Importing function definitions
To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.
When importing SAP functions from an existing CSV file, the function definitions contained in the CSV file are transferred to the database as working copies. The following data fields must be in the CSV file so that function definitions can be imported.
Table 19: Data fields for importing function definitions
Function |
Function definition |
TransactionType |
Suggested authorization value |
Object |
Authorization objects |
Field |
Authorization field |
Value From |
Value/lower scope limit |
Value To |
Upper scope limit |
State |
No equivalent.
The import status controls which data records are imported into One Identity Manager.
1: Import |
Process (optional) |
Category |
Function description (optional) |
Description of the function definition. |
Risk evel (optional) |
Significance
Possible values are {Low|Medium|High|Critical}. |
Transaction (optional) |
Transaction code |
AUTHPGMID (optional) |
TADIR program ID |
AUTHOBJTYP (optional) |
TADIR object type |
AUTHOBJNAM (optional) |
TADIR object name |
SRV_TYPE (optional) |
Type of external service |
SRV_NAME (optional) |
Name of external service |
RFC_TYPE (optional) |
RFC object type |
RFC_NAME (optional) |
RFC object name |
SAPHashValue (optional) |
Hash value |
Field description (optional) |
Describes the authorization fields, authorization objects and SAP applications. |
NOTE:
-
The order of the data fields is arbitrary.
-
All required data fields must be defined in the header and must be present in the data sets.
-
Mark data fields without values with two sequential delimiters.
-
Data sets with empty mandatory fields are not imported.
To import function definitions
-
In the Manager, select the Identity Audit category.
-
Select the Plugins > Import SAP function definitions menu item.
-
Select the CSV file you want to import and click Open.
-
Confirm the security prompt with Yes.
The functions definitions are transferred to the database as working copies. If there is already a working copy with the same name in the database, it is overwritten by the import.
Related topics
Compliance rules for SAP functions
Compliance rules can be checked through effective authorizations as well as through authorizations, which an employee has in an SAP R/3 system due to their user accounts and group and role memberships. Effective write permissions are tested through SAP functions. To do this, SAP functions are added to rule conditions.
The validity period of role assignments is taken into account in the rule check.
For more information about compliance rules, see the One Identity Manager Compliance Rules Administration Guide.
Rule conditions for SAP functions
To define new rules for SAP functions
-
In the Manager, select the Identity Audit > Rules category.
-
Click in the result list.
-
Enter the main data of the rule.
-
Set the Rule for cyclical testing and risk analysis in IT Shop option.
-
Limit the affected permissions with the at least one function option and select the SAP function to test.
-
Save the changes.
This adds a working copy.
-
Select the Enable working copy task and confirm the security prompt with Yes.
This adds an enabled rule in the database. The working copy is retained and can be used to make changes later.
Figure 3: Condition for SAP functions
When One Identity Manager tests rules, it finds all the employees whose assigned SAP users match the SAP functions that are given in the rule. An SAP user matches an SAP function when:
-
An SAP role assigned to the SAP user account matches the SAP function
- OR -
-
An SAP role that is assigned a reference user matching an SAP function
- AND -
-
The SAP user account is assigned this reference user.
For more information about creating rule conditions, see the One Identity Manager Compliance Rules Administration Guide.
More rule violation reports
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. Additional reports can be created for enabled compliance rules for SAP functions.
Table 20: Reports about rule violations with SAP functions
Rule violations with SAP applications |
This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions.
All function instances are listed with their SAP applications for each employee through which they violated the rule. SAP profiles and their authorization objects that match the SAP function are displayed for each SAP function. |
Rule violations with SAP roles |
This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions.
SAP groups, SAP roles, and SAP profiles with their authorization objects are listed for each employee through which they violated the rule. |
SAP roles and profiles with rule violations |
The report shows all SAP roles and profiles that match SAP functions and thereby violate the selected rule. |