ILM and SAP – Basic MA Installation

I’ve just installed the SAP MA (also called the ERP MA) for the first time. As usual it took four times as long as seemed strictly necessary so, in this post, I shall summarise the steps I took to create a basic MA, able to import Users and Employees from SAP into ILM.

1. Software Requirements

For some reason I found it really hard to find a nice, simple list of what is required on the ILM server. So here’s my attempt:

  

Windows 2003 Enterprise 32-bit Not 64-bit, as I found out the hard way.
Visual Studio 2005 Installed with preferred language – VB.NET or VC#. You can deselect the other options if you like.
SQL 2005 I believe SQL 2000 is also ok.
Visual Studio 2003 Yes! As well! This is needed by the SAP .NET Connector, though again you can install it with minimal settings. In fact there is a way to avoid installing VS 2003 but you will need access to a computer with the SAP Connector already installed, from which you can copy certain files. See this post by Tomek for his workaround.
SAP .NET Connector 2.0.1 Downloadable from http://service.sap.com/connectors though it needs a username and password, so maybe you can see if the local SAP admin already has one.
ERP MA There’s a more recent version that the CD one available here.

2. Configure the Schema

The SAP MA is not able to go off into your SAP system, discovering the schema for itself. It is necessary to use the ERP MA Configuration Tool to produce copy of the required schema elements in an XML  file, which you will then import into your MA.

We mucked around for quite some time trying to create our own configuration, before paying attention to the template referred to in the documentation. This is a preconfigured schema which should work for most standard SAP installations (I would imagine, being no SAP expert – though it worked for the one I was connecting to), and will grab all active users and employees.

So here’s what you need to do:

  1. Run the ERP MA Configuration Tool from the Programs menu created by the installation
  2. Choose File -> Open Configuration
  3. Browse for the Microsoft ERP Management Agent program folder
  4. Open the ERPDefaultTemplate.xml
  5. Fill in the Connection Information as follows:
    • Connect To: ASHOST=SAP_Server  SYSNR=00 CLIENT=800
    • Username: SAP username with sufficient access to retrieve user and employee records
    • Password: SAP password
  6. Have a look through it, while thinking “what the heck does all this mean??”
  7. Choose File -> Save As
  8. Save it to the Extensions folder, using the same name as you will use for the MA.

3. Create the MA

No you can go into Identity Manager and create a SAP MA.

Remember to give it the same name as the schema file you saved above. The connection details are the same ones you entered in the configuration tool – step 5 above.

When prompted to enter a schema file, the one you want is MAName_schemaAttributes.xml.

After that the configuration is the same as for any other MA.

4. Importing

The template schema only includes a “full” method for imports – no “delta”.  So you will be stuck with Full Imports for the time being.

There is something in the Help about enabling “change docs” – but I haven’t got that far yet myself. Once I figure out how to do delta imports from SAP you can be sure there will be another post.

 

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.


5 thoughts on “ILM and SAP – Basic MA Installation”

  1. Hi Carol,
    Just wondering if you figured out the Delta portion of this MA?
    Thanks,
    Peter

  2. Many thanks for this post !
    It was really helpful for a customer of mine.

    I hope you are doing well !

    Greetings,

    Sébastien

  3. Hi Carol,

    Thx for this helpfull guide. I used this in our test environment. I have a question about “SAP username with sufficient access to retrieve user and employee records”. SAP gave me a user with SAP_ALL authorization object for test environment, but they cant give the same authorization object for production environment. Do you know what authorization objects should be given to the user to access the datas and provision these datas for other SAP systems (SAP BW, SAP ERP etc.). By the way our authoritative resource is SAP HR and we only reconcile from this resource and provision the users to other SAP Systems. Could you please give me a clue?

    Regards
    Dinçer

  4. I can’t really help more – haven’t done anything with SAP for a long time. You will need a SAP administrator or consultant to help you with that.

Comments are closed.