--- title: SAP User Management description: The SAP User Management connector lets you synchronize users from Advanced Identity Cloud to SAP user accounts. This application can only be a target application. component: pingoneaic page_id: pingoneaic:app-management:applications/sap-user-management canonical_url: https://docs.pingidentity.com/pingoneaic/app-management/applications/sap-user-management.html section_ids: register_the_application: Register the application configure_provisioning: Configure provisioning provision_side_tabs: Provision side tabs next_steps: Next steps --- # SAP User Management The SAP User Management connector lets you synchronize users from Advanced Identity Cloud to SAP user accounts. This application can only be a [target application](../applications.html#target_and_authoritative_applications). ## Register the application 1. In the Advanced Identity Cloud admin console, go to Applications, and click [icon: grid_view, set=material, size=inline] Browse App Catalog. 2. In the Browse App Catalog modal, select an application, and click Next. 3. Review the Application Integration information, and click Next. 4. In the Application Details window, specify the name, description, application owners, and logo for the application. 5. To make the application an [Authoritative](../applications.html#target_and_authoritative_applications) source of identity data, select the Authoritative check box. This option is not available for every application. 6. Click Create Application. ## Configure provisioning 1. Set up a [remote connector server (RCS)](../../identities/sync-identities.html). 2. In the Advanced Identity Cloud admin console, on the Provisioning tab: * If setting up provisioning for the first time, click Set up Provisioning. * When editing existing settings in the Connection area, click Settings. 3. Configure the following fields: | Field/Option | Description | | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | SAP Application Server FQDN | The FQDN of your SAP Application Server. For example, `sap.example.com`. | | SAP Gateway Host | The SAP gateway host name. | | SAP Gateway Server | The SAP gateway server. | | SAP User | The SAP Logon user. | | Password | The SAP Logon password. | | SAP Client | The SAP client. | | SAP System Number | The SAP system number. | | SAP System Language | The language of the remote SAP system. | | SAP Router | The IP address, port, and optional password of the SAP router, if applicable. The syntax is `/H/host/S/port/W/optionalPassword`. For example:```none /H/203.0.113.0/S/3299/W/48npb_hg815.77rr62.hdj ``` | | CUA | Whether to enable SAP Central User Administration (CUA). | 4. Optionally, click Show advanced settings to set any of the following options: **Application specific settings** | Field/Option | Description | | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Destination | SAP JCo destination name. | | Direct Connection | If selected, use a direct connection to an SAP ABAP Application server or SAP router. If cleared, use a connection to a group of SAP instances through a SAP message server. | | Target Directory | The directory to write classes. | | Warning Level | The compiler warning level. | | Disabled Global AST Transformations | A list of global AST transformations which should not be loaded even if they are defined in `META-INF/org.codehaus.groovy.transform.ASTTransformation` files. By default, none are disabled. | | SourceEncoding | The encoding for source files. | | X509 Certificate | The X509 certificate to supply for authentication. | | Trace | Whether to enable RFC trace. | | CPIC Trace | Whether to enable CPIC trace. Possible values are `0`-`3`. | | SAP Message Server Host | The message server host. | | Group | The group name of the application servers. Used when you log in to a logon group that uses load balancing. | | Message Server Service | The message server service name. | | R3 Name | The name of the SAP system used when you log in to a logon group that uses load balancing. | | SNC Mode | Flag used to activate SNC (Secure Network Connection). Possible values are `0` (OFF) and `1` (ON). | | SNC QoP | The connection security level to use. Possible values are:1 Authentication only 2 Integrity protection 3 Privacy protection 8 Use the application server value snc/data\_protection/use 9 Use the application server value snc/data\_protection/max | | SNC Library | The external library path for the Secure Network Connection service. The default is the system-defined library as defined in the environment variable `SNC_LIB`. | | SNC Partner Name | The application server ABAP SNC name. For example, `"p:CN=ABC, O=MyCompany, C=US"`. You can find the name in the profile parameter `snc/identity/as` on the AS ABAP. | | SNC Name | The connector SNC name. For example, `"p:CN=OpenIDM, O=MyCompany, C=US"`. This parameter is optional, but set it to make sure that the correct SNC name is used for the connection. | | SNC SSO | Whether the connection should be configured for single sign-on (SSO). Possible values are `0` (OFF) and `1` (ON). | | Pool Capacity | The maximum number of idle connections kept open by the destination. If there is no connection pooling, set this to `0`. The default value is `1`.For optimum performance, set this value to an integer between `5` and `10`. | | Expiration time | After this time (in milliseconds) has elapsed, the system closes the free connection. The default value is `60000`. | | Max Get time | If the pool has allocated the maximum allowed number of connections, the maximum time (in milliseconds) to wait for a connection. | | Peak Limit | The maximum number of active connections that can be created for a destination simultaneously. The value `0` is unlimited. | | Expiration Period | After this time (in milliseconds) has elapsed, the destination checks released connections for expiration. | | Exclude Unmodified | Select this option to synchronize only the modified properties on a target resource. | **Pool configuration** | Field | Description | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Max idle and active container instances | The maximum number of idle and active container instances. The default value is `10`. | | Max Idle Connector Instances | The maximum number of idle connector instances. The default value is `10`. | | Set Timeout Period | Select to enable a timeout period for the connection. After enabling, configure the following:- Timeout period (ms): The timeout period in milliseconds. | | Set Minimum Idle Time | Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure the following:- Min idle time (ms): The minimum idle time in milliseconds. | | Min Idle Instances | The minimum number of idle connector instances. | **Result Handler configuration** | Field | Description | | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------- | | Enable for connectors with the attribute normalizer interface | Enables the attribute normalizer interface for supported connectors. | | Enable local filtering/search features | Enables local filtering and search capabilities. | | Enable case insensitive filter | Configures filters to ignore case sensitivity. | | Enable configuration of search attributes; disable for local connectors | Enables search attribute configuration. Disable this option for local connectors. | 1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds. Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search. 2. In the Operation Rate Limits area, select the operations to enforce rate limits on. You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search. For each selected operation, configure the following fields: | Field | Description | | --------------- | ---------------------------------- | | Request Limit | Requests allowed over time. | | Request Period | Limit resets after this time (ms). | | Request Timeout | Time before exception thrown (ms). | 5. Click Connect. 6. Verify the information in the Details tab. ## Provision side tabs The object type determines the side tabs that display on the Provisioning tab. Use the object type list to select an object type, such as `Group`. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab. ![Sub-tabs under the Provisioning tab](../_images/ui-workforce-provisioning.png) | Provisioning tab | Description | Related sections | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | Details | View and manage an application, including name, ID, and native type. | Select the specific application from [Provision settings for an application](../provision-an-application.html#provision_settings_for_an_application). | | Properties | View and manage properties for the selected object type. | [Manage application attributes](../provision-an-application.html#manage_application_attributes) | | Data | View data about the selected object type. | [View user access data](../provision-an-application.html#view_user_access_data) | | Mapping | View and manage mappings from the Advanced Identity Cloud admin console properties to external system properties and from external system properties to the Advanced Identity Cloud admin console properties. | [Manage mappings](../provision-an-application.html#manage_mappings) | | Reconciliation | Preview mappings on target applications between external systems and the Advanced Identity Cloud admin console, and reconcile the data between the two systems.View and manage rules for the users and groups that use your application.View and manage schedules for Full and Incremental reconciliation. | [Reconcile and synchronize end-user accounts](../provision-an-application.html#recon-sync-end-users) | | Privacy & Consent | Manage end-user data sharing and synchronization. | [Configure end-user data sharing](../provision-an-application.html#config-end-user-data-sharing) | | Rules | View and manage provisioning rules for mappings between Advanced Identity Cloud and a target application. | [Manage provisioning rules](../provision-an-application.html#manage-provisioning-rules) | | Advanced Sync | Create and manage mappings between a managed object type and an application or between applications. | [Manage advanced sync](../provision-an-application.html#manage-advanced-sync) | ## Next steps * [icon: check-square-o, set=fa][Application management](../applications.html) * [icon: check-square-o, set=fa][App catalog](../app-catalog.html) * [icon: check-square-o, set=fa][Register an application](../register-an-application.html) or [Register a custom or SSO application](../register-a-custom-application.html) * [icon: check-square-o, set=fa][Provision an application](../provision-an-application.html) * [icon: square-o, set=fa]*[Manage end users and roles](../manage-users-and-roles.html)* * [icon: square-o, set=fa][Manage application registrations](../manage-app-status.html)