Finding Non-compliant Authorizations
| Configuration Parameter | Description |
|---|---|
| TargetSystem\SAPR3\SAPRights\TestWithoutTCD | Checks SAP authorizations without taking SAP transactions into account. |
SAP authorizations are verified on the basis of the transactions permitted for an SAP user account and the associated authorization objects. Authorization objects and transactions are grouped into single profiles. In order to check whether there are potentially dangerous authorizations in the company, define authorization objects and transactions as SAP functions. The One Identity Manager compares all authorization objects and transactions assigned to single profiles with the authorization definition in the SAP function. This way, it determines all SAP roles and profiles that have exactly these authorization objects and transactions assigned through single roles.
The configuration parameter "TargetSystem\SAPR3\SAPRights\TestWithoutTCD" is evaluated by authorization checks. If the configuration parameter is not set (default case), the following rules apply to the authorization checks:
An SAP role or SAP profile matches an SAP function, when
- It contains at least one of the transaction defined in the SAP function
- It has all the authorization objects for this transaction
- It has all the different authorization object function elements
- At least one of the instances is defined exactly same function element.
An SAP role matches an SAP function if the SAP profile of this SAP role contains one the transactions defined in the SAP function. The SAP profile must have all this transaction's authorization objects to do this. If a list of different instances is defined for the the authorization object, the SAP profile matches the SAP function if it has at least one of these instances.
These transactions are not taken into accounts during authorizations check if the configuration parameter "TargetSystem\SAPR3\SAPRights\TestWithoutTCD" is set. In this case, the following rules apply for authorization checking:
An SAP role or SAP profile matches an SAP function, when
- It has all the authorization objects for all transactions
- It has all the different authorization object function elements
- At least one of the instances is defined exactly same function element.
Example of authorization checking
An SAP function is defined with the following transactions, authorization objects and function elements.
Figure 2: Authorization definition
All SAP roles and SAP profiles with the authorizations listed below are found with the SAP function shown if the configuration parameter is not set.
- Transaction 1 with authorization object 1 and function element 1 with the instance "02" OR "07" OR "21" AND Function elements 2
- OR -
- Transaction 2 with authorization object 2 and function element 3, 4 AND 5
- AND -
with authorization object 3 and function element 6 with the instance "01" OR "02"AND function element 7 with instance "SLH" OR "SLN"
All SAP roles and SAP profiles with the authorizations listed below are found through SAP functions when the configuration parameter is set.
- Authorization object 1 and function element 1 with the instance "02" OR "07" OR "21" AND Function elements 2
- AND -
- Authorization object 2 and function element 3, 4 AND 5
- AND -
- Authorization object 3 and function element 6 with the instance "01" OR "02"AND function element 7 with instance "SLH" OR "SLN"
Examples of SAP Functions
Examples of SAP Functions
If you create an authorization definition, you need to think about which authorization combinations are not compliant. You can differentiate between two use cases:
- Find all SAP roles and profiles with invalid combinations of authorizations.
Create an SAP function for authorizations that cannot occur together with an SAP role or an SAP profile. The authorization test identifies all SAP roles and profiles, which have this non-compliant combination of authorizations.
- Find all employees that have obtain non-compliant combinations of authorizations through their SAP user accounts.
Create SAP functions for compliant authorizations or combinations of authorizations. Create compliance rules for mutually exclusive SAP functions. The compliance check finds all employees that combine such non-compliant authorization combinations through their SAP user accounts.
Example for use case 1
A company has changed its policies on compliant SAP authorizations. Now the new policies must be tested to see if existing authorizations (SAP roles and profiles) comply. SAP roles and profiles with non-compliant combinations of authorizations must be identified so that they can be modified to meet the new requirements.
An SAP function is created for each non-compliant authorization combination.
| SAP function | Transaction | Authorization objects | Field | Value |
|---|---|---|---|---|
| A | T1 | BO2 | ACTVT | * |
| T1 | BO2 | Class | * | |
| T1 | BO3 | ACTVT | 01, 02 | |
| T2 | BO5 | ACTVT | * | |
| T2 | BO5 | Class | RST* | |
| B | T1 | BO3 | ACTVT | * |
| T1 | BO4 | ACTVT | 02, 03, 07 | |
| T1 | BO4 | Class | * |
The following SAP roles are available:
| SAP role | Transaction | Authorization objects | Field | Value |
|---|---|---|---|---|
| R1 | T1 | BO1 | ACTVT | * |
| T1 | BO1 | Class | * | |
| T1 | BO3 | ACTVT | * | |
| T1 | BO4 | ACTVT | 01, 02 | |
| T1 | BO4 | Class | DEF* | |
| R2 | T1 | BO2 | ACTVT | * |
| T1 | BO2 | Class | * | |
| T1 | BO3 | ACTVT | * | |
| R3 | T1 | BO4 | ACTVT | 03, 07 |
| T1 | BO4 | Class | * | |
| R4 | T2 | BO5 | ACTVT | 03 |
| T2 | BO5 | Class | * |
SAP roles are found that match the SAP function during authorization testing.
| SAP function | SAP role | Configuration parameter "TestWithoutTCD" | Reason |
|---|---|---|---|
| B | R1 | disabled | enabled | The role R1 has all the authorization objects and fields named in the SAP function and at least one field characteristic.
The role R2 is missing the authorization object BO4. Therefore it does not match the SAP function. The role R3 is missing authorization object BO3. Therefore it does not match the SAP function. The role R4 is missing authorization object BO3 and BO4. Therefore it does not match the SAP function. The configuration parameter does not have any effect on the result of the authorization test because there only one transaction is used in the SAP function. |
| A | R2, R4 | Disabled | The role R2 has all the authorization objects, fields and characteristics named in transaction T1.
The role R4 has all the authorization objects, fields and characteristics named in transaction T2. The role R1 is missing the authorization object BO2 or BO5. Therefore it does not match the SAP function. The role R3 does not have any of the named authorization objects. Therefore it does not match the SAP function. |
| A | Enabled | The role R1 is missing authorization object BO2 and BO5. Therefore it does not match the SAP function.
The role R2 is missing the authorization object BO5. Therefore it does not match the SAP function. The role R3 does not have any of the named authorization objects. Therefore it does not match the SAP function. The role R4 is missing authorization object BO2 and BO3. Therefore it does not match the SAP function. |
The SAP role R3 complies with the new policies and can still be used. The roles R1, R2 and R4 must be modified to comply to the new policies. If an authorization is compliant without taking the authorization test into account, only role R1 must be modified.
Example for use case 2
Now you need to run a test to ascertain which SAP user accounts do not conform to the new policies. To do this, you have to create compliance rules for the SAP functions.
| Employees | SAP User Accounts | SAP roles | Permissions |
|---|---|---|---|
| Clara Harris | K1 | R1 | BO1 | ACTVT {*}
BO1 | CLASS {*} BO3 | ACTVT {*} BO4 | ACTVT {01, 02} BO4 | CLASS {DEF*} |
| Ben King | K2 | R2, R3 | BO2 | ACTVT {*}
BO2 | CLASS {*} BO3 | ACTVT {*} BO4 | ACTVT {03, 07} BO4 | CLASS {*} |
| Jenny Basset | K3 | R2 | BO2 | ACTVT {*}
BO2 | CLASS {*} BO3 | ACTVT {*} |
| Jenny Basset | K4 | R3 |
BO4 | ACTVT {03, 07} BO4 | CLASS {*} |
| Jan Bloggs | K5 | R3 |
BO4 | ACTVT {03, 07} BO4 | CLASS {*} |
The SAP roles R2 and R3 are assigned to user account K2. The user account therefore, obtains all the authorizations from both these roles. However, according to the new policies, an employee cannot own the authorizations BO3 and BO4 (SAP function B) at the same time. A compliance rule is created for this, which finds all employees matching the SAP function B (rule C1). Since neither role R2 nor role R3 matches this SAP function, a rule violation is not found.
In order for One Identity Manager to acknowledge the rule violation, SAP functions must be created for the conflicting authorization objects. As a result. the SAP functions that cause a rule violation are combined into a compliance rule.
| SAP function | Transaction | Authorization objects | Field | Value |
|---|---|---|---|---|
| B | T1 | BO3 | ACTVT | * |
| T1 | BO4 | ACTVT | 02, 03, 07 | |
| T1 | BO4 | Class | * | |
| C | T1 | BO3 | ACTVT | * |
| d | T1 | BO4 | ACTVT | 02, 03, 07 |
| T1 | BO4 | Class | * |
| Rule | Rule condition | Employee who violate rules |
|---|---|---|
| CR1 | Employee owns SAP function B. | Clara Harris |
| CR2 | The employee owns the SAP function C AND the employee own the SAP function D. |
Clara Harris Ben King Jenny Basset |
Jan Bloggs does not violate the compliance rule. The SAP role R3 matches the SAP function D but this only leads to a rule violation in combination with the SAP function C.
Related Topics
Advice for Authorization Definitions
Take the following advice into account when you create an authorization definition in the authorization editor.
- Click + to add an additional value for the ACTVT element to an authorization object. You can also write several permitted values for ACTVT elements as a comma delimited list.
- To add an additional value for another function element (CLASS, for example) to an authorization object, click C next to this function element. The permitted values of this function element cannot be entered as a comma delimited list. They must always appear as separate entries in the authorization definition.
- Authorization objects cannot be added more than once to an authorization definition. if you want to run a function test on the same authorization object with different instances, create a separate SAP function for each instance. Combine these SAP function in a compliance rule.
Detailed information about this topic
Related Topics
Setting up SAP Functions
Setting up SAP Functions
You can create function definitions, function instances and variable sets for SAP functions. A function definition contains the authorization definition as well as general master data. An authorization definition consists of at least one transaction. A least one authorization objects belongs to a transaction. Each authorization object consists of at least one function element (activity or authorization field) with concrete instances. Instances are given as single values or as upper and lower scope boundaries. Function elements can be listed more than once per authorization object.
You can use an SAP function for different instances. Use variables in the authorization definition to do this. Fixed variable values are grouped in variable sets and used in the function instances.