SAP Connector

Introduction

This page describes the usage and the configuration of the Synchronization SAP Connector aimed at provisioning SAP systems.

The SAP Connector is compatible with SAP R/3, SAP ECC, SAP S/4HANA. It uses BAPI functions to manage users or other objects in SAP.

The reader is assumed to be familiar with the structure of a SAP user account, namely attributes named such as ADDRESS.FIRSTNAME.

Configuring the SAP Connector

To configure the SAP Connector, just declare a ConnectorDefinition (see Application Connector) with the following characteristics:

  • Connector class: com.evolveum.polygon.connector.sap.SapConnector

  • Connector properties: see table below:

Each property is listed with its type, whether it is mandatory, and its default value (“-” means no default).

loadBalancing (Boolean, optional, default: false)
    If false (the default), connect to the SAP ABAP application server gateway; if true, connect via the message server (less common).

host (String, mandatory, default: -)
    SAP ABAP application server gateway, or message server host.

user (String, mandatory, default: -)
    Logon user.
    TODO: list the rights required to provision accounts.

password (String, mandatory, default: -)
    Logon password.

logonGroup (String, optional, default: SPACE)
    SAP logon group, applicable only if loadBalancing is set to true.

systemId (String, mandatory, default: -)
    System ID of the SAP system (r3Name). Example: S4H

systemNumber (String, optional, default: 00)
    System number of the SAP ABAP application server.

client (String, mandatory, default: -)
    SAP client (mandant), 3 digits. Example: 100

messageServer (String, optional, default: -)
    Message server, applicable only if loadBalancing is set to true. It can be a port number or a symbolic service name, for example “sapmsABC”.
    If provided, systemId is ignored; do not set both properties. Specifying the port number directly improves performance slightly.

destinationName (String, optional in a non-CUA environment, mandatory in a CUA environment)
    Destination name. For SAP CUA (see the cuaEnabled parameter), it must be set to the destination name of the Central CUA System.
    For non-CUA, it may be left empty; it then defaults to the concatenation systemId+systemNumber+client+user.
    Default: non-CUA: concatenation systemId+systemNumber+client+user; CUA: Central CUA destination name, for example S4HCLNT400.

lang (String, optional, default: EN)
    SAP language used by the logon user.

poolCapacity (String, optional, default: 1)
    Maximum number of idle RFC connections kept in the connection pool. 0 means no connection pooling.

peakLimit (String, optional, default: 0)
    Maximum total number of active RFC connections allowed at the same time. Includes:
      • connections currently in use
      • connections idle in the pool
    Once this limit is reached, new RFC requests wait until a connection is released. 0 means no limit: any number of concurrent RFC calls is allowed.

changePasswordAtNextLogon (Boolean, optional, default: false)
    If true, the user must change their password at the next SAP GUI logon.

alsoReadLoginInfo (Boolean, optional, default: false)
    If true, for each user, run BAPI function SUSR_GET_ADMIN_USER_LOGIN_INFO to read LAST_LOGON_DATE, LOCK_STATUS and PASSWORD_STATUS.

includeIndirectActivityGroups (Boolean, optional, default: false)
    When reading a SAP user, whether role assignments coming from a composite role are included in the user account properties.
    If set to false, a special multi-valued XML attribute ALL_ACTIVITYGROUPS is added to the user account, listing all roles, both direct and indirect, in XML format.

preserveActivityGroupsMetadataOnUpdate (Boolean, optional, default: true)
    Preserve role metadata when updating user roles, namely the “assigned from” and “assigned until” information.

tables (String, multi-valued, optional)
    Describes the name and structure of generic SAP tables to read, in addition to users and profiles (management of the user and profile tables is built into the SAP Connector).
    For example:
    AGR_DEFINE as ACTIVITYGROUP=MANDT:3:IGNORE,AGR_NAME:30:KEY,PARENT_AGR:30
    In this example, the goal is to import or provision activity groups (user roles):
      • AGR_DEFINE is the SAP table name listing all activity groups (roles)
      • it is aliased as ACTIVITYGROUP; this alias acts as the ObjectClass value when configuring inbound import or outbound provisioning tasks
      • a role’s unique id is the SAP column named AGR_NAME, because it is suffixed by the KEY keyword; this unique id is available as usual in the __objectId__ Shadow property
      • the other Shadow properties are enumerated and match column names, such as PARENT_AGR, whose SAP column size is 30
      • if a column name is suffixed by the keyword IGNORE, it is skipped, i.e. it is not part of the Shadow properties
    Due to technical constraints, all columns of a SAP table must be enumerated in their native SAP order, even those to be ignored. Only the trailing columns which aren’t of interest can be omitted from the table description.
    Note: the structure of SAP tables can be found online, see for example https://leanx.eu/sap/table/AGR_DEFINE/
    Two values are configured by default:
    AGR_DEFINE as ACTIVITYGROUP=MANDT:3:IGNORE,AGR_NAME:30:KEY,PARENT_AGR:30
    USGRP as GROUP=MANDT:3:IGNORE,USERGROUP:12:KEY

nonFatalErrorCodes (String, multi-valued, optional, default: empty list)
    Specifies which SAP error codes are considered non-fatal in a user create/update response, for example 025 (company address cannot be selected) or 410 (maintenance of locked user).

baseAccountQuery (String, optional, default: -)
    Simple filter added to all user account queries to limit the accounts read by BAPI_USER_GETLIST. The format is "option,parameter,value", where “option” is an operator in SAP terms. Commas are currently not escaped in “value” and thus are not supported.
    Example: CP,USERNAME,PRE* limits all queries to accounts whose username starts with PRE.

considerGlobalLock (Boolean, optional, default: false)
    Evaluate both the local and the global lock for the user account status, i.e. consider the account’s GLOB_LOCK value as well as LOCAL_LOCK when evaluating whether an account is enabled or disabled.

cuaEnabled (Boolean, optional, default: false)
    Whether SAP CUA is enabled. If true, the main connection properties, such as host and client, must reference the Central CUA System.
    Enabling CUA support has the following consequences:
      • the multi-valued user property SYSTEMS contains the user’s CUA target system names, AKA destination names, for example "S4HCLNT200", "S4HCLNT400"
      • the user role names, exposed in the multi-valued user property ACTIVITYGROUPS.AGR_NAME, are all prefixed by the name of the CUA system on which the role has been assigned, for example “S4HCLNT400:SAP_ASR_EMPLOYEE”
    CUA aspects are detailed in the next sections.
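The descriptor syntax of the tables property is easy to get subtly wrong (a missing KEY column, a column left out of its native position), and such mistakes only surface as misaligned Shadow properties at import time. The following Python example, added here and not part of the SAP Connector's own code, parses the TABLE as ALIAS=COL:SIZE[:KEY|IGNORE] format described above and validates it before it is used. The fixed-width row splitting in row_to_shadow is this example's own assumption, used to illustrate why every column up to the last interesting one must be declared with its size; the real connector may read table rows differently.

```python
"""Parser and validator for the SAP Connector "tables" property descriptor format.

Added example (not the connector's own code). It assumes only the descriptor syntax
documented above: TABLE as ALIAS=COL:SIZE[:KEY|IGNORE],...
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two descriptors the connector configures by default.
DEFAULT_TABLE_DESCRIPTORS = [
    "AGR_DEFINE as ACTIVITYGROUP=MANDT:3:IGNORE,AGR_NAME:30:KEY,PARENT_AGR:30",
    "USGRP as GROUP=MANDT:3:IGNORE,USERGROUP:12:KEY",
]

_HEADER = re.compile(r"^\s*(\w+)\s+as\s+(\w+)\s*=\s*(.+?)\s*$")


@dataclass
class Column:
    name: str
    size: int
    modifier: Optional[str]  # "KEY", "IGNORE" or None


@dataclass
class TableDescriptor:
    table: str
    object_class: str  # the alias, used as ObjectClass in import/provisioning tasks
    columns: List[Column]

    def key_column(self) -> str:
        return next(c.name for c in self.columns if c.modifier == "KEY")

    def shadow_properties(self) -> List[str]:
        # IGNORE columns are skipped; every other column becomes a Shadow property.
        return [c.name for c in self.columns if c.modifier != "IGNORE"]


def parse_table_descriptor(text: str) -> TableDescriptor:
    """Parse one "tables" value, rejecting malformed or ambiguous descriptors."""
    match = _HEADER.match(text)
    if not match:
        raise ValueError(f"descriptor must look like 'TABLE as ALIAS=COLS': {text!r}")
    table, alias, column_specs = match.groups()
    columns: List[Column] = []
    for spec in column_specs.split(","):
        parts = spec.strip().split(":")
        if len(parts) not in (2, 3) or not parts[1].isdigit() or int(parts[1]) <= 0:
            raise ValueError(f"column spec must be NAME:SIZE[:KEY|IGNORE]: {spec!r}")
        modifier = parts[2].upper() if len(parts) == 3 else None
        if modifier not in (None, "KEY", "IGNORE"):
            raise ValueError(f"unknown column modifier {modifier!r} in {spec!r}")
        columns.append(Column(parts[0], int(parts[1]), modifier))
    if sum(1 for c in columns if c.modifier == "KEY") != 1:
        raise ValueError("exactly one column must be marked KEY (it becomes __objectId__)")
    return TableDescriptor(table, alias, columns)


def row_to_shadow(descriptor: TableDescriptor, row: str) -> Dict[str, str]:
    """Split a fixed-width row into Shadow properties (illustrative assumption).

    Each column's offset is the sum of the preceding sizes, so an ignored column
    still has to be declared at its native position: dropping MANDT from the
    descriptor would shift every later field by 3 characters.
    """
    shadow: Dict[str, str] = {}
    offset = 0
    for column in descriptor.columns:
        value = row[offset:offset + column.size].rstrip()
        offset += column.size
        if column.modifier == "IGNORE":
            continue
        shadow[column.name] = value
        if column.modifier == "KEY":
            shadow["__objectId__"] = value
    return shadow


# Constructed sample AGR_DEFINE row: MANDT "100", AGR_NAME padded to 30 characters,
# PARENT_AGR empty (30 blanks).
SAMPLE_AGR_DEFINE_ROW = "100" + "SAP_ASR_EMPLOYEE".ljust(30) + "".ljust(30)

if __name__ == "__main__":
    for text in DEFAULT_TABLE_DESCRIPTORS:
        d = parse_table_descriptor(text)
        print(d.object_class, "key =", d.key_column(), "shadow =", d.shadow_properties())
    print(row_to_shadow(parse_table_descriptor(DEFAULT_TABLE_DESCRIPTORS[0]), SAMPLE_AGR_DEFINE_ROW))
```

Running the parser over every configured tables value at deployment time catches a descriptor with zero or two KEY columns before the connector is started; the fixed-width walk makes the "native order, even ignored columns" constraint concrete.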

Note about the SAP connection port

The SAP connection port is not configured explicitly, it is derived from configuration parameters:

  • for a direct connection to the SAP application server gateway (the most common case), the port is constructed using systemNumber, as follows: port = 33<systemNumber>. For example, if systemNumber=00, the port is 3300

  • for a load-balanced connection via Message Server, the port may be directly specified with the messageServer property. Otherwise, it is constructed using systemNumber, as follows: port = 36<systemNumber>
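The rules spread across the property table and the port note above combine into a small resolution step: which port the connector will actually open, and which destination name it will use. The Python function below, added here and not part of the SAP Connector's own code, implements exactly those documented rules (port 33<systemNumber> for a gateway connection, messageServer or 36<systemNumber> for a load-balanced one, the non-CUA default destination name systemId+systemNumber+client+user, and destinationName being mandatory when cuaEnabled is true). The digit-count checks on client and systemNumber are this example's own reading of the table, not connector behaviour; hostnames and the user name in the sample configuration are placeholders.

```python
"""Resolve the effective SAP endpoint from SAP Connector properties.

Added example, not the connector's own code. Encodes the rules stated in the
property table and the port note; the input validation is an assumption made here.
"""
from typing import Dict, Optional


def _flag(props: Dict[str, str], name: str) -> bool:
    return props.get(name, "false").strip().lower() == "true"


def _required(props: Dict[str, str], name: str) -> str:
    value = props.get(name, "").strip()
    if not value:
        raise ValueError(f"connector property '{name}' is mandatory")
    return value


def resolve_connection(props: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Return the mode, host, port and destination name derived from the properties."""
    host = _required(props, "host")
    user = _required(props, "user")
    _required(props, "password")
    system_id = _required(props, "systemId")
    client = _required(props, "client")
    if not (client.isdigit() and len(client) == 3):
        raise ValueError("client must be exactly 3 digits, e.g. 100")

    system_number = props.get("systemNumber", "00").strip()
    if not (system_number.isdigit() and len(system_number) == 2):
        raise ValueError("systemNumber must be exactly 2 digits, e.g. 00")

    if _flag(props, "loadBalancing"):
        mode = "message-server"
        # A port number or symbolic service name such as sapmsABC, when given,
        # replaces the derived 36<systemNumber> message server port.
        port = props.get("messageServer", "").strip() or "36" + system_number
    else:
        mode = "gateway"
        port = "33" + system_number  # direct connection to the application server gateway

    destination = props.get("destinationName", "").strip()
    if _flag(props, "cuaEnabled") and not destination:
        raise ValueError("destinationName must name the Central CUA destination when cuaEnabled=true")
    if not destination:
        # Non-CUA default documented for destinationName.
        destination = f"{system_id}{system_number}{client}{user}"

    return {"mode": mode, "host": host, "port": port, "destinationName": destination}


# Constructed sample configuration (host, user and password are placeholders).
SAMPLE_GATEWAY_PROPS = {
    "host": "sap-app.example.internal",
    "user": "IDM_SVC",
    "password": "<placeholder>",
    "systemId": "S4H",
    "systemNumber": "00",
    "client": "100",
}

if __name__ == "__main__":
    print(resolve_connection(SAMPLE_GATEWAY_PROPS))
    print(resolve_connection({**SAMPLE_GATEWAY_PROPS, "loadBalancing": "true", "messageServer": "sapmsS4H"}))
```

The returned port is the one to allow in firewall rules between the identity management host and the SAP system; checking it this way avoids the common surprise that systemNumber, not an explicit port property, decides it.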

Managing SAP User Roles

Roles are referred to as “activity groups” in SAP parlance.

There are 2 kinds of SAP roles:

  • single roles, containing authorization objects, effectively used to perform access control

  • composite roles, which are containers that group together multiple single roles. Composite roles cannot be nested, i.e. a composite role cannot contain another composite role

Roles are assigned to SAP user accounts. A user role assignment has the following properties:

  • the role name, referred to as AGR_NAME in SAP parlance

  • a “valid from” date, referred to as FROM_DAT, indicating when the role assignment becomes effective

  • a “valid to” date, referred to as TO_DAT, indicating when the role assignment stops being effective

  • how the role was assigned, i.e. directly or indirectly via a composite role

Roles assigned to a user are exposed by the SAP Connector in 3 multi-valued user properties, described below with their access mode and example values:

ACTIVITYGROUPS.AGR_NAME (read/write)
    Contains the simple names of the roles assigned to the SAP user. Other role assignment properties, such as “valid from”, are omitted.
    By default, only direct role assignments are present in this property, unless the SAP Connector is configured with includeIndirectActivityGroups=true, which is not advised.
    When provisioning SAP users, this property can be used to set (write) the user roles. It then overrides all of the user’s roles.
    If this property is used when creating a user, then by default FROM_DAT is set to today and TO_DAT to the year 9999.
    If this property is used when updating a user, the original FROM_DAT and TO_DAT are preserved, unless the SAP Connector is configured with preserveActivityGroupsMetadataOnUpdate=false, which is not advised.
    For the SAP CUA case:
      • for a read operation, all role names are prefixed with the CUA system name (AKA destination name)
      • for a write operation, role names are expected to be prefixed with the CUA system name. If the prefix is omitted, the role is assigned by default on the Central CUA System
    The simplicity of this property (a list of simple strings) makes it a good candidate to drive a basic provisioning of user roles.
    However, it is not possible to specify the role assignment validity dates through this property. To achieve that, see the next property, ACTIVITYGROUPS.
    Values example, non-CUA case, 2 roles are represented:
    SAP_ASR_EMPLOYEE, /SAPAPO/LINE_PLANNER
    CUA case, equivalent roles:
    S4HCLNT200:SAP_ASR_EMPLOYEE, S4HCLNT400:/SAPAPO/LINE_PLANNER

ACTIVITYGROUPS (read/write)
    Lists the direct roles assigned to a user in XML format (indirect roles are also listed if includeIndirectActivityGroups=true, which is not the default).
    Each role is represented by a single one-liner XML document, formatted as follows:
    <?xml version="1.0" encoding="UTF-8"?><item><AGR_NAME>SAP_ASR_EMPLOYEE</AGR_NAME><FROM_DAT>2026-01-06</FROM_DAT><TO_DAT>9999-12-31</TO_DAT></item>
    When creating or updating a SAP user, setting this attribute makes it possible to define the role assignment validity dates.
    Due to a technical limitation of the current SAP Connector version, this format must be strictly respected if ACTIVITYGROUPS is configured as an Application Attribute Mapping; otherwise deltas will always be detected when comparing the SAP state with the IM state. When generating values for this attribute, the order of the XML tags must be the one presented in the examples.
    If both ACTIVITYGROUPS.AGR_NAME and ACTIVITYGROUPS are configured as Application Attribute Mappings, both will be used to write user roles, and the order in which they are applied is unpredictable. To avoid conflicts, only one of them should be configured as an Attribute Mapping.
    Values example, non-CUA case, 2 roles are represented:
    <?xml version="1.0" encoding="UTF-8" standalone="no"?><item><AGR_NAME>SAP_ASR_EMPLOYEE</AGR_NAME><FROM_DAT>2026-01-15</FROM_DAT><TO_DAT>9999-12-31</TO_DAT></item>
    <?xml version="1.0" encoding="UTF-8" standalone="no"?><item><AGR_NAME>/SAPAPO/LINE_PLANNER</AGR_NAME><FROM_DAT>2026-01-13</FROM_DAT><TO_DAT>9999-12-31</TO_DAT></item>
    CUA case, equivalent roles; note the presence of the SUBSYSTEM tag:
    <?xml version="1.0" encoding="UTF-8" standalone="no"?><item><SUBSYSTEM>S4HCLNT200</SUBSYSTEM><AGR_NAME>SAP_ASR_EMPLOYEE</AGR_NAME><FROM_DAT>2026-01-15</FROM_DAT><TO_DAT>9999-12-31</TO_DAT></item>
    <?xml version="1.0" encoding="UTF-8" standalone="no"?><item><SUBSYSTEM>S4HCLNT400</SUBSYSTEM><AGR_NAME>/SAPAPO/LINE_PLANNER</AGR_NAME><FROM_DAT>2026-01-13</FROM_DAT><TO_DAT>9999-12-31</TO_DAT></item>

ALL_ACTIVITYGROUPS (read only)
    This property is set on the user when includeIndirectActivityGroups=false, which is the default.
    It is a read-only property, aimed at displaying in full XML format all of the user’s roles, both direct and indirect. Indirect roles are assigned via composite roles; they can be identified by the presence of the <ORG_FLAG>C</ORG_FLAG> tag (“C” means “Composite”) in the XML role representation.
    Direct roles are characterized by the empty <ORG_FLAG/> tag.
    If a role description has been configured, it is displayed in the <AGR_TEXT> tag.
    When obtaining all of a user’s roles in the ALL_ACTIVITYGROUPS attribute, composite roles are expanded for the Central CUA System only. They are not expanded for other child subsystems. Roles listed for subsystems other than the Central CUA System are thus all direct roles. This is a known limitation that may be alleviated in a future SAP Connector version.
    Values example, non-CUA case. In this example:
      • SAP_ASR_EMPLOYEE is a simple role
      • /SAPAPO/LINE_PLANNER is a composite role, inducing:
        • /SAPAPO/AMO_SUPERUSER,
        • /SAPAPO/MD_SUPERUSER,
        • /SAPAPO/PPS_SUPERUSER,
        • /SAPAPO/CIF_EXPERT
    2 of those roles are represented below (one direct, one indirect):
    <?xml version="1.0" encoding="UTF-8" standalone="no"?><item><SUBSYSTEM>S4HCLNT200</SUBSYSTEM><AGR_NAME>SAP_ASR_EMPLOYEE</AGR_NAME><FROM_DAT>2026-01-15</FROM_DAT><TO_DAT>9999-12-31</TO_DAT><AGR_TEXT>HR Administrative Services: Employee</AGR_TEXT><ORG_FLAG/></item>
    <?xml version="1.0" encoding="UTF-8" standalone="no"?><item><AGR_NAME>/SAPAPO/MD_SUPERUSER</AGR_NAME><FROM_DAT>2026-01-13</FROM_DAT><TO_DAT>9999-12-31</TO_DAT><AGR_TEXT/><ORG_FLAG>C</ORG_FLAG></item>
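Because the ACTIVITYGROUPS format has to be reproduced exactly (tag order included) to avoid spurious deltas, and because ALL_ACTIVITYGROUPS is the only place where direct and composite-induced roles can be told apart, it helps to have one small piece of code that produces and consumes these items. The Python example below is added here and is not the SAP Connector's own code; it assumes only the formats shown above: one <item> document per role, tags in the order SUBSYSTEM (CUA only), AGR_NAME, FROM_DAT, TO_DAT, plus AGR_TEXT and ORG_FLAG in ALL_ACTIVITYGROUPS, and the "SUBSYSTEM:ROLE" prefix convention of ACTIVITYGROUPS.AGR_NAME in a CUA landscape. The sample documents are the ones shown on this page.

```python
"""Build and read the XML role items of ACTIVITYGROUPS / ALL_ACTIVITYGROUPS and
apply the CUA prefix convention of ACTIVITYGROUPS.AGR_NAME.

Added example, not the SAP Connector's own code.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
ITEM_TAG_ORDER = ("SUBSYSTEM", "AGR_NAME", "FROM_DAT", "TO_DAT")


def build_activitygroup_item(agr_name: str, from_dat: str, to_dat: str = "9999-12-31",
                             subsystem: Optional[str] = None) -> str:
    """Serialize one role assignment in the strict tag order the connector expects."""
    values = {"SUBSYSTEM": subsystem, "AGR_NAME": agr_name, "FROM_DAT": from_dat, "TO_DAT": to_dat}
    item = ET.Element("item")
    for tag in ITEM_TAG_ORDER:
        if values[tag] is None:  # SUBSYSTEM is only present in the CUA case
            continue
        ET.SubElement(item, tag).text = values[tag]
    # ElementTree emits no whitespace, which preserves the one-liner layout.
    return XML_DECLARATION + ET.tostring(item, encoding="unicode")


def is_canonical_item(document: str) -> bool:
    """True when the tags appear exactly in ITEM_TAG_ORDER with the three mandatory
    ones present; a reordered document would be reported as a delta on every compare."""
    root = ET.fromstring(document)
    tags = [child.tag for child in root]
    return (root.tag == "item"
            and {"AGR_NAME", "FROM_DAT", "TO_DAT"} <= set(tags)
            and tags == [t for t in ITEM_TAG_ORDER if t in tags])


def parse_role_item(document: str) -> Dict[str, object]:
    """Read one ACTIVITYGROUPS or ALL_ACTIVITYGROUPS item into a plain dict."""
    root = ET.fromstring(document)
    if root.tag != "item":
        raise ValueError(f"expected <item> root, got <{root.tag}>")
    # None if absent, "" for <ORG_FLAG/> (direct role), "C" for composite-induced.
    org_flag = root.findtext("ORG_FLAG")
    return {
        "subsystem": root.findtext("SUBSYSTEM"),
        "agr_name": root.findtext("AGR_NAME"),
        "from_dat": root.findtext("FROM_DAT"),
        "to_dat": root.findtext("TO_DAT"),
        "agr_text": root.findtext("AGR_TEXT") or "",
        "indirect": org_flag == "C",
    }


def direct_role_names(documents: List[str]) -> List[str]:
    """Names of the roles held directly (ORG_FLAG empty), e.g. to reconcile against
    what the IM side intends to provision through ACTIVITYGROUPS."""
    return [str(r["agr_name"]) for r in map(parse_role_item, documents) if not r["indirect"]]


def split_cua_role_name(value: str, central_system: str) -> Tuple[str, str]:
    """ACTIVITYGROUPS.AGR_NAME convention in a CUA landscape: an unprefixed role
    name is assigned on the Central CUA System."""
    subsystem, colon, role = value.partition(":")
    return (subsystem, role) if colon else (central_system, value)


# Sample documents taken from the ALL_ACTIVITYGROUPS example on this page.
SAMPLE_ALL_ACTIVITYGROUPS = [
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?><item><SUBSYSTEM>S4HCLNT200</SUBSYSTEM><AGR_NAME>SAP_ASR_EMPLOYEE</AGR_NAME><FROM_DAT>2026-01-15</FROM_DAT><TO_DAT>9999-12-31</TO_DAT><AGR_TEXT>HR Administrative Services: Employee</AGR_TEXT><ORG_FLAG/></item>',
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?><item><AGR_NAME>/SAPAPO/MD_SUPERUSER</AGR_NAME><FROM_DAT>2026-01-13</FROM_DAT><TO_DAT>9999-12-31</TO_DAT><AGR_TEXT/><ORG_FLAG>C</ORG_FLAG></item>',
]

if __name__ == "__main__":
    print(build_activitygroup_item("SAP_ASR_EMPLOYEE", "2026-01-15"))
    print(build_activitygroup_item("/SAPAPO/LINE_PLANNER", "2026-01-13", subsystem="S4HCLNT400"))
    for doc in SAMPLE_ALL_ACTIVITYGROUPS:
        print(parse_role_item(doc))
    print(direct_role_names(SAMPLE_ALL_ACTIVITYGROUPS))
```

Generating ACTIVITYGROUPS values through build_activitygroup_item rather than by string templating keeps the tag order fixed, and running is_canonical_item over values produced by an attribute mapping is a cheap way to explain a mapping that keeps reporting changes.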

Additional SAP CUA Notes

In a SAP CUA landscape, users are created on target CUA systems, and roles are assigned on target CUA systems.

The CUA Central System must be referenced in the main SAP Connector properties, namely host and client.

Even if a user was not explicitly added to a CUA system via the SYSTEMS attribute, assigning a role on this system is enough to trigger the implicit creation of the user in the system.

For now, the SAP Connector only interacts with the Central CUA System. The Central CUA System distributes users and roles asynchronously to the target subsystems. This means that if a distribution to a target subsystem ends in error, because the remote subsystem is not available, the SAP Connector is not aware of it and wrongly reports the whole provisioning operation as successful. This limitation shall be alleviated in a future SAP Connector version, where each CUA subsystem will be polled in turn to ensure that its distribution was correct. This may have an impact on performance, but data consistency is an essential aspect of IM operations.

By directly querying subsystems, it will also be possible to obtain the full list of roles for a target system, including those assigned indirectly via composite roles. The ALL_ACTIVITYGROUPS user attribute will thus contain the exhaustive list of user roles, and both ACTIVITYGROUPS.AGR_NAME and ACTIVITYGROUPS will reflect the real role assignments, not those presumed correct by the Central CUA System.
