
Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3


Speeding Up Synchronization with Revision Filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not been modified since the last synchronization and, therefore, do not need to be processed. Synchronization is accelerated by loading only those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

SAP R/3 supports revision filtering. The SAP objects' date of last change is used as revision counter. Each synchronization saves its last execution date as revision in the One Identity Manager database (table DPRRevisionStore, column Value). When the same workflow is synchronized the next time, this value is used for comparison: the SAP objects' change date is compared with the revision saved in the One Identity Manager database. Only those objects that have been changed since this date are loaded from the target system.

NOTE: SAP roles are given the last date the role was generated in the target system. Only SAP roles that have been regenerated since the last synchronization are updated in the database on synchronization with revision filtering.

The revision is determined at the start of synchronization. Objects changed after this point are included in the next synchronization.
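The following simulation is an added example, not One Identity code: it shows the revision comparison described above, including the effect of taking the revision at the start of the run and of SAP roles using their generation date. The function names, the workflow name and the sample objects are hypothetical, and "changed since" is modelled as a `>=` comparison.

```python
from datetime import datetime

def run_sync(target, store, workflow, started_at):
    """Simulate one synchronization run with revision filtering.

    target: {object name: revision date}; for SAP roles this is the date the
            role was last generated, for other objects the date of last change.
    store:  {workflow: revision}, a stand-in for DPRRevisionStore.Value.
    Returns the sorted names of the objects loaded in this run.
    """
    revision = store.get(workflow)
    if revision is None:
        loaded = sorted(target)  # no revision stored yet: load everything
    else:
        # Assumption: "changed since" is modelled as date >= stored revision.
        loaded = sorted(n for n, d in target.items() if d >= revision)
    # The revision is taken at the START of the run, so changes made while
    # the run is executing fall into the next run's window.
    store[workflow] = started_at
    return loaded

def demo():
    # Constructed sample objects and dates.
    target = {
        "USER_A": datetime(2024, 1, 1, 8, 0),
        "USER_B": datetime(2024, 1, 1, 9, 0),
        "ROLE_X": datetime(2024, 1, 1, 7, 0),
    }
    store = {}
    run1 = run_sync(target, store, "wf_users_roles", datetime(2024, 1, 2, 1, 0))
    # USER_B changes five minutes after run 1 started.
    target["USER_B"] = datetime(2024, 1, 2, 1, 5)
    run2 = run_sync(target, store, "wf_users_roles", datetime(2024, 1, 3, 1, 0))
    # ROLE_X is regenerated, which moves its revision date.
    target["ROLE_X"] = datetime(2024, 1, 3, 2, 0)
    run3 = run_sync(target, store, "wf_users_roles", datetime(2024, 1, 4, 1, 0))
    return run1, run2, run3

if __name__ == "__main__":
    for number, loaded in enumerate(demo(), start=1):
        print(f"run {number}: {loaded}")
```
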

Revision filtering can be applied to workflows and start up configurations.

To permit revision filtering on a workflow

  • Open the synchronization project in the Synchronization Editor.

  • Edit the workflow properties. Select the entry Use revision filter from Revision filtering.

To permit revision filtering for a start up configuration

  • Open the synchronization project in the Synchronization Editor.

  • Edit the start up configuration properties. Select the entry Use revision filter from Revision filtering.
Detailed information about this topic
  • One Identity Manager Target System Synchronization Reference Guide

Synchronizing Collective Roles

Only directly assigned single and collective roles are mapped in the table SAPUserInSAPRole. Assignments of single roles to collective roles are mapped in the SAPCollectionRPG table. You can establish which single roles are indirectly assigned to a user account through both tables.

By default, the following applies to inheritance of single roles by user accounts: If a single role is assigned to a user account and the single role is part of a collective role that is also assigned to the user account, the single role is not additionally inherited by the user account. This removes membership of user accounts in single roles when group memberships are provisioned in SAP R/3. This membership is deleted from the One Identity Manager database by the next synchronization or marked as outstanding, depending on the synchronization's configuration.

To prevent memberships being removed from single roles when single roles are part of collective roles

  • Set the configuration parameter "TargetSystem\SAP\KeepRedundantProfiles" in the Designer.
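The following added example (not One Identity code) resolves indirect single-role assignments from the two tables and lists the direct assignments that the default behavior removes. The rows, user names and role names are constructed, the tables are modelled as sets of pairs rather than with their real columns, and the `keep_redundant` flag is a hypothetical stand-in for the "TargetSystem\SAP\KeepRedundantProfiles" parameter.

```python
# Constructed sample rows; user and role names are hypothetical.
# Direct assignments, as held in SAPUserInSAPRole: (user account, role).
USER_IN_ROLE = {
    ("JDOE", "Z_FI_CLERK"),      # collective role
    ("JDOE", "Z_FI_DISPLAY"),    # single role, also part of Z_FI_CLERK
    ("ASMITH", "Z_FI_DISPLAY"),  # single role only
}
# Single roles in collective roles, as held in SAPCollectionRPG:
# (collective role, single role).
COLLECTION_RPG = {
    ("Z_FI_CLERK", "Z_FI_DISPLAY"),
    ("Z_FI_CLERK", "Z_FI_POST"),
}

def indirect_single_roles(user_in_role, collection_rpg):
    """Map each user to {single role: collective roles that grant it}."""
    singles_of = {}
    for collective, single in collection_rpg:
        singles_of.setdefault(collective, set()).add(single)
    indirect = {}
    for user, role in user_in_role:
        for single in singles_of.get(role, ()):
            indirect.setdefault(user, {}).setdefault(single, set()).add(role)
    return indirect

def redundant_direct(user_in_role, collection_rpg):
    """Direct single-role assignments already covered by a collective role."""
    indirect = indirect_single_roles(user_in_role, collection_rpg)
    return sorted((u, r) for u, r in user_in_role if r in indirect.get(u, {}))

def direct_after_provisioning(user_in_role, collection_rpg, keep_redundant=False):
    """Direct memberships left once redundant single roles are handled."""
    if keep_redundant:  # stand-in for KeepRedundantProfiles being set
        return sorted(user_in_role)
    drop = set(redundant_direct(user_in_role, collection_rpg))
    return sorted(set(user_in_role) - drop)

if __name__ == "__main__":
    print(indirect_single_roles(USER_IN_ROLE, COLLECTION_RPG))
    print(redundant_direct(USER_IN_ROLE, COLLECTION_RPG))
    print(direct_after_provisioning(USER_IN_ROLE, COLLECTION_RPG))
```
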

Restricting Synchronization Objects using User Permissions

One Identity Manager can restrict the user accounts and groups to be synchronized by using user permissions. In this case, only those user accounts and groups are synchronized for which the user account used by the SAP R/3 connector to log in to the target system is authorized. All other groups and user accounts are filtered out of the user lists and the groups list of the function module "/VIAENET/U". If only a small part of the user accounts in the SAP R/3 environment should be synchronized with One Identity Manager, synchronization can be accelerated with this method.

Prerequisites
  • The user account used by the SAP R/3 connector to log in to the target system is assigned exactly those groups in the SAP R/3 authorization object S_USER_GRP, characteristic CLASS, that should be synchronized.
  • There are user accounts to which one of these groups is assigned in the SAP R/3 environment as user group for testing authorization (in the login data).

During synchronization, the groups that the user account used by the SAP R/3 connector to log in to the target system has access to in the authorization object S_USER_GRP are loaded into the One Identity Manager database. All user accounts that are assigned one of these groups as user group for authorization testing are also synchronized. All other groups and user accounts are handled as non-existent objects in the target system during synchronization.

Post-Processing Outstanding Objects

Objects that do not exist in the target system can be marked as outstanding in One Identity Manager during synchronization. This prevents objects from being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Objects marked as outstanding:

  • Cannot be edited in One Identity Manager.
  • Are ignored by subsequent synchronization.
  • Must be post-processed separately in One Identity Manager.

Start target system synchronization to do this.

To post-process outstanding objects

  1. Select the category SAP R/3 | Target system synchronization: SAP R/3.

    All tables assigned to the target system type SAP R/3 as synchronization tables are displayed in the navigation view.

  2. Select the table whose outstanding objects you want to edit in the navigation view.

    This opens the target system synchronization form. All objects are shown here that are marked as outstanding.

    TIP:

    To display object properties of an outstanding object

    1. Select the object on the target system synchronization form.
    2. Open the context menu and click Show object.

  3. Select the objects you want to rework. Multi-select is possible.
  4. Click one of the following icons in the form toolbar to execute the respective method.

    Table 24: Methods for handling outstanding objects

    | Method | Description |
    | --- | --- |
    | Delete | The object is immediately deleted in the One Identity Manager. Deferred deletion is not taken into account. The "outstanding" label is removed from the object. Indirect memberships cannot be deleted. |
    | Publish | The object is added in the target system. The "outstanding" label is removed from the object. The method triggers the event "HandleOutstanding". This runs a target system specific process that triggers the provisioning process for the object. Prerequisites: the table containing the object can be published; the target system connector has write access to the target system. |
    | Reset | The "outstanding" label is removed from the object. |

  5. Confirm the security prompt with Yes.

NOTE: By default, the selected objects are processed in parallel, which speeds up execution of the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.

Bulk processing of objects must be disabled if errors are to be localized, which means the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.

To disable bulk processing

  • Deactivate in the form toolbar.

You must customize synchronization to synchronize custom tables.

To add custom tables to the target system synchronization

  1. Select the category SAP R/3 | Basic configuration data | Target system types.
  2. Select the target system type SAP R/3 in the result list.
  3. Select Assign synchronization tables in the task view.
  4. Assign custom tables whose outstanding objects you want to handle in Add assignments.
  5. Save the changes.
  6. Select Configure tables for publishing.
  7. Select custom tables whose outstanding objects can be published in the target system and set the option Publishable.
  8. Save the changes.

NOTE: The target system connector must have write access to the target system in order to publish outstanding objects that are being post-processed. That means the option Connection is read only must not be set for the target system connection.