
Identity Manager 9.3 - Administration Guide for the SAP R/3 Compliance Add-on


Importing function definitions from versions older than 9.3

The design of authorization definitions was fundamentally changed with One Identity Manager 9.3. Importing function definitions from versions older than 9.3 also updates the authorization definitions. The TargetSystem | SAPR3 | SAPRights | TestWithoutTCD configuration parameter setting is taken into account.

  • A function argument is created for each authorization object in a function definition. The properties of the authorization objects determine the names of the function arguments.

    You can rename the function arguments as required in the Manager.

  • A condition is generated.

    • The configuration parameter is not set:

      In the condition, all function arguments that belong to an SAP application are grouped inside a pair of brackets and AND-ed with each other. All brackets are OR-ed together.

    • The configuration parameter is set:

      All function arguments are AND-ed in the condition.

After importing older function definitions, check whether the authorization definition and the generated condition meet your requirements.
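The following Python sketch is an added illustration, not One Identity code. It models the two grouping behaviors described above and shows why the generated condition needs review. The application names, argument names, and the rendered notation are constructed for the example and are not the Manager's condition syntax.

```python
from collections import defaultdict

# Constructed sample: (SAP application, function argument) pairs as they might
# result from an imported pre-9.3 function definition. All names are made up.
ARGUMENTS = [
    ("APP_A", "ARG_A_ACTVT"),
    ("APP_A", "ARG_A_BUKRS"),
    ("APP_B", "ARG_B_ACTVT"),
]


def generated_condition(arguments, test_without_tcd):
    """Model the condition as a list of AND-groups that are OR-ed together."""
    if test_without_tcd:
        # Parameter set: every function argument is AND-ed into one group.
        return [[name for _, name in arguments]]
    # Parameter not set: one bracket per SAP application, brackets OR-ed.
    groups = defaultdict(list)
    for application, name in arguments:
        groups[application].append(name)
    return list(groups.values())


def render(condition):
    """Illustrative text form of the condition (not product syntax)."""
    if len(condition) == 1:
        return " AND ".join(condition[0])
    return " OR ".join("(" + " AND ".join(group) + ")" for group in condition)


def matches(condition, satisfied):
    """True if the satisfied arguments fulfil at least one AND-group."""
    return any(all(arg in satisfied for arg in group) for group in condition)


if __name__ == "__main__":
    # Constructed case: a user account that fulfils only the APP_B argument.
    satisfied = {"ARG_B_ACTVT"}
    for flag in (False, True):
        condition = generated_condition(ARGUMENTS, flag)
        print(f"TestWithoutTCD set={flag}: {render(condition)}")
        print("  matches:", matches(condition, satisfied))
```

The same authorizations match the function when the parameter is not set and do not match when it is set, so the parameter's state at import time changes which user accounts a compliance rule will flag.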


Importing function definitions

Import CSV files with data from function definitions into the One Identity Manager database.

To import function definitions

  1. In the Manager, select the Identity Audit category.

  2. Select the Plugins > Import SAP function definitions menu item.

  3. Select the CSV file you want to import and click Open.

  4. Confirm the security prompt with Yes.

    The function definitions are transferred to the database as working copies. If there is already a working copy with the same name in the database, it is overwritten by the import.

  5. Open the working copy and check whether the authorization definition and the condition meet your requirements.


Compliance rules for SAP functions

In addition to the permissions assigned to an identity in an SAP R/3 system on the basis of its user accounts, group memberships, and role memberships, you can also check which write permissions are in effect using compliance rules. Effective write permissions are tested through SAP functions. To do this, SAP functions are added to rule conditions. By linking SAP user accounts to identities, combinations of SAP authorizations that an identity obtains through different SAP user accounts can be checked.

The validity period of role assignments is taken into account in the rule check.

For more information about compliance rules, see the One Identity Manager Compliance Rules Administration Guide.


Rule conditions for SAP functions

Determine whether identities have invalid combinations of authorizations in an SAP R/3 system by including SAP functions in the rule conditions of compliance rules.

  • To find identities that have invalid authorizations across multiple user accounts, create different SAP functions. Create a separate rule block for each SAP function in the rule condition.

  • To find identities that have invalid authorizations through one user account, create just one rule block in the rule condition.

To define new rules for SAP functions

  1. In the Manager, select the Identity Audit > Rules category.

  2. Click in the result list.

  3. Enter the main data of the rule.

  4. Set the Rule for cyclical testing and risk analysis in IT Shop option.

  5. Limit the affected permissions with the at least one function option and select the SAP functions to test.

    1. If you have selected more than one SAP function, under number of entitlements assigned, specify how many SAP functions must be matched to violate the rule.

    2. If SAP authorizations in combination result in a rule violation, enter a rule block for each SAP function.

  6. Save the changes.

    This adds a working copy.

  7. Select the Enable working copy task and confirm the security prompt with Yes.

  8. To enable the original rule, click Yes.

    This adds an enabled rule to the database.

    If you do not want the original rule to be enabled immediately, click No.

    This adds a disabled rule to the database.

    The working copy is retained and can be used to make changes later.

Figure 6: Condition for SAP functions

When One Identity Manager tests rules, it finds all the identities whose assigned SAP users match the SAP functions that are given in the rule. An SAP user also matches an SAP function when:

  • A reference user matches the SAP function

    - AND -

  • The SAP user account is assigned this reference user

For more information about creating rule conditions, see the One Identity Manager Compliance Rules Administration Guide.
