
Integration of HCM Organizational Units in SAP Identity Management

by Fabian Honervogt

By default, you cannot build a hierarchy of organizational units in SAP Identity Management (IDM) when importing them from Human Capital Management (HCM), because the standard import delivers the organizational units as a flat list, without the parent relationships that HCM maintains between them. We have therefore developed a job that regularly reads the entire organizational structure from HCM and maps it in IDM. This makes it easier in IDM to determine superiors dynamically at runtime and to navigate to parent or subordinate organizational units.

How do you get the data from the HCM to the IDM?

Presentation of the job

The organizational units are maintained in transaction PPOM of the SAP HCM module. To be able to read this data, the connection user that IDM uses must be authorized accordingly; grant that user read access to the organizational structure only, rather than reusing a broadly authorized HR user. IDM calls the configured function module, which returns the structure in the table STRU_TAB; with the input parameters described below it reads the desired values and stores them in a temporary table in IDM.

In addition to the function module and the start table, the input parameters are particularly important for obtaining the desired values. They can be modified in the Admin UI.

The following values are especially important:

  • OTYPE: The object type of the start unit; it must be O for organizational unit.
  • OBJID: The object ID of the start unit, which can be found in transaction PPOM.
  • WEGID: The evaluation path. In addition to the organizational units (O), ORGCHART also supplies the chief executive positions (S) and the personnel numbers (P) of the persons holding those positions.
  • BEGDA: The start date of the period for which organizational units are considered.
  • ENDDA: The end date of that period.

With this data the function module knows where to start and what information to return. Depending on the size of the company and the starting point, you get a more or less large, unstructured table that contains all the important data.

Unedited, temporary table after reading the data

Table 1 shows an example of an organizational unit hierarchy. The entry point is OBJID 60040263, the top node of the organization, here Xiting AG. The second row is the chief executive position (object type S) that has been set up for the CEO; its parent organizational unit (PUP_OBJI), at the end of the row, is Xiting AG (OBJID 60040263). The third row is the personnel number (object type P) of the person holding the CEO's chief position.

Table 1: Example of an organizational unit structure, including chief executive position and personnel number

OT  OBJID     TEXT            BEGDA       ENDDA       LEVEL  PUP     PUP_OBJI  PUP_TEXT
O   60040263  Xiting AG       2000-01-01  9999-12-31  1      (null)  (null)    (null)
S   60040976  CEO             2000-01-01  9999-12-31  2      O       60040263  Xiting AG
P   80000068  Patrick Bockel  2000-01-01  9999-12-31  3      S       60040976  CEO

How is the data processed in IDM?

After the first pass of the job has brought the raw data from HCM into IDM, it has to be processed further.

Passes of the job

First, new organizational units are created and existing ones are updated, e.g. if the name has changed or the organizational unit is no longer active.

Next, the links between the organizational units are set. As seen in Table 1, the raw data contains links between organizational units, chief executive positions and personnel numbers. In addition, the organizational units have to be linked to each other to represent the hierarchy of the organization.

Subsequently, the managers are assigned to the organizational units. Other IDM processes can thus determine a manager dynamically, without a superior being stored directly on an employee.

Finally, a business role is created for each organizational unit. It is assigned to the employees of the respective organizational unit by the hiring or organizational change process and contains, for example, file server permissions that are specific to that organizational unit.
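As an added illustration of the four passes above (this is not the XIOU job's own code and not an IDM job script; it is plain JavaScript written for this page), the following block takes rows in the column layout of Table 1, builds the organizational unit hierarchy, attaches the manager found via the chief position and its holder, derives one business role per unit, and resolves an employee's manager by walking up the hierarchy. Everything beyond the three rows of Table 1 is constructed: the Sales unit, the expired project unit, the former position holder, the employee-to-unit assignments, the key date on which validity is evaluated, and the `BR_ORG_<OBJID>` naming scheme for business roles.

```javascript
// Added example, not part of the Xiting XIOU job. Column layout follows
// Table 1; all rows are constructed, and the object IDs other than those in
// Table 1 are invented for this illustration.
const COLUMNS = ["OT", "OBJID", "TEXT", "BEGDA", "ENDDA", "LEVEL", "PUP", "PUP_OBJI", "PUP_TEXT"];

const RAW_ROWS = [
  ["O", "60040263", "Xiting AG",      "2000-01-01", "9999-12-31", "1", null, null,       null],
  ["S", "60040976", "CEO",            "2000-01-01", "9999-12-31", "2", "O",  "60040263", "Xiting AG"],
  ["P", "80000068", "Patrick Bockel", "2000-01-01", "9999-12-31", "3", "S",  "60040976", "CEO"],
  ["O", "60040300", "Sales",          "2005-01-01", "9999-12-31", "2", "O",  "60040263", "Xiting AG"],
  ["S", "60040977", "Head of Sales",  "2005-01-01", "9999-12-31", "3", "O",  "60040300", "Sales"],
  ["P", "80000090", "Former Head",    "2005-01-01", "2019-12-31", "4", "S",  "60040977", "Head of Sales"], // has left
  ["P", "80000101", "Anna Example",   "2020-01-01", "9999-12-31", "4", "S",  "60040977", "Head of Sales"],
  ["O", "60040400", "Old Project",    "2008-01-01", "2015-12-31", "2", "O",  "60040263", "Xiting AG"],
];

// Employee -> org unit assignments normally come from the regular HCM person
// import, not from this job; constructed here so manager resolution can be shown.
const EMPLOYEE_ORGUNIT = {
  "80000068": "60040263", // CEO sits in the top unit
  "80000101": "60040300", // head of Sales
  "80000123": "60040300", // regular Sales employee (hypothetical)
};

// ISO dates compare correctly as strings.
function validOn(row, keyDate) {
  return row.BEGDA <= keyDate && keyDate <= row.ENDDA;
}

// Turn the positional rows into keyed records.
function parseRows(rows) {
  return rows.map((r) => Object.fromEntries(COLUMNS.map((c, i) => [c, r[i]])));
}

// Pass 1: create/update org units. A unit outside its validity on the key date
// is kept but flagged inactive instead of being deleted.
function buildOrgUnits(records, keyDate) {
  const units = new Map();
  for (const r of records) {
    if (r.OT !== "O") continue;
    units.set(r.OBJID, { objid: r.OBJID, name: r.TEXT, active: validOn(r, keyDate),
      parent: null, children: [], managerPernr: null, businessRole: null });
  }
  return units;
}

// Pass 2: parent/child links between org units (O rows whose PUP is O).
function linkHierarchy(records, units) {
  for (const r of records) {
    if (r.OT !== "O" || r.PUP !== "O") continue;
    const parent = units.get(r.PUP_OBJI);
    if (!parent) throw new Error(`dangling parent ${r.PUP_OBJI} for org unit ${r.OBJID}`);
    units.get(r.OBJID).parent = parent.objid;
    parent.children.push(r.OBJID);
  }
}

// Pass 3: managers. The chief position (S) hangs under its org unit (O) and the
// person (P) under the position. Only holders valid on the key date qualify,
// so a holder who has already left never becomes an approver.
function assignManagers(records, units, keyDate) {
  const positionToUnit = new Map();
  for (const r of records) {
    if (r.OT === "S" && r.PUP === "O") positionToUnit.set(r.OBJID, r.PUP_OBJI);
  }
  for (const r of records) {
    if (r.OT !== "P" || r.PUP !== "S" || !validOn(r, keyDate)) continue;
    const unit = units.get(positionToUnit.get(r.PUP_OBJI));
    if (unit) unit.managerPernr = r.OBJID;
  }
}

// Pass 4: one business role per org unit (naming scheme is an assumption).
function assignBusinessRoles(units) {
  for (const u of units.values()) u.businessRole = `BR_ORG_${u.objid}`;
}

function buildHierarchy(rows, keyDate) {
  const records = parseRows(rows);
  const units = buildOrgUnits(records, keyDate);
  linkHierarchy(records, units);
  assignManagers(records, units, keyDate);
  assignBusinessRoles(units);
  return units;
}

// Walk up from the employee's org unit until a manager other than the employee
// is found. Inactive units are skipped; the top of the tree yields null, so the
// CEO's own approvals do not loop back to the CEO.
function resolveManager(units, employeeOrgUnit, pernr) {
  let unitId = employeeOrgUnit[pernr];
  while (unitId) {
    const u = units.get(unitId);
    if (!u) return null;
    if (u.active && u.managerPernr && u.managerPernr !== pernr) return u.managerPernr;
    unitId = u.parent;
  }
  return null;
}

const orgUnits = buildHierarchy(RAW_ROWS, "2020-06-01");
console.log(resolveManager(orgUnits, EMPLOYEE_ORGUNIT, "80000123")); // → 80000101
```

The key date stands in for the BEGDA/ENDDA window of the job; a real implementation would also have to decide what happens to the business role and the links of a unit that has become inactive, which the block only flags.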

Business roles of the different organizational units

The job should run regularly so that IDM always reflects the current status of the organizational units. The job log can be viewed in the Admin UI.

Job Log in the Admin UI

After the job has run for the first time, all organizational units are present in IDM and can be used. In the IDM UI, under the Manage tab, there is the entry Organizational Unit. Selecting it lists all organizational units that exist in IDM with their unique ID (the OBJID from PPOM) and their manager.

Overview of the organizational units in the IDM

If you select an organizational unit and choose the Display Organizational Unit task, you will receive all relevant information about this organizational unit.

In addition to the name and unique ID, the manager, the parent organizational unit, the child organizational unit(s), and the associated users are displayed.

Detailed display of an organizational unit

With the Xiting IDM OrgUnit Integration (XIOU) service you get, for the first time, an automated lifecycle of organizational units within SAP Identity Management.

After every run of the job you have a picture of your organizational units as maintained in HCM. The organizational units are displayed hierarchically and linked from the top to the lowest level. The correct managers of your employees can thus be determined in IDM at any time, and no approval process reaches the wrong, or possibly already resigned, approver any more.

Fabian Honervogt


Fabian started his work in the field of IT with an apprenticeship in 2006. Since 2015 he has been an SAP Security Consultant at Xiting GmbH in Germany with a strong focus on SAP Identity Management and SAP Fiori.