Chat now with support
Chat with Support

Identity Manager 9.2.1 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Troubleshooting an SAP R/3 connection Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Central user administration in One Identity Manager

If user accounts are managed through the central user administration (CUAClosed) in SAP R/3, access to the child client can be guaranteed for or withdrawn from user accounts in One Identity Manager. To do this, clients are marked as central system or child system in One Identity Manager. User accounts are managed in the central system. You specify the client in which each user account obtains its access permissions. (SAPUserMandant table). Only SAP roles or profiles from this client can be assigned to a user account. A user account only has access authorizations in the central system if the central system is also explicitly assigned in the SAPUserMandant table.

NOTE: In One Identity Manager, only SAP groups from the central system are mapped. SAP groups are not administered through the central user administration.

To use automatic identity assignment for central user administration (CUA) user accounts, assign an account definition to the CUA central system using the SAPUser user table.

The access authorizations for central and child systems are read into theOne Identity Manager database through synchronization. In One Identity Manager, access authorization can be granted by IT Shop requests and indirect assignment, as well as by indirect assignment.

To grant an identity access to a client by indirect assignment or request

  1. Create an account definition to generate user accounts in the central system.

    In the User account table field, select the SAPUser table. For more information, see Main data for an account definition.

    This account definition is required to generate a user account in the central system if the identity does not yet have a user account.

  2. Create an account definition for the client for which you want to grant access. The following special features apply:

    Table 39: Main data of an account definition for accessing clients
    Property Description
    User account table Select SAPUserMandant from the menu.

    Target system

    Client for which you want to grant access.

    Required account definition

    From the menu, select the account definition to generate user accounts in the central system. A user account is then created in the central system if the identity does not yet have a user account.

    Manage level (initial)

    Select Unmanaged from the menu.

    Service item

    Service item through which you can request the account definition resource in the IT Shop. Assign an existing service item or add a new one.

    IT Shop

    Enable the option if access to the child system can be requested in the Web Portal.

    Only for use in IT Shop

    Enable the option if access to the child system can only be requested in the Web Portal. Indirect assignment by business roles or organizations is not possible. However, access by a user account to the child system can still be granted directly.

    An account definition is required for each child system and for the central system in which you want to grant access.

  3. Assign the account definition for the client to a hierarchical role or IT Shop shelf.

  4. Add the identity as a member to the hierarchical role or as a customer to the IT Shop.

To grant a user account direct access to a client

You can now assign the SAP roles and profiles from this client to the user account.

Detailed information about this topic
Related topics

Entering main data of SAP user accounts

A user account can be linked to an identity in One Identity Manager. You can also manage user accounts separately from identities.

NOTE: It is recommended to use account definitions to set up user accounts for company identities. In this case, some of the main data described in the following is mapped through templates from identity main data.

NOTE: If identities are to obtain their user accounts through account definitions, the identities must own a central user account and obtain their IT operating data through assignment to a primary department, a primary location, or a primary cost center.If identities are to obtain their user accounts through account definitions, the identities must own a central SAP user account and obtain their IT operating data through assignment to a primary department, a primary location, or a primary cost center.

To create a user account

  1. In the Manager, select the SAP R/3 > User accounts category.

  2. Click in the result list.

  3. On the main data form, edit the main data of the user account.

  4. Save the changes.

To edit main data of a user account

  1. In the Manager, select the SAP R/3 > User accounts category.

  2. Select the user account in the result list.

  3. Select the Change main data task.

  4. Edit the user account's resource data.

  5. Save the changes.

To manually assign a user account for an identity

  1. In the Manager, select the Identities > Identities category.

  2. Select the identity in the result list.

  3. Select the Assign SAP user accounts task.

  4. Assign a user account.

  5. Save the changes.
Detailed information about this topic

General main data of an SAP user account

NOTE: You can only add user account to client which are marked as central system if user accounts in the SAP system manged with central user administration.

Enter general data for a user account on the Address tab.

Table 40: SAP user account address data
Property Description
Identity

Identity that uses this user account.

  • An identity is already entered if the user account was generated by an account definition.

  • If you are using automatic identity assignment, an associated identity is found and added to the user account when you save the user account.

  • If you create the user account manually, you can select an identity in the menu.

    The menu displays activated and deactivated identities by default. If you do not want to see any deactivated identities, set the QER | Person| HideDeactivatedIdentities configuration parameter.

NOTE: If you assign a deactivated identity to a user account, it might be locked or deleted depending on the configuration.

You can create a new identity for a user account with an identity of type Organizational identity, Personalized administrator identity, Sponsored identity, Shared identity, or Service identity. To do this, click next to the input field and enter the required identity main data. Which login data is required depends on the selected identity type.

No link to an identity required

Specifies whether the user account is intentionally not assigned an identity. The option is automatically set if a user account is included in the exclusion list for automatic identity assignment or a corresponding attestation is carried out. You can set the option manually. Enable the option if the user account does not need to be linked with an identity (for example, if several identities use the user account).

If attestation approves these user accounts, these user accounts will not be submitted for attestation in the future. In the Web Portal, user accounts that are not linked to an identity can be filtered according to various criteria.

Not linked to an identity

Indicates why the No link to an identity required option is enabled for this user account. Possible values:

  • By administrator: The option was set manually by the administrator.

  • By attestation: The user account was attested.

  • By exclusion criterion: The user account is not associated with an identity due to an exclusion criterion. For example, the user account is included in the exclude list for automatic identity assignment (configuration parameter PersonExcludeList).

Account definition

Account definition through which the user account was created.

Use the account definition to automatically fill user account main data and to specify a manage level for the user account. One Identity Manager finds the IT operating data of the assigned identity and enters it in the corresponding fields in the user account.

NOTE: The account definition cannot be changed once the user account has been saved.

NOTE: Use the user account's Remove account definition task to reset the user account to Linked status. This removes the account definition from both the user account and the identity. The user account remains but is not managed by the account definition anymore. The task only removes account definitions that are directly assigned (XOrigin=1).

Manage level Manage level of the user account. Select a manage level from the menu. You can only specify the manage level can if you have also entered an account definition. All manage levels of the selected account definition are available in the menu.
Client

The client to be added in the user account. Central system, if user accounts are manged with CUAClosed. You can only edit the client when the user account is added.

User account User account identifier. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.
NOTE: Existing user accounts cannot be renamed.

User type

Type of user. Permitted values are:

  • User with classic address

  • Technical user

  • User with BP person

  • User with BP org and classic address

  • User with work center address

First name The user’s first name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Second name

User's second name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Last name The user’s last name. If you have assigned an account definition, the input field is automatically filled out with respect to the manage level.

Second surname

The user's second surname.

Name at birth

The user's name at birth.

Surname prefix

User's last name prefix.

Second last name prefix

User's second last name prefix.

Form of address Form of address in the associated client's language. If you have assigned an account definition, the form of address is found by template rule depending on the mange level.
Academic title Additional information about the user account.
Alias Alternative ID for the user account that is used as log in for certain internet transactions.
Nickname Additional information about the user account.
Name formatting Name format and country for name formatting. Name and country formats determine the formatting rules for composing a full name of an employee in SAP R/3. Name formatting specifies the order in which parts of names are put together so that an identity‘s name is represented in an extensively long form. The country serves to uniquely identify the formatting rule.
Country for name formatting
ISO 639 - language Default language for the user account according to ISO 639

Search pattern 1

Search pattern.

Search pattern 2

Search pattern.

Personnel number SAP internal key for identifying an employee.
communications type Unique identifier for the communications type
Company The company to which the user account is assigned.

When a user account is added, the company of the assigned client is used. If the client is not assigned to a company, the company with the smallest address number is found and assigned to the user account.

NOTE: Company is a required field. Changes to user accounts cannot be saved in SAP R/3 on synchronization if a company is not assigned to them in One Identity Manager.

Assign a default company to these user accounts in the SAP R/3 system where possible.

Risk index (calculated)

Maximum risk index value of all assigned groups, roles, and profiles. The property is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more information, see the One Identity Manager Risk Assessment Administration Guide.

Category Categories for the inheritance of groups, roles, and profiles by the user account. Groups, roles, and profiles can be selectively inherited by user accounts. To do this, groups, roles, and profiles and user accounts or contacts are divided into categories. Select one or more categories from the menu.

Identity type

User account's identity type Permitted values are:

  • Primary identity: Identity's default user account.

  • Organizational identity: Secondary user account used for different roles in the organization, for example for subcontracts with other functional areas.

  • Personalized administrator identity: User account with administrative permissions, used by one identity.

  • Sponsored identity: User account to use for a specific purpose. Training, for example.

  • Shared identity: User account with administrative permissions, used by several identities. Assign all identities that use this user account.

  • Service identity: Service account.

Privileged user account. Specifies whether this is a privileged user account.

Groups can be inherited

Specifies whether the user account can inherit groups through the linked identity. If the option is set, the user account inherits groups through hierarchical roles, in which the identity is a member, or through IT Shop requests.

  • If you add an identity with a user account to a department, for example, and you have assigned groups to this department, the user account inherits these groups.

  • If an identity has requested group membership in the IT Shop and the request is granted approval, the identity's user account only inherits the group if the option is set.

Profiles can be inherited

Specifies whether the user account can inherit profiles through the linked identity. If the option is set, the user account inherits profiles through hierarchical roles, in which the identity is a member, or through IT Shop requests.

Roles can be inherited

Specifies whether the user account can inherit SAP roles through the linked identity. If the option is set, the user account inherits the roles through hierarchical roles, in which the identity is a member, or through IT Shop requests.

Related topics

Work center data for SAP user accounts

On the Work center tab, you can see all the work center data for a user account.

Table 41: SAP user account address data
Property Description
Function Additional information about the user account. Used when addresses are printed.
Department Additional information about the user account. Used when addresses are printed.
Room in building Additional information about the user account.
Floor Additional information about the user account.
Building (number or token) Additional information about the user account.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating