Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for the SAP R/3 Compliance Add-on

SAP Functions and Identity Audit Setting up a Synchronization Project for Synchronizing SAP Authorization Objects Base Data for SAP Functions Finding Non-compliant Authorizations Setting up SAP Functions Compliance Rules for SAP Functions Mitigating Controls Appendix: Configuration Parameters for SAP Functions Appendix: Default Project Templates for the SAP R/3 Compliance Add-on Module Appendix: Referenced SAP R/3 Tables and BAPI Calls

Overview of the Function Definition

Overview of the Function Definition

You can see the most important information about a working copy on the overview form.

To obtain an overview of a working copy

  1. Select the category Identity Audit | SAP functions | Function definition working copies.
  2. Select the function definition in the result list.
  3. Select Function definition in the task view.

Authorization Editor

Authorization Editor

Use the Authorization Editor to set up the SAP function authorization definition. To do this, group transactions and authorization objects together that should be covered by the SAP function.

To compile an authorization definition

  1. Select the category Identity Audit | SAP functions | Function definition working copies.
  2. Select the function definition in the result list.
  3. Select Authorization Editor in the task view.
  4. Select one of the following tasks.
    • 1. Add via menu template...
      Table 16: Menu Template Properties
      Property Description
      Display SAP menu Menu items from the SAP GUI SAP menu.
      All other menus Menu items from all other SAP menus.
      System SAP system to be used to display the menu tree .
      Menu Menu tree for selecting menu items. All the transaction and authorization objects are loaded that can be called from the selected menu items. Transaction codes that are linked to a menu item are shown in brackets in the menu tree as additional information.

    - OR -

    • 2. Add via transaction....
      Table 17: Transaction Properties
      Property Description
      FilterClosed Filter for list of available transactions.
      Transaction Transactions whose authorization objects are to be loaded into the Authorization Editor. All authorization object are added that are linked with the selected transaction.

    - OR -

    • 3. Add via authorization object.... Property
      Table 18: Authorization Object Properties
      Description
      Filter Filter for list of available transactions.
      Authorization object Authorization object to be loaded in to the Authorization Editor. All transactions to which the authorization object is linked, are added.

    - OR -

    • 4. Adding via existing function definition....

      Select an existing function definition whose authorization definition is to be loaded into the Authorization Editor.

  5. Specify details for each element in the Authorization Editor.
  6. Save the changes.

Figure 3: Authorization Editor for SAP Functions

The functionality of the Authorization Editor is based on the SAPGUI Authorization Editor. The columns in the Authorization Editor have the following meaning.

Table 19: Properties of an Authorization Definition
Property Description
Function definition / transaction / authorization / function element Function definition hierarchy. Transactions, their associated authorization objects and function elements are mapped in a tree structure.
Processing status Processing status of tree structure objects:

... no value is specified for the function element.

... a value is specified for the function element.

Add Click +, to add more objects to the authorization definition. This adds a sub object.

Click C, to copy the function element.

Remove Click -, to remove objects from the authorization definition.
Description Object description.
Any Click *, to define the value of a function element as "*" (any value).
Value / lower limit

Values permitted for the function element. For example, you can limit SAP authorizations to specific SAP groups. When you specify a range, enter the lower limit here.

Values can be added as variables. System variables can also be used. Wildcards can be used in the values.

Syntax (example) SAP authorization is tested for Example for value in the SAP system
* Any value abc | 1234
Any string (from) Exact given value abc
[*] The value * *
String[*] (abc[*]) Value from*
String* (abc[*]) Values beginning with the given string and ending with any string abc* | abcd
Comma delimited list (abc, 1234, d*) A value contained in the list

Comma delimited lists can only be used with ACTVT elements. This list is used like a string on other function elements.

ab | 1234 | c* | cde
Variable ($Var$) Value stored in the variable
System variable ($var) Value stored in the system variable
Upper scope boundary Upper limit for the range of a function element Values can be added as variables.

All function elements in a transaction that are defined in a separate row must be fulfilled for the SAP function to match. If the SAP functions should only match when an SAP profile has one of several possible instances of one and the same function element, define this instance as a comma delimited list of values for this function element.

To edit the properties of the selected object

  • Double-click on a function element in the Authorization Editor.

    You can edit the description of the function element and the upper and lower limits.

Table 20: Function Element Properties
Property Description
Type Specifies whether the selected function element is an activity or a authorization field.
Name Name of the function element.
Lower limit, upper limit Values permitted for the function element. When you specify a range, enter a lower and an upper limit. Values can be added as variables. Click to select variables from the variable definitions available.
Description Detailed description of the function elements.
Detailed information about this topic
Related Topics

Checking Authorization Objects for Completeness

The One Identity Manager uses this task to test whether all authorization objects that belong to a transaction occur in the authorization definition.

To test an authorization definition for completeness

  1. Select the category Identity Audit | SAP functions | Function definition working copies.
  2. Select the function definition in the result list.
  3. Select Authorization Editor in the task view.
  4. Select the task Check authorization objects for completeness.

    Missing authorization objects are displayed in a separate window.

  5. Enable the Add option on the authorization object you want to add to the authorization definition.
  6. Close the window using the OK button.

    The authorization objects can now be edited in the authorizations editor.

Authorization Overview

Function elements are displayed in a flat structure in the authorization overview. You can edit all the object properties here.

To display an overview of all function elements

  1. Select the category Identity Audit | SAP functions | Function definition working copies.
  2. Select the function definition in the result list.
  3. Select Authorization overview in the task view.
Related Documents