Managing SAP R/3 environments
One Identity Manager offers simplified user administration for SAP R/3 environments. One Identity Manager concentrates on setting up and processing user accounts as well as groups, roles, and profiles assignments. External identifiers and parameters can also be assigned to user accounts. The necessary data for system measurement is also mapped. The system measurement data is available in One Identity Manager, but the measurement itself takes place in the SAP R/3 environment.
One Identity Manager provides company employees with the user accounts required to allow you to use different mechanisms for connecting employees to their user accounts. You can also manage user accounts independently of employees and therefore set up administrator user accounts.
Groups, roles, and profiles are mapped in One Identity Manager, in order to provide the necessary permissions for user accounts. Groups, roles, and profiles can be grouped into products and assigned to employees. One Identity Manager ensures that the right group memberships are created for the employee’s user account.
If user accounts are managed through the central user administration () in SAP R/3, access to the child client can be guaranteed for or withdrawn from user accounts in One Identity Manager.
Architecture overview
In One Identity Manager, the following servers play a role in managing SAP R/3:
- SAP R/3 application server
Application server on which synchronization is run The synchronization server connects to this server in order to access SAP R/3 objects.
- SAP R/3 database server
Server on which the SAP R/3 application database is installed.
- Synchronization server
The synchronization server for synchronizing data between One Identity Manager and SAP R/3. The One Identity Manager Service with the SAP R/3 connector is installed on this server. The synchronization server connects to the SAP R/3 application server.
- SAP R/3 router
Router which provides a network port to the SAP connector for communicating with the SAP R/3 application server.
- SAP R/3 message server
Server with which the SAP R/3 connector communicates during login if a direct connection to application servers is not permitted.
The SAP R/3 One Identity Manager connector runs synchronization and provision of data between SAP R/3 and the One Identity Manager database. The SAP R/3 connector uses the SAP connector for Microsoft .NET (NCo 3.0) for 64-bit systems for communicating with the target system.
The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and SAP R/3. The application server ABAP must be installed as a prerequisite for synchronization. An SAP R/3 system that is only based on a Java application server cannot be accessed with the SAP connector.
Figure 1: Architecture for synchronization - Direct communication
Figure 2: Architecture for synchronization - Communication through message server
Figure 3: Architecture for synchronization - Communication through router
One Identity Manager users for managing SAP R/3
The following users are used for setting up and administration of SAP R/3.
Table 1: Users
Target system administrators |
Target system administrators must be assigned to the Target systems | Administrators application role.
Users with this application role:
-
Administer application roles for individual target system types.
-
Specify the target system manager.
-
Set up other application roles for target system managers if required.
-
Specify which application roles for target system managers are mutually exclusive.
-
Authorize other employees to be target system administrators.
-
Do not assume any administrative tasks within the target system. |
Target system managers |
Target system managers must be assigned to the Target systems | SAP R/3 application role or a child application role.
Users with this application role:
-
Assume administrative tasks for the target system.
-
Create, change, or delete target system objects.
-
Edit password policies for the target system.
-
Prepare system entitlements to add to the IT Shop.
-
Can add employees who have another identity than the Primary identity.
-
Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
-
Edit the synchronization's target system types and outstanding objects.
-
Authorize other employees within their area of responsibility as target system managers and create child application roles if required. |
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles.
administrators:
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required.
-
Create and configure password policies as required. |
Administrators for the IT Shop |
Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.
Users with this application role:
|
Administrators for organizations |
Administrators must be assigned to the Identity Management | Organizations | Administrators application role.
Users with this application role:
|
Business roles administrators |
Administrators must be assigned to the Identity Management | Business roles | Administrators application role.
Users with this application role:
|
Setting up SAP R/3 synchronization
One Identity Manager supports synchronization with SAP systems for the following versions:
-
SAP Web Application Server 6.40
-
SAP NetWeaver Application Server 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.31, 7.40, 7.40 SR 2, 7.41, 7.50, 7.51, 7.52, 7.54, and 7.69
-
SAP ECC 5.0 and 6.0
-
SAP S/4HANA On-Premise edition
Central User Administration is supported for all versions named here.
NOTE: The application server ABAP must be installed as a prerequisite for synchronization. An SAP R/3 system that is only based on a Java application server cannot be accessed with the SAP connector.
To load SAP R/3 objects into the One Identity Manager database for the first time
- Prepare a user account with sufficient permissions for synchronizing in SAP R/3.
- Install the One Identity Manager Business Application Programming Interface in the SAP R/3 system.
-
One Identity Manager components for managing SAP R/3 environments are available if the TargetSystem | SAPR3 configuration parameter is set.
-
In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.
NOTE: If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
-
Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
- Download the installation source for the SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0.
- Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
- Create a synchronization project with the Synchronization Editor.
Detailed information about this topic