
Status

Stable. Works well.

Limitations:

  • no support for Central User Administration in SAP (CUA landscape),
  • liveSync doesn't see deleted accounts: you sometimes need to run a full recompute, or only disable (never delete) users in SAP,
  • on the first run (getLatestSyncToken) liveSync returns the current time as the SyncToken: synchronize the midPoint server time with the SAP server time, or run a full recompute after the first liveSync,
  • renaming an account is not supported in SAP.

Description

Connector for SAP R3, based on the SAP Java Connector. SAP JCo is proprietary; you need an SAP login to download it. The SAP connector itself is Apache-licensed.

The SAP connector uses BAPI functions to manage accounts in SAP. It supports all importing parameter types and table parameter types except UCLASSSYS, EXTIDHEAD, EXTIDPART and SYSTEMS for creating and changing account attributes, locking and unlocking the account and changing its password. You can assign/unassign SAP accounts to activity groups (SAP roles), to groups (USERGROUP) and to profiles managed in SAP. It also supports reading arbitrary SAP tables using the BAPI function RFC_GET_TABLE_ENTRIES, for example reading SAP activity groups (roles) from the AGR_DEFINE table or SAP user groups from the USGRP table.

Protocol

SAP's RFC protocol

Framework

ConnId 1.4.x, midPoint 3.3 support branch

Bundle name

com.evolveum.polygon.connector-sap

Connector name

com.evolveum.polygon.connector.sap.SapConnector

Capabilities and Features

Capability               Supported   Notes
Provisioning             YES
Live Synchronization     YES         liveSync doesn't find deleted accounts
Password                 YES
Activation               YES         status, validFrom, validTo, lockoutStatus
Filtering changes        -           currently limited
Paging support           YES         Simple Paged Results
Native attribute names   YES         Use ri:USERNAME instead of icfs:name, and also instead of icfs:uid if useUsernameAsNativeName is enabled

History

First official release.

Versions

Version   Origin    Binary         Sources   Build Date     Description
1.0.0.0   Polygon   download jar   GitHub    October 2016   Official release
1.0.1.0   Polygon   download jar   GitHub    June 2017      Official release

Documentation

Build with Maven

  1. download the SAP connector source code from GitHub
  2. download sapjco (SAP credentials needed) and find the sapjco3.jar for your hardware processor (tested with sapjco3-NTAMD64-3.0.13)
  3. put it into your local Maven repository, for example: 

    mvn install:install-file -Dfile="{pathToJCo}\sapjco3.jar" -DgroupId=com.sap.conn.jco -DartifactId=sapjco -Dversion=3.0.13 -Dpackaging=jar

  4. build the SAP connector with Maven: 

    mvn clean install -Dmaven.test.skip=true

  5. find connector-sap-*.jar in the \target folder

Installation

  1. download sapjco (SAP credentials needed) and read javadoc/installation.html
  2. install JCo on your operating system
  3. put sapjco3.jar into the {Tomcat_home}\lib\ directory
  4. put connector-sap-*.jar into the {midPoint_home}\icf-connectors\ directory
  5. run/restart Tomcat; midPoint searches for new connectors at startup

Object classes

The SAP connector by default supports these object classes:

  • AccountObjectClass (__ACCOUNT__) - read, create, update, delete users in SAP
  • CustomPROFILEObjectClass (PROFILE) - read profile names
  • CustomACTIVITYGROUPObjectClass (ACTIVITYGROUP) - read activity groups (roles) and their parent
  • CustomGROUPObjectClass (GROUP) - read user group names
  • any other SAP table to read, see the tables parameter

Config

Please see the help in the connector.

SAP has many user parameters, see here. There are several types of parameters; "Importing" and "Tables" are the relevant ones.

Importing parameter types are structures; for example, ADDRESS contains other single-value attributes such as FIRSTNAME. This is represented as "ADDRESS.FIRSTNAME" in midPoint.

Table parameter types and their rows are represented by the SAP connector as XML; for example, the connector attribute ACTIVITYGROUPS contains the value:

You can also use the attribute ACTIVITYGROUPS.AGR_NAME, which has the content "/CCM/CATALOG_APPROVER".

Other available attributes: PROFILES.BAPIPROF, GROUPS.USERGROUP.

Other table parameter types are supported only as XML. You can use XmlMatchingRule to compare them.

To speed up reading user details, set in the tableParameterNames config only the table type parameters you need, for example ACTIVITYGROUPS, or ignore all of them with <sap:tableParameterNames/>.

Reading any SAP table data

Using the BAPI function RFC_GET_TABLE_ENTRIES you can read any SAP table. You only need to define the table name and its structure in the tables parameter as follows:

{table name in SAP} as {alias in object class}={first field name:length{:IGNORE|KEY}},{next field what you need...}

If you don't need an attribute, you can ignore it using "IGNORE". To set which column is mapped to icfs:uid and icfs:name, use the "KEY" word. For example, activity groups are by default defined as:

You can find field names and lengths for example here (for AGR_DEFINE).

Data are returned by SAP as fixed-width records with no delimiter, so you must define all field names and their lengths in order to parse them correctly.

If you update the tableParameterNames or tables connector parameters via midPoint Configuration -> Repository objects, delete the <schema> section before saving in order to generate a new schema.
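As an added example (not the connector's own code), the Python below shows how a definition in the tables syntax above is parsed and how a fixed-width, delimiter-less row is then cut at the declared lengths, including the length check that catches a wrong or missing field length. The definition string, field names and lengths are constructed for illustration and are not the connector's real default for AGR_DEFINE.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed definition in the documented syntax; the connector's real default
# for activity groups is not reproduced here, field names/lengths are assumed.
TABLE_DEF = "AGR_DEFINE as ACTIVITYGROUP=MANDT:3:IGNORE,AGR_NAME:30:KEY,PARENT_AGR:30"
# Constructed row as RFC_GET_TABLE_ENTRIES returns it: no delimiters, each
# field padded to its declared length (3 + 30 + 30 = 63 characters).
SAMPLE_ROW = "100" + "/CCM/CATALOG_APPROVER".ljust(30) + "".ljust(30)

@dataclass
class Field:
    name: str
    length: int
    flag: Optional[str]  # "KEY", "IGNORE" or None

def parse_table_def(definition: str):
    """Parse '{table} as {alias}={field:length[:IGNORE|KEY]},...' into its parts."""
    m = re.fullmatch(r"\s*(\S+)\s+as\s+(\S+?)=(.+)", definition)
    if not m:
        raise ValueError("expected '{table} as {alias}={fields}'")
    table, alias, spec = m.groups()
    fields = []
    for item in spec.split(","):
        parts = item.strip().split(":")
        if len(parts) not in (2, 3) or not parts[1].isdigit():
            raise ValueError(f"bad field spec: {item!r}")
        flag = parts[2].upper() if len(parts) == 3 else None
        if flag not in (None, "KEY", "IGNORE"):
            raise ValueError(f"unknown flag in {item!r}")
        fields.append(Field(parts[0], int(parts[1]), flag))
    if sum(f.flag == "KEY" for f in fields) != 1:
        raise ValueError("exactly one field must be KEY (it maps to icfs:uid/icfs:name)")
    return table, alias, fields

def parse_row(fields: List[Field], row: str) -> dict:
    """Cut one delimiter-less row at the declared lengths; IGNORE fields are dropped."""
    expected = sum(f.length for f in fields)
    if len(row) != expected:  # a wrong length would silently shift later columns
        raise ValueError(f"row is {len(row)} chars, definition covers {expected}")
    record, pos = {}, 0
    for f in fields:
        value = row[pos:pos + f.length].rstrip()
        pos += f.length
        if f.flag != "IGNORE":
            record[f.name] = value
    return record
```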

 

SAP permissions

The following table contains all SAP permissions required for all use cases. Detailed permissions for each use case are shown in Use Cases.

Authorization Object   Field       Value
S_RFC                  ACTVT       16
                       RFC_NAME    BAPT, BFHV, DDIF_FIELDINFO_GET, RFC1, SDIFRUNTIME, SUSE, SUSO, SU_USER, SYST
                       RFC_TYPE    FUGR
S_RFC                  ACTVT       16
                       RFC_NAME    PASSWORD_FORMAL_CHECK
                       RFC_TYPE    FUNC
S_TCODE                TCD         SU01
S_TABU_NAM             ACTVT       03
                       TABLE       AGR_DEFINE, USGRP
S_USER_AGR             ACTVT       02
                       ACT_GROUP   * (may be restricted to specific values)
S_USER_GRP             ACTVT       01, 02, 03, 05, 06, 22, 78
                       CLASS       * (may be restricted to specific values)
S_USER_PRO             ACTVT       22
                       PROFILE     * (may be restricted to specific values)

Use Cases

The following table contains typical use cases, a list of related BAPI functions, and the SAP permissions needed for these use cases. See also testBapiFunctionPermission.

The "RFC authorisation" entry is the RFC_NAME which must be permitted in authorization object S_RFC for RFC_TYPE FUGR (see the table above).

Use case: test connection
  Functions: JCoDestination.ping()
  RFC authorisation: SYST
  Additional authorisations: none

Use case: search and list SAP accounts
  Functions: BAPI_USER_GETLIST, BAPI_USER_GET_DETAIL
  RFC authorisation: SU_USER
  Additional authorisations: S_USER_GRP
    ACTVT = 03 (Display)
    CLASS = * (may be restricted to specific values)

Use case: create, update, delete account; assign/unassign group
  Functions: BAPI_USER_CREATE1, BAPI_USER_CHANGE, BAPI_USER_DELETE
  RFC authorisation: SU_USER
  Additional authorisations: S_USER_GRP
    ACTVT = 01 (Create or generate), 02 (Change), 05 (Lock), 06 (Delete), 78 (Assign)
    CLASS = * (may be restricted to specific values)

Use case: use transaction to create and update account (when config useTransaction=true)
  Functions: BAPI_TRANSACTION_COMMIT, BAPI_TRANSACTION_ROLLBACK
  RFC authorisation: BAPT
  Additional authorisations: none

Use case: lock/unlock account
  Functions: BAPI_USER_LOCK, BAPI_USER_UNLOCK
  RFC authorisation: SU_USER
  Additional authorisations: S_USER_GRP
    ACTVT = 05 (Lock)
    CLASS = * (may be restricted to specific values)

Use case: assign/unassign activity groups
  Functions: BAPI_USER_ACTGROUPS_ASSIGN
  RFC authorisation: SU_USER
  Additional authorisations: S_USER_GRP
    ACTVT = 22 (Enter, Include, Assign)
    CLASS = * (may be restricted to specific values)
  and S_USER_AGR
    ACTVT = 02 (Change)
    ACT_GROUP = * (may be restricted to specific values)

Use case: assign/unassign profiles
  Functions: BAPI_USER_PROFILES_ASSIGN
  RFC authorisation: SU_USER
  Additional authorisations: S_USER_GRP
    ACTVT = 22 (Enter, Include, Assign)
    CLASS = * (may be restricted to specific values)
  and S_USER_PRO
    ACTVT = 22 (Enter, Include, Assign)
    PROFILE = * (may be restricted to specific values)

Use case: change password (when config changePasswordAtNextLogon=false), check password
  Functions: SUSR_USER_CHANGE_PASSWORD_RFC, SUSR_GENERATE_PASSWORD, SUSR_LOGIN_CHECK_RFC, PASSWORD_FORMAL_CHECK
  RFC authorisation: SUSO, SUSE, SDIFRUNTIME, DDIF_FIELDINFO_GET
  Additional authorisations: S_RFC
    RFC_NAME = PASSWORD_FORMAL_CHECK
    RFC_TYPE = FUNC

Use case: read any SAP table, see config tables (activity groups, user groups)
  Functions: RFC_GET_TABLE_ENTRIES
  RFC authorisation: RFC1
  Additional authorisations: S_TABU_NAME
    ACTVT = 03 (Display)
    TABLE = AGR_DEFINE (activity groups), USGRP (user groups), * (any table, to be restricted as required)

Use case: read profile
  Functions: BAPI_HELPVALUES_GET
  RFC authorisation: BFHV
  Additional authorisations: none

Use case: read additional account login info: LAST_LOGON_DATE, LOCK_STATUS, PASSWORD_STATUS (when config sap.config.alsoReadLoginInfo=true)
  Functions: SUSR_GET_ADMIN_USER_LOGIN_INFO
  RFC authorisation: SUSO
  Additional authorisations: S_TCODE
    TCD = SU01 (Display)


Resource Examples

Please see the samples on GitHub.

sap-medium.xml contains a sample to create/read an account in/from SAP with roles (activity groups) as RoleType. To use it, please also import role-activity-group-metarole.xml and object-template-role.xml (the SAP ActivityGroup metarole assignment mapping is enough), enable it, and import roles from SAP with task-import-activity-groups.xml.

sap-advanced.xml contains a sample to create/read an account in/from SAP with roles (activity groups) and also with profiles and groups as OrgType. In this sample, uniqueness of names is solved with the name prefixes 'r:' (role), 'p:' (profile) and 'g:' (group). Please import all files from the appropriate folder and run all import tasks.

In the subdirectory assignment, you see a sample similar to sap-advanced, but when you import an account from SAP, you also import the assigned SAP roles, profiles and groups into the extension attributes defined in extension-sap.xsd. From these new attributes, the enabled object-template-org.xml creates assignments to the appropriate OrgType (roles, profiles and groups).

 

Using Encryption / SAP SNC

This Section is under "heavy" work in progress .

If you deploy the connector without SNC, the communication between SAP and midPoint is not encrypted. To get a secure, strongly encrypted connection you have to use SAP SNC. Here is a short list of what you have to do: