Chat now with support
Chat with Support

Identity Manager 9.1.2 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Examples of SAP functions

If you create an authorization definition, you need to think about which authorization combinations are not compliant. You can differentiate between two use cases:

  1. Find all SAP roles and profiles with invalid combinations of authorizations.

    Create an SAP function for authorizations that cannot occur together with an SAP role or an SAP profile. The authorization check identifies all SAP roles and profiles whose authorizations in total have this invalid combination of authorizations.

  2. Find all employees that have obtained invalid combinations of authorizations through their SAP user accounts.

    Create different SAP functions for authorizations that in combination are invalid. Create compliance rules that combine these SAP functions. The compliance check finds all employees who have such invalid authorization combinations over the sum of all authorizations of their SAP user accounts.

Example for use case 1

A company has changed its policies on compliant SAP authorizations. Now the new policies must be checked to see if existing authorizations comply. SAP roles and profiles with invalid combinations of authorizations must be identified so that they can be modified to meet the new requirements.

An SAP function is created for each invalid authorization combination.

Table 6: Example of an authorization definition

SAP function

SAP application

Authorization objects

Field

Value

F-A

TR1

AO2

ACTVT

*

TR1

AO2

Class

*

TR1

AO3

ACTVT

01+02

TR1

S_TCODE

TCD

TR1

RF

AO5

ACTVT

*

RF

AO5

RLTYP

R*

RF

S_RFC

RFC_NAME

RF

F-B

TR1

AO3

ACTVT

*

TR1

AO4

ACTVT

02,03,07

TR1

AO4

Class

DEF[*]

TR1

S_TCODE

TCD

TR1

The following SAP profiles are available:

Table 7: Defined SAP profiles

SAP profile

SAP application

Authorization objects

Field

Value

P1

TR1

AO1

ACTVT

*

TR1

AO1

Class

*

TR1

AO3

ACTVT

*

TR1

AO4

ACTVT

01, 02

TR1

AO4

Class

DEF*

TR1

S_TCODE

TCD

TR1

P2

TR1

AO2

ACTVT

*

TR1

AO2

Class

*

TR1

AO3

ACTVT

01

TR1

S_TCODE

TCD

TR1

P3

TR1

AO3

ACTVT

01, 02

TR1

AO4

Class

*

TR1

AO4

ACTVT

03, 07

P4

RF

AO5

ACTVT

03

RF

AO5

RLTYP

*

RF

S_RFC

RFC_NAME

RF

SAP profiles are found that match the SAP function during authorization checking.

Results of the authorization check: TestWithoutTCD is not set.

  • SAP function: F-A

    SAP profile affected: P4

    The profile P4 has all the authorization objects, fields, and values named in SAP application RF.

    The profile P1 is missing authorization objects AO2, S_TCODE, AO5, and S_RFC. Therefore it does not match the SAP function.

    The profile P2 is missing the value 02 for the authorization object AO3 as well as the authorization objects AO5 and S_RFC. Therefore it does not match the SAP function.

    The profile P3 is missing authorization objects AO2, S_TCODE, AO5, and S_RFC. Therefore it does not match the SAP function.

  • SAP function: F-B

    SAP profile affected: P1

    The profile P1 has all the authorization objects and fields named in the SAP function and at least one of the values.

    The profile P2 is missing authorization object AO4. Therefore it does not match the SAP function.

    The profile P3 is missing authorization object S_TCODE. Therefore it does not match the SAP function.

    Profile P4 is missing the authorization objects AO3, AO4, and S_TCODE. Therefore it does not match the SAP function.

If the TestWithoutTCD configuration parameter is set for authorization checking, then the SAP profiles P2 and P3 comply with the new guidelines and can continue to be used. The profiles P1 and P4 must be modified to comply with the new policies.

Results of the authorization check: TestWithoutTCD is set.

  • SAP function: F-A

    The authorization objects S_TCODE and S_RFC are ignored during the check.

    SAP profile affected: none

    The profile P1 is missing authorization objects AO2 and AO5. Therefore it does not match the SAP function.

    Profile P2 is missing authorization object AO5 and value 02 for authorization object AO3. Therefore it does not match the SAP function.

    The profile P3 is missing authorization objects AO2 and AO5. Therefore it does not match the SAP function.

    The profile P4 is missing authorization objects AO2 and AO3. Therefore it does not match the SAP function.

  • SAP function: F-B

    The authorization object S_TCODE is ignored during the check.

    SAP profiles affected: P1, P3

    The profile P1 has all the authorization objects and fields named in the SAP function and at least one of the values.

    The profile P3 has all the authorization objects and fields named in the SAP function and at least one of the values.

    The profile P2 is missing authorization object AO4. Therefore it does not match the SAP function.

    The profile P4 is missing authorization objects AO3 and AO4. Therefore it does not match the SAP function.

If the TestWithoutTCD configuration parameter is set for authorization checking, then the SAP profiles P2 and P4 comply with the new guidelines and can continue to be used. The P1 and P3 profiles must be adjusted.

Example for use case 2

SAP user accounts must be checked for guidelines violations. The following user accounts and employees are available:

  • User A with user account AC1 with the SAP profile P1

  • User B with user account AC2 with the SAP profiles P2 and P3

  • User C with user account AC3 with the SAP profile P2 and user account AC4 with the SAP profile P3

The SAP profiles have the following authorizations:

  • P1 with AO1 and AO2

  • P2 with AO1

  • P3 with AO2

An employee cannot have the two authorizations AO1 and AO2 at the same time. The SAP function SF-A is created for the check. A compliance rule CR-X finds all employees that match this SAP function.

  • SF-A checks AO1 AND AO2

  • CR-X: The employee has at least the SAP SF-A function.

Only the SAP profile P1 matches the SAP function. Therefore, the compliance rule finds a rule violation for just User A. To ensure that the combination of the SAP profiles P2 and P3 is also recognized as invalid, additional SAP functions and compliance rules must be created.

  • SF-B checks AO1

  • SF-C checks AO2

  • CR-Y: The employee has at least the SAP function SF-B AND they have at least the SAP function SF-C.

The SAP profiles P1 and P2 match the SAP function SF-B. The SAP profiles P1 and P3 match the SAP function SF-C. Thus, the compliance rule CR-Y can be used to determine all employees who are assigned the SAP profiles P1 or P2 and P3 though their user accounts and therefore have both authorizations AO1 and AO2.

Table 8: Result of the rule check

Rule

Rule condition

Employee who violate rules

CR-X

CR-X: The employee has at least the SAP function SF-A.

User A

CR-Y

The employee has at least the SAP function SF-B AND they have at least the SAP function SF-C.

User A

User B

User C

Related topics

Editing function definitions

A working copy is added to the database for every function definition. You can edit the working copies to change the function definitions. The changes are not passed on to the production function definition until the working copy is enabled. SAP authorizations are only checked on the basis of active function definitions.

NOTE: One Identity Manager users with the Identity & Access Governance | Identity Audit | Maintain SAP functions application role can edit existing working copies if they are entered as the manager in the main data.

To edit an existing function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.

    1. Select the function definition in the result list.

    2. Select the Create working copy task.

      The data from the existing working copy are overwritten with the data from the active function definition, after prompting. The working copy is opened and can be edited.

    - OR -

    In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

    1. Select a working copy in the result list.

    2. Select the Change main data task.

  2. Edit the working copy's main data.

  3. Save the changes.
  4. Select the Enable working copy task and confirm the security prompt with Yes.

    The changes to the working copy are transferred to the active function definition.

Related topics

Function definition overview

You can see the most important information about a function definition on the overview form.

To obtain an overview of a function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.

  2. Select the function definition in the result list.

  3. Select the Function definition task.

To obtain an overview of a working copy

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Function definition task.

Authorization overview

Function elements are displayed in a flat structure in the authorization overview.

To display an overview of all function elements for an active function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.

  2. Select the function definition in the result list.

  3. Select the Authorization overview task.

To display an overview of all function elements for a working copy

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Authorization overview task.

    You can edit all the object properties here.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating