SAP NetWeaver® Identity Management
Identity Center
Identity store schema - Technical reference
Preface
The product
SAP NetWeaver Identity Management Identity Center is a high-end identity management solution, capable of handling a large number of repositories containing an unlimited amount of information. The Identity Center offers a robust, flexible and scalable high-availability solution for workflow, provisioning, data synchronization and joining for a large number of data repositories.
The reader
This manual is written for people who are implementing and/or maintaining the SAP NetWeaver Identity Management Identity Center, and others requiring a deeper understanding of the identity store schema.
Prerequisites
To get the most benefit from this manual, you should have the following knowledge: Thorough knowledge of the Identity Center.
This document is written according to SAP NetWeaver Identity Management Identity Center version 7.2 SP10.
The manual
Table of contents
Introduction
Section 1: Entry types
Section 2: Attribute specifications
Section 3: User defined attributes
Introduction
This document gives an overview of the schema definition in the SAP NetWeaver Identity Management Identity Center's identity store – the purpose is to document the existing entry types and attributes, their descriptions and use.
The identity store
The identity store stores the identity data according to a schema that consists of entry types and attributes. The entry types describe how the different identity-relevant objects are represented in the Identity Center. Each entry type has a number of attributes containing values for each entry of the specific entry type.
The identity store is the hub between all components in Identity Center. Provisioning is based on the identity data stored in the identity store. Workflows are processed based on this data as well. Business roles and privileges are stored here. Meta directory operations will keep the information up-to-date.
Properties of the identity store are:
* Keep historical data and full audit to support compliance
* Temporary attributes for tracking time critical values
* Roles and privileges - time to live definable
Section 1: Entry types
The identity store stores the identity data according to a schema that consists of entry types and attributes. The entry types are objects that describe how the different identity-relevant objects are represented in the Identity Center.
The entry types used are:
* MX_APPLICATION
* MX_ASYNC_REQUEST
* MX_COMPANY_ADDRESS
* MX_DYNAMIC_GROUP
* MX_GROUP
* MX_PENDING_VALUE
* MX_PERSON
* MX_PRIVILEGE
* MX_REPORT
* MX_ROLE
* MX_SAML_PROVIDER
Entry type MX_APPLICATION
Description
This optional entry type holds the information about an application. It is one of the three entry types being used by Identity Services when performing its operations (the other two are MX_PERSON and MX_PRIVILEGE).
MX_APPLICATION can be used to organize the privileges by grouping them by application (the application level, which is only an informational level and does not represent any physical repository). An application can also have a link to a repository, but is otherwise only a way to organize the privileges.
Attributes
This entry type contains the following twelve attributes:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
MX_ENTRYTYPE | Yes | 7.2
MX_MANAGER | No | 7.2
MX_OWNER | No | 7.2
MX_REPOSITORYNAME | No | 7.2
MXMEMBER_MX_PRIVILEGE | No | 7.2
Relations
One MX_APPLICATION object can reference multiple MX_PRIVILEGE objects, while one MX_PRIVILEGE object belongs to only one MX_APPLICATION object.
Special considerations
None.
Entry type MX_ASYNC_REQUEST
Description
The Identity Services solution makes use of the MX_ASYNC_REQUEST entry type and its attributes.
The imported Identity Services provisioning framework must be connected to the entry type MX_ASYNC_REQUEST in order to automatically process incoming requests.
Attributes
The following attributes are defined for this entry type:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
MX_ASYNC_ORIG_OPERATION | No | 7.2
MX_ASYNC_PRIVILEGE | No | 7.2
MX_ASYNC_REQUEST_ID | No | 7.2
MX_ASYNC_ROLE | No | 7.2
MX_AUDIT_FLAGS | No | 7.2
MX_CERTIFICATE | No | 7.2
MX_DEPARTMENT | No | 7.2
MX_ENTRYTYPE | Yes | 7.2
MX_FAX_PRIMARY | No | 7.2
MX_FIRSTNAME | No | 7.2
MX_INITIALS | No | 7.2
MX_LANGUAGE | No | 7.2
MX_LASTNAME | No | 7.2
MX_MAIL_PRIMARY | No | 7.2
MX_MANAGER | No | 7.2
MX_MOBILE_PRIMARY | No | 7.2
MX_OWNER | No | 7.2
MX_PAGER_ADDITIONAL | No | 7.2
MX_PASSWORD | No | 7.2
MX_PHONE_ADDITIONAL | No | 7.2
MX_PHONE_PRIMARY | No | 7.2
See also section The ASYNC attributes on page 63.
Relations
None.
Special considerations
Entry type MX_COMPANY_ADDRESS
Description
This is the entry type for company address. It is nearly a 1:1 mapping of the COMPANY object in ABAP.
Attributes
This entry type has the following attributes defined:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
MX_ADDRESS_POSTAL_CODE | No | 7.2
MX_ADDRESS_REASON_DONT_USE_POBOX_ADDRESS | No | 7.2
MX_ADDRESS_REASON_DONT_USE_STREET_ADDRESS | No | 7.2
MX_ADDRESS_REGION | No | 7.2
MX_ADDRESS_REGION_GROUP | No | 7.2
MX_ADDRESS_ROOM_NO | No | 7.2
MX_ADDRESS_STREET_1 | No | 7.2
MX_ADDRESS_STREET_2 | No | 7.2
MX_ADDRESS_STREET_3 | No | 7.2
MX_ADDRESS_STREET_4 | No | 7.2
MX_ADDRESS_STREET_5 | No | 7.2
MX_ADDRESS_STREET_NO | No | 7.2
MX_ADDRESS_TAX_JURISDICTION_CODE | No | 7.2
MX_ADDRESS_TIME_ZONE | No | 7.2
MX_ADDRESS_TITLE | No | 7.2
MX_ADDRESS_TRANSPORT_ZONE | No | 7.2
MX_AUDIT_FLAGS | No | 7.2
MX_ENTRYTYPE | Yes | 7.2
MX_FAX_PRIMARY | No | 7.2 SP7
MX_MAIL_PRIMARY | No | 7.2 SP7
MX_MANAGER | No | 7.2
MX_OWNER | No | 7.2
MX_PHONE_PRIMARY | No | 7.2 SP7
MX_SEARCH_TERM_1 | No | 7.2
MX_SEARCH_TERM_2 | No | 7.2
MXMEMBER_MX_PERSON | No | 7.2
SAP_CHANGENUMBER | No | 7.2
Relations
One MX_COMPANY_ADDRESS object can reference multiple MX_PERSON objects, while one MX_PERSON object can reference only one MX_COMPANY_ADDRESS object.
Special considerations
Entry type MX_DYNAMIC_GROUP
Description
This entry type is used to hold the dynamic group attributes. Dynamic groups were established to have a way of selecting people based on attribute values, for example title and location, or a combination of these.
A dynamic group can for example be used as a source in a To-pass, or as auto-member and constraints criteria on the MX_ROLE entry type.
Attributes
The attributes defined for this entry type are:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
DESCRIPTION | No | 7.2
DISPLAYNAME | Yes | 7.2
MSKEYVALUE | Yes | 7.2
MX_AUDIT_FLAGS | No | 7.2
MX_DG_ATTRIBUTE | No | 7.2
MX_DG_AUTORESOLVE_INTERVAL | No | 7.2
MX_ENTRYTYPE | Yes | 7.2
MX_INACTIVE | No | 7.2
MX_MANAGER | No | 7.2
MX_OWNER | No | 7.2
MX_TARGET_AND | No | 7.2
MX_TARGET_DYNAMIC_GROUP | No | 7.2
MX_TARGET_ENTRY | No | 7.2
MX_TARGET_FILTER | No | 7.2
MX_TARGET_PRIVILEGE | No | 7.2
MX_TARGET_SUBTREE | No | 7.2
MXAC_ENTRY | No | 7.2
MXAC_MEMBERS | No | 7.2
MXMEMBER_MX_PERSON | No | 7.2
Relations
Special considerations
The attributes MX_TARGET_AND, MX_TARGET_DYNAMIC_GROUP, MX_TARGET_ENTRY, MX_TARGET_PRIVILEGE and MX_TARGET_SUBTREE are for future use and are not in use in the current version.
The MX_TARGET_FILTER attribute is used to define the members of the dynamic group. The members of a MX_DYNAMIC_GROUP are automatically added when the filter is resolved. Any users added manually to the dynamic group will be removed unless they satisfy the filter.
When using dynamic groups, please consider carefully the performance of the SQL statement used to resolve the group members. Extensive use of dynamic groups is not recommended due to their impact on performance.
See also section Dynamic group attributes on page 64.
Entry type MX_GROUP
Description
This entry type is used to hold a group hierarchy.
Attributes
The entry type holds the following attributes:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
MXMEMBER_MX_GROUP | No | 7.2
MXMEMBER_MX_PERSON | No | 7.2
MXREF_MX_GROUP | No | 7.2
MXREF_MX_PRIVILEGE | No | 7.2
MXREF_MX_ROLE | No | 7.2
Relations
One MX_GROUP object can reference multiple MX_GROUP and MX_PERSON objects. One MX_PERSON object can reference more than one MX_GROUP object.
An MX_GROUP object can be referenced from MX_ROLE and MX_PRIVILEGE objects.
Special considerations
This entry type is used to hold a group hierarchy (the group and its members) and does not provide any inheritance.
Entry type MX_PENDING_VALUE
Description
This entry type is used to hold a value which may be added to the entry in the future, either as part of an approval process at a given time, or by a manual operation.
The MX_ENTRY_REFERENCE attribute holds the reference to the owner entry, while MX_ATTRIBUTE_NAME and MX_ATTRIBUTE_VALUE hold the values to be written to the entry when the MX_PENDING_VALUE is applied.
Attributes
This entry type contains the following attributes:
Relations
The MX_PENDING_VALUE entry type uses the MX_ENTRY_REFERENCE attribute to reference the entry it belongs to.
Special considerations
When the date and time defined by MX_VALIDFROM occur, the values held by the attributes MX_ATTRIBUTE_NAME and MX_ATTRIBUTE_VALUE are written to the entry before the MX_PENDING_VALUE object is removed.
See also section Pending value object attributes on page 75.
Entry type MX_PERSON
Description
This entry type is used to store information about person objects.
Attributes
The attributes are:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
MX_VALIDTO | No | 7.2
MX_WF_LOGIN_RUN_TASK | No | 7.2
MX_WF_MENU_APPROVALS | No | 7.2
MX_WF_MENU_CHANGEPWD | No | 7.2
MX_WF_MENU_HISTORY | No | 7.2
MX_WF_MENU_LOGOUT | No | 7.2
MX_WF_WELCOME_APPROVALS | No | 7.2
MX_WF_WELCOME_TASKS | No | 7.2
MX_WORKPLACE_BUILDING | No | 7.2
MX_WORKPLACE_FLOOR | No | 7.2
MX_WORKPLACE_FLOORPLAN_P | No | 7.2
MX_WORKPLACE_FUNCTION | No | 7.2
MX_WORKPLACE_ROOM | No | 7.2
MX_X400_ADDITIONAL | No | 7.2
MX_X400_PRIMARY | No | 7.2
MX_X509_ENABLED | No | 7.2 SP9
MX_X509_MAPPING | No | 7.2 SP9
MXREF_MX_COMPANY_ADDRESS | No | 7.2
MXREF_MX_DYNAMIC_GROUP | No | 7.2
MXREF_MX_GROUP | No | 7.2
MXREF_MX_PRIVILEGE | No | 7.2
MXREF_MX_ROLE | No | 7.2
SAP_CHANGENUMBER | No | 7.2
Relations
The MX_PERSON object can be referenced from the objects MX_COMPANY_ADDRESS, MX_DYNAMIC_GROUP, MX_GROUP, MX_PRIVILEGE and MX_ROLE.
Special considerations
Entry type MX_PRIVILEGE
Description
This entry type is used to hold privileges.
Attributes
The entry type contains the following attributes:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
MX_VALIDATE_DEL_TASK | No | 7.2
MX_VALIDATE_MOD_VALIDITY_TASK | No | 7.2
MX_VIEW_ATTRIBUTES | No | 7.2
MXAC_ENTRY | No | 7.2
MXAC_MEMBERS | No | 7.2
MXMEMBER_MX_GROUP | No | 7.2
MXMEMBER_MX_PERSON | No | 7.2
MXMEMBER_MX_ROLE | No | 7.2
MXREF_MX_APPLICATION | No | 7.2
MXREF_MX_ROLE | No | 7.2
Relations
One MX_PRIVILEGE object can reference multiple MX_GROUP, MX_PERSON and MX_ROLE objects. One MX_GROUP/MX_PERSON/MX_ROLE object can reference more than one MX_PRIVILEGE object.
An MX_PRIVILEGE object can be referenced from an MX_APPLICATION object.
Special considerations
The attributes MX_ACCESS_CONTROL, MX_EDIT_ATTRIBUTES, MX_EDIT_MEMBERSHIP, MX_TARGET_ALL, MX_TARGET_DYNAMIC_GROUP, MX_TARGET_SELF and MX_VIEW_ATTRIBUTES are for future use and are not in use at the present time.
Although the MX_GROUP_INHERITANCE attribute is an allowed attribute for the entry type MX_PRIVILEGE, it is not in use. It is replaced by MX_INHERIT.
The name of a privilege must be unique within the identity store (MSKEYVALUE). The recommended syntax is PRIV:<Application name>.
Entry type MX_REPORT
Description
MX_REPORT is the entry type for report requests.
Attributes
The entry type contains the following attributes:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
DESCRIPTION | No | 7.2
DISPLAYNAME | No | 7.2
MSKEYVALUE | Yes | 7.2
MX_ENTRYTYPE | Yes | 7.2
MX_OWNER | No | 7.2
MX_REPORT_DATE | No | 7.2
MX_REPORT_DESTINATION | No | 7.2
MX_REPORT_ENTRY | No | 7.2
MX_REPORT_ERRORTEXT | No | 7.2
MX_REPORT_FILTERING | No | 7.2
MX_REPORT_FORMAT | No | 7.2
MX_REPORT_LANGUAGE | No | 7.2
MX_REPORT_LOCALE | No | 7.2
MX_REPORT_RESULT | No | 7.2
MX_REPORT_RESULT_REF | No | 7.2
MX_REPORT_SORTING | No | 7.2
See also section Report request attributes on page 88.
Relations
None.
Special considerations
Entry type MX_ROLE
Description
The entry type MX_ROLE holds the role information.
Attributes
The entry type contains the following attributes:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
MX_MOD_VALIDITY_TASK | No | 7.2
MX_OFFSET_ADD_MEMBER | No | 7.2
MX_OFFSET_LINK_EXPIRY | No | 7.2
MX_OFFSET_VALIDATE_ADD | No | 7.2
MX_OWNER | No | 7.2
MX_RECONCILE_ALWAYS | No | 7.2
MX_RECONCILE_PENDING | No | 7.2
MX_REPOSITORY_ADD_MEMBER | No | 7.2
MX_REPOSITORY_DEL_MEMBER | No | 7.2
MX_REPOSITORY_VALIDATE | No | 7.2
MX_REPOSITORYNAME | No | 7.2
MX_ROLE_ALLOW_CHILD_CUTOFF | No | 7.2
MX_ROLE_ALLOWED_FOR | No | 7.2
MX_ROLE_ALLOWED_FOR_REVERSE | No | 7.2
MX_ROLE_AUTOASSIGN_TO | No | 7.2
MX_SEMAPHORE | No | 7.2
MX_VALIDATE_ADD_TASK | No | 7.2
MX_VALIDATE_DEL_TASK | No | 7.2
MX_VALIDATE_MOD_VALIDITY_TASK | No | 7.2
MXAC_ENTRY | No | 7.2
MXAC_MEMBERS | No | 7.2
MXMEMBER_MX_GROUP | No | 7.2
MXMEMBER_MX_PERSON | No | 7.2
MXMEMBER_MX_PRIVILEGE | No | 7.2
MXMEMBER_MX_ROLE | No | 7.2
MXREF_MX_PRIVILEGE | No | 7.2
MXREF_MX_ROLE | No | 7.2
See also section Role and privilege attributes on page 89.
Relations
One MX_ROLE object can reference multiple MX_GROUP, MX_PERSON, MX_PRIVILEGE and MX_ROLE objects. One MX_GROUP/MX_PERSON/MX_PRIVILEGE/MX_ROLE object can reference more than one MX_ROLE object.
Special considerations
Entry type MX_SAML_PROVIDER
Description
This entry type is used to hold the information about the SAML providers in the landscape. The attribute MX_SAML_TARGET_SYSTEM holds the names of the repositories where the SAML provider is connected.
The entry type is available in the schema as of SAP NetWeaver Identity Management version 7.2 SP10.
Attributes
The entry type contains the following attributes:
Attribute | Mandatory (Yes/No) | Available as of SAP NetWeaver Identity Management version
DESCRIPTION | No | 7.2
DISPLAYNAME | No | 7.2
MSKEYVALUE | Yes | 7.2
MX_ENTRYTYPE | Yes | 7.2
MX_SAML_TARGET_SYSTEM | No | 7.2 SP10
Relations
Each SAML provider is associated with one or more repositories through the attribute MX_SAML_TARGET_SYSTEM.
Special considerations
Section 2: Attribute specifications
The schema contains a number of attributes holding information about each entry of the given entry type.
The following format for attribute description is used:
Attribute name | Description | Type | # of values | ABAP mapping | Comments
<attribute name> | <short description of what the attribute describes> | <given in text> | <Single/ Multi value> | <ABAP attribute the given attribute is mapped to, if this mapping exists> | <comments or examples of attribute definition>
Types used:
* String
* Boolean
* Numeric (i.e. Integer)
* Binary
* Date (Time)
* Task reference
* Entry reference
* Attribute reference
* Privilege reference
* Role reference
Boolean
The attribute value is presented as Boolean but stored as String.
Binary
The binary attribute value is used to hold binary data, for example a PDF report.
Date
Date, time or both. Always written in ISO 8601 format, i.e. DD or YYYY-MM-DDThh:mm:ss.
Task reference
The task reference might be defined in two ways: 1) It can be TaskID (Numeric) or 2) Task GUID (String).
Attribute reference
The value is the name of the referenced attribute.
Privilege and role reference
These references are always defined by their MSKEY.
Entry reference
Always defined by its MSKEY. If the reference is to a container entry type, it is actually a reference to the defined entry type's members.
A container entry type is here an entry type that is able to have other entry types as members, for instance a group with persons as members. Examples are MX_(DYNAMIC_)GROUP, MX_ROLE, MX_PRIVILEGE etc.
Alphabetical list of attributes with ABAP mapping
This is the alphabetical list of attributes in the identity store that are used by the ABAP connector:
Attribute name | Description | Type | # of values | ABAP mapping | Comments
DISPLAYNAME | User friendly name | String | Single | displayname | This attribute is used by IdM UI and Identity Center Management Console, and is displayed whenever showing a reference to the entry.
MSKEYVALUE | Unique entry identifier, which is also used for IdM UI login. | String | Single | logonuid | Default logon id. Must be unique in the identity store (across all entry types). For more information, see section describing MSKEYVALUE on page 68.
MX_ACADEMIC_TITLE_1 | Academic title | String | Single | AddressTitleAca1 | Language specific, CHAR4 field. Read customizing table (TSAD2): 100 0001 Dr.; 100 0002 Prof.; 100 0003 Prof. Dr.; 100 0004 B.A.; 100 0005 MBA; 100 0006 Ph.D.
MX_ACADEMIC_TITLE_2 | 2nd academic title | String | Single | AddressTitleAca2 | Language specific, CHAR4 field. Read customizing table (TSAD2): 100 0001 Dr.; 100 0002 Prof.; 100 0003 Prof. Dr.; 100 0004 B.A.; 100 0005 MBA; 100 0006 Ph.D.
MX_ACCESSIBILITYLEVEL | User accessibility level | | | |
MX_ACCOUNTING_NUMBER | Account number (id) | String | Single | LogondataAccnt | CHAR12. Freely selectable account name or number (entering a user's cost center or company code recommended). The user's system usage is assigned to this account if using the SAP accounting system. Always enter an account name or number if using the SAP accounting system, otherwise the user's usage will be assigned to a collective "No account" category by the accounting system.
MX_ADDRESS_BUILDING | Building code | String | Single | AddressBuildLong |
MX_ADDRESS_CHECKSTATUS | City file test status | String | Single | AddressChckstatus | CHAR1 field. Legal values: <space> not checked; C checked against city index; D differs from city index
MX_ADDRESS_CITY | City | String | Single | AddressCity | CHAR40
MX_ADDRESS_CITY_NO | City code for city/street file | String | Single | AddressCityNo | CHAR12 field – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_CO_NAME | c/o | String | Single | AddressCOName |
MX_ADDRESS_COMPANY_POSTAL_CODE | Company postal code | String | Single | AddressPostlCod3 | For large customers. CHAR10 field – no further restrictions.
MX_ADDRESS_COUNTRY | Country key | String | Single | AddressCountryISO | Contains the ISO entry of the country (2-character) – ISO 3166. For more, see page 95.
MX_ADDRESS_DIFFERENT_CITY | | | | |
MX_ADDRESS_DIFFERENT_CITY_NO | City code | String | Single | AddressHomecityno | CHAR12 field – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_DISTRICT | District | String | Single | AddressDistrict |
MX_ADDRESS_DISTRICT_NO | District number | String | Single | AddressDistrctNo | CHAR8 field – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_FLOOR | Floor | String | Single | AddressFloor |
MX_ADDRESS_HOUSE_NO | House number | String | Single | AddressHouseNo | CHAR10 field.
MX_ADDRESS_HOUSE_NO_SUPPLEMENT | Supplement | String | Single | AddressHouseNo2 |
MX_ADDRESS_LANGUAGE | Language key | String | Single | AddressLanguISO | LANG1 field. Legal values: ISO 639. See page 95 for more.
MX_ADDRESS_NAME_1 | Name | String | Single | AddressName |
MX_ADDRESS_NAME_2 | Name 2 | String | Single | AddressName2 |
MX_ADDRESS_NAME_3 | Name 3 | String | Single | AddressName3 |
MX_ADDRESS_NAME_4 | Name 3 | String | Single | AddressName4 |
MX_ADDRESS_NOTES | Notes | String | Single | AddressAdrNotes | CHAR50 field – no further restrictions.
MX_ADDRESS_POBOX | PO box | String | Single | AddressPoBox |
MX_ADDRESS_POBOX_CITY | PO box city | String | Single | AddressPoBoxCit |
MX_ADDRESS_POBOX_CITY_NO | City PO box code | String | Single | AddressPboxcitNo | CHAR12 field – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_POBOX_COUNTRY | PO box country | String | Single | AddressPoboxCtry | CHAR3 field – ISO 3166 as legal values. For more, see page 95.
MX_ADDRESS_POBOX_POSTAL_CODE | PO box postal code | | | |
MX_ADDRESS_POBOX_REGION | PO box region (Country, State, Province etc) | String | Single | AddressPoBoxReg | CHAR3 field – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_POBOX_WITHOUT_NUMBER | Flag: PO box w/o no | String | Single | AddressPoWONo | CHAR1 field – no further restrictions.
MX_ADDRESS_POSTAL_CODE | Postal code | String | Single | AddressPostlCod1 |
MX_ADDRESS_REASON_DONT_USE_POBOX_ADDRESS | PO Box address undeliverable flag | String | Single | AddressDontUseP | CHAR4 field – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_REASON_DONT_USE_STREET_ADDRESS | Street address undeliverable flag | String | Single | AddressDontUseS | CHAR4 – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_REGION | Region | String | Single | AddressRegion |
MX_ADDRESS_REGION_GROUP | Regional structure grouping | String | Single | AddressRegiogroup | CHAR8 – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_ROOM_NO | Room or apartment number | | | |
MX_ADDRESS_STREET_NO | Street number | String | Single | AddressStreetNo | CHAR12 field. This is a number that the postal service of a country issues for all streets of the country, e.g. in a directory available on a CD. It is used to identify streets for enhanced check functionality.
MX_ADDRESS_TAX_JURISDICTION_CODE | Tax jurisdiction | String | Single | AddressTaxjurcode | CHAR15 field – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_TIME_ZONE | Time zone | String | Single | AddressTimeZone |
MX_ADDRESS_TITLE | Form-of-address key | String | Single | AddressTitle | CHAR4 field – no further restrictions. Usually a table with customer specific values (customizing table).
MX_ADDRESS_TRANSPORT_ZONE | Transportation zone to or from which the goods are delivered | | | |
MX_ADMIN_UNIT | User group for authorization check – used for administrative tasks in ABAP. Defined on MX_PERSON | String | Single | companyid | CHAR12: Read system specific groups (548 in BCE) from table USGRP and/or language specific texts from USGRPT customizing table. If you assign a user to this group, you can distribute user maintenance tasks among several user administrators. The system administrator can assign the respective user administrator the right to create and change users in a group. Users that are not assigned to any of the groups can be maintained by all administrators.
MX_BIRTHNAME | Name at birth | String | Single | AddressBirthName |
MX_CATT_TEST_STATUS | CATT: Check Indicator | String | Single | DefaultsCattIndicator | CHAR1 field. Possible values: "X" or " " (domain for radio button applications (X or blank)).
MX_COMMUNICATION_LANGUAGE | Communication language key | String | Single | AddressLanguPISO | LANG1 field. Legal values: ISO 639. Use fix list of 240 entries of T002 system table. See page 95 for more.
MX_COMMUNICATION_METHOD | Comm. method (key) | | | |
MX_DATEFORMAT | User date format | String | Single | dateformat | CHAR1. Use fixed list in the Identity Center. Legal values: 1: DD.MM.YYYY; 2: MM/DD/YYYY; 3: MM-DD-YYYY; 4: YYYY.MM.DD; 5: YYYY/MM/DD; 6: YYYY-MM-DD; 7: GYY.MM.DD (Japanese Date); 8: GYY/MM/DD (Japanese Date); 9: GYY-MM-DD (Japanese Date); A: YYYY/MM/DD (Islamic Date 1); B: YYYY/MM/DD (Islamic Date 2); C: YYYY/MM/DD (Iranian Date). Domain XUDATFM.
MX_DEPARTMENT | Department | String | Single | department | CHAR40
MX_ENCRYPTED_PASSWORD | Encrypted password used for password provisioning | String | Single | password | Used with MX_PASSWORD, if "Enable password provisioning" is selected in the "Password policy" tab of the identity store details pane in the Identity Center Management Console. Stored as a hexadecimal representation of the encrypted string
MX_FAX_ADDITIONAL | Additional fax numbers | String | Multi | additionalFaxes |
MX_FAX_PRIMARY | Primary fax number | | | |
MX_FS_ACADEMIC_TITLE_1_ID | Identifier for Academic Title | String | Single | Part of ToSAPIdentity addInfo | Language specific. Value is provided from HCM Titles in the Identity Center and map to ABAP attribute via script when provisioning customizing table.
MX_FS_BP_PERSON_ID | Person identifier for Business Partner | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_BUSINESS_AREA | Text for Business Area | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_BUSINESS_AREA_ID | Identifier for Business Area | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_CENTRALPERSON_ID | Identifier for Central Person | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_COMPANY_CODE | Text for Company Code | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_COMPANY_CODE_ID | Identifier for Company Code | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_COST_CENTER | Text for Cost Center | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_COST_CENTER_ID | Identifier for Cost Center | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_CRM_BP_PERSON_NUMBER | CRM Business partner number for person. Should correlate to MX_FS_BP_PERSON_ID | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_CRM_BP_ROLE_CAT_PERS | BP role category for a person | String | Multi | Part of ToSAPIdentity addInfo |
MX_FS_EMPLOYEE_GROUP | Text for Employee Group | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_EMPLOYEE_GROUP_ID | Identifier for Employee Group | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_EMPLOYEE_SUBGROUP | Text for Employee Subgroup | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_EMPLOYEE_SUBGROUP_ID | Identifier for Employee Subgroup | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_EMPLOYMENT_STATUS | Text for Employment Status | String | Single | Part of ToSAPIdentity addInfo | Used to detect deletions. LDAP entry will be deleted by HR.
MX_FS_EMPLOYMENT_STATUS_ID | Identifier for Employment Status | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_HCM_PERSONID_EXT | External person ID. Unique for an employee | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_IDENTITY_TYPE | Type of identity | String | Single | Part of ToSAPIdentity addInfo | Employee
MX_FS_JOB | Text for job | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_JOB_ID | Identifier for job | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_ORGANIZATIONAL_UNIT | Text for Organizational Unit | String | Single | Part of ToSAPIdentity addInfo | Long text.
MX_FS_ORGANIZATIONAL_UNIT_ID | Identifier for Organizational Unit Text | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_PERNR_IS_MANAGER | Triggers if a user assignment for management tasks is fine or not (calculated field) | Boolean | Single | Part of ToSAPIdentity addInfo |
MX_FS_PERSONNEL_AREA | Text for personnel area | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_PERSONNEL_AREA_ID | Identifier for personnel area | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_PERSONNEL_NUMBER | Personnel number | String | Single | Part of ToSAPIdentity addInfo | Employee number.
MX_FS_PERSONNEL_NUMBER_OF_MANAGER | Personnel number of next-level manager | String | Single | Part of ToSAPIdentity addInfo | May be used in rules like "approve by next-level manager", which simplifies the workflows.
MX_FS_PERSONNEL_SUBAREA | Text for personnel sub-area | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_PERSONNEL_SUBAREA_ID | Identifier for personnel sub-area | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_POSITION | Text for position | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_POSITION_ID | Identifier for position | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SALUTATION_ID | Form-of-Address-Key | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SCMEWM_PRR_ID | Identifier for EWM Processor | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SCMSNC_BP_ORG_ID | Organization identifier for SNC Business Partner | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SCMSNC_VISIBILITY_PROFILE | SNC Visibility Profiles assigned to a user | Entry reference | | |
MX_FS_SCMTMS_BP_ORG_ID | Identifier of the Business Partner of type Organization (TSP), to which the identity has to be assigned to | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_CAMPUS_ID | Campus | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_GRADUATION_STATUS | Graduation status | String | Multi | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_HOLDS | All holds on the student | String | Multi | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_PRIMARY_ORG_UNIT_ID | Primary organizational unit of student | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_PRIVACY_LEVEL | Privacy level | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_PROGRAM_TYPE | Program type | String | Multi | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_STATUS | All statuses of student, e.g. graduation, alumnus etc | String | Multi | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_STUDENT_GROUP | Student group | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SLCM_STUDENT_ID | Student object ID | String | Single | Part of ToSAPIdentity addInfo |
MX_FS_SOURCE_SYSTEM | Source system | String | Single | Part of ToSAPIdentity addInfo | Employees imported from the EG4 client 000 will have the value EG4000.
MX_FS_SRM_BP_ROLE_CAT_PERS | BP role category for an organization | String | Multi | Part of ToSAPIdentity addInfo |
MX_FS_SRM_BP_ROLE_CAT_ORG | BP role category for a person | String | Multi | Part of ToSAPIdentity addInfo |
MX_FS_WORK_CONTRACT | Text for contract | String | Single | Part of ToSAPIdentity addInfo | Personnel assignment text.
MX_FS_WORK_CONTRACT_ID | Identifier for contract | String | Single | Part of ToSAPIdentity addInfo | Personnel assignment
MX_IDENITITYUUID | Identity UUID | String | Single | identityuuid | For future use.
MX_INHOUSE_MAIL | Internal mail | String | Single | AddressInhouseMl |
MX_INITIALS | Initials | String | Single | AddressInitials | CHAR10
MX_JOB_FUNCTION | A short description of the position. | | | |
Attribute name Description Type # of values
ABAP mapping Comments
MX_LANGUAGE User language String Single locale Exported fixed list of 41 entries of table T002 (Y7D client 000) system table. Values: ISO 639. For more, see page 95. MX_LASTMODIFIER MSKEY of the
user that changed the entry (in ABAP) last
Entry reference
Single LastmodifiedModifier CHAR12
MX_LASTMODTIME The last date/time the user was changed (in ABAP)
Date (Time) Single LastmodifiedModdate and
LastmodifiedModtime MX_LASTNAME User last name String Single lastname
MX_LOCKED Account is locked Boolean Single islocked When set, the logon is not possible. This attribute is not in use any more. Will be removed in future versions. MX_LOGONALIAS Alias for logon String Single useralias
MX_MAIL_ADDITIONAL Additional e-mail addresses
String Multi additionalMails
MX_MAIL_PRIMARY Primary e-mail address
String Single primaryMail This attribute is available for entry types MX_ASYNC_RE QUEST and MX_PERSON. As of version 7.2 SP7 it is available for entry type MX_COMPANY _ADDRESS to support SAP UI5 framework. MX_MIDDLENAME 2nd forename String Single AddressMiddlename CHAR40 MX_MOBILE_ADDITIONAL Additional mobile
numbers
String Multi additionalMobiles MX_MOBILE_PRIMARY Primary mobile
number
String Single primaryMobile MX_NAMCOUNTRY Country for name
format rule

| Attribute name | Description | Type | # of values | ABAP mapping | Comments |
|---|---|---|---|---|---|
| MX_NAME_ABBREVIATION | Short name | String | Single | AddressInitsSig | |
| MX_NAMEFORMAT | Name format | String | Single | AddressNameFormat | Read system specific NameFormat (10 in BCE) from customizing table T005N: LAND1 NAMEFORMAT. |
| MX_NAME_PREFIX_1 | Name prefix | String | Single | AddressPrefix1 | CHAR20, read customizing table (TSAD4). |
| MX_NAME_PREFIX_2 | 2nd name prefix | String | Single | AddressPrefix2 | Read customizing table (TSAD4). |
| MX_NICKNAME | Nickname/name used | String | Single | AddressNickname | |
| MX_NUMBERFORMAT | User number format | String | Single | numberformat | CHAR1, fixed list in the Identity Center. Legal values: : 1.234.567,89; X: 1,234,567.89; Y: 1 234 567,89 |
| MX_PAGER_ADDITIONAL | Additional pager numbers | String | Multi | additionalPagers | |
| MX_PAGER_PRIMARY | Primary pager number | String | Single | primaryPager | |
| MX_PARAMETER | System specific parameter ID | String | Multi | parameter1 | Set/Get parameter id. Read system specific parameters from table TPARA (Paramid, Partext) (1751 in BCE000) customizing table. |
| MX_PASSWORD_DISABLED | User password is disabled | Boolean | Single | ispassworddisabled | Set-only. This attribute is currently not in use. |
| MX_PERSONUUID | Person UUID | String | Single | personuuid | Not in use by default. Potentially system-specific. Occurs in the initial load job and user provisioning tasks for Business Suite, but is commented out. |
| MX_PHONE_ADDITIONAL | Additional telephone numbers | | | | |
| MX_PHONE_PRIMARY | Primary telephone number | String | Single | primaryPhone | This attribute is available for entry types MX_ASYNC_REQUEST and MX_PERSON. As of version 7.2 SP7 it is available for entry type MX_COMPANY_ADDRESS to support SAP UI5 framework. |
| MX_PRINTERSETTINGS_SPDA | Delete after output | String | Single | DefaultsSpda | Print parameter 3. CHAR1 field. Values: H (Hold), D (Delete) |
| MX_PRINTERSETTINGS_SPDB | Print immediately | String | Single | DefaultsSpdb | Print parameter 2. CHAR1 field. Values: K (Keep), G (Go) |
| MX_PRINTERSETTINGS_SPLD | Spool: Output device | String | Single | DefaultsSpld | Read (client independent) Printers (7428 in BCE000) from table TSP03: PADEST (Spool: Output Device), PATYPE (Spool: Device type name), PASTANDORT (Spool: Location and naming of an output device). TSP03T: does not contain texts but Tray-Information |
| MX_PRINTERSETTINGS_SPLG | Print parameter 1 | String | Single | DefaultsSplg | CHAR1 field. |
| MX_PRT_ADDITIONAL | Additional printer address data | String | Multi | additionalPRT | add ABAP fields are combined into string value. |
| MX_PRT_PRIMARY | Primary printer address data | String | Single | primaryPRT | add ABAP fields are combined into string value. |
| MX_REFERENCE_USER | User reference | Entry reference | Single | ReferenceUser | Reference to MX_PERSON only. System specific user ids. |
| MX_RML_ADDITIONAL | Additional remote mail addresses | String | Multi | additionalRML | add ABAP fields are combined into string value. |
| MX_RML_PRIMARY | Primary remote mail address | | | | |


| Attribute name | Description | Type | # of values | ABAP mapping | Comments |
|---|---|---|---|---|---|
| MX_SALUTATION | Title | String | Single | salutation | Language specific. Read customizing table (TSAD3, TSAD3T) |
| MX_SEARCH_TERM_1 | Search term 1 | String | Single | AddressSort1(P) | |
| MX_SEARCH_TERM_2 | Search term 2 | String | Single | AddressSort2(P) | |
| MX_SECONDNAME | 2nd family name | String | Single | AddressSecondname | |
| MX_SNC_FLAG | SNC flag for permission of non-secured communications | Boolean | Single | SNCFlag | CHAR1 field. Only displayed if using Secure Network Communications. Represented as 0 and 1 (checkbox-X or blank). |
| MX_SNC_NAME | SNC printable name | String | Single | SNCName | CHAR255 field. Only displayed if using Secure Network Communications. |
| MX_SPML_CALLER_LANGUAGE | System language of the calling SPML request | String | Single | Part of ToSAPIdentity addInfo | |
| MX_SPML_CALLER_MODIFIER | Last modifier via SPML interface | String | Single | Part of ToSAPIdentity addInfo | |
| MX_SPML_CALLER_SYSTEM | System name and client of the calling SPML request | String | Single | Part of ToSAPIdentity addInfo | |
| MX_SSF_ADDITIONAL | Additional SSF addresses | String | Multi | additionalSSF | add ABAP fields are combined into string value. |
| MX_SSF_PRIMARY | Primary SSF address | String | Single | primarySSF | add ABAP fields are combined into string value. |
| MX_START_MENU | Start menu | String | Single | DefaultsStartMenu | System specific. |
| MX_TIMEFORMAT | User time format | String | Single | timeformat | Use fixed list in the Identity Center. Domain XUTIMEFM. Legal values: 0: 24 hour format (12:05:10); 1: 12 hour format (12:05:10 PM); 2: 12 hour format (12:05:10 pm); 3: Hours 0 to 11 (00:05:10 PM); 4: Hours 0 to 11 (00:05:10 pm) |
| MX_TIMEZONE | User time zone | String | Single | timezone | Use fixed list of 101 entries (Y7D client 000) of TTZZ system table. |
| MX_TITLE_SUPPLEMENT | Name supplement, e.g. noble title (key) | String | Single | AddressTitleSppl | CHAR4 field. Language specific. Read customizing table (TSAD5). |
| MX_TLX_ADDITIONAL | Additional telex addresses | String | Multi | additionalTLX | add ABAP fields are combined into string value. |
| MX_TLX_PRIMARY | Primary telex address | String | Single | primaryTLX | add ABAP fields are combined into string value. |
| MX_TTX_ADDITIONAL | Additional teletex addresses | String | Multi | additionalTTX | add ABAP fields are combined into string value. |
| MX_TTX_PRIMARY | Primary teletex address | String | Single | primaryTTX | add ABAP fields are combined into string value. |
| MX_URI_ADDITIONAL | Additional URI address data | String | Multi | additionalURI | add ABAP fields are combined into string value. |
| MX_URI_PRIMARY | Primary URI address data | String | Single | primaryURI | add ABAP fields are combined into string value. |
| MX_USER_CATEGORY | User category | String | Multi | groups | Table of groups |


| Attribute name | Description | Type | # of values | ABAP mapping | Comments |
|---|---|---|---|---|---|
| MX_USERTYPE | User type | String | Single | securitypolicy | User types are defined as hard-coded values for the attributes (fixed list for ABAP and Java): A: Dialog = Java type "default"; B: System = Java type "technical"; C: Communication; L: Reference; S: Service; U: UME Service User |
| MX_VALIDFROM | Time when the entry is valid from | Date (Time) | Single | validfrom | UTC format. See page 76 for more. |
| MX_VALIDTO | Time when the entry is no longer valid | Date (Time) | Single | validto | UTC format. See page 76 for more. |
| MX_WORKPLACE_BUILDING | Building code | String | Single | AddressBuildingP | |
| MX_WORKPLACE_FLOOR | Floor | String | Single | AddressFloorP | |
| MX_WORKPLACE_FLOORPLAN_P | Workplace floor plan | String | Single | | For future use. |
| MX_WORKPLACE_FUNCTION | Function | String | Single | jobfunction | CHAR40. Replacing MX_JOB_FUNCTION. |
| MX_WORKPLACE_ROOM | Room number | String | Single | AddressRoomNoP | |
| MX_X400_ADDITIONAL | Additional X.400 attributes | String | Multi | additionalX400 | add ABAP fields are combined into string value. |
| MX_X400_PRIMARY | Primary X.400 address | String | Single | primaryX400 | add ABAP fields are combined into string value. |
| MXREF_MX_COMPANY_ADDRESS | Reference to entry type MX_COMPANY_ADDRESS | Entry reference (MX_COMPANY_ADDRESS) | Single | Company | See page 68 for more. |
| MXREF_MX_PRIVILEGE | Reference to entry type MX_PRIVILEGE | Entry reference (MX_PRIVILEGE) | | | |

Alphabetical list of non-ABAP attributes
Here is the list of all non-ABAP attributes in the identity store, in alphabetical order.

| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| DESCRIPTION | Entry description | String | Single | Example: <All employees with Trondheim location.> |
| MX_AC_REQUESTID | Request identifier | String | Single | For more, see section describing the GRC attributes on page 66. |
| MX_AC_RESULT | Result | String | Single | For more, see section describing the GRC attributes on page 66. |
| MX_AC_ROLEID | Role identifier | String | Single | For more, see section describing the GRC attributes on page 66. |
| MX_AC_ROLETYPE | Role type | String | Single | For more, see section describing the GRC attributes on page 66. |
| MX_ACCESS_CONTROL | Entry used for access control | Boolean | Single | For future use – not in use at present time. |
| MX_ADD_MEMBER_TASK | Task to be executed when adding attribute value | Task reference | Single | This single-value task reference attribute holds a reference to a task which is executed when a member entry is added. For more information, see section describing the privilege and role assignment attributes on page 82 and approval attributes on page 58. |
| MX_ADDMEM_DISABLE_POLICY | Bitmap indicating which assignments to turn pending value generation and task execution off for | Numeric (Integer) | Single | Legal values: Bit 0 (0x1)=direct, Bit 1 (0x2)=inherited, Bit 2 (0x4)=via dynamic group (assignment). See section describing the role and privilege attributes on page 89 for more. |
| MX_ADDRESS_STREETADDRESS | Address | String | Single | This attribute is calculated from street address components. Calculate from ABAP attributes: AddressStreet + AddressHouseNo + AddressHouseNo2 + AddressStrSuppl1-3. |
| MX_APPLICATION_CATEGORY | Application category | String | Single | Attribute related to the Identity Services. The application category. Informative string. Examples: <DB>, <LDAP> |
| MX_APPLICATION_ID | Application identifier | String | Single | Attribute related to the Identity Services. The unique ID of the application, available for entry types MX_APPLICATION and MX_PRIVILEGE. It may later be used in the listprivileges command and/or other operations where filtering on the application is possible. Example: <App1>. |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_APPROVAL_EXPIRY | Holds the expiry of an approval (number of seconds until expiry) | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |
| MX_APPROVAL_REASON | Holds the reason why the request (approval) is either approved or declined | String | Single | For more, see section describing the approval attributes on page 58. |
| MX_APPROVAL_TASK | Approval task – a task reference from MX_ROLE or MX_PRIVILEGE | Task reference | Single | This attribute is replaced by MX_ADD_MEMBER_TASK. For more, see section describing the privilege and role assignment attributes on page 82 and approval attributes on page 58. |
| MX_APPROVAL_TIMEOUT | Holds the number of seconds until the approval times out | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |
| MX_APPROVALS | Approval attribute with approval information | String | Multi | Some approval values: `STATUS=DECLINED!!TASK=<42>!!AUDITID=<5143>!!APPROVER=<423>!!REASON=Don’t care`, `STATUS=WAIT!!TASK=<32>!!AUDITID=<455>!!APPROVER=<0>!!REASON=`, `STATUS=APPROVED!!TASK=<422>!!AUDITID=<534>!!APPROVER=<4>!!REASON=`. Notice that there will be no line-breaks in the actual strings. For more, see page 59. This attribute should not be altered. |
| MX_APPROVERS | List of approvers of this entry, listed with their MSKEYs | Entry reference | Multi | For more, see page 60. |
| MX_ASSERTION_TICKET_ENABLED | SAP Assertion Ticket authentication | Boolean | Single | Authentication method. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_ASSIGNER | Reference to the user who assigned the role | Entry reference | Single | For more, see section describing the pending object attributes on page 75. |
| MX_ASSIGNMENT | Holds all the assignments for a given user, both roles and privileges. | Entry reference | Multi | Attribute defined for the MX_PERSON entry type. Only available to User Interface tasks. For more, see page 87. |
| MX_ASYNC_IDENTIFIER | Identifier of the ASYNC entry | String | Single | See section describing the ASYNC attributes on page 63. Example: <cn=John Parrot, ou=people,o=myorg> |
| MX_ASYNC_MSKEYVALUE | ASYNC entry unique identifier, MSKEYVALUE | | | |
| MX_ASYNC_OBJECTCLASS | ASYNC object classes | String | Multi | See section describing the ASYNC attributes on page 63. |
| MX_ASYNC_ORIG_OPERATION | ASYNC original operation | String | Single | See section describing the ASYNC attributes on page 63. Examples: <Add>, <Modify> |
| MX_ASYNC_PRIVILEGE | ASYNC privileges | String | Multi | See section describing the ASYNC attributes on page 63. Example: <Archive, Server_Room> |
| MX_ASYNC_REQUEST_ID | Identifier of the ASYNC request | String | Single | See section describing the ASYNC attributes on page 63. Examples: <112>, <00001134> |
| MX_ASYNC_ROLE | ASYNC roles | String | Multi | See section describing the ASYNC attributes on page 63. Examples: <ROLE:IT>, <ROLE:Employee> |
| MX_ATTEST_ACTIVE | Currently active attestation | Boolean | Single | See section describing the attestation attributes on page 64. |
| MX_ATTEST_LASTDATE | Last attestation initiated | Date (Time) | Single | See section describing the attestation attributes on page 64. |
| MX_ATTEST_NEXTDATE | Date for next attestation | Date (Time) | Single | See section describing the attestation attributes on page 64. |
| MX_ATTEST_TASK | Attestation task | Task reference | Single | See section describing the attestation attributes on page 64. |
| MX_ATTESTER | Attester | Entry reference | Single | See section describing the attestation attributes on page 64. |
| MX_ATTR_STATE | State of this attribute | Numeric (Integer) | Single | For more, see section describing the pending object attributes on page 75. Examples: <0>, <1> |
| MX_ATTRIBUTE_DELETE | Indicates deletion when applying pending value | Boolean | Single | See page 75 for more. |
| MX_ATTRIBUTE_NAME | Attribute name – reference to the attribute being stored in this pending value attribute | String | Single | For more, see section describing the pending object attributes on page 75. Examples: <MXREF_MX_ROLE>, <MX_TITLE> |
| MX_ATTRIBUTE_VALUE | Attribute value (the value being stored) | String | Single | Examples: <ROLE:IT>, <System Engineer> |
| MX_AUDIT_FLAGS | Attribute holds the numeric values of the audit flags | Numeric (Integer) | Multi | This attribute exists for all entry types. |
| MX_AUTHQ_001 | Password reset question 1 | String | Single | See page 73 for more. |
| MX_AUTHQ_002 | Password reset question 2 | String | Single | See page 73 for more. |
| MX_AUTHQ_003 | Password reset question 3 | String | Single | See page 74 for more. |
| MX_AUTHQ_004 | Password reset question 4 | String | Single | See page 74 for more. |
| MX_AUTHQ_005 | Password reset question 5 | | | |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_AUTODELEGATE_MESSAGE | Reason for automatic delegation | String | Single | For more, see section describing the approval attributes on page 58. |
| MX_AUTODELEGATE_MSKEY | User to automatically delegate to | Entry reference | Single | For more, see section describing the approval attributes on page 58. |
| MX_AUTOPRIVILEGE | Inherited privileges | Privilege reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. This attribute should not be altered. |
| MX_AUTOROLE | This attribute holds all the role assignments, both directly assigned and inherited | Role reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. This attribute should not be altered. |
| MX_AUTOROLE_DYNAMIC_GROUP | Roles assigned by dynamic group membership | Role reference | Multi | For more, see section describing some of the role and privilege attributes on page 89. This attribute should not be altered. |
| MX_BUSINESS_AREA | Business area | String | Multi | This MX_PRIVILEGE and MX_ROLE attribute is a "Multi-select" presentation type and language dependent. It is used to display business area when requesting a role. The attribute is added to support SAP UI5 framework. |
| MX_CERTIFICATE | Certificate | String | Multi | |
| MX_CHANGEONFIRST | Password change | Boolean | Single | If the attribute is set, the user has to change the password on next login. |
| MX_CTX | Reference to the context entry | Entry reference | Single | For more, see section describing the pending object attributes on page 75. |
| MX_CTX_AUTO_STRATEGY | Strategy for assigning auto-assigned context values | String | Single | For more, see section describing the assignment context attributes on page 61. |
| MX_CTX_AUTO_VALUES | Auto-assigned contexts for a user | Entry reference | Multi | For more, see section describing the assignment context attributes on page 61. |
| MX_CTX_CONDITIONAL | Context that must be present for a privilege to be assigned | Entry reference | Multi | For more, see section describing the assignment context attributes on page 61. |
| MX_CTX_TYPE | Context types handled by a role/privilege | String | Multi | For more, see section describing the assignment context attributes on page 61. |
| MX_DEL_MEMBER_TASK | Task to be executed when deleting attribute value | Task reference | Single | The attribute |
| MX_DELMEM_DISABLE_POLICY | Bitmap indicating which removals to turn pending value generation and task execution off for | Numeric (Integer) | Single | Legal values: 0x1=direct, 0x2=inherited, 0x4=via dynamic group (assignment). For more, see section describing the role and privilege attributes on page 89. |
| MX_DEPROVISIONTASK | Task to perform de-provisioning | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_DG_ATTRIBUTE | Attribute identifiers used for resolving the dynamic group | Attribute reference | Multi | For more, see section describing the dynamic group attributes on page 64. Example: <MX_ENTRYTYPE>, <MX_ADDRESS_CITY> |
| MX_DG_AUTORESOLVE_INTERVAL | Number of seconds before the automatic resolve of the dynamic group | Numeric (Integer) | Single | For more, see section describing the dynamic group attributes on page 64. Examples: <NULL>, <1> (day), <20> (minutes) |
| MX_DISABLED | Entry is disabled | Boolean | Single | Attribute used only by MX_PERSON entry type. User is not able to log in to IdM UI when disabled. For more, see page 93. |
| MX_EDIT_ATTRIBUTES | The following attributes are editable. No attributes are editable by default | Attribute reference | Multi | For future use – not in use at present time. |
| MX_EDIT_MEMBERSHIP | Allowed to edit the membership of groups and other container objects | Boolean | Single | For future use – not in use at present time. |
| MX_ENTRY_REFERENCE | Entry reference (MSKEY) | Entry reference | Single | Used in pending value object and holds a reference to the entry owning the attribute stored in MX_ATTRIBUTE_NAME. |
| MX_ENTRYTYPE | Type of entry | String | Single | <MX_ROLE>, <MX_PERSON> This attribute should not be altered. |
| MX_ESCALATION_APPROVERS_1 | Holds the first level escalation approvers | Entry reference | Multi | For more, see section describing approval attributes on page 58. |
| MX_ESCALATION_APPROVERS_2 | Holds the second level escalation approvers | Entry reference | Multi | For more, see section describing approval attributes on page 58. |
| MX_ESCALATION_APPROVERS_3 | Holds the third level escalation approvers | Entry reference | Multi | For more, see section describing approval attributes on page 58. |
| MX_ESCALATION_TIMEOUT_1 | Holds the timeout (in days) for level 1 escalation | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |
| MX_ESCALATION_TIMEOUT_2 | Holds the timeout (in days) for level 2 escalation | Numeric (Integer) | Single | In use as of 7.2 SP6. For more, see section describing the approval attributes on page 58. |
| MX_ESCALATION_TIMEOUT_3 | Holds the timeout (in days) for level 3 escalation | Numeric (Integer) | | |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_EXCLUDEROLE | A list of roles that cannot be combined with the current role | Role reference | Multi | Valid only for the entry type MX_ROLE. For more, see section describing some of the role and privilege attributes on page 89. |
| MX_FAILEDLOGIN | Number of failed login attempts | Numeric (Integer) | Single | |
| MX_FAILEDRECOVER | Number of failed password reset attempts | Numeric (Integer) | Single | See page 74 for more. |
| MX_FAVORITE_TASKS | List of favorite tasks | Task reference | Multi | The attribute is used by the User Interface to display user's favorite tasks. |
| MX_GRC_CHANGES_DETECTED | GRC changes detected flag | Boolean | Single | See section describing the GRC attributes on page 66. |
| MX_GRC_REQUESTS_FAILED | Failed GRC requests | String | Multi | See section describing the GRC attributes on page 66. |
| MX_GRC_REQUESTS_OK | Successful GRC requests | String | Multi | See section describing the GRC attributes on page 66. |
| MX_GRC_REQUESTS_PENDING | Pending GRC requests | String | Multi | See section describing the GRC attributes on page 66. |
| MX_GROUP_INHERITANCE | Group inheritance | String | Single | Not in use (replaced by MX_INHERIT). |
| MX_GROUPING_DISABLED | Used to disable privilege grouping | Boolean | Single | See section describing the privilege assignment grouping attributes on page 79 for more. |
| MX_HANA_ROLE_TYPE | SAP HANA role type | String | Single | The attribute is used to distinguish between different SAP HANA role types (SAP HANA roles are mapped to privileges in the Identity Management). |
| MX_HCM_SYSUNAME | HCM System user name | String | Single | If the attribute is set, this value should be used as logon ID for the HCM system (proposal for MSKEYVALUE/account name if set). |
| MX_IDENTITY_CATEGORY | Category of the identity | Numeric (Integer) | Single | For more information, see page 94. |
| MX_INACTIVE | The entry is inactive when this attribute is set | Boolean | Single | An entry set to inactive is "invisible" to all tasks and jobs, unless explicitly defined that disabled entries shall be handled. User is also not able to log in to IdM UI when inactive. For more, see page 94. |
| MX_INHERIT | Indicates how privileges are inherited in the role/group hierarchy | String | Single | Replacing MX_GROUP_INHERITANCE. For more, see section describing some of the role and privilege attributes on page 89. Examples: <One>, <Base>, <Sub> |
| MX_IS_ACCOUNT | Indicates whether a privilege is an account privilege or not. | Boolean | Single | Attribute used by SAP Provisioning Framework. |
| MX_KERBEROS_ENABLED | Kerberos authentication | Boolean | Single | Authentication method. |
| MX_KERBEROS_IDENTITY | Kerberos ID | String | Single | External identity of the user. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_LANGUAGE_COUNTRY | Country for language | String | Single | Values: ISO 3166. For more, see page 95. |
| MX_LANGUAGE_VARIANT | Variant of the language | String | Single | Example: <Nynorsk>, <Bokmål> |
| MX_LINK_EXPIRY_NOTIFICATION | Notify about a link that is about to expire | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_LINK_REFERENCE | Reference to a link table | Numeric (Integer) | Single | Attribute on entry type MX_PENDING_VALUE. |
| MX_LOGINADDR | Client's IP address | String | Single | Not in use. |
| MX_LOGINTIME | Time of last login | Date (Time) | Single | Not in use. |
| MX_LOGON_TICKET_ENABLED | SAP Logon Ticket authentication | Boolean | Single | Authentication method. Used by SAP Provisioning Framework (SAP HANA connector). |
| MX_MANAGER | Manager of entry | Entry reference | Multi | |
| MX_MOD_VALIDITY_TASK | Modify validity task – used to perform a change in validity | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_MODIFY_BY | Information about who (MSKEY) modified this entry | String | Single | For more, see section describing the pending object attributes on page 75. |
| MX_MODIFY_REASON | Reason for modification | String | Single | For more, see section describing the pending object attributes on page 75. |
| MX_MODIFYTASK | Task to perform when privilege is modified | Task reference | Single | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_MODIFYTASK_ATTR | Attributes activating the modify task | Attribute reference | Multi | For more, see section describing the privilege and role assignment attributes on page 82. |
| MX_NOTES_CERTIFIER_FILE | Certifier file | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_CERTIFIER_PWD | Certifier password | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_CLIENTTYPE | Client type | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_COUNTRYCODE | Country code | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_EXPIRATIONDATE | Expiration date | Date (Time) | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_FULLNAME | Entry's full name | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_GROUP_GROUPTYPE | Lotus Notes group types | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_GROUP_GROUPTYPE_DISPLAY | Displayed Lotus Notes group types | | | |


| Attribute name | Description | Type | # of values | Comments |
|---|---|---|---|---|
| MX_NOTES_GROUP_LISTNAME | Group name | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_IDFILE | ID file | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_INACTIVE | Inactive user/group | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_IN_VAULT | User in vault | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILADDRESS | Entry's mail address | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILDOMAIN | Entry's mail domain | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILFILE | Entry's mail file | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILSERVER | IP address of the mail server | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_MAILSYSTEM | Entry's mail system | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_NOTEID | Notes ID on the Lotus Domino server | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_OID | Originator ID | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_OLD_PASSWORD | Old password | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_OLDFULLNAME | Entry's full name before the name change | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_ORG | Entry's organization | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_ORGUNIT | Entry's organization unit | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_OWNER | Owner of the Lotus Notes object. | Entry reference | Multi | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_PATH_IDFILE | Local path to entry's ID file | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_POLICY | Server policy | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_REGFULLNAME | Entry's full name at registration | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_ROAMINGSERVER | Roaming server | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_SERVERNAME | Full server name | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_SHORTNAME | Entry's short name | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |
| MX_NOTES_UNID | Unified identifier | String | Single | For more, see section describing the Lotus Notes attributes on page 69. |

MX_OFFSET_ADD_MEMBER Offset for the add
member task
Numeric (Integer)