Chat now with support
Chat with Support

Identity Manager 8.1.5 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP systems Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Overview of all assignments

The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Examples
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
  • If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
  • Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.

  • Double-click a control to show all child roles belonging to the selected role.
  • By clicking the button in a role's control, you display all employees in the role with the base object.
  • Use the small arrow next to to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.

Figure 7: Toolbar of the Overview of all assignments report.

Table 78: Meaning of icons in the report toolbar

Icon

Meaning

Show the legend with the meaning of the report control elements

Saves the current report view as a graphic.

Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Configuration parameters for managing an SAP R/3 environment

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 79: Configuration parameter

Configuration parameter

 Description

TargetSystem | SAPR3

 SAP is supported. The parameter is a precompiler dependent configuration parameter. Changes to the parameter require recompiling the database.

TargetSystem | SAPR3 | Accounts

Default values should be used for SAP user accounts.

TargetSystem | SAPR3 | Accounts | CalculateLicence

Parameter for controlling the calculation of SAP system measurement for SAP user accounts.

TargetSystem | SAPR3 | Accounts | Datfm

 Specifies the default date format for SAP user accounts.

TargetSystem | SAPR3 | Accounts | Dcpfm

 Specifies the default decimal point format for SAP user accounts.

TargetSystem | SAPR3 | Accounts | ExtID_Type

 Specifies the default type for external identification of SAP user accounts.

TargetSystem | SAPR3 | Accounts | Fax_Group

 Specifies the default fax group for SAP user accounts.

TargetSystem | SAPR3 | Accounts | Guiflag

 Specifies whether secure communication is permitted for SAP user accounts.

TargetSystem | SAPR3 | Accounts | InitialRandomPassword

This configuration parameter specifies whether a random generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | SAPR3 | Accounts | InitialRandomPassword |
SendTo

 This configuration parameter specifies to which employee the email with the random generated password should be sent (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the "TargetSystem | SAPR3 | DefaultAddress" configuration parameter.

TargetSystem | SAPR3 | Accounts | InitialRandomPassword |
SendTo | MailTemplateAccountName

This configuration parameter contains the name of the mail template sent to provide users with the login data for their user accounts. The Employee - new user account created mail template is used.

TargetSystem | SAPR3 | Accounts | InitialRandomPassword |
SendTo | MailTemplatePassword

This configuration parameter contains the name of the mail template sent to provide users with information about their initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | SAPR3 | Accounts | Langu_p

 Specifies default language key for SAP users.

TargetSystem | SAPR3 | Accounts | Langup_iso

 Specifies default language (ISO 639).

TargetSystem | SAPR3 | Accounts | MailTemplateDefaultValues

This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | SAPR3 | Accounts | Spda

 Specifies default setting for printer parameter 3 (delete after print).

TargetSystem | SAPR3 | Accounts | Spdb

 Specifies default setting for printer parameter 3 (print immediately).

TargetSystem | SAPR3 | Accounts | Splg

 Specifies the default printer (print parameter 1).

TargetSystem | SAPR3 | Accounts | TargetSystemID

 Specifies default target system identification for mapping external users.

TargetSystem | SAPR3 | Accounts | Time_zone

 Specifies the default time zone value for the SAP user account’s address.

TargetSystem | SAPR3 | Accounts | Tzone

 Specifies the default value for the time zone.

TargetSystem | SAPR3 | Accounts | Ustyp

 Specifies the default user type for SAP user accounts.

TargetSystem | SAPR3 | AutoCreateDepartment

This configuration parameter specifies whether departments are automatically created when user accounts are modified or synchronized.

TargetSystem | SAPR3 | AutoFillSAPUserMandant

Specifies whether SAP roles and SAP profiles can be inherited by the user accounts in a Central User Administration if the user accounts do not have access authorization for the clients to which these roles and profiles belong.

If the configuration parameter is set, access authorization is granted during the inheritance calculation (entry in the SAPUserMandant table) and the roles and profiles are assigned to the user accounts. If the configuration parameter is not set, these roles and profiles are not inherited (default).

TargetSystem | SAPR3 | DefaultAddress

 Default email address (recipient) for messages about actions in the target system.

TargetSystem | SAPR3 | KeepRedundantProfiles

This configuration parameter regulates behavior for handling single role and profile assignments to users.

If the parameter is set, the user's single roles or profiles, which are already part of the user's composite roles, are retained.

If the parameter is not set, the user's single roles or profiles, which are already part of the user's composite roles, are removed (default).

TargetSystem | SAPR3 | MaxFullsyncDuration

 Specifies the maximum runtime for synchronization.

TargetSystem | SAPR3 | PersonAutoDefault

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | SAPR3 | PersonAutoDisabledAccounts

This configuration parameter specifies whether employees are automatically assigned to disabled user accounts. User accounts do not obtain an account definition.

TargetSystem | SAPR3 | PersonAutoFullsync

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.

TargetSystem | SAPR3 | ValidDateHandling

 This configuration parameter is for handling validity periods in SAP role and structural profile assignments to SAP user accounts.

TargetSystem | SAPR3 | ValidDateHandling |
DoNotUsePWODate

 This configuration parameter specifies whether the validity period is taken from the request and copied to the SAP role and structural profile assignments to SAP user accounts. If the configuration parameter is set, the Valid from and Valid until dates are not copies from the request to the assignments.

TargetSystem | SAPR3 | ValidDateHandling |
ReuseInheritedDate

Controls reuse of existing SAP role and structural profile assignments to SAP user accounts.

If this configuration parameter is set, existing assignments are reused if the same assignment is created by different means of inheritance and the validity period matches.

TargetSystem | SAPR3 | ValidDateHandling |
ReuseInheritedDate | UseTodayForInheritedValidFrom

This configuration parameter specifies whether the Valid from data of indirect SAP role and structural profile assignments to SAP user accounts is set to <today> or to 1900-01-01.

TargetSystem | SAPR3 | VerifyUpdates

This configuration parameter specifies whether modified properties are checked by updating. If this parameter is set, the objects in the target system are verified after every update.

Default project templates for synchronizing an SAP R/3 environment

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

Detailed information about this topic

Project template for client without CUA

Use "SAP® R/3® synchronization (base administration)" to synchronize clients that are not connected to a central user administration. The template uses mappings for the following schema types.

Table 80: Mapping SAP R/3 schema types to tables in the One Identity Manager schema.
Schema type in the target system Table in the One Identity Manager Schema
Company SAPCompany
GROUP SAPGrp
LICENSETYPE SAPLicence
LicenceExtension SAPLicenceExtension
LoginLanguage SAPLoginLanguages
CLIENT SAPMandant
Parameters SAPParameter
Printer SAPPrinter
PROFILE SAPProfile
ProfileInProfile SAPProfileInSAPProfile
ProfileInRole SAPProfileInSAPRole
PROFITCENTER SAPProfitCenter
ROLE SAPRole
RoleInRole SAPRoleInSAPRole
STARTMENUE SAPStartMenu
SAPTSAD3T SAPTitle
USER SAPUser
UserComFax SAPComFax
UserComPhone SAPComPhone
UserComSMTP SAPComSMTP
SAPCOMMTYPE SAPCommType
UserExtId SAPUserExtId
UserHasParameter SAPUserHasParameter
UserInGroup SAPUserInSAPGrp
UserInProfile SAPUserInSAPProfile
UserInRole SAPUserInSAPRole
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating