
Identity Manager 8.1.4 - Administration Guide for Connecting to SAP R/3


Entering external user identifiers for an SAP user account

SAP R/3 supports external authentication methods for logging in to a system. With One Identity Manager, you can maintain the login data that external system users, for example Active Directory users, use to log in to an SAP R/3 environment.

You can use One Identity Manager to enter external user IDs and to delete them. For existing user IDs, you can only change the Account is enabled option; any other change requires deleting the ID and entering it again.

To enter external IDs

  1. Select the SAP R/3 | External IDs category.
  2. Select the external identifier in the result list. Select the Change master data task.

    - OR -

    Click in the result list.

  3. Enter the required data on the master data form.
  4. Save the changes.

Enter the following data for an external identifier.

Table 58: External ID properties

Property: Description

External user ID: User login name with which the user logs in to external systems. The required syntax depends on the selected authentication type. The complete user identifier is compiled by a template.

NOTE: The BAPI that One Identity Manager uses applies the default settings of RSUSREXT when generating the user identifier: the user name is reset, and the value provided in the interface is passed as a prefix. If your SAP R/3 environment uses settings other than these defaults, modify the template for the SAPUserExtId.EXTID column accordingly.

External identifier type: Authentication type for the external user. It determines the syntax of the external identifier. The default type is specified in the "TargetSystem | SAPR3 | Accounts | ExtID_Type" configuration parameter.

Table 59: External identifier types

Type: Description

Distinguished Name for X.509: Login uses the distinguished name from an X.509 certificate.
Windows NTLM or password verification: Login uses Windows NT LAN Manager or password verification against the Windows domain controller.
LDAP bind <user-defined>: Login uses LDAP bind (for other authentication mechanisms).
SAML token: Authentication uses a SAML token profile.

Target system type: Used together with the external ID type to test the login data. The default type is specified in the "TargetSystem | SAPR3 | Accounts | TargetSystemID" configuration parameter. Permitted values are ADSACCOUNT and NTACCOUNT.
Account is enabled: Specifies whether the user or an external authentication system can log in to the system.
User account: The user account to which the external user ID is assigned.
Sequential number: Sequential number, used if a user account has more than one external identifier.
Valid from: Date from which the external user ID is valid.
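The following is an added example, not code from the guide or from One Identity Manager, that models the rules stated above for external user IDs: an ID is created or deleted as a whole, only the Account is enabled flag may change afterwards, the identifier type selects the syntax that is checked, the sequential number distinguishes several IDs of one account, and the target system type is ADSACCOUNT or NTACCOUNT. The short type codes, the in-memory store standing in for the SAPUserExtId table, and the sample values are assumptions constructed for the example; the only syntax check implemented is an RDN-by-RDN check of X.509 distinguished names, since the guide does not spell out the syntax of the other types.

```python
"""Rules for SAP R/3 external user IDs as the admin guide states them
(in-memory model for illustration, not One Identity Manager code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Types from Table 59. The short codes are an assumption for this example;
# the real column stores SAP's own type code.
EXT_ID_TYPES = {
    "DN": "Distinguished Name for X.509",
    "NT": "Windows NTLM or password verification",
    "LD": "LDAP bind <user-defined>",
    "SAML": "SAML token",
}
TARGET_SYSTEM_TYPES = {"ADSACCOUNT", "NTACCOUNT"}

# One RDN: attribute type, "=", a non-empty value in which "," is backslash-escaped.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=(?:[^,\\]|\\.)+$")


def split_dn(dn: str) -> List[str]:
    """Split an X.509 distinguished name into RDNs, honouring backslash escapes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append("".join(buf).strip())
    return rdns


def validate_ext_id(ext_type: str, ext_id: str, target_system: Optional[str] = None) -> bool:
    """Check the fields of a new external ID; raise ValueError on the first problem."""
    if ext_type not in EXT_ID_TYPES:
        raise ValueError(f"unknown external identifier type {ext_type!r}")
    if not ext_id.strip():
        raise ValueError("external user ID must not be empty")
    if ext_type == "DN":  # only the X.509 syntax is checked here
        bad = [r for r in split_dn(ext_id) if not _RDN.match(r)]
        if bad:
            raise ValueError(f"not a valid X.509 DN, bad RDN(s): {bad}")
    if target_system is not None and target_system not in TARGET_SYSTEM_TYPES:
        raise ValueError(f"target system type must be one of {sorted(TARGET_SYSTEM_TYPES)}")
    return True


@dataclass
class ExternalId:
    user_account: str                 # SAP user account the ID belongs to
    ext_type: str
    ext_id: str
    seq_no: int = 1                   # sequential number when an account has several IDs
    enabled: bool = True              # "Account is enabled"
    target_system: Optional[str] = None
    valid_from: Optional[str] = None


class ExternalIdStore:
    """Stand-in for the SAPUserExtId table, keyed by (user account, sequential number)."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, int], ExternalId] = {}

    def add(self, rec: ExternalId) -> ExternalId:
        validate_ext_id(rec.ext_type, rec.ext_id, rec.target_system)
        key = (rec.user_account, rec.seq_no)
        if key in self._rows:
            raise ValueError(f"sequential number {rec.seq_no} already used for {rec.user_account}")
        self._rows[key] = rec
        return rec

    def delete(self, user_account: str, seq_no: int) -> None:
        del self._rows[(user_account, seq_no)]

    def update(self, user_account: str, seq_no: int, **changes) -> ExternalId:
        """Existing IDs are immutable except for the 'Account is enabled' flag."""
        illegal = set(changes) - {"enabled"}
        if illegal:
            raise PermissionError(f"cannot change {sorted(illegal)} on an existing external ID; delete and re-create it")
        rec = self._rows[(user_account, seq_no)]
        rec.enabled = bool(changes.get("enabled", rec.enabled))
        return rec

    def ids_for(self, user_account: str) -> List[ExternalId]:
        return sorted((r for (acct, _), r in self._rows.items() if acct == user_account),
                      key=lambda r: r.seq_no)


if __name__ == "__main__":
    # Constructed sample values; "EXAMPLE\\jdoe" is not the syntax SAP prescribes, just a placeholder.
    store = ExternalIdStore()
    store.add(ExternalId("JDOE", "DN", "CN=Jane Doe,OU=Users,O=Example", seq_no=1))
    store.add(ExternalId("JDOE", "NT", "EXAMPLE\\jdoe", seq_no=2, target_system="NTACCOUNT"))
    store.update("JDOE", 2, enabled=False)
    for r in store.ids_for("JDOE"):
        print(r.seq_no, r.ext_type, r.ext_id, "enabled" if r.enabled else "disabled")
```

The update path is the point to watch in practice: an external ID that is changed in place rather than deleted and re-created would bypass the template that compiles the identifier, so the model refuses every field except the enabled flag.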

SAP groups, SAP roles, and SAP profiles

Groups, roles, and profiles are mapped in One Identity Manager in order to provide the necessary permissions for user accounts. Groups, roles, and profiles can be assigned to user accounts, requested, or inherited through hierarchical roles in One Identity Manager. Groups, roles, and profiles cannot be added or deleted in One Identity Manager.

Groups

You can distribute the maintenance of user accounts across different administrators by assigning user accounts to groups.

Roles

A role includes all transactions and user menus that an SAP user requires to fulfill their tasks. Roles are divided into single and composite roles. Single roles can be grouped together into composite roles. User account membership in roles can be limited to a period of time.

Profiles

Access permissions to the system are regulated through profiles. Profiles are assigned through single roles or directly to user accounts. Profiles can be grouped into composite profiles.

Editing master data for SAP groups, SAP roles, and SAP profiles

You can edit the following data about groups, roles, and profiles in One Identity Manager:

  • Assigned SAP user accounts
  • Usage in the IT Shop
  • Risk assessment
  • Inheritance through roles and inheritance restrictions
  • License information for system measurement

To edit group master data

  1. Select the SAP R/3 | Groups category.
  2. Select the group in the result list. Select the Change master data task.
  3. Enter the required data on the master data form.
  4. Save the changes.

To edit profile master data

  1. Select the SAP R/3 | Profiles category.
  2. Select a profile in the result list. Select the Change master data task.
  3. Enter the required data on the master data form.
  4. Save the changes.

To edit role master data

  1. Select the SAP R/3 | Roles category.
  2. Select the role in the result list. Select the Change master data task.
  3. Enter the required data on the master data form.
  4. Save the changes.

General master data for SAP groups

Table 60: Configuration parameters for risk assessment of SAP user accounts

Configuration parameter: Effect when set

QER | CalculateRiskIndex: Preprocessor-relevant configuration parameter controlling the system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is enabled, values for the risk index can be entered and calculated.

Edit the following master data for a group.

Table 61: SAP group master data

Property: Description

Display name: Name of the group as displayed in One Identity Manager tools. By default, the display name is taken from the group identifier.
Name: Name of the group in the target system.
Client: Client in which the group is added.
Service item: Service item data for requesting the group through the IT Shop.
Risk index: Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.
Category: Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the menu.
Description: Text field for additional explanation.
IT Shop: Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested by employees through the Web Portal and distributed with a defined approval process. The group can still be assigned directly to hierarchical roles.
Only for use in IT Shop: Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested by employees through the Web Portal and distributed with a defined approval process. Direct assignment of the group to hierarchical roles or user accounts is not permitted.
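The following is an added example, not code from the guide or from One Identity Manager, that encodes the assignment rules from Table 61 so they can be checked before an assignment is made: the risk index must lie in 0..1, "IT Shop" makes a group requestable, "Only for use in IT Shop" forbids direct assignment to roles or user accounts, and categories make inheritance selective. The category matching rule implemented here (a group without categories is inherited by every user account, otherwise group and account must share at least one category) and the assumption that categories apply to inheritance through hierarchical roles rather than to direct assignment are my reading of the description, not rules the guide states; the group names and categories are constructed sample data.

```python
"""Assignment rules for SAP groups as described in the admin guide
(model for illustration, not One Identity Manager code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

ASSIGNMENT_PATHS = ("direct", "hierarchical_role", "it_shop")


@dataclass(frozen=True)
class SapGroup:
    name: str
    risk_index: float = 0.0                      # 0..1, only meaningful with QER | CalculateRiskIndex
    it_shop: bool = False                        # "IT Shop": requestable through the Web Portal
    only_it_shop: bool = False                   # "Only for use in IT Shop": no direct assignment
    categories: FrozenSet[str] = frozenset()     # categories for selective inheritance

    def __post_init__(self) -> None:
        if not 0.0 <= self.risk_index <= 1.0:
            raise ValueError(f"risk index of {self.name} must be between 0 and 1")


def assignment_allowed(group: SapGroup, path: str) -> bool:
    """May the group be assigned by this path? 'Only for use in IT Shop' implies requestability."""
    if path not in ASSIGNMENT_PATHS:
        raise ValueError(f"unknown assignment path {path!r}")
    if path == "it_shop":
        return group.it_shop or group.only_it_shop
    return not group.only_it_shop


def inherits(group: SapGroup, account_categories: FrozenSet[str]) -> bool:
    """Assumed category rule: no categories on the group means everyone inherits it;
    otherwise the user account must share at least one category with the group."""
    if not group.categories:
        return True
    return bool(group.categories & account_categories)


def inherited_groups(groups: Iterable[SapGroup], account_categories: FrozenSet[str]) -> List[str]:
    """Groups a user account would receive through hierarchical roles, honouring both
    the category rule and the 'Only for use in IT Shop' restriction."""
    return sorted(g.name for g in groups
                  if inherits(g, account_categories) and assignment_allowed(g, "hierarchical_role"))


def max_risk(groups: Iterable[SapGroup], names: Iterable[str]) -> float:
    """Highest risk index among the named groups, a simple figure for a reviewer to look at."""
    wanted = set(names)
    return max((g.risk_index for g in groups if g.name in wanted), default=0.0)


if __name__ == "__main__":
    # Constructed sample data.
    groups = [
        SapGroup("ADMIN", risk_index=0.9, categories=frozenset({"admins"})),
        SapGroup("BASE", risk_index=0.1),
        SapGroup("REPORTING", risk_index=0.3, it_shop=True, only_it_shop=True),
    ]
    for cats in (frozenset({"users"}), frozenset({"admins"})):
        names = inherited_groups(groups, cats)
        print(sorted(cats), "->", names, "max risk", max_risk(groups, names))
```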
