The EmpowerID SAP S/4HANA connector lets you create, synchronize, and manage SAP S/4HANA user, role/profile and role/profile assignment information in EmpowerID. Imported user information can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories SAP S/4HANA, it creates an account in the EmpowerID Identity Warehouse for each SAP S/4HANA user, a group for each SAP S/4HANA role or profile and assigns group membership to users based on their role or profile memberships in SAP S/4HANA.
Additionally, the connector supports the inventory of SAP TCODEs, SAP Authorization Objects and their field type values as rights in EmpowerID. Successfully inventorying these objects requires additional configuration in EmpowerID. This is demonstrated in the Connect to SAP S/4 HANA article.
Once connected, you can manage this data from EmpowerID in the following ways:

Account Management
- Inventory user accounts
- Create user accounts
- Update user accounts
- Enable and disable user accounts
- Change user passwords

Role Management
- Inventory roles or profiles as groups
- Inventory role or profile memberships as group accounts
- Add and remove members to and from roles or profiles
SAP TCODE Inventory
- Inventories all SAP modules from the TDEVC table and stores them in the ResourceSystemModule table in EmpowerID.
- Inventories SAP transaction codes from the TSTC table and stores this information in the AzLocalRights table in EmpowerID, along with the relation between the transaction codes and the SAP modules.
- Inventories the relationship between roles/profiles and TCODES and stores this information in the AzAssigneeLocalRightScope table in EmpowerID.
SAP Authorization Object and FieldTypes Inventory
- Inventories SAP authorization objects from the TOBJ table and stores that information in the AzLocalRights table in EmpowerID with an AzLocalRightTypeID of 7.
- Inventories SAP FieldTypes from the AUTHX table and stores that information in the AzFieldType table of EmpowerID.
- Inventories the relationship between authorization objects and fieldtypes and stores that information in the AzGlobalRightFieldType table of EmpowerID.
- Inventories the relationship between SAP single roles and authorization objects from the AGR_1251 table in SAP and stores that information in the AzAssigneeLocalRightScope table in EmpowerID.
- Inventories the relationship between SAP transaction codes and authorization objects from the USOBX_C table in SAP and stores that information in the AzGlobalRightRelatedRight table in EmpowerID.
- Inventories the relationship between Role > AuthObject > FieldType > Low and High values from the AGR_1251 and AGR_1252 tables and stores that information in the AzAssigneeRightAzGlobalRightFieldType table of EmpowerID. The multiple explicit values are stored in the AzAssigneeRightAzGlobalRightFieldTypeValue table of EmpowerID.
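The relations listed above can be hard to picture from the table names alone. The following added example (not EmpowerID's connector code) indexes constructed AGR_1251 rows (role > authorization object > field > LOW/HIGH) and USOBX_C rows (transaction code > authorization object) into the three relations the connector stores, and lets a reviewer ask which roles grant a given object/field value, which is the question an entitlement review needs answered. The sample rows are constructed; the LOW/HIGH matching rule used here (`*` matches everything, a blank HIGH means exact match, otherwise an inclusive range) is an assumption for illustration, not a statement of how EmpowerID evaluates values.

```python
"""Index SAP PBAC relations from AGR_1251 and USOBX_C rows (added example)."""
from collections import defaultdict

# Constructed AGR_1251 rows (MANDT omitted). COUNTER numbers the rows within a role.
AGR_1251 = [
    {"AGR_NAME": "Z_FI_CLERK", "COUNTER": "0001", "OBJECT": "S_TCODE",    "FIELD": "TCD",   "LOW": "FB01", "HIGH": ""},
    {"AGR_NAME": "Z_FI_CLERK", "COUNTER": "0002", "OBJECT": "F_BKPF_BUK", "FIELD": "ACTVT", "LOW": "01",   "HIGH": "03"},
    {"AGR_NAME": "Z_FI_CLERK", "COUNTER": "0003", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "1000", "HIGH": ""},
    {"AGR_NAME": "Z_FI_CLERK", "COUNTER": "0004", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "2000", "HIGH": ""},
    {"AGR_NAME": "Z_FI_AUDIT", "COUNTER": "0001", "OBJECT": "F_BKPF_BUK", "FIELD": "ACTVT", "LOW": "03",   "HIGH": ""},
    {"AGR_NAME": "Z_FI_AUDIT", "COUNTER": "0002", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "*",    "HIGH": ""},
]

# Constructed USOBX_C rows; TYPE "TR" rows relate a transaction code (NAME) to an object.
USOBX_C = [
    {"NAME": "FB01", "TYPE": "TR", "OBJECT": "S_TCODE"},
    {"NAME": "FB01", "TYPE": "TR", "OBJECT": "F_BKPF_BUK"},
]


def build_pbac_index(agr_1251, usobx_c):
    """Return the three relations the connector stores, keyed for lookup.

    role_objects  -> role -> set of authorization objects (AzAssigneeLocalRightScope)
    field_values  -> (role, object, field) -> list of (LOW, HIGH) explicit values
                     (AzAssigneeRightAzGlobalRightFieldType / ...Value)
    tcode_objects -> transaction code -> set of objects (AzGlobalRightRelatedRight)
    """
    role_objects = defaultdict(set)
    field_values = defaultdict(list)
    for row in agr_1251:
        role_objects[row["AGR_NAME"]].add(row["OBJECT"])
        key = (row["AGR_NAME"], row["OBJECT"], row["FIELD"])
        field_values[key].append((row["LOW"], row["HIGH"]))

    tcode_objects = defaultdict(set)
    for row in usobx_c:
        if row["TYPE"] == "TR":
            tcode_objects[row["NAME"]].add(row["OBJECT"])

    return {
        "role_objects": dict(role_objects),
        "field_values": dict(field_values),
        "tcode_objects": dict(tcode_objects),
    }


def value_matches(value, low, high):
    """Assumed matching rule: '*' is a wildcard, blank HIGH means exact match,
    otherwise LOW..HIGH is an inclusive range (string comparison, as in SAP)."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    return value == low


def roles_granting(index, obj, field, value):
    """Roles whose explicit values for (obj, field) cover the given value."""
    return sorted(
        role
        for (role, o, f), ranges in index["field_values"].items()
        if o == obj and f == field and any(value_matches(value, lo, hi) for lo, hi in ranges)
    )


if __name__ == "__main__":
    idx = build_pbac_index(AGR_1251, USOBX_C)
    print("objects checked by FB01:", sorted(idx["tcode_objects"]["FB01"]))
    print("roles that can change (ACTVT 02) documents:", roles_granting(idx, "F_BKPF_BUK", "ACTVT", "02"))
    print("roles with company code 2000:", roles_granting(idx, "F_BKPF_BUK", "BUKRS", "2000"))
```

The `field_values` list keeps one entry per AGR_1251 row, which is exactly the "multiple explicit values" case the page says lands in the `...FieldTypeValue` table: a role with two BUKRS rows (1000 and 2000) produces two value entries under one (role, object, field) key rather than being collapsed.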
Inventory of SAP TCODES and SAP Authorization Objects and their field type values as rights in EmpowerID is optional. The inventory of these objects is controlled by the following system settings:
- SAPInventorySAPPBAC – This is a Boolean setting that determines whether EmpowerID inventories SAP TCODES and SAP Authorization data as AzLocalRights. The value must be set to true for EmpowerID to inventory both authorization data and TCODES as local rights.
- SAPInventorySAPPBACTcodes – This is a Boolean setting that determines whether EmpowerID inventories ONLY SAP TCODES as AzLocalRights. The value must be set to true for EmpowerID to inventory TCODES as local rights.
For information on how to configure these settings, please see Configure EmpowerID for SAP PBAC.
Account Attributes
Users in SAP are inventoried as accounts in EmpowerID. The following table shows the attribute mapping of SAP User attributes to EmpowerID Account attributes:
SAP User Attribute | Corresponding EmpowerID Attribute | Description |
---|---|---|
NAME_FIRST | FirstName | First name of the user |
NAME_LAST | LastName | Last name of the user |
NAMEMIDDLE | MiddleName | Middle name of the user |
BNAME | LogonName | User name of the user |
BNAME | SystemIdentifier | Unique System Identifier of the user |
TEL_NUMBER_MOBILE | MobileNumber | Mobile number of the user |
TEL_NUMBER | Telephone | Home phone number of the user |
SMTP_ADDR | | Email ID of the user |
LANGU | PreferredLanguage | Language of the user |
UFLAG | Disabled | Specifies whether or not user is active |
TITLE | PersonalTitle | PersonalTitle of the user |
TITLE_ACA1 | AcademicTitle | AcademicTitle of the user |
FUNCTION | BusinessFunction | BusinessFunction of the user |
ROOMNUMBER | RoomNumber | RoomNumber of the user |
FLOOR | Floor | Floor of the user |
BUILDING | BuildingCode | BuildingCode of the user |
FAX_NUMBER | Fax | Fax of the user |
USERALIAS | Alias | Alias of the user |
USTYP | UserType | UserType of the user |
SECURITY_POLICY | SecurityPolicy | SecurityPolicy of the user |
DEPARTMENT | Department | Department name of the user |
CLASS | UserGroup | UserGroup of the user |
GLTGV | ValidFrom | ValidFrom of the user |
GLTGB | ValidUntil | ValidUntil of the user |
ACCNT | AccountNo | AccountNo of the user |
KOSTL | CostCenter | CostCenter of the user |
TZONE | TimeZone | Time Zone of the user |
PWDCHGDATE | PasswordLastChanged | PasswordLastChanged |
TRDAT+LTIME | LastLogonTime | LastLogonTime |
company | Company | Company name of the user |
PNAME | UserPrincipalName | SNC Name of the user |
Role Attributes
Roles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Role attributes to EmpowerID Group attributes:
SAP Role Attribute | EmpowerID Attribute | Description |
---|---|---|
AGR_NAME(AGR_DEFINE) | Name | Name of the Group. |
“Role_” + AGR_NAME(AGR_DEFINE) | LogonName | LogonName of the Group |
TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS = '00000' +(SAP CompositeRole or SAP Single Role) | FriendlyName | FriendlyName of the Group |
Concatenation of all rows from TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS != '00000' | Description, Notes | Description, Notes of the Group |
Use the relation from the AGR_AGRS table to calculate the role type | GroupTypeID | Identifier to distinguish the SAP role type, either single or composite role |
Profile Attributes
Profiles in SAP are inventoried as Groups in EmpowerID. The following table shows the attribute mapping of SAP Profile attributes to EmpowerID Group attributes:
SAP Profile Attribute | EmpowerID Attribute | Description |
---|---|---|
PROFN(USR10) | Name | Name of the Group |
“Profile_” + PROFN(USR10) | LogonName | LogonName of the Group |
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile) | FriendlyName | FriendlyName of the Group |
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile) | Description | Description of the Group |
Use TYP from the USR10 table to calculate the profile type | GroupTypeID | Identifier to distinguish the SAP profile type, either single or composite profile |
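The two mapping tables above (roles and profiles) describe the same kind of derivation: a group name, a prefixed logon name, a friendly name built from the SAP text plus the role/profile kind, and a type identifier computed from a second table. The following added example (not EmpowerID's connector code) applies both sets of rules to constructed rows standing in for AGR_DEFINE, AGR_TEXTS, AGR_AGRS, USR10 and USR11. The GroupTypeID values are placeholders, since the page does not give EmpowerID's actual identifiers; the exact punctuation used when appending "(SAP Single Role)" to the text, and the use of USR10.TYP = "C" for a composite profile, are assumptions made for illustration.

```python
"""Derive EmpowerID group attributes from SAP role and profile rows (added example)."""
from collections import defaultdict

# Placeholder GroupTypeID values (assumption; the real identifiers are not on the page).
GROUP_TYPE = {
    "SAP Single Role": "SINGLE_ROLE",
    "SAP CompositeRole": "COMPOSITE_ROLE",
    "SAP Single Profile": "SINGLE_PROFILE",
    "SAP CompositeProfile": "COMPOSITE_PROFILE",
}

# Constructed sample rows (MANDT omitted for brevity).
AGR_DEFINE = [{"AGR_NAME": "Z_FI_CLERK"}, {"AGR_NAME": "Z_FI_ALL"}]
AGR_TEXTS = [
    {"AGR_NAME": "Z_FI_CLERK", "LINE": "00000", "TEXT": "FI clerk"},
    {"AGR_NAME": "Z_FI_CLERK", "LINE": "00001", "TEXT": "Posts invoices"},
    {"AGR_NAME": "Z_FI_CLERK", "LINE": "00002", "TEXT": "and runs reports"},
    {"AGR_NAME": "Z_FI_ALL", "LINE": "00000", "TEXT": "FI composite"},
]
# A row in AGR_AGRS means AGR_NAME is a composite role that contains CHILD_AGR.
AGR_AGRS = [{"AGR_NAME": "Z_FI_ALL", "CHILD_AGR": "Z_FI_CLERK"}]
# USR10.TYP: "C" treated as composite profile, anything else as single (assumption).
USR10 = [{"PROFN": "Z_FI_P", "TYP": "S"}, {"PROFN": "Z_FI_C", "TYP": "C"}]
USR11 = [{"PROFN": "Z_FI_P", "PTEXT": "FI profile"}, {"PROFN": "Z_FI_C", "PTEXT": "FI collective"}]


def map_roles(agr_define, agr_texts, agr_agrs):
    """Apply the Role Attributes mapping: one EmpowerID group per AGR_DEFINE row."""
    composites = {r["AGR_NAME"] for r in agr_agrs}
    texts = defaultdict(list)
    for t in sorted(agr_texts, key=lambda t: (t["AGR_NAME"], t["LINE"])):
        texts[t["AGR_NAME"]].append(t)

    groups = []
    for row in agr_define:
        name = row["AGR_NAME"]
        kind = "SAP CompositeRole" if name in composites else "SAP Single Role"
        # FriendlyName: TEXT where LINE = '00000', plus the role kind.
        title = "".join(t["TEXT"] for t in texts[name] if t["LINE"] == "00000")
        # Description/Notes: concatenation of all TEXT rows where LINE != '00000'.
        notes = " ".join(t["TEXT"] for t in texts[name] if t["LINE"] != "00000")
        groups.append({
            "Name": name,
            "LogonName": "Role_" + name,
            "FriendlyName": f"{title} ({kind})",
            "Description": notes,
            "Notes": notes,
            "GroupTypeID": GROUP_TYPE[kind],
        })
    return groups


def map_profiles(usr10, usr11):
    """Apply the Profile Attributes mapping: one EmpowerID group per USR10 row."""
    ptext = {p["PROFN"]: p["PTEXT"] for p in usr11}
    groups = []
    for row in usr10:
        name = row["PROFN"]
        kind = "SAP CompositeProfile" if row["TYP"] == "C" else "SAP Single Profile"
        friendly = f"{ptext.get(name, '')} ({kind})"
        groups.append({
            "Name": name,
            "LogonName": "Profile_" + name,
            "FriendlyName": friendly,
            "Description": friendly,   # the page maps the same value to both attributes
            "GroupTypeID": GROUP_TYPE[kind],
        })
    return groups


if __name__ == "__main__":
    for g in map_roles(AGR_DEFINE, AGR_TEXTS, AGR_AGRS) + map_profiles(USR10, USR11):
        print(g["LogonName"], "->", g["FriendlyName"], "|", g["GroupTypeID"])
```

The "Role_" and "Profile_" prefixes matter for a reason beyond cosmetics: a role and a profile can share the same SAP name, and the prefix is what keeps their EmpowerID LogonName values from colliding when both are inventoried as groups.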
Prerequisites
To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.
You can connect EmpowerID to an SAP R/3 system in two ways:
- Application Server
- Message Server

Each has its own set of prerequisites.
Additionally, the following conditions must be met:
- Each EmpowerID server used to run workflows or perform inventory functions must have the librfc32.dll assembly copied into the C:\Windows\System32 folder. EmpowerID uses the assembly to perform various SAP processes (inventory, workflows, etc.). You can download the assembly from EmpowerID at the following link: https://dl1.empowerid.com/files/librfc32_64.zip
- For read-only connections, along with access to the tables listed below, the service account needs access to the RFC_READ_TABLE BAPI.
- All mandatory fields must not be empty (e.g., LastName, PersNumber).
- The standard tables should have the same structure across all the systems.
- The systems should have unique records across all the standard tables. For example, the records should not have any leading or trailing spaces on the primary key columns.
- The system should be free of any data issues. For example, there should not be any duplicate company codes pointing to the same address number.
The following network configurations should be in place for connecting to the SAP system:
- All necessary ports should be open on the server used to connect to the SAP system
- The host name of the SAP system should be resolvable to an IP address
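The data conditions above (mandatory fields populated, no leading or trailing spaces on primary key columns, no duplicate records, no two company codes pointing at one address number) are the kind of thing that is cheap to verify before the first inventory and expensive to discover afterwards as duplicate or merged accounts. The following added example (not EmpowerID's connector or its SAP Data Analysis Utility) runs those checks over constructed rows shaped like the ADRP, USR02 and USCOMPANY tables listed on this page. The `ADDRNUMBER` column on USCOMPANY is not in the page's column list and is assumed here for the company/address check; the sample rows are made up to trigger each finding once.

```python
"""Pre-flight data-quality checks for the SAP connector prerequisites (added example)."""
from collections import Counter, defaultdict

# Constructed sample rows. MANDT/CLIENT is the SAP client number.
ADRP = [
    {"CLIENT": "100", "PERSNUMBER": "0000000001", "DATE_FROM": "00010101", "NATION": "",
     "NAME_FIRST": "Jane", "NAME_LAST": "Smith"},
    {"CLIENT": "100", "PERSNUMBER": "0000000002", "DATE_FROM": "00010101", "NATION": "",
     "NAME_FIRST": "Bob", "NAME_LAST": ""},            # empty mandatory field
]
USR02 = [
    {"MANDT": "100", "BNAME": "JSMITH", "USTYP": "A"},
    {"MANDT": "100", "BNAME": "JSMITH ", "USTYP": "A"},  # trailing space: distinct to SAP, same user once trimmed
    {"MANDT": "100", "BNAME": "BJONES", "USTYP": "A"},
    {"MANDT": "100", "BNAME": "BJONES", "USTYP": "B"},   # exact duplicate of the key
]
USCOMPANY = [
    {"MANDT": "100", "COMPANY": "ACME", "ADDRNUMBER": "0000012345"},   # ADDRNUMBER column is assumed
    {"MANDT": "100", "COMPANY": "ACME2", "ADDRNUMBER": "0000012345"},  # second company, same address
]


def check_mandatory(table, rows, fields):
    """Report rows where a mandatory field is empty or whitespace-only."""
    findings = []
    for row in rows:
        for f in fields:
            if not str(row.get(f, "")).strip():
                findings.append((table, "empty mandatory field", f"{f} empty in {row}"))
    return findings


def check_keys(table, rows, key_cols):
    """Report keys with leading/trailing whitespace and keys that repeat after trimming.

    Trimming before counting is deliberate: 'JSMITH' and 'JSMITH ' are two rows to
    SAP but would become one account (or one ambiguous match) in EmpowerID.
    """
    findings = []
    seen = Counter()
    for row in rows:
        raw = tuple(row[c] for c in key_cols)
        trimmed = tuple(v.strip() for v in raw)
        if raw != trimmed:
            findings.append((table, "whitespace in primary key", f"{dict(zip(key_cols, raw))}"))
        seen[trimmed] += 1
    for key, n in seen.items():
        if n > 1:
            findings.append((table, "duplicate primary key", f"{dict(zip(key_cols, key))} occurs {n} times"))
    return findings


def check_company_addresses(rows):
    """Report address numbers that more than one company code points to."""
    by_addr = defaultdict(set)
    for row in rows:
        by_addr[(row["MANDT"], row["ADDRNUMBER"])].add(row["COMPANY"])
    return [
        ("USCOMPANY", "shared address number", f"address {addr} used by companies {sorted(cos)}")
        for (_, addr), cos in by_addr.items() if len(cos) > 1
    ]


def run_checks():
    """Run every check over the sample tables and return (table, issue, detail) tuples."""
    findings = []
    findings += check_mandatory("ADRP", ADRP, ["NAME_FIRST", "NAME_LAST"])
    findings += check_keys("USR02", USR02, ["MANDT", "BNAME"])
    findings += check_company_addresses(USCOMPANY)
    return findings


if __name__ == "__main__":
    for table, issue, detail in run_checks():
        print(f"{table}: {issue}: {detail}")
```

Against real data the same functions would be fed rows retrieved through RFC_READ_TABLE using the key columns from the table below; the point of trimming before counting duplicates is that a key which is unique to SAP only because of trailing whitespace is not unique once it becomes an EmpowerID LogonName.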
The SAP proxy account used for the S/4HANA connector needs access to the tables below, as well as the ability to make the remote procedure calls listed:
SAP Table | Required Columns (Keys) |
---|---|
ADCP | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, NATION |
ADR2 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, TEL_NUMBER |
ADR3 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER |
ADR6 | CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, FLGDEFAULT, SMTP_ADDR |
ADRP | CLIENT, PERSNUMBER, DATE_FROM, NATION, NAME_FIRST, NAME_LAST |
AGR_1016 | MANDT, AGR_NAME, COUNTER, PROFILE |
AGR_1251 | MANDT, AGR_NAME, COUNTER, OBJECT, FIELD, LOW, HIGH |
AGR_1252 | MANDT, AGR_NAME, COUNTER |
AGR_AGRS | MANDT, AGR_NAME, CHILD_AGR |
AGR_DEFINE | MANDT, AGR_NAME |
AGR_TEXTS | MANDT, AGR_NAME, SPRAS, LINE, TEXT |
AGR_USERS | MANDT, AGR_NAME, UNAME, FROM_DAT, TO_DAT |
AUSOBT | NAME, TYPE, OBJECT, FIELD, LOW |
AUTHX | FIELDNAME |
BUT000 | CLIENT, PARTNER, TYPE |
BUT051 | CLIENT, RELNR, PARTNER1, PARTNER2, DATE_TO |
BUT100 | MANDT, PARTNER, RLTYP, DFVAL |
DD04T | ROLLNAME, DDLANGUAGE, AS4LOCAL, AS4VERS |
GRACFFCTRL | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, CNTRL_ID |
GRACFFOWNER | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, OWNER |
GRACFFOWNERT | MANDT, LANGU, APP_TYPE, FFOBJECT, CONNECTOR, OWNER |
GRACFFUSER | MANDT, APP_TYPE, FFOBJECT, CONNECTOR, FF_USER |
HRP1000 | MANDT, PLVAR, OTYPE, OBJID, ISTAT, BEGDA, ENDDA, LANGU, SEQNR, OTJID |
HRP1001 | MANDT, OTYPE, OBJID, PLVAR, RSIGN, RELAT, ISTAT, PRIOX, BEGDA, ENDDA, VARYF, SEQNR, SCLAS, SOBID |
HRP1032 | MANDT, PLVAR, OTYPE, SUBTY, OBJID, ISTAT, ENDDA, BEGDA, VARYF, SEQNR |
PA0000 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0001 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0002 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0006 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0016 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0032 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA0105 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
PA2006 | MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR |
RSBPCE_TEAM | APPSET_ID, TEAM_ID, OBJVERS |
RSBPCE_USER_TEAM | APPSET_ID, TEAM_ID, OBJVERS, USER_ID |
T591S | MANDT, SPRSL, INFTY, SUBTY |
TACT | ACTVT |
TACTZ | BROBJ, ACTVT |
TADIR | PGMID, OBJECT, OBJ_NAME |
TB003 | CLIENT, ROLE |
TB003T | CLIENT, SPRAS, ROLE |
TDEVC | DEVCLASS |
TOBC | OCLSS |
TOBJ | OBJCT |
TOBJC | OBJCT, OCLSS |
TOBJT | LANGU, OBJECT |
TSAD3 | CLIENT, TITLE |
TSAD3T | CLIENT, TITLE, LANGU |
TSTC | TCODE |
TSTCT | SPRSL, TCODE |
USCOMPANY | MANDT, COMPANY |
USGRP | MANDT, USERGROUP |
USGRP_USER | MANDT, BNAME, USERGROUP, FROM_DAT, TO_DAT |
USOBT | NAME, TYPE, OBJECT, FIELD, LOW |
USOBT_C | NAME, TYPE, OBJECT, FIELD, LOW |
USOBX | NAME, TYPE, OBJECT |
USOBX_C | NAME, TYPE, OBJECT |
USORG | FIELD |
USR01 | MANDT, BNAME |
USR02 | MANDT, BNAME, GLTGV, GLTGB, USTYP, CLASS, UFLAG, TRDAT, LTIME |
USR05 | MANDT, BNAME, PARID |
USR06 | MANDT, BNAME |
USR10 | MANDT, PROFN, AKTPS, TYP |
USR11 | MANDT, LANGU, PROFN, AKTPS, PTEXT |
USR21 | MANDT, BNAME |
USRACL | MANDT, BNAME |
USREFUS | MANDT, BNAME |
UST04 | MANDT, BNAME, PROFILE |
UST10C | MANDT, PROFN, AKTPS, SUBPROF |
UST10S | MANDT, PROFN, AKTPS, OBJCT, AUTH |
UST12 | MANDT, OBJCT, AUTH, AKTPS, FIELD, VON, BIS |
Required Remote Procedure Calls | Required Activity |
---|---|
BAPI_USER_ACTGROUPS_ASSIGN | Display |
BAPI_USER_CHANGE | Execute |
BAPI_USER_CREATE1 | Execute |
BAPI_USER_EXISTENCE_CHECK | Execute |
BAPI_USER_GETLIST | Execute |
BAPI_USER_GET_DETAIL | Execute |
BAPI_USER_LOCK | Execute |
BAPI_USER_UNLOCK | Execute |
PING | Execute |
RFCPING | Execute |
RFC_GET_FUNCTION_INTERFACE | Execute |
RFC_GET_NAMETAB | Execute |
RFC_PING | Execute |
RFC_READ_TABLE | Execute |
As each organization's implementation, practices, and procedures with SAP differ, EmpowerID uses an SAP Data Analysis Utility to ensure the necessary tables can be read and the necessary BAPIs can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This gives EmpowerID the opportunity to review and analyze the data and adjust connector logic before setting up the connection.