One Identity Manager can be used to define rules that maintain and monitor regulatory requirements and automatically deal with rule violations. Define compliance rules to test entitlements or combinations of entitlements in the context of identity audit for employees in the company. On the one hand, existing rule violations can be found by checking rules. On the other hand, possible rule violations can be identified preemptively and thus prevented.
Figure 1: Identity audit in One Identity Manager
In addition to rule checking, One Identity Manager offers a very detailed examination of the effective authorizations of SAP user accounts in SAP R/3 target systems. By linking SAP user accounts to employees, combinations of SAP authorizations that an employee obtains through different SAP user accounts can be checked. Potentially dangerous authorizations and combinations of them can easily be recognized this way and the necessary action taken.
SAP authorizations are verified on the basis of the SAP applications permitted for a user account and the associated authorization objects. To do this, in One Identity Manager, you define SAP functions that group together the SAP applications and authorization objects. One Identity Manager finds all the SAP roles and profiles that have exactly these authorization objects assigned to them. User accounts match the SAP functions if they are members of the SAP roles and profiles that have been found.
In order to check whether there are potentially dangerous SAP authorizations in the company, define SAP functions that are critical for these authorizations. Find out which employees match these SAP functions by using compliance rules.
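The following Python is an added, simplified model of the matching described above; it is not One Identity Manager code, and all role names, accounts, authorization objects and values are constructed. It shows why accounts must be linked to employees: two accounts in different clients each look harmless on their own, but their combined authorizations match the critical SAP function.

```python
# Added illustrative model of the matching described above, not One
# Identity Manager code; all names, roles and values are constructed.
# Authorization objects (object, value) granted by each SAP role/profile.
ROLE_AUTH_OBJECTS = {
    "Z_FI_POST": {("S_TCODE", "FB01"), ("F_BKPF_BUK", "1000")},
    "Z_FI_PAY": {("S_TCODE", "F110"), ("F_REGU_BUK", "1000")},
    "Z_HR_VIEW": {("S_TCODE", "PA20")},
}
# SAP user accounts (client/user) and the roles assigned to them.
ACCOUNT_ROLES = {
    "100/JDOE": {"Z_FI_POST"},
    "200/JDOE": {"Z_FI_PAY"},
    "100/ASMITH": {"Z_HR_VIEW"},
}
# Employees and the SAP user accounts linked to them.
EMPLOYEE_ACCOUNTS = {
    "jdoe": ["100/JDOE", "200/JDOE"],
    "asmith": ["100/ASMITH"],
}
# A critical SAP function: posting invoices combined with running payments.
SAP_FUNCTIONS = {
    "FI_POST_AND_PAY": {("S_TCODE", "FB01"), ("S_TCODE", "F110")},
}

def account_auth_objects(account):
    """Effective authorization objects of a single SAP user account."""
    objs = set()
    for role in ACCOUNT_ROLES.get(account, ()):
        objs |= ROLE_AUTH_OBJECTS.get(role, set())
    return objs

def employee_auth_objects(employee):
    """Union over all SAP user accounts linked to the employee."""
    objs = set()
    for account in EMPLOYEE_ACCOUNTS.get(employee, ()):
        objs |= account_auth_objects(account)
    return objs

def matches(auth_objects, function):
    """True if every authorization object of the SAP function is held."""
    return SAP_FUNCTIONS[function] <= auth_objects

def accounts_matching(function):
    """Accounts that match on their own: the per-account view."""
    return sorted(a for a in ACCOUNT_ROLES if matches(account_auth_objects(a), function))

def employees_matching(function):
    """Employees that match once all their linked accounts are combined."""
    return sorted(e for e in EMPLOYEE_ACCOUNTS if matches(employee_auth_objects(e), function))
```

In the constructed data, `accounts_matching` finds nothing while `employees_matching` reports jdoe, which is the combination the employee-level check is meant to surface.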
If employees are granted SAP authorizations through IT Shop requests, authorizations that are not permitted can be detected and handled at the time of the request by using the appropriate approval procedures. For more information about approval procedures in the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Based on this information, you can make corrections to data in One Identity Manager and transfer them to the connected SAP R/3 systems. The integrated report function in One Identity Manager can be used to provide information for the appropriate tests.
NOTE: Compliance Rules Module and SAP R/3 Compliance Add-on Module must be installed in order to set up and analyze SAP functions.
NOTE: You cannot use SAP functions to check the authorizations in the child systems of a central user administration.
The following users are used for the administration of SAP functions.
Table 1: Users
Users: Compliance rules administrators
Tasks: Administrators must be assigned to the Identity & Access Governance | Identity Audit | Administrators application role.
Users with this application role:
- Enter base data for setting up company policies.
- Create compliance rules and assign rule supervisors to them.
- Can start rule checking and view rule violations as required.
- Create reports about rule violations.
- Define SAP functions and assign these to managers.
- Define function instances and variable sets for SAP functions.
- Enter mitigating controls.
- Create and edit risk index functions.
- Monitor Identity Audit functions.
- Administer application roles for rule supervisors, exception approvers and attestors.
- Set up other application roles as required.
Users: Responsible for maintaining SAP functions
Tasks: Administrators must be assigned to the Identity & Access Governance | Identity Audit | Maintain SAP functions application role or a child application role.
Users with this application role:
- Are responsible for SAP function contents.
- Edit working copies of function definitions for which they are responsible.
- Define function instances and variable sets for SAP functions.
- Assign mitigating controls.
Users: One Identity Manager administrators
Tasks: One Identity Manager administrators and administrative system users. Administrative system users are not added to application roles.
One Identity Manager administrators:
- Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
- Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
- Enable or disable additional configuration parameters in the Designer as required.
- Create custom processes in the Designer as required.
- Create and configure schedules as required.
Users: Compliance and security officer
Tasks: Compliance and security officers must be assigned to the Identity & Access Governance | Compliance & Security Officer application role.
Users with this application role:
- View all compliance-relevant information and other analyses in the Web Portal. This includes attestation policies, company policies and policy violations, compliance rules and rule violations, critical SAP functions, and risk index functions.
- Edit attestation policies.
All the information regarding SAP authorizations, SAP users, SAP roles, and SAP profiles must be transferred to the One Identity Manager database so that One Identity Manager can test the effective SAP authorizations based on SAP functions.
Setting Up SAP Functions
- In the Designer, set the QER | ComplianceCheck and the TargetSystem | SAPR3 | SAPRights configuration parameters.
NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
- Set up a synchronization project for synchronizing the necessary SAP schema types and start synchronization.
SAP authorizations are verified on the basis of the SAP applications permitted for an SAP user account and the associated authorization objects. Authorization objects and SAP applications must be loaded into the One Identity Manager database first before you can create SAP functions. For each client, create a synchronization project for synchronizing the necessary schema types. A separate project template is required for this.
Use the Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3 environment.
NOTE: Only one synchronization project can be created per target system and default project template.
To set up a synchronization project for SAP authorization objects:
- Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following special features apply:
NOTE: You cannot use SAP functions to check the authorizations in the child systems of a central user administration. Set up the synchronization project for one client only, which is not a system.
  - In the project wizard on the Select project template page, select the SAP R/3 authorization objects project template.
  - The Restrict target system access page is not displayed. The target system is only loaded.
For more information, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
- Configure and set a schedule to run synchronization regularly.
For more information, see the One Identity Manager Target System Synchronization Reference Guide.