Maintaining SAP functions
You can assign SAP functions to identities that are responsible for the content of those SAP functions. To do this, assign the an application for maintaining SAP functions to an application role. Assign to this application role, the identities that are authorized to enable and edit working copies of this function definition and can define function instances.
A default application role exists for maintaining One Identity Manager functions in SAP. Create more application roles if required. For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.
Table 15: Default application roles for maintaining SAP functions
|
Responsible for maintaining SAP functions. |
Administrators must be assigned to the Identity & Access Governance | Identity Audit | Maintain SAP functions application role or a child application role.
Users with this application role:
-
Are responsible for SAP function contents.
-
Edit working copies of function definitions for which they are responsible.
-
Define function instances and variables sets for SAP functions.
-
Assign mitigating controls. |
To add identities to the default application role for maintaining SAP functions
-
In the Manager, select the Identity Audit > Basic configuration data > Maintain SAP functions category.
-
Select the Assign identities task.
-
In the Add assignments pane, add identities.
TIP: In the Remove assignments pane, you can remove assigned identities.
To remove an assignment
- Save the changes.
Related topics
Exporting function definitions
To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.
To export all function definitions to a CSV file
-
In the Manager, select the Identity Audit category.
-
Select the Plugins > Export all SAP function definitions menu item.
-
To only export working copies, click Yes.
- OR -
To only export enabled SAP functions, click No.
-
Specify the file name and storage location for the CSV file.
-
Click Save.
All function definitions are written to file in sequence.
The following properties are exported:
Table 16: Exported main data of a function definition
|
Name of the function definition |
Function |
|
Assigned function category |
Process |
|
Description |
Function Description |
|
Significance |
Risk Level |
|
Suggested authorization value |
TransactionType |
|
Transaction code |
Transaction |
|
TADIR program ID |
AUTHPGMID |
|
TADIR object type |
AUTHOBJTYP |
|
TADIR object name |
AUTHOBJNAM |
|
Type of external service |
SRV_TYPE |
|
Name of external service |
SRV_NAME |
|
RFC object type |
RFC_TYPE |
|
RFC object name |
RFC_NAME |
|
Hash value |
SAPHashValue |
|
Authorization objects |
Object |
|
Authorization fields |
Field |
|
Description of authorization field. |
Field Description |
|
Value/lower scope limit |
Value From |
|
Upper scope limit |
Value To |
The import status (State) is included with each data record in the CSV file as additional information. The import status is set to 1 by default on export. This data is evaluated when function definitions are imported.
NOTE: SAP function managers can only export those function definitions for which they are responsible, as entered in the main data.
Related topics
Importing function definitions
To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.
When importing SAP functions from an existing CSV file, the function definitions contained in the CSV file are transferred to the database as working copies. The following data fields must be in the CSV file so that function definitions can be imported.
Table 17: Data fields for importing function definitions
|
Function |
Function definition |
|
TransactionType |
Suggested authorization value |
|
Object |
Authorization objects |
|
Field |
Authorization field |
|
Value From |
Value/lower scope limit |
|
Value To |
Upper scope limit |
|
State |
No equivalent.
The import status controls which data records are imported into One Identity Manager.
1: Import |
|
Process (optional) |
Category |
|
Function description (optional) |
Description of the function definition. |
|
Risk level (optional) |
Significance
Possible values are {Low|Medium|High|Critical}. |
|
Transaction (optional) |
Transaction code |
|
AUTHPGMID (optional) |
TADIR program ID |
|
AUTHOBJTYP (optional) |
TADIR object type |
|
AUTHOBJNAM (optional) |
TADIR object name |
|
SRV_TYPE (optional) |
Type of external service |
|
SRV_NAME (optional) |
Name of external service |
|
RFC_TYPE (optional) |
RFC object type |
|
RFC_NAME (optional) |
RFC object name |
|
SAPHashValue (optional) |
Hash value |
|
Field description (optional) |
Describes the authorization fields, authorization objects and SAP applications. |
NOTE:
-
The order of the data fields is arbitrary.
-
All required data fields must be defined in the header and must be present in the data sets.
-
Mark data fields without values with two sequential delimiters.
-
Data sets with empty mandatory fields are not imported.
To import function definitions
-
In the Manager, select the Identity Audit category.
-
Select the Plugins > Import SAP function definitions menu item.
-
Select the CSV file you want to import and click Open.
-
Confirm the security prompt with Yes.
The functions definitions are transferred to the database as working copies. If there is already a working copy with the same name in the database, it is overwritten by the import.
Related topics
Compliance rules for SAP functions
Compliance rules can be checked through effective authorizations as well as through authorizations, which an identity has in an SAP R/3 system due to their user accounts and group and role memberships. Effective write permissions are tested through SAP functions. To do this, SAP functions are added to rule conditions.
The validity period of role assignments is taken into account in the rule check.
For more information about compliance rules, see the One Identity Manager Compliance Rules Administration Guide.
Detailed information about this topic
.