サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.2.1 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Troubleshooting an SAP R/3 connection Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Adding SAP groups, SAP roles, and SAP profiles to the IT Shop

NOTE: Only profiles that are not assigned to IT Shop roles can be assigned to SAP shelves.

When you assign a group, a role, or a profile to an IT Shop shelf, it can be requested by the shop customers. To ensure it can be requested, further prerequisites need to be guaranteed:

  • The group , the role, or the profile must be labeled with the IT Shop option.

  • The group , the role or profile must be assigned a service item.

    TIP: In the Web Portal, all products that can be requested are grouped together by service category. To make the group, the role, or profile easier to find in the Web Portal, assign a service category to the service item.

  • If you only want the group, the role or profile to be assigned to identities through IT Shop requests, the group, the role or the profile must also be labeled with the Use only in IT Shop option. Direct assignment to hierarchical roles or user accounts is no longer permitted.

NOTE: With role-based login, the IT Shop administrators can assign groups, roles, and profiles to IT Shop shelves. Target system administrators are not authorized to add groups, roles, and profiles to IT Shop.

To add a group, a role, or a profile to the IT Shop.

  1. In the Manager, select the SAP R/3 > Groups or SAP R/3 > Roles or SAP R/3 > Profiles (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements > SAP groups or Entitlements > SAP roles or Entitlements > SAP profiles (role-based login) category.

  2. In the result list, select the group, the role or the profile.

  3. Select the Add to IT Shop task.

  4. Select the IT Shop structures tab.

  5. In the Add assignments pane, assign the group, the role or profile to the IT Shop shelves.

  6. Save the changes.

To remove a group, a role or profile from individual shelves of the IT Shop

  1. In the Manager, select the SAP R/3 > Groups or SAP R/3 > Roles or SAP R/3 > Profiles (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements > SAP groups or Entitlements > SAP roles or Entitlements > SAP profiles (role-based login) category.

  2. In the result list, select the group, the role or the profile.

  3. Select the Add to IT Shop task.

  4. Select the IT Shop structures tab.

  5. In the Remove assignments pane, remove the group the role or profile from the IT Shop shelves.

  6. Save the changes.

To remove a group, a role or profile from all shelves of the IT Shop

  1. In the Manager, select the SAP R/3 > Groups or SAP R/3 > Roles or SAP R/3 > Profiles (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements > SAP groups or Entitlements > SAP roles or Entitlements > SAP profiles (role-based login) category.

  2. In the result list, select the group, the role or the profile.

  3. Select the Remove from all shelves (IT Shop) task.

  4. Confirm the security prompt with Yes.
  5. Click OK.

    The group , the role, or the profile is removed from all shelves by the One Identity Manager Service. All requests and assignment requests with this group, this role or profile are canceled.

For more information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Related topics

Assignment and inheritance of SAP profiles and SAP roles to SAP user accounts

The following SAP sided limitation influence the user account assignment and inheritance of profiles and roles in One Identity Manager.

  • Composite profiles can be put together from 0...n profiles or composite profiles. If a user account is assigned a composite profile, the target system only returns the user account membership in the assigned composite profile and not the membership in subprofiles.

  • Single roles can put together from 0..n profiles. Only profiles that are not composite profiles can be assigned. Profiles that are assigned to a single role can no longer be assigned to a user account.

  • Composite roles can be made up of 0...n single roles. Assignment of profiles or composite profiles to composite roles is not possible.

These limitations result in the following:

In assignment:

  • Triggering prevents the assignment of roles which are assigned to single roles, to user accounts, products, roles, and identities.

In inheritance behavior:

  • If a user account is assigned a composite role that owns single roles, the single roles are not added to the SAPuserInSAPGroupTotal table.

  • If a user account is assigned a single role that owns profiles, the profiles are not added to the SAPUserInSAPProfile table.

  • If a user account is assigned a single role and this single role is part of a composite role that is also assigned to this user account, the single role is not added to the SAPUserInSAPRole table under certain circumstances:

    • The validity period of both assignments is identical.

      - OR -

    • The TargetSystem | SAPR3 | KeepRedundantProfiles configuration parameter is not set.

  • If a user account is assigned a composite profile with child profiles, the child profiles are not added to the SAPUserInSAPProfile table. If a child profile is additionally directly assigned to the user account, then the SAPUserInSAPProfile table also contains this direct assignment.

If a user account obtains additional roles or profiles through a reference user, these roles or profiles are only added in the SAPUserInSAPRole and SAPUserInSAPProfile tables for the reference user. When company resources assigned to an identity (PersonHasObject table) are calculated, the roles and profiles inherited by a user account through single roles, composite roles, composite profiles, and reference users are also taken into account.

Related topics

Configuring single role assignment

Only directly assigned single and composite roles are mapped in SAPUserInSAPRole. Assignments of single roles to composite roles are mapped in SAPCollectionRPG. You can establish which single roles are indirectly assigned to a user account through both tables.

The following applies by default for the inheritance of single roles by user accounts: If a single role is assigned to a user account and this single role is part of a composite role that is also assigned to the user account, then the assignment of the single role is additionally mapped in the SAPUserInSAPRole table if the validity period of the assigned single and composite role is not identical.

To not map memberships in single roles in the SAPUserInSAPRole table if the single roles are part of assigned composite roles

  • In the Designer, disable the TargetSystem | SAPR3 | KeepRedundantProfiles configuration parameter.

    The table contains only the membership in the composite role.

Effect of the KeepRedundantProfiles configuration parameter

A single role is assigned to a user account, as well as a composite role that contains this single role.

  • The configuration parameter is set. Both role assignments have a different validity period.

    The SAPUserInSAPRole table contains both the composite role assignment and the single role assignment.

  • The configuration parameter is set. Both role assignments have the same validity period.

    The SAPUserInSAPRole table contains only the assignment of the composite role.

  • The configuration parameter is not set.

    The SAPUserInSAPRole table contains only the assignment of the composite role. This applies regardless of the validity period of either role assignment.

Related topics

Inheriting SAP profiles and SAP roles in a central user administration

If user accounts are managed through the central user administration, SAP roles and profiles can only inherited by user accounts if the user accounts have access permission for the client that the role and profiles belong to. By default, roles and profiles can only be inherited by user account if access to the clients is guaranteed explicitly. Otherwise, the roles and profiles are not inherited.

User accounts can be granted the missing client access automatically as soon as a role or profile is inherited by the client.

To automatically grant missing access permission to user accounts

  • In the Designer, set the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter.

The missing access permission is granted when inheritance is calculated (entry in the SAPUserMandant table) and the roles and profiles are assigned to the user accounts.

WARNING: As inheritance is an automated process, user accounts can therefore be given access permission to clients without the target system owners knowing about it.

Related topics
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択