Connecting Your SAP Systems

Use the agent to register your SAP systems in order to safely extract and transmit security-related data to Access Risk Management. This data is used to identify potential risks and violations.

To register your SAP systems:

  1. Download the agent to your VM. Reach out to SailPoint Support to receive the latest agent executable file link.
  2. Select Install on the VM for the US/EU data server file.
  3. Select the ARM Agent Configuration desktop icon or go to http://localhost:5000.
  4. Enter your SailPoint-provided user ID and password.
  5. Select Add to register a new SAP system.

    Note

    Only select the dropdown option SAP System with Fiori if SailPoint Support instructs you to do so.

  6. Enter your SAP system details, including the Application Server, Client Number, Instance Number, Time Zone of your SAP system, and the username and password of the SAP user with the appropriate roles.

    Best Practice

    Although Time Zone is not a required field, setting it to the same time zone as the target SAP system helps Emergency Access Management to produce more accurate results.

  7. Install and configure the custom SailPoint function module.

  8. Enable the toggle to Use SailPoint Table Extraction.
  9. If you are using Emergency Access Management, you must edit the utilization options to use the SAP Security Audit Log.
  10. Select Test Connection to check the agent’s connection to your SAP system.
  11. Select Save to integrate your SAP system with Access Risk Management.

Troubleshooting

If you can't log in with the provided sysJob ID and password, you may need to work with SailPoint Support to set up a proxy server.

If you can't validate the connection to SAP, you may need to update your server's allow list.

Using a proxy server

If you are required to connect through a proxy server for external communication, such as to the Access Risk Management Cloud Service, and you are running the agent as a Windows service, you may need to manually configure the agent to communicate through it using the command-line interface (CLI).

Important

Work with SailPoint Support to set up a proxy using the following directions.

Configuring the agent to use a proxy server:

  1. Stop the SailPoint Agent Service. Ensure it is marked as Stopped.
  2. Stop the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Stopped.
  3. From a CLI with administrative access, navigate to the Agent binary folder. This folder will have the file SailPoint.Agents.Application.exe in it.
  4. Execute the following command:

    cd\
    cd program files\SailPoint ARM\Agent
    SailPoint.Agents.Application.exe proxy set --hostname {Host} --port {Proxy Server Port} --username {Username} --password {Password}

    Example without proxy credentials:

    SailPoint.Agents.Application.exe proxy set --hostname 10.6.222.2 --port 3128


    Note

    If your proxy server does not require a username or password, do not include that parameter.

  5. Restart the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Running.

  6. Restart the SailPoint Agent Service. Ensure it is marked as Running.
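
The six steps above as one PowerShell script, added here as an example and not part of SailPoint's documentation or tooling. It assumes the service display names and install path are exactly as written in this guide, and it passes the username and password together as one credential.

```powershell
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $ProxyHost,
    [Parameter(Mandatory)] [int] $ProxyPort,
    [pscredential] $ProxyCredential  # omit when the proxy needs no authentication
)
$ErrorActionPreference = 'Stop'

# Assumptions: service display names and install path exactly as written in this guide.
$agentSvc     = 'SailPoint Agent Service'
$connectorSvc = 'SailPoint Access Risk Management SAP Connector'
$agentDir     = 'C:\Program Files\SailPoint ARM\Agent'
$agentExe     = Join-Path $agentDir 'SailPoint.Agents.Application.exe'

function Set-ServiceState([string] $DisplayName, [string] $Target) {
    $svc = Get-Service -DisplayName $DisplayName
    if ($Target -eq 'Stopped') { Stop-Service -InputObject $svc } else { Start-Service -InputObject $svc }
    # Steps 1, 2, 5 and 6: confirm the state instead of assuming it (throws on timeout).
    $svc.WaitForStatus($Target, [TimeSpan]::FromSeconds(60))
}

$cliArgs = @('proxy', 'set', '--hostname', $ProxyHost, '--port', $ProxyPort)
if ($ProxyCredential) {
    # The password reaches the agent as a command-line argument, so it is visible
    # to process command-line auditing on this host while the command runs.
    $net = $ProxyCredential.GetNetworkCredential()
    $cliArgs += @('--username', $net.UserName, '--password', $net.Password)
}

Set-ServiceState $agentSvc 'Stopped'
Set-ServiceState $connectorSvc 'Stopped'
Push-Location $agentDir
try {
    & $agentExe @cliArgs
    # Assumption: a non-zero exit code means the proxy was not saved.
    if ($LASTEXITCODE -ne 0) { throw "proxy set exited with code $LASTEXITCODE" }
}
finally {
    # Bring both services back in the documented order even if the command failed.
    Pop-Location
    Set-ServiceState $connectorSvc 'Running'
    Set-ServiceState $agentSvc 'Running'
}
```

Supplying the credential with `-ProxyCredential (Get-Credential)` prompts for the password, which keeps it out of the script file and the shell history.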

When you have finished using the proxy, you can remove it.

Removing the proxy:

  1. Stop the SailPoint Agent Service. Ensure it is marked as Stopped.
  2. Stop the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Stopped.
  3. Delete the proxy.settings file from the parent directory of the agent.
  4. Restart the SailPoint Access Risk Management SAP Connector. Ensure it is marked as Running.
  5. Restart the SailPoint Agent Service. Ensure it is marked as Running.

Note

The local encryption key for securing the proxy server credentials is autogenerated based upon the machine name and several other factors. If a significant system change occurs, the encryption key may not work.

Updating your allow list

If you can’t validate the connection between the agent and SAP, verify that the SAP system info is correct. If it is correct but the connection still fails, add the following URLs to the server’s allow list:

US Tenants                  Tenants Outside the US
app.erpmaestro.com          grc-eu.erpmaestro.com
dashsvc.erpmaestro.com      dashsvc-eu.erpmaestro.com
authsvc.erpmaestro.com      authsvc-eu.erpmaestro.com
api.erpmaestro.com          api-eu.erpmaestro.com
rulebooks.erpmaestro.com    rulebooks-eu.erpmaestro.com
jobsvc.erpmaestro.com       jobsvc-eu.erpmaestro.com
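
A check of the allow list from the agent VM, added here as an example and not part of SailPoint's documentation. It tests DNS resolution and outbound TCP for each host in the table above. The port (443, HTTPS) and the region labels `US` and `NonUS` are assumptions.

```powershell
param(
    [ValidateSet('US', 'NonUS')] [string] $Region = 'US',
    [int] $Port = 443  # assumption: the endpoints are reached over HTTPS
)

# Hosts copied from the allow-list table in this guide.
$allowList = @{
    US    = 'app.erpmaestro.com', 'dashsvc.erpmaestro.com', 'authsvc.erpmaestro.com',
            'api.erpmaestro.com', 'rulebooks.erpmaestro.com', 'jobsvc.erpmaestro.com'
    NonUS = 'grc-eu.erpmaestro.com', 'dashsvc-eu.erpmaestro.com', 'authsvc-eu.erpmaestro.com',
            'api-eu.erpmaestro.com', 'rulebooks-eu.erpmaestro.com', 'jobsvc-eu.erpmaestro.com'
}

$results = foreach ($name in $allowList[$Region]) {
    # Separate DNS failures from filtered connections: they need different fixes.
    $dns = Resolve-DnsName -Name $name -ErrorAction SilentlyContinue
    $tcp = if ($dns) {
        Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        Host     = $name
        Resolves = [bool]$dns
        Address  = $tcp.RemoteAddress
        TcpOpen  = [bool]$tcp.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Report every host that still needs an allow-list entry, then signal failure.
$blocked = @($results | Where-Object { -not $_.TcpOpen })
if ($blocked) {
    Write-Warning ("Not reachable on port {0}: {1}" -f $Port, ($blocked.Host -join ', '))
    exit 1
}
```

When the agent is configured to use a proxy, a failed direct test here does not by itself mean the agent is blocked, because the agent's traffic leaves through the proxy.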
