Basic data for user account administration
One Identity Manager supplies the following basic data for user administration, by default:
If configured, other basic data that cannot be edited in One Identity Manager is read from SAP R/3 during synchronization. It is used only for assignments to SAP user accounts. These include:
Certain user account properties can be defined as default for all user accounts through the configuration settings. These include:
User account types
The user account types are available in One Identity Manager by default. SAP R/3 recognizes the user account types listed below.
Table 28: User account types
Dialog (A) | Dialog user in a system.
System (B) | Background processing within a system.
Communication (C) | Communication between systems without a dialog.
Service (S) | Common user account for anonymous system access, for example. User accounts of this type should have heavily restricted access permissions.
Reference (L) | Common user account for additional granting of permissions.
The default user account type for new user accounts is specified in the "TargetSystem | SAPR3 | Accounts | Ustyp" configuration parameter.
To modify the default user account type
- In the Designer, edit the value of the "TargetSystem | SAPR3 | Accounts | Ustyp" configuration parameter.
External identifier types
External authentication methods for logging in to a system can be used in SAP R/3. One Identity Manager supplies the following types as user identifiers to find the login data necessary for different authentication mechanisms for external systems on an SAP system:
Table 29: External identifier types
DN | Distinguished Name for X.509.
NT | Windows NTLM or password verification with the Windows domain controller.
LD | LDAP bind <user-defined> (For other external authentication mechanisms).
SA | SAML Token.
To specify a default type for external identifiers
- In the Designer, set the "TargetSystem | SAPR3 | UserDefaults | ExtID_Type" configuration parameter and specify a value.
SAP parameters
Parameters can be loaded into the One Identity Manager database by synchronization and be either directly or indirectly assigned to user accounts. In the case of indirect assignment, employees and parameters are arranged in hierarchical roles. The number of parameters assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance. If you add an employee to hierarchical roles and that employee owns a user account, the parameter is assigned to the user account.
Prerequisites for assigning employees to user accounts are:
- Assignment of employees and SAP parameters is permitted for role classes (departments, cost centers, locations, or business roles).
- User accounts and parameters belong to the same SAP system.
A different parameter value can be specified for each hierarchical role that is assigned a parameter. Thus, the parameter values are also inherited by the user account. You can use membership in hierarchical roles to control which parameter values a user account obtains for a parameter.
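The following is an added illustration, not One Identity Manager code: a simplified model of the indirect assignment described above, useful when reviewing which role memberships cause a user account to receive a given parameter value. The role-class settings, the top-down and bottom-up semantics, and all role, employee, system and parameter names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed settings per role class (constructed): is assignment permitted, and in which direction.
ROLE_CLASSES = {
    "Department":   {"allowed": True,  "direction": "top-down"},
    "BusinessRole": {"allowed": True,  "direction": "bottom-up"},
    "Location":     {"allowed": False, "direction": "top-down"},
}

@dataclass(eq=False)
class Role:
    name: str
    role_class: str
    parent: Optional["Role"] = None
    params: dict = field(default_factory=dict)   # (sap_system, parameter) -> value
    members: set = field(default_factory=set)    # employees assigned directly

def ancestors(role):
    """The role's parents, nearest first."""
    out = []
    while role.parent is not None:
        role = role.parent
        out.append(role)
    return out

def contributing(role, roles):
    """Roles whose parameter assignments reach the members of `role`."""
    if ROLE_CLASSES[role.role_class]["direction"] == "top-down":
        return [role] + ancestors(role)                         # parent -> child
    return [role] + [r for r in roles if role in ancestors(r)]  # child -> parent

def account_parameters(employee, sap_system, roles):
    """Map parameter -> {(value, source role)} for the employee's account in sap_system."""
    result = {}
    for role in roles:
        if employee not in role.members or not ROLE_CLASSES[role.role_class]["allowed"]:
            continue                      # prerequisite 1: role class permits assignment
        for src in contributing(role, roles):
            for (system, param), value in src.params.items():
                if system == sap_system:  # prerequisite 2: same SAP system as the account
                    result.setdefault(param, set()).add((value, src.name))
    return result

# Constructed sample hierarchy
sales = Role("Sales", "Department", params={("PRD", "BUK"): "1000"})
emea = Role("Sales EMEA", "Department", sales, {("PRD", "BUK"): "2000", ("QAS", "WRK"): "Q100"}, {"jdoe"})
berlin = Role("Berlin", "Location", params={("PRD", "WRK"): "B001"}, members={"jdoe"})
audit = Role("Auditors", "BusinessRole", members={"jdoe"})
junior = Role("Junior Auditors", "BusinessRole", audit, {("PRD", "WRK"): "A500"})
ROLES = [sales, emea, berlin, audit, junior]
```

The result keeps every inherited value together with the role it came from, because the page does not state how competing values for the same parameter are resolved.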