www.novell.com
Integrating Novell eDirectory™ with SAP R/3 and MySAPPortal
Matt GraveseBusiness ConsultantNovell, [email protected]
John Ovali, Systems Engineer, Novell, Inc. (Germany), [email protected]
Vision…one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world
Change of a Paradigm
User Demand for one Net
[Diagram: storage, applications and information on the intranet, extranet and Internet; one Net Services (Security, Portal) on eDirectory™]
Management vs. Provisioning
Management
• ASSIGN: Rights, Policies, Applications, Settings
• DEPENDING on: Servers, Workstations
• LIMITS/BORDERS: Intranet
Provisioning
• OFFER: Resources, Services
• DEPENDING on: Applications, Servers
• LIMITS/BORDERS: Extranet
Provisioning vs. Novell Net Services
Provisioning
• OFFER: Resources, Services
• DEPENDING on: Applications, Servers
• LIMITS/BORDERS: Extranet
Novell Net Services
• OFFER: User services, Admin services, Resources
• DEPENDING on: User
• LIMITS/BORDERS: Internet (none)
Novell eProvisioning Solutions
• User provisioning: Services to manage and maintain consistent user and employee identity in a heterogeneous environment
• Application provisioning: Offer and maintain applications and information in your LAN, WAN, and Internet, including billing and accounting
• Employee provisioning: Offer and maintain information and vital resources for your employees
• eDirectory-centric technologies reduce not only IT costs
eProvisioning Architecture Details
[Diagram: Employee Provisioning, User Provisioning and Application Provisioning on top of the user and resources database (Novell eDirectory). Labels: Client Applications, Distribution Mechanism, Portal, Security Mechanisms, Operating Systems, Server Applications, Direct Access, User Accounts, Metaframe, Single Sign-On, Collaboration]
Novell and SAP
Integration
SAP or R/3?, SAPPortals or MySap...
• SAP = vendor
• R/3 = product of this vendor
  R/3 “classic” (ERP, Base + HR, FI, CO, MM...)
  Other products: e.g., APO (Advanced Planning and Organizing), B2B, CRM, SCM, BW (“New Dimension”)
• SAPPortals = vendor, wholly owned subsidiary of SAP AG
• MySAPPortal = product of SAPPortals
Terminology...
• Related to micro-economics
  Menu entry = transaction (what it is <-> what it does)
• Complex
• Client
• System
R/3 Organization
[Diagram: three tiers. Back-end System: Processing, Data. Middleware: Service to Show Data. Desktop Application]
R/3 System Landscape
[Diagram: R/3 Back-End with Development System (D1, D2, D3, ...), Quality-Assurance System (Q1, Q2, ...) and Productive System (P1, P2, P3, ...)]
R/3 Component System
• Basic system
  HR, CUA, ...
• Other components (also called modules)
  FI – Finance
  CO – Controlling
  S&D – Sales and Distribution
  ...
R/3 Back-end
Overview
[Diagram: Browser, MySAPPortal, ITS, SAP GUI (Win32), Novell eDirectory, CUA, HR, Role, Profile, Transaction]
Rights Assignment Concept
• Complex, table-focused, multi-nested tables
• Biggest challenge on all R/3 projects
• UA: User Administration per client
• CUA: Central User Administration
  Central
  Can be used for all SAP products
  Nice idea of a corporate-wide CUA mostly stays an idea
  Extremely difficult to realize and administer
Rights Assignment and Login Concept
[Diagram: User, Role, Profile, Activity Group, Transaction, Client, System]
Rights Concept
Corp. Division
FI SD MM
Role Accounting Debtors
ISR Warehouse entry
T-Code Extend Extend Extend
MM01 V V X
MM02 X X
...
Activity Group
Novell and SAP: Three Initiatives
• HR: DirXML™ Driver. Vendor: Novell. Brings person's (employee) data to eDirectory
• CUA: LDAP Sync tool. Vendor: SAP. Synchronizes specific user data between CUA and eDirectory
• Portal: Portal and corp directory. Vendor: Novell. Stores portal and user information in the directory
Supports also MS and Netscape
HR-Driver is validated
eDirectory is the only certified directory
eDirectory comes in the box with the portal product
The Forgotten Driver: SAP SD
• SAP SD DirXML™ Driver
• Transfers customer data from eDirectory to SD Module (Sales and Distribution)
• Was originally made by marchFIRST
• Now available
• Not yet validated by SAP
What Customers Always Request
• Administer SAP users by eDirectory because of extreme complexity of SAP user administration
  Not possible with our products
• Rights assignment has to be done with SAP tools, the same as it is with Exchange or Notes
• Single Sign-On mechanisms between modules and systems—causes confusion with our SSO
SAP HR—DirXML Driver
SAP HR and Novell eDirectory
[Diagram in three build steps. Labels: SAP HR; Novell eDirectory; E-mail System; PBX, Building Access Systems, Work Time Tracking Systems. The record "John Ovali, Systems Engineer, <email>?, <phone>?" is completed step by step with the phone number 123-456 and an e-mail address.]
Novell DirXML
[Diagram: eDirectory, XML Engine with Stylesheets, Subscriber and Publisher channels, App Shim, Application; Index, Database]
What the DirXML Driver Does to SAP HR
• Transfers person (employee) data to Novell eDirectory
Name, Department, Title, ID, etc.
• Limited transfer back from eDirectory to HR module
Phone number, e-mail address, similar
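The split of authority on this slide (HR owns name, department, title and ID; the directory writes back only phone number and e-mail address) can be enforced as an explicit per-attribute mapping, so that a directory-side edit to HR-owned data is reverted rather than propagated. The following is an added example, not code from the DirXML driver; the attribute names, record layout and sample values are assumptions.

```python
# Added example: attribute names and record layout are assumptions,
# not DirXML's or SAP's schema.
HR, DIRECTORY = "hr", "directory"

# Authoritative side per attribute, following the slide above.
AUTHORITY = {
    "name": HR, "department": HR, "title": HR, "employee_id": HR,
    "phone": DIRECTORY, "email": DIRECTORY,
}

# Constructed sample data: the directory copy carries a locally edited
# title and an attribute (sap_role) that has no mapping at all.
SAMPLE_HR = {"employee_id": "1001", "name": "John Ovali",
             "department": "Sales", "title": "Systems Engineer"}
SAMPLE_DIR = {"employee_id": "1001", "name": "John Ovali",
              "department": "Sales", "title": "Director",
              "phone": "123-456", "email": "john.ovali@example.com",
              "sap_role": "EXAMPLE_ROLE"}


def plan_sync(hr_record, dir_entry):
    """Plan one sync cycle for one employee.

    Returns (to_directory, to_hr, rejected): the writes for each side and
    the differing attributes that have no mapping and therefore never flow.
    """
    to_directory, to_hr, rejected = {}, {}, []
    for attr in sorted(set(hr_record) | set(dir_entry)):
        hr_val, dir_val = hr_record.get(attr), dir_entry.get(attr)
        if hr_val == dir_val:
            continue
        owner = AUTHORITY.get(attr)
        if owner == HR:
            # Directory-side edits to HR-owned data are overwritten.
            to_directory[attr] = hr_val
        elif owner == DIRECTORY:
            to_hr[attr] = dir_val
        else:
            rejected.append(attr)
    return to_directory, to_hr, rejected


if __name__ == "__main__":
    to_dir, to_hr, rejected = plan_sync(SAMPLE_HR, SAMPLE_DIR)
    print("write to directory:", to_dir)
    print("write to HR:", to_hr)
    print("unmapped, not synced:", rejected)
```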
What the DirXML Driver Does Not Do to SAP HR
• Does not create R/3 users
• Does not administer R/3 users (This has to be done using CUA, not HR module)
• Does not deliver Single Sign-on capabilities
DirXML-HR Driver: What the Customer Needs
• R/3 Classic
• Novell DirXML 1.1
• SAP HR Consultant
• SAP ALE Consultant
• Novell Consultant
How the DirXML-SAP-HR Driver Works (Publisher Channel)
R/3 Back-End Host
• HR Module: Here all employee data is maintained
• ALE (Application Link-Enabler): Interface to all other applications; has to be well configured
• IDOC: File with the transferred employee data, somewhere in the file system
• DirXML Driver Shim: Polling mechanism reads IDOC files and converts needed information to XML
• DirXML Remote Loader: Takes the XML document and sends it encrypted using SSL to the DirXML Server
DirXML Server
• DirXML Remote Shim: Gets the XML document and passes it to the DirXML engine
• DirXML Engine: Processes the document and enters information into the directory
• Novell eDirectory: Now contains these employee data; it can be used to distribute it to other applications as well
SAP Organizations in ConsoleOne®
SAP HR Title and Department from HR
Issues
• Queuing
• Future events
• Content of iDocs
SAPPortals and Novell eDirectory
[Diagram: User Management API with attribute mapping over three stores, on Novell eDirectory.
PCD: role data.
Corporate LDAP: basic user data, basic group data, user/group assignment, group hierarchy.
Portal LDAP: portal-related user properties, portal-related group properties, user/group role assignment, access information for component systems (user mapping).]
The SAPPortals Idea of Directory Use
Corporate Directory
• May be eDirectory, iPlanet, or ADS
• Is intended to be there already
• Read-only access to User and Group information, User to Group assignment
Portal Directory
• May be eDirectory or iPlanet (no ADS)
• Is intended to be set up on deployment
• Read/Write Access: Group to Role Assignment, Single Sign-On
Content Directory
• Is proprietary in the file system of server
• Will be set up on deployment
• Role/Meta Data, Content to Role Assignment
<No Replication> <Equal Attribute Mapping>
What SAPPortals Says...
• Corporate directory for user data is already there
• Set up a portal directory for portal data
• Maintain two directories
• But it is possible to use the same directory
SAPPortals User Management
• What we call a gadget they call an iView
• Roles contain iViews
• Roles are assigned to groups
• Users are assigned to groups
• Tied connection is iView-Role-Group-User
• Role in MySAPPortal does not equal the role in SAP R/3
• Whatever role a user has is a menu entry on top of the browser window, so don’t assign too many roles to a user
SAP CUA and Novell eDirectory
CUA Central User Administration
• One single CUA for all systems and modules is possible
• Modules or systems can have own CUAs
• Idea of a single corporate CUA mostly stays an idea—realization is too complex
SAP Basic and Novell eDirectory
[Diagram: SAP R/3 Version 4.5 / 4.6 b/c (HR, FI, CO, ...) with WPAS 6.10; the CUA LDAP Sync Tool (SAP) and the Novell DirXML Driver connect it to Novell eDirectory, which is linked to the e-mail system, work time tracking and others (e.g. MySAPPortal)]
What the LDAP Sync Tool Does...
• Synchronizes R/3 user database with eDirectory
• Cron job
• Attribute Mapping defines which R/3 field is mapped to which attribute in the directory
• Reads new users from the directory, then a role can be assigned to the user
What the LDAP Sync Tool Does Not Do...
• Give rights to new users from the directory other than the role assignment
• Assign the profile to the user, which is more important
• Make employees (or other persons) a user—it is not connected to other R/3 modules
• Transfer transaction groups or codes assigned to SAP users to the directory
What the Customer Needs
• SAP R/3 Version 4.5/4.6b/4.6c
• Web Application Server 6.10 (includes the Sync Tool)
Issues
• Scalability
• No Event System, polling only
• Only one sync direction at once (attribute level)
A Visionary Outlook to the Future
[Architecture diagram. Protocols: XML, ODBC, LDAP, NDAP, NCP. Applications: ERP, Lotus Notes. Directories: Active Directory, iPlanet. Platforms: NetWare, Solaris, AIX, Linux, NT, W2K, OS/390, HP-UX, FreeBSD, AS400, RADIUS, IIS, IBM RACF, CA ACF, many others, others coming. NDS 8.5 (Flaim Database, Security, Maintenance Tools). Synchronization / Authorization / Native. Single Sign-On, Admin, Authorization by redirection, User.]
Distributed User Access Management
• Access to needed resources
• Decentralized administration possible
• Central control, distributed administration properties
• Administration back to the roots of demand
Advantages
• Shorter response time
• Smaller administration effort
• Significant reduction of cost
• Higher efficiency
User Access Management
Add to e-mail distribution list, apply needed applications
Access to File System
Add user to workgroup
Your Benefit—Higher Efficiency
• User provisioning using eDirectory
• Application provisioning using eDirectory
• Employee provisioning using eDirectory
• Base support for future SLAs
• Higher security
• Fast ROI
Highly Recommended On...
• High employee fluctuation, e.g., seasonal influence
  Accelerate registration (e.g., HR system -> time tracking, access systems)
• Higher security needs
  Data integrity (e.g., lock employee in HR systems -> deny access to building or remote dial-in services)
• High administration efforts
  Significant reduction of cost