Maintaining SAP functions
You can assign SAP functions to identities that are responsible for the content of those SAP functions. To do this, assign an application for maintaining SAP functions to an application role. Assign to this application role the identities that are authorized to enable and edit working copies of this function definition and to define function instances.
A default application role for maintaining SAP functions exists in One Identity Manager. Create more application roles if required. For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.
Table 24: Default application roles for maintaining SAP functions
Responsible for maintaining SAP functions |
Those responsible for maintaining the SAP functions must be assigned to the Identity & Access Governance | Identity Audit | Maintenance SAP Functions application role or a child application role.
Users with this application role:
- Are responsible for SAP function contents.
- Edit working copies of function definitions for which they are responsible.
- Define function instances and variable sets for SAP functions.
- Assign mitigating controls. |
To add identities to the default application role for maintaining SAP functions
- In the Manager, select the Identity Audit > Basic configuration data > Maintain SAP functions category.
- Select the Assign identities task.
- In the Add assignments pane, add identities.
TIP: In the Remove assignments pane, you can remove assigned identities.
To remove an assignment
- Save the changes.
Exporting function definitions
To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.
Export all function definitions to a single CSV file using a plugin.
To export all function definitions to a CSV file
- In the Manager, select the Identity Audit category.
- Select the Plugins > Export all SAP function definitions menu item.
- To only export working copies, click Yes.
  - OR -
  To only export enabled SAP functions, click No.
- Specify the file name and storage location for the CSV file.
- Click Save.
All function definitions are written to the file in sequence.
The following properties are exported:
Table 25: Exported main data of a function definition
Name of the function definition (SAPFunction.Ident_SAPFunction) | Function
Assigned function category (SAPFunctionCategory.Ident_SAPFunctionCategory) | Process
Description (SAPFunction.Description) | Function Description
Effect (SAPFunction.SignificancyClass) | Risk Level
Authorization object (SAPFunctionDetail.Ident_SAPAuthObject) | Object
Authorization fields (SAPFunctionDetail.ElementName) | Field
Description of the authorization fields (SAPFunctionDetail.Description) | Field Description
Value/Lower limit (SAPFunctionDetail.LowerLimit) | Value From
Upper limit (SAPFunctionDetail.UpperLimit) | Value To
Function argument (SACAbility.AbilityName) | Ability Name
Condition (SAPFunction.ConditionString) | Condition String
The import status (State) is included with each data record in the CSV file as additional information. The import status is set to 1 by default on export. This data is evaluated when function definitions are imported.
NOTE: SAP function managers can only export those function definitions for which they are responsible, as entered in the main data.
Importing function definitions
To transfer SAP functions from a development environment to a production environment, for example, you can export function definitions to CSV files. These CSV files can be imported into other databases.
When importing SAP functions from an existing CSV file, the function definitions contained in the CSV file are transferred to the database as working copies.
Requirements and notes for importing function definitions
The following data fields must be in the CSV file so that function definitions can be imported.
Table 26: Data fields for importing function definitions
Function | Function definition (SAPFunction.Ident_SAPFunction)
Object | Authorization object (SAPFunctionDetail.Ident_SAPAuthObject)
Field | Authorization field (SAPFunctionDetail.ElementName)
Value From | Value/Lower limit (SAPFunctionDetail.LowerLimit)
Value To | Upper limit (SAPFunctionDetail.UpperLimit)
State | No equivalent. The import status controls which data records are imported into One Identity Manager. 1: Import
Ability Name (optional) | Function argument (SACAbility.AbilityName)
Condition String (optional) | Condition (SAPFunction.ConditionString)
Process (optional) | Function category (SAPFunctionCategory.Ident_SAPFunctionCategory)
Function Description (optional) | Description of the function definition. (SAPFunction.Description)
Risk Level (optional) | Effect (SAPFunction.SignificancyClass)
Possible values:
- 0|<empty>|none
- 1|verylow|very low
- 2|low
- 3|medium
- 4|high
- 5|veryhigh|very high
- 6|critical
Field description (optional) | Description of the authorization fields and authorization objects. (SAPFunctionDetail.Description)
NOTE:
- The order of the data fields is arbitrary.
- All required data fields must be defined in the header and must be present in the data sets.
- Mark data fields without values with two sequential delimiters.
- Data sets with empty mandatory fields are not imported.
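A pre-import check of the CSV against the field requirements and notes above, useful for reviewing a file before it is brought into a production database. This is an added example, not One Identity code. Assumptions: the semicolon delimiter, the sample rows, the case-insensitive Risk Level match, and treating every field not marked optional as mandatory (narrow this with the hypothetical mandatory parameter).

```python
import csv
import io

# Mandatory columns: the Table 26 fields not marked "(optional)".
REQUIRED = ("Function", "Object", "Field", "Value From", "Value To", "State")
# Risk Level spellings listed on the page, mapped to their numeric level.
RISK = {"0": 0, "": 0, "none": 0, "1": 1, "verylow": 1, "very low": 1,
        "2": 2, "low": 2, "3": 3, "medium": 3, "4": 4, "high": 4,
        "5": 5, "veryhigh": 5, "very high": 5, "6": 6, "critical": 6}

# Constructed sample export; function names and values are illustrative.
SAMPLE = """Function;Object;Field;Value From;Value To;State;Risk Level
Z_PAY_RUN;F_REGU_BUK;FBTCH;02;21;1;high
Z_PAY_RUN;F_REGU_BUK;BUKRS;1000;;1;high
Z_VENDOR_EDIT;F_LFA1_APP;ACTVT;01;02;0;4
Z_VENDOR_EDIT;;ACTVT;01;02;1;severe
Z_USER_ADMIN;S_USER_GRP;ACTVT;01;06;1;severe
"""


def check_import_csv(text, delimiter=";", mandatory=REQUIRED):
    """Return (importable, findings); findings are (line_number, message).

    delimiter is an assumption: the page does not name the separator.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED if c not in header]
    if missing:  # field order is arbitrary, presence is not
        return [], [(1, "header lacks: " + ", ".join(missing))]
    importable, findings = [], []
    for row in reader:
        line = reader.line_num
        empty = [c for c in mandatory if not (row.get(c) or "").strip()]
        risk = (row.get("Risk Level") or "").strip().lower()
        if empty:  # two sequential delimiters leave the field empty
            findings.append((line, "empty mandatory: " + ", ".join(empty)))
        elif row["State"].strip() != "1":
            findings.append((line, "State is not 1 (Import)"))
        elif risk not in RISK:  # case-insensitive match is an assumption
            findings.append((line, "undocumented Risk Level: " + risk))
        else:
            importable.append((row["Function"], row["Object"],
                               row["Field"], RISK[risk]))
    return importable, findings


if __name__ == "__main__":
    rows, problems = check_import_csv(SAMPLE)
    for line, message in problems:
        print(f"line {line}: {message}")
    print(f"{len(rows)} record(s) pass the documented checks")
```

Records that raise the risk level or widen a value range deserve a manual review before the file is imported, since imported definitions become working copies in the target database.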