Integration of HCM Organizational Units in SAP Identity Management
By default, you cannot create a hierarchy of organizational units in SAP Identity Management (IDM) when importing them from Human Capital Management (HCM), because the organizational units are maintained flat in HCM. For this reason we have developed a job that regularly reads the entire organizational structure from HCM and maps it in IDM. This makes it easier in IDM to determine superiors dynamically at runtime or to access parent or subordinate organizational units.
How do you get the data from the HCM to the IDM?
The organizational units are maintained in the transaction PPOM of the SAP HCM module. In order to be able to access this data, the connection user must be sufficiently authorized. IDM accesses the table STRU_TAB with the function module and other input parameters, reads the desired values and stores them in a temporary table in the IDM.
In addition to the function module and the start table, the input parameters are particularly important in order to obtain the desired values. These values can be modified in the Admin UI.
Especially important are the following values:
- OTYPE: The object type of the start unit must be O for organizational unit.
- OBJID: The object ID of the start unit can be found in transaction PPOM.
- WEGID: With the value ORGCHART, the function module supplies, in addition to the organizational units (O), the chief executive positions (S) and the personnel numbers (P) that sit on the chief executive positions.
- BEGDA: The start date of the organizational units considered.
- ENDDA: The end date of the organizational units considered.
With this data, the function module knows where to start and what information should be returned. Depending on the size of the company and the starting point, you get a larger or smaller table that is hard to read but provides all the important data.
Table 1 shows an example presentation of an organizational unit hierarchy. The entry point is OBJID 60040263, which is the top node of the organization, here Xiting AG. In the second line is the chief executive position (object type S), which has been set up for the CEO. The parent organizational unit (PUP_OBJI) can be seen at the end of the table, in this case Xiting AG (OBJID 60040263). In the third line is the personnel number (object type P), which sits on the CEO’s chief position.
Table 1: Example of an organizational unit structure, including chief executive position and personnel number
OT | OBJID | TEXT | BEGDA | ENDDA | LEVEL | PU | PUP_OBJI | PUP_TEXT |
O | 60040263 | Xiting AG | 2000-01-01 | 9999-12-31 | 1 | (null) | (null) | (null) |
S | 60040976 | CEO | 2000-01-01 | 9999-12-31 | 2 | O | 60040263 | Xiting AG |
P | 80000068 | Patrick Bockel | 2000-01-01 | 9999-12-31 | 3 | S | 60040976 | CEO |
How is the data processed in IDM?
After the first pass of the job has brought the raw data from the HCM into the IDM, it has to be processed further.
First, new organizational units are created or existing ones receive updates, e.g. if the name has been changed or the organizational unit is no longer active.
Next, the links between the organizational units are set. As seen in Table 1, there are links between organizational units, chief executive positions and personnel numbers. However, the organizational units also need to be linked to each other to represent the hierarchy in the organization.
Subsequently, the managers are placed on the organizational units. These can thus be drawn dynamically in other IDM processes, without the superiors being assigned directly to an employee.
Finally, a business role is created for each organizational unit, which is assigned to the employees of the respective organizational unit during the entry or organizational change process. These business roles contain, e.g., file server permissions that are specific to each organizational unit.
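The linking and manager steps above, as an added sketch (not Xiting's job code): it turns flat rows in the layout of Table 1 into linked organizational units and resolves the approver for a unit on a given day. The rows beyond Table 1, the function names, the omission of the LEVEL and PUP_TEXT columns, and the policy of falling back to the parent unit's manager when a chief position is vacant are assumptions made for illustration.

```javascript
// Rows in the column layout of Table 1. Rows 1-3 are Table 1 itself; rows 4-6
// (a child unit whose chief left on 2018-06-30) are constructed sample data.
const ROWS = [
  ["O", "60040263", "Xiting AG", "2000-01-01", "9999-12-31", null, null],
  ["S", "60040976", "CEO", "2000-01-01", "9999-12-31", "O", "60040263"],
  ["P", "80000068", "Patrick Bockel", "2000-01-01", "9999-12-31", "S", "60040976"],
  ["O", "60050001", "Consulting", "2010-01-01", "9999-12-31", "O", "60040263"],
  ["S", "60050002", "Head of Consulting", "2010-01-01", "9999-12-31", "O", "60050001"],
  ["P", "80000099", "Former Manager", "2010-01-01", "2018-06-30", "S", "60050002"],
].map(([OT, OBJID, TEXT, BEGDA, ENDDA, PU, PUP_OBJI]) =>
  ({ OT, OBJID, TEXT, BEGDA, ENDDA, PU, PUP_OBJI }));

// ISO dates sort lexicographically, so string comparison is a valid range check.
const validOn = (r, day) => r.BEGDA <= day && day <= r.ENDDA;

// Build the unit hierarchy from the flat rows, using only rows valid on `day`.
function buildOrgUnits(rows, day) {
  const live = rows.filter((x) => validOn(x, day));
  const units = new Map();
  for (const r of live.filter((x) => x.OT === "O")) {
    units.set(r.OBJID, { name: r.TEXT, parent: null, children: [], manager: null });
  }
  const positionUnit = new Map(); // chief position (S) -> owning unit (O)
  for (const r of live) {
    if (r.PU !== "O" || !units.has(r.PUP_OBJI)) continue;
    if (r.OT === "O") {
      units.get(r.OBJID).parent = r.PUP_OBJI;
      units.get(r.PUP_OBJI).children.push(r.OBJID);
    } else if (r.OT === "S") {
      positionUnit.set(r.OBJID, r.PUP_OBJI);
    }
  }
  for (const r of live) {
    if (r.OT === "P" && r.PU === "S" && positionUnit.has(r.PUP_OBJI)) {
      units.get(positionUnit.get(r.PUP_OBJI)).manager = r.OBJID;
    }
  }
  return units;
}

// Approver for a unit: its own manager, else the nearest ancestor's (assumed policy).
function resolveApprover(units, unitId) {
  const seen = new Set(); // guards against a cyclic parent link
  for (let id = unitId; units.has(id) && !seen.has(id); id = units.get(id).parent) {
    seen.add(id);
    if (units.get(id).manager) return units.get(id).manager;
  }
  return null;
}
```

Because only rows valid on the evaluation day are linked, a chief whose assignment has ended never becomes the unit's manager, and the lookup returns null rather than a stale approver when no valid manager exists anywhere up the chain.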
The job should run regularly to always reflect the current status of organizational units in IDM. It is possible to view the job log in the Admin UI.
After the job has run for the first time, all organizational units are present in the IDM and can be used. In the IDM UI, under the manage tab, there is the selection Organizational Unit. If you select this option, all organizational units that exist in IDM are listed with the unique ID (OBJID from the PPOM) and their manager.
If you select an organizational unit and choose the Display Organizational Unit task, you will receive all relevant information about this organizational unit.
In addition to the name and unique ID, the manager, the parent organizational unit, the child organizational unit(s), and the associated users are displayed.
With the Xiting IDM OrgUnit Integration (XIOU) service, you get, for the first time, the possibility of an automated lifecycle of organizational units within SAP Identity Management.
After every run of the job, you have a picture of your organizational units as maintained in HCM. The organizational units that now exist are displayed hierarchically and linked from the top to the lowest level. Thus, the correct managers of your employees can be determined in the IDM at any time, and no approval process will reach the wrong approver anymore, or possibly even one who has already resigned.
- Integration of HCM Organizational Units in SAP Identity Management - 21. December 2018