
Identity Manager 8.1 - Administration Guide for Connecting to SAP R/3


Managing SAP R/3 Environments

One Identity Manager offers simplified user administration for SAP R/3 environments. One Identity Manager concentrates on setting up and processing user accounts as well as group, role, and profile assignments. External identifiers and parameters can also be assigned to user accounts. The necessary data for system measurement is also mapped. The system measurement data is available in One Identity Manager, but the measurement itself takes place in the SAP R/3 environment.

One Identity Manager provides company employees with the necessary user accounts. For this, you can use different mechanisms to connect employees to their user accounts. You can also manage user accounts independently of employees and therefore set up administrator user accounts.

Groups, roles, and profiles are mapped in One Identity Manager in order to provide the necessary permissions for user accounts. Groups, roles, and profiles can be grouped into products and assigned to employees. One Identity Manager ensures that the right group memberships are created for the employee’s user account.

If user accounts are managed through the central user administration (CUA) in SAP R/3, access to the child client can be granted to or withdrawn from user accounts in One Identity Manager.

Architecture overview

The following servers in One Identity Manager play a role in managing an SAP R/3 environment:

  • SAP R/3 application server

    Application server on which synchronization is executed. The synchronization server connects to this server in order to access SAP R/3 objects.

  • SAP R/3 database server

    Server on which the SAP R/3 application database is installed.

  • Synchronization server

    The synchronization server for synchronizing the One Identity Manager database with the SAP R/3 system. The One Identity Manager Service is installed on this server with the SAP R/3 connector. The synchronization server connects to the SAP R/3 application server.

  • SAP R/3 router

    Router which provides a network port to the SAP connector for communicating with the SAP R/3 application server.

  • SAP R/3 message server

    Server with which the SAP R/3 connector communicates during login if a direct connection to application servers is not permitted.

The One Identity Manager SAP R/3 connector executes synchronization and provisioning of data between SAP R/3 and the One Identity Manager database. The SAP R/3 connector uses the SAP connector for Microsoft .NET (NCo 3.0) for 64-bit systems for communicating with the target system.

One Identity Manager is responsible for synchronizing data between the SAP R/3 database and the One Identity Manager Service. The application server ABAP must be installed as a prerequisite for synchronization. An SAP system that is based only on a Java application server cannot be accessed with the SAP R/3 connector.

Figure 1: Architecture for Synchronization - Direct Communication

Figure 2: Architecture for Synchronization - Communication through Message Server

Figure 3: Architecture for Synchronization - Communication through Router
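
The three connection paths in Figures 1 to 3 call for different outbound firewall rules on the synchronization server. The following is an added example, not One Identity code: it derives the minimal rule set per path and audits an existing rule set against it, assuming SAP's default port conventions (gateway 33NN, message server 36NN, SAProuter 3299), which a landscape may override. Host names, the function names and the sample rules are constructed.

```python
# Added example (not One Identity code). Ports follow SAP default conventions
# and are assumptions to confirm per landscape; host names are constructed.
GATEWAY_BASE = 3300     # sapgwNN: RFC gateway of ABAP instance NN
MSGSRV_BASE = 3600      # sapms<SID>: message server, conventionally 36NN
SAPROUTER_PORT = 3299   # SAProuter default listening port


def required_egress(mode, app_servers, sysnr, msg_server=None,
                    ms_sysnr=None, router=None):
    """Return the (host, tcp_port) pairs the synchronization server must reach."""
    for nr in (sysnr, ms_sysnr):
        if nr is not None and not 0 <= nr <= 99:
            raise ValueError("instance number must be between 00 and 99")
    gateways = {(host, GATEWAY_BASE + sysnr) for host in app_servers}
    if mode == "direct":            # Figure 1: straight to the application server
        return gateways
    if mode == "message_server":    # Figure 2: message server first, then login
        if msg_server is None or ms_sysnr is None:
            raise ValueError("message server host and instance number required")
        return gateways | {(msg_server, MSGSRV_BASE + ms_sysnr)}
    if mode == "router":            # Figure 3: only the router is contacted
        if router is None:
            raise ValueError("router host required")
        return {(router, SAPROUTER_PORT)}
    raise ValueError(f"unknown mode: {mode}")


def audit(rules, needed):
    """Compare allow rules with the needed set; port '*' means any port."""
    def covered(pair):
        return pair in rules or (pair[0], "*") in rules
    missing = sorted(n for n in needed if not covered(n))
    # Any-port rules and rules to hosts or ports outside the needed set are excess.
    excess = sorted((r for r in rules if r[1] == "*" or r not in needed),
                    key=lambda r: (r[0], str(r[1])))
    return missing, excess


if __name__ == "__main__":
    needed = required_egress("direct", ["sapapp1.example.test"], 0)
    # Constructed rule set: one any-port rule, and one rule to the database
    # server, which is not a connection target in the architecture above.
    rules = {("sapapp1.example.test", "*"), ("sapdb.example.test", 1521)}
    print(audit(rules, needed))
```

An empty `missing` list with a non-empty `excess` list means synchronization will work but the synchronization server can reach more than the chosen connection path requires.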

One Identity Manager users for managing a SAP R/3 environment

The following users are involved in setting up and managing an SAP R/3 environment.

Table 1: Users

User / Task

Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administrate application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles are conflicting for target system managers.

  • Authorize other employees to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to Target systems | SAP R/3 or a sub-application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change or delete target system objects, like user accounts or groups.

  • Edit password policies for the target system.

  • Prepare system entitlements for adding to the IT Shop.

  • Can create employees with an identity that differs from the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in Designer as required.

  • Create system users and permissions groups for non-role-based login to administration tools in Designer as required.

  • Enable or disable additional configuration parameters in Designer as required.

  • Create custom processes in Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Administrators for the IT Shop

Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Assign system entitlements to IT Shop structures.

Administrators for organizations

Administrators must be assigned to the application role Identity Management | Organizations | Administrators.

Users with this application role:

  • Assign system entitlements to departments, cost centers and locations.

Business roles administrators

Administrators must be assigned to the application role Identity Management | Business roles | Administrators.

Users with this application role:

  • Assign system entitlements to business roles.

Setting up SAP R/3 Synchronization

One Identity Manager supports synchronization with SAP systems for the following versions:

  • SAP Web Application Server 6.40

  • SAP NetWeaver Application Server 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.31, 7.40 SR 2, 7.41 and 7.50

  • SAP ECC 5.0 and 6.0

  • SAP S/4HANA On-Premise edition

Central User Administration is supported for all versions named here.

To load SAP R/3 objects into the One Identity Manager database for the first time

  1. Prepare a user account with sufficient permissions for synchronizing in SAP R/3.
  2. Install the One Identity Manager Business Application Programming Interface in the SAP R/3 system.
  3. The One Identity Manager parts for managing SAP R/3 systems are available if the configuration parameter "TargetSystem\SAPR3" is set.

    • Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
  4. Download the installation source for the SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0.
  5. Install and configure a synchronization server and declare the server as Job server in One Identity Manager.
  6. Create a synchronization project with the Synchronization Editor.