立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Rule conditions for SAP functions

To define new rules for SAP functions

  1. In the Manager, select the Identity Audit > Rules category.

  2. Click in the result list.

  3. Enter the main data of the rule.

  4. Set the Rule for cyclical testing and risk analysis in IT Shop option.

  5. Limit the affected permissions with the at least one function option and select the SAP functions to test.

    1. If you have selected more than one SAP functions, under number of entitlements assigned, specify how many SAP functions must be matched to violate the rule.

    2. If SAP authorizations in combination result in a rule violation, enter a rule block for each SAP function.

  6. Save the changes.

    This adds a working copy.

  7. Select the Enable working copy task and confirm the security prompt with Yes.

    This adds an enabled rule in the database. The working copy is retained and can be used to make changes later.

Figure 5: Condition for SAP functions

When One Identity Manager tests rules, it finds all the identities whose assigned SAP users match the SAP functions that are given in the rule. An SAP user matches an SAP function when:

  • An SAP role assigned to the SAP user account matches the SAP function

    - OR -

  • An SAP role that is assigned a reference user matching an SAP function

    - AND -

  • The SAP user account is assigned this reference user.

For more information about creating rule conditions, see the One Identity Manager Compliance Rules Administration Guide.

Related topics

Mitigating controls for compliance rules with SAP functions

Mitigating controls assigned to the function definitions to be tested are automatically copied to rules about SAP functions. Conditions:

  • Active rules are assigned to a functional area and a department.
  • The function definitions to be tested are assigned to the same functional area and to the variable set associated with the same department.
Related topics

More rule violation reports

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. Additional reports can be created for enabled compliance rules for SAP functions.

Table 18: Reports about rule violations with SAP functions

Report

Description

Rule violations with SAP applications

This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions.

All function instances are listed with their SAP applications for each identity through which they violated the rule. SAP profiles and their authorization objects that match the SAP function are displayed for each SAP function.

Rule violations with SAP roles

This report groups together all rule violations for the selected rule. It supplies results for rules that verify SAP functions.

SAP groups, SAP roles, and SAP profiles with their authorization objects are listed for each identity through which they violated the rule.

SAP roles and profiles with rule violations

The report shows all SAP roles and profiles that match SAP functions and thereby violate the selected rule.

Mitigating controls for SAP functions

Violation of regulatory requirements can harbor different risks for companies. To evaluate these risks, you can apply risk indexes to SAP functions. These risk indexes provide information about the risk involved for the company if this particular SAP function is violated. Once the risks have been identified and evaluated, mitigating controls can be implemented.

Mitigating controls are independent on One Identity Manager’s functionality. They are not monitored through One Identity Manager.

Mitigating controls describe controls that are implemented if an SAP function was violated. The next calculation should not find any invalid authorizations for this SAP function once the controls have been applied.

To edit mitigating controls

  • In the Designer, set the QER | CalculateRiskIndex configuration parameter and compile the database.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

For more information about mitigating controls, see the One Identity Manager Risk Assessment Administration Guide.

Detailed information about this topic
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级