
Configuration of an existing repository to provision through ROI iAM

Prerequisite

  • The installation steps of the IdM accelerator must be completed.
  • The repository is configured on the ROI iAM side (source, target, system details).
  • Initial load of the system is executed in ROI iAM.
  • All HR users must exist in ROI iAM and have their ROIAM_IDENTIFIER_<hubName> populated in IdM.

1. Configure repository type constants

  • Open the Repository Type of the existing repository that will integrate with ROI iAM.
  • Create two repository constants of category "Repository Type Constant With Override":
    • ROIAM_HUB_REPOSITORY
      • Data Type: String
      • Description: Name of the HUB repository used for ROI iAM configuration. If empty, provisioning uses the standard connection.
    • ROIAM_TARGET_REPOSITORY
      • Data Type: String
      • Description: Name of the target repository in ROI iAM.

2. Configure repository type plugins for ROI iAM provisioning

Adapt each relevant plugin so ROI iAM runs when ROIAM_HUB_REPOSITORY is set.

  1. Open the CreateUser plugin of the target repository type/package.
  2. Add a Conditional task immediately before the backend creation step.
  3. Use this "SQL Query" condition:
```sql
SELECT
  CASE
    WHEN varValue IS NULL OR varValue = '' THEN 0
    ELSE 1
  END AS hubRepo
FROM mc_repository_vars
WHERE Repository = %REPID%
  AND VarName   = 'ROIAM_HUB_REPOSITORY'
```
  4. Route the standard CreateUser process task to the False branch of the condition:

    • Place the existing CreateUser task in the False branch.
    • Move "Update User ACCOUNT" (or equivalent) below the CreateUser task in the False branch.
    • Keep any other backend update tasks in the False branch in their correct order.
  5. Plug the ROI iAM task into the CreateUser process:

    • Open com.roiable.roiam.connectorProcessesPlugins.
    • Drag the CreateUser plugin from this package into the target process.
    • Place the ROI iAM CreateUser process in the True branch of the conditional task.

    The result should be:

    • False branch: original backend flow, including account update and all backend-related operations.
    • True branch: ROI iAM connector CreateUser process.

  6. Repeat the same conditional pattern for the following plugins:

    • CreateUser
    • ModifyUser
    • DeleteUser
    • AssignUserMembership
    • RevokeUserMembership
    • EnableUser
    • DisableUser

3. Configure ROI iAM load jobs for the target repository type

  1. In the Jobs section of the target repository package:

    • Create subfolder “ROI iAM jobs”.
  2. Create repository job "Initial load - ROI iAM privileges":

    • Navigate to the com.roiable.roiam.hub package → Target Loads.
    • Open the "Initial load - ROI iAM existing IdM repositories" job.
    • Copy all passes from this job into the new job in the target package (or recreate the same structure and values).
    • Link script ROIAM_hubPrivilegesInitialLoad from com.roiable.roiam.hub.
  3. Create repository job "Delta load - ROI iAM privileges":

    • From com.roiable.roiam.hub → Target Loads, open "Delta load - ROI iAM existing IdM repositories".
    • Copy its passes into the new job in the target package (or recreate them).
    • Link script ROIAM_hubPrivilegesDailyLoad from com.roiable.roiam.hub.
  4. Populate the two repository constants created in step 1 for each system which provisions via ROI iAM:

    • ROIAM_HUB_REPOSITORY – HUB repository used for ROI iAM configuration.
    • ROIAM_TARGET_REPOSITORY – System name in ROI iAM.

    Important: The ROIAM_HUB_REPOSITORY constant acts as the on/off switch for ROI iAM provisioning. If a HUB is specified in the constant of the respective target system in the Admin UI, provisioning goes through ROI iAM. If the constant is left blank, the standard provisioning steps are executed for the users in that target system.

  5. Execute "Initial load - ROI iAM privileges" and verify:

    • The job log shows success.
    • Temporary table roiam_%$rep.$NAME%_groups_initial exists.
    • Data in the temporary table looks correct.
    • All existing roles/groups in the repository have attribute ROIAM_IDENTIFIER_<hubName> populated.

  6. Execute "Delta load - ROI iAM privileges" and verify:

    • Temporary table roiam_%$rep.$NAME%_groups_delta populates as expected.
    • Schedule this job to run immediately after the standard "Daily Load – Roles job" for the repository.
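
Because ROIAM_HUB_REPOSITORY decides which provisioning path a repository takes, it is worth reviewing the switch state of every repository in one place before testing. The query below is an added example, not part of the ROI iAM package: it reuses the mc_repository_vars table and the Repository, VarName and varValue columns from the condition in step 2, and assumes varValue is a string column that MAX can aggregate. The provisioningPath labels are illustrative.

```sql
-- Added audit example (not shipped with ROI iAM).
-- Lists each repository that has at least one of the two constants defined
-- and shows which branch the conditional task from step 2 will take.
SELECT
  v.Repository,
  v.hubRepository,
  v.targetRepository,
  CASE
    -- Same emptiness test as the plugin condition: empty hub = False branch
    WHEN v.hubRepository IS NULL OR v.hubRepository = ''
      THEN 'standard connection'
    -- Hub is set, but the second constant from step 3.4 was not populated
    WHEN v.targetRepository IS NULL OR v.targetRepository = ''
      THEN 'CHECK: hub set, ROIAM_TARGET_REPOSITORY empty'
    ELSE 'ROI iAM'
  END AS provisioningPath
FROM (
  -- Pivot the two constants into one row per repository
  SELECT
    Repository,
    MAX(CASE WHEN VarName = 'ROIAM_HUB_REPOSITORY'
             THEN varValue END) AS hubRepository,
    MAX(CASE WHEN VarName = 'ROIAM_TARGET_REPOSITORY'
             THEN varValue END) AS targetRepository
  FROM mc_repository_vars
  WHERE VarName IN ('ROIAM_HUB_REPOSITORY', 'ROIAM_TARGET_REPOSITORY')
  GROUP BY Repository
) v
ORDER BY v.Repository
```

Repositories that do not appear in the result have neither constant defined; for those the condition in step 2 returns no row at all rather than 0.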

4. Test provisioning

INFO

This step is required only for the pilot system.

Test end-to-end provisioning:

  • CreateUser
  • ModifyUser
  • DeleteUser
  • AssignUserMembership
  • RevokeUserMembership
  • EnableUser
  • DisableUser

Important: In the current ROI iAM version, the source of the entries does not change. SAP IdM continues to create both MX_PERSON and MX_PRIVILEGE entries; the ROI iAM load jobs enhance them with the values required for provisioning to target systems.