Novell & SAP Integration

Integrating Novell™ eDirectory with SAP R/3 and MySAPPortal
www.novell.com
Matt Graves
eBusiness Consultant
Novell, Inc.
mgraves@novell.com
John Ovali
Systems Engineer
Novell, Inc. (Germany)
jovali@novell.com
Vision…one Net
A world where networks of all types—corporate and public,
intranets, extranets, and the Internet—work together as
one Net and securely connect employees, customers,
suppliers, and partners across organizational boundaries
Mission
To solve complex business and technical challenges with Net
business solutions that enable people, processes, and
systems to work together and our customers to profit from
the opportunities of a networked world
Change of a Paradigm
User Demand for one Net
[Diagram: Intranet, Extranet, and Internet, each with its own Storage and Application; Information]
one Net Services
[Diagram: Intranet, Extranet, and Internet, each with Storage and Application; Security, Portal, eDirectory™]
Management vs. Provisioning
Management
• ASSIGN: Rights, Policies, Applications, Settings
• DEPENDING on: Servers, Workstations
• LIMITS/BORDERS: Intranet
Provisioning
• OFFER: Resources, Services
• DEPENDING on: Applications, Servers
• LIMITS/BORDERS: Extranet
Provisioning vs. Novell Net Services
Provisioning
• OFFER: Resources, Services
• DEPENDING on: Applications, Servers
• LIMITS/BORDERS: Extranet
Novell Net Services
• OFFER: User services, Admin services, Resources
• DEPENDING on: User
• LIMITS/BORDERS: Internet (none)
Novell eProvisioning Solutions
• User provisioning
  Services to manage and maintain consistent user and employee identity in a heterogeneous environment
• Application provisioning
  Offer and maintain application and information in your LAN, WAN, and Internet, including billing and accounting
• Employee provisioning
  Offer and maintain information and vital resources for your employees
• eDirectory-centric technologies reduce not only IT costs
eProvisioning Architecture Details
[Diagram labels: Distribution Mechanism; User Provisioning; Application Provisioning; Employee Provisioning; User Accounts; Server Applications; Operating Systems; Security Mechanisms; Client Applications; Direct Access; Single Sign-On; Metaframe; Collaboration; Portal; User and Resources Database—Novell eDirectory]
Novell and SAP Integration
SAP or R/3?, SAPPortals or MySap...
• SAP=vendor
• R/3=product of this vendor
  - R/3 “classic” (ERP, Base + HR, FI, CO, MM...)
  - Other products: e.g., APO (Advanced Planning and Organizing), B2B, CRM, SCM, BW (“New Dimension”)
• SAPPortals=vendor, 100% subsidiary of SAP AG
• MySAPPortal=product of SAPPortals
Terminology...
• Related to micro-economics
  - Menu entry = transaction (what it is <-> what it does)
• Complex
• Client
• System
R/3 Organization
[Diagram labels: MiddleWare; Desktop; Application; Service to Show Data; Back-end System; Processing Data]
R/3 Back-End
R/3 System Landscape
• Development System: D1, D2, D3, ...
• Quality-Assurance System: Q1, Q2, ...
• Productive System: P1, P2, P3, ...
R/3 Component System
• Basic system
  - HR, CUA, ...
• Other components (also called modules)
  - FI – Finance
  - CO—Controlling
  - S&D—Sales and Distribution
  - ...
Overview
[Diagram labels: R/3 Back-end; SAP GUI (Win32); Browser; ITS; MySAP Portal; Role; Profile; Transaction; HR; CUA; Novell eDirectory]
Rights Assignment Concept
• Complex, table-focused, multi-nested tables
• Biggest challenge on all R/3 projects
• UA—User Administration per client
• CUA—Central User Administration
  - Central
  - Can be used for all SAP products
  - Nice idea of a corporate-wide CUA mostly stays an idea
  - Extremely difficult to realize and administer
Rights Assignment and Login Concept
[Diagram labels: User; Role; Activity Group; System; Profile; Transaction; Client]
Rights Concept
[Table: Corp. Division (FI, SD, MM); Role (Accounting, Debitors, ISR, Warehouse entry); T-Code (MM01, MM02, ...) marked V or X per role; Extend; Activity Group]
Novell and SAP: Three Initiatives
HR | CUA | Portal
DirXML™ Driver | LDAP Sync tool | Portal and corp directory
Vendor Novell | Vendor SAP | Vendor Novell
Brings person's (employee) data to eDirectory | Synchronizes specific user-data between CUA and eDirectory | Stores portal and user information in the directory
Supports also MS and Netscape
HR-Driver is validated | eDirectory is the only certified directory | eDirectory comes in the box with the portal product
The Forgotten Driver: SAP SD
• SAP SD DirXML™ Driver
• Transfers customer data from eDirectory
to SD Module (Sales and Distribution)
• Was originally made by marchFIRST
• Now available
• Not yet validated by SAP
What Customers Always Request
• Administer SAP users by eDirectory because of extreme complexity of SAP user administration
  - Not possible with our products
• Rights assignment has to be done with SAP tools,
the same as it is with Exchange or Notes
• Single Sign-On mechanisms between modules and
systems—causes confusion with our SSO
SAP HR—
DirXML Driver
SAP HR and Novell eDirectory
[Diagram in three steps. Systems shown: SAP HR; Novell eDirectory; E-mail System; PBX, Building Access Systems, Work Time Tracking Systems. The E-mail System and PBX side carries the entries "John Ovali" and "123-456" in every step.]
• Step 1: SAP HR record reads "John Ovali, Systems Engineer, <email>?, <phone>?"
• Step 2: SAP HR record still reads "John Ovali, Systems Engineer, <email>?, <phone>?"; Novell eDirectory record reads "John Ovali, Systems Engineer, jovali@novell.com, 123-456"
• Step 3: SAP HR and Novell eDirectory records both read "John Ovali, Systems Engineer, Jovali@novell.com, 123-456"
Novell DirXML
[Diagram labels: eDirectory; XML Engine; Subscriber; Publisher; Stylesheets; App Shim; Application; Index; Database]
What the DirXML Driver Does to SAP HR
• Transfers person (employee) data to Novell eDirectory
  - Name, Department, Title, ID, etc.
• Limited transfer back from eDirectory to HR module
  - Phone number
  - E-mail address
  - Similar
What the DirXML Driver Does Not Do to SAP HR
• Does not create R/3 users
• Does not administer R/3 users
(This has to be done using CUA, not HR module)
• Does not deliver Single Sign-on capabilities
DirXML-HR Driver:
What the Customer Needs
• R/3 Classic
• Novell DirXML 1.1
• SAP HR Consultant
• SAP ALE Consultant
• Novell Consultant
How the DirXML-SAP-HR Driver Works (Publisher Channel)
R/3 Back-End Host
• HR Module: Here all employee data is maintained
• ALE (Application Link-Enabler): Interface to all other applications—has to be well configured
• IDOC: File with the transferred employee data, somewhere in the file system
• DirXML Driver Shim: Polling mechanism reads IDOC files and converts needed information to XML
• DirXML Remote Loader: Takes the XML document and sends it encrypted using SSL to the DirXML Server
SSL-encrypted
DirXML Server
• DirXML Remote Shim: Gets the XML document and passes it to the DirXML engine
• DirXML Engine: Processes the document and enters information into the directory
• Novell eDirectory: Now contains these employee data—it can be used to distribute it to other applications as well
iDocs
iDocs
SAP Organizations in ConsoleOne®
SAP HR Title and Department from HR
Issues
• Queuing
• Future events
• Content of iDocs
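Added example (not part of the original slides and not Novell's driver code): a Python illustration of the publisher-channel polling step, showing future-dated records held in a queue and only the needed attributes converted to XML. The pipe-delimited record layout, the XML element names, and the names parse_idoc, poll, and PUBLISHED are assumptions made for illustration.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample records. Real HR IDocs are segment-based files; this
# pipe-delimited layout (id|effective date|attr=value...) is an assumption.
SAMPLE_IDOC = """\
00001234|2001-03-01|Surname=Ovali|Given Name=John|Title=Systems Engineer|Salary=1
00001234|2001-09-01|Title=Senior Systems Engineer
00005678|2001-04-15|Surname=Graves|Login Disabled=true
"""

# Allow-list: only attributes the directory needs leave the HR host.
PUBLISHED = {"Surname", "Given Name", "Title", "Login Disabled"}

def parse_idoc(text):
    """Yield (employee_id, effective_date, {attr: value}) per record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        emp_id, effective, *pairs = line.split("|")
        attrs = dict(p.split("=", 1) for p in pairs)
        yield emp_id, dt.date.fromisoformat(effective), attrs

def poll(text, today, queue):
    """One polling pass: return XML for due records, keep future ones queued."""
    pending = queue + list(parse_idoc(text))
    queue.clear()
    docs = []
    # Apply in effective-date order so a later change never lands first.
    for emp_id, effective, attrs in sorted(pending, key=lambda r: r[1]):
        if effective > today:
            queue.append((emp_id, effective, attrs))  # future event: hold
            continue
        modify = ET.Element("modify", {"class-name": "User", "src-dn": emp_id})
        for name, value in attrs.items():
            if name in PUBLISHED:  # drop fields that are not needed
                ET.SubElement(modify, "attr", {"name": name}).text = value
        docs.append(ET.tostring(modify, encoding="unicode"))
    return docs

if __name__ == "__main__":
    held = []
    for doc in poll(SAMPLE_IDOC, dt.date(2001, 5, 1), held):
        print(doc)
    print("held for later:", held)
```

A future-dated lock or title change stays in the queue until a polling pass on or after its effective date, and fields outside the allow-list never reach the XML sent to the DirXML server.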
SAPPortals and Novell eDirectory
SAPPortals and Novell eDirectory
[Diagram labels: User Management API; Attribute Mapping; PCD; Novell eDirectory; Role Data]
Corporate LDAP
• Basic user data
• Basic group data
• User/group assignment
• Group hierarchy
Portal LDAP
• Portal-related user properties
• Portal-related group properties
• User/group role assignment
• Access information for component systems (user mapping)
The SAPPortals Idea of Directory Use
Corporate Directory
• May be eDirectory, iPlanet, or ADS
• Is intended to be there already
• Read-only access to User and Group information, User to Group assignment
Portal Directory
• May be eDirectory or iPlanet (no ADS)
• Is intended to be set up on deployment
• Read/Write Access
• Group to Role Assignment
• Single Sign-On
Content Directory
• Is proprietary in the file system of server
• Will be set up on deployment
• Role/Meta Data
• Content to Role Assignment
<No Replication>
<Equal Attribute Mapping>
What SAPPortals Says...
• Corporate directory for user data is already there
• Set up a portal directory for portal data
• Maintain two directories
• But it is possible to use the same directory
SAPPortals User Management
• What we call a gadget they call an iView
• Roles contain iViews
• Roles are assigned to groups
• Users are assigned to groups
• Tied connection is iView-Role-Group-User
• Role in MySAPPortal does not equal the role in SAP R/3
• Whatever role a user has is a menu entry on top of the browser window -> don’t assign too many roles to a user
SAP CUA and Novell eDirectory
CUA Central User Administration
• One single CUA for all systems and modules is
possible
• Modules or systems can have own CUAs
• Idea of a single corporate CUA mostly stays an
idea—realization is too complex
SAP Basic and Novell eDirectory
[Diagram labels: LDAP Sync Tool (SAP); WPAS 6.10; SAP R/3 Version 4.5 / 4.6 b/c; FI, CO, ...; HR; CUA; Novell DirXML Driver; Novell eDirectory; E-mail System; Worktime tracking; Others (e.g. MySAP Portal)]
What the LDAP Sync Tool Does...
• Synchronizes R/3 user database with eDirectory
• Cron job
• Attribute Mapping defines which R/3 field is
mapped to which attribute in the directory
• Reads new users from the directory, then a role
can be assigned to the user
What the LDAP Sync Tool Does Not Do...
• Give rights to new users from the directory other than
the role assignment
• Does not assign the profile to the user, which is more
important
• Make employees (or other persons) a user—it is not
connected to other R/3 modules
• Transfer transaction groups or codes assigned to SAP users
to the directory
What the Customer Needs
• SAP R/3 Version 4.5/4.6b/4.6c
• Web Application Server 6.10
(includes the Sync Tool)
Issues
• Scalability
• No Event System, polling only
• Only one sync direction at once (attribute level)
A Visionary Outlook to the Future
Architecture
[Diagram labels: User; Single Sign-On; Applications; Directories; ERP, Lotus Notes; Active Directory, iPlanet; ODBC, LDAP; NDAP, NCP; NDS 8.5 (Flaim Database, Security, Maintenance Tools); XML; Authorization by redirection: OS/390, Solaris, HP-UX, AIX, Linux, FreeBSD, AS400, RADIUS, IIS, IBM RACF, CA ACF, many others, others coming; Synchronization / Authorization / Native; Solaris, NetWare, AIX, Linux, NT, W2K; Admin]
Distributed User Access Management
• Access to needed resources
• Decentralized administration possible
• Centralized control, distributed administration properties
• Administration back to the roots of demand
Advantages
• Shorter response time
• Smaller administration effort
• Significant reduction of cost
• Higher efficiency
User Access Management
Add user to workgroup
Access to File System
Add to e-mail distribution list, apply needed applications
Your Benefit—Higher Efficiency
• User provisioning using eDirectory
• Application provisioning using eDirectory
• Employee provisioning using eDirectory
• Base support for future SLAs
• Higher security
• Fast ROI
Highly Recommended On...
• High employee fluctuation, e.g., seasonal influence
  - Accelerate registration (e.g., HR-System -> time tracking, access systems)
• Higher security needs
  - Data integrity (e.g., lock employee in HR systems -> deny access to building or remote dial-in services)
• High administration efforts
  - Significant reduction of cost