SAP Fiori Xiting Starter Pack for SAP Identity Management

Historically, many customers have had a strong need for a simple and intuitive user interface for SAP Identity Management (IDM), as the standard IDM user interface is neither satisfying nor user-friendly. For this reason, we developed a new, attractive user interface in 2017, the SAP Fiori Xiting Starter Pack for IDM. This IDM Launchpad is an attractive home page with several apps that cover the essential tasks of managing the IDM system (managing users, business roles, privileges (technical roles), company addresses, and resetting passwords). The SAP Fiori IDM apps from the SAP Fiori Xiting Starter Pack are authorized by IDM business roles and are located on the customizable start page, giving you quick access to the apps you need on a daily basis.

The SAP Fiori Xiting Starter Pack for IDM offers a new experience for your daily work with IDM. Compared to the old Web Dynpro UI, you can operate IDM easily, intuitively, and comfortably in a modern, role-based interface. You can run IDM tasks, e.g., create, search, modify, and view users, and manage business roles and privileges regardless of time, location, and device (computer, notebook, tablet, or smartphone).

The goal of this blog is to introduce our new interface, the SAP Fiori Xiting Starter Pack for IDM. This blog describes the launchpad and all SAP Fiori apps from the SAP Fiori Xiting Starter Pack.

What does the SAP Fiori Xiting Starter Pack for IDM offer?

  • IDM Launchpad: The launchpad is the start page, representing all five standard SAP Fiori apps.
  • Users: With this application, you can create new users, search for users, view users and change users. Also, the assignments of business roles and privileges can be managed.
  • Business Roles: With this application, business roles can be viewed and changed.
  • Privileges: With this application, privileges can be viewed and changed.
  • Company addresses: With this application, company addresses can be viewed and changed.
  • Reset Password: This application can be used to reset passwords in selected systems.

Customizable Home – The IDM Launchpad

The launchpad is the first page that the end user sees after logging in. It is the main entry point for all SAP Fiori apps on all devices. The tiles of the apps are available on the launchpad and are bundled into two predefined groups. These groups can be found in the anchor bar at the top of the page. When the end user selects a group name, the launchpad scrolls down to the selected group. To open an SAP Fiori app, click on the appropriate tile.

Customizable Home – The Launchpad

The launchpad is authorized using a UME role. Only end users assigned to this UME role can access the launchpad and the SAP Fiori apps. Login to the launchpad is first attempted via Single Sign-On (SSO); if this login fails, the end user can log in with a username and password.

UME role IDM_LAUNCHPAD Contactor launchpad
Login on the launchpad with SSO
Login on the Launchpad with user and password
Logout from Launchpad

The SAP Fiori apps on the launchpad have the following business roles:

  • FIORI:ROLE:IDM_USER: Access to the users app.
  • FIORI:ROLE:IDM_ROLE: Access to the business roles app.
  • FIORI:ROLE:IDM_PRIVILEGE: Access to the privileges app.
  • FIORI:ROLE:IDM_COMPANY: Access to the company addresses app.
  • FIORI:ROLE:IDM_PW_RESET: Access to the password reset app.

The available tiles in the launchpad are dynamically determined based on the business roles listed above and assigned to the end user.

Users

In the users app, users can be created, searched, displayed and changed in the same way as the familiar Web Dynpro interface.

Searching for Users

As in Web Dynpro, users can be searched for. By default, you can search for the display name, the MSKEYVALUE, the first or last name, the e-mail address or the telephone number. By clicking on the arrows icon the search result can be sorted by any column. By clicking on the gear wheel icon, the search result can be personalized by showing and hiding columns.

User list: Web Dynpro vs. Fiori app
Sort user list
Personalize user list

Display user

As in Web Dynpro, detailed information about a user is displayed when selected. In this app, four blocks are displayed: General Information, Organizational Information, Privilege Assignments, and Role Assignments. When the end user selects a block, the app scrolls down to the selected block.

Display user details in Fiori App

In addition to the simple display values, referenced values of the user are also displayed here. For example, the manager and the company are presented within a fragment. In other words, when the name is clicked, a small pop-up opens with more information about the manager or the company.

Display user’s manager in Fiori App
Display user’s company address in Fiori App

As mentioned above, the privilege and business role assignments are displayed. For the privileges, the validity, reason, and status of the assignment are displayed next to the name. If you click on the privilege, you jump to the privilege app, which displays more information about this specific privilege. The business roles also display the validity, reason, and status. Here, however, the hierarchy is also displayed. This means that if there are nested business roles, the child business roles are displayed in addition to the privileges. If you click on the glasses icon, the history of the assignment is displayed, as in the old Web Dynpro UI, e.g., who requested the business role and who released it. Clicking on the double arrow icon jumps to the business role app, which displays further information about this specific business role.

Display privilege assignments
Display a privilege in the privilege app
Display hierarchy of a business role
Assignment history of a business role
Display a business role in the business role app
Sort privilege assignments

Change user

The layout of this page is identical to the page for displaying a user, except that user data can be changed here.

Clicking on the user with stylus icon in the Display Users app will load this app. The general information of the user can be changed, e.g., display name, first and/or last name, validity, salutation, or user type. Also, a new manager or a new company address can be assigned. To do this, click on the green plus icon. A pop-up window opens in which you can search for the managers or the company addresses. By clicking the red minus icon, these values are removed. In the Privilege Assignments and Role Assignments blocks, the user’s privilege and business role assignments can be maintained.

Change user salutation
Change the user’s salutation
Change the user’s validity
Change the user’s user type
Change the user’s manager
Search and select a manager
Remove the user’s manager
Change the user’s company address
Search and select a company address

As shown in Figure “Change user’s privilege assignments”, there are two icon tabs for the assignments. The Information icon tab displays the assigned and added privileges as well as the business roles; the Recycle Bin icon tab displays the privileges and business roles that are to be removed from the user. As with assigning the manager or company address, one or more privileges or business roles can be selected by clicking on the green plus icon.

Change user’s privilege assignments
Select privileges

After selecting the privileges or business roles, the validity and reason for the assignment can be entered. The added privileges or business roles have the status New and are added to the user after saving. Privilege and business role assignments can be removed from the user by clicking on the red minus icon. This moves the selected privileges or business roles from the Information icon tab to the Recycle Bin icon tab. The assignments can be restored by clicking the red minus icon on the Recycle Bin icon tab.

Enter validity and reason for the privilege assignments
New added privilege assignments
Privilege assignments to be deleted

By clicking on the green floppy disk icon, all changes are saved and sent to the IDM via REST API. A pop-up confirms that the identity has been changed. If an error occurs, you will receive a meaningful error message indicating the exact error. By clicking on the red X, all changes are discarded.

Change user success notification
Error message caused by a manager loop

Create user

The layout of this app is identical to the app for changing the user. The difference is that in this app, the fields are empty and a new user can be created with data.

Clicking on the red document with the asterisk icon in the Display User app will load this app. As already mentioned when changing the user, a user can be created with the general information such as display name, first and last name, validity, salutation and user type, with reference values such as manager and company address, and with privileges and business roles. The fields MSKEYVALUE, first name, and last name are mandatory. Since SAP ERP systems permit a user ID of up to 12 characters, the length of the MSKEYVALUE field is limited to 12 characters.

Create user

By clicking on the green document with the asterisk icon, the user is sent to the IDM system and created, just like when changing the user. After that, positive or negative feedback is shown. Click on the red X icon to cancel the creation process.

Create user – notification

Business roles, privilege and company address apps

The layout of the business role, privilege, and company address apps is the same as the user app. These apps can be used to search for business roles, privileges, and company addresses in the IDM system and to change them.

Reset Password

The password reset app resets passwords in all systems or only in selected systems. In the password field, the end user enters the desired initial password and selects the appropriate systems in which the password is to be reset. Clicking on the green tick icon sends the password change request to the IDM system. After that, positive or negative feedback is shown. Click on the red X icon to cancel the process.

Reset password
Reset Password – Notification

Your Benefits: SAP Fiori for SAP Identity Management

Your benefits at a glance:

  • Modern and user-friendly interface with an easy and comfortable operation.
  • More effective use of IDM applications regardless of time, location, operating system, and device.
  • Faster access to the daily SAP Fiori apps via the IDM Launchpad.
  • Effective handling of everyday IDM tasks within SAP Fiori apps rather than calling various IDM applications.
  • Role-based SAP Fiori apps.
  • Currently in German and English (optional extension).

The screenshots in this blog are just examples from our sandbox system. The design and arrangement of and within the application are adjustable according to customer requirements.

The SAP Fiori Xiting Starter Pack makes SAP Identity Management more usable and user-friendly for the end user.

Our Experts

Chen Chen

Chen is a Junior SAP Security Consultant at Xiting GmbH in Germany with a strong focus on SAP Identity Management.

    Fabian Honervogt

    Fabian started his work in the field of IT with an apprenticeship in 2006. Since 2015 he has been an SAP Security Consultant at Xiting GmbH in Germany with a strong focus on SAP Identity Management and SAP Fiori.