You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

SAP S/4HANA

The EmpowerID SAP S/4HANA connector lets you create, synchronize, and manage SAP S/4HANA user, role/profile and role/profile assignment information in EmpowerID. Imported user information can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories SAP S/4HANA, it creates an account in the EmpowerID Identity Warehouse for each SAP S/4HANA user, a group for each SAP S/4HANA role or profile, and assigns group membership to users based on their role or profile memberships in SAP S/4HANA.

Once connected, you can manage this data from EmpowerID in the following ways:

  • Account Management

    • Inventory user accounts

    • Create user accounts

    • Update user accounts

    • Enable and Disable user accounts

    • Change user passwords

  • Role Management

    • Inventory roles or profiles as groups

    • Inventory role or profile memberships as group accounts

    • Add and Remove members to and from roles or profiles

  • Attribute Flow
    Users in SAP S/4HANA are inventoried as accounts in EmpowerID. The below table shows the attribute mappings of SAP S/4HANA user attributes to EmpowerID account attributes.

SAP User Attribute

EmpowerID Attribute

Description

SAP User Attribute

EmpowerID Attribute

Description

NAME_FIRST

FirstName

First name of the user

NAME_LAST

LastName

Last name of the user

NAMEMIDDLE

MiddleName

Middle name of the user

BNAME

LogonName

User name of the user

TEL_NUMBER_MOBILE

MobileNumber

Mobile number of the user

TEL_NUMBER

Telephone

Home phone number of the user

SMTP_ADDR

Email

Email ID of the user

LANGU

PreferredLanguage

Language of the user

UFLAG

Disabled

Determines whether user is active

TITLE

PersonalTitle

Personal Title of the user

TITLE_ACA1

AcademicTitle

Academic Title of the user

FUNCTION

BusinessFunction

Business Function of the user

ROOMNUMBER

RoomNumber

Room Number of the user

FLOOR

Floor

Floor of the user

BUILDING

BuildingCode

Building Code of the user.

FAX_NUMBER

Fax

Fax of the user

USERALIAS

Alias

Alias of the user

USTYP

UserType

User Type of the user

SECURITY_POLICY

SecurityPolicy

Security Policy of the user

DEPARTMENT

Department

Department name of the user

CLASS

UserGroup

User Group of the user

GLTGV

ValidFrom

Valid From date set for the user

GLTGB

ValidUntil

Valid Until date set for the user

ACCNT

AccountNo

Account Number of the user

KOSTL

CostCenter

Cost Center of the user

TZONE

TimeZone

Time Zone of the user

PWDCHGDATE

PasswordLastChanged

Date the user’s password was last changed

TRDAT+LTIME

LastLogonTime

Date and time the user last logged on

company

Company

Company name of the user

PNAME

UserPrincipalName

SNC Name of the user

Prerequisites

To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.

You also need the following from SAP to create your Account Store.

  • Host Name of the BAPI endpoint

  • Username that is authorized to read from and write to the BAPI

  • Password

  • App server FQDN

  • Instance number

  • System ID

Additionally the following conditions must be met:

  • Each EmpowerID server used to run workflows or perform inventory functions must have the librfc32.dll assembly copied into the C:\Windows\System32 folder. EmpowerID uses the assembly to perform various SAP processes (inventory, workflows, etc.). You can download the assembly from EmpowerID at the following link: https://dl1.empowerid.com/files/librfc32_64.zip

  • For read-only connections, along with access to the below-mentioned tables, the service account needs access to the RFC_READ_TABLE BAPI

  • All mandatory fields must not be empty (e.g., LastName, PersNumber)

  • The standard tables should have the same structure across all the systems

  • The systems should have unique records across all the standard tables. For example, the records should not have any leading or trailing spaces on the Primary Key columns

  • The system should be free of any data issues. For example, there should not be any duplicate company codes pointing to the same address number.

  • The following network configurations should be in place for connecting to the SAP system:

    • All necessary ports should be open on the server used to connect to the SAP system

    • The host name of the SAP system should be resolvable to an IP address

The SAP proxy account used for the S/4HANA connector needs to have access to the below tables as well as the ability to make the remote procedure calls listed:

REQUIRED TABLE ACCESS

REQUIRED REMOTE PROCEDURE CALLS

REQUIRED TABLE ACCESS

REQUIRED REMOTE PROCEDURE CALLS

ADCP

BAPI_USER_ACTGROUPS_ASSIGN

ADR3

BAPI_USER_CHANGE

ADRP

BAPI_USER_CREATE1

AGR_1251

BAPI_USER_EXISTENCE_CHECK

AGR_DEFINE

BAPI_USER_GETLIST

AGR_USERS

BAPI_USER_GET_DETAIL

TSTCT

BAPI_USER_LOCK

USR02

BAPI_USER_UNLOCK

USR11

PING

USRACL

RFCPING

UST04

RFC_GET_FUNCTION_INTERFACE

UST10S

RFC_GET_NAMETAB

ADR2

RFC_PING

ADR6

RFC_READ_TABLE

AGR_1016

REQUIRED ACTIVITY

AGR_AGRS

Execute

AGR_TEXTS

 

TSTC

 

USCOMPANY

 

USR10

 

USR21

 

USREFUS

 

UST10C

 

UST12

 

As each organization's implementation, practices, and procedures with SAP differs, EmpowerID uses an SAP Data Analysis Utility to ensure the necessary tables can be read and the necessary BAPI's can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This provides EmpowerID with the opportunity to review and analyze data in order to modify connector logic before setting up the connection.

When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.

Install the SAP GUI Server

  1. Download and extract the GUI7.3.zip file (or a newer version).

  2. Navigate to the GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\ folder and run SetupAll.exe.

  3. In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.

  4. Select the target directory where you want to install it and click Next.

  5. When it finishes installing, open SAP Logon from the desktop icon.

  6. In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.

     

  7. In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.

    • Description — ECC

    • Application Server — FQDN of your SAP Server, e.g. sap.mySAPserver.com

    • Instance Number — e.g. 77

    • System ID — e.g. EH9

    • SAProuter String — Leave this field empty.

       

  8. Click Finish. The new connection appears in the grid.

     

  9. Open File Explorer as Administrator and in the extracted GUI7.3.zip file, navigate to GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\

  10. From that folder, copy the SAP .NET connector file, librfc32.dll and paste it into your C:\Windows\System32 folder.

Create a SAP S/4HANA account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, click Create Account Store.

     

  3. Under System Types, search for SAP ABAP.

  4. Click SAP ABAP to select the type and then click Submit.

     

  5. On the SAP S/4HANA Settings page that appears, fill in the following information:

    • Display Name — Enter a name for your account store.

    • Host — Enter the FQDN of your SAP Server

    • User Name — Enter your SAP System Administrator's user name

    • Password — Enter your SAP System Administrator's password

    • SystemNumber — Enter the system number from your SAP account

    • DefaultLanguage —  Enter the two-letter language code

    • Client — Enter the Client ID from your SAP account

    • Is Remote (Requires Cloud Gateway) — This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.

  6. If you selected Is Remote (Requires Cloud Gateway), search for and select one or more cloud gateway servers and then click Submit. You will not see this screen if you did not select Is Remote (Requires Cloud Gateway).

     

  7. EmpowerID creates the account store and the associated resource system for it. The next step is to configure attribute flow between the account store and EmpowerID.

Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

Configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.


    This opens the edit page for the account store. This page allows you to specify the proxy account EmpowerID is to use to connect to the SAP as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the table below the image.


  2. Edit the account store as needed and then click Save to save your changes.

    Now that everything is configured, you can enable the Account Inbox Permanent Workflow and monitor inventory. Be sure inventory is enabled on the account store settings page.

IN THIS ARTICLE