Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Importing function definitions

To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.

When importing SAP functions from an existing CSV file, the function definitions contained in the CSV file are transferred to the database as working copies. The following data fields must be in the CSV file so that function definitions can be imported.

Table 17: Data fields for importing function definitions

Data field in the CSV file.


Object properties in One Identity Manager


Function definition


Suggested authorization value


Authorization objects


Authorization field

Value From

Value/lower scope limit

Value To

Upper scope limit


No equivalent.

The import status controls which data records are imported into One Identity Manager.

1: Import

Process (optional)


Function description (optional)

Description of the function definition.

Risk level (optional)


Possible values are {Low|Medium|High|Critical}.

Transaction (optional)

Transaction code

AUTHPGMID (optional)

TADIR program ID

AUTHOBJTYP (optional)

TADIR object type

AUTHOBJNAM (optional)

TADIR object name

SRV_TYPE (optional)

Type of external service

SRV_NAME (optional)

Name of external service

RFC_TYPE (optional)

RFC object type

RFC_NAME (optional)

RFC object name

SAPHashValue (optional)

Hash value

Field description (optional)

Describes the authorization fields, authorization objects and SAP applications.


  • The order of the data fields is arbitrary.

  • All required data fields must be defined in the header and must be present in the data sets.

  • Mark data fields without values with two sequential delimiters.

  • Data sets with empty mandatory fields are not imported.

To import function definitions

  1. In the Manager, select the Identity Audit category.

  2. Select the Plugins > Import SAP function definitions menu item.

  3. Select the CSV file you want to import and click Open.

  4. Confirm the security prompt with Yes.

    The functions definitions are transferred to the database as working copies. If there is already a working copy with the same name in the database, it is overwritten by the import.

Related topics

Compliance rules for SAP functions

Compliance rules can be checked through effective authorizations as well as through authorizations, which an identity has in an SAP R/3 system due to their user accounts and group and role memberships. Effective write permissions are tested through SAP functions. To do this, SAP functions are added to rule conditions.

The validity period of role assignments is taken into account in the rule check.

For more information about compliance rules, see the One Identity Manager Compliance Rules Administration Guide.

Detailed information about this topic

Rule conditions for SAP functions

To define new rules for SAP functions

  1. In the Manager, select the Identity Audit > Rules category.

  2. Click in the result list.

  3. Enter the main data of the rule.

  4. Set the Rule for cyclical testing and risk analysis in IT Shop option.

  5. Limit the affected permissions with the at least one function option and select the SAP functions to test.

    1. If you have selected more than one SAP functions, under number of entitlements assigned, specify how many SAP functions must be matched to violate the rule.

    2. If SAP authorizations in combination result in a rule violation, enter a rule block for each SAP function.

  6. Save the changes.

    This adds a working copy.

  7. Select the Enable working copy task and confirm the security prompt with Yes.

    This adds an enabled rule in the database. The working copy is retained and can be used to make changes later.

Figure 5: Condition for SAP functions

When One Identity Manager tests rules, it finds all the identities whose assigned SAP users match the SAP functions that are given in the rule. An SAP user matches an SAP function when:

  • An SAP role assigned to the SAP user account matches the SAP function

    - OR -

  • An SAP role that is assigned a reference user matching an SAP function

    - AND -

  • The SAP user account is assigned this reference user.

For more information about creating rule conditions, see the One Identity Manager Compliance Rules Administration Guide.

Related topics

Mitigating controls for compliance rules with SAP functions

Mitigating controls assigned to the function definitions to be tested are automatically copied to rules about SAP functions. Conditions:

  • Active rules are assigned to a functional area and a department.
  • The function definitions to be tested are assigned to the same functional area and to the variable set associated with the same department.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating