立即与支持人员聊天
与支持团队交流

Identity Manager 9.1 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Base data for SAP functions Finding non-compliant authorizations Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Using variables

You can set fixed values for function elements in authorization definitions. You can implement variables to use a function definition for different function instances. For this, the following is valid:

  • Variable name

    • Begins with a letter
    • Only contains letters, numbers, and underscore
    • Is enclosed in $ signs

    Example: $Var_01$

    NOTE: Variable names cannot begin with system variable names.
  • Value

    Syntax (example) SAP authorization is tested for Example for value in the SAP system
    * Any value abc | 1234
    Any string (from) Exact given value abc
    [*] The value * *
    String[*] (abc[*]) Values beginning with the given string and ending with * from*
    String* (abc[*]) Values beginning with the given string and ending with any string abc* | abcd
    Comma delimited list (abc, 1234, d*) A value contained in the list ab | 1234 | c* | cde

You can also use system variables as well as self-defined variables in the authorization definition. System variables have the following syntax: ${character}+ (example: $AUFART).

Variables must be uniquely identifiable by the authorization check. Therefore, names of self-defined variables may not match system variables or begin with system variable name.

Related topics

Creating and editing function definitions

A working copy is added to the database for every function definition. Edit the working copies to create function definitions and change them. The changes are not passed on to the production function definition until the working copy is enabled. SAP authorizations are only checked on the basis of active function definitions.

NOTE: One Identity Manager users with the Identity & Access Governance | Identity Audit | Maintain SAP functions application role can edit existing working copies if they are entered as the manager in the main data.

To create a new function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.
  2. Click in the result list.
  3. Enter the function definition main data.
  4. Save the changes.

    This adds a working copy.

  5. Select the Enable working copy task and confirm the security prompt with Yes.

    This adds an enabled function definition in the database. The working copy is retained and can be used to make changes later.

To edit an existing function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.

    1. Select the function definition in the result list.
    2. Select the Create working copy task.

      The data from the existing working copy are overwritten with the data from the active function definition, after prompting. The working copy is opened and can be edited.

    - OR -

    In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

    1. Select a working copy in the result list.
    2. Select the Change main data task.

  2. Edit the working copy's main data.
  3. Save the changes.
  4. Select the Enable working copy task and confirm the security prompt with Yes.

    The changes to the working copy are transferred to the active function definition.

Related topics

General main data of a function definition

Enter the following main data of a function category.

Table 10: Main data for a function definition

Property

Description

Function definition

Name of the SAP function.

Functional area

The SAP function is valid for this functional area.

Function category

Grouping criteria for the SAP function. To create a new function categories, click . Enter the name and a description of the function category.

Manager/supervisor

Application role whose members are responsible for the function definition in terms of content.

To create a new application role, click . Enter the application role name and assign a parent application role.

Authorization objects

Spare text field for entering information about the authorization objects that are used in the function definitions.

Risk index

Defines the risk for the company if an SAP user account matches this SAP function. Use the slider to enter a value between 0 and 1.

0: No risk.

1: Every SAP user account that matches the SAP function poses a problem.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

Risk index (reduced)

Show the risk index taking mitigating controls into account. An SAP function’s risk index is reduced by the significance reduction of all mitigating controls assigned to it. The risk index (reduced) is calculated for the original SAP function. To copy the value to a working copy, run the Create working copy task.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set. The value is calculated by One Identity Manager and cannot be edited.

Severity code

Specifies what it means to the company or the assigned functional area when an SAP user matches this SAP function. Enter a value between 0 and 1.

0: Just for information

1: Any SAP user account that matches the SAP function requires changes to the affected SAP authorizations.

Significance

Specifies a verbal description of the effects on the company (or the functional area) when an SAP user account matches this SAP function. In the default installation, the value list displays {low, average, high, critical}.

Description

Text field for additional explanation.

working copy

Specifies whether this is a working copy of the function definition.

For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Detailed information about this topic

Function definition overview

You can see the most important information about a function definition on the overview form.

To obtain an overview of a function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.
  2. Select the function definition in the result list.
  3. Select the Function definition task.

To obtain an overview of a working copy

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.
  2. Select the function definition in the result list.
  3. Select the Function definition task.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级