Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 Environments Setting up SAP R/3 Synchronization Base Data for Managing SAP R/3 SAP Systems SAP Clients SAP User Accounts SAP Groups, SAP Roles and SAP Profiles SAP Products Providing System Measurement Data Reports about SAP Systems Appendix: Configuration Parameters for Managing an SAP R/3 Environment Appendix: Default Project Templates for Synchronizing an SAP R/3 Environment Appendix: Referenced SAP R/3 Tables and BAPI Calls Appendix: Example of a Schema Extension File

SAP Products

SAP Products

Installed Module: System Roles Module

You can define One Identity Manager products as a collection of different groups, roles or profiles in SAP. SAP products are system roles with the system role type "SAP product". Employees can obtain SAP products directly, inherit them though hierarchical role or request them in the IT Shop.

The employee’s user account is assigned the groups, roles and profiles in the SAP product independent of the assignment method. If an SAP product changes by adding or removing a group, role or a profile in One Identity Manager, user account memberships are changed accordingly.

To edit SAP products

  1. Select the category SAP R/3 | Products.
  2. Select an SAP product in the result list.

    - OR -

    Click in the result list toolbar.

    This opens the master data form for a system role.

  3. Edit the system role's master data.
  4. Save the changes.
Detailed information about this topic
  • One Identity Manager System Roles Administration Guide

General Master Data for SAP Products

General Master Data for SAP Products

Table 76: Configuration Parameters for Risk Assessment of SAP User Accounts
Configuration parameter Active Meaning
QER\CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is set, values can be entered and calculated for the risk index.

Enter the following data for a system role.

Table 77: System Role Master Data

Property

Description

Display Name

Name for displaying the system roles in One Identity Manager tools.

System role

Unique identifier for the system role.

Internal product names

An additional internal name for the system role.

System role type

Specifies the type of company resources, which comprise the system role.

Service item

In order to use a service item within the IT Shop, assign a service item to it or add a new service item. For more information about service items, see the One Identity Manager IT Shop Administration Guide.

System role manager

You can assign any employee to be a manager for the system role. This employee can edit system role master data. They can be used as attestors for system role properties.

Share date

Specify a date for enabling the system role. If the date is in the future, the system role is considered to be disabled. If the date is reached, the system role is enabled. Employees inherit company resources that are assigned to the system role.

If the share date is exceeded or no date is entered, the system role is handled as an enabled system role. Company resource inheritance can be controlled with the option Disabled in these cases.

NOTE: Configure and set the schedule "Share system roles" in the Designer to check the share date. For more information about schedules, see the One Identity Manager Configuration Guide.

Risk index (calculated)

Maximum risk index values for all company resources. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set. For more information about calculating risk indexes, see the One Identity Manager Risk Assessment Administration Guide.

Comment

Spare text box for additional explanation.

Remarks

Spare text box for additional explanation.

Description

Spare text box for additional explanation.

Disabled

Specifies whether employees inherit the company resources contained in the system role.

If the option is set, the system role can be assigned to employees. However they cannot inherit the company resources contained in the system role.

If the option is not set, the employees that are assigned the system role, immediately inherit company resources allocated to the system role.

If the option is enabled at a later date, existing assignments are removed.

IT Shop

Specifies whether the system role can be requested through the IT Shop. This system role can be requested by staff through the Web Portal and the request granted by a defined approval procedure. The system role can still be assigned directly to employees and hierarchical roles. For more information about the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Only for use in IT Shop

Specifies whether the system role can only be requested through the IT Shop. This system role can be requested by staff through the Web Portal and the request granted by a defined approval procedure. The system role may not assigned directly to hierarchical roles.

Spare fields no. 01.....spare field no. 10

Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.

For more detailed information about system roles, see the One Identity Manager System Roles Administration Guide.

SAP Product Assignments to Employees

SAP Product Assignments to Employees

SAP products can be assigned directly or indirectly to employees. In the case of indirect assignment, employees and SAP products are arranged in hierarchical roles. The number of SAP products assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance.

If you add an employee to roles and that employee owns a user account, the user account is added to all groups, roles or profiles included in the SAP products owned by the employee. The groups, roles or profiles are not inherited if the SAP product is disabled or if the share date is still in the future.

Prerequisites for indirect assignment:

  • Assignment of system roles, employees, groups, roles and profiles is permitted for role classes (department, cost center, location or business role).
  • The user accounts are marked with the option Groups can be inherited.
  • User accounts and groups, roles and profiles belong to the same SAP clients.

Furthermore, IT Shop products can be assigned to employees through SAP requests. SAP products can be assigned through IT Shop requests by adding employees to a shop as customers. All SAP products are assigned to this shop can be requested by the customers. Requested SAP products are assigned to the employees after approval is granted.

Detailed information about this topic
Related Topics

Assigning SAP Products to Organizations

Assigning SAP Products to Organizations

Assign SAP products to departments, cost centers and locations in order to assign employees to them through these organizations.

To assign an SAP product to departments, cost centers or locations

  1. Select the category SAP R/3 | Products.
  2. Select the SAP product in the result list.
  3. Select Assign organizations.
  4. Assign organizations in Add assignments.
    • Assign departments on the Departments tab.
    • Assign locations on the Locations tab.
    • Assign cost centers on the Cost center tab.

    - OR -

    Remove the organizations in Remove assignments.

  5. Save the changes.
Related Topics
Related Documents