
Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3


Inheriting SAP Groups, SAP Roles and SAP Profiles based on Categories


NOTE: For ease of understanding, the behavior is described with respect to SAP groups in this section. It applies in the same way to SAP roles and SAP profiles.

In One Identity Manager, groups can be selectively inherited by user accounts. For this, groups and user accounts are divided into categories. The categories can be freely chosen and are specified by a template. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. Enter your categories for the structural profiles, administrative roles, subscriptions and disabled service plans in the . Each table contains the category items "Position1" to "Position31".

Every user account can be assigned to one or more categories. Each group can also be assigned to one or more categories. The group is inherited by the user account when at least one category item of the user account matches a category item of the group. The group is also inherited by the user account if either the group or the user account has not been put into any category.

NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when groups are directly assigned to user accounts.
Table 73: Category Examples

  Category position | Categories for user accounts | Categories for groups
  ------------------+------------------------------+----------------------------------
  1                 | Default user                 | Default permissions
  2                 | System user                  | System user permissions
  3                 | System administrator         | System administrator permissions

Figure 4: Example of inheriting through categories.

To use inheritance through categories

  • Define the categories in the client.

    NOTE: If central user administration is implemented, define the categories in the central system as well as in the child system. The same categories must be defined in the child system as in the central system so that groups from a child system can be inherited by user accounts.
  • Assign categories to user accounts through their master data.
  • Assign categories to groups, roles and profiles through their master data.
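The matching rule above, worked through on the Table 73 categories as an added example (not One Identity Manager's own code). Categories are modelled here as sets of position numbers 1 to 31; the account and group names are constructed sample data, and the set representation is an illustration, not the product's storage format.

```python
# Added example: models the category-based inheritance rule for SAP groups.
# Categories are modelled as sets of position numbers 1..31 ("Position1" to
# "Position31"); illustration only, not One Identity Manager's own code or
# storage format.

MAX_POSITION = 31


def validate(categories):
    """Return the categories as a frozenset, rejecting positions outside 1..31."""
    cats = frozenset(categories)
    bad = sorted(c for c in cats if not 1 <= c <= MAX_POSITION)
    if bad:
        raise ValueError(f"invalid category positions: {bad}")
    return cats


def inherits_group(user_categories, group_categories, direct_assignment=False):
    """Decide whether a user account inherits a group.

    Rule from the guide: the group is inherited when at least one category
    item matches, or when either side has not been put into any category.
    Categories are only evaluated for indirect assignments through
    hierarchical roles; a direct assignment is never filtered.
    """
    if direct_assignment:
        return True
    user = validate(user_categories)
    group = validate(group_categories)
    if not user or not group:
        return True
    return not user.isdisjoint(group)


# Constructed sample data following Table 73:
# 1 = default user / default permissions, 2 = system user / system user
# permissions, 3 = system administrator / system administrator permissions.
USER_ACCOUNTS = {
    "alice": {1},            # default user
    "sys_batch": {2},        # system user
    "root_admin": {2, 3},    # system user and system administrator
    "legacy": set(),         # no category assigned at all
}
GROUPS = {
    "G_DEFAULT": {1},
    "G_SYSTEM": {2},
    "G_ADMIN": {3},
    "G_UNCATEGORISED": set(),
}


def effective_groups(user_name):
    """Groups a user account inherits through hierarchical roles (sorted)."""
    cats = USER_ACCOUNTS[user_name]
    return sorted(g for g, gcats in GROUPS.items() if inherits_group(cats, gcats))
```

Note that the uncategorised group and the uncategorised account both match everything, which is exactly why the guide stresses defining the same categories in every client.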
Assigning Extended Properties to SAP Groups, SAP Roles and SAP Profiles


Extended properties are meta objects that cannot be mapped directly in One Identity Manager, for example, operating codes, cost codes or cost accounting areas.

To specify extended properties for a group

  1. Select the category SAP R/3 | Groups.
  2. Select the group in the result list.
  3. Select Assign extended properties in the task view.
  4. Assign extended properties in Add assignments.

    - OR -

    Remove extended properties from Remove assignments.

  5. Save the changes.

To specify extended properties for a role

  1. Select the category SAP R/3 | Roles.
  2. Select the role in the result list.
  3. Select Assign extended properties in the task view.
  4. Assign extended properties in Add assignments.

    - OR -

    Remove extended properties from Remove assignments.

  5. Save the changes.

To specify extended properties for a profile

  1. Select the category SAP R/3 | Profiles.
  2. Select a profile in the result list.
  3. Select Assign extended properties in the task view.
  4. Assign extended properties in Add assignments.

    - OR -

    Remove extended properties from Remove assignments.

  5. Save the changes.

Showing SAP Authorizations


You can view authorization objects and authorizations of SAP roles and profiles in One Identity Manager. All single profiles with their associated authorization objects and fields are displayed in a hierarchical overview.

To display role authorizations

  1. Select the category SAP R/3 | Roles.
  2. Select the role in the result list.
  3. Select Show SAP authorizations in the task view.

To display profile authorizations

  1. Select the category SAP R/3 | Profiles.
  2. Select a profile in the result list.
  3. Select Show SAP authorizations in the task view.

Calculating the Validity Date of Inherited Role Assignments


Table 74: Configuration Parameters for Handling Validity Dates of Indirectly Assigned SAP Roles

  Configuration parameter | Meaning
  ------------------------+--------------------------------------------------------------
  TargetSystem\SAPR3\ValidDateHandling | Configuration parameter for handling the validity period in SAP user account assignments to SAP roles.
  TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate | This configuration parameter specifies whether the format of the validity dates of inherited SAP user account assignments to SAP roles remains intact. The configuration parameter is only relevant in systems that were migrated from a version before 7.0. If the configuration parameter is set, the format of the dates "Valid from" and "Valid to" stays the same when SAP user account assignments to roles are inherited.
  TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate\UseTodayForInheritedValidFrom | This configuration parameter specifies whether the "Valid from" date in inherited SAP user account assignments to SAP roles is set to <Today> or to "1900-01-01".

Since One Identity Manager version 7.0, the validity dates of indirectly assigned SAP roles have been saved in the One Identity Manager database in a different format.

Table 75: Default Date Format for Validity Dates of Indirectly Assigned SAP Roles (Table SAPUserInSAPRole)

  One Identity Manager version | Valid from (ValidFrom)                         | Valid until (ValidUntil)
  -----------------------------+------------------------------------------------+-------------------------
  >= 7.0                       | 1900-01-01                                     | 9999-12-31
  < 7.0                        | Date on which the role assignment was created  | 9998-12-31

Existing validity dates in databases migrated from versions older than 7.0 remain as they are. Once inheritance is recalculated for a user account, all of its indirectly assigned SAP roles are saved with new validity dates. These changes are immediately provisioned in SAP. This can result in a heavy load on the connected SAP system.

To prevent validity dates from adjusting to the new format when recalculating inheritance

  • Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate" in the Designer.

    IMPORTANT: In order to ensure that the validity period is correctly calculated straight after migration, set the configuration parameter with a custom change in the migration package. For more detailed information about creating a custom migration package, see the One Identity Manager 7.0.2 Migration Guide to Upgrading Previous Versions of One Identity Manager.

If the configuration parameter is set, the validity date format stays the same for existing indirect role assignments meaning that no provisioning tasks are queued. These assignments are not reworked during synchronization with revision filtering.

The new date format is used for newly added indirect assignments. Therefore, after provisioning it is not obvious from when the assignment has been valid in the SAP R/3 environment. If this information is required, you can enter the date on which the role assignment was created as the "Valid from" date.

To apply the current date as "Valid from" date for new indirect assignments

  • Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate\UseTodayForInheritedValidFrom" in the Designer.

    The date the role assignment was created is entered in the "Valid from" date if it is an indirect assignment.

    IMPORTANT: Calculating indirect role assignments can become much slower depending on the amount of data to be processed.

    If it is not really necessary to know since when the role assignment has been valid in the SAP R/3 environment, do not set this configuration parameter.
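The effect of the two configuration parameters on an inheritance recalculation, as an added example that is not One Identity Manager's own logic. It assumes the dates from Table 75, models a newly created assignment as one without dates yet, and treats UseTodayForInheritedValidFrom as effective only together with its parent parameter ReuseInheritedDate (an assumption based on it being a sub-parameter); the accounts, roles and dates are constructed sample data.

```python
# Added example: models how ReuseInheritedDate and UseTodayForInheritedValidFrom
# change the validity dates of indirect SAP role assignments (table
# SAPUserInSAPRole) when inheritance is recalculated. Illustration only, not
# One Identity Manager's own code.
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

NEW_VALID_FROM = date(1900, 1, 1)     # default "Valid from" since version 7.0
NEW_VALID_UNTIL = date(9999, 12, 31)  # default "Valid until" since version 7.0
OLD_VALID_UNTIL = date(9998, 12, 31)  # default "Valid until" before version 7.0


@dataclass
class RoleAssignment:
    user: str
    role: str
    indirect: bool                       # assigned through a hierarchical role?
    valid_from: Optional[date] = None    # None: assignment is newly created
    valid_until: Optional[date] = None


@dataclass
class Config:
    reuse_inherited_date: bool = False        # ...\ReuseInheritedDate
    use_today_for_valid_from: bool = False    # ...\ReuseInheritedDate\UseTodayForInheritedValidFrom


def recalculate(a: RoleAssignment, cfg: Config, today: date) -> Tuple[Optional[date], Optional[date], bool]:
    """Return (valid_from, valid_until, provision) after inheritance recalculation.

    provision is True when the stored dates change, i.e. a provisioning task
    for the SAP system would be queued.
    """
    if not a.indirect:
        # Direct assignments are not covered by this date handling at all.
        return a.valid_from, a.valid_until, False
    existing = a.valid_from is not None
    if existing and cfg.reuse_inherited_date:
        # Migrated pre-7.0 dates keep their format, so nothing is provisioned.
        return a.valid_from, a.valid_until, False
    # Assumption: the sub-parameter only takes effect if its parent is set.
    use_today = cfg.reuse_inherited_date and cfg.use_today_for_valid_from
    valid_from = today if use_today else NEW_VALID_FROM
    changed = (valid_from, NEW_VALID_UNTIL) != (a.valid_from, a.valid_until)
    return valid_from, NEW_VALID_UNTIL, changed


def provisioning_tasks(assignments, cfg: Config, today: date) -> int:
    """Count how many assignments would be provisioned after a recalculation."""
    return sum(recalculate(a, cfg, today)[2] for a in assignments)
```

Running `provisioning_tasks` over a migrated data set with and without ReuseInheritedDate shows the load difference the guide warns about: without it, every migrated indirect assignment is rewritten and provisioned.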
