
Identity Manager 8.0 - Administration Guide for the SAP R/3 Compliance Add-on


Compliance Rules for SAP Functions


Compliance rules can check effective authorizations as well as the authorizations that an employee has in an SAP R/3 system through their user accounts and their group and role memberships. Effective write permissions are tested through SAP functions. To do this, add SAP functions to the rule conditions.

The validity period of role assignments is taken into account in the rule check.

For more detailed information about compliance rules, see the One Identity Manager Compliance Rules Administration Guide.

Rule Conditions for SAP Functions


To define new rules for SAP functions

  1. Select the category Identity Audit | Rules.
  2. Click in the result list toolbar.

  3. Enter the master data for the rule.
  4. Set the option Rule for cyclical testing and risk analysis in IT Shop.
  5. Limit the affected permissions with the option at least one function and select the SAP function to test.
    • If SAP authorizations in combination result in a rule violation, enter a rule block for each SAP function.
  6. Save the changes.

    This adds a working copy.

  7. Select Enable working copy from the task view. Confirm the security prompt with OK.

    This adds an enabled rule in the database. The working copy remains and can be used for making changes to the rule later.

Figure 4: Condition for SAP Functions

When the One Identity Manager tests rules, it finds all the employees whose assigned SAP users match the SAP functions that are given in the rule. An SAP user matches an SAP function when:

  • An SAP role assigned to the SAP user account matches the SAP function

    - OR -

  • An SAP role that is assigned to a reference user matches the SAP function

    - AND -

  • The SAP user account is assigned this reference user.
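The matching condition above and the validity-period check, sketched as an added example that is not One Identity Manager code. The class and function names, the role names, the role-to-function mapping and the reading that a rule is violated only when every rule block is matched are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class RoleAssignment:
    role: str
    valid_from: date
    valid_to: date

@dataclass
class SapUser:
    name: str
    roles: list = field(default_factory=list)  # RoleAssignment entries
    reference_user: object = None              # another SapUser, or None

# Constructed mapping: SAP functions matched by each role's authorizations.
ROLE_MATCHES = {
    "Z_VENDOR_MAINT": {"Maintain vendors"},
    "Z_PAYMENT_RUN": {"Execute payments"},
}

def active_roles(user, on):
    """Roles whose assignment validity period covers the check date."""
    return {a.role for a in user.roles if a.valid_from <= on <= a.valid_to}

def user_matches(user, function, on):
    """A role of the account matches, OR a role of its reference user matches."""
    roles = active_roles(user, on)
    if user.reference_user is not None:
        roles |= active_roles(user.reference_user, on)
    return any(function in ROLE_MATCHES.get(r, ()) for r in roles)

def violates(employee_users, rule_blocks, on):
    """Assumed semantics: every rule block (one SAP function each) must be
    matched by at least one of the employee's SAP user accounts."""
    return all(any(user_matches(u, f, on) for u in employee_users)
               for f in rule_blocks)

def sample_employee():
    """Constructed sample: direct vendor role plus payment role via reference user."""
    ref = SapUser("REF_FI", [RoleAssignment("Z_PAYMENT_RUN", date(2024, 1, 1), date(2024, 6, 30))])
    acct = SapUser("JDOE", [RoleAssignment("Z_VENDOR_MAINT", date(2024, 1, 1), date(2024, 12, 31))], ref)
    return [acct]

RULE = ["Maintain vendors", "Execute payments"]  # one rule block per SAP function

if __name__ == "__main__":
    print(violates(sample_employee(), RULE, date(2024, 6, 1)))  # reference role still valid
    print(violates(sample_employee(), RULE, date(2024, 7, 1)))  # reference role expired
```

The second check shows why the validity period matters: once the reference user's role assignment expires, the combination no longer matches both rule blocks.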

Detailed information about this topic
  • One Identity Manager Compliance Rules Administration Guide

More Rule Violation Reports

Table 28: Reports about Rule Violations

Report: Rule violations with SAP transactions

Description: This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions.

For each employee, all function instances through which they violated the rule are listed with their transactions. The SAP profiles and their authorization objects that match the SAP function are displayed for each transaction.

Report: Rule violations with SAP roles

Description: This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions.

For each employee, the SAP groups, SAP roles and SAP profiles through which they violated the rule are listed with their authorization objects.

Mitigating Controls for Compliance Rules

Mitigating controls assigned to the function definitions to be tested are automatically copied to rules about SAP functions. Conditions:

  • Active rules are assigned to a functional area and a department.
  • The function definitions to be tested are assigned to the same functional area and to the variable set associated with the same department.