Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Troubleshooting an SAP R/3 connection Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Entering external user IDs for SAP user accounts

External authentication methods for logging in to a system can be used in SAP R/3. With One Identity Manager, you can maintain login data for logging in external system users, for example, Active Directory on an SAP R/3 environment.

You can use One Identity Manager to enter external user IDs and delete them.

To enter external IDs

  1. Select the SAP R/3 > External IDs category.

  2. Select the external identifier in the result list. Select the Change main data task.

    - OR -

    Click in the result list.

  3. Enter the required data on the main data form.

  4. Save the changes.

Enter the following data for an external identifier.

Table 54: External ID properties

Property

Description

External user ID

User login name for the user to log into external systems. The syntax you require depends on the type of authentication selected. The complete user identifier is compiled by template.

NOTE: The BAPI One Identity Manager uses the default settings RSUSREXT for generating the user identifier, which means that the user name is reset. The value provided in the interface is passed as prefix.

If you SAP R/3 environment uses something other than these default settings, modify the template for column SAPUserExtId.EXTID respectively.

External identifier type

Authentication type for the external user. This results in the syntax for the external identifier.

  • Distinguished Name for X.509: Login uses the distinguished name for X.509.

  • Windows NTLM or password verification with Windows domain controller: Login uses Windows NT Lan Manager or password verification with the Windows domain controller.

  • LDAP bind <user defined>: Login uses LDAP Bind (for other authentication mechanisms).

  • SAML Token: Authentication uses an SAML token profile.

The default type is specified in the TargetSystem | SAPR3 | Accounts | ExtID_Type configuration parameter.

Target system type

Can be called up together with the external ID type to test the login data. The default type is specified in the TargetSystem | SAPR3 | Accounts | TargetSystemID configuration parameter. Permitted values are ADSACCOUNT and NTACCOUNT.

External user ID is enabled

Specifies whether the system can use the external user ID for the user to log in with an external authentication system.

User account

Assignment of the external user ID to a user account.

Sequential number

Sequential number, if a user account has more than one external identifiers.

Valid from

Date from which the external user ID is valid.

Related topics

SAP groups, SAP roles, and SAP profiles

Groups, roles, and profiles are mapped in the One Identity Manager, in order to provide the necessary permissions for user accounts. Groups, roles, and profiles can be assigned to user accounts, requested, or inherited through hierarchical roles in One Identity Manager. No groups, roles, or profiles can be added or deleted.

Groups

You can share maintenance of user accounts over different administrators by assigning user accounts to groups.

Roles

A role includes all transactions and user menus that an SAP user requires to fulfill its tasks. Roles are separated into single and composite roles. Single roles can be grouped together into composite roles. User account member in the roles can be set for a limit period.

Profiles

Access permissions to the system are regulated though profiles. Profiles are assigned through single roles or directly to user accounts. Profiles can be grouped into composite profiles.

Editing main data of SAP groups, SAP roles, and SAP profiles

You can edit the following data about groups, roles, and profiles in One Identity Manager:

  • Assigned SAP user accounts
  • Usage in the IT Shop
  • Risk assessment
  • Inheritance through roles and inheritance restrictions
  • License information for system measurement

To edit group main data

  1. Select the SAP R/3 > Groups category.
  2. Select the group in the result list. Select the Change main data task.
  3. Enter the required data on the main data form.
  4. Save the changes.

To edit profile main data

  1. Select the SAP R/3 > Profiles category.
  2. Select a profile in the result list. Select the Change main data task.
  3. Enter the required data on the main data form.
  4. Save the changes.

To edit role main data

  1. Select the SAP R/3 > Roles category.
  2. Select the role in the result list. Select the Change main data task.
  3. Enter the required data on the main data form.
  4. Save the changes.
Detailed information about this topic

General main data of SAP groups

Table 55: Configuration parameters for risk assessment of SAP user accounts
Configuration parameter Effect when set
QER | CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating the risk index. Changes to the parameter require recompiling the database.

If the parameter is enabled, values for the risk index can be entered and calculated.

Edit the following main data of a group.

Table 56: SAP group main data
Property Description
Display name Name of the group as displayed in One Identity Manager tools. The group name is taken from the group identifier by default.
Name Name of group in the target system.
Client Client, in which the group is added.
Service item Service item data for requesting the group through the IT Shop.

Risk index

Value for evaluating the risk of assigning the group to user accounts. Set a value in the range 0 to 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.

Category Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the menu.
Description Text field for additional explanation.
IT Shop

Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested through the Web Portal and allocated by defined approval processes. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested through the Web Portal and allocated by defined approval processes. Direct assignment of the group to hierarchical roles or user accounts is not permitted.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating