
Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3


Transferring Calculated Licenses


In order to execute system measurement in the SAP R/3 environment, you need to transfer employee related calculated licenses to the active license. This transfer is done separately for each client in the system.

NOTE: If the task Publishing calculated licenses is run, the active license stored directly with the user account is overwritten by the calculated license!

Exception: "04 (substitute)" is entered as active license and the substitute time period is currently valid or is in the future.

NOTE: The task Publishing calculated licenses is only for clients with CUA status "No CUA system" or empty CUA status.

To transfer calculated licenses to active licenses

  1. Select the category SAP R/3 | Clients.
  2. Select the client whose licenses are to be transferred.
  3. Select Publish calculated licenses.

    A security prompt appears.

  4. Confirm the security prompt with Yes.

Once the calculated licenses are transferred to active licenses, the active licenses are published in the target system.

One Identity Manager transfers the calculated employee-related license for all of this client's user accounts to the active license. You can edit this data later, if required. Once the licenses are published in the SAP R/3 system and system measurement has been carried out, you can synchronize the current measurement data with the One Identity Manager database.

Special Features for User Accounts with a Substitute's License

If the active license "04 (substitute)" is entered in the user account and the substitution period is currently valid, the active license is not replaced by the calculated employee-related license. The same applies if the substitution period is in the future (Substituted from later than "today").

If the substitution period has expired, the calculated employee-related license is transferred to the active license by the task Publishing calculated licenses. Information about the substitute and the substitution period is deleted from the user account.

NOTE: In order to publish an active license "04 (substitute)" in the target system, the price list and all usable user types must be enabled in the program part system measurement in the SAP R/3 environment.

Reports about SAP Systems


One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for SAP systems.

NOTE: Other sections may be available depending on which modules are installed.

Table 82: Reports for the Target System

| Report | Description |
|---|---|
| Overview of all assignments (system) | This report finds all roles containing employees with at least one user account in the selected system. |
| Overview of all assignments (client) | This report finds all roles containing employees with at least one user account in the selected client. |
| Overview of all assignments (group, role, profile) | This report finds all roles containing employees with the selected group, role or profile. |
| Show orphaned user accounts | This report shows all user accounts in the client, which are not assigned to an employee. The report contains assigned system entitlements and risk assessment. |
| Show employees with multiple user accounts | This report shows all employees with more than one user account in the client. The report contains a risk assessment. |
| Show entitlement drifts | This report shows all the client's system entitlements that are the result of manual operations in the target system rather than using the One Identity Manager provisioning engine. |
| Show unused user accounts | This report shows all the client's user accounts that have not been used in the last few months. |
| Show user accounts with an above average number of system entitlements | This report contains all the client's user accounts with an above average number of system entitlements. |
| SAP user account and group administration | This report contains a summary of user account and group distribution in all clients. You can find the report in the category My One Identity Manager \| Target system overviews. |
| Data quality summary for SAP user accounts | This report contains different evaluations of user account data quality in all clients. You can find the report in the category My One Identity Manager \| Data quality analysis. |

Overview of all Assignments


The report "Overview of all Assignments" is displayed for certain objects, for example, permissions, compliance rules or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles and IT Shop structures, in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Example
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group, all roles are determined in which there are employees with this group.
  • If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the report Overview of all assignments.
  • Use the Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you determine if roles exist in which there are employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. In the report's toolbar, click to open the legend.

  • Double-click a control to show all child roles belonging to the selected role.
  • By clicking the button in a role's control, you display all employees in the role with the base object.
  • Use the small arrow next to the button to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.

Figure 6: Toolbar for Report "Overview of all assignments"

Table 83: Meaning of Icons in the Report Toolbar
Icon Meaning
Show the legend with the meaning of the report control elements
Saves the current report view as a graphic.
Selects the role class used to generate the report.

Displays all roles or only the affected roles.


Appendix: Configuration Parameters for Managing SAP R/3

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 84: Configuration parameter
| Configuration parameter | Description |
|---|---|
| TargetSystem\SAPR3 | SAP is supported. The parameter is a precompiler dependent configuration parameter. Changes to the parameter require recompiling the database. |
| TargetSystem\SAPR3\Accounts | Default values should be used for SAP user accounts. |
| TargetSystem\SAPR3\Accounts\Datfm | Specifies the default date format for SAP user accounts. |
| TargetSystem\SAPR3\Accounts\Dcpfm | Specifies the default decimal point format for SAP user accounts. |
| TargetSystem\SAPR3\Accounts\ExtID_Type | Specifies the default type for external identification of SAP user accounts. |
| TargetSystem\SAPR3\Accounts\Fax_Group | Specifies the default fax group for SAP user accounts. |
| TargetSystem\SAPR3\Accounts\Guiflag | Specifies whether secure communication is permitted for SAP user accounts. |
| TargetSystem\SAPR3\Accounts\InitialRandomPassword | This configuration parameter specifies whether a randomly generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy. |
| TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo | This configuration parameter specifies to which employee the email with the randomly generated password should be sent (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the configuration parameter "TargetSystem\SAP\DefaultAddress". |
| TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo\MailTemplateAccountName | This configuration parameter contains the name of the mail template sent to inform users about their initial login data (name of the user account). Use the mail template "Employee - new account created". |
| TargetSystem\SAPR3\Accounts\InitialRandomPassword\SendTo\MailTemplatePassword | This configuration parameter contains the name of the mail template sent to inform users about their initial login data (initial password). Use the mail template "Employee - initial password for new user account". |
| TargetSystem\SAPR3\Accounts\Langu_p | Specifies default language key for SAP users. |
| TargetSystem\SAPR3\Accounts\Langup_iso | Specifies default language (ISO 639). |
| TargetSystem\SAPR3\Accounts\MailTemplateDefaultValues | This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account. Use the mail template "Employee - new user account with default properties created". |
| TargetSystem\SAPR3\Accounts\Spda | Specifies default setting for printer parameter 3 (delete after print). |
| TargetSystem\SAPR3\Accounts\Spdb | Specifies default setting for printer parameter 3 (print immediately). |
| TargetSystem\SAPR3\Accounts\Splg | Specifies the default printer (print parameter 1). |
| TargetSystem\SAPR3\Accounts\TargetSystemID | Specifies default target system identification for mapping external users. |
| TargetSystem\SAPR3\Accounts\Time_zone | Specifies the default time zone value for the SAP user account’s address. |
| TargetSystem\SAPR3\Accounts\Tzone | Specifies the default value for the time zone. |
| TargetSystem\SAPR3\Accounts\Ustyp | Specifies the default user type for SAP user accounts. |
| TargetSystem\SAPR3\DefaultAddress | Default email address (recipient) for messages about actions in the target system. |
| TargetSystem\SAPR3\KeepRedundantProfiles | This configuration parameter regulates behavior for handling single role and profile assignments to users. If the parameter is set, the user's single roles or profiles, which are already part of the user's collective roles, are retained. If the parameter is not set, the user's single roles or profiles, which are already part of the user's collective roles, are removed (default). |
| TargetSystem\SAPR3\MaxFullsyncDuration | Specifies the maximum runtime for synchronization. |
| TargetSystem\SAPR3\PersonAutoDefault | This configuration parameter specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization. |
| TargetSystem\SAPR3\PersonAutoDisabledAccounts | This configuration parameter specifies whether employees are automatically assigned to disabled user accounts. User accounts do not obtain an account definition. |
| TargetSystem\SAPR3\PersonAutoFullSync | This configuration parameter specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization. |
| TargetSystem\SAPR3\ValidDateHandling | Configuration parameter for handling the validity period in SAP user account assignments to SAP roles. |
| TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate | This configuration parameter specifies whether the validity dates from the request procedure are copied from SAP user account assignments to SAP roles. If the configuration parameter is set, the dates "Valid from" and "Valid to" from the request procedure are not copied from SAP user account assignments to SAP roles. |
| TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate | This configuration parameter specifies whether the validity date's format of inherited SAP user account assignments to SAP roles remains intact. The configuration parameter is only relevant in systems that were migrated from a pre 7.0 version. If the configuration parameter is set, the format of the dates "Valid from" and "Valid to" stays the same if SAP user account assignments to roles are inherited. |
| TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate\UseTodayForInheritedValidFrom | This configuration parameter specifies whether the "Valid from" date in inherited SAP user account assignments to SAP roles is set to <Today> or to "1900-01-01". |
| TargetSystem\SAPR3\VerifyUpdates | This configuration parameter specifies whether modified properties are checked when updating. If this parameter is set, the objects in the target system are verified after every update. |
