Identity Manager 8.0 - Administration Guide for the SAP R/3 Compliance Add-on

Assigning Function Definitions

Use this task to specify the function definitions for which a mitigating control is valid. You can only assign function definitions that are enabled on the assignment form.

To assign SAP function definitions to mitigating controls

  1. Select the category Risk index functions | Mitigating controls.
  2. Select the mitigating control in the result list.
  3. Select the task Assign function definitions.
  4. Double-click on the function definitions you want to assign in Add Assignments.

    - OR -

    Double-click on the function definitions you want to remove in Remove Assignment.

  5. Save the changes.

Calculating Mitigation

The significance reduction of a mitigating control supplies the value by which to reduce an SAP function's risk index if the control is implemented. One Identity Manager calculates a reduced risk index based on the risk index and the significance reduction. One Identity Manager supplies default functions for calculating reduced risk indexes. These functions cannot be edited with One Identity Manager tools.

The reduced risk index is calculated from the SAP function's risk index and the sum of the significance reductions of all assigned mitigating controls.

Risk index (reduced) = Risk index - sum of significance reductions

If the significance reduction sum is greater than the risk index, the reduced risk index is set to 0.
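
The calculation above, as an added example (not One Identity Manager's own default function, which cannot be edited): it sums the significance reductions per SAP function from a set of control assignments, applies the formula, and marks the functions where the sum exceeds the risk index and the result is set to 0. All function names, control names and values are constructed, and the 0 to 1 value scale is an assumption.

```python
from decimal import Decimal

# Constructed sample data: names and values are illustrative only.
# Assumption: risk indexes and significance reductions are values from 0 to 1.
FUNCTION_RISK = {
    "FN_CREATE_VENDOR": Decimal("0.70"),
    "FN_POST_PAYMENT": Decimal("0.50"),
    "FN_DISPLAY_REPORT": Decimal("0.20"),
}
# Mitigating control -> (significance reduction, assigned function definitions)
CONTROLS = {
    "MC_DUAL_APPROVAL": (Decimal("0.30"), ["FN_CREATE_VENDOR", "FN_POST_PAYMENT"]),
    "MC_MONTHLY_REVIEW": (Decimal("0.10"), ["FN_CREATE_VENDOR", "FN_DISPLAY_REPORT"]),
    "MC_PAYMENT_LIMIT": (Decimal("0.25"), ["FN_POST_PAYMENT", "FN_DISPLAY_REPORT"]),
}

def reduced_risk_indexes(function_risk, controls):
    """Return {function: (reduced risk index, reduction sum, set_to_zero)}."""
    sums = {name: Decimal("0") for name in function_risk}
    for control, (reduction, functions) in controls.items():
        if reduction < 0:
            raise ValueError(f"{control}: negative significance reduction")
        for fn in functions:
            if fn not in sums:
                raise KeyError(f"{control} is assigned to unknown function {fn}")
            sums[fn] += reduction
    result = {}
    for fn, risk in function_risk.items():
        # If the reduction sum is greater than the risk index, the result is 0.
        set_to_zero = sums[fn] > risk
        reduced = Decimal("0") if set_to_zero else risk - sums[fn]
        result[fn] = (reduced, sums[fn], set_to_zero)
    return result

if __name__ == "__main__":
    for fn, (reduced, total, set_to_zero) in reduced_risk_indexes(FUNCTION_RISK, CONTROLS).items():
        note = "  <- reductions exceed risk index, set to 0" if set_to_zero else ""
        print(f"{fn}: {FUNCTION_RISK[fn]} - {total} = {reduced}{note}")
```

Decimal arithmetic keeps the comparison against the risk index exact; with binary floats, a sum such as 0.1 + 0.2 can land just above or below the threshold.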

Appendix: Configuration Parameters for SAP Functions

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 31: Configuration Parameters for the Module
Configuration parameter Description


Preprocessor-relevant configuration parameter for controlling component parts for testing authorizations in SAP R/3 using SAP functions. If the parameter is set, the components are available. Changes to the parameter require recompiling the database.

TargetSystem\SAPR3\SAPRights\TestWithoutTCD Checks SAP authorizations without taking SAP transactions into account.

Appendix: Default Project Templates for the SAP R/3 Compliance Add-on Module

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

Use the project template "SAP® R/3® authorization objects" for synchronization of authorization packages and transactions. The template uses mappings for the following schema types.

Table 32: Mapping SAP R/3 schema types to tables in the One Identity Manager schema.
Schema Type in the Target System    Table in the One Identity Manager schema
TOBJ                                SAPAuthObject
ObjectClass                         SAPAuthObjectClass
Transaction                         SAPTransaction
TACT                                SAPActivity
objectHasField                      SAPAuthObjectHasField
ObjectHasActivity                   SAPAuthObjectHasSapActivity
FieldHasRcTable                     SAPFieldHasSAPRCTable
tMenu01                             SAPMenu
menuHasTransaction                  SAPMenuHasSAPTransaction
ProfileHasAuthObjectField           SAPProfileHasAuthObjectElem
RcTable                             SAPRCTable
RcVariable                          SAPRCVariable
