Enabling working copies
SAP authorizations are only checked on the basis of active SAP functions. When you enable the working copy, the changes are transferred to the function definition. An active function definition is added to a new working copy.
To transfer changes from a working copy to a function definition
- In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.
- Select the function definition in the result list.
- Select the Enable working copy task.
- Confirm the security prompt with OK.
Related topics
Exporting function definitions
To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.
To export the function definition to a CSV file
- In the Manager, select the Identity Audit > SAP functions > Function definitions category.
- Select the function definition in the result list.
-
Select the Change main data task.
- Select the Export task.
- Specify the file name and storage location for the CSV file.
-
Click Save.
The following properties are exported:
Table 14: Exported main data of a function definition
|
Name of the function definition |
Function |
|
Assigned function category |
Process |
|
Description |
Function Description |
|
Significance |
Risk Level |
|
Suggested authorization value |
TransactionType |
|
Transaction code |
Transaction |
|
TADIR program ID |
AUTHPGMID |
|
TADIR object type |
AUTHOBJTYP |
|
TADIR object name |
AUTHOBJNAM |
|
Type of external service |
SRV_TYPE |
|
Name of external service |
SRV_NAME |
|
RFC object type |
RFC_TYPE |
|
RFC object name |
RFC_NAME |
|
Hash value |
SAPHashValue |
|
Authorization objects |
Object |
|
Authorization fields |
Field |
|
Description of authorization field. |
Field Description |
|
Value/lower scope limit |
Value From |
|
Upper scope limit |
Value To |
The import status (State) is included with each data record in the CSV file as additional information. The import status is set to 1 by default on export. This data is evaluated when function definitions are imported.
Related topics
Exporting working copies
To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.
To export the function definition of a working copy to a CSV file
- In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.
- Select the function definition in the result list.
-
Select the Change main data task.
- Select the Export task.
- Specify the file name and storage location for the CSV file.
-
Click Save.
The following properties are exported:
Table 15: Exported main data of a function definition
|
Name of the function definition |
Function |
|
Assigned function category |
Process |
|
Description |
Function Description |
|
Significance |
Risk Level |
|
Suggested authorization value |
TransactionType |
|
Transaction code |
Transaction |
|
TADIR program ID |
AUTHPGMID |
|
TADIR object type |
AUTHOBJTYP |
|
TADIR object name |
AUTHOBJNAM |
|
Type of external service |
SRV_TYPE |
|
Name of external service |
SRV_NAME |
|
RFC object type |
RFC_TYPE |
|
RFC object name |
RFC_NAME |
|
Hash value |
SAPHashValue |
|
Authorization objects |
Object |
|
Authorization fields |
Field |
|
Description of authorization field. |
Field Description |
|
Value/lower scope limit |
Value From |
|
Upper scope limit |
Value To |
The import status (State) is included with each data record in the CSV file as additional information. The import status is set to 1 by default on export. This data is evaluated when function definitions are imported.
Related topics
Assigning mitigating controls to SAP functions
Mitigating controls can be stored with SAP functions. These reduce the effects on the company when SAP users match with SAP functions. At the same time, you specify how to deal with SAP users or SAP groups that match the SAP function. For example, changing a user assignment to an SAP role in the SAP system can be used as a mitigating control for an SAP function.
Mitigating controls can also be used as controlling measures for compliance rules. Mitigating controls assigned to the SAP functions for testing are automatically transferred into compliance rules about SAP functions.
Prerequisites:
- Enabled compliance rules are assigned to a functional area and a department.
- The SAP functions for testing are assigned to the same functional area and then associated variable set of the same department.
To edit mitigating controls
- In the Designer, enable the QER | CalculateRiskIndex configuration parameter.
Detailed information about this topic
