SAP and AD: Make the Connection With Access Management

SAP is an indispensable tool for controlling and managing business resources centrally, especially in larger companies. However, the software itself must also be managed. What does that mean, you ask?

Well, every single Active Directory user has to be copied to SAP. And every single change (e.g. when someone switches to a different department or goes on parental leave) must be updated in both systems. If you prefer not to do all this manually, having a connection between the two might come in handy. In this article, we are going to examine how SAP AD integration can be achieved with the help of access management software.

The demand for an interface between Active Directory and SAP did not arise simply because admins don’t have time to create a new user in both programs. If that was all it takes, there would be no need for connecting the two systems. The problem is that there’s way more to it.

Impossible? No. But it is a pain. Just imagine doing this manually for hundreds or even thousands of employees. At some point, having no integration between the two programs becomes a question of resources.

Sure enough, SAP itself actually does provide an interface to the AD – sort of. You can configure AD as an information source for SAP, under the prerequisite that the SAP Cloud Connector is also installed in the company environment.

However, this interface only ensures that user information from the AD (group membership, access to objects, etc.) can also be viewed via SAP. It does not spare the admin of having to make the same changes twice. To learn more about this solution, click here.

So far, we have learned that connecting SAP and AD is a matter of resources. But it is also a matter of security. There are certain internal and external compliance guidelines which obligate businesses to update any changes to personal data promptly and in full across all systems, and to keep precise records of these changes.

tenfold manages all physical IT users centrally, which means that a data modification conducted in tenfold will automatically trigger the same modification in Active Directory, SAP and any other connected systems.

The software comes with an out-of-the-box SAP connector, the SAP ERP® Plugin. For the technical integration, tenfold exclusively uses functions (BAPIs) provided by SAP. These BAPIs support both communication with individual systems as well as systems that are part of a CUA network.

The basis for integration with SAP is tenfold’s RFC Connector. This connector allows the free use of RFCs: Processes from the SAP Solution Manager can be integrated, and procurement processes (such as hardware requests for users) can further be triggered in MM.

On SAP’s side, the only thing you need to do is set up an RFC user with the necessary administrative rights to perform user maintenance. It is not necessary to import additional, user-specific BAPIs into the Z-space (only exception: password reset). The SAP Connector offers the following functions for managing users in SAP:

New SAP users can be created directly with tenfold. The master data contained in tenfold’s person master record serves as a basis for this. Another option is to connect tenfold to the personnel database (SAP HCM). Here, the software will update the data in all other systems whenever manual changes are made in SAP HCM. If furthermore the Active Directory is connected, the use of SAP’s identity management solution becomes obsolete in many cases.

Whenever an admin edits user data, be it manually or through an automatic update from SAP HCM, tenfold automatically triggers an update of the SAP ERP user master record. This means that the data in the Active Directory and in SAP are automatically updated at the same time.

tenfold is able to model the entire user lifecycle (from joining to leaving date and including any departmental changes or breaks in between). When an employee leaves the company, the software automatically locks or deletes that person’s user in SAP, as well as the associated Active Directory account.

Aside from the above-mentioned functions related to identity management, i.e. the administration of user accounts, the SAP connector also allows you to assign roles to users in SAP (and of course to delete these role assignments when needed).

The SAP Connector is also used in tenfold’s self-service password reset feature. This feature allows end users to reset forgotten SAP passwords autonomously via the web portal. The prerequisite for this is the authentication via alternative methods (e.g. secret questions, SMS PINs, alternative e-mail addresses, etc.).

SAP has a function for user maintenance (transaction SU01) which theoretically allows admins to work directly in SAP instead of having to go through tenfold. Such “detours“ will eventually lead to the data in tenfold no longer representing the status quo. To prevent this from happening, the SAP connector provides a re-synchronization feature for SAP. In the re-synchronization process, all users, available roles and role assignments are reviewed and resynchronized with tenfold.

This process ensures that the software is always up-to-date and can therefore serve as a reliable basis for any evaluations that need to be conducted.

An access management software that creates an interface between SAP and Active Directory will bring you the following advantages: