Connecting to SAP

The SAP connector lets you create, synchronize, and manage SAP users, groups, roles, locations, companies, user roles, and group membership within EmpowerID. This topic demonstrates how to configure and use the connector.

Prerequisites:

To connect EmpowerID to SAP, you need an SAP account, and you need to install SAP GUI Server on your EmpowerID Server.

You also need the following from SAP to create your Account Store.

  • Username
  • Password
  • App server FQDN
  • Instance number
  • System ID

When you connect EmpowerID to SAP and configure your SAP Account Store, the first time you run inventory, EmpowerID discovers all of the user accounts in SAP and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the SAP connector.

Connecting EmpowerID to SAP involves the following steps.

To install SAP GUI Server

  1. Download and extract the GUI7.3.zip file (or a newer version).
  2. Navigate to:
    GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\
    and run SetupAll.exe.
  3. In the installer, select SAP GUI for Windows 7.30 (Compilation 1) (or a newer version), and click Next.
  4. Select the target directory where you want to install it and click Next.
  5. When it finishes installing, open SAP Logon from the desktop icon.
  6. In SAP Logon, click to select the Connections folder, then in the toolbar, click New to create a new system entry.
  7. In the Create New System Entry wizard that appears, on the first page, click Next, then fill in the System Connection Parameters with values like the following on the second page.
    • Description: ECC
    • Application Server: FQDN of your SAP Server e.g. sap.mySAPserver.com
    • Instance Number: e.g. 77
    • System ID: e.g. EH9
    • SAProuter String: Leave this field empty.
  8. Click Finish. The new connection appears in the grid.
  9. Open File Explorer as Administrator and in the extracted GUI7.3.zip file, navigate to:
    GUI7.3\NW_7.0_Presentation_\PRES1\GUI\WINDOWS\WIN32\system\
  10. From that folder, copy the SAP .NET connector file, librfc32.dll and paste it into your C:\Windows\System32 folder.

To connect EmpowerID to SAP

There are two types of SAP connectors in EmpowerID.

  • The SAP ABAP connector connects to SAP ECC.
  • The SAP HCM connector connects to SAP HR.
You can set up either or both. This example shows how to connect to SAP ECC, but it uses the same settings for SAP HR.

  1. Log in to the EmpowerID Management Console as an administrator.
  2. Click the EmpowerID icon, and select Configuration Manager from the menu.
  3. Click Account Stores, and then click the Add New button above the grid.
  4. In the Add New Security Boundary window that opens, select the SAP ABAP Security Boundary type and click OK.
  5. In the Add SAP ECC Connection window that appears, enter these settings.
    1. Host - FQDN of your SAP Server e.g. sap.mySAPserver.com
    2. Username - Your SAP ECC System Administrator's user name
    3. Password - Your SAP ECC System Administrator's password
    4. Confirm Password - Re-enter your password
    5. System Number - The instance number from your SAP ECC account, e.g. 77.
    6. Default Language - The two-letter language code to use, e.g. en.
    7. Client - The client ID from your SAP ECC account, e.g. 500.

  6. Click Ok. EmpowerID creates the SAP ECC account store and adds a record for it in the Account Stores and Resource Systems grids.
  7. EmpowerID uses these credentials to connect to your SAP account. If they are incorrect, the connection fails and the account store is not created.
  8. The Account Store Details for the SAP ECC system opens so that you can configure it.

To configure the account store

The Details screen has three panes—a General pane, an Inventory pane, and a Group Membership Reconciliation pane—each with settings for configuring a different aspect of the SAP account store you just created. For more information, expand each drop-down below.

  • General Pane

    Use this pane to configure the Account Store.

    • Connection Account - The settings you used to connect to SAP. To change these settings (or any of the settings below), click the Edit button.
    • Credential Policy - The name of the Account Store resource system.
    • Password Manager Policy - The Password Manager policy to use for SAP.
    • Maximum Accounts per Person - The maximum number of user accounts from SAP that an EmpowerID Person can have. Unless you need users to join multiple accounts to the same Person, 1 is recommended.
    • Role and Location Re-Eval Order - If multiple account stores allow role and location recalculation, this ordinal number on each one tells EmpowerID which to give precedence.
    • Icon - The image to use to represent the Account Store.
    • Allow Password Sync - Allows or disallows EmpowerID to sync password changes discovered during inventory.
    • Queue Password Changes - Allows or disallows EmpowerID to send password changes to the Account Password Reset Inbox for batch processing.
    • Allow Person Provisioning - Allows or disallows EmpowerID Persons to be created from the user records discovered during inventory.
    • Allow RET Provisioning - Allows or disallows EmpowerID to create new Groups in SAP from requests discovered during inventory.
    • Allow RET De-Provisioning - Allows or disallows EmpowerID to delete Groups in SAP based on requests discovered during inventory.
    • Enable Attribute Flow - Allows or disallows attribute changes to flow between EmpowerID and the account store.
    • Recertify All Group Changes - Allows or disallows EmpowerID to generate recertification review tasks for all changes in SAP Groups.
  • Inventory Pane

    This pane is used to enable or disable inventory of the Account Store as well as to set the run schedule for the EmpowerID Inventory Job.

    • Inventory Schedule - The time span between complete inventories of the Account Store. The default value is 10 minutes. To change this (and other settings), click the Edit button.
    • Enable Inventory - Allows EmpowerID to inventory the Account Store. The Inventory Job must be enabled for inventory to occur. See below for more information.
    • Inventory Provision Request Workflow - The request workflow to initiate when new groups are discovered during inventory. If you set this workflow, the Allow Automatic Person Provision and Allow Automatic Person Join flags described below are ignored.
    • Inventory Provision Request Workflow is not enabled by default and should be used only where customization of the process is required.
    • Allow Automatic Person Provision on Inventory - Allows EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
    • Allow Automatic Person Join on Inventory - This allows EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
    • RBAC-Assign Initial Group Membership On First Inventory - This setting pertains to Active Directory account stores only.
    • Re-Inventory - Enabling this option re-inventories all changes.
  • Group Membership Reconciliation Pane

    This pane is used to enable and set the schedule for how often to reconcile group membership for the Account Store.

    • Membership Schedule - The time span between complete inventories of the account store. The default value is 10 minutes. To change this, click the Edit button.
    • Enable This Functionality - Allows or disallows EmpowerID to reconcile group membership for the account store.
Before configuring EmpowerID to manage the account store, determine whether you want EmpowerID to provision Person objects from the user records it discovers. If so, answer the following questions before turning on inventory.
  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?

For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Connecting EmpowerID to Active Directory.

  1. On the Inventory pane of the Account Store Details screen, toggle the Enable inventory button from a red sphere to a green check.
  2. Click Run Now for the Inventory and Group Membership Reconciliation, and after a pause, click Refresh Data to see the Total Accounts, People, Groups, and Computers fields populate in the Inventory pane.