The SAP connector lets you create, synchronize, and manage SAP users, groups, roles, locations, companies, user roles, and group membership within EmpowerID. This topic demonstrates how to configure and use the connector.
To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.
You also need the following from SAP to create your Account Store.
App server FQDN
When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.
Connecting EmpowerID to SAP involves the following steps.
To install SAP GUI Server
Download and extract the GUI7.3.zip file (or a newer version).
From that folder, copy the SAP .NET connector file, librfc32.dll and paste it into your C:\Windows\System32 folder.
To connect EmpowerID to SAP
There are two types of SAP connectors in EmpowerID.
The SAP ABAP connector connects to SAP ECC.
The SAP HCM connector connects to SAP HR.
You can set up either or both. This example shows how to connect to SAP ECC, but it uses the same settings for SAP HR.
Log in to the EmpowerID Management Console as an administrator.
Click the EmpowerID icon, and select
Configuration Manager from the menu.
Account Stores, and then click the
Add New button above the grid.
Add New Security Boundary window that opens, select the
SAP ABAP Security Boundary type and click
In the Add SAP ECC Connection window that appears, enter these settings.
Host - FQDN of your SAP Server e.g. sap.mySAPserver.com
Your SAP ECC System Administrator's user name
Your SAP ECC System Administrator's password
Confirm Password - Re-enter your password
System Number - The instance number from your SAP ECC account, e.g. 77.
Default Language - The two-letter language code to use, e.g. en.
Client - The client ID from your SAP ECC account, e.g. 500.
Ok. EmpowerID creates the SAP ECC account store and adds a record for it in the Account Stores and
Resource Systems grids.
EmpowerID uses these credentials to connect to your SAP account. If they are incorrect, the connection fails and the account store is not created.
The Account Store Details for the SAP ECC system opens so that you can configure it.
To configure the account store
The Details screen has three panes—a
General pane, an
Inventory pane, and a
Group Membership Reconciliation pane—each with settings for configuring a different aspect of the SAP
account store you just created. For more information, expand each drop-down below.
This pane is used to enable or disable inventory of the Account Store as well as to set the run schedule
for the EmpowerID Inventory Job.
Inventory Schedule - The time span between complete inventories of the Account Store. The
default value is 10 minutes. To change this (and other settings), click the
Enable Inventory - Allows EmpowerID to inventory the Account Store. The Inventory Job must
be enabled for inventory to occur. See below for more information.
Inventory Provision Request Workflow - The request workflow to initiate when new groups are
discovered during inventory. If you set this workflow, the
Allow Automatic Person Provision and
Allow Automatic Person Join flags described below are ignored.
Inventory Provision Request Workflow is not enabled by default and should be used only where customization of the process
Allow Automatic Person Provision on Inventory - Allows EmpowerID to provision EmpowerID people
for new accounts discovered during the inventory process if they meet the Provision Rule specified
Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
Allow Automatic Person Join on Inventory - This allows EmpowerID to join newly discovered
accounts to people during the inventory process if they meet the Join Rule as specified by the
Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
RBAC-Assign Initial Group Membership On First Inventory - This setting pertains to Active
Directory account stores only.
Re-Inventory - Enabling this option re-inventories all changes.
This pane is used to enable and set the schedule for how often to reconcile group membership for the
Membership Schedule - The time span between complete inventories of the account store. The
default value is 10 minutes. To change this, click the
Enable This Functionality - Allows or disallows EmpowerID to reconcile group membership for
the account store.
Before configuring EmpowerID to manage the account store, determine whether you want EmpowerID to provision Person objects from the user records it discovers. If so, answer the following questions before turning on inventory.
When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
How many user accounts can one Person have in the account store?
If people can have more than one user account in the account store, do you want EmpowerID to automatically join
any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
Inventory pane of the Account Store Details screen, toggle the Enable inventory button from a red sphere to a green check.
Click Run Now for the Inventory and Group Membership Reconciliation, and after a pause, click Refresh Data to see the Total Accounts, People, Groups, and Computers fields populate in the Inventory pane.