Creating a new user in SAP requires a password. If one is not supplied during creation, the creation process will most likely fail. This requirement extends to the ERP MA and thus a password needs to supplied for create operations. For this purpose it's recommended that you follow the three steps outlined below

The steps below shows how to

  1. Configure user add operations to use a temporary password during object creation.

  2. Configure a password-set operations in your configuration.

Passwords are normally write-only data meaning once written then cannot be read back and therefore cannot be imported. Because of this, they cannot be treated as normal attributes. Attempts to use them is this manner is both insecure and will result in an “export-entry-not-reimported” error.

Configuring the use of temporary password

To create users in SAP using the ERP MA, you must supply a temporary password. The recommended strategy is to flow a temporary password to SAP (details steps below) during creation. You do this by configuring the password parameter/field on the BAPI to reference the pre-defined alias 'ma.runtimeGeneratedPassword' Doing this will cause a new password to be generated and passed to the receiving BAPI, every time the corresponding operation is run.

You can control the temporary password that gets generated by editing the server settings in ERPConfig Tool. Click File > Server Settings > Password Generation (tab) and adjust the rules used for generating password.

The following steps show how to configure user/add operation to use a temporary password.

  • Start the ERP Configuration Tool.

  • Open your MA configuration file.

  • Edit operation ‘user > add’.

  • Edit function ‘BAPI_USER_CREATE’ and set it to reference the alias 'PASSWORD.BAPIPWD'.

  • Set a Reference to alias ‘ma.runtimeGeneratedPassword’.

  • Save.

Example: The resulting add section of your configuration should look similar to this:

  Copy Code
<operation name="add">
	<functionRef name="BAPI_USER_CREATE">
		<param name="PASSWORD.BAPIPWD" aliasRef="ma.runtimeGeneratedPassword" />

Configuring password set support

When the 'add' operation is run, FIM calls the corresponding ‘add’ section of your configuration file. Immediately after, FIM will call the ‘SetPassword’ section of your configuration in order to securely set the user’s password. Therefore, you'll need to make sure your MA is configured to support password sets.