Synchronize profiles and roles (Duet Enterprise)

Applies to: Duet Enterprise for Microsoft SharePoint and SAP

This article describes how to enable role synchronization for Duet Enterprise for Microsoft SharePoint and SAP. This article assumes the following:

• An SAP administrator has created the SAP-user-to-SAP-role mapping in the SAP system.

• A SharePoint administrator has started the User Profile Synchronization service and has created a Profile synchronization connection to the Active Directory Domain Services (AD DS) service that contains the user accounts that are used by the SharePoint Server farm. For information about how to complete these procedures, see Configure profile synchronization (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkID=202966).

• The SharePoint administrator has synchronized the AD DS service with the SharePoint User Profile Store. Follow the instructions in Start profile synchronization manually (SharePoint Server 2010) (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkID=201163) to synchronize user profile information between AD DS and SharePoint Server 2010.

In this article:

• Activate the thisProduct_2nd_NoVer Claim Provider feature

• Grant permissions to the Metadata Store

• Ensure that the farm administrator has full control permissions

• Provide the SharePoint 2010 Timer service account

• Configure the thisProduct_installer.exe.config file

• Configure Profile Synchronization

• Synchronize SAP profiles with the SharePoint User Profile Store

• Grant an SAP role permissions to a site

Activate the Duet Enterprise Claim Provider feature

To enable the Duet Enterprise Claim Provider feature

1. In the Central Administration Web site, on the Quick Launch, click Central Administration.

2. In the System Settings section, click Manage farm features.

3. In the Duet Enterprise SAP Roles Claims Provider row, click Activate.

   The status column changes to Active. When active, the SAP roles are available in People Picker after the SharePoint Server 2010 user profile store is synchronized with the SAP profile store.

Grant permissions to the Metadata Store

To grant permissions to the Metadata Store

1. In Central Administration, on the Quick Launch, click Application Management.

2. In the Service Applications section, click Manage service applications.

3. In the Name column, click the link for the Business Data Connectivity Service Application.

4. In the Permissions group of the ribbon, click Set Metadata Store Permissions.

5. In the Set Metadata Store Permissions dialog box, in the top box, enter the user account of the administrator who is deploying Duet Enterprise.

   If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), this name is listed in the “Setup user account” row of Table 3 of the worksheet.

6. Click Add.

7. In the Permissions for All Authenticated Users section (bottom section), ensure that the Execute check box is selected.

8. Click OK.

   Note

   If at least one user has not yet been granted the Set Permissions permission on the metadata store, you may receive the following error message “At least one user/group in the Access Control List must have the Set Permissions right to avoid creating a non-manageable object.” To resolve this issue, grant at least one user the Set Permissions permission on the Metadata Store.

Ensure farm administrator has full control permissions and verify name of User Profile Service Application

Use this procedure to ensure that members of the Farm Administrators group have full control permissions to the default User Profile Service and the Business Data Connectivity service application in the SharePoint farm. The farm administrator who will configure profile synchronization, later in this article, must be granted this permission.

To ensure that farm administrator has full control permissions

1. In Central Administration, on the Quick Launch, click Central Administration.

2. In the Application Management section, click Manage service applications.

3. In the Type column, click the row that contains the default User Profile Service Application to select the row.

4. The name of the User Profile Service Application is listed in the Name column. Note the name of this service application because you will need it for a later procedure.

   If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), type this name in the “User Profile Service Application name” row of Table 1 of the worksheet.

5. In the Sharing group of the ribbon, click Permissions.

6. In the Connection Permissions dialog box, ensure that the farm administrator was granted Full Control permissions.

7. Click OK.

8. In the Type column, click the Business Data Connectivity Service Application for the service that you are using for role synchronization.

9. In the Sharing group of the ribbon, click Permissions.

10. In the Connection Permissions dialog box, ensure that the farm administrator was granted the Full Control permission.

Provide the SharePoint 2010 Timer service account

You must provide the SAP administrator with the user account that is assigned to the SharePoint 2010 Timer service, also known as the SPTimerV4 service. The SAP administrator must ensure that this account is mapped to an SAP user who is granted sufficient permissions on the SAP system to query the UserRoles assignments query.

To get the user account for the SharePoint 2010 Timer service

1. Log on to a front-end Web server in the SharePoint Server 2010 farm as a member of the Administrators group.

2. Click Start, point to Administrative Tools, and then click Services.

3. In the Name column, right-click SharePoint 2010 Timer, and then click Properties.

4. In the SharePoint 2010 Timer Properties dialog box, on the Log On tab, note the account name that is listed in the This account text box.

5. Give this account name to the SAP administrator.

   If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), type this account name, in the format domain\account in the “SharePoint 2010 Timer service account” row of Table 1 of the worksheet.

6. Click Cancel to close the SharePoint 2010 Timer Properties dialog box.

Configure the DuetConfig.exe.config file

Perform the following steps to configure the settings in the ProfileSynchronization node of the DuetConfig.exe.config.xml file that are used by role synchronization. These settings are used by the SharePoint timer job that is used to synchronize the SharePoint User Profile store with the SAP profile store.

To configure the DuetConfig.exe.config file

1. Open a Command Prompt window and go to the <drive>:\Program Files\Duet Enterprise\1.0 folder.

   Where:

   <drive> is the drive on which the Duet Enterprise files are stored.

2. At the prompt, type notepad DuetConfig.exe.config and press Enter.

3. In the DuetConfig.exe.config file, add values to the following keys in the ProfileSychronizations node: UserProfileServiceApplicationName, LOBSystemInstanceName, EntityName, EntityNamespace, MethodInstanceName, Batchsize, and MembershipProvider.

   The following sections provide detailed instructions about the values to provide for these keys.

UserProfileServiceApplicationName key

The value of the UserProfileServiceApplicationName must be set to the name of the User Profile Service application that you want to use for profile synchronization with the SAP environment. Note that the default name of this service application is User Profile Service Application. An administrator can change this name or you might have more than one User Profile Service Application.

If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), this name is listed in the “User Profile Service Application name” row of Table 1 of the worksheet.

To specify the value of the UserProfileServiceApplicationName key

• If the name of the User Profile Service Application that you want to use for Duet Enterprise is not the default value as shown in the DuetConfig.exe.config file (User Profile Service Application), change the value of the "UserProfileServiceApplicationName" key to the name of your User Profile Service Application.

LOBSystemInstanceName, EntityName, EntityNamespace, and MethodInstanceName keys

In most cases, the default value of the LOBSystemInstanceName, EntityName, EntityNamespace, and MethodInstanceName keys in the DuetConfig.exe.config file are appropriate because they match the values seen in the UserRoles.xml BDC models that are provided with Duet Enterprise. If the SAP administrator changes the values of these keys in the UserRoles.xml file, you must configure the values in the DuetConfig.exe.config file so that they are identical.

To view the UserRoles.xml file

1. Open a Command Prompt window as administrator and go to the folder that contains the unzipped model files.

   If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), the location of the unzipped model files is listed in the “Unzipped model file location” row of Table 1, of the worksheet.

2. In the Command Prompt window, type notepad UserRoles.xml and press Enter.

Verify and update the key values

1. In the UserRoles.xml file, search for the LOBSystemInstance key.

2. If the value of the Name property is “SAPUsersService”, then go to step 4. Otherwise, go to step 3.

3. Change the value of the LOBSystemInstanceName key in the DuetConfig.exe.config file to match the value of the Name property of the LOBSystemInstance key from the UserRoles.xml file.

4. In the UserRoles.xml file, search for the Entity key. If the value of the Name property is SAPUsers, go to step 6. Otherwise, go to step 5.

5. Change the value of the EntityName key in the DuetConfig.exe.config file to match the value of the Name property of the Entity node in UserRoles.xml.

6. In the UserRoles.xml file, for the Entity key, if the value of the Namespace property of the Entity key is “SAP.Office.DuetEnterprise.Roles”, then go to step 8. Otherwise, go to step 7.

7. Change the value of the EntityName key in DuetConfig.exe.config to match.

8. In the UserRoles.xml file, search for MethodInstanceName. If the value of MethodInstanceName is “employeeGetAll”, go to step 9. Otherwise, change the value of the MethodInstanceName key in the DuetConfig.exe.config file to match the value of the MethodInstanceName property in UserRoles.xml.

9. Close the UserRoles.xml file.

Batchsize key

You can use the Batchsize parameter to specify the maximum number of user accounts that can be synchronized in a single network call. The default value is 100. Changing this value to a larger number might improve role synchronization performance. However, you will have to experiment to determine the value that works best for your deployment.

MembershipProvider key

This key is not used. It is provided for future support. We recommend that you accept the default value of this key, which is “membership”.

Configure profile synchronization

This procedure creates the Business Connectivity Services connection between the SharePoint and SAP systems and updates the settings for the Profile Synchronization job definition that you will use in a later procedure to synchronize the SharePoint and SAP profile stores.

To configure profile synchronization

1. Open a Command Prompt window and go to the “<drive>:\Program Files\Duet Enterprise\1.0” folder.

   Where <drive> is the drive on which the Duet Enterprise files are stored.

2. At the prompt type DuetConfig.exe /configureprofileSync and then press Enter.

   When profile synchronization is configured, the “The settings for the specified Profile Sychronizations Job were updated successfully” message appears.

Synchronize SAP profiles with the SharePoint User Profile Store

Before you start this procedure, do the following:

• Ensure that the SAP administrator has configured SAML to create an endpoint.

  If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), the value of the “SAML is configured (Yes/No)” row of Table 2 of the worksheet will be Yes if this is configured.

• Ensure that the “Synchronize roles to consumers” job has finished running on the SAP system.

  The SAP administrator must run the “Synchronize roles to consumers” job periodically to synchronize the user roles on the SAP system to the profile store on the server running SAP NetWeaver. We recommend that you do not synchronize the SAP user profile store with the SharePoint User Profile Store until the SAP administrator has completed the synchronization job. Otherwise, the synchronization job between the SAP profile store and the SharePoint User Profile Store can take much longer to complete. Note that the “Synchronize roles to consumers” job takes approximately 80 minutes to synchronize 100,000 users, while synchronizing the profile store in SAP NetWeaver to the SharePoint User Profile Store takes approximately 100 minutes to synchronize 100,000 users. If you plan to schedule these synchronization jobs, we recommend that you run them manually first to determine how much time each takes, on average, to run on your systems.

To synchronize profiles

1. In Central Administration, on the Quick Launch, click Monitoring.

2. On the Monitoring page, in the Timer Jobs section, click Review job definitions.

3. On the Job Definitions page, in the Title column, click the Duet Enterprise Profile Synchronization for <User profile service application name> link.

   Where <User profile service application name> is the name of the User Profile Service Application that you are using for role synchronization.

   Tip

   By default, the name of this link is Duet Enterprise Profile Synchronization for User Profile Service Application.

   If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), this name is listed in the “BDC service name” row of Table 1.

4. On the Edit Timer Job page, click Run Now.

   Note

   This timer job is scheduled to run one time per day but you can configure it to run less often if it causes a performance problem.

   For more information about SharePoint timer jobs, see View timer job status (SharePoint Server 2010) (https://go.microsoft.com/fwlink/?LinkId=204641).

Grant an SAP role permissions to a site

After the SAP user profile store is synchronized with the SharePoint User Profile Store, you can perform this procedure to grant users permissions to a site based on their SAP roles. Note that only sites that are in a Web application that uses claims based authentication are supported.

To grant an SAP role permissions to a site

1. In a browser, go to the site for which you want to enable SAP roles.

2. On the Site Actions menu, click Site Permissions.

3. In the Grant group of the ribbon, click Grant Permissions.

4. In the Grant Permissions dialog box, in the Select Users section, click Browse.

   Tip

   Browse is represented by an icon that resembles a book.

5. In the Find box, type part of the SAP role name that you want to find and then click Search.

6. Select the SAP role name, click Add, and then click OK.

7. In the Grant Permissions dialog box, in the Grant Permissions section, select the group to which you want to add the user and then click OK.