Assigning function definitions to mitigating controls
Use this task to specify the function definitions for which a mitigating control is valid. You can only assign function definitions that are enabled on the assignment form.
To assign SAP function definitions to mitigating controls
-
In the Manager, select the Risk index functions > Mitigating controls category.
-
Select the mitigating control in the result list.
-
Select the Assign function definitions task.
In the Add assignments pane, assign the function definitions.
TIP: In the Remove assignments pane, you can remove function definitions assignments.
To remove an assignment
- Save the changes.
Related topics
Calculating mitigating controls for SAP functions
The reduction in significance of a mitigating control supplies the value by which the risk index of an SAP function is reduced when the control is implemented. One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.
The reduced risk index is calculated from the SAP function and the significance reduced sum of all assigned mitigating controls.
Risk index (reduced) = Risk index - sum significance reductions
If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.
Related topics
Configuration parameters for SAP functions
The following configuration parameters are additionally available in One Identity Manager after the module has been installed.
Table 20: Configuration parameters for the module
TargetSystem | SAPR3 | SAPRights |
Preprocessor relevant configuration parameter for controlling component parts for testing authorizations in SAP R/3 using SAP functions. If the parameter is set, the components are available. Changes to the parameter require recompiling the database.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide. |
TargetSystem | SAPR3 | SAPRights | TestWithoutTCD |
Checks SAP authorizations without taking SAP applications into account. |
The following configuration parameters are also required.
Table 21: Additional configuration parameters
QER | CalculateRiskIndex |
Preprocessor relevant configuration parameter controlling system components for calculating the risk index. Changes to the parameter require recompiling the database.
If the parameter is enabled, values for the risk index can be entered and calculated.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide. |
QER | ComplianceCheck |
Preprocessor relevant configuration parameter for controlling the database model components for checking the rule base. Changes to the parameter require recompiling the database. If the parameter is enabled, you can use the model components.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide. |
Default project template for the SAP R/3 Compliance Add-on Module
A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.
Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.
Use the SAP R/3 authorization objects project template to synchronize authorization objects and transactions. The project template uses mappings for the following schema types.
Table 22: Mapping SAP R/3 schema types to tables in the One Identity Manager schema
TOBJ |
SAPAuthObject |
ObjectClass |
SAPAuthObjectClass |
AUTHX |
SAPField |
Transactions |
SAPTransaction |
TACT |
SAPActivity |
ObjectHasField |
SAPAuthObjectHasField |
ObjectHasActivity |
SAPAuthObjectHasSapActivity |
FieldHasRcTable |
SAPFieldHasSAPRCTable |
TMENU01 |
SAPMenu |
MenuHasTransaction |
SAPMenuHasSAPTransaction |
ProfileHasAuthObjectField |
SAPProfileHasAuthObjectElem |
RcTable |
SAPRCTable |
Variable |
SAPRCVariable |
TRANSACTIONHASTOBJ |
SAPTransactionHasSAPAuthObject |
RFCFUNCTION |
SAPTransaction |
USOBHASH |
SAPTransaction |