지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.3 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Basics of the authorization check Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Authorization definition properties and their values

The functionality of the Authorization Editor is based on the SAPGUI Authorization Editor. The columns in the Authorization Editor have the following meaning.

Table 16: Properties of an authorization definition

Property

Description

Function definition/ Authorization object class /Authorization object / Function element

Function definition hierarchy. The authorization objects and function elements are mapped in a hierarchical structure.

Processing status

Processing status of hierarchy objects.

: No value is specified for the function element.

: A value is specified for the function element.

Add

Click +, to add more objects to the authorization definition. This adds a sub object.

Click C, to copy the function element.

Remove

Click -, to remove objects from the authorization definition.

Description

Object description.

Any

Click *, to define the value of a function element as * (any value).

Value / lower limit

Values permitted for the function element. For example, you can limit SAP authorizations to specific SAP groups. When you specify a range, enter the lower limit here.

Values can be added as variables. System variables can also be used.

Wildcards can be used in the values. For more information, see Syntax examples for values.

Upper scope limit

Upper limit for the range of a function element Values can be added as variables.

Values combined with , and * are not permitted.

If value / lower range limit contains values combined with , or *, no upper range limit can be entered.

Function argument

Name of the function argument for the authorization object. The name is formatted automatically according to the naming convention given in the TargetSystem | SAPR3 | SAPRights | AbilityNamePattern configuration parameter. You can change it manually.

 

Table 17: Syntax examples for values

Syntax (example)

SAP authorization is tested for

Input value examples

*

Any value

Only use as a single value. You cannot specify an upper scope limit.

ab or 1234

Any string (from)

Exact given value

abc

[*]

The value *

*

String[*] (abc[*])

Values that contain exactly this string and *.

from*

String* (abc[*])

Values beginning with the given string and ending with any string

Only use as a single value. You cannot specify an upper scope limit.

abcd or ab*

OR link (01,02,78)

One of the values contained in the list

Do not use OR combinations for the upper range limit.

Only use as a single value. You cannot specify an upper scope limit.

01 or 02 or 78

Variable ($Var$)

Value stored in the variable

System variable ($var)

Value stored in the system variable

To edit the properties of a function element

  • Double-click on a function element in the Authorization Editor.

    You can edit the description of the function element and the upper and lower limits.

Table 18: Function element properties

Property

Description

Type

Specifies whether the selected function element is an activity or a authorization field.

Name

Name of the function element.

Lower limit, upper limit

Values permitted for the function element. When you specify a range, enter a lower and an upper limit. Values can be added as variables.

Click to select variables from the existing variable sets.

Description

Detailed description of the function elements.

Detailed information about this topic

Using variables

You can set fixed values for function elements in authorization definitions. Otherwise, you can implement variables to use a function definition for different function instances. For this, the following is valid:

  • Variable name

    • Begins with a letter
    • Only contains letters, numbers, and underscore
    • Is enclosed in $ signs

    Example: $Var_01$

    NOTE: Variable names cannot begin with system variable names.
  • Value

     

    Syntax (example)

    SAP authorization is tested for

    Input value examples

    *

    Any value

    Only use as a single value. You cannot specify an upper scope limit.

    ab or 1234

    Any string (from)

    Exact given value

    abc

    [*]

    The value *

    *

    String[*] (abc[*])

    Values that contain exactly this string and *.

    from*

    String* (abc[*])

    Values beginning with the given string and ending with any string

    Only use as a single value. You cannot specify an upper scope limit.

    abcd or ab*

    OR link (01,02,78)

    One of the values contained in the list

    Do not use OR combinations for the upper range limit.

    Only use as a single value. You cannot specify an upper scope limit.

    01 or 02 or 78

You can also use system variables as well as self-defined variables in the authorization definition. System variables have the following syntax: ${character}+ (example: $AUFART).

Variables must be uniquely identifiable by the authorization check. Therefore, names of self-defined variables may not match system variables or begin with system variable name.

Related topics

Enabling working copies

SAP authorizations are only checked on the basis of active SAP functions. When you enable a new working copy, it adds an active function definition. Changes to an existing working copy are accepted by enabling the active function definition.

To transfer changes from a working copy to a function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Enable working copy task.

  4. Confirm the security prompt with OK.

Related topics

Editing function definitions

A working copy is added to the database for every function definition. You can edit the working copies to change the function definitions. Enabling the working copy allows the function definition to be used productively. SAP authorizations are only checked on the basis of active function definitions.

NOTE: One Identity Manager users with the Identity & Access Governance | Identity Audit | Maintain SAP functions application role can edit existing working copies if they are entered as the manager in the main data.

To edit an existing function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

    1. Select a working copy in the result list.

    2. Select the Change main data task.

    - OR -

    In the Manager, select the Identity Audit > SAP functions > Function definitions category.

    1. Select the function definition in the result list.

    2. Select the Create working copy task.

      The data from the existing working copy are overwritten with the data from the active function definition, after prompting. The working copy is opened and can be edited.

  2. Edit the working copy's main data.

  3. Save the changes.
  4. Select the Enable working copy task and confirm the security prompt with Yes.

    The changes to the working copy are transferred to the active function definition.

Related topics
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택