
Configuration of an existing repository to provision through ROI iAM

Prerequisite

  • The repository is configured on the ROI iAM side (source, target, system details).
  • ROI iAM completes the initial load for that system.
  • All HR users must exist in ROI iAM and have their ROIAM_IDENTIFIER_<hubName> populated in IdM.

1. Configure repository type constants

  • Open the Repository Type of the existing repository that will integrate with ROI iAM.
  • Create two repository constants of category "Repository Type Constant With Override":
    • ROIAM_HUB_REPOSITORY
      • Data Type: String
      • Description: Name of the HUB repository used for ROI iAM configuration. If empty, provisioning uses the standard connection.
    • ROIAM_TARGET_REPOSITORY
      • Data Type: String
      • Description: Name of the target repository in ROI iAM.

2. Configure repository type plugins for ROI iAM provisioning

Adapt each relevant plugin so ROI iAM runs when ROIAM_HUB_REPOSITORY is set.

  1. Open the CreateUser plugin of the target repository type/package.
  2. Add a Conditional task immediately before the backend creation step.
  3. Use this "SQL Query" condition:
     SELECT
       CASE
         WHEN varValue IS NULL OR varValue = '' THEN 0
         ELSE 1
       END AS hubRepo
     FROM mc_repository_vars
     WHERE Repository = %REPID%
       AND VarName   = 'ROIAM_HUB_REPOSITORY'

  4. Route the standard CreateUser process task to the False branch of the condition:

    • Place the existing CreateUser task in the False branch.
    • Move "Update User ACCOUNT" (or equivalent) below the CreateUser task in the False branch.
    • Keep any other backend update tasks in the False branch in their correct order.
  5. Plug the ROI iAM task into the CreateUser process:

    • Open com.roiable.roiam.connectorProcessesPlugins.
    • Drag the CreateUser plugin from this package into the target process.
    • Place the ROI iAM CreateUser process in the True branch of the conditional task.

    The result should be:

    • False branch: original backend flow, including account update and all backend-related operations.
    • True branch: ROI iAM connector CreateUser process.

    Screenshot 6

  6. Repeat the same conditional pattern for the following plugins:

    • CreateUser
    • ModifyUser
    • DeleteUser
    • AssignUserMembership
    • RevokeUserMembership
    • EnableUser
    • DisableUser

3. Configure ROI iAM load jobs for the target repository type

  1. In the Jobs section of the target repository package:

    • Create subfolder “ROI iAM jobs”.
  2. Create repository job "Initial load - ROIAM privileges":

    • Navigate to the com.roiable.roiam.hub package → Target Loads.
    • Open the "Initial load - ROIAM privileges" job.
    • Copy all passes from this job into the new job in the target package (or recreate the same structure and values).
    • Link script ROIAM_hubPrivilegesInitialLoad from com.roiable.roiam.hub.
  3. Create repository job "Daily load - ROIAM privileges":

    • From com.roiable.roiam.hub → Target Loads, open "Daily load - ROIAM privileges".
    • Copy its passes into the new job in the target package (or recreate them).
    • Link script ROIAM_hubPrivilegesDailyLoad from com.roiable.roiam.hub.
  4. Populate the two repository constants created in step 1 for each system which provisions via ROI iAM:

    • ROIAM_HUB_REPOSITORY – HUB repository used for ROI iAM configuration.
    • ROIAM_TARGET_REPOSITORY – System name in ROI iAM.
  5. Execute "Initial load - ROIAM privileges" and verify:

    • The job log shows success.
    • Temporary table roiam_%$rep.$NAME%_groups_initial exists.
    • Data in the temporary table looks correct.
    • All existing roles/groups in the repository have attribute ROIAM_IDENTIFIER_<hubName> populated.

    Screenshot 7

  6. Execute "Daily load - ROIAM privileges" and verify:

    • Temporary table roiam_%$rep.$NAME%_groups_delta populates as expected.
    • Schedule this job to run immediately after the standard "Daily Load – Roles job" for the repository.
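
Added example (not part of ROI iAM or SAP IdM): the section 2 condition run against a constructed in-memory copy of mc_repository_vars, showing which branch each repository takes and flagging repositories whose two constants are inconsistent before provisioning is tested. Assumptions: only the three columns the query uses are modelled, repository IDs and values are made up, and %REPID% is replaced by a bound parameter; the page does not say how the Conditional task treats an empty result set, so that case is reported separately.

```python
import sqlite3

# Section 2 condition; %REPID% becomes a bound parameter for this offline check.
CONDITION = """
SELECT CASE WHEN varValue IS NULL OR varValue = '' THEN 0 ELSE 1 END AS hubRepo
FROM mc_repository_vars
WHERE Repository = ? AND VarName = 'ROIAM_HUB_REPOSITORY'
"""
TARGET = """
SELECT varValue FROM mc_repository_vars
WHERE Repository = ? AND VarName = 'ROIAM_TARGET_REPOSITORY'
"""

def build_sample_db():
    """Constructed sample data: four repositories in different states."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mc_repository_vars "
               "(Repository INTEGER, VarName TEXT, varValue TEXT)")
    db.executemany("INSERT INTO mc_repository_vars VALUES (?, ?, ?)", [
        (1, "ROIAM_HUB_REPOSITORY", "HUB_A"), (1, "ROIAM_TARGET_REPOSITORY", "SYS_A"),
        (2, "ROIAM_HUB_REPOSITORY", ""),      (2, "ROIAM_TARGET_REPOSITORY", ""),
        (3, "ROIAM_HUB_REPOSITORY", "HUB_A"), (3, "ROIAM_TARGET_REPOSITORY", None),
        (4, "SOME_OTHER_CONSTANT", "x"),      # ROI iAM constants never created
    ])
    return db

def branch(db, rep_id):
    """Return 'True', 'False', or 'no row' for one repository."""
    row = db.execute(CONDITION, (rep_id,)).fetchone()
    if row is None:
        return "no row"
    return "True" if row[0] == 1 else "False"

def audit(db):
    """Flag repositories whose constants would route provisioning unexpectedly."""
    findings = {}
    ids = [r[0] for r in db.execute(
        "SELECT DISTINCT Repository FROM mc_repository_vars ORDER BY Repository")]
    for rep_id in ids:
        result = branch(db, rep_id)
        target = db.execute(TARGET, (rep_id,)).fetchone()
        if result == "no row":
            findings[rep_id] = "ROIAM_HUB_REPOSITORY not defined; condition returns no row"
        elif result == "True" and not (target and target[0]):
            findings[rep_id] = "hub set but ROIAM_TARGET_REPOSITORY empty"
    return findings

if __name__ == "__main__":
    print(audit(build_sample_db()))
```
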

4. Test provisioning

Test end-to-end provisioning:

  • CreateUser
  • ModifyUser
  • DeleteUser
  • AssignUserMembership
  • RevokeUserMembership
  • EnableUser
  • DisableUser

Important: In the current ROI iAM version, the source of entries does not change. SAP IdM continues to create both MX_PERSON and MX_PRIVILEGE entries; the ROI iAM load jobs enhance them with the values required for provisioning to target systems.