Linking SAP HCM/HR to AD, based on SAP BAPI and RFC XML
User Management Resource Administrator (UMRA) offers a variety of methods to manage user accounts in a network environment. UMRA manages user accounts on the basis of scenarios. For example, a scenario determines the naming convention of a user account, the systems in which the account must be created, and the authorizations that apply to the account. The scenarios determine how a user account is managed; which user account is managed is determined by the input into UMRA. This input can take several forms and can be offered to UMRA in a number of ways: via form input by the helpdesk (delegation), via self-service and/or workflow management from the organization, or by linking UMRA to a source system.
The figure below provides a schematic overview of UMRA’s operation in conjunction with a source system.
UMRA supports a wide range of source systems, varying from an HR system to one for ID badges, as well as data warehouses, flex labor applications (for temporary workers or consultants), planning and scheduling packages, etc. UMRA offers the ability to communicate with SAP HCM. Communication to and from SAP HCM is routed through the UMRA 'SRC SAP HCM' module.
UMRA-SRC-SAP-HCM
UMRA-SRC-SAP-HCM is an UMRA module and a part of the UMRA connector suite. This module was developed primarily to read information on user accounts from SAP HCM and to forward it to the UMRA base module. UMRA-SRC-SAP-HCM supports a wide range of interfaces to SAP HCM to retrieve the desired information. The figure below provides a schematic representation of the way UMRA is constructed and which SAP HCM interface types are supported.
BAPI objects and RFC function (Built-in)
Standard SAP features are accessed via the standard BAPI interface via the RFC functions. These features are used to retrieve employee details such as name and address. The advantage of this approach is that no modifications are required on the SAP side and that access rights to information in SAP can be properly regulated.
RFC function read table and RFC functions (custom)
If information is needed that is not available via the BAPI objects or the standard built-in RFC functions, the RFC function read table or custom RFC functions are used. The advantage of the RFC function read table is that it can be realized easily and quickly. The disadvantage is that the UMRA RFC user must have the rights to carry out this function, and all tables within SAP HCM can be read using this function. Unlike standard RFC functions, it is not possible to restrict the rights to this functionality to a limited number of tables in SAP. It is, however, possible to restrict access to these scripts within UMRA. This may not be desirable from a security perspective. In that case, a custom RFC function can be written by an SAP programmer, which can then be run by UMRA.
XML Export/Import
It is possible to carry out a manual or scheduled XML export from SAP. This data can then be imported on a scheduled basis or manually into UMRA.
Note: A custom and/or BAPI function for XML import/export is not implemented and/or maintained by Tools4ever. Tools4ever can act as the main contractor during the development, testing, acceptance and delivery, but will not develop a BAPI function itself. The preferred party for developing the BAPI function is the existing group of developers who already carry out modifications to the client’s SAP environment.
Mapping data
UMRA-SRC-SAP-HCM’s primary task is the interface with SAP HCM. How the information from SAP HCM is translated into the target systems is determined by the UMRA scenarios. Among other things, these scenarios determine which fields from SAP HCM must be linked in the network, often referred to as mappings. Setting up the UMRA scenarios is carried out by a Tools4ever consultant based on the customer’s input. This input must contain at least the following information:
Mapping SAP HCM fields to network systems and attributes
In general, this mapping is reproduced in the form of a table. An example of such a table is shown below. Should there be a link based on “RFC function read table,” it is important that the names of the table and attribute are given per SAP field.
| Information description | SAP field | AD attribute | Translation |
|---|---|---|---|
| Employee number | PA0000-PERNR | Cn | None, 1:1 |
| Termination date | PA0000-BEGDA (from termination record) | accountExpires | None, 1:1 |
| Care company | PA0001-CARE | Company | None, 1:1 |
Conditions per field/attribute
For the information from SAP HCM, it is possible to carry out translations to the attributes in the network. All conceivable forms of translation are possible. This includes simple translations from the SAP field to the application attribute, e.g. NL date format to US date format. Combination translations from multiple fields from SAP to a single attribute in an application are also supported. An example of a translation description is:
The organizational fields, with the exception of the main cost center and the care companies, are in SAP Organizational Management (OM). An employee number is linked to one or more formation places. A department is linked to a cost center. These relationships are in table HRP1001 and can be seen in SAP in the PPOSE transaction. Multiple relationships can occur for each OM object. If there are more relationships than the AD can manage, then the relationships found first will be stored in AD. Thus, if an employee has three formation places, each with a different function and a different department, only two functions and two departments will be recorded in AD. If only one relationship is present, function two and department two remain empty in AD.
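The translation rules described above can be expressed as a small table-driven mapper. This is an added example, not UMRA's own scenario code: the AD attribute names function1/function2, department1/department2 and hireDateUS, the field key X-HIREDATE-NL and all sample values are assumptions.

```python
from datetime import datetime

MAX_SLOTS = 2  # per the page's example: two functions and two departments fit in AD

def nl_to_us_date(value):
    """Simple translation: NL date DD-MM-YYYY -> US date MM/DD/YYYY (strict parse)."""
    return datetime.strptime(value, "%d-%m-%Y").strftime("%m/%d/%Y")

def fill_slots(values, base):
    """Keep the relationships found first; slots without a relationship stay empty."""
    padded = list(values[:MAX_SLOTS]) + [""] * (MAX_SLOTS - len(values))
    return {f"{base}{n}": v for n, v in enumerate(padded, start=1)}

# (SAP field, AD attribute, translation). The first three rows are the page's
# table; the last row is a constructed field added to show a date translation.
FIELD_MAP = [
    ("PA0000-PERNR", "Cn", str),
    ("PA0000-BEGDA", "accountExpires", str),
    ("PA0001-CARE", "Company", str),
    ("X-HIREDATE-NL", "hireDateUS", nl_to_us_date),  # hypothetical names
]

def map_employee(sap_row, functions, departments):
    """Translate one SAP HCM row plus its OM relationships into AD attributes."""
    if not sap_row.get("PA0000-PERNR"):
        raise ValueError("row has no employee number; refusing to map it")
    attrs = {}
    for sap_field, ad_attr, translate in FIELD_MAP:
        if sap_row.get(sap_field):  # absent optional fields are skipped
            attrs[ad_attr] = translate(sap_row[sap_field])
    attrs.update(fill_slots(functions, "function"))      # hypothetical AD names
    attrs.update(fill_slots(departments, "department"))  # hypothetical AD names
    return attrs

# Constructed sample: three formation places, so the third is not stored.
SAMPLE_ROW = {"PA0000-PERNR": "00012345", "PA0001-CARE": "Care North",
              "X-HIREDATE-NL": "03-11-2019"}
SAMPLE = map_employee(SAMPLE_ROW,
                      ["Nurse", "Team lead", "Trainer"],
                      ["Cardiology", "Emergency", "Education"])

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        print(f"{name}: {value}")
```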
Prerequisites for setting up UMRA-SRC-SAP-HCM
The following issues are important for successfully and safely establishing the link with SAP HCM.
- It is common to activate the synchronization scenarios each night via a batch job. To activate the jobs, UMRA itself has scheduling facilities through the UMRA scheduler. If desired, it is also possible to activate the jobs manually at any desired time (interactive job activation).
- For performance optimization, the UMRA scans operate on the basis of an assessment date. Only an employee’s current status is retrieved by applying the assessment date, not the entire change history.
- The UMRA scans operate on the basis of “full compare.” Each night, the entire relevant dataset is retrieved from SAP and compared against the status in the linked participating systems. This mechanism is more reliable than a trigger/event-based mechanism in situations where transactions could occur during processing in a participating system. Finally, it is rarely the case that a target system supports a transaction system (Roll Back, Commit Transaction, etc.) and can guarantee that a transaction has been processed. Using the “full compare” method, however, it is possible to achieve a reliable link.
- Given the nature of the “full compare” link, it is important that during testing, a stress test is included to determine the system load of UMRA on SAP.
- The following operations must be carried out by the client:
  - Draw up functional design of translation of SAP fields to application attributes.
  - Indicate preferred linking method.
  - Draw up and carry out acceptance tests. System tests and general operations are carried out by Tools4ever. A component of the acceptance tests is the stress testing detailed above.
  - Provide access to the DTAP SAP HCM environment and, if possible, a comparable environment for the target systems (applications). It is important that the configuration, version and data in the SAP HCM per environment (in the DTAP roadmap) are exactly the same.
  - Create a user account in SAP with sufficient rights to access the recorded information. The user account is used by the UMRA service to access the information.
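
The “full compare” mechanism from the list above, as an added Python example that is not UMRA's own code: each run diffs the whole SAP snapshot against the target state, so a write lost on one night reappears in the next night's plan. The account data, the orphan report and the max_orphan_ratio guard against a truncated snapshot are assumptions.

```python
def full_compare(sap_snapshot, ad_state, max_orphan_ratio=0.5):
    """Plan the changes that bring AD in line with the full SAP snapshot."""
    if not sap_snapshot:
        raise RuntimeError("empty SAP snapshot; refusing to plan changes")
    plan = {"create": {}, "update": {}, "orphan": []}
    for pernr, wanted in sap_snapshot.items():
        current = ad_state.get(pernr)
        if current is None:
            plan["create"][pernr] = dict(wanted)
        else:
            diff = {k: v for k, v in wanted.items() if current.get(k) != v}
            if diff:
                plan["update"][pernr] = diff
    # Accounts with no HR record are reported for review, never changed here.
    plan["orphan"] = sorted(set(ad_state) - set(sap_snapshot))
    if ad_state and len(plan["orphan"]) / len(ad_state) > max_orphan_ratio:
        raise RuntimeError("too many orphans; SAP snapshot looks truncated")
    return plan

def apply_plan(plan, ad_state, fail_on=()):
    """Apply a plan without transactions; writes for keys in fail_on are lost."""
    for pernr, attrs in plan["create"].items():
        if pernr not in fail_on:
            ad_state[pernr] = dict(attrs)
    for pernr, diff in plan["update"].items():
        if pernr not in fail_on:
            ad_state[pernr].update(diff)
    return ad_state

def demo():
    """Three nightly runs over constructed data; the first night loses a write."""
    sap = {"1001": {"Company": "Care North"},
           "1002": {"Company": "Care South"},
           "1003": {"Company": "Care North"}}
    ad = {"1001": {"Company": "Care West"},   # stale attribute
          "1002": {"Company": "Care South"},  # already in sync
          "9999": {"Company": "Care North"}}  # no matching SAP record
    night1 = full_compare(sap, ad)
    apply_plan(night1, ad, fail_on={"1003"})  # target system drops one write
    night2 = full_compare(sap, ad)            # the lost create shows up again
    apply_plan(night2, ad)
    night3 = full_compare(sap, ad)            # converged: only the orphan remains
    return night1, night2, night3

if __name__ == "__main__":
    for number, plan in enumerate(demo(), start=1):
        print(f"night {number}: {plan}")
```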