SAP

EmpowerID includes an SAP connector capable of connecting with the two main SAP modules used for managing identity information:

  • the ECC module and
  • the HCM module.

The ECC module stores the information used for accessing SAP and the means of authorizing access to SAP, which include

  • action groups,
  • profiles, and
  • individual authorization objects.

The HCM module manages employees and often serves as the authoritative source for employee information, including employment status, location, roles and responsibilities. When EmpowerID connects to either of these SAP modules, it creates a single account store object for that module, with configurable settings that specify how EmpowerID is to manage the identity information.

SAP ECC Connector

The ECC connector is bi-directional, meaning that EmpowerID can both read from and write to the module. This allows you to manage ECC users and their access to SAP from EmpowerID. When you connect EmpowerID to the ECC module, EmpowerID reads the list of users, their status (active/disabled) and the action groups and profiles assigned to each. EmpowerID can create new ECC users, enable and disable ECC users, reset passwords and assign action groups and profiles.

The ECC connector reads from the SAP tables below:

SAP Tables Read by the ECC Connector
ADCP, ADR2, ADR3, ADR6, ADRP, AGR_1016, AGR_1251, AGR_AGRS, AGR_DEFINE, AGR_TEXTS, AGR_USERS
TSTC, TSTCT, USR02, USR10, USR11, USR21, USREFUS, UST04, UST10C, UST10S, UST12


EmpowerID uses the following stock BAPIs:

  • BAPI_USER_ACTGROUPS_ASSIGN
  • BAPI_USER_CHANGE
  • BAPI_USER_CREATE1
  • BAPI_USER_DELETE
  • BAPI_USER_GET_DETAIL
  • BAPI_USER_PROFILES_ASSIGN
  • BAPI_USER_LOCK
  • BAPI_USER_UNLOCK
  • IDENTITY_MODIFY

SAP HCM Connector

The HCM connector is read-only; EmpowerID pulls identity information from the HCM module, but does not write information back to it. When you connect EmpowerID to the HCM module, it reads a list of people and the demographic information (name, work address, etc.) for each individual user. Additionally, EmpowerID reads the organization structure in order to associate the job functions of each user with the appropriate roles in EmpowerID.

The HCM connector reads information from the SAP tables below:

SAP Tables Read by the HCM Connector
HRP1000, HRP1001, PA0000, PA0001, PA0002, PA0006, PA0032, PA0105, 591S

Additionally, each EmpowerID server used to run workflows or perform inventory functions must have the librfc32.dll assembly copied into the C:\Windows\System32 folder. EmpowerID uses the assembly to perform various SAP processes (inventory, workflows, etc.). You can download the assembly from EmpowerID at the following link: https://dl.empowerid.com/SAP/librfc32_x64.zip


As each organization's implementation, practices, and procedures with SAP differ, EmpowerID uses an SAP Data Analysis Utility to ensure that the necessary tables can be read and the necessary BAPIs can be invoked. The utility reads from all the same tables as the connector and copies data from those tables into the EmpowerID Identity Warehouse. This gives EmpowerID the opportunity to review and analyze the data and adjust connector logic before the connection is set up.

This topic demonstrates how to configure and use the connectors.


Prerequisites

To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.

You also need the following from SAP to create your Account Store.

  • Host Name of the BAPI endpoint
  • Username that is authorized to read from and write to the BAPI
  • Password
  • App server FQDN
  • Instance number
  • System ID

When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.

This topic shows you how to connect SAP to EmpowerID and configure the resulting account store.


Installing the SAP GUI Server

  1. Download and extract the GUI7.3.zip file (or a newer version).
  2. Navigate to the following folder and run SetupAll.exe:
    GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\
  3. In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.
  4. Select the target directory where you want to install it and click Next.
  5. When it finishes installing, open SAP Logon from the desktop icon.
  6. In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.



  7. In the Create New System Entry wizard that appears, click Next on the first page, then on the second page fill in the System Connection Parameters with values like the following:
    • Description: ECC
    • Application Server: FQDN of your SAP Server, e.g. sap.mySAPserver.com
    • Instance Number: e.g. 77
    • System ID: e.g. EH9
    • SAProuter String: Leave this field empty.



  8. Click Finish. The new connection appears in the grid.



  9. Open File Explorer as Administrator and in the extracted GUI7.3.zip file, navigate to:

    GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\

  10. From that folder, copy the SAP .NET connector file, librfc32.dll, and paste it into your C:\Windows\System32 folder.

To create an account store for SAP ABAP or HCM on the web

  1. From the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. Click the Actions tab, and then click the Create Account Store action.



  3. Select SAP-ECC or SAP-HR from the list of Security Boundary types.



  4. On the SAP ABAP (or HCM) Settings page, provide the following values:

    1. Host – Enter the FQDN of your SAP Server, e.g. sap.mySAPserver.com
    2. User Name – Your SAP System Administrator's user name
    3. Password – Your SAP System Administrator's password
    4. Instance Number – The instance number from your SAP account, e.g. 77.
    5. Default Language Code – The two-letter language code to use, e.g. en.
    6. Client – The client ID from your SAP account, e.g. 500.
    7. Click Submit.



  5. The Account Store is created and appears in the Account Stores grid and an associated Resource System appears on the Resource Systems tab.

To edit account store settings on the web

  1. In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. On the Account Stores tab, search for the account store you just created and click the link to go to its details page.



  3. On the Account Store Details page, click the Edit button or the name of the account store.



  4. In the edit view of the page, you can edit values in any of the enabled fields on several tabs as detailed in the tables below. Do not enable inventory until the end.

    If you do not want all of the users and groups found during inventory to go in the same location in EmpowerID, we recommend Mapping EmpowerID Locations to External Locations before enabling inventory.

  5. When you have finished editing, click Save.

    Clicking the Save button on any of the tabs saves any changed settings on all of the tabs, so there is no need to save it after each tab.

Settings Tab

General section

Setting | Description
Option 1: Specify an Account Proxy | Click Edit to change the Domain (Server), User Name, and Password that were entered when the account store was created.
Option 2: Select a Vaulted Credential as Account Proxy | Click the drop-down arrow to select a vaulted credential to use as the account proxy.
Inventoried Directory Server | Click the drop-down arrow to select from any connected SAP servers.
Is Remote (Cloud Gateway Connection Required) | Select to indicate that the server is a cloud gateway.

Authentication and Password Settings section

Setting | Description
Allow Password Sync | Toggle to allow EmpowerID to sync password changes discovered during inventory.
Queue Password Changes | Toggle to have EmpowerID send password changes to the Account Password Reset Inbox for batch processing.
Password Manager Policy for Accounts without Person | Select a password manager policy to use for the account. If none is selected, the Default Password Manager Policy is used.

Provisioning Settings section

Setting | Description
Allow Attribute Flow | Toggle to allow attribute changes to flow between EmpowerID and the account store.
Allow Provisioning (By RET) | Toggle to allow EmpowerID to create users in the system that were created in EmpowerID.
Allow Deprovisioning (By RET) | Toggle to allow EmpowerID to delete users in the system that were deleted in EmpowerID.
Max Accounts per Person | Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommend setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person.
Allow Business Role and Location Re-Evaluation | Toggle if you have multiple account stores to manage and want to specify a priority for each.
Business Role and Location Evaluation Order | Enter a number to specify the priority of the account store for determining the Business Roles and Locations to assign to a Person. Account Stores with a higher value take precedence.
Default Person Business Role | Select a default Business Role to assign provisioned people if none is specified.
Default Person Location | Select a default Location to assign provisioned people if none is specified.

Special Use Settings section

Setting | Description
RBAC Assign Group Members On First Inventory | This setting only pertains to Active Directory account stores.
Automatically Join Account to a Person On Inventory (Skip Account Inbox) | Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
Automatically Create a Person On Inventory (Skip Account Inbox) | Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
Show in Tree | Toggle to show the account store in the Locations tree.
Queue Password Changes on Failure | Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails.
Use Secure LDAPS Binding | Toggle to bind accounts with encryption.
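How the Max Accounts per Person cap (Provisioning Settings) and the Automatically Join Account to a Person toggle (Special Use Settings) act together during inventory, as an added Python illustration rather than EmpowerID code: the record shapes and the two join rules (a strict match on employee number and a deliberately loose match on last name) are assumptions standing in for the Custom_Account_InventoryInboxJoinBulk stored procedure, where the real Join rule lives.

```python
# Added illustration (not EmpowerID code): how a Join rule, the Max Accounts per Person
# cap and the Account Inbox interact during inventory. Record shapes and both join rules
# are assumptions standing in for the Custom_Account_InventoryInboxJoinBulk procedure.
from dataclasses import dataclass, field


@dataclass
class Person:
    person_id: str
    employee_number: str
    last_name: str
    accounts: list = field(default_factory=list)  # logins already linked to this Person


@dataclass(frozen=True)
class Account:
    login: str            # SAP user name (USR02 BNAME)
    employee_number: str  # assumed to be carried on the inventoried SAP user
    last_name: str


def strict_rule(acct: Account, p: Person) -> bool:  # sound rule: a unique identifier
    return acct.employee_number == p.employee_number


def loose_rule(acct: Account, p: Person) -> bool:  # the "wrongly configured" rule
    return acct.last_name.lower() == p.last_name.lower()


def inventory_join(accounts, people, rule, max_accounts_per_person, auto_join=True):
    """Return (joined, inbox): joined maps login -> person_id; inbox holds
    (login, reason) pairs left in the Account Inbox for manual review."""
    joined, inbox = {}, []
    for acct in accounts:
        if not auto_join:  # "Automatically Join Account to a Person" toggled off
            inbox.append((acct.login, "auto-join disabled"))
            continue
        matches = [p for p in people if rule(acct, p)]
        if len(matches) != 1:  # no match or ambiguous match: never guess
            inbox.append((acct.login, f"{len(matches)} candidate persons"))
            continue
        person = matches[0]
        if len(person.accounts) >= max_accounts_per_person:  # the runaway guard
            inbox.append((acct.login, f"{person.person_id} already at max accounts"))
            continue
        person.accounts.append(acct.login)
        joined[acct.login] = person.person_id
    return joined, inbox


def sample_people():  # fresh copies so each run starts with no linked accounts
    return [Person("P1", "1001", "Smith"), Person("P2", "1002", "Jones")]


# Constructed SAP user records: two employees and two contractors with no Person yet.
SAMPLE_ACCOUNTS = [Account("JSMITH", "1001", "Smith"), Account("AJONES", "1002", "Jones"),
                   Account("BJONES", "2002", "Jones"), Account("CJONES", "2003", "Jones")]


def run(rule, max_accounts_per_person=1, auto_join=True):
    return inventory_join(SAMPLE_ACCOUNTS, sample_people(), rule, max_accounts_per_person, auto_join)


if __name__ == "__main__":
    for name, rule, cap in [("strict", strict_rule, 1), ("loose", loose_rule, 1), ("loose, no cap", loose_rule, 10)]:
        print(name, run(rule, cap))
```

With the loose rule and no cap, every Jones account is attached to P2, which is the runaway join the cap is meant to stop; with the cap at 1 the extra accounts land in the Account Inbox for review instead.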

Naming Fields section

Setting | Description
Application ID | If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.)
Tenant ID | Enter the Tenant ID, if supplied by the connection account. (AWS uses this.)

Inventory Tab

The Inventory tab is where you set scheduling and enable EmpowerID to take inventory of the external system. If you do not want all of the users and groups found during inventory to go in the same location in EmpowerID, we recommend Mapping EmpowerID Locations to External Locations before enabling inventory.

Setting | Description
Inventory Enabled | Select this after everything is set up to your liking to allow EmpowerID to inventory the system. The Inventory Job must be enabled for inventory to occur.
Inventory Schedule Interval: Start | Set the date on which to begin inventorying the system. By default, this is set to the creation date of the account store.
Inventory Schedule Interval: End | Set the date on which to stop inventorying the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
Inventory Schedule Interval: (units) | Select the units for the interval at which to run inventory. By default, this is set to 10 minutes. The options are:
  • Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run inventory.
  • Hour Interval — If you select this value, enter the number of hours between inventory runs in the Interval box below.
  • Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run inventory.
  • Minute Interval — If you select this value, enter the number of minutes between inventory runs in the Interval box below.
  • Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run inventory each day.
  • Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run inventory.
Run Indefinitely | Select to allow inventory to run indefinitely, ignoring the End date.
Interval: (number) | Set the number of units for the interval at which to run inventory. By default, this is set to 10 minutes.
Inventory Next Compilation Time | If you do not want to wait for the next regularly scheduled inventory run, specify the time and date to run it next.
Inventory Batch Size | Specify the number of records to process in each batch, to avoid hanging up your system when large numbers of records are processed. By default, this is set to 1,000 records.

Membership Tab

Group membership reconciliation is enabled by default to run every ten minutes, indefinitely. 

Setting | Description
Enable Group Membership Reconciliation | Select to allow EmpowerID to reconcile group membership with the system. This is enabled by default.
Membership Schedule Interval: Start | Set the date on which to begin reconciling group membership with the system. By default, this is set to the creation date of the account store.
Membership Schedule Interval: End | Set the date on which to stop reconciling group membership with the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
Membership Schedule Interval: (units) | Select the units for the interval at which to run group membership reconciliation. By default, this is set to 10 minutes. The options are:
  • Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run reconciliation.
  • Hour Interval — If you select this value, enter the number of hours between reconciliation runs in the Interval box below.
  • Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run reconciliation.
  • Minute Interval — If you select this value, enter the number of minutes between reconciliation runs in the Interval box below.
  • Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run reconciliation each day.
  • Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run reconciliation.
Run Indefinitely | Select to allow group membership reconciliation to run indefinitely, ignoring the End date.
Interval: (number) | Set the number of units for the interval at which to run group membership reconciliation. By default, this is set to 10 minutes.

Rights Inventory Tab

The Rights Inventory tab is where you set scheduling and enable EmpowerID to take inventory of rights in the native system. 

Setting | Description
Rights Inventory Is Enabled | Select to allow EmpowerID to inventory native rights in the system. This is disabled by default.
Rights Inventory Schedule Interval: Start | Set the date on which to begin inventorying rights in the system. By default, this is set to the creation date of the account store.
Rights Inventory Schedule Interval: End | Set the date on which to stop inventorying rights in the system. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
Rights Inventory Schedule Interval: (units) | Select the units for the interval at which to run rights inventory. By default, this is set to 10 minutes. The options are:
  • Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run rights inventory.
  • Hour Interval — If you select this value, enter the number of hours between rights inventory runs in the Interval box below.
  • Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run rights inventory.
  • Minute Interval — If you select this value, enter the number of minutes between rights inventory runs in the Interval box below.
  • Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run rights inventory each day.
  • Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run rights inventory.
Run Indefinitely | Select to allow rights inventory to run indefinitely, ignoring the End date.
Interval: (number) | Set the number of units for the interval at which to run rights inventory. By default, this is set to 10 minutes.
Inventory Next Compilation Time | If you do not want to wait for the next regularly scheduled rights inventory run, specify the time and date to run it next.

Deleted Object Detection Tab

You can enable EmpowerID to detect deleted objects in the system. This tab applies only to Active Directory. Your Attribute Flow settings dictate which system takes precedence.

Setting | Description
Enabled | Select to enable deleted object detection. This is disabled by default.
Interval Minutes | Set the number of minutes for the interval at which to run deleted object detection.
Threshold Max # of Deleted Objects | Specify the maximum number of deleted objects.


To connect to SAP in the Management Console

There are two types of SAP connectors in EmpowerID.

  • The SAP ABAP connector connects to SAP ECC.
  • The SAP HCM connector connects to SAP HR.

You can set up either or both. This example shows how to connect to SAP ABAP, but it uses the same settings for SAP HR.

  1. Log in to the EmpowerID Management Console as an administrator.
  2. Click the EmpowerID icon, and select Configuration Manager from the menu.
  3. Click Account Stores, and then click the Add New button above the grid.
  4. In the Add New Security Boundary window that opens, select the SAP ABAP Security Boundary type and click OK.



  5. In the Add SAP ECC Connection window that appears, enter these settings.
    • Host – FQDN of your SAP Server e.g. sap.mySAPserver.com
    • Username – Your SAP ECC System Administrator's user name
    • Password – Your SAP ECC System Administrator's password
    • Confirm Password – Re-enter your password
    • System Number – The instance number from your SAP ECC account, e.g. 77.
    • Default Language – The two-letter language code to use, e.g. en.
    • Client – The client ID from your SAP ECC account, e.g. 500.



  6. Click Ok. EmpowerID creates the SAP ECC account store and adds a record for it in the Account Stores and Resource Systems grids.

    EmpowerID uses these credentials to connect to your SAP account. If they are incorrect, the connection fails and the account store is not created.

  7. The Account Store Details for the SAP ECC system opens so that you can configure it.


Configuring the account store

The Account Store Details screen contains three panes that are relevant to the SAP connector: the General pane, the Inventory pane, and the Group Membership Reconciliation pane. Reference information for each pane follows.


SAP Account Store Configuration


Before configuring EmpowerID to manage the account store, determine whether you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, answer the following questions before turning on inventory.

  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?

For a fuller discussion of these points in the context of connecting EmpowerID to an account store, see Connecting EmpowerID to Active Directory.

  1. On the Inventory pane of the Account Store Details screen, toggle the Enable inventory button from a red sphere to a green check.
  2. Click Run Now for the Inventory and Group Membership Reconciliation, and after a pause, click Refresh Data to see the Total Accounts, People, Groups, and Computers fields populate in the Inventory pane.


  3. Check the Last Success, Total Accounts, Total People, and Total Groups fields in the Inventory pane to ensure that EmpowerID inventoried the user accounts and provisioned the requisite number of EmpowerID Persons for those accounts (if you selected the provisioning options discussed above).

