Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 Environments Setting up SAP R/3 Synchronization Base Data for Managing SAP R/3 SAP Systems SAP Clients SAP User Accounts SAP Groups, SAP Roles and SAP Profiles SAP Products Providing System Measurement Data Reports about SAP Systems Appendix: Configuration Parameters for Managing an SAP R/3 Environment Appendix: Default Project Templates for Synchronizing an SAP R/3 Environment Appendix: Referenced SAP R/3 Tables and BAPI Calls Appendix: Example of a Schema Extension File

Editing Master Data for SAP Groups, SAP Roles and SAP Profiles

Editing Master Data for SAP Groups, SAP Roles and SAP Profiles

You can edit the following data about groups, roles and profiles in One Identity Manager:

  • Assigned SAP user accounts
  • Usage in the IT Shop
  • Risk Assessment
  • Inheritance through roles and inheritance restrictions
  • License information for system measurement

To edit group master data

  1. Select the category SAP R/3 | Groups.
  2. Select the group in the result list. Select Change master data in the task view.
  3. Enter the required data on the master data form.
  4. Save the changes.

To edit profile master data

  1. Select the category SAP R/3 | Profiles.
  2. Select a profile in the result list. Select Change master data in the task view.
  3. Enter the required data on the master data form.
  4. Save the changes.

To edit role master data

  1. Select the category SAP R/3 | Roles.
  2. Select the role in the result list. Select Change master data in the task view.
  3. Enter the required data on the master data form.
  4. Save the changes.
Detailed information about this topic

General Master Data for SAP Groups

General Master Data for SAP Groups

Table 62: Configuration Parameters for Risk Assessment of SAP User Accounts
Configuration parameter Active Meaning
QER\CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is set, values can be entered and calculated for the risk index.

Edit the following master data for a group.

Table 63: SAP Group Master Data
Property Description
Display name Name of the group as displayed in One Identity Manager tools. The group name is taken from the group identifier by default.
Name Name of group in the target system.
Client Client, in which the group is added.
Service item Service item data for requesting the group through the IT Shop.

Risk index

Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This property is only visible when the configuration parameter QER\CalculateRiskIndex is set.

Category Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Use this menu to allocate one or more categories to the group.
Description Spare text box for additional explanation.
IT Shop

Specifies whether the group can be requested through the IT Shop. This group can be requested by staff through the Web Portal and granted through a defined approval process. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. This group can be requested by staff through the Web Portal and granted through a defined approval process. The group may not be assigned directly to hierarchical roles.

Detailed information about this topic
  • Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles
  • One Identity Manager IT Shop Administration Guide
  • One Identity Manager Identity Management Base Module Administration Guide
  • One Identity Manager Target SystemClosed Base Module Administration Guide
  • One Identity Manager Risk Assessment Administration Guide

General Master Data for SAP Roles

General Master Data for SAP Roles

Table 64: Configuration Parameters for Risk Assessment of SAP User Accounts
Configuration parameter Active Meaning
QER\CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is set, values can be entered and calculated for the risk index.

Edit the following master data for a role.

Table 65: SAP Role Master Data
Property Description
Display name Name of the role as displayed in One Identity Manager tools. Taken from the role identifier by default.
Name Name of role in the target system.
Client Client, in which the role is added.
License Role license. This task is needed for finding system measurement for user accounts and is assigned once after synchronization.
Role type Role type for differentiating between single and collective roles.
Service item Service item data for requesting the role through the IT Shop.
Risk index Value for evaluating the risk of assigning the role to user accounts. Enter a value between 0 and 1. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set.
Category Categories for role inheritance. User accounts can inherit roles selectively. To do this, roles and user accounts are divided into categories. Use this menu to allocate one or more categories to the role.
Description Spare text box for additional explanation.
Role description Spare text box for additional explanation.
IT Shop Specifies whether the role can be requested through the IT Shop. This role can be requested by staff through the Web Portal and granted through a defined approval procedure. The role can still be assigned directly to employees and hierarchical roles.
Only for use in IT Shop Specifies whether the role can only be requested through the IT Shop. This role can be requested by staff through the Web Portal and granted through a defined approval procedure. The role may not assigned directly to hierarchical roles.
Detailed information about this topic
  • Licenses
  • Providing System Measurement Data
  • Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles
  • One Identity Manager IT Shop Administration Guide
  • One Identity Manager Identity Management Base Module Administration Guide
  • One Identity Manager Target SystemClosed Base Module Administration Guide
  • One Identity Manager Risk Assessment Administration Guide

General Master Data for SAP Profiles

General Master Data for SAP Profiles

Table 66: Configuration Parameters for Risk Assessment of SAP User Accounts
Configuration parameter Active Meaning
QER\CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is set, values can be entered and calculated for the risk index.

Edit the following master data for a profile.

Table 67: SAP Profile Master Data
Property Description
Display name Name of the profile as displayed in One Identity Manager tools. The profile name is taken from the profile identifier by default.
Name Name of profile in the target system.
Client Client, in which the profile is added.
License Profile license. This task is needed for finding system measurement for SAP user accounts and is assigned once after synchronization.
Profile type Profile type for differentiating between single, collective and generated profiles.
Service item Service item data for requesting the profile through the IT Shop.
Risk index

Value for evaluating the risk of assigning the profile to account accounts. Enter a value between 0 and 1. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set.

Category Category for profile inheritance. User accounts can selectively inherit profiles. To do this, profiles and user accounts are divided into categories. Use this menu to allocate one or more categories to the profile.
Description Spare text box for additional explanation.
Profile is enabled Specifies whether the profile is enabled or a maintenance version.
Limited assignment Specifies whether the profile is assigned to an SAP role. The profile then no longer be directly assigned to user accounts, business roles, organizations or IT Shop shelves.
IT Shop Specifies whether the profile can be requested through the IT Shop. This profile can be requested by staff through the Web Portal and granted through a defined approval procedure. The profile can still be assigned directly to hierarchical roles. This option cannot be enabled for generated profiles.
Only for use in IT Shop

Specifies whether the profile can only be requested through the IT Shop. This profile can be requested by staff through the Web Portal and granted through a defined approval procedure. The profile may not assigned directly to hierarchical roles. This option cannot be enabled for generated profiles.

Detailed information about this topic
  • Licenses
  • Providing System Measurement Data
  • Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles
  • One Identity Manager IT Shop Administration Guide
  • One Identity Manager Identity Management Base Module Administration Guide
  • One Identity Manager Target SystemClosed Base Module Administration Guide
  • One Identity Manager Risk Assessment Administration Guide
Related Documents