Rule conditions for SAP functions
To define new rules for SAP functions
- In the Manager, select the Identity Audit > Rules category.
- Click in the result list.
- Enter the main data of the rule.
- Set the Rule for cyclical testing and risk analysis in IT Shop option.
- Limit the affected permissions with the at least one function option and select the SAP functions to test.
- If you have selected more than one SAP function, under number of entitlements assigned, specify how many SAP functions must be matched to violate the rule.
- If SAP authorizations in combination result in a rule violation, enter a rule block for each SAP function.
- Save the changes. This adds a working copy.
- Select the Enable working copy task and confirm the security prompt with Yes. This adds an enabled rule in the database. The working copy is retained and can be used to make changes later.
Figure 5: Condition for SAP functions
When One Identity Manager tests rules, it finds all the identities whose assigned SAP users match the SAP functions that are given in the rule. An SAP user matches an SAP function when:
- An SAP role assigned to the SAP user account matches the SAP function
- OR -
- An SAP role assigned to a reference user matches the SAP function - AND - the SAP user account is assigned this reference user.
For more information about creating rule conditions, see the One Identity Manager Compliance Rules Administration Guide.
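The matching logic above, sketched in Python as an added example (not One Identity Manager's own code or data model). All class, function, role and SAP function names are constructed for illustration, and the sketch assumes matches are combined across all SAP user accounts of an identity.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SapUser:
    name: str
    roles: set = field(default_factory=set)   # SAP roles assigned directly
    reference_user: Optional[str] = None      # assigned reference user, if any

def matched_functions(user, users, role_functions):
    """SAP functions an account matches directly or through its reference user."""
    roles = set(user.roles)
    ref = users.get(user.reference_user)
    if ref is not None:
        roles |= ref.roles                    # roles reached via the reference user
    matched = set()
    for role in roles:
        matched |= role_functions.get(role, set())
    return matched

def find_violations(identities, users, role_functions, rule_functions, min_matches):
    """Identities matching at least min_matches of the rule's SAP functions.
    Assumption: matches from all accounts of an identity are combined."""
    violations = {}
    for identity, accounts in identities.items():
        hit = set()
        for account in accounts:
            hit |= matched_functions(users[account], users, role_functions) & rule_functions
        if len(hit) >= min_matches:
            violations[identity] = sorted(hit)
    return violations

# Constructed sample data: which SAP functions each SAP role matches.
ROLE_FUNCTIONS = {"Z_VENDOR_MAINT": {"Maintain vendors"},
                  "Z_PAYMENT_RUN": {"Execute payments"},
                  "Z_DISPLAY": set()}
USERS = {u.name: u for u in [
    SapUser("ALICE01", {"Z_VENDOR_MAINT"}, reference_user="REF_FIN"),
    SapUser("REF_FIN", {"Z_PAYMENT_RUN"}),
    SapUser("BOB01", {"Z_VENDOR_MAINT"}),
    SapUser("CAROL01", {"Z_PAYMENT_RUN"}),
    SapUser("CAROL02", {"Z_DISPLAY"})]}
IDENTITIES = {"alice": ["ALICE01"], "bob": ["BOB01"], "carol": ["CAROL01", "CAROL02"]}
RULE = {"Maintain vendors", "Execute payments"}

if __name__ == "__main__":
    # Both functions required: only alice violates, one match coming via REF_FIN.
    print(find_violations(IDENTITIES, USERS, ROLE_FUNCTIONS, RULE, min_matches=2))
```

With `min_matches=1` the same data flags all three identities, which shows how the number of functions that must match changes the scope of the rule.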
Mitigating controls for compliance rules with SAP functions
Mitigating controls assigned to the function definitions to be tested are automatically copied to rules about SAP functions. Conditions:
- Active rules are assigned to a functional area and a department. 
- The function definitions to be tested are assigned to the same functional area and to the variable set associated with the same department. 
More rule violation reports
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. Additional reports can be created for enabled compliance rules for SAP functions.
Table 18: Reports about rule violations with SAP functions
| Report | Description |
| --- | --- |
| Rule violations with SAP applications | This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions. All function instances are listed with their SAP applications for each identity through which they violated the rule. SAP profiles and their authorization objects that match the SAP function are displayed for each SAP function. |
| Rule violations with SAP roles | This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions. SAP groups, SAP roles, and SAP profiles with their authorization objects are listed for each identity through which they violated the rule. |
| SAP roles and profiles with rule violations | The report shows all SAP roles and profiles that match SAP functions and thereby violate the selected rule. |

Mitigating controls for SAP functions
Violation of regulatory requirements can harbor different risks for companies. To evaluate these risks, you can apply risk indexes to SAP functions. These risk indexes provide information about the risk involved for the company if this particular SAP function is violated. Once the risks have been identified and evaluated, mitigating controls can be implemented.
Mitigating controls are independent of One Identity Manager’s functionality. They are not monitored through One Identity Manager.
Mitigating controls describe controls that are implemented if an SAP function was violated. The next calculation should not find any invalid authorizations for this SAP function once the controls have been applied.
To edit mitigating controls
- In the Designer, set the QER | CalculateRiskIndex configuration parameter and compile the database. 
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
For more information about mitigating controls, see the One Identity Manager Risk Assessment Administration Guide.