NOTE: To make it easier to understand, the behavior is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.
In One Identity Manager,
Every user account can be assigned to one or more categories. Each group can also be assigned to one or more categories. The group is inherited by the user account when at least one of the user account's category items matches a category item assigned to the group. The group is also inherited by the user account if the group or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when groups are directly assigned to user accounts.
Category Position | Categories for User Accounts | Categories for Groups |
---|---|---|
1 | Default user | Default permissions |
2 | System user | System user permissions |
3 | System administrator | System administrator permissions |
Figure 4: Example of inheriting through categories.
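The inheritance rule above can be checked against a role model before it is rolled out. The following sketch is an added example, not One Identity Manager code; the class names, group names and account names are hypothetical, and the category positions 1 to 3 follow the example table. It also lists indirect grants that pass only because the group or the account has no category, since those bypass the category filter entirely.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    categories: frozenset = frozenset()  # category positions; empty = not categorized

@dataclass(frozen=True)
class UserAccount:
    name: str
    categories: frozenset = frozenset()
    direct: tuple = ()      # groups assigned directly to the account
    via_roles: tuple = ()   # groups assigned indirectly through hierarchical roles

def category_allows(account, group):
    """Rule from the text: one matching position, or either side uncategorized."""
    if not account.categories or not group.categories:
        return True
    return bool(account.categories & group.categories)

def resolve(account):
    """Map group name to 'direct', 'category match', 'uncategorized' or 'blocked'."""
    result = {g.name: "direct" for g in account.direct}  # categories are ignored here
    for g in account.via_roles:
        if g.name in result:
            continue
        if not category_allows(account, g):
            result[g.name] = "blocked"
        elif account.categories and g.categories:
            result[g.name] = "category match"
        else:
            result[g.name] = "uncategorized"
    return result

def unfiltered_grants(accounts):
    """Review list: indirect grants that passed only because one side has no category."""
    return sorted((a.name, n) for a in accounts
                  for n, why in resolve(a).items() if why == "uncategorized")

# Constructed sample data (hypothetical names).
DEFAULT = Group("GRP_DEFAULT", frozenset({1}))
SYSTEM = Group("GRP_SYSTEM", frozenset({2}))
SYSADMIN = Group("GRP_SYSADMIN", frozenset({3}))
LEGACY = Group("GRP_LEGACY")  # never categorized
ROLE_GROUPS = (DEFAULT, SYSTEM, SYSADMIN, LEGACY)
ACCOUNTS = [
    UserAccount("JDOE", frozenset({1}), via_roles=ROLE_GROUPS),
    UserAccount("OPS1", frozenset({1, 2}), direct=(SYSADMIN,), via_roles=ROLE_GROUPS),
    UserAccount("SVC_BATCH", via_roles=ROLE_GROUPS),  # no categories at all
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct.name, resolve(acct))
    print("review:", unfiltered_grants(ACCOUNTS))
```
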
To use inheritance through categories
NOTE: If central user administration is implemented, define the categories in the central system as well as in the child system. The same categories must be defined in the child system as in the central system so that
Extended properties are meta objects that cannot be mapped directly in One Identity Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for a group
- OR -
Remove extended properties from Remove assignments.
To specify extended properties for a role
- OR -
Remove extended properties from Remove assignments.
To specify extended properties for a profile
- OR -
Remove extended properties from Remove assignments.
You can view authorization objects and authorizations of SAP roles and profiles in One Identity Manager. All single profiles with their associated authorization objects and fields are displayed in a hierarchical overview.
To display role authorizations
To display profile authorizations
Configuration parameter | Active Meaning |
---|---|
TargetSystem\SAPR3\ValidDateHandling | Configuration parameter for handling the validity period in SAP user account assignments to SAP roles. |
TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate | This configuration parameter specifies whether the validity date's format of inherited SAP user account assignments to SAP roles remains intact. The configuration parameter is only relevant in systems that were migrated from a pre 7.0 version. If the configuration parameter is set, the format of the dates "Valid from" and "Valid to" stays the same if SAP user account assignments to roles are inherited. |
TargetSystem\SAPR3\ValidDateHandling\ReuseInheritedDate\UseTodayForInheritedValidFrom | This configuration parameter specifies whether the "Valid from" date in inherited SAP user account assignments to SAP roles is set to <Today> or to "1900-01-01". |
The validity dates of indirectly assigned SAP roles have been saved in the One Identity Manager database in a different format since One Identity Manager version 7.0.
One Identity Manager version | Valid from (ValidFrom) | Valid until (ValidUntil) |
---|---|---|
>= 7.0 | 1900-01-01 | 9999-12-31 |
< 7.0 | Date on which the role assignment was created | 9998-12-31 |
Existing validity dates in databases migrated from versions older than 7.0 remain as they are. Once inheritance is recalculated for a user account, all indirectly assigned SAP roles are saved with new validity dates. These changes are immediately provisioned in SAP. This might result in a heavy load on the connected SAP system.
To prevent validity dates from adjusting to the new format when recalculating inheritance
IMPORTANT: To ensure that the validity period is calculated correctly straight after migration, set the configuration parameter with a custom change in the migration package. For more detailed information about creating a custom migration package, see the One Identity One Identity Manager 7.0.2. Migration Guide to Upgrading Previous Versions of One Identity Manager.
If the configuration parameter is set, the validity date format stays the same for existing indirect role assignments, meaning that no provisioning tasks are queued. These assignments are not reworked during synchronization with revision filtering.
The new date format is used for newly added indirect assignments. Therefore, after provisioning it is not apparent since when the assignment has been valid in the SAP R/3 environment. If this information is required, you can have the actual date on which the role assignment was created entered as the "Valid from" date.
To apply the current date as "Valid from" date for new indirect assignments
The date the role assignment was created is entered in the "Valid from" date if it is an indirect assignment.
IMPORTANT: Calculating indirect role assignments can become much slower depending on the amount of data to be processed. If it is not really necessary to know since when the role assignment is valid in the SAP R/3 environment, do not set this configuration parameter.
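To estimate the provisioning load described above before recalculating inheritance on a migrated database, the effect of the two configuration parameters can be modeled on a copy of the assignment data. This is an added sketch, not One Identity Manager code: the function, the account and role names and the sample dates are constructed. It assumes that UseTodayForInheritedValidFrom only acts when its parent parameter ReuseInheritedDate is set, and that "Valid until" is 9999-12-31 for every newly written assignment.

```python
from datetime import date

NEW_FROM, NEW_UNTIL = date(1900, 1, 1), date(9999, 12, 31)  # format since 7.0
OLD_UNTIL = date(9998, 12, 31)                               # "Valid until" before 7.0

def recalculate(stored, inherited, today, reuse_inherited_date=False,
                use_today_for_valid_from=False):
    """stored: {(account, role): (valid_from, valid_until)} for indirect assignments.
    inherited: set of (account, role) that inheritance yields now.
    Returns (new stored state, keys that must be provisioned in SAP)."""
    result, tasks = {}, []
    for key in sorted(inherited):
        if key in stored and reuse_inherited_date:
            result[key] = stored[key]      # dates stay as migrated, nothing is queued
            continue
        if key in stored:
            dates = (NEW_FROM, NEW_UNTIL)  # existing assignment rewritten to new format
        else:
            # Assumption: the sub-parameter is only evaluated when its parent is set.
            use_today = reuse_inherited_date and use_today_for_valid_from
            dates = (today if use_today else NEW_FROM, NEW_UNTIL)
        result[key] = dates
        if stored.get(key) != dates:
            tasks.append(key)
    return result, tasks

# Constructed sample data: three assignments migrated from a pre 7.0 database
# and one role that is inherited for the first time.
TODAY = date(2024, 5, 2)
MIGRATED = {
    ("JDOE", "Z_ROLE_A"): (date(2015, 3, 1), OLD_UNTIL),
    ("JDOE", "Z_ROLE_B"): (date(2016, 7, 15), OLD_UNTIL),
    ("OPS1", "Z_ROLE_A"): (date(2014, 11, 30), OLD_UNTIL),
}
NEW_KEY = ("OPS1", "Z_ROLE_C")
INHERITED = set(MIGRATED) | {NEW_KEY}

if __name__ == "__main__":
    for reuse, today_flag in [(False, False), (True, False), (True, True)]:
        state, tasks = recalculate(MIGRATED, INHERITED, TODAY, reuse, today_flag)
        print(reuse, today_flag, "tasks:", len(tasks), "new valid from:", state[NEW_KEY][0])
```
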