Effectiveness of structural profiles
Table 5: Configuration parameter for conditional inheritance
|
QER | Structures | Inherite | GroupExclusion |
Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to this parameter require the database to be recompiled. |
If structural profiles are assigned to user accounts, an employee may obtain two or more structural profiles, which are not permitted in this combination. To prevent this, declare the structural profiles as mutually exclusive. To do this, you specify which of the two structural profiles should apply to the user accounts if both are assigned.
You can assign an excluded structural profile directly, indirectly, or by IT Shop request at anytime. One Identity Manager determines whether the assignment is effective.
NOTE:
- You cannot define a pair of mutually exclusive structural profiles. That means, the definition "Structural profile A excludes structural profile B" AND "Structural profile B excludes structural profile A" are not permitted.
- You must declare each structural profile to be excluded from a structural profile separately. Exclusion definitions cannot be inherited.
The effect of the assignments is mapped in the SAPUserInSAPHRP and BaseTreeHasSAPHRP tables through the XIsInEffect column.
Prerequisites
- The "QER | Structures | Inherite | GroupExclusion" configuration parameter is set.
- Mutually exclusive structural profiles belong to the same client.
To exclude structural profiles
- Select the SAP R/3 | Structural profiles category.
- Select a structural profile in the result list.
- Select the Exclude structural profiles task.
- In the Add assignments pane, Assign the structural profiles that are mutually exclusive to the selected location.
- OR -
In the Remove assignments pane, remove structural profiles that are no longer mutually exclusive.
- Save the changes.
For more information about the effectiveness of group memberships, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
Inheriting structural profiles based on categories
In One Identity Manager, structural profiles can be selectively inherited by user accounts. For this purpose, the structural profiles and the user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. In the other tables enter your categories for the structural profiles. Each table contains the Position 1 to Position 31 category positions.
Every user account can be assigned to one or more categories. Every structural profile can be assigned to one or more categories as well. If at least one user account category position matches an assigned structural profile, the structural profile is inherited by the user account. The structural profile is also inherited by the user account if the structural profile or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when structural profiles are assigned indirectly through hierarchical roles. Categories are not taken into account when structural profile are directly assigned to user accounts.
To use inheritance through categories
- Define the categories in the client.
NOTE: If central user administration is implemented, define the categories in the central system as well as in the child system. The same categories must be defined in the child system as in the central system so that structural profiles from a child system can be inherited by user accounts.
- Assign categories to user accounts through their master data.
- Assign categories to structural profiles through their master data.
To define a category
- Select the SAP R/3 | Clients category.
- Select the client in the result list. Select the Change master data task.
- Select the Categories tab.
- Open the member tree of the "SAP structural Profiles" table.
- To enable the category, double-click the icon in front of the item name.
- Enter a name for the category in the column for the respective One Identity Manager login language.
- Save the changes.
Detailed information about this topic
- One Identity Manager Administration Guide for Connecting to SAP R/3
- One Identity Manager Target System Base Module Administration Guide
Related topics
Assigning validity periods for profile assignments
You can enter a validity period for assigning structural profiles to user accounts. If no validity period is given to the profile assignments, they are allocated the following validity dates by default:
- Valid from: 1900-01-01
- Valid to : 9999-12-31
These profile assignments are therefore unlimited.
The SAPUserInSAPHRP table contains all profile assignments, limited, and unlimited.
The HelperSAPUserInSAPHRP table only contains profile assignments that are currently valid. The Daily calculation of SAP user accounts assignments to SAP roles schedule controls the calculation of this table.
Detailed information about this topic
Related topics
Assigning the validity period of direct profile assignments
Direct assignments can occur in two different ways:
-
Synchronizing profile assignments
The Valid from and Valid to columns are taken into account in the default mapping. Synchronization writes the validity period of profile assignments in the One Identity Manager database.
-
Direct assignment of structural profiles to user accounts in the Manager
If structural profiles are assigned directly to user accounts, you can add a validity period. Valid from and Valid to dates are provisioned in the target system.
Related topics
