
SAP ERP 6.0 and SAP S4/HANA

This connector exports and fulfills users and roles from/to an SAP ERP 6.0 or SAP HANA instance.

This page is about ERP/SAP ERP 6.0.

Package: ERP/SAP ERP 6.0

Overview

The SAP Enterprise Resource Planning (SAP ERP) software incorporates the core business processes of an organization, such as finance, production, supply chain services, procurements, human resources (HR), etc. The SAP ERP connector exports and fulfills data from/to an SAP ERP 6.0 system.

Prerequisites

Implementing this connector requires:

  • Reading the appsettings documentation first; see the appsettings.agent topic for additional information.
  • An ASE or HANA database with a service account, as a database administrator
  • A service account, as a SAP user with at least the roles for user management
  • The prerequisites for reading should be set up
  • The prerequisites for writing should be set up

ASE or HANA database with a service account, as a database administrator

To connect to the SAP database using SSH, use the following commands:

Code attributes enclosed with <> need to be replaced with a custom value before entering the script in the command line.

su sybaba
isql -S <database (ABA is the default value)> -U<administrator's login> -P<administrator's password> -X

For example (the password is single-quoted so that the shell does not expand the $ sequences in it):

isql -S ABA -Usapsso -P'V1H#M$4JIgU$qd' -X

Service account, as a SAP user with at least the roles for user management

Create a login for Identity Manager's service account with at least read access on the user management tables listed in the table below:

| Table | Usage |
| --- | --- |
| USR02 | Users table |
| AGR_USERS | Links between Users and Roles |
| AGR_TEXTS | Roles labels according to the language |
| USER_ADDR | |
| AGR_1016 AGR_PROF | Links between Profiles and Roles |
| USR10 | Profiles tables |
| USR11 | Profiles labels |
| AGR_DEFINE | Roles table |
| AGR_AGRS | Composition links |
| USGRP | Groups table |
| USGRPT | Groups labels |
| UST04 | Links between Users and Profiles |
| UST10C | Links between Profiles and Sub-profiles |
| AGR_TCODES | Links between Roles and Transactions |
| T002 | Languages codes |

For example:

Code attributes enclosed with <> need to be replaced with a custom value before entering the script in the command line.

-- Create the login and the database user, then grant read access (the login in this example is usercube)
execute sp_addlogin <login>, <password>, <database (ABA is the default value)>
go
use ABA
go
execute sp_adduser <login>
go
grant select on ABA.SAPSR3.USR02 to usercube
grant select on ABA.SAPSR3.AGR_USERS to usercube
grant select on ABA.SAPSR3.USER_ADDR to usercube
grant select on ABA.SAPSR3.AGR_1016 to usercube
grant select on ABA.SAPSR3.USR10 to usercube
grant select on ABA.SAPSR3.USR11 to usercube
grant select on ABA.SAPSR3.AGR_AGRS to usercube
grant select on ABA.SAPSR3.USGRP to usercube
grant select on ABA.SAPSR3.UST04 to usercube
grant select on ABA.SAPSR3.AGR_TCODES to usercube
grant select on ABA.SAPSR3.T002 to usercube
go

Set up the prerequisites for reading

To set up the prerequisites for reading follow the steps below.

Step 1 – Copy the DLL Sap.Data.Hana.Core.v2.1.dll into the Runtime of Identity Manager.


Step 2 – Unzip the “hdbclient.zip” archive to the C: drive and add the path to the Path environment variable.


Step 3 – Create environment variables: HDBADOTNET=C:\hdbclient\ado.net and HDBADOTNETCORE=C:\hdbclient\dotnetcore.

Set up the prerequisites for writing

NOTE: Make sure the Read prerequisites are configured first.

Step 1 – Copy the provided DLL sapnwrfc.dll into the Runtime of Identity Manager.

Step 2 – Unzip the dotnet86.zip archive to C:\dotnetx86.

Step 3 – Copy the DLLs icudt50.dll, icuin50.dll and icuuc50.dll into the Runtime of Identity Manager.


Step 4 – Disable DLLs search by adding the environment variable NLSUI_7BIT_FALLBACK=YES.


Step 5 – Add a new environment variable USERCUBE_DOTNET32 containing the path to dotnetx86 (e.g.: C:\dotnetx86\dotnet.exe).

Export

This connector extracts users, roles, profiles, profile memberships, role memberships and groups from an SAP ERP instance, and writes the output to CSV files.

Configuration

This process is configured through a connection in the UI and/or the XML configuration, and in the appsettings.agent.json > Connections section. See the Connection topic for additional information.

Code attributes enclosed with <> need to be replaced with a custom value before entering the script in the command line.

appsettings.agent.json
{
  ...
  "Connections": {
    ...
    "<ConnectionIdentifier>": {
      ...
    }
  }
}

Remember, the identifier of the connection, and thus the name of the subsection, must:

  • Be unique.
  • Not begin with a digit.
  • Not contain <, >, :, /, \, |, ?, *, or _.

For example:


appsettings.agent.json
{
    ...
    "Connections": {
        ...
        "SAPExportFulfillment": {
            "Server": "serverUrl",
            "AseLogin": "login",
            "AsePassword": "password",
            "Instance": "sapInstance",
            "Port": "4242",
            "Client": "123",
            "Language": "fr"
        }
    }
}

| Name | Type | Description |
| --- | --- | --- |
| IsHana (default value: false) | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. |
| AseLogin (required) | String | Login to connect to SAP ASE. |
| AsePassword (required) | String | Password to connect to SAP ASE. |
| Client (required) | String | Client id of SAP. |
| Instance (required) | String | Instance of the SAP database. |
| Language (required) | String | SAP language. |
| Port (required) | String | Port of the SAP ERP server. |
| Server (required) | String | URL of the SAP ERP server. |

Output details

This connector is meant to generate the following files in the ExportOutput folder:

  • SAPExportFulfillment_users.csv;
  • SAPExportFulfillment_roles.csv;
  • SAPExportFulfillment_usersroles.csv;
  • SAPExportFulfillment_profiles.csv;
  • SAPExportFulfillment_profilesprofiles.csv;
  • SAPExportFulfillment_rolesprofiles.csv;
  • SAPExportFulfillment_usersprofiles.csv;
  • SAPExportFulfillment_rolesroles.csv;
  • SAPExportFulfillment_groups.csv;
  • SAPExportFulfillment_rolestransactions.csv.

See the Application Settings topic for additional information.

Fulfill

This connector can provision users, role memberships and group memberships to SAP ERP.

Configuration

Same as for export, fulfill is configured through connections. See the SAP ERP 6.0 and SAP S4/HANA topic for additional information.

For example:

Code attributes enclosed with <> need to be replaced with a custom value before entering the script in the command line.

appsettings.agent.json
{
    ...
    "Connections": {
        ...
        "SAPExportFulfillment": {
            "Server": "<serverUrl>",
            "BapiLogin": "<login>",
            "BapiPassword": "<password>"
        }
    }
}

Setting attributes

| Name | Type | Description |
| --- | --- | --- |
| IsHana (default value: false) | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. |
| Server (required) | String | URL of the SAP ERP server. |
| BapiLogin (required) | String | Login to connect to the specified server. |
| BapiPassword (required) | String | Password to connect to the specified server. |

Password reset

See the appsettings.agent topic for additional information on how to configure password reset settings.

When setting a password for an SAP ERP user, the password attribute is defined by the password specified in the corresponding RessourceTypeMapping. See the Sap Resource Type Mapping topic for additional information.

Credential protection

Data protection can be ensured through:

  • RSA encryption, configured in the appsettings.encrypted.agent.json file
  • An Azure Key Vault safe

| Attribute | Naming Convention for the Key in Azure Key Vault |
| --- | --- |
| Server | Connections--<identifier>--Server |
| AseLogin | Connections--<identifier>--AseLogin |
| AsePassword | Connections--<identifier>--AsePassword |
| Instance | Connections--<identifier>--Instance |
| Port | Connections--<identifier>--Port |
| Client | Connections--<identifier>--Client |
| Language | Connections--<identifier>--Language |
| BapiLogin | Connections--<identifier>--BapiLogin |
| BapiPassword | Connections--<identifier>--BapiPassword |
| SystemNumber | Connections--<identifier>--SystemNumber |

  • A CyberArk Vault able to store Active Directory's Login, Password, and Server.

See the RSA Encryption, Azure Key Vault, and CyberArk's AAM Credential Providers topics for additional information.

Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be retrieved by Identity Manager from appsettings.cyberark.agent.json.

For example:


appsettings.cyberark.agent.json
{
  ...
  "Connections": {
    ...
    "SAPExportFulfillment": {
        "Login": "SAPExportFulfillment_CyberArkKey",
        "Password": "SAPExportFulfillment_CyberArkKey",
        "Server": "SAPExportFulfillment_CyberArkKey"
    }
  }
}
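
The following check applies the connection identifier rules from the Configuration section and the Azure Key Vault key naming convention above to the text of a settings file. It is an added example and not part of the product or its documentation; the function names, the choice to flag only AsePassword and BapiPassword as plaintext secrets, and the sample JSON are assumptions made for illustration.

```python
import json

# Assumption: only the two password attributes are flagged as plaintext secrets.
SECRET_ATTRIBUTES = ("AsePassword", "BapiPassword")
FORBIDDEN = set('<>:/\\|?*_')  # characters the page forbids in an identifier


def vault_key(identifier, attribute):
    """Key name per the page's convention: Connections--<identifier>--<attribute>."""
    return f"Connections--{identifier}--{attribute}"


def audit_connections(settings_text):
    """Return {identifier: {"problems": [...], "move_to_vault": [...]}}."""
    duplicated = set()

    def hook(pairs):
        # json.loads keeps only the last of two identical keys; record repeats.
        keys = [key for key, _ in pairs]
        duplicated.update(k for k in keys if keys.count(k) > 1)
        return dict(pairs)

    settings = json.loads(settings_text, object_pairs_hook=hook)
    report = {}
    for identifier, attrs in settings.get("Connections", {}).items():
        problems = []
        if identifier in duplicated:
            problems.append("not unique")
        if identifier[:1].isdigit():
            problems.append("begins with a digit")
        bad = sorted(FORBIDDEN & set(identifier))
        if bad:
            problems.append("contains " + " ".join(bad))
        plaintext = [a for a in SECRET_ATTRIBUTES if attrs.get(a)]
        report[identifier] = {
            "problems": problems,
            "move_to_vault": [vault_key(identifier, a) for a in plaintext],
        }
    return report


# Constructed sample (hypothetical identifiers and values).
SAMPLE = """{
  "Connections": {
    "SAPExportFulfillment": {"Server": "serverUrl", "AsePassword": "password"},
    "9SAP_Export": {"Server": "serverUrl"},
    "SAPExportFulfillment": {"Server": "otherUrl", "BapiPassword": "password"}
  }
}"""
print(audit_connections(SAMPLE))
```

In the sample, the repeated identifier is reported as not unique, and only the attributes of its last occurrence survive parsing, which is why the rule matters for a file edited by hand.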