Setting up a synchronization project for synchronizing SAP authorization objects
SAP authorizations are verified on the basis of the SAP applications permitted for an SAP user account and the associated authorization objects. Authorization objects and SAP applications must be loaded into the One Identity Manager database first before you can create SAP functions. For each client, create a synchronization project for synchronizing the necessary schema types. A separate project template is required for this.
Use the Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3 environment.
NOTE: Only one synchronization project can be created per target system and per default project template.
To set up a synchronization project for SAP authorization objects
- Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following special features apply:
  NOTE: You cannot use SAP functions to check the authorizations in the central user administration client. Set up the synchronization project only for a client with the status None.
  - In the project wizard, on the Select project template page, select the SAP R/3 authorization objects project template.
  - The Restrict target system access page is not displayed. The target system is only loaded.
  For more information, see the One Identity Manager Administration Guide for Connecting to SAP R/3.
- Configure and set a schedule to run synchronization regularly.
  For more information, see the One Identity Manager Target System Synchronization Reference Guide.
Objects in USOBHASH table not completely loaded
When synchronizing SAP authorization objects, not all objects in the USOBHASH table are loaded into the One Identity Manager database.
Probable reason
The implementation of the ABAP function AUTH_TRACE_GET_USOBHASH changed as of SAP BASIS version 7.57 (SAP S/4HANA 2022).
Solution
- Import the current SAPTRANSPORT_70.ZIP transport into the SAP R/3 system you want to synchronize.
  One Identity Manager version 9.1.3 or later provides an updated BAPI transport SAPTRANSPORT_70.ZIP. It uses the /VIAENET/LISTUSOBHASH function module instead of the AUTH_TRACE_GET_USOBHASH SAP module. When the SAP R/3 connector accesses an SAP R/3 system, it checks whether the /VIAENET/LISTUSOBHASH function module exists and, if so, uses it. This synchronizes all objects in the USOBHASH table.
  If the function module is not available, the connector falls back to the AUTH_TRACE_GET_USOBHASH SAP module.
  The synchronization log records whether the /VIAENET/LISTUSOBHASH function module was used.
Synchronizing very large numbers of SAP authorizations
If your SAP R/3 environment contains a very large number of ProfileHasAuthObjectField authorizations (several million), synchronization might terminate unexpectedly or fail to complete.
Solution
If the total number of authorizations is too large to process in one step, synchronization can be divided into several synchronization steps.
To split synchronization of ProfileHasAuthObjectField into several steps
- In the Synchronization Editor, edit the synchronization workflow for synchronizing SAP authorization objects (default: Initial Synchronization).
- Enable the profileHasAuthObjectFieldPart1, profileHasAuthObjectFieldPart2, profileHasAuthObjectFieldPart3, and profileHasAuthObjectFieldPart4 synchronization steps.
  If these synchronization steps are not available, first apply the VPR#37380 patch.
  This patch creates the synchronization steps in synchronization projects that were set up with versions of One Identity Manager older than 9.2.
- Disable the profileHasAuthObjectField synchronization step.
- Save the changes.
In subsequent synchronizations, all ProfileHasAuthObjectField objects are divided into four blocks that are processed independently of each other.
For more information about editing synchronization steps and applying patches, see the One Identity Manager Target System Synchronization Reference Guide.
Basics of the authorization check
In addition to checking compliance rules, One Identity Manager offers a detailed check of the authorizations in effect for SAP users in SAP R/3 target systems. To do this, One Identity Manager determines the detailed authorizations of all SAP roles, profiles, and user accounts and checks whether they are permitted. You define the criteria for this check in the authorization definitions of SAP functions.
SAP authorizations are checked on the basis of the authorization objects permitted for a technical profile (AuthLevel). An authorization definition groups all the authorization objects to check together with specific values. One Identity Manager compares all authorization objects assigned to individual profiles against the authorization definition. This checks whether all function elements and their values defined for an authorization object occur within one technical profile. The single profiles that contain these technical profiles determine all the SAP roles, composite roles, and user accounts to which authorization objects are assigned.
An authorization definition can either contain a single authorization object or a complex combination of multiple authorization objects. Multiple authorization objects are linked together with logical operators. The function definition is used to save all the authorization object links as a condition. A function argument is generated for each authorization object to clearly identify the authorization objects in the condition. These function arguments are used to formulate the condition.
Figure 2: Example of an authorization definition with condition
The requirements and guidelines used for defining SAP profiles in your SAP R/3 environment determine which authorizations are checked by an authorization definition and how many authorization objects are combined in an authorization definition.
Linking SAP user accounts to identities allows combinations of SAP authorizations that an identity receives through different SAP user accounts to be checked. Invalid or potentially dangerous authorizations, and combinations of them, can be recognized this way and the necessary action taken. For this check, SAP functions are included in the rule condition of compliance rules. For more information, see Compliance rules for SAP functions.
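The following Python model, added here as an illustration and not part of One Identity Manager or the SAP connector, walks through the check described above: function arguments identify authorization objects with required field values, a condition combines the arguments with logical operators, every technical profile is tested against that condition, and the hits are propagated through user accounts to identities so that a combination acquired via two accounts in different clients becomes visible. The profile, account and identity data, the function names (UserMaintenance, RoleMaintenance), the argument names (A1, A2) and the matching rules for field values ('*' covers everything, a trailing '*' is a prefix pattern) are constructed assumptions for the example, as is the reading that an argument is satisfied when all its field values occur for that authorization object within one technical profile.

```python
"""Illustrative model of an SAP function check (example code, not product code).
Assumptions: '*' or trailing-'*' prefix matching for field values; a function
argument is satisfied when every required field value of its authorization object
occurs within one technical profile. All sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

AuthObjectInstance = Tuple[str, Dict[str, Set[str]]]  # (object name, field -> granted values)

# Constructed technical profiles (AuthLevel) and the authorization objects assigned to them.
TECHNICAL_PROFILES: Dict[str, List[AuthObjectInstance]] = {
    "T-USERADM": [("S_TCODE", {"TCD": {"SU01", "PFCG"}}),
                  ("S_USER_GRP", {"ACTVT": {"01", "02", "06"}, "CLASS": {"*"}})],
    "T-DISPLAY": [("S_TCODE", {"TCD": {"SU01"}}),
                  ("S_USER_GRP", {"ACTVT": {"03"}, "CLASS": {"*"}})],
    "T-ROLEADM": [("S_TCODE", {"TCD": {"PFCG"}}),
                  ("S_USER_AGR", {"ACTVT": {"01", "02", "22"}, "ACT_GROUP": {"Z*"}})],
}
# Constructed assignments: user account -> technical profiles (flattened through single
# profiles and roles); identity -> linked user accounts, here in two different clients.
USER_ACCOUNTS = {"100:JDOE": ["T-USERADM"], "200:JDOE": ["T-ROLEADM"], "100:ASMITH": ["T-DISPLAY"]}
IDENTITIES = {"Jane Doe": ["100:JDOE", "200:JDOE"], "Al Smith": ["100:ASMITH"]}

@dataclass
class FunctionArgument:
    auth_object: str
    fields: Dict[str, Set[str]]      # field -> values that must all occur

@dataclass
class SapFunction:
    name: str
    arguments: Dict[str, FunctionArgument]   # argument name -> authorization object
    condition: str                           # logical combination of argument names

def value_matches(granted: str, required: str) -> bool:
    """'*' covers everything; a trailing '*' is a prefix pattern (simplified SAP field semantics)."""
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required

def argument_satisfied(profile: List[AuthObjectInstance], arg: FunctionArgument) -> bool:
    """All field values of the argument must be covered by its authorization object in this profile."""
    instances = [flds for obj, flds in profile if obj == arg.auth_object]
    return all(any(value_matches(g, req) for flds in instances for g in flds.get(f, ()))
               for f, reqs in arg.fields.items() for req in reqs)

def evaluate_condition(condition: str, truth: Dict[str, bool]) -> bool:
    """Recursive-descent evaluation of AND / OR / NOT / parentheses over argument names."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None
    def primary():
        tok = take()
        if tok == "(":
            val = disjunction()
            if take() != ")":
                raise ValueError("missing ')' in condition")
            return val
        return not primary() if tok.upper() == "NOT" else truth[tok]
    def conjunction():
        val = primary()
        while peek() == "AND":
            take()
            val = primary() and val      # always consume the right-hand side
        return val
    def disjunction():
        val = conjunction()
        while peek() == "OR":
            take()
            val = conjunction() or val
        return val
    result = disjunction()
    if peek() is not None:
        raise ValueError("unexpected trailing tokens in condition")
    return result

def profiles_with_function(func: SapFunction) -> Set[str]:
    """Technical profiles whose authorization objects satisfy the function's condition."""
    return {name for name, profile in TECHNICAL_PROFILES.items()
            if evaluate_condition(func.condition,
                                  {a: argument_satisfied(profile, arg) for a, arg in func.arguments.items()})}

def functions_per_identity(functions: List[SapFunction]) -> Dict[str, Set[str]]:
    """SAP functions an identity holds through any of its linked user accounts."""
    matched = {f.name: profiles_with_function(f) for f in functions}
    return {ident: {fn for fn, hits in matched.items()
                    if hits & {p for acct in accounts for p in USER_ACCOUNTS[acct]}}
            for ident, accounts in IDENTITIES.items()}

def identities_violating(rule: Set[str], functions: List[SapFunction]) -> Set[str]:
    """Compliance-rule style check: identities that hold every SAP function in `rule` at once."""
    return {ident for ident, fns in functions_per_identity(functions).items() if rule <= fns}

# Constructed SAP functions: user maintenance via SU01 and role maintenance via PFCG.
USER_MAINT = SapFunction("UserMaintenance",
    {"A1": FunctionArgument("S_TCODE", {"TCD": {"SU01"}}),
     "A2": FunctionArgument("S_USER_GRP", {"ACTVT": {"01", "02"}})}, "A1 AND A2")
ROLE_MAINT = SapFunction("RoleMaintenance",
    {"A1": FunctionArgument("S_TCODE", {"TCD": {"PFCG"}}),
     "A2": FunctionArgument("S_USER_AGR", {"ACTVT": {"01", "02"}, "ACT_GROUP": {"ZFIN_ADMIN"}})},
    "A1 AND A2")
```

With this data, UserMaintenance matches only T-USERADM (T-DISPLAY carries SU01 but only display activity 03), RoleMaintenance matches only T-ROLEADM, and the identity Jane Doe holds both functions because her two accounts in clients 100 and 200 each contribute one of them, which is exactly the cross-account combination the paragraph above says the identity link makes checkable. Both operands of AND and OR are always evaluated so the token stream stays in step regardless of the truth values.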
Authorization checks with SAP functions can provide answers to the following questions:
- Are there SAP roles or user accounts with invalid authorization combinations?
- Are there identities that own invalid authorization combinations through their SAP user accounts?