
Identity Manager 8.1.5 - Administration Guide for Connecting to SAP R/3


Showing SAP authorizations

You can view authorization objects and authorizations of One Identity Manager roles and profiles in SAP. All single profiles with their associated authorization objects and fields are displayed in a hierarchical overview.

To display role authorizations

  1. Select the SAP R/3 | Roles category.
  2. Select the role in the result list.
  3. Select the Show SAP authorizations task.

To display profile authorizations

  1. Select the SAP R/3 | Profiles category.
  2. Select a profile in the result list.
  3. Select the Show SAP authorizations task.

Validity period of role assignments

You can enter a validity period for assigning SAP roles to user accounts. If no validity period is given to the role assignments, they are allocated the following validity dates by default:

  • Valid from: 1900-01-01
  • Valid to: 9999-12-31

These role assignments are therefore unlimited.

The SAPUserInSAPRole table contains all role assignments, both limited and unlimited.

The HelperSAPUserInSAPRole table contains only the role assignments that are currently valid. The Daily calculation of SAP user accounts assignments to SAP roles schedule controls the calculation of this table.


Assigning the validity period of direct role assignments

Direct assignments can occur in two different ways:

  1. Synchronizing role assignments

    The Valid from and Valid to columns are taken into account in the default mapping. Synchronization writes the validity period of role assignments into the One Identity Manager database.

  2. Direct assignment of SAP roles to user accounts in the Manager

    A validity period can be entered for direct assignment of SAP roles to user accounts. Valid from and Valid to dates are provisioned in the target system.


Configuring the validity period of indirect role assignments

When the validity period is calculated, the following configuration parameters are taken into account. These configuration parameters are disabled by default.

  • TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate

    Specifies whether the request's validity period is transferred when role assignments are requested.

    Not set: The request's validity period is transferred. If there is no validity period given, the default values of 1900-01-01 and 9999-12-31 are set.

    Set: The role assignment is unlimited.

  • TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate

    Controls reuse of existing profile assignments if another assignment for the same combination of user account and SAP role is added.

    Set: Existing role assignments are reused if the same assignment is created by different means of inheritance. The following applies:

    • The Valid from date of the existing assignment is in the past.
    • The Valid until date of the existing assignment is 9999-12-31 or the new assignment has the same Valid until date as the existing assignment.

    Any other unlimited assignment or any other assignment with the same Valid until date does not generate a new entry in the SAPUserInSAPRole table. This can reduce the number of entries in the SAPUserInSAPRole table.

    Not set: An entry in the SAPUserInSAPRole table is created for every new role assignment. Existing assignments are not reused.

    NOTE: In databases that are migrated from versions older than 7.0, you may see assignments with a Valid until date of 9998-12-31. This is a valid date for unlimited role assignments, which means that these assignments can also be reused.

  • TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom

    Specifies the value that the Valid from date of indirect role assignments contains when they are added.

    Not set: 1900-01-01

    Set: <today>

    IMPORTANT: Calculating indirect role assignments can become much slower depending on the amount of data to be processed.

    Do not set this configuration parameter if the information about when a role assignment's validity period starts is not absolutely necessary in SAP R/3.

To reuse an existing role assignment:

  • In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate configuration parameter.

To set the assignment's date as the first day of the role assignment's validity period

  • In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom configuration parameter.

To prevent the request's validity date being copied to the role assignment

  • In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate configuration parameter.

    This adds an unlimited role assignment.
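The following Python model is an added example, not One Identity Manager code: it applies the DoNotUsePWODate rule and the two ReuseInheritedDate conditions literally as listed above, so you can see when a time-limited request ends up as an unlimited assignment and when a new SAPUserInSAPRole entry would be created. The class and function names are hypothetical, the sample dates are constructed, and reading "in the past" as "before today" is an assumption.

```python
from dataclasses import dataclass
from datetime import date

DEFAULT_FROM, DEFAULT_UNTIL = date(1900, 1, 1), date(9999, 12, 31)
# 9998-12-31 also marks unlimited assignments in databases migrated from pre-7.0
UNLIMITED_UNTIL = {DEFAULT_UNTIL, date(9998, 12, 31)}

@dataclass(frozen=True)
class Assignment:
    """Validity period of one user account / SAP role assignment (hypothetical model)."""
    valid_from: date
    valid_until: date

def from_request(req_from, req_until, do_not_use_pwo_date):
    """Validity period a requested role assignment receives, per DoNotUsePWODate."""
    if do_not_use_pwo_date:                      # Set: the assignment is unlimited
        return Assignment(DEFAULT_FROM, DEFAULT_UNTIL)
    # Not set: the request's period is transferred; defaults replace missing dates
    return Assignment(req_from or DEFAULT_FROM, req_until or DEFAULT_UNTIL)

def can_reuse(existing, new, today):
    """The two conditions that apply when ReuseInheritedDate is set."""
    started = existing.valid_from < today        # assumption: "in the past" = before today
    same_end = (existing.valid_until in UNLIMITED_UNTIL
                or existing.valid_until == new.valid_until)
    return started and same_end

def add_assignment(rows, new, today, reuse_inherited_date):
    """Rows for one user account / role pair after `new` is added."""
    if reuse_inherited_date and any(can_reuse(r, new, today) for r in rows):
        return list(rows)                        # existing entry reused, no new row
    return list(rows) + [new]                    # Not set, or no reusable entry: new row

def demo():
    today = date(2024, 6, 1)                     # constructed sample data
    limited = from_request(date(2024, 5, 1), date(2024, 12, 31), False)
    widened = from_request(date(2024, 5, 1), date(2024, 12, 31), True)
    rows = [Assignment(DEFAULT_FROM, DEFAULT_UNTIL)]
    second = from_request(None, None, False)     # another unlimited assignment
    return (limited.valid_until, widened.valid_until,
            len(add_assignment(rows, second, today, True)),
            len(add_assignment(rows, second, today, False)))

if __name__ == "__main__":
    print(demo())
```

In the model, the same request that ends on 2024-12-31 with DoNotUsePWODate not set becomes a 9999-12-31 assignment once the parameter is set, which is the effect to check for when reviewing time-limited access.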
