Chat now with support
Chat with Support

Identity Manager 9.1.2 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

SAP function categories

Use function categories to group SAP functions by specific criteria.

To create or edit a function category

  1. In the Manager, select the Identity Audit > Basic configuration data > SAP function categories category.

  2. In the result list, select a function category and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the function category's main data.

  4. Save the changes.

Enter the following main data of a function category.

Table 13: SAP function category properties

Property

Description

Category

The function category’s name.

Parent category

Parent category for organizing function categories hierarchically.

Description

Text field for additional explanation.

Related topics

Functional areas

You can use functional areas to analyze rule violations in context of Identity Audit for different SAP functions. You can enter criteria that provide information about risks from rule violations for functional areas and SAP functions.

To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to hierarchical roles and service items. You can enter criteria that provide information about risks from rule violations for functional areas and hierarchical roles. To do this, you specify how many rule violations are permitted in a functional area or a role. You can enter separate assessment criteria for each role, such as a risk index or transparency index.

Moreover, functional areas can be replaced by peer group analysis during request approvals or attestation cases.

Example: Use of functional areas

To assess the risk of rule violations for cost centers. Proceed as follows:

  1. Set up functional areas.

  2. Assign cost centers to the functional areas.

  3. Define assessment criteria for the cost centers.

  4. Specify the number of rule violations allowed for the functional area.

  5. Assign compliance rules required for the analysis to the functional area.

  6. Use the One Identity Manager report function to create a report that prepares the result of rule checking for the functional area by any criteria.

To create or edit a functional area

  1. In the Manager, select the Identity Audit > Basic configuration data > Functional areas category.

  2. In the result list, select a function area and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the function area main data.

  4. Save the changes.

Enter the following data for a functional area.

Table 14: Functional area properties

Property

Description

Functional area

Description of the functional area

Parent Functional area

Parent functional area in a hierarchy.

Select a parent functional area from the list for organizing your functional areas hierarchically.

Max. number of rule violations

List of rule violation valid for this functional area. This value can be evaluated during the rule check.

Description

Text field for additional explanation.

Mitigating controls assigned to the function definitions to be tested are automatically copied to rules about SAP functions. Conditions:

  • Active rules are assigned to a functional area and a department.
  • The function definitions to be tested are assigned to the same functional area and to the variable set associated with the same department.
Related topics

Maintaining SAP functions

You can assign SAP functions to employees that are responsible for the content of those SAP functions. To do this, assign the an application for maintaining SAP functions to an application role. Assign to this application role, the employees that are authorized to enable and edit working copies of this function definition and can define function instances.

A default application role exists for maintaining One Identity Manager functions in SAP. Create more application roles if required. For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 15: Default application roles for maintaining SAP functions
User Tasks

Responsible for maintaining SAP functions.

Administrators must be assigned to the Identity & Access Governance | Identity Audit | Maintain SAP functions application role or a child application role.

Users with this application role:

  • Are responsible for SAP function contents.

  • Edit working copies of function definitions for which they are responsible.

  • Define function instances and variables sets for SAP functions.

  • Assign mitigating controls.

To add employees to the default application role for maintaining SAP functions

  1. In the Manager, select the Identity Audit > Basic configuration data > Maintain SAP functions category.

  2. Select the Assign employees task.

  3. In the Add assignments pane, add employees.

    TIP: In the Remove assignments pane, you can remove assigned employees.

    To remove an assignment

    • Select the employee and double-click .

  4. Save the changes.
Related topics

Exporting function definitions

To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.

To export all function definitions to a CSV file

  1. In the Manager, select the Identity Audit category.

  2. Select the Plugins > Export all SAP function definitions menu item.

  3. To only export working copies, click Yes.

    - OR -

    To only export enabled SAP functions, click No.

  4. Specify the file name and storage location for the CSV file.

  5. Click Save.

    All function definitions are written to file in sequence.

The following properties are exported:

Table 16: Exported main data of a function definition

Property

Data field in the CSV file.

Name of the function definition

Function

Assigned function category

Process

Description

Function Description

Significance

Risk Level

Suggested authorization value

TransactionType

Transaction code

Transaction

TADIR program ID

AUTHPGMID

TADIR object type

AUTHOBJTYP

TADIR object name

AUTHOBJNAM

Type of external service

SRV_TYPE

Name of external service

SRV_NAME

RFC object type

RFC_TYPE

RFC object name

RFC_NAME

Hash value

SAPHashValue

Authorization objects

Object

Authorization fields

Field

Description of authorization field.

Field Description

Value/lower scope limit

Value From

Upper scope limit

Value To

The import status (State) is included with each data record in the CSV file as additional information. The import status is set to 1 by default on export. This data is evaluated when function definitions are imported.

NOTE: SAP function managers can only export those function definitions for which they are responsible, as entered in the main data.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating