
Configuring LDAP Connector in Compliant User Provisioning of GRC Access Control (Formerly Virsa Access Enforcer)

Applies to:
SAP GRC Access Control, release 5.x

Summary
When implementing compliant user provisioning in GRC Access Control, the system is typically linked to an
LDAP repository. This paper outlines the configuration of the LDAP connector and provides sample mappings for
Active Directory, SunOne, E-Directory, and Tivoli.
Authors: Alpesh Parmar, Aman Chuttani
Company: SAP
Created on: 21 January 2008

Author Bio
Alpesh Parmar is a principal consultant at Regional Implementation Group (RIG) SAP GRC. He is an expert
in GRC Access Control and was instrumental in many successful Access Control ramp-up implementations.
Prior to joining RIG he was part of the Access Control development team.
Aman Chuttani works as a consultant in SAP’s GRC RIG. He has gained extensive experience supporting
SAP's customers in the implementation of SAP GRC Access Control.

SAP DEVELOPER NETWORK | sdn.sap.com BUSINESS PROCESS EXPERT COMMUNITY | bpx.sap.com


© 2008 SAP AG

Table of Contents
Configuring LDAP System for Compliant User Provisioning in GRC Access Control
  Configuring LDAP Connector
  Sample Connector Configuration for Different LDAP Types
    Active Directory
    SunOne
    Novell’s E-Directory
    IBM Tivoli
  Mapping LDAP Fields
  Sample LDAP Mapping Screenshots for Different Directory Types
    LDAP Mapping for Microsoft Active Directory
    LDAP Mapping for SunOne
    LDAP Mapping for Novell’s E-Directory
    LDAP Mapping for IBM Tivoli
Copyright


Configuring LDAP System for Compliant User Provisioning in GRC Access Control
Connectors facilitate the transfer of data between Compliant User Provisioning (formerly Virsa Access
Enforcer) and LDAP systems. Compliant User Provisioning (formerly Virsa Access Enforcer) supports
different LDAP types. They include:
• Microsoft Active Directory
• SunOne
• Novell E-Directory
• IBM Tivoli
Two tasks are required for successful communication between Compliant User Provisioning (formerly Virsa
Access Enforcer) and the LDAP systems:
• Configuring an LDAP connector
• Mapping the LDAP fields to Compliant User Provisioning fields

Configuring LDAP Connector


The fields on the LDAP connector screen are described below:
Name: Enter a name for the LDAP connector. This is free-form text.
Short Description: Enter text that is easily distinguishable from other connectors, since the text
entered in this field is displayed in various screens of AE.
Description: Optionally, enter a longer description of the connector.
Server Name: Enter the name of the server hosting the LDAP directory. The fully qualified name is preferred;
an IP address also works.
Domain: Enter the domain name or the base of the directory. Two formats are supported:
“DC=sap,DC=com” and “sap.com”.
Port: Enter the port assigned to the directory server.
User Principal Name: Enter the service user ID which will be used to access the directory.
Password: Enter the password of the service user.
User Path: Enter the distinguished name of the root directory under which all the users/employees are
stored. Remove the domain components from the distinguished name.
Group Path: Leave this field blank. This field is not used in Compliant User Provisioning (formerly
Virsa Access Enforcer).
LDAP Type: Select the directory type which is being used.
Password Encryption: Select the encryption type to be utilized by the LDAP server.
Connection Category: Select Production or Non-Production.
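
The Domain and User Path rules above can be checked before the values are typed into the connector screen. The following Python helper is an added example, not part of the original paper or of SAP's code: it normalizes either Domain format and strips domain components from a user container DN. The OU names in the usage comment and the assumption that the search base is User Path followed by Domain are illustrative.

```python
import re

# Assumption: DNs handled here contain no escaped commas inside RDN values.

def domain_to_dn(domain: str) -> str:
    """Accept either supported Domain format and return the DC components."""
    domain = domain.strip()
    if "=" in domain:                        # already in "DC=sap,DC=com" form
        parts = [p.strip() for p in domain.split(",") if p.strip()]
        for p in parts:
            if not re.fullmatch(r"(?i)dc=[^=,]+", p):
                raise ValueError(f"not a domain component: {p!r}")
        return ",".join("DC=" + p.split("=", 1)[1] for p in parts)
    labels = domain.split(".")               # dotted form, e.g. "sap.com"
    if not all(labels):
        raise ValueError(f"empty label in domain: {domain!r}")
    return ",".join("DC=" + label for label in labels)

def strip_domain_components(user_path: str) -> str:
    """Drop DC= RDNs from a DN, which is what the User Path field expects."""
    rdns = [r.strip() for r in user_path.split(",") if r.strip()]
    return ",".join(r for r in rdns if not r.lower().startswith("dc="))

def search_base(domain: str, user_path: str) -> str:
    """Full DN under which users are searched (assumed: User Path + Domain)."""
    path = strip_domain_components(user_path)
    base = domain_to_dn(domain)
    return f"{path},{base}" if path else base

# Hypothetical usage:
# search_base("sap.com", "OU=Employees,DC=sap,DC=com")
#   returns "OU=Employees,DC=sap,DC=com"
```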


Sample Connector Configuration for Different LDAP Types

Active Directory:

SunOne:


Novell’s E-Directory:

IBM Tivoli:


Mapping LDAP Fields


The LDAP mapping maps Compliant User Provisioning fields to the corresponding LDAP fields (attributes).
The field values are pulled from the LDAP directory and populated in Compliant User Provisioning
accordingly. Most of the fields in the LDAP mapping screen are self-explanatory, except for the
following two, which are explained below.
• Object Class
• UniqueLDAPKey
Object Class is the Common-Name (cn) of the object class attribute (or super class) of the
users/employees/people.
UniqueLDAPKey is the attribute name which holds the DN of the user/employee/people objects.


Sample LDAP Mapping Screenshots for Different Directory Types

LDAP Mapping for Microsoft Active Directory

AE Field          LDAP Mapped Field   Description
EmployeeID        sAMAccountName      Default field for account name
FirstName         givenName           Default field for first name
LastName          Sn                  Default field for last name
Email             Mail                Default field for email ID
Department        Department          Default field for department
Telephone         telephoneNumber     Default field for telephone number
ObjectClass       User                Default structure for the user details
Location          L                   Default field for base location
Location_Country  C                   Default field for country
UniqueLDAPKey     distinguishedName   Unique key in the LDAP system
Manager           Manager             Default field for manager ID
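
To check a mapping against real directory data before entering it, the Active Directory table above can be applied to an entry exported from the directory. This Python sketch is an added example, not SAP's code: it builds an RFC 4515 escaped lookup filter from the ObjectClass and EmployeeID rows and reports AE fields that would stay empty. The filter shape, the first-value rule and the sample entry are assumptions made for illustration.

```python
# AE field -> LDAP attribute, copied from the Active Directory table above.
AD_MAPPING = {
    "EmployeeID": "sAMAccountName", "FirstName": "givenName", "LastName": "Sn",
    "Email": "Mail", "Department": "Department", "Telephone": "telephoneNumber",
    "Location": "L", "Location_Country": "C",
    "UniqueLDAPKey": "distinguishedName", "Manager": "Manager",
}
AD_OBJECT_CLASS = "User"

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves in a filter assertion value."""
    out = []
    for ch in value:
        out.append(f"\\{ord(ch):02x}" if ch in '\\*()\x00' else ch)
    return "".join(out)

def user_filter(employee_id: str) -> str:
    """Filter for one user (assumed shape: object class AND account attribute)."""
    attr = AD_MAPPING["EmployeeID"]
    return f"(&(objectClass={AD_OBJECT_CLASS})({attr}={escape_filter_value(employee_id)}))"

def to_ae_fields(entry: dict) -> tuple[dict, list]:
    """Translate one directory entry; return (AE fields, AE fields left empty)."""
    # LDAP attribute names are case-insensitive, so "Sn" matches "sn".
    lowered = {name.lower(): values for name, values in entry.items()}
    fields, missing = {}, []
    for ae_field, attr in AD_MAPPING.items():
        values = lowered.get(attr.lower())
        if values:
            fields[ae_field] = values[0]   # assumption: take the first value
        else:
            missing.append(ae_field)
    return fields, missing

# Constructed sample entry (not from a real directory).
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"], "givenName": ["John"], "sn": ["Doe"],
    "mail": ["jdoe@example.com"], "department": ["Finance"],
    "distinguishedName": ["CN=John Doe,OU=Employees,DC=sap,DC=com"],
    "manager": ["CN=Jane Roe,OU=Employees,DC=sap,DC=com"],
}
```

Running `to_ae_fields(SAMPLE_ENTRY)` lists Telephone, Location and Location_Country as empty, which is the kind of gap worth resolving in the directory or the mapping before provisioning requests depend on those fields.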


LDAP Mapping for SunOne

AE Field          LDAP Mapped Field   Description
EmployeeID        Uid                 Default field for account name
FirstName         givenName           Default field for first name
LastName          Sn                  Default field for last name
Email             Mail                Default field for email ID
Department        Department          Default field for department
Telephone         telephoneNumber     Default field for telephone number
ObjectClass       Person              Default structure for the user details
Location          L                   Default field for base location
Location_Country  C                   Default field for country
UniqueLDAPKey     Entrydn             Unique key in the LDAP system
Manager           Manager             Default field for manager ID


LDAP Mapping for Novell’s E-Directory

AE Field          LDAP Mapped Field   Description
EmployeeID        Sn                  Default field for account name
FirstName         GivenName           Default field for first name
LastName          GivenName           Default field for last name
Email             Mail                Default field for email ID
Department        Department          Default field for department
Telephone         Telephone           Default field for telephone number
ObjectClass       User                Default structure for the user details
Location          L                   Default field for base location
Location_Country  L                   Default field for country
UniqueLDAPKey     Uid                 Unique key in the LDAP system
Manager           Manager             Default field for manager ID


LDAP Mapping for IBM Tivoli

AE Field          LDAP Mapped Field         Description
EmployeeID        Cn                        Default field for account name
FirstName         Sn                        Default field for first name
LastName          Sn                        Default field for last name
Email             Mail                      Default field for email ID
Department        Department                Default field for department
Telephone         facsimileTelephoneNumber  Default field for telephone number
ObjectClass       Person                    Default structure for the user details
Location          Location_Country          Default field for base location
Location_Country  Location_Country          Default field for country
UniqueLDAPKey     Uid                       Unique key in the LDAP system
Manager           Manager                   Default field for manager ID


Copyright
© Copyright 2008 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries,
zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by
Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All
other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves
informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may
result from the use of these materials.
SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these
materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and
does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.
Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be
used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of
certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors
or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.
