Identity Manager 9.1 - Administration Guide for the SAP R/3 Compliance Add-on

General main data of a function definition Function definition overview Creating authorization definitions in the Authorization Editor Checking authorization objects for completeness Authorization overview Creating working copi Enabling working copies Exporting function definitions Exporting working copies Assigning mitigating controls to SAP functions

Assigning mitigating controls to a function definition Creating mitigating controls for SAP functions

Defining function instances

Main data for a function instance Function instance overview Checking field variable definitions

Adding variable set for authorization objects

Main data for a variable set Variable set overview Copying variable sets Adding variables used in SAP functions

Exporting function definitions Importing function definitions

Compliance rules for SAP functions

Rule conditions for SAP functions More rule violation reports Mitigating controls for compliance rules with SAP functions

Mitigating controls for SAP functions

Entering main data for mitigating controls Mitigating controls overview Assigning function definitions to mitigating controls Calculating mitigating controls for SAP functions

Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Assigning function definitions to mitigating controls

Use this task to specify the function definitions for which a mitigating control is valid. You can only assign function definitions that are enabled on the assignment form.

To assign SAP function definitions to mitigating controls

In the Manager, select the Risk index functions > Mitigating controls category.
Select the mitigating control in the result list.
Select the Assign function definitions task.

In the Add assignments pane, assign the function definitions.
TIP: In the Remove assignments pane, you can remove function definitions assignments.

To remove an assignment
- Select the mitigating control and double-click .
Save the changes.

Calculating mitigating controls for SAP functions

The reduction in significance of a mitigating control supplies the value by which the risk index of an SAP function is reduced when the control is implemented. One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.

The reduced risk index is calculated from the SAP function and the significance reduced sum of all assigned mitigating controls.

Risk index (reduced) = Risk index - sum significance reductions

If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.

Configuration parameters for SAP functions

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 22: Configuration parameters for the module
Configuration parameter	Description
TargetSystem \| SAPR3 \| SAPRights	Preprocessor relevant configuration parameter for controlling component parts for testing authorizations in SAP R/3 using SAP functions. If the parameter is set, the components are available. Changes to the parameter require recompiling the database. If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
TargetSystem \| SAPR3 \| SAPRights \| TestWithoutTCD	Checks SAP authorizations without taking SAP applications into account.

The following configuration parameters are also required.

Table 23: Configuration parameters for the module
Configuration parameter	Description
QER \| CalculateRiskIndex	Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is enabled, values for the risk index can be entered and calculated. If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
QER \| ComplianceCheck	Preprocessor relevant configuration parameter for controlling the database model components for checking the rule base. Changes to the parameter require recompiling the database. If the parameter is enabled, you can use the model components. If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

Default project template for the SAP R/3 Compliance Add-on Module

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

Use the SAP R/3 authorization objects project template to synchronize authorization objects and transactions. The project template uses mappings for the following schema types.

Table 24: Mapping SAP R/3 schema types to tables in the One Identity Manager schema
Schema type in the target system	Table in the One Identity Manager Schema
TOBJ	SAPAuthObject
ObjectClass	SAPAuthObjectClass
AUTHX	SAPField
Transactions	SAPTransaction
TACT	SAPActivity
ObjectHasField	SAPAuthObjectHasField
ObjectHasActivity	SAPAuthObjectHasSapActivity
FieldHasRcTable	SAPFieldHasSAPRCTable
TMENU01	SAPMenu
MenuHasTransaction	SAPMenuHasSAPTransaction
ProfileHasAuthObjectField	SAPProfileHasAuthObjectElem
RcTable	SAPRCTable
Variable	SAPRCVariable
TRANSACTIONHASTOBJ	SAPTransactionHasSAPAuthObject
RFCFUNCTION	SAPTransaction
USOBHASH	SAPTransaction

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação

Selecione seu produto:

Para podermos atendê-lo melhor, informe o Propósito de seu chat:

Soluções recomendadas para seu problema

Identity Manager 9.1 - Administration Guide for the SAP R/3 Compliance Add-on

Assigning function definitions to mitigating controls

Related topics

Calculating mitigating controls for SAP functions

Configuration parameters for SAP functions

Default project template for the SAP R/3 Compliance Add-on Module