...
...
...
...
...
...
...
...
...
...
...
Inventory role or profile memberships as group accounts
...
...
...
...
...
...
Inventories the relationship between roles/profiles and TCODES and stores this information in the AzAssigneeLocalRightScope
table in EmpowerID
SAP Authorization Object and FieldTypes Inventory
Inventories SAP authorization objects from the
TOBJ
table and stores that information in theAzLocalRights
table in EmpowerID withAzLocalRightTypeID
of7
Inventories SAP FieldTypes from the
AUTHX
table and stores that information in theAzFieldType
table of EmpowerIDInventories the relationship between authorization objects and fieldtypes and stores that information in the
AzGlobalRightFieldType
table of EmpowerIDInventories the relationship between SAP single role to authorization object from the
AGR_1251
table in SAP and stores that information in theAzAssigneeLocalRightScope
table in EmpowerIDInventories the relationship between SAP transaction codes and authorization objects from the
USOBX_C
table in SAP and stores that information in theAzGlobalRightRelatedRight
table in EmpowerIDInventories the relationship between Role > AuthObject > FieldType > Low and High values from the
AGR_1251
andAGR_1252
tables and stores that information in theAzAssigneeRightAzGlobalRightFieldType
of EmpowerID. The multiple explicit values are stored in theAzAssigneeRightAzGlobalRightFieldTypeValue
table of EmpowerID.
Info |
---|
Inventory of SAP TCODES and SAP Authorization Objects and its field type values as rights in EmpowerID is optional. The inventory of these objects is controlled by the below system settings:
For information on how to configure these settings, please see Configure EmpowerID for SAP PBAC. |
Account Attributes
Users in SAP are inventoried as accounts in EmpowerID. The following table shows the attribute mapping of SAP User attributes to EmpowerID Account attributes:
...
SAP User Attribute
...
Corresponding EmpowerID Attribute
...
Description
...
NAME_FIRST
...
FirstName
...
First name of the user
...
NAME_LAST
...
LastName
...
Last name of the user
...
NAMEMIDDLE
...
MiddleName
...
Middle name of the user
...
BNAME
...
LogonName
...
User name of the user
...
BNAME
...
SystemIdenitfier
...
Unique System Identifier of the user
...
TEL_NUMBER_MOBILE
...
MobileNumber
...
Mobile number of the user
...
TEL_NUMBER
...
Telephone
...
Home phone number of the user
...
SMTP_ADDR
...
...
Email ID of the user
...
LANGU
...
PreferredLanguage
...
Language of the user
...
UFLAG
...
Disabled
...
Specifies whether or not user is active
...
TITLE
...
PersonalTitle
...
PersonalTitle of the user
...
TITLE_ACA1
...
AcademicTitle
...
AcademicTitle of the user
...
FUNCTION
...
BusinessFunction
...
BusinessFunction of the user
...
ROOMNUMBER
...
RoomNumber
...
RoomNumber of the user
...
FLOOR
...
Floor
...
Floor of the user
...
BUILDING
...
BuildingCode
...
BuildingCode of the user
...
FAX_NUMBER
...
Fax
...
Fax of the user
...
USERALIAS
...
Alias
...
Alias of the user
...
USTYP
...
UserType
...
UserType of the user
...
SECURITY_POLICY
...
SecurityPolicy
...
SecurityPolicy of the user
...
DEPARTMENT
...
Department
...
Department name of the user
...
CLASS
...
UserGroup
...
UserGroup of the user
...
GLTGV
...
ValidFrom
...
ValidFrom of the user
...
GLTGB
...
ValidUntil
...
ValidUntil of the user
...
ACCNT
...
AccountNo
...
AccountNo of the user
...
KOSTL
...
CostCenter
...
CostCenter of the user
...
TZONE
...
TimeZone
...
Time Zone of the user
...
PWDCHGDATE
...
PasswordLastChanged
...
PasswordLastChanged
...
TRDAT+LTIME
...
LastLogonTime
...
LastLogonTime
...
company
...
Company
...
Company name of the user
...
PNAME
...
UserPrincipalName
...
SNC Name of the user
Role Attributes
Roles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Role attributes to EmpowerID Group attributes:
...
SAP Role Attribute
...
EmpowerID Attribute
...
Description
...
AGR_NAME(AGR_DEFINE)
...
Name
...
Name of the Group.
...
“Role_” + AGR_NAME(AGR_DEFINE)
...
LogonName
...
LogonName of the Group
...
TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS = '00000' +(SAP CompositeRole or SAP Single Role)
...
FriendlyName
...
FriendlyName of the Group
...
Concatenation of all rows from TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS != '00000'
...
Description, Notes
...
Description, Notes of the Group
...
Use Relation FROM AGR_AGRS table to calculate the role type
...
GroupTypeID
...
Identifier to distinguish the sap role type either single or composite role
...
Profile Attributes
Profiles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Profile attributes to EmpowerID Group attributes:
...
SAP Profile Attribute
...
EmpowerID Attribute
...
Description
...
PROFN(USR10)
...
Name
...
Name of the Group
...
“Profile_” + PROFN(USR10)
...
LogonName
...
LogonName of the Group
...
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)
...
FriendlyName
...
FriendlyName of the Group
...
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)
...
Description
...
Description of the Group
...
Use TYP from USR10 table to calculate the profile type
...
GroupTypeID
...
Identifier to distinguish the sap profile type either single or composite profile
Prerequisites
To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.
You can connect EmpowerID to SAP R/3 system two ways:
Application Server
Message Server
Each has its own set of prerequisites. Expand the drop-down for that connection method to view.
...
title | Application Server Prerequisites |
---|
You also need the following from SAP to connect EmpowerID to SAP via Application Server:
Host Name of the application server used for RFC communication
Username that is authorized to connect to the R/3 system from EmpowerID
Password of the service account
ClientID of the application server
Instance number of the application server
Network port number that is open to connect to the application server
Info |
---|
By default, the SAP connector uses the 33+Instancenumber as the port to connect to the SAP application server. If a different port is used, specify the port number in the hostname column with the following syntax “HostName + ‘:’ + portNumber” |
...
title | Message Server Prerequisites |
---|
You also need the following from SAP to connect EmpowerID to SAP via Message Server:
Host Name of the Message Server used to establish the connection the to SAP R/3 system
Name of the LogonGroup used by the SAP R/3 connector
SystemID of the SAP system
Username that is authorized to connect to the Message Server
Password of the service account
Additionally, the following conditions must be met:
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
The following network configurations should be in place for connecting to the SAP system:
...
...
...
...
...
PING
...
...
RFC_PING
...
Macrosuite divider macro | ||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...
...