Active Directory Integration (user admin & SSO)

Former Member
0 Kudos

We are now implementing SAP EP (NW04s) and ECC HR (ERP2005) with thousands of employees and are thinking of utilizing Active Directory, which will be newly implemented with the SAP system. Some users will use both EP and SAPGUI to access the new system.

Q1. When exporting HR master to AD, which master table is used?

Q2. Will organizational assignment data be transferred as AD groups (not only at the “SAP_HR” level but also which department the users are assigned to)? And can it be used for authorization in AD and as an EP role?

Q3. Can you bulk-activate users that were created in AD in a deactivated state?

Q4. Is SSO possible through AD, EP and ECC via SAPGUI? If so, is any development required?

Any help is appreciated. Thanks.

Accepted Solutions (1)

Former Member
0 Kudos

Answers (3)

Former Member
0 Kudos

Megumi,

I would like to know how this implementation went. We are doing the same thing and using the ECC HR system to populate the LDAP server via the LDAP connector delivered with the system. Utilizing the mapping function on the ECC HR side, the groups and user IDs are being established in the LDAP server.

From there, we configured the EP UME to utilize the LDAP server for authentication and SSO. Rather than use the SAPGUI, iViews were configured with ESS/MSS access to HR data.

Thanks, Phil

Former Member
0 Kudos

Active Directory is basically used for Enterprise Identity Management and so will hold mostly user profile data and organization data (although nothing stops it from storing other things), but that's what its purpose is. So, AD would just be used as the user management store for EP.

Q3 -> Yes, you can, but you will have to run a script for that.

Q4 -> Yes, but AD is the UME store, and by doing user mapping on EP, SSO can be achieved with ECC.

Regards,

Piyush

ps: please mark all useful answers.
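
The Q3 answer above mentions running a script. The following is an added example, not part of the original thread, of a scoped bulk-enable in PowerShell using the ActiveDirectory module; the OU path, the use of `employeeID` as the marker for HR-exported accounts, the age window and the report path are all assumptions.

```powershell
# Added example, not from the thread. Assumed values are marked "assumption".
param(
    [string]$SearchBase = 'OU=SAP_HR,DC=example,DC=com',  # assumption: OU the HR export writes to
    [int]   $MaxAgeDays = 7,                              # assumption: export ran within a week
    [string]$ReportPath = '.\enabled-accounts.csv',       # audit trail of every decision
    [switch]$Apply                                        # without -Apply nothing is changed
)
Import-Module ActiveDirectory
$createdAfter = (Get-Date).AddDays(-$MaxAgeDays)

# Scope to the export OU. A domain-wide sweep would also re-enable accounts
# that were disabled on purpose (leavers, incident response, service accounts).
$candidates = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'Enabled -eq $false' `
        -Properties employeeID, whenCreated, lastLogonTimestamp |
    Where-Object {
        $_.employeeID -and                      # assumption: HR mapping fills employeeID
        $_.whenCreated -ge $createdAfter -and   # created by the recent export run
        -not $_.lastLogonTimestamp              # never used, so not a re-disabled account
    }

$results = foreach ($user in $candidates) {
    $status = 'WouldEnable'
    try {
        # -WhatIf stays on unless -Apply was given, so the default run is a dry run.
        Enable-ADAccount -Identity $user.DistinguishedName -WhatIf:(-not $Apply) -ErrorAction Stop
        if ($Apply) { $status = 'Enabled' }
    } catch {
        # For example: the account has no password that satisfies the domain policy.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        EmployeeID     = $user.employeeID
        WhenCreated    = $user.whenCreated
        Status         = $status
    }
}

# Keep a record of what was (or would be) enabled, then print a summary by status.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once without `-Apply` and review the CSV before repeating with `-Apply`.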

RainerKunert
Active Participant
0 Kudos

Hi,

There is a difference between connecting EP with AD and connecting ECC with AD. EP can use the AD as user data store (UME persistence store), but ECC still has its own persistence store in the ECC database.

Therefore you have to create all users in ECC manually or via LDAP synchronization. Maybe it's possible to create the users with the user synchronization in the EP.

Q1: You can specify in the LDAP synchronization which tables and fields should be synchronized.

Q2: As far as I know, this is not possible.

Q4: SSO is possible. Within EP the easiest way is LDAP bind. In ECC the only way is the KERBEROS protocol (SAP supports only ECC servers running MS Windows, but Unix servers can use Kerberos, too).

Please remember, if you connect an ECC system directly with the AD, you can only synchronize the user data, i.e. the data is redundantly stored in AD and ECC. Synchronization isn't done automatically but can be planned as a batch job.

You should think about IDM (identity management). There is an IDM solution from Microsoft called MIIS. Other tools like Siemens DirX are supported, too.