Target system managers
A default application role exists for the target system manager in One Identity Manager. Assign employees to this application role who have permission to edit all clients in One Identity Manager.
Define additional application roles if you want to limit the permissions for target system managers to individual clients. The application roles must be added under the default application role.
For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.
Implementing application roles for target system managers
-
The One Identity Manager administrator allocates employees to be target system administrators.
-
These target system administrators add employees to the default application role for target system managers.
Target system managers with the default application role are authorized to edit all the clients in One Identity Manager.
-
Target system managers can authorize other employees within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual tenants.
Table 27: Default application roles for target system managers
|
Target system managers
|
Target system managers must be assigned to the Target systems | SAP R/3 application role or a child application role.
Users with this application role:
-
Assume administrative tasks for the target system.
-
Create, change, or delete target system objects.
-
Edit password policies for the target system.
-
Prepare system entitlements to add to the IT Shop.
-
Can add employees who have another identity than the Primary identity.
-
Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
-
Edit the synchronization's target system types and outstanding objects.
-
Authorize other employees within their area of responsibility as target system managers and create child application roles if required. |
To initially specify employees to be target system administrators
-
Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)
-
Select the One Identity Manager Administration > Target systems > Administrators category.
-
Select the Assign employees task.
-
Assign the employee you want and save the changes.
To add the first employees to the default application as target system managers
-
Log in to the Manager as a target system administrator (Target systems | Administrators application role).
-
Select the One Identity Manager Administration > Target systems > SAP R/3 category.
-
Select the Assign employees task.
-
Assign the employees you want and save the changes.
To authorize other employees as target system managers when you are a target system manager
-
Log in to the Manager as a target system manager.
-
Select the application role in the SAP R/3 > Basic configuration data > Target system managers category.
-
Select the Assign employees task.
-
Assign the employees you want and save the changes.
To specify target system managers for individual tenants
-
Log in to the Manager as a target system manager.
-
Select the SAP R/3 > Clients category.
-
Select the tenant in the result list.
-
Select the Change main data task.
-
On the General tab, select the application role in the Target system manager menu.
- OR -
Next to the Target system manager menu, click 
to create a new application role.
-
Enter the application role name and assign the Target systems | SAP R/3 parent application role.
-
Click OK to add the new application role.
- Save the changes.
-
Assign employees to this application role who are permitted to edit the tenant in One Identity Manager.
Related topics
Basic data for user account administration
One Identity Manager supplies the following basic data for user administration, by default:
If configured, other basic data that cannot be edited in One Identity Manager is read from SAP R/3 during synchronization. It is used only for assignments to SAP user accounts. These include:
Certain user account properties can be defined as default for all user accounts through the configuration settings. These include:
User account types
The user account types are available in One Identity Manager by default. SAP R/3 recognizes the user account types listed below.
Table 28: User account types
| Dialog (A) |
Dialog user in a system. |
| System (B) |
Background processing within a system. |
| Communication (C) |
Communication between systems without a dialog. |
| Service (S) |
Common user account for anonymous system access, for example.
User account of this type should have heavily restricted access permissions. |
| Reference (L) |
Common user account for additional granting of permissions. |
The default user account type for new user accounts is specified in the "TargetSystem | SAPR3 | Accounts | Ustyp" configuration parameter.
To modify the default user account type
- In the Designer, edit the value of the "TargetSystem | SAPR3 | Accounts | Ustyp" configuration parameter.
External identifier types
External authentication methods for logging in to a system can be used in SAP R/3. One Identity Manager supplies the following types as user identifiers to find the login data necessary for different authentication mechanisms for external systems on an SAP system:
Table 29: External identifier types
| DN |
Distinguished Name for X.509. |
| NT |
Windows NTLM or password verification with the Windows domain controller. |
| LD |
LDAP bind <user-defined> (For other external authentication mechanisms). |
| SA |
SAML Token. |
To specify a default type for external identifiers
- In the Designer, set the "TargetSystem | SAPR3 | UserDefaults | ExtID_Type" configuration parameter and specify a value.
