
Identity Manager 8.2.1 - Administration Guide for Connecting to SAP R/3

Removing a Central User Administration

One Identity Manager supports you in releasing individual clients from a Central User Administration (CUA) or in completely removing a CUA. After the changeover, individual clients can be managed independently of each other in One Identity Manager. Some tasks can be automated, others must be performed manually afterward. For example, this includes setting up new synchronization projects and removing the CUA distribution model from the SAP R/3 environment.

Recommendations
  • Link user accounts to employees

    Before removing a CUA, you must ensure that each user account is linked to an employee. When the CUA is removed, a new user account is created in each client. Therefore, if a user account has access permissions in different clients, multiple user accounts are created. The connection between these user accounts can be established only through the linked employee.

  • Create a backup of the One Identity Manager database

    The data conversion cannot be undone. Make sure that there is an up-to-date backup of the One Identity Manager database.
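The following pre-removal check is an added example, not One Identity code. It reads a constructed export with hypothetical column names (`account`, `employee`, `client`; one row per client an account can access), lists accounts with no linked employee, and counts how many separate accounts each employee will own after the CUA is removed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are hypothetical and are not
# One Identity Manager's schema: one row per (user account, client) access.
SAMPLE_EXPORT = """account,employee,client
JSMITH,E1001,100
JSMITH,E1001,200
JSMITH,E1001,300
MBROWN,,100
MBROWN,,200
BATCH01,,300
ALEE,E1002,200
"""

def preflight(export_text):
    """Return (unlinked, fan_out) for a CUA access export.

    unlinked: account without a linked employee -> sorted list of its clients
    fan_out:  employee -> number of separate accounts after CUA removal
    """
    clients_by_account = defaultdict(set)
    employee_of = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        account = row["account"].strip()
        clients_by_account[account].add(row["client"].strip())
        employee = row["employee"].strip()
        if employee:
            employee_of[account] = employee
    # After removal, these accounts exist once per client with nothing tying
    # the copies together, so they must be linked before the conversion.
    unlinked = {a: sorted(c) for a, c in clients_by_account.items()
                if a not in employee_of}
    fan_out = defaultdict(int)
    for account, employee in employee_of.items():
        fan_out[employee] += len(clients_by_account[account])
    return unlinked, dict(fan_out)

if __name__ == "__main__":
    unlinked, fan_out = preflight(SAMPLE_EXPORT)
    for account, clients in sorted(unlinked.items()):
        print(f"BLOCKER {account}: no linked employee, clients {', '.join(clients)}")
    for employee, count in sorted(fan_out.items()):
        print(f"{employee}: {count} account(s) after removal")
```

An empty `unlinked` result is the condition the first recommendation asks for before the conversion is started.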

To remove a CUA, first release the individual child systems and check for successful conversion. After all child systems have been detached, you can convert the central system and delete the CUA from the SAP R/3 environment's distribution model.


Release child systems

The child systems can be released individually from the CUA without removing it entirely. Removing a CUA can be done step-by-step and tested. The following steps must be performed for each child system:

  1. Release the child system in One Identity Manager from the CUA
  2. Set up a new synchronization project and synchronize the client
  3. Release child systems from the CUA distribution model of the SAP R/3 environment

To release a child system from the CUA

  1. In the Manager, select the SAP R/3 > Clients category.

  2. In the results list, select the child system you want to release.

  3. Select the Release client from CUA task and confirm the security prompt with Yes.

After checking whether the client can be removed, One Identity Manager converts the data.

  • User accounts and their external identifiers are copied from the central system to the child system.
  • SAP groups and group assignments to user accounts are copied from the central system to the child system.
  • SAP roles and profiles are converted and assigned to the copied user accounts.
  • Removes user account access permissions to the child system (purges SAPUserMandant table).
  • The client assignment to the central system is removed.
  • If an account definition is assigned to the client, it is converted. The SAPUser table is assigned as a user account table.

To set up synchronization for the released client

  1. If the client is hosted in a different SAP system than the central system, then there is a synchronization project for the client. Delete this synchronization project.

  2. Create a new synchronization project. For this purpose, use the SAP R/3 synchronization (base administration) project template.

    For more information, see Creating a synchronization project for initial synchronization of an SAP client.

    TIP: If a suitable synchronization project already exists for an SAP client with an identical schema, then the released client can be assigned to this synchronization project as another base object.

  3. Start the synchronization.

  4. Check the synchronization result. Fix errors and handle outstanding objects.

To release the child system from the CUA distribution model

  • If the synchronization was run without errors, delete the child system from the CUA distribution model in the SAP R/3 environment.

    Only the client assignment to the CUA distribution model is to be removed. For more information, see your SAP R/3 documentation.

Converting the central system

As soon as all child systems have been removed from a central user administration, the central system can also be converted. The following steps must be performed:

  1. Convert the central system in One Identity Manager
  2. Delete user accounts without central system access
  3. Delete the CUA from the distribution model of the SAP R/3 environment
  4. Set up a new synchronization project and synchronize the client

To convert the central system

  1. In the Manager, select the SAP R/3 > Clients category.

  2. Select the target system in the result list.

  3. Select the Release client from CUA task and confirm the security prompt with Yes.

    After checking whether the client qualifies for conversion, the data is converted in the One Identity Manager database.

    • Converts SAP roles and profiles in the central system.
    • Converts SAP role and profile assignments to user accounts.
    • Removes user account access permissions to the central system (purges SAPUserMandant table).
    • Removes the client's central system identifier.
  4. Once conversion is complete, it is necessary to decide how to proceed with user accounts that did not have access permissions to the central system within the CUA.

    • If you want to delete these user accounts, click Yes.

      Select this option to ensure that only the users who were authorized to access the client before the conversion are granted access. User accounts created by an IT Shop request or by inheritance of a valid account definition remain intact.

      All other user accounts without access permissions are deleted.

    • If you want to keep these user accounts, click No.

      The user accounts are retained and are thus authorized for access in this client.

  5. Decide what to do with user accounts that were created using a valid account definition. If you want to delete these user accounts, remove the account definition assignment to the employees.

    For more information, see Assigning account definitions to employees.
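To review the effect of the Yes/No decision in step 4 before answering the prompt, the sketch below classifies accounts by the rules stated above. It is an added example, not One Identity code; the export columns (`account`, `central_access`, `origin`) and the origin labels are hypothetical, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export with hypothetical column names: central_access
# says whether the account had access permissions to the central system
# within the CUA; origin says how the account was created.
SAMPLE_EXPORT = """account,central_access,origin
JSMITH,yes,manual
MBROWN,no,manual
ALEE,no,itshop
SVC_RFC,no,account_definition
KWONG,yes,account_definition
"""

# Per step 4, accounts created by an IT Shop request or by inheritance of a
# valid account definition remain intact even when "Yes" is chosen.
PROTECTED_ORIGINS = {"itshop", "account_definition"}

def preview(export_text):
    """Classify accounts by what each answer to the prompt does to them."""
    result = {
        "unchanged": [],          # had central system access before
        "deleted_if_yes": [],     # removed when "Yes" is chosen
        "survive_yes": [],        # kept despite "Yes"; handle in step 5
        "gain_access_if_no": [],  # newly authorized when "No" is chosen
    }
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["account"].strip()
        if row["central_access"].strip().lower() == "yes":
            result["unchanged"].append(name)
            continue
        # Every account without prior access is retained, and therefore
        # authorized in this client, when "No" is chosen.
        result["gain_access_if_no"].append(name)
        if row["origin"].strip().lower() in PROTECTED_ORIGINS:
            result["survive_yes"].append(name)
        else:
            result["deleted_if_yes"].append(name)
    return result

if __name__ == "__main__":
    for bucket, accounts in preview(SAMPLE_EXPORT).items():
        print(f"{bucket}: {', '.join(accounts) or '-'}")
```

The `gain_access_if_no` list is the set of accounts to review for unintended access, and `survive_yes` is the set that step 5 covers.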

IMPORTANT: All provisioning processes must be completed before conversion can continue.

Perform the following step before creating a new synchronization project for the client.

To delete the CUA from the distribution model of the SAP R/3 environment

  • Once all child systems have been released from the CUA distribution model in the SAP R/3 environment, you can delete the entire CUA from the distribution model.

    • Specify how to proceed with user accounts that did not have access permissions to the central system within CUA.

      If these user accounts have been deleted in One Identity Manager, select the Additionally Lock Users Locally option here.

      As a result, the user accounts that were created using an account definition are locked and do not get access permissions to the client.

    For more information, see your SAP R/3 documentation.

To set up synchronization for the client

  1. Delete the synchronization project for the central system.

  2. Create a new synchronization project. For this purpose, use the SAP R/3 synchronization (base administration) project template.

    • On the Additional settings page, disable the Central User Administration (CUA) option.

    For more information, see Creating a synchronization project for initial synchronization of an SAP client.

    TIP: If a suitable synchronization project already exists for an SAP client with an identical schema, then the released client can be assigned to this synchronization project as another base object.

  3. Start the synchronization.

  4. Check the synchronization result. Fix errors and handle outstanding objects.

    User accounts that did not have access permissions for the central system and were created through an account definition are blocked.

  5. Check locked user accounts.

    1. Unlock all user accounts that should have access to the client.

    2. Remove the account definition from the linked employee of all user accounts to be deleted.

      For more information, see Assigning account definitions to employees.

Checking for successful conversion

If all child systems have been removed without errors and the central system has been converted without errors, the CUA is removed. The SAP user accounts in all previously involved clients can be managed either separately or through the linked employee.

To check for correct conversion of a child system

  1. In the Manager, select the SAP R/3 > Clients category.

  2. In the results list, select the client of the former child system.

  3. Check the following main data:

    • ALE name: Value deleted.
    • ALE model name: Value deleted.
    • CUA status: None.
    • CUA central system: None assigned.
  4. Select the SAP client overview task.

  5. Click the form element for the assigned account definition and check the account definition's main data.

    • User account table: SAPUser.
    • Required account definition: The central system's account definition is assigned.

  6. Check if the required account definition is still needed.

    After removing the CUA, a user account in the central system is no longer a necessary prerequisite for the creation of a user account in the former child system. In this case, the required account definition can be removed.

  7. Check that synchronization is set up and works correctly.

To check for correct conversion of a central system

  1. In the Manager, select the SAP R/3 > Clients category.

  2. In the results list, select the client of the former central system.

  3. Check the following main data:

    • ALE name: Empty value.
    • ALE model name: Value deleted.
    • CUA status: None.
  4. Select the SAP client overview task.

    No child system is assigned.

  5. Check that synchronization is set up and works correctly.