
Retrieval of Employee-Related Data by SAP ERP HCM

Use

You can use this function to make time-dependent employee data in a distributed system landscape available centrally in SAP NetWeaver Identity Management. This means you can use your data across applications and platforms, and access the data using a standardized log.

The retrieval of the data is delta compatible, so that, following an initial data transfer, subsequent changes to the data are transferred to SAP NetWeaver Identity Management quickly.

Note

The user authorizations defined regulate access to the Personnel Administration data. To retrieve employee-related data to SAP NetWeaver Identity Management, the following single roles are available for the corresponding functions:

These single roles allow you to control the authorizations for the preparation of data extraction, and its actual execution.

From a technical point of view, SAP NetWeaver Identity Management is an LDAP-enabled directory service that, in particular, can process time-dependent employee data. You can use this function to process employee data in the Personnel Administration application component of SAP ERP HCM as follows, and to transfer it to SAP NetWeaver Identity Management:

  • You can obtain the data in Personnel Administration using a query.

  • You can format the data in Personnel Administration.

    Within Personnel Administration, formatting data includes the function of mapping query fields to logical SAP data fields.

  • You can make the data available in SAP NetWeaver Identity Management 7.1.

Integration

This function is integrated with the functions that are available to you with the Directory Services within the SAP Web Application Server. Before you can retrieve employee and organizational data from an LDAP-enabled directory service, you must make the required general settings (transaction LDAPMAP) for the directory services in the SAP Web Application Server, that is, execute the Synchronization of the SAP Database with the LDAP-Enabled Directory Service.

Prerequisites

To be able to use this function, you must have installed the application component Personnel Administration of SAP ERP Human Capital Management (as of SAP Enhancement Package 4 for SAP ERP 6.0) and SAP NetWeaver Identity Management (from Release 7.1), and connected them together. The following prerequisites also apply:

SAP ERP HCM

  • You use SAP Web Application Server 7.0 in your system landscape. This contains the LDAP connector as a software component that regulates the communication between an SAP ERP HCM system and SAP NetWeaver Identity Management.

  • You have created an RFC destination from your SAP ERP HCM system to the SAP Web Application Server.

  • You have decided which employee-related data you want to make accessible as attributes in SAP Identity Management.

    Note

    In the standard system, SAP delivers an example query. For more information, see Data Retrieval Using a Query.

  • You have decided that certain employee communication data is to be distributed to SAP ERP HCM using SAP NetWeaver Identity Management.

    Recommendation

    In this instance, you are advised to use an SAP query that does not contain this communication data. The example query contains fields from infotypes Communication (0105) or Internal Data (0032) as communication data fields.

    You have made the required settings that enable the system to map the SAP data fields to the directory service attributes (transaction LDAPMAP). For more information, see the documentation for the SAP Web Application Server under Mapping and Synchronization Process.

SAP NetWeaver Identity Management

  • You have installed SAP NetWeaver Identity Management.

    Note

    Note that to have the full range of functions described in this documentation, you must have installed at least SAP NetWeaver Identity Management 7.1.

  • You have set up a staging area for employee data and an identity store in SAP NetWeaver Identity Management.

  • You have configured the Virtual Directory Server.

Features

To obtain the employee data, you require an InfoSet and a corresponding query. The InfoSet must contain the fields that are evaluated in the query. We deliver an example query and corresponding BAdI implementations that illustrate what sort of attributes you evaluate, and how you can format them for data extraction in SAP NetWeaver Identity Management.

You execute the data extraction from Personnel Administration with report RPLDAP_EXTRACT_IDM. The system transfers the data to the SAP Web Application Server using the RFC-enabled function module SPLDAP_RECEIVE_ATTRIBUTES. The function module exports the data by means of the LDAP Connector to SAP Identity Management.

The data is initially transferred to the staging area you have configured and that you have reserved for employee-related data. As of SAP NetWeaver Identity Management 7.1, the system automatically transfers and stores the data from the staging area to the identity store in the next step. Once the data has been successfully transferred to the identity store, the system begins the automatic distribution of the data to the connected systems.

This distribution makes it possible for you to create or change system users or, in the case of user assignments, to delete them as appropriate. In addition, processes are run automatically for the successful creation of users and to enable the subsequent logon of the user in these systems. Alternatively, the system prevents a user from logging on if, for example, the user has left the company. The distribution also covers the automatic assignment of the authorizations required by the user to carry out tasks in the system.

Note

Note that you have to generate users in SAP ERP HCM using transaction HRUSER.

If you want to update the data in your SAP Identity Management system at regular intervals, you can schedule report RPLDAP_EXTRACT_IDM to run regularly as a background job in Delta Download mode.

Note

If you choose Delta Download mode, report RPLDAP_EXTRACT_IDM suppresses the selection using the Personnel Number field, and only those personnel numbers are processed that have been entered in table HRLDAP_PERNR but have not yet been processed (indicator PROCESSED was not selected by the system).

Table HRLDAP_PERNR is filled using Business Add-In (BAdI) implementations for BAdI definitions HRBAS00INFTY, HRPAD00INFTY and HRPAD00INFTYDB. SAP delivers the following BAdI implementations inactive:

  • BAdI implementation HR_LDAP_EXTRACT_PA for BAdI definition HRPAD00INFTY

  • BAdI implementation HR_LDAP_EXTRACT_PA_ITF for BAdI definition HRPAD00INFTYDB

  • BAdI implementation HR_LDAP_EXTRACT_PD for BAdI definition HRBAS00INFTY
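The Delta Download behaviour described above, modelled in Python as an added example (not SAP code and not part of the original documentation). The class, function and mode names, the constructed personnel numbers, and the assumption that the PROCESSED indicator is set once a delta run has handled an entry are hypothetical; the model shows that while the BAdI implementations remain inactive nothing is entered in HRLDAP_PERNR, so a scheduled delta run transfers no changes, and that a personnel-number selection has no effect in delta mode.

```python
from dataclasses import dataclass, field


@dataclass
class ChangeQueue:
    """Model of table HRLDAP_PERNR: personnel number -> PROCESSED indicator."""
    badi_active: bool = False             # the page: implementations are delivered inactive
    entries: dict = field(default_factory=dict)

    def infotype_changed(self, pernr: str) -> None:
        # Only an active BAdI implementation enters the changed person in the table.
        if self.badi_active:
            self.entries[pernr] = False   # PROCESSED not yet set


def extract(queue, all_pernrs, mode, selection=None):
    """Return the personnel numbers one run of the extraction would transfer."""
    if mode == "delta":
        # Personnel Number selection is suppressed; only unprocessed entries count.
        todo = sorted(p for p, done in queue.entries.items() if not done)
        for p in todo:
            queue.entries[p] = True       # assumption: flagged once transferred
        return todo
    # Non-delta run (model name "full"): the selection restricts the set.
    return sorted(p for p in all_pernrs if selection is None or p in selection)


def demo():
    """Run the same leaver scenario with the BAdI inactive and active."""
    staff = {"00001001", "00001002", "00001003"}   # constructed sample data
    results = {}
    for active in (False, True):
        queue = ChangeQueue(badi_active=active)
        queue.infotype_changed("00001002")          # e.g. the employee leaves
        # The operator tries to restrict the delta run to a different person.
        first = extract(queue, staff, "delta", selection={"00001001"})
        second = extract(queue, staff, "delta")     # next scheduled run
        results[active] = (first, second)
    return results


if __name__ == "__main__":
    for active, (first, second) in demo().items():
        print(f"BAdI active={active}: first delta run {first}, second {second}")
```

In the inactive case both delta runs are empty, so the leaver's change never reaches the staging area; checking that the three implementations are active is therefore part of validating a scheduled delta job.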

You can restrict the set of personnel numbers whose data you want to transfer to the directory service either in report RPLDAP_EXTRACT_IDM or using a query variant.

Recommendation

Where there are large quantities of data, you are advised to carry out the initial data transfer in several steps, as the initial data transfer of employee-related data to an SAP NetWeaver Identity Management system uses an enormous amount of memory, and with large data quantities may result in overflow errors.

If you want to retain status information on the data transport from the SAP ERP HCM system to the LDAP-enabled directory service, you can use reports SPLDAP_DISPLAY_LOG_TABLES and RPLDAP_CLEAN_UP_LOG_TABLES. You can use the reports to display or delete the transport log of the data record export.

Note

A wizard is available for the definition of the mapping between the fields that have been extracted from the SAP Query and the corresponding LDAP server. You can use this wizard to perform the following operations:

  • Modify or copy your SAP queries

  • Add to or modify fields of the SAP Query

  • Define mappings for the corresponding LDAP field

  • Create new RFC destinations and a new LDAP connector

  • Set up new server connections

  • Activate BAdI implementations that are necessary for consistent extraction of HR data to SAP NetWeaver Identity Management

The wizard sets up the mapping to the LDAP server using default values. If you wish to modify these values, you have to run the transactions HRLDAP_MAP and LDAP independently of each other.

You can call the wizard using transaction HRIDMWIZARD_START. Prior to using the wizard, check that:

  • You have the necessary roles and authorizations

  • If you wish to activate any BAdI implementation, the implementation is available and consistent.

This wizard does not modify the objects in SAP NetWeaver Identity Management and this operation must be handled independently.

The results of a configuration that you have carried out using the wizard can be seen in the log, which you can call using transaction HRIDMDISPLAYLOG.