
```javascript
// Log every ABAP error returned by the last Connector method.
var errs = urcAbapErrorCache.getLastErrorSet();
if (errs.size() > 0) {
    task.logmsg("********** There were ABAP Errors **********");
    for (var i = 0; i < errs.size(); ++i) {
        var errInfo = errs.get(i);
        task.logmsg("The message is: " + errInfo.getMsg());
        task.logmsg("The message number is: " + errInfo.getMsgNum().toString());
    }
}

// Log every ABAP warning returned by the last Connector method.
var warns = urcAbapErrorCache.getLastWarningSet();
if (warns.size() > 0) {
    task.logmsg("********** There were ABAP Warnings *********");
    for (var i = 0; i < warns.size(); ++i) {
        var errInfo = warns.get(i);
        task.logmsg("The message is: " + errInfo.getMsg());
        task.logmsg("The message number is: " + errInfo.getMsgNum().toString());
    }
}
```
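Because the Connector does not throw on ABAP errors and continues with later RFCs, the hook script has to decide whether the AssemblyLine goes on. The following added example (not IBM's code) sketches the Lookup-before-Add check and a decision on the error cache after a write; the fake* helpers are constructed stand-ins for the TDI runtime objects, and the message number and text are made up.

```javascript
// Added example: constructed stand-ins for the TDI runtime objects so the
// decision logic runs outside TDI. Inside a hook, pass urcAbapErrorCache.
function fakeList(items) {
  return { size: function () { return items.length; },
           get: function (i) { return items[i]; } };
}
function fakeMsg(num, msg) {
  return { getMsgNum: function () { return num; },
           getMsg: function () { return msg; } };
}
function fakeCache(errs, warns) {
  return { getLastErrorSet: function () { return fakeList(errs); },
           getLastWarningSet: function () { return fakeList(warns); } };
}

// Copy a Java-style list from the cache into plain objects for logging.
function drain(set) {
  var out = [];
  for (var i = 0; i < set.size(); ++i) {
    var e = set.get(i);
    out.push({ num: String(e.getMsgNum()), msg: String(e.getMsg()) });
  }
  return out;
}

// Before Add Only: a Lookup hit means the account exists, so the create
// would fail while the role and profile RFCs still run against that account.
function preAddDecision(lookupUserXml) {
  return lookupUserXml ? "skip-existing-user" : "create";
}

// After any write-mode call: read the cache and decide, since ABAP errors
// are not raised as exceptions.
function postWriteDecision(cache) {
  var errors = drain(cache.getLastErrorSet());
  var warnings = drain(cache.getLastWarningSet());
  var action = errors.length ? "halt" : (warnings.length ? "review" : "continue");
  return { action: action, errors: errors, warnings: warnings };
}

// Constructed sample: one ABAP error (message number and text are made up).
var sample = postWriteDecision(
  fakeCache([fakeMsg(1, "User JDOE already exists")], []));
console.log(sample.action, JSON.stringify(sample.errors));
```

Since the cache is reset before each Connector method, evaluate it in the hook that runs directly after the write.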