With One Identity Manager, you can also manage BI analysis authorizations in SAP R/3. Through BI analysis authorizations, SAP users obtain authorization to analyze BI data of different clients within a system. For this reason, BI analysis authorizations are managed across clients. By assigning BI analysis authorizations to a user account, an SAP user obtains analysis authorizations in all clients that have an SAP user account with the same name. You can get an overview of all the employee's BI analysis authorizations for user accounts that are linked to an employee.
The user account properties including BI analysis authorizations such as system assignment, name, and assigned BI analysis authorizations, are mapped to separate user accounts in One Identity Manager. All SAP user accounts within the same system and with the same name, obtain BI analysis authorizations, which are assigned to this BI user account. If the SAP user accounts are linked to one employee, BI analysis authorizations can be requested through the IT Shop or by assignment to business roles or organizations which are inherited by BI user accounts. You can also assign BI analysis authorizations directly to BI user accounts. Existing assignments can be modified.
Figure 1: Mapping BI analysis authorizations in One Identity Manager
NOTE: BI analysis permissions are not mapped in One Identity Manager if they are indirectly assigned to SAP user accounts in SAP R/3 using SAP roles or SAP profiles. With appropriately formulated SAP functions for the S_RS_AUTH authorization object, it is still possible to check in Identity Audit whether these BI analysis authorization assignments are permitted.
The following users are used for setting up and administration of BI analysis authorizations.
Table 1: Users
Target system administrators |
Target system administrators must be assigned to the Target systems | Administrators application role.
Users with this application role:
-
Administer application roles for individual target system types.
-
Specify the target system manager.
-
Set up other application roles for target system managers if required.
-
Specify which application roles for target system managers are mutually exclusive.
-
Authorize other employees to be target system administrators.
-
Do not assume any administrative tasks within the target system. |
Target system managers |
Target system managers must be assigned to the Target systems | SAP R/3 application role or a child application role.
Users with this application role:
-
Assume administrative tasks for the target system.
-
Create, change, or delete target system objects.
-
Edit password policies for the target system.
-
Prepare system entitlements to add to the IT Shop.
-
Can add employees who have another identity than the Primary identity.
-
Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
-
Edit the synchronization's target system types and outstanding objects.
-
Authorize other employees within their area of responsibility as target system managers and create child application roles if required. |
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles.
administrators:
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required. |
Administrators for the IT Shop |
Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.
Users with this application role:
|
Administrators for organizations |
Administrators must be assigned to the Identity Management | Organizations | Administrators application role.
Users with this application role:
|
Business roles administrators |
Administrators must be assigned to the Identity Management | Business roles | Administrators application role.
Users with this application role:
|
You can set up BI analysis authorization synchronization as an add-on to the SAP R/3 User Management module Module. That means, before you can synchronize BI analysis authorizations, set up synchronization for SAP R/3 basic administration. Create the BI analysis authorization synchronization project after that. Follow the instructions in the One Identity Manager Administration Guide for Connecting to SAP R/3 to do this. Anomalies are described in this guide.
To load BI analysis authorizations into the One Identity Manager database for the first time
- Prepare a user account with sufficient permissions for synchronizing in SAP R/3.
-
One Identity Manager components for managing BI analysis authorizations are available if the TargetSystem | SAPR3 | BWProfile is set.
- Create a synchronization project with the Synchronization Editor.
Detailed information about this topic
To access the target system for synchronizing BI analysis authorizations, the user requires the same permissions as those required for synchronizing SAP R/3. For more information about the required authorizations, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
Additionally required authorization objects and their attributes: