Identity Manager 8.2 - Administration Guide for Connecting to SAP R/3

Release child systems

The child systems can be released individually from the CUA without removing it entirely. Removing a CUA can be done step-by-step and tested. The following steps must be performed for each child system:

  1. Release the child system in One Identity Manager from the CUA
  2. Set up a new synchronization project and synchronize the client
  3. Release child systems from the CUA distribution model of the SAP R/3 environment

To release a child system from the CUA

  1. In the Manager, select the SAP R/3 > Clients category.

  2. In the results list, select the child system you want to release.

  3. Select the Release client from CUA task and confirm the security prompt with Yes.

After checking whether the client can be removed, One Identity Manager converts the data.

  • User accounts and their external identifiers are copied from the central system to the child system.
  • SAP groups and group assignments to user accounts are copied from the central system to the child system.
  • SAP roles and profiles are converted and assigned to the copied user accounts.
  • Removes user account access permissions to the child system (purges SAPUserMandant table).
  • The client assignment to the central system is removed.
  • If an account definition is assigned to the client, it is converted. The SAPUser table is assigned as a user account table.

To set up synchronization for the released client

  1. If the client is hosted in a different SAP system than the central system, then there is a synchronization project for the client. Delete this synchronization project.

  2. Create a new synchronization project. For this purpose, use the SAP R/3 synchronization (base administration) project template.

    For more information, see Creating a synchronization project for initial synchronization of an SAP client.

    TIP: If a suitable synchronization project already exists for an SAP client with an identical schema, then the released client can be assigned to this synchronization project as another base object.

  3. Start the synchronization.

  4. Check the synchronization result. Fix errors and handle outstanding objects.

To release the child system from the CUA distribution model

  • If the synchronization was run without errors, delete the child system from the CUA distribution model in the SAP R/3 environment.

    Only the client assignment to the CUA distribution model is to be removed. For more information, see your SAP R/3 documentation.

Converting the central system

As soon as all child systems have been removed from a central user administration, the central system can also be converted. The following steps must be performed:

  1. Convert the central system in One Identity Manager
  2. Delete user accounts without central system access
  3. Delete the CUA from the distribution model of the SAP R/3 environment
  4. Set up a new synchronization project and synchronize the client

To convert the central system

  1. In the Manager, select the SAP R/3 > Clients category.

  2. Select the target system in the result list.

  3. Select the Release client from CUA task and confirm the security prompt with Yes.

    After checking whether the client qualifies for conversion, the data is converted in the One Identity Manager database.

    • Converts SAP roles and profiles in the central system.
    • Converts SAP role and profile assignments to user accounts.
    • Removes user account access permissions to the central system (purges SAPUserMandant table).
    • Removes the client's central system identifier.

  4. Once conversion is complete, it is necessary to decide how to proceed with user accounts that did not have access permissions to the central system within the CUA.

    • If you want to delete these user accounts, click Yes.

      Select this option to ensure that only the users who were authorized to access the client before the conversion are granted access. User accounts created by an IT Shop request or by inheritance of a valid account definition remain intact.

      All other user accounts without access permissions are deleted.

    • If you want to keep these user accounts, click No.

      The user accounts are retained and are thus authorized for access in this client.

  5. Decide what to do with user accounts that were created using a valid account definition. If you want to delete these user accounts, remove the account definition assignment to the employees.

    For more information, see Assigning account definitions to employees.
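
The effect of the Yes/No decision in step 4 can be previewed before the task is run. The following is an added example, not part of the original guide or of One Identity Manager: it reads a constructed account export whose column names (account, has_central_access, origin) are hypothetical and groups the accounts by the outcome described above.

```python
import csv
import io

# Constructed sample export. Column names and values are assumptions for this
# example and do not reflect the One Identity Manager schema.
SAMPLE_EXPORT = """account,has_central_access,origin
ALICE,yes,manual
BOB,no,manual
CAROL,no,it_shop
DAVE,no,account_definition
ERIN,yes,account_definition
"""

# Per step 4, accounts of these origins remain intact even when Yes is chosen.
PROTECTED_ORIGINS = {"it_shop", "account_definition"}
KNOWN_ORIGINS = PROTECTED_ORIGINS | {"manual"}


def plan_conversion(export_text, delete_unauthorized):
    """Group accounts by what the step 4 decision does to them.

    delete_unauthorized=True models answering Yes, False models answering No.
    """
    plan = {"unchanged": [], "deleted": [], "kept_intact": [], "newly_authorized": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["account"].strip()
        origin = row["origin"].strip().lower()
        if origin not in KNOWN_ORIGINS:
            # Refuse to guess: an unclassified account must be reviewed by hand.
            raise ValueError(f"unknown origin {origin!r} for account {name}")
        if row["has_central_access"].strip().lower() == "yes":
            plan["unchanged"].append(name)          # had access before, keeps it
        elif not delete_unauthorized:
            plan["newly_authorized"].append(name)   # No: retained, gains access
        elif origin in PROTECTED_ORIGINS:
            plan["kept_intact"].append(name)        # Yes: survives, handle in step 5
        else:
            plan["deleted"].append(name)            # Yes: removed
    return plan


if __name__ == "__main__":
    for answer in (True, False):
        print("Yes" if answer else "No", plan_conversion(SAMPLE_EXPORT, answer))
```

The newly_authorized and kept_intact groups are the accounts to review, since they did not have access to the central system client within the CUA.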

IMPORTANT: All provisioning processes must be completed before conversion can continue.

Perform the following step before creating a new synchronization project for the client.

To delete the CUA from the distribution model of the SAP R/3 environment

  • Once all child systems have been released from the CUA distribution model in the SAP R/3 environment, you can delete the entire CUA from the distribution model.

    • Specify how to proceed with user accounts that did not have access permissions to the central system within CUA.

      If these user accounts have been deleted in One Identity Manager, select the Additionally Lock Users Locally option here.

      As a result, the user accounts that were created using an account definition are locked and do not get access permissions to the client.

    For more information, see your SAP R/3 documentation.

To set up synchronization for the client

  1. Delete the synchronization project for the central system.

  2. Create a new synchronization project. For this purpose, use the SAP R/3 synchronization (base administration) project template.

    • On the Additional settings page, disable the Central User Administration (CUA) option.

    For more information, see Creating a synchronization project for initial synchronization of an SAP client.

    TIP: If a suitable synchronization project already exists for an SAP client with an identical schema, then the released client can be assigned to this synchronization project as another base object.

  3. Start the synchronization.

  4. Check the synchronization result. Fix errors and handle outstanding objects.

    User accounts that did not have access permissions for the central system and were created through an account definition are blocked.

  5. Check locked user accounts.

    1. Unlock all user accounts that should have access to the client.

    2. Remove the account definition from the linked employee of all user accounts to be deleted.

      For more information, see Assigning account definitions to employees.

Checking for successful conversion

If all child systems have been removed without errors and the central system has been converted without errors, the CUA is removed. The SAP user accounts in all previously involved clients can be managed either separately or through the linked employee.

To check for correct conversion of a child system

  1. In the Manager, select the SAP R/3 > Clients category.

  2. In the results list, select the client of the former child system.

  3. Check the following main data

    • ALE name: Value deleted.
    • ALE model name: Value deleted.
    • CUA status: None.
    • CUA central system: None assigned.

  4. Select the SAP client overview task.

  5. Click the form element for the assigned account definition and check the account definition's main data.

    • User account table: SAPUser.
    • Required account definition: The central system's account definition is assigned.

  6. Check if the required account definition is still needed.

    After removing the CUA, a user account in the central system is no longer a necessary prerequisite for the creation of a user account in the former child system. In this case, the required account definition can be removed.

  7. Synchronization is set up and works correctly.

To check for correct conversion of a central system

  1. In the Manager, select the SAP R/3 > Clients category.

  2. In the results list, select the client of the former central system.

  3. Check the following main data

    • ALE name: Empty value.
    • ALE model name: Value deleted.
    • CUA status: None.

  4. Select the SAP client overview task.

    No child system is assigned.

  5. Synchronization is set up and works correctly.

Configuration parameters for managing an SAP R/3 environment

The following configuration parameters are available in One Identity Manager after the module has been installed.

Table 76: Configuration parameter

Configuration parameters

Description

TargetSystem | SAPR3

SAP is supported. The parameter is a precompiler dependent configuration parameter. Changes to the parameter require recompiling the database.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | SAPR3 | Accounts

Default values should be used for SAP user accounts.

TargetSystem | SAPR3 | Accounts | CalculateLicence

Parameter for controlling the calculation of SAP system measurement for SAP user accounts.

TargetSystem | SAPR3 | Accounts | Datfm

Specifies the default date format for SAP user accounts.

TargetSystem | SAPR3 | Accounts | Dcpfm

Specifies the default decimal point format for SAP user accounts.

TargetSystem | SAPR3 | Accounts | ExtID_Type

Specifies the default type for external identification of SAP user accounts.

TargetSystem | SAPR3 | Accounts | Fax_Group

Specifies the default fax group for SAP user accounts.

TargetSystem | SAPR3 | Accounts | Guiflag

Specifies whether secure communication is permitted for SAP user accounts.

TargetSystem | SAPR3 | Accounts | InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | SAPR3 | Accounts | InitialRandomPassword | SendTo

This configuration parameter specifies to which employee the email with the randomly generated password should be sent (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the "TargetSystem | SAPR3 | DefaultAddress" configuration parameter.

TargetSystem | SAPR3 | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used.

TargetSystem | SAPR3 | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | SAPR3 | Accounts | Langu_p

Specifies default language key for SAP users.

TargetSystem | SAPR3 | Accounts | Langup_iso

Specifies default language (ISO 639).

TargetSystem | SAPR3 | Accounts | MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | SAPR3 | Accounts | Spda

Specifies default setting for printer parameter 3 (delete after print).

TargetSystem | SAPR3 | Accounts | Spdb

Specifies default setting for printer parameter 3 (print immediately).

TargetSystem | SAPR3 | Accounts | Splg

Specifies the default printer (print parameter 1).

TargetSystem | SAPR3 | Accounts | TargetSystemID

Specifies default target system identification for mapping external users.

TargetSystem | SAPR3 | Accounts | Time_zone

Specifies the default time zone value for the SAP user account’s address.

TargetSystem | SAPR3 | Accounts | Tzone

Specifies the default value for the time zone.

TargetSystem | SAPR3 | Accounts | Ustyp

Specifies the default user type for SAP user accounts.

TargetSystem | SAPR3 | AutoCreateDepartment

This configuration parameter specifies whether departments are automatically created when user accounts are modified or synchronized.

TargetSystem | SAPR3 | AutoFillSAPUserMandant

Specifies whether SAP roles and SAP profiles can be inherited by the user accounts in a Central User Administration if the user accounts do not have access permission for the clients that these roles and profiles belong to.

If the configuration parameter is set, access permission is granted when inheritance is calculated (entry in the SAPUserMandant table) and the roles and profiles are assigned to the user accounts. If the configuration parameter is not set, these roles and profiles are not inherited (default).

TargetSystem | SAPR3 | DefaultAddress

Default email address (recipient) for messages about actions in the target system.

TargetSystem | SAPR3 | KeepRedundantProfiles

This configuration parameter regulates behavior for handling single role and profile assignments to users.

If the parameter is set, the user's single roles or profiles, which are already part of the user's composite roles, are retained.

If the parameter is not set, the user's single roles or profiles, which are already part of the user's composite roles, are removed (default).

TargetSystem | SAPR3 | MaxFullsyncDuration

Specifies the maximum runtime for synchronization.

TargetSystem | SAPR3 | PersonAutoDefault

Mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | SAPR3 | PersonAutoDisabledAccounts

Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | SAPR3 | PersonAutoFullsync

Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | SAPR3 | ValidDateHandling

This configuration parameter is for handling validity periods in SAP role and structural profile assignments to SAP user accounts.

TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate

This configuration parameter specifies whether the validity period is taken from the request and copied to the SAP role and structural profile assignments to SAP user accounts. If the configuration parameter is set, the Valid from and Valid until dates are not copied from the request to the assignments.

TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate

Controls reuse of existing SAP role and structural profile assignments to SAP user accounts.

If this configuration parameter is set, existing assignments are reused if the same assignment is created by different means of inheritance and the validity period matches.

TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom

This configuration parameter specifies whether the Valid from date of indirect SAP role and structural profile assignments to SAP user accounts is set to <today> or to 1900-01-01.

TargetSystem | SAPR3 | VerifyUpdates

Specifies whether changed properties are checked when the system is updated. If this parameter is set, the objects in the target system are verified after every update.
