Installing and Configuring the Custom SailPoint Function Module
Extracting data out of SAP with the Access Risk Management agent relies on remotely enabled function modules to read SAP tables. By default, the agent calls the standard SAP function module RFC_READ_TABLE. SailPoint provides an SAP-certified replacement, /SAILPOIN/SAIL_READ_TABLE, that adds a second authorization layer: besides the authorizations granted through PFCG roles, the agent user can only read the tables, and the columns within those tables, that are explicitly listed for it in a custom configuration table.
The Access Risk Management agent has a checkbox labeled Use SailPoint Table Extraction. Enable it only after the custom function module has been installed in SAP and configured as described below. With it enabled, the agent extracts data from SAP tables through the custom module, both for Security Extracts and for the change log extract used by Emergency Access Management (EAM).
Refer to Installation of SAILPOIN Add-On for prerequisites and installation steps.
Using the custom SailPoint function module
The /SAILPOIN/SAIL_READ_TABLE function module has two layers of security:
- SAP authorizations, assigned via PFCG roles.
  - Download the SAP roles, which include all necessary authorizations. Refer to Creating SAP System Users.
- A custom table in SAP (/SAILPOIN/CONF) in which the Access Risk Management agent's SAP user must be authorized for each table it reads, and for each column in that table.
  - Download the script that generates the necessary table entries (see Configuring custom table entries below).
Configuring custom table entries
The custom SailPoint function module script, Z_CONFIGURE_SERVICEACCOUNT, generates the custom table entries that the Access Risk Management agent user requires. Run it once for each extract type the agent will perform:
- Execute TCODE SE38.
- Enter program Z_CONFIGURE_SERVICEACCOUNT and press F8.
- Enter the SAP username that the Access Risk Management agent uses to connect to SAP, e.g. EM_CONNECTOR, in the Service Account field and ARM_EAM in the second field.
- Select Execute. This authorizes the user to process Change Logs for EAM.
- Go back, enter the same SAP username in the Service Account field and ARM_STANDARD in the second field.
- Select Execute. This authorizes the user to process Security Extracts.
- If you are using the SAP USER_ADDRS table, go back, enter the same SAP username in the Service Account field and ARM_USER_ADDR in the second field.
- Select Execute.
Troubleshooting
When Security Extract or Change Log jobs fail with an error stating that the job exceeded the maximum number of retries, the usual cause is that the agent user is not authorized in the new custom security table.
Verify that the agent user has the required entries:
- Log in to SAP and execute Tcode SE16.
- Enter table name /SAILPOIN/CONF.
- Enter the SAP username that the Access Risk Management agent uses to connect to SAP, e.g. EM_CONNECTOR, in the Service Account field.
- Select Execute.
- Verify that you see UST12 in the Name column of the table. If so, the user has been authorized to run Security Extracts. If it is missing, run Z_CONFIGURE_SERVICEACCOUNT again for this user with ARM_STANDARD in the second field.
- Verify that you see CDHDR in the Name column of the table. If so, the user has been authorized for EAM. If it is missing, run Z_CONFIGURE_SERVICEACCOUNT again for this user with ARM_EAM in the second field.
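The following Python model is added here as an illustration of how the two layers described above combine; it is not SailPoint's ABAP and not code from the SAILPOIN add-on. It shows why the per-column allowlist is stricter than a table-level authorization alone, and the last function mirrors the SE16 check in the troubleshooting steps. The field layout assumed for /SAILPOIN/CONF (a service account, a table name and a column), the column names in the sample entries, the USR02 entry used to show a table that has role access but no allowlist entry, and the simplified table-only model of the standard RFC_READ_TABLE path are all assumptions.

```python
"""Constructed model of the two authorization layers behind
/SAILPOIN/SAIL_READ_TABLE. Illustration only; the real table layout and the
module's parameters are not documented on this page and are assumed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfEntry:
    """One row of /SAILPOIN/CONF as modeled here (field names assumed)."""
    service_account: str  # agent RFC user, e.g. EM_CONNECTOR
    name: str             # table name, the "Name" column seen in SE16
    column: str           # a column of that table the account may read


# Layer 1: table-level access granted through PFCG roles. Modeled as a plain
# set of table names per user; the real check is an SAP authorization check.
PFCG_TABLE_ACCESS = {"EM_CONNECTOR": {"UST12", "CDHDR", "USR02"}}

# Layer 2: constructed entries in the style Z_CONFIGURE_SERVICEACCOUNT would
# generate for ARM_STANDARD (UST12) and ARM_EAM (CDHDR). Column names assumed.
SAMPLE_CONF = [
    ConfEntry("EM_CONNECTOR", "UST12", c)
    for c in ("OBJCT", "AUTH", "FIELD", "VON", "BIS")
] + [
    ConfEntry("EM_CONNECTOR", "CDHDR", c)
    for c in ("OBJECTCLAS", "OBJECTID", "CHANGENR", "USERNAME", "UDATE", "UTIME")
]


def standard_read_allowed(account, table):
    """Model of the default path: only the table-level authorization counts,
    so every column of an authorized table is readable."""
    return table in PFCG_TABLE_ACCESS.get(account, set())


def custom_read_allowed(conf, account, table, fields):
    """Model of the custom module: both layers must pass, and every requested
    column must be listed for this account and table. Returns (allowed, reason)."""
    if not standard_read_allowed(account, table):
        return False, f"{account} has no table authorization for {table}"
    allowed_cols = {
        e.column for e in conf if e.service_account == account and e.name == table
    }
    if not allowed_cols:
        return False, f"{table} not configured for {account} in /SAILPOIN/CONF"
    denied = sorted(set(fields) - allowed_cols)
    if denied:
        return False, f"columns not authorized on {table}: {', '.join(denied)}"
    return True, "ok"


# Marker table per extract type, as used in the SE16 check above.
EXTRACT_MARKER_TABLES = {"Security Extract": "UST12", "EAM change log": "CDHDR"}


def unconfigured_extracts(conf, account):
    """Mirror the SE16 check: extract types whose marker table has no entry
    for the account, i.e. the Z_CONFIGURE_SERVICEACCOUNT run still missing."""
    configured = {e.name for e in conf if e.service_account == account}
    return sorted(
        kind for kind, tbl in EXTRACT_MARKER_TABLES.items() if tbl not in configured
    )


if __name__ == "__main__":
    # Role access alone lets the default path read any column of USR02;
    # the allowlist denies it because no /SAILPOIN/CONF entry exists.
    print(standard_read_allowed("EM_CONNECTOR", "USR02"))
    print(custom_read_allowed(SAMPLE_CONF, "EM_CONNECTOR", "USR02", ["BNAME"]))
    # A CDHDR column outside the allowlist is rejected by name.
    print(custom_read_allowed(SAMPLE_CONF, "EM_CONNECTOR", "CDHDR", ["USERNAME", "TCODE"]))
    # A user configured for ARM_STANDARD only still lacks the EAM entries.
    print(unconfigured_extracts([e for e in SAMPLE_CONF if e.name != "CDHDR"], "EM_CONNECTOR"))
```

The model makes the practical consequence of the second layer visible: the PFCG role decides which tables the RFC user can touch at all, while the /SAILPOIN/CONF entries decide which columns of those tables the agent may actually read, and a missing Z_CONFIGURE_SERVICEACCOUNT run shows up as a whole extract type being unauthorized rather than as a single column.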
Test connection
If you are using Emergency Access Management, you must also edit the utilization options to use the SAP Security Audit Log.
Select Test Connection to check the agent’s connection to your SAP system.