
Identity Manager 9.0 LTS - Administration Guide for Connecting to SAP R/3


Users and authorizations for synchronizing with SAP R/3

The following users are involved in synchronizing One Identity Manager with SAP R/3.

Table 2: Users for synchronization

User

Authorizations

One Identity Manager Service user account

The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

User for accessing the target system (synchronization user)

You must provide a user account with the following authorizations for full synchronization of SAP R/3 objects with the supplied One Identity Manager default configuration.

Required authorization objects and their meanings:

  • S_TCODE with a minimum of transaction codes SU01, SU53, PFCG

  • S_ADDRESS1 (address services) with activities 01, 02, 03, 06 and valid address groups (at least BC01)

  • S_USER_AGR (role maintenance) with activities 02, 03, 22, 78, possibly with a restricted name range (for example Z*)

  • S_USER_GRP (group maintenance) with activities 01, 02, 03, 22, 78 and PP (if available in the SAP R/3 environment)

  • S_USER_AUT (authorizations) with activities 03, 08

  • S_USER_PRO (profile) with activities 01, 02, 03, 22

  • S_USER_SAS (system specific assignments) with activities 01, 06, 22

  • S_USER_UID with the activity 03

  • S_RFC (authorization check by RFC access) with activity 16 at least for function groups ZVI, /VIAENET/ZVI0, /VIAENET/ZVI_L, /VIAENET/Z_HR, SU_USER, SYST, SDTX, RFC1, RFC_METADATA, SDIFRUNTIME, SYSU, /VIAENET/ZVIL_TABLE

    NOTE:

    As of One Identity Manager version 8.2, an updated BAPI transport SAPTRANSPORT_70.ZIP is provided. This replaces the RFC_READ_TABLE SAP module with the /VIAENET/READTABLE function module. When it accesses an SAP R/3 environment, the SAP R/3 connector checks whether the /VIAENET/READTABLE function module exists and uses it.

    If the function module is not available, the connector uses the RFC_READ_TABLE SAP module.

    In this case, the synchronization user needs the authorization object S_TABU_NAM with the activity 03.

    Alternatively, you can define access permissions on the tables using either the S_TABU_NAM or the S_TABU_DIS authorization object; both are checked in the same way.

    In the TABLE field, the names of the tables to be read can be specified individually.

Apart from the authorizations listed, the user account must be granted all objects from the authorization classes ZVIH_AUT, ZVIA_AUT, and ZVIL_AUT that are installed by the transport package for synchronization. These authorization objects guarantee the basic authorization for running the function modules.

In addition, the authorization objects ZVIH_OP, ZVIA_OP, and ZVIL_OP must be assigned. They regulate the type of access to SAP R/3 data through the ACTVT authorization field. Possible values are 01 (add or create), 02 (change), 03 (display), and 06 (delete). The respective activity is checked before data is accessed. If only the 03 (display) activity is assigned, no write operations at all can be carried out with this user account through the One Identity Manager Business Application Programming Interface.

The following authorization objects are required in addition for the child system in order to synchronize central user administration:

  • S_RFC with the function group SUU6

  • S_TCODE with the transaction code SU56

User for accessing the One Identity Manager database

The Synchronization default system user is provided to run synchronization using an application server.

TIP: The transport file provided by default, SAPRole.zip, includes a transport package with a role that the base authorization object already possesses. This role can be assigned to the user account. You will find the transport files on the One Identity Manager installation medium in the Modules\SAP\dvd\AddOn\Bapi directory.

The named authorizations are required so that the SAP R/3 connector has read and write access to the SAP R/3 system. If only read access is permitted, set up a profile that has authorizations for running the transactions SU01 and PFCG but prevents write access at activity or field level. Also take care when granting activities for the authorization objects ZVIH_OP, ZVIA_OP, and ZVIL_OP: for read-only access, enable only the 03 (display) activity.

The user account must have the user type dialog, communication, or system so that additional information can be loaded.

NOTE: In SAP R/3 versions up to and including SAP Web Application Server 6.40, the password and user input are not case-sensitive. This no longer applies to the password for SAP NetWeaver Application Server 7.0 and later, where passwords are case-sensitive.

All of SAP's own tools that are supplied up to SAP Web Application Server 6.40, apart from the SAP GUI (RFC-SDK, SAP .Net Connector), therefore convert the password to capital letters before passing it to SAP R/3. You must set the password in capital letters for the user account that the SAP .Net Connector uses to authenticate itself on the SAP R/3 system. If this is done, all the usual tools can access SAP NetWeaver Application Server 7.0 by RFC.
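The following Python script is an added illustration (it is not One Identity code) of how to audit a synchronization user's assigned authorizations against the minimum set listed in this section, and of the read-only check above: it reports which required object/field values are missing and whether the ZVIH_OP, ZVIA_OP, and ZVIL_OP activities still permit write operations. The object names, activities, and function groups come from this section; the data layout (object, field, set of granted values), the SAP field names TCD, ACTVT, ADDRGROUP, ACT_GROUP, and RFC_NAME, and both sample users are assumptions constructed for the example.

```python
"""Audit an SAP synchronization user's authorizations against the minimum the
One Identity Manager SAP R/3 connector needs (added illustration, not One
Identity code).

The required objects, activities and function groups are those listed in the
guide. The data layout (object -> field -> set of granted values), the SAP
field names TCD, ACTVT, ADDRGROUP, ACT_GROUP and RFC_NAME, and the two sample
users are assumptions constructed for this example.
"""
import copy
from fnmatch import fnmatchcase

# Minimum authorizations for full synchronization with the default configuration.
REQUIRED = {
    "S_TCODE":    {"TCD": {"SU01", "SU53", "PFCG"}},
    "S_ADDRESS1": {"ACTVT": {"01", "02", "03", "06"}, "ADDRGROUP": {"BC01"}},
    "S_USER_AGR": {"ACTVT": {"02", "03", "22", "78"}},
    "S_USER_GRP": {"ACTVT": {"01", "02", "03", "22", "78"}},  # PP only if present
    "S_USER_AUT": {"ACTVT": {"03", "08"}},
    "S_USER_PRO": {"ACTVT": {"01", "02", "03", "22"}},
    "S_USER_SAS": {"ACTVT": {"01", "06", "22"}},
    "S_USER_UID": {"ACTVT": {"03"}},
    "S_RFC": {
        "ACTVT": {"16"},
        "RFC_NAME": {"ZVI", "/VIAENET/ZVI0", "/VIAENET/ZVI_L", "/VIAENET/Z_HR",
                     "SU_USER", "SYST", "SDTX", "RFC1", "RFC_METADATA",
                     "SDIFRUNTIME", "SYSU", "/VIAENET/ZVIL_TABLE"},
    },
}
# Needed only when the connector falls back to RFC_READ_TABLE because the
# /VIAENET/READTABLE function module is not installed.
LEGACY_READ_TABLE = {"S_TABU_NAM": {"ACTVT": {"03"}}}

# Connector objects from the transport; their ACTVT field decides read vs. write.
OP_OBJECTS = ("ZVIH_OP", "ZVIA_OP", "ZVIL_OP")
WRITE_ACTIVITIES = {"01", "02", "06"}  # add/create, change, delete


def covers(granted, needed):
    """True if one of the granted values matches the needed value.

    A '*' is treated as a wildcard, as in a PFCG value such as Z*.
    Intervals (from/to ranges) are not modelled here.
    """
    return any(fnmatchcase(needed, pattern) for pattern in granted)


def audit(assigned, legacy_read_table=False):
    """Return the missing minimum authorizations and whether the user can write."""
    required = dict(REQUIRED)
    if legacy_read_table:
        required.update(LEGACY_READ_TABLE)

    missing = []
    for obj, fields in required.items():
        for field, values in fields.items():
            granted = assigned.get(obj, {}).get(field, set())
            missing += [f"{obj} {field}={v}" for v in sorted(values)
                        if not covers(granted, v)]

    op_acts = {obj: assigned.get(obj, {}).get("ACTVT", set()) for obj in OP_OBJECTS}
    # Every *_OP object needs at least display, otherwise even reads are refused.
    missing += [f"{obj} ACTVT=03" for obj, acts in op_acts.items()
                if not covers(acts, "03")]
    # Any add/change/delete activity on an *_OP object makes write access possible.
    write_capable = any(covers(acts, w) for acts in op_acts.values()
                        for w in WRITE_ACTIVITIES)
    return {"missing": missing, "write_capable": write_capable}


# Constructed sample: a user built for full synchronization. A wildcard covers
# the /VIAENET/ function groups, and role maintenance is restricted to Z* roles.
FULL_SYNC_USER = {
    "S_TCODE":    {"TCD": {"SU01", "SU53", "PFCG"}},
    "S_ADDRESS1": {"ACTVT": {"01", "02", "03", "06"}, "ADDRGROUP": {"BC01"}},
    "S_USER_AGR": {"ACTVT": {"02", "03", "22", "78"}, "ACT_GROUP": {"Z*"}},
    "S_USER_GRP": {"ACTVT": {"01", "02", "03", "22", "78"}},
    "S_USER_AUT": {"ACTVT": {"03", "08"}},
    "S_USER_PRO": {"ACTVT": {"01", "02", "03", "22"}},
    "S_USER_SAS": {"ACTVT": {"01", "06", "22"}},
    "S_USER_UID": {"ACTVT": {"03"}},
    "S_RFC": {"ACTVT": {"16"},
              "RFC_NAME": {"ZVI", "/VIAENET/*", "SU_USER", "SYST", "SDTX", "RFC1",
                           "RFC_METADATA", "SDIFRUNTIME", "SYSU"}},
    "ZVIH_OP": {"ACTVT": {"01", "02", "03", "06"}},
    "ZVIA_OP": {"ACTVT": {"01", "02", "03", "06"}},
    "ZVIL_OP": {"ACTVT": {"01", "02", "03", "06"}},
}

# Constructed sample: the same user cut down to display-only, as the guide
# describes for a read-only profile. It fails the full-sync minimum but cannot write.
READ_ONLY_USER = copy.deepcopy(FULL_SYNC_USER)
for _obj in ("S_ADDRESS1", "S_USER_AGR", "S_USER_GRP", "S_USER_PRO", "S_USER_SAS") + OP_OBJECTS:
    READ_ONLY_USER[_obj]["ACTVT"] = {"03"}

if __name__ == "__main__":
    for label, user in (("full sync", FULL_SYNC_USER), ("read only", READ_ONLY_USER)):
        result = audit(user)
        print(f"{label}: write_capable={result['write_capable']}, "
              f"missing={result['missing'] or 'none'}")
```

Run it on an export of the user's effective authorizations (for example, the values shown in the role's authorization data in PFCG, transcribed into the same layout). A full-sync user should produce an empty missing list with write_capable true; a read-only user should produce write_capable false, and any add, change, or delete activity on an *_OP object that you did not intend to grant shows up there before the account is put into service.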


Installing the One Identity Manager Business Application Programming Interface

NOTE: The Business Application Programming Interface in One Identity Manager is certified.

Certificates:

  • Integration with SAP S/4HANA

  • Powered by SAP NetWeaver

For more information, see SAP Certified Solutions Directory.

In order to access One Identity Manager data and business processes with the SAP R/3, you must load the Business Application Programming Interface (BAPI) into the SAP R/3 system. You will find the required transport files on the One Identity Manager installation medium in the Modules\SAP\dvd\AddOn\Bapi directory.

TIP: Instead of installing SAPTRANSPORT_70.ZIP, you can also install the Assembly Kit T070020759523_0000006.PAT. For more information, see Uninstalling BAPI transports.

Install the BAPI transport in the following order:

Table 3: BAPI transport

  1. SAPRepository.zip

    Creates the /VIAENET/ environment in the SAP system repository.

  2. SAPTable.zip

    Defines the table structure for /VIAENET/USERS in the SAP system dictionary.

  3. SAPTRANSPORT_70.ZIP

    Contains the functions defined in the /VIAENET/ environment.

    Select the transport package that suits your SAP system.

    • Archive directory UNICODE: Transports for systems that support Unicode; transports for copies

    • Archive directory NON_UNICODE: Transports for systems that do not support Unicode

    • Archive directory UNICODE_WORKBENCH: Transports for systems that support Unicode; workbench transports

    • Archive directory NON_UNICODE_WORKBENCH: Transports for systems that do not support Unicode; workbench transports

  4. (Optional) SAPBusinesspartnerProxies.zip

    Contains the functions defined in the /VIAENET/HELPER package.

    The transport is only required if an SAP S/4HANA system is connected and you want to map business partner data associated with SAP user accounts.

    Select the transport package that suits your SAP system.

    • Archive directory UNICODE: Transports for systems that support Unicode; transports for copies

    • Archive directory UNICODE_WORKBENCH: Transports for systems that support Unicode; workbench transports

  5. (Optional) SAPAuthorization.zip

    Imports all authorization objects defined in the /VIAENET/ environment as a workbench transport.

    The transport package contains only the authorization objects from the complete SAPTRANSPORT_70.ZIP transport package. Install this transport package if you want to test whether the authorization objects cause issues in your SAP R/3 environment.

Set the following import options for the transport:

  • Overwrite Originals

  • Overwrite Objects in Unconfirmed Repairs

  • Ignore Non-Matching Component Versions

In addition, the SAP R/3 connector uses other SAP R/3 BAPIs in parallel.


Uninstalling BAPI transports

The SAP Add-On Assembly Kit allows a BAPI to be uninstalled from an SAP system. An uninstallable Assembly Kit is provided for this purpose.

Prerequisites
  • SAP NetWeaver Application Server 7.00 or later

  • SAP ECC 6.0

  • SAP Add-On Assembly Kit 5.0 or later

  • Unicode is supported.

To uninstall a BAPI transport at a later date

  • Install the Assembly Kit T070020759523_0000006.PAT instead of the transport file SAPTRANSPORT_70.ZIP.

    You will find the kit on the One Identity Manager installation medium in the Modules\SAP\dvd\AddOn\Bapi directory.

The kit contains the functions that are defined in the /VIAENET/ environment. The kit has the deinstall_allowed option set.


Setting up the synchronization server

To set up synchronization with an SAP R/3 environment, a server has to be available that has the following software installed on it:

  • Windows operating system

    The following versions are supported:

    • Windows Server 2022

    • Windows Server 2019

    • Windows Server 2016

    • Windows Server 2012 R2

    • Windows Server 2012

  • Microsoft .NET Framework version 4.8 or later

    NOTE: Take the target system manufacturer's recommendations into account.
  • Windows Installer
  • SAP .Net Connector for .NET 4.0 on x64, with at least version 3.0.15.0
  • One Identity Manager Service, Synchronization Editor, SAP R/3 connector
    • Install One Identity Manager components with the installation wizard.
      1. Select Select installation modules with existing database.
      2. Select the Server | Job Server | SAP R/3 machine role.

Further requirements

  • The following files must be either in the Global Assembly Cache (GAC) or in the One Identity Manager installation directory:
    • libicudecnumber.dll
    • rscp4n.dll
    • sapnco.dll
    • sapnco_utils.dll
  • The following files must be either in the Global Assembly Cache (GAC), in C:\Windows\System32, or in the One Identity Manager installation directory:
    • msvcp100.dll
    • msvcr100.dll

All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.

NOTE: If several target system environments of the same type are synchronized under the same synchronization server, it is recommended that you set up a Job server for each target system for performance reasons. This avoids unnecessary swapping of connections to target systems because a Job server only has to process tasks of the same type (re-use of existing connections).

Use the Server Installer to install the One Identity Manager Service. The program runs the following steps:

  • Sets up a Job server.

  • Specifies machine roles and server function for the Job server.

  • Remotely installs One Identity Manager Service components corresponding to the machine roles.

  • Configures the One Identity Manager Service.

  • Starts the One Identity Manager Service.

NOTE: The program performs a remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program.

To remotely install the One Identity Manager Service, you must have an administrative workstation on which the One Identity Manager components are installed. For more information about installing a workstation, see the One Identity Manager Installation Guide.

NOTE: To generate processes for the Job server, you need the provider, connection parameters, and the authentication data. By default, this information is determined from the database connection data. If the Job server runs through an application server, you must configure extra connection data in the Designer. For more information about setting up Job servers, see the One Identity Manager Configuration Guide.

To remotely install and configure One Identity Manager Service on a server

  1. Start the Server Installer program on your administrative workstation.

  2. On the Database connection page, enter the valid connection credentials for the One Identity Manager database.

  3. On the Server properties page, specify the server on which you want to install the One Identity Manager Service.

    1. Select a Job server from the Server menu.

      - OR -

      To create a new Job server, click Add.

    2. Enter the following data for the Job server.

      • Server: Name of the Job server.

      • Queue: Name of the queue that handles the process steps. Each Job server within the network must have a unique queue identifier. The process steps are requested from the Job queue using this exact queue name. The queue identifier is entered in the One Identity Manager Service configuration file.

      • Full server name: Full server name in accordance with DNS syntax.

        Syntax:

        <Name of server>.<Fully qualified domain name>

      NOTE: You can use the Extended option to make changes to other properties for the Job server. You can also edit the properties later with the Designer.

  4. On the Machine roles page, select SAP R/3.

  5. On the Server functions page, select SAP R/3 connector.

  6. On the Service Settings page, enter the connection data and check the One Identity Manager Service configuration.

    NOTE: The initial service configuration is predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more information about configuring the service, see the One Identity Manager Configuration Guide.

    • For a direct connection to the database:

      1. Select Process collection > sqlprovider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the One Identity Manager database.

    • For a connection to the application server:

      1. Select Process collection, click the Insert button and select AppServerJobProvider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the application server.

      4. Click the Authentication data entry and click the Edit button.

      5. Select the authentication module. Depending on the authentication module, other data may be required, such as user and password. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  7. To configure remote installations, click Next.

  8. Confirm the security prompt with Yes.

  9. On the Select installation source page, select the directory with the install files. Change the directory if necessary.

  10. If the database is encrypted, on the Select private key file page, select the file with the private key.

  11. On the Service access page, enter the service's installation data.

    • Computer: Enter the name or IP address of the server that the service is installed and started on.

    • Service account: Enter the details of the user account that the One Identity Manager Service runs under. Enter the user account, the user account's password, and the password confirmation.

    The service is installed using the user account with which you are logged in to the administrative workstation. If you want to use another user account for installing the service, you can enter it in the advanced options. You can also change the One Identity Manager Service details, such as the installation directory, name, display name, and the One Identity Manager Service description, using the advanced options.

  12. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  13. Click Finish on the last page of the Server Installer.

    NOTE: In a default installation, the service is entered in the server's service management with the name One Identity Manager Service.

    NOTE: In a default installation, the service is entered in the server’s service management with the name One Identity Manager Service.
