Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The EmpowerID SAP S/4HANA

...

Connector enables seamless integration between EmpowerID and SAP S/4HANA systems. It allows you to create, synchronize, and manage

...

user

...

accounts, roles, profiles, and their assignments. Additionally, the connector supports the inventory of SAP

...

Transaction Codes (TCodes),

...

Authorization Objects, and

...

their field type values as rights

...

within EmpowerID. This

...

comprehensive solution streamlines the management of SAP identities and access rights.

Key Features

Account Management

  • Inventory User Accounts: Automatically import SAP S/4HANA user accounts into EmpowerID.

  • Create User Accounts: Provision new SAP S/4HANA user accounts directly from EmpowerID.

  • Update

...

  • User Accounts: Modify existing user account information.

  • Enable and Disable User Accounts: Control the activation status of user accounts.

  • Change User Passwords: Reset or update user passwords securely.

Role and Profile Management

  • Inventory

...

  • Roles and Profiles: Import SAP roles and profiles as groups

...

Inventory role or profile memberships as group accounts

...

  • in EmpowerID.

  • Manage Memberships: Add or remove users from roles or profiles.

  • Synchronize Assignments: Keep role and profile assignments up-to-date across systems.

SAP

...

TCode Inventory

...

  • Inventory SAP Modules: Retrieve all SAP modules from the TDEVC table and

...

  • store them in the ResourceSystemModule table in EmpowerID.

...

  • Inventory Transaction Codes: Import SAP transaction codes from the TSTC table

...

Inventories the relationship between roles/profiles and TCODES and stores this information in the AzAssigneeLocalRightScope table in EmpowerID

SAP Authorization Object and FieldTypes Inventory

  • Inventories SAP authorization objects from the TOBJ table and stores that information in the AzLocalRights table in EmpowerID with AzLocalRightTypeID of 7

  • Inventories SAP FieldTypes from the AUTHX table and stores that information in the AzFieldType table of EmpowerID

  • Inventories the relationship between authorization objects and fieldtypes and stores that information in the AzGlobalRightFieldType table of EmpowerID

  • Inventories the relationship between SAP single role to authorization object from the AGR_1251 table in SAP and stores that information in the AzAssigneeLocalRightScope table in EmpowerID

  • Inventories the relationship between SAP transaction codes and authorization objects from the USOBX_C table in SAP and stores that information in the AzGlobalRightRelatedRight table in EmpowerID

  • Inventories the relationship between Role > AuthObject > FieldType > Low and High values from the AGR_1251 and AGR_1252 tables and stores that information in the AzAssigneeRightAzGlobalRightFieldType of EmpowerID. The multiple explicit values are stored in the AzAssigneeRightAzGlobalRightFieldTypeValue table of EmpowerID.

Info

Inventory of SAP TCODES and SAP Authorization Objects and its field type values as rights in EmpowerID is optional. The inventory of these objects is controlled by the below system settings:

  • SAPInventorySAPPBAC – This is a Boolean setting that determines whether EmpowerID inventories SAP TCODES AND SAP Authorization data as AzLocalRights. The value must be set to true for EmpowerID to inventory both authorization data and TCODES as local rights.

  • SAPInventorySAPPBACTcodes – This is a Boolean setting that determines whether EmpowerID inventories ONLY SAP TCODES as AzLocalRights. The value must be set to true for EmpowerID to inventory TCODES as local rights.

For information on how to configure these settings, please see Configure EmpowerID for SAP PBAC.

Account Attributes

Users in SAP are inventoried as accounts in EmpowerID. The following table shows the attribute mapping of SAP User attributes to EmpowerID Account attributes:

...

SAP User Attribute

...

Corresponding EmpowerID Attribute

...

Description

...

NAME_FIRST

...

FirstName

...

First name of the user

...

NAME_LAST

...

LastName

...

Last name of the user

...

NAMEMIDDLE

...

MiddleName

...

Middle name of the user

...

BNAME

...

LogonName

...

User name of the user

...

BNAME

...

SystemIdenitfier

...

Unique System Identifier of the user

...

TEL_NUMBER_MOBILE

...

MobileNumber

...

Mobile number of the user

...

TEL_NUMBER

...

Telephone

...

Home phone number of the user

...

SMTP_ADDR

...

Email

...

Email ID of the user

...

LANGU

...

PreferredLanguage

...

Language of the user

...

UFLAG

...

Disabled

...

Specifies whether or not user is active

...

TITLE

...

PersonalTitle

...

PersonalTitle of the user

...

TITLE_ACA1

...

AcademicTitle

...

AcademicTitle of the user

...

FUNCTION

...

BusinessFunction

...

BusinessFunction of the user

...

ROOMNUMBER

...

RoomNumber

...

RoomNumber of the user

...

FLOOR

...

Floor

...

Floor of the user

...

BUILDING

...

BuildingCode

...

BuildingCode of the user

...

FAX_NUMBER

...

Fax

...

Fax of the user

...

USERALIAS

...

Alias

...

Alias of the user

...

USTYP

...

UserType

...

UserType of the user

...

SECURITY_POLICY

...

SecurityPolicy

...

SecurityPolicy of the user

...

DEPARTMENT

...

Department

...

Department name of the user

...

CLASS

...

UserGroup

...

UserGroup of the user

...

GLTGV

...

ValidFrom

...

ValidFrom of the user

...

GLTGB

...

ValidUntil

...

ValidUntil of the user

...

ACCNT

...

AccountNo

...

AccountNo of the user

...

KOSTL

...

CostCenter

...

CostCenter of the user

...

TZONE

...

TimeZone

...

Time Zone of the user

...

PWDCHGDATE

...

PasswordLastChanged

...

PasswordLastChanged

...

TRDAT+LTIME

...

LastLogonTime

...

LastLogonTime

...

company

...

Company

...

Company name of the user

...

PNAME

...

UserPrincipalName

...

SNC Name of the user

Role Attributes

Roles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Role attributes to EmpowerID Group attributes:

...

SAP Role Attribute

...

EmpowerID Attribute

...

Description

...

AGR_NAME(AGR_DEFINE)

...

Name

...

Name of the Group.

...

“Role_” + AGR_NAME(AGR_DEFINE)

...

LogonName

...

LogonName of the Group

...

TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS = '00000' +(SAP CompositeRole or SAP Single Role)

...

FriendlyName

...

FriendlyName of the Group

...

Concatenation of all rows from  TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS != '00000'

...

Description, Notes

...

Description, Notes of the Group

...

Use Relation FROM AGR_AGRS table to calculate the role type

...

GroupTypeID

...

Identifier to distinguish the sap role type either single or composite role

...

Profile Attributes

Profiles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Profile attributes to EmpowerID Group attributes:

...

SAP Profile Attribute

...

EmpowerID Attribute

...

Description

...

PROFN(USR10)

...

Name

...

Name of the Group

...

“Profile_” + PROFN(USR10)

...

LogonName

...

LogonName of the Group

...

PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)

...

FriendlyName

...

FriendlyName of the Group

...

PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)

...

Description

...

Description of the Group

...

Use TYP from USR10 table to calculate the profile type

...

GroupTypeID

...

Identifier to distinguish the sap profile type either single or composite profile

Prerequisites

To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.

You can connect EmpowerID to SAP R/3 system two ways:

  1. Application Server

  2. Message Server

Each has its own set of prerequisites. Expand the drop-down for that connection method to view.

...

titleApplication Server Prerequisites

You also need the following from SAP to connect EmpowerID to SAP via Application Server:

  • Host Name of the application server used for RFC communication

  • Username that is authorized to connect to the R/3 system from EmpowerID

  • Password of the service account

  • ClientID of the application server

  • Instance number of the application server

  • Network port number that is open to connect to the application server

Info

By default, the SAP connector uses the 33+Instancenumber as the port to connect to the SAP application server. If a different port is used, specify the port number in the hostname column with the following syntax “HostName + ‘:’ + portNumber”

...

titleMessage Server Prerequisites

You also need the following from SAP to connect EmpowerID to SAP via Message Server:

  • Host Name of the Message Server used to establish the connection the to SAP R/3 system

  • Name of the LogonGroup used by the SAP R/3 connector

  • SystemID of the SAP system

  • Username that is authorized to connect to the Message Server

  • Password of the service account

Additionally, the following conditions must be met:

  • , storing relationships between TCodes and SAP modules.

  • Assign Rights: Map transaction codes to local rights within EmpowerID for access control.

SAP Authorization Objects and Field Types Inventory

  • Inventory Authorization Objects: Import from the TOBJ table into the AzLocalRights table with AzLocalRightTypeID of 7.

  • Inventory Field Types: Import field types from the AUTHX table into the AzFieldType table.

  • Map Relationships: Establish relationships between authorization objects, field types, roles, and transaction codes for comprehensive rights management.

Prerequisites

General Requirements

  • SAP Account: A user account in SAP with the necessary permissions.

  • SAP GUI Server Installation: Install SAP GUI Server on your EmpowerID server.

  • librfc32.dll Assembly: Each EmpowerID server used to run workflows or perform inventory functions must have

...

  • the librfc32.dll

...

  • assembly copied into

...

  • the C:\Windows\System32

...

  • folder. EmpowerID uses

...

  • this assembly to perform various SAP processes (inventory, workflows, etc.). You can download the assembly from EmpowerID at the following link:

...

...

Connection Methods

EmpowerID can connect to SAP S/4HANA via two methods:

  1. Application Server

    • Required Information:

      • Hostname of the application server

      • Client ID

      • Instance number

      • Network port (default is 33 + instance number)

      • Service account username and password

  2. Message Server

    • Required Information:

      • Hostname of the message server

      • Logon group name

      • System ID

      • Service account username and password

Note: Ensure the appropriate ports are open and the hostnames are resolvable.

SAP Account Permissions

  • Access to Necessary Tables: The SAP proxy account used for the S/4HANA connector needs read access to specific SAP tables (listed in the Required SAP Tables and Columns section below).

  • Remote Procedure Calls (BAPIs and RFCs): The service account must be able to execute required BAPIs and RFCs (listed in the Required Remote Procedure Calls section below).

  • Read-Only Connections: For read-only connections, the service account needs access to the RFC_READ_TABLE BAPI.

...

  • Mandatory Fields: Ensure all mandatory fields

...

  • (

...

  • e.

...

  • g., LastName, PersNumber)

...

  • are populated.

  • Standard Table Structure: Standard tables should have

...

  • consistent structures across all

...

  • systems

...

  • .

  • Unique Records: Records should not have

...

  • leading or trailing spaces on

...

  • primary key columns.

  • Data Quality: The system should be free of

...

  • data issues

...

  • , such as duplicate company codes pointing to the same address number.

Network Configurations

The following network configurations should be in place for connecting to the SAP system:

  • Port Accessibility: The EmpowerID server used to connect to the SAP system

...

  • should have all necessary ports open.

  • Hostname Resolution: Ensure the SAP system

...

  • 's hostname is resolvable to an IP address.

...

  • SAP GUI Installation: Install the SAP GUI Server on your EmpowerID server if not already installed.

Data Integrity Requirements

  • Consistent Data: Ensure data across SAP systems is consistent and free from anomalies.

  • Unique Identifiers: Systems should have unique records, especially on primary key columns.

  • No Data Issues: Resolve any data issues before integration, such as duplicates or invalid references.

Required SAP Tables and Columns

The service account must have access to the following SAP tables and their specified columns:

SAP Table

Required Columns (Keys)

ADCP

CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, NATION

ADR2

CLIENT, CLIENT, ADDRNUMBER, ADDRNUMBER, PERSNUMBER, PERSNUMBER, DATE_FROM, DATE_FROM, CONSNUMBER, CONSNUMBER, CONSNUMBER, TEL_NUMBER, TEL_NUMBER

ADR3

CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER

ADR6

CLIENT, ADDRNUMBER, ADDRNUMBER, PERSNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, FLGDEFAULT, SMTP_ADDR

ADRP

CLIENT, PERSNUMBER, PERSNUMBER, DATE_FROM, NATION, NAME_FIRST, NAME_LAST

AGR_1016

MANDT, AGR_NAME, AGR_NAME, COUNTER, PROFILE

AGR_1251

MANDT, AGR_NAME, AGR_NAME, AGR_NAME, COUNTER, OBJECT, OBJECT, FIELD, FIELD, LOW, LOW, HIGH, HIGH

AGR_1252

MANDT, AGR_NAME, COUNTER

AGR_AGRS

MANDT, AGR_NAME, AGR_NAME, CHILD_AGR, CHILD_AGR

AGR_DEFINE

MANDT, AGR_NAME

AGR_TEXTS

MANDT, AGR_NAME, AGR_NAME, AGR_NAME, SPRAS, LINE, LINE, LINE, TEXT

AGR_USERS

MANDT, AGR_NAME, UNAME, FROM_DAT, TO_DAT

AUSOBT

NAME, TYPE, OBJECT, FIELD, LOW

AUTHX

FIELDNAME

BUT000

CLIENT, PARTNER, TYPE

BUT051

CLIENT, RELNR, PARTNER1, PARTNER2, DATE_TO

BUT100

MANDT, PARTNER, RLTYP, DFVAL

DD04T

ROLLNAME, DDLANGUAGE, AS4LOCAL, AS4VERS

GRACFFCTRL

MANDT, APP_TYPE, FFOBJECT, CONNECTOR, CNTRL_ID

GRACFFOWNER

MANDT, APP_TYPE, FFOBJECT, CONNECTOR, OWNER

GRACFFOWNERT

MANDT, LANGU, APP_TYPE, FFOBJECT, CONNECTOR, OWNER

GRACFFUSER

MANDT, APP_TYPE, FFOBJECT, CONNECTOR, FF_USER

HRP1000

MANDT, MANDT, MANDT, PLVAR, OTYPE, OTYPE, OTYPE, OBJID, OBJID, ISTAT, BEGDA, ENDDA, LANGU, SEQNR, OTJID

HRP1001

MANDT, MANDT, OTYPE, OBJID, OBJID, PLVAR, RSIGN, RELAT, ISTAT, PRIOX, BEGDA, ENDDA, VARYF, SEQNR, SCLAS, SOBID

HRP1032

MANDT, PLVAR, OTYPE, SUBTY, OBJID, ISTAT, ENDDA, BEGDA, VARYF, SEQNR

PA0000

MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR

PA0001

MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR

PA0002

MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR

PA0006

MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR

PA0016

MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR

PA0032

MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR

PA0105

MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR

PA2006

MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR

RSBPCE_TEAM

APPSET_ID, TEAM_ID, OBJVERS

RSBPCE_USER_TEAM

APPSET_ID, TEAM_ID, TEAM_ID, OBJVERS, USER_ID, USER_ID

T591S

MANDT, SPRSL, INFTY, SUBTY

TACT

ACTVT

TACTZ

BROBJ, ACTVT

TADIR

PGMID, OBJECT, OBJ_NAME

TB003

CLIENT, ROLE

TB003T

CLIENT, SPRAS, ROLE

TDEVC

DEVCLASS

TOBC

OCLSS

TOBJ

OBJCT

TOBJC

OBJCT, OCLSS

TOBJT

LANGU, OBJECT

TSAD3

CLIENT, TITLE

TSAD3T

CLIENT, TITLE, LANGU

TSTC

TCODE

TSTCT

SPRSL, TCODE

USCOMPANY

MANDT, COMPANY

USGRP

MANDT, USERGROUP

USGRP_USER

MANDT, BNAME, USERGROUP, FROM_DAT, TO_DAT

USOBT

NAME, TYPE, OBJECT, FIELD, LOW

USOBT_C

NAME, TYPE, OBJECT, FIELD, LOW

USOBX

NAME, TYPE, OBJECT

USOBX_C

NAME, TYPE, OBJECT

USORG

FIELD

USR01

MANDT, BNAME

USR02

MANDT, BNAME, BNAME, GLTGV, GLTGB, USTYP, CLASS, UFLAG, TRDAT, LTIME

USR05

MANDT, BNAME, PARID

USR06

MANDT, BNAME

USR10

MANDT, PROFN, PROFN, AKTPS, TYP

USR11

MANDT, LANGU, PROFN, PROFN, AKTPS, PTEXT

USR21

MANDT, BNAME

USRACL

MANDT, BNAME

USREFUS

MANDT, BNAME

UST04

MANDT, BNAME, PROFILE

UST10C

MANDT, PROFN, PROFN, AKTPS, SUBPROF, SUBPROF

UST10S

MANDT, PROFN, PROFN, PROFN, AKTPS, OBJCT, OBJCT, OBJCT, AUTH, AUTH, AUTH

UST12

MANDT, OBJCT, OBJCT, AUTH, AUTH, AKTPS, FIELD, FIELD, VON, VON, BIS, BIS

Required Remote Procedure Calls (BAPIs and RFCs)

The service account must be able to execute the following remote procedure calls:

Required Remote Procedure Calls

Required Activity

BAPI_USER_ACTGROUPS_ASSIGN

...

 Execute

BAPI_USER_CHANGE

Execute

BAPI_USER_CREATE1

Execute

BAPI_USER_DELETE

Execute

BAPI_USER_EXISTENCE_CHECK

Execute

BAPI_USER_GETLIST

Execute

BAPI_USER_GET_DETAIL

Execute

BAPI_USER_LOCK

Execute

BAPI_USER_UNLOCK

Execute

BAPI_USER_PROFILES_ASSIGN

Execute

IDENTITY_MODIFY

Execute

PING

Execute

RFCPING

Execute

RFC_GET_FUNCTION_INTERFACE

Execute

RFC_GET_NAMETAB

Execute

RFC_PING

Execute

RFC_READ_TABLE

...

PING

...

Execute

RFC_READ_TABLE2

Execute

RFC_GET_FUNCTION_INTERFACE

Execute

RFC_GET_NAMETAB

...

RFC_PING

...

Macrosuite divider macro
dividerWidth100
dividerTypetext-with-icon
emoji{"id":"smile","name":"Smiling Face with Open Mouth and Smiling Eyes","short_names":["smile"],"colons":":smile:","emoticons":["C:","c:",":D",":-D"],"unified":"1f604","skin":null,"native":"😄"}
textColor#000000
dividerWeight3
labelPositionmiddle
textAlignmentcenter
iconColor#0052CC
iconSizemedium
fontSizemedium
textNext Steps
emojiEnabledfalse
dividerIconbootstrap/BarChartSteps
dividerColor#DFE1E6

...

Execute

SUSR_CHECK_LOGON_DATA

Execute

Attribute Mapping

User Attributes

SAP users are imported into EmpowerID accounts with the following attribute mappings:

SAP User Attribute

EmpowerID Attribute

Description

NAME_FIRST

FirstName

First name of the user

NAME_LAST

LastName

Last name of the user

NAMEMIDDLE

MiddleName

Middle name of the user

BNAME

LogonName

User name of the user

BNAME

SystemIdenitfier

Unique System Identifier of the user

TEL_NUMBER_MOBILE

MobileNumber

Mobile number of the user

TEL_NUMBER

Telephone

Home phone number of the user

SMTP_ADDR

Email

Email ID of the user

LANGU

PreferredLanguage

Language of the user

UFLAG

Disabled

Specifies whether or not user is active

TITLE

PersonalTitle

PersonalTitle of the user

TITLE_ACA1

AcademicTitle

AcademicTitle of the user

FUNCTION

BusinessFunction

BusinessFunction of the user

ROOMNUMBER

RoomNumber

RoomNumber of the user

FLOOR

Floor

Floor of the user

BUILDING

BuildingCode

BuildingCode of the user

FAX_NUMBER

Fax

Fax of the user

USERALIAS

Alias

Alias of the user

USTYP

UserType

UserType of the user

SECURITY_POLICY

SecurityPolicy

SecurityPolicy of the user

DEPARTMENT

Department

Department name of the user

CLASS

UserGroup

UserGroup of the user

GLTGV

ValidFrom

ValidFrom of the user

GLTGB

ValidUntil

ValidUntil of the user

ACCNT

AccountNo

AccountNo of the user

KOSTL

CostCenter

CostCenter of the user

TZONE

TimeZone

Time Zone of the user

PWDCHGDATE

PasswordLastChanged

PasswordLastChanged

TRDAT+LTIME

LastLogonTime

LastLogonTime

company

Company

Company name of the user

PNAME

UserPrincipalName

SNC Name of the user

Role Attributes

SAP roles are imported into EmpowerID groups with the following attribute mappings:

SAP Role Attribute

EmpowerID Attribute

Description

AGR_NAME(AGR_DEFINE)

Name

Name of the Group.

“Role_” + AGR_NAME(AGR_DEFINE)

LogonName

LogonName of the Group

TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS = '00000' +(SAP CompositeRole or SAP Single Role)

FriendlyName

FriendlyName of the Group

Concatenation of all rows from  TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS != '00000'

Description, Notes

Description, Notes of the Group

Use Relation FROM AGR_AGRS table to calculate the role type

GroupTypeID

Identifier to distinguish the sap role type either single or composite role

Profile Attributes

SAP profiles are imported into EmpowerID groups with the following attribute mappings:

SAP Profile Attribute

EmpowerID Attribute

Description

PROFN(USR10)

Name

Name of the Group

“Profile_” + PROFN(USR10)

LogonName

LogonName of the Group

PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)

FriendlyName

FriendlyName of the Group

PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)

Description

Description of the Group

Use TYP from USR10 table to calculate the profile type

GroupTypeID

Identifier to distinguish the sap profile type either single or composite profile

Configuration Settings

Inventory of SAP TCodes and Authorization Objects as rights in EmpowerID is optional and controlled by the following system settings:

  • SAPInventorySAPPBAC

    • Type: Boolean

    • Description: Determines whether EmpowerID inventories both SAP TCodes and Authorization data as local rights.

    • Value: Set to true to enable inventory.

  • SAPInventorySAPPBACTcodes

    • Type: Boolean

    • Description: Determines whether EmpowerID inventories only SAP TCodes as local rights.

    • Value: Set to true to enable inventory of TCodes only.

For configuration details, refer to the Connect to SAP S/4 HANA article.

Tip

As each organization's implementation, practices, and procedures with SAP differs, EmpowerID uses an SAP Data Analysis Utility to ensure the necessary tables can be read and the necessary BAPI's can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This provides EmpowerID with the opportunity to review and analyze data in order to modify connector logic before setting up the connection.

...

Div
stylefloat: left; position: fixed;padding: 5px;

IN THIS ARTICLE

Table of Contents
minLevel2
maxLevel3
include
outlinefalse
indent
stylenone
exclude
typelist
classtoctable
printabletrue