Compliance rules can check the authorizations that an employee has in an SAP R/3 system through their user accounts and their group and role memberships, and they can also check the employee's effective authorizations. Effective write permissions are tested through SAP functions. To do this, SAP functions are added to rule conditions.
The validity period of role assignments is taken into account in the rule check.
For more detailed information about compliance rules, see the One Identity Manager Compliance Rules Administration Guide.
To define new rules for SAP functions
- Select the Identity Audit | Rules category.
- Click in the result list.
- Enter the master data for the rule.
- Set the Rule for cyclical testing and risk analysis in IT Shop option.
- Limit the affected permissions with the at least one function option and select the SAP function to test.
- If SAP authorizations in combination result in a rule violation, enter a rule block for each SAP function.
- Save the changes.
  This adds a working copy.
- Select the Enable working copy task. Confirm the security prompt with OK.
  This adds an enabled rule in the database. The working copy remains and can be used for making changes to the rule later.
Figure 4: Condition for SAP functions
When One Identity Manager tests rules, it finds all the employees whose assigned SAP users match the SAP functions that are given in the rule. An SAP user matches an SAP function when:
Detailed information about this topic
- One Identity Manager Compliance Rules Administration Guide
Mitigating controls assigned to the function definitions to be tested are automatically copied to rules about SAP functions. Conditions:
- Active rules are assigned to a functional area and a department.
- The function definitions to be tested are assigned to the same functional area and to the variable set associated with the same department.