Integrating Novell™ eDirectory with SAP R/3 and MySAPPortal
www.novell.com

Matt Graves, eBusiness Consultant, Novell, Inc. (mgraves@novell.com)
John Ovali, Systems Engineer, Novell, Inc. (Germany) (jovali@novell.com)

Vision…one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Change of a Paradigm: User Demand for one Net
[Diagram: the intranet, the extranet, and the Internet each have their own storage, applications, and information; with one Net Services they share one storage, application, security, and portal layer built on eDirectory™.]

Management vs. Provisioning
Management:
• ASSIGN: Rights, Policies, Applications, Settings
• DEPENDING on: Servers, Workstations
• LIMITS/BORDERS: Intranet
Provisioning:
• OFFER: Resources, Services
• DEPENDING on: Applications, Servers
• LIMITS/BORDERS: Extranet
Provisioning vs. Novell Net Services
Provisioning:
• OFFER: Resources, Services
• DEPENDING on: Applications, Servers
• LIMITS/BORDERS: Extranet
Novell Net Services:
• OFFER: User services, Admin services, Resources
• DEPENDING on: User
• LIMITS/BORDERS: Internet (none)

Novell eProvisioning Solutions
• User provisioning: services to manage and maintain a consistent user and employee identity in a heterogeneous environment
• Application provisioning: offer and maintain applications and information in your LAN, WAN, and Internet, including billing and accounting
• Employee provisioning: offer and maintain information and vital resources for your employees
• eDirectory-centric technologies reduce not only IT costs

eProvisioning Architecture Details
[Diagram: user provisioning (user accounts in server applications and operating systems, security mechanisms), application provisioning (client applications, direct access, single sign-on, Metaframe), and employee provisioning (collaboration, portal) are all fed through a distribution mechanism from one user and resources database, Novell eDirectory.]

Novell and SAP Integration

SAP or R/3?, SAPPortals or MySAP...
• SAP = vendor
• R/3 = product of this vendor
  R/3 "classic" (ERP, Base + HR, FI, CO, MM...)
  Other products: e.g., APO (Advanced Planning and Organizing), B2B, CRM, SCM, BW ("New Dimension")
• SAPPortals = vendor, 100% daughter company of SAP AG
• MySAPPortal = product of SAPPortals

Terminology...
• Related to micro-economics
• Menu
• Complex
• Client
• System entry = transaction (what it is <-> what it does)

R/3 Organization
[Diagram: desktop (application service to show data), middleware, back-end system (processing data), i.e., the R/3 back-end.]

R/3 System Landscape
• Development System: D1, D2, D3, ...
• Quality-Assurance System: Q1, Q2, ...
• Productive System: P1, P2, P3, ...

R/3 Component System
• Basic system: HR, CUA, ...
• Other components (also called modules): FI—Finance, CO—Controlling, S&D—Sales and Distribution, ...
Overview
[Diagram: the R/3 back-end (HR, CUA) is reached by the SAP GUI (Win32) with role browser and profile, by ITS with the transaction browser, and by MySAP Portal; Novell eDirectory sits beside the portal and the CUA.]

Rights Assignment Concept
• Complex, table-focused, multi-nested tables
• Biggest challenge on all R/3 projects
• UA: User Administration per client
• CUA: Central User Administration
  Central; can be used for all SAP products
  Nice idea of a corporate-wide CUA mostly stays an idea
  Extremely difficult to realize and administer

Rights Assignment and Login Concept
[Diagram: User - Role - Activity Group - System - Profile - Transaction - Client]

Rights Concept
[Table: corporate divisions (FI, SD, MM) across the top; roles (Accounting, Debitors, ISR, Warehouse entry) grouped into Activity Groups; transaction codes (T-Codes MM01, MM02, ...) marked per role, with an "Extend" column per division.]

Novell and SAP: Three Initiatives
HR: DirXML™ Driver
• Vendor: Novell
• Brings person's (employee) data to eDirectory
• HR driver is validated
CUA: LDAP Sync tool
• Vendor: SAP
• Synchronizes specific user data between CUA and eDirectory
• Supports also MS and Netscape
Portal: Portal and corporate directory
• Vendor: Novell
• Stores portal and user information in the directory
• eDirectory is the only certified directory
• eDirectory comes in the box with the portal product

The Forgotten Driver: SAP SD
• SAP SD DirXML™ Driver
• Transfers customer data from eDirectory to the SD Module (Sales and Distribution)
• Was originally made by marchFIRST
• Now available
• Not yet validated by SAP

What Customers Always Request
• Administer SAP users by eDirectory because of the extreme complexity of SAP user administration: not possible with our products
• Rights assignment has to be done with SAP tools, the same as it is with Exchange or Notes
• Single Sign-On mechanisms between modules and systems—causes confusion with our SSO

SAP HR—DirXML Driver

SAP HR and Novell eDirectory
[Diagram, first build: the SAP HR record for John Ovali, Systems Engineer, has no e-mail address (<email>?) and no phone number (<phone>?) yet; eDirectory feeds the e-mail system, which creates the account "John Ovali", the PBX (extension 123-456), the building access systems, and the work time tracking systems.]
[Diagram, final build: the e-mail address jovali@novell.com and the phone number 123-456 are written back into the SAP HR record, so SAP HR and eDirectory now hold the same data for John Ovali.]

Novell DirXML
[Diagram: eDirectory, the DirXML engine with its stylesheets and XML processing, the application shim, and the application with its index database; the Subscriber channel flows from eDirectory to the application, the Publisher channel from the application to eDirectory.]

What the DirXML Driver Does to SAP HR
• Transfers person (employee) data to Novell eDirectory: name, department, title, ID, etc.
• Limited transfer back from eDirectory to the HR module: phone number, e-mail address, similar

What the DirXML Driver Does Not Do to SAP HR
• Does not create R/3 users
• Does not administer R/3 users (this has to be done using CUA, not the HR module)
• Does not deliver Single Sign-on capabilities

DirXML-HR Driver: What the Customer Needs
• R/3 Classic
• Novell DirXML 1.1
• SAP HR Consultant
• SAP ALE Consultant
• Novell Consultant

How the DirXML-SAP-HR Driver Works (Publisher Channel)
R/3 Back-End Host:
• HR Module: here all employee data is maintained
• ALE (Application Link Enabler): interface to all other applications; has to be well configured
• IDOC: file with the transferred employee data, somewhere in the file system
• DirXML Driver Shim: a polling mechanism reads the IDOC files and converts the needed information to XML
• DirXML Remote Loader: takes the XML document and sends it SSL-encrypted to the DirXML Server
DirXML Server:
• DirXML Remote Shim: gets the XML document and passes it to the DirXML engine
• DirXML Engine: processes the document and enters the information into the directory
• Novell eDirectory: now contains this employee data; it can be used to distribute it to other applications as well

SAP Organizations in ConsoleOne®
[Screenshot: SAP organizations shown in ConsoleOne; title and department come from SAP HR.]

Issues
• Queuing
• Future events
• Content of iDocs
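As an added illustration of the publisher channel just described (not Novell's driver code), the following Python models the shim's side of it: one polling pass reads IDOC files from a spool directory oldest first, keeps only the needed employee fields, converts each employee into a DirXML-style XML add event, holds back records whose validity date lies in the future, and moves processed files aside so they are not published twice. The record layout, the spool and file names, the attribute names, and the XML element names are constructed assumptions; real IDOC segment layouts are not on the page.

```python
"""Model of the DirXML SAP HR driver's publisher channel (added example, not
Novell's code): poll a spool directory, parse IDOC-like files, emit XML.

All field names, attribute names, paths and the record layout are constructed
assumptions; the real IDOC segment layout is not part of the source page."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET
from datetime import date

# Constructed IDOC-like layout: one employee per line, semicolon separated.
FIELDS = ("pernr", "surname", "givenname", "title", "department", "valid_from")

# Constructed sample file content; the third record starts in the future.
SAMPLE_IDOC = (
    "00001001;Ovali;John;Systems Engineer;Consulting;20010101\n"
    "00001002;Graves;Matt;eBusiness Consultant;Consulting;20010101\n"
    "00001003;Newhire;Future;Trainee;Consulting;20990101\n"
)

# Which HR fields become which directory attributes (assumed attribute names).
ATTRIBUTE_MAP = {
    "Surname": "surname",
    "Given Name": "givenname",
    "Title": "title",
    "OU": "department",
    "workforceID": "pernr",
}


def parse_idoc(text):
    """Split the flat file into records. Malformed lines are rejected rather
    than guessed at: a partial record must never reach the directory."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def parse_sap_date(yyyymmdd):
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))


def split_by_effective_date(records, today):
    """'Future events' issue: an IDOC may carry a hire that only becomes valid
    later. Such records are held back instead of being published early."""
    ready, held = [], []
    for rec in records:
        (ready if parse_sap_date(rec["valid_from"]) <= today else held).append(rec)
    return ready, held


def to_xml(record):
    """Build a DirXML-style <add> event carrying only the mapped attributes."""
    add = ET.Element("add", {"class-name": "User", "src-dn": record["pernr"]})
    for attr_name, field in ATTRIBUTE_MAP.items():
        add_attr = ET.SubElement(add, "add-attr", {"attr-name": attr_name})
        ET.SubElement(add_attr, "value").text = record[field]
    return ET.tostring(add, encoding="unicode")


def poll_spool(spool_dir, done_dir, today):
    """One polling pass: process files oldest first ('queuing' issue), then
    move each processed file aside. Returns (xml_documents, held_pernrs)."""
    docs, held_ids = [], []
    names = sorted(os.listdir(spool_dir),
                   key=lambda n: os.path.getmtime(os.path.join(spool_dir, n)))
    for name in names:
        path = os.path.join(spool_dir, name)
        with open(path, encoding="utf-8") as fh:
            records = parse_idoc(fh.read())
        ready, held = split_by_effective_date(records, today)
        docs.extend(to_xml(r) for r in ready)
        held_ids.extend(r["pernr"] for r in held)
        shutil.move(path, os.path.join(done_dir, name))
    return docs, held_ids


def demo(today=date(2002, 1, 1)):
    """Create a temporary spool holding the constructed sample file, run one
    poll, and return (docs, held, files left in spool, files moved to done)."""
    root = tempfile.mkdtemp()
    spool, done = os.path.join(root, "spool"), os.path.join(root, "done")
    os.makedirs(spool)
    os.makedirs(done)
    with open(os.path.join(spool, "hr_0001.idoc"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_IDOC)
    try:
        docs, held = poll_spool(spool, done, today)
        return docs, held, os.listdir(spool), os.listdir(done)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    docs, held, left, moved = demo()
    for d in docs:
        print(d)
    print("held for future date:", held, "| spool:", left, "| done:", moved)
```

The three Issues on the slide map onto the code: queuing is the oldest-first ordering and the move-aside step, future events is the effective-date split, and content of iDocs is the strict field check that refuses a malformed record rather than publishing a half-filled user.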
SAPPortals and Novell eDirectory
[Diagram: the portal's User Management API reaches the directories through attribute mapping. Corporate LDAP: basic user data, basic group data, user/group assignment, group hierarchy. Portal LDAP: portal-related user properties, portal-related group properties, user/group role assignment, access information for component systems (user mapping). PCD: role data. Novell eDirectory can serve as both LDAP directories.]

The SAPPortals Idea of Directory Use
Corporate Directory:
• May be eDirectory, iPlanet, or ADS
• Is intended to be there
• Read-only access to user and group information, user to group assignment
Portal Directory:
• May be eDirectory or iPlanet (no ADS)
• Will be set up on deployment
• Read/write access; group to role assignment; Single Sign-On
Content Directory:
• Is proprietary, in the file system of the server
• Is intended to be set up already on deployment
• Role/meta data; content to role assignment
Between corporate and portal directory: <No Replication>, <Equal Attribute Mapping>

What SAPPortals Says...
• Corporate directory for user data is already there
• Set up a portal directory for portal data
• Maintain two directories
• But it is possible to use the same directory

SAPPortals User Management
• What we call a gadget they call an iView
• Roles contain iViews
• Roles are assigned to groups
• Users are assigned to groups
• Tied connection is iView-Role-Group-User
• Role in MySAPPortal does not equal the role in SAP R/3
• Whatever role a user has is a menu entry on top of the browser window: don't assign too many roles to a user

SAP CUA and Novell eDirectory

CUA: Central User Administration
• One single CUA for all systems and modules is possible
• Modules or systems can have their own CUAs
• Idea of a single corporate CUA mostly stays an idea—realization is too complex

SAP Basic and Novell eDirectory
[Diagram: SAP R/3 Version 4.5 / 4.6b/c (FI, CO, ..., HR) with its CUA; the LDAP Sync Tool (SAP, WPAS 6.10) synchronizes the CUA with Novell eDirectory, the Novell DirXML Driver synchronizes HR with it; from eDirectory the data reaches the e-mail system, worktime tracking, and others (e.g., MySAP Portal).]
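The iView-Role-Group-User chain from the SAPPortals User Management slide, together with the split between a read-only corporate directory and a read/write portal directory, is easier to reason about as data. The following Python is an added example, not SAPPortals or Novell code: all user, group, role and iView names, the group hierarchy, the role-count threshold, and the three in-memory "directories" are constructed assumptions standing in for the corporate LDAP, the portal LDAP, and the PCD.

```python
"""Resolve a portal user's effective roles and iViews along the chain
iView-Role-Group-User (added example, not SAPPortals or Novell code).

Three constructed stores stand in for the directories on the slide:
CORPORATE_DIR (read-only), PORTAL_DIR (read/write) and PCD (role content)."""

# Corporate directory: the portal only reads users, groups and membership here.
CORPORATE_DIR = {
    "users": {"jovali": "John Ovali", "mgraves": "Matt Graves"},
    "groups": {
        "all-employees": {"jovali", "mgraves"},
        "consultants": {"mgraves"},
        "systems-engineering": {"jovali"},
    },
    # Group hierarchy: child group -> parent group; members are inherited upward.
    "parent_of": {"systems-engineering": "consultants"},
}

# Portal directory: the portal writes its group -> role assignments here.
PORTAL_DIR = {
    "group_roles": {
        "all-employees": {"Employee Self Service"},
        "consultants": {"Project Reporting"},
        "systems-engineering": {"Systems Monitoring"},
    }
}

# PCD: portal roles and the iViews (gadgets) each role contains.
PCD = {
    "roles": {
        "Employee Self Service": ["Time Sheet", "Leave Request"],
        "Project Reporting": ["Project Hours", "Billing Status"],
        "Systems Monitoring": ["Server Status", "Directory Health"],
    }
}

# Constructed threshold: every role is one more top-level menu entry.
MAX_ROLES_PER_USER = 2


def groups_of(user):
    """Direct groups plus every ancestor group via the corporate hierarchy."""
    direct = {g for g, members in CORPORATE_DIR["groups"].items() if user in members}
    result = set()
    for g in direct:
        cur = g
        while cur is not None:
            result.add(cur)
            cur = CORPORATE_DIR["parent_of"].get(cur)
    return result


def roles_of(user):
    """Portal roles reach the user only through group assignments."""
    if user not in CORPORATE_DIR["users"]:
        raise KeyError(f"{user!r} is not in the corporate directory")
    roles = set()
    for g in groups_of(user):
        roles |= PORTAL_DIR["group_roles"].get(g, set())
    return roles


def iviews_of(user):
    """Effective iViews: union of the content of every role the user holds."""
    return sorted({iv for role in roles_of(user) for iv in PCD["roles"][role]})


def assign_role(group, role):
    """Write to the portal directory only; the corporate directory is never
    modified, and both group and role must already exist."""
    if role not in PCD["roles"]:
        raise KeyError(f"role {role!r} does not exist in the PCD")
    if group not in CORPORATE_DIR["groups"]:
        raise KeyError(f"group {group!r} does not exist in the corporate directory")
    PORTAL_DIR["group_roles"].setdefault(group, set()).add(role)


def menu_overload(user, limit=MAX_ROLES_PER_USER):
    """Return (over_limit, role_count): the 'too many roles' check."""
    count = len(roles_of(user))
    return count > limit, count


if __name__ == "__main__":
    for u in CORPORATE_DIR["users"]:
        print(u, sorted(roles_of(u)), iviews_of(u), menu_overload(u))
```

Because roles attach to groups rather than to users, a nested group like systems-engineering silently inherits its parent's roles, which is how a user ends up over the menu limit without anyone assigning a role to that user directly; the check in menu_overload is where a provisioning review would catch that.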
What the LDAP Sync Tool Does...
• Synchronizes the R/3 user database with eDirectory
• Cron job
• Attribute Mapping defines which R/3 field is mapped to which attribute in the directory
• Reads new users from the directory, then a role can be assigned to the user

What the LDAP Sync Tool Does Not Do...
• Give rights to new users from the directory other than the role assignment
• Does not assign the profile to the user, which is more important
• Make employees (or other persons) a user: it is not connected to other R/3 modules
• Transfer transaction groups or codes assigned to SAP users to the directory

What the Customer Needs
• SAP R/3 Version 4.5/4.6b/4.6c
• Web Application Server 6.10 (includes the Sync Tool)

Issues
• Scalability
• No event system, polling only
• Only one sync direction at once (attribute level)

A Visionary Outlook to the Future

Architecture
[Diagram: a user (John Ovali) reaches applications (ERP, Lotus Notes) through single sign-on; eDirectory (NDS 8.5 with Flaim database, security, and maintenance tools) speaks XML, ODBC, LDAP, NDAP, and NCP, synchronizes with Active Directory and iPlanet, runs natively on Solaris, NetWare, AIX, Linux, NT, and W2K, and provides authorization by redirection for OS/390, Solaris, HP-UX, AIX, Linux, FreeBSD, AS400, RADIUS, IIS, IBM RACF, CA ACF, and many others, with others coming.]

Distributed User Access Management
• Access to needed resources
• Decentric administration possible
• Centric control, distributed administration properties
• Administration back to the roots of demand

Advantages
• Shorter response time
• Smaller administration effort
• Significant reduction of cost
• Higher efficiency

User Access Management
[Diagram: add user to workgroup -> access to file system -> add to e-mail distribution list, apply needed applications]

Your Benefit—Higher Efficiency
• User provisioning using eDirectory
• Application provisioning using eDirectory
• Employee provisioning using eDirectory
• Base support for future SLAs
• Higher security
• Fast ROI

Highly Recommended On...
• High employee fluctuation, e.g., seasonal influence: accelerate registration (e.g., HR system -> time tracking, access systems)
• Higher security needs: data integrity (e.g., lock employee in HR system -> deny access to building or remote dial-in services)
• High administration efforts: significant reduction of cost
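Returning to the LDAP Sync Tool slides above, the behaviour they describe (a cron-driven run, an attribute mapping from R/3 fields to directory attributes, one sync direction per attribute, and new directory users that receive a role but no profile) can be written down as a small model. The following Python is an added example, not SAP's sync tool: the R/3 field names, directory attribute names, default role name, and the sample user records are constructed assumptions, and the tool's real mapping syntax is not on the page.

```python
"""Model of one scheduled run of an R/3 <-> directory user sync with a
per-attribute direction (added example, not SAP's LDAP Sync Tool).

Field names, attribute names, the default role and all records are
constructed; the real tool's configuration format is not on the page."""
from copy import deepcopy

# Attribute mapping: (R/3 field, directory attribute, direction).
# "Only one sync direction at once (attribute level)": exactly one per attribute.
ATTRIBUTE_MAP = [
    ("FIRSTNAME", "givenName", "r3->ldap"),
    ("LASTNAME", "sn", "r3->ldap"),
    ("DEPARTMENT", "ou", "r3->ldap"),
    ("EMAIL", "mail", "ldap->r3"),
    ("PHONE", "telephoneNumber", "ldap->r3"),
]
KEY_FIELD, KEY_ATTR = "USERNAME", "uid"
DEFAULT_ROLE = "Z_PORTAL_USER"   # constructed role name given to new users

# Constructed sample data: the R/3 user table and directory entries, keyed by uid.
R3_USERS = {
    "jovali": {"USERNAME": "jovali", "FIRSTNAME": "John", "LASTNAME": "Ovali",
               "DEPARTMENT": "Consulting", "EMAIL": "", "PHONE": "",
               "ROLES": ["Z_SYSENG"]},
}
LDAP_ENTRIES = {
    "jovali": {"uid": "jovali", "givenName": "John", "sn": "Ovali", "ou": "Sales",
               "mail": "jovali@novell.com", "telephoneNumber": "123-456"},
    "mgraves": {"uid": "mgraves", "givenName": "Matt", "sn": "Graves",
                "ou": "Consulting", "mail": "mgraves@novell.com",
                "telephoneNumber": ""},
}


def validate_mapping(mapping=ATTRIBUTE_MAP):
    """Reject a mapping that would sync one attribute in both directions."""
    seen = set()
    for _field, attr, direction in mapping:
        if direction not in ("r3->ldap", "ldap->r3"):
            raise ValueError(f"{attr}: unknown direction {direction!r}")
        if attr in seen:
            raise ValueError(f"{attr}: mapped more than once")
        seen.add(attr)
    return True


def sync_once(r3_users, ldap_entries):
    """One cron run. Works on copies and returns (r3, ldap, change_log) so the
    changes can be reviewed before anything is committed to either side."""
    validate_mapping()
    r3, ldap = deepcopy(r3_users), deepcopy(ldap_entries)
    log = []

    # Users present only in the directory are created in R/3 with a role only:
    # no profile and no other rights, matching what the slides say the tool does.
    for uid, entry in ldap.items():
        if uid not in r3:
            r3[uid] = {KEY_FIELD: uid, "ROLES": [DEFAULT_ROLE]}
            for field, attr, _direction in ATTRIBUTE_MAP:
                r3[uid][field] = entry.get(attr, "")
            log.append(("create-r3-user", uid, DEFAULT_ROLE))

    # Attribute-level sync, each attribute in its single configured direction.
    for uid, user in r3.items():
        entry = ldap.get(uid)
        if entry is None:
            continue   # R/3 users with no directory entry are left untouched
        for field, attr, direction in ATTRIBUTE_MAP:
            r3_val, ldap_val = user.get(field, ""), entry.get(attr, "")
            if r3_val == ldap_val:
                continue
            if direction == "r3->ldap":
                entry[attr] = r3_val
                log.append(("ldap", uid, attr, ldap_val, r3_val))
            else:
                user[field] = ldap_val
                log.append(("r3", uid, field, r3_val, ldap_val))
    return r3, ldap, log


if __name__ == "__main__":
    new_r3, new_ldap, changes = sync_once(R3_USERS, LDAP_ENTRIES)
    for change in changes:
        print(change)
```

Two properties worth checking in such a run are visible in the returned log: a second run on the already-synchronized copies produces no changes (the run is idempotent, which matters when a polling job has no event system to tell it what changed), and the new user appears with a role but never with a profile, so the "does not assign the profile" caveat from the slide stays visible in the data rather than being hidden in the tool.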