The following users play a role in synchronizing One Identity Manager with SAP R/3.
One Identity Manager Service user account
The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).
The user account must belong to the Domain users group.
The user account must have the Login as a service extended user permissions.
The user account requires permissions for the internal web service.
NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:
netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORK SERVICE"
The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.
In the default installation, One Identity Manager is installed under:
User for accessing the One Identity Manager database
The Synchronization default system user is provided to run synchronization using an application server.
User for accessing the target system (synchronization user)
You must provide a user account with the following authorizations for full synchronization of SAP R/3 objects with the supplied One Identity Manager default configuration.
Required authorization objects and their meanings:
- S_TCODE with at least the transaction codes SU01, SU53, PFCG
- S_ADDRESS1 (address services) with activities 01, 02, 03, 06 and valid address groups (at least BC01)
- S_USER_AGR (role maintenance) with activities 02, 03, 22, 78, possibly with a restricted name range (for example Z*)
- S_USER_GRP (group maintenance) with activities 01, 02, 03, 22, 78 and PP (if available in the SAP R/3 environment)
- S_USER_AUT (authorizations) with activities 03, 08
- S_USER_PRO (profile) with activities 01, 02, 03, 22
- S_USER_SAS (system-specific assignments) with activities 01, 06, 22
- S_USER_UID with activity 03
- S_RFC (authorization check by RFC access) with activity 16 at least for the function groups ZVI, /VIAENET/ZVI0, /VIAENET/ZVI_L, /VIAENET/Z_HR, SU_USER, SYST, SDTX, RFC1, RFC_METADATA, SDIFRUNTIME, SYSU, /VIAENET/ZVIL_TABLE
NOTE: As of One Identity Manager version 8.2, an updated BAPI transport SAPTRANSPORT_70.ZIP is provided. It uses the /VIAENET/READTABLE function module instead of the SAP module RFC_READ_TABLE. When it accesses an SAP R/3 environment, the SAP R/3 connector checks whether the /VIAENET/READTABLE function module exists and uses it if it does.
If the function module is not available, the connector falls back to the SAP module RFC_READ_TABLE. In this case, the synchronization user needs the authorization object S_TABU_NAM with activity 03.
Alternatively, you can define access permissions on the tables using the S_TABU_NAM or the S_TABU_DIS authorization object; both are checked equally. In the TABLE field, the names of the tables to be read can be specified individually.
Apart from the authorizations listed, the user account must be granted all the authorizations from the ZVIH_AUT, ZVIA_AUT, and ZVIL_AUT authorization objects that are installed by the transport package. These authorization objects provide the basic authorization for running the function modules.
In addition, the authorization objects ZVIH_OP, ZVIA_OP, and ZVIL_OP need to be assigned. They regulate the type of access to SAP R/3 data through the ACTVT authorization field. Possible values are 01 add or create, 02 change, 03 display, and 06 delete. The respective activity is checked before data is accessed. If only the 03 display activity has been assigned, no write operations at all can be carried out with this user account through the One Identity Manager Business Application Programming Interface.
The following authorization objects are required in addition for the child system in order to synchronize central user administration:
TIP: The transport file provided by default, SAPRole.zip, includes a transport package with a role that already contains the basic authorization objects. This role can be assigned to the user account. You will find the transport files on the One Identity Manager installation medium in the Modules\SAP\dvd\AddOn\Bapi directory.
The named authorizations are required so that the SAP R/3 connector has read and write access to the SAP R/3 system. If only read access is permitted, set up a profile that has authorizations for running the transactions SU01 and PFCG but prevents write access at activity or field level. Also take care when granting activity authorizations for the authorization objects ZVIH_OP, ZVIA_OP, and ZVIL_OP: for read-only access, enable only the 03 display activity.
The user account must have the user type Dialog, Communication, or System in order to load additional information.
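As an added example (not part of the One Identity Manager documentation or product), the following Python script checks a role's authorization values against the minimum list above and reports which of the ZVIH_OP, ZVIA_OP, and ZVIL_OP objects grant a write activity, so that a read-only profile can be verified before the synchronization user is put into use. The role is a constructed dictionary of object -> field -> values; TCD, ACTVT, RFC_NAME, and ACT_GROUP are SAP's standard field names for these objects, and values ending in '*' are treated as name ranges such as Z*.

```python
from fnmatch import fnmatchcase

# Minimum values per authorization object and field, taken from the list above.
# TCD, ACTVT and RFC_NAME are SAP's standard field names for these objects.
RFC_GROUPS = {"ZVI", "/VIAENET/ZVI0", "/VIAENET/ZVI_L", "/VIAENET/Z_HR", "SU_USER", "SYST",
              "SDTX", "RFC1", "RFC_METADATA", "SDIFRUNTIME", "SYSU", "/VIAENET/ZVIL_TABLE"}
REQUIRED = {
    "S_TCODE": {"TCD": {"SU01", "SU53", "PFCG"}},
    "S_ADDRESS1": {"ACTVT": {"01", "02", "03", "06"}},
    "S_USER_AGR": {"ACTVT": {"02", "03", "22", "78"}},
    "S_USER_GRP": {"ACTVT": {"01", "02", "03", "22", "78"}},
    "S_USER_AUT": {"ACTVT": {"03", "08"}},
    "S_USER_PRO": {"ACTVT": {"01", "02", "03", "22"}},
    "S_USER_SAS": {"ACTVT": {"01", "06", "22"}},
    "S_USER_UID": {"ACTVT": {"03"}},
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": RFC_GROUPS},
}
# Connector objects whose ACTVT decides between display-only and write access.
OP_OBJECTS = ("ZVIH_OP", "ZVIA_OP", "ZVIL_OP")
WRITE_ACTIVITIES = {"01", "02", "06"}


def covered(granted, value):
    """True if some granted value equals `value` or matches it as an SAP '*' range (e.g. Z*)."""
    return any(fnmatchcase(value, g) for g in granted)


def missing_values(role):
    """Return {object: {field: [values]}} for every minimum value the role does not grant."""
    gaps = {}
    for obj, fields in REQUIRED.items():
        for field, needed in fields.items():
            granted = role.get(obj, {}).get(field, set())
            lacking = sorted(v for v in needed if not covered(granted, v))
            if lacking:
                gaps.setdefault(obj, {})[field] = lacking
    return gaps


def write_capable(role):
    """Return the *_OP objects whose ACTVT grants a write activity (01, 02 or 06)."""
    return [o for o in OP_OBJECTS if role.get(o, {}).get("ACTVT", set()) & WRITE_ACTIVITIES]


# Constructed sample role: grants everything above except S_USER_UID, restricts role
# maintenance to Z* roles (ACT_GROUP is the role-name field of S_USER_AGR) and gives
# the connector objects the 03 display activity only.
SAMPLE_ROLE = {o: {f: set(v) for f, v in fs.items()} for o, fs in REQUIRED.items() if o != "S_USER_UID"}
SAMPLE_ROLE["S_USER_AGR"]["ACT_GROUP"] = {"Z*"}
SAMPLE_ROLE.update({o: {"ACTVT": {"03"}} for o in OP_OBJECTS})
```

Running `missing_values(SAMPLE_ROLE)` reports the forgotten S_USER_UID activity, and `write_capable(SAMPLE_ROLE)` is empty, which is what a read-only profile should return.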
NOTE: In SAP R/3 versions up to and including SAP Web Application Server 6.40, the password and user input are not case-sensitive. This no longer applies to the password for SAP NetWeaver Application Server 7.0 and later. Passwords are case sensitive.
All of SAP's own tools supplied up to SAP Web Application Server 6.40, apart from the SAP GUI (RFC-SDK, SAP .Net Connector), therefore convert the password to uppercase before passing it to SAP R/3. You must set the password in uppercase for the user account that the SAP .Net Connector uses to authenticate itself on the SAP R/3 system. If this is done, all the usual tools can also access SAP NetWeaver Application Server 7.0 by RFC.
NOTE: The Business Application Programming Interface in One Identity Manager is certified.
Certificates:
For more information, see SAP Certified Solutions Directory.
In order to access One Identity Manager data and business processes with the SAP R/3, you must load the Business Application Programming Interface (BAPI) into the SAP R/3 system. You will find the required transport files on the One Identity Manager installation medium in the Modules\SAP\dvd\AddOn\Bapi directory.
TIP: Instead of installing SAPTRANSPORT_70.ZIP, you can also install the Assembly Kit T070020759523_0000018.PAT. In this case, install the SAPAuthorization.zip transport beforehand, because the Assembly Kit does not contain any authorization objects.
For more information, see Uninstalling BAPI transports.
Install the BAPI transports in the following order:
Table 2: BAPI transports
1. SAPRepository.zip: Creates the /VIAENET/ namespace in the SAP system repository.
2. SAPTable.zip: Defines the table structure for /VIAENET/USERS in the SAP system dictionary.
3. SAPTRANSPORT_70.ZIP: Contains the functions defined in the /VIAENET/ environment. Select the transport package that suits your SAP system:
- Archive directory UNICODE: transports for systems that support Unicode; transports for copies
- Archive directory NON_UNICODE: transports for systems that do not support Unicode
- Archive directory UNICODE_WORKBENCH: transports for systems that support Unicode; workbench transports
- Archive directory NON_UNICODE_WORKBENCH: transports for systems that do not support Unicode; workbench transports
4. (Optional) SAPBusinesspartnerProxies.zip: Contains the functions defined in the /VIAENET/HELPER package. The transport is only required if an SAP S/4HANA system is connected and you want to map business partner data associated with SAP user accounts. Select the transport package that suits your SAP system.
5. (Optional) SAPAuthorization.zip: Imports all authorization objects defined in the /VIAENET/ environment as a workbench transport. The transport package contains only the authorization objects from the complete SAPTRANSPORT_70.ZIP transport package. Install this transport package if:
- The SAP R/3 connector uses other SAP R/3 BAPIs in parallel.
Set the following import options for the transport:
The SAP Add-On Assembly Kit allows SAP to support uninstalling a BAPI. An uninstallable Assembly Kit package is provided for this purpose.
Prerequisites
To uninstall a BAPI transport at a later date
To set up synchronization with an SAP R/3 environment, a server has to be available that has the following software installed on it:
- Windows operating system. The following versions are supported:
  - Windows Server 2022
  - Windows Server 2019
  - Windows Server 2016
  - Windows Server 2012 R2
  - Windows Server 2012
- Microsoft .NET Framework version 4.8 or later
NOTE: Take the target system manufacturer's recommendations into account.
- Windows Installer
- SAP .Net Connector 3.1 for x64, with at least version 3.1.2.0, for Microsoft .NET 4.8
- One Identity Manager Service, Synchronization Editor, SAP R/3 connector
  - Install One Identity Manager components with the installation wizard.
  - Select Select installation modules with existing database.
  - Select the Server | Job Server | SAP R/3 machine role.
Further requirements
- The following files must be either in the Global Assembly Cache (GAC) or in the One Identity Manager installation directory:
  - libicudecnumber.dll
  - rscp4n.dll
  - sapnco.dll
  - sapnco_utils.dll
- The following files must be in the Global Assembly Cache (GAC), in C:\Windows\System32, or in the One Identity Manager installation directory:
  - msvcp100.dll
  - msvcr100.dll
All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.
NOTE: If several target system environments of the same type are synchronized under the same synchronization server, it is recommended that you set up a Job server for each target system for performance reasons. This avoids unnecessary swapping of connections to target systems because a Job server only has to process tasks of the same type (re-use of existing connections).
To set up a Job server, perform the following steps.
- Create a Job server and install and configure the One Identity Manager Service.
  Use the Server Installer to install the One Identity Manager Service. The program runs the following steps:
  - Sets up a Job server.
  - Specifies machine roles and server functions for the Job server.
  - Installs the One Identity Manager Service components corresponding to the machine roles.
  - Configures the One Identity Manager Service.
  - Starts the One Identity Manager Service.
  Use the Server Installer to install the One Identity Manager Service locally or remotely.
  To install the One Identity Manager Service remotely, provide an administrative workstation on which the One Identity Manager components are installed. Before installing locally, ensure that the One Identity Manager components are installed on the server. For more information about installing One Identity Manager components, see the One Identity Manager Installation Guide.
- If you are working with an encrypted One Identity Manager database, declare the database key in the One Identity Manager Service. For more information about working with an encrypted One Identity Manager database, see the One Identity Manager Installation Guide.
- To generate processes for the Job server, you need the provider, connection parameters, and the authentication data. By default, this information is determined from the database connection data. If the Job server runs through an application server, you must configure extra connection data in the Designer. For more information about connection data, see the One Identity Manager Configuration Guide.
To install and configure the One Identity Manager Service on a server
- Start the Server Installer program.
NOTE: To install remotely, start the Server Installer program on your administrative workstation. To install locally, start the program on the server.
- On the Database connection page, enter the valid connection credentials for the One Identity Manager database. You can connect via the application server or directly to the database.
- On the Server properties page, specify the server on which you want to install the One Identity Manager Service.
  - Select a Job server from the Server menu.
  - OR -
  - To create a new Job server, click Add.
- Enter the following data for the Job server.
  - Server: Name of the Job server.
  - Queue: Name of the queue that handles the process steps. Each Job server within the network must have a unique queue identifier. The process steps are requested from the Job queue using this exact queue name. The queue identifier is entered in the One Identity Manager Service configuration file.
  - Full server name: Full server name in accordance with DNS syntax.
    Syntax: <Name of server>.<Fully qualified domain name>
NOTE: You can use the Extended option to make changes to other properties for the Job server. You can also edit the properties later with the Designer.
- On the Machine roles page, select SAP R/3.
- On the Server functions page, select SAP R/3 connector.
- On the Service Settings page, enter the connection data and check the One Identity Manager Service configuration.
NOTE: The initial service configuration is predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more information about configuring the service, see the One Identity Manager Configuration Guide.
  For a direct connection to the database:
  - In the module list, select Process collection > sqlprovider.
  - Click the Connection parameter entry, then click the Edit button.
  - Enter the connection data for the One Identity Manager database.
  - Click OK.
  For a connection to the application server:
  - In the module list, select the Process collection entry and click the Insert button.
  - Select AppServerJobProvider and click OK.
  - In the module list, select Process collection > AppServerJobProvider.
  - Click the Connection parameter entry, then click the Edit button.
  - Enter the address (URL) for the application server and click OK.
  - Click the Authentication data entry and click the Edit button.
  - In the Authentication method dialog, select the authentication module for logging in. Depending on the authentication module, other data may be required, such as user and password. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.
  - Click OK.
- To configure the installation, click Next.
- Confirm the security prompt with Yes.
- On the Select installation source page, select the directory with the install files. Change the directory if necessary.
- On the Service access page, enter the service's installation data.
  - Computer: Select the server on which you want to install and start the service from the menu, or enter the server's name or IP address. To run the installation locally, select Local installation from the menu.
  - Service account: Enter the details of the user account that the One Identity Manager Service runs under: the user account, its password, and the password confirmation.
  The service is installed using the user account with which you are logged in to the administrative workstation. If you want to use another user account for installing the service, you can enter it in the advanced options.
  You can also change the One Identity Manager Service details, such as the installation directory, name, display name, and the One Identity Manager Service description, using the advanced options.
- Click Next to start installing the service. Installation of the service runs automatically and may take some time.
- Click Finish on the last page of the Server Installer.
NOTE: In a default installation, the service is entered in the server's service management with the name One Identity Manager Service.