The EmpowerID SAP S/4HANA connector lets you create, synchronize, and manage SAP S/4HANA user, role/profile, and role/profile assignment information in EmpowerID. Imported user information can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories SAP S/4HANA, it creates an account in the EmpowerID Identity Warehouse for each SAP S/4HANA user, a group for each SAP S/4HANA role or profile, and assigns group membership to users based on their role or profile memberships in SAP S/4HANA.

Info

Additionally, the connector supports the inventory of SAP TCODEs, SAP Authorization Objects, and their field type values as rights in EmpowerID. Successfully inventorying these objects requires additional configuration in EmpowerID, which is demonstrated in the Connect to SAP S/4 HANA article.

Once connected, you can manage this data from EmpowerID in the following ways:

Account Management

  • Inventory user accounts

  • Create user accounts

  • Update user accounts

  • Enable and Disable user accounts

  • Change user passwords

Role Management

  • Inventory roles or profiles as groups

  • Inventory role or profile memberships as group accounts

  • Add and Remove members to and from roles or profiles

SAP TCODE Inventory

  • Inventories all SAP modules from the TDEVC table and stores them in the ResourceSystemModule table in EmpowerID.

  • Inventories SAP transaction codes from the TSTC table and stores this information in the AzLocalRights table in EmpowerID, along with the relation between the transaction codes and the SAP modules.

  • Inventories the relationship between roles/profiles and TCODEs and stores this information in the AzAssigneeLocalRightScope table in EmpowerID.

SAP Authorization Object and FieldTypes Inventory

  • Inventories SAP authorization objects from the TOBJ table and stores that information in the AzLocalRights table in EmpowerID with an AzLocalRightTypeID of 7.

  • Inventories SAP FieldTypes from the AUTHX table and stores that information in the AzFieldType table of EmpowerID.

  • Inventories the relationship between authorization objects and field types and stores that information in the AzGlobalRightFieldType table of EmpowerID.

  • Inventories the relationship between an SAP single role and its authorization objects from the AGR_1251 table in SAP and stores that information in the AzAssigneeLocalRightScope table in EmpowerID.

  • Inventories the relationship between SAP transaction codes and authorization objects from the USOBX_C table in SAP and stores that information in the AzGlobalRightRelatedRight table in EmpowerID.

  • Inventories the relationship Role > AuthObject > FieldType > Low and High values from the AGR_1251 and AGR_1252 tables and stores that information in the AzAssigneeRightAzGlobalRightFieldType table of EmpowerID. Where a field carries multiple explicit values, those are stored in the AzAssigneeRightAzGlobalRightFieldTypeValue table of EmpowerID.

Info

Inventory of SAP TCODEs and SAP Authorization Objects and their field type values as rights in EmpowerID is optional. The inventory of these objects is controlled by the following system settings:

  • SAPInventorySAPPBAC – A Boolean setting that determines whether EmpowerID inventories both SAP TCODEs and SAP Authorization data as AzLocalRights. The value must be set to true for EmpowerID to inventory both authorization data and TCODEs as local rights.

  • SAPInventorySAPPBACTcodes – A Boolean setting that determines whether EmpowerID inventories ONLY SAP TCODEs as AzLocalRights. The value must be set to true for EmpowerID to inventory TCODEs as local rights.

For information on how to configure these settings, please see Configure EmpowerID for SAP PBAC.

Account Attributes

Users in SAP are inventoried as accounts in EmpowerID. The following table shows the attribute mapping of SAP User attributes to EmpowerID Account attributes:

SAP User Attribute | Corresponding EmpowerID Attribute | Description
NAME_FIRST | FirstName | First name of the user
NAME_LAST | LastName | Last name of the user
NAMEMIDDLE | MiddleName | Middle name of the user
BNAME | LogonName | User name of the user
BNAME | SystemIdentifier | Unique System Identifier of the user
TEL_NUMBER_MOBILE | MobileNumber | Mobile number of the user
TEL_NUMBER | Telephone | Home phone number of the user
SMTP_ADDR | Email | Email ID of the user
LANGU | PreferredLanguage | Language of the user
UFLAG | Disabled | Specifies whether or not the user is active
TITLE | PersonalTitle | PersonalTitle of the user
TITLE_ACA1 | AcademicTitle | AcademicTitle of the user
FUNCTION | BusinessFunction | BusinessFunction of the user
ROOMNUMBER | RoomNumber | RoomNumber of the user
FLOOR | Floor | Floor of the user
BUILDING | BuildingCode | BuildingCode of the user
FAX_NUMBER | Fax | Fax of the user
USERALIAS | Alias | Alias of the user
USTYP | UserType | UserType of the user
SECURITY_POLICY | SecurityPolicy | SecurityPolicy of the user
DEPARTMENT | Department | Department name of the user
CLASS | UserGroup | UserGroup of the user
GLTGV | ValidFrom | ValidFrom of the user
GLTGB | ValidUntil | ValidUntil of the user
ACCNT | AccountNo | AccountNo of the user
KOSTL | CostCenter | CostCenter of the user
TZONE | TimeZone | Time Zone of the user
PWDCHGDATE | PasswordLastChanged | PasswordLastChanged
TRDAT+LTIME | LastLogonTime | LastLogonTime
company | Company | Company name of the user
PNAME | UserPrincipalName | SNC Name of the user
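Most rows of the table above are straight renames, but two need real logic: UFLAG is SAP's lock-status field (0 means unlocked) rather than a boolean, and TRDAT and LTIME are separate date and time columns that become one LastLogonTime. The following is an added example, not EmpowerID's own connector code, of applying the mapping to one user record and then checking the "mandatory fields must not be empty" prerequisite. It assumes the record is a flat dict keyed by the SAP column names in the table, that any non-zero UFLAG counts as Disabled, and that SAP's YYYYMMDD / HHMMSS text formats are used for dates and times; the sample record is constructed.

```python
"""Added example: SAP user record -> EmpowerID account attributes.

Assumptions (not from the page): flat dict input keyed by SAP column name;
UFLAG != 0 is treated as Disabled; dates are YYYYMMDD, times HHMMSS; LogonName
is added to the mandatory set alongside LastName, which the page names."""
from datetime import datetime
from typing import Any, Dict, List, Optional

# One-to-one renames from the mapping table. BNAME is handled separately
# because it feeds two EmpowerID attributes (LogonName and SystemIdentifier).
DIRECT_MAP = {
    "NAME_FIRST": "FirstName", "NAME_LAST": "LastName", "NAMEMIDDLE": "MiddleName",
    "TEL_NUMBER_MOBILE": "MobileNumber", "TEL_NUMBER": "Telephone",
    "SMTP_ADDR": "Email", "LANGU": "PreferredLanguage", "TITLE": "PersonalTitle",
    "TITLE_ACA1": "AcademicTitle", "FUNCTION": "BusinessFunction",
    "ROOMNUMBER": "RoomNumber", "FLOOR": "Floor", "BUILDING": "BuildingCode",
    "FAX_NUMBER": "Fax", "USERALIAS": "Alias", "USTYP": "UserType",
    "SECURITY_POLICY": "SecurityPolicy", "DEPARTMENT": "Department",
    "CLASS": "UserGroup", "ACCNT": "AccountNo", "KOSTL": "CostCenter",
    "TZONE": "TimeZone", "company": "Company", "PNAME": "UserPrincipalName",
}

# Attributes that must not be empty after mapping (LogonName is an assumption).
MANDATORY = ("LogonName", "LastName")


def parse_sap_date(value: Optional[str]) -> Optional[datetime]:
    """SAP stores an unset date as 00000000; treat that and blanks as None."""
    if not value or value == "00000000":
        return None
    return datetime.strptime(value, "%Y%m%d")


def parse_sap_timestamp(trdat: Optional[str], ltime: Optional[str]) -> Optional[datetime]:
    """TRDAT (YYYYMMDD) + LTIME (HHMMSS) -> a single LastLogonTime value."""
    if not trdat or trdat == "00000000":
        return None
    return datetime.strptime(trdat + (ltime or "000000"), "%Y%m%d%H%M%S")


def map_sap_user_to_account(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the attribute mapping table to one SAP user record."""
    acct = {target: rec.get(src) for src, target in DIRECT_MAP.items()}
    acct["LogonName"] = rec.get("BNAME")
    acct["SystemIdentifier"] = rec.get("BNAME")
    # UFLAG is a lock status, not a boolean: 0 = active, anything else = locked.
    acct["Disabled"] = int(rec.get("UFLAG") or 0) != 0
    acct["ValidFrom"] = parse_sap_date(rec.get("GLTGV"))
    acct["ValidUntil"] = parse_sap_date(rec.get("GLTGB"))
    acct["PasswordLastChanged"] = parse_sap_date(rec.get("PWDCHGDATE"))
    acct["LastLogonTime"] = parse_sap_timestamp(rec.get("TRDAT"), rec.get("LTIME"))
    return acct


def missing_mandatory(acct: Dict[str, Any]) -> List[str]:
    """Names of mandatory attributes that are empty or whitespace after mapping."""
    return [name for name in MANDATORY if not (acct.get(name) or "").strip()]


# Constructed sample: a user locked by an administrator (UFLAG 64).
SAMPLE_USER = {
    "BNAME": "JDOE", "NAME_FIRST": "Jane", "NAME_LAST": "Doe",
    "SMTP_ADDR": "jane.doe@example.invalid", "UFLAG": "64",
    "TRDAT": "20240315", "LTIME": "081530", "PWDCHGDATE": "20240101",
    "GLTGV": "20240101", "GLTGB": "00000000",
}

if __name__ == "__main__":
    account = map_sap_user_to_account(SAMPLE_USER)
    print(account["LogonName"], "disabled:", account["Disabled"],
          "last logon:", account["LastLogonTime"])
    print("missing mandatory:", missing_mandatory({"LogonName": "X", "LastName": " "}))
```

Run the mandatory-field check before the record is written: a user whose LastName is blank in SAP is exactly the data issue the prerequisites section says must be fixed at the source rather than imported.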

Role Attributes

Roles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Role attributes to EmpowerID Group attributes:

SAP Role Attribute | EmpowerID Attribute | Description
AGR_NAME (AGR_DEFINE) | Name | Name of the Group
“Role_” + AGR_NAME (AGR_DEFINE) | LogonName | LogonName of the Group
TEXT (AGR_TEXTS) where the LINE column of AGR_TEXTS = '00000', + (SAP CompositeRole or SAP Single Role) | FriendlyName | FriendlyName of the Group
Concatenation of all TEXT rows (AGR_TEXTS) where the LINE column of AGR_TEXTS != '00000' | Description, Notes | Description and Notes of the Group
Role type calculated from the relations in the AGR_AGRS table | GroupTypeID | Identifier distinguishing the SAP role type (single or composite role)


Profile Attributes

Profiles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Profile attributes to EmpowerID Group attributes:

SAP Profile Attribute | EmpowerID Attribute | Description
PROFN (USR10) | Name | Name of the Group
“Profile_” + PROFN (USR10) | LogonName | LogonName of the Group
PTEXT (USR11) + (SAP CompositeProfile or SAP Single Profile) | FriendlyName | FriendlyName of the Group
PTEXT (USR11) + (SAP CompositeProfile or SAP Single Profile) | Description | Description of the Group
Profile type calculated from TYP in the USR10 table | GroupTypeID | Identifier distinguishing the SAP profile type (single or composite profile)
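The role and profile tables above both describe derived attributes rather than copies: the group's FriendlyName comes from the '00000' text line with the role or profile kind appended, the Description is the concatenation of the remaining text lines, and the GroupTypeID is computed from a relation (AGR_AGRS for roles, USR10.TYP for profiles). The following added example, which is not EmpowerID's code, implements both derivations and also the primary-key hygiene check from the prerequisites (no leading or trailing spaces, no duplicates), since a stray space in AGR_NAME or PROFN would produce a second, misnamed group. Assumptions: rows are dicts keyed by SAP column name; AGR_AGRS lists each composite role in AGR_NAME with its children in CHILD_AGR; USR10.TYP 'C' marks a composite profile; the GroupTypeID values and the exact "(SAP ... Role)" suffix format are placeholders because the page gives no literal values; all sample rows are constructed.

```python
"""Added example: SAP role/profile rows -> EmpowerID group attributes.

Assumptions (not from the page): dict rows keyed by SAP column name; AGR_AGRS
child column is CHILD_AGR; USR10.TYP 'C' = composite profile; GroupTypeID
values and the kind suffix format are placeholders."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

GROUP_TYPE_SINGLE = "SINGLE"        # placeholder GroupTypeID
GROUP_TYPE_COMPOSITE = "COMPOSITE"  # placeholder GroupTypeID


@dataclass
class GroupAttributes:
    Name: str
    LogonName: str
    FriendlyName: str
    Description: str
    GroupTypeID: str


def _kind_suffix(composite: bool, kind: str) -> str:
    # The page appends the role/profile kind to the text; the format is assumed.
    return f" (SAP Composite {kind})" if composite else f" (SAP Single {kind})"


def map_role_to_group(agr_name: str, agr_texts: Iterable[Dict[str, str]],
                      agr_agrs: Iterable[Dict[str, str]]) -> GroupAttributes:
    """Derive group attributes for one AGR_DEFINE role."""
    texts = [r for r in agr_texts if r["AGR_NAME"] == agr_name]
    # LINE '00000' is the short text; every other LINE is long-text continuation.
    short = next((r["TEXT"] for r in texts if r["LINE"] == "00000"), "")
    long_text = " ".join(r["TEXT"] for r in sorted(texts, key=lambda r: r["LINE"])
                         if r["LINE"] != "00000")
    # A role that owns child roles in AGR_AGRS is a composite role.
    composite = any(r["AGR_NAME"] == agr_name for r in agr_agrs)
    return GroupAttributes(
        Name=agr_name,
        LogonName="Role_" + agr_name,
        FriendlyName=short + _kind_suffix(composite, "Role"),
        Description=long_text,
        GroupTypeID=GROUP_TYPE_COMPOSITE if composite else GROUP_TYPE_SINGLE,
    )


def map_profile_to_group(usr10_row: Dict[str, str],
                         usr11_rows: Iterable[Dict[str, str]]) -> GroupAttributes:
    """Derive group attributes for one USR10 profile; USR11 supplies PTEXT."""
    profn = usr10_row["PROFN"]
    ptext = next((r["PTEXT"] for r in usr11_rows if r["PROFN"] == profn), "")
    composite = usr10_row.get("TYP") == "C"
    text = ptext + _kind_suffix(composite, "Profile")
    return GroupAttributes(Name=profn, LogonName="Profile_" + profn,
                           FriendlyName=text, Description=text,
                           GroupTypeID=GROUP_TYPE_COMPOSITE if composite else GROUP_TYPE_SINGLE)


def primary_key_problems(keys: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag key values that break correlation: surrounding whitespace or duplicates."""
    problems, seen = [], set()
    for key in keys:
        if key != key.strip():
            problems.append((key, "leading/trailing whitespace"))
        norm = key.strip()
        if norm in seen:
            problems.append((key, "duplicate"))
        seen.add(norm)
    return problems


# Constructed sample rows.
SAMPLE_AGR_TEXTS = [
    {"AGR_NAME": "Z_HR_ADMIN", "LINE": "00000", "TEXT": "HR Administrator"},
    {"AGR_NAME": "Z_HR_ADMIN", "LINE": "00002", "TEXT": "and run payroll reports."},
    {"AGR_NAME": "Z_HR_ADMIN", "LINE": "00001", "TEXT": "Maintain HR master data"},
    {"AGR_NAME": "Z_HR_ALL", "LINE": "00000", "TEXT": "HR composite"},
]
SAMPLE_AGR_AGRS = [{"AGR_NAME": "Z_HR_ALL", "CHILD_AGR": "Z_HR_ADMIN"}]
SAMPLE_USR10 = [{"PROFN": "Z_FI_DISP", "TYP": "S"}]
SAMPLE_USR11 = [{"PROFN": "Z_FI_DISP", "PTEXT": "FI display"}]

if __name__ == "__main__":
    for name in ("Z_HR_ADMIN", "Z_HR_ALL"):
        print(map_role_to_group(name, SAMPLE_AGR_TEXTS, SAMPLE_AGR_AGRS))
    print(map_profile_to_group(SAMPLE_USR10[0], SAMPLE_USR11))
    print(primary_key_problems([" Z_X", "Z_X", "Z_Y"]))
```

Note the long-text lines are sorted by LINE before joining; relying on table row order from RFC_READ_TABLE is not safe.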

Prerequisites

To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.

You can connect EmpowerID to an SAP R/3 system in one of two ways:

  1. Application Server

  2. Message Server

Each has its own set of prerequisites. Expand the drop-down for that connection method to view.

Application Server Prerequisites

You also need the following from SAP to connect EmpowerID to SAP via Application Server:

  • Host name (FQDN) of the application server used for RFC communication

  • Username that is authorized to connect to the R/3 system from EmpowerID

  • Password of the service account

  • ClientID of the application server

  • Instance number of the application server

  • System ID

  • Network port number that is open to connect to the application server

Info

By default, the SAP connector connects to the SAP application server on port 33 followed by the two-digit instance number (33<instance number>). If a different port is used, specify the port number in the hostname column with the syntax “HostName:portNumber”.
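As an added illustration of the rule in the note above (example code, not the connector's own), the function below works out the host and port the connector would use: the default port is "33" followed by the two-digit instance number, unless the hostname setting carries an explicit "HostName:portNumber" override. It also rejects malformed overrides rather than silently falling back, since a silent fallback to the default gateway port would make a typo look like a firewall problem. The hostnames in the sample calls are constructed.

```python
"""Added example: resolve the SAP application server endpoint from the
account store's Host and SystemNumber settings, per the rule in the note."""
from typing import Tuple


def resolve_rfc_endpoint(host_setting: str, instance_number: str) -> Tuple[str, int]:
    """Return (host, port) for the Host column and instance number.

    "sap.example.invalid"      -> default port 33<NN> from the instance number
    "sap.example.invalid:3399" -> explicit override from the Host column
    Bare IPv6 literals are not handled; hostnames are expected to be DNS names."""
    host, sep, port_text = host_setting.strip().rpartition(":")
    if sep:
        # Explicit override: "HostName:portNumber". Validate instead of guessing.
        if not host:
            raise ValueError(f"missing host in setting {host_setting!r}")
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid port in setting {host_setting!r}")
        return host, int(port_text)
    inst = int(instance_number)  # raises ValueError on non-numeric input
    if not 0 <= inst <= 99:
        raise ValueError(f"instance number must be 00-99, got {instance_number!r}")
    # Default: "33" concatenated with the zero-padded instance number.
    return host_setting.strip(), int(f"33{inst:02d}")


if __name__ == "__main__":
    # Constructed sample values.
    print(resolve_rfc_endpoint("sap.example.invalid", "07"))        # ('sap.example.invalid', 3307)
    print(resolve_rfc_endpoint("sap.example.invalid:3399", "07"))   # ('sap.example.invalid', 3399)
```

The resolved port is the one to check in the "network port number that is open" prerequisite; if the Host column carries an override, the firewall rule must match that port, not 33<instance number>.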

Message Server Prerequisites

You also need the following from SAP to connect EmpowerID to SAP via Message Server:

  • Host Name of the Message Server used to establish the connection to the SAP R/3 system

  • Name of the LogonGroup used by the SAP R/3 connector

  • SystemID of the SAP system

  • Username that is authorized to connect to the Message Server

  • Password of the service account

Additionally, the following conditions must be met:

  • Each EmpowerID server used to run workflows or perform inventory functions must have the librfc32.dll assembly copied into the C:\Windows\System32 folder. EmpowerID uses the assembly to perform various SAP processes (inventory, workflows, etc.). You can download the assembly from EmpowerID at the following link: https://dl1.empowerid.com/files/librfc32_64.zip

  • For read-only connections, along with access to the below-mentioned tables, the service account needs access to the RFC_READ_TABLE BAPI

  • All mandatory fields must not be empty (e.g., LastName, PersNumber)

  • The standard tables should have the same structure across all the systems

  • The systems should have unique records across all the standard tables. For example, the records should not have any leading or trailing spaces on the Primary Key columns

  • The system should be free of any data issues. For example, there should not be any duplicate company codes pointing to the same address number.

  • The following network configurations should be in place for connecting to the SAP system:

    • All necessary ports should be open on the server used to connect to the SAP system

    • The host name of the SAP system should be resolvable to an IP address

The SAP proxy account used for the S/4HANA connector needs access to the tables below, as well as the ability to make the remote procedure calls listed:

REQUIRED TABLE ACCESS (required activity: Display)

  • ADCP

  • ADR2

  • ADR3

  • ADR6

  • ADRP

  • AGR_1016

  • AGR_1251

  • AGR_AGRS

  • AGR_DEFINE

  • AGR_TEXTS

  • AGR_USERS

  • TSTC

  • TSTCT

  • USCOMPANY

  • USR02

  • USR10

  • USR11

  • USR21

  • USRACL

  • USREFUS

  • UST04

  • UST10C

  • UST10S

  • UST12

REQUIRED REMOTE PROCEDURE CALLS (required activity: Execute)

  • BAPI_USER_ACTGROUPS_ASSIGN

  • BAPI_USER_CHANGE

  • BAPI_USER_CREATE1

  • BAPI_USER_EXISTENCE_CHECK

  • BAPI_USER_GETLIST

  • BAPI_USER_GET_DETAIL

  • BAPI_USER_LOCK

  • BAPI_USER_UNLOCK

  • PING

  • RFCPING

  • RFC_GET_FUNCTION_INTERFACE

  • RFC_GET_NAMETAB

  • RFC_PING

  • RFC_READ_TABLE

Tip

As each organization's implementation, practices, and procedures with SAP differs, EmpowerID uses an SAP Data Analysis Utility to ensure the necessary tables can be read and the necessary BAPI's can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This provides EmpowerID with the opportunity to review and analyze data in order to modify connector logic before setting up

...

Info

When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.

Install the SAP GUI Server

  1. Download and extract the GUI7.3.zip file (or a newer version).

  2. Navigate to the GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\ folder and run SetupAll.exe.

  3. In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.

  4. Select the target directory where you want to install it and click Next.

  5. When it finishes installing, open SAP Logon from the desktop icon.

  6. In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.

  7. Enter the following connection details:

    • Description — ECC

    • Application Server — FQDN of your SAP Server, e.g. sap.mySAPserver.com

    • Instance Number — e.g. 77

    • System ID — e.g. EH9

    • SAProuter String — Leave this field empty.

  8. From that folder, copy the SAP .NET connector file, librfc32.dll, and paste it into your C:\Windows\System32 folder.

Create a SAP S/4HANA account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, click Create Account Store.

  3. Under System Types, search for SAP ABAP.

  4. Click SAP ABAP to select the type and then click Submit.

  5. On the SAP S/4HANA Settings page that appears, fill in the following information:

    • Display Name — Enter a name for your account store.

    • Host — Enter the FQDN of your SAP Server

    • User Name — Enter your SAP System Administrator's user name

    • Password — Enter your SAP System Administrator's password

    • SystemNumber — Enter the system number from your SAP account

    • DefaultLanguage — Enter the two-letter language code

    • Client — Enter the Client ID from your SAP account

    • Is Remote (Requires Cloud Gateway) — This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.

  6. If you selected Is Remote (Requires Cloud Gateway), search for and select one or more cloud gateway servers and then click Submit. You will not see this screen if you did not select Is Remote (Requires Cloud Gateway).

  7. EmpowerID creates the account store and the associated resource system for it. The next step is to configure attribute flow between the account store and EmpowerID.


Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

Configure account store settings

On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.

Edit the account store as needed and then click Save to save your changes.

Now that everything is configured, you can enable the Account Inbox Permanent Workflow and monitor inventory. Be sure inventory is enabled on the account store settings page.

Next Steps

Connect to SAP S/4 HANA