Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for the SAP R/3 Compliance Add-on

SAP Functions and Identity Audit Setting up a Synchronization Project for Synchronizing SAP Authorization Objects Base Data for SAP Functions Finding Non-compliant Authorizations Setting up SAP Functions Compliance Rules for SAP Functions Mitigating Controls Appendix: Configuration Parameters for SAP Functions Appendix: Default Project Templates for the SAP R/3 Compliance Add-on Module Appendix: Referenced SAP R/3 Tables and BAPI Calls

Base Data for SAP Functions

Base Data for SAP Functions

The following base data is relevant for SAP Functions:

  • Configuration parameter

    Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.

    Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data | General | Configuration parameters in the Designer.

    For more information, see Appendix: Configuration Parameters for SAP Functions.

  • SAP function categories

    Use SAP function categories to group SAP functions by specific criteria. For more information, see SAP Function Categories.

  • Functional areas

    Functional areas can be used as an additional group characteristic for SAP functions. Furthermore, you can use functional areas to analyze rule violations in context of Identity Audit for different SAP functions. For more information, see Functional areas.

  • Maintaining SAP functions

    An SAP function can be assigned to employees that manage the SAP functions and there for can edit the working copies. For more information, see Maintaining SAP Functions.

SAP Function Categories

SAP Function Categories

Use function categories to group SAP functions by specific criteria.

To edit function categories

  1. Select the category Identity Audit | Basic configuration data | SAP function categories.
  2. Select the function category in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit the function category's master data.
  4. Save the changes.

Enter the following master data for a function category.

Table 3: SAP Function Category Properties
Property Description
Category The category item’s name.
Parent category Parent category for organizing function categories hierarchically.
Description Spare text box for additional explanation.

Functional areas

Functional areas

You can use functional areas to analyze rule violations in context of Identity Audit for different SAP functions. You can enter criteria that provide information about risks from rule violations for functional areas and SAP functions.

To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to hierarchical roles and service items. You can enter criteria that provide information about risks from rule violations for functional areas and hierarchical roles. To do this, you specify how man rule violations are permitted in a functional area or a role. You can enter separate assessment criteria for each role, such as a risk index or transparency index.

Example for using Functional Areas

The risk of rule violation should be analyzed for cost centers. Proceed as follows:

  1. Set up functional areas.
  2. Assign cost centers to the functional areas.
  3. Define assessment criteria for the cost centers.
  4. Define assessment criteria for the functional areas.
  5. Assign compliance rules required for the analysis to the functional area.
  6. Use the One Identity Manager report function to create a report that prepares the result of rule checking for the functional area by any criteria.

To edit functional areas

  1. Select the category Identity Audit | Basic configuration data | Functional areas.
  2. Select the functional area in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit the function area master data.
  4. Save the changes.

Enter the following data for a functional area.

Table 4: Functional Area Properties
Property Description
Functional area Description of the functional area
Parent Functional area Parent functional area in a hierarchy.

Select a parent functional area from the list in order to organize your functional areas hierarchically.

Max. number of rule violations List of rule violation valid for this functional area. This value can be evaluated during the rule check.
Description Spare text box for additional explanation.

Mitigating controls assigned to the function definitions to be tested are automatically copied to rules about SAP functions. Conditions:

  • Active rules are assigned to a functional area and a department.
  • The function definitions to be tested are assigned to the same functional area and to the variable set associated with the same department.
Related Topics

Maintaining SAP Functions

Maintaining SAP Functions

You can assign SAP functions to employees that are responsible for the content of those SAP functions. A default application role exists for maintaining SAP functions in the One Identity Manager. Assign the employees that are authorized to enable and edit working copies of this SAP function and to define function instances to this application role. Create more application roles if required. For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.

Table 5: Default Application Roles for Maintaining SAP Functions
User Task

Responsible for maintaining SAP functions.

Administrators must be assigned to the application role Identity & Access Governance | Identity Audit | Maintain SAP functions or to a child role.

Users with this application role:

  • Are responsible for SAP function contents.
  • Edit working copies of function definitions for which they are responsible.
  • Define function instances and variables sets for SAP functions.
  • Assign mitigating controls.

To specify a supervisor for maintaining SAP functions.

  1. Select the category Identity Audit | SAP functions | Function definition working copies.
  2. Select the function definition in the result list.
  3. Select Change master data in the task view.
  4. Select the application in Manager/supervisor.

    - OR -

    Click next to Manager/supervisor to create a new application role.

    • Enter the application role name and assign the parent application Identity & Access Governance | Identity Audit | Maintain SAP functions.
    • Click OK to add the new application role.
  5. Save the changes.
  6. Assign employees to this application role who are permitted to edit the function definition.

To add employees to an application role

  1. Select the application role in the category Identity Audit | Basic configuration data | SAP function categories.
  2. Select Assign employees in the task view.
  3. Assign the employees you want and save the changes.
Related Topics
Related Documents