Until One Identity Manager (1IM) version 8.0 it was possible to assign SAPUsers to SAPRoles of another client (of the same CUA). This was possible both by inheritance and direct assignment. In this case, the system automatically generated any missing assignment of the user to the client (SAPUserInSAPMandant).
Since version 8.1 this behavior was changed. Now the assignments of SAPUsers (of the central client) to child clients of the same CUA can be managed via account definitions. In this context, the function that client assignments are created automatically has been dropped.
This change significantly restricts the functionality that was still available in 8.0. Even if this is the correct implementation from a governance and security perspective, this does not correspond to the behavior in SAP directly (there it is also possible to assign a role to a user from another client, the logon authorisation in this client is then also automatically generated by SAP).
For this reason, the old behavior (configurable) should also be available again in 8.1.
This is a product defect (33624).
WORKAROUND
None
STATUS
This will be fixed in a future release of the product. If you require this immediately corrected, please contact Support for a hotfix referencing the defect ID 33624.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center