One Identity Manager can be used to define rules that maintain and monitor regulatory requirements and automatically deal with rule violations. Define compliance rules to test entitlements or combinations of entitlements in the context of identity audit for identities in the company. On the one hand, existing rule violations can be found by checking rules. On the other hand, possible rule violations can be preemptively identified and thus prevented.
Figure 1: Identity audit in One Identity Manager
In addition to rule checking, One Identity Manager offers a detailed examination of effective authorizations of SAP user accounts for SAP R/3 target systems. Linking SAP user accounts to identities allows combinations of SAP authorizations that an identity receives through different SAP user accounts to be checked. Invalid or potentially dangerous authorizations and combinations of them can easily be recognized this way and the necessary action taken.
SAP authorizations are checked on the basis of the authorization objects permitted for an SAP user account. SAP role and profile assignments determine which authorization objects are permitted. To check whether invalid or potentially dangerous SAP authorizations are assigned within the company, define SAP functions that describe invalid combinations of authorization objects. One Identity Manager finds all the SAP roles, profiles, and user accounts that have exactly these authorization objects assigned to them. Use compliance rules to determine the identities that are linked to these user accounts and therefore have invalid authorizations.
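The check described above, as an added illustration in Python that is not part of One Identity Manager or this guide: it derives the effective authorization objects of each SAP user account from its role and profile assignments, matches the result against SAP function definitions (a function matches when every authorization object it names is present), and then repeats the match on the union of all accounts linked to one identity. All role, profile, authorization-object, account and identity names are constructed placeholders, and the model deliberately leaves out authorization field values and variable sets, which the real check also evaluates. The point it shows is why linking accounts to identities matters: Alice's two accounts are each clean on their own, and only the identity-level view reveals the invalid combination.

```python
"""Model of an SAP-function check across several SAP user accounts.

Added illustration, not code from One Identity Manager. All names below
(roles, profiles, authorization objects, accounts, identities) are
constructed placeholders. Field values and variable sets, which the real
check also evaluates, are left out of this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SapFunction:
    """An invalid combination of authorization objects (constructed)."""
    name: str
    auth_objects: frozenset[str]


# Constructed sample data: authorization objects granted by each SAP role
# and profile, and the roles/profiles held by each SAP user account.
ROLE_AUTH_OBJECTS = {
    "Z_FI_POST_INVOICE": {"F_DOC_POST"},
    "Z_FI_RELEASE_PAYMENT": {"F_PAY_RELEASE"},
    "Z_BASIS_DISPLAY": {"S_DISPLAY"},
}
PROFILE_AUTH_OBJECTS = {
    "Z_VENDOR_MASTER": {"F_VENDOR_MAINT"},
}
USER_ROLES = {
    "FI_CLERK_01": {"Z_FI_POST_INVOICE"},
    "FI_CLERK_01_X": {"Z_FI_RELEASE_PAYMENT"},  # second account of the same person
    "BASIS_01": {"Z_BASIS_DISPLAY"},
}
USER_PROFILES = {
    "FI_CLERK_01": {"Z_VENDOR_MASTER"},
}
# Which SAP user accounts are linked to which identity.
IDENTITY_ACCOUNTS = {
    "Alice": {"FI_CLERK_01", "FI_CLERK_01_X"},
    "Bob": {"BASIS_01"},
}

# Constructed SAP function definitions: combinations that must not be held.
SAP_FUNCTIONS = [
    SapFunction("Invoice posting and payment release",
                frozenset({"F_DOC_POST", "F_PAY_RELEASE"})),
    SapFunction("Vendor maintenance and payment release",
                frozenset({"F_VENDOR_MAINT", "F_PAY_RELEASE"})),
]


def effective_auth_objects(user: str) -> set[str]:
    """Authorization objects permitted for one SAP user account, derived
    from its role and profile assignments."""
    objs: set[str] = set()
    for role in USER_ROLES.get(user, ()):
        objs |= ROLE_AUTH_OBJECTS.get(role, set())
    for profile in USER_PROFILES.get(user, ()):
        objs |= PROFILE_AUTH_OBJECTS.get(profile, set())
    return objs


def matching_functions(auth_objects: set[str]) -> list[str]:
    """Names of the SAP functions whose complete authorization-object set
    is contained in the given set."""
    return [f.name for f in SAP_FUNCTIONS if f.auth_objects <= auth_objects]


def check_accounts() -> dict[str, list[str]]:
    """Per-account view: functions each SAP user account fulfils on its own."""
    accounts = set(USER_ROLES) | set(USER_PROFILES)
    return {u: matching_functions(effective_auth_objects(u)) for u in accounts}


def check_identities() -> dict[str, list[str]]:
    """Per-identity view: functions fulfilled by the union of all SAP user
    accounts linked to an identity. This is what a compliance rule over the
    identity's accounts reports as a rule violation."""
    result: dict[str, list[str]] = {}
    for identity, accounts in IDENTITY_ACCOUNTS.items():
        combined: set[str] = set()
        for acct in accounts:
            combined |= effective_auth_objects(acct)
        result[identity] = matching_functions(combined)
    return result


if __name__ == "__main__":
    print("per account: ", check_accounts())
    print("per identity:", check_identities())
```

In this data no single account matches a function, but the identity Alice matches both, because the invalid combination is split across her two accounts. A check that stops at the account level, or one that cannot see how accounts are linked to identities, would report nothing.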
If identities are granted SAP authorizations through IT Shop requests, the invalid authorizations can be detected and handled by the appropriate approval processes at the time the request is made. For more information about approval processes in the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Based on this information, you can make corrections to data in One Identity Manager and transfer them to the connected SAP R/3 systems. The integrated report function in One Identity Manager can be used to provide information for the appropriate tests.
NOTE: Compliance Rules Module and SAP R/3 Compliance Add-on Module must be installed in order to set up and analyze SAP functions.
NOTE: You cannot use SAP functions to check the authorizations in the central user administration client.
The following users are used for the administration of SAP functions.
Table 1: Users
Compliance rules administrators
Administrators must be assigned to the Identity & Access Governance | Identity Audit | Administrators application role.
Users with this application role:
- Enter base data for setting up company policies.
- Create compliance rules and assign rule supervisors to them.
- Can start rule checking and view rule violations as required.
- Create reports about rule violations.
- Define SAP functions and assign these to managers.
- Define function instances and variable sets for SAP functions.
- Enter mitigating controls.
- Create and edit risk index functions.
- Monitor Identity Audit functions.
- Administer application roles for rule supervisors, exception approvers, and attestors.
- Set up other application roles as required.
Those responsible for maintaining SAP functions
Those responsible for maintaining the SAP functions must be assigned to the Identity & Access Governance | Identity Audit | Maintenance SAP Functions application role or a child application role.
Users with this application role:
- Are responsible for SAP function contents.
- Edit working copies of function definitions for which they are responsible.
- Define function instances and variable sets for SAP functions.
- Assign mitigating controls.
One Identity Manager administrators
One Identity Manager administrator and administrative system users. Administrative system users are not added to application roles.
One Identity Manager administrators:
- Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
- Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
- Enable or disable additional configuration parameters in the Designer as required.
- Create custom processes in the Designer as required.
- Create and configure schedules as required.
Compliance and security officer
Compliance and security officers must be assigned to the Identity & Access Governance | Compliance & Security Officer application role.
Users with this application role:
- View all compliance-relevant information and other analyses in the Web Portal. This includes attestation policies, company policies and policy violations, compliance rules and rule violations, critical SAP functions, and risk index functions.
- Edit attestation policies.
All the information regarding SAP authorizations, SAP users, SAP roles, and SAP profiles must be transferred to the One Identity Manager database so that One Identity Manager can test the effective SAP authorizations based on SAP functions.
Setting Up SAP Functions
- In the Designer, set the QER | ComplianceCheck and the TargetSystem | SAPR3 | SAPRights configuration parameters.
NOTE: If you disable a configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
- Set up a synchronization project for synchronizing the necessary SAP schema types and start synchronization.
Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for various configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.
Configuration parameters are defined by the One Identity Manager modules; each module can install its own configuration parameters. In the Designer, you can find an overview of all configuration parameters in the Base data > General > Configuration parameters category.
IMPORTANT: The TargetSystem | SAPR3 | SAPRights | TestWithoutTCD configuration parameter will be deleted in a future version of One Identity Manager and cannot be set anymore in version 9.3.
When updating the One Identity Manager database from a version older than 9.3 to version 9.3, the configuration parameter setting is transferred without alteration. This functionality stays the same. However, the configuration parameter can neither be set nor cleared in the current One Identity Manager version.
For more information, see Ignoring SAP applications.