NOVELL TECHNICAL INFORMATION DOCUMENT

TITLE:  Updated SAP User driver 1.0.6 for IDM2.0.x
TID #:  2972639
README FOR:  idm20xsapusrir2.tgz

NOVELL PRODUCTS and VERSIONS:
Novell Identity Manager 2.0.1/2.0.2

ABSTRACT:

This updates the SAP user driver to 1.0.5 and also readme information has been
added. The driver runs on Identity Manager 2.0.1/2.0.2(OES)

For Windows and Netware servers, use a windows decompression utility that
supports tgz, I.E. WinZip to extract this file to a temporary directory on
the server on which the patch will be applied. 

Note:  The Identity Manager Driver for User Management of SAP Software (driver)
is being revised to overcome password synchronization restrictions recently
introduced by SAP into their R/3 and Enterprise R/3 Application servers.
Additional changes have been made to support new functionality, data structures
and tables made available in recent SAP patches.



-----------------------------------------------------------------
DISCLAIMER
THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO 
NOVELL.  NOVELL MAKES ALL REASONABLE EFFORTS TO VERIFY THIS 
INFORMATION.  HOWEVER, THE INFORMATION PROVIDED IN THIS DOCUMENT 
IS FOR YOUR INFORMATION ONLY.  NOVELL MAKES NO EXPLICIT OR IMPLIED 
CLAIMS TO THE VALIDITY OF THIS INFORMATION.
-----------------------------------------------------------------


INSTALLATION INSTRUCTIONS:

1. Shutdown the driver.
2. Copy the patched jar file to the following directories based on the
platform:
Windows -  \novell\nds\lib
Unix\Linux - /usr/lib/dirxml/classes
Netware - sys:system\lib
If using the remote loader copy the file to \remoteloader\lib on Windows or
/usr/lib/dirxml/classes for (Unix\Linux).
4. Modify the schema and add new functionality if desired.
5. Cycle eDirectory if running local or the remote loader server if running
remote.
6. Start the driver 



ISSUE: 

CURRENT ISSUES

- The old 1.0.5 version of the driver utilized an SAP administrative business
API (BAPI) call to set User passwords on the SAP Application server.  The BAPIs
used to set passwords are BAPI_USER_CREATE1 and BAPI_USER_CHANGE.  The default
behavior of these BAPIs allows the driver to act as an SAP administrator to set
the passwords for Users.  Since the intent of the BAPIs is to provide an
administrative 'reset' functionality for new and forgotten User passwords,
these BAPIs set the password in a way that requires the Users to immediately
change their passwords after their next login.  In order to provide a more
desirable 'persistent' password set capability, the driver incorporates an
additional set of function calls to modify the 'Last Login Time' data flag for
the User.  This modification bypasses the SAP security that requires the User
to change the password.

A recent SAP Note 750390 and subsequent SAP Basis security software patches
have blocked the ability of the driver to modify the 'Last Login Time' flag for
User passwords.  When the patches are installed, all passwords set by the
driver become one-time use passwords, which must be changed by the User after
his next login.  No errors or warnings are returned by the SAP servers.  SAP
feels that an administrative account should not have the ability to set a
persistent password for a User.

The 1.0.6 driver has been modified to support two different modes of Subscriber
channel password set capabilty:
1. Administrator Set
2. User Set

1.  The Administrator Set mode will function in the manner of the previous
1.0.5 version of the driver.  This mode is highly efficient for SAP servers
that have not been updated with the aforementioned SAP Security patches.

2.  The User Set mode utilizes a standard SAP Remote Function Call (RFC) to set
the password while using the identity of the User whose password is being
changed.  This is the mode recommended by SAP and is used internally by some of
their authentication tools.  When using this mode, all of the password security
policies set on the SAP server will be enforced.  This includes restrictions
such as password re-use (history), password length, special character use, etc.
Since it is possible that a Universal password value that is distributed to the
SAP server will be rejected by the SAP Server, the driver is configured with a
'Default Reset Password' when the User Set mode is selected.  If password
changes fail, the SAP User account will be set with this reset password which
is a one-time use password.  This default password is encrypted in the driver
configuration.  If desired, it may be set to a value unknown to Users to
effectively lock an SAP account that encountered a failed password set. 
Additionally, the driver has been modified to return specific
'password-set-operation' type errors when password set failures occur during
User <add> or <modify-password> events.  This allows the use of password
failure notification techniques and policies.

The driver configuration must be modified to support the new functionality.

The following parameters are required in the <subscriber-options>

<nsap-passwd display-name="Require User To Change Set
Passwords">0</nsap-passwd>

0 = No Change Required, 1 = Change Required

If value = 0, the following option must be configured:

<nsap-sub-password-opt display-name="Password Set
Method">0</nsap-sub-password-opt>

0 = User Set mode, 1 = Administrator Set mode

If value = 0, the following named password option must be configured:

NOTE: This is a Named Password configuration parameter!  This value is added
through the 'Named Passwords' editor in iManager.

<nsap-default-password display-name="Default Reset Password"
is-sensitive="true" type="password-ref"><!-- content suppressed
--></nsap-default-password>

The following parameters are required in the <publisher-options>

<nsap-pub-enabled display-name="Publisher Channel Enabled">1</nsap-pub-enabled>
1 = Enabled, 0 = Disabled

If value = 1, the following parameter must be configured:

<nsap-port-type display-name="Publisher Channel Port
Type">TRFC</nsap-port-type>

There are only two valid options: TRFC or FILE.

The BAPI_USER_GET_DETAIL function has recently been updated by SAP to include 2
new structures and 1 new table.  The structures are ISLOCKED and LASTMODIFIED,
the table is SYSTEMS.  These structures are only utilized by query (Read)
operations and therefore values can not be modified by the driver.  To utilize
the new data, execute the 'Refresh Application Schema' utility in the Mapping
Policy editor to obtain definitions of the new schema.  Edit policies as needed
to obtain desired values.

- New Structure and Table Changes
In recent patches, SAP has added two new structures and a new table to the
information that can be obtained via the BAPI_USER_GET_DETAIL function.  These
parameters can be Published or obtained via Query, but the values can not be
Subscribed back into SAP.  The new structures are ISLOCKED and LASTMODIFIED. 
ISLOCKED provides four fields to indicate if a User account is locked and for
what reason.  LASTMODIFIED indicates the date and time that a User account was
last modified.  The new table SYSTEMS provides the values of Logical System
names to which the User is assigned.

After updating the driver, a schema refresh will populate the application
schema with the following new values:

New Structure Fields
ISLOCKED:GLOB_LOCK
ISLOCKED:LOCAL_LOCK
ISLOCKED:NO_USER_PW
ISLOCKED:WRNG_LOGON
LASTMODIFIED:MODDATE
LASTMODIFIED:MODTIME

New Table
SYSTEMS
SYSTEMS:SUBSYSTEM

- New Forced System Assignment Functionality
If available on the target system, the driver will now utilize the
FORCE_SYSTEM_ASSIGNMENT flag during new User creation.  This flag will set the
Logical System name of the target SAP client in the User's 'Systems' table if
CUA is being utilized.  Previous versions of the driver required an assignment
of a Local Role or Local Profile for the target Logical System to achieve this
functionality.  Setting this flag allows the User to authenticate to the target
SAP system and allows password modifications in CUA environments. If using the
Publisher channel in a CUA environment, this flag does NOT replace the need to
set an empty Local Role or Local Profile for the Driver's Logical System!
does NOT replace the need to set an empty Local Role or Local Profile for the
Driver's Logical System!

-------------------------------
PREVIOUS ISSUES

This section is in two parts. The 1.0.5 version changes are listed first. Then
the 1.0.4 changes.

Version 1.0.5 changes
The DirXML Driver for User Management of SAP Software ("driver") is being
revised to enhance provisioning capabilities in SAP CUA landscapes and to
improve primary object key (USERNAME:BAPIBNAME) search times This following
explains the details and impact of these changes. 

- The current version of the driver provides the capability to provision User
objects to a single target SAP application server. This capability includes the
ability to set Activity Group and Profile information on the target server.
Even though the driver can provision a target CUA Central system, it can not
trigger the distribution of User data or set Activity Group and Profile
information to CUA Child systems that are configured for User object
distribution from the target CUA Central system. Additionally, the previous
driver can not set the "Systems" tab data on the CUA Central system that allows
the Central system to distribute changes back to the driver. Without this
capability, a CUA solution requires manual data entry on the CUA Central system
to complete data distribution. (Enhancement)

- The SAP USER object interface (BAPI) does not contain a "search" capability.
This deficiency has a severe impact in many deployments which utilize a
Subscriber Matching rule that utilizes any attributes other than the single
object key field USERNAME:BAPIBNAME since the current driver version can only
search by obtaining a list of all Users and then performing a read/match
operation on each User found. (Enhancement)

- The current version of the driver can not receive TRFC Publication events
from an application server containing a Unicode database. (Enhancement)

- The current version of the driver utilizes a static class attribute to hold
the "instance" attribute value provided on all driver <source><product>
elements. This has the effect of placing the same driver CN name on all
instances of the driver running on a host system. (Defect)

- The current version of the driver will produce a NullPointerException and
will shut down if it receives an empty output element ( <output/> ) in response
to a Publication event. (Defect)

- The current version of the driver does not work with recent SAP patches in
regard to the password change operation. (Defect)

Patch Details
The following modifications have been made to the driver shim, policies, and
configuration instructions to address the Enhancement issues listed above.
Those items listed as Defects have been fixed.

Support for CUA BAPIs
The driver has been modified to handled a new set of BAPIs that provided the
ability to read, write, and delete Local Activity Groups and Local Profiles.
The set of BAPIs that have been added are:

BAPI_USER_LOCPROFILES_READ
BAPI_USER_LOCPROFILES_ASSIGN
BAPI_USER_LOCPROFILES_DELETE
BAPI_USER_LOCACTGROUPS_READ
BAPI_USER_LOCACTGROUPS_ASSIGN
BAPI_USER_LOCACTGROUPS_DELETE

The term "Local" means that in addition to specifying the Activity Group or
Profile to be set, you must also specify the SAP Logical System in the CUA
landscape on which it will be set. When a Local Activity Group or Profile is
set for a CUA Child system it has the following effect:
Triggers the distribution of User data from the Central system to the specified
Child system
Setting the Activity Group or Profile on the Child system
Setting the "Systems" tab entry for the Child system on the CUA Central system.
Since the driver can act as a Child system in the CUA landscape in order to
receive Publication events from the SAP User Management system, it is usually
desirable to utilize this functionality to trigger distribution to the driver
as well.

Solution components and notes
NOTE: This new functionality is only available on SAP R/3 version 4.6C or later
and on all Web Application Server versions. On 4.6C systems the functionality
is not documented by SAP and support may not be available. 

NOTE: Password distribution will only work for initial password set to all
Child systems! Password changes may be made by the driver to the Central
system, but SAP functionality explicitly prevents the modification of passwords
to Child systems via CUA.

There are new eDirectory schema extension files available to handle the
multi-valued Local Activity Group and Local Profile attributes. The attribute
names are: DirXML-locSapRoles and DirXML-locSapProfiles. Two new schema
extension files may be used to extend the current sapAddOnUM auxiliary class if
previously installed in eDirectory. The files are:

sapuserupgrade.ldif 
sapuserupgrade.sch.

(Refer to
http://www.novell.com/documentation/edir873/pdfdoc/edir873/edir873.pdf for
instructions on how to modify the schema)

Since the original R3-Novell-Ldif-Schema-extension.ldif file was provided by
SAP, it has not been modified for new installations. The sapuser.sch file has
been updated with the new schema attributes for use in new installations.
Please note that the sapuser.sch file no longer has the "MustContain" flag set
on the sapUserName attribute in the sapAddOnUM auxiliary class!

The DirXML-sapLocRoles and DirXML-sapLocProfiles attributes are multi-valued
string attributes. A default recommended form for values is: <Logical System
Name>:<Role or Profile Name>. Full example stylesheets utilizing these
attributes are provided with the patch. The following XLST illustrates the
setting of these values in a "Create" transform:

<add-attr attr-name="DirXML-sapLocRoles">
    <!--
    In a CUA environment, set driver's LS name with a blank role.
    This allows the driver to receive events from SAP.
    -->
    <value>
        <xsl:value-of select="'DRVCLNT100:'"/>
    </value>
    <!--
    Setting the target LS name with a blank CUA role allows the
    User object to log on to the target child system but receive no
rights.
    -->
    <value>
        <xsl:value-of select="'ADMCLNT100:'"/>
    </value>
    <!--
    The third value shows how to set a 'real' CUA role for a target
logical system. This causes distribution from the Central system
to the child system and sets the Employee Self-Service role.
    -->
    <value>
        <xsl:value-of select="'ADMCLNT500:SAP_ESSUSER'"/>
    </value>
</add-attr>

The DirXML-sapLocRoles and DirXML-sapLocProfiles attributes must be transformed
into a component value for use by the driver. The SAP schema names for these
table attributes are LOCACTIVITYGROUPS and LOCPROFILES. The following XSLT
template illustrates a conversion in an "Output" transform. Note that the
subsystem value MUST be present!
    
<!-
###########################################################
Change the format of LOCACTIVITYGROUPS from a ':' delimited string
to the structured format expected by the driver shim
############################################################
-->
<xsl:template match="value[ancestor::*/@attr-name='LOCACTIVITYGROUPS']">
<xsl:variable name="locAG">
<xsl:value-of select="."/>
</xsl:variable>
<xsl:variable name="subSystem">
<xsl:value-of select="substring-before($locAG, ':')"/>
</xsl:variable>
<xsl:variable name="role">
<xsl:value-of select="substring-after($locAG, ':')"/>
</xsl:variable>
<xsl:if test="$subSystem != ''">
<value timestamp="{@timestamp}" type="structured">
    <component name="SUBSYSTEM">
        <xsl:value-of select="$subSystem"/>
    </component>
    <component name="AGR_NAME">
        <xsl:value-of select="$role"/>
    </component>
</value>
</xsl:if>
</xsl:template>

- Support for wildcard searches on USERNAME:BAPIBNAME key field
The driver has been modified to allow three types of wildcard searches for
values in the USERNAME:BAPIBNAME key field of SAP User objects. By utilizing
this functionality, policies can be written that leverage the SAP User naming
rules to restrict the number of User objects that must be searched for matching
purposes. The three types supported are as follows, and are always indicated to
the driver by the use of single-quotes around the values. (Since the wildcard
'*' character is a valid naming character in SAP, a search value not surrounded
by single-quotes will be used as an explicit search value!)
"starts-with" syntax - 'MW*'
"ends-with" syntax - '*TZ'
"contains" syntax - '*ORW*'

For example, the default driver configuration utilizes a naming scheme of First
Initial + Last Name + number (if needed). A sample new User "Mark Worwetz"
would be given the SAP User name "MWORWETZ" by default. The default driver
Subscriber Matching Rule matches on Surname and Given Name. By using the
wildcard capabilities, a policy can be written to add the USERNAME:BAPIBNAME
search attribute to the matching query, thus substantially reducing the number
of object hits that must be read for matching on Surname and Given Name. The
following XLST code illustrates this functionality from an "Output" Transform:

<!--
###################################################################
If we get a query that contains ADDRESS:FIRSTNAME and ADDRESS:LASTNAME 
but does not contain a USERNAME:BAPIBNAME search-attr, add one with the
"starts with" syntax (value + * (wildcard) surrounded by single quotes) and
containing first initial and last name. 
Example: 'MW*'

THIS ALLEVIATES THE FACT THAT SAP DOES NOT SUPPORT ATTRIBUTE 
LEVEL SEARCH. IMPLEMENT YOUR OWN NAMING POLICY VERSION HERE. IN DEFAULT NAMING
POLICY, NAMES ALWAYS START WITH FIRST INITIAL AND LAST NAME. 
###################################################################
-->
<xsl:template match="query">
    <xsl:copy>
        <xsl:apply-templates select="@*"/>
        <xsl:apply-templates select="* | comment() | processing-instruction() |
text()"/>
        <xsl:if test="ancestor-or-self::query[@class-name='US']">
        <!-- ensure we have required NDS attributes we need for the name -->
            <xsl:if test="search-attr[@attr-name='ADDRESS:LASTNAME'] and
search-attr[@attr-name='ADDRESS:FIRSTNAME'] and
not(search-attr[@attr-name='USERNAME:BAPIBNAME'])">
                <xsl:variable name="givenName">
                    <xsl:value-of select="search-attr[@attr-name =
'ADDRESS:FIRSTNAME']/value"/>
                </xsl:variable>
                <xsl:variable name="surname">
                    <xsl:value-of select="search-attr[@attr-name =
'ADDRESS:LASTNAME']/value"/>
                </xsl:variable>
                <search-attr attr-name="USERNAME:BAPIBNAME">
                    <value><![CDATA[']]><xsl:value-of
select="concat(substring($givenName,1,1), $surname)"/><![CDATA[*']]></value>
                </search-attr>
            </xsl:if>
        </xsl:if>
    </xsl:copy>
</xsl:template>

- Support for Unicode Databases
As of SAP version 4.7 (Web Application Server 6.10), SAP has provided the
capability to maintain a Unicode database for their application servers. This
change has an effect on data distribution via CUA since the data goes from a
Multi-byte localized character set to a double-byte character set. In order to
handle Publication TRFC event transmissions from Unicode database servers, the
driver's JCO Server instantiation has been modified to tune itself based on
application server configuration parameters read during initialization, thus
requiring no new parameters or configuration for the driver shim. However,
there are additional configuration instructions for the "Configuring the SAP
System" instructions in Chapter 4 of the Implementation guide. The following
directions should follow the first 8 steps of the "TRFC Port Definition"
configuration on page 27 of the Implementation Guide:

If SAP Application Server utilizes a Unicode database, you must also perform
the following steps:

  9 Select the "Special Options" tab.
10 Under the "Character Width in Target System" section, select the "Unicode"
radio button.
11 Save your entry.

Files contained the this patch:

- sapusershim.jar (New SAP User Driver)

- sapuser.sch (New installation schema extension)
- sapuserupgrade.sch (Patch schema extension for SCH)
- sapuserupgrade.ldif (Patch schema extension for LDIF)

- CUASchemaMappings.txt (Sample schema mappings for new attributes)
- CUAAuthsCreateTransform.txt (Sample template for setting CUA Auths in Create
Stylesheet)
- CUAAuthsInputTransform.txt (Sample templates for converting formats from
structured to string)
- CUAAuthsOutputTransform.txt (Sample templates for converting formats from
string to structured, handling "from-merge")
- WildCardSearchOutputTransform.txt (Sample showing use of wildcard search
functionality with default Mapping Rule)

Version 1.0.4 changes
DirXML Driver for User Management of SAP Software
Field Patch Version 1.0.4

Introduction
The DirXML Driver for User Management of SAP Software ("driver") is being
revised to enhance integration capabilities with regard to the retrieval of
non-User PD Object Table data in the SAP User Management ("UM") system. This
document explains the details and impact of these changes.

Background
Previous versions of this driver provide the capability to create, delete, and
modify SAP objects of class "User". One of the data tables that can be
manipulated by the driver is the ACTIVITYGROUPS, or Roles, that can be assigned
to an SAP User. Up to this time, the actual values that may be assigned to a
synchronized User in eDirectory were not available to the eDirectory
administrator. This requires the administrator to manually enter Roles or
provide policies that could assign Roles based on various customer criteria.

The schema extension for SAP Roles is a multiple-valued CI_STRING attribute
called sapRoles. The names of Roles are manually added to this attribute by
accessing the "Other" tab of a User's properties.

Patch Details
The primary modification made for the Version 1.0.4 Field Patch of the driver
involves the ability to query the driver for ACTIVITYGROUP objects and other PD
Objects in SAP so that they may be synchronized into eDirectory and thus be
used by the User administrator via a browse interface. The SAP BAPI that
supports this functionality has been present in the driver from its inception,
so only the query handling capability and schema presentation of the driver
needed to be modified.

The reply to a "Refresh Schema" request will now include an additional
class-def called "PDOBJECT". The schema response is shown below:

<class-def class-name="PDOBJECT">
    <attr-def attr-name="OBJECTS" multi-valued="false" type="structured"/>
    <attr-def attr-name="OBJECTS:PLAN_VERS" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:OBJECTTYPE" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:OBJECT_ID" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:START_DATE" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:END_DATE" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:PLAN_STAT" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:HISTO_FLAG" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:SHORT_TEXT" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:LONG_TEXT" multi-valued="false"/>
    <attr-def attr-name="OBJECTS:EXT_OBJ_ID" multi-valued="false"/>
</class-def>

The PDOBJECTS class contains one table value, OBJECTS. This table contains the
various fields listed above. There is one table entry for each SAP PDOBJECT.

As with the specification of User object tables, if all attributes are desired
for a PDOBJECT, they may be retrieved by specifying the attribute name
"OBJECTS" in a query. The various fields will be returned as components of the
value. If individual fields are desired for a PDOBJECT, they are specified in
OBJECTS:<field name> format in a query.

The EXT_OBJ_ID field is the primary key field of the OBJECTS table. It is this
value that is used by the driver to generate an association value. Using the
standard association generation syntax for this driver, the association value
for the SAP_ESSUSER Role object would be the object class, "AG", plus the
delimiter "d", plus the value of the EXT_OBJ_ID field, "SAP_ESSUSER". The
resulting association value is "AGdSAP_ESSUSER".

Since the PDOBJECT class is a superclass that may be applied to any PDOBJECT
class, it will be necessary for schema mapping to be manually changed after
attribute mapping is complete.

For example, using the Mapping GUI, it is possible to map the eDirectory
"Organizational Role" object to the SAP "PDOBJECT". It is then possible to map
the Organizational Role "CN" and "Description" attributes to
"OBJECTS:EXT_OBJ_ID" and "OBJECTS:LONG_TEXT". After saving the mapping, the
Mapping XML should be manually changed to change the SAP object from "PDOBJECT"
to the appropriate 2-letter class type. In our example this is "AG". This
sample would look similar to this in the SAP Mapping rule:

<class-name>
    <nds-name>Organizational Role</nds-name>
    <app-name>AG</app-name>
</class-name>
<attr-name class-name="Organizational Role">
    <nds-name>Description</nds-name>
    <app-name>OBJECTS:LONG_TEXT</app-name>
</attr-name>
<attr-name class-name="Organizational Role">
    <nds-name>CN</nds-name>
    <app-name>OBJECTS:EXT_OBJ_ID</app-name>
</attr-name>

Sample query request and reply formats
All of the sample query/reply examples utilize the sample schema mapping shown
above. The "Organizational Role" object and the attributes "CN" and
"Description" are in the driver Publisher Filter

Query using "Migrate into NDS"

1)Migrate a single Activity Group (SAP_ESSUSER)

Request #1 from Engine
<nds dtdversion="1.1" ndsversion="8.6">
    <source>
        <product version="1.1.2">DirXML</product>
        <contact>Novell, Inc.</contact>
    </source>
    <input>
<query class-name="AG" event-id="0" scope="subtree" timestamp="1090964089#0">
            <search-class class-name="AG"/>
                 attr-name="OBJECTS:EXT_OBJ_ID">
                <value>SAP_ESSUSER</value>
            </search-attr>
            <read-attr/>
        </query>
    </input>
</nds>

Reply from Driver
<nds dtdversion="1.0" ndsversion="8.5">
    <source>
        <product build="FPTEST_BUILD_20040726" instance="SAP-USER"
version="1.0.4">DirXML Driver for User Management of SAP Software</product>
        <contact>Novell, Inc.</contact>
    </source>
    <output>
        <instance class-name="AG" event-id="0">
            <association>AGdSAP_ESSUSER</association>
        </instance>
        <status event-id="0" level="success" type="driver-general">
            <description>Subscriber Query Successful.</description>
        </status>
    </output>
</nds>

Request #2 from Engine
<nds dtdversion="1.1" ndsversion="8.6">
    <source>
        <product version="1.1.2">DirXML</product>
        <contact>Novell, Inc.</contact>
    </source>
    <input>
        <query class-name="AG" event-id="0" scope="entry">
            <association>AGdSAP_ESSUSER</association>
            <read-attr attr-name="OBJECTS:LONG_TEXT"/>
            <read-attr attr-name="OBJECTS:EXT_OBJ_ID"/>
        </query>
    </input>
</nds>

Reply from Driver
<nds dtdversion="1.0" ndsversion="8.5">
    <source>
        <product build="FPTEST_BUILD_20040726" instance="SAP-USER"
version="1.0.4">DirXML Driver for User Management of SAP Software</product>
        <contact>Novell, Inc.</contact>
    </source>
    <output>
        <instance class-name="AG" event-id="0">
            <association>AGdSAP_ESSUSER</association>
            <attr attr-name="OBJECTS:LONG_TEXT">
                <value>Employee Self-Service (HR)</value>
            </attr>
            <attr attr-name="OBJECTS:EXT_OBJ_ID">
                <value>SAP_ESSUSER</value>
            </attr>
        </instance>
        <status event-id="0" level="success" type="driver-general">
            <description>Subscriber Query Successful.</description>
        </status>
    </output>
</nds>

2)Migrate all Activity Groups

Request #1 from Engine
<nds dtdversion="1.1" ndsversion="8.6">
    <source>
        <product version="1.1.2">DirXML</product>
        <contact>Novell, Inc.</contact>
    </source>
    <input>
        <query class-name="AG" event-id="0" scope="subtree"
timestamp="1090964681#0">
            <search-class class-name="AG"/>
            <read-attr/>
        </query>
    </input>
</nds>

Reply from Driver
<nds dtdversion="1.0" ndsversion="8.5">
    <source>
        <product build="FPTEST_BUILD_20040726" instance="SAP-USER"
version="1.0.4">DirXML Driver for User Management of SAP Software</product>
        <contact>Novell, Inc.</contact>
    </source>
    <output>
        <instance class-name="AG" event-id="0">
            <association>AGdNOVELL_EMP</association>
        </instance>
        <instance class-name="AG" event-id="0">
            <association>AGdSAP_ALL_DISPLAY</association>
        </instance>
    ...
    ...
        <instance class-name="AG" event-id="0">
            <association>AGdZ_SAMM_TEST</association>
        </instance>
        <status event-id="0" level="success" type="driver-general">
            <description>Subscriber Query Successful.</description>
        </status>
</output>
</nds>

        Requests #2 from Engine
        (Similar to example #1 for each AG object Instance)

        Replys #2 from Driver
        (Similar to example #1 for each AG object Instance)

    Query using full table attribute request
    The following example utilizes a read of all attributes of the OBJECTS
table. The query is triggered using the Publisher channel heartbeat document as
shown in this template in the driver InputTransformation stylesheet:

<xsl:template match="status">
<xsl:variable name="type">
        <xsl:value-of select="@type"/>
    </xsl:variable>
    <xsl:if test="$type = 'heartbeat'">
        <xsl:variable name="AGquery">
            <query class-name="AG" event-id="0" scope="subtree">
                <search-class class-name="AG"/>
                <read-attr attr-name="OBJECTS"/>
            </query>
        </xsl:variable>
        <xsl:variable name="temp"
select="query:query($srcQueryProcessor,$AGquery)//instance"/>
    </xsl:if>
</xsl:template>

        Request from Engine
<nds dtdversion="1.1" ndsversion="8.6">
    <input>
        <query class-name="AG" event-id="0" scope="subtree"
xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsComm
andProcessor"
xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQu
eryProcessor">
            <search-class class-name="AG"/>
            <read-attr attr-name="OBJECTS"/>
        </query>
    </input>
</nds>

        Reply from Driver
<nds dtdversion="1.0" ndsversion="8.5">
    <source>
        <product build="FPTEST_BUILD_20040726" instance="SAP-USER"
version="1.0.4">DirXML Driver for User Management of SAP Software</product>
        <contact>Novell, Inc.</contact>
    </source>
    <output>
        <instance class-name="AG" event-id="0">
            <association>AGdNOVELL_EMP</association>
            <attr attr-name="OBJECTS">
                <value type="structured">
                    <component name="OBJECTS:EXT_OBJ_ID">NOVELL_EMP</component>
<component name="OBJECTS:END_DATE">9999-12-31</component>
                    <component name="OBJECTS:SHORT_TEXT">NOVELL_EMP</component>
<component name="OBJECTS:START_DATE">1900-01-01</component>
                    <component name="OBJECTS:OBJECTTYPE">AG</component>
                    <component name="OBJECTS:OBJECT_ID">00000000</component>
                    <component name="OBJECTS:PLAN_STAT">1</component>
                    <component name="OBJECTS:LONG_TEXT">Novell
Employee</component>
                    <component name="OBJECTS:PLAN_VERS">01</component>
                </value>
            </attr>
        </instance>
        <instance class-name="AG" event-id="0">
            <association>AGdSAP_ALL_DISPLAY</association>
            <attr attr-name="OBJECTS">
                <value type="structured">
                    <component
name="OBJECTS:EXT_OBJ_ID">SAP_ALL_DISPLAY</component>
                    <component name="OBJECTS:END_DATE">9999-12-31</component>
                    <component
name="OBJECTS:SHORT_TEXT">SAP_ALL_DISP</component>
                    <component name="OBJECTS:START_DATE">1900-01-01</component>
<component name="OBJECTS:OBJECTTYPE">AG</component>
                    <component name="OBJECTS:OBJECT_ID">00000000</component>
                    <component name="OBJECTS:PLAN_STAT">1</component>
                    <component name="OBJECTS:LONG_TEXT">Display authorizations
for all modules (</component>
                    <component name="OBJECTS:PLAN_VERS">01</component>
                </value>
            </attr>
        </instance>
        ...
        ...
        <instance class-name="AG" event-id="0">
            <association>AGdZ_SAMM_TEST</association>
            <attr attr-name="OBJECTS">
                <value type="structured">
                    <component
name="OBJECTS:EXT_OBJ_ID">Z_SAMM_TEST</component>
                    <component name="OBJECTS:END_DATE">9999-12-31</component>
                    <component
name="OBJECTS:SHORT_TEXT">Z_SAMM_TEST</component>
                    <component name="OBJECTS:START_DATE">1900-01-01</component>
<component name="OBJECTS:OBJECTTYPE">AG</component>
                    <component name="OBJECTS:OBJECT_ID">00000000</component>
                    <component name="OBJECTS:PLAN_STAT">1</component>
                    <component name="OBJECTS:PLAN_VERS">01</component>
                </value>
            </attr>
        </instance>
        <status event-id="0" level="success" type="driver-general">
            <description>Subscriber Query Successful.</description>
        </status>
    </output>
</nds> 



-----------------------------------------------------------------
Any trademarks referenced in this document are the property of their respective
owners.  Consult your product manuals for complete trademark information.
-----------------------------------------------------------------

