Chat now with support
Chat with Support

Identity Manager 8.2.1 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Troubleshooting an SAP R/3 connection Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

General main data of an SAP user account

NOTE: You can only add user account to client which are marked as central system if user accounts in the SAP system manged with central user administration.

Enter general data for a user account on the Address tab.

Table 41: SAP user account address data
Property Description
Employee Employee that uses this user account. An employee is already entered if the user account was generated by an account definition. If you create the user account manually, you can select an employee in the menu. If you are using automatic employee assignment, an associated employee is found and added to the user account when you save the user account.

You can create a new employee for a user account with an identity of type Organizational identity, Personalized administrator identity, Sponsored identity, Shared identity, or Service identity. To do this, click next to the input field and enter the required employee main data. Which login data is required depends on the selected identity type.

No link to an employee required

Specifies whether the user account is intentionally not assigned an employee. The option is automatically set if a user account is included in the exclusion list for automatic employee assignment or a corresponding attestation is carried out. You can set the option manually. Enable the option if the user account does not need to be linked with an employee (for example, if several employees use the user account).

If attestation approves these user accounts, these user accounts will not be submitted for attestation in the future. In the Web Portal, user accounts that are not linked to an employee can be filtered according to various criteria.

Not linked to an employee

Indicates why the No link to an employee required option is enabled for this user account. Possible values:

  • By administrator: The option was set manually by the administrator.

  • By attestation: The user account was attested.

  • By exclusion criterion: The user account is not associated with an employee due to an exclusion criterion. For example, the user account is included in the exclude list for automatic employee assignment (configuration parameter PersonExcludeList).

Account definition

Account definition through which the user account was created.

Use the account definition to automatically fill user account main data and to specify a manage level for the user account. One Identity Manager finds the IT operating data of the assigned employee and enters it in the corresponding fields in the user account.

NOTE: The account definition cannot be changed once the user account has been saved.

NOTE: Use the user account's Remove account definition task to reset the user account to Linked status. This removes the account definition from both the user account and the employee. The user account remains but is not managed by the account definition anymore. The task only removes account definitions that are directly assigned (XOrigin=1).

Manage level Manage level of the user account. Select a manage level from the menu. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.
Client

The client to be added in the user account. Central system, if user accounts are manged with CUAClosed. You can only edit the client when the user account is added.

User account User account identifier. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.
NOTE: Existing user accounts cannot be renamed.

User type

Type of user. Permitted values are:

  • User with classic address

  • Technical user

  • User with BP person

  • User with BP org and classic address

  • User with workplace address

First name The user’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Second name

User's second name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name The user’s last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Second last name

The user's second last name.

Name at birth

The user's name at birth.

Surname prefix

User's last name prefix.

Second last name prefix

User's second last name prefix.

Form of address Form of address in the associated client's language. If you have assigned an account definition, the form of address is found by template rule depending on the mange level. The form of address depends on the gender of the assigned employee.
Academic title Additional information about the user account.
Alias Alternative ID for the user account that is used as log in for certain internet transactions.
Nickname Additional information about the user account.
Name formatting Name format and country for name formatting. Name and country formats determine the formatting rules for composing a full name of an employee in SAP R/3. Name formatting specifies the order in which parts of names are put together so that an employee‘s name is represented in an extensively long form. The country serves to uniquely identify the formatting rule.
Country for name formatting
ISO 639 - language Default language for the user account according to ISO 639

Search pattern 1

Search pattern.

Search pattern 2

Search pattern.

Employee number SAP internal key for identifying an employee.
communications type Unique identifier for the communications type
Company The company to which the user account is assigned.

When a user account is added, the company of the assigned client is used. If the client is not assigned to a company, the company with the smallest address number is found and assigned to the user account.

NOTE: Company is a required field. Changes to user accounts cannot be saved in SAP R/3 on synchronization if a company is not assigned to them in One Identity Manager.

Assign a default company to these user accounts in the SAP R/3 system where possible.

Risk index (calculated)

Maximum risk index value of all assigned groups, roles, and profiles. The property is only visible if the QER | CalculateRiskIndex configuration parameter is set. For detailed information, see the One Identity Manager Risk Assessment Administration Guide.

Category Categories for the inheritance of groups, roles, and profiles by the user account. Groups, roles, and profiles can be selectively inherited by user accounts. To do this, groups, roles, and profiles and user accounts or contacts are divided into categories. Select one or more categories from the menu.

Identity

User account's identity type Permitted values are:

  • Primary identity: Employee's default user account.

  • Organizational identity: Secondary user account used for different roles in the organization, for example for subcontracts with other functional areas.

  • Personalized administrator identity: User account with administrative permissions, used by one employee.

  • Sponsored identity: User account to use for a specific purpose. Training, for example.

  • Shared identity: User account with administrative permissions, used by several employees. Assign all employees that use this user account.

  • Service identity: Service account.

Privileged user account. Specifies whether this is a privileged user account.

Groups can be inherited

Specifies whether the user account can inherit groups through the linked employee. If the option is set, the user account inherits groups through hierarchical roles, in which the employee is a member, or through IT Shop requests.

  • If you add an employee with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.

  • If an employee has requested group membership in the IT Shop and the request is granted approval, the employee's user account only inherits the group if the option is set.

Profiles can be inherited

Specifies whether the user account can inherit profiles through the linked employee. If the option is set, the user account inherits profiles through hierarchical roles, in which the employee is a member, or through IT Shop requests.

Roles can be inherited

Specifies whether the user account can inherit SAP roles through the linked employee. If the option is set, the user account inherits SAP roles through hierarchical roles, in which the employee is a member, or through IT Shop requests.

Related topics

Workplace data for SAP user accounts

On the Workplace tab, you can see all the workplace data for a user account.

Table 42: SAP user account address data
Property Description
Function Additional information about the user account. Used when addresses are printed.
Department Additional information about the user account. Used when addresses are printed.
Room in building Additional information about the user account.
Floor Additional information about the user account.
Building (number or token) Additional information about the user account.
Related topics

SAP user account login data

When a user is added, you issue them with a password. Once you have saved the user account password with the Manager it cannot be changed.

Enter the following data on the Login data tab.

Table 43: SAP user account login data

Property

Description

Password

Password for the user account. The employee’s central password can be mapped to the user account password. For detailed information about an employee’s central password, see One Identity Manager Identity Management Base Module Administration Guide.

If you use a random generated initial password for the user accounts, it is automatically entered when a user account is created.

The password is deleted from the database after publishing to the target system.

NOTE: One Identity Manager password policies are taken into account when a user password is being verified. Ensure that the password policy does not violate the target system's requirements.

Password confirmation

Reconfirm password.

Set effective password

Specifies whether the Active password password status is set if it is changed in the target system.

NOTE: The effective password can only be set if the SAP R/3 connector for logging into the target system uses either SCN Login with single sign-on or an insecure connection.

Disabled password

Specifies whether the password is disabled (if single sign-on is used for logging in).

Security policy

Security policy for this user account.

User group

SAP group to use as user group for checking permissions.

Reference user

The user account contains authorizations for this reference user.

A reference user is user account with the Reference user type. Use reference users to supply identical authorizations to different user accounts within one client.

Account is valid from

Validity period of the SAP user account.

Account is valid until

Accounting number

Number for user account's accounting.

Cost center

Cost center for the user account's accounting.

User account type

Type of user account. The default user account type is specified in the TargetSystem | SAPR3 | Accounts | Ustyp configuration parameter.

User account locked

Specifies whether the user account is locked.

If the user account is linked to an employee, the user account is unlocked when a new central password is set for the employee. This behavior is controlled by the TargetSystem | SAPR3 | Accounts | UnlockByCentralPassword configuration parameter. For detailed information about an employee’s central password, see One Identity Manager Identity Management Base Module Administration Guide.

Last login

Date and time of last target SAP system login.

Related topics

Phone numbers

You can edit user account email addresses on the Phone numbers tab.

To assign a phone number to a user account

  1. Select the Phone numbers tab.
  2. Click Add.

    This inserts a new row in the table.

  3. Mark this row. Edit the telephone number main data.
  4. Save the changes.

To edit a phone number

  1. Select the Phone numbers tab.
  2. Select the phone number in the list.
  3. Edit the telephone number main data.
  4. Save the changes.

To remove a phone number assignment

  1. Select the Phone numbers tab.
  2. Select the phone number in the list.
  3. Click Delete.
  4. Save the changes.
Table 44: Phone number properties
Property Description
Type Type of phone connection Select either "Phone", "Phone (default)", "Mobile (default)" or "Mobile".
Country Country for determining the country code.
Phone Phone number with local code. Enter an extension number in the extra field. If you have assigned an account definition, the telephone number is found by template rule depending on the mange level.
Phone number (complete) Full phone number. Contains dialing code, connection, and extension numbers.
Preferred Specifies the user's preferred telephone number.
Home address Specifies whether this phone number is the user's home number.
SMS-enabled Specifies whether text messages can be sent through this phone number.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating