Chat now with support
Chat with Support

Identity Manager 8.1.4 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP systems Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Creating a synchronization project for initial synchronization of an SAP client

Use the Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3 environment. The following describes the steps for initial configuration of a synchronization project.

After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the Synchronization Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.

Have the following information available for setting up a synchronization project.

Table 4: Information required for setting up a synchronization project
Data Explanation
SAP R/3 application server Name of the application server used to RFC communication.
System number Number of the SAP system for connecting the SAP R/3 connector.
System ID System ID of this SAP system.
Client Number of the client to be synchronized. You need the central system's client number to synchronize central user administration (CUAClosed).
Login name and password

The name and password of the user account used by the SAP R/3 connector to log in to the SAP R/3 system. Make a user account available with sufficient permissions.

If the network connection must be secure, you require the user account's SNC name.

Login language Login language for logging the SAP R/3 connection into the SAP R/3 system.

Synchronization server

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

Installed components:

  • SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0
  • One Identity Manager Service (started)
  • Synchronization Editor
  • SAP R/3 connector

The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.

Table 5: Additional properties for the Job server
Property Value
Server function SAP R/3 connector
Machine role Server/Job server/SAP R/3

For more information, see Setting up the synchronization server.

One Identity Manager database connection data
  • Database server

  • Database

  • SQL Server login and password

  • Specifies whether integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

Remote connection server

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation, on which the Synchronization Editor is installed, is not possible. For example, because of the firewall configuration or the workstation does not fulfill the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

The remote connection server and the workstation must be in the same Active Directory domain.

Remote connection server configuration:

  • One Identity Manager Service is started

  • RemoteConnectPlugin is installed

  • SAP R/3 connector is installed

The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). Use the synchronization as remote connection server at the same time, by simply installing the RemoteConnectPlugin as well.

For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

Additional information about setting up the synchronization project may be required depending on the configuration of the SAP R/3 system.

Table 6: Information for setting up a synchronization project

Data

Explanation

SAP R/3 router

Name of the router that provides a network port for the SAP R/3 connector for communicating with the application server.

SAP R/3 message server

Name of the message server with which the SAP R/3 connector communicates when logging in.

Login group

Name of the login group used by the SAP R/3 connector for logging in when communication is working over a message server within the SAP R/3 environment.

SNC host name

SNC name of the host for the secure network connection.

SNC Name

SCN name of the user account with which the SAP R/3 connector logs into the SAP R/3 system if a secure network connection is required. The SNC name must be entered using the same syntax as in the user account in SAP R/3.

SNC client API

API containing SNC encryption. Enter the file name and path of the synchronization server.

Only file name is required if the file is in the default search path of the operating system. If encryption has been applied to the operating system, the file is located in the operating system directory and can be found through the default search path. If a third-party product was used for encryption, the file can only be found if the installation directory of this product was added to the default search path (PATH variable).

NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:
  • Executed in default mode

  • Started from the Launchpad

If you execute the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.

To set up an initial synchronization project for an SAP client

  1. Start the Launchpad and log in to the One Identity Manager database.

    NOTE: If synchronization is executed by an application server, connect the database through the application server.
  2. Select the Target system type SAP R/3 entry and click Start.

    This starts the Synchronization Editor's project wizard.

  1. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Enable the Connect using remote connection server option and select the server to be used for the connection under Job server.

  1. Select a connection type on Connection type.
    Table 7: Connector types
    Property Description
    SAP R/3 application server or SAP R/3 router Specifies whether the connection is to be established through an application server or router
    SAP R/3 message server Specifies whether the connection is to be established through a message server
    • Enter the connection data for connection type "SAP R/3 application server or SAP R/3 router" on Connection data.
      Table 8: System connection
      Property Description
      SAP R/3 host or router Name of the application server or router used by the SAP R/3 connector for communication.
      System number Number of the SAP system.
      System ID System ID of the SAP system. This is used as the display name in One Identity Manager tools.
    • Enter the connection data for the "SAP R/3 message server" connection type on the Message server page.
      Table 9: System connection
      Property Description
      SAP R/3 message server Name of the message server used to establish the connection
      Login group Name of the login group used by the SAP R/3 connector for logging in.
      SAP R/3 router Name of the router if the SAP R/3 connector communicates through a router.
      System number Number of the SAP system.
      System ID System ID of the SAP system. This is used as the display name in One Identity Manager tools.
  2. Enter the network settings on Secure network communication.
    Table 10: Network settings
    Property Description
    Program ID Identifier for the connection established by the SAP R/3 connector with the SAP R/3 system.
    SNC login Specifies whether the SNC user account name is to be used when the SAP R/3 connector logs in on the SAP R/3system.
  3. If you have enabled SNC login on Secure connection, SNC connection configuration opens. Enter the data required for logging into the target system using a secure network connection.
    Table 11: SNC system connection
    Property Description
    Client Number of the client to be synchronized. Enter the central system's client number if central user administration is to be synchronized.
    SNC host name SNC name of the host for the secure network connection.
    SNC Name SNC name of the user account used by the SAP R/3 connector to log in on to the SAP R/3 system.
    SNC client API API containing the SNC encryption
    Authentication Select a security level for logging in to the SAP R/3 system.
    Integrity protection
    Encryption
    Highest available

    SNC login with user name and password

    User name and password are given explicitly during SNC login.

    If this option is not set, single sign-on is used for logging in.

    Login language Login language for logging the SAP R/3 connection in on the SAP R/3 system. The language selected determines the language for captions for all SAP objects of this client. If you select "EN", all texts from SAP groups, roles, profiles and start menus are synchronized in English.
  4. Enter data for logging into the target system on Login data.
    Table 12: Login data
    Property Description
    Client Number of the client to be synchronized. Enter the central system's client number if central user administration is to be synchronized.
    Login name Name of the user account used by the SAP R/3 connector to login to the SAP R/3 system. If you have enabled the option SNC login on the Secure connection page, enter the SNC name of this user account.
    Login password User account's password that is used by the SAP R/3 connector to log in to the SAP R/3 system.
    Login language Login language for logging the SAP R/3 connection into the SAP R/3 system. The language selected determines the language for captions for all SAP objects of this client. If you select "EN", all texts from SAP groups, roles, profiles, and start menus are synchronized in English.
  5. Supply additional information about synchronizing objects and properties on Additional settings. You can check the connection settings.
    • In Central user administration (CUA), specify whether the connection to a central user administration's central system should be established. In this case, set CUA central system.
    • You can test the entered connection data in Verify connection settings. Click on Verify project.

      The system tries to connect to the server. If CUA central system is set, the given client is tested to see if it is the central system of a CUA.

      NOTE: There is no check on whether the supplied BAPI is installed.
    • Click Finish, to end the system connection wizard and return to the project wizard.
  6. Click Next on SAP HCM settings.

    This page is only needed for synchronizing additional personnel planning data in the SAP R/3 Structural Profiles Add-on Module.

  7. Click Next on SAP connector schema.

    TIP: You can enter a file with additional schema types on this page. The connector schema is extended by these custom schema types. You can also enter this data after saving the synchronization project. For more information, see Adding other schema types.
  1. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE: If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again. This page is not shown if a synchronization project already exists.
  2. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  1. Select a project template on the Select project template page to use for setting up the synchronization configuration.
    Table 13: Standard project templates
    Project template Description
    SAP R/3 (CUA subsystem) Use this project template for initially setting up the synchronization project for a CUA’s child systems that belong to another SAP system than the central system.
    SAP R/3 synchronization (base administration) Use this project template for initially setting up the synchronization project for individual clients or a CUA's central system.
    NOTE:A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.
  1. On the Restrict target system access page, specify how system access should work. You have the following options:
    Table 14: Specify target system access
    Option Meaning

    Read-only access to target system.

    Specifies that a synchronization workflow is only to be set up for the initial loading of the target system into the One Identity Manager database.

    The synchronization workflow has the following characteristics:

    • Synchronization is in the direction of One Identity Manager.
    • Processing methods in the synchronization steps are only defined for synchronization in the direction of One Identity Manager.

    Read/write access to target system. Provisioning available.

    Specifies whether a provisioning workflow is to be set up in addition to the synchronization workflow for the initial loading of the target system.

    The provisioning workflow displays the following characteristics:

    • Synchronization is in the direction of the Target system.
    • Processing methods are only defined in the synchronization steps for synchronization in the direction of the Target system.
    • Synchronization steps are only created for such schema classes whose schema types have write access.

    This page is only shown if the project template SAP® R/3® synchronization (basic administration) was selected. If the SAP® R/3® (child CUA system) project template was selected, the Read-only access to target system option is automatically enabled.

  1. On the Synchronization server page, select a synchronization server to execute synchronization.

    If the synchronization server is not declared as a Job server in the One Identity Manager database yet, you can add a new Job server.

    1. Click to add a new Job server.

    2. Enter a name for the Job server and the full server name conforming to DNS syntax.

    3. Click OK.

      The synchronization server is declared as a Job server for the target system in the One Identity Manager database.

      NOTE: After you save the synchronization project, ensure that this server is set up as a synchronization server.
  1. To close the project wizard, click Finish.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    The synchronization project is created, saved, and enabled immediately.

    NOTE: If enabled, a consistency check is carried out. If errors occur, a message appears. You can decide whether the synchronization project can remain activated or not.

    Check the errors before you use the synchronization project. To do this, in the General view on the Synchronization Editor‘s start page, click Verify project.

    NOTE: If you do not want the synchronization project to be activated immediately, disable the Activate and save the new synchronization project automatically option. In this case, save the synchronization project manually before closing the Synchronization Editor.

    Disable this option, if you want to add your own schema types in this synchronization project.

    NOTE: The connection data for the target system is saved in a variable set and can be modified in the Configuration | Variables category in the Synchronization Editor.

To configure the content of the synchronization log

  1. Open the synchronization project in the Synchronization Editor.

  2. To configure the synchronization log for target system connection, select the Configuration | Target system category.
  3. To configure the synchronization log for the database connection, select the Configuration | One Identity Manager connection category.
  4. Select the General view and click Configure.
  5. Select the Synchronization log view and set Create synchronization log.
  6. Enable the data to be logged.

    NOTE: Some content generates a particularly large volume of log data. The synchronization log should only contain data required for troubleshooting and other analyses.

  7. Click OK.

To synchronize on a regular basis

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the Configuration | Start up configurations category.
  3. Select a start up configuration in the document view and click Edit schedule.
  4. Edit the schedule properties.
  5. To enable the schedule, click Activate.
  6. Click OK.

To start initial synchronization manually

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the Configuration | Start up configurations category.

  3. Select a start up configuration in the document view and click Execute.

  4. Confirm the security prompt with Yes.

NOTE:

Following a synchronization, employees are automatically created for the user accounts in the default installation. If an account definition for the client is not yet known at the time of synchronization, user accounts are linked with employees. However, account definitions are not assigned. The user accounts are therefore in a Linked state.

To manage the user accounts using account definitions, assign an account definition and a manage level to these user accounts.

To select user accounts through account definitions

  1. Create an account definition.
  2. Assign an account definition to the client.
  3. Assign a user account in the Linked state to the account definition. The account definition's default manage level is applied to the user account.
    1. In the Manager, select the SAP R/3 | User accounts | Linked but not configured | <Client> category.
    2. Select the Assign account definition to linked accounts task.
    3. In the Account definition menu, select the account definition.

    4. Select the user accounts that contain the account definition.

    5. Save the changes.
Detailed information about this topic
  • One Identity Manager Target System Synchronization Reference Guide
Related topics

Special features of synchronizing with a CUA central system

NOTE:

  • Only child system roles and profiles that match the login language of the administrative user account for synchronization are mapped in One Identity Manager.
  • Maintain all child system roles and profile in the target system in the language set as login language in the synchronization project for the central system in the system connection.

If a central user administration is connected to One Identity Manager, regular synchronization is only required with the central system. The synchronization configuration is created for the client labeled as central system. The CUAClosed Application Link Enabling (ALE) distribution model is loaded during synchronization and tries to assign all clients, which are configured as child systems to the central system in One Identity Manager. All clients in the same SAP system as the central system are automatically added in One Identity Manager in the process and assigned to the central system (in CUA central system). All clients in another SAP system must already exist in One Identity Manager at this point in time.

If a text comparison of roles and profiles between child and central systems was executed the target system in the target system, the child system roles and profiles are taken into account by synchronization. These roles and profiles are assigned to the originating client in One Identity Manager.

Roles and profile are saved in USRSYSACTT with respect to language by text comparison of roles and profiles in the target system. Only roles and profile matching the login language of the administrative account for synchronization are read from the USRSYSACTT during synchronization with One Identity Manager. If single roles and profiles are not maintained in this language, they are not transferred to One Identity Manager. In order to map all roles and profiles from child systems in One Identity Manager, they must all be all maintained in the language specified as login language in the central system.

To set up an initial synchronization project for central user administration

  1. Create synchronization projects the child systems, not in the same SAP system as the central system.

    Follow the steps described in Creating a synchronization project for initial synchronization of an SAP client. The following special features apply:

    1. In Select project template in the project wizard, select the "SAP R/3 (CUA subsystem)" project template.
    2. The Restrict target system access page is not displayed. The target system is only loaded.
    3. Start synchronization manually to load the required data.

      All clients from the selected system and their license data are loaded.

      NOTE: Do not synchronize using schedules. Re-synchronizing is only necessary if the active price lists for charging licenses were changed in the target system.

  2. Repeat step 1 for all child system in other SAP subsystems.
  3. Create a synchronization project for the central system.

    Follow the steps described in Creating a synchronization project for initial synchronization of an SAP client. The following special features apply:

    1. On the Additional settings page, enable the Central User Administration (CUA) instance option.
    2. On the Select project template page, select the "SAP R/3 synchronization (base administration)” project template.
    3. Configure the scheduled synchronization.
  4. Start central system synchronization, after all child systems have been loaded in the SAP database from One Identity Manager subsystems.
Related topics

Excluding a child system from synchronization

Certain administrative task in SAP R/3 required that the child system is temporarily excluded from the central user administration. If these child systems are synchronized during this period, the SAP roles and SAP profile of the temporarily excluded child system are marked as outstanding or deleted in the One Identity Manager database. To prevent this, remove the child system from the synchronization scope.

SAP roles and profiles are removed from the synchronization scope by deleting the ALE model name in the client. The client properties are synchronized anyway. To ensure that the ALE model name is not reintroduced, disable the rule for mapping this schema property.

To exclude a child system from synchronization

  1. Select the SAP R/3 | Clients category.
  2. Select the child system in the result list. Select the Change master data task.
  3. Delete the entry in the ALE model name field.
  4. Save the changes.
  5. Open the synchronization project in the Synchronization Editor.

  6. Select the Workflows category.
  7. Select the workflow to use for synchronizing the central system in the navigation view.
  8. Double-click on the synchronization step "client" in the workflow view.
  9. Select Rule filter.
  10. Select "ALEModelName_ALEModelName" in the Exluded rules pane.
  11. Click OK.
  12. Save the changes.

NOTE: Unsuccessful database operations for assigning SAP roles and profiles to user account that originate from the temporarily excluded child system are logged depending on the setting in the synchronization log. You can ignore these messages. Once the child system is available again, the memberships are handled properly.

You must reactivate synchronization of the child system's SAP roles and profiles the moment it becomes part of the central user administration again.

To re-include a child system in synchronization

  1. Select the SAP R/3 | Clients category.
  2. Select the child system in the result list. Select the Change master data task.
  3. Enter the ALE model name of the central system's CUAClosed in the ALE model name field.

    The child system is only synchronized if the same ALE model named is entered in the central system and the child system.

  4. Save the changes.
  5. Open the synchronization project in the Synchronization Editor.

  6. Select the Workflows category.
  7. Select the workflow in the navigation, to use for synchronizing the central system (default is "Initial Synchronization").
  8. Double-click on the synchronization step "client" in the workflow view.
  9. Select Rule filter.
  10. Deselect "ALEModelName_ALEModelName" in the Exluded rules pane.
  11. Click OK.
  12. Save the changes.

For more information about editing synchronization steps, see One Identity Manager Target System Synchronization Reference Guide.

Related topics

Displaying synchronization results

Synchronization results are summarized in the synchronization log. You can specify the extent of the synchronization log for each system connection individually. One Identity Manager provides several reports in which the synchronization results are organized under different criteria.

To display a synchronization log

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the Logs category.

  3. Click in the navigation view toolbar.

    Logs for all completed synchronization runs are displayed in the navigation view.

  4. Select a log by double-clicking it.

    An analysis of the synchronization is shown as a report. You can save the report.

To display a provisioning log

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the Logs category.

  3. Click in the navigation view toolbar.

    Logs for all completed provisioning processes are displayed in the navigation view.

  4. Select a log by double-clicking it.

    An analysis of the provisioning is shown as a report. You can save the report.

The log is marked in color in the navigation view. This mark shows you the status of the synchronization/provisioning.

TIP: The logs are also displayed in the Manager under the <target system> | synchronization log category.

Synchronization logs are stored for a fixed length of time.

To modify the retention period for synchronization logs

  • In the Designer, enable the DPR | Journal | LifeTime configuration parameter and enter the maximum retention period.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating