The following users are involved in synchronizing One Identity Manager with SAP R/3.
| User | Authorizations |
|---|---|
| One Identity Manager Service user account | The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files). The user account must belong to the Domain users group. The user account must have the Login as a service extended user permission. The user account requires permissions for the internal web service. NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call: `netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"` The user account needs full access to the One Identity Manager Service installation directory in order to update One Identity Manager automatically. In the default installation, One Identity Manager is installed under: |
| User for accessing the target system (synchronization user) | You must provide a user account with the following authorizations for full synchronization of SAP R/3 objects with the supplied One Identity Manager default configuration. Required authorization objects and their meanings: Apart from the authorizations listed, the user account has to get all objects from the authorization classes ZVIH_AUT, ZVIA_AUT, and ZVIL_AUT that are installed by the transport package for synchronization. These authorization objects guarantee the principal authorization for running function modules. In addition, the authorization objects ZVIH_OP, ZVIA_OP, and ZVIL_OP need to be assigned. These regulate the type of access to SAP R/3 data using the ACTVT authorization field. Possible values are 01 add or create, 02 change, 03 display, and 06 delete. The respective activity is checked before data is accessed. If only the 03 display activity has been assigned, no write operations at all can be carried out with this user account through the One Identity Manager Business Application Programming Interface. The following authorization objects are required in addition for the child system in order to synchronize central user administration: |
| User for accessing the One Identity Manager database | The Synchronization default system user is provided to run synchronization using an application server. |
The named authorizations are required so that the SAP R/3 connector has read and write access to the SAP R/3 system. If only read access is to be permitted, set up a profile that has authorizations for carrying out transactions SU01 and PFCG but prevents write access at activity or field level. Also pay attention to which activities you grant for the authorization objects ZVIH_OP, ZVIA_OP, and ZVIL_OP: for read-only access, only the 03 display activity is enabled.
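To make the ACTVT rule concrete, the following is an added example (not One Identity Manager or SAP code) that models the activity check described above and audits a synchronization user's ZVIH_OP, ZVIA_OP and ZVIL_OP assignments to decide whether the profile is genuinely read-only (only 03 display on every object). The sample profiles are constructed for the example, and the function names are assumptions, not part of any product API.

```python
from typing import Dict, List, Set

# Meaning of the ACTVT values named on the page.
ACTVT_MEANING: Dict[str, str] = {
    "01": "add or create",
    "02": "change",
    "03": "display",
    "06": "delete",
}
# Any activity other than 03 display grants some form of write access.
WRITE_ACTIVITIES: Set[str] = {"01", "02", "06"}
# Authorization objects that regulate the type of access to SAP R/3 data.
OP_OBJECTS = ("ZVIH_OP", "ZVIA_OP", "ZVIL_OP")

# authorization object -> ACTVT values assigned to the synchronization user
Profile = Dict[str, Set[str]]

# Constructed sample profiles (hypothetical; not exports from a real SAP role).
FULL_SYNC_PROFILE: Profile = {obj: {"01", "02", "03", "06"} for obj in OP_OBJECTS}
READ_ONLY_PROFILE: Profile = {obj: {"03"} for obj in OP_OBJECTS}
MIXED_PROFILE: Profile = {
    "ZVIH_OP": {"03"},
    "ZVIA_OP": {"02", "03"},  # change access slipped into a supposedly read-only role
    "ZVIL_OP": {"03"},
}


def is_allowed(profile: Profile, auth_object: str, actvt: str) -> bool:
    """Model the check performed before data access: the requested ACTVT
    must be assigned to the user for that authorization object."""
    if actvt not in ACTVT_MEANING:
        raise ValueError(f"unknown ACTVT value {actvt!r}")
    return actvt in profile.get(auth_object, set())


def write_capable_objects(profile: Profile) -> List[str]:
    """Return the ZVI*_OP objects for which the profile grants any write activity."""
    return [obj for obj in OP_OBJECTS if profile.get(obj, set()) & WRITE_ACTIVITIES]


def is_read_only(profile: Profile) -> bool:
    """True only when every ZVI*_OP object carries exactly the 03 display activity."""
    return all(profile.get(obj, set()) == {"03"} for obj in OP_OBJECTS)


def audit(profile: Profile) -> List[str]:
    """One finding per authorization object, the way a reviewer would read the
    synchronization user's role before approving it."""
    findings = []
    for obj in OP_OBJECTS:
        assigned = profile.get(obj, set())
        if not assigned:
            # The page requires all three objects to be assigned.
            findings.append(f"{obj}: no ACTVT assigned; this object is required")
            continue
        names = ", ".join(f"{a} {ACTVT_MEANING.get(a, '?')}" for a in sorted(assigned))
        mode = "write" if assigned & WRITE_ACTIVITIES else "read-only"
        findings.append(f"{obj}: {names} -> {mode}")
    return findings


if __name__ == "__main__":
    for name, prof in (("full", FULL_SYNC_PROFILE),
                       ("read-only", READ_ONLY_PROFILE),
                       ("mixed", MIXED_PROFILE)):
        print(name, "->", "read-only" if is_read_only(prof) else "write-capable")
        for line in audit(prof):
            print("   ", line)
```

The point of the mixed profile is the failure mode a reviewer most often meets: a role that looks read-only because two of the three objects carry only 03, while one object quietly carries 02. `is_read_only` treats that as write-capable, and `audit` names the offending object.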
The user account must have the user type dialog, communication, or system in order to load additional information.
NOTE: In SAP R/3 versions up to and including SAP Web Application Server 6.40, the password and user input are not case-sensitive. This no longer applies to the password for SAP NetWeaver Application Server 7.0 and later, where passwords are case-sensitive.
All of SAP's own tools supplied up to SAP Web Application Server 6.40, apart from the SAP GUI (RFC-SDK, SAP .Net Connector), therefore convert the password to capital letters before passing it to SAP R/3. You must therefore set the password in capital letters for the user account that the SAP .Net Connector uses to authenticate itself on the SAP R/3 system. If this is done, all the usual tools can still access SAP NetWeaver Application Server 7.0 by RFC.