Xiting SAP Security Blog

SAP Identity Management meets SAP Fiori

Everybody who knows the old SAP Identity Management Web DynPro user interface knows how unattractive it is. Therefore, some of our customers requested a nicer, modern and more user-friendly UI. As a result, we had to develop something new for the market. Our decision fell on SAP Fiori because it works on every device (computer, smartphone or tablet) with almost the same properties. Because SAP took Fiori off the IDM roadmap, we had to develop it all on our own.

We started with the role approval app for our SAP Security Group Event in Zurich (Switzerland) in 2015. We were able to finish the business role request application for our SAP Security Group Event in Frankfurt (Germany) that took place some months later. Our next steps will be the connection to the Xiting Authorizations Management Suite (XAMS) and the development of an SAP Identity Management Fiori Starter Pack.

The connection between SAP Identity Management and XAMS is a unique approach. XAMS replicates technical roles (privileges) in the backend system with different Org Sets, and IDM will connect these Org Sets to each privilege. These Org Set values will function as filter attributes for the role request and enable the end user to select the desired roles from a set of up to thousands of roles.

In the IDM Fiori Starter Pack, we will offer some standard applications like Change Identity or Change Business Role.

Business Role Request

First, I would like to introduce our filter concept, which reduces the available business roles drastically. It takes away the possibility for users to pick the wrong role because only the applicable ones will be displayed. Since end users cannot find the correct roles among 100,000 or more business roles, role mining is necessary.

In this case, each business role gets three new attributes: one each for the region, the country, and the city. With these attributes, we can filter directly on the business roles and provide only a few business roles for selection.

Figure: Web DynPro request task

This task worked well in Web DynPro, so we wanted to create a Fiori app for the business role request.

We are using standard queries via the REST-API (Representational State Transfer – Application Programming Interface) on the AS JAVA server to get the values that we need. In this case, that is all the information about the users and the roles from our SAP Identity Management system:

  • the logged-in user
  • all available users
  • role ID
  • role name
  • filter selection

Business Role Request in SAP Fiori

The Consignee

In the first step, it is possible to select whether the request should be for the requestor itself, or for another user in the system.

Figure: Consignee will be the logged-in user, ssg_user1
Figure: Selecting another user as consignee
Figure: Consignee will be the user ssg_user2

The Filter

After the consignee has been selected, the filter is used to narrow down the choice of available business roles. As with the Web DynPro task, we have a three-stage filter – beginning with the region, followed by country, and finally location.

Due to our hierarchy filter (Region > Country > Location), the requestor has different possibilities in the next dropdown filter depending on the prior selection. For example, if he selects AMER in the first filter, the second filter offers countries from the Americas. If he selects EMEA, the second filter only offers countries from Europe. If he selects * (all values), the filter will be treated as a wildcard. As a result, the next filter shows all values that are available. For instance, if he selects the wildcard in the first filter, the second filter offers all available countries in the system, independent of the region.

With the selection AMER > United States > Miami there are five business roles available. Those filter values are just sample values but are taken directly from the respective roles in the backend system. When the roles are set up correctly, and as recommended as best practice by SAP (e.g. by using XAMS), you do not have to worry about creating numerous CSV files with made-up filter attributes. The filter values can be fed into IDM automatically from the already configured ABAP backend system. Of course, the type and the number of filters (or Org Sets) can be adapted and defined flexibly according to your company’s requirements.
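As an added illustration (not code from the Xiting apps), the cascading filter logic in JavaScript: each dropdown offers only the values left by the prior stages, * acts as a wildcard, and a submitted selection is checked against the values the dropdowns would actually have offered, which is the server-side counterpart a practitioner would want next to the UI filter. Role IDs, names and attribute values are constructed sample data.

```javascript
// Added example, not code from the Xiting Fiori apps: a cascading
// Region > Country > Location filter over business roles, where "*" is a
// wildcard at any stage. All role records below are constructed sample data.
const WILDCARD = "*";
const STAGES = ["region", "country", "city"];

// Constructed sample roles carrying the three filter attributes (Org Set values).
const SAMPLE_ROLES = [
  { id: "BR_FIN_MIAMI", name: "Finance Clerk Miami", region: "AMER", country: "United States", city: "Miami" },
  { id: "BR_HR_MIAMI", name: "HR Assistant Miami", region: "AMER", country: "United States", city: "Miami" },
  { id: "BR_FIN_DALLAS", name: "Finance Clerk Dallas", region: "AMER", country: "United States", city: "Dallas" },
  { id: "BR_SALES_NY", name: "Sales Rep New York", region: "AMER", country: "United States", city: "New York" },
  { id: "BR_DEV_SF", name: "Developer San Francisco", region: "AMER", country: "United States", city: "San Francisco" },
  { id: "BR_FIN_TORONTO", name: "Finance Clerk Toronto", region: "AMER", country: "Canada", city: "Toronto" },
  { id: "BR_SALES_SP", name: "Sales Rep Sao Paulo", region: "AMER", country: "Brazil", city: "Sao Paulo" },
  { id: "BR_FIN_FRA", name: "Finance Clerk Frankfurt", region: "EMEA", country: "Germany", city: "Frankfurt" },
  { id: "BR_SEC_ZRH", name: "Security Admin Zurich", region: "EMEA", country: "Switzerland", city: "Zurich" },
  { id: "BR_SALES_TYO", name: "Sales Rep Tokyo", region: "APAC", country: "Japan", city: "Tokyo" },
];

// A role matches when every stage chosen so far is either the wildcard or equal.
function matchesSelection(role, selected) {
  return Object.entries(selected).every(
    ([attr, value]) => value === WILDCARD || role[attr] === value
  );
}

// Values offered in one dropdown, restricted by the stages already chosen;
// the wildcard is listed first, then the distinct values in sorted order.
function stageOptions(roles, attr, selected) {
  const values = roles.filter((r) => matchesSelection(r, selected)).map((r) => r[attr]);
  return [WILDCARD, ...[...new Set(values)].sort()];
}

// IDs of the business roles left after the full three-stage selection.
function availableRoles(roles, selected) {
  return roles.filter((r) => matchesSelection(r, selected)).map((r) => r.id);
}

// Server-side counterpart of the UI filter: accept a submitted selection only if
// each stage value is one the previous stages would actually have offered.
function isValidSelection(roles, selected) {
  const prior = {};
  for (const attr of STAGES) {
    if (!stageOptions(roles, attr, prior).includes(selected[attr])) return false;
    prior[attr] = selected[attr];
  }
  return true;
}
```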

Figure: First selection: Wild Card, AMER, APAC, EMEA
Figure: Second selection: Wild Card, Brazil, Canada, United States
Figure: Third selection: Wild Card, Dallas, Miami, New York, San Francisco
Figure: Available roles for selection AMER > United States > Miami

Available and Selected Roles

Once the available roles are displayed, the requestor selects the needed business roles and clicks Add to move them to the Selected Roles area.

Figure: Selected available roles
Figure: Selected roles

Additional Information

To provide the additional information that is required, the requestor has to select a valid-from date, a valid-to date and a reason why the consignee needs these authorizations.

Figure: Selecting a valid-from date
Figure: Selecting a valid-to date
Figure: Request reason selection
Figure: Request is ready to submit

After a successful submission of the request, a pop-up appears to inform the requestor.

Figure: Message for the requestor

Request Approval

The request approval in the old Web DynPro is a standard task and does not need to be created or modified. If an approval is assigned to an approver, it shows on the To Do tab, provided that the approver has the IDM authorization to see this tab.

The approver selects each request on its own or multiple requests in one step, then clicks Approve, Decline or Delegate.

Figure: Web DynPro approval task

In Fiori, standard REST-API URLs can be used to retrieve the pending approvals in the app. Based on that, this master-detail Fiori app shows all open approvals that have to be approved or declined by user ssg_man1.

Figure: All open approvals for an approver

If the approver selects a request, all information about the consignee, the validity and the reason are available in the right detail part of the app. When clicking on the icon, it is possible to see all privileges (technical roles from the backend systems) which are assigned to this business role. Additionally, the approver has the opportunity to give a reason for the approval or the rejection.

Figure: Details from a request
Figure: Details from a request (privileges of the business role)
Figure: Added reason, ready for accept

After a successful approval or rejection of the request, the approver gets a pop-up to let them know that their decision was submitted.

Figure: Message for the approver

Main benefits for using SAP Identity Management with SAP Fiori

The main benefits for using SAP Identity Management with SAP Fiori are:

  • the design of the applications and
  • the usability for the end user

Due to modern technologies like HTML5 and CSS3, these Fiori apps are responsive and fully flexible, and they are usable on all kinds of devices with almost the same appearance.

The screenshots in this post are just example applications from our sandbox system. The design and arrangement of and within the application are adjustable per customers’ requirements.

Fiori applications offer great possibilities to design all kinds of processes and workflows on the front end of IDM. It finally makes SAP NetWeaver Identity Management more usable and Xiting for the end user.