Version 1.2 SAP Governance Module · 2019. 7. 12.
SailPoint IdentityIQ Version 1.2

SAP Governance Module

This document and the information contained herein is SailPoint Confidential Information.

Copyright © 2019 SailPoint Technologies, Inc., All Rights Reserved.

SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced, publicly displayed, used to create derivative works, or translated to another language, without the prior written consent of SailPoint Technologies. The information contained in this document is subject to change without notice.

Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws and regulations as they relate to software and related documentation. Licensee will not export or re-export outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism; a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Government's Specially Designated Nationals (SDN) List; a party prohibited from participation in export or re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software and related documentation.

Copyright and Trademark Notices. Copyright © 2019 SailPoint Technologies, Inc. All Rights Reserved. All logos, text, content, including underlying HTML code, designs, and graphics used and/or depicted on these written materials or in this Internet web site are protected under United States and international copyright and trademark laws and treaties, and may not be used or reproduced without the prior express written permission of SailPoint Technologies, Inc.

“SailPoint Technologies & Design,” “SailPoint,” “IdentityIQ,” “IdentityNow,” “SecurityIQ,” “AccessIQ,” “Identity Cube” and “Managing the Business of Identity” are registered trademarks of SailPoint Technologies, Inc. “IdentityAI,” “Identity is Everything” and “The Power of Identity” are trademarks of SailPoint Technologies, Inc. None of the foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc. All other trademarks shown herein are owned by the respective companies or persons indicated.

SailPoint IdentityIQ SAP Governance Module Setup

Supported Databases

• IBM DB2 10.5 and 11.1

• MySQL 5.6 and 5.7

• Microsoft SQL Server 2016 and 2017

• Oracle 12cR2

Pre-install Steps for the SailPoint IdentityIQ SAP Governance Module

Note: The SAP Governance Module requires SailPoint IdentityIQ version 7.3 or later for the core set of features provided.

The SailPoint IdentityIQ SAP Governance Module is a separately licensed component that includes direct ABAP connectivity to SAP ERP environments, user interface enhancements, and new filtering capabilities.

Note: You must have the proper administration access to IdentityIQ, including access to the server and directory location that hosts the product installation, the ability to create new application connections, and the ability to load new plugins.

You must perform the following tasks before installing the SAP Governance Module.

Create New Application Connections to SAP

The IdentityIQ SAP Governance Module is compatible with all existing SailPoint connectivity for SAP environments. Licensing for connectivity to SAP ERP data (SAP Direct) is included as part of the IdentityIQ SAP Governance Module.

The SAP application connectors for HR/HCM and ERP resource data are available with the SAP application type when creating a new application connection on the Application Definition page.

iiq.properties

You must review the settings in your iiq.properties file and update the following:

• plugins.enabled: Must be set to true

• plugins.angularSnippetEnabled: Must be set to true

• pluginsDataSource.username: The plugin dataSource username

• pluginsDataSource.password: The plugin dataSource password

• pluginsDataSource.url: The connection string to the plugin dataSource

• pluginsDataSource.driverClassName: The JDBC driver class used for the DB connection
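The following script is an added example, not SailPoint code, that reads an iiq.properties file and checks the plugin settings listed above before you attempt the install. The excerpt of iiq.properties it runs against is constructed; the JDBC driver class names it recognises are the standard ones for the four supported databases, and the URL prefix check (jdbc:mysql:, jdbc:oracle:, ...) is this script's own sanity check, not something IdentityIQ enforces.

```python
"""Check the iiq.properties settings the SAP Governance Module needs.

Added example, not SailPoint code. Parses a java-style properties file and
verifies the plugin keys the module requires. SAMPLE_PROPERTIES is constructed.
"""
import re

# Standard JDBC driver classes for the supported databases (IBM DB2, MySQL,
# Microsoft SQL Server, Oracle), used only to recognise the configured vendor.
KNOWN_DRIVERS = {
    "com.ibm.db2.jcc.DB2Driver": "IBM DB2",
    "com.mysql.jdbc.Driver": "MySQL",
    "com.mysql.cj.jdbc.Driver": "MySQL",
    "com.microsoft.sqlserver.jdbc.SQLServerDriver": "Microsoft SQL Server",
    "oracle.jdbc.OracleDriver": "Oracle",
    "oracle.jdbc.driver.OracleDriver": "Oracle",
}
# Expected JDBC URL prefix per vendor (this script's own consistency check).
URL_PREFIX = {
    "IBM DB2": "jdbc:db2:",
    "MySQL": "jdbc:mysql:",
    "Microsoft SQL Server": "jdbc:sqlserver:",
    "Oracle": "jdbc:oracle:",
}


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value,
    key:value or key value pairs, and backslash line continuation."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_plugin_settings(props):
    """Return a list of problems; an empty list means the prerequisites are met."""
    problems = []
    for key in ("plugins.enabled", "plugins.angularSnippetEnabled"):
        if props.get(key, "").lower() != "true":
            problems.append(f"{key} must be set to true (found {props.get(key)!r})")
    for key in ("pluginsDataSource.username", "pluginsDataSource.password",
                "pluginsDataSource.url", "pluginsDataSource.driverClassName"):
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    driver = props.get("pluginsDataSource.driverClassName")
    url = props.get("pluginsDataSource.url", "")
    vendor = KNOWN_DRIVERS.get(driver)
    if driver and not vendor:
        problems.append(f"unrecognised JDBC driver {driver!r}; supported databases are "
                        "DB2, MySQL, SQL Server and Oracle")
    if url and not url.startswith("jdbc:"):
        problems.append(f"pluginsDataSource.url does not look like a JDBC URL: {url!r}")
    elif vendor and url and not url.startswith(URL_PREFIX[vendor]):
        problems.append(f"pluginsDataSource.url {url!r} does not match the {vendor} driver")
    return problems


# Constructed excerpt: plugins switched on, angular snippets left off, no password.
SAMPLE_PROPERTIES = """\
# iiq.properties (constructed excerpt)
plugins.enabled=true
plugins.angularSnippetEnabled=false
pluginsDataSource.username=identityiqPlugin
pluginsDataSource.password=
pluginsDataSource.url=jdbc:mysql://localhost/identityiqPlugin?useServerPrepStmts=true
pluginsDataSource.driverClassName=com.mysql.jdbc.Driver
"""

if __name__ == "__main__":
    for problem in check_plugin_settings(parse_properties(SAMPLE_PROPERTIES)):
        print("PROBLEM:", problem)
```

The password check only confirms the key is populated. IdentityIQ accepts values produced by the iiq encrypt console command in iiq.properties, so there is no reason to leave the plugin dataSource password in clear text on the application server.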

ManagedAttributeExtended.hbm.xml

The ManagedAttribute ObjectConfig is updated automatically when the plugin is installed, but the database columns that back the new extended attributes are not: you must update the managed attribute table manually.

A ManagedAttributeExtended.hbm.xml file containing the required column mappings is included in the module distribution.

Update your Managed Attribute table as follows:

Updating the ManagedAttributeExtended.hbm.xml

1. Open ManagedAttributeExtended.hbm.xml from SAP_Governance_Module-1.2.zip\src\sailpoint\object

2. Open ManagedAttributeExtended.hbm.xml from your identityIQ_installation directory

3. Copy the section between <!--SAP Landscape Hierarchy Columns START--> and <!--SAP Landscape Hierarchy Columns END-->

4. Paste the section into the file from the identityIQ_installation directory

5. Navigate to the bin directory in the identityIQ_installation directory

6. Run iiq extendedSchema. This generates a DDL file for each supported database type.

If this is an initial install, the generated DDL is executed as part of table creation by create_identityiq_tables-<version>.<dbType>.

If you are adding the module to a previous install:

Note: You might see errors during the following step; they can safely be ignored.

7. Run add_identityiq_extensions.<dbType> to add the columns. The file is located at IdentityIQ Install Folder/WEB-INF/database/add_identityiq_extensions.<dbType>

8. Verify that these three named columns were added to the spt_managed_attribute table:

• hvSapLandscape

• hvSapSystem

• hvSapClient

Update XML Content for the SAP Application Page

For the SAP resource hierarchy to function, it must have three SAP attributes defined for the application.xml content associated with that application.

Select this application name when creating the connection to SAP for direct, ERP, or HR/HCM access.

The three SAP attribute values for direct or ERP connectors are, for example:

• <entry key="clientNumber" value="222"/>

• <entry key="hierarchyVisualizerLandscape" value="DEV"/>

• <entry key="systemID" value="22"/>

On an existing SAP Direct or ERP application connection, the client number and system ID entries are already present, for example:

• <entry key="clientNumber" value="001"/>

• <entry key="systemID" value="00"/>

If you are using the SAP Direct or ERP connector, two of these fields are therefore already populated with the SAP client number and system ID values that were configured for the application connection. You only need to add the entry key for hierarchyVisualizerLandscape to the application.xml file.

Updating the Application.xml

1. Login to IdentityIQ with an administrative account

2. Open the Debug page

3. Select Application from the Select an Object drop-down list

4. Click on your Application in the table

5. Add the landscape key and value. For example: <entry key="hierarchyVisualizerLandscape" value="DEV"/>

Typical values are QA, DEV, and PROD.
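As an added example (not SailPoint code), the following script checks an Application XML for the three entries the resource hierarchy needs and adds the hierarchyVisualizerLandscape entry when it is missing, which is the manual Debug-page step above done offline on an exported object. The Application XML it runs against is a constructed, simplified sketch of what the Debug page shows (a real export begins with a DOCTYPE line and carries many more attributes); the three-digit clientNumber check follows SAP's client numbering, the two-digit systemID check simply follows the example values above, and the typical landscape names come from the text.

```python
"""Check and complete the SAP entries in an IdentityIQ Application XML.

Added example, not SailPoint code. SAMPLE_APPLICATION_XML is a constructed
sketch of an Application object; the checks encode the values shown in the
setup text (three-digit client, two-digit system ID, landscape QA/DEV/PROD).
"""
import re
import xml.etree.ElementTree as ET

REQUIRED_KEYS = ("clientNumber", "systemID", "hierarchyVisualizerLandscape")
TYPICAL_LANDSCAPES = {"QA", "DEV", "PROD"}


def sap_entries(app_xml):
    """Return {key: value} for every <entry> in the application's attribute map."""
    root = ET.fromstring(app_xml)
    return {e.get("key"): e.get("value") for e in root.iter("entry") if e.get("key")}


def check_sap_entries(app_xml):
    """Return a list of problems for the three SAP attributes the hierarchy needs."""
    entries = sap_entries(app_xml)
    problems = []
    for key in REQUIRED_KEYS:
        if not entries.get(key):
            problems.append(f"missing entry key {key!r}")
    client = entries.get("clientNumber")
    if client and not re.fullmatch(r"\d{3}", client):
        problems.append(f"clientNumber {client!r} is not a three-digit SAP client")
    system = entries.get("systemID")
    if system and not re.fullmatch(r"\d{2}", system):
        problems.append(f"systemID {system!r} is not a two-digit value like the examples")
    landscape = entries.get("hierarchyVisualizerLandscape")
    if landscape and landscape not in TYPICAL_LANDSCAPES:
        problems.append(f"hierarchyVisualizerLandscape {landscape!r} is not one of "
                        f"{sorted(TYPICAL_LANDSCAPES)}")
    return problems


def add_landscape_entry(app_xml, landscape):
    """Set <entry key="hierarchyVisualizerLandscape"/> in the Attributes/Map,
    adding it if absent, and return the updated XML text."""
    root = ET.fromstring(app_xml)
    target = root.find("Attributes/Map")
    if target is None:          # fall back to the root for unexpected layouts
        target = root
    for entry in target.findall("entry"):
        if entry.get("key") == "hierarchyVisualizerLandscape":
            entry.set("value", landscape)
            break
    else:
        ET.SubElement(target, "entry", key="hierarchyVisualizerLandscape", value=landscape)
    return ET.tostring(root, encoding="unicode")


# Constructed sketch of an SAP - Direct application before the landscape entry
# has been added; clientNumber and systemID come from the connection setup.
SAMPLE_APPLICATION_XML = """\
<Application name="SAP Direct DEV" type="SAP - Direct">
  <Attributes>
    <Map>
      <entry key="clientNumber" value="222"/>
      <entry key="systemID" value="22"/>
    </Map>
  </Attributes>
</Application>
"""

if __name__ == "__main__":
    print("before:", check_sap_entries(SAMPLE_APPLICATION_XML))
    fixed = add_landscape_entry(SAMPLE_APPLICATION_XML, "DEV")
    print("after: ", check_sap_entries(fixed))
    print(fixed)
```

Run check_sap_entries against each SAP application you export from the Debug page; any application that still reports a missing hierarchyVisualizerLandscape will not appear correctly in the SAP resource hierarchy.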

SAP Plugin Installation

Note: The SAP Governance Module requires SailPoint IdentityIQ version 7.3 or later.

After the steps above have been completed, install the SAP Governance Module, which is delivered as an IdentityIQ plugin.

Installing the SAP Plugin

1. Login to IdentityIQ with an administrative account

2. Click the gear icon and select Plugins

3. Click New

4. Navigate to the plugin file location

5. Drag the file into the plugin download area

The file will self-extract, install, and display a success message upon completion.

For detailed information about installing and using plugins within SailPoint IdentityIQ, refer to the latest version of the SailPoint IdentityIQ Administration Guide, “Chapter 4: Working with Plugins.”

SAP Plugin Task Setup and Maintenance

You must run a few tasks to make sure the plugin runs and loads correctly.

Note: These tasks must be run during setup and periodically as your SAP systems change. It is recommended that they be run any time the source systems are aggregated.

To run the SAP Plugin tasks, use New Task on the IdentityIQ Tasks page. Tasks can be as general or specific as required.

1. Click or mouse over the Setup tab and select Tasks to open the Tasks page

2. Select a task type from the New Task drop-down list to open the New Task page

3. Enter a name and brief description for the new task. This information is displayed in the Tasks table when the new task is saved

Hierarchy Visualizer HR Sync Task

This task syncs HR hierarchy data within IdentityIQ with the plugin's dataSource.

Exposed Task Fields:

• IdentityIQ (checkbox): Use the IdentityIQ manager to create the hierarchy. Note: when selected, the rest of the fields are ignored.

• Application (drop-down): Select an application from which to build the relational data.

• Attribute (string): The attribute used to build the hierarchy.

Hidden Task Fields:

Note: These fields can only be modified from the IdentityIQ Debug page.

• hierarchyName: The name of the hierarchy to find or create.

• rootNodeName: The name of the root node in the hierarchy.

Hierarchy Visualizer SAP Organizational Resource Sync Task

This task syncs SAP - Direct Connector organization data within IdentityIQ with the plugin's dataSource.

Exposed Task Fields:

• SAP Direct (checkbox, selected by default): Run against all SAP - Direct applications within IdentityIQ.

• Application (drop-down): Deselect SAP Direct and manually select the application used to build the relational data.

• Default Organizational Hierarchy: Load and hold the name of the default hierarchy for the resource hierarchy.

Hidden Task Fields:

Note: These fields can only be modified from the IdentityIQ Debug page.

• hierarchyName: The name of the hierarchy to find or create.

• rootNodeName: The name of the root node in the hierarchy.

Hierarchy Visualizer SAP Role and Landscape Loader Task

Note: Roles in this case are Managed Attributes.

For the SAP Role search to work correctly, some data must be copied from the SAP applications to their roles. This task moves that data from the application to the roles.

Exposed Task Fields:

• Application (drop-down): The application used to build the relational data.

Hierarchy Visualizer Import Sync New Task

This task loads identity and SAP data from an external file in CSV format into the hierarchy plugin.

Exposed Task Fields:

• File Path: The path of the CSV file.

• ChildId Header Name: The column that represents the childId. By default it is id.

• ParentId Header Name: The column that represents the parentId. By default it is parentid.

• Delimiter Name: The delimiter to use. The default is ,

• Overwrite Hierarchy: Overwrite the existing hierarchy, or update it.

• Error File Name: The name of the error file. It is stored in the downloads directory.

SAP Role Authorization Object Flattener Task

Note: This task requires SailPoint IdentityIQ version 7.3 P2 or later.

This SAP Governance Module task flattens the Authorization Objects string for all roles from the specified application into a list of individual values.

Exposed Task Fields:

• Application (drop-down): The application used to build the relational data.
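Before handing a file to the Hierarchy Visualizer Import Sync task described above, it is worth checking that the child/parent rows actually form a tree; a parent id that never appears as a child, a duplicated child id, or a cycle cannot be placed in a hierarchy. The following is an added example, not SailPoint code: a validator that takes the same settings the task exposes (child header, parent header, delimiter, with the task's defaults of id, parentid and ",") and reports the rows it would reject. The CSV content is constructed, and the (row number, message) tuples are this script's own format, not the layout of the task's error file.

```python
"""Validate a child/parent hierarchy CSV before running Import Sync.

Added example, not SailPoint code. Header names and delimiter default to the
values the Import Sync task uses (id, parentid, ","). SAMPLE_CSV is constructed.
"""
import csv
import io


def validate_hierarchy_csv(text, child_header="id", parent_header="parentid", delimiter=","):
    """Return (roots, errors): the root ids (rows with an empty parent) and a list
    of (row_number, message) tuples. Row 1 is the header line."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    fields = reader.fieldnames or []
    errors = [(1, f"header {h!r} not found; columns are {fields}")
              for h in (child_header, parent_header) if h not in fields]
    if errors:
        return [], errors

    parent_of, row_of = {}, {}
    for row_no, row in enumerate(reader, start=2):
        child = (row.get(child_header) or "").strip()
        parent = (row.get(parent_header) or "").strip()
        if not child:
            errors.append((row_no, f"empty {child_header}"))
        elif child in parent_of:
            errors.append((row_no, f"duplicate {child_header} {child!r}"))
        elif child == parent:
            errors.append((row_no, f"{child!r} lists itself as parent"))
        else:
            parent_of[child], row_of[child] = parent, row_no

    # A parent that is never defined as a child leaves the row unattached.
    for child, parent in parent_of.items():
        if parent and parent not in parent_of:
            errors.append((row_of[child], f"{child!r} refers to unknown parent {parent!r}"))

    # Cycle detection: follow parent pointers from every node; meeting a node
    # already on the current walk means the chain never reaches a root.
    reported = set()
    for start in parent_of:
        walk, node = [], start
        while node in parent_of and parent_of[node]:
            if node in walk:
                cycle = walk[walk.index(node):]
                if frozenset(cycle) not in reported:
                    reported.add(frozenset(cycle))
                    errors.append((row_of[cycle[0]], "cycle: " + " -> ".join(cycle + [node])))
                break
            walk.append(node)
            node = parent_of[node]

    roots = sorted(c for c, p in parent_of.items() if not p)
    return roots, errors


# Constructed sample: a small org tree plus an orphan (parent 900 is never
# defined), a duplicated id and a two-node cycle.
SAMPLE_CSV = """\
id,parentid,name
100,,Corporate
110,100,Finance
111,110,Accounts Payable
112,110,Accounts Receivable
120,100,IT
130,900,Orphaned Unit
111,110,Duplicate AP
210,220,Loop A
220,210,Loop B
"""

if __name__ == "__main__":
    roots, errors = validate_hierarchy_csv(SAMPLE_CSV)
    print("roots:", roots)
    for row_no, message in errors:
        print(f"row {row_no}: {message}")
```

Pass the same header names and delimiter you intend to configure on the task; a file that validates with the defaults but is imported with a different Delimiter Name setting will still be rejected by the task.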

Full Text Index Refresh

Note: If full text search is turned on, this task should be run anytime the previous tasks are run.

This task is included with IdentityIQ and is used when full text search is turned on.

SAP Plugin Usage

Access Control for the Hierarchy Visualizer

You must assign the following capabilities in IdentityIQ before an identity can see or use the Hierarchy Visualizer. These can be assigned directly on the Identity Detail page or through the creation and assignment of a role.

• VisualizerPluginAccess

• HierarchyVisualizerViewIcon

HR Hierarchy Visualizer

Note: One of the sync tasks mentioned previously needs to run successfully in order to populate one or more SAP hierarchies.

Note: Steps 2 and 3 are only required if you need a hierarchy different than the default.

1. Select the Hierarchy Visualizer button, which is located in the following locations within IdentityIQ:

• Identity Warehouse page

• Access Requests -> Select Users tab

• View/Edit Identity pages

2. Select Open

3. Select the hierarchy for your Search – HR Hierarchy by default

4. Search the tree for the desired identity

5. Right click on the Identity

6. Click Select Node

7. The selected identity will populate the associated field on that page.

Organizational Hierarchy Visualizer

1. Select the Hierarchy Visualizer button located in the Access Requests -> Manage Access tab, Filter expansion

2. Select Open

3. Select the hierarchy for your Search – SAP Direct Organization by default

4. Search the tree for the desired system

5. Right click the System

6. Click Select Node

7. The three fields in the filter are populated (Landscape, System, Client).

SAP Filters

The three filter fields for SAP landscape, system, or client values are displayed on the filter expansion of the Access Requests -> Manage Access tab.

Use one or more of these filters to reduce the result set to a more manageable size for browsing and selection.

Using SAP Role Attributes in Policies

Note: Support for Authorization Object field values within effective Entitlement SOD policy rules requires IdentityIQ version 7.3 P2 or higher. If you have more than one SAP instance connected to IdentityIQ, use the advanced search to filter on both application and Type = “Role” to ensure you select the correct Role name.

You must provide the entitlement value exactly as it appears in the entitlement catalog for aggregated SAP roles. To view those values:

1. Navigate to the Entitlement Catalog page

2. Select your SAP application instance and SAP role name

3. Scroll to see a list of entitlement names and values for the selected SAP role. Entitlements with the attribute TCodes are Tcode values, and those with the attribute FlatAuthObjects are Authorization Object field values

4. Copy the entire value string to use as the entitlement value on the SOD policy page when creating a new policy violation rule. You can select different combinations of Authorization Object and Tcode values when creating a new Effective Entitlement SOD Policy.

Create SOD policy violation rules that include SAP Tcode and Authorization Object values as follows:

1. After aggregating SAP role data, run the Effective Access Index Refresh task

2. Navigate to the Policies page

3. Select Effective Entitlement SOD Policy from the New Policy drop-down menu

4. Click Create New Rule in the SOD Policy Rules section

5. Select your SAP application instance from the drop-down menu in the First Entitlement Set

6. Click Add Attribute to display the application attribute configuration information

7. Select either TCodes or FlatAuthObjects from the Select Attribute drop-down menu

8. Enter the value for the Tcode or FlatAuthObjects in the corresponding Value field
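The policy built in the steps above is evaluated against the identity's effective SAP entitlements: each aggregated role contributes its TCodes and FlatAuthObjects values, and a rule fires when an identity holds at least one value from the first entitlement set and one from the second. The following is an added example, not SailPoint code, that models that evaluation so you can see why the value must be copied exactly as it appears in the entitlement catalog and why each condition is scoped to one SAP application instance. The catalog, role names, T-codes and the flattened authorization-object strings are constructed sample data; real FlatAuthObjects values look however your catalog shows them.

```python
"""Evaluate an Effective Entitlement SOD rule over SAP role data.

Added example, not SailPoint code. CATALOG stands in for the entitlement
catalog after aggregation and the Authorization Object Flattener task; all
role names and values are constructed.
"""
from dataclasses import dataclass

# Constructed entitlement catalog: application -> role -> attribute -> values.
# FlatAuthObjects strings are placeholders, not real SAP authorization syntax.
CATALOG = {
    "SAP ERP PROD": {
        "Z_AP_INVOICE_ENTRY": {
            "TCodes": {"FB60", "MIRO"},
            "FlatAuthObjects": {"F_BKPF_BUK ACTVT=01", "F_LFA1_BUK ACTVT=03"},
        },
        "Z_AP_PAYMENT_RUN": {
            "TCodes": {"F110"},
            "FlatAuthObjects": {"F_REGU_BUK ACTVT=21"},
        },
        "Z_DISPLAY_ONLY": {
            "TCodes": {"FB03"},
            "FlatAuthObjects": {"F_BKPF_BUK ACTVT=03"},
        },
    }
}


@dataclass(frozen=True)
class Condition:
    application: str   # the SAP application instance selected in the rule
    attribute: str     # "TCodes" or "FlatAuthObjects"
    value: str         # exactly as shown in the entitlement catalog


@dataclass(frozen=True)
class SodRule:
    name: str
    first_set: tuple   # Conditions of the First Entitlement Set
    second_set: tuple  # Conditions of the Second Entitlement Set


def effective_entitlements(role_assignments):
    """Expand {application: [roles]} into the (application, attribute, value)
    triples the identity effectively holds, the view the Effective Access Index
    Refresh task makes available to policy evaluation."""
    held = set()
    for app, roles in role_assignments.items():
        for role in roles:
            for attribute, values in CATALOG.get(app, {}).get(role, {}).items():
                held.update((app, attribute, value) for value in values)
    return held


def evaluate_rule(rule, role_assignments):
    """Return (matched_first, matched_second) on a violation, else None.
    Matching is an exact, case-sensitive comparison of the catalog value."""
    held = effective_entitlements(role_assignments)
    first = [c for c in rule.first_set if (c.application, c.attribute, c.value) in held]
    second = [c for c in rule.second_set if (c.application, c.attribute, c.value) in held]
    return (first, second) if first and second else None


# Constructed toxic combination: entering vendor invoices and running payments.
INVOICE_VS_PAYMENT = SodRule(
    name="AP invoice entry vs payment run",
    first_set=(Condition("SAP ERP PROD", "TCodes", "FB60"),
               Condition("SAP ERP PROD", "TCodes", "MIRO")),
    second_set=(Condition("SAP ERP PROD", "TCodes", "F110"),
                Condition("SAP ERP PROD", "FlatAuthObjects", "F_REGU_BUK ACTVT=21")),
)

if __name__ == "__main__":
    clerk = {"SAP ERP PROD": ["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"]}
    hit = evaluate_rule(INVOICE_VS_PAYMENT, clerk)
    if hit:
        print(f"violation of {INVOICE_VS_PAYMENT.name!r}:",
              [c.value for c in hit[0]], "and", [c.value for c in hit[1]])
```

Note that a rule written with "fb60" instead of "FB60", or pointed at a different SAP application instance than the one whose roles the identity holds, silently never fires; that is the failure the exact-value and application-filter advice above guards against.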
