The EmpowerID SAP S/4HANA Connector enables seamless integration between EmpowerID and SAP S/4HANA systems. It allows you to create, synchronize, and manage user accounts, roles, profiles, and their assignments. Additionally, the connector supports the inventory of SAP Transaction Codes (TCodes), Authorization Objects, and their field type values as rights within EmpowerID. This comprehensive solution streamlines the management of SAP identities and access rights.
Key Features
Account Management
Inventory User Accounts: Automatically import SAP S/4HANA user accounts into EmpowerID.
Create User Accounts: Provision new SAP S/4HANA user accounts directly from EmpowerID.
Update User Accounts: Modify existing user account information.
Enable and Disable User Accounts: Control the activation status of user accounts.
Change User Passwords: Reset or update user passwords securely.
Role and Profile Management
Inventory Roles and Profiles: Import SAP roles and profiles as groups in EmpowerID.
Manage Memberships: Add or remove users from roles or profiles.
Synchronize Assignments: Keep role and profile assignments up-to-date across systems.
SAP TCode Inventory
Inventory SAP Modules: Retrieve all SAP modules from the TDEVC table and store them in the ResourceSystemModule table in EmpowerID.
Inventory Transaction Codes: Import SAP transaction codes from the TSTC table, storing the relationships between TCodes and SAP modules.
Assign Rights: Map transaction codes to local rights within EmpowerID for access control.
SAP Authorization Objects and Field Types Inventory
Inventory Authorization Objects: Import authorization objects from the TOBJ table into the AzLocalRights table with an AzLocalRightTypeID of 7.
Inventory Field Types: Import field types from the AUTHX table into the AzFieldType table.
Map Relationships: Establish relationships between authorization objects, field types, roles, and transaction codes for comprehensive rights management.
Prerequisites
General Requirements
SAP Account: A user account in SAP with the necessary permissions.
SAP GUI Server Installation: Install SAP GUI Server on your EmpowerID server.
librfc32.dll Assembly: Each EmpowerID server used to run workflows or perform inventory functions must have the librfc32.dll assembly copied into the C:\Windows\System32 folder. EmpowerID uses this assembly to perform various SAP processes (inventory, workflows, etc.). You can download the assembly from EmpowerID at the following link: https://dl1.empowerid.com/files/librfc32_64.zip
Connection Methods
EmpowerID can connect to SAP S/4HANA via two methods:
Application Server
Required Information:
Hostname of the application server
Client ID
Instance number
Network port (by default 33 followed by the two-digit instance number, e.g. 3300 for instance 00)
Service account username and password
Message Server
Required Information:
Hostname of the message server
Logon group name
System ID
Service account username and password
Note: Ensure the appropriate ports are open and the hostnames are resolvable.
SAP Account Permissions
Access to Necessary Tables: The SAP proxy account used for the S/4HANA connector needs read access to specific SAP tables (listed in the Required SAP Tables and Columns section below).
Remote Procedure Calls (BAPIs and RFCs): The service account must be able to execute required BAPIs and RFCs (listed in the Required Remote Procedure Calls section below).
Read-Only Connections: For read-only connections, the service account needs access to the RFC_READ_TABLE BAPI.
Mandatory Fields: Ensure all mandatory fields (e.g., LastName, PersNumber) are populated.
Standard Table Structure: Standard tables should have consistent structures across all systems.
Unique Records: Records should not have leading or trailing spaces on primary key columns.
Data Quality: The system should be free of data issues, such as duplicate company codes pointing to the same address number.
Network Configurations
Port Accessibility: The EmpowerID server used to connect to the SAP system should have all necessary ports open.
Hostname Resolution: Ensure the SAP system's hostname is resolvable to an IP address.
SAP GUI Installation: Install the SAP GUI Server on your EmpowerID server if not already installed.
Data Integrity Requirements
Consistent Data: Ensure data across SAP systems is consistent and free from anomalies.
Unique Identifiers: Systems should have unique records, especially on primary key columns.
No Data Issues: Resolve any data issues before integration, such as duplicates or invalid references.
Required SAP Tables and Columns
The service account must have access to the following SAP tables and their specified columns:
SAP Table | Required Columns (Keys) |
---|---|
ADCP | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, NATION |
ADR2 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, TEL_NUMBER |
ADR3 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER |
ADR6 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, FLGDEFAULT, SMTP_ADDR |
ADRP | CLIENT, PERSNUMBER, DATE_FROM, NATION, NAME_FIRST, NAME_LAST |
AGR_1016 | MANDT, AGR_NAME, COUNTER, PROFILE |
AGR_1251 | MANDT, AGR_NAME, COUNTER, OBJECT, FIELD, LOW, HIGH |
AGR_1252 | MANDT, AGR_NAME, COUNTER |
AGR_AGRS | MANDT, AGR_NAME, CHILD_AGR |
AGR_DEFINE | MANDT, AGR_NAME |
AGR_TEXTS | MANDT, AGR_NAME, SPRAS, LINE, TEXT |
AGR_USERS | MANDT, AGR_NAME, UNAME, FROM_DAT, TO_DAT |
AUSOBT | NAME, TYPE, OBJECT, FIELD, LOW |
AUTHX | FIELDNAME |
BUT000 | CLIENT, PARTNER, TYPE |
BUT051 | CLIENT, RELNR, PARTNER1, PARTNER2, DATE_TO |
BUT100 | MANDT, PARTNER, RLTYP, DFVAL |
DD04T | ROLLNAME, DDLANGUAGE, AS4LOCAL, AS4VERS |
GRACFFCTRL | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, CNTRL_ID |
GRACFFOWNER | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, OWNER |
GRACFFOWNERT | MANDT, LANGU, APP_TYPE, FFOBJECT, CONNECTOR, OWNER |
GRACFFUSER | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, FF_USER |
HRP1000 | MANDT, PLVAR, OTYPE, OBJID, ISTAT, BEGDA, ENDDA, LANGU, SEQNR, OTJID |
HRP1001 | MANDT, OTYPE, OBJID, PLVAR, RSIGN, RELAT, ISTAT, PRIOX, BEGDA, ENDDA, VARYF, SEQNR, SCLAS, SOBID |
HRP1032 | MANDT, PLVAR, OTYPE, SUBTY, OBJID, ISTAT, ENDDA, BEGDA, VARYF, SEQNR |
PA0000 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0001 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0002 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0006 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0016 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0032 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0105 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA2006 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
RSBPCE_TEAM | APPSET_ID, TEAM_ID, OBJVERS |
RSBPCE_USER_TEAM | APPSET_ID, TEAM_ID, OBJVERS, USER_ID |
T591S | MANDT, SPRSL, INFTY, SUBTY |
TACT | ACTVT |
TACTZ | BROBJ, ACTVT |
TADIR | PGMID, OBJECT, OBJ_NAME |
TB003 | CLIENT, ROLE |
TB003T | CLIENT, SPRAS, ROLE |
TDEVC | DEVCLASS |
TOBC | OCLSS |
TOBJ | OBJCT |
TOBJC | OBJCT, OCLSS |
TOBJT | LANGU, OBJECT |
TSAD3 | CLIENT, TITLE |
TSAD3T | CLIENT, TITLE, LANGU |
TSTC | TCODE |
TSTCT | SPRSL, TCODE |
USCOMPANY | MANDT, COMPANY |
USGRP | MANDT, USERGROUP |
USGRP_USER | MANDT, BNAME, USERGROUP, FROM_DAT, TO_DAT |
USOBT | NAME, TYPE, OBJECT, FIELD, LOW |
USOBT_C | NAME, TYPE, OBJECT, FIELD, LOW |
USOBX | NAME, TYPE, OBJECT |
USOBX_C | NAME, TYPE, OBJECT |
USORG | FIELD |
USR01 | MANDT, BNAME |
USR02 | MANDT, BNAME, GLTGV, GLTGB, USTYP, CLASS, UFLAG, TRDAT, LTIME |
USR05 | MANDT, BNAME, PARID |
USR06 | MANDT, BNAME |
USR10 | MANDT, PROFN, AKTPS, TYP |
USR11 | MANDT, LANGU, PROFN, AKTPS, PTEXT |
USR21 | MANDT, BNAME |
USRACL | MANDT, BNAME |
USREFUS | MANDT, BNAME |
UST04 | MANDT, BNAME, PROFILE |
UST10C | MANDT, PROFN, AKTPS, SUBPROF |
UST10S | MANDT, PROFN, AKTPS, OBJCT, AUTH |
UST12 | MANDT, OBJCT, AUTH, AKTPS, FIELD, VON, BIS |
Required Remote Procedure Calls (BAPIs and RFCs)
The service account must be able to execute the following remote procedure calls:
Required Remote Procedure Calls | Required Activity |
---|---|
BAPI_USER_ACTGROUPS_ASSIGN | Execute |
BAPI_USER_CHANGE | Execute |
BAPI_USER_CREATE1 | Execute |
BAPI_USER_DELETE | Execute |
BAPI_USER_EXISTENCE_CHECK | Execute |
BAPI_USER_GETLIST | Execute |
BAPI_USER_GET_DETAIL | Execute |
BAPI_USER_LOCK | Execute |
BAPI_USER_UNLOCK | Execute |
BAPI_USER_PROFILES_ASSIGN | Execute |
IDENTITY_MODIFY | Execute |
PING | Execute |
RFCPING | Execute |
RFC_GET_FUNCTION_INTERFACE | Execute |
RFC_GET_NAMETAB | Execute |
RFC_PING | Execute |
RFC_READ_TABLE | Execute |
SUSR_CHECK_LOGON_DATA | Execute |
Attribute Mapping
User Attributes
SAP users are imported into EmpowerID accounts with the following attribute mappings:
SAP User Attribute | EmpowerID Attribute | Description |
---|---|---|
NAME_FIRST | FirstName | First name of the user |
NAME_LAST | LastName | Last name of the user |
NAMEMIDDLE | MiddleName | Middle name of the user |
BNAME | LogonName | User name of the user |
BNAME | SystemIdentifier | Unique system identifier of the user |
TEL_NUMBER_MOBILE | MobileNumber | Mobile number of the user |
TEL_NUMBER | Telephone | Home phone number of the user |
SMTP_ADDR | | Email ID of the user |
LANGU | PreferredLanguage | Language of the user |
UFLAG | Disabled | Specifies whether or not user is active |
TITLE | PersonalTitle | PersonalTitle of the user |
TITLE_ACA1 | AcademicTitle | AcademicTitle of the user |
FUNCTION | BusinessFunction | BusinessFunction of the user |
ROOMNUMBER | RoomNumber | RoomNumber of the user |
FLOOR | Floor | Floor of the user |
BUILDING | BuildingCode | BuildingCode of the user |
FAX_NUMBER | Fax | Fax of the user |
USERALIAS | Alias | Alias of the user |
USTYP | UserType | UserType of the user |
SECURITY_POLICY | SecurityPolicy | SecurityPolicy of the user |
DEPARTMENT | Department | Department name of the user |
CLASS | UserGroup | UserGroup of the user |
GLTGV | ValidFrom | ValidFrom of the user |
GLTGB | ValidUntil | ValidUntil of the user |
ACCNT | AccountNo | AccountNo of the user |
KOSTL | CostCenter | CostCenter of the user |
TZONE | TimeZone | Time Zone of the user |
PWDCHGDATE | PasswordLastChanged | PasswordLastChanged |
TRDAT+LTIME | LastLogonTime | LastLogonTime |
company | Company | Company name of the user |
PNAME | UserPrincipalName | SNC Name of the user |
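To make the user mapping above concrete, here is an added Python example (not code from EmpowerID or from this page) that applies the USR02 part of the table to constructed sample rows: UFLAG to Disabled, GLTGV/GLTGB to ValidFrom/ValidUntil, and TRDAT+LTIME to LastLogonTime, including SAP's 00000000 "unset" dates. The sample rows, the valid_on helper and the treatment of every non-zero UFLAG as locked are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample USR02 rows in the shape RFC_READ_TABLE returns them:
# DATS fields are YYYYMMDD, TIMS fields are HHMMSS, an unset date is 00000000.
SAMPLE_USR02 = [
    {"BNAME": "JSMITH", "UFLAG": "0",
     "GLTGV": "20230101", "GLTGB": "00000000", "TRDAT": "20240315", "LTIME": "081542"},
    {"BNAME": "SVC_BATCH", "UFLAG": "0",
     "GLTGV": "00000000", "GLTGB": "20241231", "TRDAT": "00000000", "LTIME": "000000"},
    {"BNAME": "OLDUSER", "UFLAG": "128",
     "GLTGV": "20200101", "GLTGB": "20221231", "TRDAT": "20221201", "LTIME": "170001"},
]

def sap_date(dats: str) -> Optional[date]:
    """SAP DATS -> date; 00000000 or blank means 'not set'."""
    dats = dats.strip()
    return None if dats in ("", "00000000") else datetime.strptime(dats, "%Y%m%d").date()

def sap_datetime(dats: str, tims: str) -> Optional[datetime]:
    """TRDAT (DATS) + LTIME (TIMS) -> one timestamp (the LastLogonTime mapping)."""
    if sap_date(dats) is None:  # never logged on
        return None
    return datetime.strptime(dats.strip() + tims.strip().zfill(6), "%Y%m%d%H%M%S")

@dataclass
class AccountRecord:
    LogonName: str
    SystemIdentifier: str
    Disabled: bool
    ValidFrom: Optional[date]
    ValidUntil: Optional[date]
    LastLogonTime: Optional[datetime]

    def valid_on(self, day: date) -> bool:
        """Assumed helper: is `day` inside the GLTGV..GLTGB validity window?"""
        return ((self.ValidFrom is None or self.ValidFrom <= day)
                and (self.ValidUntil is None or day <= self.ValidUntil))

def map_usr02_row(row: dict) -> AccountRecord:
    # UFLAG is SAP's lock status (0 = not locked); treating every non-zero value
    # as Disabled is this example's assumption, SAP uses one code per lock reason.
    return AccountRecord(
        LogonName=row["BNAME"], SystemIdentifier=row["BNAME"],
        Disabled=int(row["UFLAG"].strip() or 0) != 0,
        ValidFrom=sap_date(row["GLTGV"]), ValidUntil=sap_date(row["GLTGB"]),
        LastLogonTime=sap_datetime(row["TRDAT"], row["LTIME"]),
    )
```

An account that is not locked but whose validity window has lapsed (SVC_BATCH after 2024-12-31) would still import as Disabled=False, which is why the example keeps ValidFrom/ValidUntil as separate attributes.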
Role Attributes
SAP roles are imported into EmpowerID groups with the following attribute mappings:
SAP Role Attribute | EmpowerID Attribute | Description |
---|---|---|
AGR_NAME(AGR_DEFINE) | Name | Name of the Group. |
“Role_” + AGR_NAME(AGR_DEFINE) | LogonName | LogonName of the Group |
TEXT(AGR_TEXTS) where the LINE column of AGR_TEXTS = '00000', followed by (SAP Composite Role or SAP Single Role) | FriendlyName | FriendlyName of the Group |
Concatenation of all TEXT(AGR_TEXTS) rows where the LINE column of AGR_TEXTS != '00000' | Description, Notes | Description and Notes of the Group |
Derived from the relations in the AGR_AGRS table | GroupTypeID | Identifier that distinguishes the SAP role type (single or composite role) |
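The role mapping in the table above, as an added Python example (not EmpowerID's own code) run over constructed AGR_DEFINE, AGR_TEXTS and AGR_AGRS rows; it also filters texts by SPRAS language, which the table does not mention. The GroupTypeID labels, the parenthesised FriendlyName format and the Children field are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample rows (not data from the page) in the shape RFC_READ_TABLE
# returns the three role tables; the SPRAS 'D' row shows a second language.
AGR_DEFINE = [{"AGR_NAME": "Z_FIN_AP_CLERK"}, {"AGR_NAME": "Z_FIN_ALL"}]
AGR_TEXTS = [
    {"AGR_NAME": "Z_FIN_AP_CLERK", "SPRAS": "E", "LINE": "00000", "TEXT": "AP clerk"},
    {"AGR_NAME": "Z_FIN_AP_CLERK", "SPRAS": "E", "LINE": "00002", "TEXT": "and runs payment proposals."},
    {"AGR_NAME": "Z_FIN_AP_CLERK", "SPRAS": "E", "LINE": "00001", "TEXT": "Posts vendor invoices"},
    {"AGR_NAME": "Z_FIN_AP_CLERK", "SPRAS": "D", "LINE": "00000", "TEXT": "Kreditorenbuchhalter"},
    {"AGR_NAME": "Z_FIN_ALL", "SPRAS": "E", "LINE": "00000", "TEXT": "All finance roles"},
]
AGR_AGRS = [{"AGR_NAME": "Z_FIN_ALL", "CHILD_AGR": "Z_FIN_AP_CLERK"}]

SINGLE, COMPOSITE = "SAP Single Role", "SAP Composite Role"  # assumed GroupTypeID labels

@dataclass
class GroupRecord:
    Name: str
    LogonName: str
    FriendlyName: str
    Description: str
    GroupTypeID: str
    Children: List[str]  # assumed extra field: CHILD_AGR rows of a composite role

def map_roles(defines, texts, agrs, language="E") -> Dict[str, GroupRecord]:
    """Apply the AGR_DEFINE / AGR_TEXTS / AGR_AGRS -> EmpowerID group mapping."""
    children: Dict[str, List[str]] = {}
    for rel in agrs:  # a role that has child roles in AGR_AGRS is a composite role
        children.setdefault(rel["AGR_NAME"], []).append(rel["CHILD_AGR"])
    groups = {}
    for d in defines:
        name = d["AGR_NAME"]
        rows = sorted((t for t in texts if t["AGR_NAME"] == name and t["SPRAS"] == language),
                      key=lambda t: t["LINE"])  # LINE orders the description text
        title = next((t["TEXT"] for t in rows if t["LINE"] == "00000"), name)
        body = " ".join(t["TEXT"] for t in rows if t["LINE"] != "00000")
        kind = COMPOSITE if name in children else SINGLE
        groups[name] = GroupRecord(
            Name=name,
            LogonName="Role_" + name,
            FriendlyName=f"{title} ({kind})",
            Description=body,
            GroupTypeID=kind,
            Children=children.get(name, []),
        )
    return groups
```

The profile mapping that follows works the same way, with PROFN/PTEXT from USR10/USR11 in place of AGR_NAME/TEXT and TYP from USR10 in place of the AGR_AGRS lookup.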
Profile Attributes
SAP profiles are imported into EmpowerID groups with the following attribute mappings:
SAP Profile Attribute | EmpowerID Attribute | Description |
---|---|---|
PROFN(USR10) | Name | Name of the Group |
“Profile_” + PROFN(USR10) | LogonName | LogonName of the Group |
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile) | FriendlyName | FriendlyName of the Group |
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile) | Description | Description of the Group |
Derived from TYP in the USR10 table | GroupTypeID | Identifier that distinguishes the SAP profile type (single or composite profile) |
Configuration Settings
Inventory of SAP TCodes and Authorization Objects as rights in EmpowerID is optional and controlled by the following system settings:
SAPInventorySAPPBAC
Type: Boolean
Description: Determines whether EmpowerID inventories both SAP TCodes and Authorization data as local rights.
Value: Set to true to enable inventory.
SAPInventorySAPPBACTcodes
Type: Boolean
Description: Determines whether EmpowerID inventories only SAP TCodes as local rights.
Value: Set to true to enable inventory of TCodes only.
For configuration details, refer to the Connect to SAP S/4 HANA article.
Tip
As each organization's implementation, practices, and procedures with SAP differ, EmpowerID uses an SAP Data Analysis Utility to verify that the necessary tables can be read and the necessary BAPIs can be invoked. The utility reads from the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse, which gives EmpowerID the opportunity to review and analyze the data and adjust the connector logic before the connection is set up.