Identity Manager 8.2.1 - Administration Guide for Connecting to SAP R/3

Creating a synchronization project for initial synchronization of an SAP client

Use the Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3 environment. The following describes the steps for initial configuration of a synchronization project.

After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the Synchronization Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.

Have the following information available for setting up a synchronization project.

Table 4: Information required for setting up a synchronization project

Data

Explanation

SAP R/3 application server

Name of the application server used for RFC communication.

System number

Number of the SAP system for connecting the SAP R/3 connector.

System ID

System ID of this SAP system.

Client

Number of the client to be synchronized. You need the central system's client number to synchronize central user administration (CUA).

Login name and password

The name and password of the user account used by the SAP R/3 connector to log in to the SAP R/3 system. Make a user account available with sufficient permissions.

If the network connection must be secure, you require the user account's SNC name.

Login language

Login language for logging the SAP R/3 connection into the SAP R/3 system.

Synchronization server

All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

Installed components:

  • SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0
  • One Identity Manager Service (started)
  • Synchronization Editor
  • SAP R/3 connector

The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.

Table 5: Additional properties for the Job server

Property

Value

Server function

SAP R/3 connector

Machine role

Server/Job server/SAP R/3

For more information, see Setting up the synchronization server.

One Identity Manager database connection data

  • Database server

  • Database name

  • SQL Server login and password

  • Specifies whether integrated Windows authentication is used

    Use of the integrated Windows authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

Remote connection server

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, for example, because of the firewall configuration or because the workstation does not fulfill the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

The remote connection server and the workstation must be in the same Active Directory domain.

Remote connection server configuration:

  • One Identity Manager Service is started

  • RemoteConnectPlugin is installed

  • SAP R/3 connector is installed

The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). Use the synchronization server as the remote connection server at the same time by simply installing the RemoteConnectPlugin as well.

For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

Additional information about setting up the synchronization project may be required depending on the configuration of the SAP R/3 system.

Table 6: Information for setting up a synchronization project

Data

Explanation

SAP R/3 router

Name of the router that provides a network port for the SAP R/3 connector for communicating with the application server.

SAP R/3 message server

Name of the message server with which the SAP R/3 connector communicates when logging in.

Login group

Name of the login group used by the SAP R/3 connector for logging in when communication is working over a message server within the SAP R/3 environment.

SNC host name

SNC name of the host for the secure network connection.

SNC Name

SNC name of the user account with which the SAP R/3 connector logs into the SAP R/3 system if a secure network connection is required. The SNC name must be entered using the same syntax as in the user account in SAP R/3.

SNC client API

API containing SNC encryption. Enter the file name and path of the synchronization server.

Only the file name is required if the file is in the default search path of the operating system. If encryption has been applied to the operating system, the file is located in the operating system directory and can be found through the standard search path. If a third-party product was used for encryption, the file can only be found if the installation directory of this product was added to the default search path (PATH variable).

NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:

  • Run in default mode

  • Started from the Launchpad

If you run the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.

NOTE: Just one synchronization project can be created per target system and default project template used.

To set up an initial synchronization project for an SAP client

  1. Start the Launchpad and log in on the One Identity Manager database.

    NOTE: If synchronization is run by an application server, connect the database through the application server.

  2. Select the Target system type SAP R/3 entry and click Start.

    This starts the Synchronization Editor's project wizard.

  3. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Enable the Connect using remote connection server option and select the server to be used for the connection under Job server.

  4. Select a connection type on Connection type.

    Table 7: Connection type

    Property

    Description

    SAP R/3 application server or SAP R/3 router

    Specifies whether the connection is established through an application server or a router.

    SAP R/3 message server

    Specifies whether the connection is established over a messaging server.

    • On the Connection data page, enter the connection data for SAP R/3 application server or SAP R/3 router connection type.

    • On the Message server page, enter the connection data for the SAP R/3 Message Server connection type.

  5. Enter the network settings on Secure network communication.

    Table 10: Network settings

    Property

    Description

    Program ID

    Identifies the connection that the SAP R/3 connector establishes with the SAP R/3 system.

    SNC logon

    Specifies whether the SNC user account name is used when the SAP R/3 connector logs in on the SAP R/3 system.

    NOTE: In this case, when new user accounts are being provisioned, the effective passwords are only set if single sign-on is used to log in.

    • If you have enabled SNC login on Secure connection, the SNC connection data page opens. Enter the data required for logging into the target system using a secure network connection.

  6. Enter data for logging into the target system on Login data.

    This page is shown if you have not set the SNC login option on the Secure connection page or if you have set the SNC login using username/password option on the SNC connection data page.

  7. Supply additional information about synchronizing objects and properties on Additional settings. You can check the connection settings.

    • In Central user administration (CUA), specify whether the connection to a central user administration's central system should be established. In this case, set CUA central system.
    • You can test the captured connection data in Verify connection settings. Click on Verify project.

      The system tries to connect to the server. If CUA central system is set, the given client is tested to see if it is the central system of a CUA.

      NOTE: There is no check to see if the supplied BAPI is installed.
    • Click Finish to end the system connection wizard and return to the project wizard.
  8. Click Next on SAP HCM settings.

    This page is only needed for synchronizing additional personnel planning data in the SAP R/3 Structural Profiles Add-on Module.

  9. Click Next on SAP connector schema.

    TIP: You can enter a file with additional schema types on this page. The connector schema is extended by these custom schema types. You can also enter this data after saving the synchronization project. For more information, see Adding other schema types.
  10. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE:

    • If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again.

    • This page is not shown if a synchronization project already exists.

  11. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  12. On the Select project template page, select a project template to use for setting up the synchronization configuration.

    Table 13: Standard project templates

    Project template

    Description

    SAP R/3 Synchronization (Basic Administration)

    Use this project template for the initial setup of the synchronization project for individual clients or the central system of a CUA.

    SAP R/3 (CUA subsystem)

    Use this project template for the initial setup of the synchronization project for child systems of a CUA that belong to a different SAP system than the central system.

    NOTE: A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself. Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.
  13. On the Restrict target system access page, specify how system access should work. You have the following options:

    Table 14: Specify target system access

    Option

    Meaning

    Read-only access to target system.

    Specifies that a synchronization workflow is only to be set up for the initial loading of the target system into the One Identity Manager database.

    The synchronization workflow has the following characteristics:

    • Synchronization is in the direction of One Identity Manager.

    • Processing methods in the synchronization steps are only defined for synchronization in the direction of One Identity Manager.

    Read/write access to target system. Provisioning available.

    Specifies whether a provisioning workflow is set up in addition to the synchronization workflow for the initial loading of the target system.

    The provisioning workflow displays the following characteristics:

    • Synchronization is in the direction of the Target system.

    • Processing methods are only defined in the synchronization steps for synchronization in the direction of the Target system.

    • Synchronization steps are only created for such schema classes whose schema types have write access.

    This page is only shown if the project template SAP® R/3® synchronization (basic administration) was selected. If the SAP® R/3® (child CUA system) project template was selected, the Read-only access to target system option is automatically enabled.

  14. On the Synchronization server page, select the synchronization server to run the synchronization.

    If the synchronization server is not declared as a Job server in the One Identity Manager database yet, you can add a new Job server.

    1. Click to add a new Job server.

    2. Enter a name for the Job server and the full server name conforming to DNS syntax.

    3. Click OK.

      The synchronization server is declared as Job server for the target system in the One Identity Manager database.

    NOTE: After you save the synchronization project, ensure that this server is set up as a synchronization server.

  15. To close the project wizard, click Finish.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    This sets up, saves and immediately activates the synchronization project.

    NOTE:

    • If enabled, a consistency check is carried out. If errors occur, a message appears. You can decide whether the synchronization project can remain activated or not.

      Check the errors before you use the synchronization project. To do this, in the General view on the Synchronization Editor's start page, click Verify project.

    • If you do not want the synchronization project to be activated immediately, disable the Activate and save the new synchronization project automatically option. In this case, save the synchronization project manually before closing the Synchronization Editor.

    • Disable this option, if you want to add your own schema types in this synchronization project.

    • The connection data for the target system is saved in a variable set and can be modified in the Synchronization Editor in the Configuration > Variables category.

To configure the content of the synchronization log

  1. In the Synchronization Editor, open the synchronization project.

  2. To configure the synchronization log for target system connection, select the Configuration > Target system category.

  3. To configure the synchronization log for the database connection, select the Configuration > One Identity Manager connection category.

  4. Select the General view and click Configure.

  5. Select the Synchronization log view and set Create synchronization log.

  6. Enable the data to be logged.

    NOTE: Some content generates a particularly large volume of log data. The synchronization log should only contain data required for error analysis and other analyses.

  7. Click OK.

To synchronize on a regular basis

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Start up configurations category.

  3. Select a start up configuration in the document view and click Edit schedule.

  4. Edit the schedule properties.

  5. To enable the schedule, click Activate.

  6. Click OK.

To start initial synchronization manually

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Start up configurations category.

  3. Select a start up configuration in the document view and click Run.

  4. Confirm the security prompt with Yes.

NOTE:

In the default installation, after synchronizing, employees are automatically created for the user accounts. If an account definition for the client is not known at the time of synchronization, user accounts are linked with employees. However, account definitions are not assigned. The user accounts are therefore in a Linked state.

To manage the user accounts using account definitions, assign an account definition and a manage level to these user accounts.

To manage user accounts through account definitions

  1. Create an account definition.

  2. Assign an account definition to the client.

  3. Assign a user account in the Linked state to the account definition. The account definition's default manage level is applied to the user account.

    1. In the Manager, select the SAP R/3 > User accounts > Linked but not configured > <Client> category.

    2. Select the Assign account definition to linked accounts task.

    3. In the Account definition menu, select the account definition.

    4. Select the user accounts that contain the account definition.

    5. Save the changes.

Detailed information about this topic
  • One Identity Manager Target System Synchronization Reference Guide

Special features of synchronizing with a CUA central system

NOTE:

  • Only child system roles and profiles that match the login language of the administrative user account for synchronization are mapped in One Identity Manager.
  • Maintain all child system roles and profiles in the target system in the language set as login language in the synchronization project for the central system in the system connection.

If a central user administration is connected to One Identity Manager, regular synchronization is only required with the central system. The synchronization configuration is created for the client labeled as central system. The CUA Application Link Enabling (ALE) distribution model is loaded during synchronization and tries to assign all clients that are configured as child systems to the central system in One Identity Manager. All clients in the same SAP system as the central system are automatically added in One Identity Manager in the process and assigned to the central system (in CUA central system). All clients in another SAP system must already exist in One Identity Manager at this point in time.

If a text comparison of roles and profiles between child and central systems was run in the target system, the child system roles and profiles are taken into account by synchronization. These roles and profiles are assigned to the originating client in One Identity Manager.

When a comparison of role and profile text is carried out between the child and the central system in the target system, roles and profiles are saved in USRSYSACTT with respect to language. Only roles and profiles matching the login language of the administrative account for synchronization are read from USRSYSACTT during synchronization with One Identity Manager. If single roles and profiles are not maintained in this language, they are not transferred to One Identity Manager. To map all roles and profiles from child systems in One Identity Manager, they must all be maintained in the language specified as login language in the central system.
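The login-language filter described above can be checked before the central system is synchronized. The following is an added example, not part of the One Identity documentation: it takes rows exported from USRSYSACTT and lists the child system roles and profiles that have no text in the login language and would therefore not be transferred. The row layout, column names, and all sample values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows standing in for an export of USRSYSACTT.
# The column names and every value are assumptions made for this example.
SAMPLE_ROWS = [
    {"subsystem": "CHILD100", "name": "Z_FI_CLERK", "language": "EN", "text": "Finance clerk"},
    {"subsystem": "CHILD100", "name": "Z_FI_CLERK", "language": "DE", "text": "Finanzsachbearbeiter"},
    {"subsystem": "CHILD100", "name": "Z_HR_ADMIN", "language": "DE", "text": "HR-Administrator"},
    {"subsystem": "CHILD200", "name": "Z_MM_BUYER", "language": "en", "text": "Purchasing"},
    {"subsystem": "CHILD200", "name": "Z_SD_SALES", "language": "FR", "text": "Ventes"},
]


def languages_per_entry(rows):
    """Collect the set of maintained languages per (child system, role/profile)."""
    maintained = defaultdict(set)
    for row in rows:
        key = (row["subsystem"].strip(), row["name"].strip())
        # Normalize case so "en" and "EN" count as the same language.
        maintained[key].add(row["language"].strip().upper())
    return maintained


def language_coverage(rows, login_language):
    """Return (transferred, skipped) for the given login language.

    transferred: sorted list of entries that have a text in the login language.
    skipped: dict of entries without one, mapped to the languages they do have.
    """
    wanted = login_language.strip().upper()
    maintained = languages_per_entry(rows)
    transferred = sorted(k for k, langs in maintained.items() if wanted in langs)
    skipped = {k: sorted(langs) for k, langs in maintained.items() if wanted not in langs}
    return transferred, skipped


def coverage_by_language(rows):
    """Count how many entries each language covers, to compare login languages."""
    counts = defaultdict(int)
    for langs in languages_per_entry(rows).values():
        for lang in langs:
            counts[lang] += 1
    return dict(counts)


if __name__ == "__main__":
    transferred, skipped = language_coverage(SAMPLE_ROWS, "EN")
    print(f"Transferred with login language EN: {len(transferred)}")
    for (subsystem, name), langs in sorted(skipped.items()):
        print(f"Not transferred: {subsystem}/{name} (maintained only in {', '.join(langs)})")
    print("Entries covered per language:", coverage_by_language(SAMPLE_ROWS))
```

Entries reported as not transferred are the ones whose entitlements would be invisible in One Identity Manager until their texts are maintained in the login language.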

To set up an initial synchronization project for central user administration

  1. Create synchronization projects for the child systems that are not in the same SAP system as the central system.

    Follow the steps described in Creating a synchronization project for initial synchronization of an SAP client. The following special features apply:

    1. In Select project template in the project wizard, select the "SAP R/3 (CUA subsystem)" project template.
    2. The Restrict target system access page is not displayed. The target system is only loaded.
    3. Start synchronization manually to load the required data.

      All clients from the selected system and their license data are loaded.

      NOTE: Do not synchronize using schedules. Re-synchronizing is only necessary if the active price lists for charging licenses were changed in the target system.

  2. Repeat step 1 for all child systems in other SAP subsystems.
  3. Create a synchronization project for the central system.

    Follow the steps described in Creating a synchronization project for initial synchronization of an SAP client. The following special features apply:

    1. On the Additional settings page, enable the Central User Administration (CUA) instance option.
    2. On the Select project template page, select the "SAP R/3 synchronization (base administration)" project template.
    3. Configure the scheduled synchronization.
  4. Start central system synchronization, after all child systems have been loaded in the SAP database from One Identity Manager subsystems.

Excluding a child system from synchronization

Certain administrative tasks in SAP R/3 require that the child system is temporarily excluded from the central user administration. If these child systems are synchronized during this period, the SAP roles and SAP profiles of the temporarily excluded child system are marked as outstanding or deleted in the One Identity Manager database. To prevent this, remove the child system from the synchronization scope.

SAP roles and profiles are removed from the synchronization scope by deleting the ALE model name in the client. The client properties are synchronized anyway. To ensure that the ALE model name is not reintroduced, disable the rule for mapping this schema property.

To exclude a child system from synchronization

  1. Select the SAP R/3 > Clients category.
  2. Select the child system in the result list. Select the Change main data task.
  3. Delete the entry in the ALE model name field.
  4. Save the changes.
  5. In the Synchronization Editor, open the synchronization project.

  6. Select the Workflows category.
  7. Select the workflow to use for synchronizing the central system in the navigation view.
  8. Double-click on the synchronization step "client" in the workflow view.
  9. Select Rule filter.
  10. Select "ALEModelName_ALEModelName" in the Excluded rules pane.
  11. Click OK.
  12. Save the changes.

NOTE: Unsuccessful database operations for assigning SAP roles and profiles to user accounts that originate from the temporarily excluded child system are logged depending on the setting in the synchronization log. You can ignore these messages. Once the child system is available again, the memberships are handled properly.

You must reactivate synchronization of the child system's SAP roles and profiles the moment it becomes part of the central user administration again.

To re-include a child system in synchronization

  1. Select the SAP R/3 > Clients category.
  2. Select the child system in the result list. Select the Change main data task.
  3. Enter the ALE model name of the central system's CUA in the ALE model name field.

    The child system is only synchronized if the same ALE model name is entered in the central system and the child system.

  4. Save the changes.
  5. In the Synchronization Editor, open the synchronization project.

  6. Select the Workflows category.
  7. In the navigation view, select the workflow to use for synchronizing the central system (default is "Initial Synchronization").
  8. Double-click on the synchronization step "client" in the workflow view.
  9. Select Rule filter.
  10. Deselect "ALEModelName_ALEModelName" in the Excluded rules pane.
  11. Click OK.
  12. Save the changes.

For more information about editing synchronization steps, see One Identity Manager Target System Synchronization Reference Guide.

Displaying synchronization results

Synchronization results are summarized in the synchronization log. You can specify the extent of the synchronization log for each system connection individually. One Identity Manager provides several reports in which the synchronization results are organized under different criteria.

To display a synchronization log

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Logs category.

  3. Click in the navigation view toolbar.

    Logs for all completed synchronization runs are displayed in the navigation view.

  4. Select a log by double-clicking it.

    An analysis of the synchronization is shown as a report. You can save the report.

To display a provisioning log

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Logs category.

  3. Click in the navigation view toolbar.

    Logs for all completed provisioning processes are displayed in the navigation view.

  4. Select a log by double-clicking it.

    An analysis of the provisioning is shown as a report. You can save the report.

The log is marked in color in the navigation view. This mark shows you the status of the synchronization/provisioning.

TIP: The logs are also displayed in the Manager under the <target system> > synchronization log category.

Synchronization logs are stored for a fixed length of time.

To modify the retention period for synchronization logs

  • In the Designer, enable the DPR | Journal | LifeTime configuration parameter and enter the maximum retention period.
