Inheriting SAP Groups, SAP Roles and SAP Profiles based on Categories

Inheriting SAP Groups, SAP Roles and SAP Profiles based on Categories

In One Identity Manager, groups can be selectively inherited by user accounts. For this, groups and user accounts are divided into categories. The categories can be freely selected and are specified by a template. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. Enter your categories for the structural profiles, administrative roles, subscriptions and disabled service plans in the . Each table contains the category items "Position1" to "Position31".

Every user account can be assigned to one or more categories. Each group can also be assigned to one or more categories. The group is inherited by the user account when at least one user account category item matches an assigned group. The group is also inherited by the user account if the group or the user account is not put into categories.

Figure 4: Example of inheriting through categories.

To use inheritance through categories

• Define the categories in the client.

  NOTE: If central user administration is implemented, define the categories in the central system as well as in the child system. The same categories must be defined in the child system as in the central system so that groups from a child system can be inherited by user accounts.

• Assign categories to user accounts through their master data.
• Assign categories to groups, roles and profiles through their master data.

Related Topics

• Specifying Categories for Inheriting SAP Groups, SAP Roles and SAP Profiles
• General Master Data for an SAP User Account
• General Master Data for SAP Groups
• General Master Data for SAP Roles
• General Master Data for SAP Profiles

Assigning Extended Properties to SAP Groups, SAP Roles and SAP Profiles

Assigning Extended Properties to SAP Groups, SAP Roles and SAP Profiles

Extended properties are meta objects that cannot be mapped directly in the One Identity Manager, for example, operating codes, cost codes or cost accounting areas.

To specify extended properties for a group

1. Select the category SAP R/3 | Groups.
2. Select the group in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.

   - OR -

   Remove extended properties from Remove assignments.

5. Save the changes.

To specify extended properties for a role

1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.

   - OR -

   Remove extended properties from Remove assignments.

5. Save the changes.

To specify extended properties for a profile

1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.

   - OR -

   Remove extended properties from Remove assignments.

5. Save the changes.

Showing SAP Authorizations

Showing SAP Authorizations

You can view authorization objects and authorizations of SAP roles and profiles in One Identity Manager. All single profiles with their associated authorization objects and fields are displayed in a hierarchical overview.

To display role authorizations

1. Select the category SAP R/3 | Roles.
2. Select the role in the result list.
3. Select Show SAP authorizations in the task view.

To display profile authorizations

1. Select the category SAP R/3 | Profiles.
2. Select a profile in the result list.
3. Select Show SAP authorizations in the task view.

Calculating the Validity Date of Inherited Role Assignments

Calculating the Validity Date of Inherited Role Assignments

The valid dates' indirectly assigned SAP roles have been saved in the One Identity Manager database in a different format since One Identity Manager version 7.0.

Existing validity dates in databases migrated from versions older that 7.0 remain as they are. Once a inheritance is recalculated for a user account, all indirectly assigned SAP roles are saved with new validity dates. These changes are immediately provisioned in SAP. This might result in a heavy load on the connected SAP system.

To prevent validity dates from adjusting to the new format when recalculating inheritance

• Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate" in the Designer.

  IMPORTANT: In order to ensure that the validity period is correctly calculated straight after migration, set the configuration parameter with a custom change in the migration package. For more detailed information about creating a custom migration package, see the One Identity One Identity Manager 7.0.2. Migration Guide to Upgrading Previous Versions of One Identity Manager.

If the configuration parameter is set, the validity date format stays the same for existing indirect role assignments meaning that no provisioning tasks are queued. These assignments are not reworked during synchronization with revision filtering.

The new date format is used for newly added indirect assignments. Therefore, it is not obvious when the assignment is valid in the SAP R/3 environment after provisioning. If this information is required, you can enter the actual date that the role assigned is created in the "Valid from" date.

To apply the current date as "Valid from" date for new indirect assignments

• Set the configuration parameter "TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate\UseTodayForInheritedValidFrom" in the Designer.

  The date the role assignment was created is entered in the "Valid from" date if it is an indirect assignment.

  IMPORTANT: Calculating indirect role assignments can become much slower depending on the amount of data to be processed. If it not really necessary to know since when the role assignment is valid in the SAP R/3 environment, do not set this configuration parameter.