...
EmpowerID's SAP connector can connect to the two main SAP modules used for managing identity information, the ECC module and the HCM module. The ECC module stores the user master records used to log on to SAP and the objects that authorize what those users may do in SAP, which include
action groups (SAP roles),
profiles, and
individual authorization objects.
The HCM module manages employees and often serves as the authoritative source for employee information, including employment status, location, roles and responsibilities. When EmpowerID connects to either of these SAP modules, it creates a single account store object for that module, with configurable settings that specify how EmpowerID is to manage the identity information.
SAP ECC Connector
The ECC connector is bi-directional, meaning that EmpowerID can both read from and write to the module. This allows you to manage ECC users and their access to SAP from EmpowerID. When you connect EmpowerID to the ECC module, EmpowerID reads the list of users, the status of each (active or locked/disabled), and the action groups (roles) and profiles assigned to each. EmpowerID can create new ECC users, enable and disable (unlock and lock) ECC users, reset passwords, and assign action groups and profiles.
Info |
---|
Prerequisites: The SAP proxy account used for the ECC connector needs read access to the tables below as well as the ability to execute the remote procedure calls listed: |

REQUIRED TABLE ACCESS | REQUIRED REMOTE PROCEDURE CALLS |
---|---|
ADCP | BAPI_USER_ACTGROUPS_ASSIGN |
ADR3 | BAPI_USER_CHANGE |
ADRP | BAPI_USER_CREATE1 |
AGR_1251 | BAPI_USER_EXISTENCE_CHECK |
AGR_DEFINE | BAPI_USER_GETLIST |
AGR_USERS | BAPI_USER_GET_DETAIL |
TSTCT | BAPI_USER_LOCK |
USR02 | BAPI_USER_UNLOCK |
USR11 | PING |
USRACL | RFCPING |
UST04 | RFC_GET_FUNCTION_INTERFACE |
UST10S | RFC_GET_NAMETAB |
ADR2 | RFC_PING |
ADR6 | RFC_READ_TABLE |
AGR_1016 | |
AGR_AGRS | |
AGR_TEXTS | |
TSTC | |
USCOMPANY | |
USR10 | |
USR21 | |
USREFUS | |
UST10C | |
UST12 | |

REQUIRED ACTIVITY (for the remote procedure calls listed above): Execute
EmpowerID invokes the following stock BAPIs. Note that BAPI_USER_DELETE and BAPI_USER_PROFILES_ASSIGN appear here but not in the required remote procedure call list above; if EmpowerID is to delete users or assign profiles, the proxy account must be authorized to execute these two as well:
BAPI_USER_ACTGROUPS_ASSIGN
BAPI_USER_CHANGE
BAPI_USER_CREATE1
BAPI_USER_DELETE
BAPI_USER_GET_DETAIL
BAPI_USER_PROFILES_ASSIGN
BAPI_USER_LOCK
BAPI_USER_UNLOCK
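Before granting the proxy account its role, a practitioner would want to confirm that it can read exactly the tables above and call exactly the function modules above, and nothing more. The script below is an added example, not EmpowerID's SAP Data Analysis Utility or any other EmpowerID code. It assumes a connection object whose `call(function_name, **params)` method has the shape of `pyrfc.Connection.call` (the Python binding of the SAP NetWeaver RFC SDK); the `FakeConnection` class and the proxy user name `EMPOWERID_SVC` are constructed so the script runs offline. Only side-effect-free calls are made: the write BAPIs are checked for existence with RFC_GET_FUNCTION_INTERFACE, which does not prove the proxy may execute them, so that part of the authorization still has to be confirmed by reviewing the role in SAP. Because RFC_READ_TABLE returns any table the caller is authorized for, the proxy should be authorized for the listed tables specifically rather than given broad table access.

```python
"""Least-privilege probe for the SAP proxy account used by the ECC connector.

Uses only side-effect-free calls: RFC_READ_TABLE with ROWCOUNT=1 per required
table, the read-only user BAPIs, and RFC_GET_FUNCTION_INTERFACE for the write
BAPIs (existence only, not authorization). ``conn`` needs a
``call(function_name, **params)`` method, the shape of pyrfc.Connection.call
(assumption); FakeConnection is a constructed stand-in for offline runs.
"""

# Tables from the prerequisites list on this page.
REQUIRED_TABLES = [
    "ADCP", "ADR2", "ADR3", "ADR6", "ADRP", "AGR_1016", "AGR_1251", "AGR_AGRS",
    "AGR_DEFINE", "AGR_TEXTS", "AGR_USERS", "TSTC", "TSTCT", "USCOMPANY",
    "USR02", "USR10", "USR11", "USR21", "USRACL", "USREFUS", "UST04",
    "UST10C", "UST10S", "UST12",
]

# Read-only function modules, safe to execute as probes.
# "PROXY_USER" is replaced with the proxy account name at run time.
READ_PROBES = {
    "RFC_PING": {},
    "BAPI_USER_EXISTENCE_CHECK": {"USERNAME": "PROXY_USER"},
    "BAPI_USER_GET_DETAIL": {"USERNAME": "PROXY_USER"},
    "BAPI_USER_GETLIST": {"MAX_ROWS": 1},
}

# Write BAPIs are never executed here; whether the proxy may run them must be
# confirmed by reviewing its role assignment in SAP.
WRITE_BAPIS = [
    "BAPI_USER_CREATE1", "BAPI_USER_CHANGE", "BAPI_USER_DELETE",
    "BAPI_USER_LOCK", "BAPI_USER_UNLOCK",
    "BAPI_USER_ACTGROUPS_ASSIGN", "BAPI_USER_PROFILES_ASSIGN",
]


def bapi_errors(result):
    """BAPIs report refusals (including missing authorization) in RETURN with
    TYPE 'E' or 'A' instead of raising, so an RFC-level success can still be a denial."""
    ret = result.get("RETURN", [])
    if isinstance(ret, dict):  # some BAPIs export RETURN as a single structure
        ret = [ret]
    return [r.get("MESSAGE", "") for r in ret if r.get("TYPE") in ("E", "A")]


def check_proxy_access(conn, proxy_user):
    """Report every required table / function module the proxy cannot use.
    Exceptions (pyrfc raises ABAP and communication errors) and BAPI RETURN
    errors are both recorded as denials."""
    report = {"tables_denied": [], "bapis_denied": [], "write_bapis_unknown": []}

    for table in REQUIRED_TABLES:
        try:
            # ROWCOUNT=1 keeps the probe cheap; the table authority check inside
            # RFC_READ_TABLE still fires, which is exactly what is being tested.
            conn.call("RFC_READ_TABLE", QUERY_TABLE=table, ROWCOUNT=1, DELIMITER="|")
        except Exception as exc:
            report["tables_denied"].append((table, str(exc)))

    for name, params in READ_PROBES.items():
        params = {k: (proxy_user if v == "PROXY_USER" else v) for k, v in params.items()}
        try:
            errs = bapi_errors(conn.call(name, **params))
            if errs:
                report["bapis_denied"].append((name, "; ".join(errs)))
        except Exception as exc:
            report["bapis_denied"].append((name, str(exc)))

    for name in WRITE_BAPIS:
        try:
            conn.call("RFC_GET_FUNCTION_INTERFACE", FUNCNAME=name)
        except Exception as exc:
            report["write_bapis_unknown"].append((name, str(exc)))

    report["ok"] = not any(report[k] for k in ("tables_denied", "bapis_denied", "write_bapis_unknown"))
    return report


class FakeConnection:
    """Constructed offline stand-in for pyrfc.Connection: models which function
    modules may be called, which tables may be read, and a BAPI refusing via RETURN."""

    def __init__(self, callable_fms, readable_tables, existing_fms, detail_error=None):
        self.callable_fms = set(callable_fms)
        self.readable_tables = set(readable_tables)
        self.existing_fms = set(existing_fms)
        self.detail_error = detail_error

    def call(self, fm, **params):
        if fm not in self.callable_fms:
            raise PermissionError(f"{fm}: no RFC authorization for function module")
        if fm == "RFC_READ_TABLE" and params["QUERY_TABLE"] not in self.readable_tables:
            raise PermissionError(f"RFC_READ_TABLE: NOT_AUTHORIZED for {params['QUERY_TABLE']}")
        if fm == "RFC_GET_FUNCTION_INTERFACE" and params["FUNCNAME"] not in self.existing_fms:
            raise LookupError(f"{params['FUNCNAME']}: function module not found")
        if fm == "BAPI_USER_GET_DETAIL" and self.detail_error:
            return {"RETURN": [{"TYPE": "E", "MESSAGE": self.detail_error}]}
        return {"RETURN": []}


def demo():
    """Constructed scenario: proxy EMPOWERID_SVC (hypothetical name) may call every
    listed module but lacks USR02 access and is refused by BAPI_USER_GET_DETAIL."""
    conn = FakeConnection(
        callable_fms={"RFC_READ_TABLE", "RFC_GET_FUNCTION_INTERFACE", *READ_PROBES},
        readable_tables=set(REQUIRED_TABLES) - {"USR02"},
        existing_fms=WRITE_BAPIS,
        detail_error="No authorization to display user EMPOWERID_SVC",
    )
    return check_proxy_access(conn, "EMPOWERID_SVC")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real system, replace `FakeConnection` with `pyrfc.Connection(ashost=..., sysnr=..., client=..., user=..., passwd=...)` logged on as the proxy account itself, so the probe exercises the proxy's authorizations and not an administrator's. Anything that lands in `tables_denied` or `bapis_denied` is a gap in the proxy's role; anything in `write_bapis_unknown` means the system does not expose that BAPI to RFC at all.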
SAP HCM Connector
The HCM connector is read-only: EmpowerID pulls identity information from the HCM module but does not write information back to it. When you connect EmpowerID to the HCM module, it reads a list of people and the demographic information (name, work address, etc.) for each individual. Additionally, EmpowerID reads the organization structure in order to associate each person's job function with the appropriate roles in EmpowerID.
The HCM connector reads information from the SAP tables below:
SAP Tables Read by the HCM Connector | ||||||||
---|---|---|---|---|---|---|---|---|
HRP1000 | HRP1001 | PA0000 | PA0001 | PA0002 | PA0006 | PA0032 | PA0105 | 591S |
Note |
---|
Prerequisites: To connect EmpowerID to SAP, you need an SAP account for EmpowerID to connect as (the proxy account described in the prerequisites above), and you need to install SAP GUI Server on your EmpowerID Server. You also need the following from SAP to create your Account Store.
Additionally, each EmpowerID server used to run workflows or perform inventory functions must have the |
Tip |
---|
As each organization's implementation, practices and procedures for SAP differ, EmpowerID provides an SAP Data Analysis Utility to verify that the necessary tables can be read and the necessary BAPIs can be invoked. The utility reads from the same tables as the connector and copies the data from those tables into the EmpowerID Identity Warehouse. This gives EmpowerID the opportunity to review and analyze the data and adjust connector logic before the connection is set up. |
Info |
---|
When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs pick up only the changes made since the LastTimeStamp value tracked by the SAP connector. |
Installing the SAP GUI Server
...
Download and extract the GUI7.3.zip file (or a newer version).
...
Navigate to the GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\ folder and run SetupAll.exe.
...
In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.
...
Select the target directory where you want to install it and click Next.
...
When it finishes installing, open SAP Logon from the desktop icon.
In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.
...
In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.
...
Description — ECC
...
Application Server — FQDN of your SAP Server, e.g. sap.mySAPserver.com
...
Instance Number — e.g. 77
...
System ID — e.g. EH9
SAProuter String — Leave this field empty.
...
Click Finish. The new connection appears in the grid.
...
Open File Explorer as Administrator and, in the folder extracted from GUI7.3.zip, navigate to GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\
...
From that folder, copy the SAP RFC library, librfc32.dll, and paste it into your C:\Windows\System32 folder.
To create a SAP account store in EmpowerID
...
In the navigation sidebar, expand Admin > Applications and Directories and then click Account Stores and Systems.
...
Under System Types, search for SAP.
...
On the SAP HCM or SAP ECC Settings page that appears, fill in the following information:
Display Name — Enter a name for your account store.
Host — Enter the FQDN of your SAP Server, e.g. sap.mySAPserver.com
User Name — Enter the user name of the SAP account EmpowerID will connect as. Use a dedicated proxy (service) account that holds the table and remote procedure call access listed in the prerequisites above, not a personal account or a full SAP System Administrator account.
Password — Enter that account's password.
SystemNumber — Enter the system number from your SAP account, e.g. 77.
DefaultLanguage — Enter the two-letter language code, e.g. en.
Client — Enter the Client ID from your SAP account, e.g. 500.
...
EmpowerID creates the account store and the associated resource system. The next step is to configure the attribute flow between the account store and EmpowerID.
...
Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.
To configure account store settings
...
Edit the account store as needed and then click Save to save your changes.
Next, enable the Account Inbox permanent workflow so that the Account Inbox can provision EmpowerID Persons from the SAP user accounts, or join those accounts to existing Persons, as demonstrated below.
Tip |
---|
EmpowerID recommends using the Account Inbox for provisioning and joining. |
...
...
Identity Lifecycle for SAP
EmpowerID Identity Lifecycle for SAP automates account provisioning and access assignment. Automating policy-based "Compliant Access" removes the security problems and human errors associated with manual user creation and role and profile assignment in SAP. Lifecycle events can be triggered manually by workflows but are most often detected as changes coming from an HR system, including SuccessFactors. EmpowerID handles provisioning and deprovisioning across your entire SAP landscape. On deprovisioning, policy settings allow for graceful handover of responsibilities and transfer of data ownership.
Zero Trust Delegated Administration for SAP
The out-of-the-box roles and security model vary across traditional ABAP-based systems, SAP HANA, and various other SAP modules, which presents a challenge for organizations pursuing a Zero Trust strategy. One of the key tenets of the Zero Trust model is that users should not be granted permanent, unproxied access to systems: unproxied access cannot be easily monitored, and permanent privileged access is an opening waiting to be compromised by an attacker. EmpowerID supports a Zero Trust strategy by overlaying a single unified security model on top of all your SAP systems. This allows organizations to delegate granular administrative privileges to users within specific business units or partner organizations even where the SAP module itself does not support this granularity. Fine-grained delegations support even the most complex global organizations and multi-tenancy scenarios, controlling exactly who may see which objects and identities and who may perform which tasks, all without granting any native administrative privileges.
SAP Firefighter and Emergency Access Management
EmpowerID supports a Zero Trust strategy for SAP with the industry’s leading firefighter management capabilities for S/4HANA. End users are empowered to request temporary firefighter emergency access that is granted to the user’s existing SAP account. Requests can be pre-approved or routed for approval with their status tracked in a business-user friendly interface. This approach is simpler than checking out vaulted privileged account passwords and improves the correlation of user activity.
Role Design and Optimization for SAP
EmpowerID is a critical tool in defining and maintaining compliant access for your SAP landscape. EmpowerID ties together your SAP roles and fine-grained TCode-level access with organizational data from HR and IGA to map out in advance the position-appropriate access for employees, partners, and customers, and the risk policies that will measure and ensure continued compliance.
EmpowerID's role optimization functionality assists with maintaining SAP roles and ensuring that they grant the optimal least-privilege access, even in business environments undergoing frequent change due to reorganizations, mergers, and acquisitions. In addition, EmpowerID performs SOD simulation during role design to ensure proposed roles have no inherent SOD conflicts.
Compliant Risk Management
The goal of any organization is to efficiently deliver Compliant Access that is "position appropriate" and adheres to the organization's "business policies" concerning risk. Compliant Access extends a Zero Trust strategy by adding risk policies into the equation to determine whether even the least-privilege level of access would produce unacceptable risks. Identifying such cases allows an organization's risk control owners to make informed decisions on whether to accept the risk and apply mitigating controls or to reject it. EmpowerID's risk engine supports both preventive and detective SOD simulation and validation, with user-friendly dashboards and workflow processes to automate remediation and revocation.
EmpowerID for SAP Supports:
SAP Master Data Governance
SAP Transport Management
SAP Central Finance
SAP CAR UDF (Customer Activity Repository / Unified Demand Forecast)
SAP Forecasting and Replenishment (SAP F&R)
SAP SRM (Supplier Relationship Management)
SAP BPC (Business Planning and Consolidation)
SAP Fiori
SAP Solman
SAP SCM (Supply Chain Management)
SAP BW (Business Warehouse)
SAP SLT
Non-ABAP SAP Modules: