SAP HCM
The EmpowerID SAP HCM connector is read-only; EmpowerID pulls identity information from the HCM module, but does not write information back to it. This makes SAP HCM the authoritative source for user identities and attributes pulled from HCM. When you connect EmpowerID to the HCM module, it reads a list of people and the demographic information (name, work address, etc.) for each individual user. Additionally, EmpowerID reads the organization structure in order to associate the job functions of each user with the appropriate roles in EmpowerID.
Attribute Flow
Users in SAP S/4HANA are inventoried as accounts in EmpowerID. The below table shows the attribute mappings of SAP HCM user attributes to EmpowerID Person attributes.
SAP User Attribute | EmpowerID Attribute | Description |
|---|---|---|
NACHN | LastName | Last name of the user |
VORNA | FirstName | First name of the user |
NAMEMIDDLE | MiddleName | Middle name of the user |
USRID_LONG | Email ID of the user | |
TELNR | Telephone | Home phone number of the user |
TITEL | Title | Title of the user |
PERNR | EmployeeID | Employee ID of the user |
PERID | EmployeeIDOther | Additional ID of the user |
WAUSW | Company | Company of the user |
ORT01 | City | City of the user |
STRAS | StreetAddress | Street Address of the user |
STATE | State | State of the user |
PSTLZ | PostalCode | Postal Code of the user |
LAND1 | Country | Country of the user |
ENDDA | TerminationDate | Date of termination |
STAT2 | Status | Status of the user |
ADR03 | StreetAddress2 | Second address information for the user |
TEL01 | BusinessPhone | Business Phone of the user |
SAP Tables Read by the HCM Connector | ||||||||
|---|---|---|---|---|---|---|---|---|
HRP1000 | HRP1001 | PA0000 | PA0001 | PA0002 | PA0006 | PA0032 | PA0105 | 591S |
As each organization's implementation, practices, and procedures with SAP differs, EmpowerID uses an SAP Data Analysis Utility to ensure the necessary tables can be read and the necessary BAPI's can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This provides EmpowerID with the opportunity to review and analyze data in order to modify connector logic before setting up the connection.
When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.
Install the SAP GUI Server
Download and extract the GUI7.3.zip file (or a newer version).
Navigate to the
GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\folder and run SetupAll.exe.In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.
Select the target directory where you want to install it and click Next.
When it finishes installing, open SAP Logon from the desktop icon.
In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.
In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.
Description — ECC
Application Server — FQDN of your SAP Server, e.g. sap.mySAPserver.com
Instance Number — e.g. 77
System ID — e.g. EH9
SAProuter String — Leave this field empty.
Click Finish. The new connection appears in the grid.
Open File Explorer as Administrator and in the extracted GUI7.3.zip file, navigate to
GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\From that folder, copy the SAP .NET connector file,
librfc32.dlland paste it into yourC:\Windows\System32folder.
Create a SAP HCM account store in EmpowerID
On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.
On the Account Stores page, click Create Account Store.
Under System Types, search for SAP HCM.
Click SAP HCM to select the type and then click Submit.
On the SAP S/4HANA Settings page that appears, fill in the following information:
Display Name — Enter a name for your account store.
Host — Enter the FQDN of your SAP Server
User Name — Enter your SAP System Administrator's user name
Password — Enter your SAP System Administrator's password
SystemNumber — Enter the system number from your SAP account
DefaultLanguage — Enter the two-letter language code
Client — Enter the Client ID from your SAP account
Is Remote (Requires Cloud Gateway) — This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.
If you selected Is Remote (Requires Cloud Gateway), search for and select one or more cloud gateway servers and then click Submit. You will not see this screen if you did not select Is Remote (Requires Cloud Gateway).
EmpowerID creates the account store and the associated resource system for it. The next step is to configure attribute flow between the account store and EmpowerID.
Configure account store settings
On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.
This opens the edit page for the account store. This page allows you to specify the proxy account EmpowerID is to use to connect to the SAP as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the table below the image.Edit the account store as needed and then click Save to save your changes.
Now that everything is configured, you can enable the Account Inbox Permanent Workflow and monitor inventory. Be sure inventory is enabled on the account store settings page.
IN THIS ARTICLE