
Identity Manager 9.0 LTS - Administration Guide for Connecting to SAP R/3


Configuring the validity period of indirect role assignments

When the validity period is calculated, the following configuration parameters are taken into account. These configuration parameters are disabled by default.

  • TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate

    Specifies whether the request's validity period is transferred when role assignments are requested.

    Not set: The request's validity period is transferred. If there is no validity period given, the default values of 1900-01-01 and 9999-12-31 are set.

    Set: The role assignment is unlimited.

  • TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate

    Controls reuse of existing profile assignments if another assignment for the same combination of user account and SAP role is added.

    Set: Existing role assignments are reused if the same assignment is created by different means of inheritance. The following applies:

    • The Valid from date of the existing assignment is in the past.

    • The Valid until date of the existing assignment is 9999-12-31 or the new assignment has the same Valid until date as the existing assignment.

    Any other unlimited assignment or any other assignment with the same Valid until date does not generate a new entry in the SAPUserInSAPRole table. This can reduce the number of entries in the SAPUserInSAPRole table.

    Not set: An entry in the SAPUserInSAPRole table is created for every new role assignment. Existing assignments are not reused.

    NOTE: In databases that are migrated from versions older than 7.0, you may see assignments with a Valid until date of 9998-12-31. This is a valid date for unlimited role assignments, which means that these assignments can also be reused.

  • TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom

    Specifies the value that indirect role assignments' Valid from date contain when they are added.

    Not set: 1900-01-01

    Set: <today>

    IMPORTANT: Calculating indirect role assignments can become much slower depending on the amount of data to be processed.

    Do not set this configuration parameter if the information about when a role assignment's validity period starts is not absolutely necessary in SAP R/3.

To reuse an existing role assignment:

  • In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate configuration parameter.

To set the assignment's date as the first day of the role assignment's validity period:

  • In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom configuration parameter.

To prevent the request's validity date from being copied to the role assignment:

  • In the Designer, set the TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate configuration parameter.

    This adds an unlimited role assignment.

Determining the validity period of indirect role assignments

SAP roles that are assigned to departments, cost centers, locations, or business roles are indirectly assigned through them to user accounts. By default, indirect assignments are unlimited. The TargetSystem | SAPR3 | ValidDateHandling configuration parameter is used to determine the validity period of indirect assignments.

You can enter a Valid from date if the requests are made in the IT Shop. An entry in SAPUserInSAPRole only exists between the first and last days of the request's validity period. The request's validity period is copied to role assignments under the following prerequisites:

  • The DoNotUsePWODate configuration parameter is not set (default).

  • The SAP role was requested directly.

    - OR -

  • The assignment was created through an assignment request and at the same time a role assignment was requested. BaseTreeHasSAPRole.XOrigin='8' is set for this.

By default, an entry in the SAPUserInSAPRole table is created for every new role assignment. If the same assignment is created by different means of inheritance, the number of entries in the SAPUserInSAPRole table grows rapidly. In this case, if the validity period is identical, the same entries can be reused. Existing role assignments can be reused under the following prerequisites:

  • The ReuseInheritedDate configuration parameter is set.

  • The Valid from date of the existing assignment is in the past.

  • The Valid until date of the existing assignment is 9999-12-31 or the new assignment has the same Valid until date as the existing assignment.

  • Another assignment for the same combination of user account and SAP role is added.

Any other unlimited assignment or any other assignment with the same Valid until date does not generate a new entry in the SAPUserInSAPRole table. The number of entries in the SAPUserInSAPRole table can be reduced in this way.

NOTE: In databases that are migrated from versions older than 7.0, you may see assignments with a Valid until date of 9998-12-31. This is a valid date for unlimited role assignments, which means that these assignments can also be reused.

By default, the first day that indirect assignments are valid is 1900-01-01. This does not indicate when the assignments were created. If you need this information, the date on which the SAP role is assigned can be entered in the Valid from field. The date of the assignment is set as the first valid day of the indirect role assignments under the following prerequisites:

  • The ReuseInheritedDate | UseTodayForInheritedValidFrom configuration parameter is set.

    Exception: the DoNotUsePWODate configuration parameter is not set and:

    • The assignment has been requested and the request has a Valid from date.
    • The assignment has been requested and the request has a Valid to date but no Valid from date.

IMPORTANT: Calculating indirect role assignments can become much slower depending on the amount of data to be processed.

Do not set the UseTodayForInheritedValidFrom configuration parameter if the information about the Valid from date of the role assignment is not absolutely necessary in SAP R/3.
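The rules above (date transfer under DoNotUsePWODate, the UseTodayForInheritedValidFrom exception, and the ReuseInheritedDate reuse conditions) modelled as an added worked example; this is illustrative code, not One Identity Manager's own implementation. The SAPUserInSAPRole rows, the Config class, the TODAY value and the strict reading of "Valid from is in the past" are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date

# Sentinel dates the page names for unlimited assignments.
MIN_DATE = date(1900, 1, 1)
MAX_DATE = date(9999, 12, 31)
LEGACY_MAX = date(9998, 12, 31)  # seen in databases migrated from versions before 7.0
TODAY = date(2024, 6, 1)         # constructed "today" for the demo (assumption)

@dataclass
class Config:
    """The three ValidDateHandling parameters; all are disabled by default."""
    do_not_use_pwo_date: bool = False
    reuse_inherited_date: bool = False
    use_today_for_inherited_valid_from: bool = False

@dataclass(frozen=True)
class Assignment:  # one row of a simulated SAPUserInSAPRole table
    user: str
    role: str
    valid_from: date
    valid_until: date

def validity_period(cfg, requested, req_from, req_until, today=TODAY):
    """Valid from / Valid until of a new assignment. `requested` is True when the
    role was requested directly or through an assignment request (XOrigin='8')."""
    if requested and not cfg.do_not_use_pwo_date:
        # Request dates are transferred; a missing date falls back to its sentinel.
        valid_from = req_from or MIN_DATE
        # Exception on the page: a request that carries any date keeps that Valid from.
        if req_from is None and req_until is None and cfg.use_today_for_inherited_valid_from:
            valid_from = today
        return valid_from, req_until or MAX_DATE
    # Purely inherited, or DoNotUsePWODate set: unlimited, optionally starting today.
    return (today if cfg.use_today_for_inherited_valid_from else MIN_DATE), MAX_DATE

def add_assignment(cfg, table, user, role, valid_from, valid_until, today=TODAY):
    """Reuse an existing row when ReuseInheritedDate permits it, else append a new one.
    Returns (row, reused). 'Valid from in the past' is read strictly (an assumption)."""
    if cfg.reuse_inherited_date:
        for row in table:
            if (row.user, row.role) == (user, role) and row.valid_from < today and (
                row.valid_until in (MAX_DATE, LEGACY_MAX) or row.valid_until == valid_until
            ):
                return row, True
    row = Assignment(user, role, valid_from, valid_until)
    table.append(row)
    return row, False
```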


SAP products

Installed modules: System Roles Module

You can define One Identity Manager products as a collection of different groups, roles, or profiles in SAP. SAP products are system roles with the system role type "SAP product". Employees can obtain SAP products directly, inherit them through hierarchical roles, or request them in the IT Shop.

The employee’s user account is assigned the groups, roles, and profiles in the SAP product independent of the assignment method. If an SAP product changes by adding or removing a group, role, or a profile in One Identity Manager, user account memberships are changed accordingly.

To edit SAP products:

  1. Select the SAP R/3 > Products category.
  2. Select an SAP product in the result list.

    – OR –

    Click in the result list.

    This opens the main data form for a system role.

  3. Edit the system role's main data.
  4. Save the changes.

For more information about system roles, see the One Identity Manager System Roles Administration Guide.

General main data of SAP products

Table 67: Configuration parameters for risk assessment of SAP user accounts

  • QER | CalculateRiskIndex (effect when set): Preprocessor-relevant configuration parameter controlling the system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

    If the parameter is enabled, values for the risk index can be entered and calculated.

Enter the following data for a system role.

Table 68: System role main data

  • Display name: Name for displaying the system role in One Identity Manager tools.

  • System role: Unique identifier for the system role.

  • Internal product name: An additional internal name for the system role.

  • System role type: Specifies the type of company resources that make up the system role.

  • Service item: To use the system role within the IT Shop, assign a service item to it or add a new service item. For more information about service items, see the One Identity Manager IT Shop Administration Guide.

  • System role manager: Manager responsible for the system role. Assign an employee. This employee can edit the system role's main data and can be used as an attestor for system role properties.

    If the system role can be requested in the IT Shop, the manager automatically becomes a member of the application role for product owners assigned to the service item.

  • Share date: Specify a date for enabling the system role. If the date is in the future, the system role is considered disabled. Once the date is reached, the system role is enabled and employees inherit the company resources that are assigned to it.

    If the share date has passed or no date is entered, the system role is handled as an enabled system role. In these cases, company resource inheritance can be controlled with the Disabled option.

    NOTE: Configure and enable the Share system roles schedule in the Designer to check the share date. For more information about schedules, see the One Identity Manager Operational Guide.

  • Risk index (calculated): Maximum of the risk index values of all company resources. The property is only visible if the QER | CalculateRiskIndex configuration parameter is enabled. For more information about calculating the risk index, see the One Identity Manager Risk Assessment Administration Guide.

  • Comment: Text field for additional explanation.

  • Remarks: Text field for additional explanation.

  • Description: Text field for additional explanation.

  • Deactivated: Specifies whether employees and workdesks inherit the company resources contained in the system role.

    If this option is set, the system role can still be assigned to employees, workdesks, hierarchical roles, and IT Shop shelves. However, they do not inherit the company resources contained in the system role, and the system role cannot be requested in the Web Portal.

    If this option is not set, company resources assigned to the system role are inherited. If the option is enabled at a later date, existing assignments are removed.

  • IT Shop: Specifies whether the system role can be requested through the IT Shop. The system role can then be requested by staff through the Web Portal and granted through a defined approval process. It can still be assigned directly to employees and hierarchical roles. For more information about the IT Shop, see the One Identity Manager IT Shop Administration Guide.

  • Only for use in IT Shop: Specifies whether the system role can only be requested through the IT Shop. The system role can then be requested by staff through the Web Portal and granted through a defined approval process. It may not be assigned directly to hierarchical roles.

  • Spare field no. 01 ... Spare field no. 10: Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

For more information about system roles, see the One Identity Manager System Roles Administration Guide.
