Data import
Connection details
| Setting | Description |
|---|---|
| Host Name Address | Type the Fully Qualified Domain Name of a valid host name. |
| Connection type | Select if the connection is to be done via HTTP or secured HTTP. |
| Client | Specify the client number from SAP to which to connect. |
| Port | Type the port number of the application server. |
| Timeout in seconds | The number of seconds before a timeout occurs when calling the web services. By default, the value 3600 seconds (one hour) is selected. Optionally, you can change this value to increase or lower the value. |
| User | Type the username of the administrative user used to access the service. |
| Password | Type the password for the administrative user. Each time you make a change to any of the settings in the Connection details dialog box, you must type your password again. |
| Skip certificate check | Select this checkbox to ignore any certificate check when connecting using SSL. |
| Security protocol | Select the protocol used for HTTPS handshake. |
| Test connection | Enable this setting to test the specified connection details. |
System definition: Advanced
The Advanced section of the System definition contains following settings.
| Setting | Description |
|---|---|
| Language | When you connect to SAP, you define a language so that the text in the user interface is provided in the required language. By default, English (EN) is selected as the language of the SAP system. Optionally, you can remove this value and type the proper country code for your system, for example, DE (Germany). |
| Use delta | When having this checkbox selected the imports will be set to Delta mode. For Delta mode to work properly, enable the Paging option. For more information go to the Paging section of the document. Additionally, when having Delta mode enabled, be sure to periodically run a Full import. |
System definition: Queries and mappings
If you are planning an upgrade from version 14.0.8 or lower, follow these steps after the upgrade is complete, but before the first import:
-
Add a filter attribute for the Profiles query
status!="P" -
Enable the Distinct option for all queries.
The following queries and mappings are provided out of the box:
| Object type | Biding | Service | Description |
|---|---|---|---|
| Account | user_get | omadanet/user_get_all_resp | Users |
| Resource | role_get | omadanet/auth_roles_resp | Roles |
| Resource | profile_get | omadanet/auth_prof_resp | Profiles |
| Resource parent/child | role_get | omadanet/auth_roles_resp | Child roles |
| Resource assignment | user_get | omadanet/user_get_all_resp | Resource Assignments - Profiles |
| Resource assignment | user_get | omadanet/user_get_all_resp | Role Assignments (only direct) |
Edit query mappings
To edit a query mapping, click the Edit button in the Queries and mappings window. This button opens the Edit query mapping dialog box, where you can define settings for that particular mapping.
The Edit query mapping dialog box consists of four tabs:
- Web Method
- Paging
- Mappings
- Web Method
- Paging
- Mappings
In this tab you can define the web method for the query mapping.The tab consists of the following fields:
-
Binding - Enter the binding name you had used when the web services were generated in SAP via transaction SOAMANAGER.It is recommended to use the default naming convention, so you are only required to change the value if you have used a custom naming of the binding in SAP.
-
Service - Enter the service name you had used when the web services were generated in SAP via transaction SOAMANAGER.It is recommended to use the default naming convention, so you are only required to change the value if you have used a custom naming of the service in SAP.
-
Distinct - Set this option to Yes to allow the query to yield more rows with the same values.
-
Filter - Provide a logical expression for each row imported, for example, Name eq 'John.' If it is evaluated to false, the row will be skipped by the collector.
-
Enabled - If the query is not Enabled the collector will not perform it.
-
Description - Provide a meaningful description of the query mapping.
This tab allows you to enable and define the paging method.The tab consists of the following fields:
-
Use paging - Set this option to No to disable Paging for the collector.
-
Request Page Number - Specify the page number from which the collector will start collecting data.
-
Request Rows Per Page - Specify the number of rows that will be collected per each page.
This tab provides a standard mapping table to define Source and Destination of the mappings between the SAP system and Omada Identity.
Enable/Disable import of objects
All Object types are enabled per default, if an Object type is not required it is possible to disable the import of individual objects.
Omada recommends to disable not used object types to optimize the performance of the import.
Once an import has been performed for an object type, it's impossible to disable that object type. You can enable an object if it was initially disabled. To enable or disable object types, select the ones that are to be changed and use the context menu to choose the desired option.
Mapping of resource owners
If you create a query to import resource owners, it is possible to specify the resource's owner in two ways. You can do it either by directly importing the UID of the identity or by specifying the account from which the resolved owner is imported as a resource owner.
When mapping directly to the UID of identity, ensure that identities are already imported to Omada Identity.
When mapping to an owned account, it is possible to either specify the business key of the account or the composed businesskey. The former should be used if the account is in the same system as the resource; the latter should be used if the account is imported into any of the trusted systems.
When the account stems from another system, you should use a Lookup mapping.
SAP mappings to Data Warehouse
Provided Queries and Mappings are supplied as templates and can be adapted to meet customer requirements. The tables below present pre-defined set of names for each object type. See the column Alias Mappings.
SAP Access Data connectivity uses Alias mappings that are all lowercase.
Account
The following attributes are available for the Account dimension.
| XML | Data Warehouse (Destination) | Alias mappings (Source) | Comment |
|---|---|---|---|
| /USER/USERNAME | Name, UID, ComposedBusinessKey | username | Used as part of the business key |
| /USER/MANDT | client | ||
| /USER/SYSID | systemId | ||
| /USER/LOGONDATA/ACCNT | accountno | ||
| /USER/LOGONDATA/ANAME | creator | Creator of the user master record | |
| /USER/LOGONDATA/BCDA1 | lastpasswordchange | Date of last password change | |
| /USER/LOGONDATA/CLASS | usergroup | ||
| /USER/LOGONDATA/GLTGV | ValidFrom | validfrom | |
| /USER/LOGONDATA/GLTGB | ValidTo | validto | |
| /USER/LOGONDATA/LOCNT | nofailedlogons | Number of failed logon attempts | |
| /USER/LOGONDATA/LTIME | lastlogontime | Last Logon Time | |
| /USER/LOGONDATA/PWDINITIAL | pwdinitial | Indicator: Password is initial (=set by admin) | |
| /USER/LOGONDATA/PWDLGNDATE | pwdlastlogon | ||
| /USER/LOGONDATA/PWDLOCKDATE | pwdlockdate | Date: Setting of Password Lock | |
| /USER/LOGONDATA/PWDSETDATE | pwdset | Date: password reset by admin | |
| /USER/LOGONDATA/TRDAT | LastLogon | lastlogon | |
| /USER/LOGONDATA/TZONE | timezone | ||
| /USER/LOGONDATA/UFLAG | Status | statusflag | Status set to "Admin-Lock", "Expired" or "Active" based on the uflag value |
| /USER/LOGONDATA/USTYP | usertype | ||
| /USER/ADDRESS/BUILDING | buildingcode | ||
| /USER/ADDRESS/COMM_TYPE | commmeth | ||
| /USER/ADDRESS/DEPARTMENT | department | ||
| /USER/ADDRESS/EMAIL | emailaddress | ||
| /USER/ADDRESS/FAX_EXTENS | fax-extension | ||
| /USER/ADDRESS/FAX_NUMBER | fax | ||
| /USER/ADDRESS/FIRSTNAME | firstname | ||
| /USER/ADDRESS/FLOOR | floor | ||
| /USER/ADDRESS/FULLNAME | DisplayName | name | |
| /USER/ADDRESS/FUNCTION | function | ||
| /USER/ADDRESS/LANGU | language | ||
| /USER/ADDRESS/LASTNAME | lastname | ||
| /USER/ADDRESS/ROOM_NO | roomnumber | ||
| /USER/ADDRESS/TEL1_EXT | telephone-extension | ||
| /USER/ADDRESS/TEL1_NUMBER | telephone | ||
| /USER/ADDRESS/TITLE_ACA1 | academictitle | ||
| /USER/ADDRESS/TITLE_P | title | ||
| /USER/DEFAULTS/CATTKENNZ | teststatus | ||
| /USER/DEFAULTS/DATFM | dateformat | ||
| /USER/DEFAULTS/DCPFM | decimalnotation | ||
| /USER/DEFAULTS/KOSTL | costcenter | ||
| /USER/DEFAULTS/LANGU | logonlanguage | ||
| /USER/DEFAULTS/SPDA | deleteafteroutput | ||
| /USER/DEFAULTS/SPDB | printimmed | ||
| /USER/DEFAULTS/SPLD | outputdevice | ||
| /USER/DEFAULTS/START_MENU | startmenu | ||
| /USER/DEFAULTS/TIMEFM | timeformat | ||
| /USER/UCLASS/LIC_TYPE | licensetype | ||
| /USER/ALIAS/USERALIAS | alias | ||
| /USER/COMPANY/COMPANY | company | ||
| /USER/PARAMETER/PARID | parameterid | ||
| /USER/PARAMETER/PARVA | parametervalue | ||
| /USER/SNC/GUIFLAG | permitpasswordlogon | ||
| /USER/SNC/PNAME | sncname | ||
| /USER/GROUPS/USERGROUP | groupusergroup |
Resource - profile
The following attributes are available for the Resource dimension for resources that are sourced from SAP Profiles.
| XML | Data Warehouse (Destination) | Alias mappings (Source) | Comment |
|---|---|---|---|
| /PROFILES/PROFN | ComposedBusinessKey, Name | profilename | Used as part of the business key |
| /PROFILES/PTEXT | DisplayName | description | |
| /PROFILES/SYSID | systemid | ||
| /PROFILES/MANDT | client | ||
| /PROFILES/AKTPS | status |
Resource - role
The following attributes are available for the Resource dimension for resources that are sourced from SAP Roles.
| XML | Data Warehouse (Destination) | Alias mappings (Source) | Comment |
|---|---|---|---|
| /ROLES/ROLE | ComposedBusinessKey, Name | roleid | Used as part of the business key |
| /ROLES/ROLE_TEXT | DisplayName | name | |
| /ROLES/ROLE_LONG_TEXT | Description | description | |
| /ROLES/SYSID | systemid | ||
| /ROLES/MANDT | client | ||
| /ROLES/IS_COMPO | composite | ||
| /ROLES/COMPO_CONTAINS | childroles | ||
| /ROLES/TCODE | tcodes |
Resource - child roles
The following attributes are available for the Resource dimension for resources that are sourced from SAP Child Roles.
| XML | Data Warehouse (Destination) | Alias mappings (Source) | Comment |
|---|---|---|---|
| /ROLES/SYSID | systemid | ||
| /ROLES/MANDT | client | ||
| /ROLES/ROLE | roleid | ||
| /ROLES/COMPO_CONTAINS | childrole |
ResourceAssignments - profile
The following attributes are available for the ResourceAssignments dimension for resource assignments that are sourced from SAP Profiles.
| XML | Data Warehouse (Destination) | Alias mappings (Source) | Comment |
|---|---|---|---|
| /USER/PROFILES/BAPIPROF | Resource_ComposedBusinessKey | profilename | Used as part of the resource business key |
| /USER/USERNAME | Account_ComposedBusinessKey | username | Used as part of the account business key |
| /USER/SYSID | systemid | ||
| /USER/MANDT | client | ||
| /USER/PROFILES/BAPIAKTPS | status |
ResourceAssignments - role
The following attributes are available for the ResourceAssignments dimension for resource assignments that are sourced from SAP Roles.
| XML | Data Warehouse (Destination) | Alias mappings (Source) | Comment |
|---|---|---|---|
| /USER/ACTIVITYGROUPS/AGR_NAME | Resource_ComposedBusinessKey | roleid | Used as part of the resource business key |
| /USER/USERNAME | Account_ComposedBusinessKey | username | Used as part of the account business key |
| /USER/SYSID | systemid | ||
| /USER/MANDT | client | ||
| /USER/ACTIVITYGROUPS/FROM_DAT | ValidFrom | validfrom | |
| /USER/ACTIVITYGROUPS/TO_DAT | ValidTo | validto | |
| /USER/ACTIVITYGROUPS/ORG_FLAG | composite | Used to determine if the resource assignment is direct or indirect |
Default collected data
When you register the SAP Access Data system, three new resource types are created.
| Resource type | Description |
|---|---|
| SAP <systemname> Account | This is the default Account resource type. Two standard account resources are also created. One resource is for personal accounts and the other resource is for orphan accounts with no primary owner. |
| SAP Role | This is a Permission resource type. When you import roles from SAP, this type is used. |
| SAP Profile | This is a Permission resource type. When you import profiles from SAP, this type is used. |
Warehouse to portal mappings
In order to import the SAP Access Data from the Data Warehouse to the Enterprise Server, the below default mappings are provided.
| Data object type | Enabled | Description | SAP object |
|---|---|---|---|
| Resources | Yes | Resource update | Role, Profile |
| Resources | Yes | Resource update - Omada Identity | Role, Profile |
| Resources | Yes | Resource owner (Explicit owner) | Role, Profile |
| Resources | Yes | Resource delete | Role, Profile |
With the Horizons feature enabled, the behavior of Warehouse to Portal mappings has changed. For more information, go to Migrating to Horizons documentation.