Rule-based assignment of the company address to

Note: In the blog, we use the organizational unit as input for resolving the company address. In other scenarios, it might be better to use the personnel area (company) or the personnel subarea (location) for company address assignment.

Contents of this blog are: Data Modelling, binding of a Web AS ABAP system to the SAP NW IdM, development of Java scripts as well as the configuration of the Workflow component

Agenda

• 1. Explanation of the example scenario
• 2. Provide the data model
• 3. Implementation
• 3.1 Connecting a Web AS ABAP system
• 3.1.1 Initial Load Job
• 3.1.2 Staging Area
• 3.2 Development of the Java script routines
• 4. Workflow

• 1. Explanation of the example scenario

  The businesses partner objects are loaded from the ERP-system into SAP NetWeaver Identity management. The company addresses are loaded from the Web AS ABAP systems. Alternatively, the new company Addresses can be created in the workflow module of SAP NW IdM. In any case, SAP NW IdM is the leading system for both after the initial load.

  The picture below shows the scenario, which is to be implemented. During reading the employees into the Identity Store, an assignment rule assigns the company address, depending on the organizational unit, the employee belongs to, to the person object. Using the workflow this can be indicated in the profile of the employees. The before configured data model of the SAP NW IdM must be adapted accordingly.

  

  2. Provide the data model

  Additionally to the two existing entry types MX_Person and MX_COMPANY_ADDRESS an own entry type Z_HCMORGUNIT must be created. For each relationship between the entry types there are two attributes: MXREF_xxx and MXMEMBER_xxx. The arrows in the upper picture show the MXMEMBER attributes. A company address can have relations to several organizational units and an organizational unit can have relations to several persons. In addition, the org unit itself can be structured hierarchically.

  Subsequently, the entry types are adapted and so the data model for the implementation is being provided.

  Entry type: Z_HCMORGUNIT

  The necessary entry type Z_HCMORGUNIT will provide in the identity center under the “identity store”, “identity store pattern”, “entry types”. In the context menu of entry types click you of “New”, than on entry type. Subsequently, you can under “attributes” define your own attributes. After all attributes are put on, click double on the entry type, the following window opens. Navigate to the tab „relation“ and activate under „Allow“ the entry type MX_COMPANY_ADDRESS and MX_PERSON.

  

  In the tab “attributes” under “Allow” activate the check boxes.

  Entry type: Company Address

  Also with entry type company address must be manufactured the relations with both other entry types, see the following picture.

  

  By setting the relations before, the SAP NW IdM produces automatically the two attributes MXMEMBER_Z_HCMORGUNIT and MXMEMBER_MX_PERSON. The check box under „Allow“ must be activated here likewise.

  Entry type: MX_PERSON

  In the tab „relation “in the entry type MX_PERSON does not have to be activated a check box.

  

  Since no connections are defined to other entry types, so SAP NW IdM system generate only MXREF-attributes and no MXMEMBER-attributes.

  After the data model is so far provided, we can start with the actual implementation.

  3. Implementation

  First a Web AS ABAP system is connected at the SAP NW IdM system, in order to load the company addresses into the Identity store. Subsequently, on the data base server two tables are provided. The first table contains the organisational units and the second the persons. In practice, these tables are filled for example by SAP PI. But you can create the tables easily on the data base server without any SAP PI System. In the next step a Statging Area is implemented in the Identity center, in order to load the data records of the two tables into the Identity store. In the last step a Java script is developed, which makes the automatic assignment of the company addresses with the employees.

  3.1 Connecting a Web AS ABAP system

  Click in the Identity center under „management“, „to Repositories“ and select in the context menu „new“, than „Repository… “.

  

  In the Repository Wizard select under „Identity center “, „Repositories “, „SAP NetWeaver AS ABAP (Specific Application server) “.

  Enter for the Repository a name, optionally can a description be added.

  

  In the next window you write the connection data from your Web AS ABAP system. Importantly here is the task IDs of Provisioning-, Deprovisioning- and Modifytask. These find you under the imported SAP Provisioning Framework, in the Identity Store under „System Type Specific Tasks“, „AS ABAP Tasks“.

  Terminate in the end the Wizard with „the finish “- button.

  

  Next the initials load job is put on.

  3.1.1 Initial Load Jobs

  Create under your Identity Store a new folder for the Web AS ABAP system. In the context menu, choose “New” and “Run job Wizard…”.

  Click on „Next“.

  

  Select from the Templates under „Jobs_SAP NetWeaver “the job „AS ABAP – initial load “.

  In the end the just now provided Repository is to be selected.

  

  Close the Wizard with „finish “.

  The following picture shows, which pass can be disabled.

  

  Before you start the job, this must be activated in the tab „option“ and assigned to a dispatcher. Subsequently, you click on the button „Run now “. In the job logs examine you please whether the job was successful.

  Table: HCM_ORGUNIT

  The following picture shows the table HCM_ORGUNIT. The table contains the columns „ORGOBJECTID“, „ORGNAME“, „SPRACHE“, „PARENT“, „CHILD“ and „LEITUNG“. Please create the table on your data base server and provide data. In our use case, the data is provided directly from the HR system (using SAP PI and the standard extraction routines on the HR system)

  

  Table: HCM_BUPA

  The table HCM_BUPA, stores the employees of the company and has among other things the columns „Uniqueid“, „Last name“, Birth name“, „Second name“, „First name“ and „Organisation Unit“. Please create this table, too. This table is the staging area for employee data coming e.g. from an HR system. For the implementation, you can also populate information by hand.

  3.1.2 Staging Area

  Create under the Identity Store in the Identity Center a new folder with the name „Statging Area“. In the context menu of the folder, please click on „New“ and afterwards on „Empty job”.

  

  Within the job you insert a “To Identity Store“ pass.

  In the tab „SOURCE “is indicated by SQL statement the table HCM_BUPA. In the “Destination” tab select MX_PERSON under “Entry type” and the attributes from the table.

  

  The same steps are to be accomplished also for the table HCM_ORGUNIT. After the two jobs are created, now the Java script can be developed.

  3.2 Development of the Java script routines

  The Java script looks in the data record of the organizational unit, which is assigned to the employees, first for the attribute MXREF_MX_COMPANY_ADDRESS in the column “Attrname”. If a mskey is in the column “Avalue”, this is registered with the person under that attributes MXREF_MX_COMPANY_ADDRESS.

  Against it if no value is found, the Java script looks for the attribute MXREF_Z_HCMORGUNIT, whether the organizational unit of another organizational unit is subordinated. If this is the case, the company ADDRESS of the superordinate organizational unit is taken.

  The following source code shows the parameters, which are handed over to the function.

  var field = Par.split(“!!”);

  var parPrefix = field[0];

  var parUniqueid = field[1];

  var parOrgunit = field[2];

  var idStore = field[3];

  Further variables must be created.

  var SQL = “”;

  var sqlOrgunitKey = “”;

  var finalCaKey = “”;

  var sqlCaDefaultKey = “”;

  var sqlCaOrgunitKey = “”;

  var counter = 0;

  var counterMax = 5;

  In the first step the default company address is determined.

  SQL = “Select mskey from mxiv_sentries where is_id=’” + idStore + “‘ and avalue = ‘COMPANY:SAP_IDM_DEFAULT’”; sqlCaDefaultKey = UserFunc.uSelect(SQL);

  Next the Mskey of the organizational unit of the user is determined.

  SQL = “SELECT mskey from mxiv_sentries where avalue=’”+ parPrefix + “:” + parOrgunit+”‘”; sqlOrgunitKey = UserFunc.uSelect(SQL);

  In the loop it is examined whether the organizational unit already possesses a company address, if not after a Parent looked, has also this no address than SAP default company address assigned.

  SQL = “Select avalue from mxiv_sentries where mskey=’” + sqlOrgunitKey + “‘ and attrname = ‘MXREF_MX_COMPANY_ADDRESS’ and is_id =’” + idStore + “‘”; sqlCaOrgunitKey = UserFunc.uSelect(SQL);

  if (sqlCaOrgunitKey != “”)

  finalCaKey = sqlCaOrgunitKey;

  counter = counterMax;

  else

  SQL = “Select avalue from mxiv_sentries where mskey=’” + sqlOrgunitKey + “‘ and attrname = ‘MXREF_Z_HCMORGUNIT’ and is_id =’” + idStore + “‘”;

  sqlOrgunitKey = UserFunc.uSelect(SQL);

  if (sqlOrgunitKey == “”)

  finalCaKey = sqlCaDefaultKey;

  counter = counterMax;

  counter++;

  while (counter<counterMax);

  return finalCaKey;

  During the development of the scriptes you can need the tag “UserFunc.uErrMsg (1, “XXX “) to write values in the system log.

  After you finished the Java script, you can call the function in the tab “Destination” of the pass from the HCM_BUPA job. Than start the job. Please look in the job log whether, possibly errors arose.

  

  Configuration of the Workflow

  In the last step the Workflow will be implemented. Under the „SAP Provisioning Framework“ folder is the folder „Web Enabled task “. Please create here two new folders. One folder for the company address and the other one for the persons. Activate on the tab „general “the check box „show folder in workflow “. Next you create in the both folders a ordered task group to show the company addresses and the identities in the workflows. Activate in the folder, in the tab “options” the checkbox “Public task” and the checkbox “Show on welcome page”. In the tab „attribute “the desired attributes can be selected. In the end we regard the result in the Workflow.

  4. Workflow

  The Workflow in the following picture shows a lot of Self and Deleagted services.

  

  Company Address

  Navigate to the announcement of the company address, in the selection find you all company addresses of the Web AS ABAP system which was tied up before.

  Show the Identities

  Next we go to the identities. Navigate to the order task group, which was created before.

  

  Select a identity.

  If you selected the correct attributes with the Workflow configuration, you see the linkage with the organizational unit as well as the assigned address.