Connecting Your SAP Systems
Use the agent to register your SAP systems in order to safely extract and transmit security-related data to Access Risk Management. This data is used to identify potential risks and violations.
To register your SAP systems:
- Download the agent to your VM. Reach out to SailPoint Support to receive the latest agent executable file link.
- Select Install on the VM for the US/EU data server file.
- Select the ARM Agent Configuration desktop icon or go to http://localhost:5000.
- Enter your SailPoint-provided user ID and password.
- Select Add to register a new SAP system.
Note
Only select the dropdown option SAP System with Fiori if SailPoint support instructs you to do so.
- Enter your SAP system details, including the Application Server, Client Number, Instance Number, Time Zone of your SAP system, and the username and password of the SAP user with the appropriate roles.
Caution
Time zone is mandatory for Emergency Access Management to function correctly. Failing to set it accurately for each system will result in missed activity that may allow some of the controls to fail.
- Install and configure the custom SailPoint function module.
Caution
SAP RISE requires the custom SailPoint function module for table extraction. You must install and enable the Use SailPoint Table Extraction option when configuring the ARM Agent for each SAP RISE system or ARM functionality will fail due to duplicated records in the extracted tables.
- Enable the toggle to Use SailPoint Table Extraction.
- If you are using Emergency Access Management, you must edit the utilization options to use the SAP Security Audit Log.
- Select Test Connection to check the agent’s connection to your SAP system.
- Select Save to integrate your SAP system to Access Risk Management.
Updating the Agent
To check which version of the agent is currently installed, complete the following:
- Log on to the server where the agent is installed.
- Open the following link in the server's browser: http://localhost:5000/api/home/version
- Confirm the agent version displayed in the browser.
Update the agent:
- Reach out to SailPoint Support to receive the latest agent executable file link.
- Uninstall the agent from the desktop icon or control panel / program files.
- Confirm whether agent folders in the locations below are deleted and manually delete any remaining agent folders after uninstalling the old agent, if needed.
- C:\PROGRAMFILES%\Sailpoint ARM
- C:\Windows\Temp\Sailpoint ARM
- C:\Windows\System32\config\systemprofile\AppData\Roaming\Sailpoint ARM
- C:\programdata\ErpMaestro
- Download the latest agent to your VM.
When you update the agent, you can use the checklist below to confirm that the prerequisites are in place and that the agent is correctly configured.
- Confirm and test the EM_Connector authentication details (username and password) on the agent ERP system configuration screen. Request a password reset of the RFC user in SAP, if needed.
- Confirm that EM_Connector in SAP is not locked.
- Confirm that the roles assigned to EM_Connector in SAP are correct and up to date.
- Use the following link to confirm that Microsoft .NET is version 4.8: https://dotnet.microsoft.com/download/dotnet-framework/thank-you/net48-web-installer
- Confirm that the agent .exe install file is the latest and correct version.
- Confirm whether the client is using a proxy for internet access on the server. The proxy file is found in the C:\Program Files\SailPoint ARM folder under icons.
- Use the following telnet command to confirm that the hostname/host IP is reachable: telnet {hostname or host IP} 3300
- Perform a connection test by selecting Test Connection at the bottom of the system setup page in the agent.
- Check and export agent log files for errors and / or additional information.
- Confirm that your server meets the agent host server requirements.
- Confirm whether the client has load balancer(s) set up in SAP.
- Confirm that the correct Instance Name is used in the agent for all required SAP systems.
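The host-side items of this checklist can be collected in one pass. The script below is an added example, not SailPoint's own tooling; the SAP host name is a placeholder, the .NET check relies on the Release registry value (528040 or higher means 4.8 or later), and the first folder path is assumed to be under the Program Files directory.

```powershell
# Added example: pre-flight checks for the agent host, following the checklist above.
# $SapHost is a placeholder; replace it with your SAP application server.
param(
    [string]$SapHost = 'sap-app01.example.internal',  # hypothetical host name
    [int]$SapPort = 3300                               # port used in the telnet check
)

$results = [ordered]@{}

# 1. Installed agent version, read from the local version endpoint.
try {
    $resp = Invoke-WebRequest -Uri 'http://localhost:5000/api/home/version' `
        -UseBasicParsing -TimeoutSec 10
    $results['AgentVersion'] = "$($resp.Content)".Trim()
} catch {
    $results['AgentVersion'] = "unreachable: $($_.Exception.Message)"
}

# 2. .NET Framework 4.8 or later (Release value 528040 or higher).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue
$results['DotNet48OrLater'] = [bool]($ndp -and $ndp.Release -ge 528040)

# 3. TCP reachability of the SAP host, equivalent to the telnet test.
$tcp = Test-NetConnection -ComputerName $SapHost -Port $SapPort `
    -WarningAction SilentlyContinue
$results['SapPortReachable'] = $tcp.TcpTestSucceeded

# 4. Agent folders currently present. Right after uninstalling the old
#    agent this list should be empty; anything listed needs manual deletion.
$folders = @(
    (Join-Path $env:ProgramFiles 'Sailpoint ARM'),   # assumed Program Files location
    'C:\Windows\Temp\Sailpoint ARM',
    'C:\Windows\System32\config\systemprofile\AppData\Roaming\Sailpoint ARM',
    'C:\programdata\ErpMaestro'
) | Where-Object { Test-Path -LiteralPath $_ }
$results['AgentFoldersPresent'] = $folders -join '; '

[pscustomobject]$results
```

Run it from an elevated PowerShell session on the agent server; the remaining checklist items (EM_Connector status and roles, load balancers, Instance Name) still have to be verified in SAP and in the agent UI.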
Troubleshooting
If you can't log in with the provided sysJob ID and password, you may need to work with SailPoint support to set up a proxy server.
If you can't validate the connection to SAP, you may need to update your server's allow list.
Using a Proxy Server
If you are required to connect through a proxy server for external communication, such as to the Access Risk Management Cloud Service, and you are running the agent as a Windows service, you may need to manually configure the agent to communicate through it using the command-line interface (CLI).
Important
Work with SailPoint Support to set up a proxy using the following directions.
Configuring the agent to use a proxy server:
- Stop the SailPoint Agent Service. Ensure it is marked as Stopped.
- Stop the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Stopped.
- From a CLI with administrative access, navigate to the Agent binary folder. This folder will have the file SailPoint.Agents.Application.exe in it.
- Execute the following commands:
cd\
cd program files\SailPoint ARM\Agent
SailPoint.Agents.Application.exe proxy set --hostname {Proxy Server Host} --port {Proxy Server Port} --username {Username} --password {Password}
For example, for a proxy that requires no credentials:
SailPoint.Agents.Application.exe proxy set --hostname 10.6.222.2 --port 3128
Note
If your proxy server does not require a username or password, do not include that parameter.
- Restart the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Running.
- Restart the SailPoint Agent Service. Ensure it is marked as Running.
When you have finished using the proxy, you can remove it.
Removing the proxy:
- Stop the SailPoint Agent Service. Ensure it is marked as Stopped.
- Stop the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Stopped.
- Delete the proxy.settings file from the parent directory of the agent.
- Restart the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Running.
- Restart the SailPoint Agent Service. Ensure it is marked as Running.
Note
The local encryption key for securing the proxy server credentials is autogenerated based upon the machine name and several other factors. If a significant system change occurs, the encryption key may not work.
Updating Your Allow List
If you can’t validate the connection between the agent and SAP, verify that the SAP system info is correct. If it is correct but the connection still fails, add the following URLs to the server’s allow list:
US Tenants | Tenants Outside the US |
---|---|
app.erpmaestro.com | grc-eu.erpmaestro.com |
dashsvc.erpmaestro.com | dashsvc-eu.erpmaestro.com |
authsvc.erpmaestro.com | authsvc-eu.erpmaestro.com |
api.erpmaestro.com | api-eu.erpmaestro.com |
rulebooks.erpmaestro.com | rulebooks-eu.erpmaestro.com |
jobsvc.erpmaestro.com | jobsvc-eu.erpmaestro.com |
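To see which allow-list entries are still blocked, the check below resolves and connects to each host for one region. It is an added example, not part of SailPoint's documentation; port 443 (HTTPS) is an assumption, since the table lists host names only, and the region names are labels chosen for this script.

```powershell
# Added example: DNS and TCP reachability for the allow-list hosts above.
# Port 443 is an assumption; the table gives host names without ports.
param(
    [ValidateSet('US', 'NonUS')]
    [string]$Region = 'US',
    [int]$Port = 443
)

$allowList = @{
    US    = @('app.erpmaestro.com', 'dashsvc.erpmaestro.com', 'authsvc.erpmaestro.com',
              'api.erpmaestro.com', 'rulebooks.erpmaestro.com', 'jobsvc.erpmaestro.com')
    NonUS = @('grc-eu.erpmaestro.com', 'dashsvc-eu.erpmaestro.com', 'authsvc-eu.erpmaestro.com',
              'api-eu.erpmaestro.com', 'rulebooks-eu.erpmaestro.com', 'jobsvc-eu.erpmaestro.com')
}

foreach ($name in $allowList[$Region]) {
    # A name that does not resolve points at DNS filtering rather than the firewall.
    $dns = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue

    # Only attempt the TCP connection when the name resolved.
    $tcp = if ($dns) {
        Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        HostName   = $name
        Resolves   = [bool]$dns
        TcpReached = [bool]($tcp -and $tcp.TcpTestSucceeded)
    }
}
```

These are direct connections from the server. If the agent is configured to use a proxy server, a failed result here does not by itself mean the agent is blocked.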