Creating connection for SAP

To create a new SAP connection:

  1. On the Connections page, click New and click SAP to display the SAP: New Connection page.
  2. Provide a user-defined connection name. This name is used to refer to this connection while scheduling an extraction.
  3. Provide a description for this connection.
  4. To use Secure Network Communications (SNC) while creating connections, select the check box Use SNC. The relevant fields are displayed. For details on configuring SNC, see the Infor Risk & Compliance SAP - Configuration Guide.
  5. From the Quality of Service to be used drop-down list, select the required quality of protection level:
    • Digital signature: Quality of protection level in SNC is set to 1 in SAP. With this protection level, the system verifies the identity of the communication partners. This is the minimum protection level offered by SNC. No actual data protection is provided.
    • Digital signature and encryption: Quality of protection level in SNC is set to 2 in SAP. With this protection level, the system detects any changes or manipulation of the data which may have occurred between the two end points of a communication. Integrity protection also includes authentication.
    • Digital signature, encryption, and user authentication: Quality of protection level in SNC is set to 3 in SAP. With this protection level, the system encrypts the messages being transferred to make eavesdropping useless. Privacy protection also includes integrity protection of the data. This is the maximum level of protection provided by SNC.
    • Digital signature, encryption, and user authentication: Quality of protection level in SNC is set to 8 in SAP. This is default protection.
    • Digital signature, encryption, and user authentication: Quality of protection level in SNC is set to 9 in SAP. This is maximum protection.
  6. Specify the SNC Library Path and the SNC Partner Name provided by the SAP Administrator. Ensure that one of these GSS (Generic Security Services) products is available on the Infor Risk & Compliance server before creating the connection. SNC Library Path refers to the path of the SNC library files on the Infor Risk & Compliance server. Ensure that the SNC library files are available on the Infor Risk & Compliance server while creating the connection. For example:
    • For SNC with Kerberos authentication protocol:
      • SNC Library Path - <Security Product location>\SLL\SECGSS.dll
      • SNC Partner name - p:CN=SAP/KerberosSC2
    • For SNC with SAP Cryptographic library:
      • SNC Library Path - <Location of SAP Cryptographic software>\sapcrypto.dll
      • SNC Partner name - p:CN=ABAP-ED6, OU=Organization
        Note: An X.509 certificate can be used only with the SAP Cryptographic library.
  7. To log in with an X.509 certificate, select the check box Login through an X.509 certificate.
  8. Browse to select the X.509 Certificate Path provided by the SAP Administrator and click Upload to upload the certificate.
  9. The Certificate Subject field is automatically populated on uploading the X.509 certificate.
  10. Select one of the following connection modes:
    1. Connect without Logon Group: This is the default option. Add the following details:
      1. In the System Number field, specify the system number of the target SAP system. This value can be changed later, if required.
      2. In the Client field, specify the name of the client from which you want to extract data.
      3. In the User Name and Password fields, specify the credentials necessary to create a connection and later to extract data. This user must have the appropriate privileges within the SAP system to extract data for the Authorizations Insight for SAP.
      4. In the Server Host Name field, specify the server host name. This is the machine or server on which the SAP application is installed. This name can be changed later, if required.
      Note: If the System Number and the Server Host Name fields are modified later, a long running task is created on the Tasks page to update all the data from this connection.
    2. Connect with Logon Group: SAP uses logon groups for load balancing purposes. When you select this option, the following additional details are required:
      Note: Before connecting with SAP Logon Groups, a manual entry must be made in the services file under the System32 folder. Go to the bottom of the services file at C:\WINDOWS\system32\drivers\etc\services and modify the service name and port number/protocol as follows:
      • The service name should be 'SAPMS' followed by the system ID of the message server.
      • Provide the port number/protocol for the message server.
      1. The name of the client from which you want to extract data in the Client field.
      2. The credentials necessary to create a connection and later to extract data in the User Name and Password fields.
      3. The name of the logon group in the Logon Group field.
      4. The system identification number of the message server in the System ID field.
      5. Provide the message server host name in the Message Server Host field. The message server is a dedicated server for load balancing and automatically assigns users to the application server with the least workload of the logon group it controls.
  11. From the SAP Application Type drop-down list, select the SAP module, for example SAP R/3. This module cannot be edited after the connection is created.
  12. From the Language drop-down list, select the language in which to extract data. The supported languages are English, French, Spanish, German, and Portuguese. Once set, the language cannot be edited.
  13. Selecting the User ID Policies check box enables you to define the combination of characters that should be used to specify the User ID for the users created for this connection through a User Creation What-if or a User Creation Request. Clear this check box if you do not wish to define the user ID policies. By default, the check box is selected.
    Note: 
    • If the combination of characters for the user ID is defined, the User ID specified in the New User ID field while creating a User Creation What-if or a User Creation Request must follow the same combination of characters that is defined here.
    • If the combination of characters for the user ID is not defined, the User ID may be specified as required by the creator of the request or What-if and will be retained as it is typed.
    • If the Platform is upgraded from a previous version, the page for the connection created in the previous version displays the check box User ID Policies and the following conditions for the user ID as selected:
    • The User ID Type drop-down list displays the option UPPER CASE.
    • The Minimum User ID length text box displays 1, which means the minimum length of the user ID must be 1 character.
    • The Maximum User ID length text box displays 12, which means the maximum length of the user ID must be 12 characters.
  14. Leave the Custom BIF check box cleared.
  15. Connection time zone offset: If the Infor Risk & Compliance and SAP servers are in different time zones, one of the following scenarios can arise for an emergency access request, which by default has automatic completion set:
    • The emergency access role will expire before the specified expiry time, if the Infor Risk & Compliance time is behind the SAP time.
    • The emergency access role will have an extended validity period if the Infor Risk & Compliance time is ahead of the SAP time.

      To avoid this, the validity dates of SAP objects must be set according to the SAP time and not the Infor Risk & Compliance time. For this, specify the time difference between the two servers in the Connection time zone offset field. For example:

      • If the Infor Risk & Compliance time is 570 minutes behind the SAP time, then enter 570 in the Connection time zone offset field.
      • If the Infor Risk & Compliance time is 570 minutes ahead of the SAP time, then enter -570 (minus 570) in the Connection time zone offset field.
    Note: Add the DST (Daylight Saving Time) to the time difference, if applicable. This field must be periodically updated depending on the DST.
  16. Configuration Settings for the Access Management Insight: If you are creating this connection for Access Manager, you can configure the following additional options for request completion:
    • Manual Request Completion: Select this option for the System Administrator to manually update the ERP system after a request is approved.
    • Automatic Request Completion: Select this option for the application to automatically update the ERP system after a request is approved.
  17. Configuration Settings for Central User Administration (CUA) Clients: If you plan to use SAP Central User Administration (CUA) for requests, select the check box CUA Server Managed. Provide the required details as described below. Multiple CUA clients may be configured in this way.
    1. Provide the logical client name of the target child client as configured in SAP.
    2. Provide the host name of the CUA server.
    3. Provide the system number of the CUA server.
    4. Provide the client number of the CUA server.
    5. Provide the application user account name for the CUA server. This user must have the required permissions that are shipped with Infor Risk & Compliance as a pre-defined BIZRIGHTS_CUA role.

      For details, refer to the SAP - Configuration Settings Guide.

    6. Provide the application user account password for the CUA server.
    7. From the Language drop-down list, select the language to extract data.
  18. Select whether data from this connection should be secured.
  19. Select whether users extracted from this connection should be mapped:
    • Select Map Connection Users (Participation in Cross Connection Analysis) to map users extracted from the connection to a single Infor Risk & Compliance profile.
    • Select Do not map Connection Users (No Participation in Cross Connection Analysis) to create independent user profiles.
  20. Click Save. The new connection is displayed on the SAP panel of the Connections page. You can now schedule an extraction from this connection.
    Note: If the parameters provided in the mandatory fields are incorrect, the connection is not created and the application displays an error message that is generated by the SAP connector. In such a case, ensure the following and click Save:
    • The parameters specified are correct.
    • The SAP router settings for SNC are the same for all routers connecting all instances of the central SAP server.
    • The associated servers or instances of the central SAP server have the same SNC configuration.
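
The services-file entry required for Connect with Logon Group (step 10) can be checked before saving the connection. The following is an added example, not part of the Infor documentation; the system IDs PRD and QAS, the port numbers, and the case-insensitive name match are assumptions, and the real system ID and port come from the SAP Administrator.

```python
import re

# One entry per line: <service name> <port>/<protocol>; text after '#' is a comment.
ENTRY = re.compile(r"^\s*(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>\w+)")

def check_message_server_entry(services_text, system_id, port, proto="tcp"):
    """Return a list of problems with the SAPMS<SID> entry; an empty list means OK."""
    wanted = ("SAPMS" + system_id).lower()   # assumption: names compared case-insensitively
    problems, found = [], False
    for lineno, raw in enumerate(services_text.splitlines(), start=1):
        m = ENTRY.match(raw.split("#", 1)[0])    # a commented-out entry is not active
        if m is None:
            continue
        name = m.group("name")
        entry = (int(m.group("port")), m.group("proto").lower())
        if name.lower() == wanted:
            found = True
            if entry != (port, proto):
                problems.append(
                    f"line {lineno}: {name} maps to {entry[0]}/{entry[1]}, "
                    f"expected {port}/{proto}")
        elif entry == (port, proto):
            # Another service already claims the message server port.
            problems.append(f"line {lineno}: {port}/{proto} is already assigned to {name}")
    if not found:
        problems.append(f"no active SAPMS{system_id} entry")
    return problems

# Constructed sample, not taken from a real server.
SAMPLE_SERVICES = """\
# constructed excerpt of C:\\WINDOWS\\system32\\drivers\\etc\\services
http        80/tcp     www
#SAPMSPRD   3600/tcp   (commented out, so not active)
SAPMSQAS    3601/tcp   # message server of system QAS
"""

if __name__ == "__main__":
    for sid, port in (("PRD", 3600), ("QAS", 3601), ("QAS", 3602)):
        result = check_message_server_entry(SAMPLE_SERVICES, sid, port)
        print(sid, port, result or "OK")
```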
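
The Connection time zone offset from step 15, worked through as an added example that is not Infor's own code. It computes the value to enter (positive when the Infor Risk & Compliance time is behind the SAP time) and lists the dates on which DST changes that value, so an emergency access role does not expire early or stay valid longer than intended. The zone names America/New_York and Asia/Kolkata are assumptions, chosen because they reproduce the 570-minute figure used above.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo   # Python 3.9+, needs the system or pip tzdata database

def connection_offset_minutes(irc_tz, sap_tz, at_utc):
    """Value for the offset field: SAP local time minus IRC local time, in minutes."""
    irc = at_utc.astimezone(ZoneInfo(irc_tz)).utcoffset()
    sap = at_utc.astimezone(ZoneInfo(sap_tz)).utcoffset()
    return int((sap - irc).total_seconds() // 60)

def offset_changes(irc_tz, sap_tz, year):
    """Return [(date, new_offset)] for each day of `year` on which the field must be updated."""
    changes = []
    day = datetime(year, 1, 1, 12, tzinfo=timezone.utc)   # sample once a day at 12:00 UTC
    previous = connection_offset_minutes(irc_tz, sap_tz, day)
    while True:
        day += timedelta(days=1)
        if day.year != year:
            return changes
        current = connection_offset_minutes(irc_tz, sap_tz, day)
        if current != previous:
            changes.append((day.date(), current))
            previous = current

if __name__ == "__main__":
    # Assumed locations: IRC server in New York, SAP server in India.
    irc_zone, sap_zone = "America/New_York", "Asia/Kolkata"
    now = datetime.now(timezone.utc)
    print("enter now:", connection_offset_minutes(irc_zone, sap_zone, now))
    for when, value in offset_changes(irc_zone, sap_zone, now.year):
        print(f"from {when}: enter {value}")
```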