PingOne Advanced Identity Cloud

SAP User Management

The SAP User Management connector lets you synchronize users from Advanced Identity Cloud to SAP user accounts. This application can only be a target application.

Register the application

  1. In the Advanced Identity Cloud admin console, go to Applications, and click Browse App Catalog.

  2. In the Browse App Catalog modal, select an application, and click Next.

  3. Review the Application Integration information, and click Next.

  4. In the Application Details window, specify the name, description, application owners, and logo for the application.

  5. To make the application an Authoritative source of identity data, select the Authoritative check box. This option is not available for every application.

  6. Click Create Application.

Configure provisioning

  1. Set up a remote connector server (RCS).

  2. In the Advanced Identity Cloud admin console, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  3. Configure the following fields:

    Field/Option Description

    SAP Application Server FQDN

    The FQDN of your SAP Application Server. For example, sap.example.com.

    SAP Gateway Host

    The SAP gateway host name.

    SAP Gateway Server

    The SAP gateway server.

    SAP User

    The SAP Logon user.

    Password

    The SAP Logon password.

    SAP Client

    The SAP client.

    SAP System Number

    The SAP system number.

    SAP System Language

    The language of the remote SAP system.

    SAP Router

    The IP address, port, and optional password of the SAP router, if applicable. The syntax is /H/host/S/port/W/optionalPassword. For example:

    /H/203.0.113.0/S/3299/W/48npb_hg815.77rr62.hdj

    CUA

    Whether to enable SAP Central User Administration (CUA).

  4. Optionally, click Show advanced settings to set any of the following options:

    Application specific settings
    Field/Option Description

    Destination

    SAP JCo destination name.

    Direct Connection

    If selected, use a direct connection to an SAP ABAP Application server or SAP router. If cleared, use a connection to a group of SAP instances through a SAP message server.

    Target Directory

    The directory to write classes to.

    Warning Level

    The compiler warning level.

    Disabled Global AST Transformations

    A list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    SourceEncoding

    The encoding for source files.

    X509 Certificate

    The X509 certificate to supply for authentication.

    Trace

    Whether to enable RFC trace.

    CPIC Trace

    Whether to enable CPIC trace. Possible values are 0-3.

    SAP Message Server Host

    The message server host.

    Group

    The group name of the application servers. Used when you log in to a logon group that uses load balancing.

    Message Server Service

    The message server service name.

    R3 Name

    The name of the SAP system used when you log in to a logon group that uses load balancing.

    SNC Mode

    Flag used to activate SNC (Secure Network Connection). Possible values are 0 (OFF) and 1 (ON).

    SNC QoP

    The connection security level to use. Possible values are:

    • 1: Authentication only

    • 2: Integrity protection

    • 3: Privacy protection

    • 8: Use the application server value snc/data_protection/use

    • 9: Use the application server value snc/data_protection/max

    SNC Library

    The external library path for the Secure Network Connection service. The default is the system-defined library as defined in the environment variable SNC_LIB.

    SNC Partner Name

    The application server ABAP SNC name. For example, "p:CN=ABC, O=MyCompany, C=US". You can find the name in the profile parameter snc/identity/as on the AS ABAP.

    SNC Name

    The connector SNC name. For example, "p:CN=OpenIDM, O=MyCompany, C=US". This parameter is optional, but set it to make sure that the correct SNC name is used for the connection.

    SNC SSO

    Whether the connection should be configured for single sign-on (SSO). Possible values are 0 (OFF) and 1 (ON).

    Pool Capacity

    The maximum number of idle connections kept open by the destination. If there is no connection pooling, set this to 0. The default value is 1.

    For optimum performance, set this value to an integer between 5 and 10.

    Expiration time

    After this time (in milliseconds) has elapsed, the system closes the free connection. The default value is 60000.

    Max Get time

    If the pool has allocated the maximum allowed number of connections, the maximum time (in milliseconds) to wait for a connection.

    Peak Limit

    The maximum number of active connections that can be created for a destination simultaneously. The value 0 is unlimited.

    Expiration Period

    After this time (in milliseconds) has elapsed, the destination checks released connections for expiration.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

    Pool configuration
    Field Description

    Max idle and active container instances

    The maximum number of idle and active container instances. The default value is 10.

    Max Idle Connector Instances

    The maximum number of idle connector instances. The default value is 10.

    Set Timeout Period

    Select to enable a timeout period for the connection. After enabling, configure the following:

    • Timeout period (ms): The timeout period in milliseconds.

    Set Minimum Idle Time

    Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure the following:

    • Min idle time (ms): The minimum idle time in milliseconds.

    Min Idle Instances

    The minimum number of idle connector instances.

    Result Handler configuration
    Field Description

    Enable for connectors with the attribute normalizer interface

    Enables the attribute normalizer interface for supported connectors.

    Enable local filtering/search features

    Enables local filtering and search capabilities.

    Enable case insensitive filter

    Configures filters to ignore case sensitivity.

    Enable configuration of search attributes; disable for local connectors

    Enables search attribute configuration. Disable this option for local connectors.

    1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds.

      Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search.

    2. In the Operation Rate Limits area, select the operations to enforce rate limits on.

      You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search.

      For each selected operation, configure the following fields:

      Field Description

      Request Limit

      Requests allowed over time.

      Request Period

      Limit resets after this time (ms).

      Request Timeout

      Time before exception thrown (ms).

  5. Click Connect.

  6. Verify the information in the Details tab.
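
The following is an added example, not code from Ping Identity or the connector: a pre-flight check that parses the SAP Router string, masks any /W/ password before it reaches a log, and reports SNC Mode and SNC QoP values that leave the connection without privacy protection. The dict keys reuse the field labels from the tables above as an assumption, and the function names are hypothetical. The parser also accepts several /H/ hops in one string, which goes beyond the single-hop syntax shown on this page.

```python
import re

# Field labels come from the tables above; using them as dict keys is an
# assumption of this example, not the connector's own property names.
HOP = re.compile(r"/H/(?P<host>[^/]+)(?:/S/(?P<port>[^/]+))?(?:/W/(?P<pw>[^/]+))?")

def parse_router(route):
    """Split a router string into hops; raise ValueError on leftover text."""
    hops, pos = [], 0
    while pos < len(route):
        m = HOP.match(route, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}")
        hops.append(m.groupdict())
        pos = m.end()
    if not hops:
        raise ValueError("empty router string")
    return hops

def redact_router(route):
    """Return the router string with every /W/ password masked, for logs."""
    return "".join(
        "/H/" + h["host"] + (f"/S/{h['port']}" if h["port"] else "")
        + ("/W/***" if h["pw"] else "") for h in parse_router(route))

def review(cfg):
    """Return findings for the SNC and SAP Router fields of one config."""
    findings = []
    # Assumption: an unset SNC Mode is treated as 0 (OFF).
    if str(cfg.get("SNC Mode", "0")) != "1":
        findings.append("SNC Mode is 0 (OFF): connection is not protected by SNC")
    else:
        qop = str(cfg.get("SNC QoP", ""))
        if qop in ("1", "2"):
            findings.append(f"SNC QoP {qop} does not give privacy protection")
        elif qop in ("8", "9"):
            findings.append(f"SNC QoP {qop} defers to the application server value")
        elif qop != "3":
            findings.append(f"SNC QoP {qop!r} is not a documented value")
    route = cfg.get("SAP Router")
    if route and any(h["pw"] for h in parse_router(route)):
        findings.append("SAP Router embeds a password: " + redact_router(route))
    return findings

# Constructed sample; the router value is the example string from this page.
SAMPLE = {"SNC Mode": "1", "SNC QoP": "1",
          "SAP Router": "/H/203.0.113.0/S/3299/W/48npb_hg815.77rr62.hdj"}
if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```
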

Provision side tabs

The object type determines the side tabs that display on the Provisioning tab. Use the object type list to select an object type, such as Group. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

Sub-tabs under the Provisioning tab
Provisioning tab Description Related sections

Details

View and manage an application, including name, ID, and native type.

Select the specific application from Provision settings for an application.

Properties

View and manage properties for the selected object type.

Data

View data about the selected object type.

Mapping

View and manage mappings from the Advanced Identity Cloud admin console properties to external system properties and from external system properties to the Advanced Identity Cloud admin console properties.

Reconciliation

Preview mappings on target applications between external systems and the Advanced Identity Cloud admin console, and reconcile the data between the two systems.

View and manage rules for the users and groups that use your application.

View and manage schedules for Full and Incremental reconciliation.

Privacy & Consent

Manage end-user data sharing and synchronization.

Rules

View and manage provisioning rules for mappings between Advanced Identity Cloud and a target application.

Advanced Sync

Create and manage mappings between an identity profile and an application or between applications.