Assigning SAP groups, SAP roles, and SAP profiles to SAP user accounts
Groups, roles, and profiles can be directly and indirectly assigned to user accounts. In the case of indirect assignment, employees, groups, roles, and profiles are arranged in hierarchical roles. The number of groups, roles, and profiles assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance. If you add an employee to roles and that employee owns a user account, the user account is added to the group, role, or profile.
Furthermore, groups, roles, and profiles can be assigned to employees through IT Shop requests. Add employees to a shop as customers so that groups, roles, and profiles can be assigned through IT Shop requests. All groups, roles, and profiles are assigned to this shop can be requested by the customers. Requested groups, roles, and profiles are assigned to the employees after approval is granted.
Prerequisites for indirect assignment of SAP groups to employee user accounts
-
Assignment of employees and groups is permitted for role classes (departments, cost centers, locations, or business roles).
-
User accounts are marked with the Groups can be inherited option.
-
The user accounts and groups belong to the same SAP client.
Prerequisites for indirect assignment of SAP profiles to employee user accounts
-
Assignment of employees and profiles is permitted for role classes (departments, cost centers, locations, or business roles).
-
User accounts are labeled with the Profiles can be inherited option.
-
The user accounts and profiles belong to the same SAP client.
- OR -
If the user accounts are managed through the Central User Administration, the user accounts have access permissions in the SAP clients to which the profiles belong.
NOTE: Only profiles that are not assigned to an SAP role can be assigned to hierarchical roles.
Prerequisites for indirect assignment of SAP roles to employee user accounts
-
Assignment of employees and roles is permitted for role classes (departments, cost centers, locations, or business roles).
-
User accounts are labeled with the Roles can be inherited option.
-
The user accounts and roles belong to the same SAP client.
- OR -
If the user accounts are managed through the Central User Administration, the user accounts have access permissions in the SAP clients to which the roles belong.
For detailed information see the following guides:
Basic principles for assigning and inheriting company resources |
One Identity Manager Identity Management Base Module Administration Guide
One Identity Manager Business Roles Administration Guide |
Assigning company resources through IT Shop requests |
One Identity Manager IT Shop Administration Guide |
System roles |
One Identity Manager System Roles Administration Guide |
Detailed information about this topic
Assigning SAP groups, SAP roles, and SAP profiles to organizations
Assign groups, roles, and profiles to departments, cost centers, and locations in order to assign user accounts to them through these organizations.
To assign a group to departments, cost centers, or locations (non role-based login)
- Select the SAP R/3 > Groups category.
- Select the group in the result list.
- Select the Assign organizations task.
- In the Add assignments pane, assign the organizations.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost centers tab.
- OR -
Remove the organizations in the Remove assignments pane.
- Save the changes.
To assign a role to departments, cost centers, or locations (non role-based login)
- Select the SAP R/3 > Roles category.
- Select the role in the result list.
- Select the Assign organizations task.
- In the Add assignments pane, assign the organizations.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost centers tab.
- OR -
Remove the organizations in the Remove assignments pane.
- Save the changes.
To assign a profile to departments, cost centers, or locations (non role-based login)
- Select the SAP R/3 > Profiles category.
- Select a profile in the result list.
- Select the Assign organizations task.
- In the Add assignments pane, assign the organizations.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost centers tab.
- OR -
Remove the organizations in the Remove assignments pane.
- Save the changes.
To assign groups, roles, or profiles to departments, cost centers, or locations (non role-based login)
- Select the Organizations > Departments category.
- OR -
Select the Organizations > Cost centers category.
- OR -
Select the Organizations > Locations category.
- Select the department, cost center, or location in the result list.
- Select the Assign SAP groups task.
- OR -
Select the Assign SAP roles task.
- OR -
Select the Assign SAP profiles task.
- In the Add assignments pane, assign groups, roles, or profiles.
- OR -
In the Remove assignments pane, remove the groups, roles, or profiles.
- Save the changes.
Related topics
Assigning SAP groups, SAP roles, and SAP profiles to business roles
Installed modules: |
Business Roles Module |
You assign groups, roles, and profiles to business roles in order to assign them to user accounts over business roles.
To assign a group to a business role (non role-based login)
- Select the SAP R/3 > Groups category.
- Select the group in the result list.
- Select the Assign business roles task.
- In the Add assignments pane, assign business roles.
- OR -
In the Remove assignments pane, remove business roles.
- Save the changes.
To assign a role to a business role (non role-based login)
- Select the SAP R/3 > Roles category.
- Select the role in the result list.
- Select the Assign business roles task.
- In the Add assignments pane, assign business roles.
- OR -
In the Remove assignments pane, remove business roles.
- Save the changes.
To assign a profile to a business role (non role-based login)
- Select the SAP R/3 > Profiles category.
- Select a profile in the result list.
- Select the Assign business roles task.
- In the Add assignments pane, assign business roles.
- OR -
In the Remove assignments pane, remove business roles.
- Save the changes.
To assign groups, roles, or profiles to a business role (non role-based login)
- Select the Business roles > <Role class> category.
- Select the business role in the result list.
- Select the Assign SAP groups task.
- OR -
Select the Assign SAP roles task.
- OR -
Select the Assign SAP profiles task.
- In the Add assignments pane, assign groups, roles, or profiles.
- OR -
In the Remove assignments pane, remove the groups, roles, or profiles.
- Save the changes.
Related topics
Assigning SAP user accounts directly to SAP groups and SAP profiles
To react quickly to special requests, you can assign groups and profiles directly to user accounts.
NOTE:
- Only profiles that are not assigned to SAP roles can be assigned to user accounts.
- Generated profiles cannot be assigned to user accounts.
The following applies if user accounts are managed by :
-
The group (the profile) is assigned to the central system, or
-
The group's (the profile's) client is assigned as a child system to the user accounts
-
A group or profile can also be directly assigned to a user account if the client's assignment to the user account is marked as outstanding. This removes the outstanding mark.
To assign a group directly to user accounts
-
Select the SAP R/3 > Groups category.
-
Select the group in the result list.
-
Select the Assign user accounts task.
-
Assign user accounts in Add assignments.
- OR -
Remove user accounts from Remove assignments.
- Save the changes.
To assign a profile directly to user accounts
-
Select the SAP R/3 > Profiles category.
-
Select a profile in the result list.
-
Select the Assign user accounts task.
-
Assign user accounts in Add assignments.
- OR -
Remove user accounts from Remove assignments.
- Save the changes.
Related topics