Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3

Assigning and Passing on SAP Profiles and SAP Roles to SAP User Accounts

The following SAP-side limitations influence the user account assignment and the inheritance of profiles and roles in One Identity Manager.

  • Collective profiles can be put together from 0...n profiles or collective profiles. If a user account is assigned a collective profile, the target system only returns the user account's membership in the assigned collective profile, not its membership in the subprofiles.
  • Single roles can be put together from 0...n profiles. Only profiles that are not collective profiles can be assigned. Profiles that are assigned to a single role can no longer be assigned to a user account.
  • Collective roles can be made up of 0...n single roles. Profiles or collective profiles cannot be assigned to collective roles.

These limitations result in the following:

In assignment:

  • Triggers prevent roles that are assigned to single roles from being assigned to user accounts, products, roles, and employees.

In inheritance behavior:

  • If a user account is assigned a collective role that owns single roles, the single roles are not added to the table SAPuserInSAPGroupTotal.
  • If a user account is assigned a single role that owns profiles, the profiles are not added to the table SAPUserInSAPProfile.
  • If a user account is assigned a single role and this single role is also part of a collective role that is assigned to the same user account, the single role is not added to the table SAPUserInSAPRole.
  • If a user account is assigned a collective profile with child profiles, the child profiles are not added to the table SAPUserInSAPProfile.

If a user account obtains additional roles or profiles through a reference user, these roles or profiles are only added to the tables SAPUserInSAPRole and SAPUserInSAPProfile for the reference user itself. When the company resources assigned to an employee (table PersonHasObject) are calculated, the roles and profiles a user account inherits through single roles, collective roles, collective profiles, and reference users are also taken into account.
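The practical consequence of these rules is that the membership tables record less than the user account can actually do in SAP: a reviewer who only reads SAPUserInSAPRole and SAPUserInSAPProfile will miss profiles granted through single roles, single roles granted through collective roles, children of collective profiles, and everything that comes in through a reference user. The following Python model is an added example, not One Identity Manager's own code; it encodes the rules stated above over constructed role, profile and user names (Z_FIN_ALL, CP_BASIS, JBLOGGS, REF_TEMPLATE and so on are made up) and contrasts the stored membership rows with the full set of entitlements that the PersonHasObject calculation accounts for.

```python
from dataclasses import dataclass, field

# Illustrative model of the inheritance rules above (constructed, not product code).


@dataclass
class SapSchema:
    collective_roles: dict      # collective role -> set of single roles
    single_roles: dict          # single role -> set of non-collective profiles
    collective_profiles: dict   # collective profile -> set of child profiles

    def profiles_in_single_roles(self):
        return set().union(*self.single_roles.values()) if self.single_roles else set()

    def expand_profile(self, profile, seen=None):
        """A collective profile grants itself plus all child profiles, recursively."""
        seen = set() if seen is None else seen
        if profile in seen:
            return seen
        seen.add(profile)
        for child in self.collective_profiles.get(profile, ()):
            self.expand_profile(child, seen)
        return seen

    def expand_role(self, role):
        """A collective role grants its single roles; each single role grants its profiles."""
        roles = {role} | set(self.collective_roles.get(role, ()))
        profiles = set()
        for r in roles:
            profiles |= self.single_roles.get(r, set())
        return roles, profiles


@dataclass
class SapUser:
    name: str
    roles: set = field(default_factory=set)
    profiles: set = field(default_factory=set)
    reference_user: "SapUser | None" = None


def validate_assignment(user, schema):
    """Profiles that belong to a single role may not be assigned to a user directly."""
    blocked = user.profiles & schema.profiles_in_single_roles()
    if blocked:
        raise ValueError(f"{user.name}: profiles {sorted(blocked)} belong to a single role")
    return True


def membership_rows(user, schema):
    """Rows that land in SAPUserInSAPRole / SAPUserInSAPProfile for this user.
    Only direct assignments are stored: a single role that is also contained in an
    assigned collective role is dropped, profiles of single roles and children of
    collective profiles are never stored, and nothing comes from the reference user."""
    contained = set()
    for role in user.roles:
        contained |= schema.collective_roles.get(role, set())
    return sorted(user.roles - contained), sorted(user.profiles)


def total_entitlements(user, schema):
    """What the PersonHasObject calculation sees: everything inherited through
    collective roles, single roles, collective profiles and the reference user."""
    roles, profiles = set(), set()
    for role in user.roles:
        r, p = schema.expand_role(role)
        roles |= r
        profiles |= p
    for profile in user.profiles:
        profiles |= schema.expand_profile(profile)
    if user.reference_user is not None:
        ref_roles, ref_profiles = total_entitlements(user.reference_user, schema)
        roles |= set(ref_roles)
        profiles |= set(ref_profiles)
    return sorted(roles), sorted(profiles)


# Constructed sample data: a collective role of two single roles, a nested
# collective profile, and a reference user that carries a display role.
SCHEMA = SapSchema(
    collective_roles={"Z_FIN_ALL": {"Z_FIN_PAY", "Z_FIN_CHECK"}},
    single_roles={"Z_FIN_PAY": {"P_PAY"}, "Z_FIN_CHECK": {"P_CHECK"}, "Z_DISPLAY": {"P_DISPLAY"}},
    collective_profiles={"CP_BASIS": {"P_BASIS1", "CP_BASIS_SUB"}, "CP_BASIS_SUB": {"P_BASIS2"}},
)
TEMPLATE = SapUser("REF_TEMPLATE", roles={"Z_DISPLAY"})
JBLOGGS = SapUser("JBLOGGS", roles={"Z_FIN_ALL", "Z_FIN_PAY"},
                  profiles={"CP_BASIS"}, reference_user=TEMPLATE)

if __name__ == "__main__":
    validate_assignment(JBLOGGS, SCHEMA)
    print("stored rows:", membership_rows(JBLOGGS, SCHEMA))
    print("effective  :", total_entitlements(JBLOGGS, SCHEMA))
```

For JBLOGGS the stored rows are a single role row (Z_FIN_ALL) and a single profile row (CP_BASIS), while the effective entitlements span four roles and seven profiles; an access review built on the membership tables alone would therefore need to be widened to PersonHasObject or to an equivalent expansion.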

Additional Tasks for Managing SAP Groups, SAP Roles and SAP Profiles

After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.

Overview of SAP Groups, SAP Roles and SAP Profiles

To obtain an overview of a group

  1. Select the category SAP R/3 | Groups.
  2. Select the group in the result list.
  3. Select SAP group overview in the task view.

To obtain an overview of a profile

  1. Select the category SAP R/3 | Profiles.
  2. Select a profile in the result list.
  3. Select SAP profile overview in the task view.

To obtain an overview of a role

  1. Select the category SAP R/3 | Roles.
  2. Select the role in the result list.
  3. Select SAP role overview in the task view.

Effectiveness of SAP Groups, SAP Roles and SAP Profiles

NOTE: For ease of understanding, the behavior is described in this section with respect to SAP groups. It applies in the same way to roles and profiles.

Table 69: Configuration Parameter for Conditional Inheritance

Configuration parameter | Active | Meaning
--- | --- | ---
QER\Structures\Inherite\GroupExclusion | | Preprocessor-relevant configuration parameter for controlling the effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. The database has to be recompiled after changes have been made to the parameter.

When groups are assigned to user accounts, an employee may obtain two or more groups that are not permitted in combination. To prevent this, you can declare groups as mutually exclusive. To do this, you specify which of the two groups should apply to the user account if both are assigned.

It is possible to assign an excluded group directly, indirectly or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means the definition "Group A excludes group B" AND "Group B excludes group A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.

The effect of the assignments is mapped in the tables SAPUserInSAPGrp and BaseTreeHasSAPGrp through the column XIsInEffect.

Example of the effect of group memberships

  • Group A is defined with permissions for triggering requests in a client. Group B is authorized to make payments. Group C is authorized to check invoices.
  • Group A is assigned through the department "Marketing", group B through the department "Finance", and group C through the business role "Control group".

Clara Harris has a user account in this client. She primarily belongs to the department "Marketing". The business role "Control group" and the department "Finance" are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.

By using suitable controls, you want to prevent an employee from being able both to trigger a request and to pay invoices. That means groups A and B are mutually exclusive. An employee who checks invoices must not be able to make invoice payments as well. That means groups B and C are mutually exclusive.

Table 70: Specifying excluded groups (table SAPGrpExclusion)

Effective Group | Excluded Group
--- | ---
Group A |
Group B | Group A
Group C | Group B

Table 71: Effective Assignments

Employee | Member in Role | Effective Group
--- | --- | ---
Ben King | Marketing | Group A
Jan Bloggs | Marketing, Finance | Group B
Clara Harris | Marketing, Finance, Control group | Group C
Jenny Basset | Marketing, Control group | Group A, Group C

Only the group C assignment is in effect for Clara Harris, and only that assignment is published to the target system. If Clara Harris leaves the business role "Control group" at a later date, group B takes effect instead.

Groups A and C are both in effect for Jenny Basset because these two groups are not defined as mutually exclusive. If this should not be allowed, define a further exclusion for group C.

Table 72: Excluded groups and effective assignments

Employee | Member in Role | Assigned Group | Excluded Group | Effective Group
--- | --- | --- | --- | ---
Jenny Basset | Marketing | Group A | | Group C
Jenny Basset | Control group | Group C | Group B, Group A | Group C
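The rule that Tables 70 to 72 illustrate can be stated compactly: a group assigned to a user account is effective unless some other group that is also assigned excludes it, and the test is made against assigned groups, not against the winners (that is why Clara Harris loses group A to group B even though group B itself loses to group C). The following Python code is an added example, not One Identity Manager's own implementation; it reproduces Tables 70, 71 and 72 from constructed data, enforces the rule that a mutual pair is not permitted, and reports the per-group outcome in the same true/false form as the XIsInEffect column. The role-to-group mapping and the employee list are taken from the example above; the function names are assumptions.

```python
# Constructed sample data modelled on Tables 70 and 71 (not product data).
ROLE_TO_GROUP = {
    "Marketing": "Group A",
    "Finance": "Group B",
    "Control group": "Group C",
}

# SAPGrpExclusion rows as (effective group, excluded group), as in Table 70.
EXCLUSIONS = [
    ("Group B", "Group A"),
    ("Group C", "Group B"),
]

EMPLOYEES = {
    "Ben King": ["Marketing"],
    "Jan Bloggs": ["Marketing", "Finance"],
    "Clara Harris": ["Marketing", "Finance", "Control group"],
    "Jenny Basset": ["Marketing", "Control group"],
}


def validate_exclusions(exclusions):
    """Reject self-exclusion and mutual pairs (A excludes B and B excludes A)."""
    pairs = set(exclusions)
    for effective, excluded in pairs:
        if effective == excluded:
            raise ValueError(f"{effective} cannot exclude itself")
        if (excluded, effective) in pairs:
            raise ValueError(f"mutual exclusion of {effective} and {excluded} is not permitted")
    return True


def assigned_groups(roles, role_to_group=ROLE_TO_GROUP):
    """Groups an employee obtains through departments and business roles."""
    return {role_to_group[role] for role in roles}


def effective_groups(assigned, exclusions):
    """A group is ineffective when any other *assigned* group excludes it.
    Exclusions are read only from direct definitions (they are not inherited)
    and are evaluated against the assignment, so group B still knocks out
    group A even when group B is itself excluded by group C."""
    assigned = set(assigned)
    excluded = {exc for eff, exc in exclusions if eff in assigned and exc in assigned}
    return sorted(assigned - excluded)


def resolve(employee_roles, exclusions=EXCLUSIONS):
    """Return {employee: {group: in_effect}}, mirroring XIsInEffect in SAPUserInSAPGrp."""
    validate_exclusions(exclusions)
    outcome = {}
    for employee, roles in employee_roles.items():
        assigned = assigned_groups(roles)
        effective = set(effective_groups(assigned, exclusions))
        outcome[employee] = {group: group in effective for group in sorted(assigned)}
    return outcome


def published_groups(employee_roles, exclusions=EXCLUSIONS):
    """Only groups with XIsInEffect set are published to the target system."""
    return {emp: [g for g, ok in groups.items() if ok]
            for emp, groups in resolve(employee_roles, exclusions).items()}


if __name__ == "__main__":
    for emp, groups in resolve(EMPLOYEES).items():
        print(f"{emp:14} {groups}")
    # Table 72: add "Group C excludes Group A" so Jenny Basset is left with group C only.
    print(published_groups(EMPLOYEES, EXCLUSIONS + [("Group C", "Group A")])["Jenny Basset"])
```

Running the block reproduces Table 71 (Clara Harris: only group C in effect; Jenny Basset: groups A and C), and appending the extra row ("Group C", "Group A") reproduces Table 72, where Jenny Basset keeps only group C.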

Prerequisites
  • The configuration parameter "QER\Inherite\GroupExclusion" is enabled.
  • Mutually exclusive groups, roles and profiles belong to the same client.

To exclude a group

  1. Select the category SAP R/3 | Groups.
  2. Select the group in the result list.
  3. Select Exclude groups in the task view.
  4. Assign the groups that are mutually exclusive to the selected group in Add assignments.

    - OR -

    Remove the conflicting groups that are no longer mutually exclusive in Remove assignments.

  5. Save the changes.

To exclude roles

  1. Select the category SAP R/3 | Roles.
  2. Select the role in the result list.
  3. Select Exclude SAP roles in the task view.
  4. Assign the roles that are mutually exclusive to the selected role in Add assignments.

    - OR -

    Remove roles that are no longer mutually exclusive in Remove assignments.

  5. Save the changes.

To exclude profiles

  1. Select the category SAP R/3 | Profiles.
  2. Select a profile in the result list.
  3. Select Exclude roles in the task view.
  4. Assign the profiles that are mutually exclusive to the selected profile in Add assignments.

    - OR -

    Remove profiles that are no longer mutually exclusive in Remove assignments.

  5. Save the changes.