立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Administration Guide for the SAP R/3 Compliance Add-on

SAP functions and identity audit Setting up a synchronization project for synchronizing SAP authorization objects Setting up SAP functions Compliance rules for SAP functions Mitigating controls for SAP functions Configuration parameters for SAP functions Default project template for the SAP R/3 Compliance Add-on Module Referenced SAP R/3 tables and BAPI calls

Setting up SAP functions

You can create function definitions, function instances, and variable sets for SAP functions. A function definition contains the authorization definition as well as general main data. An authorization definition contains at least one SAP application. Each SAP application belongs to at least one authorization object. Each authorization object consists of at least one function element (activity or authorization field) with concrete instances. Instances are given as single values or as upper and lower scope limits. Function elements can be listed more than once per authorization object.

You can use an SAP function for different instances. To do this, use variables in the authorization definition. Fixed variable values are grouped in variable sets and used in the function instances.

Figure 2: Structure of an authorization definition

To set up an SAP function

  1. Create a function definition.

    • (Optional) If necessary, assign a function category or functional area to the managers.

  2. Create the authorization definition.

    • Consider the explanations for determining invalid authorizations.

    • Take the notes on authorization definitions into account.

    • Use variables for the values or scope limits if needed.

  3. Check the completeness of the authorization objects.

  4. (Optional) Assign mitigating controls to the function definition to be implemented when invalid authorizations are detected by the SAP function.

  5. To be able to use the function definition for authorization checking, enable the working copy of this function definition.

  6. Create at least one function instance for this function definition.

To find all the identities that match this SAP function through their SAP user accounts, apply the SAP function in compliance rules.

Detailed information about this topic

Creating function definitions

A working copy is added to the database for every new function definition. The changes are not passed on to the production function definition until the working copy is enabled. SAP authorizations are only checked on the basis of active function definitions.

To create a new function definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definitions category.

  2. Click in the result list.

  3. Enter the function definition main data.

  4. Save the changes.

    This adds a working copy.

  5. Select the Authorization Editor task and set up the authorization definition.

  6. Select the Enable working copy task and confirm the security prompt with Yes.

    This adds an enabled function definition in the database. The working copy is retained and can be used to make changes later.

Related topics

General main data of a function definition

Enter the following main data of a function category.

Table 2: Main data for a function definition

Property

Description

Function definition

Name of the SAP function.

Functional area

The SAP function is valid for this functional area.

Function category

Grouping criteria for the SAP function. To create a new function categories, click . Enter the name and a description of the function category.

Manager/supervisor

Application role whose members are responsible for the function definition in terms of content.

To create a new application role, click . Enter the application role name and assign a parent application role.

Authorization objects

Spare text field for entering information about the authorization objects that are used in the function definitions.

Risk index

Defines the risk for the company if an SAP user account matches this SAP function. Use the slider to enter a value between 0 and 1.

0: No risk.

1: Every SAP user account that matches the SAP function poses a problem.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set.

Risk index (reduced)

Show the risk index taking mitigating controls into account. An SAP function’s risk index is reduced by the significance reduction of all mitigating controls assigned to it. The risk index (reduced) is calculated for the original SAP function. To copy the value to a working copy, run the Create working copy task.

This field is only visible if the QER | CalculateRiskIndex configuration parameter is set. The value is calculated by One Identity Manager and cannot be edited.

Severity code

Specifies what it means to the company or the assigned functional area when an SAP user matches this SAP function. Enter a value between 0 and 1.

0: Just for information

1: Any SAP user account that matches the SAP function requires changes to the affected SAP authorizations.

Significance

Specifies a verbal description of the effects on the company (or the functional area) when an SAP user account matches this SAP function. In the default installation, the value list displays {low, average, high, critical}.

Description

Text field for additional explanation.

working copy

Specifies whether this is a working copy of the function definition.

For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Detailed information about this topic

Creating authorization definitions in the Authorization Editor

Use the Authorization Editor to set up the SAP function authorization definition. To do this, group SAP applications and authorization objects together that should be covered by the SAP function.

To compile an authorization definition

  1. In the Manager, select the Identity Audit > SAP functions > Function definition working copies category.

  2. Select the function definition in the result list.

  3. Select the Authorization Editor task.

  4. Select one of the following tasks.

    • 1. Add via menu template

      Select from which menu you want to select the menu items and the SAP system whose menu tree should be displayed. Then select a menu item from the menu tree. Transaction codes that are linked to a menu item are shown in brackets in the menu tree as additional information.

      All the transactions and their authorization objects are loaded that can be called from the selected menu item or its submenu items.

    • 2. Add using SAP application

      Select the type of SAP application and the SAP application whose authorization objects should be loaded into the Authorization Editor. All authorization object are added that are linked with the selected SAP application. You can define a filter to list the limit the number of SAP applications available.

    • 3. Add using existing function definition

      Select an existing function definition whose authorization definition is to be loaded into the Authorization Editor.

      Only enabled function definitions can be selected.

  5. Specify details for each element in the Authorization Editor.

  6. Save the changes.
Detailed information about this topic
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级