Configuring the validity period of indirect profile assignments
When the validity period is calculated, the following configuration parameters are taken into account. These configuration parameters are disabled by default.
-
TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate
Specifies whether the request's validity period is transferred when profile assignments are requested.
Not set: The request's validity period is transferred. If there is no validity period given, the default values of 1900-01-01 and 9999-12-31 are set.
Set: The profile assignment is unlimited.
-
TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate
Controls reuse of existing profile assignments.
Set: Existing unlimited profile assignments are reused if the same assignment is created by different means of inheritance. The following applies:
- The Valid from date of the existing assignment is in the past.
- The Valid until date of the existing assignment is 9999-12-31 or the new assignment has the same Valid until date as the existing assignment.
Any other unlimited assignment or any other assignment with the same Valid until date does not generate a new entry in the SAPUserInSAPHRP table. This can reduce the number of entries in the SAPUserInSAPHRP table.
Not set: An entry in the SAPUserInSAPHRP table is created for every new profile assignment. Existing assignments are not reused.
NOTE: In databases that are migrated from versions older than 7.0, you may see assignments with a Valid until date of 9998-12-31. This is a valid date for unlimited profile assignments, which means that these assignments can also be reused.
-
TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom
Specifies the value that indirect profile assignments' Valid from date contain when they are added.
Not set: 1900-01-01
Set: <today>
IMPORTANT: Depending on the amount of data to be handled, the calculation of indirect profile assignments is noticeably slowed down by this.
Do not set this configuration parameter if the information about when a profile assignment's validity period starts is not absolutely necessary in SAP R/3.
To reuse an existing profile assignment:
- In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate configuration parameter.
To set the assignment's date as the first day of the profile assignment's validity period
To prevent the request's validity date being copied to the profile assignment
-
In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate configuration parameter.
This adds an unlimited profile assignment.
Related topics
Determining the validity period of indirect profile assignments
Structural profiles that are assigned to departments, cost centers, locations, or business roles are indirectly assigned through them to user accounts. By default, indirect assignments are unlimited. The TargetSystem | SAPR3 | ValidDateHandling configuration parameter is used to determine the validity period of indirect assignments.
You can enter a valid from date if the requests are made in the IT Shop. An entry in SAPUserInSAPHRP table only exists between the first and last days of the request's validity period. The request's validity period is copied to profile assignments under the following prerequisites:
By default, an entry in the SAPUserInSAPHRP table is created for every new profile assignment. If the same assignment is created by different means of inheritance, the number of entries in the SAPUserInSAPHRP table grows rapidly. In this case, if the validity period is identical, the same entries can be reused. Existing profile assignments can be reused under the following prerequisites:
- The Valid from date of the existing assignment is in the past.
- The Valid until date of the existing assignment is 9999-12-31 or the new assignment has the same Valid until date as the existing assignment.
Any other unlimited assignment or any other assignment with the same Valid until date does not generate a new entry in the SAPUserInSAPHRP table. The number of entries in the SAPUserInSAPHRP table can be reduced in this way.
NOTE: In databases that are migrated from versions older than 7.0, you may see assignments with a Valid until date of 9998-12-31. This is a valid date for unlimited profile assignments, which means that these assignments can also be reused.
By default, the first day that indirect assignments are valid is 1900-01-01. This does not tell us when the assignments were created. If you need this information, in the Valid from field, you can enter the date on which the structural profile will be assigned. The date of the assignment is set as the first valid day of the indirect profile assignments under the following prerequisites:
IMPORTANT: Depending on the amount of data to be handled, the calculation of indirect profile assignments is noticeably slowed down by this.
Do not set the UseTodayForInheritedValidFrom configuration parameter if the information about the valid from date of the profile assignment is not absolutely necessary in SAP R/3!
Detailed information about this topic
Related topics
Mapping personnel planning data
Personnel planning data and parts of the organization structure from the One Identity Manager HCM system can be mapped in SAP. Set up a synchronization project to import personnel planing data. For more information, see Setting up a synchronization project for synchronizing with an SAP HCM system. For all objects imported into the One Identity Manager database in this way, the data source is given as import SAP R/3 (column ImportSource = "SAP").
Use this synchronization project to import employee master data and departments into One Identity Manager database. In addition, information about master identities, work hours, communication data, and department managers are imported. This information can be evaluated during identity audit by assigning employees to SAP user accounts.
Furthermore, you can configure synchronization for other personnel planning data. For more information, see Setting up a synchronization project for synchronizing additional personnel planning data.
Setting up a synchronization project for synchronizing additional personnel planning data
You can import typically required personnel planning data into the One Identity Manager database using the initial synchronization project for personnel planning. This includes general employee master data, communications data, departments, and their managers. For more information, see Project template for synchronizing personnel planning data.
The SAP HCM system has other personnel planning data available. To import these, create a new synchronization project and configure mapping for the additional data. You can use predefined schema types to do this.
Prerequisite
- Synchronization for SAP R/3 base administration is set up.
To set up a synchronization project for additional personnel planning data
- Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following special features apply:
- On the SAP HCM settings page in the system connection wizard, state whether you want to configure any additional settings. Set the Show expert settings option to do this.
- If you have set the Show expert settings option, select the address type to import on the SAP HCM Settings page.
If the option is not set, the page is not shown. The address type 1 (Permanent residence address) is imported by default.
-
On the SAP connector schema page, click Next.
TIP: You can enter a file with additional schema types on this page. The connector schema is extended by these custom schema types. You can also enter this data after saving the synchronization project. For detailed information, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
- On the Select project template page in the project wizard, select the "SAP HCM Employees and Departments” project template.
- The Restrict target system access page is not displayed. The target system is only loaded.
- On the last page of the project wizard, disable the Activate and save the new synchronization project automatically option.
- To close the project wizard, click Finish.
This creates and allocates a default schedule for regular synchronization. The synchronization project is created.
- Create mappings for the additional schema types in the Synchronization Editor.
Table 6: Properties of a Mapping
| Mapping name |
Display name for the mapping.
Mapping name is used as key. It cannot be changed after saving. |
| Mapping direction |
Mapping direction permitted for all property mapping rules. Select "in direction of One Identity Manager" |
| Description |
Text field for additional explanation. |
| Hierarchy synchronization |
Specifies whether the mapping is part of the hierarchy. This option is important for optimizing synchronization. |
| Only suitable for updates |
Specifies whether schema class objects are never added during synchronization but only updated or deleted. |
| Schema class in One Identity Manager |
One Identity Manager schema class valid for this mapping. Displays all schema classes with a configured mapping, in the menu.
Create a new schema class to set up a mapping for another schema type.
|
| Schema class in the target system |
Target system schema class valid for this mapping. In the menu, all the schema classes with a configured mapping are displayed.
Click  and create a new schema class for a schema type.
TIP: If you require schema types that cannot be selected here, add your own. |
For information about setting up mappings and schema classes, see the One Identity Manager Target System Synchronization Reference Guide.
- In the Synchronization Editor, edit the "Initial synchronization" workflow. Create additional synchronization steps for the new mappings.
- In the Synchronization direction input field, select "In direction of One Identity Manager".
For detailed information about creating synchronization steps, see the One Identity Manager Target System Synchronization Reference Guide.
- Save the synchronization project in the database.
- If you required schema types that cannot be selected when you add a mapping, add your own schema types. For detailed information, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
-
Run a consistency check.
-
Activate the synchronization project.
To synchronize on a regular basis
-
Open the synchronization project in the Synchronization Editor.
- Select the Configuration | Start up configurations category.
- Select a start up configuration in the document view and click Edit schedule.
- Edit the schedule properties.
- To enable the schedule, click Activate.
- Click OK.
To start initial synchronization manually
-
Open the synchronization project in the Synchronization Editor.
-
Select the Configuration | Start up configurations category.
-
Select a start up configuration in the document view and click Execute.
- Confirm the security prompt with Yes.
Detailed information about this topic
- One Identity Manager Target System Synchronization Reference Guide
Related topics
For more detailed information about setting up synchronization server, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
to edit schema class properties.