...
Users in SAP are inventoried as accounts in EmpowerID. The following table shows the attribute mapping of SAP User attributes to EmpowerID Account attributes:
SAP User Attribute | Corresponding EmpowerID Attribute | Description |
---|---|---|
NAME_FIRST | FirstName | First name of the user |
NAME_LAST | LastName | Last name of the user |
NAMEMIDDLE | MiddleName | Middle name of the user |
BNAME | LogonName | User name of the user |
BNAME | SystemIdentifier | Unique System Identifier of the user |
TEL_NUMBER_MOBILE | MobileNumber | Mobile number of the user |
TEL_NUMBER | Telephone | Home phone number of the user |
SMTP_ADDR | | Email ID of the user |
LANGU | PreferredLanguage | Language of the user |
UFLAG | Disabled | Specifies whether or not user is active |
TITLE | PersonalTitle | PersonalTitle of the user |
TITLE_ACA1 | AcademicTitle | AcademicTitle of the user |
FUNCTION | BusinessFunction | BusinessFunction of the user |
ROOMNUMBER | RoomNumber | RoomNumber of the user |
FLOOR | Floor | Floor of the user |
BUILDING | BuildingCode | BuildingCode of the user |
FAX_NUMBER | Fax | Fax of the user |
USERALIAS | Alias | Alias of the user |
USTYP | UserType | UserType of the user |
SECURITY_POLICY | SecurityPolicy | SecurityPolicy of the user |
DEPARTMENT | Department | Department name of the user |
CLASS | UserGroup | UserGroup of the user |
GLTGV | ValidFrom | ValidFrom of the user |
GLTGB | ValidUntil | ValidUntil of the user |
ACCNT | AccountNo | AccountNo of the user |
KOSTL | CostCenter | CostCenter of the user |
TZONE | TimeZone | Time Zone of the user |
PWDCHGDATE | PasswordLastChanged | PasswordLastChanged |
TRDAT+LTIME | LastLogonTime | LastLogonTime |
company | Company | Company name of the user |
PNAME | UserPrincipalName | SNC Name of the user |
Role Attributes
Roles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Role attributes to EmpowerID Group attributes:
SAP Role Attribute | EmpowerID Attribute | Description |
---|---|---|
AGR_NAME(AGR_DEFINE) | Name | Name of the Group. |
“Role_” + AGR_NAME(AGR_DEFINE) | LogonName | LogonName of the Group |
TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS = '00000' +(SAP CompositeRole or SAP Single Role) | FriendlyName | FriendlyName of the Group |
Concatenation of all rows from TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS != '00000' | Description, Notes | Description, Notes of the Group |
Use the relation from the AGR_AGRS table to calculate the role type | GroupTypeID | Identifier that distinguishes the SAP role type (single or composite role) |
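
The role mapping in the table above, as an added Python example (not EmpowerID's connector code). It assumes rows already read from AGR_DEFINE, AGR_AGRS and AGR_TEXTS in a single language, joins text fragments with a space, and uses the type label in place of a numeric GroupTypeID; the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample rows (not from a real system), one language only.
AGR_DEFINE = [{"AGR_NAME": "Z_FI_AP_CLERK"}, {"AGR_NAME": "Z_FI_COMPOSITE"},
              {"AGR_NAME": "Z_NO_TEXT"}]
AGR_AGRS = [{"AGR_NAME": "Z_FI_COMPOSITE", "CHILD_AGR": "Z_FI_AP_CLERK"}]
AGR_TEXTS = [
    {"AGR_NAME": "Z_FI_AP_CLERK", "LINE": "00000", "TEXT": "AP Clerk"},
    {"AGR_NAME": "Z_FI_AP_CLERK", "LINE": "00002", "TEXT": "No payment release."},
    {"AGR_NAME": "Z_FI_AP_CLERK", "LINE": "00001", "TEXT": "Accounts payable invoice entry."},
    {"AGR_NAME": "Z_FI_COMPOSITE", "LINE": "00000", "TEXT": "Finance bundle"},
]


def map_roles(agr_define, agr_agrs, agr_texts):
    """Build one EmpowerID Group record per SAP role, following the mapping table."""
    # A role that has children in AGR_AGRS is a composite role.
    composites = {row["AGR_NAME"] for row in agr_agrs}
    # Index text rows by role, then by LINE, so order of arrival does not matter.
    texts = defaultdict(dict)
    for row in agr_texts:
        texts[row["AGR_NAME"]][row["LINE"]] = row["TEXT"]

    groups = []
    for role in agr_define:
        name = role["AGR_NAME"]
        lines = texts.get(name, {})  # roles without any text still get a Group
        kind = "SAP CompositeRole" if name in composites else "SAP Single Role"
        title = lines.get("00000", "")
        # Every row except LINE '00000', concatenated in LINE order.
        long_text = " ".join(lines[k] for k in sorted(lines) if k != "00000")
        groups.append({
            "Name": name,
            "LogonName": "Role_" + name,
            "FriendlyName": f"{title} {kind}".strip(),
            "Description": long_text,
            "Notes": long_text,
            "GroupType": kind,  # assumption: label stands in for GroupTypeID
        })
    return groups


if __name__ == "__main__":
    for group in map_roles(AGR_DEFINE, AGR_AGRS, AGR_TEXTS):
        print(group)
```
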
...
Profiles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Profile attributes to EmpowerID Group attributes:
SAP Profile Attribute | EmpowerID Attribute | Description |
---|---|---|
PROFN(USR10) | Name | Name of the Group |
“Profile_” + PROFN(USR10) | LogonName | LogonName of the Group |
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile) | FriendlyName | FriendlyName of the Group |
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile) | Description | Description of the Group |
Use TYP from the USR10 table to calculate the profile type | GroupTypeID | Identifier that distinguishes the SAP profile type (single or composite profile) |
Prerequisites
To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.
...
The SAP proxy account used for the S/4HANA connector needs access to the tables below as well as the ability to make the remote procedure calls listed:
SAP Table | Required Columns (Keys) |
---|---|
ADCP | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, NATION |
ADR2 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, TEL_NUMBER |
ADR3 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER |
ADR6 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, FLGDEFAULT, SMTP_ADDR |
ADRP | CLIENT, PERSNUMBER, DATE_FROM, NATION, NAME_FIRST, NAME_LAST |
AGR_1016 | MANDT, AGR_NAME, COUNTER, PROFILE |
AGR_1251 | MANDT, AGR_NAME, COUNTER, OBJECT, FIELD, LOW, HIGH |
AGR_1252 | MANDT, AGR_NAME, COUNTER |
AGR_AGRS | MANDT, AGR_NAME, CHILD_AGR |
AGR_DEFINE | MANDT, AGR_NAME |
AGR_TEXTS | MANDT, AGR_NAME, SPRAS, LINE, TEXT |
AGR_USERS | MANDT, AGR_NAME, UNAME, FROM_DAT, TO_DAT |
AUSOBT | NAME, TYPE, OBJECT, FIELD, LOW |
AUTHX | FIELDNAME |
BUT000 | CLIENT, PARTNER, TYPE |
BUT051 | CLIENT, RELNR, PARTNER1, PARTNER2, DATE_TO |
BUT100 | MANDT, PARTNER, RLTYP, DFVAL |
DD04T | ROLLNAME, DDLANGUAGE, AS4LOCAL, AS4VERS |
GRACFFCTRL | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, CNTRL_ID |
GRACFFOWNER | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, OWNER |
GRACFFOWNERT | MANDT, LANGU, APP_TYPE, FFOBJECT, CONNECTOR, OWNER |
GRACFFUSER | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, FF_USER |
HRP1000 | MANDT, PLVAR, OTYPE, OBJID, ISTAT, BEGDA, ENDDA, LANGU, SEQNR, OTJID |
HRP1001 | MANDT, OTYPE, OBJID, PLVAR, RSIGN, RELAT, ISTAT, PRIOX, BEGDA, ENDDA, VARYF, SEQNR, SCLAS, SOBID |
HRP1032 | MANDT, PLVAR, OTYPE, SUBTY, OBJID, ISTAT, ENDDA, BEGDA, VARYF, SEQNR |
PA0000 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0001 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0002 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0006 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0016 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0032 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0105 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA2006 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
RSBPCE_TEAM | APPSET_ID, TEAM_ID, OBJVERS |
RSBPCE_USER_TEAM | APPSET_ID, TEAM_ID, OBJVERS, USER_ID |
T591S | MANDT, SPRSL, INFTY, SUBTY |
TACT | ACTVT |
TACTZ | BROBJ, ACTVT |
TADIR | PGMID, OBJECT, OBJ_NAME |
TB003 | CLIENT, ROLE |
TB003T | CLIENT, SPRAS, ROLE |
TDEVC | DEVCLASS |
TOBC | OCLSS |
TOBJ | OBJCT |
TOBJC | OBJCT, OCLSS |
TOBJT | LANGU, OBJECT |
TSAD3 | CLIENT, TITLE |
TSAD3T | CLIENT, TITLE, LANGU |
TSTC | TCODE |
TSTCT | SPRSL, TCODE |
USCOMPANY | MANDT, COMPANY |
USGRP | MANDT, USERGROUP |
USGRP_USER | MANDT, BNAME, USERGROUP, FROM_DAT, TO_DAT |
USOBT | NAME, TYPE, OBJECT, FIELD, LOW |
USOBT_C | NAME, TYPE, OBJECT, FIELD, LOW |
USOBX | NAME, TYPE, OBJECT |
USOBX_C | NAME, TYPE, OBJECT |
USORG | FIELD |
USR01 | MANDT, BNAME |
USR02 | MANDT, BNAME, GLTGV, GLTGB, USTYP, CLASS, UFLAG, TRDAT, LTIME |
USR05 | MANDT, BNAME, PARID |
USR06 | MANDT, BNAME |
USR10 | MANDT, PROFN, AKTPS, TYP |
USR11 | MANDT, LANGU, PROFN, AKTPS, PTEXT |
USR21 | MANDT, BNAME |
USRACL | MANDT, BNAME |
USREFUS | MANDT, BNAME |
UST04 | MANDT, BNAME, PROFILE |
UST10C | MANDT, PROFN, AKTPS, SUBPROF |
UST10S | MANDT, PROFN, AKTPS, OBJCT, AUTH |
UST12 | MANDT, OBJCT, AUTH, AKTPS, FIELD, VON, BIS |
Required Remote Procedure Calls | Required Activity |
---|---|
BAPI_USER_ACTGROUPS_ASSIGN | Display |
BAPI_USER_CHANGE | Execute |
BAPI_USER_CREATE1 | Execute |
BAPI_USER_EXISTENCE_CHECK | Execute |
BAPI_USER_GETLIST | Execute |
BAPI_USER_GET_DETAIL | Execute |
BAPI_USER_LOCK | Execute |
BAPI_USER_UNLOCK | Execute |
PING | Execute |
RFCPING | Execute |
RFC_GET_FUNCTION_INTERFACE | Execute |
RFC_GET_NAMETAB | Execute |
RFC_PING | Execute |
RFC_READ_TABLE | Execute |
Tip |
---|
As each organization's implementation, practices, and procedures with SAP differ, EmpowerID uses an SAP Data Analysis Utility to ensure the necessary tables can be read and the necessary BAPIs can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This provides EmpowerID with the opportunity to review and analyze data in order to modify connector logic before setting up the connection. |
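
A least-privilege check for the proxy account against the lists above, as an added Python example (not part of EmpowerID or its SAP Data Analysis Utility). It assumes the account's granted table and function names have been exported as plain patterns in which `*` is a wildcard; the grants shown are constructed, and the table list is a subset of the one above.

```python
from fnmatch import fnmatchcase

# Required objects copied from the tables above (tables: a subset, for brevity).
REQUIRED_TABLES = {
    "USR02", "USR10", "USR11", "UST04",
    "AGR_DEFINE", "AGR_AGRS", "AGR_TEXTS", "AGR_USERS",
}
REQUIRED_RFCS = {
    "BAPI_USER_ACTGROUPS_ASSIGN", "BAPI_USER_CHANGE", "BAPI_USER_CREATE1",
    "BAPI_USER_EXISTENCE_CHECK", "BAPI_USER_GETLIST", "BAPI_USER_GET_DETAIL",
    "BAPI_USER_LOCK", "BAPI_USER_UNLOCK", "PING", "RFCPING",
    "RFC_GET_FUNCTION_INTERFACE", "RFC_GET_NAMETAB", "RFC_PING", "RFC_READ_TABLE",
}

# Constructed grants for a hypothetical proxy account (not from a real system).
GRANTED_TABLES = ["USR*", "AGR_DEFINE", "AGR_AGRS", "AGR_TEXTS", "AGR_USERS", "PA0008"]
GRANTED_RFCS = sorted(REQUIRED_RFCS - {"RFC_GET_NAMETAB"}) + ["BAPI_USER_DELETE"]


def audit(required, granted):
    """Compare required object names with granted name patterns.

    missing: required names that no granted pattern covers (connector calls fail).
    excess:  granted patterns that are wildcards, or that name an object the
             connector does not need (access beyond the documented lists).
    """
    missing = sorted(
        name for name in required
        if not any(fnmatchcase(name, pattern) for pattern in granted)
    )
    excess = sorted(
        pattern for pattern in granted
        if "*" in pattern or pattern not in required
    )
    return missing, excess


if __name__ == "__main__":
    for label, required, granted in (
        ("tables", REQUIRED_TABLES, GRANTED_TABLES),
        ("RFCs", REQUIRED_RFCS, GRANTED_RFCS),
    ):
        missing, excess = audit(required, granted)
        print(f"{label}: missing={missing} excess={excess}")
```
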
...