Integrating with Your SAP System
To integrate your SAP system with Access Risk Management, you will first create SAP system users with the necessary roles to provide data from your system. SailPoint provides an agent you can install on a Virtual Machine (VM) to connect your SAP accounts.
When your SAP systems are connected, you must run a security extract to securely pull down and display data from the connected systems. You can then edit your SAP role details and create block lists within Access Risk Management. You can also work with SailPoint Support to configure SSO.
Creating SAP System Users
An SAP administrator must create an SAP system user within each target system. The Access Risk Management agent uses this user's SAP username and password for Remote Function Call (RFC) communication with the target system.
You can select any user with proper authorizations, but we recommend the following user specifications:
- User: EM_Connector
- User Type: System
- Assign the roles:
  - Download the SAP file for standard access roles and assign them to the system user in each target system.
  - If you use Emergency Access Management (EAM) or Access Reviews, also download the SAP file for additional roles and assign them to the same user.
Note
Contact your SAP administrator if you need assistance using transaction PFCG to upload the roles.
Setting up a VM
SAP systems are connected using an agent that lives on a VM in the same network as the SAP environment.
The agent runs as a Windows Service that will start when the machine starts and stay running even if nobody is logged in to the machine. The agent is designed to be the only agent necessary in a company’s infrastructure.
Configure your VM on the same network as your SAP environment with the following requirements:
- 64-bit Windows operating system (Server 2012 or later)
- 6GB RAM (8-16GB preferred)
- 10GB disk space (30GB or more preferred; exceptionally large or complex ERP systems may need more)
- Broadband connection to the internet
When you have created a VM on the same network as your SAP environment, you can install the agent and connect your SAP systems.
Connecting Your SAP Systems
You will use the agent to register your SAP systems in order to safely extract and transmit security-related data to Access Risk Management. This data is used to identify potential risks and violations.
To register your SAP systems:
- Download the agent to your VM. The agent is provided by SailPoint Support.
- Select Install. When the installation is complete, your browser opens to http://localhost:5000 with the Access Risk Management login screen. You can also open it from the shortcut on your desktop.
- Select I am a Customer and enter the sysjob user ID and password provided by SailPoint Support.
- Select Log In to view the list of registered SAP systems.
- Select Add to register a new SAP system.
- Select the Accounts dropdown menu and choose an account.
- Enter your SAP system details, including the Application Server, Client Number, Instance Number, and the username and password of the SAP system user that holds the roles assigned above.
- Select Test Connection to check the agent's connection to your SAP system.
- If you are using Emergency Access Management, edit the utilization options to use the SAP Security Audit Log.
- Select Save to integrate your SAP system with Access Risk Management.
Setting Emergency Access Utilization Options
If your organization uses Emergency Access Management, the SAP Security Audit Log must be enabled in your SAP system, and you must edit the system utilization options when registering the system. These options pull the usage data needed to review emergency access activity.
To enable Security Audit Logs for EAM Utilization reporting:
- In the Utilization Options section of the SAP system registration page, select the Expand icon.
- Select a STAD option:
  - If you are running SAP 4.x, select STAD – use SAPWL_WORKLOAD_GET_STATISTIC
  - If you are running SAP ECC 5.0 or later, select STAD – use SWNC_COLLECTOR_GET_AGGREGATES
- Follow the directions from SailPoint Support to determine which SAP Security Audit Log option to select:
  - Use RSAU_READ_LOG
  - Use SM20 - Variable Data Column
  - Use SM20 - Transaction Code Column
  - Use SM20 - Transaction Code Column - Older 4.x Versions
- In the Application Server Connections section, select + Connection and enter the Host IP address, Instance Number, and Instance Name of the application server. Repeat for each application server you have.
Important
You must add every application server connection to ensure that all EAM activity is tracked. Security Audit Log will not work without these connections.
- Select Save to register your SAP system with these utilization settings.
Troubleshooting
If you can't log in with the provided sysjob user ID and password, you may need to work with SailPoint Support to set up a proxy server.
If you can't validate the connection to SAP, you may need to update your server's allow list.
Using a proxy server
If you are required to connect through a proxy server for external communication, such as to the Access Risk Management Cloud Service, and you are running the agent as a Windows service, you may need to manually configure the agent to communicate through it using the command-line interface (CLI).
Important
Work with SailPoint Support to set up a proxy using the following directions.
Configuring the agent to use a proxy server:
- Stop the SailPoint Agent Service. Ensure it is marked as Stopped.
- Stop the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Stopped.
- From a CLI with administrative access, navigate to the Agent binary folder. This folder contains the file ErpMaestro.Agents.Application.exe.
- Execute the following command:
  ./ErpMaestro.Agents.Application.exe proxy set --hostname {Proxy Server Host} --port {Proxy Server Port} --username {Username} --password {Password}
Note
If your proxy server does not require a username or password, omit the --username and --password parameters.
- Restart the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Running.
- Restart the SailPoint Agent Service. Ensure it is marked as Running.
When you have finished using the proxy, you can remove it.
Removing the proxy:
- Stop the SailPoint Agent Service. Ensure it is marked as Stopped.
- Stop the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Stopped.
- Delete the proxy.settings file from the parent directory of the agent.
- Restart the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Running.
- Restart the SailPoint Agent Service. Ensure it is marked as Running.
Note
The local encryption key that protects the stored proxy server credentials is autogenerated from the machine name and several other factors. If a significant system change occurs (for example, the machine is renamed), the encryption key may no longer work.
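The two procedures above are easy to get wrong by hand (services restarted in the wrong order, or a proxy password left in the shell history). The following PowerShell script, added here as an example and not part of the original SailPoint documentation, wraps both the proxy set and the proxy removal steps. It assumes the Windows service display names are exactly "SailPoint Agent Service" and "SailPoint Access Risk Management SAP Connector", and that -AgentDir is the folder containing ErpMaestro.Agents.Application.exe with proxy.settings in its parent folder; neither the service names nor any path are confirmed by the page beyond the text above.

```powershell
# Set-ArmAgentProxy.ps1 (added example, not SailPoint's code).
# Stops the agent services in the documented order, applies or removes the proxy
# configuration, and restarts the services in reverse order even if a step fails.
# Assumption: service display names below match those shown in services.msc.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $AgentDir,   # folder holding ErpMaestro.Agents.Application.exe
    [string] $ProxyHost,
    [int]    $ProxyPort,
    [string] $ProxyUser,                          # omit for an unauthenticated proxy
    [switch] $Remove                              # delete proxy.settings instead of setting a proxy
)

$ErrorActionPreference = 'Stop'
$AgentServiceName     = 'SailPoint Agent Service'
$ConnectorServiceName = 'SailPoint Access Risk Management SAP Connector'

function Set-ServiceState {
    # Stop or start a service by display name and block until it really reaches that state.
    param([string] $DisplayName, [ValidateSet('Running', 'Stopped')] [string] $Target)
    $svc = Get-Service -DisplayName $DisplayName
    if ($svc.Status -ne $Target) {
        if ($Target -eq 'Stopped') { Stop-Service -InputObject $svc } else { Start-Service -InputObject $svc }
    }
    $svc.WaitForStatus($Target, [TimeSpan]::FromSeconds(90))   # throws on timeout
    $svc.Refresh()
    Write-Host ("{0}: {1}" -f $DisplayName, $svc.Status)
}

$exe = Join-Path $AgentDir 'ErpMaestro.Agents.Application.exe'
if (-not (Test-Path $exe)) { throw "Agent binary not found at $exe" }

# Documented order: agent service first, then the SAP connector.
Set-ServiceState $AgentServiceName     'Stopped'
Set-ServiceState $ConnectorServiceName 'Stopped'

try {
    if ($Remove) {
        # Removal is just deleting proxy.settings from the agent's parent directory.
        $settings = Join-Path (Split-Path $AgentDir -Parent) 'proxy.settings'
        if (Test-Path $settings) { Remove-Item $settings; Write-Host "Removed $settings" }
        else { Write-Host "No proxy.settings at $settings; nothing to remove" }
    }
    else {
        if (-not $ProxyHost -or -not $ProxyPort) { throw 'ProxyHost and ProxyPort are required unless -Remove is given' }
        $cliArgs = @('proxy', 'set', '--hostname', $ProxyHost, '--port', $ProxyPort)
        if ($ProxyUser) {
            # Prompt for the password so it is never typed on the command line or saved in history.
            # The CLI still receives it as an argument, so run this from a console other users cannot inspect.
            $secure = Read-Host -Prompt "Password for proxy user $ProxyUser" -AsSecureString
            $plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
            $cliArgs += @('--username', $ProxyUser, '--password', $plain)
        }
        Push-Location $AgentDir
        try {
            & $exe @cliArgs
            if ($LASTEXITCODE -ne 0) { throw "proxy set exited with code $LASTEXITCODE" }
        }
        finally { Pop-Location }
    }
}
finally {
    # Documented reverse order: connector first, then the agent service.
    Set-ServiceState $ConnectorServiceName 'Running'
    Set-ServiceState $AgentServiceName     'Running'
}
```

Run it from an elevated PowerShell session, for example .\Set-ArmAgentProxy.ps1 -AgentDir 'C:\path\to\agent' -ProxyHost proxy.corp.example -ProxyPort 8080 -ProxyUser svc_proxy (the path and proxy values are placeholders), and .\Set-ArmAgentProxy.ps1 -AgentDir 'C:\path\to\agent' -Remove to delete the proxy configuration again.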
Updating your allow list
If you can't validate the connection between the agent and SAP, first verify that the SAP system information is correct. If it is correct but the connection still fails, add the following hostnames to the allow list of the firewall or proxy that controls the agent server's outbound traffic:
- app.erpmaestro.com
- dataserver01.erpmaestro.com
- dashsvc.erpmaestro.com
- authsvc.erpmaestro.com
- api.erpmaestro.com
- rulebooks.erpmaestro.com
- jobsvc.erpmaestro.com
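To tell an allow-list problem apart from a DNS or proxy problem before opening a ticket, run the following check from the agent VM. It is an added example, not part of the original SailPoint documentation: for each hostname listed above it confirms DNS resolution, attempts a direct TCP connection, and, if a proxy URL is supplied, attempts an HTTPS request through that proxy. The use of TCP port 443 and of the machine's default credentials for proxy authentication are assumptions; the page lists hostnames only.

```powershell
# Test-ArmAllowList.ps1 (added example, not SailPoint's code).
# Usage: .\Test-ArmAllowList.ps1                                  # direct egress
#        .\Test-ArmAllowList.ps1 -Proxy 'http://proxy.corp.example:8080'   # via proxy (placeholder URL)
param([string] $Proxy)

# Assumption: the agent talks to these hosts over HTTPS (TCP 443).
$Port  = 443
$Hosts = @(
    'app.erpmaestro.com', 'dataserver01.erpmaestro.com', 'dashsvc.erpmaestro.com',
    'authsvc.erpmaestro.com', 'api.erpmaestro.com', 'rulebooks.erpmaestro.com',
    'jobsvc.erpmaestro.com'
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Test-AllowListHost {
    param([string] $HostName, [int] $TcpPort, [string] $ProxyUri)
    $r = [ordered]@{ Host = $HostName; Dns = $false; Tcp = $false; ViaProxy = 'n/a'; Detail = '' }

    # 1. Name resolution. A failure here is a DNS problem, not an allow-list problem.
    try   { $r.Dns = [bool](Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop) }
    catch { $r.Detail = "DNS: $($_.Exception.Message)" }

    # 2. Direct TCP connect. Dns=true with Tcp=false usually means an egress firewall rule.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $tcp.BeginConnect($HostName, $TcpPort, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(5000)) { $tcp.EndConnect($async); $r.Tcp = $true }
        elseif (-not $r.Detail) { $r.Detail = 'TCP: connect timed out after 5s' }
    }
    catch { if (-not $r.Detail) { $r.Detail = "TCP: $($_.Exception.GetBaseException().Message)" } }
    finally { $tcp.Close() }

    # 3. Through the proxy, if one was given. Any HTTP answer from the far side (even 401/404)
    #    proves the tunnel was established; 407 means the proxy rejected our credentials.
    #    Caveat: a 403 can also come from the proxy refusing the CONNECT for a blocked host.
    if ($ProxyUri) {
        try {
            Invoke-WebRequest -Uri "https://$HostName/" -Method Head -Proxy $ProxyUri `
                -ProxyUseDefaultCredentials -TimeoutSec 10 -UseBasicParsing | Out-Null
            $r.ViaProxy = 'ok'
        }
        catch {
            $resp = $_.Exception.Response
            if ($resp -and [int]$resp.StatusCode -eq 407) { $r.ViaProxy = 'FAIL: proxy authentication required (407)' }
            elseif ($resp)                                { $r.ViaProxy = "ok (HTTP $([int]$resp.StatusCode))" }
            else                                          { $r.ViaProxy = "FAIL: $($_.Exception.Message)" }
        }
    }
    [pscustomobject]$r
}

$report = $Hosts | ForEach-Object { Test-AllowListHost -HostName $_ -TcpPort $Port -ProxyUri $Proxy }
$report | Format-Table -AutoSize

# A host is reachable if either the direct path or the proxy path worked.
$blocked = $report | Where-Object { -not $_.Tcp -and $_.ViaProxy -notlike 'ok*' }
if ($blocked) { Write-Warning ('Not reachable; check allow list / proxy rules for: ' + ($blocked.Host -join ', ')) }
else          { Write-Host 'All allow-list hosts reachable.' }
```

Hosts that fail only the direct check but pass via the proxy are expected on a proxied network; hosts that fail both are the ones to raise with the network team.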
Managing SAP Role Details
Once you have used the agent to register your SAP systems, you will run a security extract. When the security extract has completed, you can view and edit role details, role approvers, owners, location, and description within Access Risk Management.
Tip
The location is not an attribute of the SAP role itself; it is an Access Risk Management field that can be helpful when filtering roles.
After running a security extract, select the Menu icon in the top right and choose SAP ROLES to view the roles that have been pulled in from your SAP account.
You can edit the role details using an .xlsx file or through the Access Risk Management UI.
To edit role details in the .xlsx file:
- Select Export to download the .xlsx template to use.
- Use the template to update the approvers, owners, location, description, and whether the description should be retained from your .xlsx file or updated the next time you pull from SAP.
- Save your changes to the template and select Import to upload your updated .xlsx file and display those changes in Access Risk Management.
To edit role details within Access Risk Management:
- Select the Edit icon next to the SAP role in the SAP Roles list.
- Update the approvers, owners, location, description, and whether the description should be retained from your .xlsx file or updated the next time you pull from SAP.
- Select Save to update the role details.
If the automatic role update job fails as part of the security extract, select Refresh from Extract. This takes you to the Activity History, where you can confirm that the job has completed successfully.
Blocking SAP Users and Roles
You can exclude SAP users and roles from reports, filters, and analyses. If you are using EAM, you will want to exclude roles with temporary elevated access since there are already controls in place for managing emergency access requests.
Warning
If you block a role in EAM, do not assign it to anyone as part of their standard access: they would hold elevated permissions that are excluded from risk reports, so the assignment would never be flagged.
- Select the Menu icon in the top right and select BLOCK LISTS.
- Use the dropdown menu next to Type to select User or Role.
- Select Add.
- Enter the users or roles to exclude using comma-separated values or new lines, and select Save.
Configuring SSO
You can contact SailPoint Support to request SSO integration with Access Risk Management. The available integrations are for Azure AD and SAML 2.0 Identity Providers (IdP). After you have configured your SAP account and users in Access Risk Management, those users can log in to the application using their corporate credentials.
Before contacting SailPoint Support, you will need to gather the following information from your IdP:
Azure AD
- Azure AD Issuer: https://sts.windows.net/AzureADDirectoryID, where AzureADDirectoryID is your tenant's Directory (tenant) ID.
- Email addresses or User Principal Names (UPN) for all users in Access Risk Management.
SAML 2.0 Identity Providers
- A URL from which your IdP metadata can be downloaded, or the IdP metadata file itself. Ensure the metadata includes the public key of the certificate that will be used to sign the SAML response.
- User Name Identifiers (the NameID values your IdP will assert) for all Access Risk Management users.
After you've collected the above information, contact SailPoint Support to activate the SSO feature on your account.
Note
If your organization is using a SAML 2.0 IdP and the metadata can only be provided in a file format, include the metadata file in your request to SailPoint Support.
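The single most common reason a SAML integration request bounces is metadata that omits the signing certificate, or carries one that is about to expire. The following PowerShell, added here as an example and not part of the original SailPoint documentation, parses a SAML 2.0 IdP metadata file, extracts every signing certificate from the IDPSSODescriptor, and reports subject, thumbprint and remaining validity. To run offline it builds a constructed sample metadata document from a throwaway self-signed certificate; idp.example.com, its entityID and the 30-day threshold are assumptions, not values from the page.

```powershell
# Test-IdpMetadataSigningKey.ps1 (added example, not SailPoint's code).

function Get-IdpSigningCertificate {
    # Returns one object per signing certificate declared in a SAML 2.0 IdP metadata file.
    param([Parameter(Mandatory)] [string] $MetadataPath)

    [xml] $md = Get-Content -Path $MetadataPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # use="signing", or no use attribute at all (which per the spec means signing AND encryption).
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]' +
             '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    foreach ($node in $md.SelectNodes($xpath, $ns)) {
        $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $der)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

function Test-IdpMetadataSigningKey {
    # $true if the metadata carries at least one signing certificate valid for at least $MinDaysValid days.
    param([Parameter(Mandatory)] [string] $MetadataPath, [int] $MinDaysValid = 30)   # 30 days is an assumed threshold
    $certs = @(Get-IdpSigningCertificate -MetadataPath $MetadataPath)
    if ($certs.Count -eq 0) {
        Write-Warning "No signing certificate in $MetadataPath. Ask your IdP team for metadata that includes it before contacting Support."
        return $false
    }
    $certs | Format-Table -AutoSize
    $expiring = $certs | Where-Object { $_.DaysLeft -lt $MinDaysValid }
    if ($expiring) {
        Write-Warning ("Signing certificate expires within {0} days: {1}" -f $MinDaysValid, ($expiring.Thumbprint -join ', '))
        return $false
    }
    return $true
}

# --- Constructed sample: throwaway self-signed cert -> minimal IdP metadata -> temp file ---
# -DnsName is used (rather than -Subject) so this also works on the older PKI module of Server 2012.
$samplePath = Join-Path $env:TEMP 'sample-idp-metadata.xml'
$tmpCert    = New-SelfSignedCertificate -DnsName 'idp.example.com' -CertStoreLocation 'Cert:\CurrentUser\My'
try {
    $b64 = [Convert]::ToBase64String($tmpCert.RawData)
    $sample = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"@
    Set-Content -Path $samplePath -Value $sample -Encoding UTF8
    Test-IdpMetadataSigningKey -MetadataPath $samplePath
}
finally {
    # Remove the throwaway certificate and the sample file.
    if ($tmpCert) { Remove-Item -Path ('Cert:\CurrentUser\My\' + $tmpCert.Thumbprint) -ErrorAction SilentlyContinue }
    Remove-Item -Path $samplePath -ErrorAction SilentlyContinue
}
```

For a real request, download the metadata first (for example Invoke-WebRequest -Uri <your IdP metadata URL> -OutFile idp-metadata.xml) and call Test-IdpMetadataSigningKey -MetadataPath .\idp-metadata.xml; only send the file to SailPoint Support once it returns True.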