You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Connect to SAP S/4 HANA
When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.
Step 1 – Install the SAP GUI Server
Download and extract the GUI7.3.zip file (or a newer version).
Navigate to the GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\ folder and run SetupAll.exe.
In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.
Select the target directory where you want to install it and click Next.
When it finishes installing, open SAP Logon from the desktop icon.
In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.
In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.
Description — ECC
Application Server — FQDN of your SAP Server, e.g. sap.mySAPserver.com
Instance Number — e.g. 77
System ID — e.g. EH9
SAProuter String — Leave this field empty.
Click Finish. The new connection appears in the grid.
Open File Explorer as Administrator and, in the extracted GUI7.3.zip file, navigate to GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\
From that folder, copy the SAP .NET connector file, librfc32.dll, and paste it into your C:\Windows\System32 folder.
Step 2 – Create a SAP S/4HANA account store in EmpowerID
On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.
On the Account Stores page, select the Action tab and then click Create Account Store.
Under System Types, search for SAP S/4HANA.
Click SAP S/4HANA to select the type and then click Submit.
For SAP Connection Type, select either Application Server or Message Server and click Submit.
On the SAP S/4HANA Settings page that appears, fill in the following information:
Display Name – Enter a name for your account store.
Host – Enter the FQDN of your SAP Server
User Name – Enter your SAP System Administrator's user name
Password – Enter your SAP System Administrator's password
SystemNumber – Enter the system number from your SAP account
DefaultLanguage – Enter the two-letter language code
Client – Enter the Client ID from your SAP account
Is Remote (Requires Cloud Gateway) – This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.
If you selected Is Remote (Requires Cloud Gateway), search for and select one or more cloud gateway servers and then click Submit. You will not see this screen if you did not select Is Remote (Requires Cloud Gateway).
EmpowerID creates the account store and the associated resource system for it. The next step is to configure attribute flow between the account store and EmpowerID.
Step 3 – Configure Attribute Flow
Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.
Step 4 – Configure account store settings
On the Account Store and Resource System page, click the Account Store tab and then click the Edit link to put the account store in edit mode.
This opens the edit page for the account store. This page allows you to specify the proxy account EmpowerID is to use to connect to SAP, as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the table below the image.
Edit the account store as needed and then click Save to save your changes.
Next, configure EmpowerID to inventory SAP TCODEs, SAP Authorization Objects and their field type values as rights in EmpowerID.
Step 5 – Configure EmpowerID for SAP PBAC
The new version of the SAP ABAP Connector supports the inventory of SAP TCODEs, SAP Authorization Objects and their field type values as Rights in EmpowerID. These settings include:
SAPInventorySAPPBAC – This is a Boolean setting that determines whether EmpowerID inventories SAP TCODEs and SAP Authorization data as AzLocalRights. The value must be set to true for EmpowerID to inventory both authorization data and TCODEs as local rights.
SAPInventorySAPPBACTcodes – This is a Boolean setting that determines whether EmpowerID inventories only SAP TCODEs as AzLocalRights. The value must be set to true for EmpowerID to inventory TCODEs as local rights.
Follow the steps below to inventory SAP PBAC without issues.
On the navbar, expand Infrastructure Admin > EmpowerID Servers and Settings and select EmpowerID System Settings.
Search for the ListOfInvTables system setting.
If SAPInventorySAPPBAC is set to true, do the following:
Click the Edit button for the setting and add the following tables to the Value field:
AGR_DEFINE,AGR_TEXTS,AGR_AGRS,AGR_1016,AGR_1251,USR10,USR11,UST10C,UST10S,UST12,TSTC,TSTCT,ADR6,ADRP,USR02,USR21,ADR2,ADR3,ADCP, USREFUS,UST04,AGR_USERS,USRACL,USCOMPANY,USR01,USR06,AUTHX,DD04T,TADIR,TDEVC,TOBJ,USOBT,USOBT_C,USOBX,USOBX_C,AGR_125
Save the setting.
If SAPInventorySAPPBACTcodes is set to true, do the following:
Click the Edit button for the setting and add the following tables to the Value field:
AGR_DEFINE,AGR_TEXTS,AGR_AGRS,AGR_1016,AGR_1251,USR10,USR11,UST10C,UST10S,UST12,TSTC,TSTCT,ADR6,ADRP,USR02,USR21,ADR2,ADR3,ADCP, USREFUS,UST04,AGR_USERS,USRACL,USCOMPANY,USR01,USR06,TADIR,TDEVC,AGR_1252
Save the setting.
On the EmpowerID System Settings page, click the Add button in the grid header.
Name the setting SAPInventorySAPPBAC and set the Value to true.
Save the setting.
In addition to the above steps, for the initial load of the system please do the following:
Disable Triggers on SAP_TABLE_TSTC and SAP_TABLE_TOBJ.
Run inventory to retrieve only the SAP raw tables and the account and group membership inventory. To do this, set SAPInventoryStopAfterStage to 4.
Run the following EmpowerID stored procedures (sprocs) manually, as these sprocs are called on triggers of the table:
exec SAP_RefreshAzLocalRightsAndRSM @ResourceSystemID,@ResourceSystemGUID
exec SAP_SyncRSMAndTcodes @ResourceSystemID,@ResourceSystemGUID
exec SAP_SyncAzAssigneeLocalRightScope @ResourceSystemID,@ResourceSystemGUID
exec SAP_RefreshAzObjects @ResourceSystemID
exec SAP_SyncAzObjectFieldType @ResourceSystemID,@ResourceSystemGUID
exec SAP_SyncAzAssigneeLocalRightScopeForAuthObjects @ResourceSystemID,@ResourceSystemGUID
exec SAP_SyncAzGlobalRightRelatedRight @ResourceSystemID
exec SAP_SyncAzAssigneeRightAzGlobalRightFieldType @ResourceSystemID
Enable only the triggers on SAP_TABLE_TSTC if SAPInventorySAPPBACTcodes is set to true.
Enable the triggers on SAP_TABLE_TSTC and SAP_TABLE_TOBJ if SAPInventorySAPPBAC is set to true.
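The initial-load sequence above can be written as one T-SQL runbook. This is an added example, not EmpowerID's own script. It assumes the EmpowerID database runs on SQL Server, that the two tables live in the dbo schema, and that the parameter types are int and uniqueidentifier; the @Phase and @FullPbac switches are hypothetical names and all values are placeholders.

```sql
-- Added example, not EmpowerID's own script. Assumptions: SQL Server, dbo schema,
-- int/uniqueidentifier parameter types; all values below are placeholders.
DECLARE @ResourceSystemID   int              = 0;
DECLARE @ResourceSystemGUID uniqueidentifier = '00000000-0000-0000-0000-000000000000';
DECLARE @Phase    tinyint = 1;  -- 1 = before the stage-4 inventory run, 2 = after it
DECLARE @FullPbac bit     = 1;  -- 1 = SAPInventorySAPPBAC is true
                                -- 0 = only SAPInventorySAPPBACTcodes is true

IF @Phase = 1
BEGIN
    -- Keep the triggers from firing while the raw SAP tables are loaded.
    ALTER TABLE dbo.SAP_TABLE_TSTC DISABLE TRIGGER ALL;
    ALTER TABLE dbo.SAP_TABLE_TOBJ DISABLE TRIGGER ALL;
END
ELSE
BEGIN
    BEGIN TRY
        -- Same procedures, in the same order, as listed in the guide.
        EXEC SAP_RefreshAzLocalRightsAndRSM @ResourceSystemID, @ResourceSystemGUID;
        EXEC SAP_SyncRSMAndTcodes @ResourceSystemID, @ResourceSystemGUID;
        EXEC SAP_SyncAzAssigneeLocalRightScope @ResourceSystemID, @ResourceSystemGUID;
        EXEC SAP_RefreshAzObjects @ResourceSystemID;
        EXEC SAP_SyncAzObjectFieldType @ResourceSystemID, @ResourceSystemGUID;
        EXEC SAP_SyncAzAssigneeLocalRightScopeForAuthObjects @ResourceSystemID, @ResourceSystemGUID;
        EXEC SAP_SyncAzGlobalRightRelatedRight @ResourceSystemID;
        EXEC SAP_SyncAzAssigneeRightAzGlobalRightFieldType @ResourceSystemID;

        -- Re-enable triggers only once every procedure has completed.
        ALTER TABLE dbo.SAP_TABLE_TSTC ENABLE TRIGGER ALL;
        IF @FullPbac = 1
            ALTER TABLE dbo.SAP_TABLE_TOBJ ENABLE TRIGGER ALL;
    END TRY
    BEGIN CATCH
        -- A failed procedure stops the sequence here.
        PRINT 'Initial load stopped: ' + ERROR_MESSAGE();
        THROW;
    END CATCH
END

-- Confirm the resulting trigger state on both tables.
SELECT OBJECT_NAME(parent_id) AS table_name, name AS trigger_name, is_disabled
FROM sys.triggers
WHERE parent_id IN (OBJECT_ID('dbo.SAP_TABLE_TSTC'), OBJECT_ID('dbo.SAP_TABLE_TOBJ'));
```

Run it once with @Phase = 1, perform the inventory run with SAPInventoryStopAfterStage set to 4, then run it again with @Phase = 2. The final query shows whether any trigger was left disabled, which would leave the inventoried rights out of sync with SAP.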
Step 6 – Enable the Account Inbox Permanent Workflow
Step 7 – Enable Inventory on the account store
On the navbar, expand Administration > Applications and Directories and select Account Stores and Systems.
Search for the account store you created and click the Account Store link for it.
On the Account Store and Resource System page for the link, click the Account Store tab and then click the Edit link to put the account store in edit mode.
On the edit page, select the Inventory tab and then check Inventory Enabled.
Save your changes.