Configure Indirect Role Assignment
The SailPoint SAP Direct connector can indirectly manage the roles assigned to an account. This feature is only supported with SailPoint's function modules /SAILPOIN/SAIL_READ_TABLE_LEG and /SAILPOIN/SAIL_READ_TABLE.
The following topics are discussed:
- Required Permissions for Indirect Role Management
- Account Attributes for Organization Data
The following steps illustrate this process:
- The connector aggregates the relationship between the SailPoint account and the SAP employee. It fetches the EmployeeID assigned to an employee in the SAP system and associates it with the SailPoint account for that employee in the SailPoint system.
  The connector also aggregates the Organization Data assigned to an employee within the SAP system. Organization Data consists of the employee's position, job, or organization unit. The connector also aggregates the roles assigned to the Organization Data.
- Using the EmployeeID and the Organization Data with its assigned roles, SailPoint can fetch the roles assigned to an employee in the SAP system through the effective transitive relationship (Employee–Organization Data–Roles).
- Within SailPoint, the SAP employee's roles are indirectly assigned to the SailPoint account based on the SAP employee's associated Organization Data.
The connector also enables SailPoint to assign a role indirectly to an account using the transitive relationship between the account and the SAP employee. It does so by assigning the SAP employee's EmployeeID to the account. This update can then be provisioned to the SAP system. For more information, refer to How Indirect Role Assignment During Provisioning Works.
Note
Indirect role assignment requires a relationship between roles and HR objects. This should be established and synchronized on a regular basis in the SAP system.
For more general information, refer to Schema Extension and Provisioning Policy Attributes.
Required Permissions for Indirect Role Management
The table below lists the permissions required to support the management of indirect roles. For information on all permissions required for all connector features, including indirect role management, refer to Required Permissions.
Connector Feature | Authorization Objects | Field Name | Field | Field Value
---|---|---|---|---
Account Aggregation | S_RFC (to aggregate Organization Data) | Activity: 16; RFC_NAME | Name of RFC object | BAPI_EMPLOYEE_GETDATA, RFC_METADATA
Account Aggregation | S_TABU_NAM (to aggregate Organization Data) | Activity: 03; Table Name | Table affected by the operation | PA0105
Account Aggregation | P_Orgin (to aggregate Organization Data) | AUTH | Authorization Level | R
 | | INFTY | INFOTYPE | 0001
 | | PERSA | Personal area | *
 | | PERSG | Employee group | *
 | | SUBTYPE | SUBTY | *
 | | PERSK | Employee subgroup | *
 | | VDSK1 | Organization Key | *
Group Aggregation | S_TABU_NAM | Activity: 03; Table Name | Table affected by the operation | Add the following: HRP1000, HRP1001
Provision EmployeeID (links the username with the system user name for SAP HR; for more information on table-level permissions, refer to Configuration Table for SAP Direct) | S_RFC | ACTVT | Activity | 
 | | RFC_NAME | Name of RFC object | Add the following: BAPI_EMPLCOMM_CHANGE, BAPI_EMPLCOMM_CREATE, BAPI_EMPLOYEE_ENQUEUE, BAPI_EMPLOYEE_DEQUEUE, BAPI_EMPLOYEE_GETDATA, BAPI_EMPLOYEE_CHECKEXISTENCE, BAPI_EMPLCOMM_GETDETAILEDLIST
 | S_USER_GROUP | AUTHC | Authorization Level | Add the following: E, S, W
 | | INFTY | INFOTYPE | 
 | | PERSA | Personal area | *
 | | PERSG | Employee group | *
 | | SUBTYPE | SUBTY | *
 | | PERSK | Employee subgroup | *
 | | VDSK1 | Organization Key | *
 | S_RFC | ACTIVITY | Activity | 
 | | CLASS | User group in user master maintenance | *
Required Service Account Permissions for Organization Data
The tables below list the permissions the service account requires to process Organization Data, which is needed for indirect role management. For more information on service account permissions, refer to Configuration Table for SAP Direct.
SERVICE_ACCOUNT | NAME | COLUMNNAME | ENTITY_TYPE | COLUMN_DNAME | COLUMN_DTYPE | COLUMN_LENGTH
---|---|---|---|---|---|---
<your-service-account-name> | PA0105 | PERNR | TABLE | PERSNO | N | 8
<your-service-account-name> | PA0105 | SUBTY | TABLE | SUBTY | C | 4
<your-service-account-name> | PA0105 | USRID | TABLE | SYSID | C | 30
SERVICE_ACCOUNT | NAME | COLUMNNAME | ENTITY_TYPE | COLUMN_DNAME | COLUMN_DTYPE | COLUMN_LENGTH
---|---|---|---|---|---|---
<your-service-account-name> | HRP1001 | ENDDA | TABLE | ENDDATUM | D | 8
<your-service-account-name> | HRP1001 | ISTAT | TABLE | ISTAT_D | C | 1
<your-service-account-name> | HRP1001 | OBJID | TABLE | HROBJID | N | 8
<your-service-account-name> | HRP1001 | OTYPE | TABLE | OTYPE | C | 2
<your-service-account-name> | HRP1001 | PLVAR | TABLE | PLVAR | C | 2
<your-service-account-name> | HRP1001 | SCLAS | TABLE | SCLAS | C | 2
<your-service-account-name> | HRP1001 | SOBID | TABLE | SOBID | C | 5
<your-service-account-name> | HRP1000 | ENDDA | TABLE | ENDDATUM | D | 8
<your-service-account-name> | HRP1000 | LANGU | TABLE | LANGU | C | 2
<your-service-account-name> | HRP1000 | OBJID | TABLE | HROBJID | N | 8
<your-service-account-name> | HRP1000 | OTYPE | TABLE | OTYPE | C | 2
<your-service-account-name> | HRP1000 | PLVAR | TABLE | PLVAR | C | 2
<your-service-account-name> | HRP1000 | STEXT | TABLE | STEXT | C | 40
For Group Aggregation in CUA systems, additional permissions are required as follows:
SERVICE_ACCOUNT | NAME | COLUMNNAME | ENTITY_TYPE | COLUMN_DNAME | COLUMN_DTYPE | COLUMN_LENGTH
---|---|---|---|---|---|---
<your-service-account-name> | USRSYSPRF | SUBSYSTEM | TABLE | RFCRCVSYS | C | 10
<your-service-account-name> | USRSYSPRF | PROFN | TABLE | XUPROFNAME | C | 12
Account Attributes for Organization Data
The connector uses the attributes listed below to fetch a user's Organization Data.
- Employee ID associated with the user
- Position, Job, and Organization Units associated with the user. Mark this attribute as follows:

```xml
entitlement="true" managed="true" multi="true" schemaObjectType="organizationdata"
```
Customizing the Organization Data Fetched for Accounts
By default, the connector fetches all positions, jobs, and organization units for each user during group aggregation processes. You can configure this by adding the orgData entry key with the data you want to fetch via REST API.

```xml
<entry key="orgData">
  <value>
    <List>
      <String>orgunit</String>
      <String>position</String>
      <String>job</String>
    </List>
  </value>
</entry>
```
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Group Attributes for Organization Data
The connector uses the attributes listed below to fetch Organization Data and the roles associated with it. The group object type is organizationdata.
Note
These attributes are not provided by default and must be configured manually.
- ID of the position, job, or organization unit. This is an Account ID and must not be changed.
- Name of the position, job, or organization unit
- Organization Data type
- Roles associated with the position, job, or organization unit
To fetch Organization Data and its roles, add the Organization Data group object to the application XML as exemplified below:
```xml
<Schema aggregationType="group" descriptionAttribute="" displayAttribute="Name" identityAttribute="ID" instanceAttribute="" nativeObjectType="Organization Data" objectType="organizationdata">
  <AttributeDefinition name="ID" type="string">
    <Description>ID of the Position, Job, or Organization Unit</Description>
  </AttributeDefinition>
  <AttributeDefinition name="Name" type="string">
    <Description>Name of the Position, Job, or Organization Unit</Description>
  </AttributeDefinition>
  <AttributeDefinition name="Type" type="string">
    <Description>Organization data type</Description>
  </AttributeDefinition>
  <AttributeDefinition entitlement="true" multi="true" name="Roles" schemaObjectType="role" type="string">
    <Description>Roles associated with the Position, Job, or Organization unit</Description>
  </AttributeDefinition>
</Schema>
```
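Because the group schema and the account's Organization Data attribute must be configured by hand, a small lint pass over the application XML catches the mistakes that silently break indirect role assignment (an identityAttribute that names no defined attribute, a Roles attribute that is not flagged as a multi-valued role entitlement, an account attribute missing managed="true"). The checker below is an added example and not SailPoint code; the `<Schemas>` wrapper, the constructed account schema and the account attribute name `OrgData` are assumptions made for the example, while the group schema is the one shown above.

```python
"""Lint the Organization Data schemas of an SAP Direct application XML.

Added example, not SailPoint's code. It checks the constraints this page states:
the organizationdata group schema must define its identity and display attributes
and carry a role attribute with entitlement="true" multi="true" schemaObjectType="role";
the account schema must carry an attribute marked entitlement="true" managed="true"
multi="true" schemaObjectType="organizationdata". The <Schemas> wrapper, the account
schema and the attribute name "OrgData" are constructed for the example.
"""
import xml.etree.ElementTree as ET

ROLE_ATTR_REQUIRED = {"entitlement": "true", "multi": "true", "schemaObjectType": "role"}
ORGDATA_ATTR_REQUIRED = {"entitlement": "true", "managed": "true", "multi": "true",
                         "schemaObjectType": "organizationdata"}


def _missing(elem, required):
    """Attribute names that are absent from the element or carry the wrong value."""
    return [k for k, v in required.items() if elem.get(k) != v]


def check_group_schema(schema):
    """Constraints on the organizationdata (group) schema."""
    problems = []
    defs = schema.findall("AttributeDefinition")
    defined = {ad.get("name") for ad in defs}
    if schema.get("aggregationType") != "group":
        problems.append("organizationdata schema must have aggregationType='group'")
    for key in ("identityAttribute", "displayAttribute"):
        if schema.get(key) not in defined:
            problems.append(f"{key}='{schema.get(key)}' is not a defined AttributeDefinition")
    role_attrs = [ad for ad in defs if ad.get("schemaObjectType") == "role"]
    if not role_attrs:
        problems.append("organizationdata schema has no attribute with schemaObjectType='role'")
    for ad in role_attrs:
        for key in _missing(ad, ROLE_ATTR_REQUIRED):
            problems.append(f"group attribute '{ad.get('name')}' needs {key}='{ROLE_ATTR_REQUIRED[key]}'")
    return problems


def check_account_schema(schema):
    """Constraints on the account attribute that holds the user's Organization Data."""
    problems = []
    org_attrs = [ad for ad in schema.findall("AttributeDefinition")
                 if ad.get("schemaObjectType") == "organizationdata"]
    if not org_attrs:
        problems.append("account schema has no attribute with schemaObjectType='organizationdata'")
    for ad in org_attrs:
        for key in _missing(ad, ORGDATA_ATTR_REQUIRED):
            problems.append(f"account attribute '{ad.get('name')}' needs {key}='{ORGDATA_ATTR_REQUIRED[key]}'")
    return problems


def check_schemas(xml_text):
    """Return a list of problems; an empty list means both schemas pass."""
    root = ET.fromstring(xml_text)
    schemas = {s.get("objectType"): s for s in root.iter("Schema")}
    problems = []
    for object_type, checker in (("organizationdata", check_group_schema),
                                 ("account", check_account_schema)):
        schema = schemas.get(object_type)
        if schema is None:
            problems.append(f"no Schema with objectType='{object_type}'")
        else:
            problems.extend(checker(schema))
    return problems


# Constructed application XML: account schema is hypothetical, group schema is the page's.
GOOD_XML = """<Schemas>
  <Schema objectType="account" identityAttribute="userName" displayAttribute="userName">
    <AttributeDefinition name="userName" type="string"/>
    <AttributeDefinition name="EmployeeID" type="string"/>
    <AttributeDefinition entitlement="true" managed="true" multi="true" name="OrgData"
                         schemaObjectType="organizationdata" type="string"/>
  </Schema>
  <Schema aggregationType="group" descriptionAttribute="" displayAttribute="Name" identityAttribute="ID"
          instanceAttribute="" nativeObjectType="Organization Data" objectType="organizationdata">
    <AttributeDefinition name="ID" type="string"/>
    <AttributeDefinition name="Name" type="string"/>
    <AttributeDefinition name="Type" type="string"/>
    <AttributeDefinition entitlement="true" multi="true" name="Roles" schemaObjectType="role" type="string"/>
  </Schema>
</Schemas>"""

# Same XML with three typical mistakes: wrong identityAttribute, Roles not multi, OrgData not managed.
BAD_XML = (GOOD_XML.replace('identityAttribute="ID"', 'identityAttribute="Id"')
           .replace('entitlement="true" multi="true" name="Roles"', 'entitlement="true" name="Roles"')
           .replace('managed="true" multi="true" name="OrgData"', 'multi="true" name="OrgData"'))

if __name__ == "__main__":
    print("good:", check_schemas(GOOD_XML))
    print("bad:", check_schemas(BAD_XML))
```

Run it before importing a changed application XML; any line it prints for the "bad" case names the attribute and the exact flag to add.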
Customizing Fetched Organization Data
By default, the connector fetches all positions, jobs, and organization units during group aggregation processes. You can configure this by adding the orgData entry key with the data you want to fetch via REST API.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

```xml
<entry key="orgData">
  <value>
    <List>
      <String>orgunit</String>
      <String>position</String>
      <String>job</String>
    </List>
  </value>
</entry>
```
How Indirect Role Assignment During Provisioning Works
SailPoint does not directly assign positions to SAP users within the SAP system. The relationship between the SAP HR Employee and the valid position assigned to them (as well as the roles assigned to that position) needs to be configured in the SAP system. The valid position also must be assigned to the SAP HR Employee.
SailPoint links a valid EmployeeID received during provisioning to an SAP User ID with the 0105 infotype. SailPoint then links SAP users with SailPoint accounts using the EmployeeID common between them. With this EmployeeID correlation established, any roles assigned via Organization Data to SAP HR Employees are automatically assigned to the SAP user within the SAP system following a provisioning operation.
Note
To further help link SAP users and SAP employees within SailPoint, SailPoint provides a dummy position called a Provisional Position. The Provisional Position triggers a joiner flow if there are no direct roles available in the SAP Direct access profile. The Provisional Position is not required to link the SAP user and the SAP HR Employee; however, the EmployeeID is still required.
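The transitive chain that both the aggregation steps above (Employee–Organization Data–Roles) and this provisioning description rely on can be reproduced from the two tables the service account reads: PA0105 links the SAP user name to the EmployeeID, and HRP1001 links the employee to positions, jobs and org units and those to roles. The resolver below is an added example, not the connector's code; the PA0105 and HRP1001 rows, the object-type codes (P, S, C, O, AG), the PA0105 subtype 0001 for the system user name and the ISTAT value 1 for "active" are assumptions constructed for the example. It also shows the caveat from the note above about keeping the relationships synchronized: an expired (ENDDA in the past) or planned (ISTAT not active) relationship contributes no roles, and each inherited role is reported with the Organization Data object that grants it, which is what an access reviewer needs to see.

```python
"""Resolve the roles an SAP user inherits through HR Organization Data.

Added example; not SailPoint's connector code. It walks the chain the page describes:
SAP user -> infotype 0105 (PA0105) -> EmployeeID (PERNR) -> HRP1001 relationships
-> position/job/org unit -> roles, dropping relationships that are expired (ENDDA)
or not active (ISTAT). All rows, codes and IDs below are constructed for the example.
"""

# Assumed SAP object-type codes and flag values (constructed for this example).
ORG_DATA_TYPES = {"S": "position", "C": "job", "O": "orgunit"}
ROLE_TYPE = "AG"               # assumed: role objects
PERSON_TYPE = "P"              # assumed: HR person (employee)
SYSTEM_USER_SUBTYPE = "0001"   # assumed: PA0105 subtype carrying the SAP user name
ACTIVE = "1"                   # assumed: ISTAT value for an active relationship

# Constructed PA0105 rows: PERNR (employee), SUBTY, USRID (columns from the table above).
PA0105 = [
    {"PERNR": "00001234", "SUBTY": "0001", "USRID": "JDOE"},
    {"PERNR": "00001234", "SUBTY": "0010", "USRID": "jdoe@example.invalid"},  # other subtype: not a link
    {"PERNR": "00005678", "SUBTY": "0001", "USRID": "ASMITH"},
]

# Constructed HRP1001 rows: OTYPE/OBJID is related to SCLAS/SOBID until ENDDA (YYYYMMDD).
HRP1001 = [
    {"OTYPE": "P", "OBJID": "00001234", "SCLAS": "S", "SOBID": "50000100", "ISTAT": "1", "ENDDA": "99991231"},
    {"OTYPE": "S", "OBJID": "50000100", "SCLAS": "C", "SOBID": "50000200", "ISTAT": "1", "ENDDA": "99991231"},
    {"OTYPE": "S", "OBJID": "50000100", "SCLAS": "O", "SOBID": "50000300", "ISTAT": "1", "ENDDA": "99991231"},
    {"OTYPE": "S", "OBJID": "50000100", "SCLAS": "AG", "SOBID": "Z_FI_AP_CLERK", "ISTAT": "1", "ENDDA": "99991231"},
    {"OTYPE": "C", "OBJID": "50000200", "SCLAS": "AG", "SOBID": "Z_FI_DISPLAY", "ISTAT": "1", "ENDDA": "99991231"},
    {"OTYPE": "O", "OBJID": "50000300", "SCLAS": "AG", "SOBID": "Z_ORG_REPORTING", "ISTAT": "1", "ENDDA": "99991231"},
    # Expired position assignment: its roles must no longer be inherited.
    {"OTYPE": "P", "OBJID": "00001234", "SCLAS": "S", "SOBID": "50000900", "ISTAT": "1", "ENDDA": "20200131"},
    {"OTYPE": "S", "OBJID": "50000900", "SCLAS": "AG", "SOBID": "Z_HR_ADMIN", "ISTAT": "1", "ENDDA": "99991231"},
    # Planned (not yet active) assignment: ignored until ISTAT becomes active.
    {"OTYPE": "P", "OBJID": "00005678", "SCLAS": "S", "SOBID": "50000100", "ISTAT": "2", "ENDDA": "99991231"},
]


def is_valid(rel, on):
    """Keep only active relationships whose end date (YYYYMMDD) is not before the reference date."""
    return rel["ISTAT"] == ACTIVE and rel["ENDDA"] >= on


def employee_for_user(usrid):
    """PA0105 link: SAP user name -> EmployeeID (PERNR), or None if the user is not linked."""
    for row in PA0105:
        if row["SUBTY"] == SYSTEM_USER_SUBTYPE and row["USRID"] == usrid:
            return row["PERNR"]
    return None


def org_data_for_employee(pernr, on, org_data):
    """Positions, jobs and org units reachable from the employee through valid HRP1001 rows.

    `org_data` mirrors the connector's orgData filter: only those types are returned,
    although positions are still traversed to reach the jobs and org units behind them.
    """
    wanted = {code for code, name in ORG_DATA_TYPES.items() if name in org_data}
    found, seen, queue = set(), set(), [(PERSON_TYPE, pernr)]
    while queue:
        otype, objid = queue.pop()
        if (otype, objid) in seen:
            continue
        seen.add((otype, objid))
        for rel in HRP1001:
            if ((rel["OTYPE"], rel["OBJID"]) == (otype, objid)
                    and rel["SCLAS"] in ORG_DATA_TYPES and is_valid(rel, on)):
                target = (rel["SCLAS"], rel["SOBID"])
                if rel["SCLAS"] in wanted:
                    found.add(target)
                queue.append(target)
    return found


def roles_for_org_object(otype, objid, on):
    """Roles attached to one position/job/org unit through valid HRP1001 rows."""
    return {rel["SOBID"] for rel in HRP1001
            if (rel["OTYPE"], rel["OBJID"]) == (otype, objid)
            and rel["SCLAS"] == ROLE_TYPE and is_valid(rel, on)}


def indirect_roles_for_user(usrid, on="20240601", org_data=("orgunit", "position", "job")):
    """Map each inherited role to the Organization Data objects that grant it."""
    pernr = employee_for_user(usrid)
    if pernr is None:
        return {}  # no EmployeeID link: nothing can be inherited
    result = {}
    for otype, objid in org_data_for_employee(pernr, on, org_data):
        for role in roles_for_org_object(otype, objid, on):
            result.setdefault(role, set()).add(f"{ORG_DATA_TYPES[otype]}:{objid}")
    return result


if __name__ == "__main__":
    for user in ("JDOE", "ASMITH", "NOBODY"):
        print(user, indirect_roles_for_user(user))
```

Comparing this resolver's output with the roles the connector actually aggregated for an account is a useful reconciliation check: a role present on the account but absent here points at a stale relationship in SAP that the regular synchronization the note above calls for has not yet caught.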
The SAP HR Employee ID that the SAP user is linked to