Context is important.
And there is no exception when traversing the realm of cybersecurity, especially when dealing with Roles within SAP ABAP systems. In Identity Manager, Context-based requests come up frequently enough to require well-organized, air-tight configuration.
But what exactly are you configuring? And is it going to be hard to follow this road?
What is Context in SAP roles?
Organizations, especially large organizations utilizing SAP, will have lots of SAP roles to sort through. Sometimes, those roles will be strikingly similar, with only one small organizational value to differentiate them. In SAP, this one small organizational value is the Context, and Identity Manager needs to understand the Context for requests.
The Context can be a value such as a company code, plant or sales organization that marks the difference between one role and another, though all such roles are derived from the master SAP role for ease of management.
Distinguishing between such values allows two or more employees with the same job description to have the same general access to required resources, but restricted to their respective organizational units. This way, one employee from “Materials Management” company code 0005 who needs access to “Goods Movement Information” will be restricted to their own organizational unit instead of having that access sprawl to the resources allotted to an employee with company code 0027.
Thus, our fictional company code 0005 becomes the Context of the Role. A Role contains SAP roles, and each SAP role requires Context; therefore, each Role requires Context.
What is a Context-based request?
In Identity Manager, a Role is a bundle of SAP roles, and each Role requires Context to streamline the request process.
Requesting an SAP role with Context is considered a Context-based request, and an end user has multiple options for creating a request – starting by creating either the Role, Context or Context Type first, followed by the others.
This process ensures that access is made even more granular throughout the organization, starting from the very creation of Roles and working toward their endpoint as either a Business Role or a System Role.
Is there a best way to create a Context-based request?
You can start your Context-based request for a Role in several ways, from several starting points. But every request needs the following references:
- Role
- Context Type
- Context
But Identity Manager doesn’t leave you without context. Scripts exist within the program designed to get you where you need to go, with examples of how to create Context-based service items on the fly, and many other accelerators to frequently encountered roadblocks. Different parameters yield different results, and can be configured accordingly, but all allow for streamlined provisioning for the end user.
Ultimately, many roads exist that can get you to the same place: a Context-based SAP role from a Context-based request that aims to provide your organization with more… well… context.
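To make the three required references and the company code restriction concrete, here is an added example that is not part of the original blog and is not Identity Manager or SAP code. The data model, the function names and the SAP role name `Z_MM_GOODS_MOVEMENT` are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. The structure and the SAP role name are assumptions
# for illustration, not Identity Manager's or SAP's actual schema.
CONTEXT_TYPES = {"CompanyCode": {"0005", "0027"}}
ROLES = {
    "Goods Movement Information": {
        "context_type": "CompanyCode",
        "master_sap_roles": ["Z_MM_GOODS_MOVEMENT"],
    }
}

@dataclass(frozen=True)
class Request:
    role: Optional[str]
    context_type: Optional[str]
    context: Optional[str]

def validate(req: Request) -> list:
    """Return the problems with a request; an empty list means it is usable."""
    missing = [f"missing {name}" for name in ("role", "context_type", "context")
               if not getattr(req, name)]
    if missing:
        return missing
    role = ROLES.get(req.role)
    if role is None:
        return [f"unknown role {req.role!r}"]
    problems = []
    if role["context_type"] != req.context_type:
        problems.append(f"role expects context type {role['context_type']!r}")
    if req.context not in CONTEXT_TYPES.get(req.context_type, set()):
        problems.append(f"unknown context {req.context!r}")
    return problems

def derive_sap_roles(req: Request) -> list:
    """Name one derived SAP role per master role, scoped to the Context."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"{m}_{req.context}" for m in ROLES[req.role]["master_sap_roles"]]

def may_access(assigned: list, master: str, company_code: str) -> bool:
    """Access is granted only through the role derived for that company code."""
    return f"{master}_{company_code}" in assigned

if __name__ == "__main__":
    granted = derive_sap_roles(Request("Goods Movement Information", "CompanyCode", "0005"))
    print(granted, may_access(granted, "Z_MM_GOODS_MOVEMENT", "0027"))
```

A request that omits any of the three references, or pairs a Role with the wrong Context Type, is rejected before any SAP role is derived.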
Summary
Configuring the Roles in your organization to include Context will streamline your efforts to manage SAP systems. Plus, familiarity with the many ways to create these Roles with Context even streamlines the Context-based request process. And with the sprawl of data and Roles across your IT landscape, a yellow brick road that will get you where you need to go, while evading the obstacles for you, is a welcome road indeed.
Stephan Hausmann contributed to this blog.