Supported Features

The SAP Direct connector supports the following features:

Account Management

  • Manages SAP users as Accounts

  • Aggregation, Partitioning Aggregation, Delta Aggregation, Refresh Accounts, and Pass-Through Authentication
    For more information on Delta Aggregation and Partitioning Aggregation, refer to Delta Aggregation and Partitioning Aggregation respectively.

  • Create, Update, and Delete

  • Enable, Disable, and Unlock

  • Change Password

  • Add and Remove Entitlements

    Entitlements are Roles (for user), Profiles (for user), UserGroup (User group of the user), and ContractualUserType (Licenses of the user).

  • Add and Remove Contractual User Type ID

  • Read and update the SAP UUID (Global User ID) associated with SAP Direct Accounts.

  • Add and Remove the EmployeeID assigned to an Account

  • Manage the Indirect Roles assigned to the accounts via Organization Data.

    For more information, refer to Supported Features.

Account - Group Management

  • Manages SAP Roles as Account-Groups

  • Manages SAP Profiles as Account-Groups

  • Aggregate and Refresh Groups

Notes

The following table lists the special considerations of certain supported features:

Supported Features

Notes

Pass-Through Authentication

If Pass-Through Authentication is enabled, the user can log in through IdentityIQ using the user name and password without any authorization required.

Aggregation

IdentityIQ for SAP Direct aggregates the Generated Profile associated with a Role as part of Account-Group Aggregation.

Change Password

  • For "Change password in Permanent Mode", ensure that SNC is configured on the SAP server. The logon session during which a productive password is set must be secured using Secure Network Communications (SNC).

  • According to SAP, setting a productive password is riskier than setting an initial one; therefore, additional security checks must be applied as follows:

    • The logon session during which a productive password is set must be secured using Secure Network Communications (SNC).

    • The user needs an additional authorization to set a productive password (authorization object: S_USER_GRP, activity: 'PP' - Set Productive).

For more information, refer to SAP note https://service.sap.com/sap/support/notes/1287410 (SAP Service marketplace login required).

Manages SAP Profiles as Account-Groups

A few system composite profiles might have child profiles that are not present in the SAP system. For example, for each release, the composite profile SAP_NEW contains a single profile SAP_NEW_<rel> (for example, SAP_NEW_21D). This profile holds its release status. Profiles like SAP_NEW_<rel> may not be aggregated.

Account - Group Aggregation

In Account-Group aggregation for an SAP CUA landscape, IdentityIQ for SAP ERP will not fetch the child roles or child profiles of any composite role or profile, because the CUA system does not maintain child-level role and profile details for child subsystems. In the same way, it will not fetch TCodes and the Generated Profile for the group object type.