JavaScript Validation of an Attribute Entry

This came up on the SAP NetWeaver Identity Management forum and since I had to take the screen shots anyway I thought I would show it step by step. In this scenario we are creating a new contractor and we want to set the validation attribute such that its maximum value is not greater than one year from today. I am assuming that one already knows how to create basic workflows.

1. First we open the attribute MX_VALIDTO and click on the Validation tab.

[Image: Validation Tab]

2.  We are going to use Client-side script. Click edit and it shows an example in a format we must follow so PHP can evaluate it properly.

[Image: Client-side script example]

3. Next we enter the JavaScript (originally written by Scott) that will check the validity of the entered date. The date is passed in from the workflow as yyyy-mm-dd. Because JavaScript counts months starting at 0, we subtract 1 from our month value (line 5). If the date entered is less than the maximum permissible date, the date is returned. If it is more, we return an error message. Later this script will be set as a string value called myscript in PHP and evaluated.

[Image: JavaScript Validation Code]

[Image: PHP code in Workflow]

4.  Next we set up our workflow and choose our attributes by creating an unordered task which creates a new entry of the MX_PERSON entry type.  Access Control is set to logged in users.

[Image: Unordered Task]



5. Next we test our validation in the workflow Create Contractor and enter the values, including an improper “valid to” date.

[Image: Create Contractor Workflow]

6. Click OK and receive the error message.

[Image: Error Message]
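The check described in step 3, written out as an added example (the original script is not reproduced in the text of this page, and this is not Scott's code). The names validateValidTo and parseIsoDate and the "ERROR: " prefix are assumptions, and the wrapper format that the IdM client-side script editor expects is not shown.

```javascript
// Added example; function names and messages are assumptions, not SAP IdM APIs.
const ERROR_PREFIX = "ERROR: ";

// Parse a strict yyyy-mm-dd string into a local-midnight Date, or return null.
function parseIsoDate(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(text);
  if (!m) return null;
  const year = Number(m[1]);
  const month = Number(m[2]) - 1; // JavaScript counts months from 0
  const day = Number(m[3]);
  const d = new Date(year, month, day);
  // Date silently rolls 2024-02-31 over into March; reject such input instead.
  if (d.getFullYear() !== year || d.getMonth() !== month || d.getDate() !== day) {
    return null;
  }
  return d;
}

// Returns the entered date when it is valid, otherwise an error message.
// `today` is a parameter so the rule can be tested with a fixed date.
function validateValidTo(entered, today = new Date()) {
  const text = String(entered).trim();
  const value = parseIsoDate(text);
  if (value === null) {
    return ERROR_PREFIX + "date must be a real calendar date in yyyy-mm-dd format";
  }
  // Maximum permissible date: the same day one year from today.
  const max = new Date(today.getFullYear() + 1, today.getMonth(), today.getDate());
  if (value.getTime() > max.getTime()) {
    return ERROR_PREFIX + "valid-to date may not be more than one year from today";
  }
  return text;
}

// Constructed sample input, evaluated against a fixed "today" of 2024-01-15.
const sampleToday = new Date(2024, 0, 15);
for (const input of ["2024-12-31", "2025-01-15", "2025-01-16", "2024-02-31"]) {
  console.log(input, "->", validateValidTo(input, sampleToday));
}
```

A client-side check like this only guides the person filling in the form; the same limit has to be enforced where the value is stored if it is meant as a control.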

Workarounds for dealing with attributes

I blogged previously about how annoying it can be to scroll through all the attribute objects in NW IDM. However, I recently remembered a workaround that can help with managing all the attributes.

If there are attributes that you know you won’t need, do one of two things:

  1. Delete them – This might seem somewhat obvious, but you’d be surprised how many people think that the attribute objects are critical to NW IDM. Most are not, but some are (MSKEYVALUE and those dealing with roles and privileges come to mind). But to be on the safe side, consider option #2.
  2. Rename them – I usually put a ‘z’ in front of the attribute (i.e., zMX_ACCOUNTING_NUMBER) so it drops to the bottom of the list.

I’m more partial to #2, because I’ve always found that as soon as I delete something, I wind up needing it.

While we are talking about renaming attributes, here are some other tips:

  • If there’s an attribute that I’ll need quite often, I’ll put an underscore ‘_’ in front of it so it goes to the top of the list (i.e., _ldapDN)
  • When creating attributes, use prefixes to group them together: “home_address”, “home_email”
  • Finally, try and keep attribute names and prefixes as short as possible, but not so short that they are hard to keep straight.
    • Prefixes: P_ = Personal, H_ = Home, W_ = Work, R_ = Remote, C_ = Contractor, etc
    • Names are tougher since language localization and organizational standards frequently get in the way

I’d be interested to see what others are doing in this regard as well.

Installing VDS as a Service

Here is a quick step by step guide for installing a VDS configuration as a service.  This goes into more detail than the help file.

  • Once you have the server up and fully tested you will want to install it as a service.  First stop the server.  Right click the Virtual Directory Server root in the left hand pane and select Properties.
    [Image: Virtual Directory Server Properties]

  • From the General Tab select the NT Service radio button.
    [Image: Selecting the NT Service Radio Button]

  • In the Service Name dialog box, type a meaningful name (in this case, an HCM connection), then click Apply.
    [Image: Service Name]

  • Next click the Install Service button and then click OK.
    [Image: Install Service]

  • You can now either start the service from the application or do it from the services in the control panel.
    [Image: Start]

  • Check the lower status bar to make sure it’s working. Note that Application Name will change to Service Name. You’re finished. This is the sequence that has produced a consistent result.
    [Image: Status Bar]

Bug with md5 hashed security answers

When working with the recover password task in IdM we came across a bizarre bug with the security questions/answers used to authenticate a user so that they may change their password.

When a user sets up their security questions and answers, if they happen to use an uppercase letter in at least one of their answers, and if you’ve chosen to store the security answers as an MD5 hash in the identity store, your user will not be able to recover their password. Why? Because the PHP page for the “Recover Password” task has a line of code that goes ahead and impulsively converts your security answers to lowercase. As a result, the answers typed during recovery can never match the stored security answers, which were originally hashed with their uppercase letters intact.

This buggy line of code exists in the “changepassword.php” file of the workflow interface, on line 717:

$md5Value = md5(strtolower($outputArray[$key]));

Removing the “strtolower” function from the above line of code makes it look like this:

$md5Value = md5($outputArray[$key]);

And, that should fix the bug. It’s quite a strange error and if you’re not aware of where it stems from you could waste many hours looking in the wrong place.
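The mismatch can be reproduced outside IdM. The following is an added example, not SAP code: it models enrollment (hash with case intact) and the two versions of the recovery check in Node.js, and the function names and sample answers are assumptions constructed for illustration.

```javascript
// Added example, not SAP code: models the enrollment and recovery paths described above.
const crypto = require("node:crypto");

// MD5 appears only because it is the storage format the post describes.
const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Compare two hex digests without leaking where they differ.
function sameDigest(a, b) {
  const x = Buffer.from(a, "hex");
  const y = Buffer.from(b, "hex");
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Enrollment as described: the answer is hashed with its case intact.
function storeAnswer(answer) {
  return md5(answer);
}

// Recovery check with the quoted line: md5(strtolower(answer)).
function verifyWithLowercase(stored, typed) {
  return sameDigest(md5(typed.toLowerCase()), stored);
}

// Recovery check after the post's fix: md5(answer).
function verifyAsTyped(stored, typed) {
  return sameDigest(md5(typed), stored);
}

// Answers whose owner cannot pass `verify` even when typing the answer exactly.
function lockedOut(answers, verify) {
  return answers.filter((a) => !verify(storeAnswer(a), a));
}

// Constructed sample answers (ASCII only).
const SAMPLE_ANSWERS = ["rex", "Rex", "New York", "42 main st"];

console.log("locked out before fix:", lockedOut(SAMPLE_ANSWERS, verifyWithLowercase));
console.log("locked out after fix: ", lockedOut(SAMPLE_ANSWERS, verifyAsTyped));
console.log("after fix, 'rex' matches stored 'Rex':",
  verifyAsTyped(storeAnswer("Rex"), "rex"));
```

With the fix applied, answers are matched case-sensitively, so a user who enrolled "Rex" has to type "Rex" during recovery.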

Things I’d like to see in the NW IDM Console…

On and off, I’ve been working with the IDM console since 2004, and on the whole I’d say that the interface has always gotten better from release to release.  However as I’ve been working with the software recently a number of issues have been appearing that I hope the development team will be able to address in coming releases:

1. By default, Identity Management has a huge number of objects and scrolling through them can be a bit of a chore.  I’d love to see the attribute selection interface change somewhat.  At the very least, put in a scroll bar, but ideally I’d like to see an interface where I can just type a few letters of the attribute to select it.

2. When setting up the initial connection strings, how about a way to test the JDBC connection?  We’ve got this in VDS.  It would be a great addition to IDM.

3. While we’re on the topic of connection strings.  I’d really like to have an integrated wizard for constructing the ODBC strings.  We’re just building a text string here, do we really need to go out to the ODBC interface?  I realize there might be good reasons for using the ODBC app.  This one might just be me.

4. Install paths… The install path should be stored in the registry so that once an app is installed to a server that becomes the default install location. I know a lot of admins who prefer to have IDM installed much higher in the tree structure… Typing D:\PROGRAM FILES\SAP\IDM… gets old after a while.

On the whole the application does more than it ever did before; the next challenge is to make it easier to tame all of the capabilities at the Architect’s and Engineer’s disposal. All-in-all, not a bad place to be.

Queue runaround (tip)

Let’s say you have a couple of jobs/tasks sitting in your provisioning queue, but you’ve changed your mind and you don’t want them to run anymore; what do you do? Well, instead of wasting your time trying to create a job to ‘Clean (your) provisioning queue’, try this:

  1. Log on to your Monitoring module.
  2. Click on the ‘Provisioning queue’ link in your menu.
  3. Once there you should see all the jobs/tasks waiting to execute.
  4. Clicking on the ‘queue size’ link for each entry will bring up another window that should give you the option to ‘Cancel’ the job/task.
  5. Click ‘Cancel’ to remove the job/task.
  6. Repeat steps 4-5 so as to remove all the jobs/tasks or just specific ones.

Hopefully, this will save you some time and frustration.