SAP connector-specific configuration parameters can be set in the Designer tool of One Identity Manager. The Designer tool has an option called Edit Config Parameters. And when you jump into the configuration parameter settings, under Target Systems, SAPR3, the SAP-specific configuration parameters are located. Although the item is called SAPR3, the configuration parameters are valid for R3, ECC, and S/4HANA as well. These specific configuration parameters can be changed accordingly, and will affect the complete SAP connector for all instances.
Specifically relevant in this case, or important, is this configuration parameter TestWithoutTCD, which allows you to change the specifics of how SoD violations of memberships or rules will match different SAP roles in sub-function definitions. When this parameter is set, the transaction code will not be taken into consideration while finding matches for the configured function definition. Please keep in mind, if a checkbox is set in this column, this will require a recompilation of the database of One Identity Manager.
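A simplified model of the matching behavior described above, added here as an illustration and not taken from One Identity Manager. The `Role` and `FunctionDef` structures, the function names and the sample transaction codes and authorization values are constructed assumptions; the product's own matching logic and schema are not shown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    tcodes: frozenset   # transaction codes the role may start
    auths: frozenset    # (authorization object, field, value) triples

@dataclass(frozen=True)
class FunctionDef:
    name: str
    tcode: str          # transaction code named in the function definition
    auths: frozenset    # authorizations the function definition requires

def role_matches(role, func, test_without_tcd):
    """A role matches when it carries every required authorization and,
    unless the TestWithoutTCD behavior is on, the transaction code too."""
    if not func.auths <= role.auths:
        return False
    return test_without_tcd or func.tcode in role.tcodes

def matched_functions(roles, funcs, test_without_tcd):
    """Names of all function definitions matched by at least one role."""
    return {f.name for f in funcs for r in roles
            if role_matches(r, f, test_without_tcd)}

def sod_violation(roles, funcs, conflict, test_without_tcd):
    """True if one account's roles match both sides of a conflicting pair."""
    return set(conflict) <= matched_functions(roles, funcs, test_without_tcd)

# Constructed sample data (hypothetical roles and function definitions).
FUNCS = [
    FunctionDef("CREATE_VENDOR", "XK01",
                frozenset({("F_LFA1_APP", "ACTVT", "01")})),
    FunctionDef("RUN_PAYMENT", "F110",
                frozenset({("F_REGU_BUK", "FBTCH", "21")})),
]
VENDOR_ROLE = Role("Z_VENDOR_MAINT", frozenset({"XK01"}),
                   frozenset({("F_LFA1_APP", "ACTVT", "01")}))
# Carries the payment authorization but not the F110 transaction code.
PAY_ROLE = Role("Z_PAY_BACKGROUND", frozenset(),
                frozenset({("F_REGU_BUK", "FBTCH", "21")}))
ROLES = [VENDOR_ROLE, PAY_ROLE]
CONFLICT = ("CREATE_VENDOR", "RUN_PAYMENT")

if __name__ == "__main__":
    for flag in (False, True):
        print("TestWithoutTCD =", flag, "->",
              "violation" if sod_violation(ROLES, FUNCS, CONFLICT, flag)
              else "no violation")
```

With the transaction code ignored, the second role matches on its authorization objects alone, so the same account is reported as a violation that the stricter match does not report.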
Another relevant configuration parameter-- in this case, not system-wide or connector-wide configuration parameter, but a configuration parameter that affects the synchronized client in SAP-- is client-specific configuration, which can be set in the One Identity Manager tool Manager where you can select the company that will be assigned to each and every account that will be created on this SAP client. The list of clients will be shown in the dropdown list, and the client or the company information-- that is, the default company that should be set for each user account-- can be selected on the instance here.
Additionally, further configuration parameters are available in the Designer, and these configuration parameters concern the validity period for role assignments in One Identity Manager. In One Identity Manager, we have different validity periods-- or assignment dates for role assignments-- to user accounts in SAP. If the configuration parameter DoNotUsePWODate is not set, dates are not copied from the order, but are copied from-- the min date value 1st of January, 1900 will be set, and the date max value will be taken as well. If the ReuseInheritedDate configuration parameter has been set, the validities will start from the assignment of the order in the IT shop.
This is particularly relevant if you are migrating from a version prior to version 7, where the handling of the validity from and validity to dates was different in One Identity Manager from what it is now. This will affect the number of assigned roles in the SAP environment, because, unlike in other target systems, in SAP a user account can be assigned to the same profile or role more than once. So if the inheritance is derived from the IT shop order, and an additional assignment is done manually, and the confusion whether to use the ReuseInheritedDate or DoNotUsePWODate is being set will lead to multiple assignments, and the system will probably remove or change an assignment that is not assigned to this order.
Additional requests for SAP roles or profiles or user accounts in SAP system are subject to approval workflows and approval policies. Approval workflows, which are all combined in approval policies for specific shelves or shops, consist of approval procedures. Approval procedures are specific steps that will allow you to determine who will be the approver in this specific step.
One Identity Manager delivers a number of approval procedures out of the box in the One Identity Manager solution. Additional approval procedures can be created, and approval procedures can contain more than one query to determine who is going to be the approver in this approval procedure step.
So if an SAP-specific approval is required, and the approver is being determined from SAP-related information synchronized from the SAP system, we can easily query that information from our database in an approval procedure, use the approval procedure in an approval workflow, and assign that approval workflow to an approval policy that will be configured to be the default policy for specific shelves, shops, or single products.
As you can see, this is one example for an approval procedure called Recipients Manager. This approval procedure will determine who is the manager of that recipient, and will ask the selected person to fulfill an approval process. If additional information or additional approvers are required, additional approval queries can be configured, and additional approvers can be determined by this approval procedure.
One Identity Manager's support for SAP is available in different modules of the One Identity Manager SAP connector. The One Identity Manager SAP Basis Module supports users and roles and provisioning, and the content data from SAP in One Identity Manager. Additionally, modules are available for SAP R/3 Compliance add-on, which will synchronize information about authorizations, transactions, and the combination of the content in the profiles previously synchronized or managed by the Basis module. The SAP R/3 Analysis Authorization add-on is responsible for synchronizing BI analysis data. And the SAP R/3 Structural Profiles add-on is for the SAP structural, which are structural profiles, which are specific permissions in the SAP HR module.
Additionally to that, we also have the SAP HANA connector, which is not directly a component of the SAP connector, but is a component that is part of the One Identity Manager suite to support SAP systems in a customer environment.
Now, what is available in these specific modules? The SAP Basis module contains procedures and synchronization configurations as well as One Identity Manager internal databases. As you can see, the SAP Basis module has specific database tables that are relevant only for the SAP Basis add-on of the SAP connector.
All database tables for SAP are starting with the module name SAP and with the specific object type from SAP. So SAP Basis synchronization will pre-fill or fill objects or fill tables in the One Identity Manager database, like SAPSystem, which is a system representation of an SAP. SAPMandant is a client on an SAP system. SAPUser is the user account, SAPRole is a role, et cetera.
Additionally, if the synchronized client is a CUA system, we will have additional tables to maintain information about SAP users in specific clients that are managed through the SAP CUA master client. We have licenses information which is also available in the SAP Basis synchronization, but also used in the CUA add-on part as well as the Compliance and HR Structural Profiles component.
The Compliance add-on uses tables that hold information about SAP rights, like subtransactions or authorization object field. SAP HR does not have specific SAP-relevant tables, but in the HR case, the information is being directly synchronized into One Identity Manager's tables for persons, departments, and manager relation. Additionally, the HR Structural Profile component is being synchronized into specific tables that are available for structural profiles.