Академический Документы
Профессиональный Документы
Культура Документы
This PDF document contains hyperlinks referring to other PDF documents in the SAM Enterprise
user documentation set. In order for these hyperlinks to work, all PDF documents about SAM must be
located in the same directory (i.e., folder), and this directory must be the current one when invoking the
PDF viewer (e.g., Adobe Acrobat Reader.) If the viewer is invoked with a link, the Working Directory
or Execute In option in the link properties must be set to this directory.
Contents
About This Manual
Overview . . . . . . . . .
Intended Readers . . . . .
Abbreviations . . . . . . .
Trademarks . . . . . . . .
SAM Enterprise Manuals
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
9
10
10
11
11
12
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
17
17
18
20
21
21
22
23
24
26
26
27
27
29
30
33
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
34
34
50
51
52
53
53
54
55
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Attributes . . . . . . . . . . .
Attribute Values . . . . . . .
Resource Group Connections . . . .
General Data . . . . . . . . .
Authorization . . . . . . . . .
Automatic Attribute Assignments .
Groups . . . . . . . . . . . . . . . . . . . . .
General Data . . . . . . . . . . . . .
Forbidden Groups . . . . . . . . . .
Attributes . . . . . . . . . . . . . . .
Attribute Values . . . . . . . . . . .
Resource Group Connections . . . .
General Data . . . . . . . . .
Authorization . . . . . . . . .
Automatic Attribute Assignments .
Access Resources . . . . . . . . . . . . . . .
General Data . . . . . . . . . . . . .
Rules . . . . . . . . . . . . . . . . .
Rule Attributes . . . . . . . . . . . .
Rule Attribute Values . . . . . . . .
Access Resource Group Connections
General Data . . . . . . . . .
Rule Attributes and their Values . .
Object Resources . . . . . . . . . . . . . . .
General Data . . . . . . . . . . . . .
Rules . . . . . . . . . . . . . . . . .
Rule Attributes . . . . . . . . . . . .
Rule Attribute Values . . . . . . . .
Object Resource Group Connections
General Data . . . . . . . . .
Rule Attributes and their Values . .
Access Resource Groups . . . . . . . . . . .
General Data . . . . . . . . . . . . .
Forbidden Groups . . . . . . . . . .
Object Resource Groups . . . . . . . . . . .
General Data . . . . . . . . . . . . .
Forbidden Groups . . . . . . . . . .
Target Systems . . . . . . . . . . . . . . . .
aConnect Data . . . . . . . . . . . .
Classes . . . . . . . . . . . . . . . .
Class Attributes . . . . . . . . . . .
Class Attribute Values . . . . . . . .
Class Attribute References . . . . .
3
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
55
56
56
58
58
59
59
61
61
62
63
63
65
65
66
66
67
68
68
69
70
71
71
73
74
74
75
76
76
77
78
79
81
81
83
84
85
86
87
88
88
89
89
Allowed Classes . . . . . . . . . . . .
Class Attributes and their Values . .
Role-Based Objects . . . . . . . . . . . . . . . . .
Roles . . . . . . . . . . . . . . . . . . . . . .
Group Connections . . . . . . . . . .
General Data . . . . . . . . .
Generic Group Connections . . . . .
General Data . . . . . . . . .
Joker Group Connections . . . . . .
General Data . . . . . . . . .
Generic Joker Group Connections .
General Data . . . . . . . . .
Templates . . . . . . . . . . . . . . . . . . . . . .
Account Templates . . . . . . . . . . . . . .
General Data . . . . . . . . . . . . .
Attributes . . . . . . . . . . . . . . .
Attribute Values . . . . . . . . . . .
Group Connections . . . . . . . . . .
General Data . . . . . . . . .
Attributes . . . . . . . . . . .
Attribute Values . . . . . . .
Resource Group Connections . . . .
General Data . . . . . . . . .
Authorizations . . . . . . . .
Group Templates . . . . . . . . . . . . . . .
General Data . . . . . . . . . . . . .
Forbidden Groups . . . . . . . . . .
Attributes . . . . . . . . . . . . . . .
Attribute Values . . . . . . . . . . .
Resource Group Connections . . . .
General Data . . . . . . . . .
Authorizations . . . . . . . .
Access Resource Templates . . . . . . . . .
General Data . . . . . . . . . . . . .
Rules . . . . . . . . . . . . . . . . .
Rule Attributes . . . . . . . . . . . .
Rule Attribute Values . . . . . . . .
Access Resource Group Connections
General Data . . . . . . . . .
Object Resource Templates . . . . . . . . .
General Data . . . . . . . . . . . . .
Rules . . . . . . . . . . . . . . . . .
Rule Attributes . . . . . . . . . . . .
4
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
90
91
93
93
93
94
94
96
96
97
97
97
98
99
101
101
102
102
104
104
104
105
106
107
107
109
109
110
110
111
112
113
113
115
115
116
116
117
118
118
120
120
121
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
121
122
123
123
124
125
126
127
127
128
129
130
130
130
131
131
132
132
132
133
133
134
134
135
135
135
136
136
137
137
138
138
139
139
139
140
141
141
141
141
142
142
143
Forbidden Group . . . . .
Object Resource Group Defaults
General Data . . . . . . .
Forbidden Group . . . . .
Target System Defaults . . . . .
aConnect Data . . . . . .
Class . . . . . . . . . . . .
Class Attribute . . . . . .
Class Attribute Value . .
Class Attribute Reference
Allowed Class . . . . . . .
Other . . . . . . . . . . . . . . . . . .
Help Desk Account . . . . . . . .
Configuration
1 - Installation and License . . .
2 - Administrator ID . . . . . . .
3 - Target System Defaults . . .
4 - Target System Creation . . .
5 - Target System Settings . . . .
6 - Target System aConnect Data
7 - Target System Enabling . . .
8 - Account Defaults . . . . . . .
9 - Group Defaults . . . . . . . .
10 - Resource Defaults . . . . . .
11 - Resource Group Defaults . .
12 - Security Data Takeover . . .
13 - Database Optimization . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
aConnect Agent
Prerequisites . . . . . . . . . . . . .
Character Sets and Code Conversion
Configuration . . . . . . . . . . . . .
1 - TOM . . . . . . . . . . . . .
2 - Remote Courier . . . . . . .
3 - Socket Daemon . . . . . . .
4 - Master Courier . . . . . . .
5 - Testing the Connection . . .
6 - Target System Settings . . .
Socket Daemon . . . . . . . . . . . .
SDINI File . . . . . . . . . . .
MsgINI File . . . . . . . . . . .
Start-Up . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
143
144
145
145
145
146
146
146
147
147
147
148
148
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
149
149
149
149
150
150
151
152
153
154
154
155
155
155
.
.
.
.
.
.
.
.
.
.
.
.
.
157
158
158
160
160
160
161
161
162
163
164
164
166
168
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
6
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Shut-Down . . . . . . .
Operator Commands . .
Remote Courier . . . . . . . .
RCINI File . . . . . . .
MsgINI File . . . . . . .
Start-Up . . . . . . . . .
Shut-Down . . . . . . .
Operator Commands . .
TOM . . . . . . . . . . . . .
TOM Configuration . .
TOM User . . . . . . . .
TOM Exit Conventions
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Initial Load
Consistency Maintenance
Repair Rules . . . . . . . . . . . . . . .
Rule Actions . . . . . . . . . . . .
Rule Hierarchies . . . . . . . . . .
Type-Specific Repair Rules . . . .
Type Support for aConnect . . . .
Restrictions and Recommendations . . .
Tables List . . . . . . . . . . . . . . . .
Configuring Consistency Maintenance .
Configuration Object . . . . . . . .
Executing Consistency Maintenance . .
Interactive Run . . . . . . . . . . .
1 - Configuration Selection
2 - Utility Run Creation . .
3 - Utility Run Start . . . .
Batch Run . . . . . . . . . . . . . .
CM Unlock/Restart . . . . . . . .
168
168
169
169
169
172
172
172
172
173
173
173
174
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
aConnect Toolbox
Deleting Attributes . . . . . . . . . . . . . .
Deleting Resource Group Connections . . .
Updating Activity Status . . . . . . . . . .
Configuration . . . . . . . . . . . . . . . . .
Deleting Attributes . . . . . . . . . . .
Deleting Resource Group Connections
Updating Activity Status . . . . . . .
Execution . . . . . . . . . . . . . . . . . . .
Interactive Run . . . . . . . . . . . . .
1 - Configuration Selection . .
7
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
175
176
177
178
179
181
181
182
185
186
187
187
187
188
189
190
191
.
.
.
.
.
.
.
.
.
.
193
193
194
195
195
196
197
198
199
200
200
Overview
This manual documents SAM aConnect, the component in SAM Enterprise that provides support for application-specific security administering in applications in which access rights depend
on objects, their attributes, and the processes in which these objects are involved. This information is provided in the following chapters after the introduction About This Manual:
aConnect and SAM
Introduces the concept of application-specific security administration based on objects, processes, and their attributes.
aConnect Business Objects Describes the business objects provided by SAM aConnect.
Configuration
Initial Load
Consistency Maintenance Describes the utility to restore the consistency between SAMs image of a target system and the actual target system data.
aConnect Toolbox
Intended Readers
The SAM Enterprise aConnect Manual addresses system administrators and DBAs - those people
who are involved in the configuration and systems management.
If you are not yet familiar with SAMs online documentation, the following remarks are helpful:
10
This manual is a highly integrated online book, meaning that any word or passage which
refers to another page is presented as a hyperlink. Clicking the color-marked text takes
you to the referenced page.
Independently from these hyperlinks, the pages are ordered one after another, as in any
other book. You can go forward and backward using the appropriate buttons. You can
also return to the previously displayed pages.
A detailed explanation of the available browsing functions is provided in the section Reading Online Books.
We welcome your input regarding the content or style of this manual. Please direct your comments, suggestions, or questions to SAM Customer Support or any other SAM representative.
Abbreviations
The following list explains the abbreviations used in SAM and the SAM manuals. Abbreviations
that are specific to other applications are not included here. Where applicable, the glossary
includes definitions for product-specific terms and abbreviations.
BO
Business Object
CM
Consistency Maintenance
IL
Initial Load
MC
Master Courier
RC
Remote Courier
ToC
TOM
TS
TSI
Table of Contents
Target System Operation Module
Target System
Target System Interface
Trademarks
It is hereby confirmed that the various product names, concepts, and other proprietary terms
which are mentioned in this publication may be trademarks or registered trademarks of their
respective owners.
11
Workflow.
SAM Enterprise Workflow Manual
SAM Enterprise Business Process Workflow User Manual Documents SAM Business Process
Workflow, an independent application with an interface to SAM Enterprise.
SAM Workflow.
SAM Enterprise Browser Client Manual
SAM Enterprise Reporting Manual Describes the SAM Reporting System. The manual addresses security administrators and auditors who need reports about the security data in
SAM.
components.
SAM Enterprise Installation Manual
12
SAM Enterprise Configuration Manual The system administrators manual for configuring
SAM Enterprise. This book covers all configuration options in SAM, from switch settings in
dialog boxes up to a complete customer-specific target system interface.
SAM Enterprise Configuration Manual
SAM Enterprise Operations Manual The system administrators manual for running SAM
Enterprise. This book includes documentation for utilities, system component start-up and
shutdown, and similar system operator tasks.
nent in SAM Enterprise that provides services for automated data processing based on rules.
SAM Enterprise Rule Engine Manual
SAM Enterprise Business Object Reference Documents details and structures in SAMs en-
terprise data level, which includes the business object types independent of any particular
access control system. This book supplements the general information found in the SAM
Enterprise Operations Manual.
SAM Enterprise Business Object Reference
SAM Enterprise Operations Manual
SAM Enterprise Internal Security Manual Documents details and structures in SAMs own
security system, which is organized like any other target system interface. This book supplements the general information found in the SAM Enterprise Operations Manual.
SAM Enterprise BPW Manual Documents BPW-specific details and structures as imple-
mented in the SAM BPW Interface. This book supplements the general information found
in the SAM Enterprise Operations Manual.
SAM Enterprise BPW Manual
SAM Enterprise Operations Manual
SAM Enterprise DB2 Manual Documents DB2-specific details and structures as implemented
in the SAM DB2 Interface. This book supplements the general information found in the SAM
Enterprise Operations Manual.
SAM Enterprise DB2 Manual
SAM Enterprise Operations Manual
SAM Enterprise eConnect Manual Documents LDAP-specific details and structures as im-
plemented in SAM eConnect. This book supplements the general information found in the
SAM Enterprise Operations Manual.
SAM Enterprise eConnect Manual
SAM Enterprise Operations Manual
SAM Enterprise HP-UX Manual Documents HP-UX-specific details and structures as imple-
mented in the SAM HP-UX Interface. This book supplements the general information found
in the SAM Enterprise Operations Manual.
SAM Enterprise HP-UX Manual
SAM Enterprise Operations Manual
SAM Enterprise Lotus Domino Manual Documents Lotus Domino-specific details and struc-
tures as implemented in the SAM Lotus Domino Interface. This book supplements the
general information found in the SAM Enterprise Operations Manual.
SAM Enterprise Lotus Domino Manual
SAM Enterprise Operations Manual
SAM Enterprise mConnect Manual Documents the methods, features, and structures of SAM
mConnect, SAMs target system interface without a specific reference system and therefore
without standard import/export functions. This book supplements the general information
found in the SAM Enterprise Operations Manual.
SAM Enterprise mConnect Manual
SAM Enterprise Operations Manual
SAM Enterprise NetWare Manual Documents NetWare-specific details and structures as implemented in the SAM NetWare Interface. This book supplements the general information
found in the SAM Enterprise Operations Manual.
SAM Enterprise Oracle Manual Documents Oracle-specific details and structures as imple-
mented in the SAM Oracle Interface. This book supplements the general information found
in the SAM Enterprise Operations Manual.
SAM Enterprise Oracle Manual
SAM Enterprise Operations Manual
SAM Enterprise OS/400 Manual Documents OS/400-specific details and structures as implemented in the SAM OS/400 Interface. This book supplements the general information
found in the SAM Enterprise Operations Manual.
mented in the SAM RACF Interface. This book supplements the general information found
in the SAM Enterprise Operations Manual.
SAM Enterprise RACF Manual
SAM Enterprise Operations Manual
SAM Enterprise SAP Manual Documents SAP R/3-specific details and structures as implemented in the SAM SAP Interface. This book supplements the general information found in
the SAM Enterprise Operations Manual.
mented in the SAM Solaris Interface. This book supplements the general information found
in the SAM Enterprise Operations Manual.
SAM Enterprise Solaris Manual
SAM Enterprise Operations Manual
SAM Enterprise Tivoli Access Manager Manual Documents Tivoli Access Manager-specific
details and structures as implemented in the SAM Tivoli Access Manager Interface. This
book supplements the general information found in the SAM Enterprise Operations Manual.
implemented in the SAM Top Secret Interface. This book supplements the general information found in the SAM Enterprise Operations Manual.
SAM Enterprise Top Secret Manual
SAM Enterprise Operations Manual
15
SAM Enterprise TSO Manual Documents TSO-specific details and structures as implemented
in the SAM TSO Interface. This book supplements the general information found in the SAM
Enterprise Operations Manual.
SAM Enterprise TSO Manual
SAM Enterprise Operations Manual
SAM Enterprise uConnect Manual Documents the methods, features, and structures of SAM
uConnect, the development kit and prototype for quickly creating a target system interface
with standard structures and objects (accounts, groups, target systems). This book supplements the general information found in the SAM Enterprise Operations Manual and in the
SAM Enterprise Configuration Manual.
tures as implemented in the SAM Windows 2000 Interface. This book supplements the general information found in the SAM Enterprise Operations Manual.
SAM Enterprise Windows 2000 Manual
SAM Enterprise Operations Manual
16
SAM aConnect and the aConnect Agent provide the security definitions and store them
in an administration layer. The structure of this administration layer is fixed.
17
= The administration layer is not necessarily stored at the same platform as the application itself.
The customer needs a transformation process to connect the administration layer with
the application. It is beyond the scope of SAM aConnect and this manual to describe
how the transformation integrates the data and/or the function.
Where required, the internal security for the administration layer can be provided with the
LDAP feature Access Control List (ACL). Defining the required ACLs and incorporating
the transformation process as well as the aConnect Agent are configuration tasks when
integrating the security administration for an application in SAM Enterprise.
SAM aConnect itself does not define any ACL, nor does it offer specific support for their
definition.
The colors in the above diagram indicate which functionality is part of SAM aConnect and
which components are the customers responsibility.
Administration Layer
As a generic target system interface, SAM aConnect must include functions to define the security
concept and to design the entity types with a maximum of flexibility. The administration layer
represents the basic architecture that appears in an aConnect target system, similar to the system
architecture in other target system interfaces. The logical structure of the administration layer
is as follows:
18
The details of these entity types are explained on the subsequent pages. The highlights of this
architecture can be summarized as follows:
The relationship between users and groups is as expected. Users are connected to groups in
order to receive access rights. These relationships might be referred to as memberships.
For users, groups, and the memberships between them, a data space is available that can be
configured entirely. These data spaces consist of data attributes whose values can influence
access rights.
Process spaces represent processes, transactions, or generally any function that provides access
toward data objects in any access mode. The rules and their conditions define the details
which together create a profile that can be matched by any number of real-world application
functions.
Similarly, object spaces represent data objects of any kind and with any inherent complexity.
The rules and their conditions define the details which together create a profile that can be
matched by any number of real-world data objects.
19
Users or groups receive authorizations only toward pairs of resource spaces, consisting of one
process space and one object space. However, this model can be simplified by establishing an
all-qualifier for the process side or an all-qualifier for the object side.
Configuration stands for those objects which together might be called the dictionary of an
application system. In particular, this dictionary includes all attributes that may occur in
any data space, including their valid values.
Users
Users are represented in the administration layer in a straight-forward fashion, at least regarding
their identification. For user authentication, however, the design of SAM aConnect provides a
generic concept, as is illustrated in the following typical examples of access right conditions:
Imagine a corporation - bank, insurance company, etc. - that deals with contracts of any
kind. A typical access right condition in contract applications might be all contracts for
the same branch.
Similarly, a typical exclusion condition might be any contract (for the same branch), as
long as the contractor or client is not identical with the accessing administrator.
The concept that covers these and other demands uses attributes and attribute values. More
exactly, it uses attribute assignments, because attributes are defined in a central dictionary:
Users can have attributes in order to represent access-relevant information. With reference
to the above examples, users would have an attribute BRANCH and an attribute NAME.
Note: The values of certain attributes, e.g. NAME, might also appear as values somewhere
in the fixed data structure for users.
The assigned attributes must be defined in the system-wide dictionary of all attributes. For
SAM aConnect and its administration layer, this means that the attribute must be defined
in any of the resource classes of the respective target system.
Note: To cover requests beyond the scope of any resource, SAM aConnect supports classes
that are independent of resources.
User attributes can be referenced from placeholders that appear in authorizations instead
of fixed values. For example, the first of the above conditions can be expressed as CONTRACT.BRANCH = USER.BRANCH.
Note: User attributes might also be used to establish system-wide authorities. For example, in
order to establish the equivalent of SAMs own super administrator - a status that implies all
access rights - a user in the administration layer would need an additional attribute, perhaps
called STATUS, in which a value SUPER ADMIN occurs that is referenced from global
authorizations.
20
Groups
Groups in the administration layer play the same role as in any other access control organization. Groups act as containers for access rights that can be granted to users by establishing a
connection between user and group. So far, SAM aConnect behaves very much like any other
target system interface.
The first special aspect is the demand for a data space similar to that of users. The solution in
SAM aConnect is to use the same mechanisms for attributes and values as in the user organization. For example, with an attribute BRANCH, a group can be as branch-specific as any user,
and a branch-related condition in an authorization would refer to this attribute for both users
and groups.
The second special aspect is the demand for a data space even for user connections to groups.
This is covered by the same mechanism with attributes and values as is used for users and for
groups. The result is an increased flexibility, so that the same user can appear under different
roles or functions in different groups.
The final aspect is the concept of mutually exclusive conditions. For example, a standard
principle might be specified as follows: For any particular data object (e.g., contract), the
administrator cannot be identical with the approver or auditor. Assuming that access rights for
administration and access rights for approval or auditing are granted through different groups,
this principle leads to the condition that those groups are mutually exclusive. A common term
for this functionality is separation of duties.
SAM aConnect supports the concept by providing data entries to express the mutually exclusive
status between groups. This status takes effect when attempting to connect a user to both
groups.
Memberships
Memberships in the administration layer of SAM aConnect play the same role as in any other
access control organization. Memberships - or connections - represent the assignment of a user
to a group. The membership provides the user with access rights. In this, SAM aConnect does
not differ significantly from any other target system interface.
The first special aspect is the demand for a data space even for the memberships of users in
groups. This is covered by the same mechanism with attributes and values that is already used
for users and groups. The result is an increased flexibility, so that the same user can appear
under different roles or functions in different groups.
The second special aspect is the concept of mutually exclusive memberships. For example, a
standard principle might be specified as follows: For any particular data object (e.g., contract),
the administrator cannot be identical with the approver or auditor. Assuming that access
rights for administration and access rights for approval or auditing are granted through different
groups, this principle leads to the condition that these groups are mutually exclusive.
SAM aConnect supports the concept by providing data entries to express the mutually exclusive
status between groups. This status takes effect when attempting to connect a user to both
21
groups.
Process Spaces
In modern application systems, it is nearly impossible to define resources as single, isolated
objects that can be fully separated from other resources for the purpose of granting access
rights. Consequently, SAM aConnect does not pursue this approach. Instead, SAM aConnect
defines rules and rule sets which together create resource profiles. A particular resource is any
event or object or function or combination of the above, provided it matches the set of rules
that are bound together in a logical AND.
As a first step to structure the amorphous mass of resource profiles, SAM aConnect distinguishes between processes and objects. The full extent of this distinction is explained in
Authorizations. For the current discussion, it is sufficient to say that processes can be programs, procedures, transactions, or any other element type with the characteristics of an access
path or access function toward any kind of data.
The second structuring step is the definition of classes. From the perspective of SAM aConnect,
a process class is a category or container. How the class concept is actually implemented is
entirely up to the customer.
A particular process space in a particular class can still be quite complex. The following illustration presents an example in which the space spans three dimensions: transaction, letter, and
value:
The first condition states that the involved transaction must belong to the group 0815. In
numbers, this is equivalent to the range 081500 - 081599. In the diagram, the transactions
represent the vertical dimension.
The next condition states that the involved data keys must be in the letter range F - J. In
the diagram, the letters represent the horizontal dimension.
The third condition states that the involved value (e.g., contract value) cannot exceed 500.
In the diagram, the values represent the transversal dimension.
22
These conditions are combined with a logical AND. SAM aConnect establishes a hierarchy of
conditions, rules, resources, and resource groups as follows:
Rules, which are combined in a logical OR, together form a resource, here an access
resource.
Resources are put into resource groups for the purpose of granting access rights and
according to factors that are specific to the application system. A significant aspect in
the grouping of resources is that the conditions of mutual exclusion, which take effect
in authorizations toward users and groups, are implemented as dependants of resource
groups.
Object Spaces
Object spaces can be described briefly as follows: An object space is the object equivalent to
a process space, while all structural conditions and elements are the same. Together with the
knowledge that object resources represent data objects of any kind, the definition is complete.
The subsequent text provides a more detailed definition.
In modern application systems, it is nearly impossible to define resources as single, isolated
objects that can be fully separated from other resources for the purpose of access rights granting.
Consequently, SAM aConnect does not pursue this approach. Instead, SAM aConnect defines
rules and rule sets which together create resource profiles. A particular resource is any event
or object or function or combination of the above, provided it matches the set of rules that are
bound together in a logical AND.
As a first step to structure the amorphous mass of resource profiles, SAM aConnect distinguishes
between processes and objects. The full extent of this distinction is explained in Authorizations. For the current discussion, it is sufficient to say that objects can be any type of data
element with the characteristics of an information that is manipulated through access functions.
The second structuring step is the definition of classes. From the perspective of SAM aConnect,
an object class is a category or container. How the class concept is actually implemented is
entirely up to the customer.
A particular object space in a particular class can still be quite complex. The following illustration presents an example in which the space spans three dimensions: account numbers, account
types, and account categories:
23
The first condition states that the involved account numbers must be in the range 471100 471199. In the diagram, the account numbers represent the vertical dimension.
The next condition states that the account main type must be S, with the sub-type range
I to IV. In the diagram, the types represent the horizontal dimension.
The third condition states that the account must be a private account, not a business account.
In the diagram, the category represents the transversal dimension.
As it turns out, this example creates a plane rather than a space in the conventional, threedimensional sense. However, the term object space must be understood in an abstract or
mathematical sense, in which even a one-dimensional object like a line represents a space.
These conditions are combined with a logical AND. SAM aConnect establishes a hierarchy of
conditions, rules, resources, and resource groups as follows:
Conditions, which are combined in a logical AND, together form a rule.
Rules, which are combined in a logical OR, together form a resource, here an object
resource.
Resources are put into resource groups for the purpose of granting access rights and
according to factors that are specific to the application system. A significant aspect in
the grouping of resources is that the conditions of mutual exclusion, which take effect
in authorizations toward users and groups, are implemented as dependants of resource
groups.
Authorizations
Authorizations in the administration layer of SAM aConnect are relationships between three
involved objects:
24
There is one object at the accessing side. As in other target system interfaces, this can be
an account representing a user, a group as the standard case, or a user policy as SAMs
object for role-based access control.
There are two objects at the accessed side, which always appear as pairs: one object
represents processes and the other one represents objects.
SAM aConnect uses resource groups as the objects for the accessed side. There is one access
resource group representing processes and one object resource group representing objects. The
resources in these groups create a matrix that is illustrated in the following diagram:
Initially, the matrix is empty. This means that the authorization framework, which combines
a particular account or group with a particular access resource group and a particular object
resource group, is empty in the sense that this relationship alone does not provide any access.
An element in the matrix represents a combination of an access resource, representing a process
or more generally an access function, with an object resource, representing an accessible item
(account, contract, data record, etc.).
Each matrix element can be administered individually, meaning that this particular authorization can be granted or not. SAM aConnect only supports positive authorizations, implying
that anything that is not explicitly allowed in the application system is forbidden.
In order to prevent combinations that do not make sense, SAM aConnect establishes definitions
of allowed classes for each resource class. These definitions make clear which access classes can
be paired with which object classes in authorizations. Obviously, this aspect is significant in the
organization of resource classes.
The opposite of allowed classes are forbidden classes. However, these class-to-class relationships
stay within the same category, Access or Object, and refer to the authorized users or groups,
rather than to the pairings. For example, if the object classes A and B are mutually exclusive,
the effect is that any user or group with an access right toward a resource in the class A cannot
receive an access right for a resource in the class B.
25
Configuration
The previous pages mention all configuration objects that occur in the administration layer of
SAM aConnect, each of them in its own context. The following list summarizes the configuration
objects, which are all implemented as dependants of the target system:
The main configuration elements are the classes, which must belong to one of the three
categories Access, Object, or Target System. While these classes could be interpreted as
resource classes, the third category can be understood as Other and represents things that
are not directly related to resources.
The next configuration element are the attributes, which must belong to any of the classes
as explained above. Attributes have attribute values and attribute references: While
a value defines a fixed value or value range, an attribute reference is a placeholder toward
a certain attribute (value) of an accessing object (user or group). These references are the
basis for the specification of dynamic value-dependent conditions such as administrator and
contract must belong to the same branch.
Finally, there are the allowed classes, which also appear as dependants of classes. Allowed
classes specify how certain access classes can be paired with certain object classes in authorizations. For example, these definitions prevent the accidental pairing of life insurances
(object side) with transactions that apply to car insurances (access side).
Object Status
SAM aConnect supports a status concept for its business objects. This concept is much more
detailed in SAM than in the administration layer, e.g. in an LDAP directory. The status is
administered and converted to LDAP conventions as follows:
SAM maintains three fields in the Status group of the respective business objects. These
fields are Active, Valid From, and Valid To.
Active is a switch that can be set ON or OFF. Switching it off is equivalent to temporarily
disabling the business object.
Valid From and Valid To are dates. As the names indicate, they define a period in which
the business object is valid, and periods before and/or after in which the business object is
known but invalid. If these dates are left empty, the business object is valid as long as its
definition exists - unless it is temporarily disabled as explained above.
The LDAP directory only knows a switch Active-internal, which can be ON or OFF. SAM
determines the switch setting from the above fields as follows:
Active-internal is ON under the following conditions, which all must be met:
Active is ON
26
Account
Group
Group connection
Access resource
Object resource
Resource group connection (authorization)
Attributes (target system class attributes)
Assignable Status
In addition to the general status of a business object, SAM aConnect supports an assignable
status that determines whether a business object can be assigned to other objects:
The Assignable switch can have the values ON and OFF. Only if the value is ON, the
respective business object can appear in connections.
The switch is supported for the following business objects:
Group
Access resource
Object resource
Access resource group
Object resource group
Attributes (target system class attributes)
Functional Support
SAM aConnect supports security administration for application systems with value-specific and
dynamically changing access rights as follows:
An application system can be defined as a target system in SAM.
The administration of users is supported. Application users, which are mapped to aConnect
accounts in SAM, can be created, modified, and deleted. This support also extends to any
kind of user attribute that may be involved in the evaluation of access rights.
27
The administration of groups or any other type of container for the purpose of providing
access rights is supported. Such groups, which are mapped to aConnect groups in SAM,
can be created, modified, and deleted. This support also extends to any kind of user attribute
that may be involved in the evaluation of access rights.
The administration of user memberships in groups is supported. Such memberships, which
are mapped to aConnect group connections (account) in SAM, can be created, modified,
and deleted. This support also extends to any kind of membership attribute that may be
involved in the evaluation of access rights. Membership attributes can be independent from
corresponding attributes of the involved user or the involved group.
The administration of mutually exclusive conditions for groups or memberships in them is
supported. Such conditions, which are mapped to aConnect group forbidden groups, can
be created, modified, and deleted. In all these cases of entirely symmetrical relationships,
SAM aConnect automatically maintains the counterpart definition for the other group.
The administration of process spaces is supported. Such profiles, which are mapped to
aConnect access resources, can be created, modified, and deleted. This support includes the
definition of rules to determine the exact boundaries of the process spaces, and the definition
of conditions which together create the rules.
The administration of object spaces is supported. Such profiles, which are mapped to
aConnect object resources, can be created, modified, and deleted. This support includes the
definition of rules to determine the exact boundaries of the object spaces, and the definition
of conditions which together create the rules.
For the proper support of access rights and mutually exclusive conditions among process
spaces and object spaces, a container concept is supported for both of them. Such containers,
which are mapped to
aConnect access resource groups for process spaces
aConnect object resource groups for object spaces
can be created, modified, and deleted. This support includes the definition of mutually
exclusive conditions between resource groups of the same type. Such conditions are mapped
to
aConnect access resource groups forbidden groups for process spaces
aConnect object resource groups forbidden groups for object spaces
The administration of authorizations for users or groups toward pairs of process spaces and
object spaces is supported. Such authorizations, which are mapped to aConnect resource
group connections, can be created, modifed, and deleted. This support includes the definition
of access right details for every combination of process and object that may occur in such an
access rights matrix.
Furthermore, for each category of process space and object space, it is possible to define the
valid combinations. This, in turn, renders all other combinations invalid. Such relationships
28
are mapped to the configuration data which appears as dependants of the aConnect target
systems.
The configuration of an administration layer is supported by additional objects that are
implemented as dependants of aConnect target systems. This includes the following:
Rules and their conditions for process spaces are mapped to SAM business objects of the types
aConnect access resource rules, aConnect access resource rule attributes, and aConnect
access resource rule attribute values.
Conditions of mutual exclusions between process spaces - more exactly, between authorizations
that involve these process spaces - are mapped to SAM business objects of the type aConnect
access resource group forbidden groups.
Object spaces are mapped to SAM business objects of the types aConnect object resources,
aConnect object resource groups, and aConnect object resource group connection (resource)
Rules and their conditions for object spaces are mapped to SAM business objects of the types
aConnect object resource rules, aConnect object resource rule attributes, and aConnect
object resource rule attribute values.
Conditions of mutual exclusions between object spaces - more exactly, between authorizations
that involve these object spaces - are mapped to SAM business objects of the type aConnect
object resource group forbidden groups.
Valid relationships between process spaces and object spaces for the purpose of pairing in
authorizations are mapped to SAM business objects of the type aConnect target system
allowed classes, which in turn are dependants of the class definitions for process spaces and
object spaces.
Authorizations of users toward process and object spaces are mapped to SAM business objects
of the type aConnect resource group connection (account).
Authorizations of groups toward process and object spaces are mapped to SAM business
objects of the type aConnect resource group connection (group).
Dictionary entries for attributes and their values are mapped to SAM business objects of the
types aConnect target system class attributes and aConnect target system class attribute
values.
Placeholders for the purpose of dynamic, value-related access rights evaluation are mapped
to SAM business objects of the types aConnect target system class attribute references.
The following example illustrates what the above components do and how they interact. Assume
that an administrator wants to create a new aConnect account for a user.
The administrator starts a SAM Client. SAMs graphical user interface (GUI) is presented and a communication line to the SAM Business Server is established:
The administrator opens a User Navigation Window. The SAM Client responds by
requesting a user list from the SAM Business Server. The data is fetched from the SAM
database and sent back to the SAM Client:
This data flow stays the same as long as the administrator only selects objects for viewing:
31
SAM processes the update job. It inserts the account data into the SAM database and calls
the Master Courier to implement it in the application that is represented as an aConnect
targets system. The Master Courier relays the update job to the proper application
platform, where it is received by an Agent. The Agent updates the application database.
As a result, the new account exists in SAM and in the application.
The processing steps for update jobs are always the same:
SAM updates the target system image in the SAM database.
An Agent executes the update in the target system.
The communication chain for target system updates is: Engine -> Master Courier ->
Agent.
The successful completion of an update job requires that both parts be implemented without errors. The SAM database must always be consistent with the application database.
Otherwise, the job is cancelled and the administrator receives an error message.
32
The above scenario does not mention Consistency Maintenance. This batch utility is not
involved in regular security administration. It serves the following purpose:
Consistency Maintenance compares SAMs image of the application and the actual application data, more exactly the administration layer. The utility finds inconsistencies and
can repair the administration layer.
Key Conversion
SAM aConnect does not neet any particular key conversion because the administration layer and
the image data share the same key design. However, the following aspect is worth mentioning
in this context:
SAM aConnect creates artificial keys for all attribute values and for the authorization matrix in
resource group connections.
33
Objects List
This section lists the business object of SAM aConnect, in the order in which they are documented in more detail in the subsequent sections. See Legend for an explanation of the entry
lines and hyperlinks per business object.
34
Logic: A reference definition of the owning attribute within the owning class
BO ID:ACON TargetSystem Active Class Attr Ref
BO Links:Logic Panel Import ACONTSCR
aConnect Target System Allowed Classes
BO Links:Logic
Panel
Import
ACONUS
42
BO Links:Logic
Panel
Import
ACONRSRA
49
Normal Objects
A business object in SAM Enterprise is called normal if it does not belong to any of the special
object categories. A normal object is one of the objects that exist in the system for which
security administration is performed using SAM. Normal objects can be defined as follows:
50
Normal objects are not role-based objects, which are used to perform role-based access
control (RBAC).
Normal objects are not templates, which are customer-defined prototypes and blueprints
for creating normal objects.
Normal objects are not defaults objects, which are the manufacturer-provided prototypes
for creating objects when no template is available or specified.
Normal objects are not special, technical, or service objects, such as Help Desk accounts
- the account version used for Help Desk services.
aConnect Accounts
The business object aConnect account represents a user in the application that is represented
as an aConnect target system. The diagram below shows the relationships between aConnect
accounts and other business objects.
In SAM terminology, accounts are image objects because they mirror the data structures in a
specific type of target system. SAM uses the following business objects to represent aConnect
accounts:
aConnect account general data
aConnect account attribute
51
In SAM terminology, group connections are image objects because they mirror the data structures in a specific type of target system. SAM uses the following data objects to represent
aConnect group connections for accounts:
aConnect account general data
aConnect account attribute
aConnect account attribute value
Such connections have relationships to two other necessary objects: an aConnect account and
an aConnect group. Both must exist before the group connection can be created.
The relationship between accounts and groups in SAM is nearly symmetrical. A connection can
be created from both sides. The connection counts as property of both the account and the group.
This is expressed in SAMs graphical user interface (GUI) by presenting group connections for
accounts as dependants of both the account and the group. There is one difference between the
two perspectives. While deleting an account automatically deletes all of its group connections,
a group can only be deleted if it has no account connections. The presence of at least one such
connection prevents deletion. In this sense, aConnect does not differ from other target system
interfaces in SAM.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group connection:
54
that are defined in the target system. See Automatic Attribute Assignments for a detailed
discussion of this topic.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account)
for a summary of functions for creating, modifying, and deleting such business objects and their
dependent data. For aConnect group connection (account) attributes, the functions listed under
Multiple Dependants are applicable with the restrictions as explained above.
aConnect Group Connections (Account) Attribute Values The business object aConnect group connection (account) attribute value defines the owning group connections value for
the owning attribute. If the attribute is defined with a value range or a list of valid values, the
value here must meet this condition.
If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to a group connection must hold at least one attribute value.
It depends on the attribute definition whether a group connection can have more than one value
for the same attribute assignment.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account)
for a summary of functions for creating, modifying, and deleting such business objects and
their dependent data. For aConnect group connection (account) attribute values, the functions
listed under Single Dependants or those listed under Multiple Dependants can be applicable,
depending on the attribute nature.
In SAM terminology, the business object aConnect resource group connection (account)
represents a triple connection between an aConnect account, an aConnect access resource group,
and an aConnect object resource group. In the terminology of the represented application, this
is equivalent to a users access matrix that involves certain access resources for the access method
and certain object resources for the accessed data. The diagram below shows the relationships
between aConnect resource group connections for accounts and other business objects.
56
In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. SAM uses the following data objects to represent
aConnect resource group connections for accounts:
aConnect account general data
aConnect account authorization
aConnect resource group connections for accounts have relationships to the three necessary
objects that are already indicated by the name: an aConnect account, an aConnect access
resource group, and an aConnect object resource group. All three of them must exist before the
connection can be created.
The relationship between accounts and resource groups in SAM is asymmetrical. This is because
at the resource group side there must always be a pair with one resource group of either type,
access and object. However, despite this asymmetrical nature, SAMs graphical user interface
(GUI) presents such connections as dependants for each of the three involved business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect accounts assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect groups assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
57
Other details of the authorized access methods are expressed in the resources themselves, more
specifically in their rules. Rules may refer to attributes of the accessing group, the accessing
account, or the group connection through which an account can use a groups access rights.
For any particular pair of access resource and object resource, a resource group connection can
have just one authorization. A resource group connection can have any number of authorizations,
up to a completely filled access matrix as the maximum.
58
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account) for a summary of functions for creating, modifying, and deleting such business objects
and their dependent data. For aConnect resource group connection (account) authorizations,
the functions listed under Multiple Dependants are applicable.
The attribute definition in the target system data can contain references; see Class Attribute
References.
If the reference entity is Account, the respective attribute is assigned for each new account
at the time of creation.
The above description applies to aConnect account attributes. The same is true for aConnect
group connection (account) attributes, except that here the reference entity must be Group
connection (account).
aConnect Groups
The business object aConnect group represents a container for access rights in the application
that is administered as an aConnect target system. The diagram below shows the relationships
between aConnect groups and other business objects.
59
Group Connection The box Group Connection stands for four different object types. The
aConnect
aConnect
aConnect
aConnect
group
group
group
group
general data
forbidden group
attribute
attribute value
aConnect groups have a mandatory relationship to a business object at enterprise level: Each
aConnect group belongs to a aConnect target system - the one in which it holds certain access
rights that can be granted further.
In order to receive access rights that can be granted further, aConnect groups can have the
following relationships to business objects at image level:
60
Assume that there is a group APP-A that grants the necessary access rights for Approval
A, and another group APP-B that grants the necessary access rights for Approval B.
To establish the rule, the group APP-A needs a forbidden group entry for APP-B, and vice
versa the group APP-B needs one for APP-A.
= Forbidden group entries are symmetrical by definition. SAM aConnect reflects this by
automatically creating the counterpart. For example, when you create the entry under
APP-A that forbids APP-B, SAM aConnect automatically adds the entry under APPB that forbids APP-A.
Assume an account has a group connection toward APP-A. This connection provides the
owning user with the necessary access rights to perform the first approval. When attempting
to provide a connection to the group APP-B, SAM aConnect refuses the creation with
reference to this forbidden group entry.
A forbidden group is a group-to-group relationship. A group can have any number of forbidden
groups, provided that the other group is defined in the same target system, and all entries refer
to different groups.
See SAM Enterprise Business Object Reference: Administering Groups for a summary of functions for creating, modifying, and deleting such objects and their dependent data. For aConnect
group forbidden groups, the functions listed under Multiple Dependants are applicable.
aConnect Group Attributes
The business object aConnect group attribute defines an attribute assignment for the owning
group. A group can have any number of attributes assigned, as long as these assignments meet
the following conditions:
The attribute can cover any purpose. Typically, a group attribute defines access-relevant
information. For example, an attribute Limit might specify the maximum transaction value
up to which a particular user is authorized as far as these access rights are inherited from a
membership in that group.
It is only possible to assign attributes that are defined in the target system. This means that
the same attribute must be defined in any of the classes of the target system.
A particular attribute, which is defined by its attribute ID and by the class to which it
belongs, can be assigned only once. Additional variations can be specified only at attribute
value level.
Under the two above conditions, it is possible to manually assign any attribute that is defined
in the target system and appears in the selection list for the assignable attributes. However,
in a well configured target system, important group attributes are assigned automatically
when creating the group. This effect is achieved through attribute references that are defined
62
in the target system. See Automatic Attribute Assignments for a detailed discussion of this
topic.
See SAM Enterprise Business Object Reference: Administering Groups for a summary of functions for creating, modifying, and deleting such objects and their dependent data. For aConnect
group attributes, the functions listed under Multiple Dependants are applicable with the restrictions as explained above.
In SAM terminology, resource group connections are image object because they mirror the data
structures in a specific type of target system. SAM uses the following objects to represent
aConnect resource group connections for groups:
aConnect resource group connection (group) general data
aConnect resource group connection (group) authorization
aConnect resource group connections for groups have relationships to the three necessary objects
that are already indicated by the name: an aConnect group, an aConnect access resource group,
and an aConnect object resource group. All three of them must exist before the connection can
be created.
The relationship between groups and resource groups in SAM is asymmetrical. This is because
at the resource group side there must always be a pair with one resource group of either type,
access and object. However, despite this asymmetrical nature, SAMs graphical user interface
(GUI) presents such connections as dependants for each of the three involved business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect accounts assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect groups assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
64
Other details of the authorized access methods are expressed in the resources themselves, more
specifically in their rules. Rules may refer to attributes of the accessing group, the accessing
account, or the group connection through which an account can use a groups access rights.
For any particular pair of access resource and object resource, a resource group connection can
have just one authorization. This provided, a resource group connection can have any number
of authorizations, up to a completely filled access matrix as the maximum.
65
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group) for a summary of functions for creating, modifying, and deleting such business objects
and their dependent data. For aConnect resource group connection (group) authorizations, the
functions listed under Multiple Dependants are applicable.
Automatic Attribute Assignments
When creating a group, it is possible to automatically assign certain attribute independently
from, and in addition to, the attributes that are defined in a template that was used for the
creation:
The attribute definition in the target system data can contain references; see Class Attribute
References.
If the reference entity is Group, the respective attribute is assigned for each new group at
the time of creation.
66
In SAM terminology, access resources are image objects because they mirror the data structures
in a specific type of target system. SAM uses the following business objects to represent aConnect
access resources:
aConnect
aConnect
aConnect
aConnect
access
access
access
access
resource
resource
resource
resource
general data
rule
rule attribute
rule attribute value
An aConnect access resource has relationships to one enterprise object and one image object.
Each access resource belongs to a target system - the one in which it provides a function to
access data. This relationship is always given.
In addition to this implicit relationship, an access resource can have relationships to access
resource groups with the eventual purpose of being accessed (i.e., used) by group members or
directly by accounts. However, before this can take place, the access resource group must be
coupled with an object resource group, and both together must appear in a resource group
connection for an account or group. In contrast, direct authorizations toward access resources
alone are not supported by SAM aConnect.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource:
aConnect access resource
A representative for data access functions in an aConnect target system.
aConnect access resource template
A customer-specific prototype for creating aConnect access resources
aConnect access resource defaults
The manufacturer-provided default prototype for creating aConnect access resources.
aConnect Access Resource General Data
The business object aConnect access resource general data is the main object of an access resource
in an aConnect target system. It contains general information about the resource, such as the
resource class, the resource ID, the access code, etc.
An aConnect access resource must belong to a class for access resources. This means that the
class that is specified when creating the access resource must be found in the list of aConnect
target system classes, and must have the type Access.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting resources. These functions apply to aConnect
access resources as described.
67
For each of its rules, an access resource can have any number of attributes assigned, as long as
these assignments meet the following conditions:
Each attribute reflects an elementary condition within the owning rule, which is defined by
the sum of all conditions combined in a logical AND. This implies that a useful rule cannot
combine attribute conditions that are mutually exclusive in a logical sense.
It is only possible to assign attributes that are defined in the target system and in the same
class to which the owning access resource belongs.
A particular attribute can be assigned only once. A real-world condition in which the same
attribute occurs several times in a logical OR combination is reflected either with several values
under the rule attribute or with several rules, each of them containing the same attribute once.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect access resource rule attributes, the functions listed under Multiple Dependants are
applicable.
aConnect Access Resource Rule Attribute Values
The business object aConnect access resource rule attribute value defines a value constraint
for the owning attribute within the owning rule of the owning access resource. The following
example illustrates how this third level of dependency is used:
Assume an access resource is supposed to represent the profile any transaction in the
CLK17* category, as long as the transaction value does not exceed 10.000.
The access resource needs one rule to represent this profile, because the elementary conditions
within a rule are combined in a logical AND.
This rule needs two rule attributes, one for the transaction category and one for the maximum
value. Note: A rule attribute also defines the comparison operator that is applied toward
the values.
Each of the two rule attributes have one attribute value. The value for the first attribute would
be CLK17*, and the value for the second attribute would be 10.000 or 10.001, depending on
which comparison operator is used, LESS THAN or LESS THAN OR EQUAL.
If the switch Valid Values Mandatory is set for the owning rule attribute, the value here
must also match any of the valid value definitions for the attribute. Otherwise, the valid value
definitions represent suggestions, and any other value is valid as well.
Each rule attribute needs at least one rule attribute value. Whether multiple values are allowed
depends on the operator (and perhaps also on the attribute). Multiple values are only meaningful
with the EQUAL operator to express alternatives that are combined in a logical OR.
69
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect access resource rule attribute values, the functions listed under Single Dependants
or those listed under Multiple Dependants can apply, depending on the implicit condition.
aConnect Access Resource Group Connections (Access Resource)
The business object aConnect access resource group connection represents a connection
between an aConnect access resource and an aConnect access resource group. Such connections
are a prerequisite for granting access of any kind toward access resources, because accounts
and groups can only have access rights toward resource groups. The diagram below shows the
relationships between aConnect access resource group connections and other business objects.
In SAM terminology, resource group connections are image object because they mirror the data
structures in a specific type of target system. aConnect access resource group connections have
no dependent objects. They have relationships to two other necessary objects: an aConnect
access resource and an aConnect access resource group. Both must exist before the connection
can be created.
The relationship between resources and resource groups in SAM aConnect is nearly symmetrical.
A connection can be created from both sides. The connection counts as property of both the
resource and the resource group. This is expressed in SAMs graphical user interface (GUI) by
presenting resource group connections for resources as dependants of both the resource and the
resource group.
There is one difference between the two perspectives. While deleting a resource automatically
deletes all of its resource group connections, a resource group can only be deleted if it has no
resource connections. The presence of at least one such connection prevents deletion. In this
sense, SAM aConnect does not differ from other target system interfaces in SAM, as far as they
support resources and resource groups.
Similarly, a resource group connection can be deleted in a dialog session (i.e., in SAMs graphical
user interface) only if there is no authorization matrix (in an accounts or a groups resource
group connection) in which the respective resource is involved. This restriction is specific to SAM
aConnect, which handles the two types of resources and resource groups differently. However,
it is possible to mark the connections to be deleted in the next run of a batch utility for this
purpose. The utility will consistently delete the connection as well as all related authorizations.
70
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group connection:
aConnect access resource group connection
An aConnect access resources assignment to a resource group.
aConnect access resource group connection template
A customer-specific prototype for creating aConnect access resource group connections.
aConnect access resource group connection defaults
The manufacturer-provided default prototype for creating aConnect access resource group
connections.
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Access Resource Group Connections (Access Resource) General Data
An aConnect access resource group connection for a resource consists of one part. This item
contains general data about the connection.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such business objects. These functions apply to
aConnect access resource group connections for resources as described.
Rule Attributes and their Values
The following text summarizes the relationships between rule attributes, class attributes, their
values, and their defaults. This summary is necessary because in this topic several business
object types and dependants play together, each of which is documented with its own purpose
in focus.
Rules are dependants of access resources and object resources, for which they represent conditions determining how the respective resource can exist. The rule itself is just a framework
or container; only the attributes of a rule determine the left-side operands of the condition,
and and only the values of an attribute determine the right-side operands.
Attributes exist as basic attribute definition in an attribute pool, implemented as dependants
of the aConnect target system. Any attribute assigned to any business object - the resources
mentioned above as well as accounts and groups - must first be defined in this pool.
Attributes in the pool belong to a certain class. This class membership determines to which
resources an attribute can be assigned as dependant of a rule: A resource of the class X can
only have attributes of the same class assigned under its rules, while the rules themselves are
classless.
71
Attributes in the pool also have value/value range entries which determine the values and
value ranges valid for an assigned attribute, i.e. for a dependant of a rule in a resource.
Attributes in the pool finally have two switches, which are the key factors in the playingtogether of rules, attributes, and values. In SAMs graphical user interface (GUI), these
switches are of course checkboxes:
The checkbox SAM Enterprise User Manual: Attribute Mandatory in Resource determines
whether the attribute is automatically assigned to every rule of any resource in the same
class as the attribute: If the checkbox is marked, each rule created for a resource in the same
class automatically receives this attribute as an assignment.
If the checkbox is unmarked, the attribute can still be assigned, but then as an explicit
administrator action, rather than an automatic function.
The checkbox SAM Enterprise User Manual: Valid Values Mandatory has a basic effect and
an implicit effect: A marked checkbox specifies that this attribute can only have values within
the boundaries expressed by the value/range definitions in the attribute pool. This is the basic
effect.
An attribute with this checkbox unmarked can be set to any value, and value/range entries
in the pool represent just suggestions or plannings but no constraints.
The implicit effect is that, when automatically assigning the attribute to a rule in a resource,
a valid value/range must be set; otherwise the automatic assignment would violate the value
constraint in the attribute definition. The default value/range used for this situation is part
of the attribute definition and stored in the three fields
Default Operator
Default From Value
Default To Value
In the rule of the resource, the automatically assigned attribute is a child object of the rule,
and the automatically assigned valid value/range is a child object of the attribute assignment,
i.e. a grandchild object of the rule. The above three fields correspond to the following fields
in the aConnext <type> resource rule attribute value objects:
Operator
Value From
Value To
It should be obvious that the default values in the attribute definition must match the value
constraints in the same definition.
When clearing a previously set checkbox Valid Values Mandatory, neither the three default
fields nor the dependent value/range specifications are deleted, but from this moment on they
are unused - until the checkbox is marked again.
72
In SAM terminology, object resources are image objects because they mirror the data structures
in a specific type of target system. SAM uses the following business objects to represent aConnect
object resources:
aConnect
aConnect
aConnect
aConnect
object
object
object
object
resource
resource
resource
resource
general data
rule
rule attribute
rule attribute value
An aConnect object resource has relationships to one enterprise object and one image object.
Each object resource belongs to a target system - the one in which it represents real-world data.
This relationship is always given.
In addition to this implicit relationship, an object resource can have relationships to object
resource groups with the eventual purpose of being accessed by group members or directly by
accounts. However, before this can take place, the object resource group must be coupled with
73
an access resource group, and both together must appear in a resource group connection for
an account or group. In contrast, direct authorizations toward object resources alone are not
supported by SAM aConnect.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource:
aConnect object resource
A representative for accessible objects in an aConnect target system.
aConnect object resource template
A customer-specific prototype for creating aConnect object resources
aConnect object resource defaults
The manufacturer-provided default prototype for creating aConnect object resources.
aConnect Object Resource General Data
The business object aConnect object resource general data is the main object of an object resource
in an aConnect target system. It contains general information about the resource, such as the
resource class, the resource ID, the access code, etc.
An aConnect object resource must belong to a class for object resources. This means that the
class that is specified when creating the object resource must be found in the list of aConnect
target system classes, and must have the type Object.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting resources. These functions apply to aConnect
object resources as described.
aConnect Object Resource Rules
The business object aConnect object resource rule defines a set of conditions for the owning object
resource. This can always be understood as an access restriction. Depending on the nature of
the represented documents, it may also be understood as a resource-defining condition. The
following details clarify how to distinguish between real-world documents and object resources
at one side and the various levels of conditions at the other side:
A particular object resource is hardly ever equivalent to one specific data object. In an
environment in which unconditional access rights can be granted for specific documents and
files, SAM aConnect is rarely required.
Instead, the object resource defines an object profile, and any document that meets this profile
under given circumstances can be a valid real-world equivalent. For example, such a profile
might be specified as any contract in the Real Estate category, as long as the contract value
does not exceed 250.000.
74
A rule is a set of conditions that are combined in a logical AND. The above profile can be
reflected in one rule. This rule would contain two attributes, one for the document category
and one for the contract value. The condition operator for the first attribute would be =
and that for the second would be <. The value for the first attribute would be Real Estate
and that for the second would be 250.000 (or 250.001, to be most accurate with the LESS
operator).
The same object resource might contain several rules. Each of them represents another
condition set, and these sets are combined in a logical OR. Whether several independent
condition sets are reflected in one resource with several rules or in several resources with one
rule for each of them is a matter of taste and of additional environment conditions.
A rule with its attributes, their comparison operators and values is always both a defining
condition for the resource and an access restriction that establishes an upper limit for any
access right that might be granted toward the resource through resource group connections.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect object resource rules, the functions listed under Multiple Dependants are applicable.
aConnect Object Resource Rule Attributes
The business object aConnect object resource rule attribute defines a single condition within the
owning rule by specifying the following:
the involved attribute and
the comparison operator for the condition
For each of its rules, an object resource can have any number of attributes assigned, as long as
these assignments meet the following conditions:
Each attribute reflects an elementary condition within the owning rule, which is defined by
the sum of all conditions combined in a logical AND. This implies that a useful rule cannot
combine attribute conditions that are mutually exclusive in a logical sense.
It is only possible to assign attributes that are defined in the target system and in the same
class to which the owning object resource belongs.
A particular attribute can be assigned only once. A real-world condition in which the same
attribute occurs several times in a logical OR combination is reflected either with several values
under the rule attribute or with several rules, each of them containing the same attribute once.
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect object resource rule attributes, the functions listed under Multiple Dependants are
applicable.
75
76
In SAM terminology, resource group connections are image object because they mirror the data
structures in a specific type of target system. aConnect object resource group connections have
no dependent objects. They have relationships to two other necessary objects: an aConnect
object resource and an aConnect object resource group. Both must exist before the connection
can be created.
The relationship between resources and resource groups in SAM aConnect is nearly symmetrical.
A connection can be created from both sides. The connection counts as property of both the
resource and the resource group. This is expressed in SAMs graphical user interface (GUI) by
presenting resource group connections for resources as dependants of both the resource and the
resource group.
There is one difference between the two perspectives. While deleting a resource automatically
deletes all of its resource group connections, a resource group can only be deleted if it has no
resource connections. The presence of at least one such connection prevents deletion. In this
sense, SAM aConnect does not differ from other target system interfaces in SAM, as far as they
support resources and resource groups.
Similarly, a resource group connection can be deleted in a dialog session (i.e., in SAMs graphical
user interface) only if there is no authorization matrix (in an accounts or a groups resource
group connection) in which the respective resource is involved. This restriction is specific to SAM
aConnect, which handles the two types of resources and resource groups differently. However,
it is possible to mark the connections to be deleted in the next run of a batch utility for this
purpose. The utility will consistently delete the connection as well as all related authorizations.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group connection:
aConnect object resource group connection
An aConnect object resources assignment to a resource group.
aConnect object resource group connection template
A customer-specific prototype for creating aConnect object resource group connections.
aConnect object resource group connection defaults
The manufacturer-provided default prototype for creating aConnect object resource group
connections.
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
General Data An aConnect object resource group connection for a resource consists of one
part. This item contains general data about the connection.
77
See SAM Enterprise Business Object Reference: Administering Resources for a summary of
functions for creating, modifying, and deleting such business objects. These functions apply to
aConnect object resource group connections for resources as described.
Rule Attributes and their Values
The following text summarizes the relationships between rule attributes, class attributes, their
values, and their defaults. This summary is necessary because in this topic several business
object types and dependants play together, each of which is documented with its own purpose
in focus.
Rules are dependants of access resources and object resources, for which they represent conditions determining how the respective resource can exist. The rule itself is just a framework
or container; only the attributes of a rule determine the left-side operands of the condition,
and and only the values of an attribute determine the right-side operands.
Attributes exist as basic attribute definition in an attribute pool, implemented as dependants
of the aConnect target system. Any attribute assigned to any business object - the resources
mentioned above as well as accounts and groups - must first be defined in this pool.
Attributes in the pool belong to a certain class. This class membership determines to which
resources an attribute can be assigned as dependant of a rule: A resource of the class X can
only have attributes of the same class assigned under its rules, while the rules themselves are
classless.
Attributes in the pool also have value/value range entries which determine the values and
value ranges valid for an assigned attribute, i.e. for a dependant of a rule in a resource.
Attributes in the pool finally have two switches, which are the key factors in the playingtogether of rules, attributes, and values. In SAMs graphical user interface (GUI), these
switches are of course checkboxes:
The checkbox SAM Enterprise User Manual: Attribute Mandatory in Resource determines
whether the attribute is automatically assigned to every rule of any resource in the same
class as the attribute: If the checkbox is marked, each rule created for a resource in the same
class automatically receives this attribute as an assignment.
If the checkbox is unmarked, the attribute can still be assigned, but then as an explicit
administrator action, rather than an automatic function.
The checkbox SAM Enterprise User Manual: Valid Values Mandatory has a basic effect and
an implicit effect: A marked checkbox specifies that this attribute can only have values within
the boundaries expressed by the value/range definitions in the attribute pool. This is the basic
effect.
An attribute with this checkbox unmarked can be set to any value, and value/range entries
in the pool represent just suggestions or plannings but no constraints.
78
The implicit effect is that, when automatically assigning the attribute to a rule in a resource,
a valid value/range must be set; otherwise the automatic assignment would violate the value
constraint in the attribute definition. The default value/range used for this situation is part
of the attribute definition and stored in the three fields
Default Operator
Default From Value
Default To Value
In the rule of the resource, the automatically assigned attribute is a child object of the rule,
and the automatically assigned valid value/range is a child object of the attribute assignment,
i.e. a grandchild object of the rule. The above three fields correspond to the following fields
in the aConnext <type> resource rule attribute value objects:
Operator
Value From
Value To
It should be obvious that the default values in the attribute definition must match the value
constraints in the same definition.
When clearing a previously set checkbox Valid Values Mandatory, neither the three default
fields nor the dependent value/range specifications are deleted, but from this moment on they
are unused - until the checkbox is marked again.
Resource Group Connection The box Resource Group Connection stands for five different
object types. The hyperlinks below lead to the respective descriptions:
The first partner is the aConnect access resource group itself. It provides the access functions
involved in the access operations.
The second partner is an aConnect object resource group. It provides the data objects
involved in the access operations.
The third partner is the access-requesting object. This can be any of the following:
-
aConnect
aConnect
aConnect
aConnect
account
account template
group
template
The third partner determines and completes the name for this business object. For example, if an
account is the third partner, the business object is called resource group connection (account).
Such an object can be created with any of the three objects as the starting point. The process
is always the same, only the pre-defined entry in the dialog box varies depending on from where
the dialog was invoked.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group:
aConnect access resource group
A container for aConnect access resources.
aConnect access resource group template
A customer-specific prototype for creating aConnect access resource groups.
aConnect access resource group defaults
The manufacturer-provided default prototype for creating aConnect access resource groups.
aConnect Access Resource Group General Data
The business object aConnect access resource group general data is the main object of an access
resource group in an aConnect target system. It contains general information about the group,
such as the group ID, the access code, etc.
See SAM Enterprise Business Object Reference: Administering Resource Groups for a summary
of functions for creating, modifying, and deleting such business objects. These functions apply
to aConnect access resource groups as described.
aConnect Access Resource Group Forbidden Groups
The business object aConnect access resource group forbidden group defines a condition of mutual
exclusion that applies to resource group connections for accounts or groups in which the owning
resource group is involved. The following example illustrates what this means:
81
Assume that a rule in an enterprise specifies that someone with administrative access rights
toward a category of contracts cannot also have auditing or approving access rights, and vice
versa.
Assume there is one access resource group ADM that provides the functions for contract
administration, and there is another access resource group AUD that provides the functions
for auditing. Assume also that the contracts are represented in an object resource group
CON.
To establish the rule, the group ADM needs a forbidden group entry for AUD, and the
group AUD needs a forbidden group entry for ADM.
= Forbidden group entries are symmetrical by definition. SAM aConnect reflects this by
automatically creating the counterpart. For example, when you create the entry under
ADM that forbids AUD, SAM aConnect automatically adds the entry under AUD
that forbids ADM.
Assume that a group has a resource group connection in which ADM is the access partner
and CON is the object partner. This connection provides the necessary access rights to
administer the contracts. Now, when attempting to provide a connection to a pair with
AUD and CON as the partners, SAM aConnect refuses the creation with reference to this
forbidden group entry.
The same happens when attempting to provide a connection for an account which has inherited
the access rights from the ADM/CON connection through a normal group connection.
The forbidden group can only be another access resource group. An access resource group can
have any number of forbidden groups, provided that the other group is defined in the same
target system, and all entries refer to different groups.
= SAM checks mutual exclusions from forbidden groups only when creating resource group
connections for accounts or groups. As a side effect, it would be possible to provide an
account with mutually exclusive resource group connections, simply by using different
group connections.
For the sake of performance, SAM does not prevent this situation via standard checks.
Instead, one of the default reports for SAM aConnect runs a check across all resource
group connections and reports any such case.
See SAM Enterprise Business Object Reference: Administering Resource Groups for a summary
of functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect access resource group forbidden groups, the functions listed under Multiple Dependants are applicable.
82
Resource Group Connection The box Resource Group Connection stands for five different
An aConnect object resource group has relationships to one enterprise object and several image
objects. Each group belongs to a target system - the one in which it acts as a container for
object resources. This relationship is always given.
In order to provide its container services, an object resource group can have relationships to
aConnect object resources. Without them, the resource group would be empty and useless.
In order to provide access to the represented resources, an object resource group can participate
in a triple relationship in which only the access-requesting partner can vary:
The first partner is the aConnect object resource group itself. It provides the data objects
involved in the access operations.
The second partner is an aConnect access resource group. It provides the access functions
involved in the access operations.
The third partner is the access-requesting object. This can be any of the following:
-
aConnect
aConnect
aConnect
aConnect
account
account template
group
template
The third partner determines and completes the name for this business object. For example, if an
account is the third partner, the business object is called resource group connection (account).
Such an object can be created with any of the three objects as the starting point. The process
is always the same, only the pre-defined entry in the dialog box varies depending on from where
the dialog was invoked.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group:
aConnect object resource group
A container for aConnect object resources.
aConnect object resource group template
A customer-specific prototype for creating aConnect object resource groups.
aConnect object resource group defaults
The manufacturer-provided default prototype for creating aConnect object resource groups.
aConnect Object Resource Group General Data
The business object aConnect object resource group general data is the main object of an object
resource group in an aConnect target system. It contains general information about the group,
such as the group ID, the access code, etc.
84
See SAM Enterprise Business Object Reference: Administering Resource Groups for a summary
of functions for creating, modifying, and deleting such business objects. These functions apply
to aConnect object resource groups as described.
aConnect Object Resource Group Forbidden Groups
The business object aConnect object resource group forbidden group defines a condition of mutual
exclusion that applies to resource group connections for accounts or groups in which the owning
resource group is involved. The following example illustrates what this means:
Assume that a rule in an enterprise specifies that someone with administrative access rights
toward one category of contracts cannot also have access rights toward another category.
Assume that there are three contract categories called CA, CB, and CC.
Assume that there is one object resource group for each of the three categories. These resource
groups are called GCA, GCB, and GCC. The access functions for all three categories are
the same and are represented in the access resource group TRAN-CON.
To establish the rule, the group CA needs a forbidden group entry for CB and another one
for CC. The other two groups need their respective entries in return.
= Forbidden group entries are symmetrical by definition. SAM aConnect reflects this by
automatically creating the counterpart. For example, when you create the entry under
GCA that forbids GCB, SAM aConnect automatically adds the entry under GCB
that forbids GCA. Similarly, when you create the entry under GCA that forbids GCC,
SAM aConnect adds the entry under GCC that forbids GCA.
Assume that a group has a resource group connection in which TRAN-CON is the access
partner and GCA is the object partner. This connection provides the necessary access rights
for administering the contracts in the category CA. Now, when attempting to provide a
connection to a pair with TRAN-CON and GCB or GCC as the partners, SAM aConnect
refuses the creation with reference to these forbidden group entries.
The same happens when attempting to provide a connection for an account which has inherited the access rights from the TRAN-CON/GCA connection through a normal group
connection.
The forbidden group can only be another object resource group. An object resource group can
have any number of forbidden groups, provided that the other group is defined in the same
target system, and all entries refer to different groups.
= SAM checks mutual exclusions from forbidden groups only when creating resource group
connections for accounts or groups. As a side effect, it would be possible to provide an
account with mutually exclusive resource group connections, simply by using different
group connections.
85
For the sake of performance, SAM does not prevent this situation via standard checks.
Instead, one of the default reports for SAM aConnect runs a check across all resource
group connections and reports any such case.
See SAM Enterprise Business Object Reference: Administering Resource Groups for a summary
of functions for creating, modifying, and deleting such objects and their dependent data. For
aConnect object resource group forbidden groups, the functions listed under Multiple Dependants are applicable.
86
In SAM terminology, an aConnect target system is an image object and an enterprise object.
The systems image data, which represents the system-specific details, is correlated with the
target system definition at enterprise level. This definition is structurally identical for target
systems of all types. SAM uses the following business objects for the representation of target
systems at enterprise level:
Target
Target
Target
Target
Target
Target
Target
Target
Target
system
system
system
system
system
system
system
system
system
technical data
names
parameters
tables
table type rules
table parameters
fields
field type rules
field parameters
At image level, SAM uses the following objects to represent an aConnect target system:
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
target
target
target
target
target
target
system
system
system
system
system
system
aConnect data
classes
class attributes
class attribute values
class attribute references
allowed classes
A target system has implicit relationships to all image objects that can occur in the system. For
aConnect target systems, this applies to
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
accounts
groups
access resources
object resources
access resource groups
object resource groups
as well as connections between them. The list is further enhanced by the templates and defaults
for the above business objects, as far as they exist.
All target systems can also be elements in a target system set. This business object is one of
SAMs features for role-based access control (RBAC).
aConnect Target System aConnect Data
The business object aConnect target system aConnect data is the main image object of an
aConnect target system. It contains general information about the target system, such as the
TS ID, the access code, etc.
87
As target systems are both enterprise objects and image objects, the aConnect target system
aConnect data is a dependant of the target system technical data. Technical data is the main
object at enterprise level.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary of
functions for creating, modifying, and deleting such objects. These functions apply to aConnect
target systems as described. See also the configuration Step 4 as the task in which a new
aConnect target system is created.
aConnect Target System Classes
The business object aConnect class defines a category that is primarily intended for resources,
but also serves for the categorization of attributes:
Aside from its class ID, the central attribute of an aConnect target system class is its type,
which can be Access, Object, or Target System.
Every aConnect access resource must belong to a class of the type Access. A class of this
type must exist before creating access resources.
Similarly, every aConnect object resource must belong to a class of the type Object. A class
of this type must exist before creating object resources.
Any attribute that is assigned to an account, user policy account, group, or group connection
must be defined in any of the classes for the target system. This implies the request for a
class that is only relevant in the context of attributes but not for resources. Such a class can
be defined under the type Target System, which can also be understood as Other.
Note: SAM only accepts one class of the type Target System. This is because multiple
classes, each of them representing the collecting category Other, would be just confusing.
An aConnect target system can have any number of classes. The above description makes clear
that one class in each type is the realistic minimum in order to support the full spectrum of
features.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system classes, the functions listed under Multiple Dependants are applicable.
aConnect Target System Class Attributes
The business object aConnect class attribute defines an attribute that can occur in resources of
the respective class and in accounts, user policy accounts, groups, or group connections:
A condition for the rule attributes of a resource indicates that the attribute must be defined
in the same class to which the resource belongs. In this regard, the sum of all attributes under
the owning class serves as a look-up table.
88
Note: An attribute reference from a resource prevents the deletion of this attribute. See
the Deleting Attributes function of the aConnect Toolbox for a method to find and remove
such references.
A condition for the attribute assignments of accounts, user policy accounts, groups, and group
connections indicates that the attribute must be defined in any class of any type within the
target system. In this regard, the sum of all attributes across all classes serves as a look-up
table.
Note: An attribute reference from these business object types does not prevent the deletion
of the attribute. Instead, such references are removed as part of the attribute deletion process.
A basic condition for all attributes is that they must be defined in the enterprise-wide
Attribute Pool.
An aConnect target system class can hold any number of attributes. Note that the attribute ID
alone must be unique across the entire target system, even though attribute belong to different
classes.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system class attributes, the functions listed under Multiple Dependants are
applicable.
aConnect Target System Class Attribute Values
The business object aConnect target system attribute value defines a valid value or value range
for the owning attribute - however only within the aConnect target system itself. For SAM,
the only relevant value constraints for an attribute are found in the attribute pool, and the
checkbox SAM Enterprise User Manual: Valid Values Mandatory in the aConnect target system
class attribute determines whether or not they apply to this attribute usage as well.
The conclusion for the values here: An administrator is responsible for keeping the value constraints here synchronous with those in the attribute pool. The presence of an entry here only
means that SAM will transfer this definition to the aConnect target system.
Note also that attribute values are mutually exclusive with attribute references, which represent
placeholders for dynamic value assignment. A particular attribute can have only one of these
two types of dependants.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system class attribute values, the functions listed under Single Dependants or
under Multiple Dependants can apply, depending on the nature of the owning attribute.
aConnect Target System Class Attribute References
The business object aConnect target system attribute reference defines a placeholder instead of
a direct value. It refers to an attribute of an account, user policy account, group, or group
89
connection, and this reference is a specification where the real value can be obtained. Such
references are the basis on which value-specific access rights can be granted, as is illustrated in
the following example:
Imagine an access profile according to which a user is authorized to administer contracts, but
only for the same branch to which the user belongs.
To establish such a profile with aConnect objects, the first prerequisite is that the accounts
have an attribute USER.BRANCH assigned.
The next prerequisite is that the contracts, which appear as object resources of a certain
class, have an attribute CONTRACT.BRANCH assigned. However, this attribute appears
as a condition in a rule, and the condition value is the name of a reference.
The effect is that the rule is checked by resolving the reference first. The condition is met if
both the contract and the accessing user belong to the same branch.
According to the nature of references, an owning attribute can hold just one such entry.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system class attribute references, the functions listed under Single Dependants
are applicable.
aConnect Target System Allowed Classes
The business object aConnect allowed class defines a class of the opposite type - access or
object - with which resources of the owning class can be paired in the access matrix of a
resource group connection for an account, user policy account, or group. These entries are the
basis for the proper coupling of access resources with object resources, as is illustrated in the
following example:
Imagine an insurance company that offers life insurances, real estate insurances, and car
insurances. These three types of contracts are reflected in three different object classes: CLife, C-Estate, and C-Car.
The contracts are administered with a number of transactions. Assume that there is a transaction category General that can apply to contracts of any kind. A category Life applies
only to life insurances, a category Estate only to real estate, and a category Car only to
car insurances.
Consequently, the transactions are reflected in four different object classes: T-General, TLife, T-Estate, and T-Car.
Each of these seven classes needs allowed class entries to make clear which pairings are allowed
in resource group connections for accounts and groups. One example is sufficient:
90
The object class C-Life can be paired with the access classes T-General and T-Life. This
is expressed with two allowed class entries, one for T-General and one for T-Life.
= Allowed class entries are symmetrical by definition. SAM aConnect reflects this by
automatically creating the counterpart. For example, when you create the entry under
C-Life that allows T-General, SAM aConnect automatically adds the entry under
T-General that allows C-Life.
An allowed class is a class-to-class relationship in which the other class must always belong
to the opposite type of access and object. This provided, and provided all entries refer to
different classes, a class can have any number of allowed classes.
= According to the exact naming conventions, these objects must be called aConnect target
system class allowed classes, because they are dependants of the aConnect target system
classes. In this case, however, exactly following the rule would have created a confusing
object title.
See SAM Enterprise Business Object Reference: Administering Target Systems for a summary
of functions for creating, modifying, and deleting such objects and their dependant data. For
aConnect target system allowed classes, the functions listed under Multiple Dependants are
applicable.
Class Attributes and their Values
The following text summarizes the relationships between rule attributes, class attributes, their
values, and their defaults. This summary is necessary because in this topic several business
object types and dependants play together, each of which is documented with its own purpose
in focus.
Rules are dependants of access resources and object resources, for which they represent conditions determining how the respective resource can exist. The rule itself is just a framework
or container; only the attributes of a rule determine the left-side operands of the condition,
and and only the values of an attribute determine the right-side operands.
Attributes exist as basic attribute definition in an attribute pool, implemented as dependants
of the aConnect target system. Any attribute assigned to any business object - the resources
mentioned above as well as accounts and groups - must first be defined in this pool.
Attributes in the pool belong to a certain class. This class membership determines to which
resources an attribute can be assigned as dependant of a rule: A resource of the class X can
only have attributes of the same class assigned under its rules, while the rules themselves are
classless.
Attributes in the pool also have value/value range entries which determine the values and
value ranges valid for an assigned attribute, i.e. for a dependant of a rule in a resource.
91
Attributes in the pool finally have two switches, which are the key factors in the playingtogether of rules, attributes, and values. In SAMs graphical user interface (GUI), these
switches are of course checkboxes:
The checkbox SAM Enterprise User Manual: Attribute Mandatory in Resource determines
whether the attribute is automatically assigned to every rule of any resource in the same
class as the attribute: If the checkbox is marked, each rule created for a resource in the same
class automatically receives this attribute as an assignment.
If the checkbox is unmarked, the attribute can still be assigned, but then as an explicit
administrator action, rather than an automatic function.
The checkbox SAM Enterprise User Manual: Valid Values Mandatory has a basic effect and
an implicit effect: A marked checkbox specifies that this attribute can only have values within
the boundaries expressed by the value/range definitions in the attribute pool. This is the basic
effect.
An attribute with this checkbox unmarked can be set to any value, and value/range entries
in the pool represent just suggestions or plannings but no constraints.
The implicit effect is that, when automatically assigning the attribute to a rule in a resource,
a valid value/range must be set; otherwise the automatic assignment would violate the value
constraint in the attribute definition. The default value/range used for this situation is part
of the attribute definition and stored in the three fields
Default Operator
Default From Value
Default To Value
In the rule of the resource, the automatically assigned attribute is a child object of the rule,
and the automatically assigned valid value/range is a child object of the attribute assignment,
i.e. a grandchild object of the rule. The above three fields correspond to the following fields
in the aConnext <type> resource rule attribute value objects:
Operator
Value From
Value To
It should be obvious that the default values in the attribute definition must match the value
constraints in the same definition.
When clearing a previously set checkbox Valid Values Mandatory, neither the three default
fields nor the dependent value/range specifications are deleted, but from this moment on they
are unused - until the checkbox is marked again.
92
Role-Based Objects
The object category Role-based comprises those business objects in SAM Enterprise that are
used for role-based access control (RBAC). These objects imply a certain mode of control over
accounts as the objects representing users in specific systems.
Conceptually, role-based objects reside at enterprise level. However, in order to establish
control over accounts, these objects require a system-specific instance in the same system in
which the account is defined.
Roles
The business object type role belongs to the enterprise level and appears the same for any
target system interface. However, the purpose of roles is to provide group connections, and this
indeed implies image level objects - system-specific group connections for roles. This section
documents the two types of aConnect group connections for roles.
Providing group connections is the only function of roles. This is why the roles themselves
are not represented at image level. In contrast to user policy accounts, roles provide neither
attribute values nor dependent data. Nonetheless, roles can cause the creation of accounts:
When a user is connected to a role, SAM duplicates the roles group connections for the
users accounts.
If a user does not yet have an account in any involved systems, SAM creates the account
automatically. In the case of user policy assignment, SAM uses the user policy account
as prototype. For roles, SAM uses the system-specific account defaults.
aConnect Group Connections (Role)
The business object type aConnect group connection (role) represents a relationship between an aConnect group and a role. The connection grants the groups access rights to the
accounts belonging to the roles assigned users. The diagram below shows the relationships
between aConnect group connections for roles and other business objects.
93
In SAM terminology, group connections are image object because they mirror the data structures
in a specific type of target system. This is also true for connections to roles, although these
connections exist only in SAM and not in the target system.
aConnect group connections for roles have no dependent objects, which is in contrast to all other
group connections in SAM aConnect. They have relationships to two other necessary objects:
a role and an aConnect group. Both must exist before the group connection can be created.
The relationship between a role and a group is not symmetrical. A group connection can be
created and deleted only from the role side. SAMs graphical user interface (GUI) shows such
connections as dependents of groups, but only for viewing purposes.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group connection:
aConnect group connection (account)
An aConnect accounts assignment to an aConnect group.
aConnect group connection (account template)
A customer-specific prototype for creating aConnect group connections (account).
aConnect group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect group connections (account).
aConnect group connection (role)
A roles prototype for creating and controlling aConnect group connections (account).
aConnect Group Connections (Role) General Data An aConnect group connection for
a role consists of one element. This item contains general data about the connection.
See SAM Enterprise Business Object Reference: Administering Group Connections (Role) for
a summary of functions for creating, modifying, and deleting such business objects. These
functions apply to aConnect group connections for roles as described.
aConnect Generic Group Connections (Role)
The generic version of an aConnect group connection for a role can be defined only through a
target system set. The generic connection serves as a prototype for normal aConnect group
connections for accounts in the target systems that are elements in the TS set. There are two
implicit conditions for generic group connections for roles:
The group must reside in the sets reference system.
The group connection must be done toward the TS set, appearing as a generic target
system, rather than directly toward the reference system.
94
Note: The role can receive a connection to the same group directly toward the reference system.
However, the result is then a normal (discrete) group connection for the role, and none of the
details discussed apply in this case.
The following example outlines how a generic group connection for a role is used and where the
involved business objects appear as physical occurrences:
1. Assume there is a TS set SET-1. This set has three target systems as elements - ACON-A,
ACON-B, and ACON-C. All three of them are aConnect target systems. The sets reference
system is ACON-A.
Note: A TS set can only have elements of the same target system type, here aConnect.
2. Assume there is a role PROJECT1. Now the administrator connects this role with the group
TEAM23 by specifying SET-1 as the TS set ID.
Because SET-1 identifies a TS set, SAM evaluates the sets reference system - here ACON-A
- and checks whether the group TEAM23 is defined in the system. This provided, the group
connection is created. From its definition through a TS set, it automatically becomes
generic.
3. The new group connection has no effects yet. It exists only in SAM. Logically, you can
consider the connection as stored under the sets reference system ACON-A. Physically,
however, this occurrence is in the same table as all other aConnect group connections.
4. Now the administrator assigns the role PROJECT1 to the user CLARK. The user CLARK then
automatically receives all discrete group connections the role offers. However, generic
objects are not passed on automatically.
The generic account establishes a pool of target systems in which the user CLARK can
receive group connections according to the assigned role. This pool includes the systems
ACON-A, ACON-B, and ACON-C.
5. The administrator now assigns another aConnect target system as an element of the TS
set SET-1 - the system ACON-D. The new element increases the pool by one. This causes
no immediate changes for the controlled user CLARK.
6. Now the administrator returns to the user CLARK and selects two systems from the pool ACON-B and ACON-D. SAM performs this order as follows:
First, SAM checks whether the user CLARK is already represented with an account
in these systems. If not, accounts are created using the system-specific account
defaults as prototype.
SAM then connects these accounts with the groups TEAM23 in the respective systems
by creating normal aConnect group connections for the accounts.
The new normal aConnect group connections for the accounts reside in the respective systems
as if created by some other method. However, in contrast to a directly created connection, they
depend on the involved conditions. For example, any of the following events causes the deletion
of the connection between the account CLARK and the group TEAM23 in the system ACON-B:
The role PROJECT1 loses the connection to the group TEAM23.
95
It as a matter of perspective whether joker group connections - and joker groups themselves should be called enterprise objects or image objects. The following table allows you to form
your own opinion:
Concerning business object ID, Import Interface transaction, data panel and help IDs, there
is just one object called joker group connection, and the BO ID prefix is Base, which
otherwise is exclusively used for enterprise data. These facts indicate an enterprise object
which, for some reason, has an attribute called TS ID.
96
Joker group connections are asymmetrical, meaning they can only be administered from within
the roles context. This fact is neutral and does not imply anything because the same is true
for normal group connections of a role, which are definitely image objects.
The attribute TS ID is a key attribute. The group connection that results from the associated
customer-specific program can only be a connection to an aConnect group (or none at all).
These facts indicate an image object which, for some reason, is structurally the same in all
target system interfaces.
Only roles can connect to joker groups, so joker group connection and joker group connection
(role) mean the same. Joker group connections have no dependent objects. They have relationships to two other necessary objects: a role and a joker group. Both must exist before the joker
group connection can be created.
The relationship between a role and a joker group is not symmetrical. A joker group connection
can be created and deleted only from the role side. SAMs graphical user interface (GUI) shows
such connections as dependants of joker groups, but only for viewing purposes.
aConnect Joker Group Connections (Role) General Data An aConnect joker group
connection consists of one occurrence. This item contains the general data about the connection.
See SAM Enterprise Business Object Reference: Administering Joker Group Connections (Role)
for a summary of functions for creating, modifying, and deleting such objects. These functions
apply to aConnect joker group connections for roles as described.
Templates
The object category Template comprises those business objects in SAM Enterprise that serve
as prototypes and blueprints when creating normal objects of the respective type. Templates
have the following characteristics:
A template can include everything that is needed to represent a certain prototype. For
example, a template can include connections to other business objects. Templates can provide
attribute values, dependent data, and connections to other business objects, if available for a
template type.
A template is always a customer-defined business object. SAM Enterprise is delivered without
standard templates.
A template must be explicitly specified when creating an object. When creating an object
without specifying a template, SAM Enterprise uses the respective defaults object, which is a
manufacturer-provided prototype. However, defaults objects cannot provide dependent data
or connections to other objects.
A template does not retain control over the objects created by copying it. After an object is
created using a template, the object and template can change without affecting each other.
This is in contrast to role-based objects which combine a template-like aspect with a control
function.
When discussing users and their accounts, templates and user policies seem very similar. The
following table summarizes their common factors and differences using user policy accounts and
account templates as example:
Aspect
Account Template
Function:
Usage:
98
Template
Used when the administrator creates an account without role-based
administration but with a certain
structure in mind. The template
must be explicitly specified in the
creation order.
None, right after SAM installation.
Can be created, modified, and
deleted.
Supported in the GUI and in the
Import Interface.
Aspect
Account Template
Dependants:
Connections:
Control
The business object type aConnect account template represents a customer-specific prototype and blueprint for creating normal aConnect accounts. The diagram below shows the
relationships between aConnect account templates and other business objects:
99
In SAM terminology, accounts are image objects because they mirror the data structures in a
specific type of target system. This is also true for account templates, although they exist only
in SAM and not in the target system itself. SAM uses the following business objects to represent
aConnect account templates:
aConnect account template general data
aConnect account template attributes
aConnect account template attribute values
aConnect account templates have two mandatory relationships to business objects at enterprise
level:
Each aConnect account template belongs to a user template - the one for which it serves
as the blueprint when creating normal aConnect accounts in the respective target system.
Each aConnect account template is defined in a specific aConnect target system - the one
in which it can act as a prototype for normal accounts.
At image level, an aConnect account template can have relationships to the following objects,
always for the purpose of receiving access rights that will be granted to the normal accounts
that are created after the account template:
A connection to an aConnect group grants the access rights given to that group.
100
Under the conditions mentioned above, it is possible to manually assign any attribute that
is defined in the target system and appears in the selection list for the assignable attributes.
However, in a well configured target system, important account attributes are assigned automatically when creating the account. This effect is achieved through attribute references
that are defined in the target system. See Automatic Attribute Assignments for a detailed
discussion of this topic.
See SAM Enterprise Business Object Reference: Administering Account Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect account template attributes, the functions listed under Multiple Dependants are
applicable with the restrictions as explained above.
In SAM terminology, group connections are image objects because they mirror the data structures in a specific type of target system. This is also true for connections to account templates,
although they only exist in SAM and not in the target system. SAM uses the following business
objects to represent aConnect group connections for account templates:
aConnect group connection (role) general data
aConnect group connection (role) attribute
aConnect group connection (role) attribute value
aConnect group connections for account templates have relationships to two other necessary
objects: an aConnect account template and an aConnect group. Both must exist before the
group connection can be created.
The relationship between an account template and a group is not symmetrical. A group connection can be created and deleted only from the template side. SAMs graphical user interface
(GUI) shows such connections also as dependents of groups, but only for viewing purposes.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group connection:
aConnect group connection (account)
An aConnect accounts assignment to an aConnect group.
aConnect group connection (account template)
A customer-specific prototype for creating aConnect group connections (account).
aConnect group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect group connections (account).
aConnect group connection (role)
A roles prototype for creating and controlling aConnect group connections (account).
103
aConnect Group Connections (Account Template) General Data The business object
aConnect group connection (account template) general data is the main object of a group connection for an account template in an aConnect target system. It contains general information
about the connection, such as the template and the group ID, the access code for the template
and for the created object, etc.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Template) for a summary of functions for creating, modifying, and deleting such objects. These
functions apply to aConnect group connections for account templates as described.
aConnect Group Connections (Account Template) Attributes The business object
aConnect group connection (account template) attribute defines an attribute assignment for the
owning group connection. A group connection can have any number of attributes assigned, as
long as these assignments meet the following conditions:
The attribute can cover any purpose. Typically, a group connection attribute defines accessrelevant information. For example, an attribute Limit might specify the maximum transaction value up to which a particular user is authorized without requiring an approval from
another person in the organization. If such an attribute is assigned to a group connection, it
applies to the data objects that are accessible through this group connection, rather than to
the user in general.
It is only possible to assign attributes that are defined in the target system. This means that
the same attribute must be defined in any of the classes of the target system.
A particular attribute, which is defined by its attribute ID and by the class to which it
belongs, can be assigned only once. Additional variations can be specified only at attribute
value level.
Under the conditions mentioned above, it is possible to assign any attribute that is defined
in the target system and appears in the selection list for the assignable attributes. When
using the template to create normal group connections, the same attribute is assigned to the
created connection. However, in a well configured target system, important group connection
attributes are assigned automatically when creating the connection. This effect is achieved
through attribute references that are defined in the target system. See Automatic Attribute
Assignments for a detailed discussion of this topic.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Template) for a summary of functions for creating, modifying, and deleting such objects and their
dependent data. For aConnect group connection (account template) attributes, the functions
listed under Multiple Dependants are applicable with the restrictions as explained above.
aConnect Group Connections (Account Template) Attribute Values The business
object aConnect group connection (account template) attribute value defines the owning group
104
connections value for the owning attribute. If the attribute is defined with a value range or a
list of valid values, the value here must meet this condition.
If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to a group connection must hold at least one attribute value.
Whether a group connection can have more than one value for the same attribute assignment
depends on the attribute definition.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Template) for a summary of functions for creating, modifying, and deleting such objects and
their dependent data. For aConnect group connection (account template) attribute values, the
functions listed under Single Dependants or those listed under Multiple Dependants can be
applicable, depending on the attribute nature.
aConnect Resource Group Connections (Account Template)
The business object aConnect resource group connection (account template) represents a relationship between an aConnect resource group and an aConnect account template. When using
the account template for creating a normal account, the account receives a connection to the
same resource group and the access rights held by the resource group. The diagram below shows
the relationships between aConnect resource group connections for account templates and other
business objects.
In SAM terminology, resource group connections are image objects because they mirror the
data structures in a specific type of target system. This is also true for connections to account
templates, although they only exist in SAM and not in the target system. SAM uses the following
business objects to represent aConnect resource group connections for account templates:
aConnect group connection (role) general data
105
It contains general information about the connection, such as the template and the resource
group IDs, the access code, etc. From the application perspective, the connection alone - without authorizations as dependants - is equivalent to an empty access matrix in which the access
resources represent the rows and the object resources represent the columns.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account Template) for a summary of functions for creating, modifying, and deleting such
business objects. These functions apply to aConnect resource group connections for account
templates as described, however under the additional condition that this is a triple connection
in which there is always a balanced pair of resource groups - access and object - at the other
side.
Other details of the authorized access methods are expressed in the resources themselves, more
specifically in their rules. The rules may refer to attributes of the accessing group, the accessing
account, or the group connection through which an account can use a groups access rights.
For any particular pair of access resource and object resource, a resource group connection can
have just one authorization. This provided, a resource group connection can have any number
of authorizations, up to a completely filled access matrix as the maximum.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Account Template) for a summary of functions for creating, modifying, and deleting such
business objects and their dependent data. For aConnect resource group connection (account
template) authorizations, the functions listed under Multiple Dependants are applicable.
In SAM terminology, groups are image objects because they mirror the data structures in a
specific type of target system. This is also true for group templates, although they exist only in
SAM and not in the target system itself. SAM uses the following business objects to represent
aConnect group templates:
aConnect
aConnect
aConnect
aConnect
group
group
group
group
template
template
template
template
general data
forbidden group
attribute
attribute value
aConnect group templates have one mandatory relationship to another business object at enterprise level. This is the aConnect target system to which they belong - the one in which they
can act as a prototype for normal groups.
In addition to this implicit relationship, an aConnect group template can have relationships to
pairs of resource groups with the purpose of receiving access rights that are given to every group
formed after the template. Such a pair always includes an aConnect access resource group
and an aConnect object resource group.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
group:
aConnect group
A container structure for access rights in an aConnect target system.
108
A forbidden group under a normal group is a group-to-group relationship, and a forbidden group
under a group template is a group template-to-group relationship. A group template can have
any number of forbidden groups, provided that the forbidden group is defined in the same target
system, and all entries refer to different groups.
See SAM Enterprise Business Object Reference: Administering Group Templates for a summary
of functions for creating, modifying, and deleting such business objects and their dependent data.
For aConnect group template forbidden groups, the functions listed under Multiple Dependants
are applicable.
aConnect Group Template Attributes
The business object aConnect group template attribute defines an attribute assignment for the
owning group template, with the purpose of providing a group that is created from this template
with the same assignment. A group can have any number of attributes assigned, as long as these
assignments meet the following conditions:
The attribute can cover any purpose. Typically, a group attribute defines access-relevant
information. For example, an attribute Limit might specify the maximum transaction value
up to which a particular user is authorized as far as these access rights are inherited from a
membership in that group.
It is only possible to assign attributes that are defined in the target system. This means that
the same attribute must be defined in any of the classes of the target system.
A particular attribute, which is defined by its attribute ID and by the class to which it
belongs, can be assigned only once. Additional variations can be specified only at attribute
value level.
Under the conditions mentioned above, it is possible to assign any attribute that is defined in
the target system and appears in the selection list for the assignable attributes. However, in
a well configured target system, important group attributes are assigned automatically when
creating the group. This effect is achieved through attribute references that are defined in the
target system. See Automatic Attribute Assignments for a detailed discussion of this topic.
See SAM Enterprise Business Object Reference: Administering Group Templates for a summary
of functions for creating, modifying, and deleting such business objects and their dependent data.
For aConnect group template attributes, the functions listed under Multiple Dependants are
applicable.
aConnect Group Template Attribute Values
The business object aConnect group template attribute value defines the owning group templates
value for the owning attribute. If the attribute is defined with a value range or a list of valid
values, the value here must meet this condition.
110
If the switch Valid Values Mandatory is set for the owning attribute, the value here must also
match any of the valid value definitions for the attribute. Otherwise, the valid value definitions
represent suggestions, and any other value is valid as well.
Each attribute which is assigned to a group or group template must hold at least one attribute
value. Whether a group template can have more than one value for the same attribute assignment
depends on the attribute definition.
See SAM Enterprise Business Object Reference: Administering Group Templates for a summary
of functions for creating, modifying, and deleting such business objects and their dependent data.
For aConnect group template attribute values, the functions listed under Single Dependants or
those listed under Multiple Dependants can be applicable, depending on the attribute nature.
aConnect Resource Group Connections (Group Template)
The business object aConnect resource group connection (group template) represents a relationship between an aConnect resource group and an aConnect group template. When using
the group template for creating a normal group, the group receives a connection to the same
resource group and the access rights held by the resource group. The diagram below shows
the relationships between aConnect resource group connections for group templates and other
business objects.
In SAM terminology, resource group connections are image objects because they mirror the data
structures in a specific type of target system. This is also true for connections to group templates,
although they only exist in SAM and not in the target system. SAM uses the following business
objects to represent aConnect resource group connections for group templates:
aConnect group connection (role) general data
aConnect group connection (role) authorization
Resource group connections for group templates have relationships to the three necessary objects
that are already indicated by the name: an aConnect group template, an aConnect access
111
resource group, and an aConnect object resource group. All three of them must exist before the
connection can be created.
The relationship between group templates and resource groups in SAM is asymmetrical. This is
because at the resource group side there must always be a pair with one resource group of either
type, access and object. However, despite this asymmetrical nature, SAMs graphical user
interface (GUI) presents such connections as dependants for each of the three involved business
objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect accounts assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
aConnect resource group connection (account defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (account).
aConnect resource group connection (group)
An aConnect groups assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (group template)
A customer-specific prototype for creating aConnect resource group connections (group).
aConnect resource group connection (group defaults)
The manufacturer-provided default prototype for creating aConnect resource group connections (group).
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Resource Group Connections (Group Template) General Data The business object aConnect resource group connection (group template) general data is the main object
of a resource group connection for a group template in an aConnect target system. It contains
general information about the connection, such as the template and the resource group IDs, the
access code, etc. From the application perspective, the connection alone - without authorizations
as dependants - is equivalent to an empty access matrix in which the access resources represent
the rows and the object resources represent the columns.
112
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group Template) for a summary of functions for creating, modifying, and deleting such business
objects. These functions apply to aConnect resource group connections for group templates as
described, however under the additional condition that this is a triple connection in which there
is always a balanced pair of resource groups - access and object - at the other side.
aConnect Resource Group Connections (Group Template) Authorizations The business object aConnect resource group connection (group template) authorization defines a single
authorization in the access matrix that is represented by the resource group connection altogether and in which access resources appear as rows and object resources appear as columns. A
particular authorization defines the following:
Other details of the authorized access methods are expressed in the resources themselves, more
specifically in their rules. The rules may refer to attributes of the accessing group, the accessing
account, or the group connection through which an account can use a groups access rights.
For any particular pair of access resource and object resource, a resource group connection can
have just one authorization. This provided, a resource group connection can have any number
of authorizations, up to a completely filled access matrix as the maximum.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group Template) for a summary of functions for creating, modifying, and deleting such business
objects and their dependent data. For aConnect resource group connection (group template)
authorizations, the functions listed under Multiple Dependants are applicable.
In SAM terminology, access resources are image objects because they mirror the data structures
in a specific type of target system. This is also true for access resource templates, although they
exist only in SAM and not in the target system itself. SAM uses the following business objects
to represent aConnect access resource templates:
aConnect
aConnect
aConnect
aConnect
access
access
access
access
resource
resource
resource
resource
template
template
template
template
general data
rule
rule attribute
rule attribute value
aConnect access resource templates have one mandatory relationship to another business object
at enterprise level. This is the aConnect target system to which they belong - the one in which
they can act as a prototype for normal access resources.
In addition to this implicit relationship, an access resource template can have relationships to
access resource groups with the purpose of creating the same relationships for the normal access
resources that are formed after the owning template.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource:
aConnect access resource
A representative for data access functions in an aConnect target system.
aConnect access resource template
A customer-specific prototype for creating aConnect access resources
114
A rule with its attributes, their comparison operators and values is always both a defining
condition for the resource and an access restriction that establishes an upper limit for any
access right that might be granted toward the resource through resource group connections.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect access resource template rules, the functions listed under Multiple Dependants
are applicable.
aConnect Access Resource Template Rule Attributes
The business object aConnect access resource template rule attribute defines a single condition
within the owning rule by specifying the following:
the involved attribute and
the comparison operator for the condition
For each of its rules, an access resource or access resource template can have any number of
attributes assigned, as long as these assignments meet the following conditions:
Each attribute reflects an elementary condition within the owning rule, which is defined by
the sum of all conditions combined in a logical AND. This implies that a useful rule cannot
combine attribute conditions that are mutually exclusive in a logical sense.
It is only possible to assign attributes that are defined in the target system and in the same
class to which the owning access resource or template belongs.
A particular attribute can be assigned only once. A real-world condition in which the same
attribute occurs several times in a logical OR combination is reflected either with several values
under the rule attribute or with several rules, each of them containing the same attribute once.
See SAM Enterprise Business Object Reference: Administering Resources Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect access resource template rule attributes, the functions listed under Multiple Dependants are applicable.
aConnect Access Resource Template Rule Attribute Values
The business object aConnect access resource template rule attribute value defines a value constraint for the owning attribute within the owning rule of the owning access resource template.
The following example illustrates how this third level of dependency is used in the normal access
resources that are created by copying the template:
Assume that an access resource is supposed to represent the profile any transaction in the
CLK17* category, as long as the transaction value does not exceed 10.000.
116
The access resource needs one rule to represent this profile, because the elementary conditions
within a rule are combined in a logical AND.
This rule needs two rule attributes, one for the transaction category and one for the maximum
value. Note: A rule attribute also defines the comparison operator that is applied toward
the values.
Each of the two rule attributes have one attribute value. The value for the first attribute
is CLK17*, and the value for the second attribute is 10.000 or 10.001, depending on which
comparison operator is used, LESS THAN or LESS THAN OR EQUAL.
If the switch Valid Values Mandatory is set for the owning rule attribute, the value here
must also match any of the valid value definitions for the attribute. Otherwise, the valid value
definitions represent suggestions, and any other value is valid as well.
Each rule attribute needs at least one rule attribute value. Whether multiple values are allowed
depends on the operator (and perhaps also on the attribute). Multiple values are only meaningful
with the EQUAL operator to express alternatives that are combined in a logical OR.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect access resource template rule attribute values, the functions listed under Single
Dependants or those listed under Multiple Dependants can apply, depending on the implicit
condition.
aConnect Access Resource Group Connections
The business object aConnect access resource group connection template represents
a connection between an aConnect access resource template and an aConnect access resource
group, with the purpose of providing the same connection to normal access resources that are
formed after the template. Such connections are a prerequisite for granting access of any kind
toward access resources, because accounts and groups can only have access rights toward resource
groups. The diagram below shows the relationships between aConnect access resource group
connection templates and other business objects.
In SAM terminology, resource group connections are image object because they mirror the data
structures in a specific type of target system. This is also true for templates, although they
117
only exist in SAM, not in the target system itself. aConnect access resource group connection
templates have no dependent objects. They have relationships to two other necessary objects:
an aConnect access resource template and an aConnect access resource group. Both must exist
before the connection can be created.
The relationship between resource templates and resource groups in SAM is asymmetrical. A
connection can only be created or deleted from the template side. Nonetheless, SAMs graphical
user interface (GUI) presents them as dependants of both involved business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group connection:
aConnect access resource group connection
An aConnect access resources assignment to a resource group.
aConnect access resource group connection template
A customer-specific prototype for creating aConnect access resource group connections.
aConnect access resource group connection defaults
The manufacturer-provided default prototype for creating aConnect access resource group
connections.
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Access Resource Template General Data An aConnect access resource group
connection for a resource template consists of one part. This item contains general data about
the connection.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Resource Template) for a summary of functions for creating, modifying, and deleting such
business objects. These functions apply to aConnect access resource group connections for
resource templates as described.
In SAM terminology, object resources are image objects because they mirror the data structures
in a specific type of target system. This is also true for object resource templates, although they
exist only in SAM and not in the target system itself. SAM uses the following business objects
to represent aConnect object resource templates:
aConnect
aConnect
aConnect
aConnect
object
object
object
object
resource
resource
resource
resource
template
template
template
template
general data
rule
rule attribute
rule attribute value
aConnect object resource templates have one mandatory relationship to another business object
at enterprise level. This is the aConnect target system to which they belong - the one in which
they can act as a prototype for normal object resources.
In addition to this implicit relationship, an object resource template can have relationships
to object resource groups with the purpose of establishing the same connections at the object
resources that are created from this template.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource:
aConnect object resource
A representative for accessible objects in an aConnect target system.
aConnect object resource template
A customer-specific prototype for creating aConnect object resources
119
A rule with its attributes, their comparison operators and values is always both a defining
condition for the resource and an access restriction that establishes an upper limit for any
access right that might be granted toward the resource through resource group connections.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect object resource template rules, the functions listed under Multiple Dependants
are applicable.
aConnect Object Resource Template Rule Attributes
The business object aConnect object resource template rule attribute defines a single condition
within the owning rule by specifying the following:
the involved attribute and
the comparison operator for the condition
For each of its rules, an object resource or object resource template can have any number of
attributes assigned, as long as these assignments meet the following conditions:
Each attribute reflects an elementary condition within the owning rule, which is defined by
the sum of all conditions combined in a logical AND. This implies that a useful rule cannot
combine attribute conditions that are mutually exclusive in a logical sense.
It is only possible to assign attributes that are defined in the target system and in the same
class to which the owning object resource or template belongs.
A particular attribute can be assigned only once. A real-world condition in which the same
attribute occurs several times in a logical OR combination is reflected either with several values
under the rule attribute or with several rules, each of them containing the same attribute once.
See SAM Enterprise Business Object Reference: Administering Resources Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect object resource template rule attributes, the functions listed under Multiple Dependants are applicable.
aConnect Object Resource Template Rule Attribute Values
The business object aConnect object resource template rule attribute value defines a value constraint for the owning attribute within the owning rule of the owning object resource template.
The following example illustrates how this third level of dependency is used in the normal object
resources that are created by copying the template:
Assume that an object resource is supposed to represent the profile any contract in the Real
Estate category, as long as the contract value does not exceed 250.000.
121
The object resource needs one rule to represent this profile, because the elementary conditions
within a rule are combined in a logical AND.
This rule needs two rule attributes, one for the contract category and one for the contract
value. Note: A rule attribute also defines the comparison operator that is applied toward
the values.
Each of the two rule attributes have one attribute value. The value for the first attribute would
be Real Estate, and the value for the second attribute would be 250.000 or 250.001, depending
on which comparison operator is used, LESS THAN or LESS THAN OR EQUAL.
If the switch Valid Values Mandatory is set for the owning rule attribute, the value here
must also match any of the valid value definitions for the attribute. Otherwise, the valid value
definitions represent suggestions, and any other value is valid as well.
Each rule attribute needs at least one rule attribute value. Whether multiple values are allowed
depends on the operator (and perhaps also on the attribute). Multiple values are only meaningful
with the EQUAL operator to express alternatives that are combined in a logical OR.
See SAM Enterprise Business Object Reference: Administering Resource Templates for a summary of functions for creating, modifying, and deleting such objects and their dependent data.
For aConnect object resource template rule attribute values, the functions listed under Single
Dependants or those listed under Multiple Dependants can apply, depending on the implicit
condition.
aConnect Object Resource Group Connections
The business object aConnect object resource group connection template represents
a connection between an aConnect object resource template and an aConnect object resource
group, with the purpose of providing the same connection to normal object resources that are
formed after the template. Such connections are a prerequisite for granting access of any kind
toward object resources, because accounts and groups can only have access rights toward resource
groups. The diagram below shows the relationships between aConnect s and other business
objects.
In SAM terminology, resource group connections are image object because they mirror the data
structures in a specific type of target system. This is also true for templates, although they
122
only exist in SAM, not in the target system itself. aConnect object resource group connection
templates have no dependent objects. They have relationships to two other necessary objects:
an aConnect object resource template and an aConnect object resource group. Both must exist
before the connection can be created.
The relationship between resource templates and resource groups in SAM is asymmetrical. A
connection can only be created or deleted from the template side. Nonetheless, SAMs graphical
user interface (GUI) presents them as dependants of both involved business objects.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group connection:
aConnect object resource group connection
An aConnect object resources assignment to a resource group.
aConnect object resource group connection template
A customer-specific prototype for creating aConnect object resource group connections.
aConnect object resource group connection defaults
The manufacturer-provided default prototype for creating aConnect object resource group
connections.
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
aConnect Object Resource Template General Data An aConnect object resource group
connection for a resource template consists of one part. This item contains general data about
the connection.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Resource Template) for a summary of functions for creating, modifying, and deleting such
business objects. These functions apply to aConnect object resource group connections for
resource templates as described.
In SAM terminology, access resource groups are image objects because they mirror the data
structures in a specific type of target system. This is also true for access resource group templates, although they exist only in SAM and not in the target system itself. SAM uses the
following business objects to represent aConnect access resource group templates:
aConnect access resource group template general data
aConnect access resource group template orbidden group
aConnect access resource group templates have one mandatory relationship to another business
object at enterprise level. This is the aConnect target system to which they belong - the one in
which they can act as a prototype for normal access resource groups.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource group:
aConnect access resource group
A container for aConnect access resources.
aConnect access resource group template
A customer-specific prototype for creating aConnect access resource groups.
aConnect access resource group defaults
The manufacturer-provided default prototype for creating aConnect access resource groups.
aConnect Access Resource Group Template General Data
The business object aConnect access resource group template general data is the main object of
an access resource group template in an aConnect target system. It contains general information
about the template, such as the template ID, the access codes for the template and the normal
objects, etc.
124
See SAM Enterprise Business Object Reference: Administering Resource Group Templates for
a summary of functions for creating, modifying, and deleting such business objects. These
functions apply to aConnect access resource group templates as described.
aConnect Access Resource Group Template Forbidden Groups
The business object aConnect access resource group template forbidden group defines a condition
of mutual exclusion that applies to resource group connections for accounts or groups in which
a resource group is involved that was created after the owning template. An example may
illustrate what this means:
Assume that a rule in an enterprise specifies that someone with administrative access rights
toward a category of contracts cannot also have auditing or approving access rights, and vice
versa.
Assume that there is one access resource group ADM that provides the functions for contract
administration, and there is another access resource group AUD that provides the functions
for auditing. Assume further that the contracts are represented in an object resource group
CON.
To establish the rule, the group ADM needs a forbidden group entry for AUD, and the
group AUD needs a forbidden group entry for ADM.
= Forbidden group entries are symmetrical by definition. In a relationship between two
resource groups, SAM aConnect would reflect this by automatically creating the counterpart. In a relationship between a resource group template and a resource group, SAM
aConnect reflects this by creating the counterpart when creating a resource group with
the template. For example, assume a template TEMP-A with an entry that forbids
GRP-B. When creating a group GRP-A by using that template, SAM aConnect adds
an entry under GRP-B that forbids GRP-A.
Assume a group has a resource group connection in which ADM is the access partner and
CON is the object partner. This connection provides the necessary access rights for administering the contracts. When attempting to provide a connection to a pair with AUD and
CON as the partners, SAM aConnect refuses the creation with reference to this forbidden
group entry.
The same happens when attempting to provide a connection for an account which has inherited
the access rights from the ADM/CON connection through a normal group connection.
The forbidden group can only be an access resource group. An access resource group template
can have any number of forbidden groups, provided that the forbidden group is defined in the
same target system, and all entries refer to different groups.
See SAM Enterprise Business Object Reference: Administering Resource Group Templates for
a summary of functions for creating, modifying, and deleting such objects and their dependent
125
data. For aConnect access resource group template forbidden groups, the functions listed under
Multiple Dependants are applicable.
In SAM terminology, object resource groups are image objects because they mirror the data
structures in a specific type of target system. This is also true for object resource group templates, although they exist only in SAM and not in the target system itself. SAM uses the
following business objects to represent aConnect object resource group templates:
aConnect object resource group template general data
aConnect object resource group template forbidden group
aConnect object resource group templates have one mandatory relationship to another business
object at enterprise level. This is the aConnect target system to which they belong - the one in
which they can act as a prototype for normal object resource groups.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group:
aConnect object resource group
A container for aConnect object resources.
aConnect object resource group template
A customer-specific prototype for creating aConnect object resource groups.
aConnect object resource group defaults
The manufacturer-provided default prototype for creating aConnect object resource groups.
126
The forbidden group can only be an object resource group. An object resource group template
can have any number of forbidden groups, provided that the forbidden group is defined in the
same target system, and all entries refer to different groups.
See SAM Enterprise Business Object Reference: Administering Resource Group Templates for
a summary of functions for creating, modifying, and deleting such objects and their dependent
data. For aConnect object resource group template forbidden groups, the functions listed under
Multiple Dependants are applicable.
Defaults
The object category Defaults comprises those business objects in SAM Enterprise that serve
as prototypes when creating objects when no template is specified. In short, defaults combine
three characteristics:
A defaults object is manufacturer-provided and counts as part of the installation. There is
exactly one defaults object for any type of business object in SAM Enterprise.
A defaults object cannot be created or deleted by a customer. Only the attribute values are
subject to administration or configuration.
A defaults object shares the prototype function with a template of the same type. However,
in contrast to them, defaults cannot include dependants or connections to other objects. The
sole purpose of a defaults object is to make object creation possible when a user provides only
the key values and maybe a name but nothing else.
Defaults and templates are closely related, but at the same time significantly different. The
following table provides an overview of their common factors and differences:
Aspect
Template
Defaults
Function:
Usage:
Customer-created template
Used when the administrator explicitly specifies a template when
creating a new object.
Initial count:
Manufacturer-created template
Used when the administrator does
not specify a template when creating a new object, or when a
template cannot be specified (e.g.,
when creating objects through
role-based administration).
One per object type and target
system.
Exist for all business objects.
Types:
Exist for all business objects except target systems and their dependants.
Administration: Can be created, modified, and
deleted.
128
Aspect
Template
Defaults
Interfaces:
Dependants:
Connections:
aConnect account
The representation of a user in an aConnect target system.
aConnect account template
A customer-specific prototype for creating aConnect accounts.
aConnect account defaults
The manufacturer-provided default prototype for creating aConnect accounts.
aConnect Account Defaults General Data
The business object aConnect account general data defaults is the manufacturer-provided standard prototype for creating aConnect account general data in cases where a template is not
specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect account defaults general data would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Account Defaults for a summary
of functions for administering such objects. These functions apply to aConnect account general
data defaults as described.
aConnect Account Defaults Attribute
The business object aConnect account attribute defaults is the manufacturer-provided standard
prototype for creating aConnect account attributes in cases where a template is not specified.
There is exactly one such object in an aConnect target system.
Note: The term aConnect account defaults attributes would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Account Defaults for a summary
of functions for administering such objects. These functions apply to aConnect account attribute
defaults as described.
aConnect Account Defaults Attribute Value
The business object aConnect account attribute value defaults is the manufacturer-provided
standard prototype for creating aConnect account attribute values in cases where a template is
not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect account defaults attribute values would also be correct - as long as
it is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
130
See SAM Enterprise Business Object Reference: Administering Account Defaults for a summary
of functions for administering such objects. These functions apply to aConnect account attribute
value defaults as described.
aConnect Group Connection (Account Defaults) General Data The business object
aConnect group connection (account) general data defaults is the manufacturer-provided standard prototype for creating general data in aConnect group connections for accounts in cases
where a template is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect group connection (account defaults) general data would also be
correct - as long as it is clear that a defaults object cannot be a compound object with a main
part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Defaults) for a summary of functions for administering such objects. These functions apply to
aConnect group connections for account defaults as described. See also the configuration Step
4 for the creation of defaults in a new aConnect target system.
131
aConnect Group Connection (Account Defaults) Attributes The business object aConnect group connection (account) attribute defaults is the manufacturer-provided standard prototype for creating attributes in aConnect group connections for accounts in cases where a template
is not specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect group connection (account defaults) attribute would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Defaults) for a summary of functions for administering such objects. These functions apply to
aConnect group connections for account defaults as described. See also the configuration Step
4 for the creation of defaults in a new aConnect target system.
aConnect Group Connection (Account Defaults) Attribute Values The business object aConnect group connection (account) attribute value defaults is the manufacturer-provided
standard prototype for creating attribute values in aConnect group connections for accounts in
cases where a template is not specified. There is exactly one such object in an aConnect target
system.
Note: The term aConnect group connection (account defaults) attribute value would also be
correct - as long as it is clear that a defaults object cannot be a compound object with a main
part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Group Connections (Account
Defaults) for a summary of functions for administering such objects. These functions apply to
aConnect group connections for account defaults as described. See also the configuration Step
4 for the creation of defaults in a new aConnect target system.
aConnect Resource Group Connection (Account Defaults)
The business object aConnect resource group connection (account defaults) is the manufacturerprovided prototype for creating aConnect resource group connections for accounts in cases where
a template is not specified.
There is exactly one such object in any particular aConnect target system. It is created automatically when creating a new target system. See Configuration for the steps in which first the
target system and then its defaults objects are defined.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
resource group connection:
aConnect resource group connection (account)
An aConnect accounts assignment to a resource group pair consisting of an aConnect access
resource group and an aConnect object resource group.
aConnect resource group connection (account template)
A customer-specific prototype for creating aConnect resource group connections (account).
132
apply to aConnect resource group connections for account defaults as described. See also the
configuration Step 4 for the creation of defaults in a new aConnect target system.
Note: The term aConnect group defaults general data would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Group Defaults for a summary
of functions for administering such objects. These functions apply to aConnect group general
data defaults as described.
aConnect Group Defaults Forbidden Group
The business object aConnect group forbidden group defaults is the manufacturer-provided standard prototype for creating aConnect group forbidden groups in cases where a template is not
specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect group defaults forbidden group would also be correct - as long as
it is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Group Defaults for a summary
of functions for administering such objects. These functions apply to aConnect group forbidden
group defaults as described.
aConnect Group Defaults Attribute
The business object aConnect group attribute defaults is the manufacturer-provided standard
prototype for creating aConnect group attributes in cases where a template is not specified.
There is exactly one such object in an aConnect target system.
Note: The term aConnect group defaults attribute would also be correct - as long as it is clear
that a defaults object cannot be a compound object with a main part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Group Defaults for a summary
of functions for administering such objects. These functions apply to aConnect group attribute
defaults as described.
aConnect Group Defaults Attribute Value
The business object aConnect group attribute value defaults is the manufacturer-provided standard prototype for creating aConnect group attribute values in cases where a template is not
specified. There is exactly one such object in an aConnect target system.
Note: The term aConnect group defaults attribute value would also be correct - as long as it
is clear that a defaults object cannot be a compound object with a main part and dependent
parts.
See SAM Enterprise Business Object Reference: Administering Group Defaults for a summary
of functions for administering such objects. These functions apply to aConnect group attribute
value defaults as described.
135
Note: The term aConnect resource group connection (group defaults) general data would also
be correct - as long as it is clear that a defaults object cannot be a compound object with a
main part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group Defaults) for a summary of functions for administering such objects. These functions
apply to aConnect resource group connections for group defaults as described. See also the
configuration Step 4 for the creation of defaults in a new aConnect target system.
aConnect Resource Group Connection (Group Defaults) Authorization The business object aConnect resource group connection (group) authorization defaults is the manufacturerprovided standard prototype for creating authorizations in aConnect resource group connections
for groups in cases where a template is not specified. There is exactly one such object in an
aConnect target system.
Note: The term aConnect resource group connection (group defaults) authorization would
also be correct - as long as it is clear that a defaults object cannot be a compound object with
a main part and dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Connections
(Group Defaults) for a summary of functions for administering such objects. These functions
apply to aConnect resource group connections for group defaults as described. See also the
configuration Step 4 for the creation of defaults in a new aConnect target system.
aConnect
aConnect
aConnect
aConnect
access
access
access
access
resource
resource
resource
resource
which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect access resource defaults have an implicit
relationship to a certain aConnect target system. They have no relationships to other business
objects.
137
In SAM terminology, access resources are image objects because they mirror the data structures
in a specific type of target system. This is also true for access resource defaults, although they
exist only in SAM and not in the target system itself.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
access resource:
aConnect access resource
A representative for data access functions in an aConnect target system.
aConnect access resource template
A customer-specific prototype for creating aConnect access resources
aConnect access resource defaults
The manufacturer-provided default prototype for creating aConnect access resources.
aConnect
aConnect
aConnect
aConnect
object
object
object
object
resource
resource
resource
resource
which are kept together for internal organization purposes but have nothing else in common.
Nonetheless, the standard terminology is used for the sake of simplicity.
Like any other aConnect business object, aConnect object resource defaults have an implicit
relationship to a certain aConnect target system. They have no relationships to other business
objects.
In SAM terminology, object resources are image objects because they mirror the data structures
in a specific type of target system. This is also true for object resource defaults, although they
exist only in SAM and not in the target system itself.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource:
aConnect object resource
A representative for accessible objects in an aConnect target system.
aConnect object resource template
A customer-specific prototype for creating aConnect object resources
aConnect object resource defaults
The manufacturer-provided default prototype for creating aConnect object resources.
140
Note: The term aConnect object resource defaults rule attribute value would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Defaults for a summary
of functions for administering such objects. These functions apply to aConnect object resource
rule attribute value defaults as described.
aConnect Object Resource Group Connection
The business object aConnect object resource group connection (resource defaults) is the manufacturerprovided prototype for creating aConnect object resource group connections for object resources
in cases where a template is not specified.
There is exactly one such object in any particular aConnect target system. It is created automatically when creating a new target system. See Configuration for the steps in which first the
target system and then its defaults objects are defined.
Be sure to distinguish between the business objects discussed here and other business objects
with similar names. The following table lists all business object names using the term aConnect
object resource group connection:
aConnect object resource group connection
An aConnect object resources assignment to a resource group.
aConnect object resource group connection template
A customer-specific prototype for creating aConnect object resource group connections.
aConnect object resource group connection defaults
The manufacturer-provided default prototype for creating aConnect object resource group
connections.
Note: Be also sure to distinguish between access resource group connections, object resource
group connections, and (unspecific) resource group connections. The first two categories link
the resources to their respective groups, and the last category links the resulting groups to the
objects with access demands, i.e. accounts and groups.
Note: The term aConnect access resource group defaults forbidden group would also be correct
- as long as it is clear that a defaults object cannot be a compound object with a main part and
dependent parts.
See SAM Enterprise Business Object Reference: Administering Resource Group Defaults for a
summary of functions for administering such objects. These functions apply to aConnect access
resource group forbidden group defaults as described.
aConnect
aConnect
aConnect
aConnect
target
target
target
target
system
system
system
system
See SAM Enterprise Business Object Reference: Administering Target System Defaults for a
summary of functions for administering such objects. These functions apply to aConnect target
system class attribute defaults as described.
Other
The object category Other comprises those business objects in SAM Enterprise that do not
belong to any of the previous categories. Usually, this leaves just the Help Desk accounts.
However, even if there are more candidates, this category cannot include objects that exist in
the administered target system because such objects are always normal by definition. Other
objects can only exist in SAM.
148
Configuration
This chapter explains how to configure SAM aConnect for the security administration of an
application system with SAM Enterprise. The table of contents above shows the configuration
steps that must be performed and the sequence in which they occur.
2 - Administrator ID
In Step 2, you make sure that the administrator who performs the configuration has appropriate
authorizations in SAM.
The administrator needs an account in ISEC, SAMs own security system. This account must
be authorized to update target system definitions. See the SAM Enterprise Internal Security
Manual for details about ISEC.
1. Open a Target System Defaults Navigation Windows. You can use the Configuration
-> Defaults -> Target System Defaults command from the menu bar. The window
displays a list of all target system defaults.
2. Locate the item ACON in the list. Double-click the item to open an Edit Window.
3. Update the settings as required for your target system defaults object. The default values
will be used whenever a new aConnect target system is created.
4. Submit your updates by pressing the Submit button. You can close the Target System
Defaults Edit Window.
3. Enter the ID for the new target system in the field TS ID.
Select aConnect as the target system type. The value will be placed in the field TS Type.
Enter a descriptive name for the new target system in the field Name.
4. Submit your input by pressing the Submit button. Be aware that pressing the Submit
button creates the new target system immediately in SAM. You cannot cancel this action
later on. When you press Submit, SAM closes the dialog box and opens a Target System
Edit Window with the new target system in display. See the next step for the required
settings there.
1. Make sure that the Enabled checkbox is empty. This checkbox must remain unmarked
until some more configuration steps are completed.
2. Fill in the Version field.
3. Fill in the Location field. The field must contain the same ID as the <location> element
in the Master Courier initialization file. The location ID identifies the connection to the
application system that is represented as an aConnect target system. The Master Courier
looks up the location ID in its initialization file to determine the parameters that are
needed for the communication with an aConnect Agent.
4. Submit your changes by pressing the Submit button. SAM implements the update.
performed as follows:
1. Select the entry Technical Data in the tree at the left. This recalls the previous data
panel at the right.
2. Mark the checkbox Enabled.
3. Select the entry Aconnect Data in the tree at the left. This recalls the data panel from a
previous step.
4. Enter the password for the TOM user.
5. Submit your update by pressing the Submit button. Now, with the aConnect data defined,
this update is accepted.
6. Close the window. This was the last activity toward the aConnect target system definition.
8 - Account Defaults
In Step 8, you update the aConnect account defaults object for the new target system by
establishing the required and the desired values. This object was created automatically as part
of the target system creation. Assuming you are logged in to SAM and the Workplace Window
is open, the step sequence is as follows:
1. Open a User Defaults Navigation Windows. You can use the Configuration -> Defaults
-> User Defaults command from the menu bar. The window displays a list of all user
defaults.
2. Locate the item DEFAULT in the list. Double-click the item to open a User Defaults
Edit Window.
3. Select Accounts in the tree at the left. This displays a selection list with all account
defaults at the right. Each target system has exactly one account defaults objects and,
hence, one item in the list.
4. Locate the ID of your aConnect target system in the list. The account defaults object for
your aConnect target system appears under this ID. Double-click the item in the list to
display the General Data Panel. Make sure the following fields have proper values:
Account ID
Name
See SAM Enterprise User Manual: Smart Defaults for object-specific placeholders in such
fields.
Update other settings as required for your account defaults object. SAM uses the default
values if an object is created, and no other source provides the initial values. For example,
account templates or policies can also be sources for initial values.
5. Submit your updates by pressing the Submit button. You can close the User Defaults Edit
Window.
153
9 - Group Defaults
In Step 9, you update the aConnect group defaults object for the new target system by establishing the required and the desired values. This object was created automatically as part of
the target system creation. Assuming you are logged in to SAM and the Workplace Window
is open, the step sequence is as follows:
1. Open a Group Defaults Navigation Window. You can use the Configuration -> Defaults
-> Group Defaults command from the menu bar. The window displays a list of all group
defaults.
2. Locate the item DEFAULT in the list. Double-click the item to open a Group Defaults
Edit Window.
3. Select General Data in the tree and make sure the fields have proper values. See SAM
Enterprise User Manual: Smart Defaults for object-specific placeholders in such fields.
Update other settings as required for your group defaults object. SAM uses the default
values if an object is created, and no other source provides the initial values. For example,
group templates can also be sources for initial values.
4. Submit your updates by pressing the Submit button. You can close the Group Defaults
Edit Window.
10 - Resource Defaults
In Step 10, you update the two aConnect resource defaults objects for the new target system
by establishing the required and the desired values. These objects, one for each of the two
resource types, were created automatically as part of the target system creation. Assuming you
are logged in to SAM and the Workplace Window is open, the step sequence is as follows:
1. Open a Resource Defaults Navigation Window. You can use the Configuration ->
Defaults -> Resource Defaults command from the menu bar. The window displays
a list of all resource defaults.
2. Locate the ID of your aConnect target system in the list. There are two resource defaults
objects per aConnect target system, one for access resources and one for object resources.
Double-click the first of them to open an Edit Window.
3. Select General Data in the tree and make sure the fields have proper values. See SAM
Enterprise User Manual: Smart Defaults for object-specific placeholders in a field. SAM
uses the default values if an object is created, and no other source provides the initial
values. For example, resource templates can also be sources for initial values.
4. Submit your updates by pressing the Submit button.
5. Proceed through the second resource type as well.
6. Finally, you can close the Resource Defaults Edit Window.
154
13 - Database Optimization
In Step 13, you run a database optimization job. This is an optional step. However, it is highly
recommended to optimize the performance.
155
156
There are as many different Agents as there are target system interfaces in SAM Enterprise,
and the basic rule is one Agent for each target system. An Agent for a particular interface
uses the interface name as prefix, so for SAM aConnect, the Agent is called aConnect Agent,
and its three sub-components are called
aConnect Socket Daemon
aConnect Remote Courier
157
aConnect TOM
This is despite the fact that the Socket Daemon and the Remote Courier are always platformspecific. The characteristics of the aConnect Agent and its sub-components can be summarized
as follows:
Concerning Socket Daemon and Remote Courier, the aConnect Agent is technically identical
with any other z/OS-based agent, because these components are fully determined by the
platform on which they reside. As explained in greater details in the respective sections, it
would even be possible to share one Socket Daemon and/or one Remote Courier among all
target systems on the same z/OS platform.
Concerning its TOM, the aConnect Agent is unique. The aConnect TOM supports the full
spectrum of TOM functions in SAM Enterprise.
This chapter documents the configuration as well as the handling of the aConnect Agent. As it
turns out, both parts deal with the setting of configuration files for the three sub-components
Socket Daemon, Remote Courier, and TOM.
= All z/OS-based Agents share the same libraries. As a consequence, if you install the
aConnect Agent, you actually get all z/OS-based Agents - even though your license may
not allow you to use them all.
Prerequisites
All prerequisites for the aConnect Agent are met during the installation of SAM aConnect, with
the Agent Installation being an integral part of it. The installation task can immediately be
followed by the configuration task described in this chapter.
The Master Courier uses the same code page as the SAM database. This code page was
implicitly specified during system installation when installing the SAM back end components
on the selected platform and the selected DBMS.
The Agent uses a code page that is specified during the Agent installation, in the step in which
the connection between the Agent and the Master Courier is configured. For SAM aConnect,
this is SAM Enterprise Installation Manual: Phase 4 - Handler Connection Screen. This panel
refers back to a parameter panel where the Remote Courier code page was really defined, while
the Master Courier code page was specified identical to its real definition in an XML file.
Unless these two code pages happen to be identical, any data that is transferred between the
Master Courier and the Agent is converted using a conversion table which is part of the RCINI
File.
Note: The code page for the LDAP server is defined in the slapd.envvars file in the LANG
environment variable.
Code Conversion Inconsistencies
For a proper code conversion, it is recommended to use only those characters which are common
to all involved code pages. Otherwise, it might happen that different source codes are mapped
to one target code. This, in turn, can raise inconsistencies between SAM and the target system.
The only safe indicator for such inconsistencies is a verification failure during an update.
Consistency Maintenance can neither detect non-mappable codes nor errors in the conversion table. Once detected, the inconsistencies can be repaired with the following steps, which
require some manual work:
First, check the used conversion table to see whether it maps all mappable codes, and all
of them to different destinations. If required, repair the table.
Next, perform a Consistency Maintenance run which only reports inconsistencies.
If the CM report contains the inconsistent object, it can be corrected via CM with the
specification Repair SAM.
If the CM report does not contain the inconsistent object, and the difference is in a non-key
field, a double update in SAM - with the Overwrite flag set - performs the correction.
The first update is required to forcibly change the occurrence in the target system. The
second update brings the occurrence back to the proper value status.
If the CM report does not contain the inconsistent object, and the difference is in a
key field, the objects must be deleted on both sides and then recreated with proper
values/codes. The deletion in the target system must be performed manually. The deletion
in SAM requires either of the following:
The target system-specific Update flag is not set.
The target system-specific Verify flag is not set.
159
The first alternative suppresses the corresponding delete operation in the target system
(which would fail). The second alternative ensures that the failed delete operation in the
target system does not cause a failure of the SAM operation.
Configuration
The configuration of the aConnect Agent takes place after this Agent has been installed as
explained in the section SAM Enterprise Installation Manual: aConnect Agent Installation of
the SAM Enterprise Installation Manual. The installed Agent is fully operative concerning
communication and order flow, or at least will be in that state after the configuration.
Configuring the aConnect Agent means setting entries in configuration files so that the communication between the Master Courier and the Remote Courier works, and verifying the successful
configuration with a test communication. The subsequent pages describe the details.
1 - TOM
Step 1 applies to the aConnect TOM. While the TOM itself does not need any configuration, the
aConnect target system must be prepared by defining the account through which SAM accesses
the database:
TOM User
The TOM user is SAMs user ID in an administration layer, i.e. in an LDAP directory. All
security maintenance operations are performed using this user ID. A user ID with sufficient
access rights is a prerequisite for the aConnect TOM.
See SAM Enterprise Release Guide: SAM aConnect in the chapter HW/SW Reference of the
SAM Enterprise Release Guide for information about the TOM users access rights.
2 - Remote Courier
In Step 2, you complete the Remote Courier configuration which was started during the installation of the aConnect Agent. The complete configuration involves two configuration files:
The RCINI file, which is short for Remote Courier initialization file, specifies details of the
communication mode with the Master Courier. This file was generated during the Agent
installation. See SAM Enterprise Installation Manual: Connection Definition in the SAM
Enterprise Installation Manual for the installation step in which the input was provided, see
RCINI File for a sample file, and see SAM Enterprise Operations Manual: RCINI Files in the
SAM Enterprise Operations Manual for details about the syntax.
The MsgINI file, which is short for Remote Courier messaging initialization file, specifies
details of the message routing from the Remote Courier to the central SAM components. See
MsgINI File for a sample file; see SAM Enterprise Operations Manual: Message Routing in
the SAM Enterprise Operations Manual for details about the syntax. The PHOST and PORT
160
statements in the MsgINI file specify the TCP/IP address and port of the SAM Messaging
Server. These values wer set during installation.
3 - Socket Daemon
In Step 3, you configure the Socket Daemon for proper operation as a started task and for proper
communication with the Master Courier. This is done by confirming or updating the settings
in two configuration files that were generated during the Agent installation, and by starting the
Socket Daemon:
The SDINI file, which is short for Socket Daemon initialization file, specifies details of the
communication mode with the Master Courier on one side and the Remote Courier on the
other. See SAM Enterprise Installation Manual: Connection Definition in the SAM Enterprise
Installation Manual for the installation step in which the file was created; see RCINI File for a
sample file; and see SAM Enterprise Operations Manual: SDINI Files in the SAM Enterprise
Operations Manual for details about the syntax.
The MsgINI file, which is short for Socket Daemon messaging initialization file, specifies
details of the message routing from the Socket Daemon to the central SAM components. See
MsgINI File for a sample file; see SAM Enterprise Operations Manual: Message Routing in
the SAM Enterprise Operations Manual for details about the syntax.
The installation program created these configuration files according to the values that were
entered during the installation dialog. Check whether the settings are as required. Then you
can proceed as follows to start the Socket Daemon:
1. Find out which name was given to the start procedure during the SAM installation on the
Handler Started Task Screen. The name was entered in the input field Socket Daemon
Started Task Name, and the installation program created the corresponding member in
the CNTLLIB.
2. Issue a START command for this procedure from the operator console for the z/OS environment in which the Remote Courier is running.
= It is strongly recommended to include the start procedure in your system start-up processing. A running Socket Daemon is required for the communication with the Master
Courier.
4 - Master Courier
In Step 4, you register the aConnect Remote Courier as one of the locations to which the Master
Courier can connect. This is done as follows:
161
1. Add a new <Location> element to the SAM global initialization file that applies to
the Master Courier. A <Location> element defines a Remote Courier for the Master
Courier. It must be contained in the <MasterCourier> element. Be aware that the
following parameters must be synchronized with settings on other platforms:
The id attribute in the <Location> element must be unique. This value is required
when you define the aConnect target system.
The attributes hostName and port in the child element <Connection> specify the
IP address and port of the Remote Courier, more exactly of the Socket Daemon.
They must be synchronized with the settings in the SDINI file.
For a description of the above XML elements, see the section SAM Enterprise Operations
Manual: SAM Global Initialization File in the SAM Enterprise Operations Manual.
2. After changing the SAM global initialization file, propagate the new settings to the components private initialization files; see SAM Enterprise Operations Manual: Making Changes
Effective for a description how to do this.
3. Start the SAM Client and issue the command SAM Enterprise User Manual: Management
Console to open a Management Console Navigation Window. Click go! to receive the list
entries for the manageable components, and double-click the list entry Master Courier to
open an Edit Window for the Master Courier.
4. The Edit Window presents the Master Courier General Data, which includes the command
checkbox SAM Enterprise User Manual: Reload MCINI. Mark this checkbox and press the
[Submit] button to have the command executed. The effect is that the Master Courier
reloads its <Location> definitions while leaving global settings unchanged.
With this step successfully performed, the Master Courier knows the new aConnect Agent,
which will be verified in the test of the next configuration step.
4. Refresh the Management Console and check the connection status. The value Connected
is proof of a successful test: It indicates that the Master Courier succeeded in connecting
to the Agent.
The connection will time out after some time, but you can also force a disconnect. Mark
the checkbox Disconnect and press Submit.
If a connection cannot be established, check the various INI files again, especially for identical
settings concerning TCP/IP address and port number.
1. Start the SAM Client and open a Target System Edit Window for your aConnect target
system.
2. The right half of the window should present the Technical Data Panel. If not, select this
data in the tree at the left:
3. Fill in the Location field. The field must contain the same ID as the <location> element
in the MCINI file; see Step 4.
4. Save your updates and close the window.
163
SDINI File
A Socket Daemon is controlled by an initialization file, called SDINI file for short. This file
was generated as part of the Agent installation and verified in the configuration Step 3.
The listing below shows SDINI00, a sample SDINI file. Follow the hyperlinks for details about
the various parameters:
/***************************************************************/
/***
***/
/***
SAMPLE DAEMON INI-FILE
***/
/***
***/
/*** THIS MEMBER WAS GENERATED DURING INSTALLATION
***/
/*** (2006/09/19, 15:39).
***/
/***
***/
/***************************************************************/
D:SAMSOCKETDAEMON:PORT=5110:EXECN=SAMSE3XR:TIMEOUT=180:
D:SAMADAPTER:EXECN=SAMSE3XL:
D:RCADD:EXECN=SAMSE3XR:INI=RCINI02
S:SAMWATCHDOG:TYP=SOCK:DAEMON=RPC:
The start procedure for the aConnect Socket Daemon refers to the SDINI file in the SDINI
DD-statement:
164
//SDINI DD DSN=&PREFIXB..USER.CNTLLIB(SDINI&INI),DISP=SHR
SDINI&INI is the name of the SDINI file, for example SDINI00.
SAMSOCKETDAEMON A symbolic name for a connection to the aConnect Remote Courier.
The first line specifies the default connection. This is the connection that will be started
unless the communication partner requests one of the other connections on the other lines.
You can use any string as the symbolic name. The only condition is that the same name
must be used in the Socket Daemon start procedure.
SAMADAPTER A symbolic name for a connection to the SAM Adapter. The connection
You can use any string as the symbolic name. The only condition is that the same name
must appear in the MCINI file as the ID attribute in the <connection> element.
If the Master Courier connects to the Socket Daemon sending the symbolic name, a Remote
Courier with a particular RCINI file is used, rather than the default specified on the first
line. For example, if one z/OS system runs RACF and DB2, you can define two connections,
each of them with a specific RCINI file.
SAMWATCHDOG A symbolic name for a special connection that is currently not used.
EXECN The name of the start procedure that will be called when the communication partner
of the respective line requests a connection.
PORT The TCP/IP port number. This number must be the same as specified in the
<port> entry (in the <location> block for this Remote Courier) in the MCINI file of
the Master Courier.
TIMEOUT An optional parameter that specifies the number of seconds during which the
Socket Daemon must start and hand over the communication to the Remote Courier. The
default value is 120 seconds.
Valid values are numbers in the range 10 - 300 (seconds). Any value must be followed by a
closing colon :.
INI The name of the RCINI file to be used for the connection that is specified on on this
line.
165
MsgINI File
Like any other component in a SAM Enterprise system, the Socket Daemon can issue error
messages according to the rules of SAMs messaging system. This system expects a messaging
initialization file for each component, called MsgINI file for short. The MsgINI file for the
Socket Daemon was generated during the Agent installation.
The listing below shows sdmsgini.xml, a sample MsgINI file for the aConnect Socket Daemon.
See SAM Enterprise Operations Manual: Message Routing in the SAM Enterprise Operations
Manual for details about the syntax.
<?xml version="1.0"?>
<!DOCTYPE messaging SYSTEM "../dtd/Messaging.dtd">
<messaging>
<msgController>
<host>AIXSERVER</host>
<prog>sockdaem</prog>
<vers>3.3</vers>
<prefix>SAM</prefix>
<user>sam</user>
<lang>en</lang>
<country>US</country>
<level>5</level>
<code>ISO8859-1</code>
</msgController>
<msgCatalog>
<id>1</id>
<name>SDCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/sdmsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>2</id>
<name>MPPICatalog</name>
<type>file</type>
<medium1>../messaging/catalog/mppimsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgDirectory>
<name>../messaging</name>
</msgDirectory>
<!-- Log File Definitions -->
166
<msgDevice>
<id>1</id>
<level>4</level>
<name>RCLogFile</name>
<type>file</type>
<preformat>true</preformat>
<length>80</length>
<indent>
</indent>
<preload>true</preload>
<msgWriteDeviceHandler>
<handler>MsgWriteDeviceHandlerFile</handler>
<fileName>../log/sdlog.txt</fileName>
</msgWriteDeviceHandler>
<msgFormatter>
<handler>MsgFormatterText</handler>
<addField>timestamp</addField>
<addField>prefix</addField>
<addField>className</addField>
<addField>number</addField>
<addField>level</addField>
<addField>pid</addField>
<addField>thread</addField>
</msgFormatter>
</msgDevice>
<!-- Connection to the Messaging Server -->
<msgDevice>
<id>2</id>
<level>3</level>
<name>TCP</name>
<type>console</type>
<preformat>false</preformat>
<maxErr>1</maxErr>
<preload>true</preload>
<msgWriteDeviceHandler>
<handler>MsgWriteDeviceHandlerServer</handler>
<tpname>MSG</tpname>
<profile>C:MSG:TYP=SOCK:PHOST=MSGSERVER:PORT=5151:</profile>
<codepage>ISO8859-1</codepage>
</msgWriteDeviceHandler>
</msgDevice>
</messaging>
167
Start-Up
The name for the start procedure of the z/OS Socket Daemon is specified during the SAM
Installation on the Handler Started Task Screen. The name is entered in the input field
Socket Daemon Started Task Name, and the installation program creates the corresponding
member in the CNTLLIB.
= In the subsequent text, <start-proc> stands for this procedure and/or its name.
The start-up is performed with a START command from the operator console for the z/OS
environment in which the Remote Courier is running. After a successful start, the Socket
Daemon issues this message:
If the command fails and this message does not occur, check the following:
The settings in the start procedure
The settings in the SDINI file
The z/OS system log for any error message in this context
If you cannot locate the error reason, contact SAM Customer Support.
Shut-Down
A z/OS Socket Daemon can be shut down with an operator console command. There are two
alternatives:
P <stc-name>
F <stc-name>,STOP
where <stc-name> is the started task name of the Socket Daemon, i.e. the name of the
procedure by which it was started.
Operator Commands
The only operator commands accepted by the z/OS Socket Daemon are those used for shutdown. See Shut-Down for details.
168
RCINI File
A Remote Courier is controlled by an initialization file, called RCINI file for short. This file
was generated as part of the Agent installation and verified in the configuration Step 2.
The listing below shows RCINI00, the z/OS-specific template for RCINI files. The installation
routine takes this template, enhances it according to the input from the installing administrator,
and stores it in a member whose name is also part of the input:
(Gen)
Daemon = YES
CallTomEndExit=YES
MsgINI File
Like any other component in a SAM Enterprise system, the Remote Courier can issue error
messages according to the rules of SAMs messaging system. This system expects a messaging
initialization file for each component, called MSGINI file for short. The file for the Remote
Courier was generated as part of the aConnect Agent installation.
The listing below shows rcmsgini.xml, an example of a messaging initialization file for the Remote
Courier. See SAM Enterprise Operations Manual: Message Routing in the SAM Enterprise
Operations Manual for details about the syntax.
169
<?xml version="1.0"?>
<!DOCTYPE messaging SYSTEM "../Messaging.dtd">
<messaging>
<msgController>
<host>AIXSERVER</host>
<prog>rc_tcpip</prog>
<vers>3.3</vers>
<prefix>SAM</prefix>
<user>sam</user>
<lang>en</lang>
<country>US</country>
<level>5</level>
<code>ISO8859-1</code>
</msgController>
<msgCatalog>
<id>1</id>
<name>RCUNIXCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/rcuxmsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>2</id>
<name>RCindepCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/rcindmsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>3</id>
<name>MPPICatalog</name>
<type>file</type>
<medium1>../messaging/catalog/mppimsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>4</id>
<name>TTOMCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/ttommsg.xml</medium1>
<preload>true</preload>
170
</msgCatalog>
<msgCatalog>
<id>4</id>
<name>OBOXCatalog</name>
<type>file</type>
<medium1>../messaging/catalog/OBOXmsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgCatalog>
<id>5</id>
<name>TSICatalog</name>
<type>file</type>
<medium1>../messaging/catalog/TSImsg.xml</medium1>
<preload>true</preload>
</msgCatalog>
<msgDirectory>
<name>../messaging</name>
</msgDirectory>
<!-- Log File Definitions -->
<msgDevice>
<id>1</id>
<level>4</level>
<name>RCLogFile</name>
<type>file</type>
<preformat>true</preformat>
<length>80</length>
<indent>
</indent>
<preload>true</preload>
<msgWriteDeviceHandler>
<handler>MsgWriteDeviceHandlerFile</handler>
<fileName>../log/rclog.txt</fileName>
</msgWriteDeviceHandler>
<msgFormatter>
<handler>MsgFormatterText</handler>
<addField>timestamp</addField>
<addField>prefix</addField>
<addField>className</addField>
<addField>number</addField>
<addField>level</addField>
<addField>callingClass</addField>
<addField>callingFunction</addField>
</msgFormatter>
</msgDevice>
171
Start-Up
A z/OS-based Remote Courier is exclusively started by the Socket Daemon, after this watchdog
program received a communication request from the Master Courier. The orders from the Master
Courier determine when the Remote Courier shuts down again.
There is no way of manually starting or shutting down the Remote Courier.
Shut-Down
A z/OS-based Remote Courier is exclusively started by the Socket Daemon, after this watchdog
program received a communication request from the Master Courier. The orders from the Master
Courier determine when the Remote Courier shuts down again.
There is no way of manually starting or shutting down the Remote Courier.
Operator Commands
A z/OS-based Remote Courier does not accept direct commands.
aConnect TOM
The TOM (meaning Target System Operation Module) is the sub-component in an Agent
which directly contacts the target system and therefore appears as SAMs representative from
the perspective of the target system or its access control subsystem. Only the TOM knows
172
how to read from or write into the target system database. As the other sub-components in an
Agent are platform-specific, the TOM is the only sub-component that is really specific to the
particular target system interface, here aConnect.
In order to perform its duty, the aConnect TOM needs an account in the access control system
that protects the target system. This account must be properly authorized to perform the
necessary accesses.
Technically, the TOM is started as a sub-task of the Remote Courier. The handling of the
aConnect TOM is the topic of this section. The descriptions on the following pages can be
summarized as follows:
The TOM was completely provided by the manufacturer and configured as part of
the Agent installation. In contrast to other TOMs, the aConnect TOM does not
have a configuration file because there is nothing to be configured.
TOM Configuration
In short: the aConnect TOM has no configuration file. In the longer version, the explanation is
as follows:
A TOM configuration file specifies whether the TOM for the respective target system is scriptbased or DLL-based and, in the latter case, the name of the DLL. For the aConnect TOM,
which is completely provided by the manufacturer, there are no alternatives that might result
from any customer-specific development. So the TOM configuration file is unnecessary.
TOM User
The TOM user is SAMs user ID in an administration layer, i.e. in an LDAP directory. All
security maintenance operations are performed using this user ID. A user ID with sufficient
access rights is a prerequisite for the aConnect TOM.
See SAM Enterprise Release Guide: SAM aConnect in the chapter HW/SW Reference of the
SAM Enterprise Release Guide for information about the TOM users access rights.
173
Initial Load
The current version of SAM aConnect does not support functions for Initial Load.
In order to take over security data from an existing application system, the functions of the
Import Interface are the most likely candidates for a replacement. Such an approach requires
a customer-specific program that creates the import transactions from the existing security data
in the application.
174
Consistency Maintenance
Consistency Maintenance (CM) is a SAM utility which compares SAMs image data with the
security data in the aConnect target system. If the two are inconsistent, CM can automatically
update the SAM database and/or the application database to restore consistency.
= You should run CM on a regular basis to ensure that security administration with SAM
is based on consistent data.
The following diagram provides an overview of a CM run. The steps and actions are explained
below:
1. An administrator specifies the scope of the CM run. The maximum scope is an entire
aConnect target system, but it is also possible to select individual business object types
or image tables.
For example, an administrator can choose to run CM for all aConnect accounts. Alternatively, the administrator can restrict CM to the account general data table or any other
175
image table. Whatever the specification may be, CM resolves it into a list of image tables
to be processed.
2. CM locks the target system to prevent administrators from making updates in SAM while
CM is running.
3. CM unloads the required image data from the SAM database. If necessary, this data is
sorted.
4. For every selected image table, CM instructs the Master Courier to extract the target
system data from the application database. If necessary, this data is sorted.
5. The data from both sides goes through a check process whose unit of work is a single
occurrence in a table. These are the possible results:
Exists
Exists
Exists
Exists
only in SAM
only in the target system
in both but with different attributes
in both and with identical attributes
6. If an inconsistency is found, CM consults the repair rules to find out what to do. These
are the possible actions:
Generate repair transactions
Report the inconsistency
Ignore the inconsistency
For example, the CM check may find a user that exists only in SAM. If the repair rule is
Repair TS, CM generates transactions to create the user in the application database.
7. SAM executes the repair transactions to restore consistency between the SAM database
and the application database. The effects are the same as if an administrator had manually
performed the updates.
8. Finally, CM unlocks the target system.
CM creates a report about all inconsistencies. This report can be found in the CMMSGOUT dataset.
It lists successful repair actions, failures, and those occurrences that were excluded from the
automatic repair. The information helps administrators to analyze the results of a CM run.
CM Repair Rules
A Consistency Maintenance (CM) repair rule specifies what to do after finding an inconsistency
during CM. SAM provides rules in a category matrix, in a hierarchy matrix, and with six different
values representing the action to be taken. The following inconsistencies can occur:
Not in SAM
Not in TS
176
Different Attributes
Not in SAM means that a particular business object is found in the target system but not in
SAM. The repair action applies to the entire object. However, different attributes of the object
can be handled according to repair rules from different hierarchy levels.
Not in TS means that a particular business object is found in SAM but not in the target
system. As before, the repair action applies to the entire object and can involve repair rules
from different hierarchy levels for different attributes.
Different Attributes means that a particular business object is found in both SAM and the
target system but with different values in one or several attributes. The repair action applies
to the different attributes, and each attribute can be considered as an inconsistency of its own
with its own repair rule.
These inconsistency types represent the first dimension of the category matrix. The second
dimension is formed by the scope to which a particular rule applies. The supported scopes are
System
Table
Key range in table
Key in table
This is further discussed in Rule Hierarchies, because the scopes also represent a dimension
in the hierarchy matrix, in which the second dimension is formed by the question whether an
inconsistency applies to an entire business object or just to a particular attribute.
All repair rules for a particular target system are stored in attributes of the target system
definition at enterprise level. Follow the above hyperlink to find a graphic with click-sensitive
boxes leading to them.
For any repair rule more specific than Table Level, SAM defines a list of tables and fields for
which key ranges and single key values can be specified. The last two pages in this section deal
with this topic.
Depending on the type of inconsistency, this action can be an insertion (Not in TS), a deletion
(Not in SAM), or a value change (Different Attributes). This action can be invalid for certain
object types and attribute types. For example, a time stamp Last Login can never be repaired
in this way.
Report is an instruction to list the inconsistency in the CM report but not do anything that
would perform an automatic repair operation. This action is valid for all object types, attribute
types, and levels.
Ignore is an instruction to ignore the inconsistency so that it does not even cause an entry in
the CM report. This action is valid for all object types, attribute types, and levels.
Update Statistics is an instruction to silently repair the inconsistency. This is a special case
of Repair SAM which can only be applied to statistical or time stamp attributes. It means that
the SAM image is updated to the status of the target system data without creating an entry in
the CM report. This rule is applied to attributes which cannot be right in SAM, such as Last
Login.
Use Default is an instruction to resort to the next higher level in the hierarchy matrix and
apply the rule specified there. See Rule Hierarchies for the matrix and the default references,
which are expressed by arrows in the graphic on this page. This action is invalid on the system
level, because there is no higher level to which to resort, and for rules that are specific to fields.
SAM always uses the most specific rule it can find for a particular type of inconsistency and
data element. The evaluation process determines the most specific rule as follows:
System Level stands for the least specific rule, stored in the technical data of the respective
target system. This rule is used if nothing better is found, or if the case-related rule at table
level says Use Default.
178
Table Level is the next better level, the standard for ninety-five percent of all cases and the
most specific level for all target system types which do not support type-specific rules. These
rules - one for each table type - are stored in the table definitions of the respective target
system. They are used if nothing better is found, or if the case-related rule at key range level
says Use Default. Furthermore, these rules are used for all attributes in the object for which
there is no entry at field level.
Key Range Level requires that the target system interface supports type-specific repair
rules; see the next two pages for details. Such rules define that certain object types and/or
key ranges in a table should be treated according the the specified action, rather than the
table-wide setting. Such rules are always customer-specific. They are stored in the table type
data of the respective target system. They are used unless there is an even more specific rule
at key value level. Furthermore, these rules are used for all attributes in the object for which
there is no entry at field level.
Key Level is a special case of Key Range Level in which the rule applies to just one key
value, i.e. to a single business object. In all other regards, this case is equivalent to the one
explained above.
The description so far explains how the relevant repair rule is evaluated if a business object with
inconsistencies is found. If the inconsistency is one of the cases Not in SAM or Not in TS,
the evaluation ends here because field-specific settings are irrelevant for them. the evaluation
continues only if the object exists on both sides but with different attributes:
Fields at table level are only relevant if the rule evaluation at occurrence level stopped at
table level, i.e. if there was no type-specific rule. Then, a particular attribute (i.e., field) is
repaired according to its rule in the field data of the target system or, if this rule says Use
Default, according to the table rule at occurrence level.
Field Types at key range level are only relevant if the rule evaluation at occurrence level
reached the key range level and there was no more specific rule at key level. Then, a particular
attribute (i.e., field) is repaired according to its rule in the field types data of the target system
or, if this rule says Use Default, according to the table type rule at occurrence level. Note:
When inserting a type rule at table level, SAM automatically creates the complete list of field
types for it, initially all set to Use Default.
Field Types at key level are only relevant if the rule evaluation at occurrence level reached
this most specific level. Otherwise, the handling is the same as for field types at key range
level.
Object type: There are many cases in which one table contains different types of business
objects. For example, if there is one table for resource connections, but the target system
supports several types of resources and several types of objects requiring access, the object
category resource connection can split into multiple types. Another common case are the
tables for dependent data in uConnect-based target system interfaces, in which the concept
of sub-types is fully incorporated.
Key Range: Even within a sub-type or sub-category, a customer may need repair rules that
apply only to a certain key range. Key ranges are defined by their key prefix. Every business
object whose key matches the key prefix in the rule is handled according to this rule (unless
there is a more specific rule; see below.)
Key Value: It is possible to define a rule with a key prefix that can be matched by just one
specific business object. Such rules are used if certain single objects play a very special role
in the target system.
Type-specific repair rules can only be used within the supported scope of tables and key fields,
which differ depending on the target system interface. The page Type Support specifies the
supported range for this target system interface. The method is always the same:
The business object Target System Table Types appears in the GUI when expanding the
tree for a target system via Technical Data -> Tables -> Types; see SAM Enterprise User
Manual: Types. This means that the assignment to a specific table is already implicit. (When
using the Import Interface, the associated table is one of the values that must be specified.)
The data panel for a table type object shows a field Entity Key and the three rule fields for
the three cases Not in SAM, Not in TS, and Diff. Attr. (plus the usual time stamps). In
other words, the single attribute Entity Key determines the type and key range to which
the rule applies.
The value for the Entity Key attribute can be a key prefix or a concatenation that is split
into field-specific sections according to a table-specific algorithm. The next page explains
which fields to use/concatenate for a particular table.
For example, uConnect tables for dependent data use a type field and a key field. The type
field specifies the object type. The key field specifies the object to which the dependent data
belongs. Type-specific repair rules for such tables have a value in Entity Key which is a
concatenation of (complete) type value and key prefix.
If the value in Entity Key represents a concatenation of two fields, its value is interpreted in
a way that can best be illustrated in an example:
Assume a TYPE field of 16 bytes and a KEY field of 64 bytes being the ones for which
a concatenation is placed in Entity Key
Any value of less than 16 bytes is interpreted as a selector for a type range: all objects
whose TYPE prefix matches the selector are qualified.
180
A value of exactly 16 bytes is interpreted as a type selector. All objects whose TYPE
value matches the selector are qualified.
A value of more than 16 bytes is interpreted as a key range selector within a certain
type. All objects whose TYPE value matches the first 16 bytes in the selector and
whose KEY prefix matches the remaining bytes in the selector are qualified.
This concept can be extended until the selector matches just one specific object: the
remaining bytes after the 16-byte type prefix match the KEY value of just one object.
When inserting a new table type in the target system, SAM automatically copies the full list of
field definitions as field types under this entry. By default, all are set to Use Default, meaning
the table type applies to it. Setting field-specific rules for the case Different Attributes is
done by opening the respective field type and changing the repair rule to something else.
Changing the sequence to process groups after connections is no solution either. IC2 can
now be solved but IC1 causes an error. The connection that corresponds to the AIX
membership cannot be created in SAM because the group does not yet exist.
The conclusion from this example is that Consistency Maintenance must be run twice.
There is another case in which Consistency Maintenance seems to fail, but in fact does everything
according to the definitions. For each image table definition in SAM, the field List TOM specifies
the TOM which retrieves data from the target system. If the value is NOTOM, Consistency
Maintenance does nothing for this table. This is reported with a message in the job protocol.
Tables List
This section lists the image tables for SAM aConnect with their important attributes and the
list of business objects stored in them:
Click a column title to open a pop-up that explains the column logic.
Click a table name/repeater to open an Import Interface XML structure.
Click a business object name to open the logical object description.
For more details, see the pop-up for the respective column. Note that generic business objects
are not listed below. If a business object has a generic version - e.g., a user policy account - this
version is found in the same table as the discrete counterpart.
CMSN
Table Name
Business Object
10
ACONTS
****
ACONTSC
****
ACONTSCA
****
ACONTSCV
****
ACONTSCR
****
ACONTSCD
****
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
Target
Target
Target
Target
Target
Target
Target
Target
Target
Target
Target
Target
ACONUS
****
****
ACONUSA
****
****
ACONUSAV
****
****
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
Account
Account
Account
Account
Account
Account
Account
Account
Account
11
13
14
15
--
20
21
22
Object Data
System
System
System
System
System
System
System
System
System
System
System
System
aConnect Data
Defaults
Class
Defaults
Class Attribute
Defaults
Class Attribute Value
Defaults
Class Attribute Reference
Defaults
Allowed Class
Defaults
General Data
Template
Defaults
Attribute
Template
Defaults
Attribute
Template
Defaults
182
Attribute Value
CMSN
Table Name
Business Object
30
ACONUG
****
****
ACONUGA
****
****
ACONUGAV
****
****
ACONUGD
****
****
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
Group
Group
Group
Group
Group
Group
Group
Group
Group
Group
Group
Group
ACONUMS
****
aConnect
aConnect
plate)
aConnect
faults)
aConnect
aConnect
aConnect
aConnect
plate)
aConnect
faults)
aConnect
aConnect
plate)
aConnect
faults)
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
Access Resource
Access Resource Template
Access Resource Defaults
Object Resource
Object Resource Template
Object Resource Defaults
Access Resource
Access Resource Template
Access Resource Defaults
Object Resource
Object Resource Template
Object Resource Defaults
Access Resource
Access Resource Template
Access Resource Defaults
Object Resource
Object Resource Template
Object Resource Defaults
Access Resource
32
33
--
40
****
41
****
****
ACONUMSA
****
****
42
ACONUMSAV
****
****
50
51
52
53
ACONRS
****
****
****
****
****
ACONRSR
****
****
****
****
****
ACONRSRA
****
****
****
****
****
ACONRSRV
Object Data
General Data
Template
Defaults
Attribute
Template
Defaults
Attribute Value
Template
Defaults
Forbidden Group
Template
Defaults
General Data
Attribute
Attribute Value
183
General Data
Rule
Rule Attribute
CMSN
--
--
--
Table Name
Business Object
****
****
****
****
****
aConnect
aConnect
aConnect
aConnect
aConnect
ACONRG
****
****
****
****
****
ACONRGD
****
****
****
****
****
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
aConnect
Access R.Group
Access R.Group Template
Access R.Group Defaults
Object R.Group
Object R.Group Template
Object R.Group Defaults
Access R.Group
Access R.Group Template
Access R.Group Defaults
Object R.Group
Object R.Group Template
Object R.Group Defaults
ACONRMS
aConnect Access
source)
aConnect Access
source Template)
aConnect Access
source Defaults)
aConnect Object
source)
aConnect Object
source Template)
aConnect Object
source Defaults)
****
****
****
****
****
80
ACONAU
****
****
****
****
****
81
ACONAUA
****
****
****
****
Object Data
General Data
Forbidden Group
complete
R.Group Connection (ReR.Group Connection (ReR.Group Connection (ReR.Group Connection (ReR.Group Connection (Re-
184
General Data
Authorization
CMSN
Table Name
Business Object
Object Data
****
CMSN The table sequence number determines the order in which the tables are processed
during Consistency Maintenance and Initial Load.
For example, if table A has the number 10 and table B has the number 5, table B is processed
before table A. The value itself is meaningless; only the order is relevant.
Table Name The table name in the SAM database.
Clicking the table name or the repeater **** opens the XML structure description in the
Import Interface for the business object (data) listed in the same row.
Note: If a row has no link in the column, the respective business object cannot be administered using the Import Interface. This is always the case for defaults objects.
Business Object The name of the business object stored in the table - either with the data
The name for the dependent data remains the same for all business objects in a group.
Accordingly, the name is listed only in the first row of such a group.
Configuration Object
A CM configuration is a business object of the category utility configuration which refers to
Consistency Maintenance (CM) as the utility to be configured, and to aConnect as the target
system interface. Both settings specify the exact list of image tables that may or may not be
included in a particular utility invocation.
= A CM configuration is necessary for starting a CM run. Make sure that at least one
CM configuration is available for target systems of the type aConnect if you administer
aConnect systems with SAM.
Depending on how you organize CM, a single CM configuration with generic settings may be
sufficient for all your aConnect target systems. Alternatively, you can create CM configurations
with specific settings for every single target system. To create a new CM configuration, proceed
as follows:
1. Start the SAM Client and open a Utility Configuration Navigation Window.
You can use the command Tools -> Utility Configurations from the menu bar.
2. Open the creation dialog.
You can use the command Edit -> New Utility Configuration from the menu bar.
The dialog starts up with a single field. When you fill in a field and press Next, the next
field is displayed. You must fill in these fields to create a new CM configuration:
Utility must contain the value CM.
TS Type must contain the value aConnect.
Configuration ID is an arbitrary ID for your CM configuration.
3. After you have filled in all fields in the dialog box, pressing Next once more opens an
Edit Window with your new CM configuration. Fill in the fields and press Submit to
submit your changes and save the configuration. See SAM Enterprise User Manual: CM
Configuration in the SAM Enterprise User Manual for a description of all settings in this
business object.
186
Interactive Run
SAM Enterprise provides two methods for invoking Consistency Maintenance (CM), an interactive one and a batch function. This section explains how to invoke CM interactively using
standard functions in SAMs graphical user interface (GUI).
Both methods refer to the CM configuration object whose creation is explained in Configuration Object. Remembering the configuration ID given to the business object is a prerequisite,
although the interactive method simplifies the task by providing a selection list in which the
configuration can be easily found.
1 - Configuration Selection
See SAM Enterprise User Manual: Consistency Maintenance in the SAM Enterprise User Manual
for a full description of the involved windows and data panels.
In Step 3 of the interactive invocation, you start the previously created utility run object. This
is equivalent to invoking Consistency Maintenance with the settings in the run object. This is
done in the Utility Run Edit Window displaying the created run object:
189
1. Make sure the settings are as desired for the planned job.
2. Press Start to start the utility run object.
SAM stores the equivalent batch job in the Queue and executes it according to the settings
and conditions.
See SAM Enterprise User Manual: Consistency Maintenance in the SAM Enterprise User Manual
for a full description of the involved windows, panels, and dialog functions.
Batch Run
As an alternative to the interactive method described in Interactive Run, Consistency Maintenance (CM) can be executed with a batch transaction for the Import Interface. This transaction
starts a utility run object that is created from a utility configuration object, which is the same
action as in the interactive run. Proceed as follows to build and submit a batch transaction for
invoking CM:
1. Create an import transaction that refers to an existing CM utility configuration.
The business object ID is SUTL CM Template. You must use the operation name start
to start a new CM run. The following listing shows an example in which My-aConnectTS represents the TS ID of the aConnect target system for which CM should be performed:
190
= Due to the special nature of the Start command, a batch run is practically limited
to the settings found in the originating utility configuration. More exactly, the Start
command is limited to changes in the root object of the utility run. So if this run
should be special in any regard, the respective settings and candidate selections must
be made in the configuration. In this sense, the batch method is not quite as flexible
as the interactive method.
= In contrast to an interactive start, the batch transaction start supports file transfer
orders that take place after the utility job and deal with job logs and protocols and
their transfer to another destination. See SAM Enterprise Operations Manual: File
Management Functions for a detailed description.
2. Save the file with your import transaction.
3. Call the Import Interface passing the file name. You can use this command:
startSamImport.bat <file> <user id> <password>
<file> stands for the file name or URL of your import transaction. <user id> is a
user ID and <password> the corresponding password. The user must be authorized to
use the Import Interface.
CM Unlock/Restart
The most significant control attribute in a CM utility run is the SAM Enterprise User Manual:
CM Mode, a drop-down combo box that offers three options, representing three operation modes:
Normal applies to a target system in normal state.
Restart applies to a target system on which a previous CM job failed.
191
Unlock/Stop also applies to a target system on which a previous CM job failed, but in
contrast to Restart, it cancels the job, rather than to attempt a completion by running
the tables that did not run in the failed job, starting with the one that caused the failure.
Follow the above link to the field description for more details about the three operation modes.
Note, though, that only the Normal mode must be accompanied by a list of tables: Restart
processes the tables left from the failed job, and Unlock/Stop does not process tables at all.
192
Deleting Attributes
Attributes in an aConnect system can be connected to nearly every other business object type.
When it comes to the deletion of an attribute, the list of possible references splits into two
categories:
References from within resources prevent the deletion of the respective attribute: Any
attempt to delete an attribute still referenced from a resource rule entry causes an error
message.
References from other business object types, e.g. accounts or groups, do not prevent
the deletion; they will be automatically deleted as part of the process which deletes the
respective attribute.
193
Contrary to what the function title suggests, Delete Attributes only deletes references to the
specified attributes. Furthermore it only deletes those references which prevent the deletion of
the attribute itself. The other references will be automatically deleted as part of the process in
which the attribute itself is deleted. Note: Deleting the attributes themselves is not part of the
function nor of another function in the aConnect Toolbox; this is done manually or in a batch
job.
The utility can be configured for any number of attributes, each of them specified by a separate
entry in the list of dependent objects for the configuration and later for the run object. Assigning
the attributes to be prepared for deletion is a simple task in a dialog session. The assignment
dialog allows you to select first the attribute class and then attributes of this class, or all of
them. This list can still be modified, until the run object for the job is started: This is the time
when all settings are fixed.
Like the other functions, Delete Attributes supports a statistics mode in which the utility
only provides reports of what would have been done, had this job been run in sharp mode, i.e.
update mode. The same reports are also provided from a run which really deletes the references.
3. After you have filled in all fields in the dialog box, pressing Next once more opens an
Edit Window with your new aConnect Toolbox configuration. Fill in the fields of the
configuration general data and then deal with the dependants:
4. Expanding General Data in the tree at the left reveals an entry Deleting Attributes
which is initially empty. As explained in more detail in SAM Enterprise User Manual:
Configuration - Delete Attributes, you can add and remove attributes to be deleted by
opening a dialog box in which entire attribute classes or single attributes are selected.
196
5. Press Submit to submit your changes and save the configuration. These settings - including
the list of dependants - serve as template for run objects; only when starting a run object,
the job settings are really fixed.
3. After you have filled in all fields in the dialog box, pressing Next once more opens an
Edit Window with your new aConnect Toolbox configuration. Fill in the fields of the
configuration general data and then deal with the dependants:
197
4. Expanding General Data in the tree at the left reveals an entry Deleting Resource
Group Connections which is initially empty. As explained in more detail in SAM Enterprise User Manual: Configuration - Delete Resource Group Connections, you can add and
remove resource groups to be deleted by opening a dialog box in which entire type sets or
single groups are selected.
5. Press Submit to submit your changes and save the configuration. These settings - including
the list of dependants - serve as template for run objects; only when starting a run object,
the job settings are really fixed.
1. Start the SAM Client and open a Utility Configuration Navigation Window.
You can use the command Tools -> Utility Configurations from the menu bar.
2. Open the creation dialog.
You can use the command Edit -> New Utility Configuration from the menu bar.
The dialog starts up with a single field. When you fill in a field and press Next, the
next field is displayed. You must fill in these fields to create a new aConnect Toolbox
configuration:
Utility must contain the value aConnect Toolbox.
Function must contain the value Update Activity Status.
Configuration ID is an arbitrary ID for your configuration.
198
3. After you have filled in all fields in the dialog box, pressing Next once more opens an
Edit Window with your new aConnect Toolbox configuration. Fill in the fields of the
configuration general data and then deal with the dependants:
4. Expanding General Data in the tree at the left reveals an entry Updating Activity
Status which, when expanded by itself, reveals the list of entities. This list is fixed, but
the setting for a particular entity can be Attend or Ignore. Go through all entities and
make sure to switch them on or off as desired. This is explained in more detail in SAM
Enterprise User Manual: Configuration - Entity.
5. Press Submit to submit your changes and save the configuration. These settings - including
the list of dependants - serve as template for run objects; only when starting a run object,
the job settings are really fixed.
the entry points SAM Utility Conf and SAM Utility Run
view authorization for the business object ACON Acontool Template BO
insert and change authorization for the business object ACON Acontool Active BO
authorizations for the access codes used by the two above business objects
199
If the business object IDs (BO IDs) for the involved objects are required in the course of access
right granting, they can be found in the context menus of these objects in SAMs graphical user
interface (GUI). The documentation of the Import Interface transactions for the configuration
object includes the specification of the BO IDs; the corresponding BO ID for a run object is the
same ID, only with Active instead of Template at the end.
200
3. Select an aConnect Toolbox configuration that meets the requirements. Note: As the
field Function does not appear as a column in the selection list, you will appreciate
configuration IDs and/or description texts which identify the represented function, as
shown in the above example.
4. Double-clicking the selected object opens a Utility Configuration Edit Window displaying
the selected configuration; see next page.
See SAM Enterprise User Manual: aConnect Toolbox in the SAM Enterprise User Manual for
a full description of the involved windows and data panels.
2 - Utility Run Creation
In Step 2 of the interactive invocation, you create a utility run object from the previously selected
utility configuration object. The run object will be the one in which the exact settings for the
utility execution are specified. This is done as follows:
1. The assumption is that the previously selected aConnect Toolbox configuration is displayed
in a Utility Configuration Edit Window. This window may look as follows:
2. Make sure the settings are as desired for the planned job: The Start command is the
time when all settings are fixed.
3. Press Start to start the utility run object.
SAM stores the equivalent batch job in the Queue and executes it according to the settings
and conditions.
See SAM Enterprise User Manual: aConnect Toolbox in the SAM Enterprise User Manual for
a full description of the involved windows, panels, and dialog functions.
Batch Run
To execute the aConnect Toolbox in batch mode, you create and submit an aConnect Toolbox
run object using the Import Interface. This is done as follows:
202
1. Create a file with an import transaction that refers to an existing aConnect Toolbox
configuration. The business object ID is Acon Acontool Template BO. You must use the
operation name start to start a new aConnect Toolbox run. The following listing shows
an example:
<?xml version="1.0" encoding ="ISO-8859-1" ?>
<!DOCTYPE qInput SYSTEM "http://www.betasystems.com/sam/dtd/Import.dtd">
<qInput>
<businessObject name="ACON_AconTool_Template_BO" opName="start">
<!-- Keys of a Toolbox configuration -->
<attribute name="BASETAB-SAM-ID2" value="MyAconToolbox" />
<!-- Parameters for a Toolbox run -->
<!-- Target system ID -->
<attribute name="BASETAB-C-08-01" value="MYACONTS" />
</businessObject>
</qInput>
= Because of the special nature of the Start command, a batch run is practically
limited to the settings found in the originating utility configuration. More exactly,
the Start command is limited to changes in the root object of the utility run. So
if this run should be special in any regard, the respective settings and candidate
selections must be made in the configuration. In this sense, the batch method is not
quite as flexible as the interactive method.
= In contrast to an interactive start, the batch transaction start supports file transfer
orders that take place after the utility job and deal with job logs and protocols and
their transfer to another destination. See SAM Enterprise Operations Manual: File
Management Functions for a detailed description.
2. Save the file with your import transaction.
3. Call the Import Interface passing the file name. You can use this command:
startSamImport.bat <file> <user id> <password>
<file> stands for the file name or URL of your import transaction. <user id> is a
user ID and <password> the corresponding password. The user must be authorized to
use the Import Interface.
203