Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for SAP R/3 Analysis Authorizations Add-on

Setting up a Synchronization Project for Synchronizing BI Analysis Authorizations

Setting up a Synchronization Project for Synchronizing BI Analysis Authorizations

Create your own custom synchronization project for synchronizing BI analysis authorizations. A separate project template is required for this. Use Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3. The following describes the steps for initial configuration of a synchronization project.

To set up a synchronization project for BI analysis authorizations

  1. Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following anomalies apply:
    • Select the project template wizard the project template "SAP R/3 BI analysis authorizations" on the Select project template page.
  2. Configure and set a schedule to execute synchronization regularly.

NOTE: If not all clients in an SAP system are synchronized with the One Identity Manager database, assignments of BI analysis authorizations to user accounts may exist in the SAP R/3 environment for which there are no BI user accounts in the One Identity Manager database. These assignments cannot be saved when BI analysis authorizations are synchronized. The SAP connector writes an appropriate message in the synchronization log.
Detailed information about this topic
  • One Identity Manager Administration Guide for Connecting to SAP R/3
  • One Identity Manager Target System Synchronization Reference Guide
Related Topics

Managing BI Analysis Authorizations

BI analysis authorizations are managed across clients. By assigning BI analysis authorizations to a user account, an SAP user obtains analysis authorizations in all clients which have an SAP user account with the same name. User accounts with BI analysis authorizations are mapped to separate BI user accounts in the One Identity Manager. All user accounts within the same system and with the same name, obtain BI analysis authorizations, which are assigned to this BI user account. If the user accounts are linked to one employee, BI analysis authorizations can be requested through the IT Shop or by assignment to business roles or organizations which are inherited by BI user accounts.

A calculation task is queued in the DBQueue Processor to create BI user accounts. The task is queued when the SAP R/3 Analysis Authorizations Add-on Module is installed or as soon as an SAP user account is added to the One Identity Manager database or deleted or an SAP user account is linked to an employee.

NOTE: If not all clients in an SAP system are synchronized with the One Identity Manager database, assignments of BI analysis authorizations to user accounts may exist in the SAP R/3 environment for which there are no BI user accounts in the One Identity Manager database. These assignments cannot be saved when BI analysis authorizations are synchronized. The SAP connector writes an appropriate message in the synchronization log.

In One Identity Manager, you can edit the following data through BI analysis authorizations:

  • Assigned BI user accounts
  • Usage in the IT Shop
  • Risk Assessment
  • Inheritance through roles and inheritance restrictions

To display master data for analysis authorizations

  1. Select the category | BI analysis authorizationsSAP R/3.
  2. Select the BI analysis authorization in the result list. Select Change master data in the task view.
  3. Enter the required data on the master data form.
  4. Save the changes.

BI user accounts are displayed in the category <>\<BI user accounts>.

  1. Select the category SAP R/3 | BI user accounts.
  2. Select the BI user account in the result list. Select Change master data in the task view.

    This opens the master data form for the BI user account. You cannot edit the properties.

Detailed information about this topic

General Master Data for BI Analysis Authorizations

General Master Data for BI Analysis Authorizations

Table 2: Configuration Parameters for Risk Assessment of BI User Accounts
Configuration parameter Active Meaning
QER\CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is set, values can be entered and calculated for the risk index.

The following data is displayed for a BI analysis authorization.

Table 3: BI Analysis Authorization Master Data
Property Description
SAP BI analysis authorization Name of the BI analysis authorization.
Canonical name Canonical name of the BI analysis authorization. The canonical name is mapped through the SAP connector.
Distinguished name Distinguished name of the BI analysis authorization. The distinguished name is found using a template.
System Unique name for the system valid for the BI analysis authorization.
Service item Service item data for requesting the BI analysis authorization through the IT Shop.

For more detailed information, see the One Identity Manager IT Shop Administration Guide.

Risk index Value for evaluating the risk of assigning the BI analysis authorization to BI user accounts. Enter a value between 0 and 1. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set.

For more detailed information, see the .One Identity Manager Risk Assessment Administration Guide

Description (short) Short description of the BI analysis authorization.
Description Description of the BI analysis authorization.
Description (long) Long description of the BI analysis authorization.
IT Shop Specifies whether the BI analysis authorization can be requested through the IT Shop. The BI analysis authorization can be requested by your staff employees through the Web Portal and distributed with a defined approval process. The BI analysis authorization can still be assigned directly to employees and hierarchical roles.

For more detailed information, see the One Identity Manager IT Shop Administration Guide.

Only for use in IT Shop Specifies whether the BI analysis authorization can only be requested through the IT Shop. These user account resources can be requested by the employees through the Web Portal and distributed with a defined approval process. The BI analysis authorization may not assigned directly to hierarchical roles.

For more detailed information, see the One Identity Manager IT Shop Administration Guide.

Assigning BI analysis authorization directly to BI User Accounts

Assigning BI analysis authorization directly to BI User Accounts

BI analysis authorizations can be directly and indirectly assigned to BI user accounts. In the case of indirect assignment employees and BI analysis authorizations are arranged in hierarchical roles. The number of BI analysis authorizations assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance. If this employee owns an SAP user account and is in the same SAP system as a BI user account with the same name, the BI user account obtains the BI analysis authorizations.

Prerequisites for indirect assignment to BI user accounts are:

  • Employee and BI analysis authorization assignment is permitted for role classes (department, cost center, location or business roles). For detailed information about preparing hierarchical roles for indirect assignment, see the One Identity Manager Identity Management Base Module Administration Guide.
  • SAP user accounts are labeled with the option Groups can be inherited. For detailed information about user account master data, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
  • SAP user accounts and BI analysis authorizations belong to the same system.
  • Employees have an SAP user account in this system with the same name as the BI user account (SAPUser.Accnt = SAPBWUser.Accnt).

Furthermore, structural profiles can be assigned to employees through IT Shop requests. Add employees to a shop as customers so that structural profiles can be assigned through IT Shop requests. All structural profiles assigned to this shop can be requested by the customers. Requested structural profiles are assigned to the employees after approval is granted.

Detailed information about this topic
Related Documents