Chat now with support
Chat with Support

Identity Manager 8.1.4 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP systems Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Users and permissions for synchronizing with SAP R/3

The following users are involved in synchronizing One Identity Manager with SAP R/3.

Table 2: Users for synchronization
User Permissions

One Identity Manager Service user account

The user account for One Identity Manager Service requires permissions to carry out operations at file level. For example, assigning permissions and creating and editing directories and files.

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires access permissions to the internal web service.

NOTE: If One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)
User for accessing the target system

You must provide a user account with the following authorizations for full synchronization of SAP R/3 objects with the supplied One Identity Manager default configuration.

Required authorization objects and their meanings:

  • S_TCODE with a minimum of transaction codes SU01, SU53, PFCG
  • S_ADDRESS1 with activities 01, 02, 03, 06 and valid address groups (min."BC01")
  • S_USER_AGR (role maintenance) with activities 02, 03, 22, 78 possibly with restrictions in name ranges (for example "Z*")
  • S_USER_GRP (group maintenance) with activities 01, 02, 03, 22
  • S_USER_AUT (authorizations) with activities 03, 08
  • S_USER_PRO (profile) with activities 01, 02, 03, 22
  • S_USER_SAS (system specific assignments) with activities 01, 06, 22
  • S_RFC (authorization check by RFC access) with activity 16 at least for function groups ZVI, /VIAENET/ZVI0, /VIAENET/ZVI_L, /VIAENET/Z_HR, SU_USER, SYST, SDTX, RFC1, RFC_METADATA, SDIFRUNTIME, SYSU,
  • S_TABU_DIS (use of standard tools like SM30 for maintaining tables) with activity 03

Apart from the permissions listed, the user account has to get all objects from the authorization classes "ZVIH_AUT", "ZVIA_AUT", and "ZVIL_AUT" that are installed by the transport package for synchronization.

The following authorization objects are required in addition for the child system in order to synchronize central user administration:

  • S_RFC with the function group SUU6
  • S_TCODE with the transaction code SU56
User for accessing the One Identity Manager database

The Synchronization default system user is provided to execute synchronization with an application server.

TIP: The transport file provided by default, "SAPRole.zip", includes a transport package with a role that the base authorization object already possesses. This role can be assigned to the user account. You will find the transport files on the One Identity Manager installation medium in the Modules\SAP\dvd\AddOn\Bapi directory.

The named authorizations are required so that the SAP R/3 connector has read and write access to the SAP R/3 system. If only read access should be permitted, setting up a profile which has executable permission for transactions SU01 and PFCG but prevents writing at activity or field level is recommended.

The user account requires the user type "dialog", "communication", or "system" to load more information.

NOTE: In SAP R/3 versions up to and including SAP Web Application Server 6.40, the password and user input are not case-sensitive. this no longer applies to the password for SAP NetWeaver Application Server 7.0 and later. The password is case sensitive.

All SAP’s own tools that are supplied up to SAP Web Application Server 6.40, apart from the SAP GUI (RFC-SDK, SAP .Net Connector), therefore change the password to capital letters before passing them to SAP R/3. You must set the password in capital letters for the user account used by the SAP .Net Connector to authenticate itself on the SAP R/3 system. If this is done, all the usual tools can be accessed on SAP NetWeaver Application Server 7.0 by RFC.

Related topics

Installing the One Identity Manager Business Application Programing Interface

NOTE: The Business Application Programming Interface in One Identity Manager is certified.

Certificates:

  • Integration with SAP S/4HANA

  • Powered by SAP NetWeaver

For detailed information, see https://www.sapappcenter.com/apps/5513#!overview.

In order to access One Identity Manager data and business processes with the SAP R/3, you must load the Business Application Programming Interface (BAPI) into the SAP R/3 system. You will find the required transport files on the One Identity Manager installation medium in the Modules\SAP\dvd\AddOn\Bapi directory.

TIP: Instead of installing SAPTRANSPORT_70.ZIP, you can also install the Assembly Kit T070020759523_0000006.PAT. For more information, see Uninstalling BAPI transports.

Install the BAPI transport in the following order:

Table 3: BAPI transport

Transport

Explanation

1

SAPRepository.zip

Creates the /VIAENET/ in the SAP system repository.

2

SAPTable.zip

Defines the table structure for /VIAENET/USERS in the SAP system dictionary.

3

SAPTRANSPORT_70.ZIP

Contains the functions defined in the /VIAENET/ environment.

Select the transport package that suits your SAP system.

Archive directory UNICODE: Transports for systems that support unicode; transports for copies

Archive directory NON_UNICODE: Transports for systems not supporting unicode

Archive directory UNICODE_WORKBENCH: Transports for systems that support unicode; workbench transports

Set the following import options for the transport:

  • Overwrite Originals
  • Overwrite Objects in Unconfirmed Repairs
  • Ignore Non-Matching Component Versions

The SAP R/3 connector uses other BAPI SAP R/3s in parallel. For more information, see Referenced SAP R/3 table and BAPI calls.

Uninstalling BAPI transports

The SAP Add-On Assembly Kit allows SAP to support deinstallation of a BAPI. An uninstallable Assembly Kit is proved for this.

Prerequisites
  • SAP NetWeaver Application Server 7.00 or later

  • SAP ECC 6.0

  • SAP Add-On Assembly Kit 5.0 or later

  • Unicode is supported.

To uninstall a BAPI transport at a later date

  • Install the Assembly Kit T070020759523_0000006.PAT instead of the transport file SAPTRANSPORT_70.ZIP.

    You will find the kit on the One Identity Manager installation medium in the Modules\SAP\dvd\AddOn\Bapi directory.

The kit contains the functions that are defined in the /VIAENET/ environment. The kit has the deinstall_allowed option set.

Related topics

Setting up the synchronization server

To set up synchronization with an SAP R/3 environment, a server has to be available that has the following software installed on it:

  • Windows operating system

    The following versions are supported:

    • Windows Server 2008 R2 (non-Itanium based 64-bit) service pack 1 or later

    • Windows Server 2012

    • Windows Server 2012 R2

    • Windows Server 2016

    • Windows Server 2019

  • Microsoft .NET Framework Version 4.7.2 or later

    NOTE: Take the target system manufacturer's recommendations into account.
  • Windows Installer
  • SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0
  • One Identity Manager Service, Synchronization Editor, SAP R/3 connector
    • Install One Identity Manager components with the installation wizard.
      1. Select the Select installation modules with existing database option.
      2. Select the Server | Job server | SAP R/3 machine role.

Further requirements

  • Following files must either be in the Global Assemblies Cache (GAC) or in the One Identity Manager installation directory.
    • libicudecnumber.dll
    • rscp4n.dll
    • sapnco.dll
    • sapnco_utils.dll
  • Following files must either be in the Global Assemblies Cache (GAC) or in C:\Windows\System32 or in the One Identity Manager's installation directory.
    • msvcp100.dll
    • msvcr100.dll

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.

NOTE: If several target system environments of the same type are synchronized under the same synchronization server, it is recommended that you set up a Job server for each target system for performance reasons. This avoids unnecessary swapping of connections to target systems because a Job server only has to process tasks of the same type (re-use of existing connections).

Use the One Identity Manager Service to install the Server Installer. The program executes the following steps:

  • Sets up a Job server.

  • Specifies machine roles and server function for the Job server.

  • Remotely installs One Identity Manager Service components corresponding to the machine roles.

  • Configures the One Identity Manager Service.

  • Starts the One Identity Manager Service.

NOTE: To generate processes for the Job server, you need the provider, connection parameters, and the authentication data. By default, this information is determined from the database connection data. If the Job server runs through an application server, you must configure extra connection data in the Designer. For detailed information about setting up Job servers, see the One Identity Manager Configuration Guide.

NOTE: The program performs a remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.

To remotely install the One Identity Manager Service, you must have an administrative workstation on which the One Identity Manager components are installed. For detailed information about installing a workstation, see the One Identity Manager Installation Guide.

To remotely install and configure One Identity Manager Service on a server

  1. Start the Server Installer program on your administrative workstation.

  2. On the Database connection page, enter the valid connection credentials for the One Identity Manager database.

  3. On the Server properties page, specify the server on which you want to install the One Identity Manager Service.

    1. Select a Job server from the Server menu.

      - OR -

      To create a new Job server, click Add.

    2. Enter the following data for the Job server.

      • Server: Name of the Job server.

      • Queue: Name of the queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the Job queue using this unique queue identifier. The queue identifier is entered in the One Identity Manager Service configuration file.

      • Full server name: Full server name in accordance with DNS syntax.

        Syntax:

        <Name of servers>.<Fully qualified domain name>

      NOTE: You can use the Extended option to make changes to other properties for the Job server. You can also edit the properties later with the Designer.

  4. On the Machine roles page, select SAP R/3.

  5. On the Server functions page, select SAP R/3 connector.

  6. On the Service Settings page, enter the connection data and check the One Identity Manager Service configuration.

    NOTE: The initial service configuration is predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For detailed information about configuring the service, see the One Identity Manager Configuration Guide.

    • For a direct connection to the database:

      1. Select Process collection | sqlprovider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the One Identity Manager database.

    • For a connection to the application server:

      1. Select Process collection, click the Insert button and select AppServerJobProvider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the application server.

      4. Click the Authentication data entry and click the Edit button.

      5. Select the authentication module. Depending on the authentication module, other data may be required, such as user and password. For detailed information about the One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  7. To configure remote installations, click Next.

  8. Confirm the security prompt with Yes.

  9. On the Select installation source page, select the directory with the install files.

  10. On the Select private key file page, select the file with the private key.

    NOTE: This page is only displayed when the database is encrypted.

  11. On the Service access page, enter the service's installation data.

    • Computer: Name or IP address of the server that the service is installed and started on.

    • Service account: User account data for the One Identity Manager Service.

      • To start the service under the NT AUTHORITY\SYSTEM account, set the Local system account option.

      • To start the service under another account, disable the Local system account option and enter the user account, password and password confirmation.

    • Installation account: Data for the administrative user account to install the service.

      • To use the current user’s account, set the Current user option.

      • To use another user account, disable the Current user option and enter the user account, password and password confirmation.

    • To change the install directory, names, display names, or description of the One Identity Manager Service, use the other options.

  12. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  13. Click Finish on the last page of the Server Installer.

    NOTE: In a default installation, the service is entered in the server’s service management with the name One Identity Manager Service.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating