lambert-giese
Active Participant
Release 1.1.0 of the SAP IDM connector for SAP BusinessObjects BI Platform is now available for SAP IDM 8.0 and 7.2. Following up on my earlier post for SAP IDM 7.2, I'll explain the installation step by step for SAP IDM 8.0.

Download and install SAP BI platform Java SDK


The prerequisites for installing the connector on SAP IDM 8.0 are exactly the same as for SAP IDM 7.2. Hence, it requires the following JAR files from SAP’s BI platform Java SDK:
aspectjrt.jar
bcm.jar
ceaspect.jar
cecore.jar
celib.jar
cesession.jar
corbaidl.jar
cryptojFIPS.jar
ebus405.jar
log4j.jar
logging.jar
TraceLog.jar
jcmFIPS.jar (BIP 4.2 SP4 or higher)

Copy these into a directory on the SAP IDM runtime. As usual, I'll assume you'll use C:\IDM_BOBJ_LIBS on the SAP IDM runtime. For details regarding where to obtain the SDK and how to extract the required JAR files, please refer to the section "Download and install SAP BI platform Java SDK" of the 7.2 version.

Add SDK JARs to SAP IDM dispatcher classpath


To make the SDK JARs visible from SAP IDM, add them to the dispatcher’s Java class path. On the SAP IDM runtime, start the Identity Management Dispatcher Utility in GUI mode using the command dispatcherutil gui

Open the Dispatcher Utility's settings dialog using Tools -> Settings. Add all SDK JAR files listed above to the setting DSE Class Path. "Defining the Settings for the Identity Management Dispatcher Utility" in the SAP Help Center has all the details.

After saving your changes, regenerate the service scripts for all dispatchers and restart them.
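
A pre-flight check for the two steps above, as an added example that is not part of the original post or of the connector: it verifies that every SDK JAR named in this post is present in the library directory, flags wrong-case names and files that are not valid archives, and builds the class path value. It assumes that DSE Class Path takes a standard Java class path string joined with the platform's path separator; the function name check_sdk_jars is hypothetical.

```python
import os
import sys
import zipfile

# JAR names exactly as listed in this post.
REQUIRED_JARS = [
    "aspectjrt.jar", "bcm.jar", "ceaspect.jar", "cecore.jar", "celib.jar",
    "cesession.jar", "corbaidl.jar", "cryptojFIPS.jar", "ebus405.jar",
    "log4j.jar", "logging.jar", "TraceLog.jar",
]
# Listed in the post as needed for BIP 4.2 SP4 or higher only.
SP4_JARS = ["jcmFIPS.jar"]


def check_sdk_jars(lib_dir, bip_sp4_or_higher=True):
    """Return (classpath, problems) for the SDK JARs expected in lib_dir."""
    if not os.path.isdir(lib_dir):
        return "", [f"directory not found: {lib_dir}"]
    wanted = REQUIRED_JARS + (SP4_JARS if bip_sp4_or_higher else [])
    # Index by lower-cased name so a wrong-case copy is reported as such
    # instead of as missing (it would still fail on a case-sensitive runtime).
    present = {name.lower(): name for name in os.listdir(lib_dir)}
    entries, problems = [], []
    for jar in wanted:
        actual = present.get(jar.lower())
        if actual is None:
            problems.append(f"missing: {jar}")
        elif actual != jar:
            problems.append(f"case differs: {actual} (expected {jar})")
        elif not zipfile.is_zipfile(os.path.join(lib_dir, jar)):
            # Catches truncated or partially copied files.
            problems.append(f"not a valid JAR/ZIP archive: {jar}")
        else:
            entries.append(os.path.join(lib_dir, jar))
    # Assumption: DSE Class Path accepts a standard Java class path string.
    return os.pathsep.join(entries), problems


if __name__ == "__main__":
    # Directory used in this post; pass another path as first argument.
    lib_dir = sys.argv[1] if len(sys.argv) > 1 else r"C:\IDM_BOBJ_LIBS"
    classpath, problems = check_sdk_jars(lib_dir)
    for problem in problems:
        print("PROBLEM:", problem)
    print("Class path value:", classpath)
    sys.exit(1 if problems else 0)
```

Run it on the SAP IDM runtime before regenerating the dispatcher service scripts; a non-zero exit code means at least one JAR from the list needs attention.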

Download connector and import IDM package


Use SAP Identity Management Developer Studio to connect to the IDM database. As the SAP BusinessObjects connector depends on package com.sap.idm.provisioning.engine that comes with SAP IDM 8.0, you'll need to import that first if you haven't already done so.

Download the latest stable connector release from https://github.com/foxysoft/idm-connector-bobj/releases/latest to the machine where SAP IDM Developer Studio is installed, and unzip idm-connector-bobj-<VERSION>.zip. It contains an IDM package file de.foxysoft.bobj.idmpck. Use SAP IDM Developer Studio to import that into your main Identity Store.

When prompted for an import reason, make sure you keep the default option "Import" selected. Don't use "Import as new package". Confirm the import using "OK".




Create a SAP IDM repository


Open the SAP Identity Management administration UI at http://<host>:<port>/idm/admin in a web browser and create a new repository of type SapBusinessObjects42. This repository type is part of the SAP BusinessObjects connector package.

After the repository has been created, change repository constants HOST, LOGIN, PASSWORD and PORT as appropriate for your environment. Please refer to "Import SAP IDM repository and initial load job" in the 7.2 version for additional information on how to find out CMS host name and name server port.






Execute initial load and finalize repository configuration


Select the "Jobs" tab of the repository details view. A new job SAP BOBJ 4.2 - Initial Load has been created and assigned to the repository automatically. Execute this job now to load SAP BusinessObjects groups into SAP IDM.



This job should take only a few minutes to execute. Use "Refresh" to verify that the job has finished successfully, then open the SAP Identity Management UI at http://<host>:<port>/idm to verify that privileges from SAP BusinessObjects have been loaded.



As a final step, you may go back to the SAP Identity Management administration UI and update repository constant MX_REQ_PRIV with the master privilege just created by the initial load. In this example, that's PRIV:BOE:ONLY.

If you have a suitable No Master Process to assign missing master privileges automatically, assign that to repository constant MX_REQ_PRIV_NOMASTER_TASK. In my screenshot below, this process reference is not set (-1 means "None").



That's it. You're ready to manage all your SAP BusinessObjects Enterprise users and groups from SAP IDM 8.0 now. If you're interested in learning more about this connector, visit its GitHub project, which also contains a small Wiki with additional resources.
27 Comments
former_member2987
Active Contributor
0 Kudos
Great stuff, Lambert! It will be great to tell customers that this functionality exists! Looking forward to doing this one day!

 

 

 

 

 
0 Kudos
Dear Mr. Boskamp.

I would like to confirm whether this connector for Business Object 4.2 is available for the Sybase database.

In our environment we used the SAP IdM 8.0 SP 04 on Adaptive Server Enterprise 16.0 SP02 PL04 on Red Hat Enterprise Linux Server release 6.9 (Santiago).

Best regards,

João Paulo.

 
lambert-giese
Active Participant
As documented in the connector's wiki, Sybase is currently not supported, unfortunately.

If you have a skilled developer in your team, they may be able to fill in the missing pieces with some custom development, though. As far as I remember, it's a matter of rewriting two SQL queries in the connector's initial load job. Making it work on Sybase should require no more than one or two days of development effort.
0 Kudos
Thank you Mr. Boskamp for your reply.

I understood. We will be working to make it run on the Sybase database.

If you want, after this adjustment we can share the updated coding.
lambert-giese
Active Participant
0 Kudos
Great idea. If you can share your results after successful implementation, I'll update the source code of the open source version accordingly. Good luck!

 
muthavarapu
Explorer
0 Kudos
We are also on Sybase database and also integrating with BOBJ system. But, the connection did not go well.

Did you guys connect successfully with BOBJ? If so, please share the solution.

Thanks,

Nagesh

 
0 Kudos
Hi Nageswara Muthavarapu.

We decided to change our database, not because the connection between SAP IdM to BOBJ system was not working on Sybase.

We had many problems running SAP IdM 8.0 SP 05 on Sybase. So to solve that, we opened one incident ticket (OSS) to request the best practices when running SAP IdM 8.0 on Sybase, but they didn't reply appropriately.

Now, we are doing the installation of our systems (DEV, QAS and PRD) to run on SQL Server 2016.

Good luck.

João Paulo.
0 Kudos
 

How do we get the log/Tracelog for the activity like create or change to the backend irrespective of the connector type in IDM?

 

Thanks and Regards,

Giridhara Tadikonda
lambert-giese
Active Participant
0 Kudos
As this is not specific to the BOBJ connector, you might get better answers by asking the same in the general SAP Identity Management Q&A forum.

General information about which tasks have been executed by whom and when can be retrieved using the database view mcv_executionlog_list.

 
rtaibi1
Discoverer
0 Kudos
Hi Lambert,

Great and useful blog.

We are using the connector and I was wondering if there are any plans to include the removal of a specific user alias.

The BI Support Tools (Enterprise Alias Manager) can remove or add Enterprise aliases only. This functionality would be a great extension to the existing SAP IDM connector for SAP BusinessObjects BI Platform.

Keep up the good work!

Thanks very much.

Best Regards,

Ridouan Taibi
lambert-giese
Active Participant
0 Kudos
Ridouan,

great feedback, thank you. The connector will likely not see any new feature development over the next couple of months at least, because the projects I'm involved in right now have a different focus.

However, you may look into two options:

  1. Check whether you can add the required feature on your own. That's the beauty of open source. The function fx_bobjUser.setAllAliasesDisabled() provides a working example of how (enterprise) aliases can be modified using the connector. This is currently used for the EnableUser/DisableUser plugins of the connector.

  2. In case your requirement pertains to 3rd party aliases, not to Enterprise aliases: check whether you're going down the wrong rabbit hole. 3rd party aliases represent data from external systems (like SAP BW) in the BI platform. So instead of modifying the aliases in BI, it seems more reasonable to connect from IDM to SAP BW, modify the data there, and re-load them into BI.


Hope that helps,

Lambert
rtaibi1
Discoverer
0 Kudos
Hi Lambert,

Thanks for your feedback.

Good luck with your project.

Regards,

Ridouan
0 Kudos
Hi Lambert,

Thanks for the document. It is really helpful as we are currently trying to connect BI platform to our IdM 8.0 system. However, it looks like I missed something because when I run the initial load, I get the following error:



Is this related to the class path settings? Or something else?

Regards,

Francis
lambert-giese
Active Participant
Yes, this is a classpath issue. Depending on your BI support package level, you might need additional JAR files on your classpath.

Please check SAP Note 2451365 - Exception - BCM Intialization Failure connecting to Business Intelligence platfor... and add the list of additional JARs mentioned there to the dispatcher classpath.

Please let me know if that resolves the problem. I'll add a corresponding Wiki article to the GitHub repository and update the JAR file list in this blog post in case it works.

 
0 Kudos

Hi Lambert, 


Thanks! That did the trick and I was able to run the initial load. However, I get a new error below :

I tried to look at the script and if I understand correctly, it is filling out the FX_BOBJ_MODIFY_TRIGGERS so I did that manually

And tried to assign the PRIV:XXX:ONLY and the user was successfully created in BusinessObjects. However, when I try to assign a group by either assigning group GROUP:XXX:Administrators or directly assigning privilege PRIV:GROUP:XXX:Administrators, no groups are assigned in BusinessObjects.

Maybe I missed something?

Best Regards, 

Francis

 

 

lambert-giese
Active Participant
0 Kudos

There is one dollar sign too few in your version of the pass “Set modify triggers from package constant” in the initial load job. The correct code (as found in GitHub) on the source tab should look like this:

 

--SQL file: fx_bobj_load_set_triggers.sql
$FUNCTION.fx_trace(

select
attr_id
,attrname
from mxi_attributes $FUNCTION.fx_db_nolock()$$
where attrname in ( $FUNCTION.fx_bobj_getModifyTriggers()$$ )
and is_id=$FUNCTION.fx_IDSID()$$

)$$

In your version, the $ right before FUNCTION.fx_IDSID()$$ – near the bottom of the query – seems to be missing. Can you please check?

If that’s the case, correct the SQL query as shown above, then run the job again. After that, the modify triggers of the privs and groups loaded by the job will be correct. Hence, provisioning of group assignments should work as expected afterwards.
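
A small lint for the fault diagnosed in the comment above, as an added example that is not part of the thread or of the connector's code. It assumes, from the query shown, that every macro call has the form $FUNCTION.name(...)$$ and that no string literal in the source contains parentheses; find_macro_errors is a hypothetical name.

```python
import re

CALL = re.compile(r"FUNCTION\.(\w+)\(")


def find_macro_errors(sql):
    """Return (line, function, problem) tuples for malformed macro calls."""
    errors = []
    for match in CALL.finditer(sql):
        line = sql.count("\n", 0, match.start()) + 1
        name = match.group(1)
        before = sql[:match.start()]
        # A "$" that belongs to the previous call's ")$$" is not a prefix.
        if not before.endswith("$") or before.endswith(")$$"):
            errors.append((line, name, "missing leading $"))
        # Walk to the parenthesis that closes this call (calls may nest).
        depth, pos = 1, match.end()
        while pos < len(sql) and depth:
            depth += {"(": 1, ")": -1}.get(sql[pos], 0)
            pos += 1
        if depth or sql[pos:pos + 2] != "$$":
            errors.append((line, name, "missing closing )$$"))
    return errors


# The query from the comment above, and a constructed copy with the fault
# described there (the "$" before FUNCTION.fx_IDSID removed).
GOOD = """$FUNCTION.fx_trace(
select
attr_id
,attrname
from mxi_attributes $FUNCTION.fx_db_nolock()$$
where attrname in ( $FUNCTION.fx_bobj_getModifyTriggers()$$ )
and is_id=$FUNCTION.fx_IDSID()$$
)$$"""
BROKEN = GOOD.replace("=$FUNCTION.fx_IDSID", "=FUNCTION.fx_IDSID")

if __name__ == "__main__":
    for label, sql in (("good", GOOD), ("broken", BROKEN)):
        print(label, find_macro_errors(sql))
```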

 

 

0 Kudos
Now it works perfectly! Thanks Lambert!
felixhahn1
Explorer
0 Kudos
Hi Lambert,

thank you for this nice document!

One question: We are using Active Directory Alias in our BO-System for Single Sign On. Is there a possibility to set this alias from the IDM to the BO-System? In my tests this is not working. Is there a setting I have to adjust before?

 

Kind Regards,

Felix
lambert-giese
Active Participant
The SAP IDM BusinessObjects connector does not support managing third party aliases (including Active Directory) out of the box, unfortunately. I've heard several people mentioning that they use the so-called "BI Support Tool" for this task instead. SAP Note 2667858 talks in detail about this.

Assuming that the SDK can manage third party aliases, it might also be an option to add custom code to the connector that provides this capability. I have no clue about the effort, though. If you decide to evaluate this option, I recommend to implement a stand-alone Java prototype for managing the AD aliases first. Once that works, you can port it to JavaScript and add that to the connector.
felixhahn1
Explorer
0 Kudos
Thanks for your answer!

If I understand it correctly, is provisioning the AD alias already stored in the IDM to the BO more than just an attribute assignment? Would program logic be needed for this?
lambert-giese
Active Participant
0 Kudos
Yes, additional program logic / JavaScript code would be needed.
Chenyang
Contributor
0 Kudos
Hi Lambert,

 

Thank you for the great document. I have followed the document to test IdM connection and found out one more BO library file is required. Please kindly update the blog. 🙂

  • jcmFIPS.jar


Thanks,

Chenyang
0 Kudos
Hi Lambert,

 

This is an excellent resource for connecting the BOBJ to idm, thank you for the blog and the connector.

 

I have a question from the security perspective: how can we achieve the secure connection, either by the SAML token or by the exchange of the certs or by any other means?

 

Regards

Ravi
0 Kudos
Dear Lambert,

Thank you for the great document.

I want to create a report that shows the list of SAP Business Object Reports the BO users have access to. Is it possible with SAP Identity Manager? (Which users can access which reports?)

 

Kind Regards,

Ismail Arslan
lambert-giese
Active Participant
0 Kudos
SAP IDM only stores BOBJ users, BOBJ groups and the links between the two. That's all we have.

More detailed authorization information, like which group or user has access to which Business Object Report, is only available in the BI platform itself. A report like the one you have in mind would hence need to be created from the BI platform's data directly.
lambert-giese
Active Participant
0 Kudos
The BI Java SDK has support for encrypting and authenticating network communication using SSL/TLS. One good resource including links into more detailed documentation is SAP Note 2634052.

Since the connector internally uses the BI Java SDK, it's reasonable to assume that SSL could be enabled for the connector as well. I never used SSL in a customer project, though. Hence I can't confirm whether SSL really works for the connector or not. Give it a try.
lambert-giese
Active Participant
0 Kudos
Done. Thanks for your feedback.