Effectiveness of structural profiles
Table 5: Configuration parameter for conditional inheritance
Configuration parameter: QER | Structures | Inherite | GroupExclusion
Effect when set: Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to this parameter require the database to be recompiled.
If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
If structural profiles are assigned to user accounts, an identity may obtain two or more structural profiles, which are not permitted in this combination. To prevent this, declare the structural profiles as mutually exclusive. To do this, you specify which of the two structural profiles should apply to the user accounts if both are assigned.
You can assign an excluded structural profile directly, indirectly, or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.
NOTE:
- You cannot define a pair of mutually exclusive structural profiles. That means the definitions "Structural profile A excludes structural profile B" AND "Structural profile B excludes structural profile A" are not permitted together.
- You must declare each structural profile to be excluded from a structural profile separately. Exclusion definitions cannot be inherited.
The effect of the assignments is mapped in the SAPUserInSAPHRP and BaseTreeHasSAPHRP tables through the XIsInEffect column.
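The following added example (not One Identity Manager code) models the rules above: it rejects exclusion definitions that run in both directions or span clients, and derives an in-effect flag per assignment in the way the XIsInEffect column records it. The class, function, and profile names are invented, and it assumes that "A excludes B" means B is not in effect when an account holds both.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    client: str  # SAP client the structural profile belongs to

def validate_exclusions(exclusions):
    """Check (effective, excluded) pairs against the two rules on this page."""
    problems, pairs = [], set(exclusions)
    for eff, exc in exclusions:
        if eff.client != exc.client:
            problems.append(f"{eff.name}/{exc.name}: profiles belong to different clients")
        # Report a two-way definition once, not once per direction.
        if (exc, eff) in pairs and eff.name < exc.name:
            problems.append(f"{eff.name}/{exc.name}: exclusion defined in both directions")
    return problems

def effective_assignments(assigned, exclusions):
    """Return {profile name: in-effect flag}, modelled on the XIsInEffect column.

    Assumption: "A excludes B" is stored as (A, B) and means B is not in
    effect for an account that holds both; every assignment itself is kept.
    """
    held = set(assigned)
    suppressed = {exc for eff, exc in exclusions if eff in held and exc in held}
    return {p.name: p not in suppressed for p in held}

# Constructed sample data (profile names and clients are invented).
PAYROLL = Profile("HRP_PAYROLL", "100")
RECRUIT = Profile("HRP_RECRUIT", "100")
AUDIT = Profile("HRP_AUDIT", "200")
EXCLUSIONS = [(PAYROLL, RECRUIT)]

if __name__ == "__main__":
    print(validate_exclusions(EXCLUSIONS + [(RECRUIT, PAYROLL), (PAYROLL, AUDIT)]))
    print(effective_assignments([PAYROLL, RECRUIT], EXCLUSIONS))
    print(effective_assignments([RECRUIT], EXCLUSIONS))
```

The excluded profile stays assigned and only its flag changes, so it becomes effective again as soon as the excluding profile is removed from the account.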
Prerequisites
- The QER | Structures | Inherite | GroupExclusion configuration parameter is set.
  In the Designer, set the configuration parameter and compile the database.
  NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
- Mutually exclusive structural profiles belong to the same client.
To exclude structural profiles
- Select the SAP R/3 > Structural profiles category.
- Select a structural profile in the result list.
- Select the Exclude structural profiles task.
- In the Add assignments pane, assign the structural profiles that are mutually exclusive to the selected structural profile.
  - OR -
  In the Remove assignments pane, remove structural profiles that are no longer mutually exclusive.
- Save the changes.
For more information about the effectiveness of group memberships, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
Inheriting structural profiles based on categories
In One Identity Manager, user accounts can selectively inherit structural profiles. To do this, structural profiles and user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. In the other tables, enter your categories for the structural profiles. Each table contains the category positions position 1 to position 63.
Every user account can be assigned to one or more categories. Every structural profile can be assigned to one or more categories as well. If at least one user account category position matches an assigned structural profile, the structural profile is inherited by the user account. The structural profile is also inherited by the user account if the structural profile or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when structural profiles are assigned indirectly through hierarchical roles. Categories are not taken into account when structural profiles are directly assigned to user accounts.
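The matching rule described above, as an added example that is not One Identity Manager code. Encoding the category positions as bits of an integer is an assumption of this sketch, and the function and profile names are invented. The review function separates profiles that reach an account through a category match from those that reach it only because one side has no categories, which is the case worth checking when categories are meant to restrict inheritance.

```python
MAX_POSITION = 63  # the mapping rule offers category positions 1 to 63

def category_mask(positions):
    """Encode category positions as bits (bit 0 = position 1); 0 = uncategorized."""
    mask = 0
    for pos in positions:
        if not 1 <= pos <= MAX_POSITION:
            raise ValueError(f"category position {pos} is outside 1..{MAX_POSITION}")
        mask |= 1 << (pos - 1)
    return mask

def inherits(account_mask, profile_mask, direct=False):
    """Decide whether an assigned structural profile reaches the user account."""
    if direct:
        return True  # categories are ignored for direct assignments
    if account_mask == 0 or profile_mask == 0:
        return True  # an uncategorized account or profile does not filter
    return (account_mask & profile_mask) != 0

def review_role_profiles(account_positions, role_profiles):
    """Split profiles assigned through a hierarchical role into three lists:
    inherited by category match, inherited without any category filter, blocked."""
    acct = category_mask(account_positions)
    matched, unfiltered, blocked = [], [], []
    for name, positions in sorted(role_profiles.items()):
        prof = category_mask(positions)
        if not inherits(acct, prof):
            blocked.append(name)
        elif acct == 0 or prof == 0:
            unfiltered.append(name)
        else:
            matched.append(name)
    return matched, unfiltered, blocked

# Constructed sample data: profile names and category positions are invented.
ROLE_PROFILES = {"HRP_PAYROLL": [3], "HRP_RECRUIT": [2], "HRP_BASIC": []}

if __name__ == "__main__":
    print(review_role_profiles([1, 3], ROLE_PROFILES))
    print(review_role_profiles([], ROLE_PROFILES))
```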
To use inheritance through categories
- Define the categories in the client.
NOTE: If central user administration is implemented, define the categories in the central system as well as in the child system. The same categories must be defined in the child system as in the central system so that structural profiles from a child system can be inherited by user accounts.
- Assign categories to user accounts through their main data.
- Assign categories to structural profiles through their main data.
To define a category
- Select the SAP R/3 > Clients category.
- Select the client in the result list. Select the Change main data task.
- Select the Categories tab.
- Open the member tree of the "SAP structural Profiles" table.
- To enable the category, double-click the icon in front of the item name.
- Enter a name for the category in the column for the respective One Identity Manager login language.
- Save the changes.
Detailed information about this topic
- One Identity Manager Administration Guide for Connecting to SAP R/3
- One Identity Manager Target System Base Module Administration Guide
Assigning extended properties to structural profiles
Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.
To specify extended properties for a structural profile
- In the Manager, select the SAP R/3 > Structural profiles category.
- Select a structural profile in the result list.
- Select Assign extended properties.
- In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended properties.
To remove an assignment
- Save the changes.
For more information about setting up extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.
Assigning validity periods for profile assignments
You can enter a validity period for assigning structural profiles to user accounts. If no validity period is given to the profile assignments, they are allocated the following validity dates by default:
- Valid from: 1900-01-01
- Valid to: 9999-12-31
These profile assignments are therefore unlimited.
The SAPUserInSAPHRP table contains all profile assignments, both limited and unlimited.
The HelperSAPUserInSAPHRP table only contains profile assignments that are currently valid. The Daily calculation of SAP user accounts assignments to SAP roles schedule controls the calculation of this table.