Definition

Controls the use of user restriction in LDAP search filter.

Use

If this indicator is not set, the system first imports the value of the filter attribute for all directory entries below the base entry, converts it to SAP format (uppercase) and then uses the entered restrictions.

This procedure guarantees that the restrictions are used correctly, even if the value of the filter attribute in the directory is in lowercase or the directory uses a different sort order from the SAP system. However, there is a disadvantage: that it is possible that a large amount of data needs to be read from the directory, even if only a small number of users have been explicitly selected for synchronization.

Setting this indicator means that the system converts the restrictions for the user into an LDAP search filter and uses this filter to search the entries below the base entry in the directory. This reduces the affected volume of data and therefore the synchronization time, especially if the filter attribute is indexed in the directory.

Dependencies

If you set this indicator, you need to ensure that the filter attribute in the directory fulfills the following conditions:

• The content is exclusively in the SAP format (uppercase), or the attribute can be searched in the directory irrespective of the case (caseIgnoreMatch). The administrator of the directory can tell you if this is the case.
• If you use restrictions with ranges, the set of objects found in the directory must correspond to the set that would have been found if the restriction had been used on the filter attribute converted into SAP format. To put it another way: the directory uses the same sort order as the SAP system in the context of the ranges you are using.

Warning

If the above prerequisites are not fulfilled, it could mean that entries are not found in the directory.

In combination with the option "Objects that only exist in the database: delete/lock in the database", this can lead to undesired changes of the user master record in the SAP system.

Example

The filter attribute is "sapUsername", which is defined in the directory without "caseIgnoreMatch".

An entry in the directory has the value "abc123". On the selection screen, you enter "ABC123" as the user name (this is automatically converted to uppercase) and execute the report.

The LDAP search filter will now search for users with the value "ABC123" in the filter attribute and will not find the entry (no "caseIgnoreMatch"). If the option "Delete in database" is selected, user ABC123 will be deleted from the SAP system.

Example

To check that these prerequisites are fulfilled for a specified restriction, you can proceed as follows:

• Enter the restriction, do not set the indicator, choose "Ignore Objects" for all sets, and execute the report.
• Note the "Number of Objects in the Directory" shown in the log.
• Set the indicator and run the report again.
• If the "Number of Objects in the Directory" has not changed, the use of the user restriction in the directory produced the same result as the subsequent filtering in the SAP system.

Check the transferability of this result to any restrictions with the directory administrator.