SAP
- Universal Importer for Confluence
- Simon Flückiger
- Kim Landis (Unlicensed)
- Phillip Hanegan
EmpowerID includes an SAP connector capable of connecting with the two main SAP modules used for managing identity information:
- the ECC module and
- the HCM module.
The ECC module stores information for accessing SAP, and the means for authorizing to SAP, which includes
- action groups,
- profiles, and
- individual authorization objects.
The HCM module manages employees and often serves as the authoritative source for employee information, including employment status, location, roles and responsibilities. When EmpowerID connects to any one of these SAP modules, it creates a singular account store object for that module with configurable settings for specifying how EmpowerID is to manage the identity information.
SAP ECC Connector
The ECC connector is bi-directional, meaning that EmpowerID can both read from and write to the module. This allows you to manage ECC users and their access to SAP from EmpowerID. When you connect EmpowerID to the ECC module, EmpowerID reads the list of users, their status (active/disabled) and the action groups and profiles assigned to each. EmpowerID can create new ECC users, enable and disable ECC users, reset passwords and assign action groups and profiles.
The ECC connector reads from the SAP tables below:
SAP Tables Read by the ECC Connector | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
ADCP | ADR2 | ADR3 | ADR6 | ADRP | AGR_1016 | AGR_1251 | AGR_AGRS | AGR_DEFINE | AGR_TEXTS | AGR_USERS |
TSTC | TSTCT | USR02 | USR10 | USR11 | USR21 | USREFUS | UST04 | UST10C | UST10S | UST12 |
EmpowerID uses the following stock BAPIs:
- BAPI_USER_ACTGROUPS_ASSIGN
- BAPI_USER_CHANGE
- BAPI_USER_CREATE1
- BAPI_USER_DELETE
- BAPI_USER_GET_DETAIL
- BAPI_USER_PROFILES_ASSIGN
- BAPI_USER_LOCK
- BAPI_USER_UNLOCK
- IDENTITY_MODIFY
SAP HCM Connector
The HCM connector is read-only; EmpowerID pulls identity information from the HCM module, but does not write information back to it. When you connect EmpowerID to the HCM module, it reads a list of people and the demographic information (name, work address, etc.) for each individual user. Additionally, EmpowerID reads the organization structure in order to associate the job functions of each user with the appropriate roles in EmpowerID.
The HCM connector reads information from the SAP tables below:
SAP Tables Read by the HCM Connector | ||||||||
---|---|---|---|---|---|---|---|---|
HRP1000 | HRP1001 | PA0000 | PA0001 | PA0002 | PA0006 | PA0032 | PA0105 | 591S |
Additionally, each EmpowerID server used to run workflows or perform inventory functions must have the librfc32.dll
assembly copied into the C:\Windows\System32
folder. EmpowerID uses the assembly to perform various SAP processes (inventory, workflows, etc.). You can download the assembly from EmpowerID at the following link: https://dl.empowerid.com/SAP/librfc32_x64.zip
This topic demonstrates how to configure and use the connectors.
Prerequisites
To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.
You also need the following from SAP to create your Account Store.
- Host Name of the BAPI endpoint
- Username that is authorized to read from and write to the BAPI
- Password
- App server FQDN
- Instance number
- System ID
When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.
This topic shows you how to connect SAP to EmpowerID and configure the resulting account store.
Installing the SAP GUI Server
- Download and extract the GUI7.3.zip file (or a newer version).
- Navigate to the following folder and run SetupAll.exe:
GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\
- In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.
- Select the target directory where you want to install it and click Next.
- When it finishes installing, open SAP Logon from the desktop icon.
- In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.
- In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.
- Description: ECC
- Application Server: FQDN of your SAP Server e.g. sap.mySAPserver.com
- Instance Number: e.g. 77
- System ID: e.g. EH9
- SAProuter String: Leave this field empty.
- Click Finish. The new connection appears in the grid.
- Open File Explorer as Administrator and in the extracted GUI7.3.zip file, navigate to:
GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\
- From that folder, copy the SAP .NET connector file, librfc32.dll and paste it into your C:\Windows\System32 folder.
To create an account store for SAP ABAP or HCM on the web
- From the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
- Click the Actions tab, and then click the Create Account Store action.
- Select SAP-ECC or SAP-HR from the list of Security Boundary types.
In the SAP ABAP (or HCM) Settings page, provide the following values:
- Host – Enter the FQDN of your SAP Server, e.g. sap.mySAPserver.com
- User Name- Your SAP System Administrator's user name
- Password- Your SAP System Administrator's password
- Instance Number- The instance number from your SAP account, e.g. 77.
- Default Language Code- The two-letter language code to use, e.g. en.
- Client- The client ID from your SAP account, e.g. 500.
- Click Submit.
- The Account Store is created and appears in the Account Stores grid and an associated Resource System appears on the Resource Systems tab.
To edit account store settings on the web
- In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
- On the Account Stores tab, search for the account store you just created and click the link to go to its details page.
- On the Account Store Details page, click the Edit button or the name of the account store.
In the edit view of the page, you can edit values in any of the enabled fields on several tabs as detailed in the tables below. Do not enable inventory until the end.
If you do not want all of the users and groups found during inventory to go in the same location in EmpowerID, we recommend Mapping EmpowerID Locations to External Locations before enabling inventory.
When you have finished editing, click Save.
Clicking the Save button on any of the tabs saves any changed settings on all of the tabs, so there is no need to save it after each tab.
Settings Tab
General section
Setting | Description |
---|---|
Option 1 Specify an Account Proxy | Click Edit to change the Domain (Server), User Name, and Password that was entered when the account store was created. |
Option 2 Select a Vaulted Credential as Account Proxy | Click the drop-down arrow to select a vaulted credential to use as the account proxy. |
Inventoried Directory Server | Click the drop-down arrow to select from any connected SAP servers. |
Is Remote (Cloud Gateway Connection Required) | Select to indicate that the server is a cloud gateway. |
Authentication and Password Settings section
Setting | Description |
---|---|
Allow Password Sync | Toggle to allow EmpowerID to sync password changes discovered during inventory. |
Queue Password Changes | Toggle to have EmpowerID send password changes to the Account Password Reset Inbox for batch processing. |
Password Manager Policy for Accounts without Person | Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy. |
Provisioning Settings section
Setting | Description |
---|---|
Allow Attribute Flow | Toggle to allow attribute changes to flow between EmpowerID and the account store. |
Allow Provisioning (By RET) | Toggle to allow EmpowerID to create users in the system that were created in EmpowerID. |
Allow Deprovisioning (By RET) | Toggle to allow EmpowerID to delete users in the system that were deleted in EmpowerID. |
Max Accounts per Person | Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommended setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person. |
Allow Business Role and Location Re-Evaluation | Toggle if you have multiple account stores to manage and want to specify a priority for each. |
Business Role and Location Evaluation Order | Enter a number to specify the priority of the account store for determining the Business Roles and Locations to assign to a Person. Account Stores with a higher value take precedence. |
Default Person Business Role | Select a default Business Role to assign provisioned people if none is specified. |
Default Person Location | Select a default Location to assign provisioned people if none is specified. |
Special Use Settings section
Setting | Description |
---|---|
RBAC Assign Group Members On First Inventory | This setting only pertains to Active Directory account stores. |
Automatically Join Account to a Person On Inventory (Skip Account Inbox) | Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure. |
Automatically Create a Person On Inventory (Skip Account Inbox) | Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure. |
Show in Tree | Toggle to show the account store in the Locations tree. |
Queue Password Changes on Failure | Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails. |
Use Secure LDAPS Binding | Toggle to bind accounts with encryption. |
Naming Fields section
Setting | Description |
---|---|
Application ID | If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.) |
Tenant ID | Enter the Tenant ID, if supplied by the connection account. (AWS uses this.) |
Inventory Tab
The Inventory tab is where you set scheduling and enable EmpowerID to take inventory of the external system. If you do not want all of the users and groups found during inventory to go in the same location in EmpowerID, we recommend Mapping EmpowerID Locations to External Locations before enabling inventory.
Setting | Description |
---|---|
Inventory Enabled | Select this after everything is set up to your liking to allow EmpowerID to inventory the system. The Inventory Job must be enabled for inventory to occur. |
Inventory Schedule Interval: Start | Set the date on which to begin inventorying the system. By default, this is set to the creation date of the account store. |
Inventory Schedule Interval: End | Set the date on which to stop inventorying the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox. |
Inventory Schedule Interval: (units) | Select the units for the interval at which to run inventory. By default, this is set to 10 minutes.
|
Run Indefinitely | Select to allow inventory to run indefinitely, ignoring the End date. |
Interval: (number) | Set the number of units for the interval at which to run inventory. By default, this is set to 10 minutes. |
Inventory Next Compilation Time | If you do not want to wait for the next regularly scheduled inventory run, specify the time and date to run it next. |
Inventory Batch Size | Specify the number of records to process in each batch, to avoid hanging up your system when large numbers of records are processed. By default, this is set to 1,000 records. |
Membership Tab
Group membership reconciliation is enabled by default to run every ten minutes, indefinitely.
Setting | Description |
---|---|
Enable Group Membership Reconciliation | Select to allow EmpowerID to reconcile group membership with the system. This is enabled by default. |
Membership Schedule Interval: Start | Set the date on which to begin reconciling group membership with the system. By default, this is set to the creation date of the account store. |
Membership Schedule Interval: End | Set the date on which to stop reconciling group membership with the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox. |
Membership Schedule Interval: (units) | Select the units for the interval at which to run inventory. By default, this is set to 10 minutes.
|
Run Indefinitely | Select to allow group membership reconciliation to run indefinitely, ignoring the End date. |
Interval: (number) | Set the number of units for the interval at which to run rights inventory. By default, this is set to 10 minutes. |
Rights Inventory Tab
The Rights Inventory tab is where you set scheduling and enable EmpowerID to take inventory of rights in the native system.
Setting | Description |
---|---|
Rights Inventory Is Enabled | Select to allow EmpowerID to inventory native rights in the system. This is disabled by default. |
Rights Inventory Schedule Interval: Start | Set the date on which to begin inventorying rights in the system. By default, this is set to the creation date of the account store. |
Rights Inventory Schedule Interval: End | Set the date on which to stop inventorying rights in the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox. |
Rights Inventory Schedule Interval: (units) | Select the units for the interval at which to run rights inventory. By default, this is set to 10 minutes.
|
Run Indefinitely | Select to allow rights inventory to run indefinitely, ignoring the End date. |
Interval: (number) | Set the number of units for the interval at which to run rights inventory. By default, this is set to 10 minutes. |
Inventory Next Compilation Time | If you do not want to wait for the next regularly scheduled rights inventory run, specify the time and date to run it next. |
Deleted Object Detection Tab
You can enable EmpowerID to detect deleted objects in the system. This tab applies only to Active Directory. Your Attribute Flow settings dictate which system takes precedence.
Setting | Description |
---|---|
Enabled | Select to enable deleted object detection. This is disabled by default. |
Interval Minutes | Set the number of minutes for the interval at which to run rights inventory. |
Threshold Max # of Deleted Objects | Specify the maximum number of deleted objects. |
To connect to SAP in the Management Console
There are two types of SAP connectors in EmpowerID.
- The SAP ABAP connector connects to SAP ECC.
- The SAP HCM connector connects to SAP HR.
You can set up either or both. This example shows how to connect to SAP ABAP, but it uses the same settings for SAP HR.
- Log in to the EmpowerID Management Console as an administrator.
- Click the EmpowerID icon, and select Configuration Manager from the menu.
- Click Account Stores, and then click the Add New button above the grid.
- In the Add New Security Boundary window that opens, select the SAP ABAP Security Boundary type and click OK.
- In the Add SAP ECC Connection window that appears, enter these settings.
- Host – FQDN of your SAP Server e.g. sap.mySAPserver.com
- Username – Your SAP ECC System Administrator's user name
- Password – Your SAP ECC System Administrator's password
- Confirm Password – Re-enter your password
- System Number – The instance number from your SAP ECC account, e.g. 77.
- Default Language – The two-letter language code to use, e.g. en.
- Client – The client ID from your SAP ECC account, e.g. 500.
Click Ok. EmpowerID creates the SAP ECC account store and adds a record for it in the Account Stores and Resource Systems grids.
EmpowerID uses these credentials to connect to your SAP account. If they are incorrect, the connection fails and the account store is not created.
- The Account Store Details for the SAP ECC system opens so that you can configure it.
Configuring the account store
The Account Store Details screen contains three panes that are relevant to the SAP connector—the General pane, the Inventory pane, and the Group Membership Reconciliation pane. Expand each pane below to view reference information about it.
SAP Account Store Configuration
Before configuring EmpowerID to manage the account store, determine whether you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, answer the following questions before turning on inventory.
- When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
- If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
- How many user accounts can one Person have in the account store?
- If people can have more that one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Connecting EmpowerID to Active Directory.
- On the Inventory pane of the Account Store Details screen, toggle the Enable inventory button from a red sphere to a green check.
- Click Run Now for the Inventory and Group Membership Reconciliation, and after a pause, click Refresh Data to see the Total Accounts, People, Groups, and Computers fields populate in the Inventory pane.
Check the Last Success, Total Accounts, Total People, and Total Groups fields in the Inventory pane to ensure that EmpowerID inventoried the user accounts and provisioned the requisite number of EmpowerID Persons for those accounts (if you selected the provisioning options discussed above).