Setting up a synchronization project for synchronizing SAP authorization objects
SAP authorizations are verified on the basis of the SAP applications permitted for an SAP user account and the associated authorization objects. Authorization objects and SAP applications must be loaded into the One Identity Manager database first before you can create SAP functions. For each client, create a synchronization project for synchronizing the necessary schema types. A separate project template is required for this.
Use the Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3 environment.
NOTE: Just one synchronization project can be created per target system and default project template used.
To set up a synchronization project for SAP authorization objects.
-
Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following special features apply:
NOTE: You cannot use SAP functions to check the authorizations in the child systems of a central user administration. Set up the synchronization project for one client only, which is not a system.
- In the project wizard on the Select project template page, select the SAP R/3 authorization objects project template.
- The Restrict target system access page is not displayed. The target system is only loaded.
For more information, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
-
Configure and set a schedule to run synchronization regularly.
For more information, see the One Identity Manager Target System Synchronization Reference Guide.
Related topics
Synchronizing authorizations with overlapping values
In SAP R/3, if the same authorization is assigned to an SAP profile several times with overlapping value ranges, only one authorization assignment is read in by the synchronization. Therefore, the authorization check does not include all the values that user accounts with this profile can actually use.
Probable reason
When synchronizing the ProfileHasAuthObjectField schema type, the complete object list is loaded straight away. Only one data set is selected for each authorization assignment to an SAP profile. Other data sets are ignored.
Solution
If several authorization assignments with overlapping value ranges exist for one profile, the lowest lower value and the highest upper value must be read in by synchronization. To do this, the value ranges are evaluated separately by the synchronization. The objects must be loaded by single record access.
To enable single record access
-
In the Synchronization Editor, edit the properties of the profileHasAuthObjectField synchronization step.
-
Select the Extended tab.
-
Select the Reload threshold property and disable Use start up configuration settings.
-
Enter a value between 4 and 7.
- Save the changes.
NOTE: Changing the reload threshold may affect synchronization performance for this synchronization step.
For more about configuring the reload threshold, see the One Identity Manager Target System Synchronization Reference Guide.
Related topics
Setting up SAP functions
You can create function definitions, function instances, and variable sets for SAP functions. A function definition contains the authorization definition as well as general main data. An authorization definition contains at least one SAP application. Each SAP application belongs to at least one authorization object. Each authorization object consists of at least one function element (activity or authorization field) with concrete instances. Instances are given as single values or as upper and lower scope limits. Function elements can be listed more than once per authorization object.
You can use an SAP function for different instances. To do this, use variables in the authorization definition. Fixed variable values are grouped in variable sets and used in the function instances.
Figure 2: Structure of an authorization definition
To set up an SAP function
-
Create a function definition.
-
Create the authorization definition.
-
Consider the explanations for determining invalid authorizations.
-
Take the notes on authorization definitions into account.
-
Use variables for the values or scope limits if needed.
-
Check the completeness of the authorization objects.
-
(Optional) Assign mitigating controls to the function definition to be implemented when invalid authorizations are detected by the SAP function.
-
To be able to use the function definition for authorization checking, enable the working copy of this function definition.
-
Create at least one function instance for this function definition.
To find all the identities that match this SAP function through their SAP user accounts, apply the SAP function in compliance rules.
Detailed information about this topic
Creating function definitions
A working copy is added to the database for every new function definition. The changes are not passed on to the production function definition until the working copy is enabled. SAP authorizations are only checked on the basis of active function definitions.
To create a new function definition
-
In the Manager, select the Identity Audit > SAP functions > Function definitions category.
-
Click in the result list.
-
Enter the function definition main data.
-
Save the changes.
This adds a working copy.
-
Select the Authorization Editor task and set up the authorization definition.
-
Select the Enable working copy task and confirm the security prompt with Yes.
This adds an enabled function definition in the database. The working copy is retained and can be used to make changes later.
Related topics