SAP Server

Bravura Security Fabric can perform operations as well as manage group membership for SAP systems using the agtsapnw (64bit) or agtsap (32bit) SAP connector.

Table 1. agtsapnw (64bit)

Connector name: agtsapnw

Connector type: Executable

Type (UI field value): SAP Server (Netweaver 7.5+)

Target system versions supported / tested: Application users on SAP systems such as SAP S/4 HANA, ECC, or R/3. Supports the NetWeaver 7.5+ SDK that is currently supported by SAP. To manage SAP HANA database users, use agthana instead; see SAP HANA Database.

Connector status / support: Bravura Security-Verified. This connector has been tested and is fully supported by Bravura Security.

Upgrade notes: The agtsapnw (64bit) connector should be used instead of the older agtsap (32bit) connector.

The agtsap connector uses a version of the API that SAP has deprecated, and it may no longer work with future updates from SAP. It is unknown how much longer SAP will maintain compatibility with the legacy API.

The original SAP RFC SDK (librfc32) that the agtsap connector uses has been deprecated and has been out of support since March 31st, 2016. The new agtsapnw connector transitions to the new SAP RFC NetWeaver SDK (librfcnw).



Table 2. agtsap (32bit)

Connector name: agtsap

Connector type: Executable

Type (UI field value): SAP Server

Target system versions supported / tested: Application users on SAP systems such as SAP S/4 HANA, ECC, or R/3. Does not support the NetWeaver 7.5+ SDK. To manage SAP HANA database users, use agthana instead; see SAP HANA Database.

Connector status / support: Customer-Verified. Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment, as Bravura Security does not maintain internal test environments for the associated target system.

Deprecation status: The agtsap connector is deprecated starting with Connector Pack 4.7.0 and will be removed in Connector Pack 4.9.0. The agtsapnw (64bit) connector should be used instead of the older agtsap (32bit) connector.

Upgrade notes: The agtsap connector uses a version of the API that SAP has deprecated, and it may no longer work with future updates from SAP. It is unknown how much longer SAP will maintain compatibility with the legacy API.

The original SAP RFC SDK (librfc32) that the agtsap connector uses has been deprecated and has been out of support since March 31st, 2016. The new agtsapnw connector transitions to the new SAP RFC NetWeaver SDK (librfcnw).



The following Bravura Security Fabric operations are supported by agtsapnw and agtsap:

  • get server information

  • administrator verify password

  • user change password

  • expire password

  • check password expiry

  • administrator reset password

  • administrator reset+expire password

  • unexpire password

  • create account

  • delete account

  • disable account

  • enable account

  • check account enabled

  • add user to group

  • delete user from group

  • update attributes

  • list account attributes

  • List:

    • accounts

    • attributes

    • groups

    • members

    Note

    The OSS Note 750_390 patch is applied on most SAP servers. If this patch has been applied on the SAP server, see Configuring the SAP server after applying OSS Note 750_390 for the additional configuration it requires.

The following sections show you how to:

  • Prepare for SAP integration

  • Target the SAP server

  • Configure the SAP server after applying OSS Note 750_390

  • Take advantage of SAP load balancing

  • Create template accounts for SAP target systems

This chapter also describes how Bravura Identity handles special attributes, which are used when creating or modifying accounts on an SAP target.

Overview

Bravura Security Fabric uses the RFC mechanism in the SAP client GUI to invoke built-in functions on the SAP server. SAP versions 4.5 or higher include all of the remote function calls (RFCs) required by Bravura Security Fabric to manage accounts and/or passwords on the system. No new functions, and in fact no new software at all, are installed on the SAP server.

Ensure that these functions are all available for the target administrator credential in order for the connector operations to be successful and that they are configured as listed in Configuring a target system administrator. Contact Bravura Security support if your SAP administrator would like to reduce access for the target administrator credential.

Note that earlier versions of SAP may not include all of the required RFCs or operations. If you have an earlier version of SAP, contact Bravura Security support for assistance.

Bravura Security Fabric uses the following calls to carry out connector operations:

  • BAPI_USER_GET_DETAIL

  • BAPI_USER_CREATE

  • BAPI_USER_ACTGROUPS_ASSIGN

  • BAPI_USER_PROFILES_ASSIGN

  • BAPI_USER_CHANGE

  • BAPI_USER_LOCK

  • BAPI_USER_UNLOCK

  • BAPI_USER_DELETE

  • BAPI_USER_GETLIST

  • RFC_GET_TABLE_ENTRIES

  • BAPI_HELPVALUES_GET

Note that RFC_GET_TABLE_ENTRIES does not function correctly on systems that have applied the Unicode patch. On newer Unicode systems, most of the functionality provided by RFC_GET_TABLE_ENTRIES can be replaced by:

  • BAPI_USER_GET_DETAIL

  • BAPI_USER_CHANGE

  • BAPI_USER_GETLIST

Not all functionality can be replaced by these function calls; the missing functionality includes user status and last login date.

A return code of 2 from RFC_GET_TABLE_ENTRIES, or an RFC_EXCEPTION: INTERNAL_ERROR error, indicates incorrect use of this function.

The following subsections detail the RFC functions used to implement some Bravura Security Fabric functions:

Verifying passwords

When Bravura Security Fabric needs to verify a user’s current password, it simply tries to connect to the SAP server using RFC. The password is assumed to be correct if the connection succeeds or if the connection fails but the error indicates that the user does not have RFC access. All other conditions are assumed to indicate an invalid password. The exact steps are:

  1. Connect to the SAP server using RFC with the user’s login ID and password.

  2. The result status tells Bravura Security Fabric if the password was good or bad.

  3. Disconnect.

Changing passwords

When Bravura Security Fabric changes an SAP password on behalf of a user who knows his current password, it uses RFC as follows:

  1. Connect to the SAP server (hostname, system number, and client number) using RFC with the user’s login ID and password.

  2. The result status tells Bravura Security Fabric if the password was good or bad.

  3. Disconnect.

  4. If the password was bad, terminate the process.

  5. If the password was valid, use the ’Resetting passwords’ process described below to set a new password value.

Resetting passwords

To administratively reset a user’s password to a new value, Bravura Security Fabric uses the following steps:

Log the user in:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC and invoke the PASSWORDX operation to reset the user’s password.

  3. Call the BAPI_USER_CHANGE RFC and invoke the LOGONDATA operation to set the user’s last logon time.

  4. Log the user in to set the new password.

  5. The result status tells Bravura Security Fabric if the password reset was successful.

  6. Disconnect.

Set the LTIME field:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC and invoke the PASSWORDX operation to reset the user’s password.

  3. Call the BAPI_USER_CHANGE RFC and invoke the LOGONDATA operation to set the user’s last logon time.

  4. The result status tells Bravura Security Fabric if the password reset was successful.

  5. Disconnect.

Use the SUSR_USER_CHANGE_PASSWORD_RFC procedure:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC and invoke the PASSWORDX operation to reset the user’s password.

  3. Call the SUSR_USER_CHANGE_PASSWORD_RFC to change the user’s password.

  4. The result status tells Bravura Security Fabric if the password reset was successful.

  5. Disconnect.

Set the PRODUCTIVE_PWD flag in BAPI_USER_CHANGE:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC to set the flag PRODUCTIVE_PWD and invoke the PASSWORDX operation to reset the user’s password.

  3. Call the BAPI_USER_CHANGE RFC and invoke the LOGONDATA operation to set the user’s last logon time.

  4. The result status tells Bravura Security Fabric if the password reset was successful.

  5. Disconnect.

Do not make the password productive:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC and invoke the PASSWORDX operation to reset the user’s password.

  3. The result status tells Bravura Security Fabric if the password reset was successful.

  4. Disconnect.

  5. The user is prompted to enter a new password at the next login.

Listing users

Nightly, the Bravura Security Fabric server extracts a list of users from every system, including SAP. This list is used to automatically update user profiles so that users are presented with a list of systems where they have a login account rather than every system on the network.

For SAP versions 6.4 and above, BAPI_USER_GETLIST is used to retrieve the list of users. For earlier versions of SAP, RFC_GET_TABLE_ENTRIES is executed on table V_USR_NAME.

Selection ranges

You can filter which users will be listed from the SAP server by using selection ranges. Selection ranges are based on the Select-Options keyword in SAP ABAP.

You can define one or more selection ranges, using a list or a KVG file. This option can be configured in Target System Options .

Selection ranges are defined using the following format:

 parameter|field|sign|option|low|high

Examples:

  • Exclude listing of locked-out user accounts:

    ISLOCKED|NO|USER_PW|E|EQ|L|

  • Exclude listing of super users:

    LOGONDATA|CLASS|I|NE|SUPER|

  • Include listing of users with user type ’A’:

    LOGONDATA|USTYP|I|EQ|A|

If using a file, it should be in the proper KVG format:

# KVGROUP-V2.0
listuserselectionrange = {
  "filter1";
  "filter2";
  ...etc.
}

Refer to the SAP documentation for more information regarding ABAP Select-Options.
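As an added example (not Bravura's own code), the following parser reads pipe-delimited selection ranges, including from a KVG file in the format above, and evaluates them with Select-Options semantics against user records. The record layout, the USERNAME/BAPIBNAME exclude line and the user data are constructed for illustration.

```python
"""Parse selection ranges (parameter|field|sign|option|low|high) and evaluate
them with ABAP Select-Options semantics. Added example with constructed data."""
import re
from dataclasses import dataclass
from typing import Dict, List


def cp_to_regex(pattern: str) -> str:
    # ABAP CP wildcards: '*' matches any string, '+' exactly one character.
    return "".join(".*" if c == "*" else "." if c == "+" else re.escape(c)
                   for c in pattern)

# How each OPTION compares the record value against LOW/HIGH.
OPTIONS = {
    "EQ": lambda v, lo, hi: v == lo,
    "NE": lambda v, lo, hi: v != lo,
    "GT": lambda v, lo, hi: v > lo,
    "LT": lambda v, lo, hi: v < lo,
    "GE": lambda v, lo, hi: v >= lo,
    "LE": lambda v, lo, hi: v <= lo,
    "BT": lambda v, lo, hi: lo <= v <= hi,
    "NB": lambda v, lo, hi: not (lo <= v <= hi),
    "CP": lambda v, lo, hi: re.fullmatch(cp_to_regex(lo), v) is not None,
    "NP": lambda v, lo, hi: re.fullmatch(cp_to_regex(lo), v) is None,
}


@dataclass(frozen=True)
class SelectionRange:
    parameter: str  # BAPI structure name, e.g. LOGONDATA
    field: str      # field inside that structure, e.g. USTYP
    sign: str       # I = include, E = exclude
    option: str     # one of the OPTIONS keys
    low: str
    high: str       # may be empty; only BT and NB use it


def parse_range(line: str) -> SelectionRange:
    """Parse one pipe-delimited range line; malformed input raises ValueError."""
    parts = [p.strip() for p in line.strip().split("|")]
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
    rng = SelectionRange(*parts)
    if rng.sign not in ("I", "E") or rng.option not in OPTIONS:
        raise ValueError(f"bad sign or option: {line!r}")
    return rng


def is_valid_range(line: str) -> bool:
    try:
        parse_range(line)
        return True
    except ValueError:
        return False


def parse_kvg(text: str) -> List[SelectionRange]:
    """Pull the quoted filters out of a KVGROUP-V2.0 listuserselectionrange block."""
    m = re.search(r"listuserselectionrange\s*=\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no listuserselectionrange group found")
    return [parse_range(f) for f in re.findall(r'"([^"]*)"\s*;', m.group(1))]


def select_users(users: List[Dict[str, Dict[str, str]]],
                 ranges: List[SelectionRange]) -> List[str]:
    """Per (parameter, field): a value passes if it matches at least one I line
    (when any exist) and no E line; the groups are ANDed. Returns user names."""
    groups: Dict[tuple, List[SelectionRange]] = {}
    for r in ranges:
        groups.setdefault((r.parameter, r.field), []).append(r)
    selected = []
    for user in users:
        for (param, field), rs in groups.items():
            value = user.get(param, {}).get(field, "")
            hits = [(r.sign, OPTIONS[r.option](value, r.low, r.high)) for r in rs]
            inc = [h for s, h in hits if s == "I"]
            exc = [h for s, h in hits if s == "E"]
            if (inc and not any(inc)) or any(exc):
                break
        else:
            selected.append(user["USERNAME"]["BAPIBNAME"])
    return selected


# Constructed KVG file: the LOGONDATA filters are the two shown above; the
# USERNAME/BAPIBNAME line is a constructed exclude using a CP wildcard.
KVG_TEXT = """# KVGROUP-V2.0
listuserselectionrange = {
  "LOGONDATA|CLASS|I|NE|SUPER|";
  "LOGONDATA|USTYP|I|EQ|A|";
  "USERNAME|BAPIBNAME|E|CP|SAP*|";
}
"""


def _user(name: str, cls: str, ustyp: str) -> Dict[str, Dict[str, str]]:
    # Constructed record shape: parameter -> field -> value.
    return {"USERNAME": {"BAPIBNAME": name},
            "LOGONDATA": {"CLASS": cls, "USTYP": ustyp}}

USERS = [_user("ALICE", "ADMIN", "A"), _user("SAPSVC", "ADMIN", "A"),
         _user("BOB", "SUPER", "A"), _user("CAROL", "USERS", "B"),
         _user("DAVE", "USERS", "A")]
```

With the constructed data, select_users(USERS, parse_kvg(KVG_TEXT)) keeps ALICE and DAVE: SAPSVC is dropped by the CP exclude, BOB by NE SUPER and CAROL by USTYP EQ A.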

Other Bravura Security Fabric functions

The following list details how other Bravura Security Fabric functions are carried out.

  • check account enabled: Look at the status bitfield of the UFLAG column of the USR02 table. If the Unicode patch is in place, this will not function correctly.

  • enable account: Call BAPI_USER_LOCK.

  • disable account: Call BAPI_USER_UNLOCK.

  • unlock account: Call BAPI_USER_UNLOCK.

  • create account: Call BAPI_USER_GET_DETAIL on the template user.

    Use BAPI_USER_CREATE to set the creation attributes. Other attributes are set as detailed in Attribute update. If create account succeeds, it performs a password reset; the password reset is affected by the OSS Note 750_390 patch, so see Configuring the SAP server after applying OSS Note 750_390.

  • delete account: Call BAPI_USER_DELETE.

  • update attributes: Call BAPI_USER_GET_DETAIL to get information on the user.

    Then use BAPI_USER_CHANGE to make most attribute changes.

    Exceptions include activity groups and roles, which are assigned using BAPI_USER_PROFILES_ASSIGN and BAPI_USER_ACTGROUPS_ASSIGN.

    If Central User Administration (CUA) is enabled, use:

    • BAPI_USER_LOCACTGROUPS_READ and BAPI_USER_LOCPROFILES_READ to read local activity groups and profiles, and

    • BAPI_USER_LOCACTGROUPS_ASSIGN and BAPI_USER_LOCPROFILES_ASSIGN to update local activity groups and profiles.

  • add user to group: Read users by calling BAPI_USER_GET_DETAIL, then add them by calling BAPI_USER_ACTGROUPS_ASSIGN.

  • delete user from group: Read users by calling BAPI_USER_GET_DETAIL, then delete them by calling BAPI_USER_ACTGROUPS_ASSIGN.

  • list groups and members: Call BAPI_HELPVALUES_GET and read AGR_DEFINE.

    Note

    RFC_GET_TABLE_ENTRIES is called instead if the system is 6.3 or older.

Implications for SAP technical support

Bravura Security Fabric does not impact technical support offered to clients by SAP or third-party vendors.

Bravura Security Fabric only uses mechanisms published by SAP to list users and manage passwords. Remote access from the Bravura Security Fabric server to the SAP server is provided by RFCs, and all server functionality uses BAPI function calls provided by SAP.

Since no server software is installed, and only recommended and published BAPIs are used to manage passwords, using Bravura Security Fabric will in no way impact existing SAP support contracts.

To limit technical support because a customer installs Bravura Security Fabric is equivalent to prohibiting the use of SAP-supplied BAPI functions. Since every SAP installation uses BAPIs, and especially SAP-supplied ones, no SAP or third-party vendor can prohibit this.

Preparation

Installing client software

Note

This section is only required for the agtsap connector.

Before you begin, you must install the SAP GUI on the Bravura Security Fabric server. The client software must also be installed on Bravura Security Fabric proxy servers.

Ensure that the SAP GUI version corresponds to your newest SAP system.

OSS Note 750_390 patch

If the OSS Note 750_390 patch has been applied on the SAP server (which is applied by default in most SAP BASIS 7 and up instances), see Configuring the SAP server after applying OSS Note 750_390 about additional configuration required for the Bravura Security Fabric server.

If you are using a BASIS version before 7 and the OSS Note 750_390 is not applied, there’s no need to set up the PSYNCH_USER role or allow the admin credentials to apply it. In this case, the value for the address configuration option Method to make a password productive after a reset is set to Set the LTIME field.

Configuring a target system administrator

Bravura Security Fabric uses a designated account on the SAP target system to carry out connector operations.

Ensure that the functions are all available and configured as listed below for the target administrator credential in order for the connector operations to be successful. Contact Bravura Security support if your SAP administrator would like to reduce access for any of these functions.

Create this account (for example, psadmin) with the following authorizations:

Cross-application Authorization Objects > Authorization Check For RFC Access:

  • Name of RFC to be protected = *

  • Type of RFC object to be protected = *

    This authorization allows a user to remote logon to the SAP server and run RFC functions.

Cross-application Authorization Objects > Transaction Code Check at Transaction Start:

  • Transaction code = SU01

    This authorization allows a user to run transaction SU01.

Basis: Administration > User Master Maintenance: User Groups:

  • Activity = *

  • User group in user master maintenance = *

    This authorization allows a user to manage another user. User group in user master maintenance is set to *, which means that users with this authorization can manage all users.

    In your environment, you can select a set of user groups if Bravura Security Fabric will not manage all the users on the SAP target.

Basis: Administration > Authorizations: Role Check:

  • Activity = 02 Change

  • Activity = 22 Enter, Include, Assign

  • Role Name = *

    This authorization allows a user to add/delete a user to/from a role.

Basis: Administration > Table Maintenance (via standard tools such as SM30):

  • Activity = 03 Display

  • Authorization Group = *

    This authorization allows a user to list users, groups, and their attributes.

Basis: Administration > User Master Maintenance: Authorization Profile:

  • Activity = 22 Enter, Include, Assign

Basis: Administration > User Master Maintenance: System for Central User Maintenance:

  • Activity = 02 Change

  • Receiving system for central user administration = *

    Note

    If your system is a CUA system, you may require additional authorization(s).

Warning

Due to the customizable nature of SAP, these authorizations may not be complete or accurate for your SAP installation. If you experience any problems, contact your SAP administrator for assistance in deriving adequate permissions.

Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.

Netweaver 7.5+ support

The SAP Server (Netweaver 7.5+) connector type supports the NetWeaver 7.5+ SDK.

This section details how to configure the agtsapnw connector to communicate with an SAP instance. This is generally done through an SAP Message Service.

Targeting SAP Server

Target options vary depending on Connector Pack version.

Option: Added in Connector Pack

Enable listing of group membership as attributes: 4.3.0

Trace Logging: 4.6.1

Engage RFC trace logging: 4.5.2, 4.7.0

For each SAP system, add a target (Manage the system > Resources > Target systems):

  • Type:

    • SAP Server (Netweaver 7.5+)

    or

    • SAP Server

  • The target system address uses options described in the table below.

    The syntax for the target address is:

     {server=<hostname>; system=<systemNo>; client=<clientNo>; resetmethod=<option>;
      [usecuagroups=<true|false>;][nocache=<true|false>;][gettableswork=<true|false>;]
      [unlocktype=<option>;][listnestedagr=<true|false>;][listmemberattr=<true|false>;]
      [systemname=<name>;][cuaaddress=<address>;][cuasystem=<number>;]
      [cuaclient=<number>;][sncpartnername=<name>;][snclib=<library>;]
      [listuserselectionrange=<range>;][rfctrace=<0|1|2|3>;][trace=<low|medium|high>;]}

The Administrator ID and Password are the login ID and password for the target system administrator you configured earlier.

For SAP versions older than SAP 7, the Program to set the case of new IDs is set to upper.pss.

The full list of target parameters is explained in Target System Options .

SAP Server address configuration

Option

Description

Required options are marked (required).

Server (required)

The server name or IP address of the SAP server. If Bravura Security Fabric is using SAP’s load balancing capabilities, replace <hostname> with the load balancing parameters described in Load balancing.

(key: server)

System number (required)

The two-digit R/3 System ID (TCP/IP service). If Bravura Security Fabric is using SAP’s load balancing capabilities, this must be set to -1.

(key: system)

Client number (required)

The client number used to log on to the SAP system.

(key: client)

SAP Basis version number (required)

The SAP BASIS release number. This is separate from the SAP application and module versions.

agtsapnw does not have this option.

(key: version)

Method to make a password productive after a reset (required)

Sets the method used to make a password productive after a reset:

Log the user in (value: loginreset)

Set to this value when the OSS Note 750_390 patch has been applied on the SAP server. The user is logged in via RFC to make the password productive.

Set the LTIME field (value: ltime)

Set to this value if you are using a BASIS version before 7 and the OSS Note 750_390 patch is not applied on the SAP server.

Use the SUSR_USER_CHANGE_PASSWORD_RFC procedure (value: susrchangepassword)

Set to this value when this procedure is configured on the SAP server to reset a password.

Set PRODUCTIVE_PWD flag in BAPI_USER_CHANGE (value: productivepwd)

Sets the PRODUCTIVE_PWD flag so that the password is productive. To be used only when SNC (secure network communication) has been configured in SAP.

Do not make the password productive (value: notproductive)

Set to this value to leave the password non-productive.

(key: resetmethod)

Use CUA groups

Enable to use CUA central system groups when listing attributes.

(key: usecuagroups)

Disable SAP caching on BAPI calls to improve list performance

Enable to list users without cache.

(key: nocache)

Use gettableswork

Enable for Unicode systems.

(key: gettableswork)

Method used to determine lock type

Sets the behavior for unlocking an account:

islocked: Used for reset and create operations on an auto-locked account so that the unlock succeeds. If the account was locked by an administrator, it cannot be unlocked with this option.

always: Unlocks the account even if it is locked by an administrator. This is the default behavior.

(key: unlocktype)

Enable listing of nested roles, profiles, and t-codes as groups

This option is disabled by default.

(key: listnestedagr)

Enable listing of group membership as attributes

Implemented in Connector Pack 4.3.

Disable to exclude listing group memberships.

agtsap does not have this option.

(key: listmemberattr)

Name of local client system

Only required if using the CUA central system to manage user roles during password changes.

(key: systemname)

Address of CUA central system

Only required if using the CUA central system to manage user roles during password changes.

(key: cuaaddress)

System number of the CUA central system

Only required if using the CUA central system to manage user roles during password changes.

(key: cuasystem)

Client number of the CUA central system

Only required if using the CUA central system to manage user roles during password changes.

(key: cuaclient)

SNC Partner name

The application server’s SNC name.

(key: sncpartnername)

SNC Library

The full path of the SNC library.

(key: snclib)

List user filtered with selection range

Filter users based on a selection range.

(key: listuserselectionrange)

Engage RFC trace logging

This option is to enable RFC trace diagnostics and logging. Default is 0 which means that logging is turned off. See the RFC Trace File for more information.

(key: rfctrace)

Trace Logging

Provides detailed multiline logging for connectors. Default is None. Other options include Low, Medium, and High.

(key: trace)

The Trace Logging option provides detailed multi-line logging for the connectors and exposes a way to write trace logging to a file. Trace logging covers data that is generally multi-line, such as input/output KVG options, HTTP request/response data, and other verbose data useful for diagnosing and troubleshooting issues. It provides a simple mechanism to redirect this multi-line information to an output file.

A trace log file is created within the <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance> directory and has a format of trc-<connector-name>-<unix-time>-<process-id>.log.

The Trace Logging option can be found in the advanced section when modifying the target system address configuration page for individual target systems. It can be set to the following values:

None

Default value. Log no trace information and no trace log file is created.

Low

Contains kvgroup data for the Input KVG and for the Output KVG.

Medium

Telemetry data for Http Post/Get request/response data.

High

Not yet used, to be implemented in a future release.

(key: trace)
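To check a target address against the rules in this table before saving it, here is an added validator (example code, not part of the connector). It parses the {key=value; ...} syntax shown under Targeting SAP Server and flags the cross-field constraints stated in the option descriptions: load balancing needs system=-1, productivepwd is meant for SNC, the CUA options belong together, and only agtsap takes the version key. The connector-name parameter, the finding texts and the sample addresses are constructed.

```python
"""Validate a Bravura SAP target address string against the option table.
Added example; the rules are read from the option descriptions above."""
from typing import Dict, List

REQUIRED = ("server", "system", "client", "resetmethod")
BOOL_KEYS = ("usecuagroups", "nocache", "gettableswork", "listnestedagr", "listmemberattr")
CUA_KEYS = ("systemname", "cuaaddress", "cuasystem", "cuaclient")
ENUMS = {
    "resetmethod": {"loginreset", "ltime", "susrchangepassword", "productivepwd", "notproductive"},
    "unlocktype": {"islocked", "always"},
    "rfctrace": {"0", "1", "2", "3"},
    "trace": {"low", "medium", "high"},
}
KNOWN = set(REQUIRED) | set(BOOL_KEYS) | set(CUA_KEYS) | set(ENUMS) | {
    "version", "sncpartnername", "snclib", "listuserselectionrange"}


def parse_address(address: str) -> Dict[str, str]:
    """Split '{k=v; k=v;}' into a dict; the server value may contain '|'."""
    body = address.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"option without '=': {item!r}")
        key, value = item.split("=", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def validate_address(address: str, connector: str = "agtsapnw") -> List[str]:
    """Return findings prefixed 'error:' or 'warning:'; an empty list means clean."""
    opts = parse_address(address)
    findings = []
    for key in REQUIRED:
        if not opts.get(key):
            findings.append(f"error: missing required option {key}")
    if connector == "agtsap" and not opts.get("version"):
        findings.append("error: agtsap requires the version key (SAP BASIS release)")
    if connector == "agtsapnw" and "version" in opts:
        findings.append("warning: agtsapnw does not have the version option")
    for key in opts:
        if key not in KNOWN:
            findings.append(f"error: unknown option {key}")
    for key, allowed in ENUMS.items():
        if key in opts and opts[key] not in allowed:
            findings.append(f"error: {key}={opts[key]!r} not in {sorted(allowed)}")
    for key in BOOL_KEYS:
        if key in opts and opts[key] not in ("true", "false"):
            findings.append(f"error: {key} must be true or false")
    # Load balancing form is <message server>|<system ID>|<group name> with system=-1.
    balanced = "|" in opts.get("server", "")
    if balanced and opts.get("system") != "-1":
        findings.append("error: load balancing server syntax requires system=-1")
    if not balanced and opts.get("system") == "-1":
        findings.append("warning: system=-1 but server is not a message server spec")
    # productivepwd is only meant for SNC-secured connections.
    if opts.get("resetmethod") == "productivepwd" and not (
            opts.get("sncpartnername") and opts.get("snclib")):
        findings.append("warning: productivepwd is intended for SNC; set sncpartnername and snclib")
    present = [k for k in CUA_KEYS if opts.get(k)]
    if present and len(present) != len(CUA_KEYS):
        missing = sorted(set(CUA_KEYS) - set(present))
        findings.append(f"warning: partial CUA configuration, missing {missing}")
    return findings


# Constructed addresses for demonstration (hostnames are placeholders).
GOOD_ADDRESS = ("{server=mesgsrv.example.com|PRD|HR; system=-1; client=000; "
                "resetmethod=loginreset; rfctrace=3; trace=low;}")
BAD_ADDRESS = ("{server=mesgsrv.example.com|PRD|HR; system=00; client=100; "
               "resetmethod=productivepwd; unlocktype=never; cuaaddress=cua.example.com;}")
```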

Configuring the SAP server after applying OSS Note 750_390

Some Bravura Security Fabric functions perform an administrative password reset. The reset is affected by the OSS Note 750_390 patch. If you have applied the OSS Note 750_390 patch, an administrative password reset on your SAP target system now sets the user’s Ltime field in the SAP database to 000000, which forces the user to reset his password on the next login and effectively makes it a single-use password. This also happens when a user resets his SAP password using Bravura Pass.

The solution to this change is to first reset the user’s password to an intermediate value using the standard administrative reset facilities, and then log the user in through the RFC interface to change his password. A problem arises if the user does not have permission to use the RFC interface; in this case, a temporary role (PSYNCH_USER) providing the required RFC permissions must be created and assigned to the user. The role is removed after the user has been logged in and the password has been changed. The following procedure details how to configure this setup.

In the case where the user already has the required RFC permissions, the only configuration step required is to set Method to make a password productive after a reset to Log the user in in the target address configuration.

To configure the SAP server after applying the OSS Note 750_390 patch, do the following:

  1. Run transaction PFCG. Type PSYNCH_USER in the Role field and click Create role. This role name is recommended, but a different name can be used.

  2. On the Bravura Security Fabric server, create a registry string called SAP_PSYNCH_USER_ROLE in the Bravura Security Fabric Registry Path for the instance and set it to the name of the role specified in the previous step.

    • Entry name: SAP_PSYNCH_USER_ROLE

    • Value: the name of the specified role

    • Data type: REG_SZ

    Ensure that you are comfortable and knowledgeable in the mechanics of the registry before you attempt to change any configuration settings. Contact support@bravurasecurity.com if in doubt.

  3. Select the Authorizations tab and click Change authorization data.

  4. Click Selection criteria to see the Change role: Insert authorizations page.

    1. Choose Cross-application Authorization Objects > Authorization Check For RFC Access.

    2. Click Insert chosen.

  5. Modify its values as follows:

    1. Click in the Activity row, select the 16 Execute checkbox, and click Save.

    2. Edit the Name of RFC to be protected row to SUSO, SYST.

    3. Select Function Group in the Type of RFC to be protected row.

  6. Generate the profile.

  7. Ensure that the Bravura Security Fabric SAP administrative user has S_USER_AGR authorization. This authorization allows the administrative user to add/delete a user to/from the PSYNCH_USER role.

  8. In Bravura Security Fabric, log into the Manage the system (PSA) module and modify the SAP target system address configuration so that the value for Method to make a password productive after a reset is set to Log the user in.

    The Log the user in value indicates a patched server.

Load balancing

Bravura Security Fabric can take advantage of SAP’s load balancing capabilities when verifying or resetting passwords or managing accounts. Your SAP server and client must be configured to support load balancing in order to use this feature.

To configure Bravura Security Fabric to use SAP load balancing:

  1. Add an SAP target system to Bravura Security Fabric .

  2. Replace the hostname argument in the target system address for the Server option with the SAP message server name, and optionally, the system ID and group name (separated by a |).

    <message server>[|<system ID>|<group name>]

    The load balancing parameters are as follows:

    • message server The server name or IP address of the message server. When a user logs on to the SAP system, the message server routes them to the appropriate application server.

    • system ID The name of the SAP target system (for example, PRD).

    • group name The application server group name to be used.

  3. Set the systemNo to -1.

For example, to target an SAP system using load balancing, type:

 mesgsrv.example.com|PRD|HR/system=-1/client=000/version=4.6c

If you receive a message like the following from agtsap/agtsapnw :

  LOCATION CPIC (TCP/IP) on local host
  ERROR service 'sapmsDH2' unknown

edit the C:\%windir%\system32\drivers\etc\services file on the Bravura Security Fabric server on which the SAP client is installed. Include entries mapping the R/3 system name and number of each SAP server; for example:

 sapmsDX1 3636/tcp
 sapmsDR2 3610/tcp
 sapmsDW2 3615/tcp
 sapmsDC2 3612/tcp
 sapmsDE2 3614/tcp
 sapmsDB2 3613/tcp
 sapmsDH2 3616/tcp
       ^    ^^

Where the character indicated by ^ is related to the R/3 system name in the target system address line, and the numbers indicated by ^^ are related to the system number. Obtain these values from an SAP administrator.

Creating a template account

Use the following procedure to create a user account for SAP. See your SAP system administrator or documentation for more information.

To create a template SAP user account:

  1. Launch SAP Logon.

  2. Select a server and click Logon.

    A main logon screen displays.

  3. Type a user name and password.

  4. Press Enter.

  5. In the command box, type SU01 and press Enter.

  6. Type a user ID in the USER field and click Create (on the tool bar) to create the new user, or Copy to copy an existing user.

  7. On the user information screen, you can modify the attributes listed on the following tabs:

    • Address: FIRSTNAME, MIDDLENAME, and LASTNAME attributes must be set. They are required attributes for SAP targets.

    • Logon data

    • Defaults

    • Parameters

    • Activity groups

    • Profiles

    • Groups

    Note

    The email address of the template user should be the same as the user ID. That is, if the user ID is TEMPLATE, the email address should be TEMPLATE@mercury.com.

  8. After all mandatory and other information is complete, select Save from the Usernames menu.

Handling account attributes

When Bravura Security Fabric creates a new account, all tables and structures are copied from the template to the new account. The SAP target system supports having multiple values for the following attributes:

  • ACTIVITYGROUPS: sets the user’s permissions, privileges or roles (copied by default)

  • PROFILES: provides information for the user’s profile

  • PARAMETERS: sets the user’s parameters

Managing groups

You can configure Bravura Security Fabric’s workflow engine to manage group membership on SAP systems. In Bravura Security Fabric, group membership is determined by the ACTIVITYGROUPS attribute in SAP. The SAP GROUPS attribute is not used.

Normally, SAP synchronizes users with activity groups during its user compare process. This process can be run during auto discovery. Bravura Security Fabric can automatically synchronize users and groups if the PRGN_ACTIVITY_GROUP_USERPROF custom call is exposed in SAP. To enable this method, contact your SAP support.

Troubleshooting

Password fails

If a password reset fails:

  • Verify that the PSYNCH_USER role has been configured correctly.

  • Assign the PSYNCH_USER role manually to a test account and then perform a password reset from Bravura Security Fabric for that user.

  • Check that the RFC rights SUSO and SYST have been granted to the PSYNCH_USER role.

User cannot be added to a group

If a user cannot be added to a group, ensure that the SAP target administrator credential has the S_USER_AGR authorization configured in the SAP system being targeted as well as in CUA if used.

Testing connectivity issues when running auto-discovery

If you encounter issues listing users:

  • Set the target system address parameter Engage RFC trace logging to 3.

  • The resulting trace log file has the name format rfc<pid>_<thread>.trc. Its location is noted by the agtsapnw.exe connector in the Bravura Security Fabric log file.

  • If you see the following in the logs for agtsapnw:

    agtsapnw.exe [10836,8956] Warning: RfcInvoke failed [[Error while calling BAPI_USER_GETLIST], RC code [13:R], error detail: [RFC_INVALID_HANDLE: An invalid handle 'RFC_FUNCTION_HANDLE' was passed to the API call]]

  • and in the trace log file you also see that an exception occurred, for example:

    RfcGetFunctionDesc(BAPI_USER_GETLIST) via handle 2028524486592 (SID=DR1) returned 0000000000000000
    2024-03-15 20:24:01.836266 [01388] << RfcGetFunctionDesc returned RFC_ABAP_RUNTIME_FAILURE
    RFC_ERROR_INFO.key: RFC_NO_AUTHORITY
    RFC_ERROR_INFO.message: No RFC authorization for function module DDIF_FIELDINFO_GET.

  • this indicates that when RfcGetFunctionDesc is called for BAPI_USER_GETLIST, the SAP administrative user does not have RFC authorization for the function module DDIF_FIELDINFO_GET.

RFC Trace File

The agtsapnw connector provides the Engage RFC trace logging target system address configuration option to enable RFC trace diagnostics and logging.

By default this is set to 0, which turns logging off. The option accepts the following levels:

  • 0: off

  • 1: brief

  • 2: verbose

  • 3: full

When logging is enabled, a trace file is created in the <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance> directory, named rfc<PID>_<THREAD>.trc, where <PID> and <THREAD> are the process and thread IDs of the initial RFC connect. Because the trace records the connection parameters and the data returned by the RFC calls (user details, for example), treat these files as sensitive, restrict access to the Logs directory, and set the level back to 0 once troubleshooting is finished.

The log file contains various information such as:

  • Initial RFC options (parameters) passed into the connect.

  • Any errors, warnings, etc such as for example, authorization issues.

  • RFC calls that are made, for example:

    2024-03-02 02:13:46.582751 [39084] >> RfcGetFunctionDesc

    RfcGetFunctionDesc(BAPI_USER_GET_DETAIL) via handle 2133721882624

  • Table or row information passed back from RFC function calls, for example:

    BAPI_USER_GET_DETAIL
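The connector warning and trace entries quoted under "Testing connectivity issues when running auto-discovery" and the trace contents described in this section are easier to correlate with a small script than by eye. The following is an added example, not code from Bravura Security or SAP. It assumes only the two line shapes quoted on this page (RfcGetFunctionDesc(<module>) ... and RFC_ERROR_INFO.key: ... RFC_ERROR_INFO.message: ...), and the sample trace embedded in it is constructed, modelled on the excerpt above.

```python
"""Triage an rfc<PID>_<THREAD>.trc trace for RFC authorization failures.

Added example, not part of Bravura Security Fabric or the SAP NetWeaver RFC SDK.
It only relies on the two trace line shapes quoted on this page.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# "RfcGetFunctionDesc(BAPI_USER_GETLIST) via handle ..." names the module whose
# descriptor the SDK was fetching; a later error line belongs to that request.
DESC_RE = re.compile(r"RfcGetFunctionDesc\((?P<module>[A-Z0-9_/]+)\)")
ERR_RE = re.compile(r"RFC_ERROR_INFO\.key:\s*(?P<key>\w+)\s+RFC_ERROR_INFO\.message:\s*(?P<msg>.*)")
NOAUTH_RE = re.compile(r"No RFC authorization for function module (?P<module>[A-Z0-9_/]+)")


@dataclass
class Finding:
    key: str                  # RFC_ERROR_INFO.key, e.g. RFC_NO_AUTHORITY
    message: str              # RFC_ERROR_INFO.message text
    requested: Optional[str]  # module whose descriptor was being fetched
    missing: Optional[str]    # module the SAP user lacks RFC authorization for


def parse_trace(text: str) -> List[Finding]:
    """Walk the trace once, pairing each error with the last descriptor request."""
    findings: List[Finding] = []
    requested: Optional[str] = None
    for line in text.splitlines():
        m = DESC_RE.search(line)
        if m:
            requested = m.group("module")
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        key, msg = m.group("key"), m.group("msg").strip()
        missing = None
        if key == "RFC_NO_AUTHORITY":
            n = NOAUTH_RE.search(msg)
            missing = n.group("module") if n else None
        findings.append(Finding(key, msg, requested, missing))
    return findings


def missing_authorizations(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Map each module the user lacks RFC authorization for to the callers that needed it."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        if f.key == "RFC_NO_AUTHORITY" and f.missing:
            out.setdefault(f.missing, set()).add(f.requested or "?")
    return out


def root_cause(findings: List[Finding]) -> str:
    """Prefer the authorization error over the RFC_INVALID_HANDLE that follows it:
    the handle is null because the descriptor lookup failed."""
    missing = missing_authorizations(findings)
    if missing:
        return "missing RFC authorization for: " + ", ".join(sorted(missing))
    if any(f.key == "RFC_INVALID_HANDLE" for f in findings):
        return "RFC_INVALID_HANDLE with no preceding authorization error; check earlier trace entries"
    return "no RFC errors found"


# Constructed sample trace, modelled on the excerpt quoted on this page.
SAMPLE_TRACE = """\
2024-03-15 20:24:01.836101 [01388] >> RfcGetFunctionDesc
RfcGetFunctionDesc(BAPI_USER_GETLIST) via handle 2028524486592 (SID=DR1) returned 0000000000000000
2024-03-15 20:24:01.836266 [01388] << RfcGetFunctionDesc returned RFC_ABAP_RUNTIME_FAILURE RFC_ERROR_INFO.key: RFC_NO_AUTHORITY RFC_ERROR_INFO.message: No RFC authorization for function module DDIF_FIELDINFO_GET.
2024-03-15 20:24:02.001000 [01388] >> RfcGetFunctionDesc
RfcGetFunctionDesc(BAPI_USER_GET_DETAIL) via handle 2028524486592 (SID=DR1) returned 0000000000000000
2024-03-15 20:24:02.001200 [01388] << RfcGetFunctionDesc returned RFC_ABAP_RUNTIME_FAILURE RFC_ERROR_INFO.key: RFC_NO_AUTHORITY RFC_ERROR_INFO.message: No RFC authorization for function module DDIF_FIELDINFO_GET.
2024-03-15 20:24:05.000000 [01388] >> RfcInvoke
2024-03-15 20:24:05.000500 [01388] << RfcInvoke returned RFC_INVALID_HANDLE RFC_ERROR_INFO.key: RFC_INVALID_HANDLE RFC_ERROR_INFO.message: An invalid handle 'RFC_FUNCTION_HANDLE' was passed to the API call
"""

if __name__ == "__main__":
    # usage: python rfc_trace_triage.py rfc12345_678.trc   (no argument: use the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_TRACE
    found = parse_trace(text)
    for module, callers in sorted(missing_authorizations(found).items()):
        print(f"{module}: needed by {', '.join(sorted(callers))}")
    print("root cause:", root_cause(found))
```

Run it against the real rfc<PID>_<THREAD>.trc once listing fails; the output names the function module to add to the SAP user's RFC authorization rather than the downstream BAPI that the connector log complains about.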

Testing connectivity issues without agtsapnw

When testing connectivity issues, it is often useful to rule out the agent as the root cause. The NetWeaver RFC SDK provides the startrfc utility, which lets you exercise the same RFC connection from the same host without the connector and so separate integration or connectivity problems from connector problems.

To use the startrfc utility, complete the following:

  1. Ensure the NetWeaver RFC SDK is installed.

  2. Open a command prompt and navigate to the NWRFC SDK bin directory:

    C:\Program Files\SAP\nwrfc<version>\nwrfcsdk\bin

  3. Execute startrfc with the -i option. This connects to the target system and displays its system information. Supply the <host>, <user>, <password>, <sysnr> and <client> values. The -t <level> option also writes a trace file for more detailed diagnostics. See the full command line usage and example below.

    See the RFC Trace File section for more details on diagnosing integration issues using trace files.

Usage

 startrfc.exe -h <hostname> -u <adminid> -p <adminpw> -s <sysnr> -c <client> [-i] [-t <level>]

For example (cmd.exe uses double quotes, not single quotes, to quote an argument; a single-quoted password would be sent with the quote characters included). Note that the password is passed on the command line, so it lands in the shell history and is visible to anyone who can list processes on the workstation: use a test credential and clear the history afterwards.

 C:\> startrfc.exe -h mysap.acme.com -u "SAPADM" -p "<SAP-Password>" -s 00 -c 001 -i -t 1
 SAP System ID: ACME
 SAP System Number: 00
 Partner Host: mysap
 Own Host: JOHNDOE
 Partner System Release: 731
 Partner Kernel Release: 722
 Own Release: 753
 Partner Codepage: 4103
 Own Codepage: 4103
 User: SAPADM
 Client: 001
 Language: E
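The same check can be scripted so that the password is prompted for rather than typed into the shell, and so that the system information startrfc returns is compared with what the target system is configured for before the connector is blamed. This is an added example, not code from Bravura Security or SAP. It assumes the startrfc options shown above (-h, -u, -p, -s, -c, -i, -t), that startrfc.exe is reachable by the path given, and that its trace file is written to the current directory; the sample output embedded in it is constructed from the transcript above.

```python
"""Run startrfc -i from a script and sanity-check the answer.

Added example; not part of Bravura Security Fabric or the SAP NetWeaver RFC SDK.
Assumes the startrfc options shown on this page and that -t writes rfc*.trc
into the current directory.
"""
import getpass
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional


def build_startrfc_args(exe: str, host: str, user: str, password: str,
                        sysnr: str, client: str, trace_level: int = 1) -> List[str]:
    """Build the argv list for startrfc -i.

    An argv list (no shell) sidesteps cmd.exe quoting and keeps the password out
    of the shell history. It is still visible in this process's command line to
    anyone who can list processes on the host, so use a test credential.
    """
    if not re.fullmatch(r"\d{2}", sysnr):
        raise ValueError("sysnr must be two digits, e.g. 00")
    if not re.fullmatch(r"\d{3}", client):
        raise ValueError("client must be three digits, e.g. 001")
    if trace_level not in (0, 1, 2, 3):
        raise ValueError("trace level must be 0..3")
    args = [exe, "-h", host, "-u", user, "-p", password, "-s", sysnr, "-c", client, "-i"]
    if trace_level:
        args += ["-t", str(trace_level)]
    return args


INFO_LINE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")


def parse_sysinfo(output: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines printed by startrfc -i into a dict."""
    info: Dict[str, str] = {}
    for line in output.splitlines():
        m = INFO_LINE.match(line)
        if m:
            info[m.group("key")] = m.group("value")
    return info


def check_sysinfo(info: Dict[str, str], expected_sid: Optional[str] = None,
                  expected_client: Optional[str] = None) -> List[str]:
    """List mismatches between what startrfc reported and what the target
    system definition expects; an empty list means the basics line up."""
    problems: List[str] = []
    if not info:
        problems.append("no system information returned")
    if expected_sid and info.get("SAP System ID") != expected_sid:
        problems.append(f"SAP System ID is {info.get('SAP System ID')}, expected {expected_sid}")
    if expected_client and info.get("Client") != expected_client:
        problems.append(f"Client is {info.get('Client')}, expected {expected_client}")
    return problems


def newest_trace(directory: Path) -> Optional[Path]:
    """Locate the most recent rfc<PID>_<THREAD>.trc written by the -t option."""
    traces = sorted(directory.glob("rfc*.trc"), key=lambda p: p.stat().st_mtime)
    return traces[-1] if traces else None


def run_startrfc(exe: str, host: str, user: str, sysnr: str, client: str,
                 expected_sid: Optional[str] = None, trace_level: int = 1):
    """Prompt for the password (never store it in the script), run startrfc -i,
    and return (parsed info, problems, newest trace file)."""
    password = getpass.getpass(f"Password for {user}@{host}: ")
    args = build_startrfc_args(exe, host, user, password, sysnr, client, trace_level)
    proc = subprocess.run(args, capture_output=True, text=True)
    info = parse_sysinfo(proc.stdout)
    problems = check_sysinfo(info, expected_sid, client)
    if proc.returncode != 0:
        problems.append(f"startrfc exited {proc.returncode}: {proc.stderr.strip()}")
    return info, problems, newest_trace(Path.cwd())


# Constructed sample output, modelled on the startrfc -i transcript on this page.
SAMPLE_OUTPUT = """\
SAP System ID: ACME
SAP System Number: 00
Partner Host: mysap
Own Host: JOHNDOE
Partner System Release: 731
Partner Kernel Release: 722
Own Release: 753
Partner Codepage: 4103
Own Codepage: 4103
User: SAPADM
Client: 001
Language: E
"""

if __name__ == "__main__":
    import sys
    # usage: python startrfc_check.py startrfc.exe mysap.acme.com SAPADM 00 001 ACME
    exe, host, user, sysnr, client, sid = sys.argv[1:7]
    info, problems, trace = run_startrfc(exe, host, user, sysnr, client, sid)
    print("problems:", problems or "none")
    print("trace file:", trace)
```

If check_sysinfo reports a different SAP System ID or client than the target system definition in Bravura Security Fabric, the connector is being pointed at the wrong system or client and no amount of authorization work will fix the listing; if it reports nothing and startrfc exits cleanly, connectivity and credentials are fine and the trace file is the next place to look.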

sapnwrfc.dll not found

Note

This section is only applicable for the agtsapnw connector.

The agtsapnw SAP Server connector returns the following error when testing credentials or listing users if the NetWeaver RFC SDK library cannot be loaded:

Unable to resolve DLL dependency [[sapnwrfc.dll] was not found]

The connector is missing the sapnwrfc.dll dependency it needs to connect to the SAP instance: the NetWeaver RFC SDK is not installed, or its library directory is not on the PATH of the account that runs the connector.

See Setting up the NW RFC (NetWeaver RFC) SDK and Testing connectivity issues without agtsapnw for more information on troubleshooting this issue.

librfc32.dll not found

Note

This section is only applicable for the agtsap connector.

The SAP Server connector (agtsap) returns the following error with SAP GUI clients 7.5 and newer when testing credentials or listing users:

Failed: Unable to resolve DLL dependency [[LIBRFC32.dll] was not found].

SAP GUI 7.5 and newer keeps librfc32.dll in its own installation folder and no longer copies it to the Windows\System32 or Windows\SysWOW64 directories.

To resolve the problem, copy C:\Program Files (x86)\SAP\FrontEnd\SAPgui\librfc32.dll to C:\Windows\System32 and C:\Windows\SysWOW64. This requires administrative rights on the host and makes the DLL loadable by every process on it, so do it only on the Bravura Security Fabric server that runs the connector. librfc32 is the legacy RFC library that SAP no longer supports; this workaround keeps a deprecated connector running, and migrating to agtsapnw is the long-term fix.

The agtsap connector should then operate normally.

External links

The RFC library changed in SAP GUI 7.5. See SAP Note 2417687.

Any custom application that uses librfc32.dll should take this into account and move to sapnwrfc.dll. This involves code changes for custom applications that use the old DLL. For details, see SAP Note 2256415.