Supported Features

The SAP Direct connector supports the following features:

Note
Before you can use any item marked with an asterisk (*), SailPoint must activate the feature for your site.

  • Manages SAP users as Accounts

  • Aggregation, Delta Aggregation (to sync changes from SAP Direct), Refresh Accounts

  • Create, Update, and Delete

  • Enable, Disable, and Unlock

  • *Password Management

  • Add and Remove Entitlements

    • Entitlements are Roles (for user), Profiles (for user), UserGroup (User group of the user), and ContractualUserType (Licenses of the user).

  • Add and Remove Contractual User Type ID

  • Read and update the SAP UUID (Global User ID) associated with SAP Direct Accounts.

  • Add and Remove the EmployeeID assigned to an Account

  • Manage the Indirect Roles assigned to the accounts via Organization Data.

    For more information, refer to Supported Features.

Note
UserGroup (User group of the user) is managed as an entitlement account attribute only.

For more information on features, refer to Identity Security Cloud Source Features.

The SAP Direct connector supports the following group and entitlement objects:

| SAP Direct Source Object | Supported Operation |
|---|---|
| Roles as group object | Read |
| ContractualUserType (Licenses for user) | Add and Remove Entitlement |
| Entitlement objects: Roles (for user), Profiles (for user) | Add and Remove Entitlements |

The SAP Direct connector displays the parent-child relationship between a composite role and its child roles on the connector UI as Parent and Child Entitlements.

Note
When using group aggregation in a SAP Central User Administration (CUA) environment, the connector does not fetch child roles or child profiles of any composite role or profile. The CUA system does not maintain child-level role or profile details for child subsystems. In the same way, the connector does not fetch TCodes or generated profiles for the group object type.

The following lists the details of the supported features:

Feature

Users

Create

Aggregate

Enable and Disable

Delta Aggregation

Password Management

Group Entitlements (Read, Request, Revoke, and Access Certifications)

✔ Roles

Entitlements (Read, Request, Revoke, and Access Certifications)

✔ (Profiles, UserGroups, and ContractualUserType)

Group Entitlements

Group entitlements are the entitlement types for which Identity Security Cloud can aggregate additional details from the managed system. These objects have a separate schema that defines the list of attributes the aggregation task fetches as additional details when aggregation is run for that group entitlement type.

Feature

Groups

Aggregation

Read group hierarchy

Notes

The following table lists the special considerations of certain supported features:

Supported Features

Notes

Pass Through Authentication

If Pass-Through authentication is enabled, the user can log in through Identity Security Cloud using the user name and password, without any authorization required.

Aggregation

Identity Security Cloud for SAP Direct aggregates the Generated Profile associated with a Role as part of Account-Group Aggregation.

Change Password

  • For "Change password in Permanent Mode", ensure that SNC is configured on the SAP server. The logon session during which a productive password is set must be secured using Secure Network Communications (SNC).

  • According to SAP, setting a productive password is riskier than setting an initial one; therefore, the following additional security checks must be applied:

    • The logon session during which a productive password is set must be secured using Secure Network Communications (SNC).

    • The user needs an additional authorization to set a productive password (authorization object: S_USER_GRP, activity: 'PP' - Set Productive).

For more information, refer to SAP note https://service.sap.com/sap/support/notes/1287410 (SAP Service marketplace login required).

Manages SAP Profiles as Account-Groups

A few system composite profiles might have child profiles that are not present in the SAP system. For example, for each release, the composite profile SAP_NEW contains a single profile SAP_NEW_<rel> (for example, SAP_NEW_21D). This profile holds its release status. Profiles like SAP_NEW_<rel> may not be aggregated.

Account - Group Aggregation

In Account-Group aggregation for an SAP CUA landscape, IdentityIQ for SAP ERP does not fetch the child roles or child profiles of any composite role or profile, because the CUA system does not maintain child-level role and profile details for child subsystems. In the same way, it does not fetch TCodes or Generated Profiles for the group object type.