Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for the SAP R/3 Compliance Add-on

SAP Functions and Identity Audit Setting up a Synchronization Project for Synchronizing SAP Authorization Objects Base Data for SAP Functions Finding Non-compliant Authorizations Setting up SAP Functions Compliance Rules for SAP Functions Mitigating Controls Appendix: Configuration Parameters for SAP Functions Appendix: Default Project Templates for the SAP R/3 Compliance Add-on Module Appendix: Referenced SAP R/3 Tables and BAPI Calls

Using Variables

Using Variables

You can set fixed values for function elements in authorization definitions. You can implement variables to use a function definition for different function instances. For this, the following is valid:

Table 13: Variables Specification
Property Specification

Variable name

  • Begins with a letter
  • Only contains letters, numbers and underscore
  • Is enclosed in $ signs

Example: $Var_01$

NOTE: Variable names cannot begin with system variable names.

Value

Syntax (example) SAP authorization is tested for Example for value in the SAP system
* Any value abc | 1234
Any string (from) Exact given value abc
[*] The value * *
String[*] (abc[*]) Value from*
String* (abc[*]) Values beginning with the given string and ending with any string abc* | abcd
Comma delimited list (abc, 1234, d*) A value contained in the list ab | 1234 | c* | cde

You can also use system variables as well as self-defined variables in the authorization definition. System variables have the following syntax: ${character}+ (example: $AUFART).

Variables must be uniquely identifiable by the authorization check. Therefore, names of self-defined variables may not match system variables or begin with system variable name.

Related Topics

Creating Function Definitions

Creating Function Definitions

A working copy is added to the database for every function definition. Edit the working copies to create function definitions and change them. The changes are not passed on to the production function definition until the working copy is enabled. SAP authorizations are only checked on the basis of active function definitions.

NOTE: One Identity Manager users with the application role Identity & Access Governance | Identity Audit | Maintain SAP functions can edit existing working copies that they are entered as being responsible for in the master data.

To create a new function definition

  1. Select the category Identity Audit | SAP functions | Function definitions.
  2. Click in the result list toolbar.
  3. Enter the function definition master data.
  4. Save the changes.

    This adds a working copy.

  5. Select Enable working copy from the task view. Confirm the security prompt with OK.

    This adds an enabled rule in the database. The working copy is retained and can be used to make changes later.

To edit an existing function definition

  1. Select the category Identity Audit | SAP functions | Function definitions.
    1. Select the function definition in the result list.
    2. Select Create copy in the task view.

      The data from the existing working copy are overwritten with the data from the active function definition, after prompting. The working copy is opened and can be edited.

    - OR -

    Select the category Identity Audit | SAP functions | Function definition working copies.

    1. Select the working copy in the result list.
    2. Select Change master data in the task view.
  2. Edit the working copy's master data.
  3. Save the changes.
  4. Select Enable working copy from the task view. Confirm the security prompt with OK.

    The changes to the working copy are transferred to the active function definition.

General Master Data for a Function Definition

General Master Data for a Function Definition

Table 14: Configuration Parameters for Risk Assessment of SAP Functions
Configuration parameter Active Meaning
QER\CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is set, values can be entered and calculated for the risk index.

Enter the following master data for a function category.

Table 15: Master Data for a Function Definition
Property Description
Function definition Name of the SAP function.
Functional area The SAP function is valid for this functional area.
Function category Grouping criteria for the SAP function. To create a new function categories, click . Enter the name and a description of the function category.
Managers Application role whose members are responsible for the function definition in terms of content.

To create a new application role, click . Enter the application role name and assign a parent application role.

Authorization objects Spare text field for entering information about the authorization objects that are used in the function definitions.
Risk index Defines the risk for the company if an SAP user account matches this SAP function. Use the slider to enter a value between 0 and 1.

0 ... no risk

1 ... every SAP user account that matches the SAP function poses a problem.

This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set.

Risk index (reduced)

Show the risk index taking mitigating controls into account. An SAP function’s risk index is reduced by the significance reduction of all mitigating controls assigned to it. The risk index (reduced) is calculated for the original SAP function. To copy the value to a working copy, run the task Create working copy.

This property is only visible when the configuration parameter QER\CalculateRiskIndex is set. The value is calculated by the One Identity Manager and cannot be edited.

Severity Specifies what it means to the company (or the assigned functional area) when an SAP user matches with this SAP function. Enter a value between 0 and 1.

0 ... only information

1 ... Every SAP user account that matches the SAP function, requires changes to the SAP authorizations that are effected.

Significance Enter a verbal description of the effects on the company (or the functional area) when an SAP user matches this SAP function. In the default installation value list is displayed with the entries {NONE, ‘low’, ‘average’, ‘high’, ‘critical’}.
Description Spare text box for additional explanation.
Working copy Specifies whether this is a working copy of the function definition.
Detailed information about this topic

Additional Tasks for Working Copies

After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.

Related Documents