Identity Manager 8.2.1 - Administration Guide for the SAP R/3 Compliance Add-on

Importing function definitions

To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.

When importing SAP functions from an existing CSV file, the function definitions contained in the CSV file are transferred to the database as working copies. The following data fields must be in the CSV file so that function definitions can be imported.

Table 19: Data fields for importing function definitions

Data field in the CSV file


Object properties in One Identity Manager


Function definition


Suggested authorization value


Authorization objects


Authorization field

Value From

Value/lower scope limit

Value To

Upper scope limit


No equivalent.

The import status controls which data records are imported into One Identity Manager.

1: Import

Process (optional)


Function description (optional)

Description of the function definition.

Risk level (optional)


Possible values are {Low|Medium|High|Critical}.

Transaction (optional)

Transaction code

AUTHPGMID (optional)

TADIR program ID

AUTHOBJTYP (optional)

TADIR object type

AUTHOBJNAM (optional)

TADIR object name

SRV_TYPE (optional)

Type of external service

SRV_NAME (optional)

Name of external service

RFC_TYPE (optional)

RFC object type

RFC_NAME (optional)

RFC object name

SAPHashValue (optional)

Hash value

Field description (optional)

Describes the authorization fields, authorization objects and SAP applications.


  • The order of the data fields is arbitrary.

  • All required data fields must be defined in the header and must be present in the data sets.

  • Mark data fields without values with two sequential delimiters.

  • Data sets with empty mandatory fields are not imported.
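
A pre-import check built from the four rules above, as an added example (not One Identity Manager code): it reports missing header fields and records that are short, have empty mandatory fields, or carry a risk level outside the listed values. The "Function" and "Risk level" header spellings, the ";" delimiter and the sample rows are assumptions.

```python
import csv
import io

RISK_LEVELS = {"Low", "Medium", "High", "Critical"}  # values listed in Table 19

# Constructed sample. "Function" and "Risk level" are assumed header spellings
# and ";" is an assumed delimiter; adjust all three to your export.
SAMPLE = (
    "Function;Value From;Value To;AUTHOBJNAM;Risk level\n"
    "FN_PAY_RUN;01;02;;High\n"         # empty optional value: two delimiters
    "FN_VENDOR_EDIT;;02;;Medium\n"     # empty mandatory field
    "FN_PO_CREATE;01;03;;Severe\n"     # risk level outside the allowed set
    "FN_GR_POST;01;03;Low\n"           # delimiter missing, record too short
)

def preflight(csv_text, required, delimiter=";", risk_field="Risk level"):
    """Return (clean_records, findings) for a function-definition CSV."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=delimiter)
    header = reader.fieldnames or []
    missing = [name for name in required if name not in header]
    if missing:
        # All required data fields must be defined in the header.
        return [], ["header: missing required field(s) " + ", ".join(missing)]
    clean, findings = [], []
    for row in reader:
        where = f"line {reader.line_num}"
        # Short records yield None values, long ones a None key.
        if None in row or None in row.values():
            findings.append(f"{where}: field count differs from header")
            continue
        empty = [name for name in required if not row[name].strip()]
        if empty:
            # Data sets with empty mandatory fields are not imported.
            findings.append(f"{where}: empty mandatory field(s) " + ", ".join(empty))
            continue
        risk = row.get(risk_field, "").strip()
        if risk and risk not in RISK_LEVELS:
            findings.append(f"{where}: unknown risk level {risk!r}")
            continue
        clean.append(row)
    return clean, findings

if __name__ == "__main__":
    clean, findings = preflight(SAMPLE, ["Function", "Value From", "Value To"])
    print(len(clean), "clean record(s)")
    print("\n".join(findings))
```

Running the check before the import shows which function definitions would be dropped, so a rule in the target database is not left testing an incomplete SAP function.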

To import function definitions

  1. In the Manager, select the Identity Audit category.

  2. Select the Plugins > Import SAP function definitions menu item.

  3. Select the CSV file you want to import and click Open.

  4. Confirm the security prompt with Yes.

    The function definitions are transferred to the database as working copies. If there is already a working copy with the same name in the database, it is overwritten by the import.

Compliance rules for SAP functions

Compliance rules can be checked through effective authorizations as well as through authorizations that an employee has in an SAP R/3 system due to their user accounts and group and role memberships. Effective write permissions are tested through SAP functions. To do this, SAP functions are added to rule conditions.

The validity period of role assignments is taken into account in the rule check.

For more information about compliance rules, see the One Identity Manager Compliance Rules Administration Guide.

Rule conditions for SAP functions

To define new rules for SAP functions

  1. In the Manager, select the Identity Audit > Rules category.

  2. Click in the result list.

  3. Enter the main data of the rule.

  4. Set the Rule for cyclical testing and risk analysis in IT Shop option.

  5. Limit the affected permissions with the at least one function option and select the SAP function to test.

    • If SAP authorizations in combination result in a rule violation, enter a rule block for each SAP function.

  6. Save the changes.

    This adds a working copy.

  7. Select the Enable working copy task and confirm the security prompt with Yes.

    This adds an enabled rule in the database. The working copy is retained and can be used to make changes later.

Figure 3: Condition for SAP functions

When One Identity Manager tests rules, it finds all the employees whose assigned SAP users match the SAP functions that are given in the rule. An SAP user matches an SAP function when:

  • An SAP role assigned to the SAP user account matches the SAP function

    - OR -

  • An SAP role assigned to a reference user matches the SAP function

    - AND -

  • The SAP user account is assigned this reference user.

For more information about creating rule conditions, see the One Identity Manager Compliance Rules Administration Guide.
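
The matching conditions above, together with the validity check on role assignments, as an added example (not One Identity Manager code). All user, role and function names are constructed, and two readings are assumed: rule blocks are combined with AND, and an employee's SAP users are evaluated together.

```python
from datetime import date

# Constructed sample data; every name below is hypothetical.
ROLE_MATCHES = {        # SAP role -> SAP functions its authorizations match
    "Z_AP_CLERK": {"Maintain vendor"},
    "Z_PAYMENTS": {"Run payments"},
}
ROLE_ASSIGNMENTS = {    # SAP user or reference user -> (role, valid from, valid to)
    "JDOE": [("Z_AP_CLERK", date(2024, 1, 1), date(2024, 12, 31))],
    "REF_FIN": [("Z_PAYMENTS", date(2024, 1, 1), date(2024, 12, 31))],
    "ASMITH": [("Z_PAYMENTS", date(2023, 1, 1), date(2023, 12, 31))],
}
REFERENCE_USER = {"JDOE": "REF_FIN"}    # SAP user -> assigned reference user
EMPLOYEE_USERS = {"Jane Doe": ["JDOE"], "Al Smith": ["ASMITH"]}

def functions_of(sap_user, on):
    """SAP functions an SAP user matches on the date `on`."""
    holders = [sap_user]
    if sap_user in REFERENCE_USER:
        # Roles of the reference user count for the account assigned to it.
        holders.append(REFERENCE_USER[sap_user])
    matched = set()
    for holder in holders:
        for role, start, end in ROLE_ASSIGNMENTS.get(holder, []):
            if start <= on <= end:      # ignore assignments not valid on `on`
                matched |= ROLE_MATCHES.get(role, set())
    return matched

def violators(rule_blocks, on):
    """Employees whose SAP users match at least one function in every block."""
    result = {}
    for employee, users in EMPLOYEE_USERS.items():
        matched = set().union(*(functions_of(u, on) for u in users))
        if rule_blocks and all(block & matched for block in rule_blocks):
            result[employee] = sorted(matched)
    return result

if __name__ == "__main__":
    rule = [{"Maintain vendor"}, {"Run payments"}]  # one block per SAP function
    print(violators(rule, date(2024, 6, 1)))
```

Jane Doe violates the two-block rule only because the payment role reaches her account through the reference user, which is the path a review of direct role assignments alone would miss.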

More rule violation reports

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. Additional reports can be created for enabled compliance rules for SAP functions.

Table 20: Reports about rule violations with SAP functions



Rule violations with SAP applications

This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions.

All function instances are listed with their SAP applications for each employee through which they violated the rule. SAP profiles and their authorization objects that match the SAP function are displayed for each SAP function.

Rule violations with SAP roles

This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions.

SAP groups, SAP roles, and SAP profiles with their authorization objects are listed for each employee through which they violated the rule.

SAP roles and profiles with rule violations

The report shows all SAP roles and profiles that match SAP functions and thereby violate the selected rule.
