[MUSIC PLAYING] Now, how does the end user see the SAP environment in the Identity Manager? And how does he request objects from an SAP system like an account in an SAP target system, or an SAP role or profile in the Identity Manager? The end user uses the IT shop, which is the business user interface, logs in, and requests objects in the IT shop.
So for the logged-in user Andy HR, who wants to request an SAP user account, he goes to the access lifecycle service catalog and will see the available systems and accounts that he can request from. So in this system, I'm going to request an SAP user account in the client 400 on that system ECC. So I will add that request into my shopping cart and will submit the request. Once I submit the request, the request will be sent for approval to my manager. I can review this by looking into the service request and will see that the approval has to be granted by Martin HR.
Now, I will log into the system as Martin HR and will approve this request for a user account in the SAP environment. Martin HR has logged in and can see that there is one pending request. And that is the request for Andy HR's account in the SAP client system.
Now, I will just approve to run this example through. What the administrator or approver in this case can do is limit the date, the validity date. But for the sake of the example we will continue with the approval. And we will see that the provisioning into the SAP target system will be executed and that the user account will be created in SAP.
Now the provisioning to the SAP target system has been executed by the One Identity Manager job server. And when I log into the SAP GUI again and go to the SU01 transaction, which is the user maintenance transaction, I can see that the HR user account has been created. The department information, which has been derived from the employee's department, is being set as it has been set previously for the account that has been created by assigning the account definition.
The request is the same as assigning the account definition directly to the employee by an administrator in One Identity Manager. And in this case, the employee has requested the user account directly in the IT shop and the account has been assigned to him. And the provisioning has been executed into the target system after the approval has been granted.
Now that the user has an account in SAP, he can request permissions, SAP roles, profiles, or business roles in the IT shop to get specific permissions in the target system. In this case, we are going to request business roles in the IT shop to get access to SAP transactions and objects in the SAP system. In this case, I'm going to request two business roles, account administrators and banking administrators.
As you can see, these will be in conflict with each other, so that when I request these two permissions in the IT shop, this will lead to an SoD violation. And the system will detect this SoD violation. So when I submit this request, the Identity Manager will detect a rule violation. And since the rule has been configured to allow exception approvals, the system is giving me a warning saying that this request will cause an SoD violation.
However, exceptions are possible. So I may submit this request for approval, which I did. So the approval will go first to an exception approver. And after the exception approval has been granted, I will see that the permissions will be assigned to the employee.
So when I go back to my request, I will see that the request workflow will show that there has been a violation detected. And in the compliance tab, I can see which SoD rule has been matched. And when I switch to the One Identity Manager Manager, we will see what this SoD rule looks like.
As you can see, this is the SoD rule in its entirety, with mitigating controls that have been assigned to rule violations that have been detected previously, and the rule itself. So when I look into the rule details, I can see at the bottom the rule definition, so which criteria have to be met for the rule to match, and the information that exception approvals are possible for this rule.
When I switch back to my request, I can see that the workflow is showing that a violation has been detected and that the exception approver, in this case C Tuthas, has to grant an exception approval before the manager can get to the approval and can approve this request. So I'm going to grant the exception approval. Now I'm logged in as the exception approver. And I can see that there are two pending requests that need to be granted.
So when I look into this request, I will see that the user Andy HR is requesting two roles. And when I look into the details of this request, I will see in the compliance tab the SoD rule that has matched. And I could assign a mitigating control, like if the user has attended a security briefing or security instructions, I could assign a mitigating control and approve this request. And after approval, this request will be further routed to the final approver, which is the manager of this requesting user.
Now, the final approver has logged in, in this case Manager HR. And he will see that two pending requests are in the queue. And these requests are the business roles requested by Andy HR. And he can look into the workflow, see that the exception approver has approved previously, that a compliance violation has been detected, and which compliance violation it is in this case. And now he can also approve these requests and save his approval, which will lead to a provisioning of SAP permissions and roles in the client for that user account.
After a short while, the provisioning into the SAP target system will be executed. Once the provisioning has been done, we can review the user information in the SAP target system and review the roles and profiles that have been assigned to that employee or to that user account in the SAP system.
Once again, we are in the SU01 transaction in the SAP GUI. And we will look for the details of the Andy HR user account. In this case, we will look into the Roles tab. The Roles tab will contain the roles that have been assigned to that user account through the business role request in the One Identity Manager web shop. As you can see, the list of SAP roles that have been assigned contains three roles: the banking administrators and account information roles. And the roles also contain profiles.
The profiles that have been assigned to the user account will be seen in the Profiles tab. Profiles are assigned directly without limitations. Roles, as you can see, have a valid-from and valid-to date. In this case, the valid-from date has been derived from the IT shop request, since the value is set to a min date value. And the valid-to date is set to the max date value.
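To make the approval flow in the demo concrete, the following is an added Python illustration (not One Identity Manager code and not from the video): an SoD rule is evaluated against the roles the user would hold after the request, a matching rule that allows exceptions routes the request to an exception approver before the manager, a rule without exceptions stops it outright, and the final role assignments carry the valid-from / valid-to dates seen in the SU01 Roles tab. Rule names, role identifiers such as ACCOUNT_ADMIN and BANKING_ADMIN, the approver names and the 9999-12-31 open-ended date are constructed assumptions.

```python
"""Minimal model of the IT-shop approval flow shown in the demo: SoD rule matching,
routing to an exception approver when the rule allows exceptions, manager approval,
and the role assignments (with validity dates) that provisioning would write.
Added illustration, not One Identity Manager code; all names are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

SAP_MAX_DATE = date(9999, 12, 31)  # assumption: open-ended valid-to as SAP stores it


@dataclass(frozen=True)
class SodRule:
    """Separation-of-duties rule: matches when the user would hold at least one
    role from each conflicting side."""
    name: str
    side_a: FrozenSet[str]
    side_b: FrozenSet[str]
    allow_exception: bool  # the "allow exception approvals" setting in the demo

    def matches(self, roles: FrozenSet[str]) -> bool:
        return bool(self.side_a & roles) and bool(self.side_b & roles)


@dataclass
class Request:
    requester: str
    manager: str
    roles: FrozenSet[str]
    valid_from: Optional[date] = None
    valid_to: Optional[date] = None
    status: str = "submitted"
    violations: List[SodRule] = field(default_factory=list)
    approval_chain: List[Tuple[str, str]] = field(default_factory=list)
    mitigating_controls: Dict[str, str] = field(default_factory=dict)


def evaluate_request(req, existing_roles, rules, exception_approver):
    """Compliance check at submission: the rule is evaluated against the roles the
    user would hold after the request, not only against the ones being requested."""
    effective = existing_roles | req.roles
    req.violations = [r for r in rules if r.matches(effective)]
    if any(not r.allow_exception for r in req.violations):
        req.status = "rejected"  # no exception possible: stop before any approver
        req.approval_chain = []
        return req
    req.approval_chain = []
    if req.violations:
        req.approval_chain.append(("exception", exception_approver))
    req.approval_chain.append(("manager", req.manager))
    req.status = "pending"
    return req


def approve(req, approver, mitigating_control=None):
    """Record one approval step; only the current step's approver may act.
    Returns True once the chain is complete and provisioning may run."""
    if req.status != "pending":
        raise ValueError(f"request is {req.status}, not pending")
    step, expected = req.approval_chain[0]
    if approver != expected:
        raise PermissionError(f"{approver} is not the current approver ({expected})")
    if step == "exception" and mitigating_control:
        for rule in req.violations:  # document why the violation was accepted
            req.mitigating_controls[rule.name] = mitigating_control
    req.approval_chain.pop(0)
    if req.approval_chain:
        return False
    req.status = "approved"
    return True


def provision(req, today=None):
    """Role assignments the job server would write to SAP. Missing dates default to
    today / SAP_MAX_DATE, matching the min/max values seen in the SU01 Roles tab."""
    if req.status != "approved":
        raise ValueError("provisioning requires a fully approved request")
    valid_from = req.valid_from or today or date.today()
    valid_to = req.valid_to or SAP_MAX_DATE
    return [(role, valid_from, valid_to) for role in sorted(req.roles)]


if __name__ == "__main__":
    rules = [SodRule("Accounting vs banking", frozenset({"ACCOUNT_ADMIN"}),
                     frozenset({"BANKING_ADMIN"}), allow_exception=True)]
    req = Request("Andy HR", "Manager HR", frozenset({"ACCOUNT_ADMIN", "BANKING_ADMIN"}))
    evaluate_request(req, frozenset(), rules, "Exception Approver")
    print(req.status, [s for s, _ in req.approval_chain])
    approve(req, "Exception Approver", mitigating_control="security briefing attended")
    approve(req, "Manager HR")
    for role, start, end in provision(req):
        print(role, start, end)
```

The check runs against the union of existing and requested roles, which is the point of evaluating at request time rather than only in a periodic review: a single new role can complete a conflict with something the user already holds. The mitigating control is stored per matched rule so the reason for accepting the violation stays with the request.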
[MUSIC PLAYING]