Skip to main content

Target system

Omada provides several Enterprise Services for reading and updating data in SAP. In addition, the custom transaction codes are also made available for the configuration of the employee extraction. The Enterprise Services can be imported directly into SAP HCM.

Prerequisites

Before you start to generate the Web services for the interfaces or object types, following prerequisites

  • Activate the required services in transaction SICF:

    • sap/bc/webdynpro/sap/APPL_SOAP_MANAGEMENT
    • sap/bc/srt (including sub-nodes)

  • Omada SAP Connectivity Add-On package must be imported with the ABAP Proxies.

Minimum required permissions

SAP HCM Connectivity in Omada Identity requires access to run transaction code SOAMANAGER in the backend system.

Required authorizations in SAP

For configuration and execution of the Omada SAP HCM Connectivity package, you can use the SAP Connectivity Interface template role:

For the SAP HCM system:

  • Y_OMADA_SAPMA_DEVELOPER_ECC
  • Y_OMADA_SAPMA_CONSUMER_ECC

The SAP Connectivity Interface composite role for developers enable you to administer and configure service providers and consumer proxies for your local backend. The roles provide only normal SAP developer system access for the SAP backend.

The consumer role is to be assigned to the user used by OPS and ODW, and who connects to SAP and reads/updates/creates objects in SAP.

These roles are delivered as part of the Add-on package provided by Omada.

Role details

Y_OMADA_SAPMA_DEVELOPER_ECC

The SAP ECC composite role, Y_OMADA_SAPMA_DEVELOPER_ECC, contains the following single roles:

Role nameDescription
Y_OMADA_SAPMA_CONSUMER_ECCMaster role for Omada SAP MA, OPS, and ODW
Y_OMADA_SAPMA_WEBS_ADMINWeb Service Administrator
Y_OMADA_SAPMA_WEBS_ADMIN_BIZUser Role for Business Administrator
Y_OMADA_SAPMA_WEBS_ADMIN_TECStandard Role for Technical Administration of Web Services
Y_OMADA_SAPMA_WEBS_CONSUMERWeb Service Consumer
Y_OMADA_SAPMA_WEBS_DEBUGGERTemplate Role for Web Service Debugger
Y_OMADA_SAPMA_WEBS_OBSERVERUser Role for Viewing All Web Service Information
Y_OMADA_SAPMA_WEB_SERVICE_USERPattern Role for Web Service Runtime Background User

Y_OMADA_SAPMA_CONSUMER_ECC

The SAP ECC role, Y_OMADA_SAPMA_CONSUMER_ECC is a single role which contains all required authorizations for the user who are to connect to SAP from Omada Identity.

Network requirements

The TCP/IP ports used by the SAP system are customer specific, typically the SAP Basic administrator can provide this information. The port numbers are maintained in the SAP NetWeaver Application Server profile.

Example of configured parameters in the SAP NetWeaver Application Server profile

SAP Add-ON

As the first step in preparing the SAP backend, you must import the enterprise services and extract program provided by Omada.

After upgrading all web services are already configured and no additional configuration is required.

Omada's SAP HCM Connectivity utilizes the SAP Add-On installation Tool (SAINT) to install the Omada components into the SAP system(s).

The screenshots below are based on SAP NetWeaver Application Server 7.50. There may be differences in older versions.

  1. Download the .sar file, that is relevant for your SAP solution, from the Omada Help Desk and copy it to the folder on your local PC.

  2. Log into client 000 in SAP via SAP GUI and execute transaction SAINT.

  3. Select the menu More > Extras > Settings and deselect the Check for digital signature of to be imported OCS Packages option marked below.

    CheckOCSPack

  4. The list of installed components is displayed.

    InstalledComp

  5. Select the menu More > Installation Package > Load Packages > Sar Archive from Frontend.

    SARArchive

  6. Navigate to the folder where the downloaded .sar file is located and click Open.

    SelectSAR

  7. If the below pop-up appears, select Allow.

    SAPGUISecurity

  8. You can ignore the warning about the archive not being signed. Select Decompress to unpack and copy the file to target directory on the SAP server.

    Decompress

  9. You will be returned to the below screen again where you select Start.

    StartInstall

  10. The Omada Add-On is now listed as an installable Add-on package, select the package by ticking the box to the left of the row and click Continue.

    InstallAddOn

  11. There are no Support Packages to apply, select Continue.

    SupportPackage

  12. The Omada Add-on is added to the installation queue, select Continue.

    InstallQueue

  13. When you are asked if you want to add Modification Adjustment Transports, select No.

    ModAdjustTransport

  14. The Add-On is now ready to be installed. By default, it runs in a dialog mode, but optionally you can also change the Start Options to run the installation in the background. This guide will demonstrate running in dialog mode. Click the checkicon icon to continue.

    DialogMode

  15. After some time, you should receive the below confirmation that the Add-On was successfully imported, click Finish.

    ImportDone

  16. You are prompted if you want to send runtime analysis, select Do not send.

    DoNotsend

  17. Add-On import is now completed, and you can continue to the configuration part.

    Completed

Note that Omada provides newer versions of the Add-On when required, so the Release and Level numbers shown in the above screenshot can be higher. The latest version is always available on the Omada Help Desk.

Target system configuration

Dynamic extract program

The SAP HCM interface extracts the identity management relevant information that is related to the identities stored in SAP. The frequently used parameters that drives access and provisioning in an identity management solution are provided out of the box.

The interface enables you to carry out a full extract of the identities found in SAP.

The identities are extracted to the internal table called SAPHREMPLOYEEDATA. The table fields are defined in a structure which is only used by this function module. The structure is called ZHRIDENTITYDATA and the predefined fields are listed in the General config section.

The logic utilizes the BAPI_EMPLOYEE_GETDATA method, a function module, which is included in the SAP standard installation. The method allows to retrieve data from several crucial info types:

  • info type 0001 - Org. Assignment
  • info type 0002 - Personal Data,
  • info type 0032 - Internal Data,
  • info type 0105 - Communications.

These four info types do not normally cover all the relevant data needed. Therefore, logic has been added to retrieve the following:

  • Data from additional info types using the SAP standard function module HR_READ_INFOTYPE
  • Organizational structure data using the SAP standard function module RH_SETUP_TREE_TABLE
  • Text of the job and position using the SAP standard function module HR_READ_FOREIGN_OBJECT_TEXT
  • Company code data using the SAP standard function module BAPI_COMPANYCODE_GETDETAIL

The extract program, running in the background (specifically during night hours), populates the /OMADA/HRCACHE and /OMADA/HRCACHE2 cache tables

The extract program uses the configuration tables to fetch employee records and populate the cache tables. The cache tables are exposed via an ABAP proxy for which a SOAP web service is generated as described in the Generate Web Services using SOAMANAGER.

TableConfig

Initial configuration

The initial extract configuration rules defined by Omada for the employee extraction are delivered as a Business Configuration Set (BC Set).

warning

It is recommended to only import the BC Set during the initial implementation of the Omada SAP HCM Connectivity Interface.

The activation of BC set overwrites existing configuration with the initial configuration rules provided by Omada for employee extraction. This is especially relevant if you have defined:

  • Extraction rules including fields, conditions, and exceptions to extract
  • Rules for dates utilized in selection parameters and general configuration, relevant for conditions or exceptions, that uses the Transaction code /N/OMADA/CONFXHR.

The BC Set is delivered as part of the Add-On installation but must be activated in the SAP client from where employees are exported to Omada Identity.

Activation of the BC set

  1. Log in to the SAP client where the employees exist, enter transaction SCPR20.

    SAPtransact

  2. Hit F4 to search for /OMADA and click Start Search.

    SAPsearch

  3. The below entry will be displayed -- select it and click the check mark icon.

    SearchCheck2

  4. Click the icon (F7) to activate the BC Set.

    F7BCSet2

  5. You are prompted for a transport request -- choose an existing or create a new one. You will use this transport request to import the initial configuration into the other SAP HCM systems in your SAP landscape. Click the check mark icon to continue.

    CheckTransp

  6. You are presented with the below dialogue, keep default settings and click the check mark icon to continue.

    SAPActivationOpt

  7. When activation completes the below screen is presented.

    BusinessConfigSet2

    You can now continue with the next step.

Configuration of dynamic extract program

The configuration of the dynamic extract program is stored in a number of custom tables provided by Omada. For easy access to these tables maintenance screens, the transaction code /N/OMADA/CONFXHR is provided. For more information, go to Additional information.

Basic selection - /OMADA/BASICSEL

The configuration is stored in the /OMADA/BASICSEL table.

note

The single quote mark is a placeholder for the value specified in the Dynamic condition column.

BasicselTab2

You can have more groups but only one as active.

The rules are as follows:

  • If you delete one entry from a group -- the entire group will be deleted.
  • If you change "Active" for one entry in a group -- the complete group will be active.
  • If you want to activate another group, you must deactivate the active one.

Functionality regarding "Execution", "Select criteria", and "Dynamic condition" is the same as in the Conditions for extract section.

The second group can be an example of how you can use the "(" symbol. The result for group 2 will be:

( STAT2 = '3'
AND BEGDA LE SY-DATUM
AND ENDDA GE SY-DATUM )
OR
( STAT2 = '3'
AND ENDDA EQ '99991231')

Fields to extract

Here you can define data from which fields is extracted to the /OMADA/HRCACHE and /OMADA/HRCACHE2 output tables, and how it is mapped. Based on the import parameter, the identities are extracted one by one.You can find some entries that are not active. These entries are provided as examples for your convenience.

The configuration is stored in table /OMADA/MAPPARAM.

MapParamTable

The CT column has two values

  • FM: Function Module
  • T: Tableselect

These values decide on how the extract program extracts data.

In addition to the call of the standard function modules, you can also directly retrieve data from tables defined in SAP Dictionary entries where Input tab has <TABLESELECT> value. The mapping of data from these tables must also be defined in the /OMADA/MAPPARAM customized table. However, you must specify the actual call with the specific extract conditions in the /OMADA/XTRACTCND customized table, which means entries in /OMADA/XTRACTCND must be defined in /OMADA/MAPPARAM.

Conditions for extract

Here you can specify the conditions of the extract from SAPHREMPLOYEEDATA. Entries in this table are related to entries in the /OMADA/MAPPARAM table that has <TABLESELECT> value in the Input tab.

XtractcndTable

For example, CSKT is a <TABLESELECT> , and thus, you can find entries in /OMADA/XTRACTCND for the same Subject ID. The extract is based on the content in the /OMADA/MAPPARAM table. This table comes with some predefined records. If you do not need one or more of the predefined records, you can delete them from the table. The extraction order is defined in the Execution field. The ability to retrieve a value may require other data to be available.

warning

The order in which data is extracted impacts the retrieval of data. An incorrect order will lead to inaccurate data selection.

Exceptions to extract

In this tab, you can configure if you want to exclude some entries from the extract. The configuration is stored in the /OMADA/XTRCT_XCE table. You can use this table by creating entries so the program can make the table select from the backend.

note

This table is always Tableselect.

This table also comes with predefined exceptions that you can activate by setting a checkmark for the fields in the Active column. You enter conditions to check whether the identity in question complies with the rules. If the identity complies with the rules, it is not extracted.

XtrctXceTable

note

The predefined exceptions require the synchronized Employees to be Active and have the PERNO attribute populated. This may require a change to match the customer's requirements.

Maintain Exception Conditions

To specify a dynamic SQL call in ABAP, different parts of the statement can be built dynamically by code to allow more flexibility. This is not offering good performance and is mostly discouraged for normal use. It can be used in a batch program being executed in the background to reduce the impact on the performance.

The general form of a dynamic SQL statement is:

SELECT [field] INTO TABLE <itab>
FROM [table]
WHERE [where-clause]

The dynamic parts of the statement are enclosed in brackets [ ]. The <itab> is a pointer to an internal table for the resulting data.

  • The [field] is a string with a list of fields as they would be written in OpenSQL.
  • The [table] is the table specification. This can be a single table name or a join of tables including the join condition.
  • The [where-clause] is a string with the where clause using the same syntax as OpenSQL.
Join of tables limitations
  • The first table in the join must be the same as Subject ID
  • Only fields from the table specified by Subject ID can be returned. This is because the internal table <itab> is created dynamically from the structure of that table.

Placeholders are named %1 - %9 and can be used to insert the value of a program variable. This is often not necessary as the where-clause should be written as a normal ABAP statement would be written. For example, it is necessary when the value needs to be enclosed between quotation marks.

There is no mechanism to verify if a program variable is valid or if the syntax of the SQL statement is correct.

note

To deactivate a statement, all lines of that statement have to be disabled. If a single line of the statement is marked as active, the whole statement is active. When a line of a statement is checked/unchecked the result is that all lines get checked/unchecked.

The Delete Row functionality removes the whole statement.

The CALL_TYPE and DYN_CONDITION are legacy columns that are not used but remain to avoid deleting data of existing implementations.

Creating a new exception

  1. Insert a new entry.

    ExceptNewEntr

  2. Enter the table in Subject ID and a Subject. The subject must be unique within the Subject ID.

    ExceptSubject

  3. Select the new entry and click the edit SQL icon.

    ExceptSQL

    This opens the Edit SQL statement window.

    EditSQL

    The Table field has already been filled with the table (from the Subject ID).

  4. Enter the conditions and click Copy Changes.

    CopyChanges

    The changes are saved.

    SavedChange

Additional details for setup of HCM extract control tables

/OMADA/MAPPARAM

MAPPARAM

Use sequence number to generate unique link if more information is to be extracted from the same table using different selection criteria.

/OMADA/XTRACTCND

XTRACTCND

This table is only used for table selects.

/OMADA/XTRCT_XCE

XTRCTXCE

Rules for dates used for conditions or exceptions - /OMADA/DYN_DATE table

This setting allows you to extract records with a valid to date, set in the past. This is relevant and required if an employee's valid to date is updated after the expiration date has passed.

important

If you do not require to extract terminated records, don't remove the row in the figure, instead set the days, months, and years value to blank.

DynDateTable

Termination types

This tab allows you to find the actual termination date for a specific employee. The date is entered into the TERMDATE field in the /OMADA/HRCACHE and /OMADA/HRCACHE2 tables. The SAP Collector in Omada uses an expression for the Identity object to read ValidTo from TERMDATE if the field is populated.

HrCacheTable

The entries from the /OMADA/HRCACHE table are used to find the correct termination date if the employee status value is set to terminated. Termination types (Action Type) used to find the correct termination date must be entered into this table. In the extract program, entries are selected and, if status from actual/future employee period is one of the entries in /OMADA/TERM_TYPE, the termination date for the employee in the extract will be set as the beginning date from the actual termination period.

/* Define the parameters to determine the starting date of the employee */
SELECT * INTO wa_actiontypes
    FROM /omada/id_strtdt.

    SELECT * INTO wa_t529t
    FROM t529t WHERE mntxt = wa_actiontypes-mntxt AND
                     sprsl = sy-langu.
        APPEND wa_t529t TO itab_t529t.
    ENDSELECT.
ENDSELECT.

Start dates

This setting allows you to change the start date, if the future entry has the rehire action type value, equal to one of the table entries.

StartDatesTable

Entries are stored in the /OMADA/ID_STRTDT table and are plain text. However, the text has to be corresponding with the T529T. The entries are used to find other start dates as periods in PA0000. These texts are used in the extract program to select Action Types in the T529T - Personnel Action texts table, which are chosen by Name of action type.

General Config

This setting is used to determine the Unique ID for the extract to /OMADA/HRCACHE or /OMADA/HRCACHE2 tables, and thereby the anchor for the SAP MA. Only employees with values in the selected anchor field will be written to the cache table. This also drives the value of in the attribute Manager PersonnelNo.

The configuration is stored in the /OMADA/EXTRACT_C table.

ExtractCtable

Delta Config

This setting allows you to change the selection of which infotypes to include for delta.

The selection column can be set in a following way:

  • initial - do not include in delta

  • Set as X - include in delta

You can only use PA infotype tables.

Example

The value 0000 in the Infotype column means infotype table PA0000.

delta-config

Function - Test Interface

When you have made changes to the configuration of the dynamic extract program, you can test the configuration by using the below button.

TestInterf

You can test and verify with a single employee if the record is included in the /OMADA/HRACHE table or not -- dependent on the configuration.

TestEmployee

You can only test one employee at the same time.

ShowDetails

To show details, click details (the example shows SAP GUI 750).

Details

Function - Log Display

You can display the logs of every execution of the extract program. Both manual tests and the executions performed via a background job.

LogDisp

You can select a specific date or an interval.

LogDate

Log summary shows the date and time of extract, including duration, no. of records, and who initiated the extract.

LogSummary

Function - Clear Log

You can delete the logs of every execution of the extract program. Both manual tests and the executions performed via a background job.

ClearLog

You can select a specific date or an interval.

ClearLogDate

All logs relevant for selection range Extract date will be deleted.

Transport configuration changes

When you introduce changes to the dynamic extract program in the development instance of the SAP HCM system, it requires reentering the changes into Test/QA/Production SAP HCM systems. To automate reentering the changes use a SAP Transport Request to add the table contents of the involved /OMADA tables.

If you don't have access to the transaction code SE10 (Transport Organizer) in your SAP system ask your SAP Basis Team for assistance,

note

SAP supports automatic recording of changes only via transaction code SM30, hence recording changes performed in transaction code /OMADA/CONFXHR is not possible.

SAP HCM background job scheduling

The Read all Employees service either returns information on all employees or only those that had their information updated after a provided date (the delta date). Returning information on all employees takes a considerable amount of time to execute in environments with large numbers of employees. This can cause timeout errors from multiple places in the SAP stack.

For this reason, instead of computing the result for every call, the service returns results retrieved from a cache tables. Specifically, the /OMADA/HRCACHE and /OMADA/HRCACHE2 tables. The content of those cache tables needs to be refreshed periodically by a background job. The suggested update interval is once per day.

important

Scheduling the background job requires user with appropriate permissions in the SAP.

The background job must be scheduled by a SAP administrator in transaction SM36. The report in question is /OMADA/UPDATEHRCACHE. Ad hoc cache updates can be performed by scheduling the report for immediate execution in transaction SM36. Should errors occur during the cache refresh, the job will be flagged red with status Cancelled in the background job list (transaction SM37). In this case, the job log will contain more information about why the job has failed.

note

Note that if a delta date is provided in the web service call, the information will always be computed and returned synchronously. Cached data will only be returned if no delta date is provided.

Generate Web Services using SOAMANAGER

Objects supported by Omada Connectivity Framework for SAP Solutions:

SAP ObjectInternal Name (SOAMANAGER)Description
Employees/OMADA/EMPL_GET_RESPRead all Employees
Employees/OMADA/EMPL_MOD_RESPChange existing Employee
Company Code/OMADA/FICO_COMP_CODE_RESPRead all Company Codes
Cost Centers/OMADA/FICO_COST_CENTER_RESPRead all Cost Centers
Building/OMADA/HR_BUILD_RESPRead all buildings
Jobs/OMADA/HR_JOBS_RESPRead all jobs
Positions/OMADA/HR_ORGPOS_RESPRead all Positions
Org. Units/OMADA/HR_ORGUNIT_RESPRead all Organizational Units
Personnel Area/OMADA/HR_PERSAREA_RESPRead all Personnel Areas
Personnel Subarea/OMADA/HR_PERSSUBAREA_RESPRead all Personnel Sub Areas

  1. Start transaction SOAMANAGER in the SAP backend where you want to generate the Web service.

    Your standard browser will open (Internet Explorer 11 is shown below):

  2. Select the Service Administration tab.

  3. Click the Web Service Configuration link.

  4. Set up the following search criteria:

    Search by: Object Name; Search Criteria: contains; Search Pattern: /OMADA*

  5. Click Search. The search results will now be shown.

  6. Choose the relevant interface (see the information in table above) by clicking it, the below screen appears.

  7. Click Create Service.

  8. Enter a Service Name, Description, and Binding Name. Make sure that the names and description reflect the interface that you have chosen. When you have done so, click Next.

    important

    The values entered in Service Name and New Binding Name will be part of the generated web service url, so in order to use as much of the predefined query and mapping configuration in the System Onboarding wizard in Omada Identity, it is recommended to name the services according to below table.

An overview of service names and binding names:

ObjectService Name / New Binding Name
Employeesemployee_get
employee_modify
Company Codecompanycode_get
Cost Centerscostcenter_get
Buildingbuilding_get
JobsJobs_get
Positionsposition_get
Org. Unitsorgunit_get
Personnel Areapersonnelarea_get
Personnel Subareapersonnelsubarea_get

  1. Under Authentication Settings, Transport Channel Authentication, select User ID/Password, and then click Next.)

  2. There is nothing to configure in the step SOAP Protocol, click Next.

  3. There is nothing to configure in the step Operation Settings, click Finish.

  4. You can now see the new service and the binding that you have generated.

  5. Now you have to find the corresponding Web service and link to it. In the same screen, click the Open Binding WSDL Generation icon.

  6. Click the icon Open WSDL document for selected binding.

  7. You will be prompted for username and password

  8. After you enter correct username and password, the WSDL is shown in your standard browser (Internet Explorer 11 is shown below):

    You can now continue to create services for the remaining interfaces.

OPTIONAL - Implement BADI in SAP ABAP backend system

For customers who have requirements which cannot be met via configuration of the dynamic extract program, a BADI is provided as an enhancement option in the service interface. Customers must implement BADI to suit the custom requirements. The interface's outbound processing should be implemented to enhance the output structure.

All skilled developers can prepare coding in below BADI's by double click required BADI.

BAdi - /OMADA/EMPL_GET_SEND:

  • Interface - OUTBOUND_PROCESSING

The screenshot below presents BADI Code Snippet from the service interface method.

BadiOutbound

  • Interface -- DELTADATE_CHANGE

The screenshot below presents BADI Code Snippet from the extract program (FM: OMADA/GET_HR_IDENTITIES).

BadiDelta

  • Interface -- BEFORE_FM_FIND_DATA_END

The screenshot below presents BADI Code Snippet from the extract program (FM: OMADA/GET_HR_IDENTITIES).

BadiBefore

Further functionalities not handled by configuration program

The functionalities described below are not utilized by the configuration program.

Subtype for Infotype PA0006 - /OMADA/INFTP6UPD

You can use transaction code /N/OMADA/UPD_INFTP6UPD to access the maintenance screens for this table.

SubType

This table is only used for updating employee infotype 6 - subtype. The extract searches only for entries in this table -- infotype 6 subtypes - in case an employee has data from infotype 6. In this case, the extract program updates required infotype by running SAP standard methods (actual Function Module) HR_MAINTAIN_MASTERDATA.

Cust_extx fields for extract

Ten fields are inserted to cache table /OMADA/HRCACHE2 -- "CUST_EXT1", "CUST_EXT2"...."CUST_EXT10"). These fields are not used as standard solution, but can be used in the configuration.

Example

You can save data in CUST_EXT1 as follows:

  1. From configuration functionality go to "Fields to extract". See the Maintain Exception Conditions section on how to insert new entry.

    NewCustFields

  2. STAT2 is moved to fields INF00EMPL_STATUS and, as a test, CUST_EXT1. Remember this is NOT part of standard entries.

Additional information

ComponentComponent TypeData TypeLengthShort Description
INF02FIRST_NAMEPAD_VORNACHAR40First Name
INF02LAST_NAMEPAD_NACHNCHAR40Last Name
INF02MIDDLE_NAMEPAD_MIDNMCHAR40Middle Name
INF02NICK_NAMEPAD_RUFNMCHAR40Nickname
INF06COM01COMKYCHAR4Communication Type
INF06NUM01COMNRCHAR20Communication Number
INF06COM02COMKYCHAR4Communication Type
INF06NUM02COMNRCHAR20Communication Number
INF06COM03COMKYCHAR4Communication Type
INF06NUM03COMNRCHAR20Communication Number
INF06COM04COMKYCHAR4Communication Type
INF06NUM04COMNRCHAR20Communication Number
INF06COM05COMKYCHAR4Communication Type
INF06NUM05COMNRCHAR20Communication Number
INF06COM06COMKYCHAR4Communication Type
INF06NUM06COMNRCHAR20Communication Number
INF105SMTPADRAD_SMTPADRCHAR241E-Mail Address
INF105SUBTYPMAILAD_SMTPADRCHAR241E-Mail Address
INF105TLNMBR1AD_SMTPADRCHAR241E-Mail Address
INF105USERIDAD_SMTPADRCHAR241UserID