Configuration of a new system that will go through ROI iAM

Prerequisites

  • The installation steps of the IdM accelerator must be completed.
  • The repository must be configured on the ROI iAM side (source, target, system details).
  • Initial load of the system is executed in ROI iAM.
  • All HR users must exist in ROI iAM and have their ROIAM_IDENTIFIER_<hubName> populated in IdM.

Steps

  1. Create connector repository
    • Create a repository of type ROIAM_CONNECTOR.
    • Configure these repository constants:
      • ROIAM_HUB_REPOSITORY – HUB repository storing ROI iAM connection details and configuration.
      • ROIAM_TARGET_REPOSITORY – Name of the system in ROI iAM.

Optional

Configure Privilege MSKEYVALUE/ROIAM UID creation

Configure these constants to apply a custom naming convention to Privileges loaded from the system.

  • ROIAM_UID_TEMPLATE - Controls how the IdM Privilege MSKEYVALUE/ROIAM UID is created. The default value is PRIV:<externalType>:<idm_rep_name>:<displayName>. The following parameters can be placed in angle brackets; each is replaced with data from the groups load or, for idm_rep_name, with the IdM Repository name:

    • id
    • displayName
    • description
    • uniqueIdentifier
    • externalName
    • srcRepository
    • externalType
    • type
    • idm_rep_name
  • ROIAM_UID_REGEX_REPLACE - Regex(es) (delimited with ||) to be replaced in the last section of the template, after the last colon.

  • ROIAM_UID_REGEX_REPLACE_SYMBOL - String(s) (delimited with ||) that replace the text matched by the regex(es) from the ROIAM_UID_REGEX_REPLACE constant. If it holds more than one value, it must hold the same number of values as ROIAM_UID_REGEX_REPLACE. Replacements work in pairs and run sequentially, from left to right.

  • ROIAM_UID_REGEX_REMOVE - Regex(es) or String(s) to be removed from the last section of the template, delimited with ||.

These constants can be set at HUB level, at CONNECTOR level, or both. If any of the fields in the CONNECTOR is empty, the value from the corresponding HUB is used. ROIAM_UID_REGEX_REPLACE and ROIAM_UID_REGEX_REPLACE_SYMBOL must either both be empty or both be configured.
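
The naming rules above as an added JavaScript example (not ROI iAM's own code): it resolves HUB/CONNECTOR values, builds the UID and reports groups whose names normalise to the same UID, which is worth checking before loading privileges. It assumes replacements run before removals, that a single replacement symbol is reused for every regex, and JavaScript regex syntax; all function names and sample values are hypothetical.

```javascript
// Added illustration, not ROI iAM code. Assumptions: values split on "||",
// replace pairs run before removals, one symbol is reused for every regex,
// and JavaScript regex syntax stands in for the product's regex engine.
const DEFAULT_TEMPLATE = "PRIV:<externalType>:<idm_rep_name>:<displayName>";
const PARAMS = ["id", "displayName", "description", "uniqueIdentifier", "externalName",
  "srcRepository", "externalType", "type", "idm_rep_name"];
const KEYS = ["ROIAM_UID_TEMPLATE", "ROIAM_UID_REGEX_REPLACE",
  "ROIAM_UID_REGEX_REPLACE_SYMBOL", "ROIAM_UID_REGEX_REMOVE"];
const split = (v) => (v ? v.split("||") : []);
// An empty CONNECTOR field falls back to the value from its HUB.
const effectiveConfig = (hub, connector) =>
  Object.fromEntries(KEYS.map((k) => [k, connector[k] || hub[k] || ""]));

function buildUid(cfg, group, repName) {
  const re = split(cfg.ROIAM_UID_REGEX_REPLACE);
  const sym = split(cfg.ROIAM_UID_REGEX_REPLACE_SYMBOL);
  if ((re.length === 0) !== (sym.length === 0) || (sym.length > 1 && sym.length !== re.length))
    throw new Error("REPLACE and REPLACE_SYMBOL must be both empty or paired");
  const data = { ...group, idm_rep_name: repName };
  const tpl = cfg.ROIAM_UID_TEMPLATE || DEFAULT_TEMPLATE;
  const fill = (s) => s.replace(/<(\w+)>/g, (m, k) =>
    PARAMS.includes(k) && data[k] != null ? String(data[k]) : m);
  // Cut the template, not the result, so a colon inside a value stays in the last section.
  const cut = tpl.lastIndexOf(":") + 1;
  let tail = fill(tpl.slice(cut));
  const symFor = (i) => (sym.length === 1 ? sym[0] : sym[i]);
  re.forEach((r, i) => { tail = tail.replace(new RegExp(r, "g"), () => symFor(i)); });
  for (const r of split(cfg.ROIAM_UID_REGEX_REMOVE)) tail = tail.replace(new RegExp(r, "g"), "");
  return fill(tpl.slice(0, cut)) + tail;
}

// Groups whose names normalise to one UID would claim the same MSKEYVALUE.
function findCollisions(cfg, groups, repName) {
  const seen = new Map();
  for (const g of groups) {
    const uid = buildUid(cfg, g, repName);
    seen.set(uid, [...(seen.get(uid) || []), g.id]);
  }
  return [...seen].filter(([, ids]) => ids.length > 1);
}

// Constructed sample values; none come from a real system.
const SAMPLE_HUB = { ROIAM_UID_REGEX_REPLACE: "\\s+||&", ROIAM_UID_REGEX_REPLACE_SYMBOL: "_||and",
  ROIAM_UID_REGEX_REMOVE: "[^A-Za-z0-9_]" };
const SAMPLE_GROUPS = [{ id: "g1", displayName: "Finance Admins", externalType: "AD" },
  { id: "g2", displayName: "Finance_Admins", externalType: "AD" },
  { id: "g3", displayName: "R&D: Ops", externalType: "AD" }];
console.log(findCollisions(effectiveConfig(SAMPLE_HUB, {}), SAMPLE_GROUPS, "AD01"));
```
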

  1. Run connector initial load

    • Open the repository in the IdM Admin UI.

    • Go to Jobs and execute job "[1] Read - ROI iAM data".

    • Confirm success by checking:

      • The IdM job log shows success.
      • These database tables exist:
        • roiam_%$rep.$NAME%_users
        • roiam_%$rep.$NAME%_userLinks_load
        • roiam_%$rep.$NAME%_accounts
        • roiam_%$rep.$NAME%_groups
        • roiam_%$rep.$NAME%_groupMembers_load
      • Verify the data in these tables is correct.
    • Run steps 2, 3 and 4 of the connector’s initial load for the new connector repository:

      • Execute job “[2] Write - SAP IdM attributes and system privileges” and confirm it finishes successfully.
      • Execute job “[3] Write - ROI iAM data in IdM” and confirm backend user access in IdM.
      • When it is verified that all entries and links are successfully created in IdM, execute job “[4] Activate - IdM triggers” to add the triggers to the respective privileges.
    • Once all jobs are executed, the system can be considered as fully live.

  2. Test provisioning

    INFO

    This step is required only for the pilot system.

    Test end-to-end provisioning:

    • CreateUser
    • ModifyUser
    • DeleteUser
    • AssignUserMembership
    • RevokeUserMembership
    • EnableUser
    • DisableUser

Important: In the current ROI iAM version, the source of the entries does not change. SAP IdM continues to create both MX_PERSON and MX_PRIVILEGE entries, while the ROI iAM load jobs enhance them with the values required for provisioning to target systems.