Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for the SAP R/3 Compliance Add-on

SAP Functions and Identity Audit Setting up a Synchronization Project for Synchronizing SAP Authorization Objects Base Data for SAP Functions Finding Non-compliant Authorizations Setting up SAP Functions Compliance Rules for SAP Functions Mitigating Controls Appendix: Configuration Parameters for SAP Functions Appendix: Default Project Templates for the SAP R/3 Compliance Add-on Module Appendix: Referenced SAP R/3 Tables and BAPI Calls

Finding Non-compliant Authorizations

Table 6: Configuration Parameters for Authorization Checks
Configuration Parameter Description
TargetSystem\SAPR3\SAPRights\TestWithoutTCD Checks SAP authorizations without taking SAP transactions into account.

SAP authorizations are verified on the basis of the transactions permitted for an SAP user account and the associated authorization objects. Authorization objects and transactions are grouped into single profiles. In order to check whether there are potentially dangerous authorizations in the company, define authorization objects and transactions as SAP functions. The One Identity Manager compares all authorization objects and transactions assigned to single profiles with the authorization definition in the SAP function. This way, it determines all SAP roles and profiles that have exactly these authorization objects and transactions assigned through single roles.

The configuration parameter "TargetSystem\SAPR3\SAPRights\TestWithoutTCD" is evaluated by authorization checks. If the configuration parameter is not set (default case), the following rules apply to the authorization checks:

An SAP role or SAP profile matches an SAP function, when

  1. It contains at least one of the transaction defined in the SAP function
  2. It has all the authorization objects for this transaction
  3. It has all the different authorization object function elements
  4. At least one of the instances is defined exactly same function element.

An SAP role matches an SAP function if the SAP profile of this SAP role contains one the transactions defined in the SAP function. The SAP profile must have all this transaction's authorization objects to do this. If a list of different instances is defined for the the authorization object, the SAP profile matches the SAP function if it has at least one of these instances.

These transactions are not taken into accounts during authorizations check if the configuration parameter "TargetSystem\SAPR3\SAPRights\TestWithoutTCD" is set. In this case, the following rules apply for authorization checking:

An SAP role or SAP profile matches an SAP function, when

  1. It has all the authorization objects for all transactions
  2. It has all the different authorization object function elements
  3. At least one of the instances is defined exactly same function element.
Example of authorization checking

An SAP function is defined with the following transactions, authorization objects and function elements.

Figure 2: Authorization definition

All SAP roles and SAP profiles with the authorizations listed below are found with the SAP function shown if the configuration parameter is not set.

  • Transaction 1 with authorization object 1 and function element 1 with the instance "02" OR "07" OR "21" AND Function elements 2

    - OR -

  • Transaction 2 with authorization object 2 and function element 3, 4 AND 5

    - AND -

    with authorization object 3 and function element 6 with the instance "01" OR "02"AND function element 7 with instance "SLH" OR "SLN"

All SAP roles and SAP profiles with the authorizations listed below are found through SAP functions when the configuration parameter is set.

  • Authorization object 1 and function element 1 with the instance "02" OR "07" OR "21" AND Function elements 2

    - AND -

  • Authorization object 2 and function element 3, 4 AND 5

    - AND -

  • Authorization object 3 and function element 6 with the instance "01" OR "02"AND function element 7 with instance "SLH" OR "SLN"

Examples of SAP Functions

Examples of SAP Functions

If you create an authorization definition, you need to think about which authorization combinations are not compliant. You can differentiate between two use cases:

  1. Find all SAP roles and profiles with invalid combinations of authorizations.

    Create an SAP function for authorizations that cannot occur together with an SAP role or an SAP profile. The authorization test identifies all SAP roles and profiles, which have this non-compliant combination of authorizations.

  2. Find all employees that have obtain non-compliant combinations of authorizations through their SAP user accounts.

    Create SAP functions for compliant authorizations or combinations of authorizations. Create compliance rules for mutually exclusive SAP functions. The compliance check finds all employees that combine such non-compliant authorization combinations through their SAP user accounts.

Example for use case 1

A company has changed its policies on compliant SAP authorizations. Now the new policies must be tested to see if existing authorizations (SAP roles and profiles) comply. SAP roles and profiles with non-compliant combinations of authorizations must be identified so that they can be modified to meet the new requirements.

An SAP function is created for each non-compliant authorization combination.

Table 7: Example of an authorization definition
SAP function Transaction Authorization objects Field Value
A T1 BO2 ACTVT *
T1 BO2 Class *
T1 BO3 ACTVT 01, 02
T2 BO5 ACTVT *
T2 BO5 Class RST*
B T1 BO3 ACTVT *
T1 BO4 ACTVT 02, 03, 07
T1 BO4 Class *

The following SAP roles are available:

Table 8: Defined SAP roles
SAP role Transaction Authorization objects Field Value
R1 T1 BO1 ACTVT *
T1 BO1 Class *
T1 BO3 ACTVT *
T1 BO4 ACTVT 01, 02
T1 BO4 Class DEF*
R2 T1 BO2 ACTVT *
T1 BO2 Class *
T1 BO3 ACTVT *
R3 T1 BO4 ACTVT 03, 07
T1 BO4 Class *
R4 T2 BO5 ACTVT 03
T2 BO5 Class *

SAP roles are found that match the SAP function during authorization testing.

Table 9: Authorization test results
SAP function SAP role Configuration parameter "TestWithoutTCD" Reason
B R1 disabled | enabled The role R1 has all the authorization objects and fields named in the SAP function and at least one field characteristic.

The role R2 is missing the authorization object BO4. Therefore it does not match the SAP function.

The role R3 is missing authorization object BO3. Therefore it does not match the SAP function.

The role R4 is missing authorization object BO3 and BO4. Therefore it does not match the SAP function.

The configuration parameter does not have any effect on the result of the authorization test because there only one transaction is used in the SAP function.

A R2, R4 Disabled The role R2 has all the authorization objects, fields and characteristics named in transaction T1.

The role R4 has all the authorization objects, fields and characteristics named in transaction T2.

The role R1 is missing the authorization object BO2 or BO5. Therefore it does not match the SAP function.

The role R3 does not have any of the named authorization objects. Therefore it does not match the SAP function.

A   Enabled The role R1 is missing authorization object BO2 and BO5. Therefore it does not match the SAP function.

The role R2 is missing the authorization object BO5. Therefore it does not match the SAP function.

The role R3 does not have any of the named authorization objects. Therefore it does not match the SAP function.

The role R4 is missing authorization object BO2 and BO3. Therefore it does not match the SAP function.

The SAP role R3 complies with the new policies and can still be used. The roles R1, R2 and R4 must be modified to comply to the new policies. If an authorization is compliant without taking the authorization test into account, only role R1 must be modified.

Example for use case 2

Now you need to run a test to ascertain which SAP user accounts do not conform to the new policies. To do this, you have to create compliance rules for the SAP functions.

Table 10: SAP user accounts used
Employees SAP User Accounts SAP roles Permissions
Clara Harris K1 R1 BO1 | ACTVT {*}

BO1 | CLASS {*}

BO3 | ACTVT {*}

BO4 | ACTVT {01, 02}

BO4 | CLASS {DEF*}

Ben King K2 R2, R3 BO2 | ACTVT {*}

BO2 | CLASS {*}

BO3 | ACTVT {*}

BO4 | ACTVT {03, 07}

BO4 | CLASS {*}

Jenny Basset K3 R2 BO2 | ACTVT {*}

BO2 | CLASS {*}

BO3 | ACTVT {*}

Jenny Basset K4 R3

BO4 | ACTVT {03, 07}

BO4 | CLASS {*}

Jan Bloggs K5 R3

BO4 | ACTVT {03, 07}

BO4 | CLASS {*}

The SAP roles R2 and R3 are assigned to user account K2. The user account therefore, obtains all the authorizations from both these roles. However, according to the new policies, an employee cannot own the authorizations BO3 and BO4 (SAP function B) at the same time. A compliance rule is created for this, which finds all employees matching the SAP function B (rule C1). Since neither role R2 nor role R3 matches this SAP function, a rule violation is not found.

In order for One Identity Manager to acknowledge the rule violation, SAP functions must be created for the conflicting authorization objects. As a result. the SAP functions that cause a rule violation are combined into a compliance rule.

Table 11: More SAP functions
SAP function Transaction Authorization objects Field Value
B T1 BO3 ACTVT *
T1 BO4 ACTVT 02, 03, 07
T1 BO4 Class *
C T1 BO3 ACTVT *
d T1 BO4 ACTVT 02, 03, 07
T1 BO4 Class *
Table 12: Compliance rules
Rule Rule condition Employee who violate rules
CR1 Employee owns SAP function B. Clara Harris
CR2 The employee owns the SAP function C AND the employee own the SAP function D.

Clara Harris

Ben King

Jenny Basset

Jan Bloggs does not violate the compliance rule. The SAP role R3 matches the SAP function D but this only leads to a rule violation in combination with the SAP function C.

Related Topics

Advice for Authorization Definitions

Take the following advice into account when you create an authorization definition in the authorization editor.

  • Click + to add an additional value for the ACTVT element to an authorization object. You can also write several permitted values for ACTVT elements as a comma delimited list.
  • To add an additional value for another function element (CLASS, for example) to an authorization object, click C next to this function element. The permitted values of this function element cannot be entered as a comma delimited list. They must always appear as separate entries in the authorization definition.
  • Authorization objects cannot be added more than once to an authorization definition. if you want to run a function test on the same authorization object with different instances, create a separate SAP function for each instance. Combine these SAP function in a compliance rule.
Detailed information about this topic
Related Topics

Setting up SAP Functions

Setting up SAP Functions

You can create function definitions, function instances and variable sets for SAP functions. A function definition contains the authorization definition as well as general master data. An authorization definition consists of at least one transaction. A least one authorization objects belongs to a transaction. Each authorization object consists of at least one function element (activity or authorization field) with concrete instances. Instances are given as single values or as upper and lower scope boundaries. Function elements can be listed more than once per authorization object.

You can use an SAP function for different instances. Use variables in the authorization definition to do this. Fixed variable values are grouped in variable sets and used in the function instances.

Related Documents