Chat now with support
Chat with Support

Identity Manager 9.1.2 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

General main data of a function definition

Enter the following main data of a function category.

Table 2: Main data for a function definition

Property

Description

Function definition

Name of the SAP function.

Functional area

The SAP function is valid for this functional area.

Function category

Grouping criteria for the SAP function. To create a new function categories, click . Enter the name and a description of the function category.

Manager/supervisor

Application role whose members are responsible for the function definition in terms of content.

To create a new application role, click . Enter the application role name and assign a parent application role.

Authorization objects

Spare text field for entering information about the authorization objects that are used in the function definitions.

Risk index

Defines the risk for the company if an SAP user account matches this SAP function. Use the slider to enter a value between 0 and 1.

0: No risk.

1: Every SAP user account that matches the SAP function poses a problem.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

Risk index (reduced)

Show the risk index taking mitigating controls into account. An SAP function’s risk index is reduced by the significance reduction of all mitigating controls assigned to it. The risk index (reduced) is calculated for the original SAP function. To copy the value to a working copy, run the Create working copy task.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set. The value is calculated by One Identity Manager and cannot be edited.

Severity code

Specifies what it means to the company or the assigned functional area when an SAP user matches this SAP function. Enter a value between 0 and 1.

0: Just for information

1: Any SAP user account that matches the SAP function requires changes to the affected SAP authorizations.

Significance

Specifies a verbal description of the effects on the company (or the functional area) when an SAP user account matches this SAP function. In the default installation, the value list displays {low, average, high, critical}.

Description

Text field for additional explanation.

working copy

Specifies whether this is a working copy of the function definition.

For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Detailed information about this topic

Creating authorization definitions in the Authorization Editor

Use the Authorization Editor to set up the SAP function authorization definition. To do this, group SAP applications and authorization objects together that should be covered by the SAP function.

To compile an authorization definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Authorization Editor task.

  4. Select one of the following tasks.

    • 1. Add via menu template

      Select from which menu you want to select the menu items and the SAP system whose menu tree should be displayed. Then select a menu item from the menu tree. Transaction codes that are linked to a menu item are shown in brackets in the menu tree as additional information.

      All the transactions and their authorization objects are loaded that can be called from the selected menu item or its submenu items.

    • 2. Add using SAP application

      Select the type of SAP application and the SAP application whose authorization objects should be loaded into the Authorization Editor. All authorization object are added that are linked with the selected SAP application. You can define a filter to list the limit the number of SAP applications available.

    • 3. Add using existing function definition

      Select an existing function definition whose authorization definition is to be loaded into the Authorization Editor.

      Only enabled function definitions can be selected.

  5. Specify details for each element in the Authorization Editor.

  6. Save the changes.
Detailed information about this topic

Notes on authorization definitions

Take the following information into account when you create an authorization definition in the authorization editor:

  • To add an additional activity value to an authorization object, click +. You can enter more than one activity value by ORing and ANDing them together.

  • To add an additional value for an authorization field to an authorization object, click C next to the authorization field.

  • The same authorization object cannot be added more than once to an authorization definition.

  • OR and AND operators cannot be combined for activities below an authorization object. If an activity contains an AND operator, no other activities may be defined below the same authorization object.

  • OR and AND operators cannot be combined for the same authorization field below an authorization object. If an authorization field contains an AND operator, this authorization field must not be defined again below the same authorization object.

Detailed information about this topic
Related topics

Authorization definition properties and their values

The functionality of the Authorization Editor is based on the SAPGUI Authorization Editor. The columns in the Authorization Editor have the following meaning.

Table 3: Properties of an authorization definition

Property

Description

Function definition / SAP application / authorization / function element

Function definition hierarchy. SAP applications, their associated authorization objects and function elements are mapped in a hierarchy.

Processing status

Processing status of hierarchy objects.

: No value is specified for the function element.

: A value is specified for the function element.

Add

Click +, to add more objects to the authorization definition. This adds a sub object.

Click C, to copy the function element.

Remove

Click -, to remove objects from the authorization definition.

Description

Object description.

Any

Click *, to define the value of a function element as * (any value).

Value / lower limit

Values permitted for the function element. For example, you can limit SAP authorizations to specific SAP groups. When you specify a range, enter the lower limit here.

Values can be added as variables. System variables can also be used.

Wildcards can be used in the values. For more information, see Syntax examples for values.

Upper scope limit

Upper limit for the range of a function element Values can be added as variables.

Values concatenated with , or + and * are not permitted.

If Lower limit contains values concatenated with + or , or *, you cannot enter an upper limit.

 

Table 4: Syntax examples for values

Syntax (example)

SAP authorization is tested for

Input value examples

*

Any value

Can only be used as a single value. An upper scope limit cannot be specified.

ab or 1234

Any string (from)

Exact given value

abc

[*]

The value *

*

String[*] (abc[*])

Values that contain exactly this string and *.

from*

String* (abc[*])

Values beginning with the given string and ending with any string

Can only be used as a single value. An upper scope limit cannot be specified.

abcd or ab*

OR (01,02,78)

One of the values contained in the list

ORing cannot be used for the upper scope limit.

Can only be used as a single value. An upper scope limit cannot be specified.

01 or 02 or 78

AND (01+02+78)

All the values contained in the list

ANDing cannot be used for the upper scope limit.

Can only be used as a single value. An upper scope limit cannot be specified.

01 and 02 and 78

[*],[,],[+]
(FM[+]7)

Values that contain special characters

FM+7

Variable ($Var$)

Value stored in the variable

System variable ($var)

Value stored in the system variable

All function elements in an SAP application that are defined in a separate row must be fulfilled for the SAP function to match. If the SAP function can only match when an SAP profile has one of several possible characteristics of a function element, define these instances by ORing them. If the SAP function can only match when an SAP profile has all the instances of a function element, define these instances by ANDing them.

To edit the properties of the selected object

  • Double-click on a function element in the Authorization Editor.

    You can edit the description of the function element and the upper and lower limits.

Table 5: Function element properties

Property

Description

Type

Specifies whether the selected function element is an activity or a authorization field.

Name

Name of the function element.

Lower limit, upper limit

Values permitted for the function element. When you specify a range, enter a lower and an upper limit. Values can be added as variables.

Click to select variables from the variable definitions available.

Description

Detailed description of the function elements.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating