Connector configuration
This section describes prerequisites and proper configuration of the SAP connector in Omada Identity.
Prerequisites
For SAP provisioning, an account with administrative access is required. The account should have rights to create, update, and delete relevant objects.
Provisioning configuration
This section describes the configuration of the provisioning for the Omada SAP Connectivity with SAP Framework 6.0.
Setting | Description |
---|---|
Method for accounts | Select the method for the provisioning of accounts and password reset. For SAP, select Omada Provisioning Service. |
Method for assignments | Select the method for the provisioning of assignments. For SAP, select Omada Provisioning Service. |
Provisioning connector | Select SAP Connectivity Framework 6.0. |
Use default configuration | Select this to use the default configuration for the selected connector. Enabling this option will overwrite any existing configuration. |
Connector settings
This section describes the configuration of the SAP connector for the Omada SAP Connectivity.
Setting | Description |
---|---|
Client | Specify the client number from SAP to which to connect. |
Host name | Type the fully qualified domain name (FQDN) of a valid host. You must include the port number of the application server to make the setting valid. |
User name | Type the user name of the administrative user used to access the service. |
Password | Type the password for the administrative user. Each time you make a change to any of the settings in the Connector settings dialog box, you must type your password again. |
Initial password | Provide a password that will be used as an initial password for newly created users. |
Test connection | Enable this setting to test the specified connection details. |
Provisioning: Process integration details
Setting | Description |
---|---|
Use process integration (PI) | Use this setting to enable the use of process integration (PI) for provisioning and open additional PI settings. |
Provisioning: Web service settings
Setting | Description |
---|---|
Connect using SSL | Enable this setting to use a secure HTTPS connection via Secure Sockets Layer (SSL). |
Skip certificate check | Select this to ignore any certificate check while connecting using SSL. |
Setting/string | Default value | Description |
---|---|---|
User get single service | abap_user_get_single_send | |
User get single binding | abap_user_get_single_send | |
User create service | abap_user_cre_send | |
User create binding | abap_user_cre_send | |
User modify service | abap_user_mod_send | |
User modify binding | abap_user_mod_send | |
User delete service | abap_user_rem_send | |
User delete binding | abap_user_rem_send | |
User password change service | abap_user_pwch_send | |
User password change binding | abap_user_pwch_send | |
Role assignment service | abap_ops_user_role_delta_send | |
Role assignment binding | abap_ops_user_role_delta_send | |
Profile assignment service | abap_ops_user_profile_delta_send | |
Profile assignment binding | abap_ops_user_profile_delta_send | |
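A review check for the connector and web service settings above, as an added example that is not part of the Omada documentation or product. It assumes the settings are available as a dict keyed by the setting labels used on this page; that representation and the sample values are hypothetical.

```python
import re

# FQDN followed by ":port", as the Host name setting requires.
FQDN_WITH_PORT = re.compile(
    r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}:(?P<port>\d{1,5})$",
    re.IGNORECASE,
)


def audit_connector_settings(settings):
    """Return a list of findings for one connector configuration (assumed dict)."""
    findings = []
    match = FQDN_WITH_PORT.match(settings.get("Host name", ""))
    if not match:
        findings.append("Host name must be an FQDN followed by :port")
    elif not 1 <= int(match.group("port")) <= 65535:
        findings.append("Host name port is out of range")
    if not str(settings.get("Client", "")).isdigit():
        findings.append("Client must be a client number")
    # Provisioning tasks carry PASSWORD.BAPIPWD as clear text, so the
    # transport settings decide whether that value is protected in transit.
    if not settings.get("Connect using SSL", False):
        findings.append("Connect using SSL is disabled: traffic is not encrypted")
    if settings.get("Skip certificate check", False):
        findings.append("Skip certificate check is enabled: server identity is not verified")
    return findings


# Constructed sample values, not taken from a real system.
WEAK = {"Client": "100", "Host name": "sap01.example.com",
        "Connect using SSL": True, "Skip certificate check": True}
HARDENED = {"Client": "100", "Host name": "sap01.example.com:44300",
            "Connect using SSL": True, "Skip certificate check": False}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connector_settings(cfg))
```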
Data model
The data model for SAP Connectivity supports the following objects.
SapUser
The connector supports all properties from the Web services on the SapUser object.
Supported operations: Create, Update, and Delete.
Below is a list of main properties on the User object.
Properties on structs are specified by [name of the struct property].[propertyname], for example ADDRESS.PERS_NO.
Property | Type | Description |
---|---|---|
SYSID* | stringType | The system to which the user belongs. |
MANDT* | stringType | The mandate to which the user belongs. |
USERNAME* | stringType | The name of the user. |
LOCK | stringType | Specifies whether to lock the user. The value can be True or False. |
ADDRESS.PERS_NO | stringType | |
ADDRESS-ADDR_NO | stringType | |
ADDRESS.TITLE_P | stringType | Academic title. |
ADDRESS.FIRSTNAME** | stringType | The first name of the user. |
ADDRESS.LASTNAME** | stringType | The last name of the user. |
ADDRESS.BIRTH_NAME | stringType | |
ADDRESS.MIDDLENAME | stringType | The middle name of the user. |
ADDRESS.SECONDNAME | stringType | |
ADDRESS.FULLNAME | stringType | |
ADDRESS.NICKNAME | stringType | |
ADDRESS.INITIALS | stringType | |
ADDRESS.DEPARTMENT | stringType | The name of the department. |
ADDRESS.FUNCTION | stringType | The user’s function. |
ADDRESS.TITLE | stringType | The user’s title, for example Mr or Ms. This field may be required on some systems. |
ADDRESS.NAME | stringType | |
PASSWORD.BAPIPWD | secureStringType | The password for the user. The connector expects a clear-text string. The OPS service performs the necessary decryption. |
PASSWORD.INITIAL | booleanType | If the password is an initial password, the user is prompted to change the password on first logon. |
PASSWORD.PRODUCTION | booleanType | Select if the password is a production password for non-dialog users. |
LOGONDATA.USTYPE | stringType | The type of user. The default user type is DIALOG. |
Properties marked with * are required. Properties marked with ** are required on Create actions.
SapRoleAssignment
The SapRoleAssignment object is used to add, remove or update an assignment between a User and a Role.
Supported operations: Create, Update, and Delete.
Property | Type | Description |
---|---|---|
USERNAME* | stringType | The name of the user for which to add or remove a profile assignment. |
PROFILE* | stringName | The name of the profile to add or remove for the user. |
Properties marked with * are required.
SapProfileAssignment
The SapProfileAssignment object is used to add or remove an assignment between a User and a Profile.
Supported operations: Create and Delete.
Property | Type | Description |
---|---|---|
USERNAME* | stringType | The name of the user for which to add or remove a profile assignment. |
PROFILE* | stringName | The name of the profile to add or remove for the user. |
Properties marked with * are required.
SapPasswordChange
The SapPasswordChange object is used to change passwords on existing users.
Supported operations: Update.
Property | Type | Description |
---|---|---|
USERNAME* | stringType | The name of the user for which to add or remove a profile assignment. |
PASSWORD.BAPIPWD* | secureStringType | The password for the user. The connector expects a clear-text string. The OPS service performs the necessary decryption. |
PASSWORD.INITIAL | booleanType | If the password is an initial password, the user is prompted to change the password on first logon. |
PASSWORD.PRODUCTION | booleanType | If the password is a production password, you must set PASSWORD.INITIAL to False. |
Properties marked with * are required.
The parameters listed in the tables above are not all the available parameters but only the commonly used ones. You can extend the objects with additional parameters if required.
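The rules in the data model tables above (supported operations, properties marked * and **, the LOCK values, and the PASSWORD.PRODUCTION constraint) can be checked before a task is submitted. This is an added example, not Omada code; the flat dict keyed by dotted property name and the sample tasks are assumptions.

```python
# Rules transcribed from the data model tables on this page:
# object type -> (supported operations, required, additionally required on Create).
# The flat dict keyed by dotted property name is an assumed representation.
MODEL = {
    "SapUser": ({"Create", "Update", "Delete"}, {"SYSID", "MANDT", "USERNAME"},
                {"ADDRESS.FIRSTNAME", "ADDRESS.LASTNAME"}),
    "SapRoleAssignment": ({"Create", "Update", "Delete"}, {"USERNAME", "PROFILE"}, set()),
    "SapProfileAssignment": ({"Create", "Delete"}, {"USERNAME", "PROFILE"}, set()),
    "SapPasswordChange": ({"Update"}, {"USERNAME", "PASSWORD.BAPIPWD"}, set()),
}


def validate_task(object_type, operation, props):
    """Return a list of problems; an empty list means the task passes.

    Messages name properties only and never echo values, so the clear-text
    PASSWORD.BAPIPWD cannot leak into logs through this check.
    """
    if object_type not in MODEL:
        return [f"unknown object type {object_type}"]
    operations, required, on_create = MODEL[object_type]
    problems = []
    if operation not in operations:
        problems.append(f"{operation} is not supported on {object_type}")
    needed = required | (on_create if operation == "Create" else set())
    for name in sorted(needed):
        if props.get(name) in (None, ""):
            problems.append(f"missing required property {name}")
    if "LOCK" in props and props["LOCK"] not in ("True", "False"):
        problems.append("LOCK must be True or False")
    if props.get("PASSWORD.PRODUCTION") is True and props.get("PASSWORD.INITIAL") is not False:
        problems.append("PASSWORD.PRODUCTION requires PASSWORD.INITIAL set to False")
    return problems


# Constructed sample tasks (system, user, profile and password values are made up).
SAMPLES = [
    ("SapUser", "Create", {"SYSID": "PRD", "MANDT": "100", "USERNAME": "JDOE"}),
    ("SapProfileAssignment", "Update", {"USERNAME": "JDOE", "PROFILE": "Z_DISPLAY"}),
    ("SapPasswordChange", "Update", {"USERNAME": "JDOE", "PASSWORD.BAPIPWD": "placeholder",
                                     "PASSWORD.PRODUCTION": True, "PASSWORD.INITIAL": True}),
]

if __name__ == "__main__":
    for object_type, operation, props in SAMPLES:
        print(object_type, operation, validate_task(object_type, operation, props))
```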
Task mappings
Omada SAP Connectivity uses the following mappings:
Parameter | Description |
---|---|
ROPE Account to SAP User | Contains mappings of Role and Policy Engine accounts to SAP users. |
SSPR SAP | Contains mappings for resetting the passwords of SAP users. |
ROPE Assignments to SAP Role Assignments | Contains mappings of Role and Policy Engine assignments to SAP Role assignments. |
ROPE Assignments to SAP Profile Assignments | Contains mappings of Role and Policy Engine assignments to SAP Profile assignments. |