Configure the RoleSync solution in Duet Enterprise for SharePoint and SAP Server 2.0


Applies to: Duet Enterprise for Microsoft SharePoint and SAP Server 2.0

Summary: Learn how to configure role synchronization (RoleSync) for Duet Enterprise 2.0.

The Role Synchronization (RoleSync) solution provided with Duet Enterprise for Microsoft SharePoint and SAP Server 2.0 enables SharePoint administrators to synchronize the SAP roles property that is stored in the SAP profile store with SharePoint user profiles. After role synchronization is performed, users can use SharePoint People Picker to grant permissions on any securable object in SharePoint, such as sites, lists, and files. It also enhances the Reporting solution, because reports can be shared only by using SAP roles, and users can subscribe to shared reports.

This article assumes the following:

  • An SAP administrator has created the SAP-user-to-SAP-role mapping in the SAP system.

  • A SharePoint administrator has started the User Profile Service application and has created a Profile synchronization connection to the Active Directory Domain Services (AD DS) service that contains the user accounts that are used by the SharePoint Server farm. For information about how to complete these procedures, see Synchronize user and group profiles in SharePoint Server 2013.

  • The SharePoint administrator has synchronized the AD DS service with the SharePoint user profile store. For more information, see Manage user profile synchronization in SharePoint Server 2013.

    Note

    The SharePoint user profiles to which you want to synchronize SAP roles must already exist before you perform role synchronization. SAP roles will only be synchronized with SharePoint user profiles that already exist. You can create these user profiles in the SharePoint user profile store manually but the recommended way for them to be created is to perform profile synchronization with AD DS.

In this article:

  • Before you begin

  • Activate the Duet Enterprise Claim Provider feature

  • Identify the SharePoint Timer Service account

  • Grant permissions to the Metadata Store

  • Ensure that the farm administrator has full control permissions

  • Provide the SharePoint Timer service account

  • Synchronize SAP profiles with the SharePoint User Profile Store

  • Verification step

  • Grant an SAP role permissions to a site

Before you begin

Before you configure role synchronization, the SAP administrator must have completed the following:

The SharePoint administrator must have completed the following:

Activate the Duet Enterprise Claim Provider feature

Note

You must be a member of the Farm Administrators group to complete this procedure.

To enable the Duet Enterprise Claim Provider feature

  1. On the SharePoint Central Administration website, on the Quick Launch, click Central Administration.

  2. In the System Settings section, click Manage farm features.

  3. In the Duet Enterprise SAP Roles Claims Provider row, click Activate.

    The status column changes to Active. When active, the SAP roles are available in People Picker after the SharePoint Server 2013 user profile store is synchronized with the SAP profile store.
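The same activation can be done and verified from the SharePoint 2013 Management Shell. The script below is an added example, not part of the original article or of the Duet Enterprise product; it assumes that the feature's localized title contains "SAP Roles Claims Provider" (the title shown in the Manage farm features list) and that it is a farm-scoped feature, which is why Enable-SPFeature is called without a -Url.

```powershell
# Added example (not from the Duet Enterprise documentation): activate the Duet Enterprise
# SAP Roles Claims Provider farm feature and confirm that it is active.
# Run in the SharePoint 2013 Management Shell as a member of the Farm Administrators group.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$culture = [System.Globalization.CultureInfo]::CurrentUICulture

# Feature definitions expose their internal folder name as DisplayName; the text shown in
# Central Administration is the localized title, so match on GetTitle() instead (assumption:
# the title contains "SAP Roles Claims Provider", as in the Manage farm features page).
$definition = Get-SPFeature | Where-Object {
    $_.Scope -eq "Farm" -and $_.GetTitle($culture) -like "*SAP Roles Claims Provider*"
} | Select-Object -First 1

if (-not $definition) {
    throw "Duet Enterprise SAP Roles Claims Provider feature is not installed in this farm"
}

# Get-SPFeature -Farm lists only the farm features that are currently enabled.
$alreadyActive = Get-SPFeature -Farm | Where-Object { $_.Id -eq $definition.Id }
if ($alreadyActive) {
    Write-Host "Feature '$($definition.GetTitle($culture))' is already active"
} else {
    # Farm-scoped feature: no -Url parameter is needed.
    Enable-SPFeature -Identity $definition.Id
    Write-Host "Activated feature '$($definition.GetTitle($culture))'"
}

# Verification: the feature must now appear in the enabled farm feature list.
if (-not (Get-SPFeature -Farm | Where-Object { $_.Id -eq $definition.Id })) {
    throw "Feature activation did not take effect; check the ULS log on this server"
}
```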

Identify the SharePoint Timer Service Account

To perform the next three procedures, you must first know what user account is assigned to the SharePoint Timer Service.

Note

You must be a member of the Windows Administrator group to complete this procedure.

To identify the SharePoint Timer Service account

  1. Log on to a server in the SharePoint farm as a Windows Administrator.

  2. Click Start and then click Run.

  3. In the Run dialog box, in the Open box, enter services.msc and then click OK.

  4. In the Services window, in the Name column, double-click SharePoint Timer Service.

  5. Click the Log On tab.

  6. Record the account name shown in the This account box.

Grant permissions to the Metadata Store

Note

You must be a member of the Farm Administrators group to complete this procedure.

To grant permissions to the Metadata Store

  1. In Central Administration, on the Quick Launch, click Application Management.

  2. In the Service Applications section, click Manage service applications.

  3. In the Name column, click the link for the Business Data Connectivity Service Application.

  4. In the Permissions group of the ribbon, click Set Metadata Store Permissions.

  5. In the Set Metadata Store Permissions dialog box, in the top box, enter the user account that the timer job is running on.

  6. Click Add.

  7. In the <user account> section (bottom section), ensure that the Execute check box is selected.

    Where <user account> is the name of the account you added in steps 1 through 6.

  8. Click OK.

    Note

    If at least one user has not yet been granted the Set Permissions permission on the Metadata Store, you might receive the following error message: "At least one user/group in the Access Control List must have the Set Permissions right to avoid creating a non-manageable object." To resolve this issue, grant at least one user the Set Permissions permission on the Metadata Store.
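The two preceding procedures (identifying the SharePoint Timer Service account, and granting that account Execute on the Metadata Store) can be combined in one script. The script below is an added example, not part of the original article or of the Duet Enterprise product. It assumes a placeholder site URL for -ServiceContext (any site served by the farm will do), and it reads the timer account twice, from the farm object and from the Windows service, so that a mismatch is caught before any permission is granted.

```powershell
# Added example (not from the Duet Enterprise documentation): identify the SharePoint Timer
# service (SPTimerV4) account and grant it Execute on the BDC Metadata Store.
# Run in the SharePoint 2013 Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. The account the timer service runs as, according to the farm configuration ...
$timerAccount = (Get-SPFarm).TimerService.ProcessIdentity.Username

# ... cross-checked against the Windows service itself, which is what services.msc shows
# on the Log On tab. The two should agree; a mismatch usually means the service logon was
# changed outside SharePoint, and is worth resolving before granting any rights.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='SPTimerV4'").StartName
if ($timerAccount -ne $svcAccount) {
    Write-Warning "Farm reports '$timerAccount' but the SPTimerV4 service logs on as '$svcAccount'"
}
Write-Host "SharePoint Timer service account: $timerAccount"

# 2. Locate the Metadata Store (the BDC catalog). -ServiceContext is any site URL served
#    by the farm; the value below is a placeholder.
$catalog = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog `
    -ServiceContext "http://sharepoint.example.local"

# 3. Metadata Store permissions are expressed as claims, so wrap the Windows account in a
#    claims principal, then grant Execute only (the right the procedure above asks for).
$principal = New-SPClaimsPrincipal -Identity $timerAccount -IdentityType WindowsSamAccountName
Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $principal -Right Execute

# 4. Avoid the "non-manageable object" error described in the note above: at least one
#    principal must hold SetPermissions on the store. Grant it to the farm administrator
#    running this script, so the store keeps a manageable owner.
$admin = New-SPClaimsPrincipal -Identity "$env:USERDOMAIN\$env:USERNAME" -IdentityType WindowsSamAccountName
Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $admin -Right SetPermissions

Write-Host "Granted Execute on the Metadata Store to $timerAccount"
```

The SetPermissions grant is deliberately limited to the administrator account, not the timer account: the timer service only needs to execute the BDC models, and keeping the ability to change permissions with an administrative identity follows the least-privilege split the procedure above implies.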

Ensure the Timer account has full control and verify name of User Profile service application

Use this procedure to ensure that the account assigned to the SharePoint Timer service has full control permissions to the default User Profile service application and the Business Data Connectivity service application in the SharePoint farm. The farm administrator who will configure profile synchronization, later in this article, must be granted this permission.

Tip

SharePoint Server 2013 supports multiple User Profile service applications. However, Duet Enterprise role synchronization works only with the default User Profile service application.

Note

You must be a member of the Farm Administrators group or an administrator of the User Profile service application to complete this procedure.

To ensure that Timer account has full control

  1. In Central Administration, on the Quick Launch, click Central Administration.

  2. In the Application Management section, click Manage service applications.

  3. In the Type column, click the row that contains the default User Profile Service Application to select the row.

  4. The name of the User Profile service application is listed in the Name column. Note the name of this service application because you will need it for a later procedure.

  5. In the Sharing group of the ribbon, click Permissions.

  6. In the Connection Permissions dialog box, ensure that the account used for the SharePoint Timer service is granted Full Control permissions.

  7. Click OK.
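The permission check above can be scripted and re-run during verification. The script below is an added example, not part of the original article or of the Duet Enterprise product; it selects the first User Profile service application in the farm as the default one (an assumption that holds when there is only one) and works on the connection permissions, which are what the Permissions button in the Sharing group of the ribbon edits, as opposed to the administrators list.

```powershell
# Added example (not from the Duet Enterprise documentation): record the name of the default
# User Profile service application and ensure the SharePoint Timer service account holds
# Full Control on its connection permissions. Run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$timerAccount = (Get-SPFarm).TimerService.ProcessIdentity.Username

# SharePoint 2013 allows several User Profile service applications, but Duet Enterprise role
# synchronization uses only the default one. Assumption: the first application of that type
# is the default. Keep the name; the synchronization timer job title is built from it.
$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq "User Profile Service Application" } |
    Select-Object -First 1
if (-not $upa) { throw "No User Profile service application found in this farm" }
Write-Host "User Profile service application name: $($upa.DisplayName)"

# Connection permissions, not administrators (that would be Get-SPServiceApplicationSecurity -Admin).
$security  = Get-SPServiceApplicationSecurity -Identity $upa
$principal = New-SPClaimsPrincipal -Identity $timerAccount -IdentityType WindowsSamAccountName

# Grant-SPObjectSecurity updates the in-memory ACL; nothing is saved until
# Set-SPServiceApplicationSecurity writes it back, so both calls are required.
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Set-SPServiceApplicationSecurity -Identity $upa -ObjectSecurity $security

# Verification: re-read the ACL and list who holds which rights.
Get-SPServiceApplicationSecurity -Identity $upa |
    Select-Object -ExpandProperty AccessRules |
    Format-Table Name, AllowedRights -AutoSize
```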

Provide the SharePoint Timer service account

You must provide the SAP administrator with the user account that is assigned to the SharePoint Timer service, also known as the SPTimerV4 service. The SAP administrator must ensure that this account is mapped to an SAP user who is granted sufficient permissions on the SAP system to run the UserRoles assignments query.

Note

You must be a member of the Windows Administrators group to complete this procedure.

To get the user account for the SharePoint Timer service

  1. Log on to a front-end web server in the SharePoint Server 2013 farm as a member of the Administrators group.

  2. Click Start, point to Administrative Tools, and then click Services.

  3. In the Name column, right-click SharePoint Timer, and then click Properties.

  4. In the SharePoint Timer Service Properties dialog box, on the Log On tab, note the account name that is listed in the This account text box.

  5. Give this account name to the SAP administrator.

  6. Click Cancel to close the SharePoint Timer Service Properties dialog box.

Synchronize SAP roles with the SharePoint user profile store

Note

You must be a member of the Farm Administrators group to complete this procedure.

Before you start this procedure, do the following:

  • Ensure that the SAP administrator has configured an OData endpoint.

  • Ask the SAP administrator to ensure that the "Synchronize roles to consumers" job has finished running on the SAP system.

    The SAP administrator must run the "Synchronize roles to consumers" job periodically to synchronize the user roles on the SAP system with the SAP profile store on the server that is running SAP NetWeaver. We recommend that you do not synchronize the SAP user profile store with the SharePoint user profile store until the SAP administrator has completed the synchronization job. Otherwise, the synchronization job between the SAP profile store and the SharePoint user profile store can take much longer to complete. Note that the "Synchronize roles to consumers" job takes approximately 80 minutes to synchronize 100,000 users, while synchronizing the profile store in SAP NetWeaver to the SharePoint user profile store takes approximately 100 minutes to synchronize 100,000 users. If you plan to schedule these synchronization jobs, we recommend that you run them manually first to determine how much time each takes, on average, to run on your systems.

To synchronize profiles

  1. In Central Administration, on the Quick Launch, click Monitoring.

  2. On the Monitoring page, in the Timer Jobs section, click Review job definitions.

  3. On the Job Definitions page, in the Title column, click the Duet Enterprise Profile Synchronization for <User Profile service application name> link.

    Where <User Profile service application name> is the name of the User Profile service application that you are using for role synchronization.

    Tip

    If you have only one User Profile service application, by default this name is Duet Enterprise Profile Synchronization for User Profile Service Application.

  4. On the Edit Timer Job page, click Run Now.

    Note

    This timer job is scheduled to run one time per day but you can configure it to run less often if it causes a performance problem.

    For more information about SharePoint timer jobs, see View timer job status in SharePoint 2013.
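The Run Now step, and the follow-up of waiting for the job to finish, can also be done from the Management Shell. The script below is an added example, not part of the original article or of the Duet Enterprise product. The internal name of the timer job is not given on this page, so the script matches the job on its display title exactly as it appears in the Title column; the User Profile service application name is the default shown in the tip above and should be replaced with the name you noted earlier.

```powershell
# Added example (not from the Duet Enterprise documentation): find the Duet Enterprise profile
# synchronization timer job, start it (equivalent to Run Now), and wait for it to complete.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upaName = "User Profile Service Application"   # replace with the name noted earlier
$title   = "Duet Enterprise Profile Synchronization for $upaName"

# Match on the display title, since the job's internal name is not documented here.
$job = Get-SPTimerJob | Where-Object { $_.DisplayName -eq $title } | Select-Object -First 1
if (-not $job) { throw "Timer job '$title' not found; is the Duet Enterprise solution deployed?" }

Write-Host "Schedule : $($job.Schedule)"        # once per day by default, per the note above
Write-Host "Last run : $($job.LastRunTime)"

$before = $job.LastRunTime
Start-SPTimerJob -Identity $job                  # same effect as Run Now on the Edit Timer Job page

# The job runs asynchronously in the timer service. Poll LastRunTime rather than assuming
# completion: on a large SAP user base (the text quotes roughly 100 minutes per 100,000 users)
# the run can take well over an hour, so the deadline is generous.
$deadline = (Get-Date).AddHours(3)
do {
    Start-Sleep -Seconds 60
    $job = Get-SPTimerJob -Identity $job.Id
} while ($job.LastRunTime -eq $before -and (Get-Date) -lt $deadline)

if ($job.LastRunTime -eq $before) {
    Write-Warning "Job has not finished within 3 hours; check its history in Central Administration"
} else {
    Write-Host "Job completed at $($job.LastRunTime)"
}

# To run less often than daily, as the note above allows, assign a weekly window, for example
# (adjust the window to your own maintenance period):
# Set-SPTimerJob -Identity $job -Schedule "weekly between Sat 01:00:00 and Sat 03:00:00"
```

Record the measured duration from the first manual run; the text recommends exactly that before scheduling the job, and the elapsed time between the two LastRunTime values gives it directly.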

Verification step

After role synchronization is complete, the SAP Roles property appears at the bottom of each SharePoint user profile page and displays the SAP roles that are assigned to that user. These SAP roles will also be available in People Picker when granting permissions to securable objects, such as sites, lists, and files. SAP roles will also be available when you run shared reports if you have configured the Reporting solution.
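For verification across many users, the SAP Roles property can be read from the profile store directly rather than opening each profile page. The script below is an added example, not part of the original article or of the Duet Enterprise product. It assumes a placeholder site URL and user account, locates the property by its display name "SAP Roles" (the label shown on the profile page; the internal property name is not given on this page), and treats the property as multi-valued, which is an assumption.

```powershell
# Added example (not from the Duet Enterprise documentation): read the SAP Roles property of a
# synchronized SharePoint user profile to confirm that role synchronization populated it.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName "Microsoft.Office.Server.UserProfiles, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"

$siteUrl = "http://sharepoint.example.local"    # placeholder: a site in a web app tied to the default UPA
$account = "CONTOSO\jdoe"                       # placeholder user account

$ctx = Get-SPServiceContext -Site (Get-SPSite $siteUrl)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# Roles are only synchronized into profiles that already exist (see the note at the top of
# the article), so a missing profile is reported as such rather than as "no roles".
if (-not $upm.UserExists($account)) {
    throw "No SharePoint profile exists for $account; run AD DS profile synchronization first"
}
$profile = $upm.GetUserProfile($account)

# Assumption: the property is identified by its display name "SAP Roles".
$prop = $upm.Properties | Where-Object { $_.DisplayName -eq "SAP Roles" } | Select-Object -First 1
if (-not $prop) {
    throw "No 'SAP Roles' profile property found; activate the claim provider feature and run the Duet synchronization job first"
}

# Assumption: multi-valued property, so enumerate every value rather than reading .Value alone.
$roles = @()
foreach ($value in $profile[$prop.Name]) { $roles += [string]$value }

if ($roles.Count -eq 0) {
    Write-Warning "$account has no SAP roles yet; confirm the SAP 'Synchronize roles to consumers' job has completed"
} else {
    $roles | ForEach-Object { Write-Host "$account -> $_" }
}
```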

Grant an SAP role permissions to a site

After the SAP user profile store is synchronized with the SharePoint user profile store, you can perform this procedure to grant users permissions to a site based on their SAP roles. Note that only sites that are in a web application that uses claims-based authentication and that are associated with the User Profile service application that you used to configure role synchronization are supported.

Tip

Before you can use SAP roles to set permissions on a site, the site collection must already exist and SAP roles must have already been synchronized to the SharePoint user profile store. After you have granted an SAP role permissions to a site, the site collection must not be renamed or deleted.

Note

You must be a Site Owner to perform this procedure.

To grant an SAP role permissions to a site

  1. In a browser, go to the site for which you want to enable SAP roles.

  2. Click the Settings icon, and then click Site Settings.

    Tip

    The Settings icon resembles a gear.

  3. Under Users and Permissions, click Site Permissions.

  4. In the Grant group of the ribbon, click Grant Permissions.

  5. In the Grant Permissions dialog box, do the following:

    1. Click SHOW OPTIONS.

    2. Under Select a group or permission level, select the group or permission level to which you want to assign the SAP role.

    3. In the top box, type part of the SAP role’s name.

      Tip

      A drop-down list appears with all available SAP roles.

  6. Either finish typing the name of the SAP role or select it from the drop-down list, and then click Share.

See also

Install and configure Duet Enterprise for SharePoint and SAP Server 2.0