Chat now with support
Chat with Support

Identity Manager 9.2.1 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Troubleshooting an SAP R/3 connection Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Additional tasks for managing SAP groups, SAP roles, and SAP profiles

After you have entered the main data, you can run the following tasks.

Overview of SAP groups, SAP roles, and SAP profiles

To obtain an overview of a group

  1. Select the SAP R/3 > Groups category.
  2. Select the group in the result list.
  3. Select the SAP group overview task.

To obtain an overview of a profile

  1. Select the SAP R/3 > Profiles category.
  2. Select a profile in the result list.
  3. Select the SAP profile overview task.

To obtain an overview of a role

  1. Select the SAP R/3 > Roles category.
  2. Select the role in the result list.
  3. Select the SAP role overview task.

Effectiveness of SAP groups, SAP roles, and SAP profiles

NOTE: In order to easy understanding the behavior is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.
Table 60: Configuration parameter for conditional inheritance
Configuration parameter Effect when set

QER | Structures | Inherite | GroupExclusion

Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the configuration parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to this configuration parameter require the database to be recompiled.

When groups are assigned to user accounts an identity may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.

The effectiveness of the assignments is mapped in the SAPUserInSAPGrp and BaseTreeHasSAPGrp tables by the XIsInEffect column.

Example: The effect of group memberships
  • Group A is defined with permissions for triggering requests in a client. A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.

Jo User1 has a user account in this client. They primarily belong to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to them secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.

By using suitable controls, you want to prevent an identity from being able to trigger a request and to pay invoices. That means, groups A, B, and C are mutually exclusive. An identity that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.

Table 61: Specifying excluded groups (SAPGrpExclusion table)

Effective group

Excluded group

Group A

Group B

Group A

Group C

Group B

Table 62: Effective assignments

Identity

Member in role

Effective group

Pat Identity1

Marketing

Group A

Jan User3

Marketing, finance

Group B

Jo User1

Marketing, finance, control group

Group C

Chris User2

Marketing, control group

Group A, Group C

Only the group C assignment is in effect for Jo User1. It is published in the target system. If Jo User1 leaves the "control group" business role at a later date, group B also takes effect.

The groups A and C are in effect for Chris User2 because the groups are not defined as mutually exclusive. If this should not be allowed, define further exclusion for group C.

Table 63: Excluded groups and effective assignments

Identity

Member in role

Assigned group

Excluded group

Effective group

Chris User2

 

Marketing

Group A

 

Group C

 

Control group

Group C

Group B

Group A

Prerequisites
  • The QER | Structures | Inherite | GroupExclusion configuration parameter is set.

    In the Designer, set the configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  • Mutually exclusive groups, roles, and profiles belong to the same client.

To exclude a group

  1. In the Manager, select the SAP R/3 > Groups category.

  2. Select a group in the result list.

  3. Select the Exclude groups task.

  4. In the Add assignments pane, assign the groups that are mutually exclusive to the selected group.

    - OR -

    In the Remove assignments pane, remove the groups that are no longer mutually exclusive.

  5. Save the changes.

To exclude roles

  1. In the Manager, select the SAP R/3 > Roles category.

  2. Select the role in the result list.

  3. Select the Exclude SAP roles task.

    - OR -

    In the Remove assignments pane, remove the roles that are no longer mutually exclusive.

  4. Save the changes.

To exclude profiles

  1. In the Manager, select the SAP R/3 > Profiles category.

  2. Select a profile in the result list.

  3. Select the Exclude roles task.

    - OR -

    In the Remove assignments pane, remove the profiles that are no longer mutually exclusive.

  4. Save the changes.

SAP group, SAP role, and SAP profile inheritance based on categories

NOTE: In order to easy understanding the behavior is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.

In One Identity Manager, user accounts can selectively inherit groups. To do this, groups and user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. Each table contains the category positions position 1 to position 63.

Every user account can be assigned to one or more categories. Each group can also be assigned to one or more categories. The group is inherited by the user account when at least one user account category items matches an assigned group. The group is also inherited by the user account if the group or the user account is not put into categories.

NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when groups are directly assigned to user accounts.

Table 64: Category examples
Category item Categories for user accounts Categories for groups
1 Default user Default permissions
2 System users System user permissions
3 System administrator System administrator permissions

Figure 5: Example of inheriting through categories.

To use inheritance through categories

  1. Define the categories in the client.

    NOTE: If central user administration is implemented, define the categories in the central system as well as in the child system. The same categories must be defined in the child system as in the central system so that groups from a child system can be inherited by user accounts.

  2. Assign categories to user accounts through their main data.

  3. Assign categories to groups, roles, and profiles through their main data.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating