Installation & configuration on ImageMaster side

ImageMaster Information Lifecycle Management Services for ERP is installed by default if you install the ImageMaster assembly. To enable the module, a proper license that grants the usage of the module must be installed anyway.

Database index

In the ImageMaster database model, create the following index:

create index IDX_DIR_FOLDER_PROPERTY_PROPKEY_VALSTR on DIR_FOLDER_PROPERTY (PROPERTY_KEY, VALUE_STRING);

Configuration in AdminClient

The ILM module is integrated with user-based authentication, which requires a configuration of the module via the ImageMaster AdminClient according to SAP ILM connection settings in [UM AdminClient]. There are two aspects that must be configured:

  • SAP ILM permissions based on roles

  • connections to content repositories

An ImageMaster user with these SAP ILM permissions is required for authentication. With this kind of user-based authentication, the ILM interface can only be used with HTTPS. (HTTP is not supported.)

SAP ILM permissions based on roles

An ImageMaster user must be associated with a specific role to use the ILM service:

  • The role must provide access to WebDAV folders.

  • The role must provide access to the SAP ILM web service operation “ilmAccess”.

    Internally, this role is extended with a base role that enables all operations on the document type “ilm_resource”.

Note: Do not use the document type “ilm_resource” for anything else than its intended usage in ILM!

Otherwise you will lose data because an internal job deletes documents of this type, which are NOT associated with a folder entry.

See the example roles with their definitions below:

  • allFoldersAccessRole

    This example role allows accessing all WebDAV folders.

  • accessSpecificILMFolders

    In this case the user associated with this role can execute ILM service operations on resources placed on URI: https://someHost/webdav/someTenant/ilmTest/systemA or below (e.g. .../ilmTest/systemA/subsystemA etc.).

Roles giving access to folders shouldn't be combined for the same folder for the same user, e.g. a user associated with both roles, allFoldersAccessRole and accessSpecificILMFolders, still will be able to access all resources even if you wanted to forbid access to specific ones.

Copy

allFoldersAccessRole

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" 
 xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
    <soap:Header>
        <role:role xmlns:role='http://www.tsystems.com/ima/9.0/integrationws/header/roles'>powerUser</role:role>
    </soap:Header>
    <soap:Body>
        <ns:createRole>
            <role name="allFoldersAccessRole">
                <combinator>union</combinator>
                <constituents>
                    <roles/>
                    <rights>
                        <right outcome="permitted">
                            <query>galaxy(folders)</query>
                            <functions>
                                <function>create</function>
                                <function>read</function>
                                <function>update</function>
                                <function>delete</function>
                                <function>execute</function>
                            </functions>
                        </right>
                        <right outcome="permitted">
                            <query>restrict(=(ima:webservice:operationName(ref("ops")), const("ilmAccess")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
                            <functions>
                                <function>execute</function>
                            </functions>
                        </right>
                    </rights>
                </constituents>
                <description>role for accessing all webdav folders</description>
            </role>
        </ns:createRole>
    </soap:Body>
</soap:Envelope>

 

Copy
accessSpecificILMFolders
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" 
 xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
    <soap:Header>
        <role:role xmlns:role='http://www.tsystems.com/ima/9.0/integrationws/header/roles'>powerUser</role:role>
    </soap:Header>
    <soap:Body>
        <ns:createRole>
            <role name="accessSpecificILMFolders">
                <combinator>union</combinator>
                <constituents>
                    <roles/>
                    <rights>
                        <right outcome="permitted">
                            <query>restrict(or(ima:folder:isBelowPath(ref("folders"), const("/ilmTest/systemA")), =(ima:folder:path(ref("folders")), const("/ilmTest/systemA"))), galaxy(folders))</query>
                            <functions>
                                <function>create</function>
                                <function>read</function>
                                <function>update</function>
                                <function>delete</function>
                                <function>execute</function>
                            </functions>
                        </right>
                        <right outcome="permitted">
                            <query>restrict(=(ima:webservice:operationName(ref("ops")), const("ilmAccess")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
                            <functions>
                                <function>execute</function>
                            </functions>
                        </right>
                    </rights>
                </constituents>
                <description>role for accessing specific webdav folders</description>
            </role>
        </ns:createRole>
    </soap:Body>
</soap:Envelope>

Connections to content repositories

As required by the SAP specification, the module must be able to communicate with content repositories within a Content Server. ImageMaster supports a connection to content repositories that exist in the same ImageMaster domain.

If an SAP system reference is added in the AdminClient view shown below, the belonging content repositories will be listed.

Figure 501: AdminClient: ILM configuration