My cenario is: the web system sends some data to IDM and PI makes this communication.
My SAP PI is not Java Only. I also have the abap part.
And I dont know anything about IDM .
We have an IDM team but they didt tell me if it's possible creating web service on the IDM side, or if exist another way to communicate with PI or with abap (SAP ECC for example).
IdM consolidates all of your user IDs for various services in a business, SAP/Email/LDAP/etc.
I'm not 100% sure if you want to consolidate IDs on the web system or within PI? Basically, what IDs are you looking to control from IdM?
IdM does provide its own webservice, if it is installed in most cases requires a dedicated Java application server and then 3 additional components to be added in via SUM.
My "web service" is my HR System, that is a non SAP application.
I can communicate with this system, via SOAP. Due to that, I called it "web application".
So, my HR system, is going to send the employee informations (name, document number, birth date, etc), and IDM will record it and generates the employee's SAP user.
I would have to agree with @Matt pulling data through web protocols is going to restrict the information that IdM can obtain...For example if the HR admins make a change, lets say add a new required field (lets say a SIP phone extension for the phone system), they have to then present that in a way that PI can obtain it, then PI has to have changes made to provide the data to the IdM server, then you have to update your IdM configuration to also include that data....thats a lot of changes to take place.
The DBA and HR admins should be able to provide a user ID that IdM can log into the DB, as another solution and you could have the data read directly...but then you get to learn the layout of the HR SQL DB... Fun fun fun
As Matt says - it can be easier to use a 'transfer' table. Nearly any HR system can export data to a readable format - either SQL or even CSV. You can then read that data in to get what you need.
You can write your own Java to accept SOAP requests and various other options but they tend to involve lots of work and you'd have to determine if its worth the effort.
Reading directly from HR has all sorts of issues - some around security (lots of HR contains very sensitive data that they will scream at if someone else gets access to it), and some around the integrity of the database.
It's safer to get an extract you can use that contains only the data you need. It removes the need to mine the HR structure.
1. Have the HR team prepare a SQL based extract. You'll want them to create the extract based on the minimal dataset needed, as Peter had mentioned, no need to get information that is not needed for the provisioning process. I prefer SQL since the DBAs can make sure that the tables have restricted access to protect privacy. They can also set up secure access to protect the data as well. Something not as easily or comprehensively done with CSV and other text formats.
2. Now you can create an IDM job that will read this data and begin the provisioning process. Simple use this HR table as the source and map it to the relevant IDM attributes in the destination tab.
Note you could also use this for identity updates as well as new user provisioning.
Also worth noting that you may have a hard time finding the correct doco using SOA as that could also imply 'Start of Authority' vs 'Service-Oriented Architecture'.
IDM Identity Service can provide web services access to identity store, while currently it accepts SPML requests. Please you can refer to its doc from following page(search "identity service"):
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.