One Identity Manager 8.0
Administration Guide for Connecting to SAP R/3
Copyright 2017 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity do not make any commitment to update the information contained
in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend
WARNING: A WARNING icon indicates a potential for property damage,
personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss
of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting
information.
One Identity Manager Administration Guide for Connecting to SAP R/3
Updated - November 2017
Version - 8.0
Contents
Managing SAP R/3 Environments ... 8
Architecture Overview ... 8
One Identity Manager Users for Managing an SAP R/3 ... 11
Setting up SAP R/3 Synchronization ... 13
Users and Permissions for Synchronizing with SAP R/3 ... 14
Installing the One Identity Manager Business Application Programming Interface ... 16
Setting Up the Synchronization Server ... 17
Creating a Synchronization Project for initial Synchronization of an SAP Client ... 21
Special Features of Synchronizing with a CUA Central System ... 31
Excluding child Systems from Synchronization ... 32
Show Synchronization Results ... 34
Customizing Synchronization Configuration ... 35
How to Configure SAP R/3 Synchronization ... 36
Configuring Synchronization of Different Clients ... 37
Updating Schemas ... 37
Adding Other Schema Types ... 38
Configuring a Schema Extension File ... 40
Defining Tables ... 41
Defining Functions ... 44
Defining Schema Types ... 45
Speeding Up Synchronization with Revision Filtering ... 49
Synchronizing Collective Roles ... 49
Restricting Synchronization Objects using User Permissions ... 50
Post-Processing Outstanding Objects ... 51
Configuring Memberships Provisioning ... 53
Help for Analyzing Synchronization Issues ... 54
Deactivating Synchronization ... 54
Base Data for Managing SAP R/3 ... 56
Setting Up Account Definitions ... 57
Creating an Account Definition ... 58
Master Data for an Account Definition ... 58
Setting Up Manage Levels ... 61
Master Data for a Manage Level ... 62
Creating a Formatting Rule for IT Operating Data ... 63
Determining IT Operating Data ... 64
Modifying IT Operating Data ... 66
Assigning Account Definitions to Employees ... 67
Assigning Account Definitions to Departments, Cost Centers and Locations ... 68
Assigning Account Definitions to Business Roles ... 68
Assigning Account Definitions to all Employees ... 68
Assigning Account Definitions Directly to Employees ... 69
Assigning Account Definitions to System Roles ... 69
Adding Account Definitions in the IT Shop ... 70
Assigning Account Definitions to a Target System ... 71
Deleting an Account Definition ... 72
Basic Data for User Account Administration ... 74
User Account Types ... 74
External Identifier Types ... 75
Parameter ... 75
Printers ... 76
Cost centers ... 76
Start Menu ... 76
Companies ... 77
Login Languages ... 77
Security Policies ... 77
Communications Types ... 77
Licenses ... 78
Special Versions ... 79
Password Policies ... 79
Predefined Password Policies ... 80
Editing Password Policies ... 81
Custom Scripts for Password Requirements ... 83
Restricted Passwords ... 86
Testing a Password ... 86
Testing Generating a Password ... 86
Assigning a Password Policy ... 87
Initial Password for New SAP User Accounts ... 88
Email Notifications about Login Data ... 90
Editing a Server ... 91
Master Data for a Job Server ... 92
Specifying Server Functions ... 94
Target System Managers ... 96
SAP Systems ... 99
SAP Clients ... 100
General Master Data for an SAP Client ... 100
Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles ... 102
How to Edit a Synchronization Project ... 103
SAP User Accounts ... 104
Linking User Accounts to Employees ... 104
Supported User Account Types ... 105
Central User Administration in One Identity Manager ... 108
Entering Master Data for SAP User Accounts ... 109
General Master Data for an SAP User Account ... 110
SAP User Account Login Data ... 114
Phone numbers ... 115
Fax numbers ... 116
Email addresses ... 117
Fixed Values for an SAP User Account ... 118
Measurement Data ... 119
Assigning Parameters ... 119
SNC Data for an SAP User Account ... 120
Additional Tasks for Managing SAP User Accounts ... 120
Overview of SAP User Accounts ... 120
Changing the Manage Level of an SAP User Account ... 121
Assigning SAP Groups and SAP Profiles Directly to an SAP User Account ... 121
Assigning SAP Roles Directly to an SAP User Account ... 122
Assigning Structural Profiles ... 123
Assigning Child Systems ... 124
Assigning SAP Licenses ... 124
Lock SAP User Account ... 126
Assigning Extended Properties ... 127
Automatic Assignment of Employees to SAP User Accounts ... 127
Editing Search Criteria for Automatic Employee Assignment ... 129
Locking SAP User Accounts ... 132
Deleting and Restoring SAP User Accounts ... 134
Entering External User Identifiers for an SAP User Account ... 134
SAP Groups, SAP Roles and SAP Profiles ... 137
Editing Master Data for SAP Groups, SAP Roles and SAP Profiles ... 137
General Master Data for SAP Groups ... 138
General Master Data for SAP Roles ... 140
General Master Data for SAP Profiles ... 141
Assigning SAP Groups, SAP Roles and SAP Profiles to SAP User Accounts ... 143
Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations ... 143
Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles ... 145
Assigning SAP User Accounts directly to SAP Groups and SAP Profiles ... 147
Assigning SAP User Accounts directly to SAP Roles ... 148
Adding SAP Groups, SAP Roles and SAP Profiles to System Roles ... 149
Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop ... 150
Role Assignment Validity Period ... 152
Assigning and Passing on SAP Profiles and SAP Roles to SAP User Accounts ... 154
Additional Tasks for Managing SAP Groups, SAP Roles and SAP Profiles ... 155
Overview of SAP Groups, SAP Roles and SAP Profiles ... 155
Effectiveness of SAP Groups, SAP Roles and SAP Profiles ... 156
Inheriting SAP Groups, SAP Roles and SAP Profiles based on Categories ... 159
Assigning Extended Properties to SAP Groups, SAP Roles and SAP Profiles ... 161
Showing SAP Authorizations ... 162
Calculating the Validity Date of Inherited Role Assignments ... 162
SAP Products ... 165
General Master Data for SAP Products ... 166
SAP Product Assignments to Employees ... 168
Assigning SAP Products to Organizations ... 168
Assigning SAP Products to Business Roles ... 169
Assigning SAP Products directly to Employees ... 170
Adding SAP Products in System Roles ... 170
Adding SAP Products to the IT Shop ... 171
Additional Tasks for Managing SAP Products ... 172
Overview of SAP Products ... 173
Assigning SAP Groups, SAP Roles and SAP Profiles to a SAP Product ... 173
Assigning Account Definitions to SAP Products ... 174
Assigning Subscribable Reports to SAP Products ... 175
Assigning Extended Properties to SAP Products ... 175
Edit Conflicting System Roles ... 176
Providing System Measurement Data ... 177
Mapping Measurement Data ... 178
Entering licenses for SAP User Accounts ... 180
Finding Licenses using SAP Roles and SAP Profiles ... 181
Determining an SAP User Account Rating ... 182
Transferring Calculated Licenses ... 184
Reports about SAP Systems ... 186
Overview of all Assignments ... 187
Appendix: Configuration Parameters for Managing SAP R/3 ... 189
Appendix: Default Project Templates for Synchronizing an SAP R/3 Environment ... 194
Project Template for Client without CUA ... 194
Project Template for the CUA Central System ... 195
Project Template for CUA Subsystems ... 197
Appendix: Referenced SAP R/3 Tables and BAPI Calls ... 198
Appendix: Example of a Schema Extension File ... 201
About us ... 205
Contacting us ... 205
Technical support resources ... 205
Index ... 206
1 Managing SAP R/3 Environments
One Identity Manager offers simplified user administration for SAP R/3 environments. The
One Identity Manager concentrates on setting up and processing user accounts as well as
group, role and profile assignments. External identifiers and parameters can also be
assigned to user accounts. The necessary data for system measurement is also mapped.
The system measurement data is available in One Identity Manager, but the measurement
itself takes place in the SAP R/3 environment.
One Identity Manager provides company employees with the necessary user accounts. For
this, you can use different mechanisms to connect employees to their user accounts. You
can also manage user accounts independently of employees and therefore set up
administrator user accounts.
Groups, roles and profiles are mapped in the One Identity Manager, in order to provide the
necessary permissions for user accounts. Groups, roles and profiles can be grouped into
products and assigned to employees. One Identity Manager ensures that the right group
memberships are created for the employee’s user account.
If user accounts are managed through the central user administration (CUA) in SAP R/3,
access to the child client can be guaranteed to or withdrawn from user accounts in One
Identity Manager.
Architecture Overview
The following servers are used for managing an SAP R/3 system in One Identity Manager:
- SAP R/3 application server
  Application server for synchronization. The synchronization server connects to this
  server in order to access SAP R/3 objects.
- SAP R/3 database
  Server installed with the SAP R/3 application database.
- Synchronization server
  The synchronization server for synchronizing the One Identity Manager database with
  the SAP R/3 system. The One Identity Manager Service is installed on this server
  with the SAP R/3 connector. The synchronization server connects to the SAP R/3
  server.
- SAP R/3 router
  Router, which provides a network port for the SAP connector for communicating with
  the SAP R/3 application server.
- SAP R/3 message server
  Server with which the SAP R/3 connector communicates if a direct connection to
  application servers is not permitted.
The One Identity Manager SAP R/3 connector executes synchronization and provision of
data between SAP R/3 and the One Identity Manager database. The SAP R/3 connector uses
the SAP connector for Microsoft .NET (NCo 3.0) for 64-bit systems for communicating with
the target system.
One Identity Manager is responsible for synchronizing data between the SAP R/3 database
and the One Identity Manager Service. The ABAP application server must be installed as a
prerequisite for synchronization. An SAP system that is based only on a Java application
server cannot be accessed with the SAP R/3 connector.
Figure 1: Architecture for Synchronization - Direct Communication
Figure 2: Architecture for Synchronization - Communication through Message Server
Figure 3: Architecture for Synchronization - Communication through router
One Identity Manager Users for Managing an SAP R/3
The following users are used for setting up and administration of an SAP R/3 system.
Table 1: User
Target system administrators
Target system administrators must be assigned to the application role Target system | Administrators.
Users with this application role:
- Administrate application roles for individual target system types.
- Specify the target system manager.
- Set up other application roles for target system managers if required.
- Specify which application roles are conflicting for target system managers.
- Authorize other employees to be target system administrators.
- Do not assume any administrative tasks within the target system.
Target system managers
Target system managers must be assigned to the application role Target systems | SAP R/3 or a sub application role.
Users with this application role:
- Assume administrative tasks for the target system.
- Create, change or delete target system objects, like user accounts or groups.
- Edit password policies for the target system.
- Prepare system entitlements for adding to the IT Shop.
- Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
- Edit the synchronization's target system types and outstanding objects.
- Authorize other employees within their area of responsibility as target system managers and create child application roles if required.
One Identity Manager administrators
Users with this application role:
- Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
- Create system users and permissions groups for non-role based login to administration tools, as required.
- Enable or disable additional configuration parameters in the Designer, as required.
- Create custom processes in the Designer, as required.
- Create and configure schedules, as required.
- Create and configure password policies, as required.
Administrators for the IT Shop
Administrators must be assigned to the application role Request & Fulfillment | IT Shop | Administrators.
Users with this application role:
- Assign system authorizations to IT Shop structures.
Administrators for organizations
Administrators must be assigned to the application role Identity Management | Organizations | Administrators.
Users with this application role:
- Assign system entitlements to departments, cost centers and locations.
Business roles administrators
Administrators must be assigned to the application role Identity Management | Business roles | Administrators.
Users with this application role:
- Assign system authorizations to business roles.
2 Setting up SAP R/3 Synchronization
One Identity Manager supports synchronization with SAP systems in versions SAP Web
Application Server 6.40 and SAP NetWeaver Application Server 7.00, 7.01, 7.02, 7.10,
7.11, 7.20, 7.31, 7.40 SR2, 7.41 and 7.50 as well as SAP S/4HANA on-premise edition. This
ensures that all variations of the installation based on SAP ECC 5.0 and 6.0 are fully
supported. Central User Administration is supported for all versions named here.
To load SAP R/3 objects into the One Identity Manager database for the first time
1. Prepare a user account with sufficient permissions for synchronizing in SAP R/3.
2. Install the One Identity Manager Business Application Programming Interface in the
   SAP R/3 system.
3. The One Identity Manager parts for managing SAP R/3 systems are available if the
   configuration parameter "TargetSystem\SAPR3" is set.
   - Check whether the configuration parameter is set in the Designer. Otherwise,
     set the configuration parameter and compile the database.
   - Other configuration parameters are installed when the module is installed.
     Check the configuration parameters and modify them as necessary to suit your
     requirements.
4. Download the installation source for the SAP .Net Connector for .NET 4.0 on x64, with
   at least version 3.0.15.0.
5. Install and configure a synchronization server and declare the server as Job server in
   One Identity Manager.
6. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic
- Users and Permissions for Synchronizing with SAP R/3 on page 14
- Installing the One Identity Manager Business Application Programming Interface on page 16
- Setting Up the Synchronization Server on page 17
- Creating a Synchronization Project for initial Synchronization of an SAP Client on page 21
Users and Permissions for Synchronizing with SAP R/3
The following users are involved in synchronizing One Identity Manager with SAP R/3.
Table 2: Users for Synchronization
User: One Identity Manager Service user account
Authorizations:
The user account for the One Identity Manager Service requires access rights to carry out
operations at file level (issuing user rights, adding directories and files to be edited).
The user account must belong to the group "Domain Users".
The user account must have the extended access right "Log on as a service".
The user account requires access rights to the internal web service.
NOTE: If the One Identity Manager Service runs under the network service
(NT Authority\NetworkService), you can issue access rights for the internal web service
with the following command line call:
netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"
The user account needs full access to the One Identity Manager Service installation
directory in order to automatically update One Identity Manager.
In the default installation, One Identity Manager is installed under:
- %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
- %ProgramFiles%\One Identity (on 64-bit operating systems)
User: User for accessing the target system
Authorizations:
You must provide a user account with the following authorizations for full synchronization
of SAP R/3 objects with the supplied One Identity Manager default configuration.
Required authorization objects and their meanings:
- S_TCODE with a minimum of transaction codes SU01, SU53, PFCG
- S_ADDRESS1 with activities 01, 02, 03, 06 and valid address groups (min. "BC01")
- S_USER_AGR (role maintenance) with activities 02, 03, 22, 78, possibly with
  restrictions in name ranges (for example "Z*")
- S_USER_GRP (group maintenance) with activities 02, 03, 22
- S_USER_AUT (authorizations) with activities 03, 08
- S_USER_PRO (profile) with activities 01, 02, 03, 22
- S_USER_SAS (system specific assignments) with activities 01, 06, 22
- S_RFC (authorization check by RFC access) with activity 16 at least for function
  groups ZVI, /VIAENET/ZVI0, /VIAENET/ZVI_L, /VIAENET/Z_HR, SU_USER, SYST, SDTX, RFC1,
  RFC_METADATA, SDIFRUNTIME, SYSU
- S_TABU_DIS (use of standard tools like SM30 for maintaining tables) with activity 03
Apart from the permissions listed, the user account has to get all objects from the
authorization classes "ZVIH_AUT", "ZVIA_AUT", and "ZVIL_AUT" which are installed by the
transport package for synchronization.
The following authorization objects are required in addition for the child system in
order to synchronize central user administration:
- S_RFC with the function group SUU6
- S_TCODE with the transaction code SU56
User: User for accessing the One Identity Manager database
Authorizations:
The default system user "Synchronization" is available to run synchronization over an
application server.
TIP: The transport file provided by default, "SAPRole.zip", includes a transport
package with a role that already possesses the base authorization objects. This role
can be assigned to the user account. You will find the transport files on the One
Identity Manager installation medium in the directory ..\Modules\SAP\dvd\AddOn\Bapi.
The named authorizations are required so that the SAP R/3 connector has read and write
access to the SAP R/3 system. If only read access should be permitted, it is recommended
to set up a profile which has executable permission for transactions SU01 and PFCG but
prevents writing at activity or field level.
The user account requires the user type "dialog", "communication" or "system" to load
more information.
NOTE: In SAP R/3 versions up to and including SAP Web Application Server 6.40, the
password and user input are not case sensitive. This no longer applies to the
password for SAP NetWeaver Application Server 7.0 and later: the password is case
sensitive.
All SAP's own tools that are supplied up to SAP Web Application Server 6.40, apart
from the SAP GUI (RFC-SDK, SAP .Net Connector), therefore convert the password to
capital letters before passing it to SAP R/3. You must set the password in capital
letters for the user account used by the SAP .Net Connector to authenticate itself on
the SAP R/3 system. If this is done, all the usual tools can be accessed on SAP
NetWeaver Application Server 7.0 by RFC.
Related Topics
- Appendix: Referenced SAP R/3 Tables and BAPI Calls on page 198
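The requirements listed for the One Identity Manager Service user account in Table 2 can be verified on the synchronization server before the service is installed. The following PowerShell script is an added example and is not part of this guide or of the product; it checks the four requirements (the "Log on as a service" right, the URL reservation for the internal web service, full access to the installation directory, and "Domain Users" membership). It assumes the service runs as NETWORK SERVICE, that the URL is replaced with the real internal web service URL (the default value is only a placeholder in the same form as the netsh call above), and that the default 64-bit installation path is used; all three can be overridden with parameters. Run it in an elevated session.

```powershell
# Added example (not from the One Identity Manager guide): pre-flight check of the
# One Identity Manager Service account requirements from Table 2. Run elevated.
# Assumptions (adjust via parameters): service account NETWORK SERVICE, placeholder URL,
# default 64-bit installation directory.
param(
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$Url        = 'http://<IP address>:<port number>/',   # placeholder, replace it
    [string]$InstallDir = "$env:ProgramFiles\One Identity"
)
$results = [ordered]@{}

# 1. "Log on as a service" (SeServiceLogonRight). secedit exports the holders of a right as
#    account names or *SID entries, so the check accepts either form.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sid   = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$right = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' } | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$results['LogOnAsService'] = [bool]($right -and (
    $right -match [regex]::Escape("*$sid") -or $right -match [regex]::Escape($Account)))

# 2. URL reservation for the internal web service (what "netsh http add urlacl" grants).
#    "netsh http show urlacl" prints "Reserved URL : <url>" followed by a "User:" line.
$acl     = (netsh http show urlacl) -join "`n"
$pattern = 'Reserved URL\s*:\s*' + [regex]::Escape($Url) + '\s*\n\s*User:\s*(?<user>[^\r\n]+)'
$results['UrlAclUser'] = if ($acl -match $pattern) { $Matches['user'].Trim() } else { 'not reserved' }

# 3. Full control on the installation directory (needed for automatic updates).
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$results['InstallDirFullControl'] = if (Test-Path $InstallDir) {
    [bool]((Get-Acl -Path $InstallDir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        ($_.FileSystemRights -band $fullControl) -eq $fullControl })
} else { "directory $InstallDir not found" }

# 4. "Domain Users" membership only applies to domain accounts; built-in accounts are skipped.
$results['DomainUsers'] = if ($Account -like 'NT AUTHORITY\*') {
    'n/a (built-in account)'
} else {
    $user = $Account.Split('\')[-1]
    [bool]((net user $user /domain 2>$null) -match 'Domain Users')
}

[pscustomobject]$results | Format-List
```

A `False` for `LogOnAsService` or `InstallDirFullControl`, or `not reserved` for `UrlAclUser`, points at the requirement in Table 2 that still has to be granted; the script only reads the configuration and changes nothing.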
Installing the One Identity Manager Business Application Programming Interface
In order to access SAP R/3 data and business processes with One Identity Manager, you
must load the Business Application Programming Interface (BAPI) into the SAP R/3 system.
You will find the required transport files on the One Identity Manager installation medium in
the directory ..\Modules\SAP\dvd\AddOn\Bapi.
Install the BAPI transport in the following order:
Table 3: BAPI transport
1. SAPRepository.zip: Creates the /VIAENET/ namespace in the SAP system repository.
2. SAPTable.zip: Defines the table structure for /VIAENET/USERS in the SAP system dictionary.
3. SAPTRANSPORT_70.ZIP: Contains the functions defined in the /VIAENET/ environment.
   Archive directory UNICODE: Transports for systems supporting Unicode.
   Archive directory NON_UNICODE: Transports for systems not supporting Unicode.
NOTE: If your SAP system supports Unicode, select the Unicode transport file from
the archive file. The archive files contain transport packages for systems not
supporting Unicode in the respective directories.
Set the following import options for the transport:
- Overwrite Originals
- Overwrite Objects in Unconfirmed Repairs
- Ignore Non-Matching Component Versions
The SAP R/3 connector uses other SAP R/3 BAPIs in parallel. For more information, see
Appendix: Referenced SAP R/3 Tables and BAPI Calls on page 198.
Setting Up the Synchronization Server
To set up synchronization with an SAP R/3 environment, a server has to be available that
has the following software installed on it:
- Windows operating system
  The following versions are supported:
  - Windows Server 2008 (non-Itanium based 64-bit) Service Pack 2 or later
  - Windows Server 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
  - Windows Server 2012
  - Windows Server 2012 R2
  - Windows Server 2016
- Microsoft .NET Framework Version 4.5.2 or later
  NOTE: Microsoft .NET Framework version 4.6 is not supported.
  NOTE: Take the target system manufacturer's recommendations into account.
- Windows Installer
- SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0
- One Identity Manager Service, Synchronization Editor, SAP R/3 connector
  Install One Identity Manager components with the installation wizard.
  1. Select the option Select installation modules with existing database.
  2. Select the machine role Server | Job server | SAP R/3.
Further requirements
- The following files must either be in the Global Assembly Cache (GAC) or in the One
  Identity Manager installation directory:
  - libicudecnumber.dll
  - rscp4n.dll
  - sapnco.dll
  - sapnco_utils.dll
- The following files must either be in the Global Assembly Cache (GAC), in
  C:\Windows\System32 or in the One Identity Manager installation directory:
  - msvcp100.dll
  - msvcr100.dll
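The software and file requirements above can be checked on the intended synchronization server in one pass. The following PowerShell script is an added example, not code from this guide or from the product: it reports the installed .NET Framework level (flagging a version below 4.5.2 and the unsupported 4.6 itself), locates each required DLL in the places the guide allows (GAC, System32 where permitted, the installation directory), and confirms that the NCo assembly found is the x64 build with at least version 3.0.15.0. It assumes the default 64-bit installation path (overridable by parameter) and uses the .NET 4.x "Release" registry values published by Microsoft (379893 for 4.5.2, 393295 and 393297 for 4.6).

```powershell
# Added example (not from the One Identity Manager guide): prerequisite check for the
# synchronization server. Assumptions: default 64-bit install path; Microsoft's published
# .NET "Release" values 379893 (= 4.5.2) and 393295/393297 (= 4.6).
param([string]$InstallDir = "$env:ProgramFiles\One Identity")

$gacRoots = @("$env:windir\Microsoft.NET\assembly", "$env:windir\assembly")  # .NET 4 GAC, legacy GAC
$system32 = "$env:windir\System32"

# Returns the first path at which a DLL is found under any of the given roots, else 'missing'.
function Find-Dll {
    param([string]$Name, [string[]]$SearchRoots)
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        $hit = Get-ChildItem -Path $root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }
    return 'missing'
}

# .NET Framework: 4.5.2 or later is required, but 4.6 itself is listed as unsupported.
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
$dotnet  = if (-not $release)                  { 'not installed' }
           elseif ($release -lt 379893)        { "too old (Release $release)" }
           elseif ($release -in 393295,393297) { "4.6 (Release $release): unsupported" }
           else                                { "ok (Release $release)" }

$report = [ordered]@{ '.NET Framework' = $dotnet }

# NCo assemblies: GAC or the One Identity Manager installation directory
foreach ($dll in 'libicudecnumber.dll', 'rscp4n.dll', 'sapnco.dll', 'sapnco_utils.dll') {
    $report[$dll] = Find-Dll -Name $dll -SearchRoots ($gacRoots + $InstallDir)
}
# Visual C++ 2010 runtime: GAC, System32 or the installation directory
foreach ($dll in 'msvcp100.dll', 'msvcr100.dll') {
    $report[$dll] = Find-Dll -Name $dll -SearchRoots ($gacRoots + $system32 + $InstallDir)
}

# The NCo build must be x64 and at least 3.0.15.0; read both from the assembly metadata.
if ($report['sapnco.dll'] -ne 'missing') {
    $asm = [System.Reflection.AssemblyName]::GetAssemblyName($report['sapnco.dll'])
    $report['sapnco version'] = "$($asm.Version) ($($asm.ProcessorArchitecture))"
    $report['sapnco ok']      = ($asm.Version -ge [version]'3.0.15.0') -and
                                ($asm.ProcessorArchitecture -eq 'Amd64')
}

[pscustomobject]$report | Format-List
```

Any entry reported as `missing`, a `.NET Framework` line other than `ok`, or `sapnco ok` being `False` identifies the requirement from the list above that is still unmet on that server.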
All One Identity Manager Service actions are executed against the target system
environment on the synchronization server. Entries which are necessary for
synchronization and administration with the One Identity Manager database are processed
by the synchronization server. The synchronization server must be declared as a Job
server in One Identity Manager.
NOTE: If several target system environments of the same type are synchronized
under the same synchronization server, it is useful to set up a job server for each
target system on performance grounds. This avoids unnecessary swapping of connections
to target systems because a job server only has to process tasks of the same type
(re-use of existing connections).
Use the Server Installer to install the One Identity Manager Service. This program
executes the following steps:
- Setting up a Job server.
- Specifying machine roles and server functions for the Job server.
- Remote installation of One Identity Manager Service components corresponding to
  the machine roles.
- Configuring the One Identity Manager Service.
- Starting the One Identity Manager Service.
NOTE: The program executes remote installation of the One Identity Manager
Service. Local installation of the service is not possible with this program. Remote
installation is only supported within a domain or a trusted domain.
To install and configure the One Identity Manager Service remotely on a server
1. Start the program Server Installer on your administrative workstation.
2. Enter valid data for connecting to One Identity Manager on the Database
   connection page and click Next.
3. Specify on which server you want to install the One Identity Manager Service on the
   Server properties page.
   a. Select a job server in the Server menu.
      - OR -
      Click Add to add a new job server.
   b. Enter the following data for the Job server.
      Table 4: Job Server Properties
      Server: Name of the Job server.
      Queue: Name of the queue that handles the process steps. Each One Identity
      Manager Service within the network must have a unique queue identifier. The
      process steps are requested by the job queue using exactly this queue name. The
      queue identifier is entered in the One Identity Manager Service configuration file.
      Full server name: Full name of the server in DNS syntax.
      Example: <name of server>.<fully qualified domain name>
      NOTE: Use the Advanced option to edit other Job server properties. You
      can use the Designer to change properties at a later date.
4. Specify which job server roles to include in One Identity Manager on the Machine
   role page. The installation packages to be installed on the Job server are determined
   by the selected machine role.
   Select at least the following roles:
   - SAP R/3
5. Specify the server's functions in One Identity Manager on the Server functions
   page. One Identity Manager processes are handled depending on the server function.
   The server's functions depend on which machine roles you have selected. You can
   limit the server's functionality further here.
   Select the following server functions:
   - SAP R/3 connector
   - Windows PowerShell
6. Check the One Identity Manager Service configuration on the Service
   settings page.
   NOTE: The initial service configuration is already predefined. If further changes
   need to be made to the configuration, you can do this later with the Designer.
   For more detailed information about configuring the service, see the One Identity
   Manager Configuration Guide.
7. To configure remote installations, click Next.
8. Confirm the security prompt with Yes.
9. Select the directory with the install files on the Select installation source page.
10. Select the file with the private key on the page Select private key file.
    NOTE: This page is only displayed when the database is encrypted.
11. Enter the service's installation data on the Service access page.
    Table 5: Installation Data
    Computer: Server on which to install and start the service.
    To select a server:
    - Enter the server name.
      - OR -
    - Select an entry from the list.
    Service account: One Identity Manager Service user account data.
    To enter a user account for the One Identity Manager Service:
    - Set the option Local system account.
      This starts the One Identity Manager Service under the account "NT AUTHORITY\SYSTEM".
      - OR -
    - Enter user account, password and password confirmation.
    Installation account: Data for the administrative user account to install the service.
    To enter an administrative user account for installation:
    - Enable Advanced.
    - Enable the option Current user.
      This uses the user account of the current user.
      - OR -
    - Enter user account, password and password confirmation.
12. Click Next to start installing the service.
    Installation of the service occurs automatically and may take some time.
13. Click Finish on the last page of the Server Installer.
NOTE: The service is entered with the name "One Identity Manager Service" in the
server's service administration.
Creating a Synchronization Project for
initial Synchronization of an SAP Client
Use Synchronization Editor to configure synchronization between the One Identity Manager
database and SAP R/3. The following describes the steps for initial configuration of a
synchronization project.
After the initial configuration, you can customize and configure workflows within the
synchronization project. Use the workflow wizard in the Synchronization Editor for this.
The Synchronization Editor also provides different configuration options for a
synchronization project.
Have the following information available for setting up a synchronization project.
Table 6: Information Required for Setting up a Synchronization Project
SAP R/3 application server: Name of the application server used for RFC communication.
System number: Number of the SAP R/3 system to which the SAP connector connects.
System ID: System ID of this SAP system.
Client: Number of the client to be synchronized. To synchronize central user administration (CUA), you need the central system's client number.
Login name and password: Name and password of the user account the SAP R/3 connector uses to log in to the SAP R/3 system. Provide a user account with sufficient permissions. If the network connection must be secured, you also require the user account's SNC name.
Login language: Login language the SAP R/3 connector uses when logging in to the SAP R/3 system.
Synchronization server: All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server.
Installed components:
• SAP .Net Connector for .NET 4.0 on x64, version 3.0.15.0 or later
• One Identity Manager Service (started)
• Synchronization Editor
• SAP R/3 connector
The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.
Table 7: Additional Properties for the Job Server
Server Function: SAP R/3 connector
Machine role: Server/Job server/SAP R/3
For more information, see Setting Up the Synchronization Server on page 17.
One Identity Manager database connection data:
SQL Server:
• Database server
• Database
• Database user and password
• Specifies whether Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.
Oracle:
• Specifies whether access is direct or through the Oracle client. Which connection data is required depends on how this option is set.
• Database server
• Oracle instance port
• Service name
• Oracle database user and password
• Data source (TNS alias name from TNSNames.ora)
Remote connection server: To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. If you do not have direct access from the workstation on which the Synchronization Editor is installed, because of the firewall configuration, for example, you can set up a remote connection. The remote connection server and the workstation must be in the same Active Directory domain.
Remote connection server configuration:
• One Identity Manager Service is started
• RemoteConnectPlugin is installed
• SAP R/3 connector is installed
The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.
TIP: The remote connection server requires the same configuration (with respect to the installed software) as the synchronization server. You can use the synchronization server as the remote connection server at the same time by simply installing the RemoteConnectPlugin as well.
For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.
Additional information about setting up the synchronization project may be required
depending on the configuration of the SAP R/3 system.
Table 8: Information for Setting up a Synchronization Project
SAP R/3 router: Name of the router that provides a network port for the SAP R/3 connector to communicate with the application server.
SAP R/3 message server: Name of the message server with which the SAP R/3 connector communicates when logging in.
Login group: Name of the login group the SAP R/3 connector uses for logging in when communication runs over a message server within the SAP R/3 environment.
SNC host name: SNC name of the host for the secure network connection.
SNC name: SNC name of the user account with which the SAP R/3 connector logs in to the SAP R/3 system if a secure network connection is required.
SNC client API: API (library) that provides the SNC encryption.
NOTE: The following sequence describes how you configure a synchronization project if the Synchronization Editor is both:
• In default mode
• Started from the launchpad
Additional settings can be made if the project wizard is run in expert mode or is started directly from the Synchronization Editor. Follow the project wizard instructions through these steps.
To set up an initial synchronization project for an SAP client
1. Start the Launchpad and log on to the One Identity Manager database.
NOTE: If synchronization is executed by an application server, connect the
database through the application server.
2. Select the entry SAP R/3 target system type. Click Run.
This starts the Synchronization Editor's project wizard.
3. Specify how One Identity Manager can access the target system on the System access page.
• If you have access from the workstation from which you started the Synchronization Editor, do not set anything.
• If you do not have access from the workstation from which you started the Synchronization Editor, you can set up a remote connection. In this case, set the option Connect using remote connection server and select, under Job server, the server you want to use for the connection.
4. Select a connection type on the Connection type tab.
Table 9: Connection Types
SAP R/3 Application server or SAP R/3 router: Specifies whether the connection is established through an application server or a router.
SAP R/3 message server: Specifies whether the connection is established through a message server.
• Enter the connection data for connection type "SAP R/3 application server or SAP R/3 router" on the Connection data page.
Table 10: System Connection
SAP R/3 host or router: Name of the application server or router the SAP R/3 connector uses for communicating.
System number: Number of the SAP system.
System ID: System ID of the SAP system. This is used as the display name in One Identity Manager tools.
• Enter the connection data for connection type "SAP R/3 message server" on the Message server page.
Table 11: System Connection
SAP R/3 message server: Name of the message server used to establish the connection.
Logon group: Name of the logon group used by the SAP R/3 connector.
SAP R/3 router: Name of the router if the SAP R/3 connector communicates through a router.
System number: Number of the SAP system.
System ID: System ID of the SAP system. This is used as the display name in One Identity Manager tools.
5. Enter the network settings on the Secure network communication page.
Table 12: Network Settings
Program ID: Identifier for the connection the SAP R/3 connector establishes with the SAP R/3 system.
SNC login: Specifies whether the SNC user account name is used when the SAP R/3 connector logs in to the SAP R/3 system.
6. If you have enabled the option SNC login on the Secure connection page, the SNC connection configuration page opens. Enter the data required for logging in to the target system using a secure network connection.
Table 13: SNC Configuration
Client: Number of the client to be synchronized. Enter the central system's client number if central user administration is to be synchronized.
SNC host name: Name of the SNC host for the secure network connection.
SNC name: SNC name of the user account the SAP R/3 connector uses to log in to the SAP R/3 system.
SNC client API: API containing the SNC encryption.
Authentication / Integrity protection / Encryption / Highest avail. level: Select one of these as the security level for logging in to the SAP R/3 system. Only Encryption and Highest avail. level (the maximum the SNC library supports) protect the confidentiality of the RFC traffic; Authentication and Integrity protection leave its contents readable on the network.
Login language: Login language the SAP R/3 connector uses when logging in to the SAP R/3 system. The language selected determines the language of the captions for all the client's SAP objects. If you select "EN", all the text from SAP groups, roles, profiles and start menus is synchronized in English.
7. Enter data for logging in to the target system on the Login data page.
Table 14: Login Data
Client: Number of the client to be synchronized. Enter the central system's client number if central user administration is to be synchronized.
Login name: Name of the user account the SAP R/3 connector uses to log in to the SAP R/3 system. If you have enabled the option SNC login on the Secure connection page, enter the SNC name of this user account.
Login password: Password of the user account the SAP R/3 connector uses to log in to the SAP R/3 system.
Login language: Login language the SAP R/3 connector uses when logging in to the SAP R/3 system. The language selected determines the language of the captions for all the client's SAP objects. If you select "EN", all the text from SAP groups, roles, profiles and start menus is synchronized in English.
8. Supply additional information about synchronizing objects and properties on the Additional settings page. You can also check the connection settings here.
• Specify in Central user administration (CUA) whether the connection is to the central system of a central user administration. In this case, set CUA central system.
• You can test the connection in Verify connection settings. Click Verify project. The system tries to connect to the server. If the option CUA central system is set, the given client is tested to see if it is the central system of a CUA.
NOTE: This check also verifies whether the required BAPI is installed.
• Click Finish to end the system connection wizard and return to the project wizard.
9. Click Next on the SAP HCM settings page.
This page is only needed for synchronizing additional personnel planning data in the
SAP R/3 Structural Profiles Add-on Module.
10. Click Next on the SAP connector schema page.
TIP: You can enter a file with additional schema types on this page. The
connector schema is extended by these custom schema types. You can also
enter this data after saving the synchronization project. For more information,
see Adding Other Schema Types on page 38.
11. Verify the One Identity Manager database connection data on the One Identity
Manager connection page. The data is loaded from the connected database.
Reenter the password.
NOTE: Reenter all the connection data if you are not working with an encrypted
One Identity Manager database and no synchronization project has been saved
yet in the database. This page is not shown if a synchronization project already
exists.
12. The wizard loads the target system schema. This may take a few minutes depending
on the type of target system access and the size of the target system.
13. Select a project template on the Select project template page to use for setting up the synchronization configuration.
Table 15: Default Project Templates
SAP R/3 (CUA subsystem): Use this project template for initially setting up the synchronization project for a CUA child system that belongs to a different SAP system than the central system.
SAP R/3 synchronization (base administration): Use this project template for initially setting up the synchronization project for single clients or for a CUA's central system.
NOTE: A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager yourself. Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.
14. Specify how system access should work on the Restrict target system access page. You have the following options:
Table 16: Specifying Target System Access
Read-only access to target system: Specifies whether a synchronization workflow should be set up to initially load the target system into the One Identity Manager database. The synchronization workflow has the following characteristics:
• Synchronization is in the direction of "One Identity Manager".
• Processing methods in the synchronization steps are only defined in synchronization direction "One Identity Manager".
Changes are also made to the target system: Specifies whether a provisioning workflow should be set up in addition to the synchronization workflow that initially loads the target system. The provisioning workflow has the following characteristics:
• Synchronization is in the direction of the "target system".
• Processing methods in the synchronization steps are only defined in synchronization direction "target system".
• Synchronization steps are only created for schema classes whose schema types have write access.
This page is only shown if the project template "SAP R/3 synchronization (base administration)" was selected. If the project template "SAP R/3 (CUA subsystem)" was selected, the option Read-only access to target system is set.
15. Select the synchronization server to execute synchronization on the Synchronization server page.
If the synchronization server is not yet declared as a Job server in the One Identity Manager database, you can add a new Job server.
• Click the add button to add a new Job server.
• Enter a name for the Job server and the full server name conforming to DNS syntax.
• Click OK.
The synchronization server is declared as Job server for the target system in the One Identity Manager database.
NOTE: Ensure that this server is set up as the synchronization server after saving the synchronization project.
16. Click Finish to complete the project wizard.
This creates and allocates a default schedule for regular synchronization. Enable the
schedule for regular synchronization.
The synchronization project is created, saved and enabled immediately.
NOTE: If the synchronization project is not going to be executed immediately,
disable the option Activate and save the new synchronization project
automatically.
In this case, save the synchronization project manually before closing the
Synchronization Editor.
Disable this option, if you want to add your own schema types in this
synchronization project.
NOTE: The target system connection data is saved in a variable set, which you
can change in the Synchronization Editor under Configuration | Variables if
necessary.
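The connection data collected in steps 4 to 7 (Tables 10 to 14) is typed into the wizard by hand, and Verify project only tells you whether the connection works, not whether it is as secure as intended. The following Python script is an added example, not code from One Identity Manager or SAP: it models those fields, rejects malformed values (client, system number, SAProuter string, missing SNC names), and flags the two settings that weaken the connection without breaking it, SNC login disabled and an SNC security level below Encryption. The RFC parameter names it emits (ASHOST, MSHOST, SNC_QOP and so on), the mapping of the four security levels to SNC_QOP values, and the sample SNC names are the author's assumptions about the SAP RFC SDK, not documented behaviour of the connector.

```python
"""Sanity-check the connection data from Tables 10 to 14 before entering it in
the project wizard. Added example, not One Identity Manager or SAP code. The
RFC parameter names emitted by to_rfc_params() (ASHOST, MSHOST, GROUP, SYSNR,
SAPROUTER, CLIENT, USER, PASSWD, LANG, SNC_MODE, SNC_QOP, SNC_PARTNERNAME,
SNC_MYNAME, SNC_LIB) follow the SAP RFC SDK as the author knows it and are an
assumption, not the connector's own configuration format."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Table 13 security levels mapped to SNC_QOP values (assumption: 1 = authentication
# only, 2 = integrity protection, 3 = privacy/encryption, 9 = maximum available).
SNC_QOP = {"Authentication": "1", "Integrity protection": "2",
           "Encryption": "3", "Highest avail. level": "9"}
_ROUTE = re.compile(r"(/H/[A-Za-z0-9.\-]+(/S/\d{1,5})?)+")   # /H/host/S/port chains


@dataclass
class SapConnection:
    client: str                 # three-digit client, e.g. "100"
    login_name: str             # user name, or its SNC name when snc_login is set
    password: str = ""
    language: str = "EN"
    host: str = ""              # Table 10: application server or router
    sysnr: str = ""
    saprouter: str = ""
    message_server: str = ""    # Table 11: message server plus logon group
    logon_group: str = ""
    snc_login: bool = False     # Tables 12 and 13
    snc_host_name: str = ""     # SNC name of the SAP host (SNC_PARTNERNAME)
    snc_name: str = ""          # SNC name the connector logs in with (SNC_MYNAME)
    snc_client_api: str = ""    # SNC library, e.g. sapcrypto.dll (SNC_LIB)
    snc_level: str = "Encryption"


def check(conn: SapConnection) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors block the connection, warnings weaken it."""
    errors, warnings = [], []
    if not re.fullmatch(r"\d{3}", conn.client):
        errors.append("client must be a three-digit number such as 100")
    if not re.fullmatch(r"\d{2}", conn.sysnr):
        errors.append("system number must be two digits such as 00")
    if not re.fullmatch(r"[A-Z]{2}", conn.language):
        errors.append("login language must be a two-letter code such as EN")
    if bool(conn.host) == bool(conn.message_server):
        errors.append("specify exactly one of application server/router or message server")
    if conn.message_server and not conn.logon_group:
        errors.append("message server connections need a logon group")
    if conn.saprouter and not _ROUTE.fullmatch(conn.saprouter):
        errors.append("SAProuter string must look like /H/router.example.com/S/3299")
    if conn.snc_login:
        for label, value in (("SNC host name", conn.snc_host_name), ("SNC name", conn.snc_name),
                             ("SNC client API", conn.snc_client_api)):
            if not value:
                errors.append(f"SNC login is enabled but {label} is empty")
        if conn.snc_level not in SNC_QOP:
            errors.append(f"unknown SNC security level {conn.snc_level!r}")
        elif SNC_QOP[conn.snc_level] < "3":
            warnings.append(f"SNC level {conn.snc_level!r} authenticates and integrity-protects "
                            "the RFC session but does not encrypt it")
    else:
        if not conn.password:
            errors.append("a password is required when SNC login is disabled")
        warnings.append("SNC login disabled: password and synchronized user data travel "
                        "over unencrypted RFC")
    return errors, warnings


def to_rfc_params(conn: SapConnection) -> dict[str, str]:
    """Translate the wizard fields into RFC-SDK-style parameters (assumed names)."""
    errors, _ = check(conn)
    if errors:
        raise ValueError("; ".join(errors))
    params = {"CLIENT": conn.client, "SYSNR": conn.sysnr, "LANG": conn.language}
    if conn.host:
        params["ASHOST"] = conn.host
    else:
        params.update(MSHOST=conn.message_server, GROUP=conn.logon_group)
    if conn.saprouter:
        params["SAPROUTER"] = conn.saprouter
    if conn.snc_login:
        # Table 14: with SNC login the login name is the account's SNC name, so the
        # identity travels in SNC_MYNAME and no password is sent at all.
        params.update(SNC_MODE="1", SNC_QOP=SNC_QOP[conn.snc_level], SNC_LIB=conn.snc_client_api,
                      SNC_PARTNERNAME=conn.snc_host_name, SNC_MYNAME=conn.snc_name)
    else:
        params.update(USER=conn.login_name, PASSWD=conn.password)
    return params


if __name__ == "__main__":   # constructed sample: SNC on, but only "Authentication"
    demo = SapConnection(client="100", login_name="p:CN=OIM_SYNC, O=EXAMPLE", host="sapapp01.example.com",
                         sysnr="00", saprouter="/H/saprouter.example.com/S/3299", snc_login=True,
                         snc_host_name="p:CN=SAPAPP01, O=EXAMPLE", snc_name="p:CN=OIM_SYNC, O=EXAMPLE",
                         snc_client_api=r"C:\SNC\sapcrypto.dll", snc_level="Authentication")
    print(check(demo), to_rfc_params(demo), sep="\n")
```

Run it on the values you intend to enter; an empty error list with an empty warning list means the connection is both well-formed and encrypted end to end. The warning path is the one worth keeping: a connection that authenticates but does not encrypt passes Verify project just as well as an encrypted one, and nothing else in the wizard will point that out.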
To configure the content of the synchronization log
1. To configure the synchronization log for target system connection, select the
category Configuration | Target system.
2. To configure the synchronization log for the database connection, select the category
Configuration | One Identity Manager connection.
3. Select General view and click Configure....
4. Select the Synchronization log view and set Create synchronization log.
5. Enable the data to be logged.
NOTE: Certain content creates a lot of log data. The synchronization log should only contain the data necessary for error analysis and other evaluations.
6. Click OK.
To synchronize on a regular basis
1. Select the category Configuration | Start up configurations.
2. Select a start up configuration in the document view and click Edit schedule....
3. Edit the schedule properties.
4. To enable the schedule, click Activate.
5. Click OK.
To start initial synchronization manually
1. Select the category Configuration | Start up configurations.
2. Select a start up configuration in the document view and click Execute.
3. Confirm the security prompt with Yes.
NOTE: Following synchronization, employees are automatically created for user accounts in the default installation. If there are no account definitions for the client at the time of synchronization, user accounts are linked to employees but no account definitions are assigned. The user accounts are, therefore, in a "Linked" state.
To select user accounts through account definitions
1. Create an account definition.
2. Assign an account definition to the client.
3. Assign the account definition and manage level to the user accounts in a
"linked" state.
a. Select the category SAP R/3 | User accounts | Linked but not
configured | <client>.
b. Select the task Assign account definition to linked accounts.
Detailed information about this topic
• One Identity Manager Target System Synchronization Reference Guide
Related Topics
• Setting Up the Synchronization Server on page 17
• Users and Permissions for Synchronizing with SAP R/3 on page 14
• Show Synchronization Results on page 34
• Customizing Synchronization Configuration on page 35
• Speeding Up Synchronization with Revision Filtering on page 49
• Appendix: Default Project Templates for Synchronizing an SAP R/3 Environment on page 194
• Setting Up Account Definitions on page 57
• Automatic Assignment of Employees to SAP User Accounts on page 127
• Adding Other Schema Types on page 38
Special Features of Synchronizing with a CUA Central System
NOTE:
• Only child system roles and profiles that match the login language of the administrative user account for synchronization are mapped in One Identity Manager.
• Maintain all child system roles and profiles in the target system in the language set as login language in the synchronization project for the central system in the system connection.
If a central user administration is connected to One Identity Manager, regular
synchronization is only required with the central system. The synchronization
configuration is created for the client labeled as central system. The CUA Application Link
Enabling (ALE) distribution model is loaded during synchronization and tries to assign all
clients, which are configured as child systems, to the central system in One Identity
Manager. All clients in the same SAP system as the central system are automatically
added in One Identity Manager in the process and assigned to the central system (in CUA
central system). All clients in another SAP system, must already exist in One Identity
Manager at this point in time.
If a text comparison of roles and profiles between child and central systems was executed in the target system, the child system roles and profiles are taken into account by synchronization. These roles and profiles are assigned to the originating client in One Identity Manager.
The text comparison of roles and profiles in the target system saves roles and profiles per language in the table USRSYSACTT. During synchronization with One Identity Manager, only roles and profiles matching the login language of the administrative account for synchronization are read from the table USRSYSACTT. If single roles and profiles are not maintained in this language, they are not transferred to One Identity Manager. In order to map all roles and profiles from child systems in One Identity Manager, they must all be maintained in the language specified as login language in the central system.
To set up an initial synchronization project for central user administration
1. Create synchronization projects for the child systems that are not in the same SAP system as the central system.
Proceed as described in section Creating a Synchronization Project for initial Synchronization of an SAP Client on page 21. The following differences apply:
a. Select the project template "SAP R/3 (CUA subsystem)" on the Select project template page in the project wizard.
b. The page Restrict target system access is not shown. The target system is only loaded.
c. Start synchronization manually to load the required data.
All clients from the selected system and their license data are loaded.
NOTE: Do not synchronize using schedules. Re-synchronizing is only necessary if the active price lists for charging licenses were changed in the target system.
2. Repeat step 1 for all child systems in other SAP systems.
3. Create a synchronization project for the central system.
Proceed as described in section Creating a Synchronization Project for initial Synchronization of an SAP Client on page 21. The following differences apply:
a. Set the option CUA central system on the Additional settings page.
b. Select the project template "SAP R/3 synchronization (base administration)" on the Select project template page.
c. Configure scheduled synchronization.
4. Start central system synchronization after all child systems from other SAP systems have been loaded into the One Identity Manager database.
Related Topics
• General Master Data for an SAP Client on page 100
• Excluding Child Systems from Synchronization on page 32
Excluding Child Systems from Synchronization
Certain administrative tasks in SAP R/3 require that a child system is temporarily excluded from the central user administration. If such a child system is synchronized during this period, the SAP roles and SAP profiles of the temporarily excluded child system are marked as outstanding or deleted in the One Identity Manager database. To prevent this, remove the child system from the synchronization scope.
SAP roles and profiles are removed from the synchronization scope by deleting the
ALE model name in the client. The client properties are synchronized anyway. To
ensure that the ALE model name is not reintroduced, disable the rule for mapping this
schema property.
To exclude a child system from synchronization
1. Select the category SAP R/3 | Clients.
2. Select the child system in the result list. Select Change master data in the
task view.
3. Delete the entry in ALE model name.
4. Save the changes.
5. Open the synchronization project in the Synchronization Editor.
6. Select the category Workflows.
7. Select the workflow to use for synchronizing the central system in the
navigation view.
8. Double-click on the synchronization step "client" in the workflow view.
9. Select the Rule filter tab.
10. Select the property mapping rule "ALEModelName_ALEModelName" in Excluded rules.
11. Click OK.
12. Save the changes.
You must reactivate synchronization of the child system's SAP roles and profiles as soon as it becomes part of the central user administration again.
To re-include a child system in synchronization
1. Select the category SAP R/3 | Clients.
2. Select the child system in the result list. Select Change master data in the
task view.
3. Enter the ALE model name of the central system's CUA in the textbox ALE model name.
The child system is only synchronized if the same ALE model name is entered in the central system and the child system.
4. Save the changes.
5. Open the synchronization project in the Synchronization Editor.
6. Select the category Workflows.
7. Select the workflow to use for synchronizing the central system in the navigation view (default is "Initial Synchronization").
8. Double-click on the synchronization step "client" in the workflow view.
9. Select the Rule filter tab.
10. Deselect the property mapping rule "ALEModelName_ALEModelName" in Excluded rules.
11. Click OK.
12. Save the changes.
For more information about editing synchronization steps, see One Identity Manager Target
System Synchronization Reference Guide.
Related Topics
• General Master Data for an SAP Client on page 100
Show Synchronization Results
Synchronization results are summarized in the synchronization log. You can specify the
extent of the synchronization log for each system connection individually. One Identity
Manager provides several reports in which the synchronization results are organized under
different criteria.
To display a synchronization log
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Logs.
3. Click the synchronization log button in the navigation view toolbar.
Logs for all completed synchronization runs are displayed in the navigation view.
4. Select a log by double-clicking on it.
An analysis of the synchronization is shown as a report. You can save the report.
To display a provisioning log
1. Select the category Logs.
2. Click the provisioning log button in the navigation view toolbar.
Logs for all completed provisioning processes are displayed in the navigation view.
3. Select a log by double-clicking on it.
An analysis of the provisioning is shown as a report. You can save the report.
The log is marked in color in the navigation view. This mark shows you the execution status of the synchronization/provisioning.
Synchronization logs are stored for a fixed length of time. The retention period is set in the configuration parameter "DPR\Journal\LifeTime" and its sub parameters.
To modify the retention period for synchronization logs
• Set the configuration parameter "DPR\Journal\LifeTime" in the Designer and enter the maximum retention time for synchronization log entries. Use the configuration sub parameters to specify the retention period for each warning level.
• If there is a large amount of data, you can specify the number of objects to delete per DBQueue Processor operation and per run in order to improve performance. Use the configuration parameters "Common\Journal\Delete\BulkCount" and "Common\Journal\Delete\TotalCount" to do this.
• Configure and enable the schedule "Delete journal" in the Designer.
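The page names the retention parameters but does not spell out how a per-level lifetime, a per-operation bulk count and a per-run total count interact, and the interaction matters when the logs are your only record of what a synchronization run changed. The following Python model is an added example, not One Identity Manager code: it applies a lifetime per warning level, deletes expired entries oldest first in batches of BulkCount, stops after TotalCount rows per run, and counts how many scheduled runs a backlog needs to drain. Those semantics are the author's reading of the text, not documented product behaviour, and the journal entries are constructed sample data.

```python
r"""Model how the journal retention settings thin out synchronization logs.
Added example, not One Identity Manager code. The guide names the parameters
DPR\Journal\LifeTime (with sub parameters per warning level) and
Common\Journal\Delete\BulkCount / TotalCount but does not spell out how they
interact; the reading implemented here (lifetime in days per level, BulkCount
rows per delete operation, at most TotalCount rows per schedule run, oldest
first) is the author's assumption, and the entries are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class JournalEntry:
    id: int
    level: str            # warning level: "Info", "Warning" or "Error"
    logged_at: datetime


@dataclass(frozen=True)
class RetentionPolicy:
    lifetime_days: dict[str, int]   # per level, "default" for all other levels
    bulk_count: int                 # rows per DBQueue Processor delete operation
    total_count: int                # rows per run of the delete schedule


def expired(entries, policy: RetentionPolicy, now: datetime) -> list[JournalEntry]:
    """Entries older than the lifetime configured for their level, oldest first."""
    out = []
    for e in entries:
        days = policy.lifetime_days.get(e.level, policy.lifetime_days["default"])
        if now - e.logged_at > timedelta(days=days):
            out.append(e)
    return sorted(out, key=lambda e: e.logged_at)


def run_cleanup(entries, policy: RetentionPolicy, now: datetime):
    """One run of the delete schedule. Returns (remaining entries, delete batches)."""
    victims = expired(entries, policy, now)[: policy.total_count]
    batches = [victims[i:i + policy.bulk_count]
               for i in range(0, len(victims), policy.bulk_count)]
    gone = {e.id for e in victims}
    return [e for e in entries if e.id not in gone], batches


def runs_until_clean(entries, policy: RetentionPolicy, now: datetime) -> int:
    """Scheduled runs needed before no expired entry is left: a small TotalCount
    against a large backlog means the backlog survives several runs."""
    if policy.total_count < 1:
        raise ValueError("TotalCount must be positive or the backlog never drains")
    runs = 0
    while expired(entries, policy, now):
        entries, _ = run_cleanup(entries, policy, now)
        runs += 1
    return runs


# Constructed sample: ten entries of mixed level and age, a policy that keeps
# errors longest, and deliberately small batch limits so the batching shows.
NOW = datetime(2017, 12, 1)
POLICY = RetentionPolicy({"default": 30, "Warning": 60, "Error": 90},
                         bulk_count=2, total_count=5)
SAMPLE = [JournalEntry(i, level, NOW - timedelta(days=age))
          for i, (level, age) in enumerate([
              ("Info", 45), ("Info", 31), ("Info", 10), ("Warning", 61),
              ("Warning", 45), ("Error", 100), ("Error", 91), ("Error", 80),
              ("Info", 200), ("Info", 400)])]

if __name__ == "__main__":
    remaining, batches = run_cleanup(SAMPLE, POLICY, NOW)
    print("deleted in batches:", [[e.id for e in b] for b in batches])
    print("remaining ids:", [e.id for e in remaining])
    print("runs until clean:", runs_until_clean(SAMPLE, POLICY, NOW))
```

With the sample policy the first run removes the five oldest expired rows in three batches and leaves two expired Info rows for the next run; raising TotalCount drains the backlog faster at the cost of longer DBQueue Processor operations. When tuning the real parameters, keep the Error lifetime long enough to cover the period you would want to investigate after a bad synchronization run.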
Customizing Synchronization Configuration
You have used the Synchronization Editor to set up a synchronization project for initial synchronization of an SAP client. You can use this synchronization project to load SAP objects into the One Identity Manager database. If you manage user accounts and their authorizations with One Identity Manager, changes are provisioned in the SAP environment.
You must customize the synchronization configuration in order to compare the SAP R/3 database with the One Identity Manager database regularly and to synchronize changes.
• Create a workflow with the direction of synchronization "target system" to use One Identity Manager as the master system for synchronization.
• To specify which SAP objects and database objects are included in synchronization, edit the scope of the target system connection and the One Identity Manager database connection. To prevent data inconsistencies, define the same scope in both systems. If no scope is defined, all objects will be synchronized.
• You can use variables to create generally applicable synchronization configurations that contain the necessary information about the synchronization objects when synchronization starts. Variables can be implemented in base objects, schema classes or processing methods, for example.
• Use variables to set up a synchronization project that can be used for several different clients. Store a connection parameter as a variable for logging in to the clients.
• Update the schema in the synchronization project if the One Identity Manager schema or target system schema has changed. Then you can add the changes to the mapping.
• Add your own schema types if you want to synchronize data that does not have schema types in the connector schema.
IMPORTANT: As long as synchronization is running, you must not start another synchronization for the same target system. This applies especially if the same synchronization objects would be processed.
• The moment another synchronization is started with the same start up configuration, the running synchronization process is stopped and given the status "Frozen". An error message is written to the One Identity Manager Service log file.
• If another synchronization is started with another start up configuration that addresses the same target system, it may lead to synchronization errors or loss of data. Plan your start times carefully. If possible, specify your start times so that synchronization runs do not overlap.
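The IMPORTANT note leaves the overlap check to whoever edits the schedules. As an added example, not One Identity Manager code, the following Python script takes the planned start up configurations, the target system each one addresses and the run time you expect from past synchronization logs, expands the schedules over a planning window, and reports every overlapping pair on the same target system: the same start up configuration as "frozen" (the later start would freeze the running one), different ones as "collision". The Run fields and the sample schedule are constructed for the example.

```python
"""Find overlapping synchronization runs against the same target system.
Added example, not One Identity Manager code. The guide says a second run
with the same start up configuration freezes the running one, and a second
run with a different start up configuration against the same target system
risks errors and data loss. Field names and the sample schedule below are
the author's own constructed input."""
from __future__ import annotations

from collections.abc import Iterable
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Run:
    startup_config: str   # name of the start up configuration
    target_system: str    # e.g. SAP system ID and client
    start: datetime
    duration: timedelta   # expected run time, taken from past synchronization logs

    @property
    def end(self) -> datetime:
        return self.start + self.duration


def expand(config: str, target: str, first: datetime, every: timedelta,
           duration: timedelta, until: datetime) -> list[Run]:
    """Materialize the runs a periodic schedule produces before `until`."""
    runs, t = [], first
    while t < until:
        runs.append(Run(config, target, t, duration))
        t += every
    return runs


def find_conflicts(runs: Iterable[Run]) -> list[tuple[str, Run, Run]]:
    """Return (kind, earlier, later) for every overlapping pair on one target
    system: 'frozen' if both runs use the same start up configuration (the
    later start would freeze the running one), 'collision' otherwise."""
    ordered = sorted(runs, key=lambda r: (r.target_system, r.start))
    conflicts = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            # sorted by (target, start): once b is on another target system or
            # starts at/after a ends, nothing later in the list can overlap a
            if b.target_system != a.target_system or b.start >= a.end:
                break
            kind = "frozen" if a.startup_config == b.startup_config else "collision"
            conflicts.append((kind, a, b))
    return conflicts


# Constructed sample: two scheduled configurations on P01/100, an unrelated
# system Q01/100, and one manual start of the initial synchronization at 03:00
# while the scheduled 01:00 run is still going.
DAY = datetime(2017, 11, 6)
SAMPLE_RUNS = (
    expand("Initial Synchronization", "P01/100", DAY.replace(hour=1),
           timedelta(days=1), timedelta(hours=3), DAY + timedelta(days=2))
    + expand("Delta synchronization", "P01/100", DAY,
             timedelta(hours=2), timedelta(minutes=30), DAY + timedelta(days=2))
    + expand("Initial Synchronization", "Q01/100", DAY.replace(hour=1),
             timedelta(days=1), timedelta(hours=3), DAY + timedelta(days=2))
    + [Run("Initial Synchronization", "P01/100", DAY.replace(hour=3), timedelta(hours=3))]
)

if __name__ == "__main__":
    for kind, a, b in find_conflicts(SAMPLE_RUNS):
        print(f"{kind:9} {a.target_system}: {a.startup_config} {a.start:%d.%m %H:%M}-"
              f"{a.end:%H:%M} overlaps {b.startup_config} starting {b.start:%H:%M}")
```

The sample yields three collisions (the 02:00 delta run inside the 01:00 initial run on both days, and the 04:00 delta run inside the manual start) and one frozen case (the manual start against the scheduled initial run). Feed it the schedules from Configuration | Start up configurations and the durations from the Logs category before you activate a new schedule; the check is cheap and the alternative is a frozen run discovered in the service log.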
For more detailed information about configuring synchronization, see the One Identity
Manager Target System Synchronization Reference Guide.
Detailed information about this topic
• How to Configure SAP R/3 Synchronization on page 36
• Configuring Synchronization of Different Clients on page 37
• Updating Schemas on page 37
• Adding Other Schema Types on page 38
How to Configure SAP R/3 Synchronization
The synchronization project for initial synchronization provides a workflow for initial
loading of target system objects (initial synchronization) and one for provisioning object
modifications from the One Identity Manager database to the target system (provisioning).
You also require a workflow with synchronization in the direction of the "target system" to
use One Identity Manager as the master system for synchronization.
To create a synchronization configuration for synchronizing SAP R/3
1. Open the synchronization project in the Synchronization Editor.
2. Check whether existing mappings can be used for synchronizing the target system. Create new mappings if required.
3. Create a new workflow with the workflow wizard.
This adds a workflow for synchronizing in the direction of the target system.
4. Create a new start up configuration. Use the new workflow to do this.
5. Save the changes.
6. Run a consistency check.
Related Topics
• Configuring Synchronization of Different Clients on page 37
Configuring Synchronization of Different Clients
Prerequisites
• The target system schemas of both clients are identical.
• All virtual schema properties used in the mapping must exist in the extended schema of both clients.
To customize a synchronization project for synchronizing another client
1. Prepare a user account with sufficient permissions for synchronizing in the
other client.
2. Open the synchronization project in the Synchronization Editor.
3. Create a new base object for the other client. Use the wizards to attach a base object.
• Select the SAP connector in the wizard and enter the connection parameters. The connection parameters are saved in a special variable set.
A start up configuration is created, which uses the new variable set.
4. Change other elements of the synchronization configuration as required.
5. Save the changes.
6. Run a consistency check.
Related Topics
• How to Configure SAP R/3 Synchronization on page 36
Updating Schemas
All the schema data (schema types and schema properties) of the target system schema
and the One Identity Manager schema are available when you are editing a
synchronization project. Only a part of this data is really needed for configuring
synchronization. If a synchronization project is finished, the schema is compressed to
remove unnecessary data from the synchronization project. This can speed up loading the
synchronization project. Deleted schema data can be added to the synchronization
configuration again at a later point.
If the target system schema or the One Identity Manager schema has changed, these
changes must also be added to the synchronization configuration. Then the changes can be
added to the schema property mapping.
To include schema data that has been deleted through compressing and schema modifications in the synchronization project, update each schema in the synchronization project. This may be necessary if:
• A schema was changed by:
  • Changes to a target system schema
  • Customizations to the One Identity Manager schema
  • A One Identity Manager update migration
• A schema in the synchronization project was shrunk by:
  • Activating the synchronization project
  • Synchronization project initial save
  • Compressing a schema
To update a system connection schema
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Configuration | Target system.
   - OR -
   Select the category Configuration | One Identity Manager connection.
3. Select the view General and click Update schema.
4. Confirm the security prompt with Yes.
This reloads the schema data.
To edit a mapping
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Mappings.
3. Select a mapping in the navigation view.
Opens the Mapping Editor. For more detailed information about editing mappings,
see One Identity Manager Target System Synchronization Reference Guide.
NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.
Adding Other Schema Types
Add your own schema types if you want to synchronize data that does not have schema types in the connector schema. You can have your own schema types added when setting up the initial synchronization project with the project wizard. However, you can also add them after saving the synchronization project. This method is described in the following section.
You can obtain an overview of which schema types are defined in the connector schema in
the Synchronization Editor target system browser.
IMPORTANT: Both used and unused schema types are displayed in the Target System Browser. If the synchronization project is activated, unused schema types are deleted from the schema. They then no longer appear in the Target System Browser. Check the schema type list before you enable the synchronization project.
To start the Target System Browser
1. Open the synchronization project in the Synchronization Editor.
2. Select the category Configuration | Target systems.
3. Select the General view and click Browse....
This opens the Target System Browser. You will see all the schema types used in this synchronization project in the upper pane of the Schema types view. The lower pane contains the list of unused schema types.
To extend the connector schema with your own schema types
1. Find out which schema types you require.
2. Create a schema extension file. Save this file and keep the file name and path
at the ready.
For more information, see Configuring a Schema Extension File on page 40.
3. Open the synchronization project in the Synchronization Editor.
4. Select the category Configuration | Target systems.
5. Select the General view and click Edit connection....
This starts the system connection wizard.
6. Verify the data.
7. Enter the name and path of your schema extension file on the SAP connector schema page.
   • To check the schema extension file for logical errors, click Check file. This lists all the schema types that are defined.
   • Click Next.
8. Click Finish to end the system connection wizard.
9. Select the view General and click Update schema.
10. Confirm the security prompt with Yes.
The schema types, including your new schema types, are loaded.
11. Open the Target System Browser and check whether the schema types have been
added.
The schema types are displayed in the list of used schema types.
12. Select the category Mappings and create mappings for your new schema types.
For more information about setting up mappings and schema classes, see the One
Identity Manager Target System Synchronization Reference Guide.
13. Select the category Workflows and edit the workflow 'Initial Synchronization'.
Create additional synchronization steps for the new mappings.
For more detailed information about setting up synchronization steps, see the One
Identity Manager Target System Synchronization Reference Guide.
14. Save the synchronization project in the database.
15. Run a consistency check.
16. Activate the synchronization project.
Configuring a Schema Extension File
Define all the schema types you want to use to extend the connector schema in the schema
extension file. The schema extension file is an XML file with a structure identical to the
connector schema. It describes the definitions for table queries and BAPI calls for the new
schema types. If a new schema type has the same name as an already existing schema
type, the extension is ignored.
The file is divided into three main sections:
• Table section
• Functions section
• Schema types section
The tables and functions required to access the data of the schema types being defined must be declared first. After that, you define the new schema types in the schema types section; the same functions and tables can be used in different schema type definitions. A schema type definition must contain at least one call for an object list.
Schema Extension File Structure
<?xml version="1.0" encoding="utf-8" ?>
<SAP>
  <Tables>
    ...
  </Tables>
  <Functions>
    ...
  </Functions>
  <SAPExtendedSchematypes>
    ...
  </SAPExtendedSchematypes>
</SAP>
Predefined Variables
You can use variables in the table and function sections. These can be all the system
variables known to the SAP module RFC_READ_TABLE.
Table 17: System Variable Examples
Variable    Description
sy-langu    Currently selected login language.
sy-datum    Current date.
sy-mandant  Current client.
You can also use variables known to the SAP R/3 connector, for example, from the process parameter definition.
Table 18: Predefined SAP R/3 Connector Variables
Variable  Description
$Value$   Input parameter for the One Identity Manager Service call.
$Mandt$   Current client's number.
$Date$    Current date.
Detailed information about this topic
• Defining Tables on page 41
• Defining Functions on page 44
• Defining Schema Types on page 45
• Appendix: Example of a Schema Extension File on page 201
Defining Tables
In the section for tables (Tables), you select the tables and columns required for accessing the data of the schema types being defined. The SAP R/3 connector requires a definition for each table in order to load the slim object list. In it, you specify exactly those columns the SAP R/3 connector needs when it loads the synchronization objects. All columns of the table are loaded when single objects are accessed.
Table 19: Table definition
Attribute   Description
Definition  Symbolic name for using the definition.
TableName   Name of the table in the SAP database.
Key         Key term for formatting the distinguished name. Multiple values can be entered in a comma delimited list.
X500        Abbreviation for the key term in the attribute Key. Multiple values can be entered in a comma delimited list.
SQL         Limiting WHERE clause.
            NOTE: There are a number of restrictions for parsing SQL operators in the SAP R/3 system. Take the following rules into account to ensure correctness:
            • The column name must be in front of the operator in a comparison and the comparison value after it (example: BEGDA LT sy-datum).
            • The comparison operators "<" and ">" cause parsing errors in XML. Use the operators LT and GT instead. For more information, see Permitted operators in the SQL attribute on page 43.
Distinct    Lists the columns that the Distinct filter applies to (as a comma delimited list).
Load        Columns to load when the object list is loaded. These columns can be used, for example, to format the schema type's display name (DisplayPattern), as revision counters, or as input parameters in a function. If the object list is loaded from a table but single objects from a function, all the columns used within the synchronization project mapping must be given here.
            IMPORTANT: Each column that must be additionally loaded when the object list is loaded creates extra load for One Identity Manager. This can make synchronization much slower if there is a lot of data. Only enter columns that you really need for further object processing. No data is required for single object access.
Advice
• Several table definitions with different symbolic names can be defined that refer to the same table in the SAP database.
• Key columns are always loaded. They should not, therefore, be given in the Load attribute.
• The Load attribute only works when loading the object list. All columns of the table are always loaded when single objects are accessed.
• The following operators are valid in the WHERE clause:

  Table 20: Permitted operators in the SQL attribute
  Operator  Function/Example
  EQ        =
  NE        <>
  GT        >
  LT        <
  GE        >=
  LE        <=
  BETWEEN   ENDDA BETWEEN '20090101' AND '20090131'

• A table definition can also contain a mapping block. This block is used to replace parameters that are to be used in WHERE clauses but were selected under another name in the object list.
  In the example below, every occurrence of the variable $BNAME$ is replaced with the value in the column USERNAME when single objects are loaded from the table RSECUSERAUTH, before the SQL selection is run. The column USERNAME must have been loaded into an object list beforehand.
  Table definitions with a mapping are used primarily to load single objects.
• Predefined variables can be used as well as custom defined parameters in the WHERE clause. For more information, see Configuring a Schema Extension File on page 40.
Example:
<Tables>
  <TABLE Definition="HRP1001-Table" TableName="HRP1001"
         Key="OTJID,SUBTY,BEGDA,ENDDA" X500="CN,OU,OU,OU" SQL="MANDT = sy-mandt"
         Load="VARYF" Distinct="OTJID,SUBTY,VARYF" />
  <TABLE Definition="HRP1000-Table" TableName="HRP1000"
         Key="OTJID,LANGU,BEGDA,ENDDA" X500="CN,OU,OU,OU" SQL="MANDT = sy-mandt"
         Load="" Distinct="OTJID" />
  <TABLE Definition="RSECUSERAUTH-SingleUser" TableName="RSECUSERAUTH" Key="AUTH"
         X500="CN" SQL="UNAME = '$BNAME$'" Load="">
    <Mapping>
      <Data ParameterName="$BNAME$" PropertyName="USERNAME" />
    </Mapping>
  </TABLE>
</Tables>
Defining Functions
In the section for functions (Functions), you can describe the interfaces to BAPI functions
required for accessing the data for the schema types, which will be defined.
Table 21: Function definition
Attribute     Description
Definition    Symbolic name for using the definition.
FunctionName  Function name in the SAP R/3 system.
OutStructure  Name of an SAP structure given as a return value. (Optional)
Key           Key term for formatting the distinguished name. Multiple values can be entered in a comma delimited list.
X500          Abbreviation for the key term in the attribute Key. Multiple values can be entered in a comma delimited list.
In the optional mapping block, you define how the values are passed to the function
call parameters. To do this, an object list must be created before the function call. The
parameters for the function call can be filled from this object list's properties. In the
example below, BNAME is a property, which is determined from the object list of the
table USR02.
Predefined variables can be passed to the parameters. For more information, see
Configuring a Schema Extension File on page 40. Apart from that, it is possible to pass a
fixed value to a function parameter. The following notation is provided for this.
<Data ParameterName = "<Name>" PropertyName = "VALUE=<fixed value>" />
Example:
<Tables>
  <TABLE Definition="USR02-Table" TableName="USR02" Key="BNAME" X500="CN"
         SQL="MANDT = '$MANDT$'" Load="" />
</Tables>
<Functions>
  <Function Definition="USER GET" FunctionName="BAPI_USER_GET_DETAIL"
            OutStructure="" Key="USERNAME" X500="CN">
    <Mapping>
      <Data ParameterName="USERNAME" PropertyName="BNAME" />
    </Mapping>
  </Function>
</Functions>
Related Topics
• Appendix: Example of a Schema Extension File on page 201
Defining Schema Types
In the section for schema types (SAPExtendedSchematypes), you can define schema types
that exist in the SAP schema and can be used to extend the connector schema. The
identifier given in the attribute Name is used as the name. This identifier must be unique in
the extended connector schema.
Table 22: Schema type definition
Attribute               Description
Bem                     Internal description.
Name                    Name of the schema type in the extended connector schema.
DisplayPattern          Definition of a display pattern for displaying objects in the Synchronization Editor (for example, in the target system browser or when defining schema classes). (Optional) Only columns that are loaded in the table definition (attribute Key or Load) can be used.
                        IMPORTANT: Each column that must be additionally loaded when the object list is loaded creates extra load for One Identity Manager. This can make synchronization much slower if there is a lot of data. Only enter columns that you really need for further object processing.
RevisionProperty        Name of a property containing the revision counter. (Optional)
ListObjectsDefinition   Function or table definition for calling an object list.
ReadObjectDefinition    Function or table definition for calling a single object.
WriteObjectDefinition   Function definition for writing an object. (Optional)
DeleteObjectDefinition  Function definition for deleting an object. (Optional)
ParentType              Context of the schema type. (Optional)
                        By default, the schema types are client related (ParentType="SAPMANDANT"). If the new schema type is valid in all SAP R/3 system clients, enter the ParentType with the value "SAPSYSTEM". If this attribute is not defined, the schema type is client related.
A schema type definition must contain at least one object list call (attribute
ListObjectsDefinition). In this case, you can enter a table or a function definition. To call a
single object (attribute ReadObjectDefinition), the object list must have been loaded
previously. The list call and single object call can refer to different tables, however the key
columns for identifying single objects must either have the same name or have been
mapped in the table definition for the single object call. In the example below, the single
objects from table RSECUSERAUTH are determined for an object from the table USR02. The key
columns for identifying the objects are USR02.BNAME and RSECUSERAUTH.UNAME. The columns
have different names and are therefore mapped using the parameter $BNAME$.
It is possible to define a Properties block for declaring any number of other object properties and the types of access to them. One single property is defined by the Property tag, which can have the following attributes.
Table 23: Property Definition
Attribute        Description
Name             Name of the property. It must be unique within the schema type.
Description      Property description.
ListFunction     Function or table for calling all values.
AddFunction      Function for adding a value. (Optional)
DelFunction      Function for deleting a value. (Optional)
ReplaceFunction  Replaces the entire contents of the property. (Optional)
IsMultivalued    Specifies whether the property has multiple values. (Optional) If this attribute is not defined, the property is not multi-value.
Example:
<Tables>
  <TABLE Definition="USR04-Table" TableName="USR04" Key="BNAME,MANDT"
         X500="CN,OU" SQL="MANDT = sy-mandt" Load="" />
  <TABLE Definition="USR02-Table" TableName="USR02" Key="BNAME" X500="CN"
         SQL="MANDT = sy-mandt" Load="MANDT,TRDAT" />
  <TABLE Definition="RSECUSERAUTH-SingleUser" TableName="RSECUSERAUTH" Key="AUTH"
         X500="CN" SQL="UNAME = '$BNAME$'" Load="">
    <Mapping>
      <Data ParameterName="$BNAME$" PropertyName="BNAME" />
    </Mapping>
  </TABLE>
</Tables>
<Functions>
  <Function Definition="USER GET" FunctionName="BAPI_USER_GET_DETAIL"
            OutStructure="" Key="USERNAME" X500="CN">
    <Mapping>
      <Data ParameterName="USERNAME" PropertyName="BNAME" />
    </Mapping>
  </Function>
  <Function Definition="USER SET" FunctionName="BAPI_USER_CHANGE"
            OutStructure="" Key="USERNAME" X500="CN">
    <Mapping>
      <Data ParameterName="USERNAME" PropertyName="BNAME" />
    </Mapping>
  </Function>
  <Function Definition="USER DEL" FunctionName="BAPI_USER_DELETE"
            OutStructure="" Key="USERNAME" X500="CN">
    <Mapping>
      <Data ParameterName="USERNAME" PropertyName="BNAME" />
    </Mapping>
  </Function>
  <Function Definition="USER PROFILE SET" FunctionName="BAPI_USER_PROFILES_ASSIGN"
            OutStructure="" Key="USERNAME" X500="CN">
    <Mapping>
      <Data ParameterName="USERNAME" PropertyName="BNAME" />
      <Data ParameterName="BAPIPROF~BAPIPROF" PropertyName="$Value$" />
    </Mapping>
  </Function>
  <Function Definition="BWProfileDelFkt" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_DEL"
            OutStructure="" Key="ZUSRNAME,ZHIER" X500="CN,OU">
    <Mapping>
      <Data ParameterName="ZUSRNAME" PropertyName="BNAME" />
      <Data ParameterName="ZHIER" PropertyName="$VALUE$" />
    </Mapping>
  </Function>
  <Function Definition="BWProfileAddFkt" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_ADD"
            OutStructure="" Key="ZUSRNAME,ZHIER" X500="CN,OU">
    <Mapping>
      <Data ParameterName="ZUSRNAME" PropertyName="BNAME" />
      <Data ParameterName="ZHIER" PropertyName="$VALUE$" />
    </Mapping>
  </Function>
</Functions>
<SAPExtendedSchematypes>
  <SAPExtendedSchematype Bem="all users" Name="UserFunctionTable"
      DisplayPattern="%BNAME% (%MANDT%)" RevisionProperty="TRDAT"
      ListObjectsDefinition="USR02-Table" ReadObjectDefinition="USER GET"
      WriteObjectDefinition="USER SET" DeleteObjectDefinition="USER DEL">
    <Properties>
      <Property Name="SAPBWP" Description="all the user's BW profiles"
                ListFunction="RSECUSERAUTH-SingleUser"
                AddFunction="BWProfileAddFkt" DelFunction="BWProfileDelFkt"
                ReplaceFunction="" IsMultivalued="true" />
      <Property Name="USERPROFILE" Description="all the user's profiles"
                ListFunction="USR04-Table" AddFunction="" DelFunction=""
                ReplaceFunction="USER PROFILE SET" IsMultivalued="true" />
    </Properties>
  </SAPExtendedSchematype>
</SAPExtendedSchematypes>
Explanation:
The list of schema type objects UserFunctionTable is created by using the table USR02.
Reading, writing and deleting is done with USER-BAPI functions, which each have been
declared as a Function.
The schema type has a properties block. Two properties are defined here that are neither
returned through the list call's table definition nor through the single object call's function
definition. A multi-value property SAPBWP is defined, whose value is taken from the table
RSECUSERAUTH. The single objects are identified by the columns USR02.BNAME and
RSECUSERAUTH.UNAME. BAPI calls, which are defined as functions, are used for inserting and
deleting values.
The property USERPROFILE is an example of a multi-value property whose values are read from a table (USR04) and which has a Replace function. Therefore, all values that need to remain in the property must always be given when changes are made. The write function is the original USER-BAPI function for setting profiles for the user (function definition for BAPI_USER_PROFILES_ASSIGN). Single objects are identified using the columns USR02.BNAME and USR04.BNAME. No mapping is required in the table definition because the key columns have the same name.
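The following script is an added example and not code from One Identity Manager or the SAP connector. It reads a schema extension file and checks it against the rules stated in this chapter before the file is handed to the system connection wizard: the three sections are present, Definition and Name values are unique, the SQL attribute uses LT/GT rather than "<" and ">", key columns are not repeated in Load, every $PARAM$ in a WHERE clause is either a predefined connector variable or supplied by a Mapping block, every ListObjectsDefinition, ReadObjectDefinition, WriteObjectDefinition, DeleteObjectDefinition and property function refers to a declared table or function, and DisplayPattern and RevisionProperty only use columns loaded through Key or Load. The embedded SAMPLE_XML is constructed from the examples above; the element and attribute names are the file format's own, the function names and messages are mine, and treating variable names case-insensitively is an assumption drawn from the mixed-case $MANDT$ and $Value$ in the examples.

```python
# Added example, not One Identity Manager or SAP connector code: a pre-flight
# validator for a schema extension file, built from the rules in this chapter.
import re
import xml.etree.ElementTree as ET

# Predefined connector variables (Table 18); the examples write them in mixed
# case ($MANDT$, $Value$), so they are compared case-insensitively (assumption).
PREDEFINED = {"$VALUE$", "$MANDT$", "$DATE$"}
PARAM_RE = re.compile(r"\$[A-Za-z0-9_]+\$")    # $BNAME$ inside an SQL attribute
PATTERN_RE = re.compile(r"%([A-Za-z0-9_]+)%")  # %BNAME% inside a DisplayPattern

# Constructed sample, assembled from the examples in this chapter.
SAMPLE_XML = """<SAP>
 <Tables>
  <TABLE Definition="USR02-Table" TableName="USR02" Key="BNAME" X500="CN"
         SQL="MANDT = sy-mandt" Load="MANDT,TRDAT" />
  <TABLE Definition="RSECUSERAUTH-SingleUser" TableName="RSECUSERAUTH" Key="AUTH"
         X500="CN" SQL="UNAME = '$BNAME$'" Load="">
   <Mapping><Data ParameterName="$BNAME$" PropertyName="BNAME" /></Mapping>
  </TABLE>
 </Tables>
 <Functions>
  <Function Definition="USER GET" FunctionName="BAPI_USER_GET_DETAIL" Key="USERNAME" X500="CN">
   <Mapping><Data ParameterName="USERNAME" PropertyName="BNAME" /></Mapping></Function>
 </Functions>
 <SAPExtendedSchematypes>
  <SAPExtendedSchematype Bem="all users" Name="UserFunctionTable"
      DisplayPattern="%BNAME% (%MANDT%)" RevisionProperty="TRDAT"
      ListObjectsDefinition="USR02-Table" ReadObjectDefinition="USER GET">
   <Properties><Property Name="SAPBWP" ListFunction="RSECUSERAUTH-SingleUser" /></Properties>
  </SAPExtendedSchematype>
 </SAPExtendedSchematypes>
</SAP>"""


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]  # comma delimited list


def validate_extension(xml_text):
    """Return a list of rule violations; an empty list means the file passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # an unescaped '<' or '>' in an SQL attribute lands here
        return [f"not well-formed XML: {exc}"]
    problems = [f"missing section {s}" for s in
                ("Tables", "Functions", "SAPExtendedSchematypes") if root.find(s) is None]
    tables, functions = {}, {}
    for t in root.iter("TABLE"):
        name = t.get("Definition", "")
        if not name or not t.get("TableName") or name in tables:
            problems.append(f"TABLE {name!r}: needs a unique Definition and a TableName")
        tables[name] = t
        keys = set(_split(t.get("Key", "")))
        sql = t.get("SQL", "")
        if "<" in sql or ">" in sql:  # also catches values escaped as &lt; / &gt;
            problems.append(f"{name}: use LT/GT in SQL instead of '<' and '>'")
        for col in keys & set(_split(t.get("Load", ""))):  # key columns are always loaded
            problems.append(f"{name}: key column {col} must not be repeated in Load")
        mapped = {d.get("ParameterName", "").upper() for d in t.iter("Data")}
        for param in PARAM_RE.findall(sql):  # custom parameters need a Mapping entry
            if param.upper() not in PREDEFINED | mapped:
                problems.append(f"{name}: parameter {param} is neither predefined nor mapped")
    for f in root.iter("Function"):
        name = f.get("Definition", "")
        if not name or not f.get("FunctionName") or name in functions or name in tables:
            problems.append(f"Function {name!r}: needs a unique Definition and a FunctionName")
        functions[name] = f

    def ref(owner, attr, value, table_ok):  # write/delete/add/del must name a function
        if value and value not in functions and not (table_ok and value in tables):
            problems.append(f"{owner}: {attr} refers to undefined definition {value}")

    names = [st.get("Name", "") for st in root.iter("SAPExtendedSchematype")]
    if "" in names or len(names) != len(set(names)):
        problems.append("every SAPExtendedSchematype needs a unique Name")
    for st in root.iter("SAPExtendedSchematype"):
        name, list_def = st.get("Name", ""), st.get("ListObjectsDefinition", "")
        if not list_def:
            problems.append(f"{name}: ListObjectsDefinition is mandatory")
        for attr, table_ok in (("ListObjectsDefinition", True), ("ReadObjectDefinition", True),
                               ("WriteObjectDefinition", False), ("DeleteObjectDefinition", False)):
            ref(name, attr, st.get(attr, ""), table_ok)
        if list_def in tables:  # DisplayPattern/RevisionProperty may only use Key or Load columns
            t = tables[list_def]
            loaded = set(_split(t.get("Key", "")) + _split(t.get("Load", "")))
            wanted = set(PATTERN_RE.findall(st.get("DisplayPattern", ""))) | (
                {st.get("RevisionProperty", "")} - {""})
            for col in sorted(wanted - loaded):
                problems.append(f"{name}: {col} is not loaded by {list_def} (Key or Load)")
        props = [p.get("Name", "") for p in st.iter("Property")]
        if "" in props or len(props) != len(set(props)):
            problems.append(f"{name}: every Property needs a unique Name")
        for p in st.iter("Property"):
            owner = f"{name}.{p.get('Name', '')}"
            ref(owner, "ListFunction", p.get("ListFunction", ""), True)
            for attr in ("AddFunction", "DelFunction", "ReplaceFunction"):
                ref(owner, attr, p.get(attr, ""), False)
    return problems
```

Run it on a real file with validate_extension(open(path, encoding="utf-8").read()) before the Check file step in the system connection wizard; an empty list means none of the chapter's rules is violated, otherwise each message names the definition or schema type concerned. A literal "<" in an SQL attribute never reaches the rule check because the file is no longer well-formed XML, which is exactly why the chapter prescribes LT and GT.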
Speeding Up Synchronization with Revision Filtering
When you start synchronization, all synchronization objects are loaded. Some of these objects have not been modified since the last synchronization and, therefore, do not need to be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.
SAP R/3 supports revision filtering. The SAP objects' date of last change is used as the revision counter. Each synchronization saves its last execution date as the revision in the One Identity Manager database (table DPRRevisionStore, column Value). This value is used as the comparison value for revision filtering when the same workflow is synchronized the next time. When this workflow is synchronized the next time, the SAP objects' change date is compared with the revision saved in the One Identity Manager database. Only those objects that have been changed since this date are loaded from the target system.
NOTE: SAP roles are given the date the role was last generated in the target system. Only SAP roles that have been regenerated since the last synchronization are updated in the database on synchronization with revision filtering.
The revision is found at start of synchronization. Objects changed after this point are
included with the next synchronization.
Revision filtering can be applied to workflows and start up configurations.
To permit revision filtering on a workflow
• Open the synchronization project in the Synchronization Editor.
• Edit the workflow properties. Select the entry Use revision filter from Revision filtering.
To permit revision filtering for a start up configuration
• Open the synchronization project in the Synchronization Editor.
• Edit the start up configuration properties. Select the entry Use revision filter from Revision filtering.
Detailed information about this topic
• One Identity Manager Target System Synchronization Reference Guide
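As an added example, not part of the product, the following Python model shows how the revision filter described above selects objects across two runs of the same workflow, including the detail that the revision is determined at the start of synchronization, so an object changed while a run is executing is picked up by the next run. The dictionary revision_store stands in for table DPRRevisionStore, the object ids and timestamps are constructed sample data, and the function names are mine.

```python
# Added example, not One Identity Manager code: a model of the revision
# filtering described above. Object ids and timestamps are constructed samples.
from datetime import datetime, timedelta

# Stands in for table DPRRevisionStore: one revision (column Value) per workflow.
revision_store = {}


def load_with_revision_filter(objects, workflow, started_at):
    """Return the ids of the objects this run has to load, then store the new revision.

    objects: mapping object id -> datetime of the object's last change in SAP
             (for SAP roles this is the date the role was last generated).
    The revision recorded is the START time of the run, not its end: an object
    changed while the run is executing keeps a timestamp later than the stored
    revision and is therefore loaded by the next run instead of being skipped.
    """
    last = revision_store.get(workflow)   # None on the very first run: load everything
    # ">=" keeps an object stamped exactly at the stored revision; with day-granular
    # change dates this reloads a same-day change rather than losing it.
    selected = sorted(oid for oid, changed in objects.items()
                      if last is None or changed >= last)
    revision_store[workflow] = started_at
    return selected


def demo_two_runs():
    """First run loads everything; the second only what changed since the first started."""
    start1 = datetime(2017, 6, 1, 8, 0)
    objects = {"USER1": start1 - timedelta(days=3),
               "USER2": start1 - timedelta(days=1),
               "ROLE_A": start1 - timedelta(days=10)}
    first = load_with_revision_filter(objects, "Initial Synchronization", start1)
    objects["USER2"] = start1 + timedelta(minutes=5)   # changed while run 1 was executing
    objects["USER1"] = start1 + timedelta(days=1)      # changed the next day
    start2 = start1 + timedelta(days=1, hours=1)
    second = load_with_revision_filter(objects, "Initial Synchronization", start2)
    return first, second
```

Because the revision is keyed by workflow, a second workflow on the same synchronization project starts with its own full load; that matches the text's statement that the stored value is compared "when the same workflow is synchronized the next time".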
Synchronizing Collective Roles
Only directly assigned single and collective roles are mapped in the table SAPUserInSAPRole.
Assignments of single roles to collective roles are mapped in the SAPCollectionRPG table.
You can establish which single roles are indirectly assigned to a user account through both
tables.
By default, the following applies to inheritance of single roles by user accounts: if a single role is assigned to a user account and the single role is also part of a collective role that is assigned to the same user account, the single role is not additionally inherited by the user account. As a result, the user account's direct membership in the single role is removed when group memberships are provisioned in SAP R/3. This membership is then deleted from the One Identity Manager database by the next synchronization or marked as outstanding, depending on the synchronization configuration.
To prevent memberships being removed from single roles when single roles are part of collective roles
• Set the configuration parameter "TargetSystem\SAP\KeepRedundantProfiles" in the Designer.
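The following Python functions are an added example, not One Identity Manager code, and model the default rule above: a single role that an account holds both directly and through an assigned collective role is treated as redundant and its direct membership is dropped on provisioning, unless the behaviour modelled by keep_redundant (the configuration parameter TargetSystem\SAP\KeepRedundantProfiles) applies. Role names are constructed sample data; the table names in the docstrings are the ones the text names.

```python
# Added example, not One Identity Manager code: models the default handling of a
# single role that a user account holds both directly and through a collective
# role. Role names are constructed sample data.


def redundant_single_roles(direct_roles, collective_roles):
    """Single roles assigned directly that the account also receives through an
    assigned collective role.

    direct_roles: roles assigned directly to the account (table SAPUserInSAPRole,
                  single and collective roles alike).
    collective_roles: collective role -> set of its single roles (table SAPCollectionRPG).
    """
    via_collective = set()
    for role in direct_roles:
        via_collective |= collective_roles.get(role, set())
    return set(direct_roles) & via_collective


def direct_roles_after_provisioning(direct_roles, collective_roles, keep_redundant=False):
    """Direct memberships that remain after group memberships are provisioned.

    keep_redundant models the configuration parameter
    TargetSystem\\SAP\\KeepRedundantProfiles: when it is set the redundant direct
    memberships are kept; by default they are removed, and the next synchronization
    then deletes them from the database or marks them as outstanding.
    """
    if keep_redundant:
        return set(direct_roles)
    return set(direct_roles) - redundant_single_roles(direct_roles, collective_roles)


def demo():
    """Constructed sample: COLL_HR bundles two single roles, one also assigned directly."""
    collective = {"COLL_HR": {"SINGLE_PAYROLL", "SINGLE_TIME"}}
    direct = {"COLL_HR", "SINGLE_PAYROLL", "SINGLE_AUDIT"}
    return (redundant_single_roles(direct, collective),
            direct_roles_after_provisioning(direct, collective),
            direct_roles_after_provisioning(direct, collective, keep_redundant=True))
```

The first return value is the membership a subsequent synchronization will report as deleted or outstanding, which is worth knowing before interpreting such entries as unexpected removals.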
Restricting Synchronization Objects using User Permissions
One Identity Manager can restrict the user accounts and groups that are synchronized by using user permissions. In this case, only those user accounts and groups are synchronized that the user account used by the SAP R/3 connector to log in to the target system is authorized for. All other groups and user accounts are filtered out of the user lists and the group list of the function module "/VIAENET/U". If only a small part of the user accounts in the SAP R/3 environment should be synchronized with One Identity Manager, synchronization can be accelerated with this method.
Prerequisites
• The user account used by the SAP R/3 connector to log in to the target system is assigned exactly those groups in the SAP R/3 authorization object S_USER_GRP, characteristic CLASS, that should be synchronized.
• There are user accounts in the SAP R/3 environment that have one of these groups assigned as user group for authorization checks (in the login data).
During synchronization, the groups that the user account used by the SAP R/3 connector to log in to the target system has access to in the authorization object S_USER_GRP are loaded into the One Identity Manager database. All user accounts that are assigned one of these groups as user group for authorization checks are also synchronized. All other groups and user accounts are handled as non-existent objects in the target system during synchronization.
Post-Processing Outstanding Objects
Objects, which do not exist in the target system, can be marked as outstanding in One
Identity Manager by synchronizing. This prevents objects being deleted because of an
incorrect data situation or an incorrect synchronization configuration.
Objects marked as outstanding:
• Cannot be edited in One Identity Manager.
• Are ignored by subsequent synchronization.
• Must be post-processed separately in One Identity Manager.
Start target system synchronization to do this.
To post-process outstanding objects
1. Select the category SAP R/3 | Target system synchronization: SAP R/3.
   All tables assigned to the target system type SAP R/3 as synchronization tables are displayed in the navigation view.
2. Select the table whose outstanding objects you want to edit in the navigation view.
   This opens the target system synchronization form. All objects that are marked as outstanding are shown here.
   TIP: To display the object properties of an outstanding object
   a. Select the object on the target system synchronization form.
   b. Open the context menu and click Show object.
3. Select the objects you want to rework. Multi-select is possible.
4. Click one of the following icons in the form toolbar to execute the respective method.

   Table 24: Methods for handling outstanding objects
   Icon  Method   Description
         Delete   The object is immediately deleted in One Identity Manager. Deferred deletion is not taken into account. The "outstanding" label is removed from the object.
                  Indirect memberships cannot be deleted.
         Publish  The object is added in the target system. The "outstanding" label is removed from the object.
                  The method triggers the event "HandleOutstanding". This runs a target system specific process that triggers the provisioning process for the object.
                  Prerequisites:
                  • The table containing the object can be published.
                  • The target system connector has write access to the target system.
         Reset    The "outstanding" label is removed from the object.

5. Confirm the security prompt with Yes.
NOTE: By default, the selected objects are processed in parallel, which speeds up
execution of the selected method. If an error occurs during processing, the action is
stopped and all changes are discarded.
Bulk processing of objects must be disabled if errors are to be localized, which means
the objects are processed sequentially. Failed objects are named in the error
message. All changes that were made up until the error occurred are saved.
To disable bulk processing
• Deactivate the bulk processing icon in the form toolbar.
You must customize synchronization to synchronize custom tables.
To add custom tables to the target system synchronization
1. Select the category SAP R/3 | Basic configuration data | Target system types.
2. Select the target system type SAP R/3 in the result list.
3. Select Assign synchronization tables in the task view.
4. Assign custom tables whose outstanding objects you want to handle in Add
assignments.
5. Save the changes.
6. Select Configure tables for publishing.
7. Select custom tables whose outstanding objects can be published in the target
system and set the option Publishable.
8. Save the changes.
NOTE: The target system connector must have write access to the target system in order to publish outstanding objects that are being post-processed. That means the option Connection is read only must not be set for the target system connection.
Configuring Memberships Provisioning
Memberships, for example, user accounts in groups, are saved in assignment tables in the
One Identity Manager database. During provisioning of modified memberships, changes
made in the target system will probably be overwritten. This behavior can occur under the
following conditions:
• Memberships are saved in the target system as an object property in list form (Example: List of role assignments in the property AGR_NAME for an SAP R/3 user).
• Memberships can be modified in either of the connected systems.
• A provisioning workflow and provisioning processes are set up.
If a membership in One Identity Manager changes, the complete list of members is
transferred to the target system by default. Memberships, previously added to the target
system are removed by this; previously deleted memberships are added again.
To prevent this, provisioning can be configured such that only the modified membership is
provisioned in the target system. The corresponding behavior is configured separately for
each assignment table.
To allow separate provisioning of memberships
1. Start the Manager.
2. Select the category SAP R/3 | Basic configuration data | Target system
types.
3. Select Configure tables for publishing.
4. Select the assignment tables for which you want to allow separate provisioning.
Multi-select is possible.
   • The option can only be set for assignment tables whose base table has a column XDateSubItem.
   • Assignment tables, which are grouped together in a virtual schema property in the mapping, must be labeled identically.
5. Click Enable merging.
6. Save the changes.
For each assignment table labeled like this, the changes made in the One Identity Manager
are saved in a separate table. During modification provisioning, the members list in the
target system is compared to the entries in this table. This means that only modified
memberships are provisioned and the members list does not get entirely overwritten.
NOTE: The complete members list is updated by synchronization. During this process,
objects with changes but incomplete provisioning are not handled. These objects are
logged in the synchronization log.
For more detailed information about provisioning memberships, see the One Identity
Manager Target System Synchronization Reference Guide.
NOTE: Changes to user account memberships in single roles are always provisioned individually. Therefore, single provisioning cannot be configured for the table SAPUserInSAPRole.
Help for Analyzing Synchronization Issues
You can generate a report for analyzing problems which occur during synchronization, for
example, insufficient performance. The report contains information such as:
- Consistency check results
- Revision filter settings
- Scope applied
- Analysis of the synchronization buffer
- Object access times in the One Identity Manager database and in the target system
To generate a synchronization analysis report
1. Open the synchronization project in the Synchronization Editor.
2. Select the menu Help | Generate synchronization analysis report and answer
the security prompt with Yes.
The report may take a few minutes to generate. It is displayed in a separate window.
3. Print the report or save it in one of the available output formats.
Deactivating Synchronization
Regular synchronization cannot be started until the synchronization project and the
schedule are active.
To prevent regular synchronization
- Select the start up configuration and deactivate the configured schedule.
Now you can only start synchronization manually.
An activated synchronization project can only be edited to a limited extent. If schema
modifications are required, the schema in the synchronization project must be updated; the
synchronization project is deactivated in this case and can be edited again.
Furthermore, the synchronization project must be deactivated if synchronization should not
be started by any means (not even manually).
To deactivate the loaded synchronization project
1. Select General on the start page.
2. Click Deactivate project.
Detailed information about this topic
- Creating a Synchronization Project for initial Synchronization of an SAP Client on page 21
3 Base Data for Managing SAP R/3
To manage an SAP R/3 environment in One Identity Manager, the following data is
relevant.
- Configuration parameters
Use configuration parameters to configure the behavior of the system's basic
settings. One Identity Manager provides default settings for different configuration
parameters. Check the configuration parameters and modify them as necessary to
suit your requirements.
Configuration parameters are defined in the One Identity Manager modules. Each
One Identity Manager module can also install configuration parameters. You can find
an overview of all configuration parameters in the category Base data | General |
Configuration parameters in the Designer.
For more information, see Appendix: Configuration Parameters for Managing SAP
R/3 on page 189.
- Account definitions
One Identity Manager has account definitions for automatically allocating user
accounts to employees during working hours. You can create account definitions for
every target system. If an employee does not have a user account in the target
system, a new user account is created. This is done by assigning account
definitions to an employee using the integrated inheritance mechanism followed by
process handling.
For more information, see Setting Up Account Definitions on page 57.
- Password policies
One Identity Manager provides you with support for creating complex password
policies, for example, for system user passwords, the employees' central password
as well as passwords for individual target systems. Password policies apply not only
when the user enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can
use or customize if required. You can also define your own password policies.
For more information, see Password Policies on page 79.
- Initial password for new user accounts
You have different options for issuing an initial password for user accounts. The
central password of the assigned employee can be aligned with the user account
password, a predefined fixed password can be used, or a randomly generated initial
password can be issued.
For more information, see Initial Password for New SAP User Accounts on page 88.
- Email notifications about login data
When a new user account is created, the login data is sent to a specified recipient.
In this case, two messages are sent, one with the user name and one with the initial
password. Mail templates are used to generate the messages.
For more information, see Email Notifications about Login Data on page 90.
- Login languages
User accounts can be assigned a default login language. Login languages can be
loaded into the One Identity Manager database through synchronization.
For more information, see Login Languages on page 77.
- Target system types
Target system types are required for configuring target system comparisons. Tables
containing outstanding objects are maintained on target system types.
For more information, see Post-Processing Outstanding Objects on page 51.
- Server
In order to handle SAP R/3 specific processes in One Identity Manager, the
synchronization server and its server functionality must be declared.
For more information, see Editing a Server on page 91.
- Target system managers
A default application role exists for the target system manager in One Identity
Manager. Assign this application role to employees who are authorized to edit the clients
in One Identity Manager.
Define other application roles if you want to limit target system managers' access
permissions to individual clients. The application roles must be added under the
default application role.
For more information, see Target System Managers on page 96.
Setting Up Account Definitions
One Identity Manager has account definitions for automatically allocating user accounts to
employees during working hours. You can create account definitions for every target
system. If an employee does not have a user account in the target system, a new user
account is created. This is done by assigning account definitions to an employee using the
integrated inheritance mechanism followed by process handling.
The data for the user accounts in the respective target system comes from the basic
employee data. Which IT operating data is applied to an employee's user account is
controlled through the primary assignment of the employee to a location, a department, a
cost center, or a business role, and the data is processed through templates. There are
predefined templates for determining the data required for user accounts included in
the default installation. You can customize templates as required.
For more details about the basics, see the One Identity Manager Target System Base
Module Administration Guide.
The following steps are required to implement an account definition:
- Creating an Account Definition
- Setting Up Manage Levels
- Creating a Formatting Rule for IT Operating Data
- Determining IT Operating Data
- Assigning Account Definitions to Employees
- Assigning Account Definitions to a Target System
Creating an Account Definition
To create a new account definition
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list. Select Change master data in
the task view.
- OR - Click the toolbar button in the result list.
3. Enter the account definition's master data.
4. Save the changes.
Detailed information about this topic
- Master Data for an Account Definition on page 58
Master Data for an Account Definition
Enter the following data for an account definition:
Table 25: Master Data for an Account Definition

Account definition: Account definition name.

User account table: Table in the One Identity Manager schema which maps user accounts.

Target system: Target system to which the account definition applies.
NOTE: No CUA child client can be assigned.

Required account definition: Required account definitions. Define the dependencies between
account definitions. When this account definition is requested or assigned, the required
account definition is automatically requested or assigned with it. Leave empty for SAP
clients.

Description: Spare text box for additional explanation.

Manage level (initial): Manage level to use by default when you add new user accounts.

Risk index: Value for evaluating the risk of account definition assignments to employees.
Enter a value between 0 and 1. This property is only visible when the configuration
parameter QER\CalculateRiskIndex is set. For more detailed information, see the
One Identity Manager Risk Assessment Administration Guide.

Service item: Service item through which you can request the account definition in the IT
Shop. Assign an existing service item or add a new one.

IT Shop: Specifies whether the account definition can be requested through the IT Shop.
The account definition can be requested by an employee over the Web Portal and distributed
using a defined approval process. The account definition can still be directly assigned to
employees and roles outside the IT Shop.

Only for use in IT Shop: Specifies whether the account definition can only be requested
through the IT Shop. The account definition can be requested by an employee over the Web
Portal and distributed using a defined approval process. This means the account definition
cannot be directly assigned to roles outside the IT Shop.

Automatic assignment to employees: Specifies whether the account definition is assigned
automatically to all internal employees. On saving, the account definition is assigned to
every employee not marked as external. New employees automatically obtain this account
definition as soon as they are added.
IMPORTANT: Only set this option if you can ensure that all current internal employees in
the database and all pending newly added internal employees obtain a user account in this
target system.
Disable this option to remove automatic assignment of the account definition to all
employees. From this point on, the account definition is no longer assigned automatically
to employees. Existing account definition assignments remain intact.

Retain account definition if permanently disabled: Specifies the account definition
assignment to permanently disabled employees.
Option set: the account definition assignment remains in effect; the user account stays
the same.
Option not set: the account definition assignment is not in effect; the associated user
account is deleted.

Retain account definition if temporarily disabled: Specifies the account definition
assignment to temporarily disabled employees.
Option set: the account definition assignment remains in effect; the user account stays
the same.
Option not set: the account definition assignment is not in effect; the associated user
account is deleted.

Retain account definition on deferred deletion: Specifies the account definition
assignment on deferred deletion of employees.
Option set: the account definition assignment remains in effect; the user account stays
the same.
Option not set: the account definition assignment is not in effect; the associated user
account is deleted.

Retain account definition on security risk: Specifies the account definition assignment
to employees posing a security risk.
Option set: the account definition assignment remains in effect; the user account stays
the same.
Option not set: the account definition assignment is not in effect; the associated user
account is deleted.

Resource type: Resource type for grouping account definitions.

Spare field 01 - spare field 10: Additional company specific information. Use the Designer
to customize display names, formats and templates for the input fields.
Setting Up Manage Levels
Specify the manage level for an account definition for managing user accounts. The user
account’s manage level specifies the extent of the employee’s properties that are inherited
by the user account. This allows an employee to have several user accounts in one target
system, for example:
- Default user account that inherits all properties from the employee
- Administrative user account that is associated with an employee but should not inherit
the properties from the employee
The One Identity Manager supplies a default configuration for manage levels:
- Unmanaged
User accounts with a manage level of "Unmanaged" become linked to an employee
but do not inherit any other properties. When a new user account is added with this
manage level and an employee is assigned, some of the employee's properties are
transferred initially. If the employee properties are changed at a later date, the
changes are not passed on to the user account.
- Full managed
User accounts with a manage level of "Full managed" inherit specific properties from
the assigned employee.
NOTE: The manage levels "Full managed" and "Unmanaged" are evaluated in the
templates. You can customize the supplied templates in the Designer.
You can define other manage levels depending on your requirements. You need to
amend the templates to include manage level approaches.
Specify the effect of temporarily or permanently disabling, deleting or the security risk of
an employee on its user accounts and group memberships for each manage level. For more
detailed information about manage levels, see the One Identity Manager Target System
Base Module Administration Guide.
- Employee user accounts can be locked when they are disabled, deleted or rated as a
security risk so that permissions are immediately withdrawn. If the employee is
reinstated at a later date, the user accounts are also reactivated.
- You can also define group membership inheritance. Inheritance can be discontinued
if desired when, for example, the employee's user accounts are disabled and
therefore cannot be members in groups. During this time, no inheritance processes
should be calculated for this employee. Existing group memberships are deleted!
To assign manage levels to an account definition
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list.
3. Select Assign manage level in the task view.
4. Assign manage levels in Add assignments.
- OR - Remove assignments to manage levels in Remove assignments.
5. Save the changes.
IMPORTANT: The manage level "Unmanaged" is assigned automatically when an
account definition is assigned and cannot be removed.
To edit a manage level
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Manage levels.
2. Select the manage level in the result list. Select Change master data.
- OR - Click the toolbar button in the result list.
3. Edit the manage level's master data.
4. Save the changes.
Detailed information about this topic
- Master Data for a Manage Level on page 62
Master Data for a Manage Level
Enter the following data for a manage level.
Table 26: Master Data for a Manage Level

Manage level: Name of the manage level.

Description: Spare text box for additional explanation.

IT operating data overwrites: Specifies whether user account data formatted from IT
operating data is automatically updated. Permitted values are:
- Never: Data is not updated.
- Always: Data is always updated.
- Only initially: Data is only determined initially.

Retain groups if temporarily disabled: Specifies whether user accounts of temporarily
disabled employees retain their group memberships.

Lock user accounts if temporarily disabled: Specifies whether user accounts of temporarily
disabled employees are locked.

Retain groups if permanently disabled: Specifies whether user accounts of permanently
disabled employees retain their group memberships.

Lock user accounts if permanently disabled: Specifies whether user accounts of permanently
disabled employees are locked.

Retain groups on deferred deletion: Specifies whether user accounts of employees marked
for deletion retain their group memberships.

Lock user accounts if deletion is deferred: Specifies whether user accounts of employees
marked for deletion are locked.

Retain groups on security risk: Specifies whether user accounts of employees posing a
security risk retain their group memberships.

Lock user accounts if security is at risk: Specifies whether user accounts of employees
posing a security risk are locked.

Retain groups if user account disabled: Specifies whether locked user accounts retain
their group memberships.
Creating a Formatting Rule for IT Operating Data
An account definition specifies which rules are used to form the IT operating data and
which default values will be used if no IT operating data can be found through the
employee's primary roles.
The following IT operating data is used in the One Identity Manager default
configuration for automatic creating and modifying of user accounts for an employee in
the target system.
- Groups can be inherited
- Identity
- Privileged user account
To create a mapping rule for IT operating data
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list.
3. Select Edit IT operating data mapping in the task view and enter the
following data.
Table 27: Mapping rule for IT operating data

Column: User account property for which the value is set.

Source: Specifies which roles to use in order to find the user account properties.
You have the following options:
- Primary department
- Primary location
- Primary cost center
- Primary business roles
NOTE: Only use the primary business role if the Business Roles Module is installed.
- Empty
If you select Empty, you must specify a default value and set the option Always use
default value.

Default value: Default value of the property for an employee's user account if the
value is not determined dynamically from the IT operating data.

Always use default value: Specifies whether user account properties are always filled
with the default value. IT operating data is not determined dynamically from a role.

Notify when applying the standard: Specifies whether an email notification is sent to a
defined mailbox when the default value is used. The mail template "Employee - new user
account with default properties created" is used. To change the mail template, modify the
configuration parameter "TargetSystem\SAPR3\Accounts\MailTemplateDefaultValues".
4. Save the changes.
Determining IT Operating Data
In order to create user accounts with the manage level "Full managed" for an employee,
the necessary IT operating data must be determined. The operating data required to
automatically supply an employee with IT resources is entered for departments,
locations, cost centers, and business roles. An employee is assigned to one primary
location, one primary department, one primary cost center or one primary business role.
The necessary IT operating data is ascertained from these assignments and used in
creating the user accounts. Default values are used if valid IT operating data cannot be
found via the primary roles.
You can also specify IT operating data directly for a specific account definition.
Example:
Normally, each employee in department A obtains a default user account in the client A.
In addition, certain employees in department A obtain administrative user accounts in
the client A.
Create an account definition A for the default user account of the client A and an account
definition B for the administrative user account of client A. Specify the property
"Department" in the IT operating data formatting rule for the account definitions A and B in
order to determine the valid IT operating data.
Specify the effective IT operating data of department A for the client A. This IT operating
data is used for standard user accounts. In addition, specify the effective account
definition B IT operating data for department A. This IT operating data is used for
administrative user accounts.
To specify IT operating data
1. Select the role in the category Organizations or Business roles.
2. Select Edit IT operating data in the task view and enter the following data.
Table 28: IT Operating Data

Organization/Business role: Department, cost center, location or business role for
which the IT operating data is valid.

Effects on: IT operating data application scope. The IT operating data can be used for
a target system or a defined account definition.
To specify an application scope
a. Click the button next to the text box.
b. Under Table, select the table which maps the target system, or the table
TSBAccountDef for an account definition.
c. Select the concrete target system or concrete account definition under Effects on.
d. Click OK.

Column: User account property for which the value is set. Columns using the script
template TSB_ITDataFromOrg in their template are listed. For more detailed information,
see the One Identity Manager Target System Base Module Administration Guide.

Value: Concrete value which is assigned to the user account property.
3. Save the changes.
Modifying IT Operating Data
If IT operating data changes, you must transfer these changes to the existing user
accounts. To do this, templates must be rerun on the affected columns. Before you run
the templates, you can check what effect a change to the IT operating data has on
the existing user accounts. You can decide, for each affected column of each affected
user account, whether the change is transferred to the database.
Prerequisites
- The IT operating data of a department, cost center, business role or location
was changed.
- OR -
- The default values in the IT operating data template were modified for an account
definition.
NOTE: If the assignment of an employee to a primary department, cost center,
business role or primary location changes, the templates are automatically
executed.
To execute the template
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list.
3. Select Execute templates in the task view.
This displays a list of all user accounts which are created through the selected
account definition and whose properties are changed by modifying the IT
operating data.
Old value: Current value of the object property.
New value: Value applied to the object property after modifying the IT operating data.
Selection: Specifies whether the modification is applied to the user account.
4. Mark all the object properties in the selection column that will be given the
new value.
5. Click Apply.
The templates are applied to all selected user accounts and properties.
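To make the lookup order and the preview concrete, the following added example models both "Determining IT Operating Data" and "Modifying IT Operating Data" in plain Python. It is not One Identity Manager code or its template engine: each mapping rule names a source role type, the value is looked up on the employee's primary role of that type within the application scopes in effect, the default value is used when nothing is found (or when Always use default value is set or the source is Empty), and a changed IT operating data value is previewed against existing accounts without being applied. The scope lookup order (account definition before client), the column names and the sample data are assumptions.

```python
"""IT operating data determination and change preview, modelled in Python.

Added example: this is not One Identity Manager code or its template engine.
Scope lookup order, column names and sample data are assumptions.
"""
import copy
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MappingRule:
    column: str
    source: Optional[str]          # "department", "location", "cost_center", "business_role" or None (Empty)
    default_value: object
    always_use_default: bool = False
    notify_when_default: bool = False


@dataclass(frozen=True)
class Employee:
    name: str
    primary: dict                  # role type -> primary role name


# it_data[(role_type, role_name)][scope][column] = value; a scope is the
# target system (client) or an account definition the data is valid for.
IT_DATA = {
    ("department", "A"): {
        "Client A": {"GroupsInherited": True, "Privileged": False, "Identity": "Primary identity"},
        "AccountDef B": {"GroupsInherited": False, "Privileged": True, "Identity": "Admin identity"},
    },
}

RULES = [
    MappingRule("GroupsInherited", "department", True),
    MappingRule("Privileged", "department", False),
    MappingRule("Identity", "department", "Primary identity", notify_when_default=True),
]

EMPLOYEES = {
    "alice": Employee("alice", {"department": "A"}),
    "bob": Employee("bob", {"department": "C"}),   # department C carries no IT operating data
}

# Assumption: the account-definition scope is consulted before the client scope.
SCOPES_DEFAULT_ACCOUNT = ["Client A"]
SCOPES_ADMIN_ACCOUNT = ["AccountDef B", "Client A"]


def lookup(it_data, role_type, role_name, scopes, column):
    """First scope in order that carries a value for the column wins."""
    per_role = it_data.get((role_type, role_name), {})
    for scope in scopes:
        value = per_role.get(scope, {}).get(column)
        if value is not None:
            return value
    return None


def resolve(employee, rules, it_data, scopes):
    """Return (values, defaulted_columns) for one user account of the employee."""
    values, defaulted = {}, []
    for rule in rules:
        value = None
        if rule.source is not None and not rule.always_use_default:
            role_name = employee.primary.get(rule.source)
            if role_name is not None:
                value = lookup(it_data, rule.source, role_name, scopes, rule.column)
        if value is None:                      # no role, no data, Empty, or forced default
            value = rule.default_value
            if rule.notify_when_default:
                defaulted.append(rule.column)  # would trigger the notification mail
        values[rule.column] = value
    return values, defaulted


def preview_changes(accounts, employees, rules, it_data, scopes):
    """Model the Execute templates preview: one (account, column, old, new) row
    per property whose value would change; nothing is written."""
    rows = []
    for account, (owner, current) in accounts.items():
        new_values, _ = resolve(employees[owner], rules, it_data, scopes)
        for column, new in new_values.items():
            if current.get(column) != new:
                rows.append((account, column, current.get(column), new))
    return rows


def demo_preview():
    """Change department A's Identity for Client A and preview the effect on ALICE."""
    accounts = {"ALICE": ("alice", resolve(EMPLOYEES["alice"], RULES, IT_DATA, SCOPES_DEFAULT_ACCOUNT)[0])}
    changed = copy.deepcopy(IT_DATA)
    changed[("department", "A")]["Client A"]["Identity"] = "Work identity"
    return preview_changes(accounts, EMPLOYEES, RULES, changed, SCOPES_DEFAULT_ACCOUNT)


if __name__ == "__main__":
    print(resolve(EMPLOYEES["alice"], RULES, IT_DATA, SCOPES_ADMIN_ACCOUNT))
    print(resolve(EMPLOYEES["bob"], RULES, IT_DATA, SCOPES_DEFAULT_ACCOUNT))
    print(demo_preview())
```

Alice's default account takes the Client A data; her administrative account (account definition B) gets the privileged values. Bob's department carries no data, so every column falls back to the rule default and the Identity column would raise the default-value notification. The preview lists only the ALICE/Identity row, which is what the Execute templates selection column lets you accept or skip.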
Assigning Account Definitions to Employees
Account definitions are assigned to company employees. Indirect assignment is the default
method for assigning account definitions to employees. Account definitions are assigned to
departments, cost centers, locations or roles. The employees are categorized into these
departments, cost centers, locations or roles depending on their function in the company
and thus obtain their account definitions. To react quickly to special requests, you can
assign individual account definitions directly to employees. You can automatically assign
special account definitions to all company employees. It is possible to assign account
definitions to the IT Shop as requestable products. A department manager can then request
user accounts from the Web Portal for his staff. It is also possible to add account definitions
to system roles. These system roles can be assigned to employees through hierarchical
roles or directly or added as products in the IT Shop.
In the One Identity Manager default installation, the processes are checked at the start to
see if the employee already has a user account in the target system that has an account
definition. If no user account exists, a new user account is created with the account
definition’s default manage level.
NOTE: If a user account already exists and is disabled, then it is re-enabled. You
have to alter the user account manage level afterwards in this case.
Prerequisites for indirect assignment of account definitions to employees
- Assignment of employees and account definitions is permitted for role classes
(department, cost center, location or business role).
For detailed information about preparing role classes to be assigned, see the One Identity
Manager Identity Management Base Module Administration Guide.
Detailed information about this topic
- Assigning Account Definitions to Departments, Cost Centers and Locations on page 68
- Assigning Account Definitions to Business Roles on page 68
- Assigning Account Definitions to all Employees on page 68
- Assigning Account Definitions Directly to Employees on page 69
- Assigning Account Definitions to a Target System on page 71
Assigning Account Definitions to Departments,
Cost Centers and Locations
To add account definitions to hierarchical roles
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list.
3. Select Assign organizations in the task view.
4. Assign organizations in Add assignments.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost center tab.
- OR - Remove the organizations from Remove assignments.
5. Save the changes.
Assigning Account Definitions to Business Roles
Installed Modules: Business Roles Module
To add account definitions to hierarchical roles
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR Remove business roles in Remove assignments.
5. Save the changes.
Assigning Account Definitions to all Employees
To assign an account definition to all employees
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list.
3. Select Change master data in the task view.
4. Set the option Automatic assignment to employees on the General tab.
IMPORTANT: Only set this option if you can ensure that all current internal
employees in the database and all pending newly added internal employees
obtain a user account in this target system.
5. Save the changes.
The account definition is assigned to every employee that is not marked as external. New
employees automatically obtain this account definition as soon as they are added. The
assignment is calculated by the DBQueue Processor.
NOTE: Disable the option Automatic assignment to employees to remove
automatic assignment of the account definition to all employees. The account definition cannot be reassigned to employees from this point on. Existing assignments
remain intact.
Assigning Account Definitions Directly to
Employees
To assign an account definition directly to employees
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list.
3. Select Assign to employees in the task view.
4. Assign employees in Add assignments.
- OR Remove employees from Remove assignments.
5. Save the changes.
Assigning Account Definitions to System Roles
Installed Modules: System Roles Module
NOTE: Account definitions with the option Only for use in IT Shop can only be assigned
to system roles that also have this option set.
To add account definitions to a system role
1. Select the category SAP R/3 | Basic configuration data | Account definitions
| Account definitions.
2. Select an account definition in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR Remove assignments to system roles in Remove assignments.
5. Save the changes.
Adding Account Definitions in the IT Shop
An account definition can be requested by shop customers when it is assigned to an IT Shop
shelf. To ensure it can be requested, further prerequisites need to be met.
- The account definition must be labeled with the IT Shop option.
- The account definition must be assigned to a service item.
- If the account definition is only to be assigned to employees through IT Shop requests,
you must also set the option Only for use in IT Shop. Direct assignment to
hierarchical roles is then not possible.
NOTE: IT Shop administrators can assign account definitions to IT Shop shelves if
login is role-based. Target system administrators are not authorized to add account
definitions in the IT Shop.
To add an account definition to the IT Shop
1. Select the category SAP R/3 | Basic configuration data | Account definitions
(non role-based login).
– OR –
Select the category Entitlements | Account definitions (role-based login).
2. Select an account definition in the result list.
3. Select Add to IT Shop in the task view.
4. Assign the account definition to the IT Shop shelf in Add assignments
5. Save the changes.
To remove an account definition from individual IT Shop shelves
1. Select the category SAP R/3 | Basic configuration data | Account definitions
(non role-based login).
– OR –
Select the category Entitlements | Account definitions (role-based login).
2. Select an account definition in the result list.
3. Select Add to IT Shop in the task view.
4. Remove the account definition from the IT Shop shelves in Remove assignments.
5. Save the changes.
To remove an account definition from all IT Shop shelves
1. Select the category SAP R/3 | Basic configuration data | Account definitions
(non role-based login).
– OR –
Select the category Entitlements | Account definitions (role-based login).
2. Select an account definition in the result list.
3. Select Remove from all shelves (IT Shop) in the task view.
4. Confirm the security prompt with Yes.
5. Click OK.
The account definition is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests with this account definition are
canceled in the process.
For more detailed information about requesting company resources through the IT Shop,
see the One Identity Manager IT Shop Administration Guide.
Related Topics
- Master Data for an Account Definition on page 58
- Assigning Account Definitions to Departments, Cost Centers and Locations on page 68
- Assigning Account Definitions to Business Roles on page 68
- Assigning Account Definitions Directly to Employees on page 69
- Assigning Account Definitions to System Roles on page 69
Assigning Account Definitions to a Target System
NOTE: To use automatic employee assignment for central user administration (CUA)
user accounts, assign the account definition to the CUA central system. Account
definitions cannot be used to assign user accounts to child systems.
The following prerequisites must be fulfilled if you implement automatic assignment of
user accounts and employees resulting in administered user accounts (state "Linked
configured"):
• The account definition is assigned to the target system.
• The account definition has the default manage level.
User accounts are only linked to the employee (state "Linked") if no account definition is
given. This is the case on initial synchronization, for example.
To assign the account definition to a target system
1. Select the client in the category SAP R/3 | Clients.
2. Select Change master data in the task view.
3. Select the account definition for user accounts from Account definition (initial).
4. Save the changes.
Deleting an Account Definition
You can delete account definitions if they are not assigned to target systems, employees,
hierarchical roles or any other account definitions.
NOTE: If an account definition is deleted, the user accounts arising from this account
definition are deleted.
To delete an account definition
1. Remove automatic assignments of the account definition from all employees.
a. Select the category SAP R/3 | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Change master data in the task view.
d. Disable the option Automatic assignment to employees on the General tab.
e. Save the changes.
2. Remove direct assignments of the account definition to employees.
a. Select the category SAP R/3 | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Assign to employees in the task view.
d. Remove employees from Remove assignments.
e. Save the changes.
3. Remove the account definition's assignments to departments, cost centers and
locations.
a. Select the category SAP R/3 | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Assign organizations.
d. Remove the account definition's assignments to departments, cost centers and
locations in Remove assignments.
e. Save the changes.
4. Remove the account definition's assignments to business roles.
a. Select the category SAP R/3 | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Assign business roles in the task view.
d. Remove business roles from Remove assignments.
e. Save the changes.
5. If the account definition was requested through the IT Shop, it must be canceled and removed from all IT Shop shelves. For more detailed information, see the One Identity Manager IT Shop Administration Guide.
6. Remove the account definition assignment as required account definition for another
account definition. As long as the account definition is required for another account
definition, it cannot be deleted. Check all the account definitions.
a. Select the category SAP R/3 | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Select Change master data in the task view.
d. Remove the account definition from the Required account definition menu.
e. Save the changes.
7. Remove the account definition's assignments to target systems.
a. Select the client in the category SAP R/3 | Clients.
b. Select Change master data in the task view.
c. Remove the assigned account definitions on the General tab.
d. Save the changes.
8. Delete the account definition.
a. Select the category SAP R/3 | Basic configuration data | Account
definitions | Account definitions.
b. Select an account definition in the result list.
c. Click the delete button to delete the account definition.
Basic Data for User Account Administration
The One Identity Manager supplies the following basic data for user administration, by default:
• User Account Types on page 74
• External Identifier Types on page 75
Other basic data is read from SAP R/3 during synchronization, if configured, and cannot be edited in One Identity Manager. This merely allows assignment to an SAP user account. These include:
• Parameter on page 75
• Printers on page 76
• Cost centers on page 76
• Start Menu on page 76
• Companies on page 77
• Login Languages on page 77
• Licenses on page 78
• Special Versions on page 79
Certain user account properties can be defined as default for all user accounts through the configuration settings. These include:
• Initial Password for New SAP User Accounts on page 88
• Email Notifications about Login Data on page 90
User Account Types
The user account types are available in One Identity Manager by default. SAP R/3
recognizes the user account types listed below.
Table 29: User Account Types

| User account type | Meaning |
|---|---|
| Dialog (A) | Dialog user in a system. |
| System (B) | Background processing within a system. |
| Communication (C) | Communication between systems without a dialog. |
| Service (S) | Common user account for anonymous system access, for example. User accounts of this type should have heavily restricted access permissions. |
| Reference (L) | Common user account for additional granting of permissions. |
The default user account type for new user accounts is specified in the configuration
parameter "TargetSystem\SAPR3\UserDefaults\Ustyp".
To modify the default user account type
• Edit the value of the configuration parameter "TargetSystem\SAPR3\UserDefaults\Ustyp" in the Designer.
External Identifier Types
External authentication methods for logging on to a system can be used in SAP R/3. The
One Identity Manager supplies the following types as user identifiers to find the login data
necessary for different authentication mechanisms for external systems on an SAP system:
Table 30: External identifier types

| Type | Description |
|---|---|
| DN | Distinguished Name for X.509. |
| NT | Windows NTLM or password verification with the Windows domain controller. |
| LD | LDAP bind <user defined> (for other external authentication mechanisms). |
| SA | SAML Token. |
To specify a default type for external identifiers
• Set the configuration parameter "TargetSystem\SAPR3\UserDefaults\ExtID_Type" in the Designer and specify a value.
Parameter
Parameters can be loaded into the One Identity Manager database and assigned to user accounts by synchronization.
To display parameters
1. Select the category SAP R/3 | Parameters.
2. Select the parameter in the result list. Select Change master data in the task view.
Table 31: Parameter Properties

| Property | Description |
|---|---|
| System | System to which the parameter belongs. |
| Parameter | Parameter name. |
| Text | Description of the parameter. |
Related Topics
• Assigning Parameters on page 119
Printers
To display a printer
1. Select the category SAP R/3 | Printers.
2. Select the printer in the result list.
The printer's properties, assigned SAP system and assigned user accounts are displayed on
the overview form.
Cost centers
To display a cost center
1. Select the category SAP R/3 | Cost centers.
2. Select the cost center in the result list.
The cost center properties and assigned client are displayed on the overview form.
Start Menu
To display a start menu
1. Select the category SAP R/3 | Start menus.
2. Select the start menu in the result list.
The start menu's properties, assigned client and assigned user accounts are displayed on
the overview form.
Companies
To display a company
1. Select the category SAP R/3 | Companies.
2. Select the company in the result list.
The company's properties, assigned client and assigned user accounts are displayed on the
overview form.
Login Languages
To display a login language
1. Select the category SAP R/3 | Basic configuration data | Login languages.
2. Select the login language in the result list.
The login language's properties, the associated SAP system and assigned user accounts are
displayed on the overview form.
Security Policies
You can load security policies into the One Identity Manager database using synchronization and assign them to a user account.
To display security policies
1. Select the category SAP R/3 | Security policies.
2. Select the security policy in the result list. Select Change master data in the task view.
Valid security policy attributes, the assigned client and user accounts are displayed on the overview form.
Communications Types
Communication types can be loaded into the One Identity Manager database by
synchronization and assigned to user accounts.
To display communication types
1. Select the category SAP R/3 | Start communication.
2. Select the communication type from the result list.
The assigned user accounts are shown on the overview form.
Licenses
Licenses are required for user account system measurement. Select the following objects
in the synchronization configuration to be able to synchronize licenses and their properties
with the database after initial migration.
To enter a rating for a license
1. Select the category SAP R/3 | Licenses.
2. Select the license in the result list. Select Change master data in the task view.
3. Enter a value in Rating.
4. Save the changes.
The following information is shown for Licenses:
Table 32: License Master Data

| Property | Description |
|---|---|
| License | Unique license identifier. Used to determine the system measurement rating if no license rating is entered. |
| System | Associated SAP system. |
| User type | User type of the SAP system to which the license applies. |
| Price list (token) | Number in the price list. |
| Price list (text) | Description in the price list. |
| Rating | License rating as alphanumeric string. Enter any alphanumeric character string. Case sensitivity is not taken into account when determining the rating for system measurement. The license rating is evaluated when the system measurement ratings are determined. If no rating is entered, the license ID is used for determining the rating for system measurement. |
| Enabled | Specifies whether the license is enabled. |
| Special version | Specifies whether special versions can be selected for this license. |
| Country surcharge | Specifies whether country surcharges can be selected for this license. |
Detailed information about this topic
• Providing System Measurement Data on page 177
Special Versions
If special versions are installed in an SAP R/3 environment for license extension, user
accounts for system measurement must be classified accordingly.
You can see the CUA assignment to user accounts on the special version overview form.
Navigate to the user account with the mouse and edit the special version assignment.
To obtain an overview of a special version
1. Select the category SAP R/3 | Special versions.
2. Select the special version in the result list.
Password Policies
One Identity Manager provides you with support for creating complex password policies, for example, for system user passwords, the employees' central password as well as passwords for individual target systems. Password policies apply not only when the user enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can use or customize if required. You can also define your own password policies.
Detailed information about this topic
• Predefined Password Policies on page 80
• Editing Password Policies on page 81
• Custom Scripts for Password Requirements on page 83
• Restricted Passwords on page 86
• Testing a Password on page 86
• Testing Generating a Password on page 86
• Assigning a Password Policy on page 87
Predefined Password Policies
You can customize predefined password policies to meet your own requirements, if
necessary.
Password for logging into One Identity Manager
The password policy "One Identity Manager password policy" is used for logging into One Identity Manager. This password policy defines the settings for the system user passwords (DialogUser.Password and Person.DialogUserPassword) as well as the access code for a one-off login on the Web Portal (Person.Passcode).
The password policy "One Identity Manager password policy" is also labeled as the default
and is used when no other password policy is found.
Password policy for forming employees' central passwords
An employee's central password is formed from the target system specific user accounts
by respective configuration. The password policy "Employee central password policy"
defines the settings for the central password (Person.CentralPassword).
IMPORTANT: Ensure that the password policy "Employee central password policy"
does not violate the target system specific password requirements.
Password policies for target systems
A predefined password that you can apply to the user account password columns, is
provided for every target system.
NOTE: When you update One Identity Manager version 7.x to One Identity Manager
version 8.0, the configuration parameter settings for forming passwords are passed
on to the target system specific password policies.
IMPORTANT: If you are not working with target system specific password policies,
the default policy applies. In this case, ensure that the password policy "One Identity
Manager password policy" does not violate the target system requirements.
The password policy "SAP R/3 password policy" is predefined for SAP R/3. You can apply
this password policy to SAP user accounts (SAPUser.Password) of an SAP client.
If the clients' password requirements differ, it is recommended that you set up your own
password policies for each client.
Editing Password Policies
To edit a password policy
1. Select the category Manager | Basic configuration data | Password policies
in the SAP R/3.
2. Select the password policy in the result list and select Change master data in the task view.
– OR –
Click the corresponding button in the result list toolbar.
3. Edit the password policy's master data.
4. Save the changes.
Detailed information about this topic
• General Master Data for a Password Policy on page 81
• Policy Settings on page 82
• Character Sets for Passwords on page 82
• Custom Scripts for Password Requirements on page 83
General Master Data for a Password Policy
Enter the following master data for a password policy.
Table 33: Master Data for a Password Policy

| Property | Meaning |
|---|---|
| Display name | Password policy name. Translate the given text using the translation button. |
| Description | Spare text box for additional explanation. Translate the given text using the translation button. |
| Error Message | Custom error message output if the policy is not fulfilled. Translate the given text using the translation button. |
| Owner (Application Role) | Application roles whose members can configure the password policies. |
| Default policy | Mark as default policy for passwords. NOTE: The password policy "One Identity Manager password policy" is marked as the default policy. This password policy is applied if no other password policies can be found. |
Policy Settings
Define the following settings for a password policy on the Password tab.
Table 34: Policy Settings

| Property | Meaning |
|---|---|
| Initial password | Initial password for new user accounts. If no password is given when the user account is added or a random password is generated, the initial password is used. |
| Password confirmation | Reconfirm password. |
| Min. length | Minimum length of the password. Specify the number of characters a password must have. |
| Max. length | Maximum length of the password. Specify the number of characters a password can have. |
| Max. errors | Maximum number of errors. Set the number of invalid passwords. If the user has reached this number, the user account is blocked. |
| Validity period | Maximum age of the password. Enter the length of time a password can be used before it expires. |
| Password history | Enter the number of passwords to be saved. If the value '5' is entered, for example, the last 5 passwords of the user are saved. |
| Min. password strength | Specifies how secure the password must be. The higher the password strength, the more secure it is. The password strength is not tested if the value is '0'. The values '1', '2', '3' and '4' gauge the required complexity of the password. The value '1' demands the least complex password. The value '4' demands the highest complexity. |
| Name properties denied | Specifies whether name properties are permitted in the password. |
Character Sets for Passwords
Use the Character classes tab to specify which characters are permitted for a password.
Table 35: Character Classes for Passwords

| Property | Meaning |
|---|---|
| Min. letters | Specifies the minimum number of alphabetical characters the password must contain. |
| Min. number lower case | Specifies the minimum number of lowercase letters the password must contain. |
| Min. number uppercase | Specifies the minimum number of uppercase letters the password must contain. |
| Min. number digits | Specifies the minimum number of digits the password must contain. |
| Min. number special characters | Specifies the minimum number of special characters the password must contain. |
| Permitted special characters | List of permitted characters. |
| Denied special characters | List of characters which are not permitted. |
| Max. identical characters in total | Maximum number of identical characters that can be present in the password in total. |
| Max. identical characters in succession | Maximum number of identical characters that can be repeated after each other. |
Custom Scripts for Password Requirements
You can implement custom scripts for testing and generating passwords if the password requirements cannot be mapped with the existing settings options. Scripts are applied in addition to the other settings.
Detailed information about this topic
• Script for Checking a Password on page 83
• Script for Generating a Password on page 84
Script for Checking a Password
You can implement a check script if additional policies need to be used for checking a
password, which cannot be mapped with the available settings.
Syntax for Check Scripts
Public Sub CCC_CustomPwdValidate( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
With parameters:
policy = password policy object
spwd = password to test
TIP: To use a base object, take the property Entity of the PasswordPolicy class.
Example for a script for testing a password
A password cannot have '?' or '!' at the beginning. The script checks a given password
for validity.
Public Sub CCC_PwdValidate( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
    ' Copy the password into a plain character array for inspection
    Dim pwd = spwd.ToInsecureArray()
    ' Rule 1: the password must not start with '?' or '!'
    If pwd.Length > 0 Then
        If pwd(0) = "?"c Or pwd(0) = "!"c Then
            Throw New Exception(#LD("Password can't start with '?' or '!'")#)
        End If
    End If
    ' Rule 2: the first three characters must not be identical
    If pwd.Length > 2 Then
        If pwd(0) = pwd(1) AndAlso pwd(1) = pwd(2) Then
            Throw New Exception(#LD("Invalid character sequence in password")#)
        End If
    End If
End Sub
To use a custom script for checking a password
1. Create your script in the category Script Library in the Designer.
2. Edit the password policy.
a. Select the category Manager | Basic configuration data | Password
policies in the SAP R/3.
b. Select the password policy in the result list.
c. Select Change master data in the task view.
d. Enter the name of the script to test the password in Check script on the
Scripts tab.
e. Save the changes.
Related Topics
• Script for Generating a Password on page 84
Script for Generating a Password
You can implement a generating script if additional policies need to be used for generating
a random password, which cannot be mapped with the available settings.
Syntax for Generating Script
Public Sub CCC_PwdGenerate( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
With parameters:
policy = password policy object
spwd = generated password
TIP: To use a base object, take the property Entity of the PasswordPolicy class.
Example for a script to generate a password
The script replaces the invalid characters '?' and '!' in random passwords.
Public Sub CCC_PwdGenerate( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
    ' Copy the generated password into a plain character array for inspection
    Dim pwd = spwd.ToInsecureArray()
    ' Replace invalid characters at the first position; the change must be
    ' written back into the SecureString, the array is only a copy
    If pwd.Length > 0 Then
        If pwd(0) = "?"c Or pwd(0) = "!"c Then
            spwd.SetAt(0, CChar("_"))
        End If
    End If
End Sub
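As an added example that is not part of the guide, the following generation script goes one step beyond the sample above: it removes '?' and '!' at every position and breaks up runs of three identical characters, so that a generated password also passes the check script shown under Script for Checking a Password. It uses only the members the guide shows (ToInsecureArray, SetAt); the replacement characters '_' and '-' are assumed to be permitted by the policy's character class settings, and CCC_PwdGenerateStrict is a hypothetical script name.

```vbnet
' Added example, not part of the One Identity Manager guide.
' Generation script: post-processes a random password so that it also
' satisfies the rules of the check script (no '?' or '!', no three
' identical characters in succession).
' CCC_PwdGenerateStrict is a hypothetical script name.
Public Sub CCC_PwdGenerateStrict( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
    ' Work on a plain character array; every change is mirrored into spwd
    ' with SetAt, because the array is only a copy of the SecureString.
    Dim pwd = spwd.ToInsecureArray()

    ' Replacement characters; assumed to be permitted special characters
    ' in the password policy's character class settings.
    Dim primary As Char = "_"c
    Dim secondary As Char = "-"c

    ' 1. Remove the characters the check script rejects, at every position
    '    (the guide's sample only fixes position 0).
    For i As Integer = 0 To pwd.Length - 1
        If pwd(i) = "?"c Or pwd(i) = "!"c Then
            pwd(i) = primary
            spwd.SetAt(i, primary)
        End If
    Next

    ' 2. Break up runs of three identical characters by replacing the third
    '    one with a character that differs from its predecessor.
    For i As Integer = 2 To pwd.Length - 1
        If pwd(i) = pwd(i - 1) AndAlso pwd(i - 1) = pwd(i - 2) Then
            Dim replacement As Char = If(pwd(i - 1) = primary, secondary, primary)
            pwd(i) = replacement
            spwd.SetAt(i, replacement)
        End If
    Next

    ' 3. Do not leave the plain-text copy in memory longer than necessary.
    Array.Clear(pwd, 0, pwd.Length)
End Sub
```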
To use a custom script for generating a password
1. Create your script in the category Script Library in the Designer.
2. Edit the password policy.
a. Select the category Manager | Basic configuration data | Password
policies in the SAP R/3.
b. Select the password policy in the result list.
c. Select Change master data in the task view.
d. Enter the name of the script to generate a password in Generation script on
the Scripts tab.
e. Save the changes.
Related Topics
• Script for Checking a Password on page 83
Restricted Passwords
You can add words to a list of restricted terms to prohibit them from being used in
passwords.
NOTE: The restricted list applies globally to all password policies.
To add a term to the restricted list
1. Select the category Base Data | Security Settings | Restricted passwords in
the Designer.
2. Create a new entry with the menu item Object | New and enter the term to be excluded in the list.
3. Save the changes.
Testing a Password
When you test a password, all the password policy settings, custom scripts and the
restricted passwords are taken into account.
To test whether a password conforms to the password policy
1. Select the category Manager | Basic configuration data | Password policies
in the SAP R/3.
2. Select the password policy in the result list.
3. Select Change master data in the task view.
4. Select the Test tab.
5. Select the table and object to be tested in Base object for test.
6. Enter a password in Enter password to test.
A display next to the password shows whether it is valid or not.
Testing Generating a Password
When you generate a password, all the password policy settings, custom scripts and the
restricted passwords are taken into account.
To generate a password that conforms to the password policy
1. Select the category Manager | Basic configuration data | Password policies
in the SAP R/3.
2. Select the password policy in the result list.
3. Select Change master data in the task view.
4. Select the Test tab.
5. Click Generate.
This generates and displays a password.
Assigning a Password Policy
The password policy "SAP R/3 password policy" is predefined for SAP R/3. You can apply
this password policy to SAP user accounts (SAPUser.Password) of an SAP client.
If the clients' password requirements differ, it is recommended that you set up your own
password policies for each client.
IMPORTANT: If you are not working with target system specific password policies,
the default policy applies. In this case, ensure that the password policy "One Identity
Manager password policy" does not violate the target system requirements.
To reassign a password policy
1. Select the category Manager | Basic configuration data | Password policies
in the SAP R/3.
2. Select the password policy in the result list.
3. Select Assign objects in the task view.
4. Click Add in the Assignments section and enter the following data.
Table 36: Assigning a Password Policy

| Property | Description |
|---|---|
| Apply to | Application scope of the password policy. To specify an application scope: a. Click the button next to the text box. b. Select the table which contains the password column under Table. c. Select the specific target system under Apply to. d. Click OK. |
| Password column | The password column's identifier. |
| Password policy | The identifier of the password policy to be used. |
5. Save the changes.
To change a password policy's assignment
1. Select the category Manager | Basic configuration data | Password policies
in the SAP R/3.
2. Select the password policy in the result list.
3. Select Assign objects in the task view.
4. Select the assignment you want to change in Assignments.
5. Select the new password policy to apply from the Password Policies menu.
6. Save the changes.
Initial Password for New SAP User Accounts
Table 37: Configuration Parameters for Formatting Initial Passwords for User Accounts

| Configuration parameter | Meaning |
|---|---|
| QER\Person\UseCentralPassword | This configuration parameter specifies whether the employee's central password is used in the user accounts. The employee's central password is automatically mapped to the employee's user account in all permitted target systems. This excludes privileged user accounts, which are not updated. |
| QER\Person\UseCentralPassword\PermanentStore | This configuration parameter controls the storage period for central passwords. If the parameter is set, the employee's central password is permanently stored. If the parameter is not set, the central password is only used for publishing to existing target system specific user accounts and is subsequently deleted from the One Identity Manager database. |
| TargetSystem\SAPR3\Accounts\InitialRandomPassword | This configuration parameter specifies whether a randomly generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy. |
You have the following possible options for issuing an initial password for a new SAP user account.
1. Use the employee's central password. The employee's central password is mapped to the user account password.
• Set the configuration parameter "QER\Person\UseCentralPassword" in the Designer.
If the configuration parameter "QER\Person\UseCentralPassword" is set, the employee's central password is automatically mapped to an employee's user account in each of the target systems. This excludes privileged user accounts, which are not updated.
• Use the configuration parameter "QER\Person\UseCentralPassword\PermanentStore" in the Designer to specify whether an employee's central password is permanently saved in the One Identity Manager database or only until the password has been published in the target system.
The password policy "Employee central password policy" is used to format the central password.
IMPORTANT: Ensure that the password policy "Employee central password policy" does not violate the target system specific password requirements.
2. Create user accounts manually and enter a password in their master data.
3. Specify an initial password to be used when user accounts are created automatically.
• Apply the target system specific password policies and enter an initial password in the password policies.
4. Assign a randomly generated initial password to enter when you create user accounts.
• Set the configuration parameter "TargetSystem\SAPR3\Accounts\InitialRandomPassword" in the Designer.
• Apply target system specific password policies and define the character sets that the password must contain.
• Specify which employee will receive the initial password by email.
Related Topics
• Password Policies on page 79
• Email Notifications about Login Data on page 90
Email Notifications about Login Data
Table 38: Configuration Parameters for Notifications about Actions in the Target System

| Configuration parameter | Meaning |
|---|---|
| TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo | This configuration parameter specifies to which employee the email with the randomly generated password should be sent (manager of cost center/department/location/business role, employee's manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the configuration parameter "TargetSystem\SAPR3\DefaultAddress". |
| TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo\MailTemplateAccountName | This configuration parameter contains the name of the mail template sent to inform users about their initial login data (name of the user account). Use the mail template "Employee - new account created". |
| TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo\MailTemplatePassword | This configuration parameter contains the name of the mail template sent to inform users about their initial login data (initial password). Use the mail template "Employee - initial password for new user account". |
| TargetSystem\SAPR3\DefaultAddress | The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system. |
You can configure the login information for new user accounts to be sent by email to a
specified person. In this case, two messages are sent with the user name and the initial
password. Mail templates are used to generate the messages. The mail text in a mail
template is defined in several languages, which means the recipient’s language can be
taken into account when the email is generated. Mail templates are supplied in the default
installation with which you can configure the notification procedure.
To use email notifications about login data
1. Ensure that the email notification system is configured in One Identity Manager. For more detailed information, see the One Identity Manager Configuration Guide.
2. Enable the configuration parameter "Common\MailNotification\DefaultSender" in the Designer and enter the email address for sending the notification.
3. Ensure that all employees have a default email address. Notifications are sent to this address. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
4. Ensure that a language culture can be determined for all employees. Only then can they receive email notifications in their own language. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
When a randomly generated password is issued for the new user account, the initial login
data for a user account is sent by email to a previously specified person.
To send initial login data by email
1. Set the configuration parameter
"TargetSystem\SAPR3\Accounts\InitialRandomPassword" in the Designer.
2. Set the configuration parameter
"TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo" in the Designer
and enter the message recipient as value.
3. Set the configuration parameter "TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo\MailTemplateAccountName" in the Designer.
By default, the message sent uses the mail template "Employee - new account created". The message contains the name of the user account.
4. Set the configuration parameter "TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo\MailTemplatePassword" in the Designer.
By default, the message sent uses the mail template "Employee - initial password for new user account". The message contains the initial password for the user account.
TIP: Change the value of the configuration parameter in order to use custom mail
templates for these mails.
Editing a Server
In order to handle SAP R/3 specific processes in One Identity Manager, the synchronization
server and its server functionality must be declared. You have several options for defining
a server's functionality:
• Create an entry for the Job server in the category Base Data | Installation | Job server in the Designer. For detailed information, see the One Identity Manager Configuration Guide.
• Select an entry for the Job server in the category SAP R/3 | Basic configuration data | Server in the Manager and edit the Job server master data.
Use this task if the Job server has already been declared in One Identity Manager and you want to configure special functions for the Job server.
NOTE: One Identity Manager Service must be installed, configured and started in order for a server to execute its function in the One Identity Manager network. Proceed as described in the One Identity Manager Installation Guide.
To edit a Job server and its functions
1. Select the category SAP R/3 | Basic configuration data | Server in the
Manager.
2. Select the Job server entry in the result list.
3. Select Change master data in the task view.
4. Edit the Job server's master data.
5. Select Assign server functions in the task view and specify server functionality.
6. Save the changes.
Detailed information about this topic
• Master Data for a Job Server on page 92
• Specifying Server Functions on page 94
Related Topics
• Setting Up the Synchronization Server on page 17
Master Data for a Job Server
NOTE: All editing options are available to you in the Designer, in the category Base
Data | Installation | Job server.
Table 39: Job Server Properties

Property: Meaning

Server: Job server name.

Full server name: Full server name in accordance with DNS syntax. Example: <Name of servers>.<Fully qualified domain name>

Target System: Computer account target system.

Language culture: Language of the server.

Server is cluster: Specifies whether the server maps a cluster.

Server belongs to cluster: Cluster to which the server belongs.
NOTE: The properties Server is cluster and Server belongs to cluster are mutually exclusive.

IP address (IPv6): Internet protocol version 6 (IPv6) server address.

IP address (IPv4): Internet protocol version 4 (IPv4) server address.

Copy process (source server): Permitted copying methods that can be used when this server is the source of a copy action. Only the methods "Robocopy" and "Rsync" are currently supported.

Copy process (target server): Permitted copying methods that can be used when this server is the destination of a copy action.
If no method is given, the One Identity Manager Service determines the operating system of the server during runtime. Replication then takes place between servers with a Windows operating system using "Robocopy" and between servers with the Linux operating system using "rsync". If the operating systems of the source and destination servers differ, it is important that the right copy method is applied for successful replication. A copy method is chosen that supports both servers.

Coding: Character set coding that is used to write files to the server.

Parent Job server: Name of the parent Job server.

Executing server: Name of the executing server. The name of the server that exists physically and where the processes are handled.
This input is evaluated when One Identity Manager Service is automatically updated. If the server is handling several queues, the process steps are not supplied until all the queues that are being processed on the same server have completed their automatic update.

Queue: Name of the queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file.

Server operating system: Operating system of the server. This input is required to resolve the path name for replicating software profiles. Permitted values are "Win32", "Windows", "Linux" and "Unix". If the input is empty, "Win32" is assumed.

Service account data: One Identity Manager Service user account information. In order to replicate between non-trusted systems (non-trusted domains, Linux server) the One Identity Manager Service user information has to be declared for the servers in the database. This means that the service account, the service account domain and the service account password have to be entered for the server.

One Identity Manager Service installed: Specifies whether a One Identity Manager Service is installed on this server. This option is enabled by the procedure QBM_PJobQueueLoad the moment the queue is called for the first time.

Stop One Identity Manager Service: Specifies whether the One Identity Manager Service has stopped. If this option is set for the Job server, the One Identity Manager Service does not process any more tasks.
The option is not automatically removed. If necessary, you can reset this option manually for servers whose queue is no longer enabled.
You can make the service start and stop with the appropriate administrative permissions in program "Job Queue Info".

No automatic software update: Specifies whether to exclude the server from automatic software updating.
NOTE: Servers must be manually updated if this option is set.

Software update running: Specifies whether a software update is currently being executed.

Server Function: Server functionality in One Identity Manager. One Identity Manager processes are handled depending on the server function.
Related Topics
• Specifying Server Functions on page 94
Specifying Server Functions
NOTE: All editing options are available to you in the Designer, in the category Base
Data | Installation | Job server.
The server function defines the functionality of a server in One Identity Manager. One
Identity Manager processes are handled depending on the server function.
NOTE: More server functions may be available depending on which modules are
installed.
Table 40: Permitted Server Functions

Server Function: Remark

CSV connector: Server on which the CSV connector for synchronization is installed.

Domain controller: The Active Directory domain controller. Servers that are not labeled as domain controller are considered to be member servers.

Printer server: Server which acts as a print server.

Generic server: Server for generic synchronization with a custom target system.

Home server: Server for adding home directories for user accounts.

Update Server: This server executes automatic software updating of all other servers. The server requires a direct connection to the database server that the One Identity Manager database is installed on. The server can execute SQL tasks.
The server with the installed One Identity Manager database is labeled with this functionality during initial installation of the schema.

SQL processing server: This server can process SQL tasks. Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.

Native database connector: The server can connect to an ADO.Net database.

One Identity Manager database connector: Server on which the One Identity Manager connector is installed. This server executes synchronization with the target system One Identity Manager.

One Identity Manager Service installed: Server on which a One Identity Manager Service is installed.

Primary domain controller: Primary domain controller.

Profile Server: Server for setting up profile directories for user accounts.

SAM synchronization server: Server for running synchronization with an SMB-based target system.

SAP R/3 connector: Server on which the SAP R/3 connector is installed. This server executes synchronization with the target system SAP R/3.

SMTP host: Server from which the One Identity Manager Service sends email notifications. Prerequisite for sending mails using the One Identity Manager Service is SMTP host configuration.

Default report server: Server on which reports are generated.

Windows PowerShell connector: The server can run Windows PowerShell version 3.0 or later.
Related Topics
• Master Data for a Job Server on page 92
Target System Managers
For more detailed information about implementing and editing application roles, see the
One Identity Manager Application Roles Administration Guide.
Implementing Application Roles for Target System Managers
1. The One Identity Manager administrator assigns employees to be target
system managers.
2. These target system managers add employees to the default application role for
target system managers.
Members of the default application role for target system managers are entitled to edit all clients in One Identity Manager.
3. Target system managers can authorize more employees as target system managers,
within their scope of responsibilities and create other child application roles and
assign individual clients.
Table 41: Default Application Roles for Target System Managers

User: Target System Managers

Task: Target system managers must be assigned to the application role Target systems | SAP R/3 or a sub application role.
Users with this application role:
• Assume administrative tasks for the target system.
• Create, change or delete target system objects, like user accounts or groups.
• Edit password policies for the target system.
• Prepare system entitlements for adding to the IT Shop.
• Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
• Edit the synchronization's target system types and outstanding objects.
• Authorize other employees within their area of responsibility as target system managers and create child application roles if required.
To initially specify employees to be target system administrators
1. Log in to the Manager as One Identity Manager administrator (application role Base role | Administrators).
2. Select the category One Identity Manager Administration | Target systems |
Administrators.
3. Select Assign employees in the task view.
4. Assign the employee you want and save the changes.
To add the first employees to the default application role as target system managers
1. Log in to the Manager as target system administrator (application role Target systems | Administrator).
2. Select the category One Identity Manager Administration | Target
systems | SAP R/3.
3. Select Assign employees in the task view.
4. Assign the employees you want and save the changes.
To authorize other employees as target system managers when you are a
target system manager
1. Log in to the Manager as target system manager.
2. Select the application role in the category SAP R/3 | Basic configuration data |
Target system managers.
3. Select Assign employees in the task view.
4. Assign the employees you want and save the changes.
To define target system managers for individual clients
1. Log in to the Manager as target system manager.
2. Select the category SAP R/3 | Clients.
3. Select the client from the result list.
4. Select Change master data in the task view.
5. Select the application role on the General tab in the Target system manager menu.
- OR -
Click the button next to the Target system manager menu to create a new application role.
• Enter the application role name and assign the parent application role Target system | SAP R/3.
• Click OK to add the new application role.
6. Save the changes.
7. Assign the application role to employees, who are authorized to edit the client in One
Identity Manager.
Related Topics
• One Identity Manager Users for Managing an SAP R/3 on page 11
• General Master Data for an SAP Client on page 100
4 SAP Systems
NOTE: The Synchronization Editor sets up SAP systems in the One Identity Manager
database.
To edit an SAP system's master data
1. Select the category SAP R/3 | Systems.
2. Select an SAP system in the result list and run the task Change master data.
3. Edit the system's master data.
4. Save the changes.
Table 42: Master Data for an SAP System

Property: Description

Display name: The SAP system's display name.

System number: The SAP system number.

System measurement enabled: Specifies whether system measurement for this system is carried out. One Identity Manager provides the measurement data but the actual system measurement takes place in the SAP R/3 environment.
Related Topics
• Providing System Measurement Data on page 177
5 SAP Clients
NOTE: The Synchronization Editor sets up the clients in the One Identity Manager database.
To edit client master data
1. Select the category SAP R/3 | Clients.
2. Select the client from the result list. Select Change master data in the task view.
3. Edit the client's master data.
4. Save the changes.
General Master Data for an SAP Client
Enter the following general data on the General tab.
Table 43: General Master Data for a Client

Property: Description

Client no.: Number of the client.

Name: Client's name.

System: System to which the client belongs.

Canonical name: Client's canonical name.

Company: Company for which the client is set up. The company given here is used when a new user account is set up.

City: City where company resides.

Has user administration: Specifies whether the client is used for user administration.

Account definition (initial): Initial account definition for creating user accounts. These account definitions are used if automatic assignment of employees to user accounts is used for this domain resulting in administered user accounts (state "Linked configured"). The account definition's default manage level is applied.
User accounts are only linked to the employee (state "Linked") if no account definition is given. This is the case on initial synchronization, for example.
NOTE: The account definition can only be assigned if no CUA status is entered or CUA status "central system" is assigned.

Target system managers: Application role in which target system managers are specified for the client. Target system managers only edit client objects that are assigned to them. Each client can have a different target system manager assigned to it.
Select the One Identity Manager application role whose members are responsible for administration of this client. Use the button to add a new application role.

Synchronized by: Specify how the data will be synchronized between the target system and One Identity Manager. Choose between "One Identity Manager", "FIM" and "No synchronization".
NOTE: You can only specify the synchronization type when adding a new client. No changes can be made after saving.
Use "One Identity Manager" when you create a client with the Synchronization Editor.

Table 44: Permitted Values

Value | Synchronization by | Provisioned by
One Identity Manager | SAP R/3 connector | SAP R/3 connector
No synchronization | none | none

NOTE: If you select "No synchronization" you can define custom processes to exchange data between One Identity Manager and the target system.

ALE name: Name used to map the client as logical system in the SAP distribution model.

ALE model name: Name of the SAP distribution model that maps the relation between the logical systems of the central user administration. SAP roles and profiles of all child systems with the same ALE model name as the central system are synchronized when the central system is synchronized.

CUA status: Labels client usage when CUA is enabled. Possible values are "Central", "Child" and "None". If Central User Administration is not enabled, do not enter a value.

CUA central system: Central system to which the client belongs. Assign the valid central system to clients with CUA status "Child".

Description: Spare text box for additional explanation.
Related Topics
• Setting Up Account Definitions on page 57
• Assigning Account Definitions to a Target System on page 71
• Target System Managers on page 96
• Special Features of Synchronizing with a CUA Central System on page 31
• Excluding child Systems from Synchronization on page 32
Specifying Categories for Inheriting
SAP Groups, SAP Roles and SAP Profiles
NOTE: For ease of understanding, the behavior is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.
In One Identity Manager, groups can be selectively inherited by user accounts. For this,
groups and user accounts are divided into categories. The categories can be freely selected
and are specified by a template. Each category is given a specific position within the
template. The mapping rule contains different tables. Use the user account table to specify
categories for target system dependent user accounts. Enter your categories for the
structural profiles, administrative roles, subscriptions and disabled service plans in the .
Each table contains the category items "Position1" to "Position31".
NOTE: If central user administration is implemented, define the categories in the
central system as well as in the child system. The same categories must be defined in
the child system as in the central system so that groups from a child system can be
inherited by user accounts.
To define a category
1. Select the category SAP R/3 | Clients.
2. Select the client from the result list.
3. Select Change master data in the task view.
4. Switch to the Mapping rule category tab.
5. Expand the respective base node of a table.
6. Click the button to enable the category.
7. Enter a name for the user account and group categories in the current language.
8. Save the changes.
Detailed information about this topic
• Inheriting SAP Groups, SAP Roles and SAP Profiles based on Categories on page 159
• One Identity Manager Target System Base Module Administration Guide
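The category mechanism described above, as an added example that is not One Identity Manager code: the category items "Position1" to "Position31" of a mapping rule table are modeled as bits of one mask per user account and per group, and a group is inherited when both share at least one category. How objects with no category at all are treated is not stated on this page, so that case is an explicit parameter; the names and masks are constructed.

```python
"""Category-based group inheritance (added example, not One Identity Manager code).

"Position1" .. "Position31" are modeled as bits of a 31-bit mask, one mask per
user account and one per group. Assumption: a group is inherited when account
and group share at least one category; the treatment of objects without any
category is an explicit parameter because this page does not state it.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List

POSITIONS = 31  # "Position1" .. "Position31"


def position_mask(*positions: int) -> int:
    """Build a category mask from 1-based positions ("Position1" = bit 0)."""
    mask = 0
    for p in positions:
        if not 1 <= p <= POSITIONS:
            raise ValueError(f"Position{p} is outside Position1..Position{POSITIONS}")
        mask |= 1 << (p - 1)
    return mask


def position_names(mask: int) -> List[str]:
    """List the category items set in a mask, e.g. 5 -> ['Position1', 'Position3']."""
    return [f"Position{i + 1}" for i in range(POSITIONS) if (mask >> i) & 1]


@dataclass(frozen=True)
class CategorizedObject:
    """A user account or a group together with its category mask."""
    name: str
    categories: int = 0


def inherits(account: CategorizedObject, group: CategorizedObject,
             uncategorized_inherit: bool = False) -> bool:
    """Decide whether `account` inherits `group` through categories.

    An object without categories can never overlap by bits, so the
    `uncategorized_inherit` flag (assumption, see module docstring) decides
    that case explicitly instead of silently returning False.
    """
    if account.categories == 0 or group.categories == 0:
        return uncategorized_inherit
    return (account.categories & group.categories) != 0


def effective_groups(account: CategorizedObject,
                     groups: Iterable[CategorizedObject],
                     uncategorized_inherit: bool = False) -> List[str]:
    """Names of the groups the account inherits, in the order given."""
    return [g.name for g in groups if inherits(account, g, uncategorized_inherit)]


def explain(account: CategorizedObject, group: CategorizedObject,
            labels: Dict[int, str]) -> str:
    """Readable reason using the per-position names entered in step 7 of the
    procedure; `labels` maps a 1-based position to its display name."""
    shared = account.categories & group.categories
    if shared == 0:
        return f"{account.name} does not share a category with {group.name}"
    names = ", ".join(labels.get(i + 1, f"Position{i + 1}")
                      for i in range(POSITIONS) if (shared >> i) & 1)
    return f"{account.name} inherits {group.name} via {names}"


# Constructed sample data: category names, one user account and four groups.
LABELS = {1: "Finance users", 2: "HR users", 3: "Basis admins"}
ACCOUNT = CategorizedObject("JDOE", position_mask(1, 3))
GROUPS = [
    CategorizedObject("FIN_REPORTING", position_mask(1)),
    CategorizedObject("HR_PAYROLL", position_mask(2)),
    CategorizedObject("BASIS_ADMIN", position_mask(3, 2)),
    CategorizedObject("EVERYONE"),  # no category assigned at all
]

if __name__ == "__main__":
    for g in GROUPS:
        print(explain(ACCOUNT, g, LABELS))
    print(effective_groups(ACCOUNT, GROUPS))
```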
How to Edit a Synchronization Project
Synchronization projects, in which a client is already used as a base object, can also be
opened using the Manager. You can, for example, check the configuration or view the
synchronization log in this mode. The Synchronization Editor is not started with its full
functionality. You cannot run certain functions, such as, running synchronization or
simulation, starting the target system browser and others.
NOTE: The Manager is locked for editing throughout. To edit objects in the Manager,
close the Synchronization Editor.
To open an existing synchronization project in the Synchronization Editor
1. Select the category SAP R/3 | Clients.
2. Select the client from the result list. Select Change master data in the task view.
3. Select Edit synchronization project... from the task view.
Detailed information about this topic
• One Identity Manager Target System Synchronization Reference Guide
Related Topics
• Customizing Synchronization Configuration on page 35
6 SAP User Accounts
You can manage the users of an SAP R/3 environment with One Identity Manager. One Identity Manager concentrates on setting up and editing SAP user accounts. Groups, roles and profiles are mapped in SAP, in order to provide the necessary permissions for One Identity Manager user accounts. The necessary data for system measurement is also mapped. The system measurement data is available in One Identity Manager, but the measurement itself takes place in the SAP R/3 environment.
If user accounts are managed through the central user administration (CUA) in SAP R/3, access to the child clients can be granted to or withdrawn from user accounts in One Identity Manager.
Detailed information about this topic
• Linking User Accounts to Employees on page 104
• Supported User Account Types on page 105
• Entering Master Data for SAP User Accounts on page 109
Linking User Accounts to Employees
The central component of the One Identity Manager is to map employees and their master
data with permissions through which they have control over different target systems. For
this purpose, information about user accounts and permissions can be read from the target
system into the One Identity Manager database and linked to employees. This gives an
overview of the permissions for each employee in all of the connected target systems.
One Identity Manager provides the possibility to manage user accounts and their
permissions. You can provision modifications in the target systems. Employees are
supplied with the necessary permissions in the connected target systems according to their
function in the company. Regular synchronization keeps data consistent between target
systems and the One Identity Manager database.
Because requirements vary between companies, the One Identity Manager offers different
methods for supplying user accounts to employees. One Identity Manager supports the
following methods for linking employees and their user accounts.
• Employees and user accounts can be entered manually and assigned to each other.
• Employees can automatically obtain their account definitions using user account resources. If an employee does not have a user account in a client, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism followed by process handling.
When you manage account definitions through user accounts, you can specify the way user accounts behave when employees are enabled or deleted.
NOTE: If employees obtain their user accounts through account definitions, they have to have a central SAP user account.
• An existing employee is automatically assigned when a user account is added or a new employee is created if necessary. In this case, employee master data is created on the basis of the existing user account master data. This mechanism can be implemented if a new user account is created manually or by synchronization. This method, however, is not the One Identity Manager default method. Define criteria for finding employees for automatic employee assignment.
Related Topics
• Entering Master Data for SAP User Accounts on page 109
• Setting Up Account Definitions on page 57
• Automatic Assignment of Employees to SAP User Accounts on page 127
For more detailed information about employee handling and administration, see the One
Identity Manager Target System Base Module Administration Guide.
Supported User Account Types
Different types of user accounts, such as default user accounts, administrative user
accounts or service accounts, can be mapped in One Identity Manager.
The following properties are used for mapping different user account types.

• Identity (column IdentityType)
The identity describes the type of user account.

Table 45: Identities of User Accounts

Identity | Description | Value of the column "IdentityType"
Primary identity | Employee's default user account. | Primary
Organizational identity | Secondary user account used for various roles within the organization, for example in sub-agreements with other functional areas. | Organizational
Personalized admin identity | User account with administration rights used by one person. | Admin
Sponsored identity | User account used for example for training purposes. | Sponsored
Shared identity | User account with administration rights used by several people. | Shared
Service identity | Service account. | Service

• Privileged user account (column IsPrivilegedAccount)
Use this option to flag user accounts with special, privileged permissions. This includes administrative user accounts or service accounts, for example. This option is not used to flag default user accounts.
Default User Accounts
Normally, each employee obtains a default user account, which has the permissions they
require for their regular work. The user accounts are linked to the employee. The effect of
the link and the scope of the employee’s inherited properties on the user accounts can be
configured through an account definition and its manage levels.
To create default user accounts through account definitions
1. Create an account definition and assign the manage level "Unmanaged" or "Full
managed" to it.
2. Specify the effect of temporarily or permanently disabling, deleting or the
security risk of an employee on its user accounts and group memberships for
each manage level.
3. Create a formatting rule for IT operating data.
An account definition specifies which rules are used to generate the IT operating data
for example, whether the container for a user account is made up of the employee's
department, cost center, location or business role and which default values will be
used if no IT operating data can be found through the employee's primary roles.
Which IT operating data is required, depends on the target system. The following settings are recommended for default user accounts:
• Use the default value "1" in the formatting rule for the column IsGroupAccount and set the option Always use default value.
• Use the default value "primary" in the formatting rule for the column IdentityType and set the option Always use default value.
4. Enter the effective IT operating data for the target system. Select the concrete target
system under Effects on.
Specify in the departments, cost centers, locations or business roles, which IT
operating data should apply when you set up a user account.
5. Assign the account definition to employees.
When the account definition is assigned to an employee, a new user account is
created through the inheritance mechanism and subsequent processing.
Administrative User Accounts
An administrative user account must be used for certain administrative tasks.
Administrative user accounts are normally predefined in the target system and have fixed
identifiers and login names, for example, "Administrator".
Administrative user accounts are loaded through synchronization into the One Identity
Manager. To assign a manager to administrative user accounts, assign an employee to the
user account in One Identity Manager.
NOTE: You can automatically label administrative user accounts as privileged user
accounts. To do this, set the schedule "Mark selected user accounts as privileged" in
the Designer.
Privileged User Accounts
Privileged user accounts are used to provide employees with additional privileges. This
includes administrative user accounts or service accounts, for example. The user accounts
are marked with the property Privileged user account (IsPrivilegedAccount).
NOTE: The criteria used to label user accounts automatically as privileged, are
defined as extensions to the view definition (ViewAddOn) on the table
TSBVAccountIsPrivDetectRule (table type "Union"). The evaluation is done in the script
TSB_SetIsPrivilegedAccount.
To create privileged users through account definitions
1. Create an account definition. Create a new manage level for privileged user accounts
and assign this manage level to the account definition.
2. If you want to prevent properties for privileged user accounts being overwritten, set the property IT operating data overwrites for the manage level to the value "Only initially". In this case, the properties are populated just once when the user account is created.
3. Specify the effect of temporarily or permanently disabling, deleting or the
security risk of an employee on its user accounts and group memberships for
each manage level.
4. Create a formatting rule for IT operating data.
An account definition specifies which rules are used to generate the IT operating data
for example, whether the container for a user account is made up of the employee's
department, cost center, location or business role and which default values will be
used if no IT operating data can be found through the employee's primary roles.
Which IT operating data is required, depends on the target system. The following
settings are recommended for privileged user accounts:
• Use the default value "1" in the formatting rule for the column IsPrivilegedAccount and set the option Always use default value.
• You can also specify a formatting rule for the column IdentityType. The column owns different permitted values, which represent user accounts.
• To prevent privileged user accounts inheriting default user groups, define a template for the column IsGroupAccount with the default value "0" and set the option Always use default value.
5. Enter the effective IT operating data for the target system.
Specify in the departments, cost centers, locations or business roles, which IT
operating data should apply when you set up a user account.
6. Assign the account definition directly to employees who work with privileged
user accounts.
When the account definition is assigned to an employee, a new user account is
created through the inheritance mechanism and subsequent processing.
NOTE: Specify a formatting rule for a naming schema if it is required by the company
for privileged user account login names.
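The formatting rules recommended in the two procedures above (default user accounts and privileged user accounts), as an added example that is not One Identity Manager code: a rule either forces its default value ("Always use default value") or is resolved through the employee's primary roles with the default as fallback, and a manage level with IT operating data overwrites set to "Only initially" leaves an existing account untouched. The role lookup order, the Container column and all sample values are assumptions constructed for illustration.

```python
"""Resolving IT operating data through formatting rules (added example, not
One Identity Manager code).

Models the recommended settings above: default accounts get IsGroupAccount "1"
and IdentityType "Primary" with "Always use default value"; privileged accounts
get IsPrivilegedAccount "1" and IsGroupAccount "0" the same way, plus a manage
level whose IT operating data overwrites option is "Only initially".
The lookup order through primary roles and the Container column are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed order in which an employee's primary roles are searched for a value.
PRIMARY_ROLE_ORDER = ("department", "cost_center", "location", "business_role")

# (role type, role name) -> {column: value}
OperatingData = Dict[Tuple[str, str], Dict[str, str]]


@dataclass(frozen=True)
class FormattingRule:
    column: str
    default: str
    always_use_default: bool = False  # the "Always use default value" option


@dataclass(frozen=True)
class AccountDefinition:
    name: str
    rules: Tuple[FormattingRule, ...]
    overwrite_only_initially: bool = False  # IT operating data overwrites = "Only initially"


@dataclass
class Employee:
    name: str
    primary_roles: Dict[str, str] = field(default_factory=dict)  # role type -> role name


def resolve_column(rule: FormattingRule, employee: Employee,
                   data: OperatingData) -> str:
    """Forced default, else the first primary role that carries the column,
    else the rule's default (no operating data found through the roles)."""
    if rule.always_use_default:
        return rule.default
    for role_type in PRIMARY_ROLE_ORDER:
        role_name = employee.primary_roles.get(role_type)
        if role_name is None:
            continue
        values = data.get((role_type, role_name), {})
        if rule.column in values:
            return values[rule.column]
    return rule.default


def generate_operating_data(definition: AccountDefinition, employee: Employee,
                            data: OperatingData) -> Dict[str, str]:
    """IT operating data for a new user account of this employee."""
    return {r.column: resolve_column(r, employee, data) for r in definition.rules}


def apply_to_account(definition: AccountDefinition, account: Optional[Dict[str, str]],
                     employee: Employee, data: OperatingData) -> Dict[str, str]:
    """Populate a new account; for an existing one re-apply the generated values
    unless the manage level overwrites only initially."""
    generated = generate_operating_data(definition, employee, data)
    if account is None:
        return generated
    if definition.overwrite_only_initially:
        return dict(account)  # populated once at creation, never overwritten
    merged = dict(account)
    merged.update(generated)
    return merged


DEFAULT_ACCOUNT = AccountDefinition("SAP default user account", (
    FormattingRule("IsGroupAccount", "1", always_use_default=True),
    FormattingRule("IdentityType", "Primary", always_use_default=True),
    FormattingRule("Container", "DEFAULT-CONTAINER"),  # assumed column
))
PRIVILEGED_ACCOUNT = AccountDefinition("SAP privileged user account", (
    FormattingRule("IsPrivilegedAccount", "1", always_use_default=True),
    FormattingRule("IsGroupAccount", "0", always_use_default=True),
    FormattingRule("IdentityType", "Admin"),  # resolved via roles, "Admin" as fallback
    FormattingRule("Container", "ADMIN-CONTAINER"),
), overwrite_only_initially=True)

# Constructed sample IT operating data entered per primary role.
SAMPLE_DATA: OperatingData = {
    ("department", "Finance"): {"Container": "FIN"},
    ("location", "Berlin"): {"Container": "BER"},
}
```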
Central User Administration in One Identity Manager
If user accounts are managed through the central user administration (CUA) in SAP R/3, access to the child clients can be granted to or withdrawn from user accounts in One Identity Manager. To do this, clients are marked as central system or child system in One Identity Manager. User accounts are managed in the central system. You specify the child systems in which each user account obtains its access permissions (table SAPUserInSAPMandant). Only SAP groups, roles or profiles from these clients and from the central system can be assigned to a user account.
To use automatic employee assignment for central user administration (CUA) user
accounts, assign the account definition to the CUA central system. Account definitions
cannot be used to assign user accounts to child systems.
To grant access permissions in a child system to a user account
1. Assign all the clients to the user account to which it can have access permissions.
For more information, see Assigning Child Systems on page 124.
2. Assign SAP groups, roles, profiles from the child systems to the user account.
For more information, see Additional Tasks for Managing SAP User Accounts
on page 120.
Related Topics
- General Master Data for an SAP Client on page 100
- General Master Data for an SAP User Account on page 110
- Setting Up Account Definitions on page 57
Entering Master Data for SAP User
Accounts
A user account can be linked to an employee in the One Identity Manager. You can also
manage user accounts separately from employees.
NOTE: It is recommended to use account definitions to set up user accounts for
company employees. In this case, some of the master data described in the following
is mapped through templates from employee master data.
NOTE: If employees obtain their user accounts through account definitions, they have
to have a central SAP user account.
To edit master data for a user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list and run the task Change master data.
- OR -
Click the corresponding button in the result list toolbar.
3. Edit the user account's resource data.
4. Save the changes.
To manually assign or create a user account for an employee
1. Select the category Employees | Employees.
2. Select the employee in the result list and run Assign SAP user accounts from
the task view.
3. Assign a user account.
4. Save the changes.
Detailed information about this topic
- General Master Data for an SAP User Account on page 110
- SAP User Account Login Data on page 114
- Phone numbers on page 115
- Fax numbers on page 116
- Email addresses on page 117
- Assigning Parameters on page 119
- Fixed Values for an SAP User Account on page 118
- Measurement Data on page 119
- SNC Data for an SAP User Account on page 120
General Master Data for an SAP User
Account
Table 46: Configuration Parameters for Risk Assessment of SAP User Accounts
QER\CalculateRiskIndex: Preprocessor-relevant configuration parameter controlling the
system components for calculating an employee's risk index. Changes to the parameter
require recompiling the database. If the parameter is set, values can be entered and
calculated for the risk index.
NOTE: You can only add user accounts to clients that are marked as central system if
user accounts in the SAP system are managed with central user administration.
Enter general data for a user account on the Address tab.
Table 47: SAP User Account Address Data
Employee: Employee that uses this user account. An employee is already entered if the
user account was generated by an account definition. If you create the user account
manually, you can select an employee from the menu. If you use automatic employee
assignment, an associated employee is created and entered into the user account when
the user account is saved.
Account definition: Account definition through which the user account was created. Use
the account definition to automatically fill user account master data and to specify a
manage level for the user account. One Identity Manager finds the IT operating data of
the assigned employee and enters it in the corresponding fields of the user account.
NOTE: The account definition cannot be changed once the user account has been saved.
To create the user account manually through an account definition, enter an employee in
the Employee box. You can select all the account definitions assigned to this employee
through which no user account has yet been created for this employee.
Manage level: The user account's manage level. Select a manage level from the menu. You
can only specify the manage level if you have also entered an account definition. All
manage levels of the selected account definition are available in the menu.
Client: The client in which the user account is added; the central system, if user
accounts are managed with CUA. You can only edit the client while the user account is
being added.
User account: User account identifier. If you have assigned an account definition, the
input field is filled automatically with respect to the manage level.
NOTE: Existing user accounts cannot be renamed.
First name: The user's first name. If you have assigned an account definition, the input
field is filled automatically with respect to the manage level.
Last name: The user's last name. If you have assigned an account definition, the input
field is filled automatically with respect to the manage level.
Form of address: Form of address in the associated client's language. If you have
assigned an account definition, the form of address is found by template rule depending
on the manage level. The form of address depends on the gender of the assigned employee.
Academic title: Additional information about the user account.
Alias: Alternative ID for the user account that is used as the login for certain internet
transactions.
Nickname: Additional information about the user account.
Name formatting, Country for name formatting: Name format and country for name
formatting. Name and country formats determine the formatting rules for composing an
employee's full name in SAP R/3. Name formatting specifies the order in which the parts
of a name are put together so that the employee's name is represented in its long form.
The country serves to uniquely identify the formatting rule.
ISO 639 language: Default language for the user account according to ISO 639.
Function: Additional information about the user account. Used when addresses are printed.
Employee number: SAP internal key for identifying an employee.
Department: Additional information about the user account. Used when addresses are
printed.
Room in building: Additional information about the user account.
Floor: Additional information about the user account.
Building (number or token): Additional information about the user account.
Communications type: Unique identifier for the communications type.
Company: The company to which the user account is assigned. When a user account is
added, the company of the assigned client is used. If the client is not assigned to a
company, the company with the smallest address number is found and assigned to the user
account.
NOTE: Company is a mandatory field. Changes to user accounts cannot be saved to SAP R/3
during synchronization if no company is assigned to them in One Identity Manager.
Assign these user accounts a default company in the SAP R/3 system where possible.
Risk index (calculated): Maximum of the risk index values of all assigned groups, roles
and profiles. This property is only visible if the configuration parameter
"QER\CalculateRiskIndex" is set. For more detailed information, see the One Identity
Manager Risk Assessment Administration Guide.
Category: Categories for the inheritance of groups, roles and profiles by the user
account. Select one or more categories from the menu. Groups, roles and profiles can be
selectively inherited by user accounts. To do this, groups, roles, profiles and user
accounts are divided into categories.
Identity: The user account's identity type.
Table 48: Permitted values for the identity
Primary identity: Employee's default user account.
Organizational identity: Secondary user account used for different roles in the
organization, for example for subcontracts with other functional areas.
Personalized admin identity: User account with administrative permissions, used by one
employee.
Sponsored identity: User account that is used for training purposes, for example.
Shared identity: User account with administrative permissions, used by several employees.
Service identity: Service account.
Privileged user account: Specifies whether this is a privileged user account.
Groups can be inherited: Specifies whether the user account can inherit groups, roles and
profiles through the employee. If this option is set, the user account inherits groups,
roles and profiles through hierarchical roles or IT Shop requests.
- If you add an employee with a user account to a department, for example, and you have
assigned groups to this department, the user account inherits these groups.
- If an employee has requested group membership in the IT Shop and the request is
granted approval, the employee's user account only inherits the group if the option
is set.
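The privileged-account settings from the account definition (IsPrivilegedAccount = 1 and IsGroupAccount = 0 with Always use default value) and the Groups can be inherited rule above can be checked against what the SAP system actually holds. The following is an added example, written for this page and not One Identity Manager code: it models the inheritance rule in Python over constructed employee, role and IT Shop data, and lists privileged accounts that still allow inheritance or that carry group memberships the model does not explain. The column names IsPrivilegedAccount and IsGroupAccount are the ones the guide uses; the employee, role and group names are constructed.

```python
"""Model of SAP group inheritance for privileged user accounts.

Added example for this guide, not One Identity Manager code. All employee,
role, group and account data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class UserAccount:
    name: str
    employee: str            # employee the account is linked to
    is_privileged: bool      # IsPrivilegedAccount column
    is_group_account: bool   # IsGroupAccount column ("Groups can be inherited")
    direct_groups: set = field(default_factory=set)   # groups assigned directly


# Constructed data: hierarchical role memberships, role-to-group assignments,
# approved IT Shop requests, and the memberships read back from SAP.
EMPLOYEE_ROLES = {
    "ALICE": {"Dept-Finance"},
    "BOB": {"Dept-Finance", "Loc-Berlin"},
}
ROLE_GROUPS = {
    "Dept-Finance": {"FIN_USERS"},
    "Loc-Berlin": {"BER_PRINT"},
}
ITSHOP_APPROVED = {
    "BOB": {"FI_REPORTING"},
}
ACCOUNTS = [
    UserAccount("ALICE", "ALICE", is_privileged=False, is_group_account=True),
    # privileged account set up as the guide recommends: no inheritance
    UserAccount("ALICE_ADM", "ALICE", is_privileged=True, is_group_account=False,
                direct_groups={"SAP_BASIS_ADM"}),
    # privileged account whose account definition left IsGroupAccount = 1
    UserAccount("BOB_ADM", "BOB", is_privileged=True, is_group_account=True),
]
ACTUAL_IN_SAP = {
    "ALICE": {"FIN_USERS"},
    "ALICE_ADM": {"SAP_BASIS_ADM", "FIN_USERS"},   # FIN_USERS is not explained
    "BOB_ADM": {"FIN_USERS", "BER_PRINT", "FI_REPORTING"},
}


def expected_groups(acct, employee_roles=EMPLOYEE_ROLES,
                    role_groups=ROLE_GROUPS, itshop=ITSHOP_APPROVED):
    """Groups the account should hold under the inheritance rule.

    Direct assignments always count. Inheritance through hierarchical roles
    and IT Shop requests applies only when "Groups can be inherited" is set.
    """
    groups = set(acct.direct_groups)
    if acct.is_group_account:
        for role in employee_roles.get(acct.employee, ()):
            groups |= role_groups.get(role, set())
        groups |= itshop.get(acct.employee, set())
    return groups


def privileged_findings(accounts=ACCOUNTS, actual=ACTUAL_IN_SAP):
    """Return (account, finding) pairs for privileged accounts that either
    still allow inheritance or hold memberships the model cannot explain."""
    findings = []
    for acct in accounts:
        if not acct.is_privileged:
            continue
        if acct.is_group_account:
            findings.append((acct.name, "inheritance enabled on privileged account"))
        unexplained = actual.get(acct.name, set()) - expected_groups(acct)
        for group in sorted(unexplained):
            findings.append((acct.name, f"unexplained membership {group}"))
    return findings


if __name__ == "__main__":
    for name, finding in privileged_findings():
        print(f"{name}: {finding}")
```

Run against an export of role memberships, role-to-group assignments and SAP user group memberships, the same two checks tell you whether a privileged account definition really prevents inheritance and whether any privileged account has picked up groups outside the model.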
Related Topics
- Linking User Accounts to Employees on page 104
- Supported User Account Types on page 105
- Setting Up Account Definitions on page 57
- Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles on page 102
- General Master Data for an SAP Client on page 100
- One Identity Manager Identity Management Base Module Administration Guide
- One Identity Manager Target System Base Module Administration Guide
- One Identity Manager Risk Assessment Administration Guide
SAP User Account Login Data
When a user account is added, you issue it with a password. Once the user account
password has been saved in the Manager, it cannot be changed.
Enter the following data on the Login data tab.
Table 49: SAP User Account Login Data
Password: Password for the user account. Depending on the configuration parameter
"Person\UseCentralPassword", the employee's central password can be mapped to the user
account's password. If you use an initial password for user accounts, it is entered
automatically when a user account is created.
NOTE: One Identity Manager password policies are taken into account when a user
password is verified. Ensure that the password policy does not violate the target
system's requirements.
Password confirmation: Reconfirm the password.
Set effective password: Specifies whether the password status "Active password" is set
when the password is changed in the target system.
Disabled password: Specifies whether the password is disabled (for example, if single
sign-on is used for logging in).
Security policy: Security policy for this user account.
User group: The user account contains authorizations for this SAP group.
Reference user: The user account contains authorizations for this reference user. A
reference user is a user account with the user type "Reference". Use reference users to
supply identical authorizations to different user accounts within one client.
Account is valid from, Account is valid until: Validity period of the SAP user account.
Accounting number: Number for the user account's accounting.
Cost center: Cost center for the user account's accounting.
User account type: Type of user account. The default user account type is specified in
the configuration parameter "TargetSystem\SAPR3\Accounts\Ustyp".
User account locked: Specifies that the user account is locked.
Last login: Date and time of the last login to the target SAP system.
Related Topics
- Password Policies on page 79
- Initial Password for New SAP User Accounts on page 88
- Email Notifications about Login Data on page 90
- User Account Types on page 74
- Lock SAP User Account on page 126
- Security Policies on page 77
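The NOTE on password policies is worth checking before a policy goes live, because a password One Identity Manager accepts can still be rejected by SAP's own profile parameters, and provisioning then fails at the target. The following is an added example and not One Identity Manager or SAP code. The parameter names login/min_password_lng, login/min_password_digits, login/min_password_letters and login/min_password_specials are real SAP NetWeaver profile parameters, but their values here are constructed; the dictionary standing in for the One Identity Manager policy is a hypothetical simplification (the product's policy has more settings), and the character-class counting approximates SAP's rules.

```python
"""Compare a password policy with the SAP target system's password rules.

Added example for this guide, not One Identity Manager or SAP code. The
parameter names in SAP_PROFILE are real SAP NetWeaver profile parameters; the
values are constructed. OIM_POLICY is a hypothetical simplification of a
One Identity Manager password policy, not the product's schema.
"""

SAP_PROFILE = {
    "login/min_password_lng": 10,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
}
SAP_MAX_PASSWORD_LENGTH = 40   # limit for SAP NetWeaver 7.0 and later

OIM_POLICY = {
    "min_length": 8,
    "max_length": 12,
    "min_digits": 1,
    "min_letters": 1,
    "min_specials": 0,
}

# policy setting -> SAP parameter that imposes the same kind of minimum
MINIMUM_PAIRS = [
    ("min_length", "login/min_password_lng"),
    ("min_digits", "login/min_password_digits"),
    ("min_letters", "login/min_password_letters"),
    ("min_specials", "login/min_password_specials"),
]


def policy_conflicts(policy=OIM_POLICY, profile=SAP_PROFILE):
    """List every way the policy can accept a password that SAP rejects."""
    conflicts = []
    for oim_key, sap_key in MINIMUM_PAIRS:
        if policy[oim_key] < profile[sap_key]:
            conflicts.append(f"{oim_key}={policy[oim_key]} is below "
                             f"{sap_key}={profile[sap_key]}")
    if policy["max_length"] > SAP_MAX_PASSWORD_LENGTH:
        conflicts.append(f"max_length={policy['max_length']} exceeds SAP limit "
                         f"of {SAP_MAX_PASSWORD_LENGTH}")
    return conflicts


def character_classes(password):
    """Count the classes the SAP minimums refer to (approximation: a special
    character is anything that is neither a letter nor a digit)."""
    return {
        "length": len(password),
        "digits": sum(c.isdigit() for c in password),
        "letters": sum(c.isalpha() for c in password),
        "specials": sum(not c.isalnum() for c in password),
    }


def meets_oim_policy(password, policy=OIM_POLICY):
    """Would the (simplified) One Identity Manager policy accept this password?"""
    c = character_classes(password)
    return (policy["min_length"] <= c["length"] <= policy["max_length"]
            and c["digits"] >= policy["min_digits"]
            and c["letters"] >= policy["min_letters"]
            and c["specials"] >= policy["min_specials"])


def meets_sap_rules(password, profile=SAP_PROFILE):
    """Would SAP accept this password under the profile minimums?"""
    c = character_classes(password)
    return (profile["login/min_password_lng"] <= c["length"] <= SAP_MAX_PASSWORD_LENGTH
            and c["digits"] >= profile["login/min_password_digits"]
            and c["letters"] >= profile["login/min_password_letters"]
            and c["specials"] >= profile["login/min_password_specials"])


if __name__ == "__main__":
    for line in policy_conflicts():
        print("conflict:", line)
    for pw in ("Passw0rd", "Tr0ub4dor&3"):
        print(pw, "OIM:", meets_oim_policy(pw), "SAP:", meets_sap_rules(pw))
```

With the constructed values, "Passw0rd" passes the One Identity Manager policy but fails SAP's minimum length, which is exactly the situation the NOTE warns about; policy_conflicts() reports the two settings responsible.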
Phone numbers
You can edit user account phone numbers on the Phone numbers tab.
To assign a phone number to a user account
1. Select the Phone numbers tab.
2. Click Add.
This inserts a new row in the table.
3. Mark this row. Edit the telephone number master data.
4. Save the changes.
To edit a phone number
1. Select the Phone numbers tab.
2. Select the phone number in the list.
3. Edit the telephone number master data.
4. Save the changes.
To remove a phone number assignment
1. Select the Phone numbers tab.
2. Select the phone number in the list.
3. Click Delete.
4. Save the changes.
Table 50: Phone Number Properties
Type: Type of phone connection. Select "Phone", "Phone (default)", "Mobile (default)" or
"Mobile".
Country: Country for determining the country code.
Telephone number: Phone number with local area code. Enter an extension number in the
extra field. If you have assigned an account definition, the telephone number is found
by template rule depending on the manage level.
Phone number (complete): Full phone number. Contains dialing code, connection and
extension numbers.
Default number: Specifies whether this phone number is the user's default number.
Home address: Specifies whether this phone number is the user's home number.
SMS enabled: Specifies whether text messages can be sent to this phone number.
Fax numbers
You can edit user account fax numbers on the Fax numbers tab.
To assign a fax number to a user account
1. Select the Fax numbers tab.
2. Click Add.
This inserts a new row in the table.
3. Mark this row. Edit the fax number master data.
4. Save the changes.
To edit a fax number
1. Select the Fax numbers tab.
2. Select the fax number in the list.
3. Edit the fax number master data.
4. Save the changes.
To remove a fax number assignment
1. Select the Fax numbers tab.
2. Select the fax number in the list.
3. Click Delete.
4. Save the changes.
Table 51: Fax Number Properties
Country: Country for determining the country code.
FAX number: Fax number with local area code. Enter an extension number in the extra
field.
FAX number (complete): Full fax number. Contains dialing code, connection and extension
numbers.
Default number: Specifies whether this fax number is the user's default number.
Home address: Specifies whether this fax number is the user's home number.
Email addresses
You can edit user account email addresses on the Email addresses tab.
To assign an email address to a user account
1. Select the Email addresses tab.
2. Click Add.
This inserts a new row in the table.
3. Mark this row. Edit the email address master data.
4. Save the changes.
To edit an email address
1. Select the Email addresses tab.
2. Select the email address in the list.
3. Edit the email address master data.
4. Save the changes.
To remove an email address assignment
1. Select the Email addresses tab.
2. Select the email address in the list.
3. Click Delete.
4. Save the changes.
Table 52: Email Address Data
Email address (SMTP): Email address.
Email address search: Contains the first 20 characters of the email address in
normalized form.
Default address: Specifies whether this email address is the user's default address.
Home address: Specifies whether this email address is the user's home address.
Fixed Values for an SAP User Account
Table 53: Configuration Parameters for Setting up User Accounts
TargetSystem\SAPR3\Accounts\Datfm: Specifies the default date format for SAP user
accounts.
TargetSystem\SAPR3\Accounts\Dcpfm: Specifies the default decimal point format for SAP
user accounts.
TargetSystem\SAPR3\Accounts\Fax_Group: Specifies the default fax group for SAP user
accounts.
TargetSystem\SAPR3\Accounts\Guiflag: Specifies whether secure communication is permitted
for SAP user accounts.
TargetSystem\SAPR3\Accounts\Spda: Specifies the default setting for print parameter 3
(delete after print).
TargetSystem\SAPR3\Accounts\Spdb: Specifies the default setting for the print
immediately option.
TargetSystem\SAPR3\Accounts\Splg: Specifies the default printer (print parameter 1).
TargetSystem\SAPR3\Accounts\Time_zone: Specifies the default time zone value for the SAP
user account's address.
TargetSystem\SAPR3\Accounts\Tzone: Specifies the default value for the time zone.
Enter the default values that are to be put into effect for the user account on the Fixed
values tab. This includes data such as the start menu, which should be shown after login,
the default login language, personal time zone, decimal representation or date format that
the user is going to work with.
To specify default values for fixed values
- Set the configuration parameter values under "TargetSystem\SAPR3\Accounts" in the
Designer.
Measurement Data
The license data for system measurement are shown on the Measurement data tab. For
more information, see Providing System Measurement Data on page 177.
Assigning Parameters
You can assign a user account parameter on the Parameter tab and specify its values.
To assign a parameter to a user account
1. Select the Parameter tab.
2. Click Add.
This inserts a new row in the table.
3. Mark this row. Select a parameter from the Parameter list and specify a
parameter value.
4. Save the changes.
To edit a parameter value
1. Select the Parameter tab.
2. Select the parameter whose value you want to edit, in the list.
3. Change the parameter value.
4. Save the changes.
To remove a parameter assignment
1. Select the Parameter tab.
2. Select the parameter you want to remove.
3. Click Remove.
4. Save the changes.
SNC Data for an SAP User Account
Enter the data required for logging into the system over secure network communications
(SNC) on the SNC tab.
Table 54: User Account SNC Data
SNC name: The user account's SNC name. You can find the syntax for SNC names in the SNC
user manual.
Insecure communication allowed: Specifies whether insecure communication is permitted
for this user account.
Additional Tasks for Managing SAP
User Accounts
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of SAP User Accounts
To obtain an overview of a user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select SAP user account overview in the task view.
Changing the Manage Level of an SAP User
Account
The default manage level is applied if you create user accounts using automatic employee
assignment. You can change a user account manage level later.
To change the manage level for a user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Change master data in the task view.
4. Select the manage level in the Manage level menu on the tab Address.
5. Save the changes.
Related Topics
- General Master Data for an SAP User Account on page 110
Assigning SAP Groups and SAP Profiles
Directly to an SAP User Account
Groups and profiles can be assigned directly or indirectly to a user account. Indirect
assignment is carried out by allocating the employee, groups and profiles in hierarchical
roles, like departments, cost centers, locations or business roles. If the employee has an
SAP user account, the groups and profiles in the role are inherited by the user account.
To react quickly to special requests, you can assign groups and profiles directly to the
user account.
NOTE:
- Only profiles that are not assigned to SAP roles can be assigned to user accounts.
- Generated profiles cannot be assigned to user accounts.
- If the user account is managed through a CUA, groups and profiles can be selected
from all clients assigned to this user account.
To assign groups and profiles directly to user accounts
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select one of the following tasks:
- Assign groups, to assign SAP groups directly.
- Assign profiles, to assign SAP profiles directly.
4. Assign groups or profiles in Add assignments.
- OR -
Remove groups or profiles in Remove assignments.
5. Save the changes.
Related Topics
- Assigning SAP Groups, SAP Roles and SAP Profiles to SAP User Accounts on page 143
Assigning SAP Roles Directly to an SAP
User Account
Roles can be assigned directly or indirectly to a user account. Indirect assignment is
carried out by allocating the employee and roles in hierarchical roles, like departments,
cost centers, locations or business roles. If the employee has an SAP user account, the SAP
roles in the hierarchical roles are inherited by the user account.
To react quickly to special requests, you can assign roles directly to the user account.
If the user account is managed through a CUA, roles can be selected from all clients
assigned to this user account.
To assign roles directly to user accounts
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select the task Assign roles.
To assign a role
1. Click Add.
This inserts a new row in the table.
2. Select the role you want to assign from the Role menu.
3. Enter a validity period for the role assignment in Valid from and Valid until,
if it applies.
4. Assign more roles as necessary.
5. Save the changes.
To edit a role assignment
1. Select the role assignment you want to edit in the table. Edit the validity period.
2. Save the changes.
To remove a role assignment.
1. Select the role assignment you want to remove in the table.
2. Click Delete.
3. Save the changes.
Related Topics
- Assigning SAP User Accounts directly to SAP Roles on page 148
Assigning Structural Profiles
Installed Module: SAP R/3 Structural Profiles Add-on Module
Structural profiles can be assigned directly or indirectly to a user account. Indirect
assignment is carried out by allocating the employee and structural profiles in hierarchical
roles, like departments, cost centers, locations or business roles. If the employee has an
SAP user account, the structural profiles in the role are inherited by the user account.
To react quickly to special requests, you can assign structural profiles directly to the
user account.
To assign structural profiles directly to user accounts
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Assign structural profiles in the task view.
To assign a structural profile
1. Click Add.
This inserts a new row in the table.
2. Select the structural profile to assign from the Structural profile menu.
3. Enter a validity period for the profile assignment in Valid from and Valid until,
if it applies.
4. Assign more structural profiles as necessary.
5. Save the changes.
To edit a profile assignment
1. Select the profile assignment you want to edit in the table. Edit the validity period.
2. Save the changes.
To remove a profile assignment
1. Select the profile assignment you want to remove in the table.
2. Click Delete.
3. Save the changes.
Detailed information about this topic
- One Identity Manager Administration Guide for SAP R/3 Structural Profiles Add-on
Assigning Child Systems
User accounts administered through central user administration (CUA) hold access
permissions in several clients. Use this task to assign to a user account the clients in
which it has logon authorization. You can select the central system and the child
systems. If a user account is not assigned to a client, it cannot be assigned groups,
roles or profiles from that client either.
This task is only available if the client of the selected user account is labeled as
central system.
To assign a user account to clients
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Assign SAP child systems in the task view.
4. Assign the clients in which the user should obtain logon authorization in Add
assignments.
- OR -
Remove clients in Remove assignments.
5. Save the changes.
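The two rules above (a CUA account belongs to the central system plus the child systems assigned to it in SAPUserInSAPMandant, and only groups, roles and profiles from those clients can be assigned to it) and the Valid from / Valid until period on role assignments can be checked together. The following is an added example, not One Identity Manager code: over constructed clients, client assignments and role assignments it reports which assignments are effective on a given day, which lie outside their validity period, and which reference a client the account is not assigned to. Client and role names are constructed.

```python
"""Scope and validity check for CUA role assignments.

Added example for this guide, not One Identity Manager code. Clients, client
assignments and role assignments below are constructed.
"""
from datetime import date

CENTRAL_SYSTEM = "C100"
CHILD_SYSTEMS = {"C200", "C300"}

# Child systems assigned to each user account ("Assign SAP child systems").
ACCOUNT_CLIENTS = {
    "ALICE": {"C200"},
    "BOB": set(),            # never assigned a child system
}

# (account, client, role, valid_from, valid_until) as entered on "Assign roles";
# None means no limit. Dates are ISO strings.
ROLE_ASSIGNMENTS = [
    ("ALICE", "C200", "Z_FI_CLERK", "2017-01-01", "2017-12-31"),
    ("ALICE", "C100", "Z_CENTRAL_RO", None, None),
    ("ALICE", "C300", "Z_MM_BUYER", None, None),   # C300 is not assigned to ALICE
    ("BOB", "C200", "Z_FI_CLERK", None, None),     # BOB has no child system at all
]


def in_scope(account, client, account_clients=ACCOUNT_CLIENTS):
    """The central system is always a valid source of assignments; a child
    system only if it is assigned to the account."""
    if client == CENTRAL_SYSTEM:
        return True
    return client in CHILD_SYSTEMS and client in account_clients.get(account, set())


def is_effective(valid_from, valid_until, on):
    """True if the ISO date 'on' lies within the (possibly open-ended) period."""
    day = date.fromisoformat(on)
    after_start = valid_from is None or date.fromisoformat(valid_from) <= day
    before_end = valid_until is None or day <= date.fromisoformat(valid_until)
    return after_start and before_end


def check_assignments(assignments=ROLE_ASSIGNMENTS, on="2017-06-01"):
    """Sort assignments into effective, inactive (outside validity) and
    out_of_scope (client not assigned to the account)."""
    result = {"effective": [], "inactive": [], "out_of_scope": []}
    for account, client, role, valid_from, valid_until in assignments:
        key = (account, client, role)
        if not in_scope(account, client):
            result["out_of_scope"].append(key)
        elif is_effective(valid_from, valid_until, on):
            result["effective"].append(key)
        else:
            result["inactive"].append(key)
    return result


if __name__ == "__main__":
    for bucket, items in check_assignments().items():
        for item in items:
            print(bucket, *item)
```

The out_of_scope bucket is the one to watch: an assignment there is either a data error or a client that was removed from the account after the role was assigned, and in both cases the account should not hold the role.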
Assigning SAP Licenses
NOTE: This task is only available for user accounts managed through CUA.
SAP licenses in the child systems and in the central system can be assigned to user
accounts for system measurement. For more information, see Providing System Measurement
Data on page 177.
To assign licenses to a user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Assign SAP licenses in client systems in the task view.
4. Click Add.
This inserts a new row in the table.
5. Mark this row. Enter the measurement data.
6. Save the changes.
To edit a license assignment
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Assign SAP licenses in client systems in the task view.
4. Select an assignment in the table.
5. Edit the measurement data.
6. Save the changes.
To remove a license assignment
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Assign SAP licenses in client systems in the task view.
4. Select an assignment in the table.
5. Click Delete.
6. Save the changes.
The following license information is displayed on the form.
Table 55: Measurement Data for a Centrally Administered User Account
Recipient client: Client containing the user account which is assigned a license. You
can select the central system or an assigned child system.
License: User account license in the selected client.
License extension: License extension for the installed special version. Select the
special version ID from the menu.
Country surcharge: Additional license fee.
Chargeable system: SAP system containing the client to be charged. This field is only
shown if "04 (substitute)" or "11 (Multi-client/system)" is entered.
Chargeable client: Client containing the user account to be charged. This field is only
shown if "04 (substitute)" or "11 (Multi-client/system)" is entered.
Chargeable user account: User account to be charged if "04 (substitute)" or "11
(Multi-client/system)" is entered.
Substituted from, Substituted until: Time period in which another user account assumes
responsibility. These input fields are enabled if the active license is set to "04
(substitute)".
Related Topics
- Special Versions on page 79
Lock SAP User Account
The way that user accounts are managed determines how you lock them. User accounts
that are not linked to an employee can be locked with the task Lock user account.
To lock a user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Lock user account from the task view.
4. Confirm the prompt with OK.
This generates a process that publishes the change in the target system. The option
User account locked is enabled the moment the process is successfully completed.
To unlock a user account
1. Select the category SAP R/3 | User accounts.
2. Select the SAP user account in the result list.
3. Select Unlock user account from the task view.
4. Confirm the prompt with OK.
This generates a process that publishes the change in the target system. The option
User account locked is disabled the moment the process is successfully completed.
Detailed information about this topic
- Locking SAP User Accounts on page 132
Assigning Extended Properties
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for a user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
- OR Remove extended properties from Remove assignments.
5. Save the changes.
Detailed information about this topic
- One Identity Manager Identity Management Base Module Administration Guide
Automatic Assignment of Employees to
SAP User Accounts
Table 56: Configuration Parameters for Automatic Employee Assignment
TargetSystem\SAPR3\PersonAutoFullsync: Specifies the mode for automatic employee
assignment for user accounts added to or updated in the database through
synchronization.
TargetSystem\SAPR3\PersonAutoDefault: Specifies the mode for automatic employee
assignment for user accounts added to the database outside synchronization.
TargetSystem\SAPR3\PersonExcludeList: List of all user accounts for which automatic
employee assignment should not take place. Names are given in a pipe (|) delimited list
that is handled as a regular search pattern.
Example: SAP*|SAPCPIC|SAPJSF|DDIC|J2EE_ADMIN|J2EE_GUEST
TargetSystem\SAPR3\PersonAutoDisabledAccounts: Specifies whether employees are
automatically assigned to disabled user accounts. These user accounts do not obtain an
account definition.
When you add a user account, an existing employee can be assigned automatically or
added if necessary. In the process, the employee master data is created based on the
existing user account master data. This mechanism can follow on after a new user account
has been created manually or through synchronization. Define the criteria for finding
employees that apply to automatic employee assignment. If a user account is linked to an
employee through the current mode, an internal process gives the user account the
default manage level of the account definition entered in the user account's target
system. You can customize user account properties depending on how the behavior of the
manage level is defined.
If you enable this procedure during normal operation, automatic assignment of employees
to user accounts takes place from that moment onwards. If you disable the procedure
again later, the change only affects user accounts added or updated after this point in
time. Existing employee assignments to user accounts remain intact.
NOTE: It is not recommended to use automatic employee assignment for administrative
user accounts. Use the task Change master data to assign employees to administrative
user accounts instead.
Run the following tasks to assign employees automatically.
• If employees can be assigned by user accounts during synchronization, set the parameter "TargetSystem\SAPR3\PersonAutoFullsync" in the Designer and select the mode.
• If employees can be assigned by user accounts during synchronization, set the parameter "TargetSystem\SAPR3\PersonAutoDefault" in the Designer and select the mode.
• Specify the user accounts in the configuration parameter "TargetSystem\SAPR3\PersonExcludeList" which must not be assigned automatically to employees.
  Example: SAP*|SAPCPIC|SAPJSF|DDIC|J2EE_ADMIN|J2EE_GUEST
• Use the configuration parameter "TargetSystem\SAPR3\PersonAutoDisabledAccounts" to specify whether employees can be automatically assigned to disabled user accounts. User accounts do not obtain an account definition.
• Assign an account definition to the client. Ensure the manage level to be used is entered as default automation level.
• Define the search criteria for employees assigned to clients.
NOTE:
The following applies for synchronization:
• Automatic employee assignment takes effect if user accounts are added or updated.
The following applies outside synchronization:
• Automatic employee assignment takes effect if user accounts are added.
NOTE: Following synchronization, employees are automatically created for user
accounts in the default installation. If there are no account definitions for the client at
the time of synchronization, user accounts are linked to employees. However,
account definitions are not assigned. The user accounts are, therefore, in a "Linked"
state.
To select user accounts through account definitions
1. Create an account definition.
2. Assign an account definition to the client.
3. Assign the account definition and manage level to the user accounts in a
"linked" state.
a. Select the category SAP R/3 | User accounts | Linked but not
configured | <client>.
b. Select the task Assign account definition to linked accounts.
Detailed information about this topic
• One Identity Manager Target System Base Module Administration Guide
Related Topics
• Creating an Account Definition on page 58
• Assigning Account Definitions to a Target System on page 71
• Editing Search Criteria for Automatic Employee Assignment on page 129
Editing Search Criteria for Automatic Employee Assignment
Criteria for employee assignment are defined in the client. In this case, you specify which
user account properties must match the employee’s properties such that the employee can
be assigned to the user account. You can limit search criteria further by using format
definitions. The search criteria are written in XML notation in the column "Search criteria
for automatic employee assignment" (AccountToPersonMatchingRule) of the SAPMandant
table.
Search criteria are evaluated when employees are automatically assigned to user
accounts. Furthermore, you can create a suggestion list for assignments of employees to
user accounts based on the search criteria and make the assignment directly.
NOTE: When the employees are assigned to user accounts on the basis of search
criteria, user accounts are given the default manage level of the account definition
entered in the user account's target system. You can customize user account
properties depending on how the behavior of the manage level is defined.
It is not recommended to make assignments to administrative user accounts based on search criteria. Use the task Change master data for the respective user account to assign employees to administrative user accounts.
NOTE: One Identity Manager supplies a default mapping for employee assignment.
Only carry out the following steps when you want to customize the default mapping.
To specify criteria for employee assignment
1. Select the category SAP R/3 | Clients.
2. Select the client from the result list.
3. Select Define search criteria for employee assignment in the task view.
4. Specify which user account properties must match which employee properties so that the employee is linked to the user account.
Table 57: Default Search Criteria for User Accounts
Apply to: SAP user accounts of type "Dialog"
Column on Employee: Central SAP user account (CentralSAPAccount)
Column on User Account: User account (Accnt)
5. Save the changes.
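The following Python model is an added example, not code from this guide or from One Identity Manager. It simulates one pass of automatic employee assignment as described above: the pipe-delimited exclude list (TargetSystem\SAPR3\PersonExcludeList), the handling of disabled accounts (TargetSystem\SAPR3\PersonAutoDisabledAccounts) and the default search criterion from Table 57 (the employee's CentralSAPAccount must equal the account's Accnt, applied to "Dialog" accounts). It assumes that "*" in the exclude list acts as a wildcard and that account names compare case-insensitively; all user and employee records are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not part of One Identity Manager. Models the documented rules:
#  - TargetSystem\SAPR3\PersonExcludeList: pipe (|) delimited name patterns
#  - TargetSystem\SAPR3\PersonAutoDisabledAccounts: may disabled accounts be assigned?
#  - default search criterion (Table 57): employee CentralSAPAccount == SAPUser.Accnt,
#    applied to user accounts of type "Dialog"
# Assumption: "*" is a wildcard for any run of characters; names compare case-insensitively.

EXCLUDE_LIST = "SAP*|SAPCPIC|SAPJSF|DDIC|J2EE_ADMIN|J2EE_GUEST"   # value quoted in the guide


def compile_exclude_list(exclude_list: str) -> List["re.Pattern"]:
    """Turn the pipe-delimited exclude list into anchored regular expressions."""
    patterns = []
    for item in exclude_list.split("|"):
        item = item.strip()
        if not item:
            continue
        # escape everything literally, then let '*' match any run of characters
        regex = "^" + re.escape(item).replace(r"\*", ".*") + "$"
        patterns.append(re.compile(regex, re.IGNORECASE))
    return patterns


def is_excluded(accnt: str, patterns: List["re.Pattern"]) -> bool:
    """True if the account name matches any entry of the exclude list."""
    return any(p.match(accnt) for p in patterns)


@dataclass
class SapUser:
    accnt: str                         # SAPUser.Accnt
    user_type: str                     # "Dialog", "System", "Communication", ...
    disabled: bool = False
    uid_person: Optional[str] = None   # linked employee, None if not linked


@dataclass
class Person:
    uid: str
    central_sap_account: str           # employee column CentralSAPAccount


def auto_assign(users: List[SapUser], persons: List[Person],
                exclude_list: str = EXCLUDE_LIST,
                assign_disabled: bool = False) -> Dict[str, str]:
    """One pass of automatic employee assignment; returns {accnt: outcome}.

    Outcomes: 'excluded', 'already-linked', 'skipped-disabled', 'skipped-type',
    'assigned:<uid>', 'ambiguous', 'no-match'.
    """
    patterns = compile_exclude_list(exclude_list)
    by_central: Dict[str, List[Person]] = {}
    for p in persons:
        by_central.setdefault(p.central_sap_account.upper(), []).append(p)

    result: Dict[str, str] = {}
    for u in users:
        if is_excluded(u.accnt, patterns):
            result[u.accnt] = "excluded"
        elif u.uid_person is not None:
            result[u.accnt] = "already-linked"        # existing links stay intact
        elif u.disabled and not assign_disabled:
            result[u.accnt] = "skipped-disabled"      # PersonAutoDisabledAccounts not set
        elif u.user_type != "Dialog":
            result[u.accnt] = "skipped-type"          # default criterion covers Dialog only
        else:
            candidates = by_central.get(u.accnt.upper(), [])
            if len(candidates) == 1:
                u.uid_person = candidates[0].uid
                result[u.accnt] = f"assigned:{candidates[0].uid}"
            elif candidates:
                result[u.accnt] = "ambiguous"         # never guess between several employees
            else:
                result[u.accnt] = "no-match"
    return result


def demo(assign_disabled: bool = False) -> Dict[str, str]:
    """Constructed sample data (not from any real system) run through auto_assign."""
    users = [
        SapUser("SAP*", "System"),
        SapUser("DDIC", "System"),
        SapUser("JDOE", "Dialog"),
        SapUser("MMUSTER", "Dialog", disabled=True),
        SapUser("RFC_BATCH", "Communication"),
        SapUser("ASMITH", "Dialog"),
    ]
    persons = [
        Person("P-001", "JDOE"),
        Person("P-002", "MMUSTER"),
        Person("P-003", "ASMITH"),
        Person("P-004", "ASMITH"),    # duplicate central SAP account -> ambiguous
    ]
    return auto_assign(users, persons, assign_disabled=assign_disabled)


if __name__ == "__main__":
    for accnt, outcome in demo().items():
        print(f"{accnt:<10} {outcome}")
```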
Direct Assignment of Employees to User Accounts Based on a Suggestion List
You can create a suggestion list in the "Assignments" view for assignments of employees
to user accounts based on the search criteria. User accounts are grouped in different
views for this.
Table 58: Manual Assignment View
Suggested assignments: This view lists all user accounts to which One Identity Manager can assign an employee. All employees are shown who were found using the search criteria and can be assigned.
Assigned user accounts: This view lists all user accounts to which an employee is assigned.
Without employee assignment: This view lists all user accounts to which no employee is assigned and for which no employee was found using the search criteria.
TIP: By double-clicking on an entry in the view, you can view the user account and
employee master data.
To apply search criteria to user accounts
• Click Reload.
All possible assignments based on the search criteria are found in the target system
for all user accounts. The three views are updated.
To assign employees directly over a suggestion list
1. Click Suggested assignments.
a. Click Select for all user accounts to be assigned to the suggested employee.
Multi-select is possible.
b. Click Assign selected.
c. Confirm the security prompt with Yes.
The selected user accounts are assigned to the employees found using the
search criteria.
– OR –
2. Click No employee assignment.
a. Click Select employee... for the user account to which you want to assign the
employee. Select an employee from the menu.
b. Click Select for all user accounts to which you want to assign the selected
employees. Multi-select is possible.
c. Click Assign selected.
d. Confirm the security prompt with Yes.
This assigns the selected user accounts to the employees shown in the
"Employee" column.
To remove assignments
1. Click Assigned user accounts.
a. Click Select for all user accounts whose employee assignment you want to
remove. Multi-select is possible.
b. Click Delete selected.
c. Confirm the security prompt with Yes.
The assigned employees are deleted from the selected user accounts.
Detailed information about this topic
• For more information, see the One Identity Manager Target System Base Module Administration Guide.
Related Topics
• Automatic Assignment of Employees to SAP User Accounts on page 127
Locking SAP User Accounts
Table 59: Configuration Parameter for Locking User Accounts
QER\Person\TemporaryDeactivation: This configuration parameter specifies whether user accounts for an employee are locked if the employee is temporarily or permanently disabled.
The way you lock user accounts depends on how they are managed.
Scenario:
• The user account is linked to employees and is managed through account definitions.
User accounts managed through account definitions are locked when the employee is
temporarily or permanently disabled. The behavior depends on the user account manage
level. User accounts with the manage level "Full managed" are disabled depending on the
account definition settings. You cannot apply the tasks Lock user account and Unlock
user account to these user accounts. For user accounts with another manage level,
modify the column template SAPUser.U_Flag accordingly.
Scenario:
• The user accounts are linked to employees. No account definition is applied.
User accounts managed through user account definitions are locked when the employee is
temporarily or permanently disabled. The behavior depends on the configuration
parameter "QER\Person\TemporaryDeactivation".
• If the configuration parameter is set, the employee’s user accounts are locked if the employee is permanently or temporarily disabled. You cannot apply the tasks Lock user account and Unlock user account to these user accounts.
• If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.
To lock a user account when the configuration parameter is disabled
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Lock user account from the task view.
4. Confirm the prompt with OK.
Scenario:
• User accounts not linked to employees.
To lock a user account which is not linked to an employee
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Lock user account from the task view.
4. Confirm the prompt with OK.
A process is generated, which publishes this user account modification in the target
system. Once the lock has been published in the target system, the option User account
locked is enabled on the master data form, Login data tab. The user can no longer log in
with this user account.
To unlock a user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Unlock user account from the task view.
4. Confirm the prompt with OK.
This generates a process that publishes the change in the target system. The option
User account locked is enabled the moment the process is successfully completed.
Detailed information about this topic
• For more information, see the One Identity Manager Target System Base Module Administration Guide.
Related Topics
• Setting Up Account Definitions on page 57
• Setting Up Manage Levels on page 61
Deleting and Restoring SAP User Accounts
NOTE: As long as an account definition for an employee is valid, the employee retains
the user account that was created by it. If the account definition assignment is
removed, the user account created through this account definition, is deleted.
To delete a user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Click the delete button to delete the user account.
4. Confirm the security prompt with Yes.
To restore user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Click the restore button in the result list toolbar.
Configuring Deferred Deletion
By default, user accounts are finally deleted from the database after 30 days. The user accounts are initially disabled. You can re-enable the user accounts until deferred deletion is run. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore. You can configure an alternative deletion delay on the table SAPUser in the Designer. Deferred deletion has no influence over the login permission in assigned CUA child systems.
Entering External User Identifiers for an SAP User Account
External authentication methods for logging on to a system can be used in SAP R/3. With One Identity Manager, you can maintain the login data used to log external system users, for example Active Directory users, on to an SAP R/3 environment.
You can use One Identity Manager to enter external user IDs and delete them. For existing user IDs, you can only change the option "Account is enabled".
To enter external IDs
1. Select the category SAP R/3 | External IDs.
2. Select the external identifier in the result list. Select Change master data in the task view.
- OR - Click the add button in the result list toolbar.
3. Enter the required data on the master data form.
4. Save the changes.
Enter the following data for an external identifier.
Table 60: External ID Properties
External user ID: User login name for the user to log into external systems. The syntax you require depends on the type of authentication selected. The complete user identifier is compiled by template.
NOTE: The BAPI used by One Identity Manager applies the default settings of the program RSUSREXT for generating the user identifier, that is, the user name is reset and the value provided in the interface is passed as prefix. If your SAP R/3 environment uses something other than these default settings, modify the template for the column SAPUserExtId.EXTID accordingly.
External identifier type: Authentication type for the external user. This determines the syntax for the external identifier.
Table 61: External Identifier Types
Distinguished Name for X.509: Login uses the distinguished name for X.509.
Windows NTLM or password verification: Login uses Windows NT LAN Manager or password verification with the Windows domain controller.
LDAP bind <user defined>: Login uses LDAP bind (for other authentication mechanisms).
SAML token: Authentication uses an SAML token profile.
The default type is specified in the configuration parameter "TargetSystem\SAPR3\Accounts\ExtID_Type".
Target system type: Can be called up together with the external ID type to test the login data. The default type is specified in the configuration parameter "TargetSystem\SAPR3\Accounts\TargetSystemID". Permitted values are ADSACCOUNT and NTACCOUNT.
Account is enabled: Specifies whether the user or an external authentication system can log onto the system.
User account: Assignment of the external user ID to a user account.
Sequential number: Sequential number, if a user account has more than one external identifier.
Valid from: Date from which the external user ID is valid.
Related Topics
• External Identifier Types on page 75
7 SAP Groups, SAP Roles and SAP Profiles
Groups, roles and profiles are mapped in the One Identity Manager, in order to provide the
necessary permissions for user accounts. Groups, roles and profiles can be assigned to
user accounts, requested or inherited through hierarchical roles in One Identity Manager.
No new groups, roles or profiles can be added or deleted.
Groups
You can share maintenance of user accounts over different administrators by assigning
user accounts to groups.
Roles
A role includes all transactions and user menus that an SAP user requires to fulfill its tasks. Roles are separated into single and collective roles. Single roles can be grouped together into collective roles. User account membership in roles can be set for a limited period.
Profiles
Access permissions to the system are regulated through profiles. Profiles are assigned through single roles or directly to user accounts. Profiles can be grouped into collective profiles.
Editing Master Data for SAP Groups, SAP Roles and SAP Profiles
You can edit the following data about groups, roles and profiles in One Identity Manager:
• Assigned SAP user accounts
• Usage in the IT Shop
• Risk Assessment
• Inheritance through roles and inheritance restrictions
• License information for system measurement
To edit group master data
1. Select the category SAP R/3 | Groups.
2. Select the group in the result list. Select Change master data in the task view.
3. Enter the required data on the master data form.
4. Save the changes.
To edit profile master data
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list. Select Change master data in the task view.
3. Enter the required data on the master data form.
4. Save the changes.
To edit role master data
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list. Select Change master data in the task view.
3. Enter the required data on the master data form.
4. Save the changes.
Detailed information about this topic
• General Master Data for SAP Groups on page 138
• General Master Data for SAP Roles on page 140
• General Master Data for SAP Profiles on page 141
General Master Data for SAP Groups
Table 62: Configuration Parameters for Risk Assessment of SAP User Accounts
QER\CalculateRiskIndex: Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is set, values can be entered and calculated for the risk index.
Edit the following master data for a group.
Table 63: SAP Group Master Data
Display name: Name of the group as displayed in One Identity Manager tools. The group name is taken from the group identifier by default.
Name: Name of the group in the target system.
Client: Client in which the group is added.
Service item: Service item data for requesting the group through the IT Shop.
Risk index: Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.
Category: Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Use this menu to allocate one or more categories to the group.
Description: Spare text box for additional explanation.
IT Shop: Specifies whether the group can be requested through the IT Shop. This group can be requested by staff through the Web Portal and granted through a defined approval process. The group can still be assigned directly to hierarchical roles.
Only for use in IT Shop: Specifies whether the group can only be requested through the IT Shop. This group can be requested by staff through the Web Portal and granted through a defined approval process. The group may not be assigned directly to hierarchical roles.
Detailed information about this topic
• Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles on page 102
• One Identity Manager IT Shop Administration Guide
• One Identity Manager Identity Management Base Module Administration Guide
• One Identity Manager Target System Base Module Administration Guide
• One Identity Manager Risk Assessment Administration Guide
General Master Data for SAP Roles
Table 64: Configuration Parameters for Risk Assessment of SAP User Accounts
QER\CalculateRiskIndex: Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is set, values can be entered and calculated for the risk index.
Edit the following master data for a role.
Table 65: SAP Role Master Data
Display name: Name of the role as displayed in One Identity Manager tools. Taken from the role identifier by default.
Name: Name of the role in the target system.
Client: Client in which the role is added.
License: Role license. This task is needed for finding system measurement for user accounts and is assigned once after synchronization.
Role type: Role type for differentiating between single and collective roles.
Service item: Service item data for requesting the role through the IT Shop.
Risk index: Value for evaluating the risk of assigning the role to user accounts. Enter a value between 0 and 1. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set.
Category: Categories for role inheritance. User accounts can inherit roles selectively. To do this, roles and user accounts are divided into categories. Use this menu to allocate one or more categories to the role.
Description: Spare text box for additional explanation.
Role description: Spare text box for additional explanation.
IT Shop: Specifies whether the role can be requested through the IT Shop. This role can be requested by staff through the Web Portal and granted through a defined approval procedure. The role can still be assigned directly to employees and hierarchical roles.
Only for use in IT Shop: Specifies whether the role can only be requested through the IT Shop. This role can be requested by staff through the Web Portal and granted through a defined approval procedure. The role may not be assigned directly to hierarchical roles.
Detailed information about this topic
• Licenses on page 78
• Providing System Measurement Data on page 177
• Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles on page 102
• One Identity Manager IT Shop Administration Guide
• One Identity Manager Identity Management Base Module Administration Guide
• One Identity Manager Target System Base Module Administration Guide
• One Identity Manager Risk Assessment Administration Guide
General Master Data for SAP Profiles
Table 66: Configuration Parameters for Risk Assessment of SAP User Accounts
QER\CalculateRiskIndex: Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is set, values can be entered and calculated for the risk index.
Edit the following master data for a profile.
Table 67: SAP Profile Master Data
Display name: Name of the profile as displayed in One Identity Manager tools. The profile name is taken from the profile identifier by default.
Name: Name of the profile in the target system.
Client: Client in which the profile is added.
License: Profile license. This task is needed for finding system measurement for SAP user accounts and is assigned once after synchronization.
Profile type: Profile type for differentiating between single, collective and generated profiles.
Service item: Service item data for requesting the profile through the IT Shop.
Risk index: Value for evaluating the risk of assigning the profile to user accounts. Enter a value between 0 and 1. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set.
Category: Category for profile inheritance. User accounts can selectively inherit profiles. To do this, profiles and user accounts are divided into categories. Use this menu to allocate one or more categories to the profile.
Description: Spare text box for additional explanation.
Profile is enabled: Specifies whether the profile is enabled or a maintenance version.
Limited assignment: Specifies whether the profile is assigned to an SAP role. The profile can then no longer be directly assigned to user accounts, business roles, organizations or IT Shop shelves.
IT Shop: Specifies whether the profile can be requested through the IT Shop. This profile can be requested by staff through the Web Portal and granted through a defined approval procedure. The profile can still be assigned directly to hierarchical roles. This option cannot be enabled for generated profiles.
Only for use in IT Shop: Specifies whether the profile can only be requested through the IT Shop. This profile can be requested by staff through the Web Portal and granted through a defined approval procedure. The profile may not be assigned directly to hierarchical roles. This option cannot be enabled for generated profiles.
Detailed information about this topic
• Licenses on page 78
• Providing System Measurement Data on page 177
• Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles on page 102
• One Identity Manager IT Shop Administration Guide
• One Identity Manager Identity Management Base Module Administration Guide
• One Identity Manager Target System Base Module Administration Guide
• One Identity Manager Risk Assessment Administration Guide
Assigning SAP Groups, SAP Roles and SAP Profiles to SAP User Accounts
Groups, roles and profiles can be directly and indirectly assigned to user accounts. In the
case of indirect assignment, employees, groups, roles and profiles are arranged in
hierarchical roles. The number of groups, roles and profiles assigned to an employee is
calculated from the position in the hierarchy and the direction of inheritance. If you add an
employee to roles and that employee owns a user account, the user account is added to the
group, role or profile. Prerequisites for indirect assignment of employees to user accounts:
• Assignment of employees and groups, roles and profiles is permitted for role classes (department, cost center, location or business role).
• The user accounts are marked with the option Groups can be inherited.
• User accounts and groups, roles and profiles belong to the same SAP clients.
Furthermore, groups, roles and profiles can be assigned to employees through IT Shop requests. Add employees to a shop as customers so that groups, roles and profiles can be assigned through IT Shop requests. All groups, roles and profiles that are assigned to this shop can be requested by the customers. Requested groups, roles and profiles are assigned to the employees after approval is granted.
NOTE: Only profiles that are not assigned to an SAP role can be assigned to hierarchical roles.
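The following Python model is an added example, not code from this guide or from One Identity Manager. It checks the three prerequisites for indirect assignment listed above and the note that only profiles not assigned to an SAP role may be placed in hierarchical roles, then computes what a user account inherits through its employee's hierarchical roles. The department tree, the top-down inheritance direction, the role class names and all records are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example, not part of One Identity Manager. Assumptions: a department tree
# with top-down inheritance (a department inherits what is assigned to its parents)
# and a single SAP client per entitlement and per user account.


@dataclass
class Entitlement:
    """An SAP group, role or profile as mapped in One Identity Manager."""
    name: str
    kind: str                           # "group", "role" or "profile"
    client: str                         # SAP client the entitlement belongs to
    assigned_to_sap_role: bool = False  # only meaningful for profiles


@dataclass
class HierRole:
    """A department, cost center, location or business role."""
    name: str
    role_class: str
    parent: Optional["HierRole"] = None
    entitlements: List[Entitlement] = field(default_factory=list)
    members: List[str] = field(default_factory=list)   # employee UIDs


@dataclass
class SapUser:
    accnt: str
    client: str
    uid_person: str
    groups_inheritable: bool = True     # option "Groups can be inherited"


def assign_to_hier_role(role: HierRole, ent: Entitlement, permitted_classes: Set[str]) -> None:
    """Attach an entitlement to a hierarchical role, enforcing the rules from the text."""
    if role.role_class not in permitted_classes:          # prerequisite 1
        raise ValueError(f"assignment not permitted for role class {role.role_class!r}")
    if ent.kind == "profile" and ent.assigned_to_sap_role:  # NOTE above
        raise ValueError(f"profile {ent.name} is assigned to an SAP role")
    role.entitlements.append(ent)


def effective_entitlements(role: HierRole) -> List[Entitlement]:
    """Top-down inheritance: a role carries its own entitlements plus its ancestors'."""
    seen: Set[str] = set()
    out: List[Entitlement] = []
    node: Optional[HierRole] = role
    while node is not None:
        for ent in node.entitlements:
            if ent.name not in seen:
                seen.add(ent.name)
                out.append(ent)
        node = node.parent
    return out


def inherited_for_account(user: SapUser, roles: List[HierRole]) -> List[str]:
    """Names of entitlements the user account receives indirectly via its employee."""
    if not user.groups_inheritable:                       # prerequisite 2
        return []
    names: List[str] = []
    for role in roles:
        if user.uid_person not in role.members:
            continue
        for ent in effective_entitlements(role):
            if ent.client == user.client and ent.name not in names:   # prerequisite 3
                names.append(ent.name)
    return sorted(names)


def demo() -> Dict[str, object]:
    """Constructed sample data: what each account inherits, and whether a profile
    bound to an SAP role was rejected for a hierarchical role."""
    permitted = {"department", "cost center", "location", "business role"}
    corporate = HierRole("Corporate", "department")
    finance = HierRole("Finance", "department", parent=corporate, members=["P-001", "P-002"])
    assign_to_hier_role(corporate, Entitlement("G_ALLUSERS", "group", "100"), permitted)
    assign_to_hier_role(finance, Entitlement("Z_FI_ACCOUNTANT", "role", "100"), permitted)
    assign_to_hier_role(finance, Entitlement("P_FI_LOCAL", "profile", "200"), permitted)
    try:
        assign_to_hier_role(finance, Entitlement("P_BOUND", "profile", "100", True), permitted)
        rejected = False
    except ValueError:
        rejected = True
    users = [
        SapUser("JDOE", "100", "P-001"),
        SapUser("ASMITH", "100", "P-002", groups_inheritable=False),
        SapUser("JDOE200", "200", "P-001"),       # same employee, other client
    ]
    out: Dict[str, object] = {u.accnt: inherited_for_account(u, [corporate, finance]) for u in users}
    out["rejected_bound_profile"] = rejected
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```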
Detailed information about this topic
• Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations on page 143
• Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles on page 145
• Assigning SAP User Accounts directly to SAP Groups and SAP Profiles on page 147
• Adding SAP Groups, SAP Roles and SAP Profiles to System Roles on page 149
• Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop on page 150
• Assigning and Passing on SAP Profiles and SAP Roles to SAP User Accounts on page 154
• One Identity Manager Identity Management Base Module Administration Guide
Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations
Assign groups, roles and profiles to departments, cost centers and locations in order to
assign user accounts to them through these organizations.
To assign a group to departments, cost centers or locations (non role-based login)
1. Select the category SAP R/3 | Groups.
2. Select the group in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
• Assign departments on the Departments tab.
• Assign locations on the Locations tab.
• Assign cost centers on the Cost center tab.
- OR - Remove the organizations in Remove assignments.
5. Save the changes.
To assign a role to departments, cost centers or locations (non role-based login)
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
• Assign departments on the Departments tab.
• Assign locations on the Locations tab.
• Assign cost centers on the Cost center tab.
- OR - Remove the organizations in Remove assignments.
5. Save the changes.
To assign a profile to departments, cost centers or locations (non role-based login)
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
• Assign departments on the Departments tab.
• Assign locations on the Locations tab.
• Assign cost centers on the Cost center tab.
- OR - Remove the organizations in Remove assignments.
5. Save the changes.
To assign groups, roles or profiles to departments, cost centers or locations (non role-based login)
1. Select the category Organizations | Departments.
- OR - Select the category Organizations | Cost centers.
- OR - Select the category Organizations | Locations.
2. Select the department, cost center or location in the result list.
3. Select Assign SAP groups in the task view.
- OR - Select Assign SAP roles in the task view.
- OR - Select Assign SAP profiles in the task view.
4. Select the groups, roles or profiles in Add assignments.
- OR - Remove the groups, roles or profiles in Remove assignments.
5. Save the changes.
Related Topics
• Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles on page 145
• Assigning SAP User Accounts directly to SAP Groups and SAP Profiles on page 147
• Adding SAP Groups, SAP Roles and SAP Profiles to System Roles on page 149
• Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop on page 150
• One Identity Manager Users for Managing an SAP R/3 on page 11
Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles
Installed Module: Business Roles Module
You assign groups, roles and profiles to business roles in order to assign them to user
accounts over business roles.
To assign a group to a business role (non role-based login)
1. Select the category SAP R/3 | Groups.
2. Select the group in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR - Remove business roles from Remove assignments.
5. Save the changes.
To assign a role to a business role (non role-based login)
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR - Remove business roles from Remove assignments.
5. Save the changes.
To assign a profile to a business role (non role-based login)
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR - Remove business roles from Remove assignments.
5. Save the changes.
To assign groups, roles or profiles to a business role (non role-based login)
1. Select the category Business roles | <Role class>.
2. Select the business role in the result list.
3. Select Assign SAP groups in the task view.
- OR - Select Assign SAP roles in the task view.
- OR - Select Assign SAP profiles in the task view.
4. Select the groups, roles or profiles in Add assignments.
- OR - Remove the groups, roles or profiles in Remove assignments.
5. Save the changes.
Related Topics
• Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations on page 143
• Assigning SAP User Accounts directly to SAP Groups and SAP Profiles on page 147
• Adding SAP Groups, SAP Roles and SAP Profiles to System Roles on page 149
• Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop on page 150
• One Identity Manager Users for Managing an SAP R/3 on page 11
Assigning SAP User Accounts directly to SAP Groups and SAP Profiles
To react quickly to special requests, you can assign groups and profiles directly to
user accounts.
NOTE:
• Only profiles that are not assigned to SAP roles can be assigned to user accounts.
• Generated profiles cannot be assigned to user accounts.
The following applies if user accounts are managed by CUA:
• The group (the profile) is assigned to the central system, or
• The group's (the profile's) client is assigned as a child system to the user accounts.
To assign a group directly to user accounts
1. Select the category SAP R/3 | Groups.
2. Select the group in the result list.
3. Select Assign user accounts in the task view.
4. Assign user accounts in Add assignments.
- OR Remove user accounts in Remove assignments.
5. Save the changes.
To assign a profile directly to user accounts
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Assign user accounts in the task view.
4. Assign user accounts in Add assignments.
- OR Remove user accounts in Remove assignments.
5. Save the changes.
Related Topics
- Assigning SAP Groups and SAP Profiles Directly to an SAP User Account on page 121
- Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations on page 143
- Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles on page 145
- Adding SAP Groups, SAP Roles and SAP Profiles to System Roles on page 149
- Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop on page 150
Assigning SAP User Accounts directly to SAP Roles
To react quickly to special requests, you can assign roles directly to user accounts.
The following applies if user accounts are managed by CUA:
- The role is assigned to the central system, or
- The role's client is assigned as a child system to the user accounts.
To assign a role directly to user accounts
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Assign user accounts in the task view.
To assign a role to a user account
1. Click Add.
This inserts a new row in the table.
2. Select the user account you want to assign to the role from the User account menu.
3. Enter a validity period for the role assignment in Valid from and Valid until, if it applies.
4. Enter another user account if required.
5. Save the changes.
To edit a role assignment
1. Select the role assignment you want to edit in the table. Edit the validity period.
2. Save the changes.
To remove a role assignment
1. Select the role assignment you want to remove in the table.
2. Click Delete.
3. Save the changes.
Related Topics
- Assigning SAP Roles Directly to an SAP User Account on page 122
- Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations on page 143
- Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles on page 145
- Adding SAP Groups, SAP Roles and SAP Profiles to System Roles on page 149
- Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop on page 150
Adding SAP Groups, SAP Roles and SAP Profiles to System Roles
Installed Module: System Roles Module
Groups, roles and profiles can be added to different system roles. When you assign a
system role to an employee, the groups, roles and profiles are inherited by all SAP user
accounts that these employees have. System roles that exclusively contain SAP groups,
roles or profiles can be labeled with the system role type "SAP product". Groups, roles and
profiles can also be added to system roles that are not SAP products.
NOTE: Only profiles that are not assigned to an SAP role can be assigned to system
roles.
NOTE: Groups, roles and profiles with the option Only use in IT Shop can only be
assigned to system roles that also have this option set. For more detailed information
about providing system roles in the IT Shop, see the One Identity Manager System
Roles Administration Guide.
To assign a group to system roles
1. Select the category SAP R/3 | Groups.
2. Select the group in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR Remove system roles from Remove assignments.
5. Save the changes.
To assign a role to system roles
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR Remove system roles from Remove assignments.
5. Save the changes.
To assign a profile to system roles
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR Remove system roles from Remove assignments.
5. Save the changes.
Detailed information about this topic
- SAP Products on page 165
Related Topics
- Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations on page 143
- Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles on page 145
- Assigning SAP User Accounts directly to SAP Groups and SAP Profiles on page 147
- Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop on page 150
Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop
NOTE: Only profiles that are not assigned to SAP roles can be assigned to IT Shop shelves.
Once a group, role or profile has been assigned to an IT Shop shelf, it can be requested by the shop customers. To ensure it can be requested, further prerequisites must be met.
- The group, role or profile must be labeled with the option IT Shop.
- The group, role or profile must be assigned to a service item.
- The group, role or profile must be labeled with the option Only use in IT Shop if the group, role or profile can only be assigned to employees through IT Shop requests. Direct assignment to hierarchical roles may not be possible.
NOTE: IT Shop administrators can assign groups, roles and profiles to IT Shop
shelves in the case of role-based login. Target system administrators are not authorized to add groups, roles and profiles in the IT Shop.
To add a group, role or profile to the IT Shop
1. Select the category SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 |
Profiles (non role-based login).
- OR Select the category Entitlements | SAP groups or Entitlements | SAP roles or
Entitlements | SAP profiles (role-based login).
2. Select the group, role or profile in the result list.
3. Select Add to IT Shop in the task view.
4. Assign the group, role or profile to the IT Shop shelves in Add assignments.
5. Save the changes.
To remove a group, role or profile from individual IT Shop shelves
1. Select the category SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 |
Profiles (non role-based login).
- OR Select the category Entitlements | SAP groups or Entitlements | SAP roles or
Entitlements | SAP profiles (role-based login).
2. Select the group, role or profile in the result list.
3. Select Add to IT Shop in the task view.
4. Remove the group, role or profile from the IT Shop shelves in Remove
assignments.
5. Save the changes.
To remove a group, role or profile from all IT Shop shelves
1. Select the category SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 |
Profiles (non role-based login).
- OR Select the category Entitlements | SAP groups or Entitlements | SAP roles or Entitlements | SAP profiles (role-based login).
2. Select the group, role or profile in the result list.
3. Select Remove from all shelves (IT Shop) in the task view.
4. Confirm the security prompt with Yes.
5. Click OK.
This removes the group, role or profile from all One Identity Manager Service
shelves. All requests and assignment requests with this group, role or profile are
canceled in the process.
For more detailed information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Related Topics
- General Master Data for SAP Groups on page 138
- Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations on page 143
- Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles on page 145
- Assigning SAP User Accounts directly to SAP Groups and SAP Profiles on page 147
- Adding SAP Groups, SAP Roles and SAP Profiles to System Roles on page 149
Role Assignment Validity Period
Table 68: Configuration parameter for handling the Validity Period of requested SAP Roles
Configuration parameter | Active | Meaning
TargetSystem\SAPR3\ValidDateHandling | | Configuration parameter for handling the validity period in SAP user account assignments to SAP roles.
TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate | | This configuration parameter specifies whether the validity dates from the request procedure are copied from SAP user account assignments to SAP roles. If the configuration parameter is set, the dates "Valid from" and "Valid to" from the request procedure are not copied from SAP user account assignments to SAP roles.
Assignment of SAP roles to user accounts can be limited to set periods in your SAP R/3
environment. There are different ways of specifying time limits for role assignments in One
Identity Manager.
1. Synchronizing Role Assignments
The columns "Valid from" and "Valid to" are taken into account in the default
mapping. Synchronization writes the role assignment's validity period into the One
Identity Manager database.
2. Direct assignment of SAP roles to user accounts in the Manager
A validity period can be entered for direct assignment of roles to user accounts.
"Valid from" and "Valid to" dates are provisioned in the target system.
3. Limited time period requests in the IT Shop
A validity period for a request can be entered in the IT Shop. An entry in the table SAPUserInSAPRole only exists between the first and last days of the request's validity period.
a. Directly requesting an SAP role
Once the request is approved and the "Valid from" date has been reached,
the request recipient's SAP user account inherits the SAP role. The role
assignments are automatically canceled and deleted when the validity
period expires.
The request's validity period is copied to the table SAPUserInSAPRole by default.
This means that the data is provisioned in the SAP environment.
To prevent the request's validity date from being copied to the role assignment
- Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate" in the Designer.
b. Membership request in a hierarchical role (a department, for example)
- The hierarchical role is assigned to an SAP role.
Once the request is approved and the "Valid from" date is reached, the employee becomes a member in the hierarchical role. The employee's SAP user account inherits the SAP role. The membership is automatically canceled and the role assignment deleted when the validity period expires.
c. Request for assignment of an SAP role to a hierarchical role
- Employees with an SAP user account are members of this hierarchical role.
Once the request is approved and the "Valid from" date is reached, the SAP role is assigned to the hierarchical role. The role members' SAP user accounts inherit the SAP role. The assignment is automatically canceled and the role assignment deleted when the validity period expires.
The request's validity period is copied to the table SAPUserInSAPRole by default.
This means that the data is provisioned in the SAP environment.
To prevent the request's validity date from being copied to the role assignment
- Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate" in the Designer.
The table SAPUserInSAPRole contains all role assignments, limited and unlimited. The table
HelperSAPUserInSAPRole only contains current valid role assignments. Tables are calculated
on a schedule.
Detailed information about this topic
- Assigning SAP Roles Directly to an SAP User Account on page 122
- Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop on page 150
- One Identity Manager Web Portal User Guide
Related Topics
- Assigning SAP Groups, SAP Roles and SAP Profiles to SAP User Accounts on page 143
Assigning and Passing on SAP Profiles and SAP Roles to SAP User Accounts
The following SAP-side limitations influence the user account assignment and inheritance of profiles and roles in One Identity Manager.
- Collective profiles can be put together from 0...n profiles or collective profiles. If a user account is assigned a collective profile, the target system only returns the user account membership in the assigned collective profile and not the membership in subprofiles.
- Single roles can be put together from 0..n profiles. Only profiles that are not collective profiles can be assigned. Profiles that are assigned to a single role can no longer be assigned to a user account.
- Collective roles can be made up of 0...n single roles. Assignment of profiles or collective profiles to collective roles is not possible.
These limitations result in the following:
In assignment:
- Triggering prevents the assignment of roles which are assigned to single roles, to user accounts, products, roles and employees.
In inheritance behavior:
- If a user account is assigned a collective role that owns single roles, the single roles are not added to the table SAPuserInSAPGroupTotal.
- If a user account is assigned a single role that owns profiles, the profiles are not added to the table SAPUserInSAPProfile.
- If a user account is assigned a single role and this single role is part of a collective role that is also assigned to this user account, the single role is not added to the table SAPUserInSAPRole.
- If a user account is assigned a collective profile with child profiles, the child profiles are not added to the table SAPUserInSAPProfile.
If a user account obtains additional roles or profiles through a reference user, these roles
or profiles are only added in tables SAPUserInSAPRole and SAPUserInSAPProfile for the
reference user. When company resources assigned to an employee (table PersonHasObject)
are calculated, the roles and profiles inherited by a user account through single roles,
collective roles, collective profiles and reference users are also taken into account.
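The inheritance rules above worked through in code, as an added example that is not part of this guide or of the product: a constructed Python model derives the rows of SAPUserInSAPRole and SAPUserInSAPProfile for one user account from its assigned roles and profiles, and mirrors the trigger that rejects a profile already owned by a single role. The class, the function names and the sample role and profile names are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SapClientModel:
    """Constructed picture of an SAP client's role and profile structure
    (not the product's schema): which profiles a single role owns, which
    single roles a collective role owns, and which child profiles a
    collective profile owns."""
    single_roles: dict[str, set[str]] = field(default_factory=dict)
    collective_roles: dict[str, set[str]] = field(default_factory=dict)
    collective_profiles: dict[str, set[str]] = field(default_factory=dict)

    def validate(self) -> None:
        """Enforce the SAP-side limitations listed above."""
        for role, profiles in self.single_roles.items():
            # Single roles may only contain profiles that are not collective profiles.
            bad = profiles & set(self.collective_profiles)
            if bad:
                raise ValueError(f"single role {role} may not contain collective profiles {sorted(bad)}")
        for role, members in self.collective_roles.items():
            # Collective roles are made up of single roles only, never of profiles.
            bad = members - set(self.single_roles)
            if bad:
                raise ValueError(f"collective role {role} may only contain single roles, not {sorted(bad)}")

    def owning_single_role(self, profile: str) -> str | None:
        """Single role that owns the profile, or None if the profile is free."""
        for role, profiles in self.single_roles.items():
            if profile in profiles:
                return role
        return None


def check_profile_assignable(model: SapClientModel, profile: str) -> None:
    """Mirror of the trigger described above: a profile that is assigned to a
    single role can no longer be assigned to a user account."""
    owner = model.owning_single_role(profile)
    if owner is not None:
        raise ValueError(f"profile {profile} belongs to single role {owner} and cannot be assigned to a user account")


def membership_tables(model, assigned_roles, assigned_profiles):
    """Rows that end up in SAPUserInSAPRole and SAPUserInSAPProfile for one
    user account, following the inheritance rules above (two sets)."""
    model.validate()
    for profile in assigned_profiles:
        check_profile_assignable(model, profile)
    # A single role that also sits inside an assigned collective role is not
    # listed; only the collective role itself is.
    covered_single_roles: set[str] = set()
    for role in assigned_roles:
        covered_single_roles |= model.collective_roles.get(role, set())
    user_in_role = {r for r in assigned_roles if r not in covered_single_roles}
    # Child profiles of an assigned collective profile are not listed either;
    # profiles owned by single roles were already rejected above.
    covered_profiles: set[str] = set()
    for profile in assigned_profiles:
        covered_profiles |= model.collective_profiles.get(profile, set())
    user_in_profile = {p for p in assigned_profiles if p not in covered_profiles}
    return user_in_role, user_in_profile


# Constructed sample client; all names are invented for this example.
SAMPLE = SapClientModel(
    single_roles={"S_BUYER": {"P_BUYER"}, "S_PAYER": {"P_PAYER"}, "S_AUDIT": set()},
    collective_roles={"C_FINANCE": {"S_PAYER", "S_AUDIT"}},
    collective_profiles={"CP_READ": {"P_READ_A", "P_READ_B"}},
)


def demo():
    """User account assigned a collective role, one of its single roles again
    directly, a further single role, a collective profile, one of its child
    profiles directly, and one free profile."""
    return membership_tables(
        SAMPLE,
        assigned_roles={"C_FINANCE", "S_PAYER", "S_BUYER"},
        assigned_profiles={"CP_READ", "P_READ_A", "P_FREE"},
    )


if __name__ == "__main__":
    roles, profiles = demo()
    print("SAPUserInSAPRole:", sorted(roles))        # ['C_FINANCE', 'S_BUYER']
    print("SAPUserInSAPProfile:", sorted(profiles))  # ['CP_READ', 'P_FREE']
```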
Additional Tasks for Managing SAP Groups, SAP Roles and SAP Profiles
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of SAP Groups, SAP Roles and SAP Profiles
To obtain an overview of a group
1. Select the category SAP R/3 | Groups.
2. Select the group in the result list.
3. Select SAP group overview in the task view.
To obtain an overview of a profile
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select SAP profile overview in the task view.
To obtain an overview of a role
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select SAP role overview in the task view.
Effectiveness of SAP Groups, SAP Roles and SAP Profiles
NOTE: For ease of understanding, the behavior is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.
Table 69: Configuration Parameter for Conditional Inheritance
Configuration parameter | Active | Meaning
QER\Structures\Inherite\GroupExclusion | | Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. The database has to be recompiled after changes have been made to the parameter.
When groups are assigned to user accounts an employee may obtain two or more groups,
which are not permitted in this combination. To prevent this, you can declare mutually
exclusive groups. To do this, you specify which of the two groups should apply to the user
accounts if both are assigned.
It is possible to assign an excluded group directly, indirectly or by IT Shop request at any
time. One Identity Manager determines whether the assignment is effective.
NOTE:
- You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes group A" is not permitted.
- You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
The effect of the assignments is mapped in the tables SAPUserInSAPGrp and BaseTreeHasSAPGrp through the column XIsInEffect.
Example of the effect of group memberships
- Group A is defined with permissions for triggering requests in a client. A group B is authorized to make payments. A group C is authorized to check invoices.
- Group A is assigned through the department "Marketing", group B through "Finance" and group C through the business role "Control group".
Clara Harris has a user account in this client. She primarily belongs to the department
"marketing". The business role "Control group" and the department "Finance" are assigned
to her secondarily. Without an exclusion definition, the user account obtains all the
permissions of groups A, B and C.
By using suitable controls, you want to prevent an employee from being able to trigger a
request and to pay invoices. That means, groups A, B and C are mutually exclusive. An
employee that checks invoices may not be able to make invoice payments as well. That
means, groups B and C are mutually exclusive.
Table 70: Specifying excluded groups (table SAPGrpExclusion)
Effective Group
Excluded Group
Group A
Group B
Group A
Group C
Group B
Table 71: Effective Assignments
Employee | Member in Role | Effective Group
Ben King | Marketing | Group A
Jan Bloggs | Marketing, finance | Group B
Clara Harris | Marketing, finance, control group | Group C
Jenny Basset | Marketing, control group | Group A, Group C
Only the group C assignment is in effect for Clara Harris. It is published in the target
system. If Clara Harris leaves the business role "control group" at a later date, group B
also takes effect.
The groups A and C are in effect for Jenny Basset because the groups are not defined as
mutually exclusive. If this should not be allowed, define further exclusion for group C.
Table 72: Excluded groups and effective assignments
Employee
Member in
Role
Assigned
Group
Jenny
Basset
Marketing
Group A
Control group
Group C
Excluded
Group
Effective
Group
Group C
Group B
Group A
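The example above carried through in code, as an added example that is not part of this guide or of the product: each entry of the constructed exclusion list is a pair (effective group, excluded group), meaning that the excluded group loses its effect whenever both are assigned to the same account. This encoding of the exclusion table, the function names and the data structures are assumptions of the example; the employees, roles and groups are the ones from the text.

```python
"""Constructed model of the XIsInEffect calculation for mutually exclusive
SAP groups (not the product's code)."""

# Constructed stand-in for the exclusion table: (effective group, excluded group).
# B applies over A and C applies over B; A and C are not mutually exclusive.
EXCLUSIONS = [("Group B", "Group A"), ("Group C", "Group B")]

# Groups assigned through hierarchical roles, as in the example above.
ROLE_GROUPS = {
    "Marketing": {"Group A"},
    "Finance": {"Group B"},
    "Control group": {"Group C"},
}

# Primary and secondary memberships; the distinction does not matter here.
MEMBERSHIPS = {
    "Ben King": ["Marketing"],
    "Jan Bloggs": ["Marketing", "Finance"],
    "Clara Harris": ["Marketing", "Finance", "Control group"],
    "Jenny Basset": ["Marketing", "Control group"],
}


def validate_exclusions(rules):
    """Reject what the note above forbids: a pair defined in both directions
    (and, as a sanity check, a group excluding itself)."""
    seen = set()
    for effective, excluded in rules:
        if effective == excluded:
            raise ValueError(f"{effective} cannot exclude itself")
        if (excluded, effective) in seen:
            raise ValueError(f"{effective} and {excluded} may not exclude each other")
        seen.add((effective, excluded))
    return seen


def effectiveness(assigned, rules):
    """XIsInEffect per assigned group. A group loses its effect as soon as any
    assigned group is defined as effective over it; whether that overriding
    group is itself in effect does not matter. That is why Clara Harris keeps
    only group C although group B, which overrides A, is itself overridden."""
    rules = validate_exclusions(rules)
    assigned = set(assigned)
    overridden = {excluded for effective, excluded in rules if effective in assigned}
    return {group: group not in overridden for group in sorted(assigned)}


def assigned_groups(employee):
    """Union of the groups reached through the employee's role memberships."""
    return set().union(*(ROLE_GROUPS[role] for role in MEMBERSHIPS[employee]))


def effective_groups(employee, rules=EXCLUSIONS):
    """Groups whose assignment is in effect and therefore published to the target system."""
    flags = effectiveness(assigned_groups(employee), rules)
    return {group for group, in_effect in flags.items() if in_effect}


if __name__ == "__main__":
    for employee in MEMBERSHIPS:
        print(employee, sorted(effective_groups(employee)))
    # Table 72: a further exclusion for group C also takes group A out of effect.
    extended = EXCLUSIONS + [("Group C", "Group A")]
    print("Jenny Basset (extended)", sorted(effective_groups("Jenny Basset", extended)))
```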
Prerequisites
- The configuration parameter "QER\Inherite\GroupExclusion" is enabled.
- Mutually exclusive groups, roles and profiles belong to the same client.
To exclude a group
1. Select the category SAP R/3 | Groups.
2. Select the group in the result list.
3. Select Exclude groups in the task view.
4. Assign the groups that are mutually exclusive to the selected group in Add
assignments.
- OR Remove the conflicting groups that are no longer mutually exclusive in Remove
assignments.
5. Save the changes.
To exclude roles
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Exclude SAP roles in the task view.
4. Assign the roles that are mutually exclusive to the selected role in Add
assignments.
- OR Remove roles that are no longer mutually exclusive in Remove assignments.
5. Save the changes.
To exclude profiles
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Exclude roles in the task view.
4. Assign the profiles that are mutually exclusive to the selected profile in Add
assignments.
- OR Remove profiles that are no longer mutually exclusive in Remove assignments.
5. Save the changes.
Inheriting SAP Groups, SAP Roles and SAP Profiles based on Categories
NOTE: For ease of understanding, the behavior is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.
In One Identity Manager, groups can be selectively inherited by user accounts. For this,
groups and user accounts are divided into categories. The categories can be freely selected
and are specified by a template. Each category is given a specific position within the
template. The mapping rule contains different tables. Use the user account table to specify
categories for target system dependent user accounts. Enter your categories for the
structural profiles, administrative roles, subscriptions and disabled service plans in the .
Each table contains the category items "Position1" to "Position31".
Every user account can be assigned to one or more categories. Each group can also be
assigned to one or more categories. The group is inherited by the user account when at
least one user account category item matches an assigned group. The group is also
inherited by the user account if the group or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when groups are
assigned indirectly through hierarchical roles. Categories are not taken into account
when groups are directly assigned to user accounts.
Table 73: Category Examples
Category Position | Categories for User Accounts | Categories for Groups
1 | Default user | Default permissions
2 | System user | System user permissions
3 | System administrator | System administrator permissions
Figure 4: Example of inheriting through categories.
To use inheritance through categories
- Define the categories in the client.
NOTE: If central user administration is implemented, define the categories in the central system as well as in the child system. The same categories must be defined in the child system as in the central system so that groups from a child system can be inherited by user accounts.
- Assign categories to user accounts through their master data.
- Assign categories to groups, roles and profiles through their master data.
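Category-based inheritance as an added example, not the guide's or the product's code: categories are modelled as a 31-bit mask over Position1 to Position31, and the resolver applies the rules above (a shared position, an uncategorized account or group, or a direct assignment lets the group through). The mask encoding, the function names and the sample group names are assumptions of the example; the positions come from Table 73.

```python
"""Constructed model of inheriting SAP groups through categories (not the product's code)."""

# Table 73 positions, used only for readable output; storing categories as a
# bit mask is an assumption of this example.
POSITION_NAMES = {1: "Default user", 2: "System user", 3: "System administrator"}


def category_mask(*positions):
    """Pack category positions (Position1..Position31) into one integer; bit 0 is Position1."""
    mask = 0
    for position in positions:
        if not 1 <= position <= 31:
            raise ValueError(f"position {position} is outside Position1..Position31")
        mask |= 1 << (position - 1)
    return mask


def positions_of(mask):
    """Inverse of category_mask: the set positions in ascending order."""
    return [p for p in range(1, 32) if (mask >> (p - 1)) & 1]


def inherits(user_mask, group_mask, direct=False):
    """Does the group reach the user account?
    - direct assignments ignore categories entirely;
    - an uncategorized user account or an uncategorized group always matches;
    - otherwise at least one category position must be shared."""
    if direct:
        return True
    if user_mask == 0 or group_mask == 0:
        return True
    return (user_mask & group_mask) != 0


def resolve_groups(user_mask, role_groups, direct_groups=()):
    """Groups a user account ends up with. role_groups maps each group assigned
    through hierarchical roles to its category mask; direct_groups are assigned
    to the account itself and bypass the category check."""
    result = set(direct_groups)
    result |= {group for group, mask in role_groups.items() if inherits(user_mask, mask)}
    return result


# Constructed sample: group names are invented for this example.
ROLE_GROUPS = {
    "SAP_DEFAULT": category_mask(1),       # Default permissions
    "SAP_SYS_OPS": category_mask(2, 3),    # System user / system administrator permissions
    "SAP_UNCATEGORIZED": 0,                # no category at all: inherited by everyone
}


def demo():
    """A default user (Position1) and a system administrator (Position3) resolved
    against ROLE_GROUPS; the administrator also has SAP_DEFAULT assigned directly."""
    default_user = resolve_groups(category_mask(1), ROLE_GROUPS)
    admin = resolve_groups(category_mask(3), ROLE_GROUPS, direct_groups={"SAP_DEFAULT"})
    return default_user, admin


if __name__ == "__main__":
    for mask in (category_mask(1), category_mask(2, 3)):
        print(mask, [POSITION_NAMES[p] for p in positions_of(mask)])
    print(demo())
```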
Related Topics
- Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles on page 102
- General Master Data for an SAP User Account on page 110
- General Master Data for SAP Groups on page 138
- General Master Data for SAP Roles on page 140
- General Master Data for SAP Profiles on page 141
Assigning Extended Properties to SAP Groups, SAP Roles and SAP Profiles
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for a group
1. Select the category SAP R/3 | Groups.
2. Select the group in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
- OR Remove extended properties from Remove assignments.
5. Save the changes.
To specify extended properties for a role
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
- OR Remove extended properties from Remove assignments.
5. Save the changes.
To specify extended properties for a profile
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
- OR Remove extended properties from Remove assignments.
5. Save the changes.
Showing SAP Authorizations
You can view authorization objects and authorizations of SAP roles and profiles in One
Identity Manager. All single profiles with their associated authorization objects and fields
are displayed in a hierarchical overview.
To display role authorizations
1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Show SAP authorizations in the task view.
To display profile authorizations
1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Show SAP authorizations in the task view.
Calculating the Validity Date of Inherited Role Assignments
Table 74: Configuration Parameters for handling Validity Dates from indirectly assigned SAP Roles
Configuration parameter | Active | Meaning
TargetSystem\SAPR3\ValidDateHandling | | Configuration parameter for handling the validity period in SAP user account assignments to SAP roles.
TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate | | This configuration parameter specifies whether the validity date's format of inherited SAP user account assignments to SAP roles remains intact. The configuration parameter is only relevant in systems that were migrated from a pre 7.0 version. If the configuration parameter is set, the format of the dates "Valid from" and "Valid to" stays the same if SAP user account assignments to roles are inherited.
TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate\UseTodayForInheritedValidFrom | | This configuration parameter specifies whether the "Valid from" date in inherited SAP user account assignments to SAP roles is set to <Today> or to "1900-01-01".
The validity dates of indirectly assigned SAP roles have been saved in the One Identity Manager database in a different format since One Identity Manager version 7.0.
Table 75: Default Date Format for Validity Dates for indirectly assigned SAP Roles (Table SAPUserInSAPRole)
One Identity Manager version | Valid from (ValidFrom) | Valid until (ValidUntil)
>= 7.0 | 1900-01-01 | 9999-12-31
< 7.0 | Date on which the role assignment was created | 9998-12-31
Existing validity dates in databases migrated from versions older than 7.0 remain as they are. Once inheritance is recalculated for a user account, all indirectly assigned SAP roles are saved with new validity dates. These changes are immediately provisioned in SAP. This might result in a heavy load on the connected SAP system.
To prevent validity dates from adjusting to the new format when recalculating inheritance
- Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate" in the Designer.
IMPORTANT: In order to ensure that the validity period is correctly calculated straight after migration, set the configuration parameter with a custom change in the migration package. For more detailed information about creating a custom migration package, see the One Identity Manager 7.0.2 Migration Guide to Upgrading Previous Versions of One Identity Manager.
If the configuration parameter is set, the validity date format stays the same for existing
indirect role assignments meaning that no provisioning tasks are queued. These
assignments are not reworked during synchronization with revision filtering.
The new date format is used for newly added indirect assignments. Therefore, it is not obvious when the assignment is valid in the SAP R/3 environment after provisioning. If this information is required, you can enter the actual date on which the role assignment is created in the "Valid from" date.
To apply the current date as "Valid from" date for new indirect assignments
- Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate\UseTodayForInheritedValidFrom" in the Designer.
The date the role assignment was created is entered in the "Valid from" date if it is an indirect assignment.
IMPORTANT: Calculating indirect role assignments can become much slower depending on the amount of data to be processed. If it is not really necessary to know since when the role assignment is valid in the SAP R/3 environment, do not set this configuration parameter.
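The date handling described in this section and under "Role Assignment Validity Period" above, as an added example that is not the guide's or the product's code: a constructed Python model of SAPUserInSAPRole rows shows what DoNotUsePWODate, ReuseInheritedDate and UseTodayForInheritedValidFrom change, which rows a recalculation of inheritance would rewrite (and therefore provision), and the HelperSAPUserInSAPRole view of currently valid assignments. The row class, the function names and the sample rows are assumptions; that the child parameter only takes effect together with its parent is modelled here, not quoted from the guide.

```python
"""Constructed model of validity dates in SAPUserInSAPRole under the
TargetSystem\\SAPR3\\ValidDateHandling parameters (not the product's code)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

NEW_VALID_FROM = date(1900, 1, 1)      # Table 75, version >= 7.0
NEW_VALID_UNTIL = date(9999, 12, 31)
OLD_VALID_UNTIL = date(9998, 12, 31)   # Table 75, version < 7.0


@dataclass(frozen=True)
class RoleAssignment:
    """One row of a constructed SAPUserInSAPRole-like table."""
    user: str
    role: str
    valid_from: Optional[date]
    valid_until: Optional[date]
    indirect: bool  # inherited through hierarchical or system roles, not assigned or requested directly


def request_assignment(user, role, pwo_valid_from, pwo_valid_until, do_not_use_pwo_date=False):
    """Direct IT Shop request of an SAP role (case 3a above): by default the request's
    validity period is copied to the role assignment and provisioned; with
    DoNotUsePWODate set, the assignment carries no dates from the request."""
    if do_not_use_pwo_date:
        return RoleAssignment(user, role, None, None, indirect=False)
    return RoleAssignment(user, role, pwo_valid_from, pwo_valid_until, indirect=False)


def recalculate_inheritance(rows, reuse_inherited_date=False, use_today=False, today=None):
    """Re-evaluate the indirect assignments and return (rows afterwards, rows whose
    dates were written); the second list is what would be provisioned to SAP.
    UseTodayForInheritedValidFrom is a child of ReuseInheritedDate and is modelled
    as effective only together with it."""
    today = today or date.today()
    valid_from_for_new = today if (reuse_inherited_date and use_today) else NEW_VALID_FROM
    result, written = [], []
    for row in rows:
        if not row.indirect:
            result.append(row)                      # direct and requested rows are not touched
            continue
        if row.valid_from is None:                  # newly added indirect assignment
            new = replace(row, valid_from=valid_from_for_new, valid_until=NEW_VALID_UNTIL)
        elif row.valid_until == OLD_VALID_UNTIL and not reuse_inherited_date:
            new = replace(row, valid_from=NEW_VALID_FROM, valid_until=NEW_VALID_UNTIL)  # migrated row reworked
        else:
            new = row                               # already in the new format, or kept by ReuseInheritedDate
        result.append(new)
        if new != row:
            written.append(new)
    return result, written


def currently_valid(rows, today):
    """HelperSAPUserInSAPRole-like view: only the assignments valid on the given day."""
    return [r for r in rows
            if (r.valid_from is None or r.valid_from <= today)
            and (r.valid_until is None or today <= r.valid_until)]


# Constructed sample: one row migrated from a pre-7.0 database, one new indirect
# assignment without dates yet, and one requested assignment with a limited period.
SAMPLE_ROWS = [
    RoleAssignment("USER1", "Z_SD_DISPLAY", date(2016, 3, 1), OLD_VALID_UNTIL, indirect=True),
    RoleAssignment("USER1", "Z_MM_DISPLAY", None, None, indirect=True),
    request_assignment("USER1", "Z_FI_CLERK", date(2018, 1, 1), date(2018, 6, 30)),
]

if __name__ == "__main__":
    for flags in ({}, {"reuse_inherited_date": True}, {"reuse_inherited_date": True, "use_today": True}):
        _, written = recalculate_inheritance(SAMPLE_ROWS, today=date(2018, 5, 2), **flags)
        print(flags, "rows provisioned:", [(r.role, r.valid_from, r.valid_until) for r in written])
```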
8 SAP Products
Installed Module: System Roles Module
You can define One Identity Manager products as a collection of different groups, roles or
profiles in SAP. SAP products are system roles with the system role type "SAP product".
Employees can obtain SAP products directly, inherit them through hierarchical roles or request them in the IT Shop.
The employee’s user account is assigned the groups, roles and profiles in the SAP product
independent of the assignment method. If an SAP product changes by adding or removing a
group, role or a profile in One Identity Manager, user account memberships are changed
accordingly.
To edit SAP products
1. Select the category SAP R/3 | Products.
2. Select an SAP product in the result list.
- OR Click in the result list toolbar.
This opens the master data form for a system role.
3. Edit the system role's master data.
4. Save the changes.
Detailed information about this topic
- One Identity Manager System Roles Administration Guide
General Master Data for SAP Products
Table 76: Configuration Parameters for Risk Assessment of SAP User Accounts
Configuration parameter | Active | Meaning
QER\CalculateRiskIndex | | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is set, values can be entered and calculated for the risk index.
Enter the following data for a system role.
Table 77: System Role Master Data
Property | Description
Display name | Name for displaying the system roles in One Identity Manager tools.
System role | Unique identifier for the system role.
Internal product names | An additional internal name for the system role.
System role type | Specifies the type of company resources, which comprise the system role.
Service item | In order to use a service item within the IT Shop, assign a service item to it or add a new service item. For more information about service items, see the One Identity Manager IT Shop Administration Guide.
System role manager | You can assign any employee to be a manager for the system role. This employee can edit system role master data. They can be used as attestors for system role properties.
Share date | Specify a date for enabling the system role. If the date is in the future, the system role is considered to be disabled. If the date is reached, the system role is enabled. Employees inherit company resources that are assigned to the system role. If the share date is exceeded or no date is entered, the system role is handled as an enabled system role. Company resource inheritance can be controlled with the option Disabled in these cases. NOTE: Configure and set the schedule "Share system roles" in the Designer to check the share date. For more information about schedules, see the One Identity Manager Configuration Guide.
Risk index (calculated) | Maximum risk index values for all company resources. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set. For more information about calculating risk indexes, see the One Identity Manager Risk Assessment Administration Guide.
Comment | Spare text box for additional explanation.
Remarks | Spare text box for additional explanation.
Description | Spare text box for additional explanation.
Disabled | Specifies whether employees inherit the company resources contained in the system role. If the option is set, the system role can be assigned to employees. However, they cannot inherit the company resources contained in the system role. If the option is not set, the employees that are assigned the system role immediately inherit company resources allocated to the system role. If the option is enabled at a later date, existing assignments are removed.
IT Shop | Specifies whether the system role can be requested through the IT Shop. This system role can be requested by staff through the Web Portal and the request granted by a defined approval procedure. The system role can still be assigned directly to employees and hierarchical roles. For more information about the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Only for use in IT Shop | Specifies whether the system role can only be requested through the IT Shop. This system role can be requested by staff through the Web Portal and the request granted by a defined approval procedure. The system role may not be assigned directly to hierarchical roles.
Spare field no. 01 ... spare field no. 10 | Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
For more detailed information about system roles, see the One Identity Manager System Roles Administration Guide.
SAP Product Assignments to Employees
SAP products can be assigned directly or indirectly to employees. In the case of indirect
assignment, employees and SAP products are arranged in hierarchical roles. The number
of SAP products assigned to an employee is calculated from the position in the hierarchy
and the direction of inheritance.
If you add an employee to roles and that employee owns a user account, the user account
is added to all groups, roles or profiles included in the SAP products owned by the
employee. The groups, roles or profiles are not inherited if the SAP product is disabled or if
the share date is still in the future.
Prerequisites for indirect assignment:
• Assignment of system roles, employees, groups, roles and profiles is permitted for role classes (department, cost center, location or business role).
• The user accounts are marked with the option Groups can be inherited.
• User accounts and groups, roles and profiles belong to the same SAP clients.
Furthermore, SAP products can be assigned to employees through IT Shop requests. To do this, add employees to a shop as customers. All SAP products assigned to this shop can be requested by the customers. Requested SAP products are assigned to the employees after approval is granted.
Detailed information about this topic
• Assigning SAP Products to Organizations on page 168
• Assigning SAP Products to Business Roles on page 169
• Assigning SAP Products directly to Employees on page 170
• Adding SAP Products in System Roles on page 170
• Adding SAP Products to the IT Shop on page 171
• One Identity Manager Identity Management Base Module Administration Guide
Related Topics
• Assigning SAP Groups, SAP Roles and SAP Profiles to SAP User Accounts on page 143
Assigning SAP Products to Organizations
Assign SAP products to departments, cost centers and locations in order to assign
employees to them through these organizations.
To assign an SAP product to departments, cost centers or locations
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign organizations.
4. Assign organizations in Add assignments.
• Assign departments on the Departments tab.
• Assign locations on the Locations tab.
• Assign cost centers on the Cost center tab.
- OR Remove the organizations in Remove assignments.
5. Save the changes.
Related Topics
• Assigning SAP Products to Business Roles on page 169
• Adding SAP Products to the IT Shop on page 171
• Assigning SAP Products directly to Employees on page 170
• Adding SAP Products in System Roles on page 170
• Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations on page 143
Assigning SAP Products to Business Roles
Installed Module: Business Roles Module
You assign SAP products to business roles in order to assign them to user accounts through business roles.
To assign an SAP product to business roles
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR Remove business roles from Remove assignments.
5. Save the changes.
Related Topics
• Assigning SAP Products to Organizations
• Adding SAP Products in System Roles on page 170
• Assigning SAP Products directly to Employees on page 170
• Adding SAP Products to the IT Shop on page 171
• Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles on page 145
Assigning SAP Products directly to Employees
You can assign SAP products directly to employees. All groups, roles and profiles assigned to this SAP product can be inherited by these employees.
To assign an SAP product directly to employees
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign to employees in the task view.
4. Assign employees in Add assignments.
- OR Remove employees from Remove assignments.
5. Save the changes.
Related Topics
• Assigning SAP Products to Organizations on page 168
• Assigning SAP Products to Business Roles on page 169
• Adding SAP Products to the IT Shop on page 171
• Adding SAP Products in System Roles on page 170
Adding SAP Products in System Roles
You can group individual SAP products into a package. To do this, you assign SAP products
to system roles.
NOTE: SAP products with the option Only use in IT Shop set can only be assigned
to system roles that also have this option set.
To assign an SAP product to system roles
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign system roles in the task view.
4. Select the tab System role contained in to assign parent system roles.
• Assign system roles in Add assignments.
- OR Remove assignments to system roles in Remove assignments.
5. Select the tab System role contains to assign child system roles.
• Assign system roles in Add assignments.
- OR Remove assignments to system roles in Remove assignments.
6. Save the changes.
Related Topics
• Assigning SAP Products to Organizations on page 168
• Assigning SAP Products to Business Roles on page 169
• Assigning SAP Products directly to Employees on page 170
• Adding SAP Products to the IT Shop on page 171
• Adding SAP Groups, SAP Roles and SAP Profiles to System Roles on page 149
Adding SAP Products to the IT Shop
Once an SAP product has been assigned to an IT Shop shelf, it can be requested by the shop customers. To ensure the SAP product is requestable, the following prerequisites must also be met.
• The SAP product must be labeled with the option IT Shop.
• The SAP product must be assigned to a service item.
• The SAP product must also be labeled with the option Only use in IT Shop if the SAP product can only be assigned to employees using IT Shop requests. Then, the SAP product may no longer be assigned directly to hierarchical roles.
To add an SAP product to the IT Shop
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Add to IT Shop in the task view.
4. Add the SAP product to the IT Shop shelves in Add assignments.
5. Save the changes.
To remove an SAP product from individual IT Shop shelves
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Add to IT Shop in the task view.
4. Remove the SAP product from the IT Shop shelves in Remove assignments.
5. Save the changes.
To remove an SAP product from all IT Shop shelves
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Remove from all shelves (IT Shop) in the task view.
4. Confirm the security prompt with Yes.
5. Click OK.
The SAP product is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests are canceled along with the SAP
product as a result.
For more detailed information about providing products in the IT Shop, see the One
Identity Manager IT Shop Administration Guide.
Related Topics
• Assigning SAP Products directly to Employees on page 170
• Assigning SAP Products to Organizations on page 168
• Adding SAP Products in System Roles on page 170
• Assigning SAP Products to Business Roles on page 169
• Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop on page 150
Additional Tasks for Managing SAP Products
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of SAP Products
To obtain an overview of an SAP product
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select System role overview in the task view.
Assigning SAP Groups, SAP Roles and SAP Profiles to an SAP Product
Assign the groups, roles and profiles you want to include to the SAP product. Employees to whom you assign this SAP product inherit these groups, roles and profiles.
NOTE: Groups, roles and profiles with the option Only use in IT Shop can only be
assigned to SAP products that also have this option set.
NOTE: Groups, roles and profiles can also be added to system roles that are not SAP
products.
To assign groups to an SAP product
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign SAP groups in the task view.
4. Assign groups in Add assignments.
- OR Remove groups in Remove assignments.
5. Save the changes.
To assign profiles to an SAP product
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign SAP profiles in the task view.
4. Assign profiles in Add assignments.
- OR Remove profiles in Remove assignments.
5. Save the changes.
To assign roles to an SAP product
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign SAP roles in the task view.
4. Assign roles in Add assignments.
- OR Remove roles in Remove assignments.
5. Save the changes.
Related Topics
• SAP Product Assignments to Employees on page 168
Assigning Account Definitions to SAP Products
Use this task to add account definitions to an SAP product. If you assign the SAP
product to employees, the account definitions contained in the SAP product are inherited
by the employees.
NOTE: Account definitions with the option Only use in IT Shop set can only be assigned to SAP products that also have this option set.
To assign account definitions to an SAP product
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign account definitions.
4. Assign account definitions in Add assignments.
- OR Remove account definitions in Remove assignments.
5. Save the changes.
Detailed information about this topic
• Setting Up Account Definitions
Assigning Subscribable Reports to SAP Products
Installed Module: Report Subscription Module
Use this task to add subscribable reports to an SAP product. If you assign the SAP
product to employees, the subscribable reports contained in the SAP product are
inherited by the employees.
NOTE: Subscribable reports with the option Only use in IT Shop set, can only be
assigned to SAP products that also have this option set.
To assign subscribable reports to an SAP product
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign subscribable reports in the task view.
4. Assign subscribable reports in Add assignments.
- OR Remove subscribable reports in Remove assignments.
5. Save the changes.
Detailed information about this topic
• One Identity Manager Report Subscriptions Administration Guide
Assigning Extended Properties to SAP Products
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for an SAP product
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
- OR Remove extended properties from Remove assignments.
5. Save the changes.
Related Topics
• Assigning Extended Properties to SAP Groups, SAP Roles and SAP Profiles on page 161
Edit Conflicting System Roles
Table 78: Configuration Parameters for Editing Mutually Exclusive Roles
Configuration parameter: QER\Structures\ExcludeStructures
Meaning: Preprocessor relevant configuration parameter for controlling the model parts that specify conflicts between roles. Changes to the parameter require recompiling the database. If the parameter is set, you can specify which roles are mutually exclusive.
It is possible that employees may not own certain groups, roles and profiles at the same
time. To avoid this, you can assign mutually exclusive groups, roles and profiles to
different SAP products. Define these SAP products afterward as conflicting system roles.
This means that conflicting system roles can be grouped together into a system role.
NOTE: Only SAP products that are defined directly as conflicting system roles cannot be assigned to the same employee. Definitions made on parent or child SAP products do not affect the assignment.
To implement conflicting system roles
• Set the configuration parameter "QER\Structures\ExcludeStructures" in the Designer and compile the database.
To define conflicting system roles
1. Select the category SAP R/3 | Products.
2. Select the SAP product in the result list for which you want to define conflicting
system roles.
3. Select Edit conflicting system roles from the task view.
4. Double-click on the system roles in Add assignments to exclude them from the
selected SAP product.
- OR Double-click on the system roles in Remove assignments which are no
longer excluded.
5. Save the changes.
9 Providing System Measurement Data
User account license information can be mapped in One Identity Manager. An employee
can have several user accounts which belong to different clients and systems. The
employee's most significant user account is required for system measurement. This user
account is determined as a chargeable user account by system measurement. One Identity
Manager calculates user account ratings from the licenses assigned.
The employee's most significant user account is automatically determined from all user accounts not managed through CUA. CUA user accounts are mapped in the license information in One Identity Manager and can be edited. The most significant user account is not, however, determined automatically for them.
System measurement data is supplied in One Identity Manager. The actual measurement
takes place in the target system.
To make system measurement data available
1. Set the option Enable system measurement in the SAP system.
2. Set the option Has user administration in the client.
3. Enter the license data
a. Enter the license for roles and profiles. One Identity Manager finds the user
account's licenses from the licenses of all roles and profiles in which the user
account is a member.
– OR –
b. Enter the active license directly in the user account.
One Identity Manager calculates the most significant user account license from the
licenses entered.
4. Publish the measurement data.
The calculated licenses are transferred to the active licenses. Active licenses are
published in the target system. System measurement can be carried out there.
Detailed information about this topic
• SAP Systems on page 99
• General Master Data for an SAP Client on page 100
• Finding Licenses using SAP Roles and SAP Profiles on page 181
• Entering licenses for SAP User Accounts on page 180
• Transferring Calculated Licenses on page 184
Mapping Measurement Data
Measurement data is displayed on the master data form for user accounts which
are not CUA.
To display measurement data
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Change to the Inventory data tab.
This opens the master data form with synchronized and calculated data for system measurement.
The following license information is displayed on the form.
Table 79: User Account Measurement Data
Active license: User account's license. The active license is loaded into the One Identity Manager database by synchronization or found from the calculated, employee-related license.
NOTE: The active license can be edited directly and changed. Changes to the active license are published immediately in the target system. The licenses stored with the roles and profiles are not effective in this case.
NOTE: If licenses are stored with roles or profiles in which the user account is a member and the task Publishing calculated licenses is run, the active license stored directly with the user account is overwritten by the calculated license!
Special version ID: License extension for the installed special version. Select the special version ID from the menu. This is only enabled if special versions are permitted for the active license.
Country surcharge: Additional license fee. This is only enabled if country surcharges are permitted for the active license.
Substitute: Link to the user account which takes over as deputy for a specified time period. This field is only active if "04 (substitute)" or "11 (Multi-client/system)" is entered. The substitute user account obtains roles and profiles of the displayed user account for a specified time period.
Substituted from, Substituted until: Time period in which another user account assumes responsibility. These input fields are enabled if the active license is set to "04 (substitute)".
Calculated license (client): License determined from the roles and profiles assigned to the user account within the client.
Calculated license (employee): License of the most significant employee user account. The client related calculated license is entered for the most significant user account. For all the other employee's user accounts, the employee related calculated license "11 (Multi-client/system user)" is entered. This also contains a reference to the calculated most significant user account (Calculated ref. name).
Calculated ref. name: Link to the calculated most significant user account if "11 (Multi-client/system user)" is entered.
If the user accounts are managed over CUA, measurement data is displayed for each user account assignment to the target system and to its child systems.
To display measurement data for a centrally administered user account
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Assign SAP licenses in client systems in the task view.
4. Select an assignment in the table.
The following license information is displayed on the form.
Table 80: Measurement Data for a Centrally Administrated User Account
Recipient client: Client containing the user account which is assigned a license. You can select the central system or an assigned child system.
License: User account license in the selected client.
License extension: License extension for the installed special version. Select the special version ID from the menu.
Country surcharge: Additional license fee.
Chargeable system: SAP system containing the client to be charged. This field is only shown if "04 (substitute)" or "11 (Multi-client/system)" is entered.
Chargeable client: Client containing the user account to be charged. This field is only shown if "04 (substitute)" or "11 (Multi-client/system)" is entered.
Chargeable user account: User account to be charged if "04 (substitute)" or "11 (Multi-client/system)" is entered.
Substituted from, Substituted until: Time period in which another user account assumes responsibility. These input fields are enabled if the active license is set to "04 (substitute)".
Related Topics
• Entering licenses for SAP User Accounts on page 180
• Finding Licenses using SAP Roles and SAP Profiles on page 181
• Determining an SAP User Account Rating on page 182
• Transferring Calculated Licenses on page 184
• Special Versions on page 79
• Licenses on page 78
Entering licenses for SAP User Accounts
In order to maintain system measurement data directly in user accounts, enter the
active license in the user accounts. This might be necessary, for example, for storing
substitute licenses.
To enter a user account active license
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select the Measurement data tab.
4. Select a license from the Active license menu.
5. Enter any other data required, if necessary.
6. Save the changes.
The active license is published in the target system.
NOTE: If licenses are stored with roles or profiles in which the user account is a
member and the task Publishing calculated licenses is run, the active license
stored directly with the user account is overwritten by the calculated license!
To enter the centrally administrated user account's license
1. Select the category SAP R/3 | User accounts.
2. Select the user account in the result list.
3. Select Assign SAP licenses in client systems in the task view.
4. Click Add.
This inserts a new row in the table.
5. Mark this row. Enter the measurement data.
6. Save the changes.
Detailed information about this topic
• Mapping Measurement Data on page 178
• Finding Licenses using SAP Roles and SAP Profiles on page 181
Finding Licenses using SAP Roles and SAP Profiles
For user accounts that are not managed through CUA, the most significant license can be determined from the licenses of roles and profiles. You must make the initial assignment of licenses manually after synchronizing roles and profiles. One Identity Manager determines the user account's highest rated license through the user account's memberships in roles and profiles. The employee's most significant user account is found across clients and systems. The most significant license is added to the user account as the active license and published in the target system.
To assign a license to roles and profiles
1. Select the category SAP R/3 | Roles.
– OR –
Select the category SAP R/3 | Profiles.
2. Select the role or profile in the result list.
3. Assign a license in License.
4. Save the changes.
Related Topics
• Licenses on page 78
• General Master Data for SAP Profiles on page 141
• General Master Data for SAP Roles on page 140
Determining an SAP User Account Rating
NOTE: In this section, roles and profiles are grouped under the term "SAP system
authorizations" to make it easier to understand.
A rating for a user account is determined in One Identity Manager by rating profiles and
roles in which the user account is a member. Licenses have to be entered for the profiles
and roles as a prerequisite. You have to make this assignment once manually after the
objects have been synchronized. When the most significant user account is determined, the
license names and any manually issued license value are taken into account.
A recalculation task for the DBQueue Processor is generated to determine the license rating. The recalculation task is generated when:
• The option System measurement enabled for the SAP system is disabled/enabled.
• The option Has user account management for the SAP client is disabled/enabled.
• User account assignments to roles or profiles are changed.
• Role assignment validity periods are changed.
• The license rating changes.
• License assignments to roles or profiles are changed.
• Employee assignments to user accounts are changed.
• The user account substitute is changed.
The most highly rated user account is determined in One Identity Manager in a two step process.
1. Determining the significance of a user account within a client (client related)
Memberships in SAP system authorizations within a client are calculated for a user account. This finds the SAP system authorization with the highest rating. The license for the most significant SAP system authorization is added to the user account as Calculated license (client). The most significant SAP system authorization fulfills the following criteria:
a. The assigned license has the lowest license rating (in alphanumeric sort order).
b. If several SAP system authorizations with the same license rating are assigned, or no license rating has been given, the valid license is the one with the highest rating.
2. Determining the most highly rated user account (employee related)
a. The most significant user account is determined from all the employee's user accounts in all clients and all systems. The criteria from 1a) and 1b) apply for these user accounts. The license for the most highly rated user account is added to the user account as Calculated license (employee). A reference to the user account calculated as most significant is entered for all the employee's other user accounts in Calculated ref. name. These user accounts contain the license "11 (Multi-client/system)" or "04 (substitute)".
Table 81: Employee related license
User accounts: Calculated license (employee)
Most significant user account: Calculated license (client)
Remaining user accounts in clients of the same system as the most significant user account: 04 (substitute)
Remaining user accounts in clients of other systems than the most significant user account: 11 (Multi-client/system)
b. If a user account is not assigned an employee, the rating calculated under 1) is
seen as the most significant and the license entry is added to the user account
as Calculated license (employee).
Figure 5: Determining an SAP User Account Rating
Related Topics
• Licenses on page 78
Transferring Calculated Licenses
In order to execute system measurement in the SAP R/3 environment, you need to transfer
employee related calculated licenses to the active license. This transfer is done separately
for each client in the system.
NOTE: If the task Publishing calculated licenses is run, the active license stored
directly with the user account is overwritten by the calculated license!
Exception: "04 (substitute)" is entered as active license and the substitute time
period is currently valid or is in the future.
NOTE: The task Publishing calculated licenses is only for clients with CUA status
"No CUA system" or empty CUA status.
To transfer calculated licenses to active licenses
1. Select the category SAP R/3 | Clients.
2. Select the client whose licenses are to be transferred.
3. Select Publish calculated licenses.
A security prompt appears.
4. Confirm the security prompt with Yes.
Once the calculated licenses are transferred to active licenses, the active licenses are
published in the target system.
The One Identity Manager transfers the calculated employee related license for all this client's user accounts to the active license. You can edit this data later, if required. Once
the licenses are published in the SAP R/3 system and system measurement has been
carried out, you can synchronize the current measurement data with the One Identity
Manager database.
Special Features for User Accounts with a Substitute's License
If the active license "04 (substitute)" is entered in the user account and the substitution period is currently valid, the active license is not replaced by the calculated employee-related license. The same applies if the substitution period is in the future (Substituted from later than "today").
If the substitution period has expired, the calculated employee-related license is transferred to the active license by the task Publishing calculated licenses. Information about the substitute and the substitution period is deleted from the user account.
NOTE: In order to publish an active license "04 (substitute)" in the target system, the price list and all usable user types must be enabled in the program part system measurement in the SAP R/3 environment.
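The two-step rating from "Determining an SAP User Account Rating" and the publish step with its substitute exception, as an added Python example that is not part of this guide or of One Identity Manager: the account identifiers, license names "LIC-A" to "LIC-C" and the tie-break for equal or missing ratings (alphanumeric license name) are constructed assumptions.

```python
"""Worked example: client-related and employee-related license rating, then publishing."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SUBSTITUTE = "04 (substitute)"
MULTI_SYSTEM = "11 (Multi-client/system)"


@dataclass
class License:
    """A license stored with an SAP role or profile (names here are constructed)."""
    name: str
    rating: Optional[str] = None   # manually issued rating value, None if not given


@dataclass
class UserAccount:
    uid: str
    system: str
    client: str
    employee: Optional[str]
    auth_licenses: list            # licenses of the roles/profiles the account is a member of
    active_license: Optional[str] = None
    substituted_until: Optional[date] = None
    calc_client: Optional[str] = None     # "Calculated license (client)"
    calc_employee: Optional[str] = None   # "Calculated license (employee)"
    calc_ref: Optional[str] = None        # "Calculated ref. name"


def license_key(lic: License):
    # Step 1a: the lowest license rating in alphanumeric sort order wins; a missing
    # rating sorts after every given rating. The step 1b tie-break is an ASSUMPTION:
    # equal or missing ratings are broken by the license name in alphanumeric order.
    return (lic.rating is None, lic.rating or "", lic.name)


def rate_client(acct: UserAccount) -> Optional[License]:
    """Step 1: most significant SAP system authorization within one client."""
    if not acct.auth_licenses:
        return None
    best = min(acct.auth_licenses, key=license_key)
    acct.calc_client = best.name
    return best


def rate_employee(accounts: list) -> None:
    """Step 2: most significant user account per employee across clients and systems."""
    best = {a.uid: rate_client(a) for a in accounts}
    per_employee = {}
    for a in accounts:
        if best[a.uid] is None:
            continue
        if a.employee is None:                 # step 2b: no employee, client rating is final
            a.calc_employee = a.calc_client
            continue
        per_employee.setdefault(a.employee, []).append(a)
    for accts in per_employee.values():
        top = min(accts, key=lambda a: license_key(best[a.uid]))
        top.calc_employee = top.calc_client    # step 2a: client license becomes employee license
        for a in accts:
            if a is top:
                continue
            a.calc_ref = top.uid               # reference to the most significant account
            a.calc_employee = SUBSTITUTE if a.system == top.system else MULTI_SYSTEM


def publish_calculated_licenses(accounts: list, system: str, client: str,
                                today: Optional[date] = None) -> list:
    """Task 'Publishing calculated licenses' for one client: the calculated employee
    license becomes the active license, except for a substitute license whose period is
    still current or in the future. Returns the uids whose active license was replaced."""
    today = today or date.today()
    published = []
    for a in accounts:
        if (a.system, a.client) != (system, client) or a.calc_employee is None:
            continue
        if (a.active_license == SUBSTITUTE and a.substituted_until is not None
                and a.substituted_until >= today):
            continue                            # substitution still valid or in the future
        a.active_license = a.calc_employee
        a.substituted_until = None              # expired substitution data is removed
        published.append(a.uid)
    return published


def build_sample() -> list:
    """Constructed sample: one employee with accounts in two systems, an orphaned account
    and a second employee holding a substitute license that is still valid."""
    lic_a, lic_b = License("LIC-A", "1"), License("LIC-B", "2")
    lic_c = License("LIC-C")                    # no rating given
    return [
        UserAccount("A1", "SYS1", "100", "EMP1", [lic_b, lic_a]),
        UserAccount("A2", "SYS1", "200", "EMP1", [lic_b]),
        UserAccount("A3", "SYS2", "100", "EMP1", [lic_c]),
        UserAccount("A4", "SYS1", "100", None, [lic_b]),
        UserAccount("A5", "SYS1", "100", "EMP2", [lic_b],
                    active_license=SUBSTITUTE, substituted_until=date(2030, 12, 31)),
    ]


if __name__ == "__main__":
    accts = build_sample()
    rate_employee(accts)
    print(publish_calculated_licenses(accts, "SYS1", "100"))  # ['A1', 'A4']
    for a in accts:
        print(a.uid, a.calc_client, a.calc_employee, a.calc_ref, a.active_license)
```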
Related Topics
• Mapping Measurement Data on page 178
10 Reports about SAP Systems
One Identity Manager makes various reports available containing information about the
selected base object and its relations to other One Identity Manager database objects. The
following reports are available for SAP systems.
NOTE: Other reports may be available depending on which modules are installed.
Table 82: Reports for the Target System
Overview of all assignments (system): This report finds all roles containing employees with at least one user account in the selected system.
Overview of all assignments (client): This report finds all roles containing employees with at least one user account in the selected client.
Overview of all assignments (group, role, profile): This report finds all roles containing employees with the selected group, role or profile.
Show orphaned user accounts: This report shows all user accounts in the client which are not assigned to an employee. The report contains assigned system entitlements and a risk assessment.
Show employees with multiple user accounts: This report shows all employees with more than one user account in the client. The report contains a risk assessment.
Show entitlement drifts: This report shows all the client's system entitlements that are the result of manual operations in the target system rather than using the One Identity Manager provisioning engine.
Show unused user accounts: This report shows all the client's user accounts that have not been used in the last few months.
Show user accounts with an above average number of system entitlements: This report contains all the client's user accounts with an above average number of system entitlements.
SAP user account and group administration: This report contains a summary of user account and group distribution in all clients. You can find the report in the category My One Identity Manager | Target system overviews.
Data quality summary for SAP user accounts: This report contains different evaluations of user account data quality in all clients. You can find the report in the category My One Identity Manager | Data quality analysis.
Overview of all Assignments
The report "Overview of all Assignments" is displayed for certain objects, for example, permissions, compliance rules or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles and IT Shop structures, in which there are employees who own the selected base object. Direct as well as indirect base object assignments are included.
Example
• If the report is created for a resource, all roles are determined in which there are employees with this resource.
• If the report is created for a group, all roles are determined in which there are employees with this group.
• If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
• If the report is created for a department, all roles are determined in which employees of the selected department are also members.
• If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
• To display the report, select the base object from the navigation or the result list and select the report Overview of all assignments.
• Use the Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you want to determine whether roles exist in which there are employees with the selected base object.
All the roles of the selected role class are shown. The color coding of elements identifies the roles in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. In the report's toolbar, click the legend button to open the legend.
• Double-click a control to show all child roles belonging to the selected role.
• By clicking the button in a role's control, you display all employees in the role with the base object.
• Use the small arrow next to that button to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.
Figure 6: Toolbar for Report "Overview of all assignments"
Table 83: Meaning of Icons in the Report Toolbar
• Shows the legend with the meaning of the report control elements.
• Saves the current report view as a graphic.
• Selects the role class used to generate the report.
• Displays all roles or only the affected roles.
Appendix A: Configuration Parameters for Managing SAP R/3
The following configuration parameters are additionally available in One Identity Manager
after the module has been installed.
Table 84: Configuration parameters
TargetSystem\SAPR3: SAP is supported. The parameter is a precompiler dependent configuration parameter. Changes to the parameter require recompiling the database.
TargetSystem\SAPR3\Accounts: Default values should be used for SAP user accounts.
TargetSystem\SAPR3\Accounts\Datfm: Specifies the default date format for SAP user accounts.
TargetSystem\SAPR3\Accounts\Dcpfm: Specifies the default decimal point format for SAP user accounts.
TargetSystem\SAPR3\Accounts\ExtID_Type: Specifies the default type for external identification of SAP user accounts.
TargetSystem\SAPR3\Accounts\Fax_Group: Specifies the default fax group for SAP user accounts.
TargetSystem\SAPR3\Accounts\Guiflag: Specifies whether secure communication is permitted for SAP user accounts.
TargetSystem\SAPR3\Accounts\InitialRandomPassword: This configuration parameter specifies whether a randomly generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy.
TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo: This configuration parameter specifies to which employee the email with the randomly generated password should be sent (manager of the cost center/department/location/business role, the employee's manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the configuration parameter "TargetSystem\SAP\DefaultAddress".
TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo\MailTemplateAccountName: This configuration parameter contains the name of the mail template sent to inform users about their initial login data (name of the user account). Use the mail template "Employee new account created".
TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo\MailTemplatePassword: This configuration parameter contains the name of the mail template sent to inform users about their initial login data (initial password). Use the mail template "Employee - initial password for new user account".
TargetSystem\SAPR3\Accounts\Langu_p: Specifies the default language key for SAP users.
TargetSystem\SAPR3\Accounts\Langup_iso: Specifies the default language (ISO 639).
TargetSystem\SAPR3\Accounts\MailTemplateDefaultValues: This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account. Use the mail template "Employee - new user account with default properties created".
TargetSystem\SAPR3\Accounts\Spda: Specifies the default setting for printer parameter 3 (delete after print).
TargetSystem\SAPR3\Accounts\Spdb: Specifies the default setting for printer parameter 3 (print immediately).
TargetSystem\SAPR3\Accounts\Splg: Specifies the default printer (print parameter 1).
TargetSystem\SAPR3\Accounts\TargetSystemID: Specifies the default target system identification for mapping external users.
TargetSystem\SAPR3\Accounts\Time_zone: Specifies the default time zone value for the SAP user account's address.
TargetSystem\SAPR3\Accounts\Tzone: Specifies the default value for the time zone.
TargetSystem\SAPR3\Accounts\Ustyp: Specifies the default user type for SAP user accounts.
TargetSystem\SAPR3\DefaultAddress: Default email address (recipient) for messages about actions in the target system.
TargetSystem\SAPR3\KeepRedundantProfiles: This configuration parameter regulates the handling of single role and profile assignments to users. If the parameter is set, the user's single roles or profiles that are already part of the user's collective roles are retained. If the parameter is not set, the user's single roles or profiles that are already part of the user's collective roles are removed (default).
TargetSystem\SAPR3\MaxFullsyncDuration: Specifies the maximum runtime for synchronization.
TargetSystem\SAPR3\PersonAutoDefault: This configuration parameter specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.
TargetSystem\SAPR3\PersonAutoDisabledAccounts: This configuration parameter specifies whether employees are automatically assigned to disabled user accounts. These user accounts do not obtain an account definition.
TargetSystem\SAPR3\PersonAutoFullSync: This configuration parameter specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.
TargetSystem\SAPR3\ValidDateHandling: Configuration parameter for handling the validity period of SAP user account assignments to SAP roles.
TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate: This configuration parameter specifies whether the validity dates from the request procedure are copied to SAP user account assignments to SAP roles. If the configuration parameter is set, the "Valid from" and "Valid to" dates from the request procedure are not copied to SAP user account assignments to SAP roles.
TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate: This configuration parameter specifies whether the format of the validity dates of inherited SAP user account assignments to SAP roles remains intact. The configuration parameter is only relevant in systems that were migrated from a pre-7.0 version. If the configuration parameter is set, the format of the "Valid from" and "Valid to" dates stays the same when SAP user account assignments to roles are inherited.
TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate\UseTodayForInheritedValidFrom: This configuration parameter specifies whether the "Valid from" date of inherited SAP user account assignments to SAP roles is set to <Today> or to "1900-01-01".
TargetSystem\SAPR3\VerifyUpdates: This configuration parameter specifies whether modified properties are verified after updating. If this parameter is set, the objects in the target system are verified after every update.
Appendix B: Default Project Templates for Synchronizing an SAP R/3 Environment
A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager yourself.
Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.
Detailed information about this topic
• Project Template for Client without CUA on page 194
• Project Template for the CUA Central System on page 195
• Project Template for CUA Subsystems on page 197
Project Template for Client without CUA
Use the project template "SAP® R/3® synchronisation (base administration)" for synchronizing clients that are not connected to a central system. The template uses mappings for the following schema types.
Table 85: Mapping SAP R/3 schema types to tables in the One Identity Manager schema.
Schema type in the target system: table in the One Identity Manager schema
Company: SAPCompany
GROUP: SAPGrp
LICENSETYPE: SAPLicence
LicenceExtension: SAPLicenceExtension
LoginLanguage: SAPLoginLanguages
CLIENT: SAPMandant
parameter: SAPParameter
Printer: SAPPrinter
PROFILE: SAPProfile
ProfileInProfile: SAPProfileInSAPProfile
ProfileInRole: SAPProfileInSAPRole
PROFITCENTER: SAPProfitCenter
ROLE: SAPRole
RoleInRole: SAPRoleInSAPRole
STARTMENUE: SAPStartMenu
SAPTSAD3T: SAPTitle
USER: SAPUser
UserComFax: SAPComFax
UserComPhone: SAPComPhone
UserComSMTP: SAPComSMTP
SAPCOMMTYPE: SAPCommType
UserExtId: SAPUserExtId
UserHasParameter: SAPUserHasParameter
UserInGroup: SAPUserInSAPGrp
UserInProfile: SAPUserInSAPProfile
UserInRole: SAPUserInSAPRole
Project Template for the CUA Central System
Use the project template "SAP® R/3® synchronisation (base administration)" for synchronizing a central user administration central system. The template uses mappings for the following schema types.
Table 86: Mapping SAP R/3 schema types to tables in the One Identity Manager schema.
Schema type in the target system: table in the One Identity Manager schema
ALE: SAPMandant
CLIENT: SAPMandant
Company: SAPCompany
GROUP: SAPGrp
LICENSETYPE: SAPLicence
LicenceExtension: SAPLicenceExtension
LoginLanguage: SAPLoginLanguages
Parameter: SAPParameter
Printer: SAPPrinter
CUAProfile: SAPProfile
ProfileInProfile: SAPProfileInSAPProfile
ProfileInRole: SAPProfileInSAPRole
PROFITCENTER: SAPProfitCenter
CUARole: SAPRole
RoleInRole: SAPRoleInSAPRole
STARTMENUE: SAPStartMenu
SAPTSAD3T: SAPTitle
USER: SAPUser
UserComFax: SAPComFax
UserComPhone: SAPComPhone
UserComSMTP: SAPComSMTP
UserExtId: SAPUserExtId
UserHasLicense: SAPUserHasLicence
UserHasParameter: SAPUserHasParameter
UserInGroup: SAPUserInSAPGrp
UserInMandant: SAPUserInSAPMandant
UserInCUAProfile: SAPUserInSAPProfile
UserInCUARole: SAPUserInSAPRole
Project Template for CUA Subsystems
Use the project template "SAP® R/3® (CUA subsystem)" for synchronizing central user administration child systems that are not in the same SAP system. The template uses mappings for the following schema types.
Table 87: Mapping SAP R/3 schema types to tables in the One Identity Manager schema.
Schema type in the target system: table in the One Identity Manager schema
LICENSETYPE: SAPLicence
LicenceExtension: SAPLicenceExtension
LoginLanguage: SAPLoginLanguages
CLIENT: SAPMandant
Appendix C: Referenced SAP R/3 Tables and BAPI Calls
The following overview provides information about all the tables in an SAP R/3 system referenced during synchronization and the BAPI calls that are executed.
Table 88: Referenced Tables and BAPIs
Tables:
• ADR2
• ADR3
• ADR6
• AGR_1016
• AGR_AGRS
• AGR_DEFINE
• AGR_USERS
• ANLA
• ANLZ
• CSKS
• CSKT
• DD02L
• DD03L
• DD04L
• DD07L
• RSECUSERAUTH
• RSECTXT
• SEC_POLICY_CUST
• SEC_POLICY_RT
• T000
• T001
• T002
• T591S
• T500P
• T548T
• TMENU01
• TMENU01R
• TPARA
• TSAD3
• TSAD3T
• TSAC
• TSADC
• TSP03
• TTREE
• TUTYPA
• TUTYPPL
• TUZUS
• USGRP_USER
• USL04
• USLA04
• USR01
• USR02
• USR05
• USR06
• USR06SYS
• USR12
• USR21
• USREFUS
• USREXTID
• UST04
• UST10C
• USZBVLNDSC
• USZBVLNDRC
• USZBVSYS
• USRSYSACTT
• USRSYSPRF
• USRSTAMP
• V_USCOMPA
BAPI Calls:
• BAPI_USER_CREATE1
• BAPI_USER_GET_DETAIL
• BAPI_USER_CHANGE
• BAPI_USER_DELETE
• BAPI_USER_LOCK
• BAPI_USER_UNLOCK
• BAPI_USER_ACTGROUPS_ASSIGN
• BAPI_USER_ACTGROUPS_DELETE
• BAPI_USER_PROFILES_ASSIGN
• BAPI_USER_PROFILES_DELETE
• BAPI_USER_LOCACTGROUPS_READ
• BAPI_USER_LOCACTGROUPS_DELETE
• BAPI_USER_LOCPROFILES_READ
• BAPI_USER_LOCPROFILES_DELETE
• BAPI_USER_SYSTEM_ASSIGN
• SUSR_USER_CHANGE_PASSWORD_RFC
• BAPI_USER_LOCPROFILES_ASSIGN
• BAPI_USER_LOCACTGROUPS_ASSIGN
• RFC_READ_TABLE
Appendix D: Example of a Schema Extension File
<?xml version="1.0" encoding="utf-8" ?>
<SAP>
  <Functions>
    <Function Definition="USER GET" FunctionName="BAPI_USER_GET_DETAIL"
              OutStructure="" Key="USERNAME" X500="CN">
      <Mapping>
        <Data ParameterName="USERNAME" PropertyName="BNAME" />
      </Mapping>
    </Function>
    <Function Definition="USER SET" FunctionName="BAPI_USER_CHANGE"
              OutStructure="" Key="USERNAME" X500="CN">
      <Mapping>
        <Data ParameterName="USERNAME" PropertyName="BNAME" />
      </Mapping>
    </Function>
    <Function Definition="USER DEL" FunctionName="BAPI_USER_DELETE"
              OutStructure="" Key="USERNAME" X500="CN">
      <Mapping>
        <Data ParameterName="USERNAME" PropertyName="BNAME" />
      </Mapping>
    </Function>
    <Function Definition="USER PROFILE SET" FunctionName="BAPI_USER_PROFILES_ASSIGN"
              OutStructure="" Key="USERNAME" X500="CN">
      <Mapping>
        <Data ParameterName="USERNAME" PropertyName="BNAME" />
        <Data ParameterName="BAPIPROF~BAPIPROF" PropertyName="$Value$" />
      </Mapping>
    </Function>
    <Function Definition="BWProfileAdd" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_ADD"
              OutStructure="" Key="ZUSRNAME,ZHIER" X500="CN,OU">
      <Mapping>
        <Data ParameterName="ZUSRNAME" PropertyName="UNAME" />
        <Data ParameterName="ZHIER" PropertyName="AUTH" />
      </Mapping>
    </Function>
    <Function Definition="BWProfileDel" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_DEL"
              OutStructure="" Key="ZUSRNAME,ZHIER" X500="CN,OU">
      <Mapping>
        <Data ParameterName="ZUSRNAME" PropertyName="UNAME" />
        <Data ParameterName="ZHIER" PropertyName="AUTH" />
      </Mapping>
    </Function>
    <Function Definition="BWProfileDelFkt" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_DEL"
              OutStructure="" Key="ZUSRNAME,ZHIER" X500="CN,OU">
      <Mapping>
        <Data ParameterName="ZUSRNAME" PropertyName="BNAME" />
        <Data ParameterName="ZHIER" PropertyName="$VALUE$" />
      </Mapping>
    </Function>
    <Function Definition="BWProfileAddFkt" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_ADD"
              OutStructure="" Key="ZUSRNAME,ZHIER" X500="CN,OU">
      <Mapping>
        <Data ParameterName="ZUSRNAME" PropertyName="BNAME" />
        <Data ParameterName="ZHIER" PropertyName="$VALUE$" />
      </Mapping>
    </Function>
  </Functions>
  <Tables>
    <TABLE Definition="TUZUS-Table" TableName="TUZUS" Key="SONDERVERS"
           X500="CN" SQL="LANGU = sy-langu" Load="SONDERVERS,TEXTSVERS" />
    <TABLE Definition="USR05-Table" TableName="USR05" Key="BNAME,PARID"
           X500="CN,OU" SQL="MANDT = '$MANDT$'" Load="BNAME,PARID,PARVA">
      <Mapping>
        <Data ParameterName="$BNAME$" PropertyName="BNAME" />
        <Data ParameterName="$PARID$" PropertyName="PARID" />
      </Mapping>
    </TABLE>
    <TABLE Definition="USR04-Table" TableName="USR04" Key="BNAME,MANDT"
           X500="CN,OU" SQL="MANDT = sy-mandt" Load="" />
    <TABLE Definition="RSECUSERAUTH-Table" TableName="RSECUSERAUTH"
           Key="UNAME,AUTH" X500="CN,OU" SQL="" Load="" />
    <TABLE Definition="RSECUSERAUTH-SingleUser" TableName="RSECUSERAUTH"
           Key="AUTH" X500="CN" SQL="UNAME = '$BNAME$'" Load="">
      <Mapping>
        <Data ParameterName="$BNAME$" PropertyName="BNAME" />
      </Mapping>
    </TABLE>
  </Tables>
  <SAPExtendedSchematypes>
    <SAPExtendedSchematype Bem="M:N, add/del - function" Name="BWUserInBWP"
        DisplayPattern="%UNAME% - %AUTH%" ListObjectsDefinition="RSECUSERAUTH-Table"
        ReadObjectDefinition="RSECUSERAUTH-Table" InsertObjectDefinition="BWProfileAdd"
        DeleteObjectDefinition="BWProfileDel" />
    <SAPExtendedSchematype Bem="simple read only table" Name="LicenceExtension"
        DisplayPattern="%SONDERVERS%" ListObjectsDefinition="TUZUS-Table"
        ReadObjectDefinition="TUZUS-Table" InsertObjectDefinition=""
        WriteObjectDefinition="" DeleteObjectDefinition="" ParentType="SAPSYSTEM" />
    <SAPExtendedSchematype Bem="Test" Name="USERFunctionTable"
        DisplayPattern="%BNAME% (%MANDT%)" ListObjectsDefinition="USR05-Table"
        ReadObjectDefinition="USER GET" WriteObjectDefinition="USER SET"
        DeleteObjectDefinition="USER DEL">
      <Properties>
        <Property Name="SAPBWP" Description="all the user's BW profiles"
                  ListFunction="RSECUSERAUTH-SingleUser"
                  AddFunction="BWProfileAddFkt" DelFunction="BWProfileDelFkt"
                  ReplaceFunction="" IsMultivalued="true" />
        <Property Name="USERPROFILE" Description="all the user's profiles"
                  ListFunction="USR04-Table" AddFunction=""
                  DelFunction="" ReplaceFunction="USER PROFILE SET"
                  IsMultivalued="true" />
      </Properties>
    </SAPExtendedSchematype>
  </SAPExtendedSchematypes>
</SAP>
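A consistency check for files in this format, added here as an example (it is not part of One Identity Manager and not the product's own loader): it parses the <SAP> extension XML and verifies that every ListObjectsDefinition, ReadObjectDefinition, InsertObjectDefinition, WriteObjectDefinition and DeleteObjectDefinition, and every Property's ListFunction, AddFunction, DelFunction and ReplaceFunction, names a declared Function or TABLE, that each Key list has as many entries as its X500 list, and that each Function maps all of its Key parameters in its Mapping. Those rules are inferred from the conventions of the example above (an assumption), and the sample file is a constructed fragment with two deliberate defects.

```python
import xml.etree.ElementTree as ET

# Attributes whose values must name a <Function> or <TABLE> Definition.
TYPE_REF_ATTRS = ("ListObjectsDefinition", "ReadObjectDefinition",
                  "InsertObjectDefinition", "WriteObjectDefinition",
                  "DeleteObjectDefinition")
PROP_REF_ATTRS = ("ListFunction", "AddFunction", "DelFunction", "ReplaceFunction")


def _split(csv):
    """Split a comma-separated attribute such as Key="ZUSRNAME,ZHIER" ("" -> [])."""
    return [p.strip() for p in csv.split(",") if p.strip()]


def _check_refs(elem, attrs, label, defs, problems):
    """Record every non-empty reference attribute that names an unknown definition."""
    for attr in attrs:
        ref = elem.get(attr, "").strip()
        if ref and ref not in defs:
            problems.append(f"{label}: {attr}={ref!r} is not a defined Function or TABLE")


def check_extension(xml_text):
    """Return a list of problem descriptions; an empty list means the file is consistent.
    The rules are inferred from the example file's conventions (an assumption)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems, defs = [], {}

    # 1. Each <Function>/<TABLE> needs a unique Definition name, and its Key and
    #    X500 lists must be the same length (one X500 attribute type per key column).
    for elem in root.iter():
        if elem.tag not in ("Function", "TABLE"):
            continue
        name = elem.get("Definition", "").strip()
        if not name:
            problems.append(f"<{elem.tag}> without a Definition name")
            continue
        if name in defs:
            problems.append(f"duplicate Definition {name!r}")
        defs[name] = elem
        keys, x500 = _split(elem.get("Key", "")), _split(elem.get("X500", ""))
        if len(keys) != len(x500):
            problems.append(f"{name!r}: Key has {len(keys)} columns but X500 has {len(x500)}")
        # 2. A <Function> supplies each key parameter through a <Data ParameterName=...>
        #    entry of its <Mapping>, as every function in the example file does.
        if elem.tag == "Function":
            mapped = {d.get("ParameterName", "").strip() for d in elem.iter("Data")}
            for key in keys:
                if key not in mapped:
                    problems.append(f"{name!r}: key parameter {key!r} has no <Data> mapping")

    # 3. Every definition referenced by a schema type or one of its properties must exist.
    for st in root.iter("SAPExtendedSchematype"):
        st_name = st.get("Name", "?")
        _check_refs(st, TYPE_REF_ATTRS, f"schema type {st_name!r}", defs, problems)
        for prop in st.iter("Property"):
            label = f"property {prop.get('Name', '?')!r} of {st_name!r}"
            _check_refs(prop, PROP_REF_ATTRS, label, defs, problems)
    return problems


# Constructed sample in the format of the file above (not a real customer file), with
# two deliberate defects: the function omits the ZHIER key from its mapping, and the
# schema type references "RSECUSERAUTHTable" (hyphen missing).
SAMPLE_BROKEN = """<?xml version="1.0" encoding="utf-8" ?>
<SAP>
  <Functions>
    <Function Definition="BWProfileAdd" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_ADD"
              OutStructure="" Key="ZUSRNAME,ZHIER" X500="CN,OU">
      <Mapping>
        <Data ParameterName="ZUSRNAME" PropertyName="UNAME" />
      </Mapping>
    </Function>
  </Functions>
  <Tables>
    <TABLE Definition="RSECUSERAUTH-Table" TableName="RSECUSERAUTH"
           Key="UNAME,AUTH" X500="CN,OU" SQL="" Load="" />
  </Tables>
  <SAPExtendedSchematypes>
    <SAPExtendedSchematype Name="BWUserInBWP" DisplayPattern="%UNAME% - %AUTH%"
        ListObjectsDefinition="RSECUSERAUTHTable" ReadObjectDefinition="RSECUSERAUTH-Table"
        InsertObjectDefinition="BWProfileAdd" DeleteObjectDefinition="" />
  </SAPExtendedSchematypes>
</SAP>
"""

# The same file with both defects corrected; check_extension(SAMPLE_FIXED) returns [].
SAMPLE_FIXED = SAMPLE_BROKEN.replace('"RSECUSERAUTHTable"', '"RSECUSERAUTH-Table"').replace(
    '<Data ParameterName="ZUSRNAME" PropertyName="UNAME" />',
    '<Data ParameterName="ZUSRNAME" PropertyName="UNAME" />\n'
    '        <Data ParameterName="ZHIER" PropertyName="AUTH" />')
```

Running check_extension on SAMPLE_BROKEN reports the missing ZHIER mapping and the unresolved "RSECUSERAUTHTable" reference; an unresolved reference of this kind is what a loader would otherwise hit only at run time, when the schema type is first listed.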
About us
Contacting us
For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.
Technical support resources
Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
• Submit and manage a Service Request
• View Knowledge Base articles
• Sign up for product notifications
• Download software and technical documentation
• View how-to videos at www.YouTube.com/OneIdentity
• Engage in community discussions
• Chat with support engineers online
• View services to assist you with your product