Chat now with support
Chat with Support

Identity Manager 8.1.4 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP systems Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Adding SAP groups, SAP roles, and SAP profiles to the IT Shop

NOTE: Only profiles that are not assigned to IT Shop roles can be assigned to SAP shelves.

When you assign a group, a role, or a profile to an IT Shop shelf, it can be requested by the shop customers. To ensure it can be requested, further prerequisites need to be guaranteed:

  • The group , the role, or the profile must be labeled with the IT Shop option.

  • The group , the role or profile must be assigned a service item.

    TIP: In the Web Portal, all products that can be requested are grouped together by service category. To make the group, the role, or profile easier to find in the Web Portal, assign a service category to the service item.

  • If you only want the group, the role or profile to be assigned to employees through IT Shop requests, the group, the role or the profile must also be labeled with the Use only in IT Shop option. Direct assignment to hierarchical roles or user accounts is no longer permitted.

NOTE: With role-based login, the IT Shop administrators can assign groups, roles, and profiles to IT Shop shelves. Target system administrators are not authorized to add groups, roles, and profiles to IT Shop.

To add a group, a role, or a profile to the IT Shop.

  1. In the Manager, select the SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 | Profiles (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements | SAP Groups or Entitlements | SAP Roles or Entitlements | SAP Profiles (role-based login) category.

  2. In the result list, select the group, the role or the profile.
  3. Select the Add to IT Shop task.
  4. In the Add assignments pane, assign the group, the role or profile to the IT Shop shelves.
  5. Save the changes.

To remove a group, a role or profile from individual shelves of the IT Shop

  1. In the Manager, select the SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 | Profiles (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements | SAP Groups or Entitlements | SAP Roles or Entitlements | SAP Profiles (role-based login) category.

  2. In the result list, select the group, the role or the profile.
  3. Select the Add to IT Shop task.
  4. In the Remove assignments pane, remove the group the role or profile from the IT Shop shelves.
  5. Save the changes.

To remove a group, a role or profile from all shelves of the IT Shop

  1. In the Manager, select the SAP R/3 | Groups or SAP R/3 | Roles or SAP R/3 | Profiles (non role-based login) category.

    - OR -

    In the Manager, select the Entitlements | SAP Groups or Entitlements | SAP Roles or Entitlements | SAP Profiles (role-based login) category.

  2. In the result list, select the group, the role or the profile.
  3. Select the Remove from all shelves (IT Shop) task.
  4. Confirm the security prompt with Yes.
  5. Click OK.

    The group, the role or profile is removed from all shelves by the One Identity Manager Service. All requests and assignment requests with this group, this role or profile are canceled.

For more detailed information about requesting company resources through the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Related topics

Assignment and inheritance of SAP profiles and SAP roles to SAP user accounts

The following SAP sided limitation influence the user account assignment and inheritance of profiles and roles in One Identity Manager.

  • Composite profiles can be put together from 0...n profiles or composite profiles. If a user account is assigned a composite profile, the target system only returns the user account membership in the assigned composite profile and not the membership in subprofiles.
  • Single roles can put together from 0..n profiles. Only profiles that are not composite profiles can be assigned. Profiles that are assigned to a single role can no longer be assigned to a user account.
  • Collective roles can be made up of 0...n single roles. Assignment of profiles or composite profiles to collective roles is not possible.

These limitations result in the following:

In assignment:

  • Triggering prevents the assignment of roles which are assigned to single roles, to user accounts, products, roles, and employees.

In inheritance behavior:

  • If a user account is assigned a collective role that owns single roles, the single roles are not added to the SAPuserInSAPGroupTotal table.
  • If a user account is assigned a single role that owns profiles, the profiles are not added to the SAPUserInSAPProfile table.

  • If a user account is assigned a single role and this single role is part of a collective role that is also assigned to this user account, the single role is not added to the SAPUserInSAPRole table.

  • If a user account is assigned a composite profile with child profiles, the child profiles are not added to the SAPUserInSAPProfile table.

If a user account obtains additional roles or profiles through a reference user, these roles or profiles are only added in the SAPUserInSAPRole and SAPUserInSAPProfile tables for the reference user. When company resources assigned to an employee (PersonHasObject table) are calculated, the roles and profiles inherited by a user account through single roles, collective roles, composite profiles, and reference users are also taken into account.

Additional tasks for managing SAP groups, SAP roles, and SAP profiles

After you have entered the master data, you can run the following tasks.

Overview of SAP groups, SAP roles, and SAP profiles

To obtain an overview of a group

  1. Select the SAP R/3 | Groups category.
  2. Select the group in the result list.
  3. Select the SAP group overview task.

To obtain an overview of a profile

  1. Select the SAP R/3 | Profiles category.
  2. Select a profile in the result list.
  3. Select the SAP profile overview task.

To obtain an overview of a role

  1. Select the SAP R/3 | Roles category.
  2. Select the role in the result list.
  3. Select the SAP role overview task.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating