Chat now with support
Chat with Support

Identity Manager 8.2.1 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Troubleshooting an SAP R/3 connection Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

General main data of SAP clients

Enter the following general main data on the General tab.

Table 37: General main data of a client

Property

Description

Client no.

Number of the client.

Name

Client's name.

System

System to which the client belongs.

Canonical name

Client's canonical name.

Company

Company for which the client is set up. The company given here is used when a new user account is set up.

City

City where company resides.

Has user administration

Specifies whether the client is used for user administration.

If this option is set, the most significant license of the user account is used for system measurement.

Account definition (initial)

Initial account definition for creating user accounts. This account definition is used if automatic assignment of employees to user accounts is used for this client and if user accounts are to be created that are already managed (Linked configured). The account definition's default manage level is applied.

User accounts are only linked to the employee (Linked) if no account definition is given. This is the case on initial synchronization, for example.

NOTE: If the CUAClosed status Child is assigned, no account definition should be assigned.

Target system managers

Application role, in which target system managers are specified for the client. Target system managers only edit the objects from clients to which they are assigned. A different target system manager can be assigned to each client.

Select the One Identity Manager application role whose members are responsible for administration of this client. Use the button to add a new application role.

Synchronized by

NOTE: You can only specify the synchronization type when adding a new client. No changes can be made after saving.

If you create a client with the Synchronization Editor, One Identity Manager is used.

Type of synchronization through which data is synchronized between the client and One Identity Manager. Once objects are available for this client in One Identity Manager, the type of synchronization can no longer be changed.

If you create a client with the Synchronization Editor, One Identity Manager is used.

Table 38: Permitted values
Value Synchronization by Provisioned by
One Identity Manager SAP R/3 connector SAP R/3 connector
No synchronization none none
NOTE: If you select No synchronization, you can define custom processes to exchange data between One Identity Manager and the target system.

ALE name

Name used to map the client as logical system in the SAP distribution model.

ALE model name

Name of the SAP distribution model that maps the relation between the logical systems of the central user administration. SAP roles and profiles of all child systems with the same ALE model name as the central system, are synchronized when the central system is synchronized.

CUA status

Client usage when the central user administration is in use. Possible values are Central and Child.

The value None indicates that the client is not being used in a central user administration.

CUA central system

Central system to which the client belongs. Assign the relevant system for clients with the CUA status Child.

Description

 Text field for additional explanation.
Related topics

Specifying categories for inheriting SAP groups, SAP roles, and SAP profiles

NOTE: In order to easy understanding the behavior is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.

In One Identity Manager, user accounts can selectively inherit groups. To do this, groups and user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. Each table contains the category positions position 1 to position 63.

NOTE: If central user administration is implemented, define the categories in the central system as well as in the child system. The same categories must be defined in the child system as in the central system so that groups from a child system can be inherited by user accounts.

To define a category

  1. In the Manager, select the client in the SAP R/3 > Clients category.

  2. Select the Change main data task.

  3. Switch to the Mapping rule category tab.

  4. Extend the relevant roots of a table.

  5. To enable the category, double-click .

  6. Enter a category name of your choice for user accounts and groups in the login language that you use.

  7. Save the changes.
Detailed information about this topic

Editing synchronization projects

Synchronization projects in which a client is already used as a base object can also be opened in the Manager. You can, for example, check the configuration or view the synchronization log in this mode. The Synchronization Editor is not started with its full functionality. You cannot run certain functions, such as, running synchronization or simulation, starting the target system browser and others.

NOTE: The Manager is locked for editing throughout. To edit objects in the Manager, close the Synchronization Editor.

To open an existing synchronization project in the Synchronization Editor

  1. Select the SAP R/3 > Tenants category.
  2. Select the client in the result list. Select the Change main data task.
  3. Select the Edit synchronization project... task.
Detailed information about this topic
  • One Identity Manager Target System Synchronization Reference Guide
Related topics

SAP user accounts

You can manage SAP R/3 user accounts with One Identity Manager. One Identity Manager concentrates on setting up and editing SAP user accounts. Groups, roles, and profiles are mapped in SAP, in order to provide the necessary permissions for One Identity Manager user accounts. The necessary data for system measurement is also mapped. The system measurement data is available in One Identity Manager, but the measurement itself takes place in the SAP R/3 environment.

If user accounts are managed through the central user administration (CUAClosed) in SAP R/3, access to the child client can be guaranteed for or withdrawn from user accounts in One Identity Manager.

NOTE: The following user accounts are read into the One Identity Manager database during synchronization, but cannot be edited, created, or deleted in One Identity Manager.

  • sap*

  • sapcpic

  • sapjsf

  • ddic

  • j2ee_admin

  • j2ee_guest

  • sladpiuser

  • slddsuser

  • adsuser

  • ads_agent

  • tmsadm

  • earlywatch

Changes to these user accounts can only be made in SAP R/3 and transferred to the One Identity Manager by subsequent synchronization.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating