
Tivoli Security Management for SAP solutions can be categorized into Identity Management (User Management), Access Management (Single Sign-On) and Privacy Management. These disciplines mostly rely on a directory server infrastructure, which can be IBM Tivoli Directory Server (ITDS). Tivoli Directory Integrator completes this environment by integrating and synchronising multiple data repositories. Tivoli Identity Manager and Tivoli Access Manager are SAP certified. ITDS certification will be finalized soon.

Most of the security scenarios used in enterprises can be integrated with standard out-of-the-box Tivoli functionality. For user management, Tivoli Identity Manager and Tivoli Directory Integrator provide more than 70 connectors and adapters that integrate third-party components, so that users and roles can be managed from a central instance. Applications can be connected for authentication and single sign-on using the WebSEAL or Web Plug-in components of Tivoli Access Manager.

This week we will focus on Identity Management using the IBM Tivoli Identity Manager (ITIM) 4.5 Agent for SAP R/3.

The ITIM Agent for SAP R/3 uses the RFC SDK to connect to SAP as an RFC client. The agent maps and responds to ITIM server requests for the purpose of managing users in SAP R/3.

This functionality works in both cases, CUA and non-CUA. The only difference is that a flag must be set to tell the agent whether CUA is present.

The agent management functions include user creation, deletion, modification, and listing. In support of this, the agent is able to read and assign users to SAP authorization roles, profiles, and groups.

The IBM Tivoli Identity Manager is certified for SAP NetWeaver, on the component BC-SEC-USR. The following certified functions can be used with SAP R/3 Enterprise 4.7, with or without Central User Administration (CUA), based on SAP Web Application Server 6.20.

* Reconcile users and/or support data

* Create, change and delete users

* Lock and unlock users

* Activity group assignment for CUA and non-CUA

* Profile assignment for CUA and non-CUA

* CUA subsystem assignment

More information at

More on ITIM at
