
The EmpowerID SAP connector can connect to the two main SAP modules used for managing identity information, the ECC module and the HCM module. The ECC module stores the information for accessing SAP and the means of authorizing access to SAP, which include

  • action groups,

  • profiles, and

  • individual authorization objects.

The HCM module manages employees and often serves as the authoritative source for employee information, including employment status, location, roles and responsibilities. When EmpowerID connects to either of these SAP modules, it creates a single account store object for that module with configurable settings that specify how EmpowerID manages the identity information.

SAP ECC Connector

The ECC connector is bi-directional, meaning that EmpowerID can both read from and write to the module. This allows you to manage ECC users and their access to SAP from EmpowerID. When you connect EmpowerID to the ECC module, EmpowerID reads the list of users, their status (active/disabled) and the action groups and profiles assigned to each. EmpowerID can create new ECC users, enable and disable ECC users, reset passwords and assign action groups and profiles.

Info

Prerequisites: The SAP proxy account used for the ECC connector

reads from the SAP tables below:

SAP Tables Read by the ECC Connector

ADCP

ADR2

ADR3

ADR6

ADRP

AGR_1016

needs to have access to the below tables as well as the ability to make the remote procedure calls listed:

REQUIRED TABLE ACCESS

REQUIRED REMOTE PROCEDURE CALLS

ADCP

BAPI_USER_ACTGROUPS_ASSIGN

ADR3

BAPI_USER_CHANGE

ADRP

BAPI_USER_CREATE1

AGR_1251AGR_AGRS

BAPI_USER_EXISTENCE_CHECK

AGR_DEFINEAGR

BAPI_USER_TEXTSGETLIST

AGR_USERSTSTC

BAPI_USER_GET_DETAIL

TSTCT

BAPI_USER_LOCK

USR02USR10

BAPI_USER_UNLOCK

USR11

USR21PING

USRACL

USREFUSRFCPING

UST04

UST10C

UST10S

RFC_GET_FUNCTION_INTERFACE

UST10S

RFC_GET_NAMETAB

ADR2

RFC_PING

ADR6

RFC_READ_TABLE

AGR_1016

REQUIRED ACTIVITY

AGR_AGRS

Execute

AGR_TEXTS

TSTC

USCOMPANY

USR10

USR21

USREFUS

UST10C

UST12


EmpowerID uses the following stock BAPIs:

  • BAPI_USER_ACTGROUPS_ASSIGN

  • BAPI_USER_CHANGE

  • BAPI_USER_CREATE1

  • BAPI_USER_DELETE

  • BAPI_USER_GET_DETAIL

  • BAPI_USER_PROFILES_ASSIGN

  • BAPI_USER_LOCK

  • BAPI_USER_UNLOCK

SAP HCM Connector

The HCM connector is read-only; EmpowerID pulls identity information from the HCM module, but does not write information back to it. When you connect EmpowerID to the HCM module, it reads a list of people and the demographic information (name, work address, etc.) for each individual user. Additionally, EmpowerID reads the organization structure in order to associate the job functions of each user with the appropriate roles in EmpowerID.

The HCM connector reads information from the SAP tables below:

SAP Tables Read by the HCM Connector

HRP1000

HRP1001

PA0000

PA0001

PA0002

PA0006

PA0032

PA0105

591S

Note

Prerequisites:

To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.

You also need the following from SAP to create your Account Store.

  • Host Name of the BAPI endpoint

  • Username that is authorized to read from and write to the BAPI

  • Password

  • App server FQDN

  • Instance number

  • System ID

Additionally, each EmpowerID server used to run workflows or perform inventory functions must have the librfc32.dll assembly copied into the C:\Windows\System32 folder. EmpowerID uses the assembly to perform various SAP processes (inventory, workflows, etc.). You can download the assembly from EmpowerID at the following link: https://dl.empowerid.com/SAP/librfc32_x64.zip

Tip

As each organization's implementation, practices, and procedures with SAP differ, EmpowerID uses an SAP Data Analysis Utility to ensure the necessary tables can be read and the necessary BAPIs can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This gives EmpowerID the opportunity to review and analyze the data in order to modify connector logic before setting up the connection.

Info

When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.

Installing the SAP GUI Server

  1. Download and extract the GUI7.3.zip file (or a newer version).

  2. Navigate to the GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\ folder and run SetupAll.exe.

  3. In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.

  4. Select the target directory where you want to install it and click Next.

  5. When it finishes installing, open SAP Logon from the desktop icon.

  6. In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.



  7. In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.

    • Description — ECC

    • Application Server — FQDN of your SAP Server, e.g. sap.mySAPserver.com

    • Instance Number — e.g. 77

    • System ID — e.g. EH9

    • SAProuter String — Leave this field empty.


  8. Click Finish. The new connection appears in the grid.



  9. Open File Explorer as Administrator and in the extracted GUI7.3.zip file, navigate to GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\

  10. From that folder, copy the SAP .NET connector file, librfc32.dll, and paste it into your C:\Windows\System32 folder.
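
The librfc32.dll placed in C:\Windows\System32 (step 10 above, and the download prerequisite earlier on this page) is used by EmpowerID for inventory and workflows, so it is worth vetting before the copy. The PowerShell below is an added example, not EmpowerID's own tooling: it records the SHA-256, reads the Authenticode status and the PE architecture, and copies the file only if the checks pass. The source path and the expected-hash parameter are assumptions; supply a hash obtained from the vendor out of band.

```powershell
# Added example: vet librfc32.dll before copying it into System32.
param(
    [string]$Source = 'C:\Temp\librfc32\librfc32.dll',  # assumed extraction path
    [string]$ExpectedSha256 = '',                        # assumed: hash obtained out of band
    [string]$Target = (Join-Path $env:windir 'System32\librfc32.dll')
)

function Get-PeMachine {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path has no MZ header; not a PE file"
    }
    $pe = [System.BitConverter]::ToInt32($bytes, 0x3C)            # e_lfanew
    if ($pe -lt 0 -or ($pe + 6) -gt $bytes.Length -or
        $bytes[$pe] -ne 0x50 -or $bytes[$pe + 1] -ne 0x45) {
        throw "$Path has no PE signature"
    }
    switch ([System.BitConverter]::ToUInt16($bytes, $pe + 4)) {   # COFF Machine field
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        default { 'other' }
    }
}

$sig    = Get-AuthenticodeSignature -FilePath $Source
$hash   = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
$arch   = Get-PeMachine -Path $Source
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

# Log line to keep with the change record for this server.
Write-Output "SHA256=$hash arch=$arch signature=$($sig.Status) signer=$signer"

# A supplied hash must match; without one, only a valid signature is accepted.
if ($ExpectedSha256 -and $hash -ne $ExpectedSha256) {
    throw "Refusing to install: SHA-256 does not match the expected value."
}
if (-not $ExpectedSha256 -and $sig.Status -ne 'Valid') {
    throw "Refusing to install: signature is $($sig.Status) and no expected hash was supplied."
}
if ($arch -ne 'x64') {
    Write-Warning "DLL is $arch; on 64-bit Windows, System32 is the 64-bit system directory."
}

Copy-Item -Path $Source -Destination $Target -Force
Write-Output "Installed $Target"
```

Review the printed signer before relying on a Valid status, since the script accepts any trusted signer; run it from an elevated session on each EmpowerID server that receives the DLL.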

To create a SAP account store in EmpowerID

  1. In the navigation sidebar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, click Create Account Store.


  3. Under System Types, search for SAP.

  4. Depending on the type of account store you wish to create, click either SAP ABAP or SAP HCM to select that type and then click Submit.


  5. On the SAP HCM or SAP ECC Settings page that appears, fill in the following information:

    • Display Name — Enter a name for your account store.

    • Host — Enter the FQDN of your SAP Server, e.g. sap.mySAPserver.com

    • User Name — Enter your SAP System Administrator's user name

    • Password — Enter your SAP System Administrator's password

    • SystemNumber — Enter the system number from your SAP account, e.g. 77.

    • DefaultLanguage —  Enter the two-letter language code, e.g. en.

    • Client — Enter the Client ID from your SAP account, e.g. 500.

  6. When finished, click Submit to create the account store.


  7. EmpowerID creates the account store and the associated resource system. The next step is to configure the attribute flow between the account store and EmpowerID.


Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

To configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.



    This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your Office 365 system as well as how you want EmpowerID to handle the user information it discovers in Office 365 during inventory. Settings that can be edited are described in the table below the image.




  2. Edit the account store as needed and then click Save to save your changes.

Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the user accounts in SAP to EmpowerID Persons as demonstrated below.

Tip

EmpowerID recommends using the Account Inbox for provisioning and joining.
