지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.2 - Administration Guide for SAP R/3 Structural Profiles Add-on

Managing personnel planning data and structural profiles Setting up SAP HCM system synchronization Managing structural profiles Mapping personnel planning data Configuration parameters for the SAP R/3 Structural Profiles Add-on Module Default project template for the SAP R/3 Structural Profiles Add-on Module Referenced SAP R/3 tables and BAPI calls

Setting up a synchronization project for synchronizing with an SAP HCM system

Create your own synchronization project foe synchronizing personnel planning data and structural profiles. Two separate project templates are available for this.

Use the Synchronization Editor to configure synchronization between the One Identity Manager database and the HCM system. The following describes the steps for initial configuration of a synchronization project.

NOTE: Just one synchronization project can be created per target system and default project template used.

To set up a synchronization project for structural profiles

  1. Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following special features apply:

    • In the project wizard, on the Select project template page, select the SAP HCM structural profile project template.

  2. Configure and set a schedule to run synchronization on a regular basis.

To set up a synchronization project for personnel planning data

  1. Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following special features apply:

    1. On the Select project template page in the project wizard, select the SAP HCM employees and departments project template.

    2. To allow editing of communication data in One Identity Manager and provisioning of changes, select the Restrict target system access tab and enable the Read/write access to target system option. Otherwise, set Read-only access to target system.

  2. Disable the TargetSystem | SAPR3 | AutoCreateDepartment configuration parameter.

    IMPORTANT: During synchronization of personnel planning data, departments that have been created already from SAP user account data are marked as outstanding. If synchronization of personnel planning data is configured, ensure that departments are not automatically created from user account data. For more information about this, see the One Identity Manager Administration Guide for Connecting to SAP R/3.

  3. (Optional) To synchronize additional HR data

    1. In the Initial Synchronization workflow, enable the Employee_PA0000 synchronization step.

    2. Disable the Employee synchronization step.

  4. Configure and set a schedule to run synchronization on a regular basis.

For more information about editing synchronization configuration, see One Identity Manager Target System Synchronization Reference Guide.

Related topics

Post-processing outstanding objects

Objects, which do not exist in the target system, can be marked as outstanding in One Identity Manager by synchronizing. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Outstanding objects:

  • Cannot be edited in One Identity Manager.

  • Are ignored by subsequent synchronizations.

  • Are ignored by inheritance calculations.

This means, all memberships and assignments remain intact until the outstanding objects have been processed.

Start target system synchronization to do this.

To post-process outstanding objects

  1. Select the SAP R/3 > Target system synchronization: SAP R/3 category.

    All tables assigned to the SAP R/3 target system type as synchronization tables are displayed in the navigation view.

  2. Select the table whose outstanding objects you want to edit in the navigation view.

    This opens the target system synchronization form. All objects are shown here that are marked as outstanding.

    TIP:

    To display object properties of an outstanding object

    1. Select the object on the target system synchronization form.

    2. Open the context menu and click Show object.

  1. Select the objects you want to rework. Multi-select is possible.

  2. Click on one of the following icons in the form toolbar to run the respective method.

    Table 2: Methods for handling outstanding objects

    Icon

    Method

    Description

    Delete

    The object is immediately deleted from the One Identity Manager database. Deferred deletion is not taken into account.

    Indirect memberships cannot be deleted.

    Publish

    The object is added to the target system. The Outstanding label is removed from the object.

    This runs a target system specific process that triggers the provisioning process for the object.

    Prerequisites:

    • The table containing the object can be published.

    • The target system connector has write access to the target system.

    The method can only be applied to objects in the SAPUserInSAPHRP table.

    Reset

    The Outstanding label is removed for the object.

    TIP: If a method cannot be run due to certain restrictions, the respective icon is disabled.

    • To display the constraint's details, click the Show button in the Constraints column.

  3. Confirm the security prompt with Yes.

NOTE: By default, the selected objects are processed in parallel, which speeds up the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.

Bulk processing of objects must be disabled if errors are to be localized, which means the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.

To disable bulk processing

  • Disable the icon in the form's toolbar.

NOTE: The target system connector must have write access to the target system in order to publish outstanding objects that are being post-processed. That means, the Connection is read-only option must not be set for the target system connection.

Managing structural profiles

Structural profiles are mapped in One Identity Manager to provide the necessary permissions for user accounts. Structural profiles can be assigned to user accounts, requested, or inherited through hierarchical roles in One Identity Manager. No new structural profiles can be added or deleted.

You can edit the following data about structural profiles in One Identity Manager:

  • Assigned SAP user accounts
  • Usage in the IT Shop
  • Risk assessment
  • Inheritance through roles and inheritance restrictions

To edit structural profiles

  1. Select the SAP R/3 > Structural profiles category.
  2. Select a structural profile in the result list. Select the Change main data task.
  3. Enter the required data on the main data form.
  4. Save the changes.

General main data of structural profiles

Table 3: Configuration parameters for risk assessment of structural profiles
Configuration parameter Effect when set
QER\CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating the risk index. Changes to the parameter require recompiling the database.

If the parameter is enabled, values for the risk index can be entered and calculated.

Enter the following main data of a structural profile.

Table 4: General main data of structural profiles
Property Description
Structural profile Name of the structural profile
Distinguished name Distinguished name of the structural profile The distinguished name is mapped through the SAP connector.
Canonical name Canonical name of the structural profile The canonical name is mapped through the SAP connector.
Client Client that contains the structural profile.
Service item Service item data for requesting the structural profile through the IT Shop.
Depth of hierarchy The number of the level in the hierarchy that the assigned user account is allowed to drill down to.
Seq.no. Sequential number of this structural profile.
Object type The structural profile is valid for this object type.
Plan version The structural profile is applied to this plan version.
Risk index Value for evaluating the risk of assigning the structural profile to account accounts. Enter a value between 0 and 1. The field is only visible if the “QER | CalculateRiskIndex” configuration parameter is set.
Category Categories for structural profile inheritance. Structural profiles can selectively inherit profiles. To do this, structural profiles and user accounts are divided into categories. Use this menu to allocate one or more categories to the structural profile.
IT Shop

Specifies whether the profile can be requested through the IT Shop. Then the structural profile can be requested from the Web Portal‘s employees and granted through a defined approval procedure. The structural profile can still be assigned directly to user accounts and hierarchical roles.

Only for use in IT Shop Specifies whether the structural profile can be requested exclusively through the IT Shop. Then the structural profile can be requested from the Web Portal‘s employees and granted through a defined approval procedure. The structural profile cannot be assigned directly to hierarchical roles.
Detailed information about this topic
  • Inheriting structural profiles based on categories

  • One Identity Manager IT Shop Administration Guide
  • One Identity Manager Identity Management Base Module Administration Guide
  • One Identity Manager Target System Base Module Administration Guide
  • One Identity Manager Risk Assessment Administration Guide
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택