Chat now with support
Chat with Support

Identity Manager 8.1.4 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP systems Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

SAP products

Installed modules: System Roles Module

You can define One Identity Manager products as a collection of different groups, roles, or profiles in SAP. SAP products are system roles with the system role type "SAP product". Employees can obtain SAP products directly, inherit them though hierarchical role, or request them in the IT Shop.

The employee’s user account is assigned the groups, roles, and profiles in the SAP product independent of the assignment method. If an SAP product changes by adding or removing a group, role, or a profile in One Identity Manager, user account memberships are changed accordingly.

To edit SAP products

  1. Select the SAP R/3 | Products category.
  2. Select an SAP product in the result list.

    – OR –

    Click in the result list.

    This opens the master data form for a system role.

  3. Edit the system role's master data.
  4. Save the changes.
Detailed information about this topic
  • One Identity Manager System Roles Administration Guide

General master data for SAP products

Table 71: Configuration parameters for risk assessment of SAP user accounts
Configuration parameter Effect when set
QER | CalculateRiskIndex Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database.

If the parameter is enabled, values for the risk index can be entered and calculated.

Enter the following data for a system role.

Table 72: System role master data

Property

Description

Display name

Name for displaying the system roles in One Identity Manager tools.

System role

Unique identifier for the system role.

Internal product name

An additional internal name for the system role.

System role type

Specifies the type of company resources, which comprise the system role.

Service item

In order to use a service item within the IT Shop, assign a service item to it or add a new service item. For more information about service items, see the One Identity Manager IT Shop Administration Guide.

System role manager

Manager responsible for the system role. Assign any new employee. This employee can edit system role master data. They can be used as attestors for system role properties.

If the system role can be requested in the IT Shop, the manager will automatically be a member of the application role for product owners assigned the service item.

Share date

Specify a date for enabling the system role. If the date is in the future, the system role is considered to be disabled. If the date is reached, the system role is enabled. Employees inherit company resources that are assigned to the system role.

If the share date is exceeded or no date is entered, the system role is handled as an enabled system role. Company resource inheritance can be controlled with the Disabled option in these cases.

NOTE: Configure and enable the Share system roles schedule in the Designer to check the share date. For detailed information about schedules, see the One Identity Manager Operational Guide.

Risk index (calculated)

Maximum risk index values for all company resources. The property is only visible if the QER | CalculateRiskIndex configuration parameter is enabled. For detailed information about calculating the risk index, see the One Identity Manager Risk Assessment Administration Guide.

Comment

Text field for additional explanation.

Remarks

Text field for additional explanation.

Description

Text field for additional explanation.

Deactivated

Specifies whether employees and workdesks inherit the company resources contained in the system role.

If this option is set, the system role can be assigned to employees, workdesks, hierarchical roles, and IT Shop shelves. However they cannot inherit the company resources contained in the system role. The system role cannot be requested in the Web Portal.

If this option is not set, company resources assigned to the system role are inherited. If the option is enabled at a later date, existing assignments are removed.

IT Shop

Specifies whether the system role can be requested through the IT Shop. This system role can be requested by staff through the Web Portal and the request granted by a defined approval procedure. The system role can still be assigned directly to employees and hierarchical roles. For detailed information about IT Shop, see the One Identity Manager IT Shop Administration Guide.

Only for use in IT Shop

Specifies whether the system role can only be requested through the IT Shop. This system role can be requested by staff through the Web Portal and the request granted by a defined approval procedure. The system role may not be assigned directly to hierarchical roles.

Spare field no. 01 ... Spare field no. 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

For detailed information about system roles, see the One Identity Manager System Roles Administration Guide

Assigning SAP products to employees

SAP products can be assigned directly or indirectly to employees. In the case of indirect assignment, employees, and SAP products are arranged in hierarchical roles. The number of SAP products assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance.

If you add an employee to roles and that employee owns a user account, the user account is added to all groups, roles, or profiles included in the SAP products owned by the employee. The groups, roles, or profiles are not inherited if the SAP product is disabled or if the share date is still in the future.

Prerequisites for indirect assignment:

  • Assignment of system roles, employees, groups, roles, and profiles is permitted for role classes (departments, cost centers, locations, or business roles).
  • User accounts are marked with the Groups can be inherited option.
  • The user accounts, groups, roles, and profiles belong to the same SAP client.

Furthermore, SAP products can be assigned to employees through IT Shop requests. SAP products can be assigned through IT Shop requests by adding employees to a shop as customers. All SAP products are assigned to this shop can be requested by the customers. Requested SAP products are assigned to the employees after approval is granted.

Detailed information about this topic
Related topics

Assigning SAP products to organizations

Assign SAP products to departments, cost centers, and locations in order to assign employees to them through these organizations.

To assign an SAP product to departments, cost centers, or locations

  1. Select the SAP R/3 | Products category.
  2. Select the SAP product in the result list.
  3. Select the Assign organizations task.
  4. In the Add assignments pane, assign the organizations.
    • Assign departments on the Departments tab.
    • Assign locations on the Locations tab.
    • Assign cost centers on the Cost centers tab.

    - OR -

    Remove the organizations in the Remove assignments pane.

  5. Save the changes.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating