Identity Manager 9.3 - Administration Guide for the SAP R/3 Compliance Add-on

Creating function definitions

There is a working copy created for each new function definition. Enabling the working copy allows the function definition to be used productively. SAP authorizations are only checked on the basis of active function definitions.

To create a new function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.

  2. Click in the result list.

  3. Enter the function definition main data.

  4. Save the changes.

    This adds a working copy.

  5. Select the Authorization Editor task and set up the authorization definition.

  6. Select the Enable working copy task and confirm the security prompt with Yes.

    This adds an enabled function definition in the database. The working copy is retained and can be used to make changes later.

General main data of a function definition

Enter the following main data for a function definition.

Table 15: Main data for a function definition

| Property | Description |
|---|---|
| Function definition | Name of the SAP function. |
| Functional area | The SAP function is valid for this functional area. |
| Function category | Grouping criteria for the SAP function. To create a new function category, click . Enter the name and a description of the function category. |
| Manager/supervisor | Application role whose members are responsible for the function definition in terms of content. To create a new application role, click . Enter the application role name and assign a parent application role. |
| Authorization object details | Spare text field for entering information about the authorization objects that are used in the function definitions. |
| Risk index | Defines the risk for the company if an SAP user account matches this SAP function. Use the slider to enter a value between 0 and 1. 0: No risk. 1: Every SAP user account that matches the SAP function poses a problem. This field is only visible if the QER \| CalculateRiskIndex configuration parameter is set. |
| Risk index (reduced) | Shows the risk index taking mitigating controls into account. An SAP function's risk index is reduced by the significance reduction of all mitigating controls assigned to it. The risk index (reduced) is calculated only for the active SAP function. This input field is only visible if the QER \| CalculateRiskIndex configuration parameter is set and the active SAP function is shown. This field is not shown in working copies. The value is calculated by One Identity Manager and cannot be edited. |
| Severity code | Specifies what it means to the company or the assigned functional area when an SAP user matches this SAP function. Enter a value between 0 and 1. 0: Just for information. 1: Any SAP user account that matches the SAP function requires changes to the affected SAP authorizations. |
| Significance | Specifies a verbal description of the effects on the company or the assigned functional area if an SAP user account matches this SAP function. Select a value from the list. |
| Description | Text field for additional explanation. |
| Working copy | Specifies whether this is a working copy of the function definition. |
| Condition | Expression that defines how to logically combine the function arguments in the evaluation. Only the operators AND and OR as well as precedence brackets () are permitted. When an authorization definition is created, a condition is automatically generated. Check the condition and adjust it to your requirements. |

For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Creating authorization definitions in the Authorization Editor

Use the Authorization Editor to set up the SAP function authorization definition. To do this, compile the authorization objects to check with the SAP function.

To compile an authorization definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Authorization Editor task.

  4. Select one of the following tasks.

    • 1. Add via menu template

      Select from which menu you want to select the menu items and the SAP system whose menu tree should be displayed. Then select a menu item from the hierarchy.

      • Show SAP menu: Specifies whether you can select menu items from the SAP menu of the SAP GUI.

      • All other menus: Specifies whether you can select menu items from all other SAP menus.

      • System: SAP system to be used to display the menu tree.

      • Menu: Menu hierarchy for selecting menu items.

        Transaction codes that are linked to a menu item are shown in brackets in the menu tree as additional information.

      This loads all authorization objects that can be called via the selected menu item or its submenu items.

    • 2. Add using SAP application

      Select the Type of SAP application and the SAP application whose authorization objects should be loaded into the Authorization Editor. You can define a Filter to limit the number of SAP applications available.

      This adds all the authorization objects that are linked to the selected SAP application.

    • 3. Add using existing function definition

      Select an existing Function definition with an authorization definition to load in the Authorization Editor.

      Only enabled function definitions can be selected.

    • 4. Add via authorization object

      Select an Authorization object to load into the Authorization Editor. You can define a Filter to limit the number of authorization objects available.

  5. Define properties of the individual function elements in the Authorization Editor.

  6. Save the changes.

  7. Select Change main data.

  8. Check the Condition and adjust it to your requirements.

  9. Save the changes.

Notes on authorization definitions

Take the following advice into account when you create an authorization definition in the Authorization Editor.

  • To add an additional function element to an authorization object, click + next to the authorization object. Select whether you want to insert an activity or an authorization field.

  • To add an additional value for an authorization field to an authorization object, click C next to the authorization field.

  • You can enter more than one activity value by ORing (OR) them together. Delimit individual values with commas.

  • The same authorization object can be added multiple times to an authorization definition if the function elements have different values.

  • All rows in the function definition that belong to the same function argument are ANDed together (AND).
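
The following added example (not One Identity code, and not the product's implementation) models the evaluation rules described above: comma-separated values in a row are ORed, all rows of one function argument are ANDed, and the Condition combines the function arguments using only AND, OR and brackets. The argument labels A1 to A3, the sample rows, the flattened (object, field) view of a user's authorizations, and AND binding more tightly than OR are assumptions made for illustration.

```python
import re

# Constructed sample rows: (function argument, authorization object, field, values).
# The argument labels A1..A3 are hypothetical; comma-separated values are ORed.
ROWS = [
    ("A1", "S_TCODE", "TCD", "FK01,FK02"),
    ("A2", "F_LFA1_BUK", "ACTVT", "01,02"),
    ("A2", "F_LFA1_BUK", "BUKRS", "1000"),
    ("A3", "S_TCODE", "TCD", "F110"),  # same object again, different value
]

def argument_results(rows, user_auths):
    """AND all rows of one function argument; OR the values within a row."""
    results = {}
    for arg, obj, field, values in rows:
        hit = bool(set(values.split(",")) & user_auths.get((obj, field), set()))
        results[arg] = results.get(arg, True) and hit
    return results

def evaluate(condition, results):
    """Parse the condition without eval(); assumes AND binds tighter than OR."""
    if not re.fullmatch(r"[\w\s()]*", condition):
        raise ValueError("only AND, OR, brackets and argument names are permitted")
    toks = re.findall(r"[()]|\w+", condition)
    def atom():
        t = toks.pop(0) if toks else None
        if t == "(":
            v = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing closing bracket")
            return v
        if t not in results:  # rejects NOT, XOR, unknown arguments, empty input
            raise ValueError(f"unexpected token {t!r}")
        return results[t]
    def chain(operand, op, combine):
        v = operand()
        while toks and toks[0] == op:
            toks.pop(0)
            v = combine(v, operand())
        return v
    def term(): return chain(atom, "AND", lambda a, b: a and b)
    def expr(): return chain(term, "OR", lambda a, b: a or b)
    value = expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return value

def matches(rows, condition, user_auths):
    return evaluate(condition, argument_results(rows, user_auths))
```

Running the same user through the automatically generated condition and through the adjusted one shows why the Condition should be reviewed before the working copy is enabled: a change of brackets or operators decides whether an account counts as matching the SAP function.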
