In the SAP HCM connector, we are using SailPoint’s ABAP Integration(SailPoint Add On) to import the data.
During SailPoint add on installation, there is an option to select the SAP column name in the ‘/SAILPOIN/CONF’ table which we need to import from SAP table to IDN.
We have added few SAP columns in the ‘/SAILPOIN/CONF’ table but IDN is still importing the column(attribute) which were not added in ‘/SAILPOIN/CONF’ table.
For example. column “Birth Place” of infotype 0002 is not added but aggregation is still importing this column.
We don’t want to import this column but somehow IDN is still importing it.
Anyone has faced this issue before?
I haven’t implemented this connector, however, from having a quick read through the documentation, it seems to imply that these attributes will always be returned by default.
Have you tried removing the attributes you don’t want from the account schema on IDN connector side?
Earlier with the RFC_READ_TABLE, there was only option to set permissions on SAP tables.
With new SailPoint add on plugin installed on SAP allow us to set the permissions on the columns at more granular level. To do so, during plugin installation, we can add the required columns in “SAILPOIN/CONF” table so that service account only has permissions to import the specified columns.
We have added few columns but still SailPoint is importing the extra attributes as well.
Also, remove schema attribute should work but we are looking for the option to directly set permissions on the columns.
Unfortunately, I don’t have access to a SAP environment to test this locally, however, based on what I’ve read and understood of this connector, it seems like the default attributes on the connector will always be returned. If this is the case, the only way to ignore it is to remove it from the account schema on IDN.
Again, I speak under correction and could be wrong as I am unable to test and validate this with this connector but I believe this is how it would work.
We are working with SailPoint support team.
So far we have below findings:
SAP HCM connector fetches some data by using standard SAP BAPIs and some data using Sailpoint’s Add on.
As connector is pulling additional personal data, there is a connectorAttribute which can be used to exclude personal data. If “disablePersonalData” is set to true in application(backend key), connector will skip aggregation of personal data.
API call:
Sources->Update source(Partial) → {{baseUrl}}/sources/:id
If we disable the personal data flag, it does not pull the first name or last name of users. Additionally, the support engineer recommended not deleting unwanted schema as it may impact connector functionality.
We are planning to use the SAP Build Map rule to filter additional attributes. There are also some custom attributes that need to be imported into the identity now. However, the rule documentation only discusses standard attributes and does not cover custom attributes.
If anyone has written an SAP HCM Build Map rule to import custom attributes, please share rule format.