
Data Exchange with Directory Services

By: William Prada
Date Added: January 4, 2010



Roadmap

After the technical connection of a directory server to an SAP system based on SAP Web AS, the actual data exchange has to be prepared and performed. To do this, information is required about how SAP data fields are mapped to directory attributes, which fields are used where (mapping indicators), and the direction in which data is synchronized (synchronization indicators).

The following sections describe these steps in more detail.

Mapping

Mapping describes the assignment of SAP fields to directory attributes. In the simplest case, this is a 1:1 assignment. However, more complex link rules may be required.

Schema Extension

The directory servers of the various vendors have much in common in their data models (schemata), but they differ in the details. Understandably, the vendor standard schemata contain no attributes for SAP-specific information such as:

• SAP username

• Alias

• Validity period

• Settings for logon language, printer, number formats, time zone

• Assigned roles

• Assigned authorization profiles

SAP has decided not to develop its own schema, but rather to support the schemata available on the market. This is important for heterogeneous system landscapes, if you want to connect non-SAP applications to your directory service in addition to SAP systems.

Because the schemata delivered with the various products do not know many SAP data fields, you must use a schema extension to make these fields known. An extension of this type is provided in a special format (LDIF, the LDAP Data Interchange Format) and imported into the directory server.

You can easily create files of this type in the SAP system for all certified and some additional products using report RSLDAPSCHEMAEXT. After you have chosen a product, this report outputs a list that you can save as a file on your front end computer and then import into your directory server. For more information, see the comment lines in this file.

Linking Details

Essentially, mapping is about linking an SAP data field with a directory attribute. As stated previously, this can be a simple 1:1 assignment or a more complex rule, if, for example, multiple SAP fields are to be mapped to one attribute (or multiple attributes to one SAP field).

SAP delivers a number of function modules that implement certain types of link. Some of them require additional parameters, for example, the character at which a string is to be divided. Customers can, of course, also develop their own modules for particular purposes.

Note: The names of the delivered function modules all start with MAP_* and are in the function group FSLDAP_MAP. For information about their functions, see the BC-SEC-DIR area of the SAP Library.

If no function modules are specified during mapping, function module MAP_DEFAULT is used implicitly; this function module is a simple 1:1 assignment.

Mapping Indicator

In addition to the link (one or more SAP data fields with one or more directory attributes), a mapping also includes its purpose. Is the mapping to be used only for export, only for import, or for both synchronization directions? Are there mandatory fields, without which it is not possible to create an entry in the directory server?

These questions and others are answered by the indicators to be maintained for each mapping. You can perform the associated Customizing in transaction LDAP on the Server Names tab page, in the Mapping area.

Meaning of the Mapping Indicators

Indicator   Meaning
Filter      Mapping used for the search filter of the directory server; corresponds to the key in the SAP system (exists only once; must match the LDAP application; usually on the same mapping as the RDN indicator)
Import      Mapping that can be used for reading directory entries
Export      Mapping that can be used for writing directory entries
Required    Mapping without which an entry cannot be written to the directory (can only be chosen for mappings with the Export indicator)
RDN         Mapping used to create the RDN (must exist for exactly one mapping)

SAP provides a mapping proposal for a large number of products, which you can transfer in the mapping maintenance at the push of a button.
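The following is an added example and not SAP code: a small Python model of what the link rules and mapping indicators above amount to. MAP_DEFAULT (a 1:1 copy) is the only delivered link module the text names; split_at_separator stands in for the delivered "divide a string at a given character" kind of module and is an assumption, as are the SAP field names (BNAME, NAME_TEXT, SMTP_ADDR, TEL_NUMBER), the sample user and the base DN. The attribute names uid, cn, sn, givenName, mail and telephoneNumber come from the inetOrgPerson schema. check_indicators enforces the indicator rules from the table (exactly one Filter, exactly one RDN, Required only with Export), and export_entry shows why a Required mapping without a value blocks the creation of a directory entry.

```python
"""Added example (not SAP code): a model of field mapping with link rules
and mapping indicators.  MAP_DEFAULT is the only delivered link module the
article names; split_at_separator, the SAP field names, the sample user
and the base DN are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Values = Dict[str, str]                     # field or attribute name -> value
Link = Callable[[Values, Tuple[str, ...]], Values]


def map_default(src: Values, targets: Tuple[str, ...]) -> Values:
    """Simple 1:1 assignment, the behaviour the text ascribes to MAP_DEFAULT."""
    (value,) = src.values()
    (target,) = targets
    return {target: value}


def split_at_separator(sep: str) -> Link:
    """Link rule that divides one SAP field at `sep` into several attributes (assumed module)."""
    def link(src: Values, targets: Tuple[str, ...]) -> Values:
        (value,) = src.values()
        parts = value.split(sep, len(targets) - 1)
        if len(parts) != len(targets):
            raise ValueError(f"cannot split {value!r} into {len(targets)} parts")
        return dict(zip(targets, parts))
    return link


@dataclass(frozen=True)
class Mapping:
    sap_fields: Tuple[str, ...]
    ldap_attrs: Tuple[str, ...]
    link: Link = map_default
    # mapping indicators, as in the table above
    filter: bool = False
    import_: bool = False
    export: bool = False
    required: bool = False
    rdn: bool = False


def check_indicators(mappings: List[Mapping]) -> List[str]:
    """Return the indicator combinations the rules in the text forbid."""
    errors = []
    if sum(m.filter for m in mappings) != 1:
        errors.append("exactly one mapping must carry the Filter indicator")
    if sum(m.rdn for m in mappings) != 1:
        errors.append("exactly one mapping must carry the RDN indicator")
    for m in mappings:
        if m.required and not m.export:
            errors.append(f"{m.sap_fields}: Required is only allowed with Export")
        if not (m.import_ or m.export):
            errors.append(f"{m.sap_fields}: mapping is neither Import nor Export")
    return errors


def export_entry(mappings: List[Mapping], sap_user: Values, base_dn: str) -> Tuple[str, Values]:
    """Build the directory entry (DN, attributes) for one SAP user master record."""
    attrs: Values = {}
    rdn = None
    for m in mappings:
        if not m.export:
            continue                         # import-only mappings never write to the directory
        src = {f: sap_user[f] for f in m.sap_fields if sap_user.get(f)}
        if len(src) != len(m.sap_fields):    # at least one source field is empty
            if m.required:
                raise ValueError(f"required mapping {m.sap_fields} has no value")
            continue
        linked = m.link(src, m.ldap_attrs)
        attrs.update(linked)
        if m.rdn:
            [(attr, value)] = linked.items()
            rdn = f"{attr}={value}"
    return f"{rdn},{base_dn}", attrs


# Constructed sample mapping; in a real system the SAP proposal is loaded in transaction LDAP.
BASE_DN = "ou=users,dc=example,dc=com"
SAMPLE_MAPPINGS = [
    Mapping(("BNAME",), ("uid",), filter=True, import_=True, export=True, required=True, rdn=True),
    Mapping(("NAME_TEXT",), ("givenName", "sn"), link=split_at_separator(" "), export=True, required=True),
    Mapping(("NAME_TEXT",), ("cn",), export=True),
    Mapping(("SMTP_ADDR",), ("mail",), import_=True, export=True),
    Mapping(("TEL_NUMBER",), ("telephoneNumber",), import_=True, export=True),
]
SAMPLE_USER = {"BNAME": "JDOE", "NAME_TEXT": "John Doe",
               "SMTP_ADDR": "john.doe@example.com", "TEL_NUMBER": ""}

if __name__ == "__main__":
    print(check_indicators(SAMPLE_MAPPINGS))            # empty list: Customizing is consistent
    print(export_entry(SAMPLE_MAPPINGS, SAMPLE_USER, BASE_DN))
```

The empty TEL_NUMBER is simply left out of the entry because its mapping is not Required; an empty NAME_TEXT, by contrast, aborts the export of that user, which is the behaviour you want to catch in a test run before scheduling the job in production.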

Synchronization Indicators

As the customer, you must ultimately decide the direction in which a synchronization works. There is no SAP proposal for this, as which data is maintained where depends on the scenario. It is certainly conceivable that, during a synchronization for a user, some information is transferred from the directory server to the SAP system (import) and other data is transferred in the opposite direction, that is, is written to the directory (export).

You can set the synchronization indicators for each individual mapping to Import, Export, or not at all in transaction LDAP on the Server Names tab page, in the Synchronization area.

Meaning of the Synchronization Indicators

Indicator   Meaning
Import      Object is imported during the synchronization (can only be selected for mappings with the Import mapping indicator)
Export      Object is exported during the synchronization (can only be selected for mappings with the Export mapping indicator)

Regardless of the indicators that you have set, the following rules apply:

• The fields that are mandatory in the directory (Required mapping indicator) and the key fields in the SAP system (Filter mapping indicator) are automatically exported when creating (but not when updating) an entry in the directory.

• The fields that are mandatory in the SAP system (this cannot be identified in the mapping maintenance) and the key fields in the SAP system (Filter mapping indicator) are automatically imported when creating (but not when updating) an entry in the SAP system.

For existing objects (that is, when updating objects), only the synchronization indicator settings apply.

Caution: In addition to field mapping, the synchronization indicators are vital for a correct data exchange. Incorrect Customizing can lead to data loss or inconsistencies.

Executing and Monitoring the Synchronization

After you have made all settings, you can perform the synchronization, perhaps first manually as a test and then later, in production, as a periodically scheduled background job.

Preparing and Performing the Synchronization

It is important that you are clear about what data is maintained where. Not all user attributes need to be administered in one place: users could be created, assigned a telephone number, and assigned an SAP role in three different places. Users should, of course, be created in exactly one place.

Usually, either the directory or the SAP system defines the existence of users. Users newly created in that leading repository are then automatically created in the other one during synchronization, and users deleted there can be automatically deleted or locked. However, this "one way street" is not mandatory: attributes can be synchronized in different directions, as long as a synchronization indicator is maintained for each mapping and exactly one direction (import or export) applies to each attribute.

In the first scenario, users are either created manually in the directory server or are created there by an external application, such as an HR system. Newly created users are then created in the SAP system during the next synchronization. If this is the central system of Central User Administration (CUA), the user is also created in the specified child systems.

In this scenario, it is still technically possible for an SAP administrator to administrate the user master in the central system and (depending on the configuration) also in the child systems. However, these changes may be overwritten during the next synchronization process.

Another scenario could have the connected SAP system as the leading system. Users created there are immediately distributed to the affected child systems. After the next synchronization, these users also exist in the directory server, and can be accessed by other applications.

You always control the actual synchronization with the directory server from the SAP system, using report RSLDAPSYNC_USER. You can start the report in dialog (for example, with transaction SA38), or schedule it as a background job with a suitable variant. You specify the desired LDAP server when you call the report (the system can determine the LDAP Connector automatically). You can also restrict the synchronization to certain user names. With the correction described in SAP Note 790112, you can also restrict by user group or class of users (such as communication users) on the selection screen of report RSLDAPSYNC_USER.

During the synchronization process, three groups of users are identified, which are processed sequentially in accordance with the settings of report RSLDAPSYNC_USER and the synchronization indicators.

1. Handling of the users that exist only in the SAP system

2. Handling of the users that exist only in the directory server

3. Handling of the users that exist in both repositories

RSLDAPSYNC_USER offers different options for each of the identified user groups. The default setting for each group, Ignore Objects, is non-critical: a run with these settings changes no objects, but the log tells you how many objects would be synchronized.

• The users SAP*, DDIC, SAPCPIC, and EARLYWATCH are always excluded from every synchronization.

• Instead of deleting users (that do not exist in the directory), we recommend that you simply lock them (for audit purposes).

• Before you delete users (that do not exist in the SAP system) from the directory, you must be sure that the entries are not required for other applications.

• Compare Time Stamp for the users that exist in both repositories performs a delta synchronization (that is, only users changed since the last run are synchronized).

• Ignore Time Stamp for the users in both repositories performs a complete synchronization (that is, all users are synchronized in accordance with the synchronization indicators).
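The following is an added example and not SAP code: a Python model of the decisions a synchronization run makes for each user, covering both the creation rules given under "Synchronization Indicators" above and the three user groups and options of RSLDAPSYNC_USER described here. The option names, the mapping records (with the synchronization indicator recorded as "import", "export" or None), the SAP_MANDATORY set, the sapRoles attribute name and the sample users with their change times are constructed for this illustration. The rules applied are the ones the text states: SAP*, DDIC, SAPCPIC and EARLYWATCH are always excluded; Required and Filter mappings are always exported when an entry is created in the directory; Filter and SAP-mandatory fields are always imported when a user is created in SAP; on update only the synchronization indicators count; and Compare Time Stamp skips users not changed in either repository since the last run.

```python
"""Added example (not SAP code): a model of what an RSLDAPSYNC_USER run
decides for each user.  Option names, mapping records, SAP_MANDATORY and
the sample users are constructed for this illustration.
"""
from datetime import datetime

ALWAYS_EXCLUDED = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}

# One record per mapping: SAP field, LDAP attribute, the Filter and Required
# mapping indicators, and the synchronization indicator (import/export/None).
MAPPINGS = [
    {"sap": "BNAME", "ldap": "uid", "filter": True, "required": True, "sync": None},
    {"sap": "NAME_TEXT", "ldap": "cn", "filter": False, "required": True, "sync": "import"},
    {"sap": "TEL_NUMBER", "ldap": "telephoneNumber", "filter": False, "required": False, "sync": "import"},
    {"sap": "AGR_NAME", "ldap": "sapRoles", "filter": False, "required": False, "sync": "export"},  # attribute name assumed
]
SAP_MANDATORY = {"BNAME", "NAME_TEXT"}   # fields needed to create an SAP user (assumption)

# Defaults of the report: Ignore Objects for all three groups.
DEFAULT_OPTIONS = {"sap_only": "ignore", "dir_only": "ignore", "both": "ignore"}


def classify(sap_users, dir_users):
    """Split user names into the three groups the report processes in turn."""
    s = set(sap_users) - ALWAYS_EXCLUDED
    d = set(dir_users) - ALWAYS_EXCLUDED
    return s - d, d - s, s & d


def fields_on_create(direction):
    """Fields written when an object is newly created in the target repository."""
    if direction == "export":
        return {m["sap"] for m in MAPPINGS if m["sync"] == "export" or m["required"] or m["filter"]}
    return {m["sap"] for m in MAPPINGS if m["sync"] == "import" or m["filter"] or m["sap"] in SAP_MANDATORY}


def fields_on_update(direction):
    """Fields written when an existing object is updated: synchronization indicator only."""
    return {m["sap"] for m in MAPPINGS if m["sync"] == direction}


def plan(sap_users, dir_users, options, last_run):
    """Return the actions a run would take as (user, action, fields) tuples."""
    sap_only, dir_only, both = classify(sap_users, dir_users)
    actions = []
    for u in sorted(sap_only):
        if options["sap_only"] == "create_in_directory":
            actions.append((u, "create_in_directory", fields_on_create("export")))
        elif options["sap_only"] == "lock_in_sap":        # recommended instead of deleting
            actions.append((u, "lock_in_sap", set()))
    for u in sorted(dir_only):
        if options["dir_only"] == "create_in_sap":
            actions.append((u, "create_in_sap", fields_on_create("import")))
        elif options["dir_only"] == "delete_in_directory":
            actions.append((u, "delete_in_directory", set()))
    for u in sorted(both):
        if options["both"] == "ignore":
            continue
        if options["both"] == "compare_time_stamp":       # delta synchronization
            if max(sap_users[u], dir_users[u]) <= last_run:
                continue                                  # unchanged on both sides since last run
        actions.append((u, "update_sap", fields_on_update("import")))
        actions.append((u, "update_directory", fields_on_update("export")))
    return actions


# Constructed sample: user name -> time of last change in that repository.
SAP_USERS = {"SAP*": datetime(2009, 1, 1), "DDIC": datetime(2009, 1, 1),
             "JDOE": datetime(2010, 1, 3), "MSMITH": datetime(2009, 12, 20),
             "OLDUSER": datetime(2009, 6, 1)}
DIR_USERS = {"JDOE": datetime(2009, 12, 1), "MSMITH": datetime(2009, 12, 15),
             "NEWHIRE": datetime(2010, 1, 2)}
LAST_RUN = datetime(2010, 1, 2)
OPTIONS = {"sap_only": "lock_in_sap", "dir_only": "create_in_sap", "both": "compare_time_stamp"}

if __name__ == "__main__":
    for action in plan(SAP_USERS, DIR_USERS, OPTIONS, LAST_RUN):
        print(action)
```

Running plan with DEFAULT_OPTIONS yields no actions at all, which is the harmless test run the text recommends. With OPTIONS, OLDUSER is locked rather than deleted, NEWHIRE is created in SAP with the key and mandatory fields even though BNAME carries no synchronization indicator, and only JDOE, who changed after the last run, is updated; note that on update BNAME is not touched in either direction.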

Logs

If you run RSLDAPSYNC_USER online, the system displays the associated log immediately after the program run. Small traffic light icons show you whether there were problems. The runtime required is also displayed.

If you ran the synchronization in the background (or want to access older logs), transaction LDAPLOG allows you to evaluate historical logs. The selection screen allows you to use convenient search options.

Note: As an alternative to transaction LDAPLOG, you can also use the (general) transaction SLG1 (use it with object LDAPSYNC and subobject USER).

The logs use the Application Log, a tool of the SAP Web AS for collecting messages, exceptions, and errors (component BC-SRV-BAL). This tool provides a range of user-friendly functions for logs. You can archive old logs (with transaction SARA, archiving object BC_SBAL) or, if they are no longer required, delete them manually or automatically (with transaction SLG2).

To access entries in the directory server directly, you can use the Search operation in transaction LDAP. LDAP browsers are also available, both from the directory service vendors and from third-party vendors.

Outlook: Transferring HR Data to a Directory Service

In the scenario presented so far, we have assumed that the synchronized users have a user master record in the SAP system. SAP also supports the requirement that employee data that is stored in Human Resources (HR) in an SAP system is to be transferred to an LDAP-compatible directory server. Report RPLDAP_EXTRACT is available for this purpose. You can use this report to retrieve and prepare the HR data in the SAP system, and to transfer this data to a directory server. For more information, see SAP Note 784697.
