Versions Compared

Old Version 2

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version Current

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Insert excerpt
IL:External Directory Prerequisites V21
IL:External Directory Prerequisites V21
nopaneltrue

Info

When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.

Step 1 – Install the SAP GUI Server

  1. Download and extract the GUI7.3.zip file (or a newer version).

  2. Navigate to the GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\ folder and run SetupAll.exe.

  3. In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.

  4. Select the target directory where you want to install it and click Next.

  5. When it finishes installing, open SAP Logon from the desktop icon.

  6. In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.

  7. In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.

    • Description — ECC

    • Application Server — FQDN of your SAP Server, e.g. sap.mySAPserver.com

    • Instance Number — e.g. 77

    • System ID — e.g. EH9

    • SAProuter String — Leave this field empty.

  8. Click Finish. The new connection appears in the grid.

  9. Open File Explorer as Administrator and in the extracted GUI7.3.zip file, navigate to GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\

  10. From that folder, copy the SAP .NET connector file, librfc32.dll and paste it into your C:\Windows\System32 folder.

Step 2 – Create a SAP S/4HANA account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, select the Action tab and then click Create Account Store.

  3. Under System Types, search for SAP S/4HANA.

  4. Click SAP S/4HANA to select the type and then click Submit.

  5. For SAP Connection Type, select either Application Server or Message Server and click Submit.

  6. On the SAP S/4HANA Settings page that appears, fill in the following information:

    • Display Name – Enter a name for your account store.

    • Host – Enter the FQDN of your SAP Server

    • User Name – Enter your SAP System Administrator's user name

    • Password – Enter your SAP System Administrator's password

    • SystemNumber – Enter the system number from your SAP account

    • DefaultLanguage – Enter the two-letter language code

    • Client – Enter the Client ID from your SAP account

    • Is Remote (Requires Cloud Gateway) – This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.

  7. If you selected Is Remote (Requires Cloud Gateway), search for and select one or more cloud gateway servers and then click Submit. You will not see this screen if you did not select Is Remote (Requires Cloud Gateway).

EmpowerID creates the account store and the associated resource system for it. The next step is to configure attribute flow between the account store and EmpowerID.

Step 3 – Configure Attribute Flow

Insert excerpt
IL:Configure Attribute Flow Rules-V21
IL:Configure Attribute Flow Rules-V21
nopaneltrue

Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

Step 4 – Configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the Edit link to put the account store in edit mode.


    This opens the edit page for the account store. This page allows you to specify the proxy account EmpowerID is to use to connect to the SAP as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the table below the image.


    Insert excerpt
    IL:AD Account Store Settings V21
    IL:AD Account Store Settings V21
    nopaneltrue

  2. Edit the account store as needed and then click Save to save your changes.

Next, configure EmpowerID to inventory SAP TCODEs, SAP Authorization Objects and its field type values as rights in EmpowerID.

Step 5 – Configure EmpowerID for SAP PBAC

The new version of SAP ABAP Connector supports the inventory of SAP TCODEs, SAP Authorization Objects and its field type values as Rights in EmpowerID. These settings include:

  • SAPInventorySAPPBAC – This is a Boolean setting that determines whether EmpowerID inventories SAP TCODES AND SAP Authorization data as AzLocalRights. The value must be set to true for EmpowerID to inventory both authorization data and TCODES as local rights.

  • SAPInventorySAPPBACTcodes – This is a Boolean setting that determines whether EmpowerID inventories ONLY SAP TCODES as AzLocalRights. The value must be set to true for EmpowerID to inventory TCODES as local rights.

Please follow the below steps to successfully inventory SAP PBAC without any issues.

  1. On the navbar, expand Infrastructure Admin > EmpowerID Servers and Settings and select EmpowerID System Settings.

  2. Search for the ListOfInvTables system setting.

  3. If SAPInventorySAPPBAC is set to true, do the following:

    1. Click the Edit button for the setting and add the following tables to the Value field:

      Code Block
      languageabap
      AGR_DEFINE,AGR_TEXTS,AGR_AGRS,AGR_1016,AGR_1251,USR10,USR11,UST10C,UST10S,UST12,TSTC,TSTCT,ADR6,ADRP,USR02,USR21,ADR2,ADR3,ADCP,
USREFUS,
    1. UST04,AGR_USERS,USRACL,USCOMPANY,USR01,USR06,AUTHX,DD04T,TADIR,TDEVC,TOBJ,USOBT,USOBT_C,USOBX,USOBX_C,AGR_125

    2. Save the setting.

  4. If SAPInventorySAPPBACTcodes is set to true, do the following:

    1. Click the Edit button for the setting and add the following tables to the Value field:

      Code Block
      languageabap
      AGR_DEFINE,AGR_TEXTS,AGR_AGRS,AGR_1016,AGR_1251,USR10,USR11,UST10C,UST10S,UST12,TSTC,TSTCT,ADR6,ADRP,USR02,USR21,ADR2,ADR3,ADCP,
USREFUS,UST04,AGR_USERS,USRACL,USCOMPANY,USR01,USR06,TADIR,TDEVC,AGR_1252

    2. Save the setting.

  5. On the EmpowerID System Settings page, click the Add button in the grid header.

  6. Name the setting SAPInventorySAPPBAC and set the Value to true.

  7. Save the setting.

Note

In addition to the above steps, for the initial load of the system please do the following:

  1. Disable Triggers on SAP_TABLE_TSTC and SAP_TABLE_TOBJ

  2. Run inventory to only retrieve the SAP raw tables and account and group membership inventory. For this set SAPInventoryStopAfterStage to 4

  3. Run the following EmpowerID Stored Procedures (sprocs) manually as these sprocs are called on triggers of the table

    • exec SAP_RefreshAzLocalRightsAndRSM @ResourceSystemID,@ResourceSystemGUID

    • exec SAP_SyncRSMAndTcodes @ResourceSystemID,@ResourceSystemGUID

    • exec SAP_SyncAzAssigneeLocalRightScope @ResourceSystemID,@ResourceSystemGUID

    • exec SAP_RefreshAzObjects @ResourceSystemID

    • exec SAP_SyncAzObjectFieldType @ResourceSystemID,@ResourceSystemGUID

    • exec SAP_SyncAzAssigneeLocalRightScopeForAuthObjects @ResourceSystemID,@ResourceSystemGUID

    • exec SAP_SyncAzGlobalRightRelatedRight @ResourceSystemID

    • exec SAP_SyncAzAssigneeRightAzGlobalRightFieldType @ResourceSystemID

  4. Enable the triggers only SAP_TABLE_TSTC if SAPInventorySAPPBACTcodes is set to true

  5. Enable the triggers SAP_TABLE_TSTC and SAP_TABLE_TOBJ TSTC if SAPInventorySAPPBAC is set to true

Step 6 – Enable the Account Inbox Permanent Workflow

Insert excerpt
IL:Enable Account Inbox PW - V21
IL:Enable Account Inbox PW - V21
nopaneltrue

Step 7 – Enable Inventory on the account store

  1. On the navbar, expand Administration > Applications and Directories and select Account Stores and Systems.

  2. Search for the account store you created and click the Account Store link for it.

  3. On the Account Store and Resource System page for the link, click the Account Store tab and then click the Edit link to put the account store in edit mode.

  4. On edit page, select the Inventory tab and then check Inventory Enabled.

  5. Save your changes.

Step 8 – Monitor Inventory

Insert excerpt
IL:Monitor Inventory - V21
IL:Monitor Inventory - V21
nopaneltrue
Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue
Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue

See Also

SAP S/4 Hanna Connector

Div
stylefloat:left; position:fixed;
idarticleNav

IN THIS ARTICLE

Table of Contents
maxLevel4
minLevel2
maxLevelstyle4none
styleprintablenonefalse