The following users are involved in synchronizing One Identity Manager with SAP R/3.
User | Permissions |
---|---|
One Identity Manager Service user account | The user account for One Identity Manager Service requires permissions to carry out operations at file level, for example, assigning permissions and creating and editing directories and files. The user account must belong to the Domain users group. The user account must have the Login as a service extended user permission. The user account requires access permissions to the internal web service. NOTE: If One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant access permissions for the internal web service with the following command line call: `netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"` The user account needs full access to the One Identity Manager Service installation directory so that One Identity Manager can be updated automatically. In the default installation, One Identity Manager is installed under: |
User for accessing the target system | You must provide a user account with the following authorizations for full synchronization of SAP R/3 objects with the supplied One Identity Manager default configuration. Required authorization objects and their meanings: Apart from the permissions listed, the user account must be granted all objects from the authorization classes "ZVIH_AUT", "ZVIA_AUT", and "ZVIL_AUT" that are installed by the transport package for synchronization. The following authorization objects are additionally required for the child system in order to synchronize central user administration: |
User for accessing the One Identity Manager database | The Synchronization default system user is provided to execute synchronization with an application server. |
The named authorizations are required so that the SAP R/3 connector has read and write access to the SAP R/3 system. If only read access is to be permitted, it is recommended to set up a profile that grants execute permission for transactions SU01 and PFCG but prevents writing at activity or field level.
The user account requires the user type "dialog", "communication", or "system" to load more information.
NOTE: In SAP R/3 versions up to and including SAP Web Application Server 6.40, the password and user input are not case-sensitive. This no longer applies to the password for SAP NetWeaver Application Server 7.0 and later: there the password is case-sensitive.
All of SAP's own tools supplied up to SAP Web Application Server 6.40 apart from the SAP GUI (that is, RFC-SDK and SAP .Net Connector) therefore convert the password to capital letters before passing it to SAP R/3. You must therefore set the password of the user account that the SAP .Net Connector uses to authenticate itself on the SAP R/3 system in capital letters. If this is done, all the usual tools can access SAP NetWeaver Application Server 7.0 by RFC.
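The following PowerShell script is an added example and is not part of the One Identity Manager documentation or product. It verifies two of the requirements listed for the One Identity Manager Service user account in the table above on the host that runs the service: that a URL reservation for the internal web service exists for the service account (the effect of the `netsh http add urlacl` call), and that the service account has full access to the installation directory. The URL prefix, the account name, and the installation path in the parameter defaults are assumptions; replace them with the values of your installation.

```powershell
<#
Added example; not part of the One Identity Manager documentation or product.
Checks two requirements for the One Identity Manager Service user account:
  1. a URL reservation for the internal web service that names the service account
  2. full access for the service account on the installation directory
All parameter defaults are assumptions for illustration only.
#>
param(
    # URL prefix reserved for the internal web service (placeholder IP address and port)
    [string]$UrlPrefix      = 'http://192.0.2.10:1880/',
    # Account the service runs under, spelled as Windows reports it in ACLs and in netsh output
    [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE',
    # Installation directory (assumed path)
    [string]$InstallDir     = 'C:\Program Files\One Identity\One Identity Manager'
)

# --- Check 1: URL reservation ------------------------------------------------
# "netsh http show urlacl" prints one block per reservation, for example:
#   Reserved URL            : http://+:80/
#       User: NT AUTHORITY\NETWORK SERVICE
#           Listen: Yes
#           Delegate: No
# Parse the blocks into objects so the check does not depend on line order.
$reservations = @()
$current = $null
foreach ($line in (netsh http show urlacl)) {
    if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
        $current = [pscustomobject]@{ Url = $matches[1]; Users = @() }
        $reservations += $current
    }
    elseif ($null -ne $current -and $line -match '^\s*User:\s*(.+?)\s*$') {
        $current.Users += $matches[1]
    }
}
# -eq and -contains compare strings case-insensitively, which suits URL prefixes and account names.
$reservation = $reservations | Where-Object { $_.Url -eq $UrlPrefix } | Select-Object -First 1
$urlAclOk = ($null -ne $reservation) -and ($reservation.Users -contains $ServiceAccount)

# --- Check 2: full access to the installation directory ----------------------
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$installDirOk = $false
if (Test-Path -LiteralPath $InstallDir) {
    $acl = Get-Acl -LiteralPath $InstallDir
    # An Allow ACE for the account grants full control when every FullControl bit is set.
    $installDirOk = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ServiceAccount -and
        (($_.FileSystemRights -band $full) -eq $full)
    })
}

# Report both results; $false for either means the requirement from the table is not met.
[pscustomobject]@{
    UrlPrefix             = $UrlPrefix
    ServiceAccount        = $ServiceAccount
    UrlReservationForUser = $urlAclOk
    InstallDir            = $InstallDir
    FullAccessForUser     = $installDirOk
}
```

Run the script on the server that hosts One Identity Manager Service; reading URL reservations does not require elevation, but reading the directory ACL requires read permission on the installation directory. The ACL check only recognizes entries whose rights mask contains all FullControl bits; inherit-only entries that carry generic rights values are reported as not matching and should be inspected by hand.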