Account tracking is the ability to track each user’s accounts and identities in your system. This solution tracks the user accounts in your SAP system.
Complete the following sections to enable account tracking for your SAP system. The items in the prerequisites section must be completed before the other section.
After the sections are complete, you can track the accounts through Sentinel reports included in the Sentinel Solution Pack for SAP or in the identity browser in Sentinel.
The steps for the solution assume the following:
All of the procedures in Section 6.1, Enabling Auditing are complete.
You have installed and configured the Sentinel driver and the Identity Vault Collector. For more information, see Checklist for Enabling Account Tracking in the Identity Manager 3.6.1 Driver for Sentinel 6.1 and the Identity Vault Collector Implementation Guide.
Complete the following tasks to enable Account Tracking for each SAP Portal and SAP User Management driver you have installed and configured in your environment. The SAP HR driver and the SAP Business Logic drivers are not enabled for Account Tracking.
Access the Account Tracking GCV on the SAP driver:
In Designer: Right-click the driver icon, then select .
In iManager: Edit the driver properties, then click the tab.
Set the > option to .
Use the following information to enable account tracking:
Enable account tracking: Select to enable the policies in the driver to use the DirXML-Accounts attribute.
Realm: Specify the name of your realm, security domain, or namespace where the account name is unique.
Object Class: Specify the object classes to track with account tracking. The class name must be in the application namespace.
Identifiers: Each driver has a different account identifier attribute. By default, the attributes are prepopulated for each driver.
SAP User Management: association, USERNAME:BAPIBNAME
SAP Portal: association, logonname
Status attribute: Specify the name of the attribute in the application namespace that represents the account status. By default the attributes are:
SAP User Management: LOCKUSER
SAP Portal: isLocked
Status active attribute: The value of the status attribute that represents an active state. By default, the value is .
Status inactive attribute: The value of the status attribute that represents an inactive state. By default, the value is .
Subscription default status: The default status the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault. By default, the status is .
Publication default status: The default status the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application. By default, the status is .
Click to save the changes.
If the driver is running, it must be restarted for the changes to take effect.
Repeat Step 1 through Step 4 for each SAP driver in your environment.