Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 8.2.1 - Administration Guide for Connecting to SAP R/3

Table of Contents

Managing SAP R/3 environments

Architecture overview One Identity Manager users for managing SAP R/3

Setting up SAP R/3 synchronization

Users and authorizations for synchronizing with SAP R/3 Installing the One Identity Manager Business Application Programing Interface

Uninstalling BAPI transports

Setting up the synchronization server Creating a synchronization project for initial synchronization of an SAP client Special features of synchronizing with a CUA central system

Excluding a child system from synchronization

Displaying synchronization results Customizing the synchronization configuration

How to configure SAP R/3 synchronization Configuring synchronization of different clients Changing system connection settings of SAP clients

Editing connection parameters in the variable set Editing target system connection properties

Updating schemas Adding other schema types Creating a schema extension file

Defining tables Defining functions Defining schema types

Speeding up synchronization with revision filtering Restricting synchronization objects using user permissions Post-processing outstanding objects Configuring the provisioning of memberships Configuring single object synchronization Accelerating provisioning and single object synchronization Help for analyzing synchronization issues Disabling synchronization Synchronizing single objects Ignoring data error in synchronization

Basic data for managing an SAP R/3 environment

Setting up account definitions

Creating an account definition

Main data for an account definition

Creating manage levels

Main data for manage levels

Creating a formatting rule for IT operating data Collecting IT operating data Modify IT operating data Assigning account definitions to employees

Assigning account definitions to departments, cost centers, and locations Assigning account definitions to business roles Assigning account definitions to all employees Assigning account definitions directly to employees Assigning account definitions to system roles Adding account definitions to the IT Shop

Assigning account definitions to a target system Deleting an account definition

Editing a server

Main data for a Job server Specifying server functions

Target system managers

Basic data for user account administration

User account types External identifier types SAP parameters

Displaying main data of SAP parameters General main data of SAP parameters Assigning SAP parameters to departments, cost centers, and locations Assigning SAP parameters to business roles Editing parameter values for indirect SAP parameter assignment Inheritance of parameter values by SAP user accounts

Printers Cost centers Start menus Companies Login languages Security policies Communication types Licenses Special versions Password policies for SAP user accounts

Predefined password policies Using password policies Editing password policies

General main data of password policies Policy settings Character classes for passwords

Custom scripts for password requirements

Checking passwords with a script Generating passwords with a script

Password exclusion list Checking a password Testing password generation

Initial password for new SAP user accounts Email notifications about login data

SAP systems SAP clients

General main data of SAP clients Specifying categories for inheriting SAP groups, SAP roles, and SAP profiles Editing synchronization projects

SAP user accounts

Linking user accounts to employees Supported user account types Central user administration in One Identity Manager Entering main data of SAP user accounts

General main data of an SAP user account Workplace data for SAP user accounts SAP user account login data Phone numbers Fax numbers Email addresses Fixed values for an SAP user account Measurement data SNC data for an SAP user account

Directly assigning SAP parameters Additional tasks for managing SAP user accounts

Overview of SAP user accounts Changing the manage level of SAP user accounts Assigning SAP groups and SAP profiles directly to an SAP user account Assigning SAP roles directly to an SAP user account Assigning structural profiles Granting access to clients of a central user administration Assigning SAP licenses Locking and unlocking SAP user accounts Assigning extended properties Renaming SAP user accounts

Assigning employees automatically to SAP user accounts

Editing search criteria for automatic employee assignment

Automatically creating departments based on SAP user account information Locking SAP user accounts Deleting and restoring SAP user accounts Entering external user identifiers for an SAP user account

SAP groups, SAP roles, and SAP profiles

Editing main data of SAP groups, SAP roles, and SAP profiles

General main data of SAP groups General main data of SAP roles General main data of SAP profiles

Assigning SAP groups, SAP roles, and SAP profiles to SAP user accounts

Assigning SAP groups, SAP roles, and SAP profiles to organizations Assigning SAP groups, SAP roles, and SAP profiles to business roles Assigning SAP user accounts directly to SAP groups and SAP profiles Assigning SAP user accounts directly to SAP roles Adding SAP groups, SAP roles, and SAP profiles to system roles Adding SAP groups, SAP roles, and SAP profiles to the IT Shop Assignment and inheritance of SAP profiles and SAP roles to SAP user accounts Configuring single role assignment Inheriting SAP profiles and SAP roles in a central user administration

Additional tasks for managing SAP groups, SAP roles, and SAP profiles

Overview of SAP groups, SAP roles, and SAP profiles Effectiveness of SAP groups, SAP roles, and SAP profiles SAP group, SAP role, and SAP profile inheritance based on categories Assigning extended properties to SAP groups, SAP roles, and SAP profiles Showing SAP authorizations

Validity period of role assignments

Assigning the validity period of direct role assignments Configuring the validity period of indirect role assignments Determining the validity period of indirect role assignments

General main data of SAP products Assigning SAP products to employees

Assigning SAP products to organizations Assigning SAP products to business roles Assigning SAP products directly to employees Adding SAP products to system roles Adding SAP products to the IT Shop

Additional tasks for managing SAP products

Overview of SAP products Assigning SAP groups, SAP roles, and SAP profiles to an SAP product Assigning account definitions to SAP products Assigning subscribable reports to SAP products Assigning extended properties to SAP products Editing conflicting system roles

Providing system measurement data

Mapping the measurement data Entering licenses for SAP user accounts Finding licenses using SAP roles and SAP profiles

Determining an SAP user account rating Transferring calculated licenses Disabling license calculation

Reports about SAP objects

Overview of all assignments

Removing a Central User Administration

Release child systems Converting the central system Checking for successful conversion

Troubleshooting an SAP R/3 connection

Table accesses not performed correctly

Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment

Project template for client without CUA Project template for the CUA central system Project template for CUA subsystems

Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Configuring single role assignment

Only directly assigned single and composite roles are mapped in SAPUserInSAPRole. Assignments of single roles to composite roles are mapped in SAPCollectionRPG. You can establish which single roles are indirectly assigned to a user account through both tables.

The following applies by default for the inheritance of single roles by user accounts: If a single role is assigned to a user account and this single role is part of a composite role that is also assigned to the user account, then the assignment of the single role is additionally mapped in the SAPUserInSAPRole table if the validity period of the assigned single and composite role is not identical.

To not map memberships in single roles in the SAPUserInSAPRole table if the single roles are part of assigned composite roles

In the Designer, disable the TargetSystem | SAPR3 | KeepRedundantProfiles configuration parameter.

The table contains only the membership in the composite role.

Effect of the KeepRedundantProfiles configuration parameter

A single role is assigned to a user account, as well as a composite role that contains this single role.

The configuration parameter is set. Both role assignments have a different validity period.

The SAPUserInSAPRole table contains both the composite role assignment and the single role assignment.
The configuration parameter is set. Both role assignments have the same validity period.

The SAPUserInSAPRole table contains only the assignment of the composite role.
The configuration parameter is not set.

The SAPUserInSAPRole table contains only the assignment of the composite role. This applies regardless of the validity period of either role assignment.

Related topics

Assignment and inheritance of SAP profiles and SAP roles to SAP user accounts

Inheriting SAP profiles and SAP roles in a central user administration

If user accounts are managed through the central user administration, SAP roles and profiles can only inherited by user accounts if the user accounts have access permission for the client that the role and profiles belong to. By default, roles and profiles can only be inherited by user account if access to the clients is guaranteed explicitly. Otherwise, the roles and profiles are not inherited.

User accounts can be granted the missing client access automatically as soon as a role or profile is inherited by the client.

To automatically grant missing access permission to user accounts

In the Designer, set the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter.

The missing access permission is granted when inheritance is calculated (entry in the SAPUserMandant table) and the roles and profiles are assigned to the user accounts.

WARNING: As inheritance is an automated process, user accounts can therefore be given access permission to clients without the target system owners knowing about it.

Related topics

Additional tasks for managing SAP groups, SAP roles, and SAP profiles

After you have entered the main data, you can run the following tasks.

Overview of SAP groups, SAP roles, and SAP profiles

Effectiveness of SAP groups, SAP roles, and SAP profiles

SAP group, SAP role, and SAP profile inheritance based on categories

Assigning extended properties to SAP groups, SAP roles, and SAP profiles

Showing SAP authorizations

Overview of SAP groups, SAP roles, and SAP profiles

To obtain an overview of a group

Select the SAP R/3 > Groups category.
Select the group in the result list.
Select the SAP group overview task.

To obtain an overview of a profile

Select the SAP R/3 > Profiles category.
Select a profile in the result list.
Select the SAP profile overview task.

To obtain an overview of a role

Select the SAP R/3 > Roles category.
Select the role in the result list.
Select the SAP role overview task.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center