Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3

Assigning SAP User Accounts directly to SAP Roles

To react quickly to special requests, you can assign roles directly to user accounts.

The following applies if user accounts are managed by CUA:

  • The role is assigned to the central system, or
  • The role's client is assigned as a child system to the user accounts.

To assign a role directly to user accounts

  1. Select the category SAP R/3 | Roles.
  2. Select the role in the result list.
  3. Select Assign user accounts in the task view.

To assign a role to a user account

  1. Click Add.

    This inserts a new row in the table.

  2. Select the user account you want to assign to the role from the User account menu.
  3. Enter a validity period for the role assignment in Valid from and Valid until, if it applies.
  4. Enter another user account if required.
  5. Save the changes.

To edit a role assignment

  1. Select the role assignment you want to edit in the table. Edit the validity period.
  2. Save the changes.

To remove a role assignment

  1. Select the role assignment you want to remove in the table.
  2. Click Delete.
  3. Save the changes.

Adding SAP Groups, SAP Roles and SAP Profiles to System Roles

Installed Module: System Roles Module

Groups, roles and profiles can be added to different system roles. When you assign a system role to an employee, the groups, roles and profiles are inherited by all SAP user accounts that these employees have. System roles that exclusively contain SAP groups, roles or profiles can be labeled with the system role type "SAP product". Groups, roles and profiles can also be added to system roles that are not SAP products.

NOTE: Only profiles that are not assigned to an SAP role can be assigned to system roles.

NOTE: Groups, roles and profiles with the option Only use in IT Shop can only be assigned to system roles that also have this option set. For more detailed information about providing system roles in the IT Shop, see the One Identity Manager System Roles Administration Guide.

To assign a group to system roles

  1. Select the category SAP R/3 | Groups.
  2. Select the group in the result list.
  3. Select Assign system roles in the task view.
  4. Assign system roles in Add assignments.

    - OR -

    Remove system roles from Remove assignments.

  5. Save the changes.

To assign a role to system roles

  1. Select the category SAP R/3 | Roles.
  2. Select the role in the result list.
  3. Select Assign system roles in the task view.
  4. Assign system roles in Add assignments.

    - OR -

    Remove system roles from Remove assignments.

  5. Save the changes.

To assign a profile to system roles

  1. Select the category SAP R/3 | Profiles.
  2. Select a profile in the result list.
  3. Select Assign system roles in the task view.
  4. Assign system roles in Add assignments.

    - OR -

    Remove system roles from Remove assignments.

  5. Save the changes.

Adding SAP Groups, SAP Roles and SAP Profiles to the IT Shop

NOTE: Only profiles that are not assigned to SAP roles can be assigned to IT Shop shelves.

Once a group, role or profile has been assigned to an IT Shop shelf, it can be requested by the shop customers. To ensure it can be requested, further prerequisites must be met.

  • The group, role or profile must be labeled with the option IT Shop.
  • The group, role or profile must be assigned to a service item.
  • The group, role or profile must be labeled with the option Only use in IT Shop if the group, role or profile can only be assigned to employees through IT Shop requests. Direct assignment to hierarchical roles may not be possible.

NOTE: IT Shop administrators can assign groups, roles and profiles to IT Shop shelves in the case of role-based login. Target system administrators are not authorized to add groups, roles and profiles in the IT Shop.

To add a group, role or profile to the IT Shop

  1. Select the category SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 | Profiles (non role-based login).

    - OR -

    Select the category Entitlements | SAP groups or Entitlements | SAP roles or Entitlements | SAP profiles (role-based login).

  2. Select the group, role or profile in the result list.
  3. Select Add to IT Shop in the task view.
  4. Assign the group, role or profile to the IT Shop shelves in Add assignments.
  5. Save the changes.

To remove a group, role or profile from individual IT Shop shelves

  1. Select the category SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 | Profiles (non role-based login).

    - OR -

    Select the category Entitlements | SAP groups or Entitlements | SAP roles or Entitlements | SAP profiles (role-based login).

  2. Select the group, role or profile in the result list.
  3. Select Add to IT Shop in the task view.
  4. Remove the group, role or profile from the IT Shop shelves in Remove assignments.
  5. Save the changes.

To remove a group, role or profile from all IT Shop shelves

  1. Select the category SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 | Profiles (non role-based login).

    - OR -

    Select the category Entitlements | SAP groups or Entitlements | SAP roles or Entitlements | SAP profiles (role-based login).

  2. Select the group, role or profile in the result list.
  3. Select Remove from all shelves (IT Shop) in the task view.
  4. Confirm the security prompt with Yes.
  5. Click OK.

    This removes the group, role or profile from all One Identity Manager Service shelves. All requests and assignment requests with this group, role or profile are canceled in the process.

For more detailed information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Role Assignment Validity Period

Table 68: Configuration parameter for handling the validity period of requested SAP roles

Configuration parameter | Active Meaning
TargetSystem\SAPR3\ValidDateHandling | Configuration parameter for handling the validity period in SAP user account assignments to SAP roles.
TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate | This configuration parameter specifies whether the validity dates from the request procedure are copied to SAP user account assignments to SAP roles. If the configuration parameter is set, the "Valid from" and "Valid to" dates from the request procedure are not copied to SAP user account assignments to SAP roles.

Assignment of SAP roles to user accounts can be limited to set periods in your SAP R/3 environment. There are different ways of specifying time limits for role assignments in One Identity Manager.

  1. Synchronizing Role Assignments

    The columns "Valid from" and "Valid to" are taken into account in the default mapping. Synchronization writes the role assignment's validity period into the One Identity Manager database.

  2. Direct assignment of SAP roles to user accounts in the Manager

    A validity period can be entered for direct assignment of roles to user accounts. "Valid from" and "Valid to" dates are provisioned in the target system.

  3. Limited time period requests in the IT Shop

    A validity period for a request can be entered in the IT Shop. An entry in the table SAPUserInSAPRole only exists between the first and last days of the request's validity period.

    1. Directly requesting an SAP role

      Once the request is approved and the "Valid from" date has been reached, the request recipient's SAP user account inherits the SAP role. The role assignments are automatically canceled and deleted when the validity period expires.

      The request's validity period is copied to the table SAPUserInSAPRole by default. This means that the data is provisioned in the SAP environment.

      To prevent the request's validity date from being copied to the role assignment

      • Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate" in the Designer.
    2. Membership request in a hierarchical role (a department, for example)
      • The hierarchical role is assigned to an SAP role.

      Once the request is approved and the "Valid from" date is reached, the employee becomes a member of the hierarchical role. The employee's SAP user account inherits the SAP role. The membership is automatically canceled and the role assignment deleted when the validity period expires.

    3. Request for assignment of an SAP role to a hierarchical role.
      • Employees with an SAP user account are members of this hierarchical role.

      Once the request is approved and the "Valid from" date is reached, the SAP role is assigned to the hierarchical role. The role member's SAP user accounts inherit the SAP role. The assignment is automatically canceled and the role assignment deleted when the validity period expires.

      The request's validity period is copied to the table SAPUserInSAPRole by default. This means that the data is provisioned in the SAP environment.

      To prevent the request's validity date from being copied to the role assignment

      • Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\DoNotUsePWODate" in the Designer.

The table SAPUserInSAPRole contains all role assignments, limited and unlimited. The table HelperSAPUserInSAPRole only contains currently valid role assignments. The tables are calculated on a schedule.
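
The distinction between all role assignments and the currently valid ones can be reproduced for an access review outside the product. The following is an added example, not One Identity Manager code: it classifies assignments by validity period and flags direct assignments that have no end date. The export layout, column names, account and role names are constructed assumptions, not the product's schema.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumptions for this example,
# not the One Identity Manager schema. An empty date means "no limit".
SAMPLE_EXPORT = """account,role,valid_from,valid_until,origin
JDOE,Z_FI_AP_CLERK,2024-01-01,2024-03-31,request
JDOE,Z_BASIS_ADMIN,,,direct
ASMITH,Z_MM_BUYER,2024-06-01,2024-06-30,direct
BLEE,Z_HR_VIEWER,2024-02-15,,direct
"""

def parse_day(text):
    """Return a date for 'YYYY-MM-DD', or None for an empty (unlimited) bound."""
    return date.fromisoformat(text) if text else None

def load_assignments(text):
    """Read the export into dicts with parsed validity bounds."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["valid_from"] = parse_day(rec["valid_from"])
        rec["valid_until"] = parse_day(rec["valid_until"])
        rows.append(rec)
    return rows

def state(row, today):
    """Classify one assignment; the first and last day both count as valid."""
    if row["valid_from"] and today < row["valid_from"]:
        return "pending"
    if row["valid_until"] and today > row["valid_until"]:
        return "expired"
    return "effective"

def currently_valid(rows, today):
    """The subset a 'currently valid assignments' view would hold on that day."""
    return [r for r in rows if state(r, today) == "effective"]

def open_ended_direct(rows):
    """Direct assignments without an end date: standing access to review."""
    return [r for r in rows if r["origin"] == "direct" and r["valid_until"] is None]

if __name__ == "__main__":
    rows = load_assignments(SAMPLE_EXPORT)
    flagged = open_ended_direct(rows)
    today = date(2024, 3, 31)
    for r in rows:
        note = "  REVIEW: no end date" if r in flagged else ""
        print(f'{r["account"]:8}{r["role"]:16}{state(r, today):10}{note}')
```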
