Authorization definition properties and their values
The functionality of the Authorization Editor is based on the SAPGUI Authorization Editor. The columns in the Authorization Editor have the following meaning.
Table 16: Properties of an authorization definition
Property | Description
Function definition / Authorization object class / Authorization object / Function element | Function definition hierarchy. The authorization objects and function elements are mapped in a hierarchical structure.
Processing status | Processing status of hierarchy objects. The status shows either that no value is specified for the function element or that a value is specified for the function element.
Add | Click + to add more objects to the authorization definition. This adds a sub object. Click C to copy the function element.
Remove | Click - to remove objects from the authorization definition.
Description | Object description.
Any | Click * to define the value of a function element as * (any value).
Value / lower limit | Values permitted for the function element. For example, you can limit SAP authorizations to specific SAP groups. When you specify a range, enter the lower limit here. Values can be added as variables. System variables can also be used. Wildcards can be used in the values. For more information, see Syntax examples for values.
Upper scope limit | Upper limit for the range of a function element. Values can be added as variables. Values combined with , and * are not permitted. If value / lower range limit contains values combined with , or *, no upper range limit can be entered.
Function argument | Name of the function argument for the authorization object. The name is formatted automatically according to the naming convention given in the "TargetSystem | SAPR3 | SAPRights | AbilityNamePattern" configuration parameter. You can change it manually.
Table 17: Syntax examples for values
Syntax | Meaning | Example
* | Any value. Only use as a single value. You cannot specify an upper scope limit. | ab or 1234
Any string (from) | Exact given value | abc
[*] | The value * | *
String[*] (abc[*]) | Values that contain exactly this string and *. | from*
String* (abc[*]) | Values beginning with the given string and ending with any string. Only use as a single value. You cannot specify an upper scope limit. | abcd or ab*
OR link (01,02,78) | One of the values contained in the list. Do not use OR combinations for the upper range limit. Only use as a single value. You cannot specify an upper scope limit. | 01 or 02 or 78
Variable ($Var$) | Value stored in the variable |
System variable ($var) | Value stored in the system variable |
To edit the properties of a function element
Table 18: Function element properties
Property | Description
Type | Specifies whether the selected function element is an activity or an authorization field.
Name | Name of the function element.
Lower limit, upper limit | Values permitted for the function element. When you specify a range, enter a lower and an upper limit. Values can be added as variables. Click to select variables from the existing variable sets.
Description | Detailed description of the function elements.
Using variables
You can set fixed values for function elements in authorization definitions. Alternatively, you can use variables so that one function definition can be used for different function instances. The following applies:
- You can use system variables as well as self-defined variables in the authorization definition. System variables have the following syntax: ${character}+ (example: $AUFART).
- Variables must be uniquely identifiable by the authorization check. Therefore, the name of a self-defined variable must not match the name of a system variable or begin with the name of a system variable.
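The value syntax from Table 17 and the naming rule for self-defined variables can be expressed as a small checker. This is an added example, not One Identity Manager code; the function names are hypothetical, and it assumes that ranges compare as plain strings and that an unescaped * acts as a wildcard only at the end of a value.

```python
# Added illustration of the value syntax (Table 17) and the variable naming rule.
# Not One Identity Manager code. Assumptions: ranges compare as plain strings,
# an unescaped * is a wildcard only at the end of a value, names are case-sensitive.

def _literal(token):
    """Read the escaped form [*] as a literal asterisk."""
    return token.replace("[*]", "*")

def _has_wildcard(token):
    """True if the token contains an unescaped *."""
    return "*" in token.replace("[*]", "")

def validate(lower, upper=None):
    """Return the rule violations for a value / upper limit pair."""
    errors = []
    if upper is not None:
        if "," in upper or _has_wildcard(upper):
            errors.append("upper limit must not contain , or *")
        if "," in lower or _has_wildcard(lower):
            errors.append("no upper limit allowed when the value contains , or *")
    return errors

def matches(candidate, lower, upper=None):
    """Check one candidate value against a value specification."""
    errors = validate(lower, upper)
    if errors:
        raise ValueError("; ".join(errors))
    if upper is not None:                        # range: lower <= candidate <= upper
        return _literal(lower) <= candidate <= _literal(upper)
    for token in lower.split(","):               # OR link: any alternative may match
        if token == "*":                         # any value
            return True
        if _has_wildcard(token) and token.endswith("*"):
            if candidate.startswith(_literal(token[:-1])):
                return True                      # String*: prefix match
        elif candidate == _literal(token):       # exact value, [*] read literally
            return True
    return False

def conflicting_system_variables(name, system_variables):
    """System variables that a self-defined name equals or begins with."""
    bare = name.strip("$")
    return [s for s in system_variables if bare.startswith(s.strip("$"))]
```

Running `validate` over every value pair of a working copy before it is enabled surfaces entries that the editor rules above would reject.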
Enabling working copies
SAP authorizations are only checked on the basis of active SAP functions. When you enable a new working copy, an active function definition is added. When you enable an existing working copy, its changes are transferred to the active function definition.
To transfer changes from a working copy to a function definition
- In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.
- Select the function definition in the result list.
- Select the Enable working copy task.
- Confirm the security prompt with OK.
Editing function definitions
A working copy is added to the database for every function definition. You can edit the working copies to change the function definitions. Enabling the working copy allows the function definition to be used productively. SAP authorizations are only checked on the basis of active function definitions.
NOTE: One Identity Manager users with the Identity & Access Governance | Identity Audit | Maintain SAP functions application role can edit existing working copies if they are entered as the manager in the main data.
To edit an existing function definition
- In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.
  - Select a working copy in the result list.
  - Select the Change main data task.
  - OR -
  In the Manager, select the Identity Audit > SAP functions > Function definitions category.
  - Select the function definition in the result list.
  - Select the Create working copy task.
    The data from the existing working copy are overwritten with the data from the active function definition, after prompting. The working copy is opened and can be edited.
- Edit the working copy's main data.
- Save the changes.
- Select the Enable working copy task and confirm the security prompt with Yes.
  The changes to the working copy are transferred to the active function definition.