Take the following advice into account when you create an authorization definition in the authorization editor.
To add an additional activity value to an authorization object, click +. You can enter more than one activity value by OR-ing them together.
To add an additional value for an authorization field to an authorization object, click C next to the authorization field.
The same authorization object cannot be added more than once to an authorization definition.
The functionality of the Authorization Editor is based on the SAPGUI Authorization Editor. The columns in the Authorization Editor have the following meaning.
|
Property |
Description |
|---|---|
|
Function definition / SAP application / authorization / function element |
Function definition hierarchy. SAP applications, their associated authorization objects and function elements are mapped in a hierarchy. |
|
Processing status |
Processing status of hierarchy objects.
|
|
Add |
Click +, to add more objects to the authorization definition. This adds a sub object. Click C, to copy the function element. |
|
Remove |
Click -, to remove objects from the authorization definition. |
|
Description |
Object description. |
|
Any |
Click *, to define the value of a function element as * (any value). |
|
Value / lower limit |
Values permitted for the function element. For example, you can limit SAP authorizations to specific SAP groups. When you specify a range, enter the lower limit here. Values can be added as variables. System variables can also be used. Wildcards can be used in the values. For more information, see Syntax examples for values. |
|
Upper scope limit |
Upper limit for the range of a function element Values can be added as variables. Values concatenated with , and * are not permitted. If Lower limit contains values concatenated with , or *, you cannot enter an upper limit. |
All function elements in an SAP application that are defined in a separate row must be fulfilled for the SAP function to match. If the SAP function can only match when an SAP profile has one of several possible characteristics of a function element, define these instances by ORing them.
To edit the properties of the selected object
Double-click on a function element in the Authorization Editor.
You can edit the description of the function element and the upper and lower limits.
|
Property |
Description |
|---|---|
|
Type |
Specifies whether the selected function element is an activity or a authorization field. |
|
Name |
Name of the function element. |
|
Lower limit, upper limit |
Values permitted for the function element. When you specify a range, enter a lower and an upper limit. Values can be added as variables. Click |
|
Description |
Detailed description of the function elements. |
You can set fixed values for function elements in authorization definitions. Otherwise, you can implement variables to use a function definition for different function instances. For this, the following is valid:
Variable name
Example: $Var_01$
Value
|
Syntax (example) |
SAP authorization is tested for |
Input value examples |
|---|---|---|
|
* |
Any value Can only be used as a single value. An upper scope limit cannot be specified. |
ab or 1234 |
|
Any string (from) |
Exact given value |
abc |
|
[*] |
The value * |
* |
|
String[*] (abc[*]) |
Values that contain exactly this string and *. |
from* |
|
String* (abc[*]) |
Values beginning with the given string and ending with any string Can only be used as a single value. An upper scope limit cannot be specified. |
abcd or ab* |
|
OR (01,02,78) |
One of the values contained in the list ORing cannot be used for the upper scope limit. Can only be used as a single value. An upper scope limit cannot be specified. |
01 or 02 or 78 |
|
[*],[,],[+] |
Values that contain special characters |
FM+7 |
You can also use system variables as well as self-defined variables in the authorization definition. System variables have the following syntax: ${character}+ (example: $AUFART).
Variables must be uniquely identifiable by the authorization check. Therefore, names of self-defined variables may not match system variables or begin with system variable name.
One Identity Manager uses this task to test whether all authorization objects that belong to an SAP application occur in the authorization definition.
To test an authorization definition for completeness
In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.
Select the function definition in the result list.
Select the Authorization Editor task.
Select the Check authorization objects for completeness task.
Missing authorization objects are displayed in a separate window.
Enable the Add option on the authorization object you want to add to the authorization definition.
When all missing authorization objects are edited, click OK.
The authorization objects can now be edited in the authorizations editor.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center
: No value is specified for the function element.
: A value is specified for the function element.
to select variables from the variable definitions available.