Assigning SAP user accounts directly to SAP roles
To react quickly to special requests, you can assign roles directly to user accounts.
The following applies if user accounts are managed by :
- The role is assigned to the central system, or
- The role's client is assigned as a child system to the user accounts.
NOTE: Roles can also be directly assigned to a user account if the client's assignment to the user account is marked as outstanding. This removes the outstanding mark.
To assign a role directly to user accounts
- Select the SAP R/3 > Roles category.
- Select the role in the result list.
- Select the Assign user accounts task.
To assign a role to a user account
- Click Add.
  This inserts a new row in the table.
- Select the user account you want to assign to the role from the User account menu.
- Enter a validity period for the role assignment in the Valid from and Valid until fields, if that applies.
- Enter another user account if required.
- Save the changes.
To edit a role assignment
- Select the role assignment you want to edit in the table. Edit the validity period.
- Save the changes.
To remove a role assignment
- Select the role assignment you want to remove in the table.
- Click Delete.
- Save the changes.
Adding SAP groups, SAP roles, and SAP profiles to system roles
Installed modules: System Roles Module
Groups, roles, and profiles can be added to different system roles. When you assign a system role to an employee, the groups, roles, and profiles are inherited by all SAP user accounts that these employees have. System roles that exclusively contain SAP groups, roles, or profiles can be labeled with "SAP product". Groups, roles, and profiles can also be added to system roles that are not SAP products.
NOTE: Only profiles that are not assigned to an SAP role can be assigned to system roles.
NOTE: Groups, roles, and profiles with the Only use in IT Shop option set can only be assigned to system roles that also have this option set. For more information about providing system roles in the IT Shop, see the One Identity Manager System Roles Administration Guide.
To assign a group to system roles
- Select the SAP R/3 > Groups category.
- Select the group in the result list.
- Select the Assign system roles task.
- In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.
To remove an assignment
- Save the changes.
To assign a role to system roles
- Select the SAP R/3 > Roles category.
- Select the role in the result list.
- Select the Assign system roles task.
- In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.
To remove an assignment
- Save the changes.
To assign a profile to system roles
- Select the SAP R/3 > Profiles category.
- Select a profile in the result list.
- Select the Assign system roles task.
- In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.
To remove an assignment
- Save the changes.
Adding SAP groups, SAP roles, and SAP profiles to the IT Shop
NOTE: Only profiles that are not assigned to IT Shop roles can be assigned to SAP shelves.
When you assign a group, a role, or a profile to an IT Shop shelf, it can be requested by the shop customers. To ensure it can be requested, further prerequisites need to be guaranteed:
- The group, the role, or the profile must be labeled with the IT Shop option.
- The group, the role, or the profile must be assigned a service item.
  TIP: In the Web Portal, all products that can be requested are grouped together by service category. To make the group, the role, or profile easier to find in the Web Portal, assign a service category to the service item.
- If you only want the group, the role, or the profile to be assigned to employees through IT Shop requests, the group, the role, or the profile must also be labeled with the Use only in IT Shop option. Direct assignment to hierarchical roles or user accounts is no longer permitted.
NOTE: With role-based login, the IT Shop administrators can assign groups, roles, and profiles to IT Shop shelves. Target system administrators are not authorized to add groups, roles, and profiles to IT Shop.
To add a group, a role, or a profile to the IT Shop
- In the Manager, select the SAP R/3 > Groups or SAP R/3 > Roles or SAP R/3 > Profiles (non role-based login) category.
  - OR -
  In the Manager, select the Entitlements > SAP groups or Entitlements > SAP roles or Entitlements > SAP profiles (role-based login) category.
- In the result list, select the group, the role, or the profile.
- Select the Add to IT Shop task.
- Select the IT Shop structures tab.
- In the Add assignments pane, assign the group, the role, or the profile to the IT Shop shelves.
- Save the changes.
To remove a group, a role, or a profile from individual shelves of the IT Shop
- In the Manager, select the SAP R/3 > Groups or SAP R/3 > Roles or SAP R/3 > Profiles (non role-based login) category.
  - OR -
  In the Manager, select the Entitlements > SAP groups or Entitlements > SAP roles or Entitlements > SAP profiles (role-based login) category.
- In the result list, select the group, the role, or the profile.
- Select the Add to IT Shop task.
- Select the IT Shop structures tab.
- In the Remove assignments pane, remove the group, the role, or the profile from the IT Shop shelves.
- Save the changes.
To remove a group, a role, or a profile from all shelves of the IT Shop
- In the Manager, select the SAP R/3 > Groups or SAP R/3 > Roles or SAP R/3 > Profiles (non role-based login) category.
  - OR -
  In the Manager, select the Entitlements > SAP groups or Entitlements > SAP roles or Entitlements > SAP profiles (role-based login) category.
- In the result list, select the group, the role, or the profile.
- Select the Remove from all shelves (IT Shop) task.
- Confirm the security prompt with Yes.
- Click OK.
  The group, the role, or the profile is removed from all shelves by the One Identity Manager Service. All requests and assignment requests with this group, this role, or this profile are canceled.
For more information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Assignment and inheritance of SAP profiles and SAP roles to SAP user accounts
The following SAP-side limitations influence the user account assignment and inheritance of profiles and roles in One Identity Manager.
- Composite profiles can be put together from 0...n profiles or composite profiles. If a user account is assigned a composite profile, the target system only returns the user account membership in the assigned composite profile and not the membership in subprofiles.
- Single roles can be put together from 0...n profiles. Only profiles that are not composite profiles can be assigned. Profiles that are assigned to a single role can no longer be assigned to a user account.
- Composite roles can be made up of 0...n single roles. Assignment of profiles or composite profiles to composite roles is not possible.
These limitations result in the following:
In assignment:
- Triggering prevents the assignment of roles which are assigned to single roles, to user accounts, products, roles, and employees.
In inheritance behavior:
- If a user account is assigned a composite role that owns single roles, the single roles are not added to the SAPuserInSAPGroupTotal table.
- If a user account is assigned a single role that owns profiles, the profiles are not added to the SAPUserInSAPProfile table.
- If a user account is assigned a single role and this single role is part of a composite role that is also assigned to this user account, the single role is not added to the SAPUserInSAPRole table under certain circumstances:
- If a user account is assigned a composite profile with child profiles, the child profiles are not added to the SAPUserInSAPProfile table. If a child profile is additionally directly assigned to the user account, then the SAPUserInSAPProfile table also contains this direct assignment.
If a user account obtains additional roles or profiles through a reference user, these roles or profiles are only added in the SAPUserInSAPRole and SAPUserInSAPProfile tables for the reference user. When company resources assigned to an employee (PersonHasObject table) are calculated, the roles and profiles inherited by a user account through single roles, composite roles, composite profiles, and reference users are also taken into account.
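The gap between stored assignments and effective entitlements described above matters for access reviews: a report built only on the direct assignment rows misses everything inherited through composite roles, single roles, composite profiles, and reference users. The following is an added example, not One Identity Manager code; the dictionaries are a simplified, constructed model of the relationships, and all role, profile, and user names are placeholders.

```python
# Constructed sample data; all names are illustrative placeholders.
COMPOSITE_ROLES = {"Z_CR_FINANCE": {"Z_SR_AP_CLERK", "Z_SR_GL_VIEW"}}
ROLE_PROFILES = {  # single role -> profiles it owns
    "Z_SR_AP_CLERK": {"T_AP_0001"},
    "Z_SR_GL_VIEW": {"T_GL_0001"},
    "Z_SR_AUDIT": {"T_AU_0001"},
}
COMPOSITE_PROFILES = {  # composite profile -> child profiles (may nest)
    "Z_CP_BASIS": {"Z_P_SPOOL", "Z_CP_JOBS"},
    "Z_CP_JOBS": {"Z_P_SM37"},
}
REFERENCE_USER = {"JDOE": "REF_FIN"}  # user account -> reference user
# Direct assignments only, modeled on what the per-account tables hold.
DIRECT_ROLES = {"JDOE": {"Z_CR_FINANCE"}, "REF_FIN": {"Z_SR_AUDIT"}}
DIRECT_PROFILES = {"JDOE": {"Z_CP_BASIS"}, "REF_FIN": set()}


def expand_profiles(profiles):
    """Resolve composite profiles down to all child profiles."""
    seen, stack = set(), list(profiles)
    while stack:
        profile = stack.pop()
        if profile in seen:  # also guards against cyclic definitions
            continue
        seen.add(profile)
        stack.extend(COMPOSITE_PROFILES.get(profile, ()))
    return seen


def effective(user):
    """Roles and profiles a user account holds, including inherited ones."""
    accounts = [user]
    if user in REFERENCE_USER:
        accounts.append(REFERENCE_USER[user])
    roles, profiles = set(), set()
    for account in accounts:
        for role in DIRECT_ROLES.get(account, ()):
            roles.add(role)
            roles |= COMPOSITE_ROLES.get(role, set())
        profiles |= DIRECT_PROFILES.get(account, set())
    for role in roles:
        profiles |= ROLE_PROFILES.get(role, set())
    return roles, expand_profiles(profiles)


def missed_by_direct_review(user):
    """Entitlements a review of the user's direct rows alone would not show."""
    roles, profiles = effective(user)
    return (roles - DIRECT_ROLES.get(user, set()),
            profiles - DIRECT_PROFILES.get(user, set()))
```

For the sample account, the direct rows show one role and one profile, while the effective set contains four roles and seven profiles.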