on 2006 May 26 3:42 AM
We are now implementing SAP EP(NW04s) and ECC HR(ERP2005) with thousands of employees and thinking of utilizing Active Directory which will be newly implemented with the SAP system. Some users will use both EP and SAPGUI to access the new system.
Q1. When exporting HR master to AD, which master table is used?
Q2. Will organizational assignment data be transferred as AD groups (not only at the SAP_HR level but also which department the users are assigned to)? And can it be used for authorization in AD and as an EP role?
Q3. Can you bulk activate users that were created in AD as deactivated?
Q4. Is SSO possible through AD, EP and ECC via SAPGUI? If possible, is any development required?
Any help is appreciated. Thanks.
Megumi,
I would like to know how this implementation went. We are doing the same thing and using the ECC HR system to populate the LDAP server via the LDAP connector delivered with the system. Utilizing the mapping function on the ECC HR side, the groups and user IDs are being established in the LDAP server.
From there, we configured the EP UME to utilize the LDAP server for authentication and SSO. Rather than use the SAPGUI, iViews were configured with ESS/MSS access to HR data.
Thanks, Phil
Active Directory is basically used for Enterprise Identity Management and so will hold mostly user profile data and organization data (although nothing holds it in storing other things) but that's what its purpose is. So, AD would just be used as user management store for EP.
Q3-> yes you can, but you will have to run a script for that
Q4--> yes, but AD is UME store and by doing user mapping on EP, SSO can be achieved with ECC
Regards,
Piyush
ps: please mark all useful answers.
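An added example for Q3, not part of the original thread and not any poster's code: one way such a script can plan a bulk activation so that it clears only the disabled bit of `userAccountControl`, keeps every other flag, and touches only accounts under one OU. The DNs, the `OU=SAP_HR` base and the export list are constructed for illustration; the output is an LDIF change file to review before importing.

```python
# Added example: sample entries are constructed, not taken from a real directory.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks an account as disabled

# Constructed (dn, userAccountControl) pairs, as they might come from an AD export.
SAMPLE_EXPORT = [
    ("CN=E1001,OU=SAP_HR,DC=example,DC=com", 514),     # normal account, disabled
    ("CN=E1002,OU=SAP_HR,DC=example,DC=com", 512),     # normal account, already enabled
    ("CN=E1003,OU=SAP_HR,DC=example,DC=com", 66050),   # disabled + password never expires
    ("CN=svc_old,OU=Retired,DC=example,DC=com", 514),  # disabled, outside the target OU
]

def in_scope(dn, base_dn):
    """True when dn sits below base_dn (case-insensitive match on an RDN boundary)."""
    return dn.lower().endswith("," + base_dn.lower())

def plan_enable(entries, base_dn):
    """Return [(dn, old_uac, new_uac)] for disabled accounts under base_dn only."""
    plan = []
    for dn, uac in entries:
        if in_scope(dn, base_dn) and uac & ACCOUNTDISABLE:
            # Clear only the disabled bit; writing a fixed 512 would drop other flags.
            plan.append((dn, uac, uac & ~ACCOUNTDISABLE))
    return plan

def to_ldif(plan):
    """Render the plan as LDIF modify records for review before import."""
    out = []
    for dn, _old, new in plan:
        out += [f"dn: {dn}", "changetype: modify", "replace: userAccountControl",
                f"userAccountControl: {new}", "-", ""]
    return "\n".join(out)

if __name__ == "__main__":
    plan = plan_enable(SAMPLE_EXPORT, "OU=SAP_HR,DC=example,DC=com")
    for dn, old, new in plan:
        print(f"{dn}: {old} -> {new}")  # audit trail of what will change
    print(to_ldif(plan))
```
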
Hi,
There is a difference in connecting EP with AD and connecting ECC with AD. EP can use the AD as user data store (UME persistence store), but ECC still has its own persistence store in the ECC database.
Therefore you have to create all users in ECC manually or via LDAP synchronization. Maybe it's possible to create the users with the user synchronization in the EP.
Q1: You can specify in the LDAP synchronization which tables and fields should be synchronized.
Q2: As far as I know, this is not possible.
Q4: SSO is possible. Within EP the easiest way is LDAP bind. In ECC the only way is the KERBEROS protocol (SAP supports only ECC servers running MS Windows, but Unix servers can use Kerberos, too).
Please remember, if you connect an ECC system directly with the AD, you can only synchronize the user data, i.e. the data is redundantly stored in AD and ECC. Synchronization isn't done automatically but can be planned as batch job.
You should think about IDM (identity management). There is an IDM solution from Microsoft called MIIS. Other tools like Siemens DirX are supported, too.