Chat now with support
Chat with Support

Identity Manager 8.2 - Administration Guide for Connecting to SAP R/3

Managing SAP R/3 environments Setting up SAP R/3 synchronization Basic data for managing an SAP R/3 environment Basic data for user account administration SAP systems SAP clients SAP user accounts SAP groups, SAP roles, and SAP profiles SAP products Providing system measurement data Reports about SAP objects Removing a Central User Administration Configuration parameters for managing an SAP R/3 environment Default project templates for synchronizing an SAP R/3 environment Referenced SAP R/3 table and BAPI calls Example of a schema extension file

Inheriting SAP profiles and SAP roles in a central user administration

If user accounts are managed through the central user administration, SAP roles and profiles can only inherited by user accounts if the user accounts have access permission for the client that the role and profiles belong to. By default, roles and profiles can only be inherited by user account if access to the clients is guaranteed explicitly. Otherwise, the roles and profiles are not inherited.

User accounts can be granted the missing client access automatically as soon as a role or profile is inherited by the client.

To automatically grant missing access permission to user accounts

  • In the Designer, set the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter.

The missing access permission is granted when inheritance is calculated (entry in the SAPUserMandant table) and the roles and profiles are assigned to the user accounts.

WARNING: As inheritance is an automated process, user accounts can therefore be given access permission to clients without the target system owners knowing about it.

Related topics

Additional tasks for managing SAP groups, SAP roles, and SAP profiles

After you have entered the main data, you can run the following tasks.

Overview of SAP groups, SAP roles, and SAP profiles

To obtain an overview of a group

  1. Select the SAP R/3 > Groups category.
  2. Select the group in the result list.
  3. Select the SAP group overview task.

To obtain an overview of a profile

  1. Select the SAP R/3 > Profiles category.
  2. Select a profile in the result list.
  3. Select the SAP profile overview task.

To obtain an overview of a role

  1. Select the SAP R/3 > Roles category.
  2. Select the role in the result list.
  3. Select the SAP role overview task.

Effectiveness of SAP groups, SAP roles, and SAP profiles

NOTE: In order to easy understanding the behavior is described with respect to SAP groups in this section. It applies in the same way to roles and profiles.
Table 62: Configuration parameter for conditional inheritance
Configuration parameter Effect when set

QER | Structures | Inherite | GroupExclusion

Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the configuration parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to this configuration parameter require the database to be recompiled.

When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.

The effectiveness of the assignments is mapped in the SAPUserInSAPGrp and BaseTreeHasSAPGrp tables by the XIsInEffect column.

Example: The effect of group memberships
  • Group A is defined with permissions for triggering requests in a client. A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.

Clara Harris has a user account in this client. She primarily belongs to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.

By using suitable controls, you want to prevent an employee from being able to trigger a request and to pay invoices. That means, groups A, B, and C are mutually exclusive. An employee that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.

Table 63: Specifying excluded groups (SAPGrpExclusion table)

Effective group

Excluded group

Group A

Group B

Group A

Group C

Group B

Table 64: Effective assignments

Employee

Member in role

Effective group

Ben King

Marketing

Group A

Jan Bloggs

Marketing, finance

Group B

Clara Harris

Marketing, finance, control group

Group C

Jenny Basset

Marketing, control group

Group A, Group C

Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the "control group" business role at a later date, group B also takes effect.

The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. If this should not be allowed, define further exclusion for group C.

Table 65: Excluded groups and effective assignments

Employee

Member in role

Assigned group

Excluded group

Effective group

Jenny Basset

 

Marketing

Group A

 

Group C

 

Control group

Group C

 Group B

Group A

Prerequisites

  • The QER | Structures | Inherite | GroupExclusion configuration parameter is set.

    In the Designer, set the configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  • Mutually exclusive groups, roles, and profiles belong to the same client.

To exclude a group

  1. In the Manager, select the SAP R/3 > Groups category.

  2. Select a group in the result list.

  3. Select the Exclude groups task.

  4. In the Add assignments pane, assign the groups that are mutually exclusive to the selected group.

    - OR -

    In the Remove assignments pane, remove the groups that are no longer mutually exclusive.

  5. Save the changes.

To exclude roles

  1. In Manager, select the category SAP R/3 > Roles.

  2. Select the role in the result list.

  3. Select the Exclude SAP roles task.

    - OR -

    In the Remove assignments pane, remove the roles that are no longer mutually exclusive.

  4. Save the changes.

To exclude profiles

  1. In the Manager, select the category SAP R/3 > Profiles.

  2. Select a profile in the result list.

  3. Select the Exclude roles task.

    - OR -

    In the Remove assignments pane, remove the profiles that are no longer mutually exclusive.

  4. Save the changes.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating