
SAM Enterprise aConnect Manual

SAM Enterprise Release 1.1


Version: 1, August 5, 2014

This PDF document contains hyperlinks referring to other PDF documents in the SAM Enterprise
user documentation set. In order for these hyperlinks to work, all PDF documents about SAM must be
located in the same directory (i.e., folder), and this directory must be the current one when invoking the
PDF viewer (e.g., Adobe Acrobat Reader.) If the viewer is invoked with a link, the Working Directory
or Execute In option in the link properties must be set to this directory.

Contents

About This Manual
Overview
Intended Readers
Abbreviations
Trademarks
SAM Enterprise Manuals

aConnect and SAM
aConnect Security Concepts
Administration Layer
Users
Groups
Memberships
Process Spaces
Object Spaces
Authorizations
Configuration
Object Status
Assignable Status
Functional Support
aConnect Objects in SAM
aConnect Administration with SAM
Key Conversion

aConnect Business Objects
Objects List
Normal Objects
Accounts
General Data
Attributes
Attribute Values
Group Connections
General Data
Attributes
Attribute Values
Resource Group Connections
General Data
Authorization
Automatic Attribute Assignments
Groups
General Data
Forbidden Groups
Attributes
Attribute Values
Resource Group Connections
General Data
Authorization
Automatic Attribute Assignments
Access Resources
General Data
Rules
Rule Attributes
Rule Attribute Values
Access Resource Group Connections
General Data
Rule Attributes and their Values
Object Resources
General Data
Rules
Rule Attributes
Rule Attribute Values
Object Resource Group Connections
General Data
Rule Attributes and their Values
Access Resource Groups
General Data
Forbidden Groups
Object Resource Groups
General Data
Forbidden Groups
Target Systems
aConnect Data
Classes
Class Attributes
Class Attribute Values
Class Attribute References
Allowed Classes
Class Attributes and their Values
Role-Based Objects
Roles
Group Connections
General Data
Generic Group Connections
General Data
Joker Group Connections
General Data
Generic Joker Group Connections
General Data
Templates
Account Templates
General Data
Attributes
Attribute Values
Group Connections
General Data
Attributes
Attribute Values
Resource Group Connections
General Data
Authorizations
Group Templates
General Data
Forbidden Groups
Attributes
Attribute Values
Resource Group Connections
General Data
Authorizations
Access Resource Templates
General Data
Rules
Rule Attributes
Rule Attribute Values
Access Resource Group Connections
General Data
Object Resource Templates
General Data
Rules
Rule Attributes
Rule Attribute Values
Object Resource Group Connections
General Data
Access Resource Group Templates
General Data
Forbidden Groups
Object Resource Group Templates
General Data
Forbidden Groups
Defaults
Account Defaults
General Data
Attribute
Attribute Value
Group Connection
General Data
Attributes
Attribute Values
Resource Group Connection
General Data
Authorization
Group Defaults
General Data
Forbidden Group
Attribute
Attribute Value
Resource Group Connection
General Data
Authorization
Access Resource Defaults
General Data
Rule
Rule Attribute
Rule Attribute Value
Access Resource Group Connection
Object Resource Defaults
General Data
Rule
Rule Attribute
Rule Attribute Value
Object Resource Group Connection
Access Resource Group Defaults
General Data
Forbidden Group
Object Resource Group Defaults
General Data
Forbidden Group
Target System Defaults
aConnect Data
Class
Class Attribute
Class Attribute Value
Class Attribute Reference
Allowed Class
Other
Help Desk Account

Configuration
1 - Installation and License
2 - Administrator ID
3 - Target System Defaults
4 - Target System Creation
5 - Target System Settings
6 - Target System aConnect Data
7 - Target System Enabling
8 - Account Defaults
9 - Group Defaults
10 - Resource Defaults
11 - Resource Group Defaults
12 - Security Data Takeover
13 - Database Optimization

aConnect Agent
Prerequisites
Character Sets and Code Conversion
Configuration
1 - TOM
2 - Remote Courier
3 - Socket Daemon
4 - Master Courier
5 - Testing the Connection
6 - Target System Settings
Socket Daemon
SDINI File
MsgINI File
Start-Up
Shut-Down
Operator Commands
Remote Courier
RCINI File
MsgINI File
Start-Up
Shut-Down
Operator Commands
TOM
TOM Configuration
TOM User
TOM Exit Conventions

Initial Load

Consistency Maintenance
Repair Rules
Rule Actions
Rule Hierarchies
Type-Specific Repair Rules
Type Support for aConnect
Restrictions and Recommendations
Tables List
Configuring Consistency Maintenance
Configuration Object
Executing Consistency Maintenance
Interactive Run
1 - Configuration Selection
2 - Utility Run Creation
3 - Utility Run Start
Batch Run
CM Unlock/Restart

aConnect Toolbox
Deleting Attributes
Deleting Resource Group Connections
Updating Activity Status
Configuration
Deleting Attributes
Deleting Resource Group Connections
Updating Activity Status
Execution
Interactive Run
1 - Configuration Selection
2 - Utility Run Creation
3 - Utility Run Start
Batch Run

About This Manual


This publication applies to the product SAM Enterprise Release 1.1. This edition was created
on August 5, 2014. For all questions regarding SAM, please contact:

Beta Systems Software AG - Hotline Services

Hotline Europe
0800-BetaSys (0800-238 27 97, toll-free in Germany)
+49 (0)6321 49915 108 (from outside Germany)
eMail: support@betasystems.com

Hotline America
+1 877 231 9867 (toll-free in North America)
+1 403 231 9868 (from outside North America)
eMail: techsupport@betasystems.com

Beta Systems Software AG - URLs
Beta Systems: www.betasystems.com
SAM Enterprise: www.sam-security.com
Support De (by account): support.betasystems.de
Support En (by account): support.betasystems.com

Beta Systems Software AG - Headquarters
Alt Moabit 90d
D-10559 Berlin, Germany
Phone: +49 (0)30 726 118 0
Fax: +49 (0)30 726 118 800

Beta Systems Software AG - Cologne Office
Josef-Lammerting-Allee 14
D-50933 Koeln, Germany
Phone: +49 (0)221 65015 0
Fax: +49 (0)221 65015 400

Beta Systems of North America, Inc.
8300 Greensboro Drive, Suite 1150
McLean, VA 22102, USA
Phone: +1 703 889 1240
Fax: +1 703 889 1241

Copyright © Beta Systems Software AG, 2009. All rights reserved. This manual may not be copied
in part or in its entirety for distribution to third parties without the express written permission of the
publisher.

Overview
This manual documents SAM aConnect, the component in SAM Enterprise that provides support for application-specific security administration in applications in which access rights depend on objects, their attributes, and the processes in which these objects are involved. This information is provided in the following chapters after the introduction About This Manual:

aConnect and SAM: Introduces the concept of application-specific security administration based on objects, processes, and their attributes.

aConnect Business Objects: Describes the business objects provided by SAM aConnect.

Configuration: Explains how to define an aConnect target system in SAM and configure it for security administration.

Initial Load: Is a placeholder for the chapter about this topic, which is expected from every target system interface manual. In this case, however, it is a single page to state that SAM aConnect does not support Initial Load.

Consistency Maintenance: Describes the utility to restore the consistency between SAM's image of a target system and the actual target system data.

aConnect Toolbox: Describes the utilities for SAM aConnect, which provide functions in addition to the standard utilities Initial Load and Consistency Maintenance.

Intended Readers
The SAM Enterprise aConnect Manual addresses system administrators and DBAs - those people
who are involved in the configuration and systems management.

If you are not yet familiar with SAM's online documentation, the following remarks are helpful:

This manual is a highly integrated online book, meaning that any word or passage which
refers to another page is presented as a hyperlink. Clicking the color-marked text takes
you to the referenced page.

Independently from these hyperlinks, the pages are ordered one after another, as in any
other book. You can go forward and backward using the appropriate buttons. You can
also return to the previously displayed pages.

A detailed explanation of the available browsing functions is provided in the section Reading Online Books.

We welcome your input regarding the content or style of this manual. Please direct your comments, suggestions, or questions to SAM Customer Support or any other SAM representative.

Abbreviations
The following list explains the abbreviations used in SAM and the SAM manuals. Abbreviations
that are specific to other applications are not included here. Where applicable, the glossary
includes definitions for product-specific terms and abbreviations.
BO: Business Object
CM: Consistency Maintenance
IL: Initial Load
MC: Master Courier
RC: Remote Courier
ToC: Table of Contents
TOM: Target System Operation Module
TS: Target System
TSI: Target System Interface

Trademarks
It is hereby confirmed that the various product names, concepts, and other proprietary terms
which are mentioned in this publication may be trademarks or registered trademarks of their
respective owners.

SAM Enterprise Manuals


SAM Enterprise Master Index: The central reference for SAM Enterprise documentation, including the glossary, the How to ... collection of frequently asked questions, and other global indexes.

SAM Enterprise Release Guide: The official description of public releases for SAM Enterprise, including a summary of changes and a migration guide for each published version. This manual also includes the official description of supported platforms, supported versions, hardware prerequisites, and software prerequisites for all components in SAM Enterprise.

SAM Enterprise Messages and Codes: Documents all messages, return codes, and reason codes that can appear from/in any SAM Enterprise component.

SAM Enterprise User Manual: The security administrator's manual for SAM Enterprise. It documents the graphical user interface for SAM Enterprise.

SAM Enterprise Workflow Manual: An introduction to the request workflow system SAM Workflow.

SAM Enterprise Business Process Workflow User Manual: Documents SAM Business Process Workflow, an independent application with an interface to SAM Enterprise.

SAM Enterprise Browser Client Manual: An introduction to the browser client for requests in SAM Workflow.

SAM Enterprise Reporting Manual: Describes the SAM Reporting System. The manual addresses security administrators and auditors who need reports about the security data in SAM.

SAM Enterprise Installation Manual: Documents the installation tasks for SAM Enterprise components.

SAM Enterprise Configuration Manual: The system administrator's manual for configuring SAM Enterprise. This book covers all configuration options in SAM, from switch settings in dialog boxes up to a complete customer-specific target system interface.

SAM Enterprise Operations Manual: The system administrator's manual for running SAM Enterprise. This book includes documentation for utilities, system component start-up and shutdown, and similar system operator tasks.

SAM Enterprise Rule Engine Manual: Documents SAM Enterprise's rule engine, the component in SAM Enterprise that provides services for automated data processing based on rules.

SAM Enterprise Business Object Reference: Documents details and structures in SAM's enterprise data level, which includes the business object types independent of any particular access control system. This book supplements the general information found in the SAM Enterprise Operations Manual.

SAM Enterprise Internal Security Manual: Documents details and structures in SAM's own security system, which is organized like any other target system interface. This book supplements the general information found in the SAM Enterprise Operations Manual.

SAM Enterprise Password Reset Manual: Documents SAM Password Reset, the component in SAM Enterprise that provides end users with functions for resetting their passwords.

SAM Enterprise ACF2 Manual: Documents ACF2-specific details and structures as implemented in the SAM ACF2 Interface. This book supplements the general information found in the SAM Enterprise Operations Manual.

SAM Enterprise AIX Manual: Documents AIX-specific details and structures as implemented in the SAM AIX Interface. This book supplements the general information found in the SAM Enterprise Operations Manual.

SAM Enterprise BPW Manual Documents BPW-specific details and structures as imple-

mented in the SAM BPW Interface. This book supplements the general information found
in the SAM Enterprise Operations Manual.
SAM Enterprise BPW Manual
SAM Enterprise Operations Manual
SAM Enterprise DB2 Manual Documents DB2-specific details and structures as implemented

in the SAM DB2 Interface. This book supplements the general information found in the SAM
Enterprise Operations Manual.
SAM Enterprise DB2 Manual
SAM Enterprise Operations Manual
SAM Enterprise eConnect Manual Documents LDAP-specific details and structures as im-

plemented in SAM eConnect. This book supplements the general information found in the
SAM Enterprise Operations Manual.
SAM Enterprise eConnect Manual
SAM Enterprise Operations Manual
SAM Enterprise HP-UX Manual Documents HP-UX-specific details and structures as imple-

mented in the SAM HP-UX Interface. This book supplements the general information found
in the SAM Enterprise Operations Manual.
SAM Enterprise HP-UX Manual
SAM Enterprise Operations Manual
SAM Enterprise Lotus Domino Manual Documents Lotus Domino-specific details and struc-

tures as implemented in the SAM Lotus Domino Interface. This book supplements the
general information found in the SAM Enterprise Operations Manual.
SAM Enterprise Lotus Domino Manual
SAM Enterprise Operations Manual
SAM Enterprise mConnect Manual Documents the methods, features, and structures of SAM

mConnect, SAMs target system interface without a specific reference system and therefore
without standard import/export functions. This book supplements the general information
found in the SAM Enterprise Operations Manual.
SAM Enterprise mConnect Manual
SAM Enterprise Operations Manual
SAM Enterprise NetWare Manual Documents NetWare-specific details and structures as implemented in the SAM NetWare Interface. This book supplements the general information
found in the SAM Enterprise Operations Manual.

SAM Enterprise Oracle Manual Documents Oracle-specific details and structures as implemented
in the SAM Oracle Interface. This book supplements the general information found in the SAM
Enterprise Operations Manual.
SAM Enterprise OS/400 Manual Documents OS/400-specific details and structures as implemented in the SAM OS/400 Interface. This book supplements the general information
found in the SAM Enterprise Operations Manual.

SAM Enterprise RACF Manual Documents RACF-specific details and structures as implemented
in the SAM RACF Interface. This book supplements the general information found in the SAM
Enterprise Operations Manual.
SAM Enterprise SAP Manual Documents SAP R/3-specific details and structures as implemented in the SAM SAP Interface. This book supplements the general information found in
the SAM Enterprise Operations Manual.

SAM Enterprise Solaris Manual Documents Solaris-specific details and structures as implemented
in the SAM Solaris Interface. This book supplements the general information found in the SAM
Enterprise Operations Manual.
SAM Enterprise Tivoli Access Manager Manual Documents Tivoli Access Manager-specific
details and structures as implemented in the SAM Tivoli Access Manager Interface. This
book supplements the general information found in the SAM Enterprise Operations Manual.

SAM Enterprise Top Secret Manual Documents Top Secret-specific details and structures as
implemented in the SAM Top Secret Interface. This book supplements the general information
found in the SAM Enterprise Operations Manual.

SAM Enterprise TSO Manual Documents TSO-specific details and structures as implemented
in the SAM TSO Interface. This book supplements the general information found in the SAM
Enterprise Operations Manual.
SAM Enterprise uConnect Manual Documents the methods, features, and structures of SAM
uConnect, the development kit and prototype for quickly creating a target system interface
with standard structures and objects (accounts, groups, target systems). This book supplements the general information found in the SAM Enterprise Operations Manual and in the
SAM Enterprise Configuration Manual.

SAM Enterprise Windows 2000 Manual Documents Windows 2000-specific details and structures
as implemented in the SAM Windows 2000 Interface. This book supplements the general
information found in the SAM Enterprise Operations Manual.

aConnect and SAM


SAM aConnect is a generic target system interface. This means that SAM aConnect is designed
to satisfy the typical demands of security administration in an application environment with
complex, value-related access right definitions, rather than for a specific system architecture.
SAM aConnect is based on the assumption that the represented application system is located
on an LDAP platform. However, this is just a recommendation; other platforms are possible
as well. For all further details regarding supported versions, prerequisites, and configuration
alternatives, see the section SAM Enterprise Release Guide: SAM aConnect in the chapter
SAM Enterprise Hardware/Software Reference of the SAM Enterprise Release Guide.
This chapter introduces SAM aConnect with its architecture and its features. Due to the generic
nature of SAM aConnect, this is more or less equivalent to describing the typical architecture
of an application system in which access rights can depend on dynamic values that vary from
one administrator to another.

aConnect Security Concepts


As a generic target system interface, SAM aConnect must be able to cooperate with application
systems that are based on entirely different implementation structures. This is achieved by
establishing an interface that is called the administration layer:

SAM aConnect and the aConnect Agent provide the security definitions and store them
in an administration layer. The structure of this administration layer is fixed.

The administration layer is not necessarily stored on the same platform as the application itself.

The customer needs a transformation process to connect the administration layer with
the application. It is beyond the scope of SAM aConnect and this manual to describe
how the transformation integrates the data and/or the function.

Where required, the internal security for the administration layer can be provided with the
LDAP feature Access Control List (ACL). Defining the required ACLs and incorporating
the transformation process as well as the aConnect Agent are configuration tasks when
integrating the security administration for an application in SAM Enterprise.

SAM aConnect itself does not define any ACL, nor does it offer specific support for their
definition.

The colors in the above diagram indicate which functionality is part of SAM aConnect and
which components are the customer's responsibility.

Administration Layer

As a generic target system interface, SAM aConnect must include functions to define the security
concept and to design the entity types with a maximum of flexibility. The administration layer
represents the basic architecture that appears in an aConnect target system, similar to the system
architecture in other target system interfaces. The logical structure of the administration layer
is as follows:
The details of these entity types are explained on the subsequent pages. The highlights of this
architecture can be summarized as follows:
The relationship between users and groups is as expected. Users are connected to groups in
order to receive access rights. These relationships might be referred to as memberships.
For users, groups, and the memberships between them, a data space is available that can be
configured entirely. These data spaces consist of data attributes whose values can influence
access rights.
Process spaces represent processes, transactions, or generally any function that provides access
toward data objects in any access mode. The rules and their conditions define the details
which together create a profile that can be matched by any number of real-world application
functions.
Similarly, object spaces represent data objects of any kind and with any inherent complexity.
The rules and their conditions define the details which together create a profile that can be
matched by any number of real-world data objects.
Users or groups receive authorizations only toward pairs of resource spaces, consisting of one
process space and one object space. However, this model can be simplified by establishing an
all-qualifier for the process side or an all-qualifier for the object side.
Configuration stands for those objects which together might be called the dictionary of an
application system. In particular, this dictionary includes all attributes that may occur in
any data space, including their valid values.

Users
Users are represented in the administration layer in a straightforward fashion, at least regarding
their identification. For user authentication, however, the design of SAM aConnect provides a
generic concept, as is illustrated in the following typical examples of access right conditions:
Imagine a corporation - bank, insurance company, etc. - that deals with contracts of any
kind. A typical access right condition in contract applications might be "all contracts for
the same branch".
Similarly, a typical exclusion condition might be "any contract (for the same branch), as
long as the contractor or client is not identical with the accessing administrator".
The concept that covers these and other demands uses attributes and attribute values. More
exactly, it uses attribute assignments, because attributes are defined in a central dictionary:
Users can have attributes in order to represent access-relevant information. With reference
to the above examples, users would have an attribute BRANCH and an attribute NAME.
Note: The values of certain attributes, e.g. NAME, might also appear as values somewhere
in the fixed data structure for users.
The assigned attributes must be defined in the system-wide dictionary of all attributes. For
SAM aConnect and its administration layer, this means that the attribute must be defined
in any of the resource classes of the respective target system.
Note: To cover requests beyond the scope of any resource, SAM aConnect supports classes
that are independent of resources.
User attributes can be referenced from placeholders that appear in authorizations instead
of fixed values. For example, the first of the above conditions can be expressed as CONTRACT.BRANCH = USER.BRANCH.
Note: User attributes might also be used to establish system-wide authorities. For example, in
order to establish the equivalent of SAM's own super administrator - a status that implies all
access rights - a user in the administration layer would need an additional attribute, perhaps
called STATUS, in which a value SUPER ADMIN occurs that is referenced from global
authorizations.

Groups
Groups in the administration layer play the same role as in any other access control organization. Groups act as containers for access rights that can be granted to users by establishing a
connection between user and group. So far, SAM aConnect behaves very much like any other
target system interface.
The first special aspect is the demand for a data space similar to that of users. The solution in
SAM aConnect is to use the same mechanisms for attributes and values as in the user organization. For example, with an attribute BRANCH, a group can be as branch-specific as any user,
and a branch-related condition in an authorization would refer to this attribute for both users
and groups.
The second special aspect is the demand for a data space even for user connections to groups.
This is covered by the same mechanism with attributes and values as is used for users and for
groups. The result is an increased flexibility, so that the same user can appear under different
roles or functions in different groups.
The final aspect is the concept of mutually exclusive conditions. For example, a standard
principle might be specified as follows: For any particular data object (e.g., contract), the
administrator cannot be identical with the approver or auditor. Assuming that access rights for
administration and access rights for approval or auditing are granted through different groups,
this principle leads to the condition that those groups are mutually exclusive. A common term
for this functionality is separation of duties.
SAM aConnect supports the concept by providing data entries to express the mutually exclusive
status between groups. This status takes effect when attempting to connect a user to both
groups.

Memberships
Memberships in the administration layer of SAM aConnect play the same role as in any other
access control organization. Memberships - or connections - represent the assignment of a user
to a group. The membership provides the user with access rights. In this, SAM aConnect does
not differ significantly from any other target system interface.
The first special aspect is the demand for a data space even for the memberships of users in
groups. This is covered by the same mechanism with attributes and values that is already used
for users and groups. The result is an increased flexibility, so that the same user can appear
under different roles or functions in different groups.
The second special aspect is the concept of mutually exclusive memberships. For example, a
standard principle might be specified as follows: For any particular data object (e.g., contract),
the administrator cannot be identical with the approver or auditor. Assuming that access
rights for administration and access rights for approval or auditing are granted through different
groups, this principle leads to the condition that these groups are mutually exclusive.
SAM aConnect supports the concept by providing data entries to express the mutually exclusive
status between groups. This status takes effect when attempting to connect a user to both
groups.
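
The mutual exclusion between groups described under Groups and Memberships, as an added Python example that is not SAM aConnect code: the exclusion is stored in both directions and checked whenever a membership is created, and an audit function reports memberships that already break it. The class, method, group and attribute names are hypothetical.

```python
from collections import defaultdict


class SeparationOfDutiesError(Exception):
    """Raised when a membership would join two mutually exclusive groups."""


class GroupDirectory:
    """Hypothetical in-memory stand-in for the groups of an administration layer."""

    def __init__(self):
        self.members = defaultdict(dict)    # group -> {user: membership attributes}
        self.forbidden = defaultdict(set)   # group -> mutually exclusive groups

    def forbid(self, group_a, group_b):
        """Mark two groups as mutually exclusive; return users already in both."""
        if group_a == group_b:
            raise ValueError("a group cannot exclude itself")
        self.forbidden[group_a].add(group_b)
        self.forbidden[group_b].add(group_a)    # counterpart entry, kept symmetric
        return sorted(set(self.members[group_a]) & set(self.members[group_b]))

    def permit(self, group_a, group_b):
        """Remove the exclusion in both directions."""
        self.forbidden[group_a].discard(group_b)
        self.forbidden[group_b].discard(group_a)

    def connect(self, user, group, **attributes):
        """Create a membership unless the user is in a group that excludes this one."""
        conflicts = sorted(g for g in self.forbidden[group]
                           if user in self.members[g])
        if conflicts:
            raise SeparationOfDutiesError(
                f"{user} cannot join {group}: member of {', '.join(conflicts)}")
        # Each membership carries its own attributes (its own data space).
        self.members[group][user] = dict(attributes)

    def violations(self):
        """Audit existing data: (user, group, group) triples that break an exclusion."""
        found = set()
        for group, excluded in self.forbidden.items():
            for other in excluded:
                first, second = sorted((group, other))
                both = set(self.members[first]) & set(self.members[second])
                found.update((user, first, second) for user in both)
        return sorted(found)


if __name__ == "__main__":
    directory = GroupDirectory()
    directory.forbid("CONTRACT_ADMIN", "CONTRACT_AUDIT")   # constructed group names
    directory.connect("alice", "CONTRACT_ADMIN", ROLE="clerk")
    try:
        directory.connect("alice", "CONTRACT_AUDIT", ROLE="auditor")
    except SeparationOfDutiesError as error:
        print("rejected:", error)
```

The return value of `forbid` and the `violations` audit cover the case where an exclusion is declared after conflicting memberships already exist.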

Process Spaces
In modern application systems, it is nearly impossible to define resources as single, isolated
objects that can be fully separated from other resources for the purpose of granting access
rights. Consequently, SAM aConnect does not pursue this approach. Instead, SAM aConnect
defines rules and rule sets which together create resource profiles. A particular resource is any
event or object or function or combination of the above, provided it matches the set of rules
that are bound together in a logical AND.
As a first step to structure the amorphous mass of resource profiles, SAM aConnect distinguishes between processes and objects. The full extent of this distinction is explained in
Authorizations. For the current discussion, it is sufficient to say that processes can be programs, procedures, transactions, or any other element type with the characteristics of an access
path or access function toward any kind of data.
The second structuring step is the definition of classes. From the perspective of SAM aConnect,
a process class is a category or container. How the class concept is actually implemented is
entirely up to the customer.
A particular process space in a particular class can still be quite complex. The following illustration presents an example in which the space spans three dimensions: transaction, letter, and
value:

The first condition states that the involved transaction must belong to the group 0815. In
numbers, this is equivalent to the range 081500 - 081599. In the diagram, the transactions
represent the vertical dimension.
The next condition states that the involved data keys must be in the letter range F - J. In
the diagram, the letters represent the horizontal dimension.
The third condition states that the involved value (e.g., contract value) cannot exceed 500.
In the diagram, the values represent the transversal dimension.
These conditions are combined with a logical AND. SAM aConnect establishes a hierarchy of
conditions, rules, resources, and resource groups as follows:

Conditions, which are combined in a logical AND, together form a rule.

Rules, which are combined in a logical OR, together form a resource, here an access
resource.

Resources are put into resource groups for the purpose of granting access rights and
according to factors that are specific to the application system. A significant aspect in
the grouping of resources is that the conditions of mutual exclusion, which take effect
in authorizations toward users and groups, are implemented as dependants of resource
groups.

Object Spaces
Object spaces can be described briefly as follows: An object space is the object equivalent to
a process space, while all structural conditions and elements are the same. Together with the
knowledge that object resources represent data objects of any kind, the definition is complete.
The subsequent text provides a more detailed definition.
In modern application systems, it is nearly impossible to define resources as single, isolated
objects that can be fully separated from other resources for the purpose of granting access rights.
Consequently, SAM aConnect does not pursue this approach. Instead, SAM aConnect defines
rules and rule sets which together create resource profiles. A particular resource is any event
or object or function or combination of the above, provided it matches the set of rules that are
bound together in a logical AND.
As a first step to structure the amorphous mass of resource profiles, SAM aConnect distinguishes
between processes and objects. The full extent of this distinction is explained in Authorizations. For the current discussion, it is sufficient to say that objects can be any type of data
element with the characteristics of information that is manipulated through access functions.
The second structuring step is the definition of classes. From the perspective of SAM aConnect,
an object class is a category or container. How the class concept is actually implemented is
entirely up to the customer.
A particular object space in a particular class can still be quite complex. The following illustration presents an example in which the space spans three dimensions: account numbers, account
types, and account categories:

The first condition states that the involved account numbers must be in the range 471100 -
471199. In the diagram, the account numbers represent the vertical dimension.
The next condition states that the account main type must be S, with the sub-type range
I to IV. In the diagram, the types represent the horizontal dimension.
The third condition states that the account must be a private account, not a business account.
In the diagram, the category represents the transversal dimension.
As it turns out, this example creates a plane rather than a space in the conventional, three-dimensional sense. However, the term object space must be understood in an abstract or
mathematical sense, in which even a one-dimensional object like a line represents a space.
These conditions are combined with a logical AND. SAM aConnect establishes a hierarchy of
conditions, rules, resources, and resource groups as follows:
Conditions, which are combined in a logical AND, together form a rule.
Rules, which are combined in a logical OR, together form a resource, here an object
resource.
Resources are put into resource groups for the purpose of granting access rights and
according to factors that are specific to the application system. A significant aspect in
the grouping of resources is that the conditions of mutual exclusion, which take effect
in authorizations toward users and groups, are implemented as dependants of resource
groups.

Authorizations
Authorizations in the administration layer of SAM aConnect are relationships between three
involved objects:
There is one object at the accessing side. As in other target system interfaces, this can be
an account representing a user, a group as the standard case, or a user policy as SAM's
object for role-based access control.
There are two objects at the accessed side, which always appear as pairs: one object
represents processes and the other one represents objects.
SAM aConnect uses resource groups as the objects for the accessed side. There is one access
resource group representing processes and one object resource group representing objects. The
resources in these groups create a matrix that is illustrated in the following diagram:

Initially, the matrix is empty. This means that the authorization framework, which combines
a particular account or group with a particular access resource group and a particular object
resource group, is empty in the sense that this relationship alone does not provide any access.
An element in the matrix represents a combination of an access resource, representing a process
or more generally an access function, with an object resource, representing an accessible item
(account, contract, data record, etc.).
Each matrix element can be administered individually, meaning that this particular authorization can be granted or not. SAM aConnect only supports positive authorizations, implying
that anything that is not explicitly allowed in the application system is forbidden.
In order to prevent combinations that do not make sense, SAM aConnect establishes definitions
of allowed classes for each resource class. These definitions make clear which access classes can
be paired with which object classes in authorizations. Obviously, this aspect is significant in the
organization of resource classes.
The opposite of allowed classes are forbidden classes. However, these class-to-class relationships
stay within the same category, Access or Object, and refer to the authorized users or groups,
rather than to the pairings. For example, if the object classes A and B are mutually exclusive,
the effect is that any user or group with an access right toward a resource in the class A cannot
receive an access right for a resource in the class B.
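
The evaluation model of the Process Spaces, Object Spaces and Authorizations sections, as an added Python example that is not SAM aConnect code: conditions are ANDed into rules, rules are ORed into resources, a placeholder such as USER.BRANCH is resolved against the accessing user, and an authorization grants individual cells of an initially empty matrix. All class names, the attribute names TRANSACTION, KEY_LETTER and VALUE, the second access rule, and the choice to treat missing attributes as "no match" are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ref:
    """Placeholder for an attribute of the accessing user, e.g. USER.BRANCH."""
    attribute: str


def _bound(bound, user):
    """Resolve a bound: fixed value, None (unbounded) or a user placeholder."""
    if isinstance(bound, Ref):
        resolved = user[bound.attribute]        # KeyError if the user lacks it
        if resolved is None:
            raise KeyError(bound.attribute)     # empty user attribute: fail closed
        return resolved
    return bound


@dataclass(frozen=True)
class Condition:
    """One attribute test with inclusive bounds; None means unbounded."""
    attribute: str
    low: object = None
    high: object = None

    def matches(self, item, user):
        try:
            value = item[self.attribute]
            low, high = _bound(self.low, user), _bound(self.high, user)
            return ((low is None or low <= value)
                    and (high is None or value <= high))
        except (KeyError, TypeError):
            return False    # missing attribute or incomparable types: no match


def equals(attribute, value):
    return Condition(attribute, value, value)


@dataclass(frozen=True)
class Rule:
    conditions: tuple       # combined with a logical AND

    def matches(self, item, user):
        # Assumption: a rule without conditions matches nothing.
        return bool(self.conditions) and all(
            c.matches(item, user) for c in self.conditions)


@dataclass(frozen=True)
class Resource:
    rules: tuple            # combined with a logical OR

    def matches(self, item, user):
        return any(r.matches(item, user) for r in self.rules)


@dataclass
class Authorization:
    """Pairs one access resource group with one object resource group."""
    access_group: dict      # name -> Resource (process side)
    object_group: dict      # name -> Resource (object side)
    granted: set = field(default_factory=set)   # matrix cells, initially empty

    def grant(self, access_name, object_name):
        if access_name not in self.access_group:
            raise KeyError(access_name)
        if object_name not in self.object_group:
            raise KeyError(object_name)
        self.granted.add((access_name, object_name))

    def allows(self, user, process, obj):
        # Positive authorizations only: anything not granted is denied.
        return any(self.access_group[a].matches(process, user)
                   and self.object_group[o].matches(obj, user)
                   for a, o in self.granted)


# Constructed sample resources, following the manual's examples.
TX_0815 = Resource(rules=(
    Rule((Condition("TRANSACTION", 81500, 81599),   # group 0815: 081500 - 081599
          Condition("KEY_LETTER", "F", "J"),
          Condition("VALUE", high=500))),
    Rule((Condition("TRANSACTION", 81600, 81699),   # constructed second rule
          Condition("VALUE", high=100))),
))
OWN_BRANCH_CONTRACT = Resource(rules=(
    Rule((equals("BRANCH", Ref("BRANCH")),)),       # CONTRACT.BRANCH = USER.BRANCH
))


def build_authorization():
    return Authorization(access_group={"TX_0815": TX_0815},
                         object_group={"OWN_BRANCH_CONTRACT": OWN_BRANCH_CONTRACT})
```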
Configuration
The previous pages mention all configuration objects that occur in the administration layer of
SAM aConnect, each of them in its own context. The following list summarizes the configuration
objects, which are all implemented as dependants of the target system:
The main configuration elements are the classes, which must belong to one of the three
categories Access, Object, or Target System. While these classes could be interpreted as
resource classes, the third category can be understood as Other and represents things that
are not directly related to resources.
The next configuration elements are the attributes, which must belong to any of the classes
as explained above. Attributes have attribute values and attribute references: While
a value defines a fixed value or value range, an attribute reference is a placeholder toward
a certain attribute (value) of an accessing object (user or group). These references are the
basis for the specification of dynamic value-dependent conditions such as "administrator and
contract must belong to the same branch".
Finally, there are the allowed classes, which also appear as dependants of classes. Allowed
classes specify how certain access classes can be paired with certain object classes in authorizations. For example, these definitions prevent the accidental pairing of life insurances
(object side) with transactions that apply to car insurances (access side).

Object Status
SAM aConnect supports a status concept for its business objects. This concept is much more
detailed in SAM than in the administration layer, e.g. in an LDAP directory. The status is
administered and converted to LDAP conventions as follows:
SAM maintains three fields in the Status group of the respective business objects. These
fields are Active, Valid From, and Valid To.
Active is a switch that can be set ON or OFF. Switching it off is equivalent to temporarily
disabling the business object.
Valid From and Valid To are dates. As the names indicate, they define a period in which
the business object is valid, and periods before and/or after in which the business object is
known but invalid. If these dates are left empty, the business object is valid as long as its
definition exists - unless it is temporarily disabled as explained above.
The LDAP directory only knows a switch Active-internal, which can be ON or OFF. SAM
determines the switch setting from the above fields as follows:
Active-internal is ON under the following conditions, which all must be met:
Active is ON
Valid From is the current date or earlier or empty
Valid To is the current date or later or empty
In all other cases, Active-internal is OFF.
This status concept is supported for the following business objects:

Account
Group
Group connection
Access resource
Object resource
Resource group connection (authorization)
Attributes (target system class attributes)

Assignable Status
In addition to the general status of a business object, SAM aConnect supports an assignable
status that determines whether a business object can be assigned to other objects:
The Assignable switch can have the values ON and OFF. Only if the value is ON, the
respective business object can appear in connections.
The switch is supported for the following business objects:

Group
Access resource
Object resource
Access resource group
Object resource group
Attributes (target system class attributes)

Functional Support
SAM aConnect supports security administration for application systems with value-specific and
dynamically changing access rights as follows:
An application system can be defined as a target system in SAM.
The administration of users is supported. Application users, which are mapped to aConnect
accounts in SAM, can be created, modified, and deleted. This support also extends to any
kind of user attribute that may be involved in the evaluation of access rights.
The administration of groups or any other type of container for the purpose of providing
access rights is supported. Such groups, which are mapped to aConnect groups in SAM,
can be created, modified, and deleted. This support also extends to any kind of user attribute
that may be involved in the evaluation of access rights.
The administration of user memberships in groups is supported. Such memberships, which
are mapped to aConnect group connections (account) in SAM, can be created, modified,
and deleted. This support also extends to any kind of membership attribute that may be
involved in the evaluation of access rights. Membership attributes can be independent from
corresponding attributes of the involved user or the involved group.
The administration of mutually exclusive conditions for groups or memberships in them is
supported. Such conditions, which are mapped to aConnect group forbidden groups, can
be created, modified, and deleted. In all these cases of entirely symmetrical relationships,
SAM aConnect automatically maintains the counterpart definition for the other group.
The administration of process spaces is supported. Such profiles, which are mapped to
aConnect access resources, can be created, modified, and deleted. This support includes the
definition of rules to determine the exact boundaries of the process spaces, and the definition
of conditions which together create the rules.
The administration of object spaces is supported. Such profiles, which are mapped to
aConnect object resources, can be created, modified, and deleted. This support includes the
definition of rules to determine the exact boundaries of the object spaces, and the definition
of conditions which together create the rules.
For the proper support of access rights and mutually exclusive conditions among process
spaces and object spaces, a container concept is supported for both of them. Such containers,
which are mapped to
aConnect access resource groups for process spaces
aConnect object resource groups for object spaces
can be created, modified, and deleted. This support includes the definition of mutually
exclusive conditions between resource groups of the same type. Such conditions are mapped
to
aConnect access resource groups forbidden groups for process spaces
aConnect object resource groups forbidden groups for object spaces
The administration of authorizations for users or groups toward pairs of process spaces and
object spaces is supported. Such authorizations, which are mapped to aConnect resource
group connections, can be created, modified, and deleted. This support includes the definition
of access right details for every combination of process and object that may occur in such an
access rights matrix.
Furthermore, for each category of process space and object space, it is possible to define the
valid combinations. This, in turn, renders all other combinations invalid. Such relationships
are mapped to the configuration data which appears as dependants of the aConnect target
systems.
The configuration of an administration layer is supported by additional objects that are
implemented as dependants of aConnect target systems. This includes the following:

Classes for processes, objects, and their resource groups


Class-to-class relationships for the pairing of processes and objects
Attributes
Attribute values
Attribute references (placeholders for user/group attributes)

aConnect Objects in SAM


The following list explains how the business objects of SAM aConnect are used to represent
security objects in an application with value and context-related demands in access control.
More exactly, the list explains how the objects that are discussed in Administration Layer are
mapped to business objects of SAM aConnect. The hyperlinks at the end of each list entry lead
to the sections with a detailed description:
An application system can be defined in SAM as a business object of the type aConnect
target system.
Application users are mapped to SAM business objects of the type aConnect account.
Data spaces of users are mapped to SAM business objects of the types aConnect account
attributes and aConnect account attribute values.
Application groups and other forms of containers for the purpose of granting access rights are
mapped to SAM business objects of the type aConnect group.
Data spaces of groups are mapped to SAM business objects of the types aConnect group
attributes and aConnect group attribute values.
Memberships of users in groups and other forms of access right profile assignments are mapped
to SAM business objects of the type aConnect group connection (account).
Data spaces of memberships are mapped to SAM business objects of the types aConnect
group connection (account) attributes and aConnect group connection (account) attribute
values.
Conditions of mutual exclusions between groups - more exactly, between group memberships
- are mapped to SAM business objects of the type aConnect group forbidden groups.
Process spaces are mapped to SAM business objects of the types aConnect access resources,
aConnect access resource groups, and aConnect access resource group connection (resource).
Rules and their conditions for process spaces are mapped to SAM business objects of the types
aConnect access resource rules, aConnect access resource rule attributes, and aConnect
access resource rule attribute values.
Conditions of mutual exclusions between process spaces - more exactly, between authorizations
that involve these process spaces - are mapped to SAM business objects of the type aConnect
access resource group forbidden groups.
Object spaces are mapped to SAM business objects of the types aConnect object resources,
aConnect object resource groups, and aConnect object resource group connection (resource).
Rules and their conditions for object spaces are mapped to SAM business objects of the types
aConnect object resource rules, aConnect object resource rule attributes, and aConnect
object resource rule attribute values.
Conditions of mutual exclusions between object spaces - more exactly, between authorizations
that involve these object spaces - are mapped to SAM business objects of the type aConnect
object resource group forbidden groups.
Valid relationships between process spaces and object spaces for the purpose of pairing in
authorizations are mapped to SAM business objects of the type aConnect target system
allowed classes, which in turn are dependants of the class definitions for process spaces and
object spaces.
Authorizations of users toward process and object spaces are mapped to SAM business objects
of the type aConnect resource group connection (account).
Authorizations of groups toward process and object spaces are mapped to SAM business
objects of the type aConnect resource group connection (group).
Dictionary entries for attributes and their values are mapped to SAM business objects of the
types aConnect target system class attributes and aConnect target system class attribute
values.
Placeholders for the purpose of dynamic, value-related access rights evaluation are mapped
to SAM business objects of the type aConnect target system class attribute references.

aConnect Administration with SAM


The figure below shows the SAM Enterprise components that are involved in aConnect security
administration. The figure shows a SAM system with a connection to an application system
that appears in SAM as an aConnect target system.

The following example illustrates what the above components do and how they interact. Assume
that an administrator wants to create a new aConnect account for a user.
The administrator starts a SAM Client. SAM's graphical user interface (GUI) is presented and a communication line to the SAM Business Server is established:

The administrator opens a User Navigation Window. The SAM Client responds by
requesting a user list from the SAM Business Server. The data is fetched from the SAM
database and sent back to the SAM Client:

This data flow stays the same as long as the administrator only selects objects for viewing:
The SAM Client requests the data.
The SAM Business Server retrieves it from the database.
The SAM Client presents it.
The administrator's next step is to open a User Edit Window for a single user. This
window provides - among others - the functions for creating new accounts. The administrator issues the New Account command and specifies an aConnect target system. The
SAM Client presents an empty Account Panel, which has to be filled in and submitted
for implementation. When the administrator clicks the Submit button, the SAM Client
sends the update job to the server, which processes it within its own scope and then relays
it to SAM:

SAM processes the update job. It inserts the account data into the SAM database and calls
the Master Courier to implement it in the application that is represented as an aConnect
target system. The Master Courier relays the update job to the proper application
platform, where it is received by an Agent. The Agent updates the application database.
As a result, the new account exists in SAM and in the application.

The processing steps for update jobs are always the same:
SAM updates the target system image in the SAM database.
An Agent executes the update in the target system.
The communication chain for target system updates is: Engine -> Master Courier ->
Agent.
The successful completion of an update job requires that both parts be implemented without errors. The SAM database must always be consistent with the application database.
Otherwise, the job is cancelled and the administrator receives an error message.

The above scenario does not mention Consistency Maintenance. This batch utility is not
involved in regular security administration. It serves the following purpose:
Consistency Maintenance compares SAM's image of the application and the actual application data, more exactly the administration layer. The utility finds inconsistencies and
can repair the administration layer.
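
The update-job rule and the Consistency Maintenance comparison described above, modeled as an added Python example (not code from SAM Enterprise or from this manual). The names `Store`, `Agent`, `run_update_job`, `compare` and `repair`, the record keys and the sample data are hypothetical, and treating the SAM image as the authoritative side during repair is an assumption.

```python
"""Toy model of the two-part update job and of a consistency check (added example)."""
from dataclasses import dataclass, field


class AgentError(Exception):
    """Raised when the hypothetical agent cannot apply an update."""


@dataclass
class Store:
    """Keyed records: either the SAM image or the application's administration layer."""
    records: dict = field(default_factory=dict)


@dataclass
class Agent:
    """Stand-in for the Agent that writes to the application database."""
    app: Store
    fail_on: set = field(default_factory=set)  # keys for which the update fails

    def apply(self, key, data):
        if key in self.fail_on:
            raise AgentError(f"agent rejected {key}")
        self.app.records[key] = dict(data)


def run_update_job(image, agent, key, data):
    """Apply one update to both sides; cancel it entirely if the second part fails."""
    had_previous = key in image.records
    previous = image.records.get(key)
    image.records[key] = dict(data)        # part 1: image in the SAM database
    try:
        agent.apply(key, data)             # part 2: Engine -> Master Courier -> Agent
    except AgentError as exc:
        # Cancel the job: restore the image so it never runs ahead of the application.
        if had_previous:
            image.records[key] = previous
        else:
            del image.records[key]
        return False, str(exc)
    return True, "ok"


def compare(image, app):
    """List every key on which the image and the administration layer differ."""
    findings = []
    for key in sorted(image.records.keys() | app.records.keys()):
        in_image, in_app = key in image.records, key in app.records
        if in_image and not in_app:
            findings.append((key, "missing_in_application"))
        elif in_app and not in_image:
            # A right that exists only in the application was granted out of band.
            findings.append((key, "unknown_to_image"))
        elif image.records[key] != app.records[key]:
            findings.append((key, "attribute_mismatch"))
    return findings


def repair(image, app):
    """Bring the administration layer back in line with the image (assumed direction)."""
    for key, kind in compare(image, app):
        if kind == "unknown_to_image":
            del app.records[key]
        else:
            app.records[key] = dict(image.records[key])
    return compare(image, app)


def demo():
    """Run two update jobs, introduce constructed drift, then compare and repair."""
    image, app = Store(), Store()
    agent = Agent(app, fail_on={("account", "BROKEN")})
    ok1 = run_update_job(image, agent, ("account", "JDOE"), {"status": "active"})
    ok2 = run_update_job(image, agent, ("account", "BROKEN"), {"status": "active"})
    # Constructed drift: changes made directly in the application, bypassing SAM.
    app.records[("account", "JDOE")]["status"] = "revoked"
    app.records[("membership", "JDOE/ADMINS")] = {"granted_by": "local admin"}
    before = compare(image, app)
    after = repair(image, app)
    return ok1, ok2, before, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The `unknown_to_image` finding is the one to review before any repair, because it marks a membership or authorization that was never administered through the central system.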

Key Conversion
SAM aConnect does not need any particular key conversion because the administration layer and
the image data share the same key design. However, the following aspect is worth mentioning
in this context:
SAM aConnect creates artificial keys for all attribute values and for the authorization matrix in
resource group connections.

aConnect Business Objects


This chapter introduces the business objects provided by SAM aConnect, SAM's component
for application-specific security administration. Business objects form the foundation for security
administration in SAM. They encapsulate the application-specific data structures and make
them appear as integral parts of SAM. From a technical point of view, SAM merely handles
business objects, regardless of whether you use the graphical user interface (GUI), the Import
Interface, or a customer-developed program.
The layer in SAM that contains the business objects is transparent to normal security administrators. This chapter is aimed at people responsible for configuration, systems administration,
internal security, etc. The first page lists the business objects. The remainder of the chapter
provides background information, organized into four parts:
Normal Objects introduces the business objects representing objects in an application
system. This applies to accounts, groups, resources, resource groups, and the entire
aConnect system.
Role-Based Objects introduces the business objects supporting role-based access control (RBAC). These objects exist only in SAM. They do not correspond to objects in an
application system.
Templates introduces the business objects serving as templates when creating normal
objects of the respective type. Again, these objects exist only in SAM. They do not
correspond to objects in an application system.
Defaults introduces the business objects serving as prototypes in cases where a template
is not specified. These objects count as part of the installation.
The chapter provides references to correlated parts in other manuals. In particular, these references point to descriptions of the data panels (in the SAM Enterprise User Manual ) and
Import Interface structures (in the SAM Enterprise Operations Manual ).

Objects List
This section lists the business objects of SAM aConnect, in the order in which they are documented in more detail in the subsequent sections. See Legend for an explanation of the entry
lines and hyperlinks per business object.

aConnect Account General Data

Name: aConnect Account General Data


Logic: A user in an aConnect system
BO ID:ACON Account Active
BO Links:Logic Panel Import ACONUS
aConnect Account Attributes

Name: aConnect Account Attribute


Logic: An attribute reference for the owning user
BO ID:ACON Account Active Attr
BO Links:Logic Panel Import ACONUSA
aConnect Account Attribute Values

Name: aConnect Account Attribute Value


Logic: A value definition for the owning attribute of the owning user
BO ID:ACON Account Active Attr Value
BO Links:Logic Panel Import ACONUSAV
aConnect Group Connection (Account) General Data

Name: aConnect Group Connection (Account) General Data


Logic: A membership of a user in a group
BO ID:ACON GroupConnection Active
BO Links:Logic Panel Import ACONUMS
aConnect Group Connection (Account) Attributes

Name: aConnect Group Connection (Account) Attribute


Logic: An attribute reference for the owning membership
BO ID:ACON GroupConnection Active Attr
BO Links:Logic Panel Import ACONUMSA
aConnect Group Connection (Account) Attribute Values

Name: aConnect Group Connection (Account) Attribute Value


Logic: A value definition for the owning attribute of the owning membership
BO ID:ACON GroupConnection Active Attr Value
BO Links:Logic Panel Import ACONUMSAV
aConnect Resource Group Connection (Account) General Data

Name: aConnect Resource Group Connection (Account) General Data


Logic: A framework for a user's access rights toward resources
BO ID:ACON Authorization Active
BO Links:Logic Panel Import ACONAU
aConnect Resource Group Connection (Account) Authorization

Name: aConnect Resource Group Connection (Account) Authorization


Logic: A specific access right definition for a user's access toward resources
BO ID:ACON Authorization Active Au
BO Links:Logic Panel Import ACONAUA
aConnect Group General Data

Name: aConnect Group General Data


Logic: A group in an aConnect system
BO ID:ACON Group Active
BO Links:Logic Panel Import ACONUG
aConnect Group Forbidden Groups

Name: aConnect Group Forbidden Group


Logic: A definition of mutually exclusive group memberships
BO ID:ACON Group Active Deny
BO Links:Logic Panel Import ACONUGD
aConnect Group Attributes

Name: aConnect Group Attribute


Logic: An attribute reference for the owning group
BO ID:ACON Group Active Attr
BO Links:Logic Panel Import ACONUGA
aConnect Group Attribute Values

Name: aConnect Group Attribute Value


Logic: A value definition for the owning attribute of the owning group
BO ID:ACON Group Active Attr Value
BO Links:Logic Panel Import ACONUGAV
aConnect Resource Group Connection (Group) General Data

Name: aConnect Resource Group Connection (Group) General Data


Logic: A framework for a group's access rights toward resources
BO ID:ACON Authorization Active
BO Links:Logic Panel Import ACONAU
aConnect Resource Group Connection (Group) Authorization

Name: aConnect Resource Group Connection (Group) Authorization


Logic: A specific access right definition for a group's access toward resources
BO ID:ACON Authorization Active Au
BO Links:Logic Panel Import ACONAUA
aConnect Access Resource General Data

Name: aConnect Access Resource General Data


Logic: A data-accessing object (e.g., process) in an aConnect system
BO ID:ACON Resource Active Process
BO Links:Logic Panel Import ACONRS
aConnect Access Resource Rules

Name: aConnect Access Resource Rule


Logic: A rule definition for a data-accessing object (e.g., a process scope)
BO ID:ACON Resource Active Process R
BO Links:Logic Panel Import ACONRSR
aConnect Access Resource Rule Attributes

Name: aConnect Access Resource Rule Attribute


Logic: An attribute reference for the owning rule
BO ID:ACON Resource Active Process R C Attr
BO Links:Logic Panel Import ACONRSRA
aConnect Access Resource Rule Attribute Values

Name: aConnect Access Resource Rule Attribute Value


Logic: A value definition for the owning attribute of the owning rule
BO ID:ACON Resource Active Process R C Attr Value
BO Links:Logic Panel Import ACONRSRAV
aConnect Access Resource Group Connection (Resource) General Data

Name: aConnect Access Resource Group Connection (Resource)


Logic: A membership of a data-accessing object in a container for such resources
BO ID:ACON ResourceGroupConnection Active PF
BO Links:Logic Panel Import ACONRMS
aConnect Object Resource General Data

Name: aConnect Object Resource General Data


Logic: A data object (e.g., contract) in an aConnect system
BO ID:ACON Resource Active Object
BO Links:Logic Panel Import ACONRS
aConnect Object Resource Rules

Name: aConnect Object Resource Rule


Logic: A rule definition for a data object (e.g., a transaction limit)
BO ID:ACON Resource Active Object R
BO Links:Logic Panel Import ACONRSR
aConnect Object Resource Rule Attributes

Name: aConnect Object Resource Rule Attribute


Logic: An attribute reference for the owning rule
BO ID:ACON Resource Active Object R C Attr
BO Links:Logic Panel Import ACONRSRA
aConnect Object Resource Rule Attribute Values

Name: aConnect Object Resource Rule Attribute Value


Logic: A value definition for the owning attribute of the owning rule
BO ID:ACON Resource Active Object R C Attr Value
BO Links:Logic Panel Import ACONRSRAV
aConnect Object Resource Group Connection (Resource) General Data

Name: aConnect Object Resource Group Connection (Resource)


Logic: A membership of a data object in a container for such resources
BO ID:ACON ResourceGroupConnection Active OF
BO Links:Logic Panel Import ACONRMS
aConnect Access Resource Group General Data

Name: aConnect Access Resource Group General Data


Logic: A container for data-accessing resources in an aConnect system
BO ID:ACON ResourceGroup Active PF
BO Links:Logic Panel Import ACONRG
aConnect Access Resource Group Forbidden Groups

Name: aConnect Access Resource Group Forbidden Group


Logic: A definition of mutually exclusive access rights toward resource containers
BO ID:ACON ResourceGroup Active PF Deny
BO Links:Logic Panel Import ACONRGD
aConnect Object Resource Group General Data

Name: aConnect Object Resource Group General Data


Logic: A container for data resources in an aConnect system
BO ID:ACON ResourceGroup Active OF
BO Links:Logic Panel Import ACONRG
aConnect Object Resource Group Forbidden Groups

Name: aConnect Object Resource Group Forbidden Group


Logic: A definition of mutually exclusive access rights toward resource containers
BO ID:ACON ResourceGroup Active OF Deny
BO Links:Logic Panel Import ACONRGD
aConnect Target System aConnect Data

Name: aConnect Target System aConnect Data


Logic: An aConnect system (e.g., an application)
BO ID:ACON TargetSystem Active
BO Links:Logic Panel Import ACONTS
aConnect Target System Classes

Name: aConnect Target System Class


Logic: A resource class definition in the owning system
BO ID:ACON TargetSystem Active Class
BO Links:Logic Panel Import ACONTSC
aConnect Target System Class Attributes

Name: aConnect Target System Class Attribute


Logic: An attribute definition within the owning class
BO ID:ACON TargetSystem Active Class Attr
BO Links:Logic Panel Import ACONTSCA
aConnect Target System Class Attribute Values

Name: aConnect Target System Class Attribute Value


Logic: A value definition of the owning attribute within the owning class
BO ID:ACON TargetSystem Active Class Attr Value
BO Links:Logic Panel Import ACONTSCV
aConnect Target System Class Attribute References

Name: aConnect Target System Class Attribute Reference


Logic: A reference definition of the owning attribute within the owning class
BO ID:ACON TargetSystem Active Class Attr Ref
BO Links:Logic Panel Import ACONTSCR
aConnect Target System Allowed Classes

Name: aConnect Target System Allowed Class


Logic: A resource class status definition in the owning system
BO ID:ACON TargetSystem Active Class Comp
BO Links:Logic Panel Import ACONTSCD
aConnect Group Connections (Role) General Data

Name: aConnect Group Connection (Role)


Logic: A membership of a role in a group
BO ID:ACON GroupConnection Role
BO Links:Logic Panel Import ACONUMS
aConnect Generic Group Connections (Role) General Data

Name: aConnect Generic Group Connection (Role)


Logic: The generic version of an aConnect group connection (role)
BO ID:ACON GroupConnection Role
BO Links:Logic Panel Import ACONUMS
aConnect Joker Group Connections (Role) General Data

Name: aConnect Joker Group Connection (Role)


Logic: Connection between a role and an aConnect joker group
BO ID:Base GroupConnection Role Joker
BO Links:Logic Panel Import ACONUMS
aConnect Generic Joker Group Connections (Role) General Data

Name: aConnect Generic Group Connection (Role)


Logic: The generic version of an aConnect joker group connection (role)
BO ID:Base GenGroupConnection Role Joker
BO Links:Logic Panel Import ACONUMS
aConnect Account Template General Data

Name: aConnect Account Template General Data


Logic: A customer template for an aConnect account general data
BO ID:ACON Account Template
BO Links:Logic Panel Import ACONUS
aConnect Account Template Attributes

Name: aConnect Account Template Attribute


Logic: A customer template for an aConnect account attribute
BO ID:ACON Account Template Attr
BO Links:Logic Panel Import ACONUSA
aConnect Account Template Attribute Values

Name: aConnect Account Template Attribute Value


Logic: A customer template for an aConnect account attribute value
BO ID:ACON Account Template Attr Value
BO Links:Logic Panel Import ACONUSAV
aConnect Group Connection (Account Template) General Data

Name: aConnect Group Connection (Account Template) General Data


Logic: A customer template for an aConnect group connection (account) general data
BO ID:ACON GroupConnection Template
BO Links:Logic Panel Import ACONUMS
aConnect Group Connection (Account Template) Attributes

Name: aConnect Group Connection (Account Template) Attribute


Logic: A customer template for an aConnect group connection (account) attribute
BO ID:ACON GroupConnection Template Attr
BO Links:Logic Panel Import ACONUMSA
aConnect Group Connection (Account Template) Attribute Values

Name: aConnect Group Connection (Account Template) Attribute Value


Logic: A customer template for an aConnect group connection (account) attribute value
BO ID:ACON GroupConnection Template Attr Value
BO Links:Logic Panel Import ACONUMSAV
aConnect Resource Group Connection (Account Template) General Data

Name: aConnect Resource Group Connection (Account Template) General Data


Logic: A customer template for an aConnect resource group connection (account) general
data
BO ID:ACON Authorization Template
BO Links:Logic Panel Import ACONAU
aConnect Resource Group Connection (Account Template) Authorizations

Name: aConnect Resource Group Connection (Account Template) Authorization


Logic: A customer template for an aConnect resource group connection (account) authorization
BO ID:ACON Authorization Template Au
BO Links:Logic Panel Import ACONAUA
aConnect Group Template General Data

Name: aConnect Group Template General Data


Logic: A customer template for an aConnect group general data
BO ID:ACON Group Template
BO Links:Logic Panel Import ACONUG
aConnect Group Template Forbidden Groups

Name: aConnect Group Template Forbidden Group


Logic: A customer template for an aConnect group forbidden group
BO ID:ACON Group Template Deny
BO Links:Logic Panel Import ACONUGD
aConnect Group Template Attributes

Name: aConnect Group Template Attribute


Logic: A customer template for an aConnect group attribute
BO ID:ACON Group Template Attr
BO Links:Logic Panel Import ACONUGA
aConnect Group Template Attribute Values

Name: aConnect Group Template Attribute Value


Logic: A customer template for an aConnect group attribute value
BO ID:ACON Group Template Attr Value
BO Links:Logic Panel Import ACONUGAV
aConnect Resource Group Connection (Group Template) General Data

Name: aConnect Resource Group Connection (Group Template) General Data


Logic: A customer template for an aConnect resource group connection (group) general
data
BO ID:ACON Authorization Template
BO Links:Logic Panel Import ACONAU
aConnect Resource Group Connection (Group Template) Authorizations

Name: aConnect Resource Group Connection (Group Template) Authorization


Logic: A customer template for an aConnect resource group connection (group) authorization
BO ID:ACON Authorization Template Au
BO Links:Logic Panel Import ACONAUA
aConnect Access Resource Template General Data

Name: aConnect Access Resource Template General Data


Logic: A customer template for an aConnect access resource general data
BO ID:ACON Resource Template Process
BO Links:Logic Panel Import ACONRS
aConnect Access Resource Template Rules

Name: aConnect Access Resource Template Rule


Logic: A customer template for an aConnect access resource rule
BO ID:ACON Resource Template Process R
BO Links:Logic Panel Import ACONRSR
aConnect Access Resource Template Rule Attributes

Name: aConnect Access Resource Template Rule Attribute


Logic: A customer template for an aConnect access resource rule attribute
BO ID:ACON Resource Template Process R C Attr
BO Links:Logic Panel Import ACONRSRA
aConnect Access Resource Template Rule Attribute Values

Name: aConnect Access Resource Template Rule Attribute Value


Logic: A customer template for an aConnect access resource rule attribute value
BO ID:ACON Resource Template Process R C Attr Value
BO Links:Logic Panel Import ACONRSRAV
aConnect Access Resource Group Connection (Resource Template) General Data

Name: aConnect Access Resource Group Connection (Resource Template)


Logic: A customer template for an aConnect access resource group connection (resource)
BO ID:ACON ResourceGroupConnection Template PF
BO Links:Logic Panel Import ACONRMS
aConnect Object Resource Template General Data

Name: aConnect Object Resource Template General Data


Logic: A customer template for an aConnect object resource general data
BO ID:ACON Resource Template Object
BO Links:Logic Panel Import ACONRS
aConnect Object Resource Template Rules

Name: aConnect Object Resource Template Rule


Logic: A customer template for an aConnect object resource rule
BO ID:ACON Resource Template Object R
BO Links:Logic Panel Import ACONRSR
aConnect Object Resource Template Rule Attributes

Name: aConnect Object Resource Template Rule Attribute


Logic: A customer template for an aConnect object resource rule attribute
BO ID:ACON Resource Template Object R C Attr
BO Links:Logic Panel Import ACONRSRA
aConnect Object Resource Template Rule Attribute Values

Name: aConnect Object Resource Template Rule Attribute Value


Logic: A customer template for an aConnect object resource rule attribute value
BO ID:ACON Resource Template Object R C Attr Value
BO Links:Logic Panel Import ACONRSRAV
aConnect Object Resource Group Connection (Resource Template) General Data

Name: aConnect Object Resource Group Connection (Resource Template)


Logic: A customer template for an aConnect object resource group connection (resource)
BO ID:ACON ResourceGroupConnection Template OF
BO Links:Logic Panel Import ACONRMS
aConnect Access Resource Group Template General Data

Name: aConnect Access Resource Group Template General Data


Logic: A customer template for an aConnect access resource group general data
BO ID:ACON ResourceGroup Template PF
BO Links:Logic Panel Import ACONRG
aConnect Access Resource Group Template Forbidden Groups

Name: aConnect Access Resource Group Template Forbidden Group


Logic: A customer template for an aConnect access resource group forbidden group
BO ID:ACON ResourceGroup Template PF Deny
BO Links:Logic Panel Import ACONRGD
aConnect Object Resource Group Template General Data

Name: aConnect Object Resource Group Template General Data


Logic: A customer template for an aConnect object resource group general data
BO ID:ACON ResourceGroup Template OF
BO Links:Logic Panel Import ACONRG
aConnect Object Resource Group Template Forbidden Groups

Name: aConnect Object Resource Group Template Forbidden Group


Logic: A customer template for an aConnect object resource group forbidden group
BO ID:ACON ResourceGroup Template OF Deny
BO Links:Logic Panel Import ACONRGD
aConnect Account Defaults General Data

Name: aConnect Account Defaults General Data


Logic: A manufacturer template for an aConnect account general data
BO ID:ACON Account Template
BO Links:Logic Panel Import ACONUS
aConnect Account Defaults Attribute

Name: aConnect Account Template Attribute


Logic: A manufacturer template for an aConnect account attribute
BO ID:ACON Account Template Attr
BO Links:Logic Panel Import ACONUSA
aConnect Account Defaults Attribute Value

Name: aConnect Account Template Attribute Value


Logic: A manufacturer template for an aConnect account attribute value
BO ID:ACON Account Template Attr Value
BO Links:Logic Panel Import ACONUSAV
aConnect Group Connection (Account Defaults) General Data

Name: aConnect Group Connection (Account Defaults) General Data


Logic: A manufacturer template for an aConnect group connection (account) general data
BO ID:ACON GroupConnection Template Template
BO Links:Logic Panel Import ACONUMS
aConnect Group Connection (Account Defaults) Attributes

Name: aConnect Group Connection (Account Defaults) Attribute


Logic: A manufacturer template for an aConnect group connection (account) attribute
BO ID:ACON GroupConnection Template Template Attr
BO Links:Logic Panel Import ACONUMSA
aConnect Group Connection (Account Defaults) Attribute Values

Name: aConnect Group Connection (Account Defaults) Attribute Value


Logic: A manufacturer template for an aConnect group connection (account) attribute value
BO ID:ACON GroupConnection Template Template Attr Value
BO Links:Logic Panel Import ACONUMSAV
aConnect R.Group Connection (Account Defaults) General Data

Name: aConnect Resource Group Connection (Account Defaults) General Data


Logic: A manufacturer template for an aConnect resource group connection (account) general data
BO ID:ACON Authorization Template Template
BO Links:Logic Panel Import ACONAU
aConnect R.Group Connection (Account Defaults) Authorization

Name: aConnect Resource Group Connection (Account Defaults) Authorization


Logic: A manufacturer template for an aConnect resource group connection (account) authorization
BO ID:ACON Authorization Template Template Au
BO Links:Logic Panel Import ACONAUA
aConnect Group Defaults General Data

Name: aConnect Group Defaults General Data


Logic: A manufacturer template for an aConnect group general data
BO ID:ACON Group Template
BO Links:Logic Panel Import ACONUG
aConnect Group Defaults Forbidden Group

Name: aConnect Group Defaults Forbidden Group


Logic: A manufacturer template for an aConnect group forbidden group
BO ID:ACON Group Template Deny
BO Links:Logic Panel Import ACONUGD
aConnect Group Defaults Attribute

Name: aConnect Group Defaults Attribute


Logic: A manufacturer template for an aConnect group attribute
BO ID:ACON Group Template Attr
BO Links:Logic Panel Import ACONUGA
aConnect Group Defaults Attribute Value

Name: aConnect Group Defaults Attribute Value


Logic: A manufacturer template for an aConnect group attribute value
BO ID:ACON Group Template Attr Value
BO Links:Logic Panel Import ACONUGAV
aConnect R.Group Connection (Group Defaults) General Data

Name: aConnect Resource Group Connection (Group Defaults) General Data


Logic: A manufacturer template for an aConnect resource group connection (group) general
data
BO ID:ACON Authorization Template Template
BO Links:Logic Panel Import ACONAU
aConnect R.Group Connection (Group Defaults) Authorization

Name: aConnect Resource Group Connection (Group Defaults) Authorization


Logic: A manufacturer template for an aConnect resource group connection (group) authorization
BO ID:ACON Authorization Template Template Au
BO Links:Logic Panel Import ACONAUA
aConnect Access Resource Defaults General Data

Name: aConnect Access Resource Defaults General Data


Logic: A manufacturer template for an aConnect access resource general data
BO ID:ACON Resource Template Process
BO Links:Logic Panel Import ACONRS
aConnect Access Resource Defaults Rule

Name: aConnect Access Resource Defaults Rule


Logic: A manufacturer template for an aConnect access resource rule
BO ID:ACON Resource Template Process R
BO Links:Logic Panel Import ACONRSR
aConnect Access Resource Defaults Rule Attribute

Name: aConnect Access Resource Defaults Rule Attribute


Logic: A manufacturer template for an aConnect access resource rule attribute
BO ID:ACON Resource Template Process R C Attr
BO Links:Logic Panel Import ACONRSRA
aConnect Access Resource Defaults Rule Attribute Value

Name: aConnect Access Resource Defaults Rule Attribute Value


Logic: A manufacturer template for an aConnect access resource rule attribute value
BO ID:ACON Resource Template Process R C Attr Value
BO Links:Logic Panel Import ACONRSRAV
aConnect Access Resource Group Connection (Resource Defaults)

Name: aConnect Access Resource Group Connection (Resource Defaults)


Logic: A manufacturer template for an aConnect access resource group connection (resource)
BO ID:ACON ResourceGroupConnection Template PF2
BO Links:Logic Panel Import ACONRMS
aConnect Object Resource Defaults General Data

Name: aConnect Object Resource Defaults General Data


Logic: A manufacturer template for an aConnect object resource general data
BO ID:ACON Resource Template Object
BO Links:Logic Panel Import ACONRS
aConnect Object Resource Defaults Rule

Name: aConnect Object Resource Defaults Rule


Logic: A manufacturer template for an aConnect object resource rule
BO ID:ACON Resource Template Object R
BO Links:Logic Panel Import ACONRSR
aConnect Object Resource Defaults Rule Attribute

Name: aConnect Object Resource Defaults Rule Attribute


Logic: A manufacturer template for an aConnect object resource rule attribute
BO ID:ACON Resource Template Object R C Attr
BO Links:Logic Panel Import ACONRSRA
aConnect Object Resource Defaults Rule Attribute Value

Name: aConnect Object Resource Defaults Rule Attribute Value


Logic: A manufacturer template for an aConnect object resource rule attribute value
BO ID:ACON Resource Template Object R C Attr Value
BO Links:Logic Panel Import ACONRSRAV
aConnect Object Resource Group Connection (Resource Defaults)

Name: aConnect Object Resource Group Connection (Resource Defaults)


Logic: A manufacturer template for an aConnect object resource group connection (resource)
BO ID:ACON ResourceGroupConnection Template OF2
BO Links:Logic Panel Import ACONRMS
aConnect Access Resource Group Defaults General Data

Name: aConnect Access Resource Group Defaults General Data


Logic: A manufacturer template for an aConnect access resource group general data
BO ID:ACON ResourceGroup Template PF
BO Links:Logic Panel Import ACONRG
aConnect Access Resource Group Defaults Forbidden Group

Name: aConnect Access Resource Group Defaults Forbidden Group


Logic: A manufacturer template for an aConnect access resource group forbidden group
BO ID:ACON ResourceGroup Template PF Deny
BO Links:Logic Panel Import ACONRGD
aConnect Object Resource Group Defaults General Data

Name: aConnect Object Resource Group Defaults General Data


Logic: A manufacturer template for an aConnect object resource group general data
BO ID:ACON ResourceGroup Template OF
BO Links:Logic Panel Import ACONRS
aConnect Object Resource Group Defaults Forbidden Group

Name: aConnect Object Resource Group Defaults Forbidden Group


Logic: A manufacturer template for an aConnect object resource group forbidden group
BO ID:ACON ResourceGroup Template OF Deny
BO Links:Logic Panel Import ACONRGD
aConnect Target System Defaults aConnect Data

Name: aConnect Target System Defaults aConnect Data


Logic: A manufacturer template for an aConnect target system aConnect data
BO ID:ACON TargetSystem Template
BO Links:Logic Panel Import ACONTS
aConnect Target System Defaults Class

Name: aConnect Target System Defaults Class


Logic: A manufacturer template for an aConnect target system class
BO ID:ACON TargetSystem Template Class
BO Links:Logic Panel Import ACONTSC
aConnect Target System Defaults Class Attribute

Name: aConnect Target System Defaults Class Attribute


Logic: A manufacturer template for an aConnect target system class attribute
BO ID:ACON TargetSystem Template Class Attr
BO Links:Logic Panel Import ACONTSCA
aConnect Target System Defaults Class Attribute Value

Name: aConnect Target System Defaults Class Attribute Value


Logic: A manufacturer template for an aConnect target system class attribute value
BO ID:ACON TargetSystem Template Class Attr Value
BO Links:Logic Panel Import ACONTSCV
aConnect Target System Defaults Class Attribute Reference

Name: aConnect Target System Defaults Class Attribute Reference


Logic: A manufacturer template for an aConnect target system class attribute reference
BO ID:ACON TargetSystem Template Class Attr Ref
BO Links:Logic Panel Import ACONTSCR
aConnect Target System Defaults Allowed Class

Name: aConnect Target System Defaults Allowed Class


Logic: A manufacturer template for an aConnect target system allowed class
BO ID:ACON TargetSystem Template Class Comp
BO Links:Logic Panel Import ACONTSCD
aConnect Help Desk Account

Name: aConnect Help Desk Account


Logic: Help Desk version of an aConnect account
BO ID:ACON Account Helpdesk
BO Links:Logic Panel Import ACONUS

Normal Objects
A business object in SAM Enterprise is called normal if it does not belong to any of the special
object categories. A normal object is one of the objects that exist in the system for which
security administration is performed using SAM. Normal objects can be defined as follows:
Normal objects are not role-based objects, which are used to perform role-based access
control (RBAC).
Normal objects are not templates, which are customer-defined prototypes and blueprints
for creating normal objects.
Normal objects are not defaults objects, which are the manufacturer-provided prototypes
for creating objects when no template is available or specified.
Normal objects are not special, technical, or service objects, such as Help Desk accounts
- the account version used for Help Desk services.

aConnect Accounts
The business object aConnect account represents a user in the application that is represented
as an aConnect target system. The diagram below shows the relationships between aConnect
accounts and other business objects.

In SAM terminology, accounts are image objects because they mirror the data structures in a
specific type of target system. SAM uses the following business objects to represent aConnect
accounts:
- aConnect account general data
- aConnect account attribute
- aConnect account attribute value

aConnect accounts have two mandatory relationships to business objects at enterprise level:
- Each aConnect account belongs to a user - the one represented by the account in an
  external system.
- Each aConnect account is defined in a specific aConnect target system - the one in which
  the user is defined.
At image level, an aConnect account can have the following relationships to other business
objects for the purpose of receiving access rights:
- A connection to an aConnect group grants the group's access rights to the account.
- A connection to a pair of resource groups - an aConnect access resource group and an aConnect
  object resource group - grants direct access rights to the resources that are members in these
  resource groups.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
account:
aConnect account
The representation of a user in an aConnect target system.
aConnect account template
A customer-specific prototype for creating aConnect accounts.
aConnect account defaults
The manufacturer-provided default prototype for creating aConnect accounts.

aConnect Account General Data


The business object aConnect account general data is the main object of an account in an
aConnect target system. It contains general information about the account, such as the account
ID, the access code, etc.
See SAM Enterprise Business Object Reference: Administering Accounts for a summary of
functions for creating, modifying, and deleting accounts. These functions apply to aConnect
accounts as described.

aConnect Account Attributes


The business object aConnect account attribute defines an attribute assignment for the owning
account. An account can have any number of attributes assigned, as long as these assignments
meet the following conditions:
- The attribute can cover any purpose. Typically, an account attribute defines access-relevant
  information. For example, an attribute Limit might specify the maximum transaction value
  up to which a particular user is authorized without requiring approval from another person
  in the organization.
- It is only possible to assign attributes that are defined in the target system. This means that
  the same attribute must be defined in any of the classes of the target system.
- A particular attribute, which is defined by its attribute ID and by the class to which it
  belongs, can only be assigned once. Additional variations can be specified only at attribute
  value level.

Under the two above conditions, it is possible to manually assign any attribute that is defined
in the target system and appears in the selection list for the assignable attributes. However,
in a well-configured target system, important account attributes are assigned automatically
when creating the account. This effect is achieved through attribute references that are
defined in the target system. See Automatic Attribute Assignments for a detailed discussion
of this topic.
See SAM Enterprise Business Object Reference: Administering Accounts for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect account attributes, the functions listed under Multiple Dependants are applicable
with the restrictions as explained above.
aConnect Account Attribute Values
The business object aConnect account attribute value defines the owning account's value for the
owning attribute. If the attribute is defined with a value range or a list of valid values, the value
here must meet this condition.
If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to an account must hold at least one attribute value. Whether
an account can have more than one value for the same attribute assignment depends on the
attribute definition.
See SAM Enterprise Business Object Reference: Administering Accounts for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect account attribute values, the functions listed under Single Dependants or those
listed under Multiple Dependants can be applicable, depending on the attribute nature.

aConnect Group Connections (Account)


In SAM terminology, the business object aConnect group connection (account) represents
a connection between an aConnect account and an aConnect group. In the terminology of the
represented application, this is equivalent to a user's membership in a group that provides access
rights toward certain resources. The diagram below shows the relationships between aConnect
group connections for accounts and other business objects.

In SAM terminology, group connections are image objects because they mirror the data structures
in a specific type of target system. SAM uses the following data objects to represent
aConnect group connections for accounts:
- aConnect account general data
- aConnect account attribute
- aConnect account attribute value
Such connections have relationships to two other necessary objects: an aConnect account and
an aConnect group. Both must exist before the group connection can be created.
The relationship between accounts and groups in SAM is nearly symmetrical. A connection can
be created from both sides. The connection counts as property of both the account and the group.
This is expressed in SAM's graphical user interface (GUI) by presenting group connections for
accounts as dependants of both the account and the group. There is one difference between the
two perspectives. While deleting an account automatically deletes all of its group connections,
a group can only be deleted if it has no account connections. The presence of at least one such
connection prevents deletion. In this sense, aConnect does not differ from other target system
interfaces in SAM.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group connection:
aConnect group connection (account)
An aConnect account's assignment to an aConnect group.
aConnect group connection (account template)
A customer-specific prototype for creating aConnect group connections (account).
aConnect group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect group connections (account).
aConnect group connection (role)
A role's prototype for creating and controlling aConnect group connections (account).
aConnect Group Connections (Account) General Data
The business object aConnect group connection (account) general data is the main object of a
group connection for an account in an aConnect target system. It contains general information
about the connection, such as the account and the group ID, the access code, etc.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account)
for a summary of functions for creating, modifying, and deleting such business objects. These
functions apply to aConnect group connections for accounts as described.
aConnect Group Connections (Account) Attributes
The business object aConnect group connection (account) attribute defines an attribute assignment
for the owning group connection. A group connection can have any number of attributes assigned,
as long as these assignments meet the following conditions:
- The attribute can cover any purpose. Typically, a group connection attribute defines
  access-relevant information. For example, an attribute Limit might specify the maximum
  transaction value up to which a particular user is authorized without requiring approval from
  another person in the organization. If such an attribute is assigned to a group connection, it
  applies to the data objects that are accessible through the group connection, rather than to
  the user in general.
- It is only possible to assign attributes that are defined in the target system. This means that
  the same attribute must be defined in any of the classes of the target system.
- A particular attribute, which is defined by its attribute ID and by the class to which it
  belongs, can be assigned only once. Additional variations can be specified only at attribute
  value level.

Under the two above conditions, it is possible to manually assign any attribute that is defined
in the target system and appears in the selection list for the assignable attributes. However,
in a well-configured target system, important group connection attributes are assigned
automatically when creating the connection. This effect is achieved through attribute references
that are defined in the target system. See Automatic Attribute Assignments for a detailed
discussion of this topic.

See SAM Enterprise Business Object Reference: Administering Group Connections (Account)
for a summary of functions for creating, modifying, and deleting such business objects and their
dependent data. For aConnect group connection (account) attributes, the functions listed under
Multiple Dependants are applicable with the restrictions as explained above.

aConnect Group Connections (Account) Attribute Values
The business object aConnect group connection (account) attribute value defines the owning group
connection's value for the owning attribute. If the attribute is defined with a value range or a
list of valid values, the value here must meet this condition.
If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to a group connection must hold at least one attribute value.
It depends on the attribute definition whether a group connection can have more than one value
for the same attribute assignment.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account)
for a summary of functions for creating, modifying, and deleting such business objects and
their dependent data. For aConnect group connection (account) attribute values, the functions
listed under Single Dependants or those listed under Multiple Dependants can be applicable,
depending on the attribute nature.

aConnect Resource Group Connections (Account)

In SAM terminology, the business object aConnect resource group connection (account)
represents a triple connection between an aConnect account, an aConnect access resource group,
and an aConnect object resource group. In the terminology of the represented application, this
is equivalent to a user's access matrix that involves certain access resources for the access method
and certain object resources for the accessed data. The diagram below shows the relationships
between aConnect resource group connections for accounts and other business objects.

In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. SAM uses the following data objects to represent
aConnect resource group connections for accounts:
- aConnect account general data
- aConnect account authorization
aConnect resource group connections for accounts have relationships to the three necessary
objects that are already indicated by the name: an aConnect account, an aConnect access
resource group, and an aConnect object resource group. All three of them must exist before the
connection can be created.
The relationship between accounts and resource groups in SAM is asymmetrical. This is because
at the resource group side there must always be a pair with one resource group of each type,
access and object. However, despite this asymmetrical nature, SAM's graphical user interface
(GUI) presents such connections as dependants for each of the three involved business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect account's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect group's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (group template)
A customer-specific prototype for creating aConnect resource group connections (group).
aConnect resource group connection (group defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (group).
Note: Also be sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Resource Group Connections (Account) General Data
The business object aConnect resource group connection (account) general data is the main object
of a resource group connection for an account in an aConnect target system. It contains general
information about the connection, such as the account and the resource group IDs, the access
code, etc. From the application perspective, the connection alone - without authorizations as
dependants - is equivalent to an empty access matrix in which the access resources represent the
rows and the object resources represent the columns.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account) for a summary of functions for creating, modifying, and deleting such business objects.
These functions apply to aConnect resource group connections for accounts as described, however
under the additional condition that this is a triple connection in which there is always a balanced
pair of resource groups - access and object - at the other side.
aConnect Resource Group Connections (Account) Authorization
The business object aConnect resource group connection (account) authorization defines a single
authorization in the access matrix that is represented by the resource group connection altogether
and in which access resources appear as rows and object resources appear as columns. A particular
authorization defines the following:
- the access resource as the authorized access path
- the object resource as the authorized data
- a start date (optional)
- an end date (optional)

Other details of the authorized access methods are expressed in the resources themselves, more
specifically in their rules. Rules may refer to attributes of the accessing group, the accessing
account, or the group connection through which an account can use a group's access rights.
For any particular pair of access resource and object resource, a resource group connection can
have just one authorization. A resource group connection can have any number of authorizations,
up to a completely filled access matrix as the maximum.

See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account) for a summary of functions for creating, modifying, and deleting such business objects
and their dependent data. For aConnect resource group connection (account) authorizations,
the functions listed under Multiple Dependants are applicable.

Automatic Attribute Assignments

When creating an account, it is possible to automatically assign certain attributes independently
from, and in addition to, the attributes that are defined in a template that was used for the
creation:
- The attribute definition in the target system data can contain references; see Class Attribute
  References.
- If the reference entity is Account, the respective attribute is assigned for each new account
  at the time of creation.

The above description applies to aConnect account attributes. The same is true for aConnect
group connection (account) attributes, except that here the reference entity must be Group
connection (account).

aConnect Groups

The business object aConnect group represents a container for access rights in the application
that is administered as an aConnect target system. The diagram below shows the relationships
between aConnect groups and other business objects.

Group Connection
The box Group Connection stands for four different object types. The hyperlinks below lead to
the respective descriptions:
- An aConnect group connection (account) expresses a relationship between an aConnect
  group and an aConnect account.
- An aConnect group connection (account template) expresses a relationship between an
  aConnect group and an aConnect account template.
- An aConnect group connection (role) expresses a relationship between an aConnect group
  and a role - the only object in this list that belongs to the enterprise level rather than
  to the image level.
In SAM terminology, groups are image objects because they mirror the data structures in a
specific type of target system. SAM uses the following business objects to represent aConnect
groups:

- aConnect group general data
- aConnect group forbidden group
- aConnect group attribute
- aConnect group attribute value

aConnect groups have a mandatory relationship to a business object at enterprise level: Each
aConnect group belongs to an aConnect target system - the one in which it holds certain access
rights that can be granted further.
In order to receive access rights that can be granted further, aConnect groups can have the
following relationships to business objects at image level:
- An aConnect group can be connected to a pair consisting of an aConnect access resource
  group and an aConnect object resource group. This connection grants access rights to the
  resources that are members in these resource groups.
aConnect groups can grant their own access rights to other business objects at image level
through any of the following relationships:
- A connection to an aConnect account grants the access rights to the account.
- A connection to an aConnect account template grants the access rights to the normal
  accounts that are formed after the account template.
- A connection to a role grants the access rights to the aConnect accounts of the users to
  which the role is assigned.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group:
aConnect group
A container structure for access rights in an aConnect target system.
aConnect group template
A customer-specific prototype for creating aConnect groups.
aConnect group defaults
The manufacturer-provided default prototype for creating aConnect groups.
aConnect Group General Data
The business object aConnect group general data is the main object of a group in an aConnect
target system. It contains general information about the group, such as the group ID, the access
code, etc.
See SAM Enterprise Business Object Reference: Administering Groups for a summary of functions for creating, modifying, and deleting groups. These functions apply to aConnect groups
as described.
aConnect Group Forbidden Groups
The business object aConnect group forbidden group defines a condition of mutual exclusion that
applies to group connections for accounts in which the owning group is involved. The following
example illustrates this principle:
- Assume that a rule in an enterprise requires that certain contracts must be approved by two
  different people. The two approvals are called Approval A and Approval B.
- Assume that there is a group APP-A that grants the necessary access rights for Approval
  A, and another group APP-B that grants the necessary access rights for Approval B.
- To establish the rule, the group APP-A needs a forbidden group entry for APP-B, and vice
  versa the group APP-B needs one for APP-A.
  - Forbidden group entries are symmetrical by definition. SAM aConnect reflects this by
    automatically creating the counterpart. For example, when you create the entry under
    APP-A that forbids APP-B, SAM aConnect automatically adds the entry under APP-B
    that forbids APP-A.
- Assume an account has a group connection toward APP-A. This connection provides the
  owning user with the necessary access rights to perform the first approval. When attempting
  to provide a connection to the group APP-B, SAM aConnect refuses the creation with
  reference to this forbidden group entry.
A forbidden group is a group-to-group relationship. A group can have any number of forbidden
groups, provided that the other group is defined in the same target system, and all entries refer
to different groups.
See SAM Enterprise Business Object Reference: Administering Groups for a summary of functions for creating, modifying, and deleting such objects and their dependent data. For aConnect
group forbidden groups, the functions listed under Multiple Dependants are applicable.
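The forbidden group rule above, together with the deletion behaviour described under aConnect Group Connections (Account), as an added Python model that is not SAM aConnect code. The class and method names, the sample IDs, and the audit check for conflicts that predate a forbidden group entry are assumptions made for this illustration.

```python
class ForbiddenGroupError(Exception):
    """A group connection would violate a forbidden group entry."""


class GroupInUseError(Exception):
    """A group that still has account connections cannot be deleted."""


class TargetSystem:
    """Hypothetical model of one aConnect target system (not SAM's API)."""

    def __init__(self, name):
        self.name = name
        self.forbidden = {}    # group ID -> IDs of its forbidden groups
        self.connections = {}  # account ID -> IDs of connected groups

    def add_group(self, group_id):
        self.forbidden.setdefault(group_id, set())

    def add_account(self, account_id):
        self.connections.setdefault(account_id, set())

    def _require_group(self, group_id):
        if group_id not in self.forbidden:
            raise KeyError(f"group {group_id} is not defined in {self.name}")

    def forbid(self, group_id, other_id):
        """Create a forbidden group entry plus its automatic counterpart."""
        self._require_group(group_id)   # both groups must be defined in
        self._require_group(other_id)   # the same target system
        self.forbidden[group_id].add(other_id)
        self.forbidden[other_id].add(group_id)  # symmetrical by definition

    def connect(self, account_id, group_id):
        """Create a group connection (account) unless an entry forbids it."""
        self._require_group(group_id)
        held = self.connections[account_id]
        clash = held & self.forbidden[group_id]
        if clash:
            raise ForbiddenGroupError(
                f"{account_id}: {group_id} is forbidden with {sorted(clash)}")
        held.add(group_id)

    def delete_account(self, account_id):
        """Deleting an account deletes all of its group connections too."""
        del self.connections[account_id]

    def delete_group(self, group_id):
        """Refuse deletion while at least one account connection exists."""
        self._require_group(group_id)
        users = sorted(a for a, held in self.connections.items()
                       if group_id in held)
        if users:
            raise GroupInUseError(f"{group_id} is still connected to {users}")
        # Assumption: entries pointing at the deleted group are removed too.
        for others in self.forbidden.values():
            others.discard(group_id)
        del self.forbidden[group_id]

    def audit(self):
        """Assumed check: accounts holding two mutually forbidden groups.

        connect() prevents new conflicts; this finds conflicts that already
        existed when a forbidden group entry was created later.
        """
        findings = []
        for account, held in sorted(self.connections.items()):
            for group in sorted(held):
                for other in sorted(held & self.forbidden[group]):
                    if group < other:  # report each pair once
                        findings.append((account, group, other))
        return findings


def build_sample():
    """Constructed sample: the APP-A / APP-B approval rule from the text."""
    ts = TargetSystem("CONTRACTS")
    for group in ("APP-A", "APP-B"):
        ts.add_group(group)
    ts.add_account("JDOE")
    ts.forbid("APP-A", "APP-B")
    ts.connect("JDOE", "APP-A")
    return ts


if __name__ == "__main__":
    ts = build_sample()
    try:
        ts.connect("JDOE", "APP-B")
    except ForbiddenGroupError as err:
        print("refused:", err)
```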
aConnect Group Attributes
The business object aConnect group attribute defines an attribute assignment for the owning
group. A group can have any number of attributes assigned, as long as these assignments meet
the following conditions:
- The attribute can cover any purpose. Typically, a group attribute defines access-relevant
  information. For example, an attribute Limit might specify the maximum transaction value
  up to which a particular user is authorized as far as these access rights are inherited from a
  membership in that group.
- It is only possible to assign attributes that are defined in the target system. This means that
  the same attribute must be defined in any of the classes of the target system.
- A particular attribute, which is defined by its attribute ID and by the class to which it
  belongs, can be assigned only once. Additional variations can be specified only at attribute
  value level.

Under the two above conditions, it is possible to manually assign any attribute that is defined
in the target system and appears in the selection list for the assignable attributes. However,
in a well-configured target system, important group attributes are assigned automatically
when creating the group. This effect is achieved through attribute references that are defined
in the target system. See Automatic Attribute Assignments for a detailed discussion of this
topic.

See SAM Enterprise Business Object Reference: Administering Groups for a summary of functions for creating, modifying, and deleting such objects and their dependent data. For aConnect
group attributes, the functions listed under Multiple Dependants are applicable with the restrictions as explained above.

aConnect Group Attribute Values


The business object aConnect group attribute value defines the owning group's value for the
owning attribute. If the attribute is defined with a value range or a list of valid values, the value
here must meet this condition.
If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to a group must hold at least one attribute value. It depends
on the attribute definition whether a group can have more than one value for the same attribute
assignment.
See SAM Enterprise Business Object Reference: Administering Groups for a summary of functions for creating, modifying, and deleting such objects and their dependent data. For aConnect
group attribute values, the functions listed under Single Dependants or those listed under
Multiple Dependants can be applicable, depending on the attribute nature.

aConnect Resource Group Connections (Group)


In SAM terminology, the business object aConnect resource group connection (group)
represents a triple connection between an aConnect group, an aConnect access resource group,
and an aConnect object resource group. In the terminology of the represented application, this is
equivalent to a group's access matrix that involves certain access resources for the access method
and certain object resources for the accessed data. The diagram below shows the relationships
between aConnect resource group connections for groups and other business objects.

In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. SAM uses the following objects to represent
aConnect resource group connections for groups:
- aConnect resource group connection (group) general data
- aConnect resource group connection (group) authorization
aConnect resource group connections for groups have relationships to the three necessary objects
that are already indicated by the name: an aConnect group, an aConnect access resource group,
and an aConnect object resource group. All three of them must exist before the connection can
be created.
The relationship between groups and resource groups in SAM is asymmetrical. This is because
at the resource group side there must always be a pair with one resource group of each type,
access and object. However, despite this asymmetrical nature, SAM's graphical user interface
(GUI) presents such connections as dependants for each of the three involved business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect account's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect group's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (group template)
A customer-specific prototype for creating aConnect resource group connections (group).
aConnect resource group connection (group defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (group).
Note: Also be sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Resource Group Connections (Group) General Data
The business object aConnect resource group connection (group) general data is the main object
of a resource group connection for a group in an aConnect target system. It contains general
information about the connection, such as the group and the resource group IDs, the access
code, etc. From the application perspective, the connection alone - without authorizations as
dependants - is equivalent to an empty access matrix in which the access resources represent the
rows and the object resources represent the columns.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group) for a summary of functions for creating, modifying, and deleting such business objects.
These functions apply to aConnect resource group connections for groups as described, however
under the additional condition that this is a triple connection in which there is always a balanced
pair of resource groups - access and object - at the other side.
aConnect Resource Group Connections (Group) Authorization
The business object aConnect resource group connection (group) authorization defines a single
authorization in the access matrix that is represented by the resource group connection altogether
and in which access resources appear as rows and object resources appear as columns. A particular
authorization defines the following:
- the access resource as the authorized access path
- the object resource as the authorized data
- a start date (optional)
- an end date (optional)

Other details of the authorized access methods are expressed in the resources themselves, more
specifically in their rules. Rules may refer to attributes of the accessing group, the accessing
account, or the group connection through which an account can use a group's access rights.
For any particular pair of access resource and object resource, a resource group connection can
have just one authorization. Subject to this restriction, a resource group connection can have
any number of authorizations, up to a completely filled access matrix as the maximum.

See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group) for a summary of functions for creating, modifying, and deleting such business objects
and their dependent data. For aConnect resource group connection (group) authorizations, the
functions listed under Multiple Dependants are applicable.
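The access matrix described for resource group connections (account) and (group), as an added Python example that is not SAM code: it enforces one authorization per pair of access resource and object resource, applies the optional start and end dates, and reports which connection grants an account access, directly or through a group connection. All IDs and names are constructed, and treating both dates as inclusive is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    """One cell of the access matrix."""
    access_resource: str           # row: the authorized access path
    object_resource: str           # column: the authorized data
    start: Optional[date] = None   # optional start date
    end: Optional[date] = None     # optional end date

    def active_on(self, day):
        # Assumption: both dates are inclusive; the manual does not say.
        return ((self.start is None or self.start <= day)
                and (self.end is None or day <= self.end))


class ResourceGroupConnection:
    """Owner (account or group) connected to an access/object group pair."""

    def __init__(self, owner, access_group, object_group):
        self.owner = owner                      # e.g. ("account", "JDOE")
        self.rows = frozenset(access_group)     # access resources in the group
        self.columns = frozenset(object_group)  # object resources in the group
        self.cells = {}                         # empty matrix: nothing authorized

    def authorize(self, auth):
        """Add one authorization; at most one per (row, column) pair."""
        if auth.access_resource not in self.rows:
            raise ValueError(f"{auth.access_resource} is not in the access resource group")
        if auth.object_resource not in self.columns:
            raise ValueError(f"{auth.object_resource} is not in the object resource group")
        key = (auth.access_resource, auth.object_resource)
        if key in self.cells:
            raise ValueError(f"{key} already has an authorization")
        self.cells[key] = auth

    def permits(self, access_resource, object_resource, day):
        """True only if the cell exists and is active on the given day."""
        auth = self.cells.get((access_resource, object_resource))
        return auth is not None and auth.active_on(day)


def granting_owners(account, memberships, connections,
                    access_resource, object_resource, day):
    """Owners whose matrix authorizes the account for the pair on that day.

    An account uses its own resource group connections plus those of every
    group it has a group connection to. Resource rules are not modelled.
    """
    owners = {("account", account)}
    owners |= {("group", g) for g in memberships.get(account, ())}
    return sorted(c.owner for c in connections
                  if c.owner in owners
                  and c.permits(access_resource, object_resource, day))


def build_sample():
    """Constructed sample data; all IDs are invented for this example."""
    access_group = {"POST-INVOICE", "VIEW-INVOICE"}
    object_group = {"LEDGER-EU", "LEDGER-US"}
    direct = ResourceGroupConnection(("account", "JDOE"), access_group, object_group)
    direct.authorize(Authorization("VIEW-INVOICE", "LEDGER-EU"))
    via_group = ResourceGroupConnection(("group", "APP-A"), access_group, object_group)
    via_group.authorize(Authorization("POST-INVOICE", "LEDGER-EU",
                                      start=date(2014, 1, 1), end=date(2014, 6, 30)))
    memberships = {"JDOE": {"APP-A"}}   # JDOE has a group connection to APP-A
    return memberships, [direct, via_group]


if __name__ == "__main__":
    memberships, connections = build_sample()
    for day in (date(2014, 3, 1), date(2014, 7, 1)):
        print(day, granting_owners("JDOE", memberships, connections,
                                   "POST-INVOICE", "LEDGER-EU", day))
```

A request for which the function returns an empty list is denied: a cell that was never authorized, or one whose dates have lapsed, grants nothing.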
Automatic Attribute Assignments
When creating a group, it is possible to automatically assign certain attributes independently
from, and in addition to, the attributes that are defined in a template that was used for the
creation:
- The attribute definition in the target system data can contain references; see Class Attribute
  References.
- If the reference entity is Group, the respective attribute is assigned for each new group at
  the time of creation.

aConnect Access Resources


The business object aConnect access resource represents a process, program, transaction, or
other object that provides functions and methods to access data, i.e. object resources. Whether
a particular access resource represents one or multiple real-world functions depends on details
at rule and rule attribute level. The diagram below shows the relationships between aConnect
access resources and other business objects.


In SAM terminology, access resources are image objects because they mirror the data structures
in a specific type of target system. SAM uses the following business objects to represent aConnect
access resources:

- aConnect access resource general data
- aConnect access resource rule
- aConnect access resource rule attribute
- aConnect access resource rule attribute value

An aConnect access resource has relationships to one enterprise object and one image object.
Each access resource belongs to a target system - the one in which it provides a function to
access data. This relationship is always given.
In addition to this implicit relationship, an access resource can have relationships to access
resource groups with the eventual purpose of being accessed (i.e., used) by group members or
directly by accounts. However, before this can take place, the access resource group must be
coupled with an object resource group, and both together must appear in a resource group
connection for an account or group. In contrast, direct authorizations toward access resources
alone are not supported by SAM aConnect.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource:
aConnect access resource
A representative for data access functions in an aConnect target system.
aConnect access resource template
A customer-specific prototype for creating aConnect access resources.
aConnect access resource defaults
The manufacturer-provided default prototype for creating aConnect access resources.
aConnect Access Resource General Data
The business object aConnect access resource general data is the main object of an access resource
in an aConnect target system. It contains general information about the resource, such as the
resource class, the resource ID, the access code, etc.
An aConnect access resource must belong to a class for access resources. This means that the
class that is specified when creating the access resource must be found in the list of aConnect
target system classes, and must have the type Access.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting resources. These functions apply to aConnect
access resources as described.

aConnect Access Resource Rules


The business object aConnect access resource rule defines a set of conditions for the owning
access resource. This can always be understood as an access restriction. Depending on the
nature of the represented functions, it may also be understood as a resource-defining condition.
The following details clarify how to distinguish between real-world functions and access resources
on one hand and the various levels of conditions on the other hand:
A particular access resource is hardly ever equivalent to one specific access function. In an
environment in which unconditional access rights can be granted for specific functions or
programs, SAM aConnect is rarely required.
Instead, the access resource defines an access profile, and any function that meets this profile
under given circumstances can be a valid real-world equivalent. For example, such a profile
might be specified as any transaction in the CLK17* category, as long as the transaction
value does not exceed 10.000.
A rule is a set of conditions that are combined in a logical AND. The above profile can be
reflected in one rule. This rule would contain two attributes, one for the transaction category
and one for the transaction value. The condition operator for the first attribute would be =
and that for the second would be <. The value for the first attribute would be CLK17*
and that for the second would be 10.000 (or 10.001, to be most accurate with the LESS
operator).
The same access resource might contain several rules. Each of them represents another condition set, and these sets are combined in a logical OR. Whether several independent condition
sets are reflected in one resource with several rules or in several resources with one rule for
each of them is a matter of taste and of additional environment conditions.
A rule with its attributes, their comparison operators and values is always both a defining
condition for the resource and an access restriction that establishes an upper limit for any
access right that might be granted toward the resource through resource group connections.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect access resource rules, the functions listed under Multiple Dependants are applicable.
aConnect Access Resource Rule Attributes
The business object aConnect access resource rule attribute defines a single condition within the
owning rule by specifying the following:
the involved attribute and
the comparison operator for the condition
For each of its rules, an access resource can have any number of attributes assigned, as long as
these assignments meet the following conditions:
Each attribute reflects an elementary condition within the owning rule, which is defined by
the sum of all conditions combined in a logical AND. This implies that a useful rule cannot
combine attribute conditions that are mutually exclusive in a logical sense.
It is only possible to assign attributes that are defined in the target system and in the same
class to which the owning access resource belongs.
A particular attribute can be assigned only once. A real-world condition in which the same
attribute occurs several times in a logical OR combination is reflected either with several values
under the rule attribute or with several rules, each of them containing the same attribute once.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect access resource rule attributes, the functions listed under Multiple Dependants are
applicable.
aConnect Access Resource Rule Attribute Values
The business object aConnect access resource rule attribute value defines a value constraint
for the owning attribute within the owning rule of the owning access resource. The following
example illustrates how this third level of dependency is used:
Assume an access resource is supposed to represent the profile any transaction in the
CLK17* category, as long as the transaction value does not exceed 10.000.
The access resource needs one rule to represent this profile, because the elementary conditions
within a rule are combined in a logical AND.
This rule needs two rule attributes, one for the transaction category and one for the maximum
value. Note: A rule attribute also defines the comparison operator that is applied toward
the values.
Each of the two rule attributes has one attribute value. The value for the first attribute would
be CLK17*, and the value for the second attribute would be 10.000 or 10.001, depending on
which comparison operator is used, LESS THAN or LESS THAN OR EQUAL.
If the switch Valid Values Mandatory is set for the owning rule attribute, the value here
must also match any of the valid value definitions for the attribute. Otherwise, the valid value
definitions represent suggestions, and any other value is valid as well.
Each rule attribute needs at least one rule attribute value. Whether multiple values are allowed
depends on the operator (and perhaps also on the attribute). Multiple values are only meaningful
with the EQUAL operator to express alternatives that are combined in a logical OR.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect access resource rule attribute values, the functions listed under Single Dependants
or those listed under Multiple Dependants can apply, depending on the implicit condition.
aConnect Access Resource Group Connections (Access Resource)
The business object aConnect access resource group connection represents a connection
between an aConnect access resource and an aConnect access resource group. Such connections
are a prerequisite for granting access of any kind toward access resources, because accounts
and groups can only have access rights toward resource groups. The diagram below shows the
relationships between aConnect access resource group connections and other business objects.

In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. aConnect access resource group connections have
no dependent objects. They have relationships to two other necessary objects: an aConnect
access resource and an aConnect access resource group. Both must exist before the connection
can be created.
The relationship between resources and resource groups in SAM aConnect is nearly symmetrical.
A connection can be created from both sides. The connection counts as property of both the
resource and the resource group. This is expressed in SAM's graphical user interface (GUI) by
presenting resource group connections for resources as dependants of both the resource and the
resource group.
There is one difference between the two perspectives. While deleting a resource automatically
deletes all of its resource group connections, a resource group can only be deleted if it has no
resource connections. The presence of at least one such connection prevents deletion. In this
sense, SAM aConnect does not differ from other target system interfaces in SAM, as far as they
support resources and resource groups.
Similarly, a resource group connection can be deleted in a dialog session (i.e., in SAM's graphical
user interface) only if there is no authorization matrix (in an account's or a group's resource
group connection) in which the respective resource is involved. This restriction is specific to SAM
aConnect, which handles the two types of resources and resource groups differently. However,
it is possible to mark the connections to be deleted in the next run of a batch utility for this
purpose. The utility will consistently delete the connection as well as all related authorizations.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group connection:
aConnect access resource group connection
An aConnect access resource's assignment to a resource group.
aConnect access resource group connection template
A customer-specific prototype for creating aConnect access resource group connections.
aConnect access resource group connection defaults
The manufacturer-provided default prototype for creating aConnect access resource group
connections.
Note: Also be sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Access Resource Group Connections (Access Resource) General Data
An aConnect access resource group connection for a resource consists of one part. This item
contains general data about the connection.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such business objects. These functions apply to
aConnect access resource group connections for resources as described.
Rule Attributes and their Values
The following text summarizes the relationships between rule attributes, class attributes, their
values, and their defaults. This summary is necessary because in this topic several business
object types and dependants play together, each of which is documented with its own purpose
in focus.
Rules are dependants of access resources and object resources, for which they represent conditions determining how the respective resource can exist. The rule itself is just a framework
or container; only the attributes of a rule determine the left-side operands of the condition,
and only the values of an attribute determine the right-side operands.
Attributes exist as basic attribute definition in an attribute pool, implemented as dependants
of the aConnect target system. Any attribute assigned to any business object - the resources
mentioned above as well as accounts and groups - must first be defined in this pool.
Attributes in the pool belong to a certain class. This class membership determines to which
resources an attribute can be assigned as dependant of a rule: A resource of the class X can
only have attributes of the same class assigned under its rules, while the rules themselves are
classless.
Attributes in the pool also have value/value range entries which determine the values and
value ranges valid for an assigned attribute, i.e. for a dependant of a rule in a resource.
Attributes in the pool finally have two switches, which are the key factors in the interplay of rules, attributes, and values. In SAM's graphical user interface (GUI), these
switches are of course checkboxes:
The checkbox Attribute Mandatory in Resource (see SAM Enterprise User Manual) determines
whether the attribute is automatically assigned to every rule of any resource in the same
class as the attribute: If the checkbox is marked, each rule created for a resource in the same
class automatically receives this attribute as an assignment.
If the checkbox is unmarked, the attribute can still be assigned, but then as an explicit
administrator action, rather than an automatic function.
The checkbox Valid Values Mandatory (see SAM Enterprise User Manual) has a basic effect and
an implicit effect: A marked checkbox specifies that this attribute can only have values within
the boundaries expressed by the value/range definitions in the attribute pool. This is the basic
effect.
An attribute with this checkbox unmarked can be set to any value, and value/range entries
in the pool represent just suggestions or planning aids, not constraints.
The implicit effect is that, when automatically assigning the attribute to a rule in a resource,
a valid value/range must be set; otherwise the automatic assignment would violate the value
constraint in the attribute definition. The default value/range used for this situation is part
of the attribute definition and stored in the three fields
Default Operator
Default From Value
Default To Value
In the rule of the resource, the automatically assigned attribute is a child object of the rule,
and the automatically assigned valid value/range is a child object of the attribute assignment,
i.e. a grandchild object of the rule. The above three fields correspond to the following fields
in the aConnect <type> resource rule attribute value objects:
Operator
Value From
Value To
It should be obvious that the default values in the attribute definition must match the value
constraints in the same definition.
When clearing a previously set checkbox Valid Values Mandatory, neither the three default
fields nor the dependent value/range specifications are deleted, but from this moment on they
are unused - until the checkbox is marked again.

aConnect Object Resources


The business object aConnect object resource represents a data object that is subject to
accesses of viewing or manipulating nature, e.g. contracts, accounts, etc. It depends on details at
rule and rule attribute level whether a particular object resource represents one or multiple real-world objects. The diagram below shows the relationships between aConnect object resources
and other business objects.

In SAM terminology, object resources are image objects because they mirror the data structures
in a specific type of target system. SAM uses the following business objects to represent aConnect
object resources:

aConnect object resource general data
aConnect object resource rule
aConnect object resource rule attribute
aConnect object resource rule attribute value

An aConnect object resource has relationships to one enterprise object and one image object.
Each object resource belongs to a target system - the one in which it represents real-world data.
This relationship is always given.
In addition to this implicit relationship, an object resource can have relationships to object
resource groups with the eventual purpose of being accessed by group members or directly by
accounts. However, before this can take place, the object resource group must be coupled with
an access resource group, and both together must appear in a resource group connection for
an account or group. In contrast, direct authorizations toward object resources alone are not
supported by SAM aConnect.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource:
aConnect object resource
A representative for accessible objects in an aConnect target system.
aConnect object resource template
A customer-specific prototype for creating aConnect object resources.
aConnect object resource defaults
The manufacturer-provided default prototype for creating aConnect object resources.
aConnect Object Resource General Data
The business object aConnect object resource general data is the main object of an object resource
in an aConnect target system. It contains general information about the resource, such as the
resource class, the resource ID, the access code, etc.
An aConnect object resource must belong to a class for object resources. This means that the
class that is specified when creating the object resource must be found in the list of aConnect
target system classes, and must have the type Object.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting resources. These functions apply to aConnect
object resources as described.
aConnect Object Resource Rules
The business object aConnect object resource rule defines a set of conditions for the owning object
resource. This can always be understood as an access restriction. Depending on the nature of
the represented documents, it may also be understood as a resource-defining condition. The
following details clarify how to distinguish between real-world documents and object resources
on one hand and the various levels of conditions on the other hand:
A particular object resource is hardly ever equivalent to one specific data object. In an
environment in which unconditional access rights can be granted for specific documents and
files, SAM aConnect is rarely required.
Instead, the object resource defines an object profile, and any document that meets this profile
under given circumstances can be a valid real-world equivalent. For example, such a profile
might be specified as any contract in the Real Estate category, as long as the contract value
does not exceed 250.000.
A rule is a set of conditions that are combined in a logical AND. The above profile can be
reflected in one rule. This rule would contain two attributes, one for the document category
and one for the contract value. The condition operator for the first attribute would be =
and that for the second would be <. The value for the first attribute would be Real Estate
and that for the second would be 250.000 (or 250.001, to be most accurate with the LESS
operator).
The same object resource might contain several rules. Each of them represents another
condition set, and these sets are combined in a logical OR. Whether several independent
condition sets are reflected in one resource with several rules or in several resources with one
rule for each of them is a matter of taste and of additional environment conditions.
A rule with its attributes, their comparison operators and values is always both a defining
condition for the resource and an access restriction that establishes an upper limit for any
access right that might be granted toward the resource through resource group connections.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect object resource rules, the functions listed under Multiple Dependants are applicable.
aConnect Object Resource Rule Attributes
The business object aConnect object resource rule attribute defines a single condition within the
owning rule by specifying the following:
the involved attribute and
the comparison operator for the condition
For each of its rules, an object resource can have any number of attributes assigned, as long as
these assignments meet the following conditions:
Each attribute reflects an elementary condition within the owning rule, which is defined by
the sum of all conditions combined in a logical AND. This implies that a useful rule cannot
combine attribute conditions that are mutually exclusive in a logical sense.
It is only possible to assign attributes that are defined in the target system and in the same
class to which the owning object resource belongs.
A particular attribute can be assigned only once. A real-world condition in which the same
attribute occurs several times in a logical OR combination is reflected either with several values
under the rule attribute or with several rules, each of them containing the same attribute once.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect object resource rule attributes, the functions listed under Multiple Dependants are
applicable.

aConnect Object Resource Rule Attribute Values


The business object aConnect object resource rule attribute value defines a value constraint
for the owning attribute within the owning rule of the owning object resource. The following
example illustrates how this third level of dependency is used:
Assume that an object resource is supposed to represent the profile any contract in the Real
Estate category, as long as the contract value does not exceed 250.000.
The object resource needs one rule to represent this profile, because the elementary conditions
within a rule are combined in a logical AND.
This rule needs two rule attributes, one for the contract category and one for the contract
value. Note: A rule attribute also defines the comparison operator that is applied toward
the values.
Each of the two rule attributes has one attribute value. The value for the first attribute
is Real Estate, and the value for the second attribute is 250.000 or 250.001, depending on
which comparison operator is used, LESS THAN or LESS THAN OR EQUAL.
If the switch Valid Values Mandatory is set for the owning rule attribute, the value here
must also match any of the valid value definitions for the attribute. Otherwise, the valid value
definitions represent suggestions, and any other value is valid as well.
Each rule attribute needs at least one rule attribute value. Whether multiple values are allowed
depends on the operator (and perhaps also on the attribute). Multiple values are only meaningful
with the EQUAL operator to express alternatives that are combined in a logical OR.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect object resource rule attribute values, the functions listed under Single Dependants
or those listed under Multiple Dependants can apply, depending on the implicit condition.
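The rule semantics described above for access resource rules and object resource rules (conditions ANDed within a rule, rules ORed within a resource, several EQUAL values ORed), as an added Python sketch that is not SAM code. Resource IDs, attribute names, the second Real Estate rule and the sample items are constructed; treating a trailing * as a prefix wildcard and reading 10.000 and 250.000 as whole-number amounts are assumptions.

```python
from dataclasses import dataclass

EQUAL, LESS, LESS_EQ = "EQUAL", "LESS THAN", "LESS THAN OR EQUAL"


def equal_match(actual, pattern):
    # Assumption: a trailing "*" (as in CLK17*) is a prefix wildcard.
    if isinstance(pattern, str) and pattern.endswith("*"):
        return isinstance(actual, str) and actual.startswith(pattern[:-1])
    return actual == pattern


@dataclass(frozen=True)
class RuleAttribute:
    """One elementary condition: attribute, comparison operator, value(s)."""
    name: str
    operator: str
    values: tuple

    def __post_init__(self):
        if self.operator not in (EQUAL, LESS, LESS_EQ):
            raise ValueError(f"{self.name}: unsupported operator {self.operator!r}")
        if not self.values:
            raise ValueError(f"{self.name}: at least one value is required")
        if len(self.values) > 1 and self.operator != EQUAL:
            raise ValueError(f"{self.name}: multiple values only with EQUAL")

    def matches(self, actual):
        if actual is None:
            return False  # item lacks the attribute: condition not met
        if self.operator == EQUAL:
            return any(equal_match(actual, v) for v in self.values)  # OR
        if isinstance(actual, bool) or not isinstance(actual, (int, float)):
            return False  # ordering operators need a number
        limit = self.values[0]
        return actual < limit if self.operator == LESS else actual <= limit


@dataclass(frozen=True)
class Rule:
    """Condition set: all attribute conditions must hold (logical AND)."""
    attributes: tuple

    def __post_init__(self):
        names = [a.name for a in self.attributes]
        if len(names) != len(set(names)):
            raise ValueError("an attribute can be assigned only once per rule")

    def matches(self, item):
        # Choice of this sketch: a rule without attributes matches nothing.
        return bool(self.attributes) and all(
            a.matches(item.get(a.name)) for a in self.attributes)


@dataclass(frozen=True)
class Resource:
    """Profile: any one of the rules may match (logical OR)."""
    resource_id: str
    rules: tuple

    def matches(self, item):
        return any(r.matches(item) for r in self.rules)


def profile(category_values, operator, limit):
    return Rule((RuleAttribute("category", EQUAL, tuple(category_values)),
                 RuleAttribute("value", operator, (limit,))))


# "10.000" / "250.000" are read as 10 000 / 250 000 (assumed thousands separator).
CLK17_LESS = Resource("ACC-1", (profile(["CLK17*"], LESS, 10001),))
CLK17_LESS_EQ = Resource("ACC-2", (profile(["CLK17*"], LESS_EQ, 10000),))
REAL_ESTATE = Resource("OBJ-1", (
    profile(["Real Estate"], LESS, 250001),
    # Constructed second rule, ORed with the first; two ORed EQUAL values.
    profile(["Leasing", "Rental"], LESS_EQ, 50000),
))


def demo():
    txn = lambda cat, val: {"category": cat, "value": val}
    return {
        "at_limit": CLK17_LESS.matches(txn("CLK1704", 10000)),
        "over_limit": CLK17_LESS.matches(txn("CLK1704", 10001)),
        "other_category": CLK17_LESS.matches(txn("CLK18", 5)),
        "value_missing": CLK17_LESS.matches({"category": "CLK1704"}),
        # The two notations agree only for whole-number amounts:
        "fraction_with_less": CLK17_LESS.matches(txn("CLK1704", 10000.5)),
        "fraction_with_less_eq": CLK17_LESS_EQ.matches(txn("CLK1704", 10000.5)),
        "second_rule": REAL_ESTATE.matches(txn("Rental", 50000)),
        # Conditions are not mixed across rules:
        "no_rule_mixing": REAL_ESTATE.matches(txn("Rental", 250000)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

For whole-number amounts the LESS THAN 10001 and LESS THAN OR EQUAL 10000 notations give the same result; for fractional amounts only the second enforces the limit as stated.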
Object Resource Group Connections
The business object aConnect object resource group connection represents a connection
between an aConnect object resource and an aConnect object resource group. Such connections
are a prerequisite for granting access of any kind toward object resources, because accounts
and groups can only have access rights toward resource groups. The diagram below shows the
relationships between aConnect object resource group connections and other business objects.

In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. aConnect object resource group connections have
no dependent objects. They have relationships to two other necessary objects: an aConnect
object resource and an aConnect object resource group. Both must exist before the connection
can be created.
The relationship between resources and resource groups in SAM aConnect is nearly symmetrical.
A connection can be created from both sides. The connection counts as property of both the
resource and the resource group. This is expressed in SAM's graphical user interface (GUI) by
presenting resource group connections for resources as dependants of both the resource and the
resource group.
There is one difference between the two perspectives. While deleting a resource automatically
deletes all of its resource group connections, a resource group can only be deleted if it has no
resource connections. The presence of at least one such connection prevents deletion. In this
sense, SAM aConnect does not differ from other target system interfaces in SAM, as far as they
support resources and resource groups.
Similarly, a resource group connection can be deleted in a dialog session (i.e., in SAM's graphical
user interface) only if there is no authorization matrix (in an account's or a group's resource
group connection) in which the respective resource is involved. This restriction is specific to SAM
aConnect, which handles the two types of resources and resource groups differently. However,
it is possible to mark the connections to be deleted in the next run of a batch utility for this
purpose. The utility will consistently delete the connection as well as all related authorizations.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group connection:
aConnect object resource group connection
An aConnect object resource's assignment to a resource group.
aConnect object resource group connection template
A customer-specific prototype for creating aConnect object resource group connections.
aConnect object resource group connection defaults
The manufacturer-provided default prototype for creating aConnect object resource group
connections.
Note: Also be sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
General Data
An aConnect object resource group connection for a resource consists of one
part. This item contains general data about the connection.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such business objects. These functions apply to
aConnect object resource group connections for resources as described.
Rule Attributes and their Values
The following text summarizes the relationships between rule attributes, class attributes, their
values, and their defaults. This summary is necessary because in this topic several business
object types and dependants play together, each of which is documented with its own purpose
in focus.
Rules are dependants of access resources and object resources, for which they represent conditions determining how the respective resource can exist. The rule itself is just a framework
or container; only the attributes of a rule determine the left-side operands of the condition,
and only the values of an attribute determine the right-side operands.
Attributes exist as basic attribute definition in an attribute pool, implemented as dependants
of the aConnect target system. Any attribute assigned to any business object - the resources
mentioned above as well as accounts and groups - must first be defined in this pool.
Attributes in the pool belong to a certain class. This class membership determines to which
resources an attribute can be assigned as dependant of a rule: A resource of the class X can
only have attributes of the same class assigned under its rules, while the rules themselves are
classless.
Attributes in the pool also have value/value range entries which determine the values and
value ranges valid for an assigned attribute, i.e. for a dependant of a rule in a resource.
Attributes in the pool finally have two switches, which are the key factors in the interplay of rules, attributes, and values. In SAM's graphical user interface (GUI), these
switches are of course checkboxes:
The checkbox Attribute Mandatory in Resource (see SAM Enterprise User Manual) determines
whether the attribute is automatically assigned to every rule of any resource in the same
class as the attribute: If the checkbox is marked, each rule created for a resource in the same
class automatically receives this attribute as an assignment.
If the checkbox is unmarked, the attribute can still be assigned, but then as an explicit
administrator action, rather than an automatic function.
The checkbox Valid Values Mandatory (see SAM Enterprise User Manual) has a basic effect and
an implicit effect: A marked checkbox specifies that this attribute can only have values within
the boundaries expressed by the value/range definitions in the attribute pool. This is the basic
effect.
An attribute with this checkbox unmarked can be set to any value, and value/range entries
in the pool represent just suggestions or planning aids, not constraints.
The implicit effect is that, when automatically assigning the attribute to a rule in a resource,
a valid value/range must be set; otherwise the automatic assignment would violate the value
constraint in the attribute definition. The default value/range used for this situation is part
of the attribute definition and stored in the three fields

Default Operator
Default From Value
Default To Value

In the rule of the resource, the automatically assigned attribute is a child object of the rule,
and the automatically assigned valid value/range is a child object of the attribute assignment,
i.e. a grandchild object of the rule. The above three fields correspond to the following fields
in the aConnect <type> resource rule attribute value objects:

Operator
Value From
Value To

It should be obvious that the default values in the attribute definition must match the value
constraints in the same definition.

When clearing a previously set checkbox Valid Values Mandatory, neither the three default
fields nor the dependent value/range specifications are deleted, but from this moment on they
are unused - until the checkbox is marked again.
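The interplay of the two pool switches described in both Rule Attributes and their Values summaries (under access resources and under object resources), as an added Python sketch that is not SAM code. Class names, attribute names and values are constructed; writing a single value as From equal to To, and leaving an automatically assigned attribute without a value while Valid Values Mandatory is cleared, are assumptions of this sketch.

```python
from dataclasses import dataclass, field


@dataclass
class PoolAttribute:
    """Attribute definition in the target system's attribute pool."""
    name: str
    attr_class: str
    valid_ranges: list = field(default_factory=list)  # (from, to) entries
    mandatory_in_resource: bool = False    # Attribute Mandatory in Resource
    valid_values_mandatory: bool = False   # Valid Values Mandatory
    default_operator: str = None           # Default Operator
    default_from: object = None            # Default From Value
    default_to: object = None              # Default To Value

    def allows(self, value_from, value_to):
        """Basic effect of Valid Values Mandatory."""
        if not self.valid_values_mandatory:
            return True  # pool entries are suggestions only
        return any(lo <= value_from <= value_to <= hi
                   for lo, hi in self.valid_ranges)

    def defaults_consistent(self):
        """Defaults must lie inside the definition's own value constraints."""
        if None in (self.default_operator, self.default_from, self.default_to):
            return False
        return self.allows(self.default_from, self.default_to)


def create_rule(pool, resource_class, explicit=()):
    """Build a new rule as {attribute name: [(operator, from, to), ...]}.

    explicit holds administrator assignments as (name, operator, from, to).
    """
    by_name = {a.name: a for a in pool}
    rule = {}
    for attr in pool:
        if attr.attr_class != resource_class or not attr.mandatory_in_resource:
            continue
        rule[attr.name] = []  # automatic assignment: child object of the rule
        if attr.valid_values_mandatory:
            # Implicit effect: the assignment needs a valid value (grandchild).
            if not attr.defaults_consistent():
                raise ValueError(f"{attr.name}: default value violates pool constraints")
            rule[attr.name].append(
                (attr.default_operator, attr.default_from, attr.default_to))
    for name, operator, value_from, value_to in explicit:
        attr = by_name.get(name)
        if attr is None:
            raise ValueError(f"{name}: not defined in the attribute pool")
        if attr.attr_class != resource_class:
            raise ValueError(f"{name}: class {attr.attr_class} differs from {resource_class}")
        if not attr.allows(value_from, value_to):
            raise ValueError(f"{name}: value outside the valid values/ranges")
        rule.setdefault(name, []).append((operator, value_from, value_to))
    return rule


def sample_pool():
    # Constructed pool; class and attribute names are hypothetical.
    return [
        PoolAttribute("contract_value", "CONTRACT", [(0, 250000)],
                      mandatory_in_resource=True, valid_values_mandatory=True,
                      default_operator="LESS THAN OR EQUAL",
                      default_from=250000, default_to=250000),
        PoolAttribute("category", "CONTRACT",
                      [("Leasing", "Leasing"), ("Real Estate", "Real Estate")]),
        PoolAttribute("txn_category", "TXN", [("CLK17*", "CLK17*")]),
    ]


def rejected(pool, resource_class, explicit):
    """Return the rejection reason, or None if the rule could be created."""
    try:
        create_rule(pool, resource_class, explicit)
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    pool = sample_pool()
    value_attr = pool[0]
    too_high = [("contract_value", "LESS THAN", 300000, 300000)]
    out = {"auto": create_rule(pool, "CONTRACT")}
    out["suggestion_only"] = create_rule(
        pool, "CONTRACT", [("category", "EQUAL", "Aviation", "Aviation")])
    out["out_of_range"] = rejected(pool, "CONTRACT", too_high)
    out["wrong_class"] = rejected(
        pool, "CONTRACT", [("txn_category", "EQUAL", "CLK17*", "CLK17*")])
    value_attr.valid_values_mandatory = False   # clear the checkbox
    out["after_clearing"] = create_rule(pool, "CONTRACT", too_high)
    out["defaults_kept"] = (value_attr.default_from, value_attr.valid_ranges)
    value_attr.valid_values_mandatory = True    # mark it again
    value_attr.default_from = value_attr.default_to = 500000  # misconfigured
    out["bad_default"] = rejected(pool, "CONTRACT", [])
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```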

aConnect Access Resource Groups


The business object aConnect access resource group represents a container for access resources. Such a container is a necessary part of every access rights organization because accounts
or groups can only receive access rights toward pairs of containers, one for access resources and
the other for object resources. The diagram below shows the relationships between aConnect
access resource groups and other business objects.

Resource Group Connection
The box Resource Group Connection stands for five different object types. The hyperlinks below
lead to the respective descriptions:
An aConnect resource group connection (account) expresses a relationship between an
aConnect account and a pair of aConnect resource groups.
An aConnect resource group connection (account template) expresses a relationship between an aConnect account template and a pair of aConnect resource groups.
An aConnect resource group connection (group) expresses a relationship between an aConnect group and a pair of aConnect resource groups.
An aConnect resource group connection (group template) expresses a relationship between
an aConnect group template and a pair of aConnect resource groups.
In SAM terminology, access resource groups are image objects because they mirror the data
structures in a specific type of target system. SAM uses the following business objects to
represent aConnect access resource groups:
aConnect access resource group general data
aConnect access resource group forbidden group
An aConnect access resource group has relationships to one enterprise object and several image
objects. Each group belongs to a target system - the one in which it acts as a container for
access resources. This relationship is always given.
In order to provide its container services, an access resource group can have relationships to
aConnect access resources. Without them, the resource group would be empty and useless.
In order to provide access to the represented resources, an access resource group can participate
in a triple relationship in which only the access-requesting partner can vary:
The first partner is the aConnect access resource group itself. It provides the access functions
involved in the access operations.
The second partner is an aConnect object resource group. It provides the data objects
involved in the access operations.
The third partner is the access-requesting object. This can be any of the following:
- aConnect account
- aConnect account template
- aConnect group
- aConnect group template

The third partner determines and completes the name for this business object. For example, if an
account is the third partner, the business object is called resource group connection (account).
Such an object can be created with any of the three objects as the starting point. The process
is always the same, only the pre-defined entry in the dialog box varies depending on from where
the dialog was invoked.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group:
aConnect access resource group
A container for aConnect access resources.
aConnect access resource group template
A customer-specific prototype for creating aConnect access resource groups.
aConnect access resource group defaults
The manufacturer-provided default prototype for creating aConnect access resource groups.
aConnect Access Resource Group General Data
The business object aConnect access resource group general data is the main object of an access
resource group in an aConnect target system. It contains general information about the group,
such as the group ID, the access code, etc.
See SAM Enterprise Business Object Reference: Administering Resource Groups for a summary
of functions for creating, modifying, and deleting such business objects. These functions apply
to aConnect access resource groups as described.
aConnect Access Resource Group Forbidden Groups
The business object aConnect access resource group forbidden group defines a condition of mutual
exclusion that applies to resource group connections for accounts or groups in which the owning
resource group is involved. The following example illustrates what this means:
Assume that a rule in an enterprise specifies that someone with administrative access rights
toward a category of contracts cannot also have auditing or approving access rights, and vice
versa.
Assume there is one access resource group ADM that provides the functions for contract
administration, and there is another access resource group AUD that provides the functions
for auditing. Assume also that the contracts are represented in an object resource group
CON.
To establish the rule, the group ADM needs a forbidden group entry for AUD, and the
group AUD needs a forbidden group entry for ADM.
Note: Forbidden group entries are symmetrical by definition. SAM aConnect reflects this by
automatically creating the counterpart. For example, when you create the entry under
ADM that forbids AUD, SAM aConnect automatically adds the entry under AUD
that forbids ADM.
Assume that a group has a resource group connection in which ADM is the access partner
and CON is the object partner. This connection provides the necessary access rights to
administer the contracts. Now, when attempting to provide a connection to a pair with
AUD and CON as the partners, SAM aConnect refuses the creation with reference to this
forbidden group entry.
The same happens when attempting to provide a connection for an account which has inherited
the access rights from the ADM/CON connection through a normal group connection.
The forbidden group can only be another access resource group. An access resource group can
have any number of forbidden groups, provided that the other group is defined in the same
target system, and all entries refer to different groups.
Note: SAM checks mutual exclusions from forbidden groups only when creating resource group
connections for accounts or groups. As a side effect, it would be possible to provide an
account with mutually exclusive resource group connections, simply by using different
group connections.
For the sake of performance, SAM does not prevent this situation via standard checks.
Instead, one of the default reports for SAM aConnect runs a check across all resource
group connections and reports any such case.
See SAM Enterprise Business Object Reference: Administering Resource Groups for a summary
of functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect access resource group forbidden groups, the functions listed under Multiple Dependants are applicable.

aConnect Object Resource Groups


The business object aConnect object resource group represents a container for object resources. Such a container is a necessary part of every access rights organization because accounts
or groups can only receive access rights toward pairs of containers, one for access resources and
the other for object resources. The diagram below shows the relationships between aConnect
object resource groups and other business objects.

Resource Group Connection The box Resource Group Connection stands for five different object types. The hyperlinks below lead to the respective descriptions:


An aConnect resource group connection (account) expresses a relationship between an
aConnect account and a pair of aConnect resource groups.
An aConnect resource group connection (account template) expresses a relationship between an aConnect account template and a pair of aConnect resource groups.
An aConnect resource group connection (group) expresses a relationship between an aConnect group and a pair of aConnect resource groups.
An aConnect resource group connection (group template) expresses a relationship between
an aConnect group template and a pair of aConnect resource groups.
In SAM terminology, object resource groups are image objects because they mirror the data
structures in a specific type of target system. SAM uses the following business objects to
represent aConnect object resource groups:
aConnect object resource group general data
aConnect object resource group forbidden group
An aConnect object resource group has relationships to one enterprise object and several image
objects. Each group belongs to a target system - the one in which it acts as a container for
object resources. This relationship is always given.
In order to provide its container services, an object resource group can have relationships to
aConnect object resources. Without them, the resource group would be empty and useless.
In order to provide access to the represented resources, an object resource group can participate
in a triple relationship in which only the access-requesting partner can vary:
The first partner is the aConnect object resource group itself. It provides the data objects
involved in the access operations.
The second partner is an aConnect access resource group. It provides the access functions
involved in the access operations.
The third partner is the access-requesting object. This can be any of the following:
- aConnect account
- aConnect account template
- aConnect group
- aConnect group template

The third partner determines and completes the name for this business object. For example, if an
account is the third partner, the business object is called resource group connection (account).
Such an object can be created with any of the three objects as the starting point. The process
is always the same, only the pre-defined entry in the dialog box varies depending on from where
the dialog was invoked.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group:
aConnect object resource group
A container for aConnect object resources.
aConnect object resource group template
A customer-specific prototype for creating aConnect object resource groups.
aConnect object resource group defaults
The manufacturer-provided default prototype for creating aConnect object resource groups.
aConnect Object Resource Group General Data
The business object aConnect object resource group general data is the main object of an object
resource group in an aConnect target system. It contains general information about the group,
such as the group ID, the access code, etc.
See SAM Enterprise Business Object Reference: Administering Resource Groups for a summary
of functions for creating, modifying, and deleting such business objects. These functions apply
to aConnect object resource groups as described.
aConnect Object Resource Group Forbidden Groups
The business object aConnect object resource group forbidden group defines a condition of mutual
exclusion that applies to resource group connections for accounts or groups in which the owning
resource group is involved. The following example illustrates what this means:
Assume that a rule in an enterprise specifies that someone with administrative access rights
toward one category of contracts cannot also have access rights toward another category.
Assume that there are three contract categories called CA, CB, and CC.
Assume that there is one object resource group for each of the three categories. These resource
groups are called GCA, GCB, and GCC. The access functions for all three categories are
the same and are represented in the access resource group TRAN-CON.
To establish the rule, the group CA needs a forbidden group entry for CB and another one
for CC. The other two groups need their respective entries in return.
Note: Forbidden group entries are symmetrical by definition. SAM aConnect reflects this by
automatically creating the counterpart. For example, when you create the entry under
GCA that forbids GCB, SAM aConnect automatically adds the entry under GCB
that forbids GCA. Similarly, when you create the entry under GCA that forbids GCC,
SAM aConnect adds the entry under GCC that forbids GCA.
Assume that a group has a resource group connection in which TRAN-CON is the access
partner and GCA is the object partner. This connection provides the necessary access rights
for administering the contracts in the category CA. Now, when attempting to provide a
connection to a pair with TRAN-CON and GCB or GCC as the partners, SAM aConnect
refuses the creation with reference to these forbidden group entries.
The same happens when attempting to provide a connection for an account which has inherited the access rights from the TRAN-CON/GCA connection through a normal group
connection.
The forbidden group can only be another object resource group. An object resource group can
have any number of forbidden groups, provided that the other group is defined in the same
target system, and all entries refer to different groups.
Note: SAM checks mutual exclusions from forbidden groups only when creating resource group
connections for accounts or groups. As a side effect, it would be possible to provide an
account with mutually exclusive resource group connections, simply by using different
group connections.
For the sake of performance, SAM does not prevent this situation via standard checks.
Instead, one of the default reports for SAM aConnect runs a check across all resource
group connections and reports any such case.
See SAM Enterprise Business Object Reference: Administering Resource Groups for a summary
of functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect object resource group forbidden groups, the functions listed under Multiple Dependants are applicable.
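The report-style check described above for access and object resource group forbidden groups can be sketched as follows. This is an added example, not code from SAM or from the manual: it expands each account's effective resource group connections through its group connections and lists mutually exclusive combinations. The account and group names and the data layout are constructed, and treating two connections as conflicting whenever their partners on the same side forbid each other, regardless of the other partner, is an assumption.

```python
from collections import defaultdict
from itertools import combinations


class ForbiddenGroups:
    """Forbidden group entries for one kind of resource group (access or object)."""

    def __init__(self):
        self._entries = defaultdict(set)

    def add(self, owner, other):
        if owner == other:
            raise ValueError("a resource group cannot forbid itself")
        # Entries are symmetrical: creating one also creates the counterpart.
        self._entries[owner].add(other)
        self._entries[other].add(owner)

    def entries(self, owner):
        return sorted(self._entries.get(owner, ()))

    def conflict(self, a, b):
        return b in self._entries.get(a, ())


def effective_connections(account, direct, memberships):
    """All (access group, object group, source) triples an account holds,
    directly or inherited through its normal group connections."""
    held = [(acc, obj, "direct") for acc, obj in direct.get(account, ())]
    for group in memberships.get(account, ()):
        held += [(acc, obj, "via " + group) for acc, obj in direct.get(group, ())]
    return sorted(held)


def audit(accounts, direct, memberships, access_fg, object_fg):
    """Report every pair of effective connections that is mutually exclusive."""
    findings = []
    for account in sorted(accounts):
        held = effective_connections(account, direct, memberships)
        for left, right in combinations(held, 2):
            if access_fg.conflict(left[0], right[0]):
                findings.append((account, "access", left, right))
            if object_fg.conflict(left[1], right[1]):
                findings.append((account, "object", left, right))
    return findings


# Forbidden group entries from the two examples in the text.
ACCESS_FG = ForbiddenGroups()
ACCESS_FG.add("ADM", "AUD")
OBJECT_FG = ForbiddenGroups()
OBJECT_FG.add("GCA", "GCB")
OBJECT_FG.add("GCA", "GCC")
OBJECT_FG.add("GCB", "GCC")

# Constructed sample data: resource group connections per account or group.
DIRECT = {
    "G-ADMIN": {("ADM", "CON")},
    "G-AUDIT": {("AUD", "CON")},
    "G-CAT-B": {("TRAN-CON", "GCB")},
    "acct-01": set(),
    "acct-02": {("TRAN-CON", "GCA")},
    "acct-03": {("ADM", "CON")},
}
# Constructed sample data: normal group connections of each account.
MEMBERSHIPS = {
    "acct-01": ["G-ADMIN", "G-AUDIT"],   # exclusive rights via two different groups
    "acct-02": ["G-CAT-B"],              # direct GCA plus inherited GCB
    "acct-03": [],
}
ACCOUNTS = ["acct-01", "acct-02", "acct-03"]

if __name__ == "__main__":
    for account, side, left, right in audit(
            ACCOUNTS, DIRECT, MEMBERSHIPS, ACCESS_FG, OBJECT_FG):
        print(f"{account}: {side} conflict between {left} and {right}")
```

The first finding is the case the note describes: neither group connection of acct-01 is refused on its own, so only a check across all connections reveals the combination.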

aConnect Target Systems


The business object aConnect target system represents an application system for which
security administration is performed using SAM aConnect. The diagram below shows the relationships between aConnect target systems and other business objects.

In SAM terminology, an aConnect target system is an image object and an enterprise object.
The system's image data, which represents the system-specific details, is correlated with the
target system definition at enterprise level. This definition is structurally identical for target
systems of all types. SAM uses the following business objects for the representation of target
systems at enterprise level:

- Target system technical data
- Target system names
- Target system parameters
- Target system tables
- Target system table type rules
- Target system table parameters
- Target system fields
- Target system field type rules
- Target system field parameters

At image level, SAM uses the following objects to represent an aConnect target system:

- aConnect target system aConnect data
- aConnect target system classes
- aConnect target system class attributes
- aConnect target system class attribute values
- aConnect target system class attribute references
- aConnect target system allowed classes

A target system has implicit relationships to all image objects that can occur in the system. For
aConnect target systems, this applies to

- aConnect accounts
- aConnect groups
- aConnect access resources
- aConnect object resources
- aConnect access resource groups
- aConnect object resource groups

as well as connections between them. The list is further enhanced by the templates and defaults
for the above business objects, as far as they exist.
All target systems can also be elements in a target system set. This business object is one of
SAM's features for role-based access control (RBAC).
aConnect Target System aConnect Data
The business object aConnect target system aConnect data is the main image object of an
aConnect target system. It contains general information about the target system, such as the
TS ID, the access code, etc.
As target systems are both enterprise objects and image objects, the aConnect target system
aConnect data is a dependant of the target system technical data. Technical data is the main
object at enterprise level.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary of
functions for creating, modifying, and deleting such objects. These functions apply to aConnect
target systems as described. See also the configuration Step 4 as the task in which a new
aConnect target system is created.
aConnect Target System Classes
The business object aConnect class defines a category that is primarily intended for resources,
but also serves for the categorization of attributes:
Aside from its class ID, the central attribute of an aConnect target system class is its type,
which can be Access, Object, or Target System.
Every aConnect access resource must belong to a class of the type Access. A class of this
type must exist before creating access resources.
Similarly, every aConnect object resource must belong to a class of the type Object. A class
of this type must exist before creating object resources.
Any attribute that is assigned to an account, user policy account, group, or group connection
must be defined in any of the classes for the target system. This implies the need for a
class that is only relevant in the context of attributes but not for resources. Such a class can
be defined under the type Target System, which can also be understood as Other.
Note: SAM only accepts one class of the type Target System. This is because multiple
classes, each of them representing the collecting category Other, would be just confusing.
An aConnect target system can have any number of classes. The above description makes clear
that one class in each type is the realistic minimum in order to support the full spectrum of
features.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system classes, the functions listed under Multiple Dependants are applicable.
aConnect Target System Class Attributes
The business object aConnect class attribute defines an attribute that can occur in resources of
the respective class and in accounts, user policy accounts, groups, or group connections:
A condition for the rule attributes of a resource indicates that the attribute must be defined
in the same class to which the resource belongs. In this regard, the sum of all attributes under
the owning class serves as a look-up table.
Note: An attribute reference from a resource prevents the deletion of this attribute. See
the Deleting Attributes function of the aConnect Toolbox for a method to find and remove
such references.
A condition for the attribute assignments of accounts, user policy accounts, groups, and group
connections indicates that the attribute must be defined in any class of any type within the
target system. In this regard, the sum of all attributes across all classes serves as a look-up
table.
Note: An attribute reference from these business object types does not prevent the deletion
of the attribute. Instead, such references are removed as part of the attribute deletion process.
A basic condition for all attributes is that they must be defined in the enterprise-wide
Attribute Pool.
An aConnect target system class can hold any number of attributes. Note that the attribute ID
alone must be unique across the entire target system, even though attributes belong to different
classes.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system class attributes, the functions listed under Multiple Dependants are
applicable.
aConnect Target System Class Attribute Values
The business object aConnect target system attribute value defines a valid value or value range
for the owning attribute - however only within the aConnect target system itself. For SAM,
the only relevant value constraints for an attribute are found in the attribute pool, and the
checkbox SAM Enterprise User Manual: Valid Values Mandatory in the aConnect target system
class attribute determines whether or not they apply to this attribute usage as well.
The consequence for the values defined here: the administrator is responsible for keeping these value constraints synchronized with those in the attribute pool. The presence of an entry here only
means that SAM will transfer this definition to the aConnect target system.
Note also that attribute values are mutually exclusive with attribute references, which represent
placeholders for dynamic value assignment. A particular attribute can have only one of these
two types of dependants.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system class attribute values, the functions listed under Single Dependants or
under Multiple Dependants can apply, depending on the nature of the owning attribute.
aConnect Target System Class Attribute References
The business object aConnect target system attribute reference defines a placeholder instead of
a direct value. It refers to an attribute of an account, user policy account, group, or group
connection, and this reference is a specification where the real value can be obtained. Such
references are the basis on which value-specific access rights can be granted, as is illustrated in
the following example:
Imagine an access profile according to which a user is authorized to administer contracts, but
only for the same branch to which the user belongs.
To establish such a profile with aConnect objects, the first prerequisite is that the accounts
have an attribute USER.BRANCH assigned.
The next prerequisite is that the contracts, which appear as object resources of a certain
class, have an attribute CONTRACT.BRANCH assigned. However, this attribute appears
as a condition in a rule, and the condition value is the name of a reference.
The effect is that the rule is checked by resolving the reference first. The condition is met if
both the contract and the accessing user belong to the same branch.
According to the nature of references, an owning attribute can hold just one such entry.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system class attribute references, the functions listed under Single Dependants
are applicable.
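The branch example above, as an added sketch that is not code from SAM or from the manual: a class attribute holds either direct values or exactly one reference, and a rule condition with a reference is checked by resolving it against the accessing account first. The contract and account names, the dictionary layout, and the choice to treat an unresolved reference as "condition not met" are assumptions; only account attributes are modeled.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClassAttribute:
    """A class attribute with either direct values or one reference."""
    attr_id: str
    values: List[str] = field(default_factory=list)
    reference: Optional[str] = None

    def add_value(self, value):
        if self.reference is not None:
            raise ValueError(f"{self.attr_id}: values and references are mutually exclusive")
        self.values.append(value)

    def set_reference(self, target_attr_id):
        if self.values:
            raise ValueError(f"{self.attr_id}: values and references are mutually exclusive")
        if self.reference is not None:
            raise ValueError(f"{self.attr_id}: an attribute can hold just one reference")
        self.reference = target_attr_id


def condition_met(attribute, resource_attrs, account_attrs):
    """Check one rule condition for one object resource and one account."""
    actual = resource_attrs.get(attribute.attr_id)
    if actual is None:
        return False
    if attribute.reference is not None:
        # Resolve the reference first, then compare with the resource's value.
        resolved = account_attrs.get(attribute.reference)
        # Assumption: an account without the referenced attribute gets no access.
        return resolved is not None and resolved == actual
    return actual in attribute.values


def accessible(attribute, resources, account_attrs):
    """Names of the resources whose condition the account satisfies."""
    return sorted(name for name, attrs in resources.items()
                  if condition_met(attribute, attrs, account_attrs))


# The rule attribute from the text: CONTRACT.BRANCH refers to USER.BRANCH.
BRANCH = ClassAttribute("CONTRACT.BRANCH")
BRANCH.set_reference("USER.BRANCH")

# Constructed sample data.
CONTRACTS = {
    "contract-001": {"CONTRACT.BRANCH": "HAMBURG"},
    "contract-002": {"CONTRACT.BRANCH": "MUNICH"},
    "contract-003": {},                      # no branch assigned
}
ACCOUNT_HAMBURG = {"USER.BRANCH": "HAMBURG"}
ACCOUNT_NO_BRANCH = {}

if __name__ == "__main__":
    print(accessible(BRANCH, CONTRACTS, ACCOUNT_HAMBURG))
    print(accessible(BRANCH, CONTRACTS, ACCOUNT_NO_BRANCH))
```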
aConnect Target System Allowed Classes
The business object aConnect allowed class defines a class of the opposite type - access or
object - with which resources of the owning class can be paired in the access matrix of a
resource group connection for an account, user policy account, or group. These entries are the
basis for the proper coupling of access resources with object resources, as is illustrated in the
following example:
Imagine an insurance company that offers life insurances, real estate insurances, and car
insurances. These three types of contracts are reflected in three different object classes: C-Life, C-Estate, and C-Car.
The contracts are administered with a number of transactions. Assume that there is a transaction category General that can apply to contracts of any kind. A category Life applies
only to life insurances, a category Estate only to real estate, and a category Car only to
car insurances.
Consequently, the transactions are reflected in four different object classes: T-General, T-Life, T-Estate, and T-Car.
Each of these seven classes needs allowed class entries to make clear which pairings are allowed
in resource group connections for accounts and groups. One example is sufficient:
The object class C-Life can be paired with the access classes T-General and T-Life. This
is expressed with two allowed class entries, one for T-General and one for T-Life.
Note: Allowed class entries are symmetrical by definition. SAM aConnect reflects this by
automatically creating the counterpart. For example, when you create the entry under
C-Life that allows T-General, SAM aConnect automatically adds the entry under
T-General that allows C-Life.
An allowed class is a class-to-class relationship in which the other class must always belong
to the opposite type of access and object. This provided, and provided all entries refer to
different classes, a class can have any number of allowed classes.
Note: According to the exact naming conventions, these objects must be called aConnect target
system class allowed classes, because they are dependants of the aConnect target system
classes. In this case, however, exactly following the rule would have created a confusing
object title.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system allowed classes, the functions listed under Multiple Dependants are
applicable.
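The insurance example above, as an added sketch that is not code from SAM or from the manual: a registry that enforces the class types, creates the symmetrical counterpart of each allowed class entry, and checks the class pairings of an access matrix. Following the pairing sentence in the text, the T-* classes are modeled as type Access; the class ID OTHER, the registry API and the sample matrix are constructed.

```python
OPPOSITE = {"Access": "Object", "Object": "Access"}


class ClassRegistry:
    """Classes of one target system and their allowed class entries."""

    def __init__(self):
        self.types = {}      # class ID -> "Access", "Object" or "Target System"
        self.allowed = {}    # class ID -> set of allowed class IDs

    def define(self, class_id, class_type):
        if class_type not in ("Access", "Object", "Target System"):
            raise ValueError(f"unknown class type: {class_type}")
        if class_id in self.types:
            raise ValueError(f"class already defined: {class_id}")
        # Only one class of the type Target System is accepted.
        if class_type == "Target System" and class_type in self.types.values():
            raise ValueError("a class of type Target System already exists")
        self.types[class_id] = class_type
        self.allowed[class_id] = set()

    def allow(self, owner, other):
        # The other class must belong to the opposite type of access and object.
        if OPPOSITE.get(self.types[owner]) != self.types[other]:
            raise ValueError(f"{owner} and {other} are not of opposite types")
        # Entries are symmetrical: the counterpart is created automatically.
        self.allowed[owner].add(other)
        self.allowed[other].add(owner)

    def can_pair(self, access_class, object_class):
        return (self.types.get(access_class) == "Access"
                and self.types.get(object_class) == "Object"
                and object_class in self.allowed[access_class])

    def rejected_pairs(self, matrix):
        """(access class, object class) pairs of a matrix that are not allowed."""
        return [pair for pair in matrix if not self.can_pair(*pair)]


def build_insurance_registry():
    registry = ClassRegistry()
    for class_id in ("C-Life", "C-Estate", "C-Car"):
        registry.define(class_id, "Object")
    for class_id in ("T-General", "T-Life", "T-Estate", "T-Car"):
        registry.define(class_id, "Access")
    registry.define("OTHER", "Target System")   # constructed class ID
    for kind in ("Life", "Estate", "Car"):
        registry.allow("C-" + kind, "T-General")
        registry.allow("C-" + kind, "T-" + kind)
    return registry


if __name__ == "__main__":
    registry = build_insurance_registry()
    print(sorted(registry.allowed["T-General"]))
    # Constructed access matrix of a resource group connection.
    print(registry.rejected_pairs([("T-General", "C-Car"), ("T-Estate", "C-Car")]))
```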
Class Attributes and their Values
The following text summarizes the relationships between rule attributes, class attributes, their
values, and their defaults. This summary is necessary because in this topic several business
object types and dependants play together, each of which is documented with its own purpose
in focus.
Rules are dependants of access resources and object resources, for which they represent conditions determining how the respective resource can exist. The rule itself is just a framework
or container; only the attributes of a rule determine the left-side operands of the condition,
and only the values of an attribute determine the right-side operands.
Attributes exist as basic attribute definition in an attribute pool, implemented as dependants
of the aConnect target system. Any attribute assigned to any business object - the resources
mentioned above as well as accounts and groups - must first be defined in this pool.
Attributes in the pool belong to a certain class. This class membership determines to which
resources an attribute can be assigned as dependant of a rule: A resource of the class X can
only have attributes of the same class assigned under its rules, while the rules themselves are
classless.
Attributes in the pool also have value/value range entries which determine the values and
value ranges valid for an assigned attribute, i.e. for a dependant of a rule in a resource.
Attributes in the pool finally have two switches, which are the key factors in the interplay of rules, attributes, and values. In SAM's graphical user interface (GUI), these
switches are of course checkboxes:
The checkbox SAM Enterprise User Manual: Attribute Mandatory in Resource determines
whether the attribute is automatically assigned to every rule of any resource in the same
class as the attribute: If the checkbox is marked, each rule created for a resource in the same
class automatically receives this attribute as an assignment.
If the checkbox is unmarked, the attribute can still be assigned, but then as an explicit
administrator action, rather than an automatic function.
The checkbox SAM Enterprise User Manual: Valid Values Mandatory has a basic effect and
an implicit effect: A marked checkbox specifies that this attribute can only have values within
the boundaries expressed by the value/range definitions in the attribute pool. This is the basic
effect.
An attribute with this checkbox unmarked can be set to any value, and value/range entries
in the pool represent just suggestions or planning aids but no constraints.
The implicit effect is that, when automatically assigning the attribute to a rule in a resource,
a valid value/range must be set; otherwise the automatic assignment would violate the value
constraint in the attribute definition. The default value/range used for this situation is part
of the attribute definition and stored in the three fields
Default Operator
Default From Value
Default To Value
In the rule of the resource, the automatically assigned attribute is a child object of the rule,
and the automatically assigned valid value/range is a child object of the attribute assignment,
i.e. a grandchild object of the rule. The above three fields correspond to the following fields
in the aConnect <type> resource rule attribute value objects:
Operator
Value From
Value To
It should be obvious that the default values in the attribute definition must match the value
constraints in the same definition.
When clearing a previously set checkbox Valid Values Mandatory, neither the three default
fields nor the dependent value/range specifications are deleted, but from this moment on they
are unused - until the checkbox is marked again.
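The interplay of the two checkboxes and the three default fields, as an added sketch that is not code from SAM or from the manual: a consistency check for attribute definitions and the automatic assignment performed when a rule is created. The operator names EQ and RANGE, the integer values, the attribute IDs and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class ValueRange:
    """One value/range entry (Operator, Value From, Value To)."""
    operator: str                    # assumed operator names: "EQ" or "RANGE"
    value_from: int
    value_to: Optional[int] = None

    def bounds(self):
        if self.operator == "EQ":
            return self.value_from, self.value_from
        if self.operator == "RANGE" and self.value_to is not None:
            return self.value_from, self.value_to
        raise ValueError(f"unsupported value/range entry: {self}")

    def covers(self, other):
        low, high = self.bounds()
        other_low, other_high = other.bounds()
        return low <= other_low and other_high <= high


@dataclass
class AttributeDefinition:
    attr_id: str
    class_id: str
    mandatory_in_resource: bool = False      # checkbox Attribute Mandatory in Resource
    valid_values_mandatory: bool = False     # checkbox Valid Values Mandatory
    constraints: List[ValueRange] = field(default_factory=list)
    default: Optional[ValueRange] = None     # the three default fields


def lint(definition):
    """Problems that would make an automatic assignment violate the constraints."""
    if not definition.valid_values_mandatory:
        return []                            # constraints and defaults are unused
    problems = []
    if definition.default is None:
        if definition.mandatory_in_resource:
            problems.append("no default for automatic assignment")
    elif not any(c.covers(definition.default) for c in definition.constraints):
        problems.append("default outside value constraints")
    return problems


def create_rule(resource_class, pool):
    """New rule for a resource: attribute ID -> automatically assigned values."""
    rule = {}
    for definition in pool:
        if definition.class_id != resource_class or not definition.mandatory_in_resource:
            continue
        if definition.valid_values_mandatory:
            problems = lint(definition)
            if problems:
                raise ValueError(f"{definition.attr_id}: {problems[0]}")
            rule[definition.attr_id] = [definition.default]
        else:
            rule[definition.attr_id] = []    # assigned without a value child
    return rule


# Constructed attribute definitions.
POOL = [
    AttributeDefinition("CONTRACT.BRANCH", "C-Life", True, True,
                        [ValueRange("RANGE", 100, 199)], ValueRange("EQ", 100)),
    AttributeDefinition("CONTRACT.TIER", "C-Life", True, True,
                        [ValueRange("EQ", 1), ValueRange("EQ", 2)], ValueRange("EQ", 3)),
    AttributeDefinition("CONTRACT.NOTE", "C-Life", True, False,
                        [ValueRange("EQ", 1)], ValueRange("EQ", 9)),
    AttributeDefinition("CONTRACT.REGION", "C-Car", True, True,
                        [ValueRange("RANGE", 1, 5)], ValueRange("RANGE", 2, 3)),
]

if __name__ == "__main__":
    for definition in POOL:
        print(definition.attr_id, lint(definition))
```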

Role-Based Objects
The object category Role-based comprises those business objects in SAM Enterprise that are
used for role-based access control (RBAC). These objects imply a certain mode of control over
accounts as the objects representing users in specific systems.
Conceptually, role-based objects reside at enterprise level. However, in order to establish
control over accounts, these objects require a system-specific instance in the same system in
which the account is defined.

Roles
The business object type role belongs to the enterprise level and appears the same for any
target system interface. However, the purpose of roles is to provide group connections, and this
indeed implies image level objects - system-specific group connections for roles. This section
documents the two types of aConnect group connections for roles.
Providing group connections is the only function of roles. This is why the roles themselves
are not represented at image level. In contrast to user policy accounts, roles provide neither
attribute values nor dependent data. Nonetheless, roles can cause the creation of accounts:
When a user is connected to a role, SAM duplicates the role's group connections for the
user's accounts.
If a user does not yet have an account in any involved systems, SAM creates the account
automatically. In the case of user policy assignment, SAM uses the user policy account
as prototype. For roles, SAM uses the system-specific account defaults.
aConnect Group Connections (Role)
The business object type aConnect group connection (role) represents a relationship between an aConnect group and a role. The connection grants the group's access rights to the
accounts belonging to the role's assigned users. The diagram below shows the relationships
between aConnect group connections for roles and other business objects.

In SAM terminology, group connections are image objects because they mirror the data structures
in a specific type of target system. This is also true for connections to roles, although these
connections exist only in SAM and not in the target system.
aConnect group connections for roles have no dependent objects, which is in contrast to all other
group connections in SAM aConnect. They have relationships to two other necessary objects:
a role and an aConnect group. Both must exist before the group connection can be created.
The relationship between a role and a group is not symmetrical. A group connection can be
created and deleted only from the role side. SAM's graphical user interface (GUI) shows such
connections as dependents of groups, but only for viewing purposes.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group connection:
aConnect group connection (account)
An aConnect account's assignment to an aConnect group.
aConnect group connection (account template)
A customer-specific prototype for creating aConnect group connections (account).
aConnect group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect group connections (account).
aConnect group connection (role)
A role's prototype for creating and controlling aConnect group connections (account).
aConnect Group Connections (Role) General Data An aConnect group connection for
a role consists of one element. This item contains general data about the connection.
See SAM Enterprise Business Object Reference: Administering Group Connections (Role) for
a summary of functions for creating, modifying, and deleting such business objects. These
functions apply to aConnect group connections for roles as described.
aConnect Generic Group Connections (Role)
The generic version of an aConnect group connection for a role can be defined only through a
target system set. The generic connection serves as a prototype for normal aConnect group
connections for accounts in the target systems that are elements in the TS set. There are two
implicit conditions for generic group connections for roles:
The group must reside in the set's reference system.
The group connection must be done toward the TS set, appearing as a generic target
system, rather than directly toward the reference system.
Note: The role can receive a connection to the same group directly toward the reference system.
However, the result is then a normal (discrete) group connection for the role, and none of the
details discussed apply in this case.
The following example outlines how a generic group connection for a role is used and where the
involved business objects appear as physical occurrences:
1. Assume there is a TS set SET-1. This set has three target systems as elements - ACON-A,
ACON-B, and ACON-C. All three of them are aConnect target systems. The set's reference
system is ACON-A.
Note: A TS set can only have elements of the same target system type, here aConnect.
2. Assume there is a role PROJECT1. Now the administrator connects this role with the group
TEAM23 by specifying SET-1 as the TS set ID.
Because SET-1 identifies a TS set, SAM evaluates the set's reference system - here ACON-A
- and checks whether the group TEAM23 is defined in the system. This provided, the group
connection is created. From its definition through a TS set, it automatically becomes
generic.
3. The new group connection has no effects yet. It exists only in SAM. Logically, you can
consider the connection as stored under the set's reference system ACON-A. Physically,
however, this occurrence is in the same table as all other aConnect group connections.
4. Now the administrator assigns the role PROJECT1 to the user CLARK. The user CLARK then
automatically receives all discrete group connections the role offers. However, generic
objects are not passed on automatically.
The generic account establishes a pool of target systems in which the user CLARK can
receive group connections according to the assigned role. This pool includes the systems
ACON-A, ACON-B, and ACON-C.
5. The administrator now assigns another aConnect target system as an element of the TS
set SET-1 - the system ACON-D. The new element increases the pool by one. This causes
no immediate changes for the controlled user CLARK.
6. Now the administrator returns to the user CLARK and selects two systems from the pool -
ACON-B and ACON-D. SAM performs this order as follows:
First, SAM checks whether the user CLARK is already represented with an account
in these systems. If not, accounts are created using the system-specific account
defaults as prototype.
SAM then connects these accounts with the groups TEAM23 in the respective systems
by creating normal aConnect group connections for the accounts.
The new normal aConnect group connections for the accounts reside in the respective systems
as if created by some other method. However, in contrast to a directly created connection, they
depend on the involved conditions. For example, any of the following events causes the deletion
of the connection between the account CLARK and the group TEAM23 in the system ACON-B:
The role PROJECT1 loses the connection to the group TEAM23.
The role PROJECT1 is deleted.
The user CLARK loses the assignment to the role PROJECT1.
Removing the target system ACON-B from the set SET-1 is only possible if no active occurrences
refer to it. This event cannot result in the deletion of the group connection.
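
The lifecycle from steps 1 to 6 and the deletion events listed after them, replayed as a small Python model. This is an added example, not SAM code: the class and method names are hypothetical, and it assumes the group TEAM23 is defined in every system the administrator selects.

```python
from dataclasses import dataclass, field


@dataclass
class TSSet:
    reference: str                       # the set's reference system
    elements: set = field(default_factory=set)


class SamModel:
    """Toy model of generic role group connections; all names are hypothetical."""

    def __init__(self):
        self.ts_sets = {}        # set ID -> TSSet
        self.groups = set()      # (system, group) pairs defined in target systems
        self.generic = set()     # (role, set ID, group); exists only in SAM
        self.user_roles = set()  # (user, role) assignments
        self.accounts = set()    # (system, user)
        self.derived = {}        # (system, user, group) -> (role, set ID) it depends on

    def connect_role(self, role, set_id, group):
        # Step 2: only the set's reference system is checked for the group.
        ref = self.ts_sets[set_id].reference
        if (ref, group) not in self.groups:
            raise ValueError(f"{group} is not defined in reference system {ref}")
        self.generic.add((role, set_id, group))

    def pool(self, user):
        # Step 4: a generic connection only offers systems; nothing is passed on yet.
        return {system
                for role, set_id, _ in self.generic if (user, role) in self.user_roles
                for system in self.ts_sets[set_id].elements}

    def select(self, user, systems):
        # Step 6: create missing accounts, then normal (discrete) connections.
        offered = self.pool(user)
        for system in systems:
            if system not in offered:
                raise ValueError(f"{system} is not in the pool for {user}")
            self.accounts.add((system, user))  # no effect if the account exists
            for role, set_id, group in self.generic:
                if (user, role) in self.user_roles and system in self.ts_sets[set_id].elements:
                    self.derived[(system, user, group)] = (role, set_id)

    def _revoke(self, predicate):
        for key in [k for k, src in self.derived.items() if predicate(k, src)]:
            del self.derived[key]

    def disconnect_role(self, role, set_id, group):
        self.generic.discard((role, set_id, group))
        self._revoke(lambda k, src: src == (role, set_id) and k[2] == group)

    def delete_role(self, role):
        self.generic = {g for g in self.generic if g[0] != role}
        self.user_roles = {ur for ur in self.user_roles if ur[1] != role}
        self._revoke(lambda k, src: src[0] == role)

    def unassign_role(self, user, role):
        self.user_roles.discard((user, role))
        self._revoke(lambda k, src: k[1] == user and src[0] == role)

    def remove_element(self, set_id, system):
        # Refused while active occurrences refer to the system; never deletes them.
        if any(k[0] == system and src[1] == set_id for k, src in self.derived.items()):
            raise ValueError(f"{system} still has active connections from {set_id}")
        self.ts_sets[set_id].elements.discard(system)


def manual_scenario():
    """Replays steps 1-6 of the manual's example with its own IDs."""
    m = SamModel()
    m.ts_sets["SET-1"] = TSSet("ACON-A", {"ACON-A", "ACON-B", "ACON-C"})
    # Assumption: TEAM23 is defined in all four systems.
    m.groups = {(s, "TEAM23") for s in ("ACON-A", "ACON-B", "ACON-C", "ACON-D")}
    m.connect_role("PROJECT1", "SET-1", "TEAM23")   # step 2
    m.user_roles.add(("CLARK", "PROJECT1"))         # step 4
    m.ts_sets["SET-1"].elements.add("ACON-D")       # step 5
    m.select("CLARK", ["ACON-B", "ACON-D"])         # step 6
    return m
```

The `derived` map is what an access review would inspect: it records, for every discrete connection, the role and TS set whose loss removes it.
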
aConnect Generic Group Connections (Role) General Data
An aConnect generic group connection for a role consists of one occurrence. This item contains
general data about the connection.
See SAM Enterprise Business Object Reference: Administering Generic Group Connections
(Role) for a summary of the functions for creating, modifying, and deleting such objects. These
functions apply to aConnect generic group connections for roles as described.
aConnect Joker Group Connections (Role)
The business object type aConnect joker group connection (role) represents a relationship
between an aConnect joker group and a role. The connection has the effect that a customer-specific
program determines which normal aConnect group connection should be given to any
particular aConnect account of the users to which the role is assigned, with none at all
being a valid result. The diagram below shows the relationships between aConnect joker group
connections for roles and other business objects.

It is a matter of perspective whether joker group connections - and joker groups themselves -
should be called enterprise objects or image objects. The following table allows you to form
your own opinion:
Concerning business object ID, Import Interface transaction, data panel and help IDs, there
is just one object called joker group connection, and the BO ID prefix is Base, which
otherwise is exclusively used for enterprise data. These facts indicate an enterprise object
which, for some reason, has an attribute called TS ID.
Joker group connections are asymmetrical, meaning they can only be administered from within
the role's context. This fact is neutral and does not imply anything because the same is true
for normal group connections of a role, which are definitely image objects.
The attribute TS ID is a key attribute. The group connection that results from the associated
customer-specific program can only be a connection to an aConnect group (or none at all).
These facts indicate an image object which, for some reason, is structurally the same in all
target system interfaces.
Only roles can connect to joker groups, so joker group connection and joker group connection
(role) mean the same. Joker group connections have no dependent objects. They have relationships to two other necessary objects: a role and a joker group. Both must exist before the joker
group connection can be created.
The relationship between a role and a joker group is not symmetrical. A joker group connection
can be created and deleted only from the role side. SAM's graphical user interface (GUI) shows
such connections as dependants of joker groups, but only for viewing purposes.

aConnect Joker Group Connections (Role) General Data
An aConnect joker group connection consists of one occurrence. This item contains the general
data about the connection.
See SAM Enterprise Business Object Reference: Administering Joker Group Connections (Role)
for a summary of functions for creating, modifying, and deleting such objects. These functions
apply to aConnect joker group connections for roles as described.

aConnect Generic Joker Group Connections (Role)


The generic version of an aConnect joker group connection follows the same principles as fully
discussed in Generic Group Connections for normal groups. The only difference between a
generic group connection and a generic joker group connection is this:
When the administrator selects an entry from the pool that is formed by the elements in the
referenced target system set, the effect is not an immediate normal group connection. Instead,
the customer-specific program is called as in all other cases of joker group assignment, and only
the program's decision yields a normal group connection - or none at all, which is a valid result
here as in any other joker group resolution.

aConnect Generic Joker Group Connections (Role) General Data
An aConnect generic joker group connection for a role consists of one occurrence. This item
contains general data about the connection.
See SAM Enterprise Business Object Reference: Administering Generic Joker Group Connections (Role) for a summary of the functions for creating, modifying, and deleting such objects.
These functions apply to aConnect generic group connections for roles as described.
Templates
The object category Template comprises those business objects in SAM Enterprise that serve
as prototypes and blueprints when creating normal objects of the respective type. Templates
have the following characteristics:
A template can include everything that is needed to represent a certain prototype. For
example, a template can include connections to other business objects. Templates can provide
attribute values, dependent data, and connections to other business objects, if available for a
template type.
A template is always a customer-defined business object. SAM Enterprise is delivered without
standard templates.
A template must be explicitly specified when creating an object. When creating an object
without specifying a template, SAM Enterprise uses the respective defaults object, which is a
manufacturer-provided prototype. However, defaults objects cannot provide dependent data
or connections to other objects.
A template does not retain control over the objects created by copying it. After an object is
created using a template, the object and template can change without affecting each other.
This is in contrast to role-based objects which combine a template-like aspect with a control
function.
When discussing users and their accounts, templates and user policies seem very similar. The
following table summarizes their common factors and differences using user policy accounts and
account templates as example:
Aspect: Function
User Policy Account: Template and control instance
Account Template: Template

Aspect: Usage
User Policy Account: Used when the administrator assigns the user policy to a user. The user then receives versions of all accounts defined for the user policy. If some accounts already exist, they are reshaped to match the policy account.
Account Template: Used when the administrator creates an account without role-based administration but with a certain structure in mind. The template must be explicitly specified in the creation order.

Aspect: Initial count
User Policy Account: None, right after SAM installation.
Account Template: None, right after SAM installation.

Aspect: Administration
User Policy Account: Can be created, modified, and deleted.
Account Template: Can be created, modified, and deleted.

Aspect: Interfaces
User Policy Account: Supported in the GUI and in the Import Interface.
Account Template: Supported in the GUI and in the Import Interface.

Aspect: Dependants
User Policy Account: Can have dependants like the respective normal business object. A normal object created by copying the policy account also receives the same dependants.
Account Template: Can have dependants like the respective normal business object. A normal object created by copying the template also receives the same dependants.

Aspect: Connections
User Policy Account: Can have connections (to groups or resources) like the respective normal business object. A normal object created by copying the policy account also receives the same connections.
Account Template: Can have connections (to groups or resources) like the respective normal business object. A normal object created by copying the template also receives the same connections.

Aspect: Control
User Policy Account: The user policy retains control over the normal objects built according to the policy account. A value can be changed directly at the normal account only if the user policy account does not control the attribute.
Account Template: No control function. Subsequent changes in the template have no effect for created objects. Changes in the created objects can be made without affecting the template.

aConnect Account Templates

The business object type aConnect account template represents a customer-specific prototype and blueprint for creating normal aConnect accounts. The diagram below shows the
relationships between aConnect account templates and other business objects:
In SAM terminology, accounts are image objects because they mirror the data structures in a
specific type of target system. This is also true for account templates, although they exist only
in SAM and not in the target system itself. SAM uses the following business objects to represent
aConnect account templates:
aConnect account template general data
aConnect account template attributes
aConnect account template attribute values
aConnect account templates have two mandatory relationships to business objects at enterprise
level:
Each aConnect account template belongs to a user template - the one for which it serves
as the blueprint when creating normal aConnect accounts in the respective target system.
Each aConnect account template is defined in a specific aConnect target system - the one
in which it can act as a prototype for normal accounts.
At image level, an aConnect account template can have relationships to the following objects,
always for the purpose of receiving access rights that will be granted to the normal accounts
that are created after the account template:
A connection to an aConnect group grants the access rights given to that group.
A connection to a pair of resource groups - an aConnect access resource group and an
aConnect object resource group - grants direct access rights to the resources that are members
in these resource groups.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
account:
aConnect account
The representation of a user in an aConnect target system.
aConnect account template
A customer-specific prototype for creating aConnect accounts.
aConnect account defaults
The manufacturer-provided default prototype for creating aConnect accounts.
aConnect Account Template General Data
The business object aConnect account template general data is the main object of an account
template in an aConnect target system. It contains general information about the template,
such as the template ID, the access codes for the template itself and for the created accounts,
etc.
See SAM Enterprise Business Object Reference: Administering Account Templates for a summary of functions for creating, modifying, and deleting such objects. These functions apply to
aConnect account templates as described.
aConnect Account Template Attributes
The business object aConnect account template attribute defines an attribute assignment for
the owning account template, with the purpose to establish the same assignment in all normal
accounts that are created using this template. An account can have any number of attributes
assigned, as long as these assignments meet the following conditions:
The attribute can cover any purpose. Typically, an account attribute defines access-relevant
information. For example, an attribute Limit might specify the maximum transaction value
up to which a particular user is authorized without requiring an approval from another person
in the organization.
It is only possible to assign attributes that are defined in the target system. This means that
the same attribute must be defined in any of the classes of the target system.
A particular attribute, which is defined by its attribute ID and by the class to which it
belongs, can be assigned only once. Additional variations can be specified only at attribute
value level.
Under the conditions mentioned above, it is possible to manually assign any attribute that
is defined in the target system and appears in the selection list for the assignable attributes.
However, in a well configured target system, important account attributes are assigned automatically when creating the account. This effect is achieved through attribute references
that are defined in the target system. See Automatic Attribute Assignments for a detailed
discussion of this topic.

See SAM Enterprise Business Object Reference: Administering Account Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect account template attributes, the functions listed under Multiple Dependants are
applicable with the restrictions as explained above.

aConnect Account Template Attribute Values


The business object aConnect account template attribute value defines the owning account
template's value for the owning attribute. If the attribute is defined with a value range or a list of
valid values, the value here must meet this condition.
If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to an account or account template must hold at least one
attribute value. Whether an account template can have more than one value for the same
attribute assignment depends on the attribute definition.
See SAM Enterprise Business Object Reference: Administering Account Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect account template attribute values, the functions listed under Single Dependants
or those listed under Multiple Dependants can be applicable, depending on the attribute nature.

aConnect Group Connections (Account Template)


The business object aConnect group connection (account template) represents a relationship between an aConnect group and an aConnect account template. When using the account template
for creating a normal account, the account receives a connection to the same group and the access rights held by the group. The diagram below shows the relationships between aConnect
group connections for account templates and other business objects.
In SAM terminology, group connections are image objects because they mirror the data structures in a specific type of target system. This is also true for connections to account templates,
although they only exist in SAM and not in the target system. SAM uses the following business
objects to represent aConnect group connections for account templates:
aConnect group connection (role) general data
aConnect group connection (role) attribute
aConnect group connection (role) attribute value
aConnect group connections for account templates have relationships to two other necessary
objects: an aConnect account template and an aConnect group. Both must exist before the
group connection can be created.
The relationship between an account template and a group is not symmetrical. A group connection
can be created and deleted only from the template side. SAM's graphical user interface
(GUI) shows such connections also as dependents of groups, but only for viewing purposes.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group connection:
aConnect group connection (account)
An aConnect account's assignment to an aConnect group.
aConnect group connection (account template)
A customer-specific prototype for creating aConnect group connections (account).
aConnect group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect group connections (account).
aConnect group connection (role)
A role's prototype for creating and controlling aConnect group connections (account).
aConnect Group Connections (Account Template) General Data
The business object aConnect group connection (account template) general data is the main object
of a group connection for an account template in an aConnect target system. It contains general
information about the connection, such as the template and the group ID, the access code for the
template and for the created object, etc.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Template) for a summary of functions for creating, modifying, and deleting such objects. These
functions apply to aConnect group connections for account templates as described.
aConnect Group Connections (Account Template) Attributes
The business object aConnect group connection (account template) attribute defines an attribute
assignment for the owning group connection. A group connection can have any number of attributes
assigned, as long as these assignments meet the following conditions:
The attribute can cover any purpose. Typically, a group connection attribute defines access-relevant
information. For example, an attribute Limit might specify the maximum transaction value
up to which a particular user is authorized without requiring an approval from
another person in the organization. If such an attribute is assigned to a group connection, it
applies to the data objects that are accessible through this group connection, rather than to
the user in general.
It is only possible to assign attributes that are defined in the target system. This means that
the same attribute must be defined in any of the classes of the target system.
A particular attribute, which is defined by its attribute ID and by the class to which it
belongs, can be assigned only once. Additional variations can be specified only at attribute
value level.
Under the conditions mentioned above, it is possible to assign any attribute that is defined
in the target system and appears in the selection list for the assignable attributes. When
using the template to create normal group connections, the same attribute is assigned to the
created connection. However, in a well configured target system, important group connection
attributes are assigned automatically when creating the connection. This effect is achieved
through attribute references that are defined in the target system. See Automatic Attribute
Assignments for a detailed discussion of this topic.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Template) for a summary of functions for creating, modifying, and deleting such objects and their
dependent data. For aConnect group connection (account template) attributes, the functions
listed under Multiple Dependants are applicable with the restrictions as explained above.
aConnect Group Connections (Account Template) Attribute Values
The business object aConnect group connection (account template) attribute value defines the
owning group connection's value for the owning attribute. If the attribute is defined with a value
range or a list of valid values, the value here must meet this condition.
If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to a group connection must hold at least one attribute value.
Whether a group connection can have more than one value for the same attribute assignment
depends on the attribute definition.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Template) for a summary of functions for creating, modifying, and deleting such objects and
their dependent data. For aConnect group connection (account template) attribute values, the
functions listed under Single Dependants or those listed under Multiple Dependants can be
applicable, depending on the attribute nature.
aConnect Resource Group Connections (Account Template)
The business object aConnect resource group connection (account template) represents a relationship between an aConnect resource group and an aConnect account template. When using
the account template for creating a normal account, the account receives a connection to the
same resource group and the access rights held by the resource group. The diagram below shows
the relationships between aConnect resource group connections for account templates and other
business objects.

In SAM terminology, resource group connections are image objects because they mirror the
data structures in a specific type of target system. This is also true for connections to account
templates, although they only exist in SAM and not in the target system. SAM uses the following
business objects to represent aConnect resource group connections for account templates:
aConnect group connection (role) general data
aConnect group connection (role) authorization
aConnect resource group connections for account templates have relationships to the three necessary objects that are already indicated by the name: an aConnect account template, an aConnect
access resource group, and an aConnect object resource group. All three of them must exist
before the connection can be created.
The relationship between account templates and resource groups in SAM is asymmetrical. This
is because at the resource group side there must always be a pair with one resource group of
either type, access and object. However, despite this asymmetrical nature, SAM's graphical
user interface (GUI) presents such connections as dependants for each of the three involved
business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect account's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect group's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (group template)
A customer-specific prototype for creating aConnect resource group connections (group).
aConnect resource group connection (group defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (group).
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Resource Group Connections (Account Template) General Data
The business object aConnect resource group connection (account template) general data is the main
object of a resource group connection for an account template in an aConnect target system.
It contains general information about the connection, such as the template and the resource
group IDs, the access code, etc. From the application perspective, the connection alone - without
authorizations as dependants - is equivalent to an empty access matrix in which the access
resources represent the rows and the object resources represent the columns.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account Template) for a summary of functions for creating, modifying, and deleting such
business objects. These functions apply to aConnect resource group connections for account
templates as described, however under the additional condition that this is a triple connection
in which there is always a balanced pair of resource groups - access and object - at the other
side.

aConnect Resource Group Connections (Account Template) Authorizations
The business object aConnect resource group connection (account template) authorization defines a
single authorization in the access matrix that is represented by the resource group connection
altogether and in which access resources appear as rows and object resources appear as columns.
A particular authorization defines the following:
the access resource as the authorized access path
the object resource as the authorized data
a start date (optional)
an end date (optional)

Other details of the authorized access methods are expressed in the resources themselves, more
specifically in their rules. The rules may refer to attributes of the accessing group, the accessing
account, or the group connection through which an account can use a group's access rights.
For any particular pair of access resource and object resource, a resource group connection can
have just one authorization. This provided, a resource group connection can have any number
of authorizations, up to a completely filled access matrix as the maximum.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account Template) for a summary of functions for creating, modifying, and deleting such
business objects and their dependent data. For aConnect resource group connection (account
template) authorizations, the functions listed under Multiple Dependants are applicable.
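
The access matrix described above, modelled in Python with one authorization per pair of access resource and object resource and optional validity dates. This is an added example, not SAM code: the class names, the resource IDs and the dates are constructed, and treating both dates as inclusive is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    access: str                    # access resource: the authorized access path
    obj: str                       # object resource: the authorized data
    start: Optional[date] = None   # optional start date
    end: Optional[date] = None     # optional end date

    def active_on(self, day):
        # Assumption: both dates are inclusive; a missing date means unbounded.
        return ((self.start is None or self.start <= day)
                and (self.end is None or day <= self.end))


class ResourceGroupConnection:
    """Connection to a pair of resource groups, seen as an access matrix."""

    def __init__(self, access_resources, object_resources):
        self.rows = list(access_resources)   # members of the access resource group
        self.cols = list(object_resources)   # members of the object resource group
        self.cells = {}                      # (access, obj) -> Authorization; empty at creation

    def authorize(self, access, obj, start=None, end=None):
        if access not in self.rows or obj not in self.cols:
            raise KeyError("resource is not a member of the connected resource groups")
        if (access, obj) in self.cells:
            raise ValueError("this pair already has its one authorization")
        if start and end and end < start:
            raise ValueError("end date precedes start date")
        self.cells[(access, obj)] = Authorization(access, obj, start, end)

    def is_authorized(self, access, obj, day):
        auth = self.cells.get((access, obj))
        return auth is not None and auth.active_on(day)

    def filled(self):
        """(authorizations defined, size of the completely filled matrix)."""
        return len(self.cells), len(self.rows) * len(self.cols)

    def render(self, day):
        """One line per access resource: X active, o defined but inactive, . none."""
        lines = []
        for a in self.rows:
            marks = []
            for o in self.cols:
                auth = self.cells.get((a, o))
                marks.append("." if auth is None else "X" if auth.active_on(day) else "o")
            lines.append(f"{a}: {' '.join(marks)}")
        return lines


def sample_connection():
    """Constructed sample: two access resources, two object resources."""
    conn = ResourceGroupConnection(["TXN-READ", "TXN-APPROVE"], ["CONTRACTS", "INVOICES"])
    conn.authorize("TXN-READ", "CONTRACTS")
    conn.authorize("TXN-APPROVE", "CONTRACTS",
                   start=date(2014, 9, 1), end=date(2014, 12, 31))
    return conn
```
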

aConnect Group Templates


The business object type aConnect group template represents a customer-specific prototype
and blueprint for creating normal aConnect groups. The diagram below shows the relationships
between aConnect group templates and other business objects:
In SAM terminology, groups are image objects because they mirror the data structures in a
specific type of target system. This is also true for group templates, although they exist only in
SAM and not in the target system itself. SAM uses the following business objects to represent
aConnect group templates:

aConnect group template general data
aConnect group template forbidden group
aConnect group template attribute
aConnect group template attribute value

aConnect group templates have one mandatory relationship to another business object at enterprise level. This is the aConnect target system to which they belong - the one in which they
can act as a prototype for normal groups.
In addition to this implicit relationship, an aConnect group template can have relationships to
pairs of resource groups with the purpose of receiving access rights that are given to every group
formed after the template. Such a pair always includes an aConnect access resource group
and an aConnect object resource group.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group:
aConnect group
A container structure for access rights in an aConnect target system.
aConnect group template
A customer-specific prototype for creating aConnect groups.
aConnect group defaults
The manufacturer-provided default prototype for creating aConnect groups.
aConnect Group Template General Data
The business object aConnect group template general data is the main object of a group template
in an aConnect target system. It contains general information about the group template, such
as the template ID, the access code for the template and for the created groups, etc.
See SAM Enterprise Business Object Reference: Administering Group Templates for a summary
of functions for creating, modifying, and deleting such business objects. These functions apply
to aConnect group templates as described.
aConnect Group Template Forbidden Groups
The business object aConnect group template forbidden group defines a condition of mutual
exclusion that applies to group connections for accounts in which groups formed after the owning
template are involved. An example may illustrate what this means:
Assume that a rule in an enterprise specifies that certain contracts must be approved by two
different people. The two approvals are called Approval A and Approval B.
Assume that there is a group APP-A that grants the necessary access rights for Approval
A, and another group APP-B that grants the necessary access rights for Approval B.
To establish the rule, the group APP-A needs a forbidden group entry for APP-B, and vice
versa the group APP-B needs one for APP-A.
Forbidden group entries are symmetrical by definition. In a relationship between two
groups, SAM aConnect would reflect this by automatically creating the counterpart. In
a relationship between a group template and a group, SAM aConnect reflects this by
creating the counterpart when creating a group with the template. For example, assume
a template TEMP-A with an entry that forbids GRP-B. When creating a group GRP-A
by using that template, SAM aConnect adds an entry under GRP-B that forbids
GRP-A.
Assume that an account has a group connection toward APP-A. This connection provides the
owning user with the necessary access rights to perform the first approval. When attempting
to provide a connection to the group APP-B, SAM aConnect refuses the creation with
reference to this forbidden group entry.
A forbidden group under a normal group is a group-to-group relationship, and a forbidden group
under a group template is a group template-to-group relationship. A group template can have
any number of forbidden groups, provided that the forbidden group is defined in the same target
system, and all entries refer to different groups.
See SAM Enterprise Business Object Reference: Administering Group Templates for a summary
of functions for creating, modifying, and deleting such business objects and their dependent data.
For aConnect group template forbidden groups, the functions listed under Multiple Dependants
are applicable.
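The behaviour described in this section, modelled as an added example (not SAM aConnect code): symmetric group-to-group entries, template entries whose counterpart appears only when a group is created, and the refused connection. The class, its methods, the account IDs and the audit helper are hypothetical.

```python
"""Model of forbidden-group handling as this section describes it.

Added illustration: TargetSystem and its methods are hypothetical names,
not SAM aConnect functions.
"""


class ForbiddenGroupError(Exception):
    """A group connection would combine two mutually exclusive groups."""


class TargetSystem:
    def __init__(self):
        self.forbidden = {}    # group ID -> set of group IDs it excludes
        self.templates = {}    # template ID -> set of forbidden group IDs
        self.connections = {}  # account ID -> set of connected group IDs

    def add_group(self, group_id):
        self.forbidden.setdefault(group_id, set())

    def _require_group(self, group_id):
        # A forbidden group must be defined in the same target system.
        if group_id not in self.forbidden:
            raise KeyError(f"group {group_id!r} is not defined in this target system")

    def forbid(self, group_a, group_b):
        """Group-to-group entry: the counterpart is created automatically."""
        self._require_group(group_a)
        self._require_group(group_b)
        self.forbidden[group_a].add(group_b)
        self.forbidden[group_b].add(group_a)

    def add_template(self, template_id, forbidden_groups=()):
        """Template-to-group entries stay one-sided until a group is created."""
        for group_id in forbidden_groups:
            self._require_group(group_id)
        # A set keeps every entry referring to a different group.
        self.templates[template_id] = set(forbidden_groups)

    def create_group_from_template(self, group_id, template_id):
        """Copy the template's entries and add the counterpart under each group."""
        entries = self.templates[template_id]
        self.add_group(group_id)
        for other in entries:
            self.forbid(group_id, other)

    def connect(self, account_id, group_id):
        """Create a group connection unless a forbidden-group entry refuses it."""
        self._require_group(group_id)
        held = self.connections.setdefault(account_id, set())
        conflicts = held & self.forbidden[group_id]
        if conflicts:
            raise ForbiddenGroupError(
                f"{account_id}: {group_id} is forbidden with {sorted(conflicts)}")
        held.add(group_id)

    def audit(self):
        """Added review check over this model: accounts holding a pair that is
        forbidden, e.g. because the entry was defined after both connections."""
        findings = []
        for account_id, held in sorted(self.connections.items()):
            for group_id in sorted(held):
                for other in sorted(held & self.forbidden[group_id]):
                    if group_id < other:  # report each pair once
                        findings.append((account_id, group_id, other))
        return findings


def demo():
    ts = TargetSystem()
    for group_id in ("APP-A", "APP-B", "GRP-B"):
        ts.add_group(group_id)
    ts.forbid("APP-A", "APP-B")           # two-person approval rule
    ts.connect("ACC-1", "APP-A")          # rights for Approval A are granted
    try:
        ts.connect("ACC-1", "APP-B")      # Approval B on the same account
        refused = False
    except ForbiddenGroupError:
        refused = True
    ts.add_template("TEMP-A", ["GRP-B"])
    before = set(ts.forbidden["GRP-B"])   # no counterpart yet
    ts.create_group_from_template("GRP-A", "TEMP-A")
    after = set(ts.forbidden["GRP-B"])    # counterpart now present
    return refused, before, after


if __name__ == "__main__":
    print(demo())
```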
aConnect Group Template Attributes
The business object aConnect group template attribute defines an attribute assignment for the
owning group template, with the purpose of providing a group that is created from this template
with the same assignment. A group can have any number of attributes assigned, as long as these
assignments meet the following conditions:
The attribute can cover any purpose. Typically, a group attribute defines access-relevant
information. For example, an attribute Limit might specify the maximum transaction value
up to which a particular user is authorized as far as these access rights are inherited from a
membership in that group.
It is only possible to assign attributes that are defined in the target system. This means that
the same attribute must be defined in any of the classes of the target system.
A particular attribute, which is defined by its attribute ID and by the class to which it
belongs, can be assigned only once. Additional variations can be specified only at attribute
value level.
Under the conditions mentioned above, it is possible to assign any attribute that is defined in
the target system and appears in the selection list for the assignable attributes. However, in
a well configured target system, important group attributes are assigned automatically when
creating the group. This effect is achieved through attribute references that are defined in the
target system. See Automatic Attribute Assignments for a detailed discussion of this topic.
See SAM Enterprise Business Object Reference: Administering Group Templates for a summary
of functions for creating, modifying, and deleting such business objects and their dependent data.
For aConnect group template attributes, the functions listed under Multiple Dependants are
applicable.
aConnect Group Template Attribute Values
The business object aConnect group template attribute value defines the owning group template's
value for the owning attribute. If the attribute is defined with a value range or a list of valid
values, the value here must meet this condition.

If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to a group or group template must hold at least one attribute
value. Whether a group template can have more than one value for the same attribute assignment
depends on the attribute definition.
See SAM Enterprise Business Object Reference: Administering Group Templates for a summary
of functions for creating, modifying, and deleting such business objects and their dependent data.
For aConnect group template attribute values, the functions listed under Single Dependants or
those listed under Multiple Dependants can be applicable, depending on the attribute nature.
aConnect Resource Group Connections (Group Template)
The business object aConnect resource group connection (group template) represents a relationship between an aConnect resource group and an aConnect group template. When using
the group template for creating a normal group, the group receives a connection to the same
resource group and the access rights held by the resource group. The diagram below shows
the relationships between aConnect resource group connections for group templates and other
business objects.

In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. This is also true for connections to group templates,
although they only exist in SAM and not in the target system. SAM uses the following business
objects to represent aConnect resource group connections for group templates:
aConnect group connection (role) general data
aConnect group connection (role) authorization
Resource group connections for group templates have relationships to the three necessary objects
that are already indicated by the name: an aConnect group template, an aConnect access
resource group, and an aConnect object resource group. All three of them must exist before the
connection can be created.
The relationship between group templates and resource groups in SAM is asymmetrical. This is
because at the resource group side there must always be a pair with one resource group of either
type, access and object. However, despite this asymmetrical nature, SAM's graphical
interface (GUI) presents such connections as dependants for each of the three involved business
objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect account's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect group's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (group template)
A customer-specific prototype for creating aConnect resource group connections (group).
aConnect resource group connection (group defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (group).
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Resource Group Connections (Group Template) General Data
The business object aConnect resource group connection (group template) general data is the main object
of a resource group connection for a group template in an aConnect target system. It contains
general information about the connection, such as the template and the resource group IDs, the
access code, etc. From the application perspective, the connection alone - without authorizations
as dependants - is equivalent to an empty access matrix in which the access resources represent
the rows and the object resources represent the columns.

See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group Template) for a summary of functions for creating, modifying, and deleting such business
objects. These functions apply to aConnect resource group connections for group templates as
described, however under the additional condition that this is a triple connection in which there
is always a balanced pair of resource groups - access and object - at the other side.

aConnect Resource Group Connections (Group Template) Authorizations
The business object aConnect resource group connection (group template) authorization defines a single
authorization in the access matrix that is represented by the resource group connection altogether and in which access resources appear as rows and object resources appear as columns. A
particular authorization defines the following:
the access resource as the authorized access path
the object resource as the authorized data
a start date (optional)
an end date (optional)

Other details of the authorized access methods are expressed in the resources themselves, more
specifically in their rules. The rules may refer to attributes of the accessing group, the accessing
account, or the group connection through which an account can use a group's access rights.
For any particular pair of access resource and object resource, a resource group connection can
have just one authorization. Within this limit, a resource group connection can have any number
of authorizations, up to a completely filled access matrix as the maximum.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group Template) for a summary of functions for creating, modifying, and deleting such business
objects and their dependent data. For aConnect resource group connection (group template)
authorizations, the functions listed under Multiple Dependants are applicable.
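The access matrix described above, modelled as an added example (not SAM aConnect code). Class, method and resource names are hypothetical, and treating start and end dates as inclusive is an assumption.

```python
"""Access matrix of a resource group connection, as this section describes it.

Added illustration with hypothetical names; not SAM aConnect code.
Assumption: start and end dates are inclusive, and a missing date leaves
that side of the validity period open.
"""
from datetime import date


class ResourceGroupConnection:
    def __init__(self, access_resources, object_resources):
        self.rows = tuple(access_resources)      # members of the access resource group
        self.columns = tuple(object_resources)   # members of the object resource group
        self.authorizations = {}                 # (access, object) -> (start, end)

    def authorize(self, access, obj, start=None, end=None):
        if access not in self.rows or obj not in self.columns:
            raise KeyError("resource is not part of this resource group pair")
        if (access, obj) in self.authorizations:
            raise ValueError("a pair can have just one authorization")
        if start and end and end < start:
            raise ValueError("end date precedes start date")
        self.authorizations[(access, obj)] = (start, end)

    def is_authorized(self, access, obj, on):
        window = self.authorizations.get((access, obj))
        if window is None:
            return False  # empty cell: no access through this connection
        start, end = window
        return (start is None or start <= on) and (end is None or on <= end)

    def render(self, on):
        """Matrix as text: X = valid on that day, o = defined but not valid, . = empty."""
        lines = []
        for access in self.rows:
            cells = []
            for obj in self.columns:
                if (access, obj) not in self.authorizations:
                    cells.append(".")
                else:
                    cells.append("X" if self.is_authorized(access, obj, on) else "o")
            lines.append(f"{access} " + " ".join(cells))
        return "\n".join(lines)

    def open_ended(self):
        """Review helper: authorizations that carry no end date."""
        return sorted(pair for pair, (_, end) in self.authorizations.items()
                      if end is None)


def demo():
    # Constructed sample: resource IDs and dates are invented for the example.
    conn = ResourceGroupConnection(["READ", "APPROVE"], ["CONTRACTS", "INVOICES"])
    conn.authorize("READ", "CONTRACTS")
    conn.authorize("APPROVE", "CONTRACTS",
                   start=date(2014, 1, 1), end=date(2014, 6, 30))
    return conn, conn.render(date(2014, 8, 5))


if __name__ == "__main__":
    print(demo()[1])
```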

aConnect Access Resource Templates


The business object type aConnect access resource template represents a customer-specific
prototype and blueprint for creating normal aConnect access resources. The diagram below
shows the relationships between aConnect access resource templates and other business objects:

In SAM terminology, access resources are image objects because they mirror the data structures
in a specific type of target system. This is also true for access resource templates, although they
exist only in SAM and not in the target system itself. SAM uses the following business objects
to represent aConnect access resource templates:

aConnect access resource template general data
aConnect access resource template rule
aConnect access resource template rule attribute
aConnect access resource template rule attribute value

aConnect access resource templates have one mandatory relationship to another business object
at enterprise level. This is the aConnect target system to which they belong - the one in which
they can act as a prototype for normal access resources.
In addition to this implicit relationship, an access resource template can have relationships to
access resource groups with the purpose of creating the same relationships for the normal access
resources that are formed after the owning template.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource:
aConnect access resource
A representative for data access functions in an aConnect target system.
aConnect access resource template
A customer-specific prototype for creating aConnect access resources.
aConnect access resource defaults
The manufacturer-provided default prototype for creating aConnect access resources.
aConnect Access Resource Template General Data
The business object aConnect access resource template general data is the main object of an
access resource template in an aConnect target system. It contains general information about
the resource template, such as the resource class, the template ID, the access codes for the
template and for the created resource, etc.
An aConnect access resource template must belong to a class for access resources. This means
that the class that is specified when creating the access resource template must be found in the
list of aConnect target system classes, and must have the type Access.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects. These functions apply to
aConnect access resource templates as described.
aConnect Access Resource Template Rules
The business object aConnect access resource template rule defines a set of conditions for the
owning access resource template. This can always be understood as an access restriction that
will apply to the access resources created by copying the template. Depending on the nature
of the represented functions, it may also be understood as a resource-defining condition. The
following details clarify how to distinguish between real-world functions and access resources on
one hand and the various levels of conditions on the other hand:
A particular access resource is hardly ever equivalent to one specific access function. In an
environment in which unconditional access rights can be granted for specific functions or
programs, SAM aConnect is rarely required.
Instead, the access resource defines an access profile, and any function that meets this profile
under given circumstances can be a valid real-world equivalent. For example, such a profile
might be specified as any transaction in the CLK17* category, as long as the transaction
value does not exceed 10.000.
A rule is a set of conditions that are combined in a logical AND. The above profile can be
reflected in one rule. This rule would contain two attributes, one for the transaction category
and one for the transaction value. The condition operator for the first attribute would be =
and that for the second would be <. The value for the first attribute would be CLK17*
and that for the second would be 10.000 (or 10.001, to be most accurate with the LESS
operator).
The same access resource might contain several rules. Each of them represents another condition set, and these sets are combined in a logical OR. Whether several independent condition
sets are reflected in one resource with several rules or in several resources with one rule for
each of them is a matter of taste and of additional environment conditions.
A rule with its attributes, their comparison operators and values is always both a defining
condition for the resource and an access restriction that establishes an upper limit for any
access right that might be granted toward the resource through resource group connections.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect access resource template rules, the functions listed under Multiple Dependants
are applicable.
aConnect Access Resource Template Rule Attributes
The business object aConnect access resource template rule attribute defines a single condition
within the owning rule by specifying the following:
the involved attribute and
the comparison operator for the condition
For each of its rules, an access resource or access resource template can have any number of
attributes assigned, as long as these assignments meet the following conditions:
Each attribute reflects an elementary condition within the owning rule, which is defined by
the sum of all conditions combined in a logical AND. This implies that a useful rule cannot
combine attribute conditions that are mutually exclusive in a logical sense.
It is only possible to assign attributes that are defined in the target system and in the same
class to which the owning access resource or template belongs.
A particular attribute can be assigned only once. A real-world condition in which the same
attribute occurs several times in a logical OR combination is reflected either with several values
under the rule attribute or with several rules, each of them containing the same attribute once.
See SAM Enterprise Business Object Reference: Administering Resources Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect access resource template rule attributes, the functions listed under Multiple Dependants are applicable.
aConnect Access Resource Template Rule Attribute Values
The business object aConnect access resource template rule attribute value defines a value constraint for the owning attribute within the owning rule of the owning access resource template.
The following example illustrates how this third level of dependency is used in the normal access
resources that are created by copying the template:
Assume that an access resource is supposed to represent the profile any transaction in the
CLK17* category, as long as the transaction value does not exceed 10.000.
The access resource needs one rule to represent this profile, because the elementary conditions
within a rule are combined in a logical AND.
This rule needs two rule attributes, one for the transaction category and one for the maximum
value. Note: A rule attribute also defines the comparison operator that is applied toward
the values.
Each of the two rule attributes has one attribute value. The value for the first attribute
is CLK17*, and the value for the second attribute is 10.000 or 10.001, depending on which
comparison operator is used, LESS THAN or LESS THAN OR EQUAL.
If the switch Valid Values Mandatory is set for the owning rule attribute, the value here
must also match any of the valid value definitions for the attribute. Otherwise, the valid value
definitions represent suggestions, and any other value is valid as well.
Each rule attribute needs at least one rule attribute value. Whether multiple values are allowed
depends on the operator (and perhaps also on the attribute). Multiple values are only meaningful
with the EQUAL operator to express alternatives that are combined in a logical OR.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect access resource template rule attribute values, the functions listed under Single
Dependants or those listed under Multiple Dependants can apply, depending on the implicit
condition.
aConnect Access Resource Group Connections
The business object aConnect access resource group connection template represents
a connection between an aConnect access resource template and an aConnect access resource
group, with the purpose of providing the same connection to normal access resources that are
formed after the template. Such connections are a prerequisite for granting access of any kind
toward access resources, because accounts and groups can only have access rights toward resource
groups. The diagram below shows the relationships between aConnect access resource group
connection templates and other business objects.

In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. This is also true for templates, although they
only exist in SAM, not in the target system itself. aConnect access resource group connection
templates have no dependent objects. They have relationships to two other necessary objects:
an aConnect access resource template and an aConnect access resource group. Both must exist
before the connection can be created.
The relationship between resource templates and resource groups in SAM is asymmetrical. A
connection can only be created or deleted from the template side. Nonetheless, SAM's graphical
user interface (GUI) presents them as dependants of both involved business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group connection:
aConnect access resource group connection
An aConnect access resource's assignment to a resource group.
aConnect access resource group connection template
A customer-specific prototype for creating aConnect access resource group connections.
aConnect access resource group connection defaults
The manufacturer-provided default prototype for creating aConnect access resource group
connections.
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.

aConnect Access Resource Template General Data
An aConnect access resource group
connection for a resource template consists of one part. This item contains general data about
the connection.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Resource Template) for a summary of functions for creating, modifying, and deleting such
business objects. These functions apply to aConnect access resource group connections for
resource templates as described.

aConnect Object Resource Templates


The business object type aConnect object resource template represents a customer-specific
prototype and blueprint for creating normal aConnect object resources. The diagram below
shows the relationships between aConnect object resource templates and other business objects:

In SAM terminology, object resources are image objects because they mirror the data structures
in a specific type of target system. This is also true for object resource templates, although they
exist only in SAM and not in the target system itself. SAM uses the following business objects
to represent aConnect object resource templates:

aConnect object resource template general data
aConnect object resource template rule
aConnect object resource template rule attribute
aConnect object resource template rule attribute value

aConnect object resource templates have one mandatory relationship to another business object
at enterprise level. This is the aConnect target system to which they belong - the one in which
they can act as a prototype for normal object resources.
In addition to this implicit relationship, an object resource template can have relationships
to object resource groups with the purpose of establishing the same connections at the object
resources that are created from this template.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource:
aConnect object resource
A representative for accessible objects in an aConnect target system.
aConnect object resource template
A customer-specific prototype for creating aConnect object resources.
aConnect object resource defaults
The manufacturer-provided default prototype for creating aConnect object resources.
aConnect Object Resource Template General Data
The business object aConnect object resource template general data is the main object of an
object resource template in an aConnect target system. It contains general information about
the resource template, such as the resource class, the template ID, the access codes for the
template and for the created resource, etc.
An aConnect object resource template must belong to a class for object resources. This means
that the class that is specified when creating the object resource template must be found in the
list of aConnect target system classes, and must have the type Object.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects. These functions apply to
aConnect object resource templates as described.
aConnect Object Resource Template Rules
The business object aConnect object resource template rule defines a set of conditions for the
owning object resource template. This can always be understood as an access restriction that
will apply to the object resources formed after the template. Depending on the nature of the
represented functions, it may also be understood as a resource-defining condition. The following
details clarify how to distinguish between real-world functions and object resources on one hand
and the various levels of conditions on the other hand:
A particular object resource is hardly ever equivalent to one specific data object. In an
environment in which unconditional access rights can be granted for specific documents and
files, SAM aConnect is rarely required.
Instead, the object resource defines an object profile, and any document that meets this profile
under given circumstances can be a valid real-world equivalent. For example, such a profile
might be specified as any contract in the Real Estate category, as long as the contract value
does not exceed 250.000.
A rule is a set of conditions that are combined in a logical AND. The above profile can be
reflected in one rule. This rule would contain two attributes, one for the document category
and one for the contract value. The condition operator for the first attribute would be =
and that for the second would be <. The value for the first attribute would be Real Estate
and that for the second would be 250.000 (or 250.001, to be most accurate with the LESS
operator).
The same object resource might contain several rules. Each of them represents another
condition set, and these sets are combined in a logical OR. Whether several independent
condition sets are reflected in one resource with several rules or in several resources with one
rule for each of them is a matter of taste and of additional environment conditions.
A rule with its attributes, their comparison operators and values is always both a defining
condition for the resource and an access restriction that establishes an upper limit for any
access right that might be granted toward the resource through resource group connections.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect object resource template rules, the functions listed under Multiple Dependants
are applicable.
aConnect Object Resource Template Rule Attributes
The business object aConnect object resource template rule attribute defines a single condition
within the owning rule by specifying the following:
the involved attribute and
the comparison operator for the condition
For each of its rules, an object resource or object resource template can have any number of
attributes assigned, as long as these assignments meet the following conditions:
Each attribute reflects an elementary condition within the owning rule, which is defined by
the sum of all conditions combined in a logical AND. This implies that a useful rule cannot
combine attribute conditions that are mutually exclusive in a logical sense.
It is only possible to assign attributes that are defined in the target system and in the same
class to which the owning object resource or template belongs.
A particular attribute can be assigned only once. A real-world condition in which the same
attribute occurs several times in a logical OR combination is reflected either with several values
under the rule attribute or with several rules, each of them containing the same attribute once.
See SAM Enterprise Business Object Reference: Administering Resources Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect object resource template rule attributes, the functions listed under Multiple Dependants are applicable.
aConnect Object Resource Template Rule Attribute Values
The business object aConnect object resource template rule attribute value defines a value constraint for the owning attribute within the owning rule of the owning object resource template.
The following example illustrates how this third level of dependency is used in the normal object
resources that are created by copying the template:
Assume that an object resource is supposed to represent the profile any contract in the Real
Estate category, as long as the contract value does not exceed 250.000.
The object resource needs one rule to represent this profile, because the elementary conditions
within a rule are combined in a logical AND.
This rule needs two rule attributes, one for the contract category and one for the contract
value. Note: A rule attribute also defines the comparison operator that is applied toward
the values.
Each of the two rule attributes has one attribute value. The value for the first attribute would
be Real Estate, and the value for the second attribute would be 250.000 or 250.001, depending
on which comparison operator is used, LESS THAN or LESS THAN OR EQUAL.
If the switch Valid Values Mandatory is set for the owning rule attribute, the value here
must also match any of the valid value definitions for the attribute. Otherwise, the valid value
definitions represent suggestions, and any other value is valid as well.
Each rule attribute needs at least one rule attribute value. Whether multiple values are allowed
depends on the operator (and perhaps also on the attribute). Multiple values are only meaningful
with the EQUAL operator to express alternatives that are combined in a logical OR.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect object resource template rule attribute values, the functions listed under Single
Dependants or those listed under Multiple Dependants can apply, depending on the implicit
condition.
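How the rule levels described for access resource templates and for object resource templates combine, as an added example (not SAM aConnect code): values under one EQUAL attribute are alternatives, attributes within a rule are ANDed, and rules within a resource are ORed. All identifiers are hypothetical; the trailing * as a wildcard, the reading of 10.000 and 250.000 as ten thousand and 250 thousand, and the rejection of rules without attributes are assumptions.

```python
"""Evaluate resource rules the way this manual describes them.

Added illustration with hypothetical names; not SAM aConnect code.
Assumptions: a trailing * in an EQUAL value is a wildcard, the manual's
10.000 and 250.000 are read as ten thousand and 250 thousand, and a request
that lacks an attribute fails the condition.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

OPERATORS = ("EQUAL", "LESS THAN", "LESS THAN OR EQUAL")


@dataclass(frozen=True)
class RuleAttribute:
    attribute_id: str
    operator: str
    values: tuple

    def __post_init__(self):
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        if not self.values:
            raise ValueError("each rule attribute needs at least one value")
        if len(self.values) > 1 and self.operator != "EQUAL":
            raise ValueError("multiple values are only meaningful with EQUAL")

    def matches(self, request):
        if self.attribute_id not in request:
            return False
        actual = request[self.attribute_id]
        if self.operator == "EQUAL":
            # Several values are alternatives combined in a logical OR.
            return any(fnmatchcase(str(actual), str(v)) for v in self.values)
        limit = self.values[0]
        return actual < limit if self.operator == "LESS THAN" else actual <= limit


@dataclass(frozen=True)
class Rule:
    attributes: tuple

    def __post_init__(self):
        if not self.attributes:
            # Assumption of this model: an empty rule would match everything.
            raise ValueError("a rule without attributes is rejected here")
        ids = [a.attribute_id for a in self.attributes]
        if len(ids) != len(set(ids)):
            raise ValueError("an attribute can be assigned only once per rule")

    def matches(self, request):
        # Conditions within one rule are combined in a logical AND.
        return all(a.matches(request) for a in self.attributes)


@dataclass(frozen=True)
class Resource:
    resource_id: str
    rules: tuple

    def matches(self, request):
        # Rules of one resource are combined in a logical OR.
        return any(r.matches(request) for r in self.rules)


# Access profile from the manual: any transaction in the CLK17* category,
# as long as the transaction value does not exceed 10.000.
ACCESS_PROFILE = Resource("ACC-CLK17", (Rule((
    RuleAttribute("category", "EQUAL", ("CLK17*",)),
    RuleAttribute("value", "LESS THAN", (10_001,)),
)),))

# Object profile from the manual: any contract in the Real Estate category,
# as long as the contract value does not exceed 250.000.
OBJECT_PROFILE = Resource("OBJ-REALESTATE", (Rule((
    RuleAttribute("category", "EQUAL", ("Real Estate",)),
    RuleAttribute("value", "LESS THAN OR EQUAL", (250_000,)),
)),))

# The access profile written with LESS THAN 10.000 refuses a transaction of
# exactly 10.000, which is why the manual suggests 10.001 for that operator.
OFF_BY_ONE = Resource("ACC-CLK17-STRICT", (Rule((
    RuleAttribute("category", "EQUAL", ("CLK17*",)),
    RuleAttribute("value", "LESS THAN", (10_000,)),
)),))
```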
aConnect Object Resource Group Connections
The business object aConnect object resource group connection template represents
a connection between an aConnect object resource template and an aConnect object resource
group, with the purpose of providing the same connection to normal object resources that are
formed after the template. Such connections are a prerequisite for granting access of any kind
toward object resources, because accounts and groups can only have access rights toward resource
groups. The diagram below shows the relationships between aConnect object resource group connection templates and other business
objects.

In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. This is also true for templates, although they
only exist in SAM, not in the target system itself. aConnect object resource group connection
templates have no dependent objects. They have relationships to two other necessary objects:
an aConnect object resource template and an aConnect object resource group. Both must exist
before the connection can be created.
The relationship between resource templates and resource groups in SAM is asymmetrical. A
connection can only be created or deleted from the template side. Nonetheless, SAM's graphical
user interface (GUI) presents them as dependants of both involved business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group connection:
aConnect object resource group connection
An aConnect object resource's assignment to a resource group.
aConnect object resource group connection template
A customer-specific prototype for creating aConnect object resource group connections.
aConnect object resource group connection defaults
The manufacturer-provided default prototype for creating aConnect object resource group
connections.
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.

aConnect Object Resource Template General Data
An aConnect object resource group
connection for a resource template consists of one part. This item contains general data about
the connection.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Resource Template) for a summary of functions for creating, modifying, and deleting such
business objects. These functions apply to aConnect object resource group connections for
resource templates as described.

aConnect Access Resource Group Templates


The business object type aConnect access resource group template represents a customer-specific prototype and blueprint for creating normal aConnect access resource groups. The
diagram below shows the relationships between aConnect access resource group templates and
other business objects:

In SAM terminology, access resource groups are image objects because they mirror the data
structures in a specific type of target system. This is also true for access resource group templates, although they exist only in SAM and not in the target system itself. SAM uses the
following business objects to represent aConnect access resource group templates:
aConnect access resource group template general data
aConnect access resource group template forbidden group
aConnect access resource group templates have one mandatory relationship to another business
object at enterprise level. This is the aConnect target system to which they belong - the one in
which they can act as a prototype for normal access resource groups.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group:
aConnect access resource group
A container for aConnect access resources.
aConnect access resource group template
A customer-specific prototype for creating aConnect access resource groups.
aConnect access resource group defaults
The manufacturer-provided default prototype for creating aConnect access resource groups.
aConnect Access Resource Group Template General Data
The business object aConnect access resource group template general data is the main object of
an access resource group template in an aConnect target system. It contains general information
about the template, such as the template ID, the access codes for the template and the normal
objects, etc.
See SAM Enterprise Business Object Reference: Administering Resource Group Templates for
a summary of functions for creating, modifying, and deleting such business objects. These
functions apply to aConnect access resource group templates as described.
aConnect Access Resource Group Template Forbidden Groups
The business object aConnect access resource group template forbidden group defines a condition
of mutual exclusion that applies to resource group connections for accounts or groups in which
a resource group is involved that was created after the owning template. An example may
illustrate what this means:
Assume that a rule in an enterprise specifies that someone with administrative access rights
toward a category of contracts cannot also have auditing or approving access rights, and vice
versa.
Assume that there is one access resource group ADM that provides the functions for contract
administration, and there is another access resource group AUD that provides the functions
for auditing. Assume further that the contracts are represented in an object resource group
CON.
To establish the rule, the group ADM needs a forbidden group entry for AUD, and the
group AUD needs a forbidden group entry for ADM.
Forbidden group entries are symmetrical by definition. In a relationship between two
resource groups, SAM aConnect would reflect this by automatically creating the counterpart. In a relationship between a resource group template and a resource group, SAM
aConnect reflects this by creating the counterpart when creating a resource group with
the template. For example, assume a template TEMP-A with an entry that forbids
GRP-B. When creating a group GRP-A by using that template, SAM aConnect adds
an entry under GRP-B that forbids GRP-A.
Assume a group has a resource group connection in which ADM is the access partner and
CON is the object partner. This connection provides the necessary access rights for administering the contracts. When attempting to provide a connection to a pair with AUD and
CON as the partners, SAM aConnect refuses the creation with reference to this forbidden
group entry.
The same happens when attempting to provide a connection for an account which has inherited
the access rights from the ADM/CON connection through a normal group connection.
The forbidden group can only be an access resource group. An access resource group template
can have any number of forbidden groups, provided that the forbidden group is defined in the
same target system, and all entries refer to different groups.
See SAM Enterprise Business Object Reference: Administering Resource Group Templates for
a summary of functions for creating, modifying, and deleting such objects and their dependent
data. For aConnect access resource group template forbidden groups, the functions listed under
Multiple Dependants are applicable.

aConnect Object Resource Group Templates


The business object type aConnect object resource group template represents a customer-specific prototype and blueprint for creating normal aConnect object resource groups. The
diagram below shows the relationships between aConnect object resource group templates and
other business objects:

In SAM terminology, object resource groups are image objects because they mirror the data
structures in a specific type of target system. This is also true for object resource group templates, although they exist only in SAM and not in the target system itself. SAM uses the
following business objects to represent aConnect object resource group templates:
aConnect object resource group template general data
aConnect object resource group template forbidden group
aConnect object resource group templates have one mandatory relationship to another business
object at enterprise level. This is the aConnect target system to which they belong - the one in
which they can act as a prototype for normal object resource groups.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group:
aConnect object resource group
A container for aConnect object resources.
aConnect object resource group template
A customer-specific prototype for creating aConnect object resource groups.
aConnect object resource group defaults
The manufacturer-provided default prototype for creating aConnect object resource groups.

aConnect Object Resource Group Template General Data


The business object aConnect object resource group template general data is the main object of
an object resource group template in an aConnect target system. It contains general information
about the template, such as the template ID, the access codes for the template and the normal
objects, etc.
See SAM Enterprise Business Object Reference: Administering Resource Group Templates for
a summary of functions for creating, modifying, and deleting such business objects. These
functions apply to aConnect object resource group templates as described.
aConnect Object Resource Group Template Forbidden Groups
The business object aConnect object resource group template forbidden group defines a condition
of mutual exclusion that applies to resource group connections for accounts or groups in which
a resource group is involved that was created by copying the owning template. The following
example illustrates what this means:
Assume that a rule in an enterprise specifies that someone with administrative access rights
toward one category of contracts cannot also have access rights toward another category.
Assume that there are three contract categories: CA, CB, and CC.
Assume that there is one object resource group for each of the three categories. These resource groups are: GCA, GCB, and GCC. Assume that the access functions for all three
categories are the same and represented in the access resource group TRAN-CON.
To establish the rule, the group CA needs a forbidden group entry for CB and another one
for CC. The other two groups need their respective entries in return.
Forbidden group entries are symmetrical by definition. In a relationship between two
resource groups, SAM aConnect would reflect this by automatically creating the counterpart. In a relationship between a resource group template and a resource group, SAM
aConnect reflects this by creating the counterpart when creating a resource group with
the template. For example, assume a template TEMP-A with an entry that forbids
GRP-B. When creating a group GRP-A by using that template, SAM aConnect adds
an entry under GRP-B that forbids GRP-A.
Assume that a group has a resource group connection in which TRAN-CON is the access
partner and GCA is the object partner. This connection provides the necessary access
rights for administering the contracts in the category CA. When attempting to provide a
connection to a pair with TRAN-CON and GCB or GCC as the partners, SAM aConnect
refuses the creation with reference to these forbidden group entries.
The same happens when attempting to provide a connection for an account which has inherited the access rights from the TRAN-CON/GCA connection through a normal group
connection.
The forbidden group can only be an object resource group. An object resource group template
can have any number of forbidden groups, provided that the forbidden group is defined in the
same target system, and all entries refer to different groups.
See SAM Enterprise Business Object Reference: Administering Resource Group Templates for
a summary of functions for creating, modifying, and deleting such objects and their dependent
data. For aConnect object resource group template forbidden groups, the functions listed under
Multiple Dependants are applicable.
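The forbidden group behaviour described above for access and object resource groups (symmetrical entries, counterparts created when a group is built from a template, and refusal of connections that are held directly or inherited) can be modelled as follows. This Python model is an added example, not SAM Enterprise code: all class and function names are hypothetical, the sample groups are taken from the two examples in the text, and it assumes that an entry blocks a new pair regardless of the other partner in the pair.

```python
from dataclasses import dataclass, field


class Refused(Exception):
    """A forbidden group entry blocks the requested connection."""


@dataclass
class ResourceGroup:
    name: str
    kind: str                                       # "access" or "object"
    forbidden: set = field(default_factory=set)     # names of excluded groups


@dataclass
class Principal:                                    # an account or a group
    name: str
    member_of: list = field(default_factory=list)   # normal group connections
    pairs: set = field(default_factory=set)         # (access group, object group)


class TargetSystem:
    def __init__(self, name):
        self.name = name
        self.groups = {}                            # groups of this system only

    def add_group(self, name, kind, template_forbidden=()):
        """Create a resource group. Entries copied from a template get their
        counterpart added under the groups they name."""
        self.groups[name] = ResourceGroup(name, kind)
        for other in template_forbidden:
            self.forbid(name, other)
        return self.groups[name]

    def forbid(self, a, b):
        """Add a forbidden group entry and its symmetrical counterpart."""
        ga, gb = self.groups[a], self.groups[b]     # KeyError: other target system
        if a == b or ga.kind != gb.kind:
            raise ValueError(f"{b} cannot be a forbidden group of {a}")
        ga.forbidden.add(b)                         # a set keeps entries distinct
        gb.forbidden.add(a)

    def effective_pairs(self, principal):
        """Own pairs plus pairs inherited through group connections."""
        found, todo, seen = {}, [principal], set()
        while todo:
            p = todo.pop()
            if p.name in seen:
                continue
            seen.add(p.name)
            for pair in p.pairs:
                found.setdefault(pair, p.name)      # remember who holds the pair
            todo.extend(p.member_of)
        return found

    def connect(self, principal, access, obj):
        """Create a resource group connection unless an entry forbids it."""
        if self.groups[access].kind != "access" or self.groups[obj].kind != "object":
            raise ValueError("a pair needs an access partner and an object partner")
        for (h_acc, h_obj), holder in self.effective_pairs(principal).items():
            for new, held in ((access, h_acc), (obj, h_obj)):
                if held in self.groups[new].forbidden:
                    raise Refused(f"{principal.name}: {new} forbids {held} "
                                  f"(held via {holder}: {h_acc}/{h_obj})")
        principal.pairs.add((access, obj))


def demo():
    """Constructed sample data that replays the two examples from the text."""
    ts = TargetSystem("TS1")
    for name in ("ADM", "AUD", "TRAN-CON"):
        ts.add_group(name, "access")
    for name in ("CON", "GCB", "GCC"):
        ts.add_group(name, "object")
    ts.forbid("ADM", "AUD")
    ts.forbid("GCB", "GCC")
    ts.add_group("GCA", "object", template_forbidden=("GCB", "GCC"))

    admins = Principal("CONTRACT-ADMINS")
    alice = Principal("alice", member_of=[admins])  # inherits from the group
    bob = Principal("bob")
    ts.connect(admins, "ADM", "CON")
    ts.connect(admins, "TRAN-CON", "GCA")

    results = {}
    for who, acc, obj in ((alice, "AUD", "CON"),
                          (admins, "TRAN-CON", "GCB"),
                          (bob, "AUD", "CON")):
        try:
            ts.connect(who, acc, obj)
            results[(who.name, acc, obj)] = "created"
        except Refused as exc:
            results[(who.name, acc, obj)] = f"refused: {exc}"
    return ts, results


if __name__ == "__main__":
    for request, outcome in demo()[1].items():
        print(request, "->", outcome)
```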

Defaults
The object category Defaults comprises those business objects in SAM Enterprise that serve
as prototypes when creating objects when no template is specified. In short, defaults combine
three characteristics:
A defaults object is manufacturer-provided and counts as part of the installation. There is
exactly one defaults object for any type of business object in SAM Enterprise.
A defaults object cannot be created or deleted by a customer. Only the attribute values are
subject to administration or configuration.
A defaults object shares the prototype function with a template of the same type. However,
in contrast to templates, defaults cannot include dependants or connections to other objects. The
sole purpose of a defaults object is to make object creation possible when a user provides only
the key values and maybe a name but nothing else.
Defaults and templates are closely related, but at the same time significantly different. The
following table provides an overview of their common factors and differences:
Aspect: Function
Template: Customer-created template
Defaults: Manufacturer-created template

Aspect: Usage
Template: Used when the administrator explicitly specifies a template when creating a new object.
Defaults: Used when the administrator does not specify a template when creating a new object, or when a template cannot be specified (e.g., when creating objects through role-based administration).

Aspect: Initial count
Template: None, right after SAM installation.
Defaults: One per object type and target system.

Aspect: Types
Template: Exist for all business objects except target systems and their dependants.
Defaults: Exist for all business objects.

Aspect: Administration
Template: Can be created, modified, and deleted.
Defaults: Can only be modified regarding attribute values.

Aspect: Interfaces
Template: Supported in the GUI and in the Import Interface.
Defaults: Supported only in the GUI.

Aspect: Dependants
Template: Can have dependants like the respective normal business object. A normal object created by copying the template also receives the same dependants.
Defaults: Cannot have dependants because defaults are always single-occurrence templates. The presence of dependants is a method of internal organization and does not affect created normal objects.

Aspect: Connections
Template: Can have connections (to groups or resources) like the respective normal business object. A normal object created by copying the template also receives the same connections.
Defaults: Cannot have connections to other objects.

aConnect Account Defaults


The business object aConnect account defaults is the manufacturer-provided prototype for
creating normal aConnect accounts. As explained on the section cover page for all defaults,
there is no sense in discussing dependent objects or relationships to other objects:
In a strict sense, a business object of the type aConnect account defaults does not exist.
This term comprises the following object type(s):
aConnect account general data defaults
aConnect account attribute defaults
aConnect account attribute value defaults
which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect account defaults have an implicit relationship to a certain aConnect target system. They have no relationships to other business
objects.
In SAM terminology, accounts are image objects because they mirror the data structures in a
specific type of target system. This is also true for account defaults, although they exist only in
SAM and not in the target system itself.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
account:
aConnect account
The representation of a user in an aConnect target system.
aConnect account template
A customer-specific prototype for creating aConnect accounts.
aConnect account defaults
The manufacturer-provided default prototype for creating aConnect accounts.
aConnect Account Defaults General Data
The business object aConnect account general data defaults is the manufacturer-provided standard prototype for creating aConnect account general data in cases where a template is not
specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect account defaults general data would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Account Defaults for a summary
of functions for administering such objects. These functions apply to aConnect account general
data defaults as described.
aConnect Account Defaults Attribute
The business object aConnect account attribute defaults is the manufacturer-provided standard
prototype for creating aConnect account attributes in cases where a template is not specified.
There is exactly one such object in an aConnect target system.
Note: The term aConnect account defaults attributes would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Account Defaults for a summary
of functions for administering such objects. These functions apply to aConnect account attribute
defaults as described.
aConnect Account Defaults Attribute Value
The business object aConnect account attribute value defaults is the manufacturer-provided
standard prototype for creating aConnect account attribute values in cases where a template is
not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect account defaults attribute values would also be correct - as long as
it is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Account Defaults for a summary
of functions for administering such objects. These functions apply to aConnect account attribute
value defaults as described.

aConnect Group Connection (Account Defaults)


The business object aConnect group connection (account defaults) is the manufacturer-provided
prototype for creating aConnect group connections for accounts in cases where a template is not
specified.
There is exactly one such object in any particular aConnect target system. It is created automatically when creating a new target system. See Configuration for the steps in which first the
target system and then its defaults objects are defined.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group connection:
aConnect group connection (account)
An aConnect account's assignment to an aConnect group.
aConnect group connection (account template)
A customer-specific prototype for creating aConnect group connections (account).
aConnect group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect group connections (account).
aConnect group connection (role)
A role's prototype for creating and controlling aConnect group connections (account).

aConnect Group Connection (Account Defaults) General Data
The business object aConnect group connection (account) general data defaults is the manufacturer-provided standard prototype for creating general data in aConnect group connections for accounts in cases
where a template is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect group connection (account defaults) general data would also be
correct - as long as it is clear that a defaults object cannot be a compound object with a main
part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Defaults) for a summary of functions for administering such objects. These functions apply to
aConnect group connections for account defaults as described. See also the configuration Step
4 for the creation of defaults in a new aConnect target system.
aConnect Group Connection (Account Defaults) Attributes
The business object aConnect group connection (account) attribute defaults is the manufacturer-provided standard prototype for creating attributes in aConnect group connections for accounts in cases where a template
is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect group connection (account defaults) attribute would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Defaults) for a summary of functions for administering such objects. These functions apply to
aConnect group connections for account defaults as described. See also the configuration Step
4 for the creation of defaults in a new aConnect target system.
aConnect Group Connection (Account Defaults) Attribute Values
The business object aConnect group connection (account) attribute value defaults is the manufacturer-provided
standard prototype for creating attribute values in aConnect group connections for accounts in
cases where a template is not specified. There is exactly one such object in an aConnect target
system.
Note: The term aConnect group connection (account defaults) attribute value would also be
correct - as long as it is clear that a defaults object cannot be a compound object with a main
part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Defaults) for a summary of functions for administering such objects. These functions apply to
aConnect group connections for account defaults as described. See also the configuration Step
4 for the creation of defaults in a new aConnect target system.
aConnect Resource Group Connection (Account Defaults)
The business object aConnect resource group connection (account defaults) is the manufacturer-provided prototype for creating aConnect resource group connections for accounts in cases where
a template is not specified.
There is exactly one such object in any particular aConnect target system. It is created automatically when creating a new target system. See Configuration for the steps in which first the
target system and then its defaults objects are defined.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect account's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect group's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (group template)
A customer-specific prototype for creating aConnect resource group connections (group).
aConnect resource group connection (group defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (group).
Note: Also be sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Resource Group Connection (Account Defaults) General Data
The business object aConnect resource group connection (account) general data defaults is the manufacturer-provided standard prototype for creating general data in aConnect resource group connections
for accounts in cases where a template is not specified. There is exactly one such object in an
aConnect target system.
Note: The term aConnect resource group connection (account defaults) general data would
also be correct - as long as it is clear that a defaults object cannot be a compound object with
a main part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account Defaults) for a summary of functions for administering such objects. These functions
apply to aConnect resource group connections for account defaults as described. See also the
configuration Step 4 for the creation of defaults in a new aConnect target system.
aConnect Resource Group Connection (Account Defaults) Authorization
The business object aConnect resource group connection (account) authorization defaults is the manufacturer-provided standard prototype for creating authorizations in aConnect resource group connections
for accounts in cases where a template is not specified. There is exactly one such object in an
aConnect target system.
Note: The term aConnect resource group connection (account defaults) authorization would
also be correct - as long as it is clear that a defaults object cannot be a compound object with
a main part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account Defaults) for a summary of functions for administering such objects. These functions
apply to aConnect resource group connections for account defaults as described. See also the
configuration Step 4 for the creation of defaults in a new aConnect target system.

aConnect Group Defaults


The business object aConnect group defaults is the manufacturer-provided prototype for
creating normal aConnect groups. As explained on the section cover page for all defaults, there
is no sense in discussing dependent objects or relationships to other objects:
In a strict sense, a business object of the type aConnect group defaults does not exist. This
term comprises the following object type(s):
aConnect group general data defaults
aConnect group attribute defaults
aConnect group attribute value defaults
which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect group defaults have an implicit relationship to a certain aConnect target system. They have no relationships to other business
objects.
In SAM terminology, groups are image objects because they mirror the data structures in a
specific type of target system. This is also true for group defaults, although they exist only in
SAM and not in the target system itself.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group:
aConnect group
A container structure for access rights in an aConnect target system.
aConnect group template
A customer-specific prototype for creating aConnect groups.
aConnect group defaults
The manufacturer-provided default prototype for creating aConnect groups.
aConnect Group Defaults General Data
The business object aConnect group general data defaults is the manufacturer-provided standard
prototype for creating aConnect group general data in cases where a template is not specified.
There is exactly one such object in an aConnect target system.
Note: The term aConnect group defaults general data would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Group Defaults for a summary
of functions for administering such objects. These functions apply to aConnect group general
data defaults as described.
aConnect Group Defaults Forbidden Group
The business object aConnect group forbidden group defaults is the manufacturer-provided standard prototype for creating aConnect group forbidden groups in cases where a template is not
specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect group defaults forbidden group would also be correct - as long as
it is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Group Defaults for a summary
of functions for administering such objects. These functions apply to aConnect group forbidden
group defaults as described.
aConnect Group Defaults Attribute
The business object aConnect group attribute defaults is the manufacturer-provided standard
prototype for creating aConnect group attributes in cases where a template is not specified.
There is exactly one such object in an aConnect target system.
Note: The term aConnect group defaults attribute would also be correct - as long as it is clear
that a defaults object cannot be a compound object with a main part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Group Defaults for a summary
of functions for administering such objects. These functions apply to aConnect group attribute
defaults as described.
aConnect Group Defaults Attribute Value
The business object aConnect group attribute value defaults is the manufacturer-provided standard prototype for creating aConnect group attribute values in cases where a template is not
specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect group defaults attribute value would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Group Defaults for a summary
of functions for administering such objects. These functions apply to aConnect group attribute
value defaults as described.

aConnect Resource Group Connection (Group Defaults)


The business object aConnect resource group connection (group defaults) is the manufacturer-provided prototype for creating aConnect resource group connections for groups in cases where
a template is not specified.
There is exactly one such object in any particular aConnect target system. It is created automatically when creating a new target system. See Configuration for the steps in which first the
target system and then its defaults objects are defined.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect account's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect group's assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (group template)
A customer-specific prototype for creating aConnect resource group connections (group).
aConnect resource group connection (group defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (group).
Note: Also be sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Resource Group Connection (Group Defaults) General Data
The business object aConnect resource group connection (group) general data defaults is the manufacturer-provided standard prototype for creating general data in aConnect resource group connections
for groups in cases where a template is not specified. There is exactly one such object in an
aConnect target system.
Note: The term aConnect resource group connection (group defaults) general data would also
be correct - as long as it is clear that a defaults object cannot be a compound object with a
main part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group Defaults) for a summary of functions for administering such objects. These functions
apply to aConnect resource group connections for group defaults as described. See also the
configuration Step 4 for the creation of defaults in a new aConnect target system.

aConnect Resource Group Connection (Group Defaults) Authorization
The business object aConnect resource group connection (group) authorization defaults is the manufacturer-provided standard prototype for creating authorizations in aConnect resource group connections
for groups in cases where a template is not specified. There is exactly one such object in an
aConnect target system.
Note: The term aConnect resource group connection (group defaults) authorization would
also be correct - as long as it is clear that a defaults object cannot be a compound object with
a main part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group Defaults) for a summary of functions for administering such objects. These functions
apply to aConnect resource group connections for group defaults as described. See also the
configuration Step 4 for the creation of defaults in a new aConnect target system.

aConnect Access Resource Defaults


The business object aConnect access resource defaults is the manufacturer-provided prototype for creating normal aConnect access resources. As explained on the section cover page for
all defaults, there is no sense in discussing dependent objects or relationships to other objects:
In a strict sense, a business object of the type aConnect access resource defaults does not
exist. This term comprises the following object type(s):

- aConnect access resource general data defaults
- aConnect access resource rule defaults
- aConnect access resource rule attribute defaults
- aConnect access resource rule attribute value defaults

which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect access resource defaults have an implicit
relationship to a certain aConnect target system. They have no relationships to other business
objects.
In SAM terminology, access resources are image objects because they mirror the data structures
in a specific type of target system. This is also true for access resource defaults, although they
exist only in SAM and not in the target system itself.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource:
aConnect access resource
A representative for data access functions in an aConnect target system.
aConnect access resource template
A customer-specific prototype for creating aConnect access resources.
aConnect access resource defaults
The manufacturer-provided default prototype for creating aConnect access resources.

aConnect Access Resource Defaults General Data


The business object aConnect access resource general data defaults is the manufacturer-provided
standard prototype for creating aConnect access resource general data in cases where a template
is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect access resource defaults general data would also be correct - as
long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect access resource
general data defaults as described.

aConnect Access Resource Defaults Rule


The business object aConnect access resource rule defaults is the manufacturer-provided standard prototype for creating aConnect access resource rules in cases where a template is not
specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect access resource defaults rule would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect access resource
rule defaults as described.
aConnect Access Resource Defaults Rule Attribute


The business object aConnect access resource rule attribute defaults is the manufacturer-provided
standard prototype for creating aConnect access resource rule attributes in cases where a template is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect access resource defaults rule attribute would also be correct - as
long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect access resource
rule attribute defaults as described.
aConnect Access Resource Defaults Rule Attribute Value
The business object aConnect access resource rule attribute value defaults is the manufacturer-provided standard prototype for creating aConnect access resource rule attribute values in cases
where a template is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect access resource defaults rule attribute value would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect access resource
rule attribute value defaults as described.
aConnect Access Resource Group Connection
The business object aConnect access resource group connection (resource defaults) is the manufacturer-provided prototype for creating aConnect access resource group connections for access resources
in cases where a template is not specified.
There is exactly one such object in any particular aConnect target system. It is created automatically when creating a new target system. See Configuration for the steps in which first the
target system and then its defaults objects are defined.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group connection:
aConnect access resource group connection
The assignment of an aConnect access resource to a resource group.
aConnect access resource group connection template
A customer-specific prototype for creating aConnect access resource group connections.
aConnect access resource group connection defaults
The manufacturer-provided default prototype for creating aConnect access resource group
connections.
Note: Also be sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.

aConnect Object Resource Defaults


The business object aConnect object resource defaults is the manufacturer-provided prototype for creating normal aConnect object resources. As explained on the section cover page for
all defaults, there is no sense in discussing dependent objects or relationships to other objects:
In a strict sense, a business object of the type aConnect object resource defaults does not
exist. This term comprises the following object type(s):

- aConnect object resource general data defaults
- aConnect object resource rule defaults
- aConnect object resource rule attribute defaults
- aConnect object resource rule attribute value defaults

which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect object resource defaults have an implicit
relationship to a certain aConnect target system. They have no relationships to other business
objects.
In SAM terminology, object resources are image objects because they mirror the data structures
in a specific type of target system. This is also true for object resource defaults, although they
exist only in SAM and not in the target system itself.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource:
aConnect object resource
A representative for accessible objects in an aConnect target system.
aConnect object resource template
A customer-specific prototype for creating aConnect object resources.
aConnect object resource defaults
The manufacturer-provided default prototype for creating aConnect object resources.
aConnect Object Resource Defaults General Data


The business object aConnect object resource general data defaults is the manufacturer-provided
standard prototype for creating aConnect object resource general data in cases where a template
is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect object resource defaults general data would also be correct - as
long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect object resource
general data defaults as described.
aConnect Object Resource Defaults Rule
The business object aConnect object resource rule defaults is the manufacturer-provided standard
prototype for creating aConnect object resource rules in cases where a template is not specified.
There is exactly one such object in an aConnect target system.
Note: The term aConnect object resource defaults rule would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect object resource
rule defaults as described.
aConnect Object Resource Defaults Rule Attribute
The business object aConnect object resource rule attribute defaults is the manufacturer-provided
standard prototype for creating aConnect object resource rule attributes in cases where a template is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect object resource defaults rule attribute would also be correct - as
long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect object resource
rule attribute defaults as described.
aConnect Object Resource Defaults Rule Attribute Value
The business object aConnect object resource rule attribute value defaults is the manufacturer-provided standard prototype for creating aConnect object resource rule attribute values in cases
where a template is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect object resource defaults rule attribute value would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect object resource
rule attribute value defaults as described.
aConnect Object Resource Group Connection
The business object aConnect object resource group connection (resource defaults) is the manufacturer-provided prototype for creating aConnect object resource group connections for object resources
in cases where a template is not specified.
There is exactly one such object in any particular aConnect target system. It is created automatically when creating a new target system. See Configuration for the steps in which first the
target system and then its defaults objects are defined.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group connection:
aConnect object resource group connection
The assignment of an aConnect object resource to a resource group.
aConnect object resource group connection template
A customer-specific prototype for creating aConnect object resource group connections.
aConnect object resource group connection defaults
The manufacturer-provided default prototype for creating aConnect object resource group
connections.
Note: Also be sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.

aConnect Access Resource Group Defaults


The business object aConnect access resource group defaults is the manufacturer-provided
prototype for creating normal aConnect access resource groups. As explained on the section cover
page for all defaults, there is no sense in discussing dependent objects or relationships to other
objects:
In a strict sense, a business object of the type aConnect access resource group defaults does
not exist. This term comprises the following object type(s):
- aConnect access resource group general data defaults
- aConnect access resource group forbidden group defaults
which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect access resource group defaults have an
implicit relationship to a certain aConnect target system. They have no relationships to other
business objects.
In SAM terminology, access resource groups are image objects because they mirror the data
structures in a specific type of target system. This is also true for access resource group defaults,
although they exist only in SAM and not in the target system itself.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group:
aConnect access resource group
A container for aConnect access resources.
aConnect access resource group template
A customer-specific prototype for creating aConnect access resource groups.
aConnect access resource group defaults
The manufacturer-provided default prototype for creating aConnect access resource groups.
aConnect Access Resource Group Defaults General Data
The business object aConnect access resource group general data defaults is the manufacturer-provided standard prototype for creating aConnect access resource group general data in cases
where a template is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect access resource group defaults general data would also be correct - as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Defaults for a
summary of functions for administering such objects. These functions apply to aConnect access
resource group general data defaults as described.
aConnect Access Resource Group Defaults Forbidden Group
The business object aConnect access resource group forbidden group defaults is the manufacturer-provided standard prototype for creating aConnect access resource group forbidden groups in
cases where a template is not specified. There is exactly one such object in an aConnect target
system.
Note: The term aConnect access resource group defaults forbidden group would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Defaults for a
summary of functions for administering such objects. These functions apply to aConnect access
resource group forbidden group defaults as described.

aConnect Object Resource Group Defaults


The business object aConnect object resource group defaults is the manufacturer-provided
prototype for creating normal aConnect object resource groups. As explained on the section
cover page for all defaults, there is no sense in discussing dependent objects or relationships to
other objects:
In a strict sense, a business object of the type aConnect object resource group defaults does
not exist. This term comprises the following object type(s):
- aConnect object resource group general data defaults
- aConnect object resource group forbidden group defaults
which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect object resource group defaults have an
implicit relationship to a certain aConnect target system. They have no relationships to other
business objects.
In SAM terminology, object resource groups are image objects because they mirror the data
structures in a specific type of target system. This is also true for object resource group defaults,
although they exist only in SAM and not in the target system itself.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group:
aConnect object resource group
A container for aConnect object resources.
aConnect object resource group template
A customer-specific prototype for creating aConnect object resource groups.
aConnect object resource group defaults
The manufacturer-provided default prototype for creating aConnect object resource groups.
aConnect Object Resource Group Defaults General Data


The business object aConnect object resource group general data defaults is the manufacturer-provided standard prototype for creating aConnect object resource group general data in cases
where a template is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect object resource group defaults general data would also be correct - as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Defaults for a
summary of functions for administering such objects. These functions apply to aConnect object
resource group general data defaults as described.
aConnect Object Resource Group Defaults Forbidden Group
The business object aConnect object resource group forbidden group defaults is the manufacturer-provided standard prototype for creating aConnect object resource group forbidden groups in
cases where a template is not specified. There is exactly one such object in an aConnect target
system.
Note: The term aConnect object resource group defaults forbidden group would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Defaults for a
summary of functions for administering such objects. These functions apply to aConnect object
resource group forbidden group defaults as described.

aConnect Target System Defaults


The business object aConnect target system defaults is the manufacturer-provided prototype for creating normal aConnect target systems. In contrast to all other business objects,
target systems have no customer-specific templates. The defaults are the only prototype objects
for them.
As explained on the section cover page for all defaults, these objects cannot be created or deleted
by the customer, and there is no sense in discussing dependent objects or relationships to other
objects:
In a strict sense, a business object of the type aConnect target system defaults does not
exist. This term comprises the following object type(s):
- aConnect target system aConnect data defaults
- aConnect target system class defaults
- aConnect target system class attribute defaults
- aConnect target system class attribute value defaults
- aConnect target system class attribute reference defaults
- aConnect target system allowed class defaults
which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect target system defaults have an implicit
relationship to a certain aConnect target system. They have no relationships to other business
objects.
aConnect Target System Defaults aConnect Data
The business object aConnect target system aConnect data defaults is the manufacturer-provided
standard prototype for creating aConnect target system aConnect data. There is exactly one
such object in an aConnect target system.
Note: The term aConnect target system defaults aConnect data would also be correct - as
long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Target System Defaults for a
summary of functions for administering such objects. These functions apply to aConnect target
system aConnect data defaults as described.
aConnect Target System Defaults Class
The business object aConnect target system class defaults is the manufacturer-provided standard
prototype for creating aConnect target system classes. There is exactly one such object in an
aConnect target system.
Note: The term aConnect target system defaults class would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Target System Defaults for a
summary of functions for administering such objects. These functions apply to aConnect target
system class defaults as described.
aConnect Target System Defaults Class Attribute
The business object aConnect target system class attribute defaults is the manufacturer-provided
standard prototype for creating aConnect target system class attributes. There is exactly one
such object in an aConnect target system.
Note: The term aConnect target system defaults class attribute would also be correct - as
long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Target System Defaults for a
summary of functions for administering such objects. These functions apply to aConnect target
system class attribute defaults as described.

aConnect Target System Defaults Class Attribute Value


The business object aConnect target system class attribute value defaults is the manufacturer-provided standard prototype for creating aConnect target system class attribute values. There
is exactly one such object in an aConnect target system.
Note: The term aConnect target system defaults class attribute value would also be correct - as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Target System Defaults for a
summary of functions for administering such objects. These functions apply to aConnect target
system class attribute value defaults as described.

aConnect Target System Defaults Class Attribute Reference


The business object aConnect target system class attribute reference defaults is the manufacturer-provided standard prototype for creating aConnect target system class attribute references.
There is exactly one such object in an aConnect target system.
Note: The term aConnect target system defaults class attribute reference would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Target System Defaults for a
summary of functions for administering such objects. These functions apply to aConnect target
system class attribute reference defaults as described.

aConnect Target System Defaults Allowed Class


The business object aConnect target system allowed class defaults is the manufacturer-provided
standard prototype for creating aConnect target system allowed classes. There is exactly one
such object in an aConnect target system.
Note: The term aConnect target system defaults allowed class would also be correct - as long
as it is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Target System Defaults for a
summary of functions for administering such objects. These functions apply to aConnect target
system allowed class defaults as described.
Other
The object category Other comprises those business objects in SAM Enterprise that do not
belong to any of the previous categories. Usually, this leaves just the Help Desk accounts.
However, even if there are more candidates, this category cannot include objects that exist in
the administered target system because such objects are always normal by definition. Other
objects can only exist in SAM.

aConnect Help Desk Account


The business object aConnect Help Desk account represents a normal aConnect account as
it appears in SAM Help Desk. As this component only deals with the passwords and the
enable/disable states of accounts, a Help Desk account is just a view on the normal account
restricted to those fields that are relevant for Help Desk services.
While a Help Desk account basically has the same relationships to other objects as the original
account, none of them are relevant in this context. Similarly, there are no administration
functions to consider - SAM Help Desk itself is the set of administration functions as documented
in SAM Enterprise Business Object Reference: Help Desk.

Configuration
This chapter explains how to configure SAM aConnect for the security administration of an
application system with SAM Enterprise. The table of contents above shows the configuration
steps that must be performed and the sequence in which they occur.

1 - Installation and License


In Step 1, you make sure that the following prerequisites are met:
- SAM aConnect must be installed.
- SAM aConnect must be activated as a licensed system component. Technically, this means
that SAM aConnect must be part of the license string entered during the installation.
The chapter SAM Enterprise Installation Manual: SAM aConnect Installation in the SAM
Enterprise Installation Manual describes the installation and license activation.

2 - Administrator ID
In Step 2, you make sure that the administrator who performs the configuration has appropriate
authorizations in SAM.
The administrator needs an account in ISEC, SAM's own security system. This account must
be authorized to update target system definitions. See the SAM Enterprise Internal Security
Manual for details about ISEC.

3 - Target System Defaults


In Step 3, you update the aConnect target system defaults. These default values take effect
when an administrator creates a new target system. This step is optional. If most of your
aConnect target systems share certain settings, the defaults save you some typing and ensure
that each new aConnect target system receives the same initial values.
The aConnect target system defaults object was created automatically during the installation.
Assuming you are logged in to SAM and the Workplace Window is open, perform these steps:
1. Open a Target System Defaults Navigation Window. You can use the Configuration
-> Defaults -> Target System Defaults command from the menu bar. The window
displays a list of all target system defaults.
2. Locate the item ACON in the list. Double-click the item to open an Edit Window.
3. Update the settings as required for your target system defaults object. The default values
will be used whenever a new aConnect target system is created.
4. Submit your updates by pressing the Submit button. You can close the Target System
Defaults Edit Window.

4 - Target System Creation


In Step 4, you define your aConnect system as a new target system in SAM. This is done by
creating a business object of the type aConnect target system at enterprise level:
1. Log in to SAM Enterprise as explained in SAM Enterprise User Manual: SAM Login.
After a successful login, the Workplace Window appears.
2. Invoke the creation dialog via File -> New -> Target System in the menu bar on top.
This opens the following dialog box:

3. Enter the ID for the new target system in the field TS ID.
Select aConnect as the target system type. The value will be placed in the field TS Type.
Enter a descriptive name for the new target system in the field Name.
4. Submit your input by pressing the Submit button. Be aware that pressing the Submit
button creates the new target system immediately in SAM. You cannot cancel this action
later on. When you press Submit, SAM closes the dialog box and opens a Target System
Edit Window with the new target system in display. See the next step for the required
settings there.

5 - Target System Settings


In Step 5, you enter the required values for your new aConnect target system. Fill in the fields on
the Technical Data Panel of the Target System Edit Window that displays the new aConnect
target system:
1. Make sure that the Enabled checkbox is empty. This checkbox must remain unmarked
until some more configuration steps are completed.
2. Fill in the Version field.
3. Fill in the Location field. The field must contain the same ID as the <location> element
in the Master Courier initialization file. The location ID identifies the connection to the
application system that is represented as an aConnect target system. The Master Courier
looks up the location ID in its initialization file to determine the parameters that are
needed for the communication with an aConnect Agent.
4. Submit your changes by pressing the Submit button. SAM implements the update.

6 - Target System aConnect Data


In Step 6, you enter the required system-specific values for your new aConnect target system.
Fill in the fields on the SAM Enterprise User Manual: aConnect Data Panel of the Target
System Edit Window that displays the new aConnect target system:
1. If required, insert the node aConnect Data by selecting the box.


2. Fill SAM Enterprise User Manual: LDAP Server with the name of the LDAP server on
which the aConnect target system is located.
3. Fill SAM Enterprise User Manual: LDAP Port No. with the port number that is used in
the communication with the LDAP server. This number must be identical with the port
number that is specified
4. Fill SAM Enterprise User Manual: Namespace with the ID of the LDAP namespace in
which the application system resides.
5. Fill SAM Enterprise User Manual: SSL Connection and SAM Enterprise User Manual:
SSL Keyring with the encryption parameters for the communication with the application
system.
6. Fill SAM Enterprise User Manual: TOM User ID with the full DN of the LDAP user ID
under which the aConnect TOM operates in the application system.
7. Submit your changes by pressing the Submit button. This triggers an attempt of the
specified TOM user ID to sign on to SAM. Upon successful return, SAM implements the
updates. Note: The test sign-on does not check the mandatory access rights in aConnect.

7 - Target System Enabling


In Step 7, you enable your new aConnect target system. The step starts where the previous step
ended - in the Target System Edit Window with the new target system in display. The step is
performed as follows:
1. Select the entry Technical Data in the tree at the left. This recalls the previous data
panel at the right.
2. Mark the checkbox Enabled.
3. Select the entry Aconnect Data in the tree at the left. This recalls the data panel from a
previous step.
4. Enter the password for the TOM user.
5. Submit your update by pressing the Submit button. Now, with the aConnect data defined,
this update is accepted.
6. Close the window. This was the last activity toward the aConnect target system definition.

8 - Account Defaults
In Step 8, you update the aConnect account defaults object for the new target system by
establishing the required and the desired values. This object was created automatically as part
of the target system creation. Assuming you are logged in to SAM and the Workplace Window
is open, the step sequence is as follows:
1. Open a User Defaults Navigation Window. You can use the Configuration -> Defaults
-> User Defaults command from the menu bar. The window displays a list of all user
defaults.
2. Locate the item DEFAULT in the list. Double-click the item to open a User Defaults
Edit Window.
3. Select Accounts in the tree at the left. This displays a selection list with all account
defaults at the right. Each target system has exactly one account defaults object and,
hence, one item in the list.
4. Locate the ID of your aConnect target system in the list. The account defaults object for
your aConnect target system appears under this ID. Double-click the item in the list to
display the General Data Panel. Make sure the following fields have proper values:
Account ID
Name
See SAM Enterprise User Manual: Smart Defaults for object-specific placeholders in such
fields.
Update other settings as required for your account defaults object. SAM uses the default
values if an object is created, and no other source provides the initial values. For example,
account templates or policies can also be sources for initial values.
5. Submit your updates by pressing the Submit button. You can close the User Defaults Edit
Window.

9 - Group Defaults
In Step 9, you update the aConnect group defaults object for the new target system by establishing the required and the desired values. This object was created automatically as part of
the target system creation. Assuming you are logged in to SAM and the Workplace Window
is open, the step sequence is as follows:
1. Open a Group Defaults Navigation Window. You can use the Configuration -> Defaults
-> Group Defaults command from the menu bar. The window displays a list of all group
defaults.
2. Locate the item DEFAULT in the list. Double-click the item to open a Group Defaults
Edit Window.
3. Select General Data in the tree and make sure the fields have proper values. See SAM
Enterprise User Manual: Smart Defaults for object-specific placeholders in such fields.
Update other settings as required for your group defaults object. SAM uses the default
values if an object is created, and no other source provides the initial values. For example,
group templates can also be sources for initial values.
4. Submit your updates by pressing the Submit button. You can close the Group Defaults
Edit Window.

10 - Resource Defaults
In Step 10, you update the two aConnect resource defaults objects for the new target system
by establishing the required and the desired values. These objects, one for each of the two
resource types, were created automatically as part of the target system creation. Assuming you
are logged in to SAM and the Workplace Window is open, the step sequence is as follows:
1. Open a Resource Defaults Navigation Window. You can use the Configuration ->
Defaults -> Resource Defaults command from the menu bar. The window displays
a list of all resource defaults.
2. Locate the ID of your aConnect target system in the list. There are two resource defaults
objects per aConnect target system, one for access resources and one for object resources.
Double-click the first of them to open an Edit Window.
3. Select General Data in the tree and make sure the fields have proper values. See SAM
Enterprise User Manual: Smart Defaults for object-specific placeholders in a field. SAM
uses the default values if an object is created, and no other source provides the initial
values. For example, resource templates can also be sources for initial values.
4. Submit your updates by pressing the Submit button.
5. Proceed through the second resource type as well.
6. Finally, you can close the Resource Defaults Edit Window.

11 - Resource Group Defaults


In Step 11, you update the two aConnect resource group defaults objects for the new target
system by establishing the required and the desired values. These objects, one for each of the
two resource group types, were created automatically as part of the target system creation.
Assuming you are logged in to SAM and the Workplace Window is open, the step sequence
is as follows:
1. Open a Resource Group Defaults Navigation Window. You can use the Configuration
-> Defaults -> Resource Group Defaults command from the menu bar. The window
displays a list of all resource group defaults.
2. Locate the ID of your aConnect target system in the list. There are two resource group
defaults objects per aConnect target system, one for access resource groups and one for
object resource groups. Double-click the first of them to open an Edit Window.
3. Select General Data in the tree and make sure the fields have proper values. See SAM
Enterprise User Manual: Smart Defaults for object-specific placeholders in a field. SAM
uses the default values if an object is created, and no other source provides the initial
values. For example, resource group templates can also be sources for initial values.
4. Submit your updates by pressing the Submit button.
5. Proceed through the second resource group type as well.
6. Finally, you can close the Resource Group Defaults Edit Window.

12 - Security Data Takeover


This Step 12 is a placeholder to specify the proper position in the configuration sequence for the
task of taking over the existing security data from the application system into the representing
aConnect target system. This position is specified by these fixed points:
- The various defaults objects are configured, so the system is optimally prepared for
  creating new objects for which the application system might not provide all field values.
- The step is followed by the database optimization step, which is only meaningful after a
  substantial amount of database operations.
Since the current version of SAM aConnect does not support Initial Load functions, a security
data takeover will most likely use the functions of the Import Interface, combined with a
customer program to create the import transactions from the existing data.

13 - Database Optimization
In Step 13, you run a database optimization job. This is an optional step. However, it is highly
recommended to optimize the performance.

Database Optimization for DB2


If your SAM database uses DB2 as the DBMS, you can use the option R - SAM DB2 Database
Reorg Utility on the DB2 Maintenance Menu to generate a database optimization job.
For a comprehensive description of the screen in general and this option in particular, see SAM
Enterprise Operations Manual: DB2 Maintenance Menu in the SAM Enterprise Operations
Manual.
Database Optimization for Oracle
If your SAM database uses Oracle as the DBMS, you execute the ALTER INDEX command
toward every database index that is affected, i.e. toward every index for aConnect data and
toward every index for enterprise data tables of users, accounts, groups etc. The command
structure is
ALTER INDEX <schema>.<index> REBUILD COMPUTE STATISTICS ;
where <schema> is the schema name as defined during installation and <index> is the
current index name. See the appendix Oracle Indexes for a list of all indexes in the SAM
database, ordered by index name. The prefixes in the index and table names make clear which
indexes need to be updated.
Database Optimization for SQL Server
If your SAM database uses Microsoft SQL Server as the DBMS, you execute the ALTER INDEX
command toward every database index that is affected, i.e. toward every index for aConnect
data and toward every index for enterprise data tables of users, accounts, groups etc. The
standard command structure is
ALTER INDEX <index> on <schema>.<table> REBUILD ;
but the recommended command structure is optimized as follows:
ALTER INDEX <index> on <schema>.<table> REBUILD WITH
(FILLFACTOR = 80 , PAD_INDEX = ON , SORT_IN_TEMPDB = ON) ;
where <schema> is the schema name as defined during installation, <index> is the current
index name, and <table> is the name of the table to which the index applies. See SQL
Server Indexes for a list of all indexes in the SAM database, ordered by index name. The
prefixes in the index and table names make clear which indexes need to be updated.


The aConnect Agent


An Agent is SAM's local representative in a target system. As explained in greater detail in
the chapter SAM Enterprise Operations Manual: Agents of the SAM Enterprise Operations
Manual, an Agent consists of these sub-components:
Socket Daemon
Remote Courier
TOM
The diagram below illustrates the sub-components and their essential functions. The Socket
Daemon is just a watchdog that wakes up the Remote Courier when a request from the Master
Courier occurs. The Remote Courier handles the communication. The TOM performs the read
and write accesses to the target system database:

There are as many different Agents as there are target system interfaces in SAM Enterprise,
and the basic rule is one Agent for each target system. An Agent for a particular interface
uses the interface name as prefix, so for SAM aConnect, the Agent is called aConnect Agent,
and its three sub-components are called
aConnect Socket Daemon
aConnect Remote Courier
aConnect TOM
This is despite the fact that the Socket Daemon and the Remote Courier are always
platform-specific. The characteristics of the aConnect Agent and its sub-components can be
summarized as follows:
Concerning Socket Daemon and Remote Courier, the aConnect Agent is technically identical
with any other z/OS-based agent, because these components are fully determined by the
platform on which they reside. As explained in greater detail in the respective sections, it
would even be possible to share one Socket Daemon and/or one Remote Courier among all
target systems on the same z/OS platform.
Concerning its TOM, the aConnect Agent is unique. The aConnect TOM supports the full
spectrum of TOM functions in SAM Enterprise.
This chapter documents the configuration as well as the handling of the aConnect Agent. As it
turns out, both parts deal with the setting of configuration files for the three sub-components
Socket Daemon, Remote Courier, and TOM.
Note: All z/OS-based Agents share the same libraries. As a consequence, if you install the
aConnect Agent, you actually get all z/OS-based Agents - even though your license may
not allow you to use them all.

Prerequisites
All prerequisites for the aConnect Agent are met during the installation of SAM aConnect, with
the Agent Installation being an integral part of it. The installation task can immediately be
followed by the configuration task described in this chapter.

Character Sets and Code Conversion


Because SAM aConnect is a mainframe-based security system with an LDAP administration
layer, chances are high that SAM is installed on the same mainframe, with the effect that all
data processing between SAM and the administration layer runs on the same platform and thus
with the same code page. The following text is therefore only relevant for installations that
involve more than one platform and more than one code page.
In addition, the application for which security is administered using SAM can reside on still
another platform, with code conversion necessary between this platform and the
mainframe-based LDAP administration layer. This part of the conversion issue is not discussed
further here and remains a topic for customer-developed conversion programs and tables.
Code Conversion Between SAM and LDAP

The Master Courier uses the same code page as the SAM database. This code page was
implicitly specified during system installation when installing the SAM back end components
on the selected platform and the selected DBMS.
The Agent uses a code page that is specified during the Agent installation, in the step in which
the connection between the Agent and the Master Courier is configured. For SAM aConnect,
this is SAM Enterprise Installation Manual: Phase 4 - Handler Connection Screen. This panel
refers back to a parameter panel where the Remote Courier code page was really defined, while
the Master Courier code page was specified identical to its real definition in an XML file.
Unless these two code pages happen to be identical, any data that is transferred between the
Master Courier and the Agent is converted using a conversion table which is part of the RCINI
File.
Note: The code page for the LDAP server is defined in the slapd.envvars file in the LANG
environment variable.
Code Conversion Inconsistencies
For a proper code conversion, it is recommended to use only those characters which are common
to all involved code pages. Otherwise, it might happen that different source codes are mapped
to one target code. This, in turn, can raise inconsistencies between SAM and the target system.
The only safe indicator for such inconsistencies is a verification failure during an update.
Consistency Maintenance can neither detect non-mappable codes nor errors in the conversion
table. Once detected, the inconsistencies can be repaired with the following steps, which
require some manual work:
- First, check the used conversion table to see whether it maps all mappable codes, and all
  of them to different destinations. If required, repair the table.
- Next, perform a Consistency Maintenance run which only reports inconsistencies.
- If the CM report contains the inconsistent object, it can be corrected via CM with the
  specification Repair SAM.
- If the CM report does not contain the inconsistent object, and the difference is in a non-key
  field, a double update in SAM - with the Overwrite flag set - performs the correction.
  The first update is required to forcibly change the occurrence in the target system. The
  second update brings the occurrence back to the proper value status.
- If the CM report does not contain the inconsistent object, and the difference is in a
  key field, the objects must be deleted on both sides and then recreated with proper
  values/codes. The deletion in the target system must be performed manually. The deletion
  in SAM requires either of the following:
  - The target system-specific Update flag is not set.
  - The target system-specific Verify flag is not set.
  The first alternative suppresses the corresponding delete operation in the target system
  (which would fail). The second alternative ensures that the failed delete operation in the
  target system does not cause a failure of the SAM operation.
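The first repair step, checking that the conversion table maps every mappable code and maps all of them to different destinations, can be automated. The following Python check is an added example and not part of the SAM product or this manual; it assumes the table is available as a byte-to-byte mapping, and the code pages cp037 and ISO8859-15 are chosen only for illustration.

```python
from collections import defaultdict


def build_table(src_cp, dst_cp, substitute=None):
    """Derive a source-byte -> target-byte table from two single-byte code pages.

    Characters that do not exist in the target code page are mapped to
    `substitute` (None = left unmapped), which is how lossy tables arise.
    """
    table = {}
    for code in range(256):
        try:
            char = bytes([code]).decode(src_cp)
        except UnicodeDecodeError:
            continue  # code is not defined in the source code page
        try:
            table[code] = char.encode(dst_cp)[0]
        except UnicodeEncodeError:
            table[code] = substitute
    return table


def audit_table(table):
    """Return (unmapped source codes, {target code: [colliding source codes]})."""
    unmapped = sorted(src for src, dst in table.items() if dst is None)
    sources_by_target = defaultdict(list)
    for src, dst in sorted(table.items()):
        if dst is not None:
            sources_by_target[dst].append(src)
    collisions = {dst: srcs for dst, srcs in sources_by_target.items() if len(srcs) > 1}
    return unmapped, collisions


def convert(data, table):
    """Apply a conversion table to a byte string; unmapped codes are an error."""
    out = bytearray()
    for code in data:
        target = table.get(code)
        if target is None:
            raise ValueError(f"code 0x{code:02X} has no mapping")
        out.append(target)
    return bytes(out)


def invert(table):
    """Reverse table; on a collision only one source code can win."""
    return {dst: src for src, dst in sorted(table.items()) if dst is not None}


def survives_round_trip(text, src_cp, forward):
    """True if a field value is unchanged after conversion there and back."""
    original = text.encode(src_cp)
    return convert(convert(original, forward), invert(forward)) == original


if __name__ == "__main__":
    # Lossy table: characters missing in the target are replaced by '?' (0x3F).
    lossy = build_table("cp037", "iso8859-15", substitute=0x3F)
    unmapped, collisions = audit_table(lossy)
    print("unmapped source codes:", [f"0x{c:02X}" for c in unmapped])
    for target, sources in collisions.items():
        print(f"target 0x{target:02X} receives", [f"0x{s:02X}" for s in sources])
    print("ACCT0001 survives:", survives_round_trip("ACCT0001", "cp037", lossy))
    print("\u00bc\u00bd survives:", survives_round_trip("\u00bc\u00bd", "cp037", lossy))
```

A value that fails the round trip is one that would differ between SAM and the target system after an update, which is the verification failure described above.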

Configuration
The configuration of the aConnect Agent takes place after this Agent has been installed as
explained in the section SAM Enterprise Installation Manual: aConnect Agent Installation of
the SAM Enterprise Installation Manual. The installed Agent is fully operative concerning
communication and order flow, or at least will be in that state after the configuration.
Configuring the aConnect Agent means setting entries in configuration files so that the communication between the Master Courier and the Remote Courier works, and verifying the successful
configuration with a test communication. The subsequent pages describe the details.

1 - TOM
Step 1 applies to the aConnect TOM. While the TOM itself does not need any configuration, the
aConnect target system must be prepared by defining the account through which SAM accesses
the database:

TOM User
The TOM user is SAM's user ID in an administration layer, i.e. in an LDAP directory. All
security maintenance operations are performed using this user ID. A user ID with sufficient
access rights is a prerequisite for the aConnect TOM.
See SAM Enterprise Release Guide: SAM aConnect in the chapter HW/SW Reference of the
SAM Enterprise Release Guide for information about the TOM user's access rights.

2 - Remote Courier
In Step 2, you complete the Remote Courier configuration which was started during the installation of the aConnect Agent. The complete configuration involves two configuration files:
The RCINI file, which is short for Remote Courier initialization file, specifies details of the
communication mode with the Master Courier. This file was generated during the Agent
installation. See SAM Enterprise Installation Manual: Connection Definition in the SAM
Enterprise Installation Manual for the installation step in which the input was provided, see
RCINI File for a sample file, and see SAM Enterprise Operations Manual: RCINI Files in the
SAM Enterprise Operations Manual for details about the syntax.
The MsgINI file, which is short for Remote Courier messaging initialization file, specifies
details of the message routing from the Remote Courier to the central SAM components. See
MsgINI File for a sample file; see SAM Enterprise Operations Manual: Message Routing in
the SAM Enterprise Operations Manual for details about the syntax. The PHOST and PORT
statements in the MsgINI file specify the TCP/IP address and port of the SAM Messaging
Server. These values were set during installation.

3 - Socket Daemon
In Step 3, you configure the Socket Daemon for proper operation as a started task and for proper
communication with the Master Courier. This is done by confirming or updating the settings
in two configuration files that were generated during the Agent installation, and by starting the
Socket Daemon:
The SDINI file, which is short for Socket Daemon initialization file, specifies details of the
communication mode with the Master Courier on one side and the Remote Courier on the
other. See SAM Enterprise Installation Manual: Connection Definition in the SAM Enterprise
Installation Manual for the installation step in which the file was created; see RCINI File for a
sample file; and see SAM Enterprise Operations Manual: SDINI Files in the SAM Enterprise
Operations Manual for details about the syntax.
The MsgINI file, which is short for Socket Daemon messaging initialization file, specifies
details of the message routing from the Socket Daemon to the central SAM components. See
MsgINI File for a sample file; see SAM Enterprise Operations Manual: Message Routing in
the SAM Enterprise Operations Manual for details about the syntax.
The installation program created these configuration files according to the values that were
entered during the installation dialog. Check whether the settings are as required. Then you
can proceed as follows to start the Socket Daemon:
1. Find out which name was given to the start procedure during the SAM installation on the
Handler Started Task Screen. The name was entered in the input field Socket Daemon
Started Task Name, and the installation program created the corresponding member in
the CNTLLIB.
2. Issue a START command for this procedure from the operator console for the z/OS environment in which the Remote Courier is running.
Note: It is strongly recommended to include the start procedure in your system start-up processing. A running Socket Daemon is required for the communication with the Master
Courier.

4 - Master Courier
In Step 4, you register the aConnect Remote Courier as one of the locations to which the Master
Courier can connect. This is done as follows:
1. Add a new <Location> element to the SAM global initialization file that applies to
the Master Courier. A <Location> element defines a Remote Courier for the Master
Courier. It must be contained in the <MasterCourier> element. Be aware that the
following parameters must be synchronized with settings on other platforms:
   - The id attribute in the <Location> element must be unique. This value is required
     when you define the aConnect target system.
   - The attributes hostName and port in the child element <Connection> specify the
     IP address and port of the Remote Courier, more exactly of the Socket Daemon.
     They must be synchronized with the settings in the SDINI file.
For a description of the above XML elements, see the section SAM Enterprise Operations
Manual: SAM Global Initialization File in the SAM Enterprise Operations Manual.
2. After changing the SAM global initialization file, propagate the new settings to the
components' private initialization files; see SAM Enterprise Operations Manual: Making Changes
Effective for a description of how to do this.
3. Start the SAM Client and issue the command SAM Enterprise User Manual: Management
Console to open a Management Console Navigation Window. Click go! to receive the list
entries for the manageable components, and double-click the list entry Master Courier to
open an Edit Window for the Master Courier.
4. The Edit Window presents the Master Courier General Data, which includes the command
checkbox SAM Enterprise User Manual: Reload MCINI. Mark this checkbox and press the
[Submit] button to have the command executed. The effect is that the Master Courier
reloads its <Location> definitions while leaving global settings unchanged.
With this step successfully performed, the Master Courier knows the new aConnect Agent,
which will be verified in the test of the next configuration step.

5 - Testing the Connection


In Step 5, you perform a test communication to verify proper configuration in all involved
components. Proceed as follows:
1. Start the SAM Client and issue the command SAM Enterprise User Manual: Management
Console to open a Management Console Navigation Window. Click go! to receive the list
entries for the manageable components, and double-click the list entry Master Courier to
open an Edit Window for the Master Courier.
2. Find the location ID for your new target system in the list and double-click the list entry.
SAM displays a panel with information about the connection to the Agent for the target
system.
3. Immediately after the implementation, the status of the connection is Disconnected.
Mark the checkbox Connect and press Submit to check if the Master Courier can connect
to the Agent.
4. Refresh the Management Console and check the connection status. The value Connected
is proof of a successful test: It indicates that the Master Courier succeeded in connecting
to the Agent.
The connection will time out after some time, but you can also force a disconnect. Mark
the checkbox Disconnect and press Submit.

If a connection cannot be established, check the various INI files again, especially for identical
settings concerning TCP/IP address and port number.

6 - Target System Settings


In Step 6, you update the definition of your aConnect target system in SAM. Proceed as follows:

1. Start the SAM Client and open a Target System Edit Window for your aConnect target
system.
2. The right half of the window should present the Technical Data Panel. If not, select this
data in the tree at the left:

3. Fill in the Location field. The field must contain the same ID as the <location> element
in the MCINI file; see Step 4.
4. Save your updates and close the window.

aConnect Socket Daemon


The Socket Daemon is the sub-component in an Agent which serves as a watchdog. It listens
on a TCP/IP port until the Master Courier sends a communication request. Then it starts the
Remote Courier, which is the real communication partner for the Master Courier.
Providing the watchdog service is the only purpose of a Socket Daemon. This small program is
the only part of an Agent which runs permanently. Furthermore, as one of the platform-specific
sub-components, the aConnect Socket Daemon is technically identical with the Socket Daemon
in any other z/OS-based Agent.
The handling of the aConnect Socket Daemon is the topic of this section. The descriptions on
the following pages can be summarized as follows:
The Socket Daemon is controlled by an INI file which was generated during the
Agent installation. The procedure that is used for starting the Socket Daemon was
specified during the SAM installation. The assumption is that you included this
procedure in your system start-up.
A z/OS platform requires only one Socket Daemon. If several target systems reside
on one platform, the single Socket Daemon can start several Remote Couriers if
necessary. For example, if you have DB2 and RACF on one z/OS system, the
Socket Daemon can start a Remote Courier for DB2 and another Remote Courier
for administering RACF.

SDINI File
A Socket Daemon is controlled by an initialization file, called SDINI file for short. This file
was generated as part of the Agent installation and verified in the configuration Step 3.
The listing below shows SDINI00, a sample SDINI file. Follow the hyperlinks for details about
the various parameters:
/***************************************************************/
/***                                                         ***/
/***                 SAMPLE DAEMON INI-FILE                  ***/
/***                                                         ***/
/*** THIS MEMBER WAS GENERATED DURING INSTALLATION           ***/
/*** (2006/09/19, 15:39).                                    ***/
/***                                                         ***/
/***************************************************************/
D:SAMSOCKETDAEMON:PORT=5110:EXECN=SAMSE3XR:TIMEOUT=180:
D:SAMADAPTER:EXECN=SAMSE3XL:
D:RCADD:EXECN=SAMSE3XR:INI=RCINI02
S:SAMWATCHDOG:TYP=SOCK:DAEMON=RPC:

The start procedure for the aConnect Socket Daemon refers to the SDINI file in the SDINI
DD-statement:
//SDINI DD DSN=&PREFIXB..USER.CNTLLIB(SDINI&INI),DISP=SHR
SDINI&INI is the name of the SDINI file, for example SDINI00.
SAMSOCKETDAEMON A symbolic name for a connection to the aConnect Remote Courier.
The first line specifies the default connection. This is the connection that will be started
unless the communication partner requests one of the other connections on the other lines.
You can use any string as the symbolic name. The only condition is that the same name
must be used in the Socket Daemon start procedure.

SAMADAPTER A symbolic name for a connection to the SAM Adapter. The connection
defined on this line is used by the SAM Business Server.

RCADD A symbolic name for a connection to the aConnect Remote Courier. The connection
defined on this line is used by the Master Courier.
You can use any string as the symbolic name. The only condition is that the same name
must appear in the MCINI file as the ID attribute in the <connection> element.
If the Master Courier connects to the Socket Daemon sending the symbolic name, a Remote
Courier with a particular RCINI file is used, rather than the default specified on the first
line. For example, if one z/OS system runs RACF and DB2, you can define two connections,
each of them with a specific RCINI file.

SAMWATCHDOG A symbolic name for a special connection that is currently not used.

EXECN The name of the start procedure that will be called when the communication partner
of the respective line requests a connection.

PORT The TCP/IP port number. This number must be the same as specified in the
<port> entry (in the <location> block for this Remote Courier) in the MCINI file of
the Master Courier.

TIMEOUT An optional parameter that specifies the number of seconds during which the
Socket Daemon must start and hand over the communication to the Remote Courier. The
default value is 120 seconds.
Valid values are numbers in the range 10 - 300 (seconds). Any value must be followed by a
closing colon (:).

INI The name of the RCINI file to be used for the connection that is specified on this
line.
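The rules in this section (TIMEOUT range and closing colon, PORT equal to the port in the Master Courier's location definition, symbolic name equal to the connection ID, unique location IDs) can be checked before a connection test. The following Python check is an added example and not part of the SAM product or this manual; the MCINI fragment layout is assumed from the description in configuration Step 4, and the host name and location ID are constructed.

```python
import re
import xml.etree.ElementTree as ET

# SDINI00 as listed on this page (comment banner shortened).
SDINI_SAMPLE = """\
/*** SAMPLE DAEMON INI-FILE ***/
D:SAMSOCKETDAEMON:PORT=5110:EXECN=SAMSE3XR:TIMEOUT=180:
D:SAMADAPTER:EXECN=SAMSE3XL:
D:RCADD:EXECN=SAMSE3XR:INI=RCINI02
S:SAMWATCHDOG:TYP=SOCK:DAEMON=RPC:
"""

# Constructed MCINI fragment. Element and attribute names follow the prose of
# configuration Step 4; the exact layout, host name and location ID are assumptions.
MCINI_SAMPLE = """\
<MasterCourier>
  <Location id="ACONNECT01">
    <Connection id="RCADD" hostName="zos1.example.com" port="5110"/>
  </Location>
</MasterCourier>
"""


def parse_sdini(text):
    """Return one dict per definition line; comment banner lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*") or line.endswith("*/"):
            continue
        fields = line.split(":")
        name = fields[1] if len(fields) > 1 and fields[1] else None
        params = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        entries.append({"name": name, "params": params, "raw": line})
    return entries


def check_sdini(entries):
    """Check the SDINI rules stated in the manual; returns a list of findings."""
    findings = []
    for entry in entries:
        label = entry["name"] or repr(entry["raw"])
        if entry["name"] is None:
            findings.append(f"{label}: no symbolic name on this line")
        port = entry["params"].get("PORT")
        if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"{label}: PORT={port} is not a valid TCP port")
        timeout = entry["params"].get("TIMEOUT")
        if timeout is not None:
            if not (timeout.isdigit() and 10 <= int(timeout) <= 300):
                findings.append(f"{label}: TIMEOUT={timeout} is outside 10-300 seconds")
            if not re.search(r"TIMEOUT=[^:]*:", entry["raw"]):
                findings.append(f"{label}: TIMEOUT value has no closing colon")
    if not any("PORT" in e["params"] for e in entries):
        findings.append("SDINI: no PORT defined")
    return findings


def cross_check(entries, mcini_xml):
    """Compare SDINI entries with the Master Courier's <Location> definitions."""
    findings = []
    names = {e["name"] for e in entries}
    ports = {e["params"]["PORT"] for e in entries if "PORT" in e["params"]}
    seen_ids = set()
    for location in ET.fromstring(mcini_xml).iter("Location"):
        loc_id = location.get("id")
        if loc_id in seen_ids:
            findings.append(f"Location id {loc_id!r} is not unique")
        seen_ids.add(loc_id)
        for conn in location.iter("Connection"):
            if conn.get("port") not in ports:
                findings.append(
                    f"Location {loc_id!r}: port {conn.get('port')} does not match "
                    f"SDINI PORT {sorted(ports)}")
            if conn.get("id") not in names:
                findings.append(
                    f"Location {loc_id!r}: connection id {conn.get('id')!r} "
                    f"is not a symbolic name in the SDINI file")
    return findings


if __name__ == "__main__":
    sdini = parse_sdini(SDINI_SAMPLE)
    for finding in check_sdini(sdini) + cross_check(sdini, MCINI_SAMPLE):
        print("FINDING:", finding)
```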

MsgINI File
Like any other component in a SAM Enterprise system, the Socket Daemon can issue error
messages according to the rules of SAM's messaging system. This system expects a messaging
initialization file for each component, called MsgINI file for short. The MsgINI file for the
Socket Daemon was generated during the Agent installation.
The listing below shows sdmsgini.xml, a sample MsgINI file for the aConnect Socket Daemon.
See SAM Enterprise Operations Manual: Message Routing in the SAM Enterprise Operations
Manual for details about the syntax.
<?xml version="1.0"?>
<!DOCTYPE messaging SYSTEM "../dtd/Messaging.dtd">
<messaging>
  <msgController>
    <host>AIXSERVER</host>
    <prog>sockdaem</prog>
    <vers>3.3</vers>
    <prefix>SAM</prefix>
    <user>sam</user>
    <lang>en</lang>
    <country>US</country>
    <level>5</level>
    <code>ISO8859-1</code>
  </msgController>
  <msgCatalog>
    <id>1</id>
    <name>SDCatalog</name>
    <type>file</type>
    <medium1>../messaging/catalog/sdmsg.xml</medium1>
    <preload>true</preload>
  </msgCatalog>
  <msgCatalog>
    <id>2</id>
    <name>MPPICatalog</name>
    <type>file</type>
    <medium1>../messaging/catalog/mppimsg.xml</medium1>
    <preload>true</preload>
  </msgCatalog>
  <msgDirectory>
    <name>../messaging</name>
  </msgDirectory>
  <!-- Log File Definitions -->
  <msgDevice>
    <id>1</id>
    <level>4</level>
    <name>RCLogFile</name>
    <type>file</type>
    <preformat>true</preformat>
    <length>80</length>
    <indent>
    </indent>
    <preload>true</preload>
    <msgWriteDeviceHandler>
      <handler>MsgWriteDeviceHandlerFile</handler>
      <fileName>../log/sdlog.txt</fileName>
    </msgWriteDeviceHandler>
    <msgFormatter>
      <handler>MsgFormatterText</handler>
      <addField>timestamp</addField>
      <addField>prefix</addField>
      <addField>className</addField>
      <addField>number</addField>
      <addField>level</addField>
      <addField>pid</addField>
      <addField>thread</addField>
    </msgFormatter>
  </msgDevice>
  <!-- Connection to the Messaging Server -->
  <msgDevice>
    <id>2</id>
    <level>3</level>
    <name>TCP</name>
    <type>console</type>
    <preformat>false</preformat>
    <maxErr>1</maxErr>
    <preload>true</preload>
    <msgWriteDeviceHandler>
      <handler>MsgWriteDeviceHandlerServer</handler>
      <tpname>MSG</tpname>
      <profile>C:MSG:TYP=SOCK:PHOST=MSGSERVER:PORT=5151:</profile>
      <codepage>ISO8859-1</codepage>
    </msgWriteDeviceHandler>
  </msgDevice>
</messaging>


Start-Up
The name for the start procedure of the z/OS Socket Daemon is specified during the SAM
Installation on the Handler Started Task Screen. The name is entered in the input field
Socket Daemon Started Task Name, and the installation program creates the corresponding
member in the CNTLLIB.
Note: In the subsequent text, <start-proc> stands for this procedure and/or its name.
The start-up is performed with a START command from the operator console for the z/OS
environment in which the Remote Courier is running. After a successful start, the Socket
Daemon issues this message:

2006-12-16 20:01:44.000 SAMPSD221I - Socket Daemon <name> started.


Sample Log File

If the command fails and this message does not occur, check the following:
The settings in the start procedure
The settings in the SDINI file
The z/OS system log for any error message in this context
If you cannot locate the error reason, contact SAM Customer Support.

Shut-Down
A z/OS Socket Daemon can be shut down with an operator console command. There are two
alternatives:
P <stc-name>

F <stc-name>,STOP

where <stc-name> is the started task name of the Socket Daemon, i.e. the name of the
procedure by which it was started.

Operator Commands
The only operator commands accepted by the z/OS Socket Daemon are those used for shutdown. See Shut-Down for details.

aConnect Remote Courier


The Remote Courier is the controlling sub-component in an Agent. It receives orders from the
Master Courier, invokes the TOM to have them carried out, and returns the feedback information
to the Master Courier. The Remote Courier is started by the Socket Daemon, as a response to
a communication request from the Master Courier. Once the request is completed, the Remote
Courier shuts down according to orders from the Master Courier.
As one of the platform-specific sub-components, the aConnect Remote Courier is technically
identical with the Remote Courier in any other z/OS-based Agent. Its handling is the topic of
this section. The descriptions on the following pages can be summarized as follows:
The Remote Courier relies on a running Socket Daemon to be started. From then on,
it is controlled by the settings in an INI file which was generated during the Agent
installation, but still more by the orders from the Master Courier. No function or
command directly manipulates the Remote Courier.
A z/OS platform requires only one Remote Courier installation. If several target
systems reside on one platform, the Remote Courier is started several times and each
Remote Courier instance uses a different TOM. For example, if you have RACF and
DB2 on one z/OS system, the Socket Daemon can start two instances of the Remote
Courier. One instance uses a RACF TOM and the other a DB2 TOM.

RCINI File
A Remote Courier is controlled by an initialization file, called RCINI file for short. This file
was generated as part of the Agent installation and verified in the configuration Step 2.
The listing below shows RCINI00, the z/OS-specific template for RCINI files. The installation
routine takes this template, enhances it according to the input from the installing administrator,
and stores it in a member whose name is also part of the input:
(Gen)
Daemon = YES
CallTomEndExit=YES

MsgINI File
Like any other component in a SAM Enterprise system, the Remote Courier can issue error
messages according to the rules of SAM's messaging system. This system expects a messaging
initialization file for each component, called MSGINI file for short. The file for the Remote
Courier was generated as part of the aConnect Agent installation.
The listing below shows rcmsgini.xml, an example of a messaging initialization file for the Remote
Courier. See SAM Enterprise Operations Manual: Message Routing in the SAM Enterprise
Operations Manual for details about the syntax.

<?xml version="1.0"?>
<!DOCTYPE messaging SYSTEM "../Messaging.dtd">
<messaging>
<msgController>
<host>AIXSERVER</host>
<prog>rc_tcpip</prog>
<vers>3.3</vers>
<prefix>SAM</prefix>
<user>sam</user>
<lang>en</lang>
<country>US</country>
<level>5</level>
<code>ISO8859-1</code>
</msgController>
<msgCatalog>
<id>1</id>
<name>RCUNIXCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/rcuxmsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>2</id>
<name>RCindepCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/rcindmsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>3</id>
<name>MPPICatalog</name>
<type>file</type>
<medium1>../messaging/catalog/mppimsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>4</id>
<name>TTOMCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/ttommsg.xml</medium1>
<preload>true</preload>

</msgCatalog>
<msgCatalog>
<id>4</id>
<name>OBOXCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/OBOXmsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>5</id>
<name>TSICatalog</name>
<type>file</type>
<medium1>../messaging/catalog/TSImsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgDirectory>
<name>../messaging</name>
</msgDirectory>
<!-- Log File Definitions -->
<msgDevice>
<id>1</id>
<level>4</level>
<name>RCLogFile</name>
<type>file</type>
<preformat>true</preformat>
<length>80</length>
<indent>
</indent>
<preload>true</preload>
<msgWriteDeviceHandler>
<handler>MsgWriteDeviceHandlerFile</handler>
<fileName>../log/rclog.txt</fileName>
</msgWriteDeviceHandler>
<msgFormatter>
<handler>MsgFormatterText</handler>
<addField>timestamp</addField>
<addField>prefix</addField>
<addField>className</addField>
<addField>number</addField>
<addField>level</addField>
<addField>callingClass</addField>
<addField>callingFunction</addField>
</msgFormatter>
</msgDevice>

<!-- Connection to the Messaging Server -->


<msgDevice>
<id>2</id>
<level>3</level>
<name>TCP</name>
<type>console</type>
<preformat>false</preformat>
<maxErr>1</maxErr>
<preload>true</preload>
<msgWriteDeviceHandler>
<handler>MsgWriteDeviceHandlerServer</handler>
<tpname>MSG</tpname>
<profile>C:MSG:TYP=SOCK:PHOST=MSGSERVER:PORT=5151:</profile>
<codepage>ISO8859-1</codepage>
</msgWriteDeviceHandler>
</msgDevice>
</messaging>

Start-Up
A z/OS-based Remote Courier is exclusively started by the Socket Daemon, after this watchdog
program received a communication request from the Master Courier. The orders from the Master
Courier determine when the Remote Courier shuts down again.
There is no way of manually starting or shutting down the Remote Courier.

Shut-Down
A z/OS-based Remote Courier is exclusively started by the Socket Daemon, after this watchdog
program received a communication request from the Master Courier. The orders from the Master
Courier determine when the Remote Courier shuts down again.
There is no way of manually starting or shutting down the Remote Courier.

Operator Commands
A z/OS-based Remote Courier does not accept direct commands.

aConnect TOM
The TOM (meaning Target System Operation Module) is the sub-component in an Agent
which directly contacts the target system and therefore appears as SAM's representative from
the perspective of the target system or its access control subsystem. Only the TOM knows
how to read from or write into the target system database. As the other sub-components in an
Agent are platform-specific, the TOM is the only sub-component that is really specific to the
particular target system interface, here aConnect.
In order to perform its duty, the aConnect TOM needs an account in the access control system
that protects the target system. This account must be properly authorized to perform the
necessary accesses.
Technically, the TOM is started as a sub-task of the Remote Courier. The handling of the
aConnect TOM is the topic of this section. The descriptions on the following pages can be
summarized as follows:
The TOM was completely provided by the manufacturer and configured as part of
the Agent installation. In contrast to other TOMs, the aConnect TOM does not
have a configuration file because there is nothing to be configured.

TOM Configuration
In short: the aConnect TOM has no configuration file. In the longer version, the explanation is
as follows:
A TOM configuration file specifies whether the TOM for the respective target system is script-based or DLL-based and, in the latter case, the name of the DLL. For the aConnect TOM,
which is completely provided by the manufacturer, there are no alternatives that might result
from any customer-specific development. So the TOM configuration file is unnecessary.

TOM User
The TOM user is SAM's user ID in an administration layer, i.e. in an LDAP directory. All
security maintenance operations are performed using this user ID. A user ID with sufficient
access rights is a prerequisite for the aConnect TOM.
See SAM Enterprise Release Guide: SAM aConnect in the chapter HW/SW Reference of the
SAM Enterprise Release Guide for information about the TOM user's access rights.

TOM Exit Conventions


SAM aConnect does not support user exits in the aConnect TOM. Consequently, there are no
TOM exit conventions either.


Initial Load
The current version of SAM aConnect does not support functions for Initial Load.
In order to take over security data from an existing application system, the functions of the
Import Interface are the most likely candidates for a replacement. Such an approach requires
a customer-specific program that creates the import transactions from the existing security data
in the application.


Consistency Maintenance
Consistency Maintenance (CM) is a SAM utility which compares SAM's image data with the
security data in the aConnect target system. If the two are inconsistent, CM can automatically
update the SAM database and/or the application database to restore consistency.
Note: You should run CM on a regular basis to ensure that security administration with SAM
is based on consistent data.
The following diagram provides an overview of a CM run. The steps and actions are explained
below:

1. An administrator specifies the scope of the CM run. The maximum scope is an entire
aConnect target system, but it is also possible to select individual business object types
or image tables.
For example, an administrator can choose to run CM for all aConnect accounts. Alternatively, the administrator can restrict CM to the account general data table or any other
image table. Whatever the specification may be, CM resolves it into a list of image tables
to be processed.
2. CM locks the target system to prevent administrators from making updates in SAM while
CM is running.
3. CM unloads the required image data from the SAM database. If necessary, this data is
sorted.
4. For every selected image table, CM instructs the Master Courier to extract the target
system data from the application database. If necessary, this data is sorted.
5. The data from both sides goes through a check process whose unit of work is a single
occurrence in a table. These are the possible results:

Exists only in SAM
Exists only in the target system
Exists in both but with different attributes
Exists in both and with identical attributes

6. If an inconsistency is found, CM consults the repair rules to find out what to do. These
are the possible actions:
Generate repair transactions
Report the inconsistency
Ignore the inconsistency
For example, the CM check may find a user that exists only in SAM. If the repair rule is
Repair TS, CM generates transactions to create the user in the application database.
7. SAM executes the repair transactions to restore consistency between the SAM database
and the application database. The effects are the same as if an administrator had manually
performed the updates.
8. Finally, CM unlocks the target system.
CM creates a report about all inconsistencies. This report can be found in the CMMSGOUT dataset.
It lists successful repair actions, failures, and those occurrences that were excluded from the
automatic repair. The information helps administrators to analyze the results of a CM run.

CM Repair Rules
A Consistency Maintenance (CM) repair rule specifies what to do after finding an inconsistency
during CM. SAM provides rules in a category matrix, in a hierarchy matrix, and with six different
values representing the action to be taken. The following inconsistencies can occur:
Not in SAM
Not in TS
Different Attributes
Not in SAM means that a particular business object is found in the target system but not in
SAM. The repair action applies to the entire object. However, different attributes of the object
can be handled according to repair rules from different hierarchy levels.
Not in TS means that a particular business object is found in SAM but not in the target
system. As before, the repair action applies to the entire object and can involve repair rules
from different hierarchy levels for different attributes.
Different Attributes means that a particular business object is found in both SAM and the
target system but with different values in one or several attributes. The repair action applies
to the different attributes, and each attribute can be considered as an inconsistency of its own
with its own repair rule.
These inconsistency types represent the first dimension of the category matrix. The second
dimension is formed by the scope to which a particular rule applies. The supported scopes are

System
Table
Key range in table
Key in table

This is further discussed in Rule Hierarchies, because the scopes also represent a dimension
in the hierarchy matrix, in which the second dimension is formed by the question whether an
inconsistency applies to an entire business object or just to a particular attribute.
All repair rules for a particular target system are stored in attributes of the target system
definition at enterprise level. Follow the above hyperlink to find a graphic with click-sensitive
boxes leading to them.
For any repair rule more specific than Table Level, SAM defines a list of tables and fields for
which key ranges and single key values can be specified. The last two pages in this section deal
with this topic.

CM Repair Rule Actions


A Consistency Maintenance (CM) repair rule can specify one out of six possible values. However,
some of these values are restricted to certain object types, attribute types, or hierarchy levels.
These restrictions are summarized in the following explanations.
Repair SAM is an instruction to list the inconsistency in the CM report and trigger an automatic repair action by which the SAM image is adjusted to the status of the target system
data. Depending on the type of inconsistency, this action can be an insertion (Not in SAM), a
deletion (Not in TS), or a value change (Different Attributes). This action is valid for all object
types, attribute types, and levels.
Repair TS is an instruction to list the inconsistency in the CM report and trigger an automatic
repair action by which the target system data is adjusted to the status of the SAM image.
Depending on the type of inconsistency, this action can be an insertion (Not in TS), a deletion
(Not in SAM), or a value change (Different Attributes). This action can be invalid for certain
object types and attribute types. For example, a time stamp Last Login can never be repaired
in this way.
Report is an instruction to list the inconsistency in the CM report but not do anything that
would perform an automatic repair operation. This action is valid for all object types, attribute
types, and levels.
Ignore is an instruction to ignore the inconsistency so that it does not even cause an entry in
the CM report. This action is valid for all object types, attribute types, and levels.
Update Statistics is an instruction to silently repair the inconsistency. This is a special case
of Repair SAM which can only be applied to statistical or time stamp attributes. It means that
the SAM image is updated to the status of the target system data without creating an entry in
the CM report. This rule is applied to attributes which cannot be right in SAM, such as Last
Login.
Use Default is an instruction to resort to the next higher level in the hierarchy matrix and
apply the rule specified there. See Rule Hierarchies for the matrix and the default references,
which are expressed by arrows in the graphic on this page. This action is invalid on the system
level, because there is no higher level to which to resort, and for rules that are specific to fields.

CM Repair Rule Hierarchies


Consistency Maintenance (CM) repair rules are organized in a hierarchy concerning scopes,
ranges, and the corresponding paths on which Use Default references are resolved at the next
higher level. The following diagram, in which the click-sensitive white dots represent specific
repair rules, illustrates the hierarchies:

SAM always uses the most specific rule it can find for a particular type of inconsistency and
data element. The evaluation process determines the most specific rule as follows:
System Level stands for the least specific rule, stored in the technical data of the respective
target system. This rule is used if nothing better is found, or if the case-related rule at table
level says Use Default.
Table Level is the next better level, the standard for ninety-five percent of all cases and the
most specific level for all target system types which do not support type-specific rules. These
rules - one for each table type - are stored in the table definitions of the respective target
system. They are used if nothing better is found, or if the case-related rule at key range level
says Use Default. Furthermore, these rules are used for all attributes in the object for which
there is no entry at field level.
Key Range Level requires that the target system interface supports type-specific repair
rules; see the next two pages for details. Such rules define that certain object types and/or
key ranges in a table should be treated according to the specified action, rather than the
table-wide setting. Such rules are always customer-specific. They are stored in the table type
data of the respective target system. They are used unless there is an even more specific rule
at key value level. Furthermore, these rules are used for all attributes in the object for which
there is no entry at field level.
Key Level is a special case of Key Range Level in which the rule applies to just one key
value, i.e. to a single business object. In all other regards, this case is equivalent to the one
explained above.
The description so far explains how the relevant repair rule is evaluated if a business object with
inconsistencies is found. If the inconsistency is one of the cases Not in SAM or Not in TS,
the evaluation ends here because field-specific settings are irrelevant for them. The evaluation
continues only if the object exists on both sides but with different attributes:
Fields at table level are only relevant if the rule evaluation at occurrence level stopped at
table level, i.e. if there was no type-specific rule. Then, a particular attribute (i.e., field) is
repaired according to its rule in the field data of the target system or, if this rule says Use
Default, according to the table rule at occurrence level.
Field Types at key range level are only relevant if the rule evaluation at occurrence level
reached the key range level and there was no more specific rule at key level. Then, a particular
attribute (i.e., field) is repaired according to its rule in the field types data of the target system
or, if this rule says Use Default, according to the table type rule at occurrence level. Note:
When inserting a type rule at table level, SAM automatically creates the complete list of field
types for it, initially all set to Use Default.
Field Types at key level are only relevant if the rule evaluation at occurrence level reached
this most specific level. Otherwise, the handling is the same as for field types at key range
level.
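The check and the rule lookup described in steps 5 and 6 of the CM run and in the hierarchy above, as an added example (not SAM code). The names RuleSet, TableRules, resolve, check and plan are hypothetical, the account data is constructed, and the example assumes that the longest matching key prefix is the most specific rule.

```python
from dataclasses import dataclass, field

USE_DEFAULT = "Use Default"
NOT_IN_SAM, NOT_IN_TS, DIFF = "Not in SAM", "Not in TS", "Different Attributes"


@dataclass
class RuleSet:
    """Repair rules stored at one hierarchy level."""
    rules: dict                                  # inconsistency type -> action
    fields: dict = field(default_factory=dict)   # field name -> action (Different Attributes only)


@dataclass
class TableRules:
    table: RuleSet                               # table level
    typed: dict = field(default_factory=dict)    # key prefix -> RuleSet (key range / key level)


def resolve(system, tbl, key, kind, field_name=None):
    """Return (action, level) for one inconsistency, most specific rule first."""
    if USE_DEFAULT in system.rules.values():
        raise ValueError("Use Default is invalid at system level")
    # Assumption: among several matching key prefixes, the longest one wins.
    prefixes = sorted((p for p in tbl.typed if key.startswith(p)), key=len, reverse=True)
    chain = [(f"key prefix {p}", tbl.typed[p]) for p in prefixes]
    chain += [("table", tbl.table), ("system", system)]
    if kind == DIFF and field_name is not None:
        # Field rules are read only at the level the occurrence evaluation reached.
        level, reached = chain[0]
        action = reached.fields.get(field_name, USE_DEFAULT)
        if action != USE_DEFAULT:
            return action, f"{level} (field)"
    # Use Default at any level hands the decision to the next higher level.
    for level, ruleset in chain:
        action = ruleset.rules.get(kind, USE_DEFAULT)
        if action != USE_DEFAULT:
            return action, level
    raise AssertionError("unreachable: the system level always decides")


def check(sam, ts):
    """Step 5: classify every occurrence; yields (key, kind, field_name)."""
    for key in sorted(sam.keys() | ts.keys()):
        if key not in sam:
            yield key, NOT_IN_SAM, None
        elif key not in ts:
            yield key, NOT_IN_TS, None
        else:
            for name in sorted(sam[key].keys() | ts[key].keys()):
                if sam[key].get(name) != ts[key].get(name):
                    yield key, DIFF, name


def plan(system, tbl, sam, ts):
    """Step 6: look up the repair rule for every inconsistency found."""
    return [(key, kind, name) + resolve(system, tbl, key, kind, name)
            for key, kind, name in check(sam, ts)]


# Constructed rules: the ADM key range is only reported, never repaired automatically.
SYSTEM = RuleSet({NOT_IN_SAM: "Report", NOT_IN_TS: "Report", DIFF: "Report"})
ACCOUNTS = TableRules(
    table=RuleSet({NOT_IN_SAM: USE_DEFAULT, NOT_IN_TS: "Repair TS", DIFF: "Repair TS"},
                  fields={"last_login": "Update Statistics"}),
    typed={"ADM": RuleSet({NOT_IN_SAM: "Report", NOT_IN_TS: "Report", DIFF: "Report"},
                          fields={"last_login": USE_DEFAULT})},
)
# Constructed image data (SAM side) and target system data.
SAM_IMAGE = {
    "ADM001": {"name": "Admin One", "last_login": "2014-07-01"},
    "USR100": {"name": "Alice", "last_login": "2014-07-01"},
    "USR200": {"name": "Bob", "last_login": "2014-07-02"},
}
TARGET = {
    "ADM001": {"name": "Admin One", "last_login": "2014-08-01"},
    "USR100": {"name": "Alice A.", "last_login": "2014-08-03"},
    "USR300": {"name": "Carol", "last_login": "2014-08-04"},
}

if __name__ == "__main__":
    for row in plan(SYSTEM, ACCOUNTS, SAM_IMAGE, TARGET):
        print(row)
```

For ADM001 the table-level field rule Update Statistics is not consulted, because the evaluation reached the key range level and the field type there says Use Default.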

Type-Specific Repair Rules for CM


A type-specific Consistency Maintenance (CM) repair rule applies to a situation in which the
standard, i.e. the table-specific repair rule, is not specific enough. Type-specific rules provide
three more levels of granularity, and the first of them explains where they received their name:
Object type: There are many cases in which one table contains different types of business
objects. For example, if there is one table for resource connections, but the target system
supports several types of resources and several types of objects requiring access, the object
category resource connection can split into multiple types. Another common case is that of the
tables for dependent data in uConnect-based target system interfaces, in which the concept
of sub-types is fully incorporated.
Key Range: Even within a sub-type or sub-category, a customer may need repair rules that
apply only to a certain key range. Key ranges are defined by their key prefix. Every business
object whose key matches the key prefix in the rule is handled according to this rule (unless
there is a more specific rule; see below.)
Key Value: It is possible to define a rule with a key prefix that can be matched by just one
specific business object. Such rules are used if certain single objects play a very special role
in the target system.
Type-specific repair rules can only be used within the supported scope of tables and key fields,
which differ depending on the target system interface. The page Type Support specifies the
supported range for this target system interface. The method is always the same:
The business object Target System Table Types appears in the GUI when expanding the
tree for a target system via Technical Data -> Tables -> Types; see SAM Enterprise User
Manual: Types. This means that the assignment to a specific table is already implicit. (When
using the Import Interface, the associated table is one of the values that must be specified.)
The data panel for a table type object shows a field Entity Key and the three rule fields for
the three cases Not in SAM, Not in TS, and Diff. Attr. (plus the usual time stamps). In
other words, the single attribute Entity Key determines the type and key range to which
the rule applies.
The value for the Entity Key attribute can be a key prefix or a concatenation that is split
into field-specific sections according to a table-specific algorithm. The next page explains
which fields to use/concatenate for a particular table.
For example, uConnect tables for dependent data use a type field and a key field. The type
field specifies the object type. The key field specifies the object to which the dependent data
belongs. Type-specific repair rules for such tables have a value in Entity Key which is a
concatenation of (complete) type value and key prefix.
If the value in Entity Key represents a concatenation of two fields, its value is interpreted in
a way that can best be illustrated in an example:
Assume a TYPE field of 16 bytes and a KEY field of 64 bytes being the ones for which
a concatenation is placed in Entity Key
Any value of less than 16 bytes is interpreted as a selector for a type range: all objects
whose TYPE prefix matches the selector are qualified.
A value of exactly 16 bytes is interpreted as a type selector. All objects whose TYPE
value matches the selector are qualified.
A value of more than 16 bytes is interpreted as a key range selector within a certain
type. All objects whose TYPE value matches the first 16 bytes in the selector and
whose KEY prefix matches the remaining bytes in the selector are qualified.
This concept can be extended until the selector matches just one specific object: the
remaining bytes after the 16-byte type prefix match the KEY value of just one object.
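The three interpretation cases above, as an added example (not SAM code). The function names and the rules are hypothetical and constructed; the example assumes single-byte characters, blank-padded fixed-width fields, and that the longest matching selector is the most specific one.

```python
TYPE_LEN, KEY_LEN = 16, 64  # field widths taken from the manual's example


def entity_key(type_value, key_prefix=""):
    """Build an Entity Key selector for one exact type, optionally narrowed to a key prefix.

    Assumption: TYPE is blank-padded to its full width before the key part is appended.
    """
    if len(type_value) > TYPE_LEN or len(key_prefix) > KEY_LEN:
        raise ValueError("value longer than its field")
    return type_value.ljust(TYPE_LEN) + key_prefix


def matches(selector, type_value, key_value):
    """Apply the three interpretation cases to one business object."""
    type_field = type_value.ljust(TYPE_LEN)
    key_field = key_value.ljust(KEY_LEN)
    if len(selector) < TYPE_LEN:
        return type_field.startswith(selector)        # type range selector
    if type_field != selector[:TYPE_LEN]:
        return False                                   # type must match all 16 bytes
    return key_field.startswith(selector[TYPE_LEN:])   # empty remainder: pure type selector


def select_rule(rules, type_value, key_value):
    """Return (selector, action) of the most specific matching rule, or None.

    Assumption: the longest matching selector is the most specific one.
    """
    hits = [s for s in rules if matches(s, type_value, key_value)]
    if not hits:
        return None
    best = max(hits, key=len)
    return best, rules[best]


# Constructed rules for a hypothetical dependent-data table.
RULES = {
    "ROLE": "Use Default",                       # type range: ROLE, ROLEGROUP, ...
    entity_key("ROLE"): "Report",                # exactly type ROLE
    entity_key("ROLE", "ADM"): "Repair TS",      # type ROLE, keys starting with ADM
    # Still a prefix: it selects a single object only while no other key starts with it.
    entity_key("ROLE", "ADMROOT"): "Report",
}

if __name__ == "__main__":
    for obj in [("ROLEGROUP", "X1"), ("ROLE", "USR1"), ("ROLE", "ADMIN7"),
                ("ROLE", "ADMROOT"), ("GROUP", "X1")]:
        print(obj, "->", select_rule(RULES, *obj))
```

A selector of fewer than 16 bytes such as ROLE also qualifies the type ROLEGROUP; padding the type to the full 16 bytes is what turns it into an exact type selector.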
When inserting a new table type in the target system, SAM automatically copies the full list of
field definitions as field types under this entry. By default, all of them are set to Use Default,
meaning that the table type rule applies to them. Setting field-specific rules for the case Different Attributes is
done by opening the respective field type and changing the repair rule to something else.

Type-Specific Support for aConnect


#?#

Restrictions and Recommendations


The general limitations of SAM aConnect also apply to Consistency Maintenance. See Functional Support for further information.
In contrast to other target system interfaces, SAM aConnect supports CM only for the repair
rule Repair TS, in addition to all repair rules that do not cause any update. The repair rule
Repair SAM is not supported.
The Tables List presents the table-specific sequence numbers according to which CM processes
the tables, as far as they are affected in a CM job. Tables without numbers do not participate
in CM because they only exist in SAM.
When running Consistency Maintenance for single tables, the table sequence should always be
as shown in the list. However, a single-table run cannot solve all inconsistencies. Even including
all tables may not be sufficient to completely restore the consistency. The example below shows
such a situation:
A Consistency Maintenance job refers to groups and memberships in aConnect. The
repair rules are set to Repair SAM.
These inconsistencies exist:
IC1: An aConnect group and a membership are not defined in SAM.
IC2: A SAM group and a group connection are not defined in aConnect.
In the standard sequence, groups are processed before connections. Consistency Maintenance fails for IC2. The group cannot be deleted from the SAM database because a
connection is referring to it.
Changing the sequence to process groups after connections is no solution either. IC2 can
now be solved but IC1 causes an error. The connection that corresponds to the AIX
membership cannot be created in SAM because the group does not yet exist.
The conclusion from this example is that Consistency Maintenance must be run twice.
There is another case in which Consistency Maintenance seems to fail, but in fact does everything
according to the definitions. For each image table definition in SAM, the field List TOM specifies
the TOM which retrieves data from the target system. If the value is NOTOM, Consistency
Maintenance does nothing for this table. This is reported with a message in the job protocol.

Tables List
This section lists the image tables for SAM aConnect with their important attributes and the
list of business objects stored in them:
Click a column title to open a pop-up that explains the column logic.
Click a table name/repeater to open an Import Interface XML structure.
Click a business object name to open the logical object description.
For more details, see the pop-up for the respective column. Note that generic business objects
are not listed below. If a business object has a generic version - e.g., a user policy account - this
version is found in the same table as the discrete counterpart.
CMSN  Table Name Business Object                                         Object Data
10    ACONTS     aConnect Target System                                  aConnect Data
      ****       aConnect Target System Defaults
11    ACONTSC    aConnect Target System                                  Class
      ****       aConnect Target System Defaults
13    ACONTSCA   aConnect Target System                                  Class Attribute
      ****       aConnect Target System Defaults
14    ACONTSCV   aConnect Target System                                  Class Attribute Value
      ****       aConnect Target System Defaults
15    ACONTSCR   aConnect Target System                                  Class Attribute Reference
      ****       aConnect Target System Defaults
--    ACONTSCD   aConnect Target System                                  Allowed Class
      ****       aConnect Target System Defaults
20    ACONUS     aConnect Account                                        General Data
      ****       aConnect Account Template
      ****       aConnect Account Defaults
21    ACONUSA    aConnect Account                                        Attribute
      ****       aConnect Account Template
      ****       aConnect Account Defaults
22    ACONUSAV   aConnect Account                                        Attribute Value
      ****       aConnect Account Template
      ****       aConnect Account Defaults
30    ACONUG     aConnect Group                                          General Data
      ****       aConnect Group Template
      ****       aConnect Group Defaults
32    ACONUGA    aConnect Group                                          Attribute
      ****       aConnect Group Template
      ****       aConnect Group Defaults
33    ACONUGAV   aConnect Group                                          Attribute Value
      ****       aConnect Group Template
      ****       aConnect Group Defaults
--    ACONUGD    aConnect Group                                          Forbidden Group
      ****       aConnect Group Template
      ****       aConnect Group Defaults
40    ACONUMS    aConnect Group Connection (Account)                     General Data
      ****       aConnect Group Connection (Account Template)
      ****       aConnect Group Connection (Account Defaults)
      ****       aConnect Group Connection (Role)
      ****       aConnect Joker Group Connection (Role)
41    ACONUMSA   aConnect Group Connection (Account)                     Attribute
      ****       aConnect Group Connection (Account Template)
      ****       aConnect Group Connection (Account Defaults)
42    ACONUMSAV  aConnect Group Connection (Account)                     Attribute Value
      ****       aConnect Group Connection (Account Template)
      ****       aConnect Group Connection (Account Defaults)
50    ACONRS     aConnect Access Resource                                General Data
      ****       aConnect Access Resource Template
      ****       aConnect Access Resource Defaults
      ****       aConnect Object Resource
      ****       aConnect Object Resource Template
      ****       aConnect Object Resource Defaults
51    ACONRSR    aConnect Access Resource                                Rule
      ****       aConnect Access Resource Template
      ****       aConnect Access Resource Defaults
      ****       aConnect Object Resource
      ****       aConnect Object Resource Template
      ****       aConnect Object Resource Defaults
52    ACONRSRA   aConnect Access Resource                                Rule Attribute
      ****       aConnect Access Resource Template
      ****       aConnect Access Resource Defaults
      ****       aConnect Object Resource
      ****       aConnect Object Resource Template
      ****       aConnect Object Resource Defaults
53    ACONRSRV   aConnect Access Resource                                Rule Attribute Value
      ****       aConnect Access Resource Template
      ****       aConnect Access Resource Defaults
      ****       aConnect Object Resource
      ****       aConnect Object Resource Template
      ****       aConnect Object Resource Defaults
--    ACONRG     aConnect Access R.Group                                 General Data
      ****       aConnect Access R.Group Template
      ****       aConnect Access R.Group Defaults
      ****       aConnect Object R.Group
      ****       aConnect Object R.Group Template
      ****       aConnect Object R.Group Defaults
--    ACONRGD    aConnect Access R.Group                                 Forbidden Group
      ****       aConnect Access R.Group Template
      ****       aConnect Access R.Group Defaults
      ****       aConnect Object R.Group
      ****       aConnect Object R.Group Template
      ****       aConnect Object R.Group Defaults
--    ACONRMS    aConnect Access R.Group Connection (Resource)           complete
      ****       aConnect Access R.Group Connection (Resource Template)
      ****       aConnect Access R.Group Connection (Resource Defaults)
      ****       aConnect Object R.Group Connection (Resource)
      ****       aConnect Object R.Group Connection (Resource Template)
      ****       aConnect Object R.Group Connection (Resource Defaults)
80    ACONAU     aConnect R.Group Connection (Account)                   General Data
      ****       aConnect R.Group Connection (Account Template)
      ****       aConnect R.Group Connection (Account Defaults)
      ****       aConnect R.Group Connection (Group)
      ****       aConnect R.Group Connection (Group Template)
      ****       aConnect R.Group Connection (Group Defaults)
81    ACONAUA    aConnect R.Group Connection (Account)                   Authorization
      ****       aConnect R.Group Connection (Account Template)
      ****       aConnect R.Group Connection (Account Defaults)
      ****       aConnect R.Group Connection (Group)
      ****       aConnect R.Group Connection (Group Template)
      ****       aConnect R.Group Connection (Group Defaults)

CMSN: The table sequence number determines the order in which the tables are processed
during Consistency Maintenance and Initial Load.
For example, if table A has the number 10 and table B has the number 5, table B is processed
before table A. The value itself is meaningless; only the order is relevant.

Table Name: The table name in the SAM database.
Clicking the table name or the repeater **** opens the XML structure description in the
Import Interface for the business object (data) listed in the same row.
Note: If a row has no link in the column, the respective business object cannot be administered using the Import Interface. This is always the case for defaults objects.

Business Object: The name of the business object stored in the table - either with the data
specified in the Object Data column or with its complete data.
Clicking the business object name opens the logical description for the object data.

Object Data: The name of the business object's dependent data stored in the listed table.
The name complete appears for single-part business objects which do not consist of general
data and dependent data objects.
The name for the dependent data remains the same for all business objects in a group.
Accordingly, the name is listed only in the first row of such a group.

Configuring Consistency Maintenance


Configuring Consistency Maintenance (CM) means performing all preparations so that a CM
job which behaves as desired can be started any time. In this sense, there are two configuration
tasks, of which only the first one is mandatory:
Configuration object: in order to create a run object for the job to be executed, you need a
CM configuration object. The underlying concept is explained in Business Objects for Utility
Management.
User exits: in order to enhance the standard processing in the CM utility by customer-specific
logic, you can implement user exits. The respective methods are explained in Exits and APIs,
and the respective user exits are explained in SAM Enterprise Configuration Manual: User Exits
for Initial Load and Consistency Maintenance, which is a section in this chapter.

Configuration Object
A CM configuration is a business object of the category utility configuration which refers to
Consistency Maintenance (CM) as the utility to be configured, and to aConnect as the target
system interface. Both settings specify the exact list of image tables that may or may not be
included in a particular utility invocation.

Note: A CM configuration is necessary for starting a CM run. Make sure that at least one
CM configuration is available for target systems of the type aConnect if you administer
aConnect systems with SAM.

Depending on how you organize CM, a single CM configuration with generic settings may be
sufficient for all your aConnect target systems. Alternatively, you can create CM configurations
with specific settings for every single target system. To create a new CM configuration, proceed
as follows:
1. Start the SAM Client and open a Utility Configuration Navigation Window.
You can use the command Tools -> Utility Configurations from the menu bar.
2. Open the creation dialog.
You can use the command Edit -> New Utility Configuration from the menu bar.
The dialog starts up with a single field. When you fill in a field and press Next, the next
field is displayed. You must fill in these fields to create a new CM configuration:
Utility must contain the value CM.
TS Type must contain the value aConnect.
Configuration ID is an arbitrary ID for your CM configuration.

3. After you have filled in all fields in the dialog box, pressing Next once more opens an
Edit Window with your new CM configuration. Fill in the fields and press Submit to
submit your changes and save the configuration. See SAM Enterprise User Manual: CM
Configuration in the SAM Enterprise User Manual for a description of all settings in this
business object.

Executing Consistency Maintenance


Executing Consistency Maintenance (CM) means creating a CM run object, which is the representative for the job to be scheduled. The job for the new run object is automatically stored in
the SAM Queue, where it waits for its execution until it is due, either as soon as possible or at
the specified date and time.
SAM offers two modes for creating such a run object: interactively in SAM's graphical user
interface (GUI), or with a batch order using the Import Interface. Follow the links in the above
ToC (Table of Contents) for the two detailed descriptions.
Prerequisites: Creating a CM run object has two prerequisites. The first is the CM configuration from which the run object is created; this topic is discussed in Configuration Object.
The second and inherent prerequisite is a SAM account with the necessary authorizations. If
your account is authorized for the business object type Consistency Maintenance run, you can
execute the utility. See the SAM Enterprise Internal Security Manual for object-specific access
rights.

Interactive Run

SAM Enterprise provides two methods for invoking Consistency Maintenance (CM), an interactive one and a batch function. This section explains how to invoke CM interactively using
standard functions in SAM's graphical user interface (GUI).
Both methods refer to the CM configuration object whose creation is explained in Configuration Object. Remembering the configuration ID given to the business object is a prerequisite,
although the interactive method simplifies the task by providing a selection list in which the
configuration can be easily found.

1 - Configuration Selection

In Step 1 of the interactive invocation, you select a CM configuration to be executed in a new
utility run. This is done in the Utility Configuration Navigation Window:

1. Start the SAM Client.
2. Open a Utility Configuration Navigation Window.
You can use the command Tools -> Utility Configurations from the menu bar.
3. Select a CM configuration that meets the requirements.
You can select a configuration specific to your target system or a configuration that applies
to all aConnect target systems.
4. Double-clicking the selected object opens a Utility Configuration Edit Window displaying
the selected configuration; see next page.

See SAM Enterprise User Manual: Consistency Maintenance in the SAM Enterprise User Manual
for a full description of the involved windows and data panels.

2 - Utility Run Creation


In Step 2 of the interactive invocation, you create a utility run object from the previously
selected utility configuration object. The run object will be the one in which the exact settings
for the utility execution are specified. This is done in the Utility Configuration Edit Window
displaying the selected utility configuration:

1. Create the utility run object.
You can use the command Edit -> New Utility Run from the menu bar.
SAM opens a Utility Run Edit Window in which the new run object is presented, ready
for editing and/or starting.
2. Change the settings according to your requirements.
In particular, if the selected utility configuration applied to more than one target system,
specify the proper target system ID for the execution.

3 - Utility Run Start

In Step 3 of the interactive invocation, you start the previously created utility run object. This
is equivalent to invoking Consistency Maintenance with the settings in the run object. This is
done in the Utility Run Edit Window displaying the created run object:

1. Make sure the settings are as desired for the planned job.
2. Press Start to start the utility run object.
SAM stores the equivalent batch job in the Queue and executes it according to the settings
and conditions.

See SAM Enterprise User Manual: Consistency Maintenance in the SAM Enterprise User Manual
for a full description of the involved windows, panels, and dialog functions.

Batch Run
As an alternative to the interactive method described in Interactive Run, Consistency Maintenance (CM) can be executed with a batch transaction for the Import Interface. This transaction
starts a utility run object that is created from a utility configuration object, which is the same
action as in the interactive run. Proceed as follows to build and submit a batch transaction for
invoking CM:
1. Create an import transaction that refers to an existing CM utility configuration.
The business object ID is SUTL_CM_Template. You must use the operation name start
to start a new CM run. The following listing shows an example in which My-aConnect-TS represents the TS ID of the aConnect target system for which CM should be performed:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE qInput SYSTEM "http://www.betasystems.com/sam/dtd/Import.dtd">
<qInput>
  <businessObject name="SUTL_CM_Template" opName="start">
    <!-- Keys of a CM configuration -->
    <attribute name="BASETAB_SAM_ID2" value="aConnect" />
    <!-- Parameters for a CM run -->
    <!-- Target system type -->
    <attribute name="BASETAB_C_16_01" value="aConnect" />
    <!-- Target system ID -->
    <attribute name="BASETAB_C_08_01" value="My-aConnect-TS" />
  </businessObject>
</qInput>

Note: Due to the special nature of the Start command, a batch run is practically limited
to the settings found in the originating utility configuration. More exactly, the Start
command is limited to changes in the root object of the utility run. So if this run
should be special in any regard, the respective settings and candidate selections must
be made in the configuration. In this sense, the batch method is not quite as flexible
as the interactive method.
Note: In contrast to an interactive start, the batch transaction start supports file transfer
orders that take place after the utility job and deal with job logs and protocols and
their transfer to another destination. See SAM Enterprise Operations Manual: File
Management Functions for a detailed description.
2. Save the file with your import transaction.
3. Call the Import Interface passing the file name. You can use this command:
startSamImport.bat <file> <user id> <password>
<file> stands for the file name or URL of your import transaction. <user id> is a
user ID and <password> the corresponding password. The user must be authorized to
use the Import Interface.

CM Unlock/Restart
The most significant control attribute in a CM utility run is the SAM Enterprise User Manual:
CM Mode, a drop-down combo box that offers three options, representing three operation modes:
- Normal applies to a target system in normal state.
- Restart applies to a target system on which a previous CM job failed.
- Unlock/Stop also applies to a target system on which a previous CM job failed, but in
contrast to Restart, it cancels the job rather than attempting to complete it by running
the tables that did not run in the failed job, starting with the one that caused the failure.
Follow the above link to the field description for more details about the three operation modes.
Note, though, that only the Normal mode must be accompanied by a list of tables: Restart
processes the tables left from the failed job, and Unlock/Stop does not process tables at all.

The aConnect Toolbox


The aConnect Toolbox is the utility collection for SAM aConnect. Depending on the perspective,
the aConnect Toolbox offers three utilities with one function each, or one utility with three
functions. At any rate, the toolbox allows you to
- delete those references to attributes that prevent their deletion
- delete all connections to selected resource groups
- update the activity status of selected entities.
Entity in the third function refers to accounts, groups, resources, and connections between
these types. Updating the activity status applies to business objects with an active time
period defined in fields Valid From and Valid To; running the utility is necessary to let these
time period settings take effect.
Common to all three functions is the support of a statistics mode and an update mode. In
statistics mode, the utility just collects statistics of what would happen in update mode, the
one in which the changes are really performed.
The aConnect Toolbox belongs to the object-based utilities with configuration objects and run
objects. The subsequent pages in this section introduce the three utility functions in more detail
and explain how to configure and execute them.

Deleting Attributes
Attributes in an aConnect system can be connected to nearly every other business object type.
When it comes to the deletion of an attribute, the list of possible references splits into two
categories:
- References from within resources prevent the deletion of the respective attribute: Any
attempt to delete an attribute still referenced from a resource rule entry causes an error
message.
- References from other business object types, e.g. accounts or groups, do not prevent
the deletion; they will be automatically deleted as part of the process which deletes the
respective attribute.

Contrary to what the function title suggests, Delete Attributes only deletes references to the
specified attributes. Furthermore it only deletes those references which prevent the deletion of
the attribute itself. The other references will be automatically deleted as part of the process in
which the attribute itself is deleted. Note: Deleting the attributes themselves is not part of the
function nor of another function in the aConnect Toolbox; this is done manually or in a batch
job.
The utility can be configured for any number of attributes, each of them specified by a separate
entry in the list of dependent objects for the configuration and later for the run object. Assigning
the attributes to be prepared for deletion is a simple task in a dialog session. The assignment
dialog allows you to select first the attribute class and then attributes of this class, or all of
them. This list can still be modified, until the run object for the job is started: This is the time
when all settings are fixed.
Like the other functions, Delete Attributes supports a statistics mode in which the utility
only provides reports of what would have been done, had this job been run in sharp mode, i.e.
update mode. The same reports are also provided from a run which really deletes the references.

Deleting Resource Group Connections


SAM's graphical user interface (GUI) does not allow you to delete a connection between a
resource and a resource group if the resource group in turn is connected to an account or a
group. All you can do in a dialog session is mark the checkbox SAM Enterprise User Manual:
Delete in Batch and afterwards run the aConnect Toolbox.
The Delete Resource Group Connections function in the aConnect Toolbox is the counterpart
for this purpose. It searches for resource group connections marked this way and deletes them
- provided two additional conditions are met:
- the resource group is in the list of relevant groups for this run
- the run is performed in update mode, rather than statistics mode.
If the restriction to the specified list of resource groups is unnecessary and undesired, the checkbox SAM Enterprise User Manual: All Resource Groups can be marked to process all resource
group connections with a deletion mark. Otherwise, the utility is configured for any number of
resource groups, each of them specified by a separate entry in the list of dependent objects for
the configuration and later for the run object.
Assigning the resource groups whose connections should be deleted is a simple task in a dialog
session. The assignment dialog allows you to select first the resource group type and then groups
of this type, or all of them. This list can still be modified, until the run object for the job is
started: This is the time when all settings are fixed.
Like the other functions, Delete Resource Group Connections supports a statistics mode in
which the utility only provides reports of what would have been done, had this job been run in
sharp mode, i.e. update mode. The same reports are also provided from a run which really
performs the deletions.

Updating Activity Status


Most business objects in SAM aConnect support a switch-controlled and time-controlled activity status.
The feature is summarized with the subsequent links referring to aConnect accounts as example:
- The checkbox SAM Enterprise User Manual: Active specifies whether the business object
represents something real or something planned: If the checkbox is marked, the object is,
was, or will be real, whereas an unmarked checkbox identifies a planned object that is ignored in
every regard, including the aConnect Toolbox.
- The fields SAM Enterprise User Manual: Valid From and SAM Enterprise User Manual:
Valid To define the time period during which the business object is active - provided the
above checkbox is marked. Before or after the valid time period, the business object counts
as disabled.
The utility function Updating Activity Status is designed to scan the relevant entities - i.e.,
business object categories - and update them according to the valid time period in relationship
to the current date. Business objects with an unmarked Active checkbox are ignored.
The utility is configured for this function and for the desired list of entities, which includes
accounts, groups, resources, and connections between them. There is one entry per entity,
specifying whether the business objects in this category are attended to or ignored in this run.
Attending to means that the business object
- is enabled, if the time period indicates so and the object was previously disabled
- is disabled, if the time period is over and the object was still enabled
always under the condition that the Active checkbox is marked and that the run is sharp:
Like the other functions, Update Activity Status supports a statistics mode in which the utility
only provides reports of what would have been done, had this job been run in sharp mode,
i.e. update mode. The same reports are also provided from a run which really performs the
updates.
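
The decision rules described above, written out as an added Python model; it is not SAM code and not part of this manual. The class and function names are hypothetical, the sample objects are constructed, and three points are assumptions: an empty Valid From or Valid To means "unbounded", both dates are inclusive, and an enabled object whose period has not started yet is disabled (following "Before or after the valid time period, the business object counts as disabled").

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class BusinessObject:               # hypothetical stand-in for an aConnect business object
    entity: str                     # "account", "group", "resource" or "connection"
    object_id: str
    active: bool                    # the Active checkbox
    valid_from: Optional[date]      # None = no lower bound (assumption)
    valid_to: Optional[date]        # None = no upper bound (assumption)
    enabled: bool                   # state found before the run


def in_valid_period(obj: BusinessObject, today: date) -> bool:
    """True if today lies within Valid From .. Valid To (inclusive, an assumption)."""
    if obj.valid_from is not None and today < obj.valid_from:
        return False
    if obj.valid_to is not None and today > obj.valid_to:
        return False
    return True


def planned_action(obj: BusinessObject, today: date, attended: Set[str]) -> Optional[str]:
    """Return "enable", "disable" or None for one object."""
    if obj.entity not in attended:  # entity is set to Ignore for this run
        return None
    if not obj.active:              # unmarked Active checkbox: planning only, always skipped
        return None
    inside = in_valid_period(obj, today)
    if inside and not obj.enabled:
        return "enable"
    if not inside and obj.enabled:
        return "disable"
    return None                     # state already matches the time period


def run_update_activity_status(objects: List[BusinessObject], today: date,
                               attended: Set[str], update_mode: bool
                               ) -> List[Tuple[str, str, str]]:
    """Produce the report; change the objects only in update mode."""
    report = []
    for obj in objects:
        action = planned_action(obj, today, attended)
        if action is None:
            continue
        report.append((obj.entity, obj.object_id, action))
        if update_mode:             # statistics mode stops at the report
            obj.enabled = action == "enable"
    return report


TODAY = date(2014, 8, 5)
ATTENDED = {"account", "group", "connection"}   # resources are set to Ignore


def sample_objects() -> List[BusinessObject]:
    """Constructed sample data, one object per rule."""
    return [
        BusinessObject("account", "A1", True, date(2014, 8, 1), date(2014, 12, 31), False),
        BusinessObject("account", "A2", True, date(2014, 1, 1), date(2014, 7, 31), True),
        BusinessObject("account", "A3", False, date(2014, 8, 1), None, False),
        BusinessObject("group", "G1", True, date(2014, 9, 1), None, True),
        BusinessObject("resource", "R1", True, None, date(2014, 6, 30), True),
        BusinessObject("connection", "C1", True, None, None, True),
    ]


if __name__ == "__main__":
    objects = sample_objects()
    for mode, label in ((False, "statistics"), (True, "update")):
        print(label, run_update_activity_status(objects, TODAY, ATTENDED, mode))
```

Comparing the statistics report with the expected joiner and leaver list before the sharp run is a cheap review step: every line in the report is an account, group or connection whose access changes.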

Configuring the aConnect Toolbox


Configuring the aConnect Toolbox means performing all preparations so that a toolbox job
which behaves as desired can be started any time. This is done by creating an aConnect Toolbox
configuration object as the prerequisite for creating the desired run object for the job. The
underlying concept is explained in Business Objects for Utility Management.
Unlike other utilities, the aConnect Toolbox offers three different functions, and the desired
function is specified in the dialog box in which a configuration object is created. In other words,
an existing aConnect Toolbox configuration is fixed to the function specified then.
This limitation is necessary because each of the three functions has a different type of dependent
objects: attributes, resource groups, and entities. This is also the aspect where the toolbox starts
to behave like three different utilities.

Configuration Object for Deleting Attributes


Configuring the aConnect Toolbox for the function Deleting Attributes differs from the configuration for other functions in two aspects: the proper function must be selected in the creation
dialog, and the dependent objects represent attributes. In all other regards, the following text
does not differ from the one in the other pages of this sub-section:
An aConnect Toolbox configuration is a business object of the category utility configuration
which refers to the aConnect Toolbox as the utility to be configured. This automatically implies
SAM aConnect as the target system interface and limits the list of assignable target systems to
ACON systems.
In contrast to other utility configurations in SAM, an aConnect Toolbox configuration is created
for a certain function: Once the creation dialog box is closed, this function is fixed and cannot be
altered. To create a new aConnect Toolbox configuration for the function Deleting Attributes,
proceed as follows:
1. Start the SAM Client and open a Utility Configuration Navigation Window.
You can use the command Tools -> Utility Configurations from the menu bar.
2. Open the creation dialog.
You can use the command Edit -> New Utility Configuration from the menu bar.
The dialog starts up with a single field. When you fill in a field and press Next, the
next field is displayed. You must fill in these fields to create a new aConnect Toolbox
configuration:
Utility must contain the value aConnect Toolbox.
Function must contain the value Delete Attributes.
Configuration ID is an arbitrary ID for your configuration.

3. After you have filled in all fields in the dialog box, pressing Next once more opens an
Edit Window with your new aConnect Toolbox configuration. Fill in the fields of the
configuration general data and then deal with the dependants:
4. Expanding General Data in the tree at the left reveals an entry Deleting Attributes
which is initially empty. As explained in more detail in SAM Enterprise User Manual:
Configuration - Delete Attributes, you can add and remove attributes to be deleted by
opening a dialog box in which entire attribute classes or single attributes are selected.

5. Press Submit to submit your changes and save the configuration. These settings - including
the list of dependants - serve as template for run objects; only when starting a run object,
the job settings are really fixed.

Configuration Object for Deleting Resource Group Connections


Configuring the aConnect Toolbox for the function Deleting Resource Group Connections differs from the configuration for other functions in two aspects: the proper function must be
selected in the creation dialog, and the dependent objects represent resource groups. In all
other regards, the following text does not differ from the one in the other pages of this subsection:
An aConnect Toolbox configuration is a business object of the category utility configuration
which refers to the aConnect Toolbox as the utility to be configured. This automatically implies
SAM aConnect as the target system interface and limits the list of assignable target systems to
ACON systems.
In contrast to other utility configurations in SAM, an aConnect Toolbox configuration is created
for a certain function: Once the creation dialog box is closed, this function is fixed and cannot
be altered. To create a new aConnect Toolbox configuration for the function Deleting Resource
Group Connections, proceed as follows:
1. Start the SAM Client and open a Utility Configuration Navigation Window.
You can use the command Tools -> Utility Configurations from the menu bar.
2. Open the creation dialog.
You can use the command Edit -> New Utility Configuration from the menu bar.
The dialog starts up with a single field. When you fill in a field and press Next, the
next field is displayed. You must fill in these fields to create a new aConnect Toolbox
configuration:
Utility must contain the value aConnect Toolbox.
Function must contain the value Delete Resource Group Connections.
Configuration ID is an arbitrary ID for your configuration.

3. After you have filled in all fields in the dialog box, pressing Next once more opens an
Edit Window with your new aConnect Toolbox configuration. Fill in the fields of the
configuration general data and then deal with the dependants:

4. Expanding General Data in the tree at the left reveals an entry Deleting Resource
Group Connections which is initially empty. As explained in more detail in SAM Enterprise User Manual: Configuration - Delete Resource Group Connections, you can add and
remove resource groups to be deleted by opening a dialog box in which entire type sets or
single groups are selected.
5. Press Submit to submit your changes and save the configuration. These settings - including
the list of dependants - serve as template for run objects; only when starting a run object,
the job settings are really fixed.

Configuration Object for Updating Activity Status


Configuring the aConnect Toolbox for the function Updating Activity Status differs from the
configuration for other functions in two aspects: the proper function must be selected in the
creation dialog, and the dependent objects represent entities, i.e. business object categories.
In all other regards, the following text does not differ from the one in the other pages of this
sub-section:
An aConnect Toolbox configuration is a business object of the category utility configuration
which refers to the aConnect Toolbox as the utility to be configured. This automatically implies
SAM aConnect as the target system interface and limits the list of assignable target systems to
ACON systems.
In contrast to other utility configurations in SAM, an aConnect Toolbox configuration is created
for a certain function: Once the creation dialog box is closed, this function is fixed and cannot
be altered. To create a new aConnect Toolbox configuration for the function Updating Activity
Status, proceed as follows:

1. Start the SAM Client and open a Utility Configuration Navigation Window.
You can use the command Tools -> Utility Configurations from the menu bar.
2. Open the creation dialog.
You can use the command Edit -> New Utility Configuration from the menu bar.
The dialog starts up with a single field. When you fill in a field and press Next, the
next field is displayed. You must fill in these fields to create a new aConnect Toolbox
configuration:
Utility must contain the value aConnect Toolbox.
Function must contain the value Update Activity Status.
Configuration ID is an arbitrary ID for your configuration.

3. After you have filled in all fields in the dialog box, pressing Next once more opens an
Edit Window with your new aConnect Toolbox configuration. Fill in the fields of the
configuration general data and then deal with the dependants:
4. Expanding General Data in the tree at the left reveals an entry Updating Activity
Status which, when expanded by itself, reveals the list of entities. This list is fixed, but
the setting for a particular entity can be Attend or Ignore. Go through all entities and
make sure to switch them on or off as desired. This is explained in more detail in SAM
Enterprise User Manual: Configuration - Entity.
5. Press Submit to submit your changes and save the configuration. These settings - including
the list of dependants - serve as template for run objects; only when starting a run object,
the job settings are really fixed.

Executing the aConnect Toolbox


Executing the aConnect Toolbox means creating an aConnect Toolbox run object, which is the representative for the job to be scheduled. You can create a new run object interactively, using the
SAM Client, or in a batch job, using the Import Interface.
If the new run object is created interactively, a job for this run object is automatically stored
in the SAM Queue, where it awaits execution - either as soon as possible or, if you assigned
date and time, at the specified date and time.
If the new run object is created in batch, i.e. with the Start command from the Import
Interface, execution of this command is equivalent to starting the job, so these utility runs do
not have a representation in the SAM Queue.
Prerequisites: Each aConnect Toolbox run object requires an aConnect Toolbox configuration
object. You reference the configuration object during the run object creation.
Another prerequisite for starting new utility runs is an ISEC account with the necessary
authorizations. As a minimum, such an account needs the following:

- the entry points SAM Utility Conf and SAM Utility Run
- view authorization for the business object ACON Acontool Template BO
- insert and change authorization for the business object ACON Acontool Active BO
- authorizations for the access codes used by the two above business objects

If the business object IDs (BO IDs) for the involved objects are required in the course of access
right granting, they can be found in the context menus of these objects in SAM's graphical user
interface (GUI). The documentation of the Import Interface transactions for the configuration
object includes the specification of the BO IDs; the corresponding BO ID for a run object is the
same ID, only with Active instead of Template at the end.

aConnect Toolbox - Interactive Run


SAM Enterprise provides two methods for invoking the aConnect Toolbox, an interactive one
and a batch function. This section explains how to invoke the aConnect Toolbox interactively
using standard functions in SAM's graphical user interface (GUI).
Both methods refer to the aConnect Toolbox configuration object whose creation is explained in
Configuration. Remembering the configuration ID given to the business object is a prerequisite,
although the interactive method simplifies the task by providing a selection list in which the
configuration can be easily found.
1 - Configuration Selection
In Step 1 of the interactive invocation, you select an aConnect Toolbox configuration to be
executed in a new utility run. This is done as follows:
1. Start the SAM Client.
2. Open a Utility Configuration Navigation Window.
You can use the command Tools -> Utility Configurations from the menu bar. The
window may look as follows:


3. Select an aConnect Toolbox configuration that meets the requirements. Note: As the
field Function does not appear as a column in the selection list, you will appreciate
configuration IDs and/or description texts which identify the represented function, as
shown in the above example.
4. Double-clicking the selected object opens a Utility Configuration Edit Window displaying
the selected configuration; see next page.
See SAM Enterprise User Manual: aConnect Toolbox in the SAM Enterprise User Manual for
a full description of the involved windows and data panels.
2 - Utility Run Creation
In Step 2 of the interactive invocation, you create a utility run object from the previously selected
utility configuration object. The run object will be the one in which the exact settings for the
utility execution are specified. This is done as follows:
1. The assumption is that the previously selected aConnect Toolbox configuration is displayed
in a Utility Configuration Edit Window. This window may look as follows:

2. Create the utility run object.
You can use the command Edit -> New Utility Run from the menu bar or the leftmost
icon in the Edit Window Toolbar.
SAM opens a Utility Run Edit Window in which the new run object is presented, ready
for editing and/or starting (see next page).
3. Change the settings according to your requirements. In particular, add or remove dependants (attributes, resource groups) or deactivate dependants (entities) according to the
function to which the run object applies.

3 - Utility Run Start


In Step 3 of the interactive invocation, you start the previously created utility run object. This
is equivalent to invoking the aConnect Toolbox with the settings in the run object, and it is
done as follows:
1. The assumption is that the run object has just been created and is displayed in the Utility
Run Edit Window. The window may look as follows:

2. Make sure the settings are as desired for the planned job: The Start command is the
time when all settings are fixed.
3. Press Start to start the utility run object.
SAM stores the equivalent batch job in the Queue and executes it according to the settings
and conditions.
See SAM Enterprise User Manual: aConnect Toolbox in the SAM Enterprise User Manual for
a full description of the involved windows, panels, and dialog functions.

Batch Run
To execute the aConnect Toolbox in batch mode, you create and submit an aConnect Toolbox
run object using the Import Interface. This is done as follows:

1. Create a file with an import transaction that refers to an existing aConnect Toolbox
configuration. The business object ID is ACON_AconTool_Template_BO. You must use the
operation name start to start a new aConnect Toolbox run. The following listing shows
an example:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE qInput SYSTEM "http://www.betasystems.com/sam/dtd/Import.dtd">
<qInput>
  <businessObject name="ACON_AconTool_Template_BO" opName="start">
    <!-- Keys of a Toolbox configuration -->
    <attribute name="BASETAB-SAM-ID2" value="MyAconToolbox" />
    <!-- Parameters for a Toolbox run -->
    <!-- Target system ID -->
    <attribute name="BASETAB-C-08-01" value="MYACONTS" />
  </businessObject>
</qInput>

Note: Because of the special nature of the Start command, a batch run is practically
limited to the settings found in the originating utility configuration. More exactly,
the Start command is limited to changes in the root object of the utility run. So
if this run should be special in any regard, the respective settings and candidate
selections must be made in the configuration. In this sense, the batch method is not
quite as flexible as the interactive method.
Note: In contrast to an interactive start, the batch transaction start supports file transfer
orders that take place after the utility job and deal with job logs and protocols and
their transfer to another destination. See SAM Enterprise Operations Manual: File
Management Functions for a detailed description.
2. Save the file with your import transaction.
3. Call the Import Interface passing the file name. You can use this command:
startSamImport.bat <file> <user id> <password>
<file> stands for the file name or URL of your import transaction. <user id> is a
user ID and <password> the corresponding password. The user must be authorized to
use the Import Interface.
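
Both Batch Run procedures (for CM and for the aConnect Toolbox) start from a hand-written start transaction. The following added Python example, which is not part of SAM or of this manual, generates such a transaction with correctly escaped attribute values and runs a local pre-flight check before the file is handed to startSamImport.bat. The function names are hypothetical, the business object and attribute names are those of the toolbox listing above, and the check does not replace the validation done by the Import Interface.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

DOCTYPE = '<!DOCTYPE qInput SYSTEM "http://www.betasystems.com/sam/dtd/Import.dtd">'
# Attribute names as they appear in the toolbox listing of this manual.
TOOLBOX_KEYS = ["BASETAB-SAM-ID2", "BASETAB-C-08-01"]


def build_start_transaction(bo_name, attributes):
    """Return a start transaction as ISO-8859-1 bytes.

    attributes is an ordered list of (name, value) pairs. quoteattr() escapes
    &, <, > and quotes; characters outside ISO-8859-1 become character references.
    """
    lines = [
        '<?xml version="1.0" encoding="ISO-8859-1" ?>',
        DOCTYPE,
        "<qInput>",
        '  <businessObject name=%s opName="start">' % quoteattr(bo_name),
    ]
    for name, value in attributes:
        lines.append("    <attribute name=%s value=%s />"
                     % (quoteattr(name), quoteattr(value)))
    lines += ["  </businessObject>", "</qInput>", ""]
    return "\n".join(lines).encode("iso-8859-1", "xmlcharrefreplace")


def toolbox_start(config_id, ts_id):
    """Start transaction for an aConnect Toolbox run, as in the listing above."""
    return build_start_transaction(
        "ACON_AconTool_Template_BO",
        [("BASETAB-SAM-ID2", config_id), ("BASETAB-C-08-01", ts_id)],
    )


def attribute_values(data):
    """Parse a transaction and return {name: value} of its first businessObject."""
    bo = ET.fromstring(data).find("businessObject")
    return {a.get("name"): a.get("value") for a in bo.findall("attribute")}


def check_transaction(data, required_attributes):
    """Local pre-flight check; returns a list of problems (empty list = none found)."""
    try:
        root = ET.fromstring(data)      # the external DTD is not fetched
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != "qInput":
        problems.append("root element is <%s>, expected <qInput>" % root.tag)
    objects = root.findall("businessObject")
    if not objects:
        problems.append("no <businessObject> element")
    for bo in objects:
        label = bo.get("name") or "(unnamed businessObject)"
        if not bo.get("name"):
            problems.append("businessObject without a name")
        if bo.get("opName") != "start":
            problems.append("%s: opName is %r, expected 'start'"
                            % (label, bo.get("opName")))
        seen = {}
        for attr in bo.findall("attribute"):
            name, value = attr.get("name"), attr.get("value")
            if name is None or value is None:
                problems.append("%s: <attribute> needs both name and value" % label)
            elif name in seen:
                problems.append("%s: attribute %s given twice" % (label, name))
            else:
                seen[name] = value
        for name in required_attributes:
            if not seen.get(name, "").strip():
                problems.append("%s: required attribute %s missing or empty"
                                % (label, name))
    return problems


if __name__ == "__main__":
    # Values from the manual's listing; the file name is a constructed example.
    data = toolbox_start("MyAconToolbox", "MYACONTS")
    issues = check_transaction(data, TOOLBOX_KEYS)
    if issues:
        raise SystemExit("\n".join(issues))
    with open("toolbox_start.xml", "wb") as handle:
        handle.write(data)
```

Because startSamImport.bat takes the password as a command-line argument, the value can end up in process listings, scheduler job definitions and command-line audit logs. Run batch imports under a dedicated account limited to the authorizations the transaction needs, and keep the password out of checked-in scripts.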
