立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Setting up a synchronization project for synchronizing SAP authorization objects

SAP authorizations are verified on the basis of the SAP applications permitted for an SAP user account and the associated authorization objects. Authorization objects and SAP applications must be loaded into the One Identity Manager database first before you can create SAP functions. For each client, create a synchronization project for synchronizing the necessary schema types. A separate project template is required for this.

Use the Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3 environment.

NOTE: Just one synchronization project can be created per target system and default project template used.

To set up a synchronization project for SAP authorization objects.

  1. Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following special features apply:

    NOTE: You cannot use SAP functions to check the authorizations in the child systems of a central user administration. Set up the synchronization project for one client only, which is not a CUAClosed system.

    1. In the project wizard on the Select project template page, select the SAP R/3 authorization objects project template.
    2. The Restrict target system access page is not displayed. The target system is only loaded.

    For more information, see the One Identity Manager Administration Guide for Connecting to SAP R/3.

  2. Configure and set a schedule to run synchronization regularly.

    For more information, see the One Identity Manager Target System Synchronization Reference Guide.

Related topics

Synchronizing SAP authorizations with overlapping values

In SAP R/3, if the same authorization is assigned to an SAP profile several times with overlapping value ranges, only one authorization assignment is read in by the synchronization. Therefore, the authorization check does not include all the values that user accounts with this profile can actually use.

Probable reason

When synchronizing the ProfileHasAuthObjectField schema type, the complete object list is loaded straight away. Only one data set is selected for each authorization assignment to an SAP profile. Other data sets are ignored.

Solution

If several authorization assignments with overlapping value ranges exist for one profile, the lowest lower value and the highest upper value must be read in by synchronization. To do this, the value ranges are evaluated separately by the synchronization. The objects must be loaded by single record access.

To enable single record access

  1. In the Synchronization Editor, edit the properties of the profileHasAuthObjectField synchronization step.

  2. Select the Extended tab.

  3. Select the Reload threshold property and disable Use start up configuration settings.

  4. Enter a value between 4 and 7.

  5. Save the changes.

NOTE: Changing the reload threshold may affect synchronization performance for this synchronization step.

For more about configuring the reload threshold, see the One Identity Manager Target System Synchronization Reference Guide.

Related topics

Objects in USOBHASH table not completely loaded

When synchronizing SAP authorization objects, not all objects in the USOBHASH table are loaded into the One Identity Manager database.

Probable reason

Changed implementation of the ABAP function AUTH_TRACE_GET_USOBHASH as of SAP BASIS version 7.57 (SAP S/4HANA 2022).

Solution
  • Import the current SAPTRANSPORT_70.ZIP transport into the SAP R/3 system you want to synchronize.

    One Identity Manager version 9.1.3 or later provides an updated BAPI transport SAPTRANSPORT_70.ZIP. This uses the /VIAENET/LISTUSOBHASH function module instead of the AUTH_TRACE_GET_USOBHASH SAP module. When it accesses an SAP R/3 system, the SAP R/3 connector checks whether the /VIAENET/LISTUSOBHASH function module exists and uses that. This synchronizes all objects in the USOBHASH table.

If the function module is not available, the connector uses the AUTH_TRACE_GET_USOBHASH SAP module.

The synchronization log records whether the /VIAENET/LISTUSOBHASH function module is used.

Synchronizing very large numbers of SAP authorizations

If your SAP R/3 environment contains a very large number of ProfileHasAuthObjectField authorizations (several million), synchronization might quit unexpectedly or just not complete.

Solution

If the total number of authorizations is too large for processing, synchronization can be divided into several synchronization steps.

To split synchronization of ProfileHasAuthObjectField into several steps

  1. In the Synchronization Editor, edit the synchronization workflow for synchronizing SAP authorization objects (default: Initial Synchronization).

  2. Enable the profileHasAuthObjectFieldPart1, profileHasAuthObjectFieldPart2, profileHasAuthObjectFieldPart3, and profileHasAuthObjectFieldPart4 synchronization steps.

    • If these synchronization steps are not available, first apply the VPR#37380 patch.

      This patch creates the synchronization steps in synchronization projects that were set up in versions of One Identity Manager older than 9.2.

  3. Disable the profileHasAuthObjectField synchronization step.

  4. Save the changes.

In subsequent synchronizations, all ProfileHasAuthObjectField objects are divided into four blocks and processed independently of each other.

For more information about editing synchronization steps and applying patches, see One Identity Manager Target System Synchronization Reference Guide.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级