Direct assignments can occur in two different ways:
-
Synchronizing profile assignments
The Valid from and Valid to columns are taken into account in the default mapping. Synchronization writes the validity period of profile assignments in the One Identity Manager database.
-
Direct assignment of structural profiles to user accounts in the Manager
If structural profiles are assigned directly to user accounts, you can add a validity period. Valid from and Valid to dates are provisioned in the target system.
Related topics
When the validity period is calculated, the following configuration parameters are taken into account. These configuration parameters are disabled by default.
-
TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate
Specifies whether the request's validity period is transferred when profile assignments are requested.
Not set: The request's validity period is transferred. If there is no validity period given, the default values of 1900-01-01 and 9999-12-31 are set.
Set: The profile assignment is unlimited.
-
TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate
Controls reuse of existing profile assignments.
Set: Existing unlimited profile assignments are reused if the same assignment is created by different means of inheritance. The following applies:
-
The Valid from date of the existing assignment is in the past.
-
The Valid until date of the existing assignment is 9999-12-31 or the new assignment has the same Valid until date as the existing assignment.
Any other unlimited assignment or any other assignment with the same Valid until date does not generate a new entry in the SAPUserInSAPHRP table. This can reduce the number of entries in the SAPUserInSAPHRP table.
Not set: An entry in the SAPUserInSAPHRP table is created for every new profile assignment. Existing assignments are not reused.
NOTE: In databases that are migrated from versions older than 7.0, you may see assignments with a Valid until date of 9998-12-31. This is a valid date for unlimited profile assignments, which means that these assignments can also be reused.
-
TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom
Specifies the value that indirect profile assignments' Valid from date contain when they are added.
Not set: 1900-01-01
Set: <today>
IMPORTANT: Depending on the amount of data to be handled, the calculation of indirect profile assignments is noticeably slowed down by this.
Do not set this configuration parameter if the information about when a profile assignment's validity period starts is not absolutely necessary in SAP R/3.
To reuse an existing profile assignment:
- In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate configuration parameter.
To set the assignment's date as the first day of the profile assignment's validity period
To prevent the request's validity date being copied to the profile assignment
-
In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate configuration parameter.
This adds an unlimited profile assignment.
Related topics
Structural profiles that are assigned to departments, cost centers, locations, or business roles are indirectly assigned through them to user accounts. By default, indirect assignments are unlimited. The TargetSystem | SAPR3 | ValidDateHandling configuration parameter is used to determine the validity period of indirect assignments.
You can enter a valid from date if the requests are made in the IT Shop. An entry in SAPUserInSAPHRP table only exists between the first and last days of the request's validity period. The request's validity period is copied to profile assignments under the following prerequisites:
By default, an entry in the SAPUserInSAPHRP table is created for every new profile assignment. If the same assignment is created by different means of inheritance, the number of entries in the SAPUserInSAPHRP table grows rapidly. In this case, if the validity period is identical, the same entries can be reused. Existing profile assignments can be reused under the following prerequisites:
-
The Valid from date of the existing assignment is in the past.
-
The Valid until date of the existing assignment is 9999-12-31 or the new assignment has the same Valid until date as the existing assignment.
Any other unlimited assignment or any other assignment with the same Valid until date does not generate a new entry in the SAPUserInSAPHRP table. The number of entries in the SAPUserInSAPHRP table can be reduced in this way.
NOTE: In databases that are migrated from versions older than 7.0, you may see assignments with a Valid until date of 9998-12-31. This is a valid date for unlimited profile assignments, which means that these assignments can also be reused.
By default, the first day that indirect assignments are valid is 1900-01-01. This does not tell us when the assignments were created. If you need this information, in the Valid from field, you can enter the date on which the structural profile will be assigned. The date of the assignment is set as the first valid day of the indirect profile assignments under the following prerequisites:
IMPORTANT: Depending on the amount of data to be handled, the calculation of indirect profile assignments is noticeably slowed down by this.
Do not set the UseTodayForInheritedValidFrom configuration parameter if the information about the valid from date of the profile assignment is not absolutely necessary in SAP R/3!
Detailed information about this topic
Related topics
Personnel planning data and parts of the organization structure from the One Identity Manager HCM system can be mapped in SAP. Set up a synchronization project to import personnel planing data. For more information, see Setting up a synchronization project for synchronizing with an SAP HCM system. For all objects imported into the One Identity Manager database in this way, SAP R/3 is given as the import data source (ImportSource = 'SAP' column).
Use this synchronization project to import employee main data and departments into One Identity Manager database. In addition, information about identities, working hours, communication data, and department managers are imported. This information can be evaluated during identity audit by assigning employees to SAP user accounts.
Furthermore, you can configure synchronization for other personnel planning data. For more information, see Setting up a synchronization project for synchronizing additional personnel planning data.