SAP Connector

Last modified 22 Apr 2021 17:31 +02:00

Identity connector for SAP R/3 systems.

Functionality: stable
Development status: dormant (not developed actively, but still somehow maintained)
Support status: supported
Origin: Evolveum
Support provided by: Evolveum
Target systems: SAP R/3
Protocol: SAP RFC
Source code: https://github.com/Evolveum/connector-sap

Connector for SAP R/3, based on the SAP Java Connector (SAP JCo). SAP JCo is proprietary; you need an SAP login to download it. The SAP Connector itself is Apache-licensed.

The SAP connector uses BAPI functions to manage accounts in SAP. It supports all importing parameter types and table parameter types, except UCLASSSYS, EXTIDHEAD, EXTIDPART and SYSTEMS, to create and change account attributes, to lock and unlock the account and to change its password. You can assign SAP accounts to, and unassign them from, activity groups (SAP roles), groups (USERGROUP) and profiles managed in SAP. It also supports reading arbitrary SAP tables using the BAPI function RFC_GET_TABLE_ENTRIES, for example reading SAP activity groups (roles) from the AGR_DEFINE table or SAP user groups from the USGRP table.

Capabilities and Features

Feature                  Supported           Note
Provisioning             YES
Live Synchronization     YES                 liveSync doesn’t find deleted accounts
Password                 YES
Activation               YES                 status, validFrom, validTo, lockoutStatus
Filtering changes        currently limited
Paging support           YES                 Simple Paged Results
Native attribute names   YES                 uses ri:USERNAME instead of icfs:name and icfs:uid if useUsernameAsNativeName is enabled

Interoperability

Tested on SAP System (R07) Netweaver 7 EHP 2 (aka 7.31)

Limitations

  • no support for Central User Administration in SAP (CUA landscape),

  • liveSync doesn’t see deleted accounts; you need to run a full recompute from time to time, or only disable users in SAP instead of deleting them,

  • on the first run (getLatestSyncToken) liveSync returns the current time as the SyncToken; you need to synchronize the midPoint server time with the SAP server time, or run a full recompute after the first liveSync,

  • renaming an account is not supported in SAP.

History

Version   Origin     Binary         Sources   Build Date       Description
1.0.0.0   Evolveum   download jar   GitHub    October 2016     Official release
1.0.1.0   Evolveum   download jar   GitHub    June 2017        Official release
1.1       Evolveum   download jar   GitHub    September 2019   Upgrade to Java SAP Connector 3.0.19;
                                                               Support for load balancing (contributed);
                                                               Allow setting of expired initial password (contributed);
                                                               Parameter-related improvements (contributed)

Documentation

Building with Maven

  1. download the SAP connector source code from GitHub

  2. download SAP JCo (SAP credentials needed) and find the sapjco3.jar for your hardware platform (tested with sapjco3-NTAMD64-3.0.13)

  3. put it into your local Maven repository, for example:
    mvn install:install-file -Dfile="{pathToJCo}\sapjco3.jar" -DgroupId=com.sap.conn.jco -DartifactId=sapjco -Dversion=3.0.13 -Dpackaging=jar

  4. build the SAP connector with Maven:
    mvn clean install -Dmaven.test.skip=true

  5. find connector-sap-*.jar in the target folder

Installation

  1. download SAP JCo (SAP credentials needed) and find javadoc/installation.html

  2. install JCo in your operating system

  3. put sapjco3.jar into the {Tomcat_home}\lib\ directory

  4. put connector-sap-*.jar into the {midPoint_home}\icf-connectors\ directory

  5. run/restart Tomcat; midPoint searches for new connectors at startup

Object classes

The SAP connector by default supports these object classes:

  • AccountObjectClass (_ACCOUNT_) - read, create, update, delete users in SAP

  • CustomPROFILEObjectClass (PROFILE) - read profile names

  • CustomACTIVITYGROUPObjectClass (ACTIVITYGROUP) - read activity groups (roles) and their parent

  • CustomGROUPObjectClass (GROUP) - read user group names

  • any other SAP table to read, see the tables parameter

Config

Please see the help in the connector. SAP has many user parameters (see here). There are several types of parameters; the "Importing" and "Tables" types are relevant. Importing parameter types are structures; for example, ADDRESS contains other single-value attributes such as FIRSTNAME. This is represented as "ADDRESS.FIRSTNAME" in midPoint. Table parameter types and their rows are represented by the SAP connector as XML; for example, the connector attribute ACTIVITYGROUPS contains the value:

<?xml version="1.0" encoding="UTF-8"?><item><AGR_NAME>/CCM/CATALOG_APPROVER</AGR_NAME><FROM_DAT>2016-03-07</FROM_DAT><TO_DAT>9999-12-31</TO_DAT><AGR_TEXT>Role for Content Approver</AGR_TEXT><ORG_FLAG></ORG_FLAG></item>

You can also use the attribute ACTIVITYGROUPS.AGR_NAME, which has the content "/CCM/CATALOG_APPROVER".

Other available attributes: PROFILES.BAPIPROF, GROUPS.USERGROUP.

Other table parameter types are supported only in the XML form. You can use XmlMatchingRule to compare them.

To speed up reading user details, you can list in the tableParameterNames configuration property only the table-type parameters you need, for example ACTIVITYGROUPS, or ignore all of them with <sap:tableParameterNames/>.

Reading any SAP table data

Over the BAPI function RFC_GET_TABLE_ENTRIES you can read any SAP table. You only need to define the table name and its structure in the tables parameter as follows:

{table name in SAP} as {alias in object class}={first field name:length{:IGNORE|KEY}},{next field you need...}

If you don’t need an attribute, you can ignore it using "IGNORE". To set which column is mapped to icfs:uid and icfs:name, use the "KEY" word. For example, activity groups are by default defined as:

AGR_DEFINE as ACTIVITYGROUP=MANDT:3:IGNORE,AGR_NAME:30:KEY,PARENT_AGR:30

You can find field names and lengths for example here (for AGR_DEFINE).

Data are returned by SAP as fixed-width records with no delimiter, so you must define all field names and their lengths in order to parse them correctly.

If you update the tableParameterNames or tables connector parameters via midPoint Configuration → Repository objects, please delete the <schema> section before saving in order to generate a new schema.
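As an added example (not the connector's own code), the following Python parses a tables entry in the format above and splits a fixed-width row according to it, applying the IGNORE and KEY rules; the function names and the sample row are mine, and the row content is constructed.

```python
import re
from typing import Dict, List, Tuple
# Added example, not the connector's own code: a parser for the "tables"
# entry format above and for the fixed-width rows RFC_GET_TABLE_ENTRIES
# returns. The definition and row used below are constructed samples.
Field = Tuple[str, int, str]   # (name, length, flag) with flag "", "IGNORE" or "KEY"
_ENTRY = re.compile(r"^\s*(\S+)\s+as\s+([^=\s]+)\s*=\s*(.+?)\s*$")

def parse_table_definition(spec: str) -> Tuple[str, str, List[Field]]:
    """Parse '{table} as {alias}={field:length[:IGNORE|KEY]},...'."""
    m = _ENTRY.match(spec)
    if not m:
        raise ValueError(f"malformed tables entry: {spec!r}")
    table, alias, field_list = m.groups()
    fields: List[Field] = []
    for item in field_list.split(","):
        parts = item.strip().split(":")
        if len(parts) not in (2, 3) or not parts[1].isdigit():
            raise ValueError(f"malformed field spec: {item!r}")
        flag = parts[2].upper() if len(parts) == 3 else ""
        if flag not in ("", "IGNORE", "KEY"):
            raise ValueError(f"unknown flag in field spec: {item!r}")
        fields.append((parts[0], int(parts[1]), flag))
    if sum(1 for _, _, flag in fields if flag == "KEY") != 1:
        raise ValueError("exactly one field must be marked KEY")
    return table, alias, fields

def parse_row(fields: List[Field], row: str) -> Dict[str, str]:
    """Split one fixed-width row: IGNORE fields are dropped, the KEY field also
    becomes icfs:uid/icfs:name, padding past the declared width is tolerated."""
    width = sum(length for _, length, _ in fields)
    if len(row) < width:
        raise ValueError(f"row has {len(row)} chars, definition needs {width}")
    out, pos = {}, 0
    for name, length, flag in fields:
        value = row[pos:pos + length].rstrip()
        pos += length
        if flag == "IGNORE":
            continue
        out[name] = value
        if flag == "KEY":
            out["icfs:uid"] = out["icfs:name"] = value
    return out

# Constructed sample: the default ACTIVITYGROUP definition and one row with
# MANDT=100, AGR_NAME=/CCM/CATALOG_APPROVER and an empty PARENT_AGR.
_, ALIAS, ACTIVITYGROUP_FIELDS = parse_table_definition(
    "AGR_DEFINE as ACTIVITYGROUP=MANDT:3:IGNORE,AGR_NAME:30:KEY,PARENT_AGR:30")
SAMPLE_ROW = "100" + "/CCM/CATALOG_APPROVER".ljust(30) + " " * 30
```

A row shorter than the declared total width is rejected, which is the usual symptom of a wrong field length in the tables entry.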

SAP permissions

The following table contains all SAP permissions required for all use cases. Detailed permissions for each use case are shown in the Use Cases section.

Authorization Object   Field       Value
S_RFC                  ACTVT       16
                       RFC_NAME    BAPT, BFHV, DDIF_FIELDINFO_GET, RFC1, SDIFRUNTIME, SUSE, SUSO, SU_USER, SYST
                       RFC_TYPE    FUGR
S_RFC                  ACTVT       16
                       RFC_NAME    PASSWORD_FORMAL_CHECK
                       RFC_TYPE    FUNC
S_TCODE                TCD         SU01
S_TABU_NAM             ACTVT       03
                       TABLE       AGR_DEFINE, USGRP
S_USER_AGR             ACTVT       02
                       ACT_GROUP   * (may be restricted to specific values)
S_USER_GRP             ACTVT       01, 02, 03, 05, 06, 22, 78
                       CLASS       * (may be restricted to specific values)
S_USER_PRO             ACTVT       22
                       PROFILE     * (may be restricted to specific values)

Use Cases

The following table contains typical use cases, the related BAPI functions, and the SAP permissions needed for them. See also testBapiFunctionPermission.

The column RFC Authorisation contains the RFC_NAME that must be permitted in authorization object S_RFC for RFC_TYPE FUGR (see the table above).

Use case: test connection
  Functions: JCoDestination.ping()
  RFC Authorisation: SYST

Use case: search and list SAP accounts
  Functions: BAPI_USER_GETLIST, BAPI_USER_GET_DETAIL
  RFC Authorisation: SU_USER
  Additional Authorisations: S_USER_GRP
    ACTVT = 03 (Display)
    CLASS = * (may be restricted to specific value)

Use case: create, update, delete account; assign/unassign group
  Functions: BAPI_USER_CREATE1, BAPI_USER_CHANGE, BAPI_USER_DELETE
  RFC Authorisation: SU_USER
  Additional Authorisations: S_USER_GRP
    ACTVT = 01 (Create or generate), 02 (Change), 05 (Lock), 06 (Delete), 78 (Assign)
    CLASS = * (may be restricted to specific value)

Use case: use transaction to create and update account (when config useTransaction=true)
  Functions: BAPI_TRANSACTION_COMMIT, BAPI_TRANSACTION_ROLLBACK
  RFC Authorisation: BAPT

Use case: lock/unlock account
  Functions: BAPI_USER_LOCK, BAPI_USER_UNLOCK
  RFC Authorisation: SU_USER
  Additional Authorisations: S_USER_GRP
    ACTVT = 05 (Lock)
    CLASS = * (may be restricted to specific value)

Use case: assign/unassign activity groups
  Functions: BAPI_USER_ACTGROUPS_ASSIGN
  RFC Authorisation: SU_USER
  Additional Authorisations: S_USER_GRP
    ACTVT = 22 (Enter, Include, Assign)
    CLASS = * (may be restricted to specific value)
  and S_USER_AGR
    ACTVT = 02 (Change)
    ACT_GROUP = * (may be restricted to specific values)

Use case: assign/unassign profiles
  Functions: BAPI_USER_PROFILES_ASSIGN
  RFC Authorisation: SU_USER
  Additional Authorisations: S_USER_GRP
    ACTVT = 22 (Enter, Include, Assign)
    CLASS = * (may be restricted to specific value)
  and S_USER_PRO
    ACTVT = 22 (Enter, Include, Assign)
    PROFILE = * (may be restricted to specific values)

Use case: change password; when config changePasswordAtNextLogon=false; check password
  Functions: SUSR_USER_CHANGE_PASSWORD_RFC; SUSR_GENERATE_PASSWORD; SUSR_LOGIN_CHECK_RFC, PASSWORD_FORMAL_CHECK
  RFC Authorisation: SUSO, SUSE, SDIFRUNTIME, DDIF_FIELDINFO_GET
  Additional Authorisations: S_RFC
    RFC_NAME = PASSWORD_FORMAL_CHECK
    RFC_TYPE = FUNC

Use case: read any SAP table, see config tables (activity groups, user groups)
  Functions: RFC_GET_TABLE_ENTRIES
  RFC Authorisation: RFC1
  Additional Authorisations: S_TABU_NAM
    ACTVT = 03 (Display)
    TABLE = AGR_DEFINE (Activity groups), USGRP (User groups), * (any table, to be restricted as required)

Use case: read profile
  Functions: BAPI_HELPVALUES_GET
  RFC Authorisation: BFHV

Use case: read additional account login info (LAST_LOGON_DATE, LOCK_STATUS, PASSWORD_STATUS), when config sap.config.alsoReadLoginInfo=true
  Functions: SUSR_GET_ADMIN_USER_LOGIN_INFO
  RFC Authorisation: SUSO
  Additional Authorisations: S_TCODE
    TCD = SU01 (Display)

Resource Examples

Please see the samples on GitHub.

sap-medium.xml contains a sample to create/read an account in/from SAP with roles (activity groups) as RoleType. To use it, also import role-activity-group-metarole.xml and object-template-role.xml (the SAP ActivityGroup metarole assignment mapping is enough), enable it, and import roles from SAP with task-import-activity-groups.xml.

sap-advanced.xml contains a sample to create/read an account in/from SAP with roles (activity groups) and also with profiles and groups as OrgType. In this sample, uniqueness of names is solved with the name prefixes 'r:' (role), 'p:' (profile) and 'g:' (group). Please import all files from the appropriate folder and run all import tasks.

In the assignment subdirectory you find a sample similar to sap-advanced, but when you import an account from SAP, you also import the assigned SAP roles, profiles and groups into the extension attributes defined in extension-sap.xsd. From these new attributes, the enabled object-template-org.xml creates assignments to the appropriate OrgType (roles, profiles and groups).

Using Encryption / SAP SNC

This section is under "heavy" work in progress.

If you deploy the connector without SNC, the communication between SAP and midPoint is not encrypted. To get a secure, encrypted connection you have to use SAP SNC. Here is a short list of what you have to do:

Tomcat must run as the same user that creates the PSE file. The PSE file is generated as follows; to get the tools you have to download them from SAP.

Extract the sapcrypto archive on the midPoint system under a common directory; we use /staging/:

[root@midpoint sapryptolib]# ls -ltr /staging/sapcryptolib
total 3876
-rwxrwxrwx 1 root root 2361998 Apr  7 16:11 libsapcrypto.so
-rwxrwxrwx 1 root root      26 Apr  7 16:11 sapcrypto.lst
-rwxrwxrwx 1 root root   20720 Apr  7 16:11 sapgenpse
drwxr-xr-x 2 root root    4096 Jul  6 11:23 sec
-rwxr-xr-x 1 root root 1436445 Jul 19 15:25 sapjco3.jar

Generate the SNC PSE and certificates for the user you use to connect to the SAP system:

sapgenpse get_pse -p MIDPOINTSNC -x <PW> "<DN>"
sapgenpse seclogin -p MIDPOINTSNC -x <PW>

It’s important to execute the following command as the same user that runs midPoint:

sapgenpse export_own_cert -o <filename> -p SAPSNCS -x <PW>

On your SAP system, export the system’s own certificate and import it into the PSE on the midPoint server.
You can do this via SAP GUI (transaction STRUST) or as above:

sapgenpse export_own_cert -o <Filename> -p SAPSNCS -x <PW>

Import the midPoint certificate into SAP and vice versa:

sapgenpse maintain_pk -a <certfile> -x <PW>


Tomcat needs to find the right libraries, so put these lines also into the Tomcat startup script (the path matches the /staging/sapcryptolib directory listed above):

export LD_LIBRARY_PATH=/staging/sapcryptolib/:$LD_LIBRARY_PATH
export SNC_LIB=/staging/sapcryptolib
export SECUDIR=/staging/sapcryptolib/sec
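As an added pre-flight check (not part of the connector or of SAP's tooling), the following Python verifies the layout the steps above produce before Tomcat is started: the crypto library in SNC_LIB, a .pse file and the cred_v2 credential file in SECUDIR, and that cred_v2 belongs to the user Tomcat runs as. The cred_v2 name comes from sapgenpse seclogin, the owner-only permission check is my recommendation rather than something the page states, and the sample directory tree is constructed.

```python
import os
import pwd
import tempfile
from typing import List, Tuple

# Added pre-flight check, not part of the connector or of SAP's tools. It verifies
# the layout the steps above produce before Tomcat starts: libsapcrypto.so in
# SNC_LIB, a .pse file and the cred_v2 file written by "sapgenpse seclogin" in
# SECUDIR, and cred_v2 owned by the Tomcat user (the credential is bound to the
# OS user that ran seclogin). The owner-only mode check is an added recommendation.

def check_snc_layout(snc_lib: str, secudir: str, tomcat_user: str) -> List[str]:
    """Return the list of problems found; an empty list means the layout is usable."""
    problems: List[str] = []
    if not os.path.isfile(os.path.join(snc_lib, "libsapcrypto.so")):
        problems.append(f"libsapcrypto.so not found in SNC_LIB={snc_lib}")
    if not os.path.isdir(secudir):
        return problems + [f"SECUDIR={secudir} is not a directory"]
    if not any(n.endswith(".pse") for n in os.listdir(secudir)):
        problems.append(f"no .pse file in SECUDIR={secudir} (run sapgenpse get_pse)")
    cred = os.path.join(secudir, "cred_v2")
    if not os.path.isfile(cred):
        return problems + ["cred_v2 missing in SECUDIR (run sapgenpse seclogin as the Tomcat user)"]
    try:  # accept a user name or a numeric uid
        expected_uid = int(tomcat_user) if tomcat_user.isdigit() else pwd.getpwnam(tomcat_user).pw_uid
    except KeyError:
        return problems + [f"user {tomcat_user!r} does not exist on this host"]
    st = os.stat(cred)
    if st.st_uid != expected_uid:
        problems.append(f"cred_v2 is owned by uid {st.st_uid}, not by Tomcat user {tomcat_user!r}")
    if st.st_mode & 0o077:
        problems.append("cred_v2 is readable by group/others; restrict it to the owner")
    return problems

def build_constructed_layout(with_cred: bool = True) -> Tuple[str, str, str]:
    """Create a throwaway tree mimicking /staging/sapcryptolib (constructed sample);
    returns (SNC_LIB, SECUDIR, current user)."""
    root = tempfile.mkdtemp(prefix="sapcryptolib-")
    sec = os.path.join(root, "sec")
    os.mkdir(sec)
    open(os.path.join(root, "libsapcrypto.so"), "wb").close()
    open(os.path.join(sec, "MIDPOINTSNC.pse"), "wb").close()
    if with_cred:
        os.close(os.open(os.path.join(sec, "cred_v2"), os.O_CREAT | os.O_WRONLY, 0o600))
    try:
        user = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:  # uid without a passwd entry (some containers)
        user = str(os.getuid())
    return root, sec, user
```

Run check_snc_layout with the SNC_LIB and SECUDIR values from the startup script and the Tomcat service user; a non-empty result explains why the JCo connection would fail before SNC is even negotiated.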