ImageMaster Information Lifecycle Management Services for ERP is installed by default if you install the ImageMaster assembly. To enable the module, a proper license that grants the usage of the module must be installed anyway.
Database index
In the ImageMaster database model, create the following index:
create index IDX_DIR_FOLDER_PROPERTY_PROPKEY_VALSTR on DIR_FOLDER_PROPERTY (PROPERTY_KEY, VALUE_STRING);
Configuration in AdminClient
The ILM module is integrated with user-based authentication, which requires a configuration of the module via the ImageMaster AdminClient according to SAP ILM connection settings in [UM AdminClient]. There are two aspects that must be configured:
-
SAP ILM permissions based on roles
-
connections to content repositories
An ImageMaster user with these SAP ILM permissions is required for authentication. With this kind of user-based authentication, the ILM interface can only be used with HTTPS. (HTTP is not supported.)
SAP ILM permissions based on roles
An ImageMaster user must be associated with a specific role to use the ILM service:
-
The role must provide access to WebDAV folders.
-
The role must provide access to the SAP ILM web service operation “ilmAccess”.
Internally, this role is extended with a base role that enables all operations on the document type “ilm_resource”.
Otherwise you will lose data because an internal job deletes documents of this type, which are NOT associated with a folder entry.
See the example roles with their definitions below:
-
allFoldersAccessRole
This example role allows accessing all WebDAV folders.
-
accessSpecificILMFolders
In this case the user associated with this role can execute ILM service operations on resources placed on URI: https://someHost/webdav/someTenant/ilmTest/systemA or below (e.g. .../ilmTest/systemA/subsystemA etc.).
Roles giving access to folders shouldn't be combined for the same folder for the same user, e.g. a user associated with both roles, allFoldersAccessRole, and accessSpecificILMFolders, still will be able to access all resources even if you wanted to forbid access to specific ones.
allFoldersAccessRole
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
<soap:Header>
<role:role xmlns:role='http://www.tsystems.com/ima/9.0/integrationws/header/roles'>powerUser</role:role>
</soap:Header>
<soap:Body>
<ns:createRole>
<role name="allFoldersAccessRole">
<combinator>union</combinator>
<constituents>
<roles/>
<rights>
<right outcome="permitted">
<query>galaxy(folders)</query>
<functions>
<function>create</function>
<function>read</function>
<function>update</function>
<function>delete</function>
<function>execute</function>
</functions>
</right>
<right outcome="permitted">
<query>restrict(=(ima:webservice:operationName(ref("ops")), const("ilmAccess")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
<functions>
<function>execute</function>
</functions>
</right>
</rights>
</constituents>
<description>role for accessing all webdav folders</description>
</role>
</ns:createRole>
</soap:Body>
</soap:Envelope>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
<soap:Header>
<role:role xmlns:role='http://www.tsystems.com/ima/9.0/integrationws/header/roles'>powerUser</role:role>
</soap:Header>
<soap:Body>
<ns:createRole>
<role name="accessSpecificILMFolders">
<combinator>union</combinator>
<constituents>
<roles/>
<rights>
<right outcome="permitted">
<query>restrict(or(ima:folder:isBelowPath(ref("folders"), const("/ilmTest/systemA")), =(ima:folder:path(ref("folders")), const("/ilmTest/systemA"))), galaxy(folders))</query>
<functions>
<function>create</function>
<function>read</function>
<function>update</function>
<function>delete</function>
<function>execute</function>
</functions>
</right>
<right outcome="permitted">
<query>restrict(=(ima:webservice:operationName(ref("ops")), const("ilmAccess")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
<functions>
<function>execute</function>
</functions>
</right>
</rights>
</constituents>
<description>role for accessing specific webdav folders</description>
</role>
</ns:createRole>
</soap:Body>
</soap:Envelope>Connections to content repositories
As required by the SAP specification, the module must be able to communicate with content repositories within a Content Server. ImageMaster supports a connection to content repositories that exist in the same ImageMaster domain.
If an SAP system reference is added in the AdminClient view shown below, the belonging content repositories will be listed.
Figure 389: AdminClient: ILM configuration