Managing SAP R/3 Environments
Setting up SAP R/3 Synchronization
Users and Permissions for Synchronizing with SAP R/3
Installing the One Identity Manager Business Application Programing Interface
Setting Up the Synchronization Server
Creating a Synchronization Project for initial Synchronization of an SAP Client
Special Features of Synchronizing with a CUA Central System
Show Synchronization Results
Customizing Synchronization Configuration
Base Data for Managing SAP R/3
How to Configure SAP R/3 Synchronization
Configuring Synchronization of Different Clients
Updating Schemas
Adding Other Schema Types
Configuring a Schema Extension File
Speeding Up Synchronization with Revision Filtering
Synchronizing Collective Roles
Restricting Synchronization Objects using User Permissions
Post-Processing Outstanding Objects
Configuring Memberships Provisioning
Supporting Analysis of Synchronization Issues
Deactivating Synchronization
Setting Up Account Definitions
SAP Systems
SAP Clients
Creating an Account Definition
Setting Up Manage Levels
Creating a Formatting Rule for IT Operating Data
Determining IT Operating Data
Modifying IT Operating Data
Assigning Account Definitions to Employees
Basic Data for User Account Administration
Assigning Account Definitions to Departments, Cost Centers and Locations
Assigning Account Definitions to Business Roles
Assigning Account Definitions to all Employees
Assigning Account Definitions Directly to Employees
Assigning Account Definitions to System Roles
Adding Account Definitions in the IT Shop
Assigning Account Definitions to a Target System
Deleting an Account Definition
User Account Types
External Identifier Types
Parameter
Printers
Cost centers
Start Menu
Companies
Login Languages
Security Policies
Communications Types
Licenses
License Extensions
Password Policies
Editing a Server
Target system managers
Predefined Password Policies
Editing Password Policies
Custom Scripts for Password Requirements
Restricted Passwords
Testing a Password
Testing Generating a Password
Assigning a Password Policy
Initial Password for New SAP User Accounts
Email Notifications about Login Data
General Master Data for a SAP Client
Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles
How to Edit a Synchronization Project
SAP User Accounts
Linking User Accounts to Employees
Supported User Account Types
Central User Administration in One Identity Manager
Entering Master Data for SAP User Accounts
SAP Groups, SAP Roles and SAP Profiles
General Master Data for an SAP User Account
SAP User Account Login Data
Phone numbers
Fax numbers
Email addresses
Fixed Values for an SAP User Account
Measurement Data
Parameter
SNC Data for an SAP User Account
Additional Tasks for Managing SAP User Accounts
Overview of User Accounts
Changing the Manage Level of an SAP User Account
Assigning SAP Groups and SAP Profiles Directly to an SAP User Account
Assigning SAP Roles Directly to an SAP User Account
Assigning Structural Profiles
Assigning Child Systems
Assigning SAP Licenses
Lock SAP User Account
Assigning Extended Properties
Automatic Assignment of Employees to SAP User Accounts
Locking SAP User Accounts
Deleting and Restoring SAP User Accounts
Entering External User Identifiers for an SAP User Account
Editing Master Data for SAP Groups, SAP Roles and SAP Profiles
SAP Products
General Master Data for SAP Groups
General Master Data for SAP Roles
General Master Data for SAP Profiles
Assigning SAP Groups, SAP Roles and SAP Profiles to SAP User Accounts
Assigning SAP Groups, SAP Roles and SAP Profiles to Organizations
Assigning SAP Groups, SAP Roles and SAP Profiles to Business Roles
Assigning SAP User Accounts directly to SAP Groups and SAP Profiles
Assigning SAP User Accounts directly to an SAP Roles
Adding SAP Groups, SAP Roles and SAP Profiles to System Roles
Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop
Role Assignment Validity Period
Assigning and Passing on SAP Profiles and SAP Roles to SAP User Accounts
Additional Tasks for Managing SAP Groups, SAP Roles and SAP Profiles
Overview of SAP Groups, SAP Roles and SAP Profiles
Effectiveness of SAP Groups, SAP Roles and SAP Profiles
Inheriting SAP Groups, SAP Roles and SAP Profiles based on Categories
Assigning Extended Properties to SAP Groups, SAP Roles and SAP Profiles
Showing SAP Authorizations
Calculating the Validity Date of Inherited Role Assignments
General Master Data for SAP Products
SAP Product Assignments to Employees
Providing System Measurement Data
Assigning SAP Products to Organizations
Assigning SAP Products to Business Roles
Assigning SAP Products directly to Employees
Adding SAP Products in System Roles
Adding SAP Products to the IT Shop
Additional Tasks for Managing SAP Products
Mapping Measurement Data
Entering licenses for SAP User Accounts
Finding Licenses using SAP Roles and SAP Profiles
Reports about SAP Systems
Appendix: Configuration Parameters for Managing an SAP R/3 Environment
Appendix: Default Project Templates for Synchronizing an SAP R/3 Environment
Project Template for Client without CUA
Project Template for the CUA Central System
Project Template for CUA Subsystems
Appendix: Referenced SAP R/3 Tables and BAPI Calls
Appendix: Example of a Schema Extension File
Deleting an Account Definition
Deleting an Account Definition
You can delete account definitions if they are not assigned to target systems, employees, hierarchical roles or any other account definitions.
|
|
NOTE: If an account definition is deleted, the user accounts arising from this account definition are deleted. |
To delete an account definition
- Remove automatic assignments of the account definition from all employees.
-
Select the category SAP R/3 | Basic configuration data | Account definitions | Account definitions.
- Select an account definition in the result list.
- Select Change master data in the task view.
- Disable the option Automatic assignment to employees on the General tab.
- Save the changes.
-
- Remove direct assignments of the account definition to employees.
-
Select the category SAP R/3 | Basic configuration data | Account definitions | Account definitions.
- Select an account definition in the result list.
- Select Assign to employees in the task view.
- Remove employees from Remove assignments.
- Save the changes.
-
- Remove the account definition's assignments to departments, cost centers and locations.
-
Select the category SAP R/3 | Basic configuration data | Account definitions | Account definitions.
- Select an account definition in the result list.
- Select Assign organizations.
- Remove the account definition's assignments to departments, cost centers and locations in Remove assignments.
- Save the changes.
-
- Remove the account definition's assignments to business roles.
-
Select the category SAP R/3 | Basic configuration data | Account definitions | Account definitions.
- Select an account definition in the result list.
- Select Assign business roles in the task view.
Remove business roles from Remove assignments.
- Save the changes.
-
- If the account definition was requested through the IT Shop, it must be canceled and removed from all IT Shop shelves. For more detailed information, see the .One Identity Manager IT Shop Administration Guide
- Remove the account definition assignment as required account definition for another account definition. As long as the account definition is required for another account definition, it cannot be deleted. Check all the account definitions.
-
Select the category SAP R/3 | Basic configuration data | Account definitions | Account definitions.
- Select an account definition in the result list.
- Select Change master data in the task view.
- Remove the account definition from the Required account definition menu.
- Save the changes.
-
- Remove the account definition's assignments to target systems.
- Select the client in the category SAP R/3 | Clients.
- Select Change master data in the task view.
- Remove the assigned account definitions on the General tab.
- Save the changes.
- Delete the account definition.
-
Select the category SAP R/3 | Basic configuration data | Account definitions | Account definitions.
- Select an account definition in the result list.
- Click
, to delete the account definition.
-
Basic Data for User Account Administration
The One Identity Manager supplies the following basic data for user administration, by default:
Other basic data is read from SAP R/3 during synchronization, if configured, and cannot be editing in One Identity Manager. This merely allows assignment to an SAP user account. These include:
Certain user account properties can be defined as default for all user accounts through the configuration settings. These include:
User Account Types
User Account Types
The user account types are available in One Identity Manager by default. SAP R/3 recognizes the user account types listed below.
| User account type | Meaning |
|---|---|
| Dialog (A) | Dialog user in a system. |
| System (B) | Background processing within an system. |
| Communication (C) | Communication between systems without a dialog. |
| Service (S) | Common user account for anonymous system access, for example.
User account of this type should have heavily restricted access permissions. |
| Reference (L) | Common user account for additional granting of permissions. |
The default user account type for new user accounts is specified in the configuration parameter "TargetSystem\SAPR3\UserDefaults\Ustyp".
To modify the default user account type
- Edit the value of the configuration parameter "TargetSystem\SAPR3\UserDefaults\Ustyp" in the Designer.
External Identifier Types
Base Data for Managing SAP R/3 > Basic Data for User Account Administration > External Identifier Types
External Identifier Types
External authentication methods for logging on to a system can be used in SAP R/3. The One Identity Manager supplies the following types as user identifiers to find the login data necessary for different authentication mechanisms for external systems on an SAP system:
| Type | Description |
|---|---|
| DN | Distinguished Name for X.509. |
| NT | Windows NTLM or password verification with the Windows domain controller. |
| LD | LDAP bind <user defined> (For other external authentication mechanisms). |
| SA | SAML Token. |
To specify a default type for external identifiers
- Set the configuration parameter "TargetSystem\SAPR3\UserDefaults\ExtID_Type" in the Designer and specify a value.