Identity Manager 8.2 - Administration Guide for Connecting to SAP R/3

Deleting and restoring SAP user accounts

NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account that was created from this account definition is deleted.

To delete a user account

  1. Select the SAP R/3 > User accounts category.
  2. Select the user account in the result list.
  3. Click to delete the user account.
  4. Confirm the security prompt with Yes.

To restore a user account

  1. Select the SAP R/3 > User accounts category.
  2. Select the user account in the result list.
  3. Click in the result list.

Configuring deferred deletion

You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or blocked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore. Deferred deletion has no influence over the login permission in assigned CUA child systems.

You have the following options for configuring deferred deletion.

  • Global deferred deletion: Deferred deletion applies to user accounts in all target systems. The default value is 30 days.

    In the Designer, enter a different value for deferred deletion in the Deferred deletion [days] property of the SAPUser table.

  • Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.

    To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the SAPUser table.

    Example:

    Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.

    ' Privileged accounts are finally deleted after 10 days; other accounts keep the table default.
    If $IsPrivilegedAccount:Bool$ Then
        Value = 10
    End If

For detailed information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.
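To see what these settings mean for an audit, the following added example (not One Identity code) computes each deleted account's final deletion date from the 30-day default and the 10-day rule for privileged accounts described above, then separates accounts that can still be re-enabled from those whose window has elapsed. The record fields, account names and dates are constructed, and it assumes an account stops being restorable on its final deletion date.

```python
from datetime import date, timedelta

GLOBAL_DEFERRED_DAYS = 30      # default stated on this page for the SAPUser table
PRIVILEGED_DEFERRED_DAYS = 10  # value from this page's object-specific example

# Constructed sample records; the field names are hypothetical, not a product export format.
SAMPLE_ACCOUNTS = [
    {"account": "JDOE", "privileged": False, "deletion_triggered": date(2024, 3, 1)},
    {"account": "BASIS_ADM", "privileged": True, "deletion_triggered": date(2024, 3, 1)},
    {"account": "MMUELLER", "privileged": False, "deletion_triggered": date(2024, 1, 15)},
]

def deferred_days(record):
    """Apply the object-specific rule first, otherwise the global default."""
    if record["privileged"]:
        return PRIVILEGED_DEFERRED_DAYS
    return GLOBAL_DEFERRED_DAYS

def final_deletion_date(record):
    """Date on which deferred deletion is due to remove the account for good."""
    return record["deletion_triggered"] + timedelta(days=deferred_days(record))

def classify(records, today):
    """Split accounts into those still restorable and those past their window."""
    report = {"restorable": [], "overdue": []}
    for rec in records:
        due = final_deletion_date(rec)
        if today < due:
            # Disabled or blocked, but can still be re-enabled until `due`.
            report["restorable"].append((rec["account"], due, (due - today).days))
        else:
            # Still listed although the window has elapsed: check that
            # deferred deletion actually ran for this account.
            report["overdue"].append((rec["account"], due, (today - due).days))
    return report

if __name__ == "__main__":
    for state, rows in classify(SAMPLE_ACCOUNTS, date(2024, 3, 12)).items():
        for account, due, days in rows:
            print(f"{state:10} {account:10} final deletion {due} ({days} days)")
```

Accounts in the restorable list are the ones to review when a deletion was triggered for security reasons, because they can be re-enabled until the listed date.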

Entering external user identifiers for an SAP user account

External authentication methods for logging in to a system can be used in SAP R/3. With One Identity Manager, you can maintain the login data that users of external systems, for example, Active Directory, use to log in to an SAP R/3 environment.

You can use One Identity Manager to enter external user IDs and delete them. For existing user IDs, you can only change the "Account is enabled" option.

To enter external IDs

  1. Select the SAP R/3 > External IDs category.
  2. Select the external identifier in the result list. Select the Change main data task.

    - OR -

    Click in the result list.

  3. Enter the required data on the main data form.
  4. Save the changes.

Enter the following data for an external identifier.

Table 54: External ID properties

Property
    Description

External user ID
    User login name for the user to log into external systems. The syntax you require depends on the type of authentication selected. The complete user identifier is compiled by template.

    NOTE: The BAPI used by One Identity Manager applies the RSUSREXT default settings when generating the user identifier, which means that the user name is reset. The value provided in the interface is passed as a prefix.

    If your SAP R/3 environment uses something other than these default settings, modify the template for the SAPUserExtId.EXTID column accordingly.

External identifier type
    Authentication type for the external user. This results in the syntax for the external identifier.

    Table 55: External identifier types

    Distinguished Name for X.509
        Login uses the distinguished name for X.509.

    Windows NTLM or password verification
        Login uses Windows NT LAN Manager or password verification with the Windows domain controller.

    LDAP bind <user-defined>
        Login uses LDAP bind (for other authentication mechanisms).

    SAML token
        Authentication uses an SAML token profile.

    The default type is specified in the "TargetSystem | SAPR3 | Accounts | ExtID_Type" configuration parameter.

Target system type
    Can be called up together with the external ID type to test the login data. The default type is specified in the "TargetSystem | SAPR3 | Accounts | TargetSystemID" configuration parameter. Permitted values are ADSACCOUNT and NTACCOUNT.

Account is enabled
    Specifies whether the user or an external authentication system can log in to the system.

User account
    Assignment of the external user ID to a user account.

Sequential number
    Sequential number, if a user account has more than one external identifier.

Valid from
    Date from which the external user ID is valid.

SAP groups, SAP roles, and SAP profiles

Groups, roles, and profiles are mapped in One Identity Manager to provide the necessary permissions for user accounts. Groups, roles, and profiles can be assigned to user accounts, requested, or inherited through hierarchical roles in One Identity Manager. No groups, roles, or profiles can be added or deleted.

Groups

You can share the maintenance of user accounts among different administrators by assigning user accounts to groups.

Roles

A role includes all transactions and user menus that an SAP user requires to fulfill their tasks. Roles are separated into single and composite roles. Single roles can be grouped together into composite roles. User account memberships in roles can be set for a limited period.

Profiles

Access permissions to the system are regulated through profiles. Profiles are assigned through single roles or directly to user accounts. Profiles can be grouped into composite profiles.

Editing main data of SAP groups, SAP roles, and SAP profiles

You can edit the following data about groups, roles, and profiles in One Identity Manager:

  • Assigned SAP user accounts
  • Usage in the IT Shop
  • Risk assessment
  • Inheritance through roles and inheritance restrictions
  • License information for system measurement

To edit group main data

  1. Select the SAP R/3 > Groups category.
  2. Select the group in the result list. Select the Change main data task.
  3. Enter the required data on the main data form.
  4. Save the changes.

To edit profile main data

  1. Select the SAP R/3 > Profiles category.
  2. Select a profile in the result list. Select the Change main data task.
  3. Enter the required data on the main data form.
  4. Save the changes.

To edit role main data

  1. Select the SAP R/3 > Roles category.
  2. Select the role in the result list. Select the Change main data task.
  3. Enter the required data on the main data form.
  4. Save the changes.