
Identity Manager 9.2.1 - Administration Guide for the SAP R/3 Compliance Add-on


Notes on authorization definitions

Take the following advice into account when you create an authorization definition in the authorization editor.

  • To add an additional activity value to an authorization object, click +. You can enter more than one activity value by OR-ing them together.

  • To add an additional value for an authorization field to an authorization object, click C next to the authorization field.

  • The same authorization object cannot be added more than once to an authorization definition.


Authorization definition properties and their values

The functionality of the Authorization Editor is based on the SAPGUI Authorization Editor. The columns in the Authorization Editor have the following meaning.

Table 3: Properties of an authorization definition

| Property | Description |
|---|---|
| Function definition / SAP application / authorization / function element | Function definition hierarchy. SAP applications, their associated authorization objects and function elements are mapped in a hierarchy. |
| Processing status | Processing status of hierarchy objects: either no value is specified for the function element, or a value is specified for the function element. |
| Add | Click + to add more objects to the authorization definition. This adds a sub-object. Click C to copy the function element. |
| Remove | Click - to remove objects from the authorization definition. |
| Description | Object description. |
| Any | Click * to define the value of a function element as * (any value). |
| Value / lower limit | Values permitted for the function element. For example, you can limit SAP authorizations to specific SAP groups. When you specify a range, enter the lower limit here. Values can be added as variables. System variables can also be used. Wildcards can be used in the values. For more information, see Syntax examples for values. |
| Upper scope limit | Upper limit for the range of a function element. Values can be added as variables. Values concatenated with , and * are not permitted. If Lower limit contains values concatenated with , or *, you cannot enter an upper limit. |

Table 4: Syntax examples for values

| Syntax (example) | SAP authorization is tested for | Input value examples |
|---|---|---|
| * | Any value. Can only be used as a single value. An upper scope limit cannot be specified. | ab or 1234 |
| Any string (from) | Exact given value | abc |
| [*] | The value * | * |
| String[*] (abc[*]) | Values that contain exactly this string and *. | from* |
| String* (abc[*]) | Values beginning with the given string and ending with any string. Can only be used as a single value. An upper scope limit cannot be specified. | abcd or ab* |
| OR (01,02,78) | One of the values contained in the list. ORing cannot be used for the upper scope limit. Can only be used as a single value. An upper scope limit cannot be specified. | 01 or 02 or 78 |
| [*],[,],[+] (FM[+]7) | Values that contain special characters | FM+7 |
| Variable ($Var$) | Value stored in the variable | |
| System variable ($var) | Value stored in the system variable | |

All function elements in an SAP application that are defined in a separate row must be fulfilled for the SAP function to match. If the SAP function can only match when an SAP profile has one of several possible characteristics of a function element, define these instances by ORing them.

To edit the properties of the selected object

  • Double-click on a function element in the Authorization Editor.

    You can edit the description of the function element and the upper and lower limits.

Table 5: Function element properties

| Property | Description |
|---|---|
| Type | Specifies whether the selected function element is an activity or an authorization field. |
| Name | Name of the function element. |
| Lower limit, upper limit | Values permitted for the function element. When you specify a range, enter a lower and an upper limit. Values can be added as variables. Click to select variables from the variable definitions available. |
| Description | Detailed description of the function elements. |


Using variables

You can set fixed values for function elements in authorization definitions. Alternatively, you can use variables so that one function definition can be used for different function instances. The following rules apply:

  • Variable name

    • Begins with a letter
    • Only contains letters, numbers, and underscore
    • Is enclosed in $ signs

    Example: $Var_01$

    NOTE: Variable names cannot begin with system variable names.
  • Value

    | Syntax (example) | SAP authorization is tested for | Input value examples |
    |---|---|---|
    | * | Any value. Can only be used as a single value. An upper scope limit cannot be specified. | ab or 1234 |
    | Any string (from) | Exact given value | abc |
    | [*] | The value * | * |
    | String[*] (abc[*]) | Values that contain exactly this string and *. | from* |
    | String* (abc[*]) | Values beginning with the given string and ending with any string. Can only be used as a single value. An upper scope limit cannot be specified. | abcd or ab* |
    | OR (01,02,78) | One of the values contained in the list. ORing cannot be used for the upper scope limit. Can only be used as a single value. An upper scope limit cannot be specified. | 01 or 02 or 78 |
    | [*],[,],[+] (FM[+]7) | Values that contain special characters | FM+7 |

In addition to self-defined variables, you can use system variables in the authorization definition. System variables have the following syntax: ${character}+ (example: $AUFART).

The authorization check must be able to identify each variable uniquely. Therefore, the name of a self-defined variable must not match a system variable name or begin with one.
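A lint pass over an authorization definition that applies the rules stated in the tables and in this section: limit restrictions, escaped special characters, variable naming, and the one-object-per-definition rule. This is an added example, not One Identity code. The object and element names in the sample are constructed placeholders, and ASCII-only variable names and a case-insensitive comparison with system variable names are assumptions.

```python
import re

ESCAPE = re.compile(r"\[[*,+]\]")    # [*] [,] [+] stand for the literal character
USER_VAR = re.compile(r"\$([A-Za-z][A-Za-z0-9_]*)\$")  # assumption: ASCII letters

def has_operator(value):
    """True if value holds an unescaped ',' (OR list) or '*' (wildcard)."""
    bare = ESCAPE.sub("", value)
    return "," in bare or "*" in bare

def check_limits(lower, upper=""):
    """Return the limit rules from the tables above that this pair breaks."""
    found = []
    if upper and has_operator(upper):
        found.append("upper limit must not contain ',' or '*'")
    if upper and has_operator(lower):
        found.append("no upper limit allowed when lower limit uses ',' or '*'")
    return found

def check_variable(token, system_vars):
    """Return the naming rules a self-defined variable such as $Var_01$ breaks."""
    m = USER_VAR.fullmatch(token)
    if not m:
        return ["variable name must start with a letter, contain only letters, "
                "digits and underscore, and be enclosed in $"]
    # Assumption: the comparison with system variable names ignores case.
    return [f"variable name begins with system variable ${s}"
            for s in sorted(system_vars)
            if m.group(1).upper().startswith(s.upper())]

def lint_definition(objects, system_vars):
    """objects: [(authorization object, [(element, lower, upper), ...]), ...]"""
    findings, seen = [], set()
    for obj, elements in objects:
        if obj in seen:
            findings.append((obj, None, "authorization object added more than once"))
        seen.add(obj)
        for element, lower, upper in elements:
            msgs = check_limits(lower, upper)
            # $name$ tokens are self-defined variables; $name alone is a system variable.
            for token in re.findall(r"\$\w*\$", f"{lower} {upper}"):
                msgs += check_variable(token, system_vars)
            findings += [(obj, element, msg) for msg in msgs]
    return findings

# Constructed sample: object and element names are placeholders, not from the page.
SAMPLE = [
    ("Z_OBJ_A", [("ACTVT", "01,02,78", ""), ("FIELD1", "FM[+]7", "FM[+]9")]),
    ("Z_OBJ_B", [("FIELD2", "ab*", "az"), ("FIELD3", "$AUFART_2$", "")]),
    ("Z_OBJ_A", [("FIELD4", "10", "2*")]),
]
FINDINGS = lint_definition(SAMPLE, {"AUFART"})
```

`FINDINGS` holds one tuple per broken rule (object, element, message), so the escaped range `FM[+]7` to `FM[+]9` passes while the wildcard lower limit with an upper limit, the `$AUFART_2$` name, the repeated object, and the wildcard upper limit are each reported.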


Checking authorization objects for completeness

One Identity Manager uses this task to test whether all authorization objects that belong to an SAP application occur in the authorization definition.

To test an authorization definition for completeness

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Authorization Editor task.

  4. Select the Check authorization objects for completeness task.

    Missing authorization objects are displayed in a separate window.

  5. Enable the Add option on the authorization object you want to add to the authorization definition.

  6. When all missing authorization objects are edited, click OK.

    The authorization objects can now be edited in the Authorization Editor.
