Setting up a synchronization project for synchronizing BI analysis authorizations
Create your own custom synchronization project for synchronizing BI analysis authorizations. A separate project template is required for this. Use the Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3 environment. The following describes the steps for initial configuration of a synchronization project.
NOTE: Just one synchronization project can be created per target system and default project template used.
To set up a synchronization project for BI analysis authorizations
- Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following special features apply:
- In the project wizard on the Select project template page, select the "SAP R/3 BI analysis authorizations" project template.
- Configure and set a schedule to run synchronization on a regular basis.
NOTE: If not all clients in an SAP system are synchronized with the One Identity Manager database, assignments of BI analysis authorizations to user accounts may exist in the SAP R/3 environment for which there are no BI user accounts in the One Identity Manager database. These assignments cannot be saved when BI analysis authorizations are synchronized. The SAP connector writes an appropriate message in the synchronization log.
For detailed information about setting up synchronization, see the One Identity Manager Administration Guide for Connecting to SAP R/3 and the One Identity Manager Target System Synchronization Reference Guide.
Related topics
Managing BI analysis authorizations
BI analysis authorizations are managed across clients. By assigning BI analysis authorizations to a user account, an SAP user obtains analysis authorizations in all clients that have an SAP user account with the same name. User accounts with BI analysis authorizations are mapped to separate BI user accounts in One Identity Manager. All user accounts within the same system and with the same name obtain BI analysis authorizations, which are assigned to this BI user account. If the user accounts are linked to one employee, BI analysis authorizations can be requested through the IT Shop or by assignment to business roles or organizations which are inherited by BI user accounts.
A calculation task is queued in the DBQueue Processor to create BI user accounts. The task is queued when the SAP R/3 Analysis Authorizations Add-on Module is installed or as soon as an SAP user account is added to the One Identity Manager database or deleted or an SAP user account is linked to an employee.
NOTE: If not all clients in an SAP system are synchronized with the One Identity Manager database, assignments of BI analysis authorizations to user accounts may exist in the SAP R/3 environment for which there are no BI user accounts in the One Identity Manager database. These assignments cannot be saved when BI analysis authorizations are synchronized. The SAP connector writes an appropriate message in the synchronization log.
In One Identity Manager, you can edit the following data through BI analysis authorizations:
- Assigned BI user accounts
- Usage in the IT Shop
- Risk assessment
- Inheritance through roles and inheritance restrictions
To display main data of BI analysis authorizations
- Select the SAP R/3 > BI analysis authorizations category.
- Select the BI analysis authorization in the result list. Select the Change main data task.
- Enter the required data on the main data form.
- Save the changes.
To display the main data of a BI user account
- Select the SAP R/3 > BI user accounts category.
- Select the BI user account in the result list. Select the Change main data task.
This opens the main data form for the BI user account. You cannot edit the properties.
Detailed information about this topic
General main data of BI analysis authorizations
Table 2: Configuration parameters for risk assessment of BI user accounts
QER | CalculateRiskIndex |
Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.
If the parameter is enabled, values for the risk index can be entered and calculated. |
The following data is displayed for a BI analysis authorization.
Table 3: BI analysis authorization main data
SAP BI analysis authorization |
Name of the BI analysis authorization. |
Canonical name |
Canonical name of the BI analysis authorization. The canonical name is mapped through the SAP connector. |
Distinguished name |
Distinguished name of the BI analysis authorization. The distinguished name is found using a template. |
System |
Unique name for the system valid for the BI analysis authorization. |
Service item |
Service item data for requesting the BI analysis authorization through the IT Shop.
For more information, see the One Identity Manager IT Shop Administration Guide. |
Risk index |
Value for evaluating the risk of assigning the BI analysis authorization to BI user accounts. Enter a value between 0 and 1. This property is only visible if the "QER | CalculateRiskIndex" configuration parameter is set.
For more information, see the One Identity Manager Risk Assessment Administration Guide. |
Description (short) |
Short description of the BI analysis authorization. |
Description |
Description of the BI analysis authorization. |
Description (long) |
Long description of the BI analysis authorization. |
IT Shop |
Specifies whether the BI analysis authorization can be requested through the IT Shop. These user account resources can be requested by the employees through the Web Portal and distributed with a defined approval process. The BI analysis authorization can still be assigned directly to employees and hierarchical roles.
For more information, see the One Identity Manager IT Shop Administration Guide. |
Only for use in IT Shop |
Specifies whether the BI analysis authorization can only be requested through the IT Shop. These user account resources can be requested by the employees through the Web Portal and distributed with a defined approval process. The BI analysis authorization may not be assigned directly to hierarchical roles.
For more information, see the One Identity Manager IT Shop Administration Guide. |
Assigning BI analysis authorization directly to BI user accounts
BI analysis authorizations can be directly and indirectly assigned to BI user accounts. In the case of indirect assignment employees and BI analysis authorizations are arranged in hierarchical roles. The number of BI analysis authorizations assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance. If this employee owns an SAP user account and is in the same SAP system as a BI user account with the same name, the BI user account obtains the BI analysis authorizations.
Prerequisites for indirect assignment to BI user accounts are:
- Employee and BI analysis authorization assignment is permitted for role classes (department, cost center, location, or business roles). For detailed information about preparing hierarchical roles for indirect assignment, see the One Identity Manager Identity Management Base Module Administration Guide.
- SAP user accounts and BI analysis authorizations belong to the same system.
- Employees have an SAP user account in this system with the same name as the BI user account (SAPUser.Accnt = SAPBWUser.Accnt).
Furthermore, BI analysis authorizations can be assigned to employees through IT Shop requests. To enable the assignment of BI analysis authorizations using IT Shop requests, employees are added as customers in a shop. All BI analysis authorizations assigned to this shop as products can be requested by the customers. After approval is granted, requested BI analysis authorizations are assigned to the employees.
Detailed information about this topic