Page Comparison

Installing the SAP GUI Server

1. Download and extract the GUI7.3.zip file (or a newer version).
2. Navigate to the following folder and run SetupAll.exe:
   

   GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\

3. In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.
4. Select the target directory where you want to install it and click Next.
5. When it finishes installing, open SAP Logon from the desktop icon.
6. In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.
   
   
   
   
7. In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.
   • Description: ECC
   • Application Server: FQDN of your SAP ServerServer e.g. sap.mySAPserver.com
   • Instance Number: e.g. 77
   • System ID: e.g. EH9
   • SAProuter String: Leave this field empty.
     
     
     
     
8. ClickClick Finish. The new connection appears in the grid.
   
   
   
   
9. Open File Explorer as Administrator and in the extracted GUI7.3.zip file, navigate to:
   
   

   GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\
   
   

10. From that folder, copy the SAP .NET connector file, librfc32.dll and paste it into your C:\Windows\System32 folder.

To create an account store for SAP ECC or HCM on the web 

1. From the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
2. Click the Actions tab, and then click the Create Account Store action.
   
   
   
   
3. Select SAP-ECC or SAP-HR from the list of Security Boundary types.
   
   
   
   

4. In the SAP ECC (or HCM) Settings page, provide the following values:
   
   

   1. Host – Enter the FQDN of your SAP ServereServer, e.g. sap.mySAPserver.com
   2. User Name- Your SAP System Administrator's user name
   3. Password- Your SAP System Administrator's password
   4. Instance Number- The instance number from your SAP account, e.g. 77.
   5. Default Language Code- The two-letter language code to use, e.g. en.
   6. Client- The client ID from your SAP account, e.g. 500.
   7. Click Submit.
      
      
      
      
5. The Account Store is created and appears in the Account Stores grid and an associated Resource System appears on the Resource Systems tab.

To edit account store settings on the web

1. In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
2. On the Account Stores tab, search for the account store you just created and click the link to go to its details page.
   
   
   
   
3. On the Account Store Details page, click the Edit button or the name of the account store.
   
   
   
   
4. In the edit view of the page, you can edit values in any of the enabled fields. In the General section, these are:
   • Display Name – Edit the name of the account store as it appears in the list of account stores.
   • Proxy Connection Account – Change the domain, user name, and password for the connection.
   • Account Store Proxy Shared Credential – Click in this box and press Enter to see a list of shared credentials in your system to use for the proxy connection.
   • Password Manager Policy – Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy.
   • Application ID – If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.)
     Tenant ID – Enter the Tenant ID, if supplied by the connection account. (AWS uses this.)
   • Use Secure Binding – Toggleto  – Toggle to bind accounts with encryption.
   • Show in Tree – Toggle to show the account store in the Locations tree.
   • Default User Creation Path  – Select a location in which to create users if none is specified.
   • Default Group Creation Path – Select a location in which to create groups if none is specified.
   • EmpowerID Group Creation Path – Select a location in which to create EmpowerID groups if none is specified.
   • Max Accounts per Person – Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommended setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person.
     
     
     
     
5. In the Features section, you can select any of these values:
   • Use for Authentication – 
   • Allow Search for User Name in Authentication – 
   • Allow Password Sync – Toggle to allow EmpowerID to sync password changes discovered during inventory.
   • Queue Password Changes – Toggle to have EmpowerID send password changes to the Account Password Reset Inbox for batch processing.
   • Queue Password Changes on Failure – Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails.
   • Allow Account Creation on Membership Request – Toggle to allowallow users without accounts to request group membership and automatically have an account created.
   • Batch Calls – 
   • Allow Attribute Flow – Toggle to allow attribute changes to flow between EmpowerID and the account store.
   • Allow Person Provisioning – Toggle to allow EmpowerID to create Person objects from the user records discovered during inventory.
   • Allow Provisioning – Toggle to allow EmpowerID to create new Groups in ServiceNow from requests discovered during inventory.
   • Allow Deprovisioning – Toggle to allow EmpowerID to delete Groups in ServiceNow based on requests discovered during inventory.
   • Automatic Person Join – Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
   • Automatic Person Provision – Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
   • Default Provision Business Role – Set a default Business Role to assign people if none is specified.
   • Default Provision Location – Set a default Location to assign people if none is specified.
   • Allow Business Role and Location Re-Evaluation – Toggle if you have multiple account stores to manage and want to specify a priority for each.
   • Business Role and Location Re-Evaluation Order – Enter a number to specify the priority of the account store for determining the Business Roles and Locations to assign to a Person. Account Stores with a higher value take precedence.
   • Recertify All Group Changes – Toggle to allow EmpowerID to generate recertification review tasks for all changes in ServiceNow Groups.
     
     
     
     
6. When you have finished editing, click Save.

To connect to SAP in the Management Console

There are two types of SAP connectors in EmpowerID.

• The SAP ABAP connector connects to SAP ECC.
• The SAP HCM connector connects to SAP HR.

You can set up either or both. This example shows how to connect to SAP ECC, but it uses the same settings for SAP HR.

1. Log in to the EmpowerID Management Console as an administrator.
2. Click the EmpowerID icon, and select Configuration Manager from the menu.
3. Click Account Stores, and then click the Add New button above the grid.
4. In the Add New Security Boundary window that opens, select the SAP ABAP Security Boundary type and click OK.
   
   
   
   
5. In the Add SAP ECC Connection window that appears, enter these settings.
   • Host – FQDN of your SAP Server e.g. sap.mySAPserver.com
   • Username – Your SAP ECC System Administrator's user name
   • Password – Your SAP ECC System Administrator's password
   • Confirm Password – Re-enter your password
   • System Number – The instance number from your SAP ECC account, e.g. 77.
   • Default Language – The two-letter language code to use, e.g. en.
   • Client – The client ID from your SAP ECC account, e.g. 500.
     
     
     
     

6. Click Ok. EmpowerID creates the SAP ECC account store and adds a record for it in the Account Stores and Resource Systems grids.

   Info
   EmpowerID uses these credentials to connect to your SAP account. If they are incorrect, the connection fails and the account store is not created.

   
   

7. The Account Store Details for the SAP ECC system opens so that you can configure it.
   
   

Configuring the account store

The Account Store Details screen contains three panes that are relevant to the SAP connector—the General pane, the Inventory pane, and the Group Membership Reconciliation pane. Expand each pane below to view reference information about it.

1. 
   

   Tip
   Check the Last Success, Total Accounts, Total People, and Total Groups fields in the Inventory pane to ensure that EmpowerID inventoried the user accounts and provisioned the requisite number of EmpowerID Persons for those accounts (if you selected the provisioning options discussed above).