I have already discussed how to build your own SOAP Webservice (DotNet based) and use the ECMA2 to consume the data or write back. Now let’s take a look at the SAP Webservice. It’s definitely different (as expected) but it’s still generally the same principle. This blog post will be in two parts. Part 1 will show how to set up SAP and publish the functions you want via a Webservice. Part 2 will cover how to consume it in ECMA2 using DotNet C#, which can be found on my IDAM blog site.
I know most FIM/MIM engineers are only interested in SAP because of the HR module, but SAP is much more than HR: you can also use MIM/FIM to manage provisioning (role assignment etc.) and deprovisioning in SAP. I want to approach this blog post with a bigger picture in mind, which is to get some understanding of SAP and look at how Role and User information can be integrated into MIM. Doing the HR integration will be really easy because it follows the template in the post. I will talk about some aspects of HR integration in this post. For this post and Part 2, I will focus on how one can read SAP user and role information.
Beyond that you can use the knowledge learned in these posts to create PeopleSoft, Salesforce, Workday, ServiceNow connectors to do user provisioning and deprovisioning.
I will be doing some more SAP/FIM/MIM integration blog posts like provisioning and deprovisioning of accounts, the use of ABAP programming to create custom functions and packages. I will be posting in both my IDAM and SAP blog sites.
For SAP engineers, here are some acronyms that I will be using:
- MIM – The latest version of Microsoft Identity Management products
- FIM – Forefront Identity Manager, the Microsoft Identity management product version before MIM
- ECMA2 – A custom DotNet C# connector in MIM that can be used to connect to just about any system that offers some kind of endpoint mapping.
SAP Webservice details
- The SAP Webservice exposes a function or method or a bunch of them depending on which function group is exposed. By default a function in SAP belongs to a group, you can check SAP documentation for the breakdown.
- A function can return attribute values or tables or both. I found that quite interesting. You would think a function would have a single return value, as DotNet programmers are used to, where we declare the type of value to be returned at the top of the function, but in SAP a function can return multiple kinds of data type results.
- You can create your own function group to expose specific OOB functions. You can take it even further and build your own function or build the result set or table(s) that will be returned by the function. More on that later; I will do a blog post on my SAP blog site on using ABAP to create your own result set and function group.
- It is important to understand the correlation between the way SAP data is stored and the format you want your data in. Remember SAP is a huge relational database, so you have to change your mindset from a single flat table structure where all your data resides to a web of tables. For instance, if you want the department of an employee, the data is stored in the employee record as “11234”, which is meaningless to me unless I can find out that this is the “Finance” department. This may be obtained from another table, or the SAP admin can tell you the mapping. This is where a solid SAP team helps: if you have a team that is experienced in Advanced Business Application Programming (ABAP), they can build a custom function group for you with a function that returns the data exactly the way you want. Otherwise you get to have some fun coding it into your ECMA2. Another interesting attribute is the Manager attribute. There is no single attribute that says “Manager” of an employee; it is derived from the organizational hierarchy, the defined reporting structure or the approval structure. I will do a separate blog post specifically on this attribute in SAP.
- You need the ABAP module on your SAP system and a developer license to set up the Webservice.
Building your own SAP server
So here we have the challenge: how do I build an SAP system to practice integration with FIM/MIM? There are several options out there on the internet:
- Type “SAP Sandbox” in your internet search and you will find many options to get an already configured SAP system to practice with for a fee of course. SAP has what is known as the IDES demo system which has all the SAP modules and test data built in, this is what is offered as a sandbox and you can practice with that.
- You can buy an IDES demo system on a USB drive or as a download for a fee. You can use this for SAP practice and for this integration exercise. If you plan to do more with SAP, I would say this is a good investment. ABAP can really be very interesting.
You can install the SAP NetWeaver Application Server ABAP 7.03 Trial (90 day trial) yourself. This is a “mini SAP”. It does not have all the modules (like the HR module) but it has ABAP and Webservice, so I would say this is the best and cheapest place to start.
- I found this installation class very useful and it got me up and running. The class is based on VMware and you will probably find that VMware is used for most SAP information on the web but I use Hyper-V so I just created a Hyper-V W2k8 server and used it for my NetWeaver. Remember you can’t use Hyper-V and VMware together on the same Windows OS, well you can, sort of, and then you wait one day for the blue-screen.
- Go to the SAP store to download the NetWeaver trial and SAP GUI.
- Minimum memory I would recommend is 4GB else your NetWeaver might not install properly.
- Disable IPv6, it can be an issue.
- Give your server a static IP address. Use the hosts file. Make sure the DNS server is up before the SAP server starts.
- Get an FQDN for your SAP server. Just hostname will not work for some SAP processes (like SOAMANAGER).
- SOAMANAGER (SOAP Manager) and the Webservice on SAP NetWeaver are turned off by default. See my blog post on how to turn them on, along with the related services that need to be turned on as well.
- The SOAMANAGER may not display on the browser. See my blogpost to resolve this.
This blog post is based on the NetWeaver option and picks up from the point where you have NetWeaver installed, the developer license entered, and ABAP, SOAMANAGER and Webservice publishing turned on.
Log into the SAP NetWeaver server and start the SAP service. Watch your processes and make sure they all start and say “Running” before you continue. A process can say “Starting” and never change over to “Running”, hanging until it stops; then you have to troubleshoot. See my blog post.
Open the SAP GUI and log on
Create a function group package and publish via Webservice
Go to Easy Access menu
Type the transaction code “SE80” which brings up the object navigator.
Type the package name
Enter and select “yes” to choose the creation.
Enter description and Transport layer, click ok
You will be prompted for a workbench request, if this is the first time, you have to create a new local request
After successful creation of the package, right click on the package name and choose Create -> Enterprise Service
Choose service provider
Choose “Existing ABAP Objects(Inside Out)”
Enter a name for the Webservice and a description
Choose Function Group
Enter the function group SU_USER, this has a lot of User BAPI functions
Select 2 functions to expose via the Web service
Choose the default SOAP application. In the drop-down, make sure you change it to Authentication with User and Password
Enter the package name and request
You will be brought back to the Package screen. Double click on the package and click yes to save changes
Expand the package, click on the service Provider name you created, click on configuration tab, and change the profiler to Stateful. Double click on the service and click ok to save the changes
Activate the web service
Add an endpoint binding for the web service
Go to the Easy Access menu, type SOAMANAGER and log in
Select Web Service configuration
Search for “zmimsapconnector2”. Click apply selection
At the bottom of the screen click configuration then click create a service configuration
Enter the “zmimsapconnector2”, click apply settings
Select UserID/Password for Transport Channel and click save at the top
Now go to the overview page and click show the wsdl url
Go to a browser and paste this to test
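Beyond eyeballing the WSDL in a browser, you can review it for the two things that matter with user/password authentication on the transport channel: that the endpoint is HTTPS, and that only the functions you meant to publish are exposed. The following is an added example, not code from this blog or from SAP; the sample WSDL is constructed, and the host name, port, path and the two BAPI names in it are assumptions standing in for your own values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
      "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/"}

# Constructed sample, not a real SOAMANAGER export: host, port, path and the
# two BAPI names are assumptions standing in for the two functions you exposed.
SAMPLE_WSDL = """<wsdl:definitions
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    targetNamespace="urn:example:constructed">
  <wsdl:portType name="zmimsapconnector2">
    <wsdl:operation name="BAPI_USER_GETLIST"/>
    <wsdl:operation name="BAPI_USER_GET_DETAIL"/>
  </wsdl:portType>
  <wsdl:service name="zmimsapconnector2">
    <wsdl:port name="binding1">
      <soap:address location="http://sapnw.example.local:8000/placeholder/path"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def review_wsdl(wsdl_text, expected_ops):
    """Return exposed operations, endpoint URLs and review findings."""
    root = ET.fromstring(wsdl_text)
    ops = {op.get("name")
           for op in root.findall("wsdl:portType/wsdl:operation", NS)}
    endpoints = [addr.get("location")
                 for port in root.findall("wsdl:service/wsdl:port", NS)
                 for tag in ("soap:address", "soap12:address")
                 for addr in port.findall(tag, NS)]
    findings = []
    # User/password on the transport channel is only protected by TLS.
    for url in endpoints:
        if urlparse(url).scheme.lower() != "https":
            findings.append(f"credentials would cross the network in clear: {url}")
    # Anything beyond the functions you meant to publish is extra attack surface.
    for name in sorted(ops - set(expected_ops)):
        findings.append(f"unexpected operation exposed: {name}")
    return {"operations": sorted(ops), "endpoints": endpoints, "findings": findings}


if __name__ == "__main__":
    report = review_wsdl(SAMPLE_WSDL, {"BAPI_USER_GET_DETAIL"})
    for line in report["findings"]:
        print(line)
```

Save the text returned by your own WSDL URL to a file and pass its contents in place of `SAMPLE_WSDL`, with the names of the functions you selected as `expected_ops`.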
Creating Roles and Users
NetWeaver Trial comes with 3 users who are all Super users. This is not a Role. In the next part we are going to use FIM/MIM to read SAP users and their roles. So we are going to create some roles and then create users and assign them roles.
At the EasyAccess screen type “PFCG”
Create two Roles by typing the names below and click the “Single Role” button, enter description and then save
Create Users and Assign to a Role
At the EasyAccess screen type SU01
Click the create button on the left corner. Enter the following details
Click the Logon Data tab. Enter the alias and a password
Click the Roles tab
Click the button on the right
Enter “General_user” to search for the role
Select General_User and click the check button
Do the same for Technical user. You will have this. Click the Save button at the top.
Create another user MIMUser1. Grant the user only the “General_User” Role.