The Identity functionalities of this connector enable you as an Identity administrator to configure SAP NetWeaver as a connected system and then make Identity users part of the SAP NetWeaver system. This enables the user or Identity administrator to reset SAP NetWeaver account passwords. This also enables you to enable and disable user accounts.
The Provisioning functionalities of this connector enable exporting and importing user accounts on a SAP NetWeaver system. The connector supports managing role and profile assignments for users. This includes exporting, adding, modifying, and deleting role and profile assignments of users.
This connector was developed and tested with SAP ECC 6.0. Because the connector uses standard user management BAPIs/RFCs for user management and provisioning, it is expected that the connector will work for other versions of SAP.
Functionalities
Identity Integration
Product Feature | Supported |
---|---|
Authenticate (Test Connection) | Yes |
Validate User | Yes |
Enable/Disable User | Yes |
Reset Password | Yes |
Expire Password Immediately | Yes |
Expire Password by Date | No |
Provisioning Integration
Data Format | Export | Create | Modify | Delete | Trigger |
---|---|---|---|---|---|
User | Yes | Yes | Yes | Yes | No |
Role | Yes | No | No | No | No |
GRC Role | Yes | No | No | No | No |
Value Lookup | Yes | No | No | No | No |
PersonalData | Yes | No | No | No | No |
OrganizationalAssignment | Yes | No | No | No | No |
Communication | Yes | No | No | No | No |
InternalControl | Yes | No | No | No | No |
Address | Yes | No | No | No | No |
Actions | Yes | No | No | No | No |
HRCombined | Yes | No | No | No | No |
PDObjectTypes | Yes | No | No | No | No |
Prerequisites
Ensure that these prerequisites are satisfied:
- An administrator account that can be used to establish a connection and has authority to manage accounts on the connected system.
- This connector uses SAP JCo3 to communicate with SAP. SAP JCo3 running on Windows requires the Visual Studio 2005 C/C++ runtime libraries, which are shipped as Windows side-by-side assemblies. If they are not available on the machine, download and install them from https://www.microsoft.com/en-us/download/details.aspx?id=21254 (64-bit) or https://www.microsoft.com/en-in/download/details.aspx?id=3387 (32-bit).
- Download the SAP JCo3 components from SAP Service Marketplace http://service.sap.com/connectors. The path to the download link is SAP Java Connector --> Tools & Services. The components are available as a zip file and are platform dependent, so download the ones suitable for your platform.
  Notes:
  - SAP libraries cannot be redistributed. You must have a valid SAP NetWeaver license to download the libraries as described in this chapter.
  - The JCo should be accessible to anyone who has an On-line Service System (OSS) ID.
- Extract sapjco3.jar and sapjco3.dll from the downloaded zip file. For non-Windows platforms, it is libsapjco3.so instead of sapjco3.dll.
Installing the SAP JCo dll and jar Files
Notes:
- Identity and Provisioning should already be installed prior to completing the procedures in this section.
- If a GIG is to be used it should already be installed prior to completing the procedures in this section.
- If the Workflow and Connectivity Studio is to be used, it should already be installed prior to completing the procedures in this section.
Follow the steps below for your server installation:
Identity
For the connector to support Identity features only, the SAP JCo components must be installed in the Identity Server. If the connector is used only for Identity, deployment of components in Provisioning is not required.
Ensure that these prerequisites are satisfied:
- For Windows platforms, ensure that Visual Studio 2005 C/C++ runtime libraries are installed.
- Download SAP JCo3 components suitable for your platform.
- Locate fisc-sap-dest-data-provider.jar from IdM Suite Software folder\Identity\Resource\Connectors\SAPNetWeaver.
For Windows platforms, follow these steps:
- Stop your Web application server.
- Copy the jar files sapjco3.jar and fisc-sap-dest-data-provider.jar to the lib folder of the application server. For apache-tomcat, it is:
<CATALINA_HOME>/lib
- Copy the sapjco3.dll file to this directory:
<installation folder>/IdM/identity/agentdll
- Add the agentdll folder to the path. This can be done using either one of the following options:
  - Update the PATH environment variable to include <installation folder>/IdM/identity/agentdll
  - Through tomcat's JAVA_OPTS as -Djava.library.path=<installation folder>/IdM/identity/agentdll
- Restart your Web application server.
Provisioning
For the connector to support Provisioning features, the SAP JCo components must be installed on the Provisioning Server. If the connector is used only for Provisioning, deployment of components in Identity is not required.
Ensure that these prerequisites are satisfied:
- For Windows platforms, ensure that Visual Studio 2005 C/C++ runtime libraries are installed.
- Download SAP JCo3 components suitable for your platform.
- Locate fisc-sap-dest-data-provider.jar from IdM Suite Software folder\Provisioning\Resource\Connectors\SAPNetWeaver.
For Windows platforms, follow these steps:
- Stop your Web application server.
- Copy the jar files sapjco3.jar and fisc-sap-dest-data-provider.jar to the lib folder of the application server. For apache-tomcat, it is:
<CATALINA_HOME>/lib
Note: You can skip this step (step 2) if Identity and Provisioning are sharing the same application server.
- Copy the sapjco3.dll file to this directory:
<installation folder>/Provisioning/dataforum/agentdll
- Add the agentdll folder to the path. This can be done using either one of the following options:
  - Update the PATH environment variable to include <installation folder>/Provisioning/dataforum/agentdll
  - Through tomcat's JAVA_OPTS as -Djava.library.path=<installation folder>/Provisioning/dataforum/agentdll
- Restart your Web application server.
GIG
If the connector is used in a GIG, the SAP JCo components must be installed in the GIG. If the connector is used only in a GIG, deployment of components in Identity and Provisioning is not required.
Ensure that these prerequisites are satisfied:
- For Windows platforms, ensure that Visual Studio 2005 C/C++ runtime libraries are installed.
- Download SAP JCo3 components suitable for your platform.
- Locate fisc-sap-dest-data-provider.jar from IdM Suite Software folder\Identity\Resource\Connectors\SAPNetWeaver.
For Windows platforms, follow these steps:
- Stop your Web application server.
- Copy the jar files sapjco3.jar and fisc-sap-dest-data-provider.jar to the lib folder of the application server. For apache-tomcat, it is:
<CATALINA_HOME>/lib
- Copy the sapjco3.dll file to these directories:
<installation folder>/gig/agentdll/idm
<installation folder>/gig/agentdll/prov
- Add the agentdll folders to the path. This can be done using either one of the following options:
  - Update the PATH environment variable to include <installation folder>/gig/agentdll/idm and <installation folder>/gig/agentdll/prov
  - Through tomcat's JAVA_OPTS as -Djava.library.path=<installation folder>/gig/agentdll/idm;<installation folder>/gig/agentdll/prov
- Restart your Web application server.
Workflow and Connectivity Studio
If the connector is used in the Workflow and Connectivity Studio, the SAP JCo components must be installed in the Studio.
Ensure that these prerequisites are satisfied:
- For Windows platforms, ensure that Visual Studio 2005 C/C++ runtime libraries are installed.
- Download SAP JCo3 components for Windows platforms.
- Stop the Workflow and Connectivity Studio.
- Copy the sapjco3.jar file to this directory:
<installation folder>/Provisioning/jars
- Copy the sapjco3.dll file to this directory:
<installation folder>/Provisioning/dataforum/agentdll
- Restart the Workflow and Connectivity Studio.
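The four procedures above place the same files in different folders, so the result is worth checking before the server is restarted. The PowerShell function below is an added example, not part of the product documentation: the function name, its parameters and the placeholder paths in the usage comment are assumptions, while the relative folders and file names are the ones listed in the steps.

```powershell
# Added example: verifies the SAP JCo file layout described in this section.
# Function and parameter names are illustrative; relative paths come from the steps above.
function Test-SapJcoLayout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Identity', 'Provisioning', 'GIG', 'Studio')]
        [string]$Component,
        [Parameter(Mandatory)]
        [string]$InstallRoot,                        # <installation folder>
        [string]$CatalinaHome = $env:CATALINA_HOME,  # <CATALINA_HOME>; not used for Studio
        # Pass the values the server process really starts with (service settings, setenv.bat).
        [string]$JavaOpts     = $env:JAVA_OPTS,
        [string]$PathValue    = $env:PATH
    )

    function New-Finding($Check, $Target, $Ok, $Detail) {
        [pscustomobject]@{ Component = $Component; Check = $Check; Target = $Target; Ok = $Ok; Detail = $Detail }
    }
    function Get-NormalizedPath([string]$Path) {
        try { [IO.Path]::GetFullPath($Path.Trim().Trim('"')).TrimEnd('\') } catch { $null }
    }

    # Expected locations per component, as listed in the installation steps.
    $bothJars = 'sapjco3.jar', 'fisc-sap-dest-data-provider.jar'
    $webLib   = if ($CatalinaHome) { Join-Path $CatalinaHome 'lib' } else { $null }
    $layout = switch ($Component) {
        'Identity'     { @{ JarDir = $webLib; Jars = $bothJars; DllDirs = @('IdM\identity\agentdll'); NeedsPath = $true } }
        'Provisioning' { @{ JarDir = $webLib; Jars = $bothJars; DllDirs = @('Provisioning\dataforum\agentdll'); NeedsPath = $true } }
        'GIG'          { @{ JarDir = $webLib; Jars = $bothJars; DllDirs = @('gig\agentdll\idm', 'gig\agentdll\prov'); NeedsPath = $true } }
        'Studio'       { @{ JarDir = (Join-Path $InstallRoot 'Provisioning\jars'); Jars = @('sapjco3.jar')
                            DllDirs = @('Provisioning\dataforum\agentdll'); NeedsPath = $false } }
    }

    # 1. Jar files: present, with a SHA-256 to compare against the files extracted from the SAP download.
    foreach ($jar in $layout.Jars) {
        $file  = if ($layout.JarDir) { Join-Path $layout.JarDir $jar } else { $jar }
        $found = [bool]$layout.JarDir -and (Test-Path -LiteralPath $file -PathType Leaf)
        $hash  = if ($found) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { 'missing' }
        New-Finding 'JarPresent' $file $found $hash
    }

    # 2. Directories the JVM searches for native libraries: PATH plus -Djava.library.path.
    $searchDirs = @($PathValue -split ';')
    if ($JavaOpts -match '-Djava\.library\.path=(?:"([^"]+)"|(\S+))') {
        $searchDirs += ($Matches[1] + $Matches[2]) -split ';'
    }
    $searchDirs = @($searchDirs | Where-Object { $_ } |
        ForEach-Object { Get-NormalizedPath $_ } | Where-Object { $_ })

    # 3. Native library: present in each agentdll folder, and that folder is searchable.
    $dllDirs = @($layout.DllDirs | ForEach-Object { Get-NormalizedPath (Join-Path $InstallRoot $_) })
    foreach ($dir in $dllDirs) {
        $dll   = Join-Path $dir 'sapjco3.dll'
        $found = Test-Path -LiteralPath $dll -PathType Leaf
        $hash  = if ($found) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { 'missing' }
        New-Finding 'DllPresent' $dll $found $hash
        if ($layout.NeedsPath) {
            $listed = $searchDirs -contains $dir   # -contains compares case-insensitively
            New-Finding 'DllDirOnSearchPath' $dir $listed 'PATH or -Djava.library.path'
        }
    }

    # 4. A second sapjco3.dll elsewhere on the search path may be loaded instead of the intended copy.
    foreach ($dir in ($searchDirs | Where-Object { $dllDirs -notcontains $_ } | Select-Object -Unique)) {
        $stray = Join-Path $dir 'sapjco3.dll'
        if (Test-Path -LiteralPath $stray -PathType Leaf) {
            New-Finding 'UnexpectedDllCopy' $stray $false (Get-FileHash -LiteralPath $stray -Algorithm SHA256).Hash
        }
    }
}

# Example (placeholder paths):
# Test-SapJcoLayout -Component GIG -InstallRoot 'D:\IdMSuite' -CatalinaHome 'D:\tomcat' |
#     Where-Object { -not $_.Ok } | Format-Table -AutoSize
```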
Creating the Connected System in the Admin UI
Note: You must have already performed the steps described in Installing the SAP JCo dll and jar Files before proceeding.
- Log in to Identity Administration and click the Systems tab.
- On the Connected System View page, click the Add button and select the SAP NetWeaver connected system from the Type drop-down list. The Connected System Details page displays the default values.
- Enter the desired information:

Definition
Supported Connectors | Displays whether the connected system is Identity only, Provisioning only, or both. |
Type | Select the connected system type. |
Locale | Select the preferred language (default: English). Locale specific information such as Display Name and Description can be added only while modifying the connected system. |
Name | The name for this connected system. Note: The name cannot be modified later. |
Display Name | The display name of the new connected system. |
Description | The description of the connected system. |
Associated With | Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
See Using the Global Identity Gateway with Connected Systems for additional information. |
Password Reset By | Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
- OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability. |
Provisioning Option | Select the provisioning option:
- Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow. |
Enable HPAM Support | Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity. |
Enable Transfer Of Accounts | Select to make the transfer of Accounts enabled (default cleared). |

Connection Information
Connection Type | Select the connection type:
- Direct (Default) - Connects directly to an SAP
- Group - Connects to a load balancing group of SAP instances. |
Application/Message Server Host | SAP server host address. This should be the host name of the ABAP (Advanced Business Application Programming) application server when the connection type is Direct and SAP message server when connection type is Group. |
Message Server Port | SAP message server port. This is an optional parameter used only when the connection type is Group. |
System Number/ID | The system number of the ABAP (Advanced Business Application Programming) application server when the connection type is Direct and System ID of the SAP system when connection type is Group. |
Group Name | Group name of SAP application servers. This is a mandatory parameter when connection type is Group. |
Client | The Client ID number. |
SAP Router String | The SAP router string for connection to systems behind a SAP router. |
Service Account Name | The name of the administrative user account used to connect to the server. |
Service Account Password | The administrative user password. |
Connection Pool (JCO) Size | Select the maximum number of connections that can be created in the connection pool by the connector to a SAP Server. As needed, the connection pool will grow only to this maximum limit. |
Unicode Enabled | Check this box if the connection is to be Unicode enabled. |
GRC Webservice URL | Specify the URL syntax to build the SAP GRC web service URL. This syntax is used to build the end point URL for each web service by substituting the place holders. Place holder ##WS_Name## is replaced with the web service name and ##Client_ID## is replaced with the Client provided with connected system. A sample URL syntax is: http://sapsrv:8000/sap/bc/srt/rfc/sap/##WS_Name##/##Client_ID##/##WS_Name##/##WS_Name##_binding |

Password Expiration Support
Expiration Options For Admin/OBO User Password Reset | Specify the password expiration: None or Immediate. |
System Owner | Add or Remove users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process. |

- Click the Test Connection button to test the Connection Information:
  - If successful, one or both of these messages may display:
    Message: Connection from Provisioning to the connected system was established successfully.
    Message: Connection from Identity to the connected system was established successfully.
  - If unsuccessful, one or both of these messages may display:
    Error: Failed to establish connection from Provisioning to the connected system.
    Error: Failed to establish connection from Identity to the connected system.
  Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning logs.
- (Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays.
  - Select the owners and then click the Select button. The system owner displays under the System Owner section.
  - To add additional system owners, click the Add button.
  - Select the owners and then click the Select button. The system owner displays under the System Owner section.
- On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system.
- Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 7.
- Click the Add Association button to associate the selected object categories to the connected system.
- Click the Back button to return to the Connected System View page. The new connected system displays in the list.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Creating the Connected System in the Studio
- Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
- Select the SAP NetWeaver connected system from the Type drop-down list. The default values display.
- Enter the desired information:

Definition
Type | Select the connected system type. |
Name | The name for this connected system. Note: The name cannot be modified later. |
Display Name | The display name of the new connected system. |
Description | The description of the connected system. |
Supported Connectors | Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here. |
Associated With | Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list. |
Password Reset By | Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
- OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability. |
Provisioning Option | Select the provisioning option:
- Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow. |
Enable HPAM Support | Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity. |
Enable Transfer Of Accounts | Select to make the transfer of Accounts enabled (default cleared). |

Connection Information
Connection Type | Select the connection type:
- Direct (Default) - Connects directly to an SAP
- Group - Connects to a load balancing group of SAP instances. |
Application/Message Server Host | SAP server host address. This should be the host name of the ABAP (Advanced Business Application Programming) application server when the connection type is Direct and SAP message server when connection type is Group. |
Message Server Port | SAP message server port. This is an optional parameter used only when the connection type is Group. |
System Number/ID | The system number of the ABAP (Advanced Business Application Programming) application server when the connection type is Direct and System ID of the SAP system when connection type is Group. |
Group Name | Group name of SAP application servers. This is a mandatory parameter when connection type is Group. |
Client | The Client ID number. |
SAP Router String | The SAP router string for connection to systems behind a SAP router. |
Service Account Name | The name of the administrative user account used to connect to the server. |
Service Account Password | The administrative user password. |
Connection Pool (JCO) Size | Select the maximum number of connections that can be created in the connection pool by the connector to a SAP Server. As needed, the connection pool will grow only to this maximum limit. |
Unicode Enabled | Check this box if the connection is to be Unicode enabled. |
GRC Webservice URL | Specify the URL syntax to build the SAP GRC web service URL. This syntax is used to build the end point URL for each web service by substituting the place holders. Place holder ##WS_Name## is replaced with the web service name and ##Client_ID## is replaced with the Client provided with connected system. A sample URL syntax is: http://sapsrv:8000/sap/bc/srt/rfc/sap/##WS_Name##/##Client_ID##/##WS_Name##/##WS_Name##_binding |

Password Expiration Support
Expiration Options For Admin/OBO User Password Reset | Specify the password expiration: None or Immediate. |

- Click the Connect button to test the Connection Information:
  - If successful, this message displays:
    Connection from Studio to the connected system was established successfully.
  - If unsuccessful, this message displays:
    Failed to establish connection from Studio to the connected system.
  Note: If the connection fails, additional messages may display providing more information regarding the failure.
- Click the Apply button to apply changes. The Category Association window displays.
- Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.
- Click the Add button to associate the selected object categories to the connected system.
- Click OK to accept selected categories.
See Copying, Modifying, and Deleting Connected Systems for additional information.
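The Connection Information fields described in both procedures above change meaning with the Connection Type, and the GRC Webservice URL is built by placeholder substitution. The PowerShell below is an added example, not product code, that checks a set of values against those field descriptions before they are entered. The function names, hashtable keys, the EXAMPLE_WS web service name and the sample host are constructed; the two-digit system number, three-character System ID and three-digit client formats are SAP conventions assumed here rather than stated on this page.

```powershell
# Added example: validates Connection Information values against the field
# descriptions above and expands the GRC Webservice URL syntax.
# Function names, hashtable keys and sample values are constructed for illustration.

function Expand-GrcUrlSyntax {
    param(
        [Parameter(Mandatory)][string]$Syntax,
        [string]$WebServiceName,
        [string]$Client
    )
    # Substitute only values that cannot alter the URL structure.
    if ($WebServiceName -notmatch '^[A-Za-z0-9_]+$') { throw "Web service name '$WebServiceName' has unexpected characters" }
    if ($Client -notmatch '^[0-9]{3}$')              { throw "Client '$Client' is not a three-digit client number" }

    # String.Replace is literal and case-sensitive: only the exact placeholders are substituted.
    $url = $Syntax.Replace('##WS_Name##', $WebServiceName).Replace('##Client_ID##', $Client)
    if ($url -match '##[^#]*##') { throw "Unreplaced placeholder $($Matches[0]) in GRC Webservice URL" }
    if ($url -match '\s')        { throw 'GRC Webservice URL contains whitespace' }

    $uri = $null
    if (-not [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -notin 'http', 'https') {
        throw "Not an absolute http(s) URL: $url"
    }
    $uri
}

function Test-SapConnectionInfo {
    param(
        [Parameter(Mandatory)][hashtable]$Info,
        [string]$SampleWebService = 'EXAMPLE_WS'   # placeholder web service name
    )
    $problems = @()
    $warnings = @()
    $sysId    = [string]$Info.SystemNumberOrId

    if (-not $Info.ServerHost) { $problems += 'Application/Message Server Host is empty' }
    $clientOk = [string]$Info.Client -match '^[0-9]{3}$'
    if (-not $clientOk) { $problems += 'Client should be the three-digit client number' }

    if ($Info.ConnectionType -eq 'Direct') {
        # Host is the ABAP application server; System Number/ID holds the system number.
        if ($sysId -notmatch '^[0-9]{2}$') { $problems += 'Direct: System Number/ID should be the two-digit system number' }
        if ($Info.MessageServerPort)       { $warnings += 'Direct: Message Server Port is used only for Group connections' }
    }
    elseif ($Info.ConnectionType -eq 'Group') {
        # Host is the message server; System Number/ID holds the System ID.
        if ($sysId -notmatch '^[A-Za-z][A-Za-z0-9]{2}$') { $problems += 'Group: System Number/ID should be the three-character System ID' }
        if (-not $Info.GroupName)                        { $problems += 'Group: Group Name is mandatory' }
    }
    else {
        $problems += "Connection Type must be Direct or Group, got '$($Info.ConnectionType)'"
    }

    # Expand the URL syntax once with a placeholder service name to prove it resolves.
    $endpoint = $null
    if ($Info.GrcUrlSyntax -and $clientOk) {
        try {
            $endpoint = Expand-GrcUrlSyntax -Syntax $Info.GrcUrlSyntax -WebServiceName $SampleWebService -Client $Info.Client
            if ($endpoint.Scheme -eq 'http') { $warnings += "GRC endpoint uses plain HTTP: $endpoint" }
        }
        catch { $problems += $_.Exception.Message }
    }

    [pscustomobject]@{
        Valid       = ($problems.Count -eq 0)
        Problems    = $problems
        Warnings    = $warnings
        GrcEndpoint = $endpoint
    }
}

# Constructed sample: a Group connection with the mandatory Group Name left empty.
$sample = @{
    ConnectionType   = 'Group'
    ServerHost       = 'sapmsg.example.internal'
    SystemNumberOrId = 'PRD'
    GroupName        = ''
    Client           = '100'
    GrcUrlSyntax     = 'http://sapsrv:8000/sap/bc/srt/rfc/sap/##WS_Name##/##Client_ID##/##WS_Name##/##WS_Name##_binding'
}
Test-SapConnectionInfo -Info $sample | Format-List
```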
Using JCo Trace
SAP JCo has native trace support. This is for debugging SAP JCo calls, and it can be controlled by using the configuration property SAP JCO Trace Level. If this is greater than 0, JCo traces are written to one or multiple files named JCO<date>_<time>.<no>.trc under the logs folder. JCo offers trace levels from 0 to 10. The amount of traced data increases with the chosen trace level. Each trace level also contains all the trace data from the lower trace levels.
JCo trace can be managed in Identity using the SAP JCO Trace Level property under the section Identity Server Logs, and in Provisioning under the section Provisioning Server Logs.
JCo trace can be managed for a GIG in the Admin UI -> Server tab, by selecting the GIG from GIG and changing this property under Configuration-> Logs.
JCo trace can be managed in the Workflow and Connectivity Studio by changing the property SAPJCOTraceLevel in studio.properties. Then either restart the Workflow and Connectivity Studio or reload the configuration using Tools -> Refresh Configuration for the changes to take effect.
Using the Connected System for Identity
Perform these procedures to configure the connector:
Connector Details for Identity
This table lists values to enter when associating the Identity user with an existing user in the connected system:
Field | System Attribute | Example Value |
---|---|---|
Login ID | USERNAME | BLANE |
Account ID | USERNAME | BLANE |
Identity
These standard BAPIs are used to achieve the Identity operations such as enable, disable, reset password, validate, and check the status of a SAP user account:
- BAPI_USER_GETLIST
- SUSR_LOGIN_CHECK_RFC
- BAPI_USER_EXISTENCE_CHECK
- BAPI_USER_LOCK
- BAPI_USER_CHANGE
- BAPI_USER_UNLOCK
During password reset, the initial password is set. This is a temporary password and the user must change this password when logging in from the SAP UI.
Identity Password Management
See the Identity Suite Administration documentation for details on password management.
Using the Connected System for Provisioning
Perform these procedures to configure the connector:
Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.
See the appendix SAP NetWeaver Library Workflows for details on the library workflows included in the IdM Suite.
Configuring for Export
Perform these procedures to configure the connector:
- Configuring the Export Connector
- Configuring the Export Link
From the Workflow and Connectivity Studio, select the SAP NetWeaver UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See the Workflow and Connectivity Studio document for details on creating export workflows.
Configuring the Export Connector
- In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:
- From the Configure Plug-in tab, set these properties as required:
Associated Connected System | Select the connected system from the list. The export operation will be done from this connected system. |
Data Formats | Select the type of data format to use: User, Role, GRC Role, Value Lookup, PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, Actions, HRCombined or PDObjectTypes. |
DeltaExportMode | Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected): |
DynamicConnectedSystem | Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected. |
DynamicConnectedSystemOption | Select how to control Dynamic System Support (DSS): |
EndDate | Enter the date (in the format YYYY-MM-DD) or select the date from the calendar to return PD objects that are valid before this date. Note: This property is available in PDObjectTypes data format only. |
ExecuteGIGAssociatedTaskAsynchronously | If this property is True, GIG associated tasks will execute asynchronously. |
ExportMode | Select the type of data to export: |
ExportRoleType | Select the type of role to be returned depending on whether you are connecting to a CUA or non CUA system: Note: This property is available in Role data format only. |
Filter | Specify a filter to return only those entries that match the search criteria. Use the Set Filter button that becomes active to create a filter (see "Set Filter" below). Note: This property is available in User, Role and GRC Role data formats only. |
FilterByAttributes | Specify a filter to return only those attributes that match the search criteria. Use the Set Filter button that becomes active to create a filter (see "Set Filter" below). Note: This property is available in PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, Actions and HRCombined data formats only. |
FilterByPerNo | Enter the employee number of a user. If set, only the details of the given user are returned and all other filter options are overridden. This must be the exact employee number (no wild card characters are supported). Note: This property is available in PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, Actions and HRCombined data formats only. |
FoldSubRecords | If set to TRUE, sub records will be folded and returned as attributes. Note: This property is available in User, Role, Communication, Address, Actions and HRCombined data formats only. |
GetUserDetails | Enter the name of a user. If set, only the details of the given user are returned. This must be the exact user name (no wild card characters are supported). Note: This property is available in User data format only. |
GRCRoleType | Select the type of GRC Role to be returned: Note: This property is available in GRC Role data format only. |
MaxResults | Select the maximum number of results to be returned (this works in conjunction with ExportMode when FullExport is selected). If this is 0, all entries matching the search criteria are returned. |
ObjectType | Select the type of PD object to be returned: WorkCenter, Job (default), OrganizationalUnit, or Position. Note: This property is available in PDObjectTypes data format only. |
PlanningStatus | Select the status of the PD object to be returned: All, Active (default), Planned, Submitted, Approved, or Rejected. Note: This property is available in PDObjectTypes data format only. |
StartDate | Enter the date (in the format YYYY-MM-DD) or select the date from the calendar to return PD objects that are valid after this date. Note: This property is available in PDObjectTypes data format only. |
ValueLookupType | Select the type of Value to Lookup: Note: This property is available in Value Lookup data format only. |
Note: Hover the pointer over a property to view its description.
Set Filter
Setting the filter is a means to narrow the search scope and return specific results. Enter the required text in the Filter field or click the Set button to set the search filter. The Set Filter window displays.
Attributes | Select the attribute of the filter. This represents the attribute name for searching the SAP NetWeaver directory. SAP supports only certain attributes to be used in the filter. Only the supported attributes are listed while configuring the filter. |
Comparison | Select the operator value for this filter. |
Condition List | Lists configured conditions. |
Add | Creates a condition based on the settings and adds it to the Condition List. |
Delete | Removes the selected condition from the Condition List. |
Clear | Removes all conditions from the Condition List. |
All must be TRUE (AND) | If there is more than one condition in the Condition List, the filter is created by linking the conditions using AND. If this is used, only the entries matching all conditions are returned while executing the export task. |
Any must be TRUE (OR) | If there is more than one condition in the Condition List, the filter is created by linking the conditions using OR. If this is used, entries matching any conditions are returned while executing the export task. Note: This option is not available for the FilterByAttributes property. |
Filter Syntax | Displays the filter syntax used to retrieve entries from the SAP Server and to build the export list. |
Edit Filter Manually | Check this box to manually edit the filter in the Filter Syntax to build complex filters. |
Notes:
- For the AND operator, if more than one identical field for the same structured multi-valued attribute is specified, the filter returns an empty
- While building a filter involving texts, if the number of characters exceeds the value specified by SAP, the filter ignores the characters beyond that permitted value.
3. (Optional) Select the Attributes tab. Only standard attributes display
Modify schema attributes using these buttons:
Add | Adds additional attributes to the list. The Add New Attribute dialog displays. |
Export | Exports the schema list to an XML file. |
Import | Imports the schema list from an XML file. |
Refresh Schema | Dynamically discovers the schema from the connected system. It also includes local as well as global attributes added in the Studio. |
Reset Schema | Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variable added. |
For information about supported attributes, see the sections Single Valued Attributes and Structured Multi-valued Attributes.
5. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
6. Click OK to save any changes and return to the Workflow and Connectivity Studio.
Connector Attributes
These are the attributes per data format:
- User Attributes
- Role Attributes
- GRC Role Attributes
- Value Lookup Attributes
- PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, HRCombined, and PDObjectTypes Attributes
- Actions Attributes
User Attributes
Single Valued Attributes
This table lists the single-valued attributes supported for User data format. All attributes can be exported except PASSWORD.BAPIPWD. Only USERNAME is needed to delete a user. Other attributes are not considered when changetype is delete. M = Mandatory.
Attribute Name | Type | Length | Import | Import Add | Description |
---|---|---|---|---|---|
USERNAME | CHAR | 12 | M | M | Primary Key User Name |
ADDRESS.ADDR_NO | CHAR | 10 | Y | Y | Address number |
ADDRESS.ADR_NOTES | CHAR | 50 | Y | Y | Address notes |
ADDRESS.BIRTH_NAME | CHAR | 40 | Y | Y | Name of person at birth |
ADDRESS.BUILDING | CHAR | 10 | Y | Y | old: building (no. or abbreviation) |
ADDRESS.BUILDING_P | CHAR | 10 | Y | Y | Building (number or code) |
ADDRESS.BUILD_LONG | CHAR | 20 | Y | Y | Building (number or code) |
ADDRESS.CHCKSTATUS | CHAR | 1 | Y | Y | City file test status |
ADDRESS.CITY | CHAR | 40 | Y | Y | City |
ADDRESS.CITY_NO | CHAR | 12 | Y | Y | City code for city/street file |
ADDRESS.COMM_TYPE | CHAR | 3 | Y | Y | Communication Method (Key) (Business Address Services) |
ADDRESS.COUNTRY | CHAR | 3 | Y | Y | Country Key |
ADDRESS.COUNTRYISO | CHAR | 2 | Y | Y | Country ISO code |
ADDRESS.C_O_NAME | CHAR | 40 | Y | Y | C/O name |
ADDRESS.DELIV_DIS | CHAR | 15 | Y | Y | (Not Supported) Post Delivery District |
ADDRESS.DEPARTMENT | CHAR | 40 | Y | Y | Department |
ADDRESS.DISTRCT_NO | CHAR | 8 | Y | Y | District code for City and Street file |
ADDRESS.DISTRICT | CHAR | 40 | Y | Y | District |
ADDRESS.DONT_USE_P | CHAR | 4 | Y | Y | PO Box Address Undeliverable Flag |
ADDRESS.DONT_USE_S | CHAR | 4 | Y | Y | Street Address Undeliverable Flag |
ADDRESS.E_MAIL | CHAR | 241 | Y | Y | E-Mail Address |
ADDRESS.FAX_EXTENS | CHAR | 10 | Y | Y | First fax no.: extension |
ADDRESS.FAX_NUMBER | CHAR | 30 | Y | Y | First fax no.: dialing code+number |
ADDRESS.FIRSTNAME | CHAR | 40 | Y | Y | First name |
ADDRESS.FLOOR | CHAR | 10 | Y | Y | Floor in building |
ADDRESS.FLOOR_P | CHAR | 10 | Y | Y | Floor in building |
ADDRESS.FULLNAME | CHAR | 80 | Y | Y | Full name of person |
ADDRESS.FULLNAME_X | CHAR | 1 | Y | Y | Status of Field 'Full Name' NAME_TEXT |
ADDRESS.FUNCTION | CHAR | 40 | Y | Y | Function |
ADDRESS.HOMECITYNO | CHAR | 12 | Y | Y | Different city for city/street file |
ADDRESS.HOME_CITY | CHAR | 40 | Y | Y | City (different from postal city) |
ADDRESS.HOUSE_NO | CHAR | 10 | Y | Y | House Number |
ADDRESS.HOUSE_NO2 | CHAR | 10 | Y | Y | House number supplement |
ADDRESS.HOUSE_NO3 | CHAR | 10 | Y | Y | (Not supported) House Number Range |
ADDRESS.INHOUSE_ML | CHAR | 10 | Y | Y | Int. mail postal code |
ADDRESS.INITIALS | CHAR | 10 | Y | Y | "Middle Initial" or personal initials |
ADDRESS.INITS_SIG | CHAR | 10 | Y | Y | Short name for correspondence |
ADDRESS.LANGU | CHAR | 1 | Y | Y | Language Key |
ADDRESS.LANGUCPISO | CHAR | 2 | Y | Y | Language according to ISO 639 |
ADDRESS.LANGUP_ISO | CHAR | 2 | Y | Y | Language according to ISO 639 |
ADDRESS.LANGU_CR_P | CHAR | 1 | Y | Y | Address record creation original language |
ADDRESS.LANGU_ISO | CHAR | 2 | Y | Y | Language according to ISO 639 |
ADDRESS.LANGU_P | CHAR | 1 | Y | Y | Language Key |
ADDRESS.LASTNAME | CHAR | 40 | M | Y | Last name |
ADDRESS.LOCATION | CHAR | 40 | Y | Y | Street 5 |
ADDRESS.MIDDLENAME | CHAR | 40 | Y | Y | Middle name or second forename of a person |
ADDRESS.NAMCOUNTRY | CHAR | 3 | Y | Y | Country for name format rule |
ADDRESS.NAME | CHAR | 40 | Y | Y | Name 1 |
ADDRESS.NAMEFORMAT | CHAR | 2 | Y | Y | Name format |
ADDRESS.NAME_2 | CHAR | 40 | Y | Y | Name 2 |
ADDRESS.NAME_3 | CHAR | 40 | Y | Y | Name 3 |
ADDRESS.NAME_4 | CHAR | 40 | Y | Y | Name 4 |
ADDRESS.NICKNAME | CHAR | 40 | Y | Y | Nickname or name used |
ADDRESS.PBOXCIT_NO | CHAR | 12 | Y | Y | City PO box code (City file) |
ADDRESS.PCODE1_EXT | CHAR | 10 | Y | Y | (Not Supported) City Postal Code Extension (e.g., ZIP+4+2 Code) |
ADDRESS.PCODE2_EXT | CHAR | 10 | Y | Y | (Not Supported) PO Box Postal Code Extension |
ADDRESS.PCODE3_EXT | CHAR | 10 | Y | Y | (Not Supported) Major Customer Postal Code Extension |
ADDRESS.PERS_NO | CHAR | 10 | Y | Y | Person number |
ADDRESS.POBOX_CTRY | CHAR | 3 | Y | Y | PO box country |
ADDRESS.POSTL_COD1 | CHAR | 10 | Y | Y | City postal code |
ADDRESS.POSTL_COD2 | CHAR | 10 | Y | Y | PO Box postal code |
ADDRESS.POSTL_COD3 | CHAR | 10 | Y | Y | Company postal code (for large customers) |
ADDRESS.PO_BOX | CHAR | 10 | Y | Y | PO Box |
ADDRESS.PO_BOX_CIT | CHAR | 40 | Y | Y | PO Box city |
ADDRESS.PO_BOX_REG | CHAR | 3 | Y | Y | Region for PO Box (Country, State, Province, ...) |
ADDRESS.PO_CTRYISO | CHAR | 2 | Y | Y | Country ISO code |
ADDRESS.PO_W_O_NO | CHAR | 1 | Y | Y | Flag: PO Box without number |
ADDRESS.PREFIX1 | CHAR | 20 | Y | Y | Name prefix |
ADDRESS.PREFIX2 | CHAR | 20 | Y | Y | 2nd name prefix |
ADDRESS.REGIOGROUP | CHAR | 8 | Y | Y | Regional structure grouping |
ADDRESS.REGION | CHAR | 3 | Y | Y | Region (State, Province, County) |
ADDRESS.ROOM_NO | CHAR | 10 | Y | Y | Room or Apartment Number |
ADDRESS.ROOM_NO_P | CHAR | 10 | Y | Y | Room or Apartment Number |
ADDRESS.SECONDNAME | CHAR | 40 | Y | Y | Second surname of a person |
ADDRESS.SORT1 | CHAR | 20 | Y | Y | Search Term 1 |
ADDRESS.SORT1_P | CHAR | 20 | Y | Y | Search Term 1 |
ADDRESS.SORT2 | CHAR | 20 | Y | Y | Search Term 2 |
ADDRESS.SORT2_P | CHAR | 20 | Y | Y | Search Term 2 |
ADDRESS.STREET | CHAR | 60 | Y | Y | Street |
ADDRESS.STREET_NO | CHAR | 12 | Y | Y | Street Number for City/Street File |
ADDRESS.STR_ABBR | CHAR | 2 | Y | Y | (Not Supported) Abbreviation of Street Name |
ADDRESS.STR_SUPPL1 | CHAR | 40 | Y | Y | Street 2 |
ADDRESS.STR_SUPPL2 | CHAR | 40 | Y | Y | Street 3 |
ADDRESS.STR_SUPPL3 | CHAR | 40 | Y | Y | Street 4 |
ADDRESS.TAXJURCODE | CHAR | 15 | Y | Y | Tax Jurisdiction |
ADDRESS.TEL1_EXT | CHAR | 10 | Y | Y | First Telephone No.: Extension |
ADDRESS.TEL1_NUMBR | CHAR | 30 | Y | Y | First telephone no.: dialing code+number |
ADDRESS.TIME_ZONE | CHAR | 6 | Y | Y | Address time zone |
ADDRESS.TITLE | CHAR | 30 | Y | Y | Title text |
ADDRESS.TITLE_ACA1 | CHAR | 20 | Y | Y | Academic Title: Written Form |
ADDRESS.TITLE_ACA2 | CHAR | 20 | Y | Y | 2nd academic title: written form |
ADDRESS.TITLE_P | CHAR | 30 | Y | Y | Title text |
ADDRESS.TITLE_SPPL | CHAR | 20 | Y | Y | Name supplement (e.g., noble title [written form]) |
ADDRESS.TRANSPZONE | CHAR | 10 | Y | Y | Transportation zone to or from which the goods are delivered |
ALIAS.USERALIAS | CHAR | 40 | Y | Y | Internet user alias |
COMPANY.COMPANY | CHAR | 42 | Y | Y | Company address, cross-system key |
DEFAULTS.CATTKENNZ | CHAR | 1 | Y | Y | CATT: Test status |
DEFAULTS.DATFM | CHAR | 1 | Y | Y | Date format |
DEFAULTS.DCPFM | CHAR | 1 | Y | Y | Decimal notation |
DEFAULTS.KOSTL | CHAR | 8 | Y | Y | Cost center |
DEFAULTS.LANGU | CHAR | 1 | Y | Y | Language |
DEFAULTS.SPDA | CHAR | 1 | Y | Y | Print parameter 3 |
DEFAULTS.SPDB | CHAR | 1 | Y | Y | Print parameter 2 |
DEFAULTS.SPLD | CHAR | 4 | Y | Y | Spool: Output device |
DEFAULTS.SPLG | CHAR | 1 | Y | Y | Print parameter 1 |
DEFAULTS.START_MENU | CHAR | 30 | Y | Y | Start menu |
DEFAULTS.STCOD | CHAR | 20 | Y | Y | Start menu (old, replaced by XUSTART) |
DEFAULTS.TIMEFM | CHAR | 1 | Y | Y | Time Format (12/24-Hour Specification) |
ISLOCKED.GLOB_LOCK | CHAR | 1 | N | N | Status of User Lock |
ISLOCKED.LOCAL_LOCK | CHAR | 1 | N | N | Status of User Lock |
ISLOCKED.NO_USER_PW | CHAR | 1 | N | N | Status of User Lock |
ISLOCKED.WRNG_LOGON | CHAR | 1 | N | N | Status of User Lock |
LASTMODIFIED.MODDATE | DATE | 8 | N | N | Modification date |
LASTMODIFIED.MODTIME | TIME | 6 | N | N | Modification time |
LOGONDATA.ACCNT | CHAR | 12 | Y | Y | Account ID |
LOGONDATA.BCODE | BYTE | 8 | Y | Y | Password Hash Key |
LOGONDATA.CLASS | CHAR | 12 | Y | Y | User group in user master maintenance |
LOGONDATA.CODVC | CHAR | 1 | Y | Y | Code Version of Password Hash Algorithm (New Systems) |
LOGONDATA.CODVN | CHAR | 1 | Y | Y | Code Version of Password Hash Algorithm (Old Systems) |
LOGONDATA.GLTGB | DATE | 8 | Y | Y | User valid to |
LOGONDATA.GLTGV | DATE | 8 | Y | Y | User valid from |
LOGONDATA.LTIME | TIME | 6 | N | N | Last Logon Time |
LOGONDATA.PASSCODE | BYTE | 20 | Y | Y | Password Hash Value (SHA1, 160 Bit) |
LOGONDATA.TZONE | CHAR | 6 | Y | Y | Time Zone |
LOGONDATA.USTYP | CHAR | 1 | Y | Y | User Type |
NAME_IN.BAPIBNAME | CHAR | 12 | Y | Y | User Name in User Master Record |
PASSWORD.BAPIPWD | CHAR | 40 | M | Y | New password |
REF_USER.REF_USER | CHAR | 12 | Y | Y | User Name in User Master Record |
SNC.GUIFLAG | CHAR | 1 | Y | Y | Unsecure communication permitted (user-specific) |
SNC.PNAME | CHAR | 255 | Y | Y | SNC: Printable name |
UCLASS.BNAME_CHARGEABLE | CHAR | 12 | Y | Y | Chargeable User |
UCLASS.CLIENT | CHAR | 3 | Y | Y | Client |
UCLASS.COUNTRY_SURCHARGE | BCD | 2 | Y | Y | System Measurement: Country Surcharge (3 Characters) |
UCLASS.LIC_TYPE | CHAR | 2 | Y | Y | ID for the User Types of the SAP System |
UCLASS.SPEC_VERS | CHAR | 2 | Y | Y | Assignment to special version |
UCLASS.SUBSTITUTE_FROM | DATE | 8 | Y | Y | Substitute 'from date' |
UCLASS.SUBSTITUTE_UNTIL | DATE | 8 | Y | Y | Substitute 'to date' |
UCLASS.SYSID | CHAR | 8 | Y | Y | Name of the SAP System |
EX_ADDRESS | CHAR | 10 | Y | Y | Do not use |
FORCE_SYSTEM_ASSIGNMENT | CHAR | 1 | Y | Y | Always Perform System Assignment (Even if Called in the Central System) |
SELF_REGISTER | CHAR | 1 | Y | Y | Create for Self-Registration |
Structured Multi-valued Attributes
This table lists the structured multi-valued attributes supported for User data format. All attributes can be exported except PASSWORD.BAPIPWD. Only USERNAME is needed to delete a user. Other attributes are not considered when changetype is delete. M = Mandatory.
Attribute Name | Type | Length | Import | Import Add | Description |
---|---|---|---|---|---|
ACTIVITYGROUPS – Attribute for exporting and managing role association of the user. | | | | | |
ACTIVITYGROUPS->AGR_NAME | CHAR | 30 | Y | Y | Role Name |
ACTIVITYGROUPS->AGR_TEXT | CHAR | 80 | N | N | Role name |
ACTIVITYGROUPS->FROM_DAT | DATE | 8 | Y | Y | Date of menu generation. Specify date in YYYY-MM-DD format. |
ACTIVITYGROUPS->ORG_FLAG | CHAR | 1 | N | N | Indicator: Indirect Assignment of the User to the Role |
ACTIVITYGROUPS->TO_DAT | DATE | 8 | Y | Y | Date of menu generation. Specify date in YYYY-MM-DD format. |
ADDCOMREM – Attribute for exporting and managing Notes on all communication types. | | | | | |
ADDCOMREM->COMM_NOTES | CHAR | 50 | Y | Y | Communication link notes |
ADDCOMREM->COMM_TYPE | CHAR | 3 | N | N | Communication Method (Key) (Business Address Services) |
ADDCOMREM->CONSNUMBER | NUM | 3 | N | N | Sequence number |
ADDCOMREM->ERRORFLAG | CHAR | 1 | N | N | Flag: Record not processed |
ADDCOMREM->LANGU | CHAR | 1 | N | N | Language Key |
ADDCOMREM->LANGU_ISO | CHAR | 2 | N | N | Language according to ISO 639 |
ADDFAX – Structured attribute for exporting and managing Fax. You have to use this attribute when there are multiple values or you want to set additional FAX fields. Single-valued attributes corresponding to this are ADDRESS.FAX_NUMBER and ADDRESS.FAX_EXTENS. | | | | | |
ADDFAX->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDFAX->COUNTRY | CHAR | 3 | Y | Y | Country for telephone/fax number |
ADDFAX->COUNTRYISO | CHAR | 2 | Y | Y | Country ISO code |
ADDFAX->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDFAX->EXTENSION | CHAR | 10 | Y | Y | Fax no.: Extension |
ADDFAX->FAX | CHAR | 30 | Y | Y | Fax number: dialing code+number |
ADDFAX->FAX_GROUP | CHAR | 1 | Y | Y | Fax group (G3, G4, ...) |
ADDFAX->FAX_NO | CHAR | 30 | Y | Y | Complete number: dialing code+number+extension |
ADDFAX->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDFAX->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDFAX->R_3_USER | CHAR | 1 | Y | Y | Flag: Connected to a SAP System |
ADDFAX->SENDER_NO | CHAR | 30 | Y | Y | Fax number for finding sender |
ADDFAX->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDFAX->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDFAX->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDFAX->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDPAG – Structured attribute for exporting and managing Pager services for the user. | | | | | |
ADDPAG->CALLER_NO | CHAR | 30 | Y | Y | Pager number for finding sender |
ADDPAG->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDPAG->COUNTRY | CHAR | 3 | Y | Y | Country for telephone/fax number |
ADDPAG->COUNTRYISO | CHAR | 2 | Y | Y | Country ISO code |
ADDPAG->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDPAG->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDPAG->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDPAG->PAGER | CHAR | 30 | Y | Y | Pager number |
ADDPAG->PAGER_NO | CHAR | 30 | Y | Y | Normalized pager search field |
ADDPAG->PAGER_TYPE | CHAR | 4 | Y | Y | Pager Service |
ADDPAG->R_3_USER | CHAR | 1 | Y | Y | Encoded Reference to a Sequence Number |
ADDPAG->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDPAG->STD_RECIP | CHAR | 1 | Y | Y | Encoded Reference to a Sequence Number |
ADDPAG->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDPAG->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDPRT – Structured attribute for exporting and managing Printers for the user. | | | | | |
ADDPRT->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDPRT->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDPRT->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDPRT->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDPRT->PRINT_DEST | CHAR | 4 | Y | Y | Spool: Output device |
ADDPRT->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDPRT->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDPRT->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDPRT->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDRFC – Structured attribute for exporting and managing RFC addresses. | | | | | |
ADDRFC->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDRFC->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDRFC->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDRFC->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDRFC->LOG_DEST | CHAR | 32 | Y | Y | RFC logical destination |
ADDRFC->R_3_USER | CHAR | 1 | Y | Y | Flag: Connected to a SAP System |
ADDRFC->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDRFC->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDRFC->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDRFC->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDRML – Structured attribute for exporting and managing remote mail addresses. | | | | | |
ADDRML->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDRML->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDRML->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDRML->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDRML->REC_TYPE | CHAR | 1 | Y | Y | Recipient type (not currently used) |
ADDRML->R_3_USER | CHAR | 1 | Y | Y | Flag: Connected to a SAP System |
ADDRML->R_MAIL | CHAR | 12 | Y | Y | RML Name (Remote Mail, SAP - SAP - Communication) |
ADDRML->R_MAIL_CLT | CHAR | 3 | Y | Y | RML-Client (Remote Mail, SAP - SAP - Communication) |
ADDRML->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDRML->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDRML->SYMB_DEST | CHAR | 10 | Y | Y | Symbolic destination |
ADDRML->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDRML->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDSMTP – Structured attribute for exporting and managing email addresses. You have to use this attribute when there are multiple values or you want to set additional email fields. A single-valued attribute corresponding to this is ADDRESS.E_MAIL. | | | | | |
ADDSMTP->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDSMTP->EMAIL_SRCH | CHAR | 20 | Y | Y | E-Mail Address Search Field |
ADDSMTP->ENCODE | CHAR | 1 | Y | Y | Desired Data Coding (E-Mail) |
ADDSMTP->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDSMTP->E_MAIL | CHAR | 241 | Y | Y | E-Mail Address |
ADDSMTP->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDSMTP->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDSMTP->R_3_USER | CHAR | 1 | Y | Y | Flag: Connected to a SAP System |
ADDSMTP->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDSMTP->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDSMTP->TNEF | CHAR | 1 | Y | Y | Flag: Receiver can receive TNEF coding via SMTP |
ADDSMTP->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDSMTP->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDSSF – Structured attribute for exporting and managing remote SSF (Secure Store and Forward) address. | | | | | |
ADDSSF->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDSSF->DUMMY | CHAR | 1 | Y | Y | Single-Character Flag |
ADDSSF->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDSSF->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDSSF->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDSSF->RFCDEST | CHAR | 32 | Y | Y | Logical Destination (Specified in Function Call) |
ADDSSF->SSFIDPART1 | CHAR | 250 | Y | Y | SSF name signatory/recipient: Parts 1-8 |
ADDSSF->SSFIDPART2 | CHAR | 250 | Y | Y | SSF name signatory/recipient: Parts 1-8 |
ADDSSF->SSFIDPART3 | CHAR | 250 | Y | Y | SSF name signatory/recipient: Parts 1-8 |
ADDSSF->SSFIDPART4 | CHAR | 250 | Y | Y | SSF name signatory/recipient: Parts 1-8 |
ADDSSF->SSFIDPART5 | CHAR | 250 | Y | Y | SSF name signatory/recipient: Parts 1-8 |
ADDSSF->SSFIDPART6 | CHAR | 250 | Y | Y | SSF name signatory/recipient: Parts 1-8 |
ADDSSF->SSFIDPART7 | CHAR | 250 | Y | Y | SSF name signatory/recipient: Parts 1-8 |
ADDSSF->SSFIDPART8 | CHAR | 250 | Y | Y | SSF name signatory/recipient: Parts 1-8 |
ADDSSF->SSFIDPART9 | CHAR | 48 | Y | Y | SSF name signatory/recipient - part 9 |
ADDSSF->SSFIDSHORT | CHAR | 132 | Y | Y | SSFID field for screen display |
ADDSSF->SSF_NS | CHAR | 10 | Y | Y | SSF Namespace label |
ADDSSF->SSF_PROF | CHAR | 132 | Y | Y | SSF profile name |
ADDSSF->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDSSF->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDSSF->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDSSF->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDTEL – Structured attribute for exporting and managing Telephone and Mobile phone numbers. You have to use this attribute when there are multiple values or you want to set additional phone fields. Single-valued attributes corresponding to this are ADDRESS.TEL1_NUMBR and ADDRESS.TEL1_EXT. | | | | | |
ADDTEL->CALLER_NO | CHAR | 30 | Y | Y | Telephone number for determining caller |
ADDTEL->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDTEL->COUNTRY | CHAR | 3 | Y | Y | Country for telephone/fax number |
ADDTEL->COUNTRYISO | CHAR | 2 | Y | Y | Country ISO code |
ADDTEL->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDTEL->EXTENSION | CHAR | 10 | Y | Y | Telephone no.: Extension |
ADDTEL->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDTEL->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDTEL->R_3_USER | CHAR | 1 | Y | Y | Indicator: Telephone is a Mobile Telephone |
ADDTEL->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDTEL->STD_RECIP | CHAR | 1 | Y | Y | Indicator: Telephone is SMS-Enabled |
ADDTEL->TELEPHONE | CHAR | 30 | Y | Y | Telephone no.: dialing code+number |
ADDTEL->TEL_NO | CHAR | 30 | Y | Y | Complete number: dialing code+number+extension |
ADDTEL->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDTEL->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDTLX – Structured attribute for exporting and managing telex numbers. | | | | | |
ADDTLX->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDTLX->COUNTRY | CHAR | 3 | Y | Y | Country Key |
ADDTLX->COUNTRYISO | CHAR | 2 | Y | Y | Country ISO code |
ADDTLX->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDTLX->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDTLX->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDTLX->R_3_USER | CHAR | 1 | Y | Y | Flag: Connected to a SAP System |
ADDTLX->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDTLX->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDTLX->TELEX_NO | CHAR | 30 | Y | Y | Telex number |
ADDTLX->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDTLX->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDTTX – Structured attribute for exporting and managing teletex numbers. | | | | | |
ADDTTX->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDTTX->COUNTRY | CHAR | 3 | Y | Y | Country Key |
ADDTTX->COUNTRYISO | CHAR | 2 | Y | Y | Country ISO code |
ADDTTX->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDTTX->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDTTX->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDTTX->R_3_USER | CHAR | 1 | Y | Y | Flag: Connected to a SAP System |
ADDTTX->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDTTX->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDTTX->TELETEX | CHAR | 30 | Y | Y | Teletex number |
ADDTTX->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDTTX->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDURI – Structured attribute for exporting and managing URI. URI is Universal Resource Identifier (URL, FTP, etc.). | | | | | |
ADDURI->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDURI->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDURI->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDURI->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDURI->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDURI->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDURI->URI | CHAR | 132 | Y | Y | URI (e.g., Homepage or ftp Address) |
ADDURI->URI_PART1 | CHAR | 250 | Y | Y | Universal Resource Identifier (URI): Parts 1-8 |
ADDURI->URI_PART2 | CHAR | 250 | Y | Y | Universal Resource Identifier (URI): Parts 1-8 |
ADDURI->URI_PART3 | CHAR | 250 | Y | Y | Universal Resource Identifier (URI): Parts 1-8 |
ADDURI->URI_PART4 | CHAR | 250 | Y | Y | Universal Resource Identifier (URI): Parts 1-8 |
ADDURI->URI_PART5 | CHAR | 250 | Y | Y | Universal Resource Identifier (URI): Parts 1-8 |
ADDURI->URI_PART6 | CHAR | 250 | Y | Y | Universal Resource Identifier (URI): Parts 1-8 |
ADDURI->URI_PART7 | CHAR | 250 | Y | Y | Universal Resource Identifier (URI): Parts 1-8 |
ADDURI->URI_PART8 | CHAR | 250 | Y | Y | Universal Resource Identifier (URI): Parts 1-8 |
ADDURI->URI_PART9 | CHAR | 48 | Y | Y | Universal Resource Identifier (URI) - Part 9 |
ADDURI->URI_TYPE | CHAR | 3 | Y | Y | URI type flag |
ADDURI->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDURI->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDX400 – Structured attribute for exporting and managing X.400 addresses. | | | | | |
ADDX400->ADM_DOM | CHAR | 16 | Y | Y | X.400 administration domain |
ADDX400->CONSNUMBER | NUM | 3 | Y | Y | Sequence number |
ADDX400->COUNTRY | CHAR | 3 | Y | Y | X.400 country code |
ADDX400->COUNTRYISO | CHAR | 2 | Y | Y | Country ISO code |
ADDX400->DDA_TYPE1 | CHAR | 8 | Y | Y | X.400 domain defined attribute, type 1 |
ADDX400->DDA_TYPE2 | CHAR | 8 | Y | Y | X.400 domain defined attribute, type 2 |
ADDX400->DDA_TYPE3 | CHAR | 8 | Y | Y | X.400 domain defined attribute, type 3 |
ADDX400->DDA_TYPE4 | CHAR | 8 | Y | Y | X.400 domain defined attribute, type 4 |
ADDX400->DDA_VALUE1 | CHAR | 128 | Y | Y | X.400 domain defined attribute, value 1 |
ADDX400->DDA_VALUE2 | CHAR | 128 | Y | Y | X.400 domain defined attribute, value 2 |
ADDX400->DDA_VALUE3 | CHAR | 128 | Y | Y | X.400 domain defined attribute, value 3 |
ADDX400->DDA_VALUE4 | CHAR | 128 | Y | Y | X.400 domain defined attribute, value 4 |
ADDX400->ERRORFLAG | CHAR | 1 | Y | Y | Flag: Record not processed |
ADDX400->FIRSTNAME | CHAR | 16 | Y | Y | X.400 first name |
ADDX400->FLG_NOUSE | CHAR | 1 | Y | Y | Flag: This Communication Number is Not Used |
ADDX400->GENERATION | CHAR | 3 | Y | Y | X.400 generation |
ADDX400->HOME_FLAG | CHAR | 1 | Y | Y | Recipient address in this communication type (mail sys.grp) |
ADDX400->INITIALS | CHAR | 5 | Y | Y | X.400 Initials |
ADDX400->LASTNAME | CHAR | 40 | Y | Y | X.400 last name |
ADDX400->ORGANIZATN | CHAR | 64 | Y | Y | X.400 organization |
ADDX400->ORG_UNIT_1 | CHAR | 32 | Y | Y | X.400 organizational unit 1 |
ADDX400->ORG_UNIT_2 | CHAR | 32 | Y | Y | X.400 organizational unit 2 |
ADDX400->ORG_UNIT_3 | CHAR | 32 | Y | Y | X.400 organizational unit 3 |
ADDX400->ORG_UNIT_4 | CHAR | 32 | Y | Y | X.400 organizational unit 4 |
ADDX400->PRIV_DOM | CHAR | 16 | Y | Y | X.400 private domain |
ADDX400->R_3_USER | CHAR | 1 | Y | Y | Flag: Connected to a SAP System |
ADDX400->STD_NO | CHAR | 1 | Y | Y | Standard Sender Address in this Communication Type |
ADDX400->STD_RECIP | CHAR | 1 | Y | Y | Flag: Recipient is standard recipient for this number |
ADDX400->TERM_ID | CHAR | 24 | Y | Y | X.400 Terminal ID |
ADDX400->TERM_TYPE | CHAR | 1 | Y | Y | X.400 terminal type |
ADDX400->TNEF | CHAR | 1 | Y | Y | Flag: Receiver can receive TNEF coding via X.400 |
ADDX400->TXT_ENCODE | CHAR | 1 | Y | Y | Desired text data coding (X.400) |
ADDX400->UANID | CHAR | 32 | Y | Y | X.400 user agent numeric ID |
ADDX400->VALID_FROM | CHAR | 14 | Y | Y | Communication Data: Valid From (YYYYMMDDHHMMSS) |
ADDX400->VALID_TO | CHAR | 14 | Y | Y | Communication Data: Valid To (YYYYMMDDHHMMSS) |
ADDX400->X_121_ADDR | CHAR | 15 | Y | Y | X.400 X.121 network address |
EXTIDHEAD – Structured attribute for exporting and managing Header Data for External ID of a User. | | | | | |
EXTIDHEAD->CODE_TYPE | CHAR | 1 | Y | Y | Way in Which Data is Coded |
EXTIDHEAD->EXTFLAG | CHAR | 4 | Y | Y | Indicator for External ID |
EXTIDHEAD->EXTID_LEN | INT2 | 2 | Y | Y | Length of an LCHR or LRAW field in the database |
EXTIDHEAD->ISSUER_LEN | INT2 | 2 | Y | Y | Length of an LCHR or LRAW field in the database |
EXTIDHEAD->SEQ_NO_ID | NUM | 4 | Y | Y | Sequence Number of External ID of a User |
EXTIDHEAD->SERIAL_LEN | INT2 | 2 | Y | Y | Length of an LCHR or LRAW field in the database |
EXTIDHEAD->STATUS | CHAR | 1 | Y | Y | Status of entry for external ID |
EXTIDHEAD->TYPE | CHAR | 2 | Y | Y | External ID type |
EXTIDHEAD->VALITYINFO | BYTE | 16 | Y | Y | Validity Information for External ID of a User |
EXTIDHEAD->VERSION | INT1 | 1 | Y | Y | Version of Validity Information for External ID of a User |
EXTIDPART – Structured attribute for exporting and managing Part of a Long Field for the External ID of a User. | | | | | |
EXTIDPART->EXTFLAG | CHAR | 4 | Y | Y | Indicator for External ID |
EXTIDPART->FIELDNAME | CHAR | 30 | Y | Y | Field Name for a Part of an External ID of a User |
EXTIDPART->PART_DATA | CHAR | 192 | Y | Y | Content of a Part of a Field of an External ID |
EXTIDPART->SEQ_NO_ID | NUM | 4 | Y | Y | Sequence Number of External ID of a User |
EXTIDPART->SEQ_NO_PART | NUM | 4 | Y | Y | Sequence Number of Part of a Field of an External ID |
GROUPS – Attribute for exporting and managing Group assignments of a User. | | | | | |
GROUPS->USERGROUP | CHAR | 12 | Y | Y | User group in user master maintenance |
PARAMETER – Structured attribute for exporting and managing Parameters of a User. | | | | | |
PARAMETER->PARID | CHAR | 20 | Y | Y | Set/Get parameter ID |
PARAMETER->PARTXT | CHAR | 60 | Y | Y | Short Description of Repository Objects |
PARAMETER->PARVA | CHAR | 18 | Y | Y | Parameter value |
PARAMETER1 – Structured attribute for exporting and managing Parameters of a User. If the value of a parameter is greater than 18 chars, you must use this attribute. | | | | | |
PARAMETER1->PARID | CHAR | 20 | Y | Y | Set/Get parameter ID |
PARAMETER1->PARTXT | CHAR | 60 | Y | Y | Short Description of Repository Objects |
PARAMETER1->PARVA | CHAR | 40 | Y | Y | Parameter value |
PROFILES – Structured attribute for exporting and managing Profile assignments of a User. | | | | | |
PROFILES->BAPIAKTPS | CHAR | 1 | N | N | Active or maintenance version |
PROFILES->BAPIPROF | CHAR | 12 | Y | Y | Profile name |
PROFILES->BAPIPTEXT | CHAR | 60 | N | N | Texts in user master/authorizations |
PROFILES->BAPITYPE | CHAR | 1 | N | N | Type of Profile (Composite or Single) |
SYSTEMS – Attribute for exporting and managing CUA child systems in which the user exists. | | | | | |
SYSTEMS->SUBSYSTEM | CHAR | 10 | Y | Y | Receiving system for central user administration |
UCLASSSYS – Structured attribute for exporting and managing System-specific license-related user classification. | | | | | |
UCLASSSYS->BNAME_CHARGEABLE | CHAR | 12 | Y | Y | Chargeable User |
UCLASSSYS->CLIENT | CHAR | 3 | Y | Y | Client |
UCLASSSYS->COUNTRY_SURCHARGE | BCD | 2 | Y | Y | System Measurement: Country Surcharge (3 Characters) |
UCLASSSYS->LIC_TYPE | CHAR | 2 | Y | Y | ID for the User Types of the SAP System |
UCLASSSYS->RCVSYSTEM | CHAR | 10 | Y | Y | Receiving system for central user administration |
UCLASSSYS->SPEC_VERS | CHAR | 2 | Y | Y | Assignment to special version |
UCLASSSYS->SUBSTITUTE_FROM | DATE | 8 | Y | Y | Substitute 'from date' |
UCLASSSYS->SUBSTITUTE_UNTIL | DATE | 8 | Y | Y | Substitute 'to date' |
UCLASSSYS->SYSID | CHAR | 8 | Y | Y | Name of the SAP System |
Role Attributes
Attribute Name | Type | Length | Multi Valued | Description |
---|---|---|---|---|
Role | CHAR | 30 | N | Primary Key. |
RoleName | CHAR | 80 | N | |
RoleType | CHAR | 1 | N | Single(S) or Composite(C). |
SUBSYSTEM | CHAR | 10 | N | Name of the child system that this role belongs to. This is valid only when connected to a SAP CUA system and ExportRoleType is CUA Child System Roles. |
MemberUser->NAME | CHAR | 12 | | Name of user that this role is assigned to. |
MemberUser->FROM_DAT | DATE | | | Validity start date. |
MemberUser->TO_DAT | DATE | | | Validity end date. |
GRC Role Attributes
| Attribute Name | Type | Length | Multi Valued | Description |
|---|---|---|---|---|
| RoleName | CHAR | 300 | N | Primary Key |
| RoleDesc | CHAR | 132 | N | Filterable |
| RoleType | CHAR | 3 | N | Single(SIN), Composite(COM), Business (BUS), Derived (DRD). |
| RoleTypeDesc | CHAR | 132 | N | |
| Landscape | CHAR | 10 | N | Filterable |
| LandscapeDesc | CHAR | 40 | N | |
| System | CHAR | 32 | N | Filterable |
| Role Owner | CHAR | 12 | N | Filterable |
| SubProcess | CHAR | | N | |
| SubProcessDesc | CHAR | | N | |
| TechnicalRole | CHAR | 30 | Y | |
| Business Process | CHAR | | N | |
| BusinessProcessDesc | CHAR | | N | |
| FunctionalArea | CHAR | | N | |
| FunctionalAreaDesc | CHAR | | N | |
Value Lookup Attributes
| Attribute Name | Type | Length | Multi Valued | Description |
|---|---|---|---|---|
| DisplayValue | CHAR | | N | Filterable |
| Value | CHAR | | N | Primary Key, Filterable |
PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, HRCombined, and PDObjectTypes Attributes
| Name | Description | Filterable |
|---|---|---|
| PersonalData | No | |
| PERNO | Personnel Number | No |
| PERSONAL_DATA.INFOTYPE | Infotype | No |
| PERSONAL_DATA.SUBTYPE | Subtype | No |
| PERSONAL_DATA.OBJECT_ID | Object Identification | No |
| PERSONAL_DATA.LOCK_IND | Lock Indicator for HR Master Data Record | No |
| PERSONAL_DATA.TO_DATE | End Date | No |
| PERSONAL_DATA.FROM_DATE | Start Date | No |
| PERSONAL_DATA.SEQNO | Number of Infotype Record with Same Key | No |
| PERSONAL_DATA.CH_ON | Changed On | No |
| PERSONAL_DATA.CHANGED_BY | Name of Person Who Changed Object | No |
| PERSONAL_DATA.HIST_FLAG | Historical Record Flag | No |
| PERSONAL_DATA.TEXTFLAG | Text Exists for Infotype | No |
| PERSONAL_DATA.REF_FLAG | Reference Fields Exist (Primary/Secondary Costs) | No |
| PERSONAL_DATA.CNFRM_FLAG | Confirmation Fields Exist | No |
| PERSONAL_DATA.SCREENCTRL | Infotype Screen Control | No |
| PERSONAL_DATA.REASON | Reason for Changing Master Data | No |
| PERSONAL_DATA.INITIALS | Initials | No |
| PERSONAL_DATA.LAST_NAME | Last Name | No |
| PERSONAL_DATA.LAST_NAME2 | Second Name / Name at Birth | No |
| PERSONAL_DATA.FIRSTNAME | First Name | No |
| PERSONAL_DATA.TITLE | Title | No |
| PERSONAL_DATA.TITLE_2 | Second Title | No |
| PERSONAL_DATA.ARI_TITLE | Other Title | No |
| PERSONAL_DATA.NAMEAFFIX | Name Prefix | No |
| PERSONAL_DATA.NAMEPREFIX | Second Name Prefix | No |
| PERSONAL_DATA.KNOWN_AS | Nickname | No |
| PERSONAL_DATA.NAME_FORM | Name Format Indicator for Employee | No |
| PERSONAL_DATA.FORMOFADR | Form-of-Address Key | No |
| PERSONAL_DATA.GENDER | Gender Key | No |
| PERSONAL_DATA.BIRTHDATE | Date of Birth | No |
| PERSONAL_DATA.BIRTHCTRY | Country of Birth | No |
| PERSONAL_DATA.BIRTHSTATE | State | No |
| PERSONAL_DATA.BIRTHPLACE | Birthplace | No |
| PERSONAL_DATA.NATIONAL | Nationality | No |
| PERSONAL_DATA.NATIONAL_2 | Second Nationality | No |
| PERSONAL_DATA.NATIONAL_3 | Third Nationality | No |
| PERSONAL_DATA.LANGU | Language Key | No |
| PERSONAL_DATA.RELIGION | Religious Denomination Key | No |
| PERSONAL_DATA.MAR_STATUS | Marital Status Key | No |
| PERSONAL_DATA.MAR_DATE | Valid From Date of Current Marital Status | No |
| PERSONAL_DATA.NO_O_CHLDR | Number of Children | No |
| PERSONAL_DATA.NAME_CON | Name Connection | No |
| PERSONAL_DATA.PERMO | Modifier for Personnel Identifier | No |
| PERSONAL_DATA.PERID | Personnel ID Number | No |
| PERSONAL_DATA.BIRTHDTPP | Date of Birth According to Passport | No |
| PERSONAL_DATA.FST_NAME_K | First name (Katakana) | Yes |
| PERSONAL_DATA.LST_NAME_K | Last Name (Katakana) | Yes |
| PERSONAL_DATA.FST_NAME_R | First name (Romaji) | Yes |
| PERSONAL_DATA.LST_NAME_R | Last name (Romaji) | Yes |
| PERSONAL_DATA.BIRTHNME_K | Name of Birth (Katakana) | No |
| PERSONAL_DATA.BIRTHNME_R | Name of Birth (Romaji) | No |
| PERSONAL_DATA.NICKNAME_K | Nickname (Katakana) | No |
| PERSONAL_DATA.NICKNAME_R | Nickname (Romaji) | No |
| PERSONAL_DATA.BIRTHYEAR | Year of Birth | No |
| PERSONAL_DATA.BIRTHMONTH | Month of Birth | No |
| PERSONAL_DATA.BIRTHDAY | Birth Date (to Month/Year) | No |
| PERSONAL_DATA.LASTNAME_M | Last Name (Field for Search Help) | Yes |
| PERSONAL_DATA.FSTNAME_M | First Name (Field for Search Help) | Yes |
| OrganizationalAssignment | | |
| PERNO | Personnel Number | No |
| ORG_ASSIGNMENT.INFOTYPE | Infotype | No |
| ORG_ASSIGNMENT.SUBTYPE | Subtype | No |
| ORG_ASSIGNMENT.OBJECT_ID | Object Identification | No |
| ORG_ASSIGNMENT.LOCK_IND | Lock Indicator for HR Master Data Record | No |
| ORG_ASSIGNMENT.TO_DATE | End Date | No |
| ORG_ASSIGNMENT.FROM_DATE | Start Date | No |
| ORG_ASSIGNMENT.SEQNO | Number of Infotype Record with Same Key | No |
| ORG_ASSIGNMENT.CH_ON | Changed On | No |
| ORG_ASSIGNMENT.CHANGED_BY | Name of Person Who Changed Object | No |
| ORG_ASSIGNMENT.HIST_FLAG | Historical Record Flag | No |
| ORG_ASSIGNMENT.TEXTFLAG | Text Exists for Infotype | No |
| ORG_ASSIGNMENT.REF_FLAG | Reference Fields Exist (Primary/Secondary Costs) | No |
| ORG_ASSIGNMENT.CNFRM_FLAG | Confirmation Fields Exist | No |
| ORG_ASSIGNMENT.SCREENCTRL | Infotype Screen Control | No |
| ORG_ASSIGNMENT.REASON | Reason for Changing Master Data | No |
| ORG_ASSIGNMENT.COMP_CODE | Company Code | No |
| ORG_ASSIGNMENT.PERS_AREA | Personnel Area | No |
| ORG_ASSIGNMENT.EGROUP | Employee Group | No |
| ORG_ASSIGNMENT.ESUBGROUP | Employee Subgroup | No |
| ORG_ASSIGNMENT.ORG_KEY | Organizational Key | No |
| ORG_ASSIGNMENT.BUS_AREA | Business Area | No |
| ORG_ASSIGNMENT.P_SUBAREA | Personnel Subarea | No |
| ORG_ASSIGNMENT.LEG_PERSON | Legal Person | No |
| ORG_ASSIGNMENT.PAYAREA | Payroll Area | No |
| ORG_ASSIGNMENT.CONTRACT | Work Contract | No |
| ORG_ASSIGNMENT.COSTCENTER | Cost Center | Yes |
| ORG_ASSIGNMENT.ORG_UNIT | Organizational Unit | No |
| ORG_ASSIGNMENT.POSITION | Position | No |
| ORG_ASSIGNMENT.JOB | Job | No |
| ORG_ASSIGNMENT.SUPERVISOR | Supervisor Area | No |
| ORG_ASSIGNMENT.PAYR_ADMIN | Payroll Administrator | No |
| ORG_ASSIGNMENT.PERS_ADMIN | Administrator for HR Master Data | No |
| ORG_ASSIGNMENT.TIME_ADMIN | Administrator for Time Recording | No |
| ORG_ASSIGNMENT.SORT_NAME | Employee's Name (Sortable by LAST NAME FIRST NAME) | No |
| ORG_ASSIGNMENT.NAME | Formatted Name of Employee or Applicant | No |
| ORG_ASSIGNMENT.OBJECTTYPE | Object Type | No |
| ORG_ASSIGNMENT.ADMINGROUP | Administrator Group | No |
| ORG_ASSIGNMENT.CO_AREA | Controlling Area | No |
| ORG_ASSIGNMENT.FUNDS_CTR | Funds Center | No |
| ORG_ASSIGNMENT.FUND | Fund | No |
| ORG_ASSIGNMENT.ORGTXT | Short Text of Organizational Unit | Yes |
| ORG_ASSIGNMENT.JOBTXT | Job Title | Yes |
| ORG_ASSIGNMENT.POSTXT | Position (Short Text) | Yes |
| ORG_ASSIGNMENT.FKBER | Functional Area | No |
| ORG_ASSIGNMENT.GRANT_NBR | Grant | No |
| Communication | | |
| PERNO | Personnel Number | No |
| COMMUNICATION->INFOTYPE | Infotype | No |
| COMMUNICATION->SUBTYPE | Subtype | No |
| COMMUNICATION->OBJECT_ID | Object Identification | No |
| COMMUNICATION->LOCK_IND | Lock Indicator for HR Master Data Record | No |
| COMMUNICATION->TO_DATE | End Date | No |
| COMMUNICATION->FROM_DATE | Start Date | No |
| COMMUNICATION->SEQNO | Number of Infotype Record with Same Key | No |
| COMMUNICATION->CH_ON | Changed On | No |
| COMMUNICATION->CHANGED_BY | Name of Person Who Changed Object | No |
| COMMUNICATION->HIST_FLAG | Historical Record Flag | No |
| COMMUNICATION->TEXTFLAG | Text Exists for Infotype | No |
| COMMUNICATION->REF_FLAG | Reference Fields Exist (Primary/Secondary Costs) | No |
| COMMUNICATION->CNFRM_FLAG | Confirmation Fields Exist | No |
| COMMUNICATION->SCREENCTRL | Infotype Screen Control | No |
| COMMUNICATION->REASON | Reason for Changing Master Data | No |
| COMMUNICATION->USERTYPE | Communication Type | No |
| COMMUNICATION->USERID | Communication ID/Number | Yes |
| COMMUNICATION->USRID_LONG | E-Mail Address | No |
| InternalControl | | |
| PERNO | Personnel Number | No |
| INTERNAL_CONTROL.INFOTYPE | Infotype | No |
| INTERNAL_CONTROL.SUBTYPE | Subtype | No |
| INTERNAL_CONTROL.OBJECT_ID | Object Identification | No |
| INTERNAL_CONTROL.LOCK_IND | Lock Indicator for HR Master Data Record | No |
| INTERNAL_CONTROL.TO_DATE | End Date | No |
| INTERNAL_CONTROL.FROM_DATE | Start Date | No |
| INTERNAL_CONTROL.SEQNO | Number of Infotype Record with Same Key | No |
| INTERNAL_CONTROL.CH_ON | Changed On | No |
| INTERNAL_CONTROL.CHANGED_BY | Name of Person Who Changed Object | No |
| INTERNAL_CONTROL.HIST_FLAG | Historical Record Flag | No |
| INTERNAL_CONTROL.TEXTFLAG | Text Exists for Infotype | No |
| INTERNAL_CONTROL.REF_FLAG | Reference Fields Exist (Primary/Secondary Costs) | No |
| INTERNAL_CONTROL.CNFRM_FLAG | Confirmation Fields Exist | No |
| INTERNAL_CONTROL.SCREENCTRL | Infotype Screen Control | No |
| INTERNAL_CONTROL.REASON | Reason for Changing Master Data | No |
| INTERNAL_CONTROL.PREV_PERNO | Previous Personnel Number | No |
| INTERNAL_CONTROL.COMPIDCARD | Company ID | No |
| INTERNAL_CONTROL.TAX_REG | Regulation for Taxation of Company Car | No |
| INTERNAL_CONTROL.CARVALUE | Car Value | No |
| INTERNAL_CONTROL.LIPLATE_NO | License Plate Number | Yes |
| INTERNAL_CONTROL.CURRENCY | Currency Key | No |
| INTERNAL_CONTROL.ASSETNO | Car Asset Number | No |
| INTERNAL_CONTROL.BLDING_NO | Building Number | Yes |
| INTERNAL_CONTROL.ROOM_NO | Room Number | Yes |
| INTERNAL_CONTROL.PHONENO1 | In-House Telephone Number | No |
| INTERNAL_CONTROL.PHONENO2 | In-House Telephone Number | No |
| INTERNAL_CONTROL.COMTYPE1 | Communication Type | No |
| INTERNAL_CONTROL.COMNO1 | Communication Number | No |
| INTERNAL_CONTROL.COMTYPE2 | Communication Type | No |
| INTERNAL_CONTROL.COMNO2 | Communication Number | No |
| INTERNAL_CONTROL.COMTYPE3 | Communication Type | No |
| INTERNAL_CONTROL.COMNO3 | Communication Number | No |
| INTERNAL_CONTROL.COMTYPE4 | Communication Type | No |
| INTERNAL_CONTROL.COMNO4 | Communication Number | No |
| INTERNAL_CONTROL.COMTYPE5 | Communication Type | No |
| INTERNAL_CONTROL.COMNO5 | Communication Number | No |
| INTERNAL_CONTROL.COMTYPE6 | Communication Type | No |
| INTERNAL_CONTROL.COMNO6 | Communication Number | No |
| Address | | |
| PERNO | Personnel Number | No |
| ADDRESS->ADDRESSTYPE | Subtype | No |
| ADDRESS->CITY | City | No |
| ADDRESS->CONAME | C/O name | No |
| ADDRESS->COUNTRY | Country key | No |
| ADDRESS->DISTRICT | District | No |
| ADDRESS->NAMEOFADDRESSTYPE | Name of address type | No |
| ADDRESS->NAMEOFCOUNTRY | Country Name | No |
| ADDRESS->NAMEOFSTATE | Name of region | No |
| ADDRESS->POSTALCODECITY | Postal code | No |
| ADDRESS->RETURN | Structure for return code | No |
| ADDRESS->SCNDADDRESSLINE | 2nd Address Line | No |
| ADDRESS->STATE | Region | No |
| ADDRESS->STREETANDHOUSENO | House number and street | No |
| ADDRESS->TELEPHONENUMBER | Telephone number | No |
| HRCombined: Because this data format is the combination of the above data formats, it supports all attributes specified in each data format. | | |
| PDObjectTypes | | |
| PLAN_VERS | Plan Version | No |
| OBJECTTYPE | Object Type | Yes |
| OBJECT_ID | Object ID | No |
| START_DATE | Start Date | Yes |
| END_DATE | End Date | Yes |
| PLAN_STAT | Planning Status | No |
| HISTO_FLAG | Historical Record Flag | No |
| SHORT_TEXT | Object Abbreviation | No |
| LONG_TEXT | Object Name | No |
| EXT_OBJ_ID | Extended Object ID | No |
Actions Attributes
This table lists the single-valued attributes supported for Actions data format.
| Attribute Name | SAP Field | Description | SAP UI Representation |
|---|---|---|---|
| ACTIONS->CLIENT | MANDT | Client | |
| PERNO | PERNR | Personnel number | Pers. No. [Display Actions screen] |
| ACTIONS->SUB_TYPE | SUBTY | Subtype | |
| ACTIONS->END_DATE | ENDDA | End Date | Start [Display Actions screen] |
| ACTIONS->START_DATE | BEGDA | Start Date | to [Display Actions screen] |
| ACTIONS->CHANGED_ON_DATE | AEDTM | Changed On | Chng [Display Actions screen] |
| ACTIONS->CHANGED_BY | UNAME | Name of Person Who Changed Object | Administration [Display Actions screen] |
| ACTIONS->REASON_FOR_CHANGE_MASTER | PREAS | Reason for Changing Master Data | |
| ACTIONS->ACTION_TYPE | MASSN | Action Type | Act [Display Actions screen] |
| ACTIONS->REASON_FOR_ACTION | MASSG | Reason for Action | ActR [Display Actions screen] |
| ACTIONS->CUST_SPC_STATUS | STAT1 | Customer-Specific Status | Cus.-Spef [Overview Actions screen] |
| ACTIONS->EMPL_STATUS | STAT2 | Employment Status | Employment [Overview Actions screen] |
| ACTIONS->SPL_PYMT_STATUS | STAT3 | Special Payment Status | Spe. Pymt. [Overview Actions screen] |
| ADDL_ACTIONS->CLIENT | MANDT | Client | |
| ADDL_ACTIONS->SUB_TYPE | SUBTY | Subtype | |
| ADDL_ACTIONS->END_DATE | ENDDA | End Date | Will be same as Start Date |
| ADDL_ACTIONS->START_DATE | BEGDA | Start Date | Start Date [Display Actions screen] |
| ADDL_ACTIONS->CHANGED_ON_DATE | AEDTM | Changed On | Chng. [Display Actions screen] |
| ADDL_ACTIONS->CHANGED_BY | UNAME | Name of Person Who Changed Object | Administration [Display Actions screen] |
| ADDL_ACTIONS->REASON_FOR_CHANGE_MASTER | PREAS | Reason for Changing Master Data | |
| ADDL_ACTIONS->ACTION_TYPE | MASSN | Action Type | Act [Display Actions screen] |
| ADDL_ACTIONS->REASON_FOR_ACTION | MASSG | Reason for Action | ActR [Display Actions screen] |
Configuring the Export Link
- In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:
  - Source Attributes: Select the attributes to export.
  - Selected Attributes: Displays default attributes and those attributes that have been selected from the Source Attributes.
    Note: The check boxes are used only for delta export operations. Checked attributes are always exported, whether or not they were changed. Usually, the attributes that are selected as mandatory attributes help in identifying or verifying an entry when completing mapping functions.
  - Format: Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, BirthDate. During export, the attribute's value is converted to the specified format. See the Format Date steps below for additional information.
    Notes:
    - The Format button is only enabled for date attributes.
    - The Refresh Schema button on the Configure Data Source window’s Attributes tab must be used to refresh the schema and enable the Format button for date attributes.
  - Advanced Settings: Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
- From the Attribute Selection tab, select attributes to export. Usually, the attributes that are selected (mandatory attributes) help in identifying or verifying an entry when completing Data Mapper functions.
- (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.
- Select the Include Time check box to add the timestamp with the date.
- Select the 24 Hour or 12 Hour option button and then select the required date/time format.
- Click OK to save the selected format. The Configure Link window displays.
- (Optional) Select the Appearance tab to change how the link displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- (Optional) To create scripts for advanced functionality, right-click the export link and select the export task properties. See the section ‘Success Scripts and Failure Scripts’ in the Workflow and Connectivity Studio document for specific details.
- Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
- Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration Guide documentation for details.
Configuring For Import
Perform these procedures to configure the connector for data import:
From the Workflow and Connectivity Studio, select the SAP NetWeaver UserAdd, UserModify, or UserDelete workflow listed under the projects folder.
If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio document for details on creating import workflows.
Configuring the Import Connector
- In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:
- From the Configure Plug-in tab, set these properties as required:
  - Associated Connected System: Select the connected system from the list. The import operation will be done to this connected system.
  - Data Formats: Select the type of data format to use: User (this is the only data format supported at this time).
  - DynamicConnectedSystem: Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
  - DynamicConnectedSystemOption: Select how to control Dynamic System Support (DSS):
    - None - There will not be any Dynamic System
    - Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will
    - GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
  - Id *: Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system.
  - loginId *: Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system.
  - SubRecordsInFoldedState: When set to TRUE, the connector accepts multi-level attributes in a folded state.
  Notes:
  * Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_ID and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
  Hover the pointer over a property to view its description.
- (Optional) Select the Attributes tab. Only standard attributes display:
  Modify schema attributes with the buttons.
- (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Configuring the Import Link
- In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays:
  - Source Attributes: Select the attributes to import.
  - Check for attribute-level auditing: If auditing is enabled and these attributes below are checked, Provisioning will log all events for auditing purposes.
  - Selected Attributes: Displays default attributes and those attributes that have been selected from the Source Attributes. Check the box of any attribute required for attribute-level auditing.
  - Advanced Settings: Displays the Configure Attributes window for selecting any attributes that need to be encrypted.
  - Audit Key: Select the attribute to associate with the Audit Key.
- From the Attribute Selection tab, select attributes to import.
- (Optional) Select the Appearance tab to change how the link displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio document for details of deployment options.
- Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration Guide documentation for details.
Connector Details for Provisioning
Configuration import properties Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_ID and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
This table shows the default attributes specified for these properties for the connected system:
| Import Property | System Attribute |
|---|---|
| Id | USERNAME |
| loginId | USERNAME |
The connector supports export and import operations. The data is exported from, or imported to the SAP system in different data formats:
- This connector supports exporting User, Role, PersonalData, OrganizationalAssignment, Communication, InternalControl, Address, and HRCombined. See Export Data Format.
- This connector supports importing only the User data format. Using this data format, you can create, modify and delete users. See Import Data Format.
See the appendix SAP NetWeaver Library Workflows for details on the library workflows included in the IdM Suite.
Export Data Format
This connector export has these data formats:
- User - Exports user details such as user company details, user role and profile assignments, etc.
- Role - Exports available roles, and user associations for each role.
- PersonalData - Exports personal data information of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
- GRC Role - Exports available GRC Roles.
- Value Lookup - Exports available values of the ValueLookupType selected.
- OrganizationalAssignment - Exports the organizational assignment of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
- Communication - Exports communication information of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
- InternalControl - Exports the internal data of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
- Address - Exports address information of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria.
- Actions - Exports Actions-PA0000 and/or AdditionalActions-PA0302.
- HRCombined - Exports HR data in a combined format of a single employee if PERNO is selected as a filter; otherwise, it exports all employee records, by specifying search criteria. The combined information includes the organizational assignment, personal data, internal data, communication, and address information.
- PDObjectTypes - Exports PD object types for all employees by specifying ObjectType, PlanningStatus, StartDate, EndDate, etc.
Sub records can be exported in a folded state as attributes. The attribute name is the same as the sub record name. Each sub attribute in a sub record is added as <name>=<value> format with ( ; ) as the delimiter. For the Role data format, MemberUser is the only multi-level attribute.
The following details are of the same role in the folded and non-folded states.
Folded
<entry changetype="add">
  <USERNAME>JOHN THOMAS</USERNAME>
  <ADDRESS.FIRSTNAME>John</ADDRESS.FIRSTNAME>
  <ADDRESS.LASTNAME>Thomas</ADDRESS.LASTNAME>
  <ACTIVITYGROUPS>AGR_NAME=SAP_J2EE_ADMIN;FROM_DAT=2010-08-25;TO_DAT=2011-06-25;AGR_TEXT=Administration User for the SAP J2EE Engine</ACTIVITYGROUPS>
  <ADDSMTP>STD_NO=X;E_MAIL=John.Thomas@fisc.com;HOME_FLAG=X</ADDSMTP>
</entry>
Non-Folded
<entry changetype="add">
  <USERNAME>JOHN THOMAS</USERNAME>
  <ADDRESS.FIRSTNAME>John</ADDRESS.FIRSTNAME>
  <ADDRESS.LASTNAME>Thomas</ADDRESS.LASTNAME>
  <ACTIVITYGROUPS>
    <AGR_NAME>SAP_J2EE_ADMIN</AGR_NAME>
    <FROM_DAT>2010-08-25</FROM_DAT>
    <TO_DAT>2011-06-25</TO_DAT>
    <AGR_TEXT>Administration User for the SAP J2EE Engine</AGR_TEXT>
  </ACTIVITYGROUPS>
  <ADDSMTP>
    <STD_NO>X</STD_NO>
    <E_MAIL>John.Thomas@fisc.com</E_MAIL>
    <HOME_FLAG>X</HOME_FLAG>
  </ADDSMTP>
</entry>
Import Data Format
This connector import has one data format - User. This can create, modify, and delete users. It can add, modify, and delete role and profile assignments of the user. When connected to a CUA system, it can add, modify, and delete role and profile assignments of the user in child systems.
Sub records can be imported in a folded state as attributes. The data source configuration property SubRecordsInFoldedState must be set to accept sub records in a folded state.
When connected to a Non CUA system, the User data format can also add and remove entitlements (Roles, Profiles, Groups, and Attributes).
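The folded and non-folded sub record forms described under Export Data Format and Import Data Format, as an added Python example (not part of the connector or its documentation). It assumes one sub record per element and, because the page defines no escaping for `;` or `=`, rejects input that would make a folded string ambiguous; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DELIM = ";"    # delimiter between sub attributes (stated on the page)
ASSIGN = "="   # separator inside each <name>=<value> pair (stated on the page)

# Constructed sample: the page's folded entry with its wrapped line rejoined.
FOLDED_ENTRY = """<entry changetype="add">
  <USERNAME>JOHN THOMAS</USERNAME>
  <ADDRESS.FIRSTNAME>John</ADDRESS.FIRSTNAME>
  <ADDRESS.LASTNAME>Thomas</ADDRESS.LASTNAME>
  <ACTIVITYGROUPS>AGR_NAME=SAP_J2EE_ADMIN;FROM_DAT=2010-08-25;TO_DAT=2011-06-25;AGR_TEXT=Administration User for the SAP J2EE Engine</ACTIVITYGROUPS>
  <ADDSMTP>STD_NO=X;E_MAIL=John.Thomas@fisc.com;HOME_FLAG=X</ADDSMTP>
</entry>"""


def unfold(value):
    """Parse one folded sub record into {sub attribute: value}.

    Splits on ';', then on the first '=' of each part, so '=' inside a value
    survives. A repeated name is rejected: that is what appears when a value
    carried an embedded ';NAME=...' pair, and keeping the last occurrence
    would let free text overwrite a field such as AGR_NAME.
    """
    fields = {}
    for part in value.split(DELIM):
        if not part.strip():
            continue  # tolerate a trailing delimiter
        name, sep, val = part.partition(ASSIGN)
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"not a <name>=<value> pair: {part!r}")
        if name in fields:
            raise ValueError(f"duplicate sub attribute {name!r}")
        fields[name] = val
    return fields


def fold(fields):
    """Serialise sub attributes to folded form, refusing ambiguous input.

    Assumption: no escape exists for the delimiter, so a value containing
    ';' is rejected instead of being written out.
    """
    parts = []
    for name, val in fields.items():
        if not name or DELIM in name or ASSIGN in name:
            raise ValueError(f"invalid sub attribute name {name!r}")
        if DELIM in val:
            raise ValueError(f"value of {name!r} contains {DELIM!r}")
        parts.append(f"{name}{ASSIGN}{val}")
    return DELIM.join(parts)


def unfold_entry(xml_text, sub_records):
    """Return the <entry> element with the named sub records expanded."""
    # ElementTree is adequate for this inline sample; parse untrusted XML
    # with a hardened parser instead.
    entry = ET.fromstring(xml_text)
    for element in entry:
        if element.tag in sub_records and len(element) == 0:
            fields = unfold(element.text or "")
            element.text = None
            for name, val in fields.items():
                ET.SubElement(element, name).text = val
    return entry


def entry_to_dict(entry):
    """Flatten an <entry> for comparison: leaf -> text, sub record -> dict."""
    result = {}
    for child in entry:
        if len(child):
            result[child.tag] = {sub.tag: sub.text or "" for sub in child}
        else:
            result[child.tag] = child.text or ""
    return result


if __name__ == "__main__":
    expanded = unfold_entry(FOLDED_ENTRY, {"ACTIVITYGROUPS", "ADDSMTP"})
    print(ET.tostring(expanded, encoding="unicode"))
```

Running a check like `fold` over data before it reaches an import with SubRecordsInFoldedState set to TRUE keeps a free-text field from being read as extra sub attributes.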
Entitlement Support
This connector supports static and dynamic entitlements in the form of Roles, Profiles, Groups or GRC Roles. Entitlements are configured from the Admin UI ► Server ► Resources. See the Resource Management chapter in the Identity Suite Administration Guide for details on resources.
To configure entitlements
- On the Resource Detail page, under Entitlement Options, enter a Name and Value, and select the Type, for example:
To enable Roles, Profiles, Groups and/or GRC Roles entitlement
- From the Admin UI, click the Server tab, and then on the Function Menu, click Resources. The Resource View page displays:
- Click Add to create the resource. The Resource Detail (Add New) page displays:
See the chapter 'Administering Security' in the Identity Suite Administration Guide for a description of this page.
- Enter a Name (e.g., SAP Entitlement), Display Name, Description, and select a Resource Type (Entitlement).
  Note: Before continuing, ensure that the Resource workflows are deployed.
- Select a System associated with the resource by clicking the Select button. The Connected System View page displays:
- Select SAP NetWeaver and then click the Select button or double-click the option button next to the connected system to select it.
- Under Resource Workflows, select the appropriate check box of the Transaction Type to assign a Resource workflow.
- Click Add/Modify to select the deployed workflows associated with the connected system selected. The Deployed Workflow List page displays:
Note: Clicking Add/Modify to select deployed workflows associated with the connected system only displays Resource workflows.
- Select the desired workflow and then click Select or double-click the option button next to the desired workflow to select it. Repeat Step 6. and Step 7. to select the Remove Workflow.
- If this resource is for account provisioning and deprovisioning, the Resource Type should be Account.
- Under Entitlement Options, click Add. The Entitlement Search on SAP NetWeaver System page displays.
- Select the Type (Roles, Profiles, Groups or GRC Roles).
Roles
For Type Roles, this page displays:
- Select the Role Type (Single and/or Composite), enter search criteria (if desired), and then click Search. The Provisioning Entitlements View page displays the first 400 results:
Profiles
For Type Profiles, this page displays:
Select the Profile Type (Single or Composite), enter search criteria (if desired), and then click Search. The Provisioning Entitlements View page displays the first 400 results:
Groups
For Type Groups, this page displays:
Enter search criteria (if desired), and then click Search. The Provisioning Entitlements View page displays the first 400 results:
GRC Roles
For Type GRC Roles, this page displays:
- Enter search criteria (if desired), and then click Search. The Provisioning Entitlements View page displays the first 400 results:
- Select the desired entitlement(s) and then click the Select button.
- For static entitlement, single-level and multi-level attributes can be specified. The single-level attribute is specified by using the (.) separator and the multi-level attribute is specified by using the (->) separator. For example, these settings include the single-level attribute REF_USER.REF_USER and the multi-level attribute PARAMETER->PARID:
- To view entitlements that have been provisioned for existing users, go to Admin UI ► Users ► Search Users to Modify ► User Access View. This page lists all entitlements associated with the user.
Lookup Data
To filter data, use the Data Mapper rule Lookup Data.
- Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
- Select the Lookup Data rule under the Mapping Rule column, and then click the Source Value. The Configure Lookup window displays.
- Select the SAP NetWeaver system from the Select System drop-down list:
- In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.
- Select the SAP Lookup Type from the drop-down list, for example, User.
- Click the Selected Filter Build button, and then from the Set Filter window, generate the search filter, for example:
  See Set Filter for a description of this window.
- Click the Selected Fields Pick button to select the attributes to be fetched after a successful lookup. The Lookup Configuration dialog displays:
- Select the attribute(s) from the Selected Attributes list that require a date and/or time format and click the Format button. The Format Date window displays.
- Select the Include Time check box to use a date and time format. Select the required date/time format for your target database.
- Select the Exit as Mapper Task Failed on Lookup Failure check box to exit the task with Failed status on lookup failure. In that case the task does not process the succeeding entries, ignores the already processed entries, and does not return any data. This is selected by default.
- Click OK.
SAP GRC Support
The SAP connector supports SAP GRC (Governance, Risk, and Compliance) for user provisioning from Fischer IdM. If an SAP resource has at least one GRC role, account management for that resource is done using GRC processing. This applies when the request/remove access feature in Self-Service is used or when an account is provisioned or de-provisioned by the policy engine. When GRC is used for user provisioning, user creation and GRC role assignment are done by GRC. The USSP/Policy engine launches the resource workflows only to manage the account/entitlement association.
GRC processing is done by creating a GRC access request in SAP GRC. There are different types of requests in SAP GRC. Fischer IdM uses the request types New Account, Change Account and Lock Account. Once the request is created in SAP GRC, the approval process has to be completed in GRC. For that, the approver has to log in to SAP GRC and approve, reject or cancel the request.
There can be one or more levels of approval based on the SAP GRC configuration. Fischer IdM proceeds with further processing of the request only after receiving the completed status of the request from SAP GRC.
When the user does not have an account in the SAP system and requests an account in that system, the USSP engine creates an SAP GRC request of type New Account. Similarly, if a user who does not have an account in the SAP system qualifies for a policy that has a resource for that system, the Policy engine creates an SAP GRC request of type New Account.
If the user already has an account in the SAP system and requests an account for that system, an SAP GRC request of type Change Account is created. If the user already has an account in the SAP system and requests or removes a GRC role entitlement for that system, an SAP GRC request of type Change Account is created. Similarly, if the user already has an account in the SAP system and is qualified or disqualified for a policy that has a GRC role entitlement resource, an SAP GRC request of type Change Account is created.
When an SAP account removal request is made from Self-Service or through the policy engine, the type of the SAP GRC request generated is decided by the Provisioning Server Configuration property “SAP GRC Remove Role and Account Behavior”. If this property is set to “Role Removal and Account Lock by Workflow”, no GRC request is created. If the property is set to “Role Removal by GRC and Account Lock by Workflow”, an SAP GRC request of type Change Account is created. If the property is set to “Role Removal and Account Lock by GRC”, an SAP GRC request of type Lock Account is created.
SAP GRC Mapping
The SAP GRC request is created using the data generated for the resource workflow. This data is in the product attribute schema. For a self-service request, it has the user details merged with the pre-process data; for a policy workflow, it is the data given to the policy engine. So there is an option to provide extra attributes when required. The SAP GRC component converts this data to the format that the GRC web service expects, with the help of the SAP GRC mapping. This mapping can be configured at the Org level from the product attributes page once the Provisioning Server Configuration property "Enable SAP GRC Mapping" is set to “True” for the Org. The following table shows the default mapping for these attributes.
| SAP GRC Attribute | Mandatory | Product Attribute | Comments |
|---|---|---|---|
| Date Format | N | Other1-Other_04 | |
| Decimal Notation | N | Other1-Other_03 | |
| Department | N | Job-Department | |
| Employee No | N | Employee-Id | |
| Employment Status | N | Employee-Status | |
| End Date | N | Account-EndDate | |
| First Name | Y | Person-Firstname | |
| Last Name | Y | Person-Lastname | |
| | Y | Employee-Email1 | |
| Manager | Y | Transaction-ManagerUserID | Transaction-ManagerUserID must be the SAP user ID of the manager. If this attribute is not available, manager is identified with Job-Manager attribute and his account ID for the SAP system is used as the manager. |
| Phone | N | Employee-Phone | |
| SAP User ID | Y | Account-ID | If there is any issue with setting Account-ID from workflow, use the Account-NewAccountID attribute to provide the SAP User ID for new account creation. |
There are three types of attributes in SAP GRC request data: header data, user data and role data attributes. Currently the mapping is used only for user data attributes.
Role data attributes are populated using the entitlements. Other than that, the following attribute is supported to set role data.
| SAP GRC Attribute | Mandatory | Product Attribute | Comments |
|---|---|---|---|
| Provisioning Environment | N | Transaction-ProvisioningEnvironment | Supported only for business roles. |
Since header data is not user specific, we use the following predefined product attributes to build header data.
| SAP GRC Attribute | Mandatory | Product Attribute | Comments |
|---|---|---|---|
| Business Process | N | Transaction-BusinessProcess | |
| Functional Area | N | Transaction-FunctionArea | |
| Priority | Y | Transaction-Priority | If not provided, Medium is used as the default priority. |
| Request Init System | Y | Transaction-RequestInitSystem | If not provided, available systems are fetched and the first one is used. |
| Request Reason | Y | Transaction-RequestorComment | If not provided, comment given in request access page is used. |
| Request Type | Y | Transaction-RequestType | If not provided, dynamically taken based on the data and configuration. |
| Requestor Email | Y | Transaction-RequestorEmail | If not provided, user data Mail value is used. |
| Requestor ID | Y | Transaction-RequestorUserID | If not provided, requestor’s account ID for the SAP system is used. |
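The request-type rules and the default mapping above can be checked against workflow data before a request is raised. The following is an added example, not the product's own code: the function names, the sample record, and the precedence of an explicit Transaction-RequestType over the dynamic value are assumptions.

```python
# Added example: a model of the documented rules, not the product's own code.
REMOVAL_BEHAVIOR = {  # "SAP GRC Remove Role and Account Behavior" -> request type
    "Role Removal and Account Lock by Workflow": None,  # no GRC request
    "Role Removal by GRC and Account Lock by Workflow": "Change Account",
    "Role Removal and Account Lock by GRC": "Lock Account",
}
# Mandatory user data; each tuple lists product attributes that can satisfy it.
MANDATORY_USER = [
    ("Person-Firstname",),
    ("Person-Lastname",),
    ("Employee-Email1",),
    ("Transaction-ManagerUserID", "Job-Manager"),  # documented fallback
    ("Account-ID", "Account-NewAccountID"),  # fallback for new accounts only
]
# Constructed sample workflow data for a user without an SAP account.
SAMPLE = {
    "Person-Firstname": "Ada", "Person-Lastname": "Lovelace",
    "Employee-Email1": "ada@example.test", "Job-Manager": "MGR01",
    "Account-NewAccountID": "ALOVELACE",
}

def request_type(data, has_account, removal=False, behavior=None):
    """Return the GRC request type, or None when no GRC request is created."""
    if removal:
        dynamic = REMOVAL_BEHAVIOR[behavior]
    else:
        dynamic = "Change Account" if has_account else "New Account"
    if dynamic is None:
        return None
    # Assumption: an explicit Transaction-RequestType replaces the dynamic value.
    return data.get("Transaction-RequestType") or dynamic

def preflight(data, has_account, removal=False, behavior=None):
    """Report the request type, priority and missing mandatory attributes."""
    rtype = request_type(data, has_account, removal, behavior)
    if rtype is None:
        return {"request_type": None, "priority": None, "missing": []}
    missing = []
    for names in MANDATORY_USER:
        if names[0] == "Account-ID" and rtype != "New Account":
            names = ("Account-ID",)
        if not any(data.get(n) for n in names):
            missing.append(names[0])
    priority = data.get("Transaction-Priority") or "Medium"  # documented default
    return {"request_type": rtype, "priority": priority, "missing": missing}
```

A `None` request type marks a removal that GRC never sees, because the workflow handles both the role removal and the account lock.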
There are a few attributes which are supported in SAP but not in GRC. Such attributes are handled by the resource workflows. The first entry is always used to manage account/entitlement association. So, the USSP/Policy engine adds extra entries to handle the attributes that are not supported by GRC.
SAP GRC Role Consolidation
When multiple resources having GRC roles are requested together, the default behavior is to create an SAP GRC request for each resource. SAP GRC Segregation of Duties (SoD) can be processed properly only when the GRC roles are requested in a single request. To allow this, there is a Provisioning Server Configuration property, "Enable SAP GRC Role Consolidation". When this property is true and multiple resources are requested together, all GRC roles from these resources are consolidated and sent as a single request to GRC. If there is approval for these resources, the consolidation happens after the approval process is completed. When there is approval, consolidation happens only for items fetched by the approval engine in a single pick. So the consolidation may not happen properly if the approval process of different resources is completed in separate steps.
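The consolidation caveat above can be modeled to find conflicting roles that end up in separate GRC requests. This is an added example, not the product's own code: the item layout, the `pick` identifier for an approval-engine fetch, the role names and the SoD rule are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: 'pick' is a hypothetical id for the approval-engine
# fetch in which the item's approval completed.
ITEMS = [
    {"user": "jdoe", "resource": "SAP-AP", "roles": ["Z_CREATE_VENDOR"], "pick": 1},
    {"user": "jdoe", "resource": "SAP-FI", "roles": ["Z_PAY_VENDOR"], "pick": 2},
    {"user": "asmith", "resource": "SAP-AP", "roles": ["Z_CREATE_VENDOR"], "pick": 3},
    {"user": "asmith", "resource": "SAP-FI", "roles": ["Z_PAY_VENDOR"], "pick": 3},
]
CONFLICTS = [frozenset({"Z_CREATE_VENDOR", "Z_PAY_VENDOR"})]  # constructed SoD rule

def grc_requests(items, consolidate):
    """Group items into GRC requests: one per resource, or one per user and pick."""
    groups = defaultdict(set)
    for index, item in enumerate(items):
        key = (item["user"], item["pick"]) if consolidate else (item["user"], index)
        groups[key].update(item["roles"])
    return [(key[0], frozenset(roles)) for key, roles in groups.items()]

def split_conflicts(requests, conflicts):
    """Return conflicting role sets a user requested that no single request holds."""
    per_user = defaultdict(list)
    for user, roles in requests:
        per_user[user].append(roles)
    findings = []
    for user, reqs in sorted(per_user.items()):
        requested = frozenset().union(*reqs)
        for rule in conflicts:
            # The user asked for every role in the rule, but GRC never
            # receives them together, so the SoD check cannot fire.
            if rule <= requested and not any(rule <= r for r in reqs):
                findings.append((user, tuple(sorted(rule))))
    return findings
```

With consolidation enabled, only `jdoe` is reported, because that user's two approvals completed in different picks.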
SAP GRC Polling
SAP GRC supports two options for notifying the user provisioning status. The first is the polling option, in which the IdM server has to periodically call GRC to identify status changes of the request. The second is the callback option, in which GRC sends a notification when the provisioning process is completed. Fischer IdM uses the polling option since it is more reliable. The polling period can be configured based on the requirement using the Provisioning Background Processes Configuration property “SAP GRC Request Status Polling Interval”.
Using the Global Identity Gateway with Connected Systems
Note: You must have already performed the steps described in Installing the SAP JCo dll and jar Files for the GIG.
See the appendix Using the Global Identity Gateway with Connected Systems.