Mail Address Derivation
The table controls how the SAP user ID is matched to the corresponding Active Directory identity (and ultimately to the user's authoritative e-mail address, which is used for the encryption and decryption processes). It is critical to choose a mechanism that is protected against tampering by the user. To configure Mail Address Derivation, follow these steps:
Call transaction /n/SECUDESD/MAIL_DRV - Directory Mapping of SAP User Master.
Click the Display -> Change icon to edit the table.
Enter the name of the User Group as given in User Master maintenance for authorization check.
Enter a brief description of the authorizations in the Text.
Select the mail derivation method you require from the Derivation method list. The following options are available:
Mail address in user master: The mail address is retrieved from the SAP user master field (E-Mail Address on the Address tab).
Login name = SAP user ID: The mail address is read from AD, by querying against the sAMAccountName with the SAP user ID. You should use this option only if a match between the SAP user ID and the sAMAccountName can be reliably established.
Login name in Alias field: The mail address is read from AD, by querying against the sAMAccountName with the content of the Alias field (Alias on tab Logon Data).
UPN in Alias field: The mail address is read from AD, by querying against the userPrincipalName with the content of the Alias field (Alias on tab Logon Data).
Mail address in Alias field: The mail address is read from the Alias field (Alias on tab Logon Data).
UPN in SNC name: The mail address is read from AD, by querying against the userPrincipalName with the content of the SNC name field (SNC name on tab SNC); as the SNC name is often prefixed by an identifier to specify the name type, always indicate this prefix in the table.
DN in SNC name: The mail address is read from AD, by querying against the distinguishedName with the content of the SNC name field (SNC name on tab SNC); as the SNC name is often prefixed by an identifier to specify the name type, you will also have to indicate this prefix in the table.
Own implementation of BAdI: If you prefer to use a different mechanism, you may implement the BAdI /SECUDESD/BADI_DERIVE_MAIL.
Specify the prefix (e.g., name type) of the SNC name in SNC Prefix.
Directory mapping of SAP user master
Click Save to save your settings.
The following table lists the Mail Address Derivation methods allowed for each selected directory.
Method | Active Directory | Microsoft Entra ID | No directory |
---|---|---|---|
Mail address in user master | Yes | Yes | Yes |
Login name = SAP user ID | Yes | No | No |
Login name in Alias field | Yes | No | No |
UPN in Alias field | Yes | Yes | No |
Mail address in Alias field | Yes | Yes | Yes |
UPN in SNC name | Yes | Yes | No |
DN in SNC name | Yes | No | No |
Own implementation of BAdI | Yes | Yes | Yes |
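
The derivation methods and the directory table above can be expressed as a lookup check. The following Python example is added here and is not the product's code; the field keys (`email`, `alias`, `snc_name`), the directory labels (`AD`, `ENTRA`, `NONE`), the sample record and the RFC 4515 escaping of the looked-up value are assumptions of the example.

```python
# Added illustration, not SECUDE product code. Method names and the directory
# matrix come from the page; field keys and directory labels are assumptions.
METHODS = {  # method: (SAP source field, attribute queried or None, allowed directories)
    "Mail address in user master": ("email", None, {"AD", "ENTRA", "NONE"}),
    "Login name = SAP user ID": ("user_id", "sAMAccountName", {"AD"}),
    "Login name in Alias field": ("alias", "sAMAccountName", {"AD"}),
    "UPN in Alias field": ("alias", "userPrincipalName", {"AD", "ENTRA"}),
    "Mail address in Alias field": ("alias", None, {"AD", "ENTRA", "NONE"}),
    "UPN in SNC name": ("snc_name", "userPrincipalName", {"AD", "ENTRA"}),
    "DN in SNC name": ("snc_name", "distinguishedName", {"AD"}),
}  # "Own implementation of BAdI" is custom logic and is not modelled here.

# Constructed sample record (not real data).
SAMPLE_USER = {"user_id": "JDOE", "alias": "j.doe(ext)",
               "email": "jdoe@example.com", "snc_name": "p:jdoe@EXAMPLE.COM"}


def derive_lookup(method, directory, user, snc_prefix=""):
    """Return (attribute, value); attribute None means value is the mail address itself."""
    field, attribute, allowed = METHODS[method]
    if directory not in allowed:
        raise ValueError(f"{method!r} is not allowed with directory {directory!r}")
    value = user.get(field, "")
    if field == "snc_name":
        # The configured SNC Prefix must match; a mismatch is rejected, never guessed.
        if not value.startswith(snc_prefix):
            raise ValueError("SNC name does not start with the configured prefix")
        value = value[len(snc_prefix):]
    if not value:
        raise ValueError(f"SAP field {field!r} is empty")
    return (attribute, value)


def ad_filter(attribute, value):
    """Build an Active Directory LDAP filter, escaping the value per RFC 4515."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)
    return f"({attribute}={escaped})"


if __name__ == "__main__":
    attr, val = derive_lookup("Login name in Alias field", "AD", SAMPLE_USER)
    print(ad_filter(attr, val))
```

Escaping the value keeps the content of a user-related field from changing the shape of the directory query, and rejecting a method/directory pair that the table marks "No" catches a misconfigured mapping before any lookup is made.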