SAP S/4HANA

Description

The SAP S/4HANA connector uses the OData REST API over HTTPS to discover SAP user accounts, roles, and authorization profiles within an SAP S/4HANA system. It authenticates using Basic authentication and queries the SAP Gateway services to enumerate business users and their assigned SAP roles and authorization objects, providing visibility into ERP application access.

System Type Classification

Field	Value
System Type	Application
Default Scan Priority	500

Version Support

OrbisID Edition	Supported
Community	No
Pro	Yes
Enterprise	Yes

Supported Protocol

Protocol	Port	Notes
OData REST API (HTTPS)	443 TCP	HTTP Basic authentication

What OrbisID Discovers

Data	Source
Business users	`GET /sap/opu/odata/sap/API_BUSINESS_USER`
User roles	Role assignments via `BusinessUserRole` navigation
User enabled state	`IsLocked` flag
System access	`IsAccessToSystemAllowed`
Authorization profiles	Derived from role-to-profile mappings

Connection Requirements

Required Permissions

Create a dedicated SAP dialog or technical user with display access to user management objects.

Minimum permissions:

Authorization object S_USER_GRP with activity 03 (Display) for all user groups
Authorization object S_USER_USR with activity 03 for user display

Credential Mapping

OrbisID Field	Value
`credential.username`	SAP username (e.g., `ORBISID_SCANNER`)
`credential.password`	SAP password
`system.hostname`	SAP application server hostname
`system.clientId`	SAP client number (e.g., `100`)

Network Requirements

The OrbisID server must have HTTPS access to the SAP application server on port 443.

Configuration Steps

Create a technical user in SAP transaction SU01 with appropriate authorizations
Assign role SAP_BC_USER_DISPLAY_BASIC or equivalent read-only user display authorizations
Create a Credential in OrbisID:
- Username: SAP username
- Password: SAP password
Navigate to Systems → Add System
Fill in the fields:

Field	Value
Name	Descriptive name (e.g., `SAP S/4HANA – S4P Production`)
OS Type	`SapS4Hana`
System Type	`Application`
Hostname	SAP application server hostname
Client ID	SAP client number
Credential	The scanning credential

Click Test Connection
Click Save

Troubleshooting

Symptom	Likely Cause	Resolution
`Authentication failed`	Invalid SAP credentials	Verify user in SAP transaction `SU01`
`401 Unauthorized`	OData service not enabled	Activate `API_BUSINESS_USER` in SAP transaction `SICF`
No users returned	Insufficient authorizations	Add `S_USER_GRP` and `S_USER_USR` authorization objects
`403 Forbidden`	Client not authorised	Verify the SAP client number and API user access

Description​

System Type Classification​

Version Support​

Supported Protocol​

What OrbisID Discovers​

Connection Requirements​

Required Permissions​

Credential Mapping​

Network Requirements​

Configuration Steps​

Troubleshooting​