One Identity Manager SAP Experience #3 Identity and user-lifecycle processes #1

[MUSIC PLAYING] When we synchronize an SAP client, we will get a lot more information than just only about the SAP client. The SAP client table is a system-wide table. So when we synchronize a specific client, we will get the list of all clients on that system as well as the login languages or licenses that are available on the system since licenses and login languages and printers are configured per system. In this scenario, we have the client 400, which is the client that we have synchronized in our Identity Manager environment. And in the client 400, we have 14 user accounts, 4,000 SAP roles, profiles, and companies, cost centers that you can see here in that system overview. So when I just jump to a specific user account-- in this case, it is Charles Purchasing-- you can see that the user account is linked to a specific client, is linked to an employee, and that a specific role has been assigned to this user account. As you can see, this role has also sub roles. In this case, this role is a composite role. Composite roles are roles that are containing other roles, and roles themself can contain SAP profiles. When I jump to specific SAP profiles in the environment, you can see there's a lot of SAP profiles available. I'm just selecting a generated SAP profile. And as you can see, that profile is linked to a single role. That role is assigned to the system and to a client. What we can also see in this environment that the profiles can contain SAP authorization, which is also being synchronized through the SAP connector. When I look into the details of a profile, we can see the contents that are being synchronized through the SAP connector. Identity Manager is capable of provisioning user accounts into SAP, changing them, and deleting them in the system that is being connected. As you can see on this screen, we have Purchasing Charles that has a user account assigned to him. What we can see in the details of that user account is the information that is being provisioned into SAP. If you look into the screen, you will see that this screen has been designed pretty much like the SU01 transaction in SAP to maintain user accounts. This data will be pre-filled based on account definition information that can be assigned to an employee and will be pre-generated and provisioned into the SAP system. So if you want to create a user account in SAP, we can easily go to the manager and directly create a new user account in the system or we can take an account definition that has been created for this SAP client and assign this account definition to the employee object that we'll also create based on templates and definitions and a user account for this client. In this scenario, we will create a user account directly in the SAP environment without assigning the user account definition to an employee. I'm going to enter the details. So once I've entered the details like client, user account name, first name, last name, company details, the necessary information that are required for this user account, the provisioning into the target system will be started and the user account will be provisioned into the target system. The same can be achieved, as described earlier, by assigning an account definition to an employee object. So next I will select an employee and assign an account definition to that employee, and the user account will be also created for this employee. So I'm going to select the employee HR Frank who does not have a user account in SAP, and I will just assign him an account definition, which will create a user account for SAP and then provision the user account into my SAP environment. In this case, I am selecting the account definition. As you can see, there's a list of account definitions, and this is the account definition for client 400 in my demo environment, and I'm assigning the account definition to my user employee, and the employee will get a user account created in this SAP client. Now that the provisioning to the target system has been successfully done, we will go into the SAP GUI and look how the created user accounts look like in SAP. And to review the SAP user account information, the transaction SU01 user maintenance will be needed. And once we executed the transaction, we can enter the user account name. In our case, the initially created, directly created user account was called estark. So I'm entering the estark account name. And by pressing onto this display icon, we will get the user account information displayed in SAP. So as you can see, last name, first name information has been synchronized. Login data has been synchronized. In this case, you can see when the user has been created until when the user account is being valid. And the rest of the information will be empty since no information has been provided maybe during the initial user account creation. So when we go back and review the second user account that has been created by assigning an account finishing to that employee, we can see that more information have been created in the SAP due to the detailed information that are available to the employee record. So as you can see, in contrast to the directly created user account, the HR Frank account has the department information synchronized into SAP. This information has been derived from the employee record. The employee is being assigned to the Human Resources department. So the Human Resources department has been provisioned to SAP as well. So when we look onto further information here-- logon data-- you can see that the user type is dialogue, that the user account is valid from and valid through dates have been set. Additionally, SNC information has been set, although the SNC information in this example is not correct. The SNC information has been derived from the user account name, which can be changed accordingly based on the templates that are available. The defaults have been set in this screen. You can see the default information has been adjusted to be 24-hour format and the German date format. [MUSIC PLAYING]