Adding SAP groups, SAP roles, and SAP profiles to system roles
Installed modules: System Roles Module
Groups, roles, and profiles can be added to different system roles. When you assign a system role to an employee, the groups, roles, and profiles are inherited by all SAP user accounts that these employees have. System roles that exclusively contain SAP groups, roles, or profiles can be labeled with "SAP product". Groups, roles, and profiles can also be added to system roles that are not SAP products.
NOTE: Only profiles that are not assigned to an SAP role can be assigned to system roles.
NOTE: Groups, roles, and profiles with Only use in IT Shop can only be assigned to system roles that also have this option set. For more information about providing system roles in the IT Shop, see the One Identity Manager System Roles Administration Guide.
To assign a group to system roles
- Select the SAP R/3 > Groups category.
- Select the group in the result list.
- Select the Assign system roles task.
- In the Add assignments pane, assign system roles.
  TIP: In the Remove assignments pane, you can remove assigned system roles.
To remove an assignment
- Save the changes.
To assign a role to system roles
- Select the SAP R/3 > Roles category.
- Select the role in the result list.
- Select the Assign system roles task.
- In the Add assignments pane, assign system roles.
  TIP: In the Remove assignments pane, you can remove assigned system roles.
To remove an assignment
- Save the changes.
To assign a profile to system roles
- Select the SAP R/3 > Profiles category.
- Select a profile in the result list.
- Select the Assign system roles task.
- In the Add assignments pane, assign system roles.
  TIP: In the Remove assignments pane, you can remove assigned system roles.
To remove an assignment
- Save the changes.
Adding SAP groups, SAP roles, and SAP profiles to the IT Shop
NOTE: Only profiles that are not assigned to an SAP role can be assigned to IT Shop shelves.
When you assign a group, a role, or a profile to an IT Shop shelf, it can be requested by the shop customers. For it to be requestable, the following prerequisites must also be met:
- The group, the role, or the profile must be labeled with the IT Shop option.
- The group, the role, or the profile must be assigned a service item.
TIP: In the Web Portal, all products that can be requested are grouped together by service category. To make the group, the role, or profile easier to find in the Web Portal, assign a service category to the service item.
- If you want the group, the role, or the profile to be assigned to employees only through IT Shop requests, it must also be labeled with the Only use in IT Shop option. Direct assignment to hierarchical roles or user accounts is then no longer permitted.
NOTE: With role-based login, the IT Shop administrators can assign groups, roles, and profiles to IT Shop shelves. Target system administrators are not authorized to add groups, roles, and profiles to IT Shop.
To add a group, a role, or a profile to the IT Shop
- In the Manager, select the SAP R/3 > Groups, SAP R/3 > Roles, or SAP R/3 > Profiles category (non role-based login).
  - OR -
  In the Manager, select the Entitlements > SAP groups, Entitlements > SAP roles, or Entitlements > SAP profiles category (role-based login).
- In the result list, select the group, the role or the profile.
- Select the Add to IT Shop task.
- In the Add assignments pane, assign the group, the role or profile to the IT Shop shelves.
- Save the changes.
To remove a group, a role or profile from individual shelves of the IT Shop
- In the Manager, select the SAP R/3 > Groups, SAP R/3 > Roles, or SAP R/3 > Profiles category (non role-based login).
  - OR -
  In the Manager, select the Entitlements > SAP groups, Entitlements > SAP roles, or Entitlements > SAP profiles category (role-based login).
- In the result list, select the group, the role or the profile.
- Select the Add to IT Shop task.
- In the Remove assignments pane, remove the group, the role, or the profile from the IT Shop shelves.
- Save the changes.
To remove a group, a role or profile from all shelves of the IT Shop
- In the Manager, select the SAP R/3 > Groups, SAP R/3 > Roles, or SAP R/3 > Profiles category (non role-based login).
  - OR -
  In the Manager, select the Entitlements > SAP groups, Entitlements > SAP roles, or Entitlements > SAP profiles category (role-based login).
- In the result list, select the group, the role or the profile.
- Select the Remove from all shelves (IT Shop) task.
- Confirm the security prompt with Yes.
- Click OK.
The group, the role or profile is removed from all shelves by the One Identity Manager Service. All requests and assignment requests with this group, this role or profile are canceled.
For detailed information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Assignment and inheritance of SAP profiles and SAP roles to SAP user accounts
The following SAP-side limitations influence the user account assignment and inheritance of profiles and roles in One Identity Manager.
- Composite profiles can be put together from 0...n profiles or composite profiles. If a user account is assigned a composite profile, the target system only returns the user account's membership in the assigned composite profile, not its membership in the subprofiles.
- Single roles can be put together from 0...n profiles. Only profiles that are not composite profiles can be assigned. Profiles that are assigned to a single role can no longer be assigned directly to a user account.
- Composite roles can be made up of 0...n single roles. Profiles or composite profiles cannot be assigned to composite roles.
These limitations result in the following:
In assignment:
- Triggering prevents profiles that are assigned to single roles from being assigned to user accounts, products, roles, and employees.
In inheritance behavior:
- If a user account is assigned a composite role that owns single roles, the single roles are not added to the SAPUserInSAPGroupTotal table.
- If a user account is assigned a single role that owns profiles, the profiles are not added to the SAPUserInSAPProfile table.
- If a user account is assigned a single role and this single role is part of a composite role that is also assigned to this user account, the single role is not added to the SAPUserInSAPRole table under certain circumstances (see Configuring single role assignment).
- If a user account is assigned a composite profile with child profiles, the child profiles are not added to the SAPUserInSAPProfile table. If a child profile is additionally assigned directly to the user account, the SAPUserInSAPProfile table also contains this direct assignment.
If a user account obtains additional roles or profiles through a reference user, these roles or profiles are only added in the SAPUserInSAPRole and SAPUserInSAPProfile tables for the reference user. When company resources assigned to an employee (PersonHasObject table) are calculated, the roles and profiles inherited by a user account through single roles, composite roles, composite profiles, and reference users are also taken into account.
Configuring single role assignment
Only directly assigned single and composite roles are mapped in SAPUserInSAPRole. Assignments of single roles to composite roles are mapped in SAPCollectionRPG. By combining both tables you can establish which single roles are indirectly assigned to a user account.
The following applies by default for the inheritance of single roles by user accounts: If a single role is assigned to a user account and this single role is part of a composite role that is also assigned to the user account, then the assignment of the single role is additionally mapped in the SAPUserInSAPRole table if the validity period of the assigned single and composite role is not identical.
To not map memberships in single roles in the SAPUserInSAPRole table if the single roles are part of assigned composite roles
- In the Designer, disable the TargetSystem | SAPR3 | KeepRedundantProfiles configuration parameter.
  The table then contains only the membership in the composite role.
Effect of the KeepRedundantProfiles configuration parameter
A single role is assigned to a user account, as well as a composite role that contains this single role.
- The configuration parameter is set and both role assignments have different validity periods: the SAPUserInSAPRole table contains both the composite role assignment and the single role assignment.
- The configuration parameter is set and both role assignments have the same validity period: the SAPUserInSAPRole table contains only the assignment of the composite role.
- The configuration parameter is not set: the SAPUserInSAPRole table contains only the assignment of the composite role, regardless of the validity period of either role assignment.
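To make the three cases above concrete, here is an added Python model (not One Identity Manager code) of which direct assignments land in SAPUserInSAPRole for a given KeepRedundantProfiles setting, and of the effective single roles an access review should reason about instead. The role names, validity dates, and the COMPOSITE_ROLES stand-in for SAPCollectionRPG are constructed assumptions; where a single role sits in several assigned composite roles, the model assumes its validity period must differ from all of them.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    """One direct role assignment of a user account, as synchronised from SAP."""
    role: str
    valid_from: date
    valid_to: date


# Constructed stand-in for SAPCollectionRPG: composite role -> contained single roles.
COMPOSITE_ROLES = {"Z_COMP_FINANCE": {"Z_AP_CLERK", "Z_GL_DISPLAY"}}

# Constructed sample assignments (hypothetical role names, not from the guide).
COMPOSITE = Assignment("Z_COMP_FINANCE", date(2024, 1, 1), date(2024, 12, 31))
SINGLE_SAME_VALIDITY = Assignment("Z_AP_CLERK", date(2024, 1, 1), date(2024, 12, 31))
SINGLE_OTHER_VALIDITY = Assignment("Z_AP_CLERK", date(2024, 1, 1), date(9999, 12, 31))
SINGLE_STANDALONE = Assignment("Z_BASIS_DISPLAY", date(2024, 1, 1), date(9999, 12, 31))


def sap_user_in_sap_role(direct, keep_redundant_profiles):
    """Roles this model expects in SAPUserInSAPRole for the given direct assignments.

    A single role that is also contained in a directly assigned composite role is
    mapped only when KeepRedundantProfiles is set AND its validity period differs
    from that of every containing composite role (assumption for the multi-parent case).
    Composite roles and single roles outside any assigned composite are always mapped.
    """
    composites = [a for a in direct if a.role in COMPOSITE_ROLES]
    mapped = set()
    for a in direct:
        parents = [c for c in composites if a.role in COMPOSITE_ROLES[c.role]]
        if a.role in COMPOSITE_ROLES or not parents:
            mapped.add(a.role)
            continue
        identical = any((c.valid_from, c.valid_to) == (a.valid_from, a.valid_to)
                        for c in parents)
        if keep_redundant_profiles and not identical:
            mapped.add(a.role)  # redundant single role kept because validity differs
    return mapped


def effective_single_roles(direct):
    """Single roles the user account actually holds, directly or via composite roles.

    This is what an access review needs; SAPUserInSAPRole alone understates it.
    """
    effective = set()
    for a in direct:
        effective |= COMPOSITE_ROLES.get(a.role, {a.role})
    return effective
```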