General main data of SAP roles
Table 57: Configuration parameters for risk assessment of SAP user accounts
QER | CalculateRiskIndex |
Preprocessor relevant configuration parameter controlling system components for calculating the risk index. Changes to the parameter require recompiling the database.
If the parameter is enabled, values for the risk index can be entered and calculated. |
Edit the following main data of a role.
Table 58: SAP role main data
Display name |
Name of the role as displayed in One Identity Manager tools. Taken from the role identifier by default. |
Name |
Name of role in the target system. |
Client |
Client, in which the role is added. |
License |
Role license. This task is needed for finding system measurement for user accounts and is assigned once after synchronization. |
Role type |
Role type for differentiating between single and composite roles. |
Service item |
Service item data for requesting the role through the IT Shop. |
Risk index |
Value for evaluating the risk of assigning the role to user accounts. Enter a value between 0 and 1. This input field is only visible if the "QER | CalculateRiskIndex" configuration parameter is set. |
Category |
Categories for role inheritance. User accounts can inherit roles selectively. To do this, roles, and user accounts are divided into categories. Use this menu to allocate one or more categories to the role. |
Description |
Text field for additional explanation. |
Role description |
Text field for additional explanation. |
IT Shop |
Specifies whether the role can be requested through the IT Shop. This role can be requested by staff through the Web Portal and granted through a defined approval procedure. The role can still be assigned directly to user accounts and hierarchical roles. |
Only for use in IT Shop |
Specifies whether the role can only be requested through the IT Shop. This role can be requested by staff through the Web Portal and granted through a defined approval procedure. The role may not be assigned directly to hierarchical roles. |
Detailed information about this topic
General main data of SAP profiles
Table 59: Configuration parameters for risk assessment of SAP user accounts
QER | CalculateRiskIndex |
Preprocessor relevant configuration parameter controlling system components for calculating the risk index. Changes to the parameter require recompiling the database.
If the parameter is enabled, values for the risk index can be entered and calculated. |
Edit the following main data of a profile.
Table 60: SAP profile main data
Display name |
Name of the profile as displayed in One Identity Manager tools. The profile name is taken from the profile identifier by default. |
Name |
Name of profile in the target system. |
Client |
Client, in which the profile is added. |
License |
Profile license. This task is needed for finding system measurement for SAP user accounts and is assigned once after synchronization. |
Profile type |
Profile type for differentiating between single, composite, and generated profiles. |
Service item |
Service item data for requesting the profile through the IT Shop. |
Risk index |
Value for evaluating the risk of assigning the profile to account accounts. Enter a value between 0 and 1. This input field is only visible if the "QER | CalculateRiskIndex" configuration parameter is set. |
Category |
Category for profile inheritance. User accounts can selectively inherit profiles. To do this, profiles, and user accounts are divided into categories. Use this menu to allocate one or more categories to the profile. |
Description |
Text field for additional explanation. |
Profile is enabled |
Specifies whether the profile is enabled or a maintenance version. |
Limited assignment |
Specifies whether the profile is assigned to an SAP role. The profile then no longer be directly assigned to user accounts, business roles, organizations, or IT Shop shelves. |
IT Shop |
Specifies whether the profile can be requested through the IT Shop. This profile can be requested by staff through the Web Portal and granted through a defined approval procedure. The profile can still be assigned directly to hierarchical roles. This option cannot be enabled for generated profiles. |
Only for use in IT Shop |
Specifies whether the profile can only be requested through the IT Shop. This profile can be requested by staff through the Web Portal and granted through a defined approval procedure. The profile may not be assigned directly to hierarchical roles. This option cannot be enabled for generated profiles. |
Detailed information about this topic
Assigning SAP groups, SAP roles, and SAP profiles to SAP user accounts
Groups, roles, and profiles can be directly and indirectly assigned to user accounts. In the case of indirect assignment, identities, groups, roles, and profiles are arranged in hierarchical roles. The number of groups, roles, and profiles assigned to an identity is calculated from the position in the hierarchy and the direction of inheritance. If you add an identity to roles and that identity owns a user account, the user account is added to the group, role, or profile.
Furthermore, groups, roles, and profiles can be assigned to identities through IT Shop requests. Add identities to a shop as customers so that groups, roles, and profiles can be assigned through IT Shop requests. All groups, roles, and profiles are assigned to this shop can be requested by the customers. Requested groups, roles, and profiles are assigned to the identities after approval is granted.
Prerequisites for indirect assignment of SAP groups to identity user accounts
-
Assignment of identities and groups is permitted for role classes (departments, cost centers, locations, or business roles).
-
User accounts are marked with the Groups can be inherited option.
-
The user accounts and groups belong to the same SAP client.
Prerequisites for indirect assignment of SAP profiles to identity user accounts
-
Assignment of identities and profiles is permitted for role classes (departments, cost centers, locations, or business roles).
-
User accounts are labeled with the Profiles can be inherited option.
-
The user accounts and profiles belong to the same SAP client.
- OR -
If the user accounts are managed through the Central User Administration, the user accounts have access permissions in the SAP clients to which the profiles belong.
NOTE: Only profiles that are not assigned to an SAP role can be assigned to hierarchical roles.
Prerequisites for indirect assignment of SAP roles to identity user accounts
-
Assignment of identities and roles is permitted for role classes (departments, cost centers, locations, or business roles).
-
User accounts are labeled with the Roles can be inherited option.
-
The user accounts and roles belong to the same SAP client.
- OR -
If the user accounts are managed through the Central User Administration, the user accounts have access permissions in the SAP clients to which the roles belong.
For more information see the following guides:
Basic principles for assigning and inheriting company resources |
One Identity Manager Identity Management Base Module Administration Guide
One Identity Manager Business Roles Administration Guide |
Assigning company resources through IT Shop requests |
One Identity Manager IT Shop Administration Guide |
System roles |
One Identity Manager System Roles Administration Guide |
Detailed information about this topic
Assigning SAP groups, SAP roles, and SAP profiles to organizations
Assign groups, roles, and profiles to departments, cost centers, and locations in order to assign user accounts to them through these organizations.
To assign a group to departments, cost centers, or locations (non role-based login)
- Select the SAP R/3 > Groups category.
- Select the group in the result list.
- Select the Assign organizations task.
- In the Add assignments pane, assign the organizations.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost centers tab.
- OR -
Remove the organizations in the Remove assignments pane.
- Save the changes.
To assign a role to departments, cost centers, or locations (non role-based login)
- Select the SAP R/3 > Roles category.
- Select the role in the result list.
- Select the Assign organizations task.
- In the Add assignments pane, assign the organizations.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost centers tab.
- OR -
Remove the organizations in the Remove assignments pane.
- Save the changes.
To assign a profile to departments, cost centers, or locations (non role-based login)
- Select the SAP R/3 > Profiles category.
- Select a profile in the result list.
- Select the Assign organizations task.
- In the Add assignments pane, assign the organizations.
- Assign departments on the Departments tab.
- Assign locations on the Locations tab.
- Assign cost centers on the Cost centers tab.
- OR -
Remove the organizations in the Remove assignments pane.
- Save the changes.
To assign groups, roles, or profiles to departments, cost centers, or locations (non role-based login)
- Select the Organizations > Departments category.
- OR -
Select the Organizations > Cost centers category.
- OR -
Select the Organizations > Locations category.
- Select the department, cost center, or location in the result list.
- Select the Assign SAP groups task.
- OR -
Select the Assign SAP roles task.
- OR -
Select the Assign SAP profiles task.
- In the Add assignments pane, assign groups, roles, or profiles.
- OR -
In the Remove assignments pane, remove the groups, roles, or profiles.
- Save the changes.
Related topics