지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.1.1 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Troubleshooting an SAP R/3 connection Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Managing SAP R/3 environments

One Identity Manager offers simplified user administration for SAP R/3 environments. One Identity Manager concentrates on setting up and processing user accounts as well as groups, roles, and profiles assignments. External identifiers and parameters can also be assigned to user accounts. The necessary data for system measurement is also mapped. The system measurement data is available in One Identity Manager, but the measurement itself takes place in the SAP R/3 environment.

One Identity Manager provides company employees with the user accounts required to allow you to use different mechanisms for connecting employees to their user accounts. You can also manage user accounts independently of employees and therefore set up administrator user accounts.

Groups, roles, and profiles are mapped in One Identity Manager, in order to provide the necessary permissions for user accounts. Groups, roles, and profiles can be grouped into products and assigned to employees. One Identity Manager ensures that the right group memberships are created for the employee’s user account.

If user accounts are managed through the central user administration (CUAClosed) in SAP R/3, access to the child client can be guaranteed for or withdrawn from user accounts in One Identity Manager.

Architecture overview

In One Identity Manager, the following servers play a role in managing SAP R/3:

  • SAP R/3 application server

    Application server on which synchronization is run The synchronization server connects to this server in order to access SAP R/3 objects.

  • SAP R/3 database server

    Server on which the SAP R/3 application database is installed.

  • Synchronization server

    The synchronization server for synchronizing data between One Identity Manager and SAP R/3. The One Identity Manager Service with the SAP R/3 connector is installed on this server. The synchronization server connects to the SAP R/3 application server.

  • SAP R/3 router

    Router which provides a network port to the SAP connector for communicating with the SAP R/3 application server.

  • SAP R/3 message server

    Server with which the SAP R/3 connector communicates during login if a direct connection to application servers is not permitted.

The SAP R/3 One Identity Manager connector runs synchronization and provision of data between SAP R/3 and the One Identity Manager database. The SAP R/3 connector uses the SAP connector for Microsoft .NET (NCo 3.0) for 64-bit systems for communicating with the target system.

The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and SAP R/3. The application server ABAP must be installed as a prerequisite for synchronization. An SAP R/3 system that is only based on a Java application server cannot be accessed with the SAP connector.

Figure 1: Architecture for synchronization - Direct communication

Figure 2: Architecture for synchronization - Communication through message server

Figure 3: Architecture for synchronization - Communication through router

One Identity Manager users for managing SAP R/3

The following users are used for setting up and administration of SAP R/3.

Table 1: Users
Users Tasks
Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles for target system managers are mutually exclusive.

  • Authorize other employees to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | SAP R/3 application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare system entitlements to add to the IT Shop.

  • Can add employees who have another identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Administrators for the IT Shop

Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Assign system entitlements to IT Shop structures.

Administrators for organizations

Administrators must be assigned to the Identity Management | Organizations | Administrators application role.

Users with this application role:

  • Assign system entitlements to departments, cost centers, and locations.

Business roles administrators

Administrators must be assigned to the Identity Management | Business roles | Administrators application role.

Users with this application role:

  • Assign system entitlements to business roles.

Setting up SAP R/3 synchronization

One Identity Manager supports synchronization with SAP systems for the following versions:

  • SAP Web Application Server 6.40

  • SAP NetWeaver Application Server 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.31, 7.40, 7.40 SR 2, 7.41, 7.50, 7.51, 7.52, 7.53, 7.54, 7.55, 7.56, and 7.69

  • SAP ECC 5.0 and 6.0

  • SAP S/4HANA On-Premise Edition 1.0 and 2.0 as from SAP BASIS 7.40 SR 2 and 7.50 (also for installations with SAP BASIS 7.53)

Central User Administration is supported for all versions named here.

NOTE: The application server ABAP must be installed as a prerequisite for synchronization. An SAP R/3 system that is only based on a Java application server cannot be accessed with the SAP connector.

To load SAP R/3 objects into the One Identity Manager database for the first time

  1. Prepare a user account with sufficient permissions for synchronizing in SAP R/3.
  2. Install the One Identity Manager Business Application Programming Interface in the SAP R/3 system.
  3. One Identity Manager components for managing SAP R/3 environments are available if the TargetSystem | SAPR3 configuration parameter is set.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  4. Download the installation source for the SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0.
  5. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  6. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic
셀프 서비스 도구
지식 기반
공지 및 알림
제품 지원
소프트웨어 다운로드
기술 설명서
사용자 포럼
비디오 자습서
RSS 피드
문의처
라이센싱 지원가져오기
기술 지원
모두 보기
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택