To react quickly to special requests, you can assign roles directly to user accounts.
The following applies if user accounts are managed by CUA (central user administration):
To assign a role directly to user accounts
To assign a role to a user account
This inserts a new row in the table.
To edit a role assignment
To remove a role assignment
Installed Module: System Roles Module
Groups, roles and profiles can be added to different system roles. When you assign a system role to an employee, the groups, roles and profiles are inherited by all SAP user accounts that this employee has. System roles that exclusively contain SAP groups, roles or profiles can be labeled with the system role type "SAP product". Groups, roles and profiles can also be added to system roles that are not SAP products.
NOTE: Only profiles that are not assigned to an SAP role can be assigned to system roles.
NOTE: Groups, roles and profiles with the option Only use in IT Shop can only be assigned to system roles that also have this option set. For more detailed information about providing system roles in the IT Shop, see the One Identity Manager System Roles Administration Guide.
To assign a group to system roles
Assign system roles in Add assignments.
- OR -
Remove system roles from Remove assignments.
To assign a role to system roles
Assign system roles in Add assignments.
- OR -
Remove system roles from Remove assignments.
To assign a profile to system roles
Assign system roles in Add assignments.
- OR -
Remove system roles from Remove assignments.
NOTE: Only profiles that are not assigned to SAP roles can be assigned to IT Shop shelves.
Once a
NOTE: IT Shop administrators can assign
To add a
- OR -
Select the category Entitlements | SAP groups or Entitlements | SAP roles or Entitlements | SAP profiles (role-based login).
To remove a
- OR -
Select the category Entitlements | SAP groups or Entitlements | SAP roles or Entitlements | SAP profiles (role-based login).
To remove a
- OR -
Select the category Entitlements | SAP groups or Entitlements | SAP roles or Entitlements | SAP profiles (role-based login).
This removes the
For more detailed information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Configuration parameter | Meaning when set |
---|---|
TargetSystem\SAPR3\ValidDateHandling | Configuration parameter for handling the validity period in SAP user account assignments to SAP roles. |
TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate | This configuration parameter specifies whether the validity dates from the request procedure are copied to SAP user account assignments to SAP roles. If the configuration parameter is set, the "Valid from" and "Valid to" dates from the request procedure are not copied to SAP user account assignments to SAP roles. |
Assignment of SAP roles to user accounts can be limited to set periods in your SAP R/3 environment. There are different ways of specifying time limits for role assignments in One Identity Manager.
The columns "Valid from" and "Valid to" are taken into account in the default mapping. Synchronization writes the role assignment's validity period into the One Identity Manager database.
A validity period can be entered for direct assignment of roles to user accounts. "Valid from" and "Valid to" dates are provisioned in the target system.
A validity period for a request can be entered in the IT Shop. An entry in the table SAPUserInSAPRole exists only between the first and last days of the request's validity period.
Once the request is approved and the "Valid from" date has been reached, the request recipient's SAP user account inherits the SAP role. The role assignments are automatically canceled and deleted when the validity period expires.
The request's validity period is copied to the table SAPUserInSAPRole by default. This means that the data is provisioned in the SAP environment.
To prevent the request's validity date from being copied to the role assignment
Once the request is approved and the "Valid from" date is reached, the employee becomes a member of the hierarchical role. The employee's SAP user account inherits the SAP role. The membership is automatically canceled and the role assignment deleted when the validity period expires.
Once the request is approved and the "Valid from" date is reached, the SAP role is assigned to the hierarchical role. The role member's SAP user accounts inherit the SAP role. The assignment is automatically canceled and the role assignment deleted when the validity period expires.
The request's validity period is copied to the table SAPUserInSAPRole by default. This means that the data is provisioned in the SAP environment.
To prevent the request's validity date from being copied to the role assignment
The table SAPUserInSAPRole contains all role assignments, limited and unlimited. The table HelperSAPUserInSAPRole contains only the currently valid role assignments. Both tables are calculated on a schedule.
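The split between all assignments and currently valid assignments can be reproduced for an access review. The following Python is an added example, not One Identity Manager code: it classifies assignment rows by validity period, treating the first and last days as valid, and lists assignments with no end date. The field names, account names and role names are assumptions constructed for this example and are not the product's column names.

```python
from datetime import date
from typing import NamedTuple, Optional

class Assignment(NamedTuple):
    # Field names are assumptions for this example, not product columns.
    account: str
    role: str
    valid_from: Optional[date]  # None = no start limit
    valid_to: Optional[date]    # None = no end limit

def status(a: Assignment, today: date) -> str:
    """Classify one assignment; both boundary days count as valid."""
    if a.valid_from and a.valid_to and a.valid_from > a.valid_to:
        return "invalid-range"
    if a.valid_from and today < a.valid_from:
        return "pending"
    if a.valid_to and today > a.valid_to:
        return "expired"
    return "current"

def currently_valid(rows, today):
    """Rows valid today: the subset the page describes for the helper table."""
    return [a for a in rows if status(a, today) == "current"]

def review_report(rows, today):
    """Group rows by status and list those without an end date separately."""
    report = {k: [] for k in
              ("current", "pending", "expired", "invalid-range", "unlimited")}
    for a in rows:
        report[status(a, today)].append(a)
        if a.valid_to is None:
            report["unlimited"].append(a)
    return report

# Constructed sample rows (not real accounts or roles).
SAMPLE = [
    Assignment("JDOE", "Z_FI_CLERK", date(2023, 1, 1), date(2023, 3, 31)),
    Assignment("JDOE", "Z_MM_BUYER", None, None),
    Assignment("ASMITH", "Z_FI_CLERK", date(2023, 4, 1), date(2023, 6, 30)),
    Assignment("ASMITH", "Z_HR_VIEW", date(2023, 2, 1), None),
    Assignment("BKING", "Z_BASIS", date(2023, 5, 1), date(2023, 4, 1)),
]

if __name__ == "__main__":
    for key, rows in review_report(SAMPLE, date(2023, 4, 1)).items():
        print(key, [(a.account, a.role) for a in rows])
```
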