Versions Compared

Old Version 4

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version 5

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Once connected, you can manage this data from EmpowerID in the following ways:

Account Management

  • Inventory user accounts

  • Create user accounts

  • Update user accounts

  • Enable and Disable user accounts

  • Change user passwords

Role Management

  • Inventory roles or profiles as groups

    • Inventory role or profile memberships as group accounts

    • Add and Remove members to and from roles or profiles

    Attribute Flow

SAP TCODE Inventory

  • Inventories all SAP modules from the TDEVC table and stores them in the ResourceSystemModule table in EmpowerID

    • Inventories SAP transaction codes from the TSTC table and stores this information in the AzLocalRights table in EmpowerID along with the relation between the transaction codes and the SAP modules.

    • Inventories the relationship between roles/profiles and TCODES and stores this information in the AzAssigneeLocalRightScope table in EmpowerID

SAP Authorization Object and FieldTypes Inventory

  • Inventories SAP authorization objects from the TOBJ table and stores that information in the AzLocalRights table in EmpowerID with AzLocalRightTypeID of 7

  • Inventories SAP FieldTypes from the AUTHX table and stores that information in the AzFieldType table of EmpowerID

  • Inventories the relationship between authorization objects and fieldtypes and stores that information in the AzGlobalRightFieldType table of EmpowerID

  • Inventories the relationship between SAP single role to authorization object from the AGR_1251 table in SAP and stores that information in the AzAssigneeLocalRightScope table in EmpowerID

  • Inventories the relationship between SAP transaction codes and authorization objects from the USOBX_C table in SAP and stores that information in the AzGlobalRightRelatedRight table in EmpowerID

  • Inventories the relationship between Role > AuthObject > FieldType > Low and High values from the AGR_1251 and AGR_1252 tables and stores that information in the AzAssigneeRightAzGlobalRightFieldType of EmpowerID. The multiple explicit values are stored in the AzAssigneeRightAzGlobalRightFieldTypeValue table of EmpowerID.

  • Prerequisites

Account Attributes

Users in SAP

...

are inventoried as accounts in EmpowerID. The

...

following table shows the attribute

...

mapping of SAP

...

User attributes to EmpowerID

...

Account attributes

...

:

SAP User Attribute

Corresponding EmpowerID Attribute

Description

NAME_FIRST

FirstName

First name of the user

NAME_LAST

LastName

Last name of the user

NAMEMIDDLE

MiddleName

Middle name of the user

BNAME

LogonName

User name of the user

BNAME

SystemIdenitfier

Unique System Identifier of the user

TEL_NUMBER_MOBILE

MobileNumber

Mobile number of the user

TEL_NUMBER

Telephone

Home phone number of the user

SMTP_ADDR

Email

Email ID of the user

LANGU

PreferredLanguage

Language of the user

UFLAG

Disabled

Determines

Specifies whether or not user is active

TITLE

PersonalTitle

Personal Title

PersonalTitle of the user

TITLE_ACA1

AcademicTitle

Academic Title

AcademicTitle of the user

FUNCTION

BusinessFunction

Business Function

BusinessFunction of the user

ROOMNUMBER

RoomNumber

Room Number

RoomNumber of the user

FLOOR

Floor

Floor of the user

BUILDING

BuildingCode

Building Code

BuildingCode of the user

.

FAX_NUMBER

Fax

Fax of the user

USERALIAS

Alias

Alias of the user

USTYP

UserType

User Type

UserType of the user

SECURITY_POLICY

SecurityPolicy

Security Policy

SecurityPolicy of the user

DEPARTMENT

Department

Department name of the user

CLASS

UserGroup

User Group

UserGroup of the user

GLTGV

ValidFrom

Valid From date set for

ValidFrom of the user

GLTGB

ValidUntil

Valid Until date set for

ValidUntil of the user

ACCNT

AccountNo

Account Number

AccountNo of the user

KOSTL

CostCenter

Cost Center

CostCenter of the user

TZONE

TimeZone

Time Zone of the user

PWDCHGDATE

PasswordLastChanged

Date the user’s password was last changed

PasswordLastChanged

TRDAT+LTIME

LastLogonTime

Date and time the user last logged on

LastLogonTime

company

Company

Company name of the user

PNAME

UserPrincipalName

SNC Name of the user

Role Attributes

Roles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Role attributes to EmpowerID Group attributes:

SAP Role Attribute

EmpowerID Attribute

Description

AGR_NAME(AGR_DEFINE)

Name

Name of the Group.

“Role_” + AGR_NAME(AGR_DEFINE)

LogonName

LogonName of the Group

TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS = '00000' +(SAP CompositeRole or SAP Single Role)

FriendlyName

FriendlyName of the Group

Concatenation of all rows from  TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS != '00000'

Description, Notes

Description, Notes of the Group

Use Relation FROM AGR_AGRS table to calculate the role type

GroupTypeID

Identifier to distinguish the sap role type either single or composite role

Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue
Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue

Profile Attributes

Profiles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Profile attributes to EmpowerID Group attributes:

SAP Profile Attribute

EmpowerID Attribute

Description

PROFN(USR10)

Name

Name of the Group

“Profile_” + PROFN(USR10)

LogonName

LogonName of the Group

PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)

FriendlyName

FriendlyName of the Group

PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)

Description

Description of the Group

Use TYP from USR10 table to calculate the profile type

GroupTypeID

Identifier to distinguish the sap profile type either single or composite profile

Prerequisites

To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.

...

  • Host Name of the BAPI endpoint

  • Username that is authorized to read from and write to the BAPI

  • Password

  • App server FQDN

  • Instance number

  • System ID

Prerequisites

You can connect EmpowerID to SAP R/3 system two ways:

  1. Application Server

  2. Message Server

Each has its own set of prerequisites. Expand the drop-down for that connection method to view.

Expand
titleApplication Server Prerequisites

You also need the following from SAP to connect EmpowerID to SAP via Application Server:

  • Host Name of the application server used for RFC communication

  • Username that is authorized to connect to the R/3 system from EmpowerID

  • Password of the service account

  • ClientID of the application server

  • Instance number of the application server

  • Network port number that is open to connect to the application server

Info

By default, the SAP connector uses the 33+Instancenumber as the port to connect to the SAP application server. If a different port is used, specify the port number in the hostname column with the following syntax “HostName + ‘:’ + portNumber”

Expand
titleMessage Server Prerequisites

You also need the following from SAP to connect EmpowerID to SAP via Message Server:

  • Host Name of the Message Server used to establish the connection the to SAP R/3 system

  • Name of the LogonGroup used by the SAP R/3 connector

  • SystemID of the SAP system

  • Username that is authorized to connect to the Message Server

  • Password of the service account

Additionally, the following conditions must be met:

...

The SAP proxy account used for the S/4HANA connector needs to have access to the below tables as well as the ability to make the remote procedure calls listed:

REQUIRED TABLE ACCESS

REQUIRED REMOTE PROCEDURE CALLS

AGR_DEFINE

ADCP

BAPI_USER_ACTGROUPS_ASSIGN

AGR_TEXTS

ADR2

BAPI_USER_CHANGE

AGR_AGRS

ADR3

BAPI_USER_CREATE1

AGR_1016

ADR6

BAPI_USER_EXISTENCE_CHECK

AGR_1251

ADRP

BAPI_USER_GETLIST

USR10

AGR_1016

BAPI_USER_GET_DETAIL

USR11

AGR_1251

BAPI_USER_LOCK

UST10C

AGR_AGRS

BAPI_USER_UNLOCK

UST10S

AGR_DEFINE

PING

UST12

AGR_TEXTS

RFCPING

TSTC

AGR_USERS

RFC_GET_FUNCTION_INTERFACE

TSTCT

TSTC

RFC_GET_NAMETAB

ADR6

TSTCT

RFC_PING

ADRP

USCOMPANY

RFC_READ_TABLE

USR02

REQUIRED ACTIVITY

PING

USR21

USR10

Execute

RFCPING

ADR2

ADR3

ADCP

USREFUS

UST04

AGR_USERS

USRACL

USCOMPANY

USR01

USR06

AUTHX

DD04T

TADIR

TDEVC

TOBJ

USOBT

USOBT_C

USOBX

USOBX_C

AGR_1252

USR11

RFC_GET_FUNCTION_INTERFACE

USR21

RFC_GET_NAMETAB

USRACL

RFC_PING

USREFUS

RFC_READ_TABLE

UST04

UST10C

UST10S

UST12

REQUIRED ACTIVITY

 Display

Execute

Tip

As each organization's implementation, practices, and procedures with SAP differs, EmpowerID uses an SAP Data Analysis Utility to ensure the necessary tables can be read and the necessary BAPI's can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This provides EmpowerID with the opportunity to review and analyze data in order to modify connector logic before setting up the connection.

...