サポートと今すぐチャット
サポートとのチャット

Identity Manager 8.1.5 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP systems Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Defining schema types

In the section for schema types (SAPExtendedSchematypes), you can define schema types that exist in the SAP schema and can be used to extend the connector schema. The identifier given in the Name attribute is used as the name. This identifier must be unique in the extended connector schema.

Table 20: Schema type definition

Attribute

Description

Bem

Internal description

Name

Name of the schema type in the extended connector schema.

DisplayPattern

Definition of a display pattern for displaying objects in the Synchronization Editor (for example, in the target system browser or defining schema classes). (Optional) Only columns that are loaded in the table definition (Key or Load attribute) can be used.

IMPORTANT: Each column, which must be additionally loaded when the object list is loaded, creates extra load for One Identity Manager. This can make synchronization much slower if there is a lot of data. Only enter columns that you really need for further object processing.

AddRevisionTimeOffset

Specifies whether the revision counter adds the time as 23:59:00. (Optional)

You can use this attribute if the revision counter only contains a change date but no timestamp. This allows objects that were changed after the previous synchronization run but on the same day, to be included in the next synchronization run.

RevisionProperty

Name of a property contain the revision counter. (Optional)

ListObjectsDefinition

Function or table definition for calling an object list.

ReadObjectDefinition

Function or table definition for calling a single object.

WriteObjectDefinition

Function definition for writing an object. (Optional)

DeleteObjectDefinition

Function definition for deleting an object. (Optional)

ParentType

Context of the schema type. (Optional)

By default, the schema types are client-related (ParentType="SAPMANDANT"). If the new schema type is valid in all SAP R/3 system clients, enter ParentType with the value "SAPSYSTEM".

If this attribute is not defined, the schema type is client-related.

A schema type definition must contain at least one object list call (attribute ListObjectsDefinition). In this case, you can enter a table or a function definition. To call a single object (attribute ReadObjectDefinition), the object list must have been loaded previously. The list call and single object call can refer to different tables, however the key columns for identifying single objects must either have the same name or have been mapped in the table definition for the single object call. In the example below, the single objects from table RSECUSERAUTH are determined for an object from the table USR02. The key columns for identifying the objects are USR02.BNAME and RSECUSERAUTH.UNAME. The columns have different names and are therefore mapped using the parameter $BNAME$.

If is possible to define a Properties block for declaring any number of other object properties and the types of access to them.P One single property is defined by the Property tag, which can have the following attributes.

Table 21: Property definition

Attribute

Description

Name

Name of the property. It must be unique within the schema type.

Description

Property description.

ListFunction

Function or table for calling all values.

AddFunction

Function for adding a value. (Optional)

DelFunction

Function for deleting a value. (Optional)

ReplaceFunction

Replaces the entire contents of the property. (Optional)

IsMultivalued

Specifies whether the property has multiple values. (Optional)

If this attribute is not defined, the property does not have multiple values.

Example:

<Tables>

<TABLE Definition = "USR04-Table" TableName="USR04" Key="BNAME,MANDT" X500="CN,OU" SQL="MANDT = sy-mandt" Load="" />

<TABLE Definition = "USR02-Table" TableName="USR02" Key="BNAME" X500="CN" SQL="MANDT = sy-mandt" Load="MANDT,TRDAT" />

<TABLE Definition = "RSECUSERAUTH-SingleUser" TableName="RSECUSERAUTH" Key="AUTH" X500="CN" SQL="UNAME = '$BNAME$'" Load="" >

<Mapping>

<Data ParameterName = "$BNAME$" PropertyName = "BNAME" />

</Mapping>

</TABLE>

</Tables>

<Functions>

<Function Definition = "USER GET" FunctionName="BAPI_USER_GET_DETAIL" OutStructure = "" Key ="USERNAME" X500 ="CN">

<Mapping>

<Data ParameterName = "USERNAME" PropertyName = "BNAME" />

</Mapping>

</Function>

<Function Definition = "USER SET" FunctionName="BAPI_USER_CHANGE" OutStructure ="" Key ="USERNAME" X500 ="CN">

<Mapping>

<Data ParameterName = "USERNAME" PropertyName = "BNAME" />

</Mapping>

</Function>

<Function Definition = "USER DEL" FunctionName="BAPI_USER_DELETE" OutStructure ="" Key ="USERNAME" X500 ="CN" >

<Mapping>

<Data ParameterName = "USERNAME" PropertyName = "BNAME" />

</Mapping>

</Function>

<Function Definition = "USER PROFILE SET" FunctionName="BAPI_USER_PROFILES_ASSIGN" OutStructure ="" Key ="USERNAME" X500 ="CN">

<Mapping>

<Data ParameterName = "USERNAME" PropertyName = "BNAME" />

<Data ParameterName = "BAPIPROF~BAPIPROF" PropertyName = "$Value$" />

</Mapping>

</Function>

<Function Definition = "BWProfileDelFkt" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_DEL" OutStructure ="" Key ="ZUSRNAME,ZHIER" X500 ="CN,OU">

<Mapping>

<Data ParameterName = "ZUSRNAME" PropertyName = "BNAME" />

<Data ParameterName = "ZHIER" PropertyName = "$VALUE$" />

</Mapping>

</Function>

<Function Definition = "BWProfileAddFkt" FunctionName="/VIAENET/SAPHR_RSECUSERAUT_ADD" OutStructure ="" Key ="ZUSRNAME,ZHIER" X500 ="CN,OU">

<Mapping>

<Data ParameterName = "ZUSRNAME" PropertyName = "BNAME" />

<Data ParameterName = "ZHIER" PropertyName = "$VALUE$" />

</Mapping>

</Function>

</Functions>

<SAPExtendedSchematypes>

<SAPExtendedSchematype Bem = "all users" Name = "UserFunctionTable" DisplayPattern="%BNAME% (%MANDT%)" RevisionProperty="TRDAT" ListObjectsDefinition = "USR02-Table" ReadObjectDefinition ="USER GET" WriteObjectDefinition = "USER SET" DeleteObjectDefinition = "USER DEL">

<Properties>

<Property Name = "SAPBWP" Description="all the user's BW profiles" ListFunction="RSECUSERAUTH-SingleUser" AddFunction="BWProfileAddFkt" DelFunction="BWProfileDelFkt" ReplaceFunction="" IsMultivalued = "true" />

<Property Name = "USERPROFILE" Description="all the user's profiles" ListFunction="USR04-Table" AddFunction="" DelFunction="" ReplaceFunction="USER PROFILE SET" IsMultivalued = "true" />

</Properties>

</SAPExtendedSchematype>

<SAPExtendedSchematype Bem = "Asset, asset value" Name = "Asset_ANLA" DisplayPattern="%ANLN1% %BUKRS%" AddRevisionTimeOffset="true" RevisionProperty="AEDAT" ListObjectsDefinition = "ANLA table" ReadObjectDefinition = "ANLA table" InsertObjectDefinition = "" WriteObjectDefinition = "" DeleteObjectDefinition = "" />

</SAPExtendedSchematypes>

Explanation:

The list of UserFunctionTable schema type objects is created by using the USR02 table. Reading, writing, and deleting is done with USER-BAPI functions, which each have been declared as a Function.

The schema type has a properties block. Two properties are defined here that are neither returned through the list call's table definition nor through the single object call's function definition. A multi-value property SAPBWP is defined, whose value is taken from the RSECUSERAUTH table. The single objects are identified by the columns USR02.BNAME and RSECUSERAUTH.UNAME. BAPI calls, which are defined as functions, are used for inserting and deleting values.

The property Userprofile is an example of a multi-value property, which has values read from a table (USER04) and a Replace function. Therefore, all values that need to remain in the property must always be given when changes are made. The write function is the original USER-BAPI function for setting profiles in the user (function definition for BAPI_USER_PROFILES_ASSIGN). Single objects are identified using the USR02.BNAME and USR04.BNAME columns. There is no mapping required for the table definition because the key columns have the same name.

The Asset_ANLA schema type uses the AESAT revision counter, which only contains a change date. The connector adds a time of 23.59:00 to this revision counter (AddRevisionTimeOffset="true").

Speeding up synchronization with revision filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not be modified since the last synchronization and, therefore, must not be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

SAP R/3 supports revision filtering. The SAP objects' date of last change is used as revision counter. Each synchronization saves its last execution date as a revision in the One Identity Manager database (DPRRevisionStore table, Value column). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. When this workflow is synchronized the next time, the SAP objects' change date is compared with the revision saved in the One Identity Manager database. Only those objects that have been changed since this date are loaded from the target system.

NOTE: SAP roles are given the last date the role was generated in the target system. Only SAP roles that have be regenerated since the last synchronization are updated in the database on synchronization with revision filtering.

The revision is found at start of synchronization. Objects modified by synchronization are loaded and checked by the next synchronization. This means that the second synchronization after initial synchronization is not significantly faster.

Revision filtering can be applied to workflows and start up configuration.

To permit revision filtering on a workflow

  • Open the synchronization project in the Synchronization Editor.

  • Edit the workflow properties. Select the Use revision filter item from Revision filtering menu.

To permit revision filtering for a start up configuration

  • Open the synchronization project in the Synchronization Editor.

  • Edit the start up configuration properties. Select the Use revision filter item from the Revision filtering menu.
Detailed information about this topic
  • One Identity Manager Target System Synchronization Reference Guide

Synchronizing composite roles

Only directly assigned single and composite roles are mapped in SAPUserInSAPRole. Assignments of single roles to composite roles are mapped in SAPCollectionRPG. You can establish which single roles are indirectly assigned to a user account through both tables.

By default, the following applies to inheritance of single roles by user accounts: If a single role is assigned to a user account and the single role is part of a composite role, which is also assigned to the user account the single role is not inherited by the user account as well. This removes membership of user accounts in single roles when group memberships are provisioned in SAP R/3. This membership is deleted from the One Identity Manager database by the next synchronization or marked as outstanding, depending on the synchronization's configuration.

To prevent memberships being removed from single roles when single roles are part of composite roles

  • In the Designer, set the "TargetSystem | SAP | KeepRedundantProfiles" configuration parameter.

Restricting synchronization objects using user permissions

One Identity Manager offers the ability to restrict user account and groups for synchronization by using user permissions. In this case, the only user accounts and groups that are synchronized are those used by the SAP R/3 connector to log into the target system. All other groups and user accounts are filtered out of the user lists and the groups list of the function module "/VIAENET/U". If only a small part of the user account in the SAP R/3 environment should be synchronized with the One Identity Manager then the synchronization can be accelerated with this method.

Prerequisites
  • The user account used by the SAP R/3 connector to log into the target system is assigned exactly those groups in the SAP R/3 authorization object S_USER_GRP, characteristic CLASS, that should be synchronized.
  • There are user accounts that one of these groups is assigned to in the SAP R/3 environment as user group for testing authorization (in the login data).

During synchronization, the groups are loaded into the One Identity Manager database that the user account used by the SAP R/3 connector to log into the target system has access to in the authorization object SUSER_GRP. All user accounts that are assigned one of these groups as user group for authorization testing, are also synchronized. All other groups and user accounts are handled as non-existent objects in the target system during synchronization.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択