지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.1 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Base data for SAP functions Finding non-compliant authorizations Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Creating authorization definitions in the Authorization Editor

Use the Authorization Editor to set up the SAP function authorization definition. To do this, group SAP applications and authorization objects together that should be covered by the SAP function.

To compile an authorization definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.
  2. Select the function definition in the result list.
  3. Select the Authorization Editor task.
  4. Select one of the following tasks.
    • 1. Add by menu template

      Select from which menu you want to select the menu items and the SAP system whose menu tree should be displayed. Then select a menu item from the menu tree. Transaction codes that are linked to a menu item are shown in brackets in the menu tree as additional information.

      All the transactions and their authorization objects are loaded that can be called from the selected menu item or its submenu items.

    • 2. Add by SAP application

      Select the type of SAP application and the SAP application whose authorization objects should be loaded into the Authorization Editor. All authorization object are added that are linked with the selected SAP application. You can defined a file to list the limit the number of SAP applications available.

    • 3. Add via existing function definition

      Select an existing function definition whose authorization definition is to be loaded into the Authorization Editor.

      Only the enabled function definitions can be selected.

  5. Specify details for each element in the Authorization Editor.

  6. Save the changes.

The functionality of the Authorization Editor is based on the SAPGUI Authorization Editor. The columns in the Authorization Editor have the following meaning.

Table 11: Properties of an authorization definition

Property

Description

Function definition / SAP application / authorization / function element

Function definition hierarchy. SAP applications, their associated authorization objects and function elements are mapped in a hierarchy.

Processing status

Processing status of hierarchy objects.

: No value is specified for the function element.

: A value is specified for the function element.

Add

Click +, to add more objects to the authorization definition. This adds a sub object.

Click C, to copy the function element.

Remove

Click -, to remove objects from the authorization definition.

Description

Object description.

Any

Click *, to define the value of a function element as * (any value).

Value / lower limit

Values permitted for the function element. For example, you can limit SAP authorizations to specific SAP groups. When you specify a range, enter the lower limit here.

Values can be added as variables. System variables can also be used.

Wildcards can be used in the values. For more information, see Syntax examples for values.

Display value / lower limit

Display name for the function element's value, when a hash value is specified, for example.

Upper scope limit

Upper limit for the range of a function element Values can be added as variables.

Table 12: Syntax examples for values

Syntax (example)

SAP authorization is tested for

Example for value in the SAP system

*

Any value

abc

1234

Any string (from)

Exact given value

abc

[*]

The value *

*

String[*] (abc[*])

Values beginning with the given string and ending with *

from*

String* (abc[*])

Values beginning with the given string and ending with any string

from*

abcd

Comma delimited list (abc, 1234, d*)

A value contained in the list

Comma-delimited lists can only be used with ACTVT elements. This list is used like a string on other function elements.

abc

1234

c*

cde

Variable ($Var$)

Value stored in the variable

System variable ($var)

Value stored in the system variable

All function elements in an SAP application that are defined in a separate row must be fulfilled for the SAP function to match. If the SAP functions should only match when an SAP profile has one of several possible instances of one and the same function element, define this instance as a comma-delimited list of values for this function element.

To edit the properties of the selected object

  • Double-click on a function element in the Authorization Editor.

    You can edit the description of the function element and the upper and lower limits.

Table 13: Function element properties

Property

Description

Type

Specifies whether the selected function element is an activity or a authorization field.

Name

Name of the function element.

Lower limit, upper limit

Values permitted for the function element. When you specify a range, enter a lower and an upper limit. Values can be added as variables.

Click to select variables from the variable definitions available.

Description

Detailed description of the function elements.

Detailed information about this topic
Related topics

Checking authorization objects for completeness

One Identity Manager uses this task to test whether all authorization objects that belong to an SAP application occur in the authorization definition.

To test an authorization definition for completeness

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Authorization Editor task.

  4. Select the Check authorization objects for completeness task.

    Missing authorization objects are displayed in a separate window.

  5. Enable the Add option on the authorization object you want to add to the authorization definition.

  6. When all missing authorization objects are edited, click OK.

    The authorization objects can now be edited in the authorizations editor.

Related topics

Authorization overview

Function elements are displayed in a flat structure in the authorization overview.

To display an overview of all function elements

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.

  2. Select the function definition in the result list.

  3. Select the Authorization overview task.

To display an overview of all function elements

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Authorization overview task.

    You can edit all the object properties here.

Related topics

Creating working copi

To modify an existing function definition, you required a working copy of the function definition. The working copy can be created from the active function definition. The data of an existing working copy are overwritten with the data from the active function definition, after prompting.

To create a working copy

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.
  2. Select the function definition in the result list.
  3. Select the Create working copy task.
  4. Confirm the security prompt with Yes.
Related topics
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택