When we are building identity audit rules in One Identity Manager and want to integrate SAP deep analysis functionalities, we can go into the Identity Audit module of One Identity Manager, go to the SAP Functions section, select Function Definitions, and create function definitions.
Function definitions are templates that are being configured, where we look for a specific combination of transactions, authorization object fields, values, or limits on values (upper and lower limits). So when we create a function definition, this function definition is just the container that holds the information, and no further details are set in the function definition. The relevant information is added by the authorization editor. The authorization editor will allow us to find the SAP objects, fields, and values that are relevant for us to match the exact permission that we are going to look for in a later step to find violations or toxic combinations of permissions.
So when we go into the authorization editor, we will see in the Tasks section that we can add components to it, either via existing transactions, or via menu templates, or directly through authorization object, or by copying it from other authorization or other function definitions that are already configured in the One Identity Manager. So in this case, I have created a function instance, a function definition, by adding the function definition using a transaction, clicking the Add By Transaction, adding the transaction name into the filter box, and filtering the transactions will give me the list of transactions that are being matched.
By selecting this and adding the transaction, all the contents of that transaction (which can be seen in SAP using transaction code SU24 to retrieve the information for a specific transaction) will be added, and I can see which components this transaction contains. In this case, this transaction contains several activities and one field called Chart of Accounts. And these are the values for the specific field.
So for activities, activities 1 to 8 are configured. And for the Chart of Accounts field, I have put in a variable name. I will use this variable name later on by creating a variable definition and by using the variable definition in the creation of the function instance. And the variable will be replaced with the content of the SAP variable definition. So this function definition is a template of attributes and fields and their values that I'm interested in, to match a specific set of SAP roles and profiles.
So the next step is activating this SAP function definition and creating a function instance. So in this case, when I look into the details, the function definition is being selected. The client that this function definition is going to be applied to is selected. So just consider: you have several SAP systems with several clients on each SAP system, and you have a function definition that is valid in each of these instances, but with a slightly different configuration.
So maybe one instance of your SAP requires a chart of accounts with the value of 25, and the other one requires a value of 49. Or think of this like regions that you're interested in. And in Germany, the region number is different from the one in France or in any other country.
So for this, I am using the variable set that I had created earlier. The variable set contains the variable that was defined in the function definition. And the value from the variable set is replacing the value in the function instance.
Once the function instance is created, the system automatically starts calculating. When the system starts calculating, it will find all the SAP accounts that are matched by this function instance, as well as so-called affected SAP groups. Affected SAP groups are SAP roles and profiles, either single or composite roles or profiles, that somehow match the definition of the function instance, meaning they have the activities, they have the field called Chart of Accounts with that specific value, or the value is a wildcard, so that value is also met.
By this, we have pre-calculated the list of affected groups and the list of affected accounts. Now, you can use the specific function instance in an SoD rule. If you are looking for a specific permission that is a high-risk permission, and you want to check for the assignment of this permission to a specific user, you could use only this function instance. And it will give you all the affected user accounts, and by that, all the employees that these user accounts belong to. Or you can go into the SoD rule and create a rule that contains several function instances and combine these together.
So in this case, I have created a rule with two function instances. And any user account or any employee that has a user account with the permission that is matched by any of these or both of these function instances will lead to an SoD violation. So in this case, the SoD configuration says: if the employee has one or more user accounts that have a permission that is matched by this function instance, and another user account or the same user account that has another permission matched by the second function instance, the combination of this will be regarded as an SoD violation. And the user will be put into a state of compliance rule violation, and the exception approver will be asked to provide an exception approval.
Additionally, while configuring these things, there is always the possibility to look for employees that would possibly match these SoD violations. So as you can see, the first part here is matched by three employees. The second part is matched by two employees. And the combined rule also matches two employees. And this can be seen in the rule overview as well.
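To make the matching logic described above concrete, here is an added Python model of the whole chain (function definition with a variable placeholder, variable set, function instance per client, affected groups and accounts, and an SoD rule combining two instances). It is illustration code written for this page, not One Identity Manager's own implementation or data model. The field names other than ACTVT, the role names, the accounts and the "all required values must be covered by a literal, range or wildcard grant" semantics are constructed assumptions; the sample data is built so that the first function matches three employees, the second two, and the combined rule two, mirroring the counts in the walkthrough.

```python
from dataclasses import dataclass

WILDCARD = "*"  # SAP full-authorization value for a field


@dataclass(frozen=True)
class Grant:
    """One authorization line of an SAP role/profile: a field and the values it grants.
    Each value is a literal, the wildcard '*', or a (low, high) range (constructed format)."""
    field_name: str
    values: tuple


def grant_covers(grant: Grant, required: str) -> bool:
    """True if one of the grant's literal, range or wildcard values covers the required value."""
    for v in grant.values:
        if v == WILDCARD:
            return True
        if isinstance(v, tuple) and v[0] <= required <= v[1]:
            return True
        if v == required:
            return True
    return False


@dataclass
class SapGroup:
    """A single or composite role/profile with its authorization grants."""
    name: str
    grants: list


@dataclass
class FunctionDefinition:
    """Template: field -> list of required values; '$NAME' is a variable placeholder."""
    name: str
    fields: dict


@dataclass
class FunctionInstance:
    """The definition applied to one client, with variables replaced from a variable set."""
    name: str
    client: str
    required: dict  # field -> set of literal values


def create_instance(definition, client, variable_set):
    """Resolve '$NAME' placeholders from the variable set to build a function instance."""
    required = {}
    for fld, values in definition.fields.items():
        resolved = set()
        for v in values:
            if v.startswith("$"):
                resolved.update(variable_set[v[1:]])
            else:
                resolved.add(v)
        required[fld] = resolved
    return FunctionInstance(f"{definition.name}@{client}", client, required)


def group_matches(group, instance):
    """A group is 'affected' when every required value of every field is covered by
    one of its grants (literal, range or wildcard). AND semantics is an assumption."""
    for fld, required_values in instance.required.items():
        grants = [g for g in group.grants if g.field_name == fld]
        if not all(any(grant_covers(g, req) for g in grants) for req in required_values):
            return False
    return True


@dataclass
class SapAccount:
    user: str
    client: str
    groups: list
    employee: str


def affected_accounts(accounts, instance):
    """User accounts in the instance's client that hold at least one affected group."""
    return {a.user for a in accounts
            if a.client == instance.client
            and any(group_matches(g, instance) for g in a.groups)}


def affected_employees(accounts, instance):
    hit = affected_accounts(accounts, instance)
    return {a.employee for a in accounts if a.user in hit}


def sod_violations(accounts, first, second):
    """Employees owning an account matched by the first instance and an account
    (the same or another one) matched by the second: the toxic combination."""
    return affected_employees(accounts, first) & affected_employees(accounts, second)


# --- constructed sample data (not taken from any real SAP system) ---
ACT = "ACTVT"                 # SAP activity field
CHART = "CHART_OF_ACCOUNTS"   # constructed field name for the Chart of Accounts
CC = "COMPANY_CODE"           # constructed field name
ALL_ACTS = tuple(f"{i:02d}" for i in range(1, 9))  # activities 01..08

GROUPS = {
    "Z_GL_MASTER": SapGroup("Z_GL_MASTER", [Grant(ACT, (("01", "08"),)), Grant(CHART, (WILDCARD,))]),
    "Z_GL_DISPLAY": SapGroup("Z_GL_DISPLAY", [Grant(ACT, ("03",)), Grant(CHART, ("25",))]),
    "Z_GL_CHART25": SapGroup("Z_GL_CHART25", [Grant(ACT, ALL_ACTS), Grant(CHART, ("25",))]),
    "Z_PAY_RUN": SapGroup("Z_PAY_RUN", [Grant(ACT, ("01", "02")), Grant(CC, ("1000",))]),
    "Z_PAY_ALL": SapGroup("Z_PAY_ALL", [Grant(ACT, (WILDCARD,)), Grant(CC, (WILDCARD,))]),
}

DEF_GL = FunctionDefinition("GL_CHART_MAINTENANCE", {ACT: list(ALL_ACTS), CHART: ["$CHART_OF_ACCOUNTS"]})
DEF_PAY = FunctionDefinition("PAYMENT_RUN", {ACT: ["01", "02"], CC: ["1000"]})

VARIABLE_SET_100 = {"CHART_OF_ACCOUNTS": ["25"]}   # per-client value of the variable
INSTANCE_A = create_instance(DEF_GL, "100", VARIABLE_SET_100)
INSTANCE_B = create_instance(DEF_PAY, "100", {})

ACCOUNTS = [
    SapAccount("ALICE1", "100", [GROUPS["Z_GL_MASTER"]], "Alice"),
    SapAccount("ALICE2", "100", [GROUPS["Z_PAY_RUN"]], "Alice"),          # second account, same employee
    SapAccount("BOB", "100", [GROUPS["Z_GL_CHART25"], GROUPS["Z_PAY_ALL"]], "Bob"),
    SapAccount("CAROL", "100", [GROUPS["Z_GL_DISPLAY"], GROUPS["Z_GL_CHART25"]], "Carol"),
    SapAccount("DAVE", "200", [GROUPS["Z_PAY_RUN"]], "Dave"),             # other client: not evaluated
]

if __name__ == "__main__":
    print("first function matches:", sorted(affected_employees(ACCOUNTS, INSTANCE_A)))
    print("second function matches:", sorted(affected_employees(ACCOUNTS, INSTANCE_B)))
    print("SoD violations:", sorted(sod_violations(ACCOUNTS, INSTANCE_A, INSTANCE_B)))
```

Alice violates through two different accounts and Bob through a single account carrying both permissions, which is the "another user account or the same user account" case from the walkthrough; Carol is matched by the first function only, and Dave's account sits in a client the instance was not created for, so it is never evaluated.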