
Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3


Special Features of Synchronizing with a CUA Central System

NOTE:

  • Only child system roles and profiles that match the login language of the administrative user account for synchronization are mapped in One Identity Manager.
  • Maintain all child system roles and profiles in the target system in the language that is set as the login language in the system connection of the synchronization project for the central system.

If a central user administration (CUA) is connected to One Identity Manager, regular synchronization is only required with the central system. The synchronization configuration is created for the client labeled as central system. The CUA Application Link Enabling (ALE) distribution model is loaded during synchronization, and synchronization tries to assign all clients that are configured as child systems to the central system in One Identity Manager. All clients in the same SAP system as the central system are automatically added in One Identity Manager in the process and assigned to the central system (in CUA central system). All clients in another SAP system must already exist in One Identity Manager at this point in time.

If a text comparison of roles and profiles between child and central systems was executed in the target system, the child system roles and profiles are taken into account by synchronization. These roles and profiles are assigned to the originating client in One Identity Manager.

The text comparison of roles and profiles in the target system saves roles and profiles in the table USRSYSACTT per language. During synchronization with One Identity Manager, only roles and profiles matching the login language of the administrative account for synchronization are read from the table USRSYSACTT. If single roles and profiles are not maintained in this language, they are not transferred to One Identity Manager. In order to map all roles and profiles from child systems in One Identity Manager, they must all be maintained in the language specified as login language in the central system.
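The language restriction above means a role or profile can silently drop out of the synchronized data. The following check is an added example, not part of the product or the original guide: it takes rows exported from USRSYSACTT and lists, per child system, the entries that have no text in the login language. The rows are constructed and the keys subsystem, name and langu are simplified assumptions, not the table's actual column names.

```python
from collections import defaultdict

# Constructed sample rows. The keys are assumptions for this example and do not
# claim to match the real USRSYSACTT column names.
SAMPLE_ROWS = [
    {"subsystem": "CHILD100", "name": "Z_FI_CLERK", "langu": "E"},
    {"subsystem": "CHILD100", "name": "Z_FI_CLERK", "langu": "D"},
    {"subsystem": "CHILD100", "name": "Z_HR_ADMIN", "langu": "D"},
    {"subsystem": "CHILD200", "name": "Z_MM_BUYER", "langu": "E"},
    {"subsystem": "CHILD200", "name": "Z_SD_SALES", "langu": "D"},
    {"subsystem": "CHILD200", "name": "Z_SD_SALES", "langu": "F"},
]


def languages_by_entry(rows):
    """Map (child system, role/profile name) to the set of maintained languages."""
    langs = defaultdict(set)
    for row in rows:
        # SAP one-character language keys are case-sensitive, so compare as-is.
        langs[(row["subsystem"], row["name"])].add(row["langu"])
    return langs


def missing_in_login_language(rows, login_language):
    """Return {child system: [names]} for entries not maintained in login_language."""
    missing = defaultdict(list)
    for (subsystem, name), langs in sorted(languages_by_entry(rows).items()):
        if login_language not in langs:
            missing[subsystem].append(name)
    return dict(missing)


def languages_with_full_coverage(rows):
    """Return the languages in which every role and profile is maintained."""
    per_entry = list(languages_by_entry(rows).values())
    return sorted(set.intersection(*per_entry)) if per_entry else []


if __name__ == "__main__":
    for subsystem, names in missing_in_login_language(SAMPLE_ROWS, "E").items():
        print(f"{subsystem}: not maintained in login language E: {names}")
    print("Languages covering everything:", languages_with_full_coverage(SAMPLE_ROWS))
```

An empty result from languages_with_full_coverage means no single login language would map every child system role and profile, so texts need to be maintained before synchronization.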

To set up an initial synchronization project for central user administration

  1. Create synchronization projects for the child systems that are not in the same SAP system as the central system.

    Proceed as described in section Creating a Synchronization Project for initial Synchronization of an SAP Client. The following anomalies apply:

    1. Select the project template "SAP R/3 (CUA subsystem)" on the Select project template page in the project wizard.
    2. The page Restrict target system access is not shown. The target system is only loaded.
    3. Start synchronization manually to load the required data.

      All clients from the selected system and their license data are loaded.

      NOTE: Do not synchronize using schedules. Re-synchronizing is only necessary if the active price lists for charging licenses were changed in the target system.

  2. Repeat step 1 for all child systems in other SAP subsystems.
  3. Create a synchronization project for the central system.

    Proceed as described in section Creating a Synchronization Project for initial Synchronization of an SAP Client. The following anomalies apply:

    1. Set the option CUA central system on the Additional settings page.
    2. Select the project template "SAP R/3 synchronization (base administration)" on the Select project template page.
    3. Configure scheduled synchronization.
  4. Start central system synchronization after all child systems have been loaded into the One Identity Manager database from the SAP subsystems.

Excluding child Systems from Synchronization

Certain administrative tasks in SAP R/3 require that a child system is temporarily excluded from the central user administration. If this child system is synchronized during this period, the SAP roles and SAP profiles of the temporarily excluded child system are marked as outstanding or deleted in the One Identity Manager database. To prevent this, remove the child system from the synchronization scope.

SAP roles and profiles are removed from the synchronization scope by deleting the ALE model name in the client. The client properties are synchronized anyway. To ensure that the ALE model name is not reintroduced, disable the rule for mapping this schema property.

To exclude a child system from synchronization

  1. Select the category SAP R/3 | Clients.
  2. Select the child system in the result list. Select Change master data in the task view.
  3. Delete the entry in ALE model name.
  4. Save the changes.
  5. Open the synchronization project in the Synchronization Editor.

  6. Select the category Workflows.
  7. Select the workflow to use for synchronizing the central system in the navigation view.
  8. Double-click on the synchronization step "client" in the workflow view.
  9. Select the Rule filter tab.
  10. Select the property mapping rule "ALEModelName_ALEModelName" in Excluded rules.
  11. Click OK.
  12. Save the changes.

You must reactivate synchronization of the child system's SAP roles and profiles the moment it becomes part of the central user administration again.

To re-include a child system in synchronization

  1. Select the category SAP R/3 | Clients.
  2. Select the child system in the result list. Select Change master data in the task view.
  3. Enter the ALE model name of the central system's CUA in the textbox ALE model name.

    The child system is only synchronized if the same ALE model name is entered in the central system and the child system.

  4. Save the changes.
  5. Open the synchronization project in the Synchronization Editor.

  6. Select the category Workflows.
  7. Select the workflow to use for synchronizing the central system in the navigation view (default is "Initial Synchronization").
  8. Double-click on the synchronization step "client" in the workflow view.
  9. Select the Rule filter tab.
  10. Deselect the property mapping rule "ALEModelName_ALEModelName" in Excluded rules.
  11. Click OK.
  12. Save the changes.

For more information about editing synchronization steps, see the One Identity Manager Target System Synchronization Reference Guide.

Show Synchronization Results

Synchronization results are summarized in the synchronization log. You can specify the extent of the synchronization log for each system connection individually. One Identity Manager provides several reports in which the synchronization results are organized under different criteria.

To display a synchronization log

  1. Open the synchronization project in the Synchronization Editor.
  2. Select the category Logs.
  3. Click in the navigation view toolbar.

    Logs for all completed synchronization runs are displayed in the navigation view.

  4. Select a log by double-clicking on it.

    An analysis of the synchronization is shown as a report. You can save the report.

To display a provisioning log

  1. Select the category Logs.
  2. Click in the navigation view toolbar.

    Logs for all completed provisioning processes are displayed in the navigation view.

  3. Select a log by double-clicking on it.

    An analysis of the provisioning is shown as a report. You can save the report.

The log is marked in color in the navigation view. This mark shows you the execution status of the synchronization/provisioning.

Synchronization logs are stored for a fixed length of time. The retention period is set in the configuration parameter "DPR\Journal\LifeTime" and its sub parameters.

To modify the retention period for synchronization logs

  • Set the configuration parameter "Common\Journal\LifeTime" in the Designer and enter the maximum retention time for entries in the database journal. Use the configuration sub parameters to specify the retention period for each warning level.
  • If there is a large amount of data, you can specify the number of objects to delete per DBQueue Processor operation and run in order to improve performance. Use the configuration parameters "Common\Journal\Delete\BulkCount" and "Common\Journal\Delete\TotalCount" to do this.
  • Configure and set the schedule "Delete journal" in the Designer.

Customizing Synchronization Configuration

You have used the Synchronization Editor to set up a synchronization project for initial synchronization of an SAP client. You can use this synchronization project to load SAP objects into the One Identity Manager database. If you manage user accounts and their authorizations with One Identity Manager, changes are provisioned in the SAP environment.

You must customize the synchronization configuration in order to compare the SAP R/3 database with the One Identity Manager database regularly and to synchronize changes.

  • Create a workflow with the direction of synchronization "target system" to use One Identity Manager as the master system for synchronization.
  • To specify which SAP objects and database objects are included in synchronization, edit the scope of the target system connection and the One Identity Manager database connection. To prevent data inconsistencies, define the same scope in both systems. If no scope is defined, all objects will be synchronized.
  • You can use variables to create generally applicable synchronization configurations which contain the necessary information about the synchronization objects when synchronization starts. Variables can be implemented in base objects, schema classes or processing methods, for example.
  • Use variables to set up a synchronization project which can be used for several different clients. Store a connection parameter as a variable for logging in to the clients.
  • Update the schema in the synchronization project if the One Identity Manager schema or target system schema has changed. Then you can add the changes to the mapping.
  • Add your own schema types if you want to synchronize data that does not have schema types in the connector schema.

IMPORTANT: As long as synchronization is running, you must not start another synchronization for the same target system. This applies especially if the same synchronization objects would be processed.

  • The moment another synchronization is started with the same start up configuration, the running synchronization process is stopped and given the status "Frozen". An error message is written to the One Identity Manager Service log file.
  • If another synchronization is started with another start up configuration that addresses the same target system, it may lead to synchronization errors or loss of data. Plan your start times carefully. If possible, specify your start times so that synchronization does not overlap.
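The two overlap cases above can be checked against a planned schedule before it is deployed. This is an added example, not product code and not part of the original guide; the start-up configuration names, target system names, start times and expected run durations are constructed, and the duration is an estimate the administrator has to supply.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed plan: (start-up configuration, target system, start, expected minutes).
PLANNED_RUNS = [
    ("CUA central full", "SAP-PRD/100", "2024-01-10 01:00", 120),
    ("CUA central full", "SAP-PRD/100", "2024-01-10 02:30", 120),
    ("CUA central delta", "SAP-PRD/100", "2024-01-10 04:00", 45),
    ("Child system load", "SAP-QAS/200", "2024-01-10 01:30", 30),
]

FROZEN = "running synchronization is stopped with status Frozen"
DATA_RISK = "risk of synchronization errors or loss of data"


def find_conflicts(runs):
    """Return (earlier config, later config, target system, effect) per overlap."""
    windows = []
    for config, target, start, minutes in runs:
        begin = datetime.strptime(start, "%Y-%m-%d %H:%M")
        windows.append((config, target, begin, begin + timedelta(minutes=minutes)))
    windows.sort(key=lambda w: w[2])

    conflicts = []
    for earlier, later in combinations(windows, 2):
        if earlier[1] != later[1]:
            continue  # different target systems do not affect each other
        if later[2] >= earlier[3]:
            continue  # the later run starts after the earlier one has finished
        # Same start-up configuration freezes the running process; a different
        # configuration on the same target system risks errors or data loss.
        effect = FROZEN if earlier[0] == later[0] else DATA_RISK
        conflicts.append((earlier[0], later[0], earlier[1], effect))
    return conflicts


if __name__ == "__main__":
    for first, second, target, effect in find_conflicts(PLANNED_RUNS):
        print(f"{target}: '{second}' starts while '{first}' is running -> {effect}")
```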

For more detailed information about configuring synchronization, see the One Identity Manager Target System Synchronization Reference Guide.
