[MUSIC PLAYING] When connecting R/3, ECC, or S/4HANA instances, the One Identity Manager Connect Synchronization Editor is used to configure the SAP connector for these instances. So, in this case I have started the Synchronization Editor and will configure a new connection to this SAP instance of mine.
So, running the Synchronization Editor project for SAP, we'll jump into the SAP R/3 Connection wizard, which will ask for specific information about the target system. As discussed earlier in this video series, there are three different ways an SAP environment can be contacted. One instance is using an application server, or SAP router, or the other possibility is to go through a messaging server. Depending on which configuration you encounter, you will have to choose different options on this screen.
The detailed information about the server names, the logon groups, and different configuration options depending on the connection option will be provided to you by the SAP basis administrators of the customer. In my environment, I will connect to the application server instance. So, I choose the SAP R/3 application server option.
Next, I will be asked for an SAP R/3 host or router, which is in this case the hostname of my SAP instance. The system number and the system ID will be provided to you by the SAP basis administrators. The system number is usually 00-- or, it has two numbers. And the system ID is a three-letter code. There are some recommendations from SAP how to name these system IDs.
Mainly, production systems start with P, test systems start with a T. But customers are not required to follow these naming conventions from SAP. So, in my case the system ID is completely different.
On this screen, no information is needed. Just in case, if your SAP user account that connects to SAP should use SNC logon, then you would have to check the SNC checkbox here, and need SNC configuration. SNC is the Secure Network Communications option of SAP so the communication will be encrypted. And the password to log on will be password-less using, for example, Active Directory, for every single sign-on. In my case, username, password will be required. So, no option is checked.
And on the next screen, I will be asked for client-specific information. Each SAP system can contain several clients. In my case, I will be connecting to client 400. And the logon name is the name of the service account I am going to use. In that case, I will use a pre-defined user and not the service account I have created, and provide the password for this user account. And the login language can be selected.
The login language is sometimes relevant if you have non-English instances or have translations for role names, et cetera. So, ask your customer if any customizations have been done that are not present in the English version.
So, when we go to the next screen, the connection will be tested. And during this test, not only the connection test is being executed, but also the transfers are going to be checked on the system. So, whether the user is a member of the role or has the required permissions, or the namespace is available on that client, this will be checked by this step. And when this step is successful, we will be going to the next screen, where we will get other configuration options.
So, the test has been executed. And the system is reachable. And the connection was successful. On the next screen, I can add additional expert settings. But the remaining steps are just fine.
So, when I click on Finish, the communication will be initiated. The schema will be downloaded from the SAP system, meaning checks will be executed on the SAP side as well as on the One Identity Manager database side. And the different options will be provided.
Once the schema has been loaded, when I click Next, One Identity Manager's Synchronization Editor will provide me with different project templates. Project templates define the subset of information that I want to synchronize from this instance of the SAP service, SAP server, or this client. So, the first synchronization would be the Base Administration. The Base Administration manages user accounts, roles, profiles, menus, and these options from an SAP system.
An additional project could be authorization objects, which will synchronize the contents of a profile, like transactions, authorization objects, fields, and their values. And a third option would be Business Warehouse. So, if I have other analysis authorizations configured in this system, I can synchronize this information.
Another option is employee objects. This will provide me information about employees, organizations, positions. If I want to have this information, or if I am interested in future dated events on employee objects, I will need to adjust a specific project template. If I am confident with what is provided in the standard template, I will get employees, their work dates, managers, departments, et cetera. And one last project template is structural profiles, which is specific permissions in the HR system that can be assigned to employees or accounts that are using the employee module, the HR module, to operate on employee data.
And there is another specific project template if the customer environment uses the CUA. The CUA is the Central User Administration component of SAP, in which case a central client is being promoted to master and will maintain the other client instances from the master instance of an SAP. So, basically this is the first version of an SAP-only identity management approach, where the master instance is maintaining client instances where user accounts are being provisioned, and permission is assigned through this master instance.
So, if the customer has this setup we will be able to synchronize the information from the CUA master, synchronize the information from the CUA client, and maintain this situation or this setup through One Identity Manager. Or we can resolve this situation by directly moving the client management or account management into One Identity Manager and resolving the CUA.
There are some dependencies between these project templates. So, for example, if you want to synchronize authorization objects which are the contents of profiles, then you will require-- or the system will require a Base Administration project template to be set up and executed. The synchronization must be run, because otherwise the authorization objects will not be added into the system, since the relationship between the transactions, and profiles, and authorization objects into profiles is not given.
Same is true for the HR parts. As you can see, if you want to synchronize HR structural profiles, then you should at least have the information about employees and the information about accounts that are in the SAP client. So, these are dependencies that you need to check before synchronizing these different templates.
For each template, when you select a template, the system will run and ask for additional information, like whether this system should be read-write or read-only connected. In most cases, read-write is the correct choice. In the HR module case, the read-write option is only valid if the customer wants the employees' communication data to be written back to the HR instance, which is email address, phone number, fax number. If the customer doesn't want this information to be fed back to the SAP HR module, then the read-only option is a safe option.
So, once you select the Next button, the Connector will ask you about the tables that are being synchronized and which changes should be filtered. The next screen will give you revision filter options, so you can select that revision filtering should be enabled. And you can select for which tables revision filtering should be enabled or not.
Finally, login information will be required. If you want to have login information for synchronization or provisioning operations, you can select them on these next two screens. And finally, you have to select the synchronization server queue where the synchronization will be executed. And the project will get a name, which you can change.
So, once the connection is being provisioned, all the schema objects will be set up, all the mappings will be predefined for you in this configuration template. And then customizations can be executed if necessary. So, as you can see, the mappings, as seen earlier, are in here. So, I can see user account information. And the user mapping has been set up for me.
These project templates provided by One Identity will allow you to easily kick off your project. These are meant as recommendations or based on our best practices that we see at customer sites. If this project template does not fit the customer environment, you are absolutely free to build your own mappings or start with this template and customize the project template mappings to your needs at the customer site. Or, if you want to start with a completely blank project, which I haven't mentioned earlier, in the project template screen you can select Blank Project Template, and you can create the mappings and schema objects you're interested in directly from there.
[MUSIC PLAYING]