Data provisioning
Enter a unique name for the new connector. If you selected and configured a template connector, the configured template is stored in Omada Identity. When Omada rolls out changes to the template connectors, your configurations remain intact in your own version.
Connector settings
Setting | Description |
---|---|
Connection string | Type a connection string to connect to the database. This is a mandatory setting. |
Disable schema validation | Optionally, select the checkbox Disable schema validation to disable the function where the connector validates the database schema. |
DB Access Technology Type | Indicates that SAP HANA is the selected database access technology type. |
Test connection | Enable this setting to test the specified connection details. |
General settings
Setting | Description |
---|---|
Enable password reset | Enable self-service password reset for the system. |
Password policy | Choose a password policy to associate with the system, for example, if you want to enforce a certain password length or the use of specific characters. |
Provisioning claims validity | Type the number of days for which a provisioning claim is valid. If this field is set to 0 or empty, the provisioning claim is not valid and the provisioning call is sent once more. |
Account deletion unsupported | Enable Account deletion unsupported option if accounts are not to be deleted in the target system. Enabling this instructs the system to perform provisioning updates rather than de-provisioning. The provisioning update task will contain information on disabling the account. |
Enable provisioning
Setting | Description |
---|---|
Method for accounts | Select the provisioning method to use for provisioning account assignments. You can select: - None (no provisioning of account assignments) - Omada Provisioning Service - Manual provisioning - Microsoft Identity Manager (MIM) |
Method for assignments | Select the provisioning method to use for provisioning permission assignments. You can select: - None (no provisioning of permission assignments) - Omada Provisioning Service - Manual provisioning - Microsoft Identity Manager (MIM) |
Provisioning connector | If you select Omada Provisioning Service as the Provisioning Method, you must also select a provisioning connector. Select the SAP HANA DB connector. |
Use default configuration | Select the checkbox to use the default configuration. If you enable this option, it overwrites any existing configuration. |
Name | Type the name of the connector to use. |
Data model
Setting | Description |
---|---|
Data model | Type or paste code related to the connector’s data model. Find information about the relevant system’s data model in the Data model section. |
Task mappings
Setting | Description |
---|---|
Enabled | Select the checkbox to enable the relevant setting in the following column. |
Resource type | Lists the resource type. |
Assignments | Select a task mapping for added, modified and deleted resource assignments. |
Resources | You can create task mapping for resource lifecycle management tasks. |
Advanced settings
General
Setting | Description |
---|---|
Concurrent connections | The number of simultaneous connections to open against the target system for provisioning purposes. The default value is 1. |
Review jobs | Enable this setting to allow manual reviews of jobs before the jobs are run. |
Archiving
Setting | Description |
---|---|
Automatically archive completed jobs | Enable this setting to allow automatic archiving of completed jobs. |
No. of days after completion to archive | Type the number of days after which the completed jobs will be archived. The default value is 10. |
Include failed jobs | Enable this setting to allow archiving of failed jobs. |
Include jobs in review | Enable this setting to allow archiving of jobs that have not been reviewed for the configured number of days. |
Purging
Setting | Description |
---|---|
Automatically purge archived jobs | Enable this setting to allow automatic removal of archived jobs. |
No. of days after archive | Type the number of days after which the archived jobs will be deleted. The default value is 10. |
Task mappings
The SAP HANA DB connector uses the following task mappings.
Parameter | Description |
---|---|
ROPE Account to SAP HANA DB user | Contains mappings of assignments from the ROPE Account to the SAP HANA DB user. By default, the task mapping for the user uses user name and password authentication. Other options are also available and can be configured by adapting the SQL templates in the data model. |
SapHanaDb Usergroup | Task mapping that can be adapted for provisioning user group assignments. It is mapped to the _SAP\_HANA\_DB_UserGroup_ resource type. |
SapHanaDbAssignment | Task mapping that can be adapted for provisioning SAP HANA DB database role assignments. It is mapped to the _SAP\_HANA\_DB_ROLES_ resource type. |
SSPR | Contains mappings for resetting the password of SAP HANA DB users. This task mapping is not pre-selected and can be selected manually. Choosing this task mapping requires changing the mapping type to _Password Reset_. |
Users provisioned with the default task mapping are assigned the PUBLIC role. It is a default SAP HANA DB role that is assigned to all HANA DB users, granting minimum privileges required to work with the database. For more information, go to SAP HANA DB Database Users documentation.
The attribute names used in the data model and in the task mappings are case sensitive and must match exactly.
Data model
The data model is adapted individually to each database to which you want to write. You must describe each database table as an `<object>` in the model. Define each column to write to in the table as a `<property>`.
Sample of connector data model:
```xml
<connectorDataModel xmlns="http://schemas.omada.net/ops/2015/ConnectorDataModelML" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <properties>
    <property name="USER_NAME"/>
    <property name="USERGROUP_NAME"/>
    <property name="PASSWORD"/>
    <property name="EMAIL"/>
    <property name="ROLE_NAME"/>
  </properties>
  <objects>
    <object name="SapHanaDbUser">
      <objectDetails>
        <!-- Angle-bracket placeholders are XML-encoded as &lt;NAME&gt;. Placeholder names must match the
             objectProperty names exactly (case sensitive). The password is enclosed in double quotes,
             encoded as &quot;, because it may contain characters that are invalid in a bare SQL token. -->
        <objectDetail name="CreateSqlTemplate" value="CREATE USER &lt;USER_NAME&gt; PASSWORD &quot;&lt;PASSWORD&gt;&quot; SET PARAMETER EMAIL ADDRESS = '&lt;EMAIL&gt;' SET USERGROUP DEFAULT"/>
        <objectDetail name="UpdateSqlTemplate" value="ALTER USER &lt;USER_NAME&gt; SET PARAMETER EMAIL ADDRESS = '&lt;EMAIL&gt;'"/>
        <objectDetail name="DeleteSqlTemplate" value="DROP USER &lt;USER_NAME&gt;"/>
      </objectDetails>
      <objectProperties>
        <objectProperty>USER_NAME</objectProperty>
        <objectProperty>PASSWORD</objectProperty>
        <objectProperty>EMAIL</objectProperty>
      </objectProperties>
    </object>
    <object name="SSPR">
      <objectDetails>
        <!-- Self-service password reset: only an update template is needed. -->
        <objectDetail name="UpdateSqlTemplate" value="ALTER USER &lt;USER_NAME&gt; PASSWORD &quot;&lt;PASSWORD&gt;&quot;"/>
      </objectDetails>
      <objectProperties>
        <objectProperty>USER_NAME</objectProperty>
        <objectProperty>PASSWORD</objectProperty>
      </objectProperties>
    </object>
    <object name="SapHanaDbUsergroup">
      <objectDetails>
        <objectDetail name="CreateSqlTemplate" value="ALTER USER &lt;USER_NAME&gt; SET USERGROUP &lt;USERGROUP_NAME&gt;"/>
        <objectDetail name="DeleteSqlTemplate" value="ALTER USER &lt;USER_NAME&gt; UNSET USERGROUP"/>
      </objectDetails>
      <objectProperties>
        <objectProperty>USER_NAME</objectProperty>
        <objectProperty>USERGROUP_NAME</objectProperty>
      </objectProperties>
    </object>
    <object name="SapHanaDbAssignment">
      <objectDetails>
        <objectDetail name="CreateSqlTemplate" value="GRANT &lt;ROLE_NAME&gt; TO &lt;USER_NAME&gt;"/>
        <objectDetail name="DeleteSqlTemplate" value="REVOKE &lt;ROLE_NAME&gt; FROM &lt;USER_NAME&gt;"/>
      </objectDetails>
      <objectProperties>
        <objectProperty>USER_NAME</objectProperty>
        <objectProperty>ROLE_NAME</objectProperty>
      </objectProperties>
    </object>
  </objects>
</connectorDataModel>
```
Note that the UserId is left out as it is an identity column that should not be in use. To perform update and delete operations, you must specify which column or columns indicate the key on the table. The column does not have to be the actual primary key, but it must contain a unique value in the table.
To indicate the key columns, add the `isKey` attribute to the `objectProperty` element:
```xml
<objectProperty isKey="true">UserName</objectProperty>
```
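The two rules above (attribute names are case sensitive between the data model and the templates, and update/delete operations need a key column) are easy to get wrong by hand. The following checker is an added example, not part of Omada's connector or documentation: it parses a `connectorDataModel` document with the standard library, and reports object detail names that are not exactly `CreateSqlTemplate`/`UpdateSqlTemplate`/`DeleteSqlTemplate`, placeholders that do not match an `objectProperty` (including case-only mismatches), properties not declared under `<properties>`, and objects with an update or delete template but no `isKey="true"` property. The embedded sample model is constructed for the example; its second object deliberately carries three such mistakes.

```python
"""Static checks for a connectorDataModel document (added illustration, not Omada code)."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.omada.net/ops/2015/ConnectorDataModelML}"
TEMPLATE_DETAILS = {"CreateSqlTemplate", "UpdateSqlTemplate", "DeleteSqlTemplate"}
# {NAME} and <NAME> placeholders as they appear once the XML attribute value is decoded.
PLACEHOLDER = re.compile(r"[{<]([A-Za-z_][A-Za-z0-9_]*)[}>]")

# Constructed sample: the first object is well formed; the second has a mis-cased
# detail name, a mis-cased placeholder and no key column.
SAMPLE_MODEL = """<connectorDataModel xmlns="http://schemas.omada.net/ops/2015/ConnectorDataModelML">
  <properties>
    <property name="USER_NAME"/>
    <property name="PASSWORD"/>
    <property name="ROLE_NAME"/>
  </properties>
  <objects>
    <object name="SapHanaDbAssignment">
      <objectDetails>
        <objectDetail name="CreateSqlTemplate" value="GRANT &lt;ROLE_NAME&gt; TO &lt;USER_NAME&gt;"/>
        <objectDetail name="DeleteSqlTemplate" value="REVOKE &lt;ROLE_NAME&gt; FROM &lt;USER_NAME&gt;"/>
      </objectDetails>
      <objectProperties>
        <objectProperty isKey="true">USER_NAME</objectProperty>
        <objectProperty>ROLE_NAME</objectProperty>
      </objectProperties>
    </object>
    <object name="SapHanaDbUser">
      <objectDetails>
        <objectDetail name="CreateSQLTemplate" value="CREATE USER &lt;USER_NAME&gt; PASSWORD &quot;&lt;Password&gt;&quot;"/>
        <objectDetail name="DeleteSqlTemplate" value="DROP USER &lt;USER_NAME&gt;"/>
      </objectDetails>
      <objectProperties>
        <objectProperty>USER_NAME</objectProperty>
        <objectProperty>PASSWORD</objectProperty>
      </objectProperties>
    </object>
  </objects>
</connectorDataModel>
"""


def validate_model(xml_text):
    """Return a list of findings; an empty list means the model passed every check."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {p.get("name") for p in root.iter(NS + "property")}
    for obj in root.iter(NS + "object"):
        oname = obj.get("name")
        props = list(obj.iter(NS + "objectProperty"))
        prop_names = {(p.text or "").strip() for p in props}
        has_key = any(p.get("isKey", "false").lower() == "true" for p in props)
        # Every objectProperty must be declared globally under <properties>.
        for pn in sorted(prop_names):
            if pn not in declared:
                findings.append(f"{oname}: objectProperty {pn} is not declared under <properties>")
        details = {d.get("name"): d.get("value", "") for d in obj.iter(NS + "objectDetail")}
        for dname, sql in details.items():
            # Detail names are case sensitive: CreateSQLTemplate is not CreateSqlTemplate.
            if dname not in TEMPLATE_DETAILS:
                findings.append(f"{oname}: object detail name {dname!r} is not one of {sorted(TEMPLATE_DETAILS)}")
            # Each placeholder must match an objectProperty of this object, exact case.
            for ph in PLACEHOLDER.findall(sql):
                if ph in prop_names:
                    continue
                same_ci = [p for p in prop_names if p.lower() == ph.lower()]
                if same_ci:
                    findings.append(f"{oname}/{dname}: placeholder {ph} differs only in case from property {same_ci[0]}")
                else:
                    findings.append(f"{oname}/{dname}: placeholder {ph} has no matching objectProperty")
        # Update and delete operations need a key column to identify the row.
        if details.keys() & {"UpdateSqlTemplate", "DeleteSqlTemplate"} and not has_key:
            findings.append(f'{oname}: update/delete template present but no objectProperty has isKey="true"')
    return findings


if __name__ == "__main__":
    for finding in validate_model(SAMPLE_MODEL):
        print(finding)
```

Run it against your own data model before importing it; a clean run returns no findings, while each mismatch is reported with the object and object detail it occurs in.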
Object details
The OPS database connector and SAP HANA DB connector have three object details available that are related to the SQL template:
- CreateSqlTemplate
- UpdateSqlTemplate
- DeleteSqlTemplate
Those object details allow you to specify the SQL statement that is executed for a specific operation on a particular object. The templates contain placeholders, replaced by the connector with appropriate values.
The placeholders should be enclosed in curly `{}` or angle `<>` brackets.
Differences between placeholders
Placeholders within curly brackets `{PLACEHOLDER}` are provided as SQL command parameters.
Placeholders within angle brackets `<PLACEHOLDER>` are filled by text replacement with SQL-injection prevention applied: the connector replaces each placeholder with the value of the corresponding object property. Because the data model is provided in XML format, the brackets must be XML-encoded, so `<PLACEHOLDER>` is written as `&lt;PLACEHOLDER&gt;` in the data model.
For the object detail `CREATE USER <USERNAME>`, specify the USERNAME property. Its value replaces the placeholder in the final statement: with the value ADAM_SMITH, `CREATE USER <USERNAME>` executes as `CREATE USER ADAM_SMITH`.
If the parameter that is provided in the SQL statement supports parametrized queries, use curly brackets. Otherwise use angle brackets.
Provisioning a user uses an SQL statement that contains a password. Because the password can contain special characters that are invalid in an SQL statement, the password is enclosed in quotation marks. Due to the XML encoding, the quotation marks are specified as `&quot;`. For more information, go to the SAP HANA DB password policy layout.
The SQL template statements in the object details can be adapted to include provisioning of properties as necessary.
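To make the distinction between the two placeholder styles concrete, here is an added example renderer (not Omada's connector code; how the real connector performs its replacement and injection prevention is not described on this page). It assumes a `?` bind marker for `{NAME}` placeholders, and for `<NAME>` placeholders applies two constructed rules: inside a quoted literal (`'...'` or `"..."`, as the password and e-mail templates above use) the quote character in the value is doubled, the standard SQL escape; anywhere else the value must be a bare identifier, otherwise the statement is rejected rather than executed. The sample templates and values are constructed for the example.

```python
"""Illustrative SQL template renderer for {NAME} and <NAME> placeholders (added example, not Omada code)."""
import re

# A bare identifier: letters, digits and underscore, not starting with a digit (assumed rule).
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# group 1: {NAME} -> bind parameter; group 2: <NAME> -> text replacement.
TOKEN = re.compile(r"\{([A-Za-z_]\w*)\}|<([A-Za-z_]\w*)>")


class TemplateError(ValueError):
    """Raised when a value cannot be placed safely into the template."""


def render(template, values):
    """Return (statement, parameters) for the template and the property values.

    {NAME} becomes a '?' marker and the value is appended to the parameter list.
    <NAME> is replaced textually: inside '...' or "..." the quote character in the
    value is doubled; elsewhere the value must be a bare identifier.
    """
    params = []

    def substitute(match):
        if match.group(1):                      # {NAME}: parameterized, never spliced into text
            name = match.group(1)
            if name not in values:
                raise TemplateError(f"no value for {{{name}}}")
            params.append(values[name])
            return "?"
        name = match.group(2)                   # <NAME>: text replacement
        if name not in values:
            raise TemplateError(f"no value for <{name}>")
        value = str(values[name])
        start, end = match.span()
        before = template[start - 1] if start > 0 else ""
        after = template[end] if end < len(template) else ""
        if before == after and before in ("'", '"'):
            # Quoted literal context: doubling the delimiter keeps the value inside the literal.
            return value.replace(before, before * 2)
        if not IDENT.match(value):
            # Unquoted context (user name, role name): only a plain identifier is acceptable.
            raise TemplateError(f"value for <{name}> is not a plain identifier: {value!r}")
        return value

    return TOKEN.sub(substitute, template), params


def try_render(template, values):
    """Return render() result, or None when the template rejects the values."""
    try:
        return render(template, values)
    except TemplateError:
        return None


if __name__ == "__main__":
    # Constructed values; the templates mirror the object details in the data model above.
    print(render("GRANT <ROLE_NAME> TO <USER_NAME>",
                 {"ROLE_NAME": "MONITORING", "USER_NAME": "ADAM_SMITH"}))
    print(render('ALTER USER <USER_NAME> PASSWORD "<PASSWORD>"',
                 {"USER_NAME": "ADAM_SMITH", "PASSWORD": 'p"w;rd'}))
    print(render("ALTER USER <USER_NAME> SET PARAMETER EMAIL ADDRESS = '<EMAIL>'",
                 {"USER_NAME": "ADAM_SMITH", "EMAIL": "o'neil@example.com"}))
    print(try_render("CREATE USER <USER_NAME>", {"USER_NAME": "ADAM_SMITH; --"}))
```

The point the page makes, that curly brackets are preferred wherever the statement accepts a parameter, shows in the output: a `{EMAIL}` value is never part of the statement text at all, whereas an `<EMAIL>` or `<USER_NAME>` value is, so the text-replacement path has to enforce a context rule of its own.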