Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 Environments Setting up SAP R/3 Synchronization Base Data for Managing SAP R/3 SAP Systems SAP Clients SAP User Accounts SAP Groups, SAP Roles and SAP Profiles SAP Products Providing System Measurement Data Reports about SAP Systems Appendix: Configuration Parameters for Managing an SAP R/3 Environment Appendix: Default Project Templates for Synchronizing an SAP R/3 Environment Appendix: Referenced SAP R/3 Tables and BAPI Calls Appendix: Example of a Schema Extension File

Managing SAP R/3 Environments

Managing SAP R/3 Environments

One Identity Manager offers simplified user administration for SAP R/3 environments. The One Identity Manager concentrates on setting up and processing user accounts as well as group, role and profile assignments. External identifiers and parameters can also be assigned to user accounts. The necessary data for system measurement is also mapped. TheOne Identity Manager system measurement data is available in , but the measurement itself takes place in the environment.SAP R/3

One Identity Manager provides company employees with the necessary user accounts. For this, you can use different mechanisms to connect employees to their user accounts. You can also manage user accounts independently of employees and therefore set up administrator user accounts.

Groups, roles and profiles are mapped in the One Identity Manager, in order to provide the necessary permissions for user accounts. Groups, roles and profiles can be grouped into products and assigned to employees. One Identity Manager ensures that the right group memberships are created for the employee’s user account.

If user accounts are managed through the central user administration (CUAClosed) in SAP R/3, access to the child client can be guaranteed to or withdrawn from user accounts in One Identity Manager.

Architecture Overview

Architecture Overview

The following servers are used for managing an SAP R/3 system in One Identity Manager:

  • SAP R/3 application server

    Application server for synchronization. The synchronization server connects to this server in order to access SAP R/3 objects.

  • SAP R/3 database

    Server installed with the SAP R/3 application database.

  • Synchronization serverClosed

    The synchronization server for synchronizing the One Identity Manager database with the SAP R/3 system. The One Identity Manager Service is installed on this server with the SAP R/3 connector. The synchronization server connects to the SAP R/3 server.

  • SAP R/3 router

    Router, which provides a network port for the SAP connector for communicating with the SAP R/3 application server.

  • SAP R/3 message server

    Server with which the SAP R/3 connector communicates if a direct connection to application servers is not permitted.

The One Identity Manager SAP R/3 connector executes synchronization and provision of data between SAP R/3 and the One Identity Manager database. The SAP R/3 connector uses the SAP connector for Microsoft .NET (NCo 3.0) for 64-bit systems for communicating with the target system.

One Identity Manager is responsible for synchronizing data between the SAP R/3 database and the One Identity Manager Service. The application server ABAP must be installed as a prerequisite for synchronization. An SAP system that is only based on a Java application server cannot be accessed with the SAP R/3 connector.

Figure 1: Architecture for SynchronizationClosed - Direct Communication

Figure 2: Architecture for Synchronization - Communication through Message Server

Figure 3: Architecture for Synchronization - Communication through router

One Identity Manager Users for Managing SAP R/3

One Identity Manager Users for Managing an SAP R/3

The following users are used for setting up and administration of an SAP R/3 system.

Table 1: User
User Task
Target system administrators

Target system administrators must be assigned to the application role Target system | Administrators.

Users with this application role:

  • Administrate application roles for individual target systems types.
  • Specify the target system manager.
  • Set up other application roles for target system managers if required.
  • Specify which application roles are conflicting for target system managers
  • Authorize other employee to be target system administrators.
  • Do not assume any administrative tasks within the target system.
Target system managers

Target system managers must be assigned to the application role Target systems | SAP R/3 or a sub application role.

Users with this application role:

  • Assume administrative tasks for the target system.
  • Create, change or delete target system objects, like user accounts or groups.
  • Edit password policies for the target system.
  • Prepare system entitlements for adding to the IT Shop.
  • Configure synchronization in the Synchronization EditorClosed and defines the mapping for comparing target systems and One Identity Manager.
  • Edit the synchronization's target system types and outstanding objects.
  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.
One Identity Manager administrators
  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configures schedules, as required.
  • Create and configure password policies, as required.
Administrators for the IT Shop

Administrators must be assigned to the application role Request & Fulfillment | IT Shop | Administrators.

Users with this application role:

  • Assign system authorizations to IT Shop structures.
Administrators for organizations

Administrators must be assigned to the application role Identity Management | Organizations | Administrators.

Users with this application role:

  • Assign system entitlements to departments, cost centers and locations.
Business roles administrators

Administrators must be assigned to the application role Identity Management | Business roles | Administrators.

Users with this application role:

  • Assign system authorizations to business roles.

Setting up SAP R/3 Synchronization

Setting up SAP R/3 Synchronization

One Identity Manager supports synchronization with SAP systems in versions SAP Web Application Server 6.40 and SAP NetWeaver Application Server 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.31, 7.40 SR2, 7.41 and 7.50 as well as SAP S/4HANA on-premise edition. This ensures that all variations of the installation based on SAP ECC 5.0 and 6.0 are fully supported. Central User Administration is supported for all versions named here.

To load SAP R/3 objects into the One Identity Manager database for the first time

  1. Prepare a user account with sufficient permissions for synchronizing in SAP R/3.
  2. Install the One Identity Manager Business Application Programming Interface in the SAP R/3 system.
  3. The One Identity Manager parts for managing SAP R/3 systems are available if the configuration parameter "TargetSystem\SAPR3" is set.

    • Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
  4. Download the installation source for the SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0.
  5. Install and configure a synchronization server and declare the server as Job serverClosed in One Identity Manager.
  6. Create a synchronization project with the Synchronization EditorClosed.
Detailed information about this topic
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents