Chat now with support
Chat with Support

Identity Manager 9.1.2 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Troubleshooting an SAP R/3 connection Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Target system managers

A default application role exists for the target system manager in One Identity Manager. Assign employees to this application role who have permission to edit all clients in One Identity Manager.

Define additional application roles if you want to limit the permissions for target system managers to individual clients. The application roles must be added under the default application role.

For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers
  1. The One Identity Manager administrator allocates employees to be target system administrators.

  2. These target system administrators add employees to the default application role for target system managers.

    Target system managers with the default application role are authorized to edit all the clients in One Identity Manager.

  3. Target system managers can authorize other employees within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual clients.

Table 27: Default application roles for target system managers
User Tasks

Target system managers

 

Target system managers must be assigned to the Target systems | SAP R/3 application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare system entitlements to add to the IT Shop.

  • Can add employees who have another identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

To initially specify employees to be target system administrators

  1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)

  2. Select the One Identity Manager Administration > Target systems > Administrators category.

  3. Select the Assign employees task.

  4. Assign the employee you want and save the changes.

To add the first employees to the default application as target system managers

  1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).

  2. Select the One Identity Manager Administration > Target systems > SAP R/3 category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

  1. Log in to the Manager as a target system manager.

  2. Select the application role in the SAP R/3 > Basic configuration data > Target system managers category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To specify target system managers for individual clients

  1. Log in to the Manager as a target system manager.

  2. Select the SAP R/3 > Clients category.

  3. Select the client in the result list.

  4. Select the Change main data task.

  5. On the General tab, select the application role in the Target system manager menu.

    - OR -

    Next to the Target system manager menu, click to create a new application role.

    1. Enter the application role name and assign the Target systems | SAP R/3 parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.
  7. Assign employees to this application role who are permitted to edit the client in One Identity Manager.

Related topics

Basic data for user account administration

One Identity Manager supplies the following basic data for user administration, by default:

If configured, other basic data that cannot be edited in One Identity Manager is read from SAP R/3 during synchronization. It is used only for assignments to SAP user accounts. These include:

Certain user account properties can be defined as default for all user accounts through the configuration settings. These include:

User account types

The user account types are available in One Identity Manager by default. SAP R/3 recognizes the user account types listed below.

Table 28: User account types
User account type Meaning
Dialog (A) Dialog user in a system.
System (B) Background processing within a system.
Communication (C) Communication between systems without a dialog.
Service (S) Common user account for anonymous system access, for example.

User account of this type should have heavily restricted access permissions.

Reference (L) Common user account for additional granting of permissions.

The default user account type for new user accounts is specified in the "TargetSystem | SAPR3 | Accounts | Ustyp" configuration parameter.

To modify the default user account type

  • In the Designer, edit the value of the "TargetSystem | SAPR3 | Accounts | Ustyp" configuration parameter.

External identifier types

External authentication methods for logging in to a system can be used in SAP R/3. One Identity Manager supplies the following types as user identifiers to find the login data necessary for different authentication mechanisms for external systems on an SAP system:

Table 29: External identifier types
Type Description
DN Distinguished Name for X.509.
NT Windows NTLM or password verification with the Windows domain controller.
LD LDAP bind <user-defined> (For other external authentication mechanisms).
SA SAML Token.

To specify a default type for external identifiers

  • In the Designer, set the "TargetSystem | SAPR3 | UserDefaults | ExtID_Type" configuration parameter and specify a value.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating