The following SAP-side limitations influence the user account assignment and the inheritance of profiles and roles in One Identity Manager.
These limitations result in the following:
In inheritance behavior:
If a user account is assigned a single role and this single role is part of a collective role that is also assigned to this user account, the single role is not added to the table SAPUserInSAPRole.
If a user account obtains additional roles or profiles through a reference user, these roles or profiles are only added in tables SAPUserInSAPRole and SAPUserInSAPProfile for the reference user. When company resources assigned to an employee (table PersonHasObject) are calculated, the roles and profiles inherited by a user account through single roles, collective roles, collective profiles and reference users are also taken into account.
After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.
To obtain an overview of a group
To obtain an overview of a profile
To obtain an overview of a role
NOTE: To make the behavior easier to understand, it is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.
| Configuration parameter | Active meaning |
| --- | --- |
| | Preprocessor-relevant configuration parameter for controlling the effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. The database has to be recompiled after changes have been made to the parameter. |
When groups are assigned to user accounts, an employee may obtain two or more groups that are not permitted in combination. To prevent this, you can declare groups as mutually exclusive. To do this, you specify which of the two groups should apply to the user account if both are assigned.
It is possible to assign an excluded group directly, indirectly or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.
The effect of the assignments is mapped in the tables
Clara Harris has a user account in this
By using suitable controls, you want to prevent an employee from
| Effective Group | Excluded Group |
| --- | --- |
| Group B | Group A |
| Group C | Group B |
| Employee | Member in Role | Effective Group |
| --- | --- | --- |
| Ben King | Marketing | Group A |
| Jan Bloggs | Marketing, finance | Group B |
| Clara Harris | Marketing, finance, control group | Group C |
| Jenny Basset | Marketing, control group | Group A, Group C |
Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the business role "control group" at a later date, group B also takes effect.
Groups A and C are both in effect for Jenny Basset because these two groups are not defined as mutually exclusive. If this combination should not be allowed, define a further exclusion for group C.
| Employee | Member in Role | Assigned Group | Excluded Group | Effective Group |
| --- | --- | --- | --- | --- |
| | Control group | Group C | Group B | |
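The exclusion logic described above, worked through in code. This is an added example and not One Identity Manager's own implementation: it models the behavior the section describes (a group assigned to a user account is not effective when another group assigned to the same account is defined as taking precedence over it, and exclusions are not transitive), using the exclusion definitions and the role-to-group mapping from the tables as constructed sample data. The `unresolved_pairs` helper is an assumption added here to show how an administrator could spot combinations such as Group A with Group C that no exclusion definition covers.

```python
"""Model of mutually exclusive groups as described for One Identity Manager.

Added example, not product code. A group assignment is suppressed when
another group assigned to the same user account names it as the excluded
group. Suppression is decided against the *assigned* set, not the effective
set, so a suppressed group can itself suppress another group (Clara Harris:
C excludes B, B excludes A, only C remains). Exclusions are not transitive:
C alone does not exclude A (Jenny Basset keeps A and C).
"""

# Exclusion definitions from the page: (effective group, excluded group).
EXCLUSIONS = {
    ("Group B", "Group A"),
    ("Group C", "Group B"),
}

# Role -> groups assigned through membership in the role (constructed
# sample data matching the page's tables).
ROLE_GROUPS = {
    "Marketing": {"Group A"},
    "Finance": {"Group B"},
    "Control group": {"Group C"},
}

# Constructed sample employees and their business role memberships.
EMPLOYEES = {
    "Ben King": ["Marketing"],
    "Jan Bloggs": ["Marketing", "Finance"],
    "Clara Harris": ["Marketing", "Finance", "Control group"],
    "Jenny Basset": ["Marketing", "Control group"],
}


def assigned_groups(roles):
    """All groups an account obtains through the given role memberships."""
    groups = set()
    for role in roles:
        groups |= ROLE_GROUPS[role]
    return groups


def effective_groups(assigned, exclusions=EXCLUSIONS):
    """Return the subset of `assigned` whose assignment actually takes effect.

    A group is suppressed only if some other *assigned* group is defined
    as taking precedence over it. The suppressed group still counts as
    assigned and can therefore suppress further groups.
    """
    assigned = set(assigned)
    suppressed = {
        excluded
        for effective, excluded in exclusions
        if effective in assigned and excluded in assigned
    }
    return assigned - suppressed


def unresolved_pairs(effective, exclusions=EXCLUSIONS):
    """Pairs of effective groups with no exclusion defined in either direction.

    Hypothetical helper: these are the combinations that still reach the
    target system together and may need a further exclusion definition.
    """
    defined = {frozenset(pair) for pair in exclusions}
    ordered = sorted(effective)
    return {
        (a, b)
        for i, a in enumerate(ordered)
        for b in ordered[i + 1:]
        if frozenset((a, b)) not in defined
    }


def main():
    for name, roles in EMPLOYEES.items():
        effective = effective_groups(assigned_groups(roles))
        open_pairs = unresolved_pairs(effective)
        print(f"{name:13} roles={', '.join(roles):35} "
              f"effective={sorted(effective)} unresolved={sorted(open_pairs)}")


if __name__ == "__main__":
    main()
```

Running the script reproduces the effective-group column of the table above; the only unresolved pair reported is Group A with Group C for Jenny Basset, which is exactly the case where the text suggests defining a further exclusion.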
To exclude a group
- OR -
Remove the conflicting groups that are no longer mutually exclusive in Remove assignments.
To exclude roles
- OR -
Remove roles that are no longer mutually exclusive in Remove assignments.
To exclude profiles
- OR -
Remove profiles that are no longer mutually exclusive in Remove assignments.