Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles

Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles

In One Identity Manager, groups can be selectively inherited by user accounts. For this, groups and user accounts are divided into categories. The categories can be freely selected and are specified by a template. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. Enter your categories for the structural profiles, administrative roles, subscriptions and disabled service plans in the . Each table contains the category items "Position1" to "Position31".

To define a category

1. Select the category SAP R/3 | Clients.
2. Select the client from the result list.
3. Select Change master data in the task view.
4. Switch to the MappingList of object matching rules and property mapping rules which map the schema properties of two connected systems to one another. rule category tab.
5. Expand the respective base node of a table.
6. Click to enable category.
7. Enter a name for the user account and group categories in the current language.
8. Save the changes.

Detailed information about this topic

• Inheriting SAP Groups, SAP Roles and SAP Profiles based on Categories
• One Identity Manager Target SystemAn instance of a target system in which the employees managed by One Identity Manager have access to network resources. Example: An Active Directory domain X for target system type "Active Directory", a directory Y for target system type "LDAP", a client Z for target system type "SAP R/3". Base Module Administration Guide

How to Edit a Synchronization Project

How to Edit a Synchronization Project

SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. projects, in which a client is already used as a base object, can also be opened using the Manager. You can, for example, check the configuration or view the synchronization log in this mode. The Synchronization EditorOne Identity Manager tool for configuring target system synchronization. is not started with its full functionality. You cannot run certain functions, such as, running synchronization or simulation, starting the target system browser and others.

To open an existing synchronization project in the Synchronization Editor

1. Select the category SAP R/3 | Clients.
2. Select the client from the result list. Select Change master data in the task view.
3. Select Edit synchronization project... from the task view.

Detailed information about this topic

• One Identity Manager Target SystemAn instance of a target system in which the employees managed by One Identity Manager have access to network resources. Example: An Active Directory domain X for target system type "Active Directory", a directory Y for target system type "LDAP", a client Z for target system type "SAP R/3". Synchronization Reference Guide

Related Topics

• Customizing Synchronization Configuration

SAP User Accounts

SAP User Accounts

You can manage the users of a One Identity Manager environment with the SAP R/3. One Identity Manager concentrates on setting up and editing SAP user accounts. Groups, roles and profiles are mapped in SAP, in order to provide the necessary permissions for One Identity Manager user accounts. The necessary data for system measurement is also mapped. The system measurement data is available in One Identity Manager, but the measurement itself takes place in the SAP R/3 environment.

If user accounts are managed through the central user administration (CUACentral user administration.) in SAP R/3, access to the child client can be guaranteed to or withdrawn from user accounts in One Identity Manager.

Detailed information about this topic

• Linking User Accounts to Employees
• Supported User Account Types
• Entering Master Data for SAP User Accounts

Linking User Accounts to Employees

The central component of the One Identity Manager is to map employees and their master data with permissions through which they have control over different target systems. For this purpose, information about user accounts and permissions can be read from the target system into the One Identity Manager database and linked to employees. This gives an overview of the permissions for each employees in all of the connected target systems. One Identity Manager provides the possibility to manage user accounts and their permissions. You can provision modifications in the target systems. Employees are supplied with the necessary permissions in the connected target systems according to their function in the company. Regular synchronization keeps data consistent between target systems and the One Identity Manager database.

Because requirements vary between companies, the One Identity Manager offers different methods for supplying user accounts to employees. One Identity Manager supports the following method for linking employees and their user accounts.

• Employees and user accounts can be entered manually and assigned to each other.

• Employees can automatically obtain their account definitions using user account resources. If an employee does not have a user account in a client, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism followed by process handling.

  When you manage account definitions through user accounts, you can specify the way user accounts behave when employees are enabled or deleted.

  NOTE: If employees obtain their user accounts through account definitions, they have to have a central SAP user account.

• An existing employee is automatically assigned when a user account is added or a new employee is created if necessary. In this case, employee master data is created on the basis of the existing user account master data. This mechanism can be implemented if a new user account is created manually or by synchronization. This method, however, is not the One Identity Manager default method. Define criteria for finding employees for automatic employee assignment.

Related Topics

• Entering Master Data for SAP User Accounts
• Setting Up Account Definitions
• Automatic Assignment of Employees to SAP User Accounts

For more detailed information about employee handling and administration, see the One Identity Manager Target SystemAn instance of a target system in which the employees managed by One Identity Manager have access to network resources. Example: An Active Directory domain X for target system type "Active Directory", a directory Y for target system type "LDAP", a client Z for target system type "SAP R/3". Base Module Administration Guide.