About the EmpowerID SAP S/4HANA Connector

EmpowerID SAP S/4HANA Connector

Overview

The EmpowerID SAP S/4HANA Connector enables seamless integration between EmpowerID and SAP S/4HANA, allowing organizations to manage user accounts, roles, profiles, and access rights efficiently. The connector facilitates automatic synchronization, provisioning, and inventory of SAP Transaction Codes (TCodes), Authorization Objects, and Field Type values as rights within EmpowerID.

Key Features

Account Management

Inventory User Accounts: Automatically import SAP S/4HANA user accounts into EmpowerID.
Create User Accounts: Provision new SAP S/4HANA user accounts directly from EmpowerID.
Update User Accounts: Modify existing user account information.
Enable and Disable User Accounts: Control the activation status of user accounts.
Change User Passwords: Reset or update user passwords securely.

Role and Profile Management

Inventory Roles and Profiles: Import SAP roles and profiles as groups in EmpowerID.
Manage Memberships: Add or remove users from roles or profiles.
Synchronize Assignments: Keep role and profile assignments up-to-date across systems.

SAP TCode Inventory

Inventory SAP Modules: Retrieve all SAP modules and store them in EmpowerID.
Inventory Transaction Codes: Import SAP transaction codes and establish relationships between TCodes and SAP modules.
Assign Rights: Map transaction codes to local rights within EmpowerID for access control.

SAP Authorization Objects and Field Types Inventory

Inventory Authorization Objects: Import from SAP into EmpowerID’s rights management system.
Inventory Field Types: Capture field types from SAP for authorization control.
Map Relationships: Establish relationships between authorization objects, field types, roles, and transaction codes for comprehensive rights management.

Prerequisites

Required SAP Tables and Columns

The SAP proxy account must have read access to the following key SAP tables and columns:

SAP Table	Required Columns
ADCP	CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, NATION
ADR2	CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, TEL_NUMBER
ADR3	CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER
ADR6	CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER, FLGDEFAULT, SMTP_ADDR
ADRP	CLIENT, PERSNUMBER, DATE_FROM, NATION, NAME_FIRST, NAME_LAST
AGR_1016	MANDT, AGR_NAME, COUNTER, PROFILE
AGR_1251	MANDT, AGR_NAME, OBJECT, FIELD, LOW, HIGH
AGR_1252	MANDT, AGR_NAME, COUNTER
AGR_AGRS	MANDT, AGR_NAME, CHILD_AGR
AGR_DEFINE	MANDT, AGR_NAME
AGR_TEXTS	MANDT, AGR_NAME, SPRAS, LINE, TEXT
AGR_USERS	MANDT, AGR_NAME, UNAME, FROM_DAT, TO_DAT
AUSOBT	NAME, TYPE, OBJECT, FIELD, LOW
AUTHX	FIELDNAME
BUT000	CLIENT, PARTNER, TYPE
BUT051	CLIENT, RELNR, PARTNER1, PARTNER2, DATE_TO
BUT100	MANDT, PARTNER, RLTYP, DFVAL
DD04T	ROLLNAME, DDLANGUAGE, AS4LOCAL, AS4VERS
GRACFFCTRL	MANDT, APP_TYPE, FFOBJECT, CONNECTOR, CNTRL_ID
GRACFFOWNER	MANDT, APP_TYPE, FFOBJECT, CONNECTOR, OWNER
GRACFFOWNERT	MANDT, LANGU, APP_TYPE, FFOBJECT, CONNECTOR, OWNER
GRACFFUSER	MANDT, APP_TYPE, FFOBJECT, CONNECTOR, FF_USER
HRP1000	MANDT, PLVAR, OTYPE, OBJID, ISTAT, BEGDA, ENDDA, LANGU, SEQNR, OTJID
HRP1001	MANDT, OTYPE, OBJID, PLVAR, RSIGN, RELAT, ISTAT, PRIOX, BEGDA, ENDDA, VARYF, SEQNR, SCLAS, SOBID
HRP1032	MANDT, PLVAR, OTYPE, SUBTY, OBJID, ISTAT, ENDDA, BEGDA, VARYF, SEQNR
PA0000	MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR
PA0001	MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR
PA0002	MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR
PA0006	MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR
PA0016	MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR
PA0032	MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR
PA0105	MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR
PA2006	MANDT, PERNR, SUBTY, OBJPS, SPRPS, ENDDA, BEGDA, SEQNR
RSBPCE_TEAM	APPSET_ID, TEAM_ID, OBJVERS
RSBPCE_USER_TEAM	APPSET_ID, TEAM_ID, OBJVERS, USER_ID
T591S	MANDT, SPRSL, INFTY, SUBTY
TACT	ACTVT
TACTZ	BROBJ, ACTVT
TADIR	PGMID, OBJECT, OBJ_NAME
TB003	CLIENT, ROLE
TB003T	CLIENT, SPRAS, ROLE
TDEVC	DEVCLASS
TOBC	OCLSS
TOBJ	OBJCT
TOBJC	OBJCT, OCLSS
TOBJT	LANGU, OBJECT
TSAD3	CLIENT, TITLE
TSAD3T	CLIENT, TITLE, LANGU
TSTC	TCODE
TSTCT	SPRSL, TCODE
USCOMPANY	MANDT, COMPANY
USGRP	MANDT, USERGROUP
USGRP_USER	MANDT, BNAME, USERGROUP, FROM_DAT, TO_DAT
USOBT	NAME, TYPE, OBJECT, FIELD, LOW
USOBT_C	NAME, TYPE, OBJECT, FIELD, LOW
USOBX	NAME, TYPE, OBJECT
USOBX_C	NAME, TYPE, OBJECT
USORG	FIELD
USR01	MANDT, BNAME
USR02	MANDT, BNAME, GLTGV, GLTGB, USTYP, CLASS, UFLAG, TRDAT, LTIME
USR05	MANDT, BNAME, PARID
USR06	MANDT, BNAME
USR10	MANDT, PROFN, AKTPS, TYP
USR11	MANDT, LANGU, PROFN, AKTPS, PTEXT
USR21	MANDT, BNAME
USRACL	MANDT, BNAME
USREFUS	MANDT, BNAME
UST04	MANDT, BNAME, PROFILE
UST10C	MANDT, PROFN, AKTPS, SUBPROF
UST10S	MANDT, PROFN, AKTPS, OBJCT, AUTH
UST12	MANDT, OBJCT, AUTH, AKTPS, FIELD, VON, BIS

Required Remote Procedure Calls (BAPIs and RFCs)

The service account must be able to execute the following remote procedure calls:

Remote Procedure Call	Required Activity
BAPI_USER_ACTGROUPS_ASSIGN	Execute
BAPI_USER_CHANGE	Execute
BAPI_USER_CREATE1	Execute
BAPI_USER_DELETE	Execute
BAPI_USER_EXISTENCE_CHECK	Execute
BAPI_USER_GETLIST	Execute
BAPI_USER_GET_DETAIL	Execute
BAPI_USER_LOCK	Execute
BAPI_USER_UNLOCK	Execute
BAPI_USER_PROFILES_ASSIGN	Execute
IDENTITY_MODIFY	Execute
PING	Execute
RFCPING	Execute
RFC_GET_FUNCTION_INTERFACE	Execute
RFC_GET_NAMETAB	Execute
RFC_PING	Execute
RFC_READ_TABLE	Execute
RFC_READ_TABLE2	Execute
SUSR_CHECK_LOGON_DATA	Execute

General Requirements

SAP Account: A user account in SAP with necessary permissions.
SAP GUI Server Installation: Required on the EmpowerID server.
Connection Methods: EmpowerID supports Application Server and Message Server connections.

SAP Account Permissions

Access to Required Tables: The SAP proxy account must have read access to specific SAP tables.
Remote Procedure Calls: The service account must execute necessary BAPIs and RFCs.
Read-Only Connections: Read access to SAP tables for inventory operations.

Attribute Mapping

EmpowerID maps SAP user attributes to corresponding fields:

User Attributes

SAP Attribute	EmpowerID Attribute	Description
NAME_FIRST	FirstName	First name of the user
NAME_LAST	LastName	Last name of the user
NAMEMIDDLE	MiddleName	Middle name of the user
BNAME	LogonName	User logon name
BNAME	SystemIdentifier	Unique System Identifier of the user
TEL_NUMBER_MOBILE	MobileNumber	Mobile number of the user
TEL_NUMBER	Telephone	Home phone number of the user
SMTP_ADDR	Email	Email ID of the user
LANGU	PreferredLanguage	Preferred language of the user
UFLAG	Disabled	Indicates if the user is active
TITLE	PersonalTitle	Personal title of the user
TITLE_ACA1	AcademicTitle	Academic title of the user
FUNCTION	BusinessFunction	Business function of the user
ROOMNUMBER	RoomNumber	Room number of the user
FLOOR	Floor	Floor of the user
BUILDING	BuildingCode	Building code of the user
FAX_NUMBER	Fax	Fax number of the user
USERALIAS	Alias	Alias of the user
USTYP	UserType	Type of user account
SECURITY_POLICY	SecurityPolicy	Security policy assigned to the user
DEPARTMENT	Department	Department name of the user
CLASS	UserGroup	User group of the user
GLTGV	ValidFrom	Start date of user validity
GLTGB	ValidUntil	End date of user validity
ACCNT	AccountNo	Account number of the user
KOSTL	CostCenter	Cost center of the user
TZONE	TimeZone	Time zone of the user
PWDCHGDATE	PasswordLastChanged	Last password change date
TRDAT+LTIME	LastLogonTime	Last logon time of the user
COMPANY	Company	Company name of the user
PNAME	UserPrincipalName	SNC Name of the user

Role Attributes

SAP roles are imported into EmpowerID groups with the following attribute mappings:

SAP Role Attribute	EmpowerID Attribute	Description
AGR_NAME(AGR_DEFINE)	Name	Name of the Group.
“Role_” + AGR_NAME(AGR_DEFINE)	LogonName	Logon Name of the Group
TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS = '00000'	FriendlyName	Friendly Name of the Group
Concatenation of all rows from TEXT(AGR_TEXTS) where LINE column from AGR_TEXTS != '00000'	Description, Notes	Description, Notes of the Group
Use Relation FROM AGR_AGRS table	GroupTypeID	Identifier to distinguish the SAP role type as either single or composite role

Profile Attributes

SAP profiles are imported into EmpowerID groups with the following attribute mappings:

SAP Profile Attribute	EmpowerID Attribute	Description
PROFN(USR10)	Name	Name of the Group
“Profile_” + PROFN(USR10)	LogonName	Logon Name of the Group
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)	FriendlyName	Friendly Name of the Group
PTEXT(USR11)+(SAP CompositeProfile or SAP Single Profile)	Description	Description of the Group
Use TYP from USR10 table	GroupTypeID	Identifier to distinguish the SAP profile type as either single or composite profile
SAP Attribute	EmpowerID Attribute	Description
--------------	--------------------	-------------
AGR_NAME	Name	Name of the role
AGR_TEXTS	FriendlyName	Friendly name of the role
PROFN	LogonName	Logon name of the profile

Configuration Settings

EmpowerID provides configurable options for inventory of SAP TCodes and Authorization Objects:

Setting	Type	Description	Value
SAPInventorySAPPBAC	Boolean	Enables inventory of SAP TCodes and Authorization data	`true`
SAPInventorySAPPBACTcodes	Boolean	Enables inventory of TCodes only	`true`

For more detailed setup steps, refer to the Connecting to SAP S/4HANA guide.

EmpowerID SAP S/4HANA Connector

Overview​

Key Features​

Account Management​

Role and Profile Management​

SAP TCode Inventory​

SAP Authorization Objects and Field Types Inventory​

Prerequisites​

Required SAP Tables and Columns​

Required Remote Procedure Calls (BAPIs and RFCs)​

General Requirements​

SAP Account Permissions​

Attribute Mapping​

User Attributes​

Role Attributes​

Profile Attributes​

Configuration Settings​