Data Migration
Benefits of this course SAP HANA - Installation and Administration
What are the requirements and benefits of a modern identity management system (IDM) in the GRContext and what should be taken into account in application processes? Modern companies need to be able to effectively control their employees' access and system permissions to ensure optimal corporate control and monitoring. This need can also be inferred from legal requirements. IDM is the user and permission management within an organisation. These systems are an essential part of the internal control system. This includes the continuous monitoring and allocation of access possibilities as well as the systematic securing of functional separation (SoD - Segregation of Duties) in the IT systems. This is primarily intended to better manage relevant business and financial risks and to prevent criminal acts. The management of user and permission structures must ensure that, when the roles and responsibilities change, the privileges of the employees concerned in the systems are adjusted. Failure to do so will result in a multi-department employee having extensive privileges that can be critical in combination. Trust is good, control is better In order to avoid employees being entitled beyond your area of competence, user data and permissions must be continuously adjusted to the current requirements. It therefore makes sense to regularly carry out a recertification process in which the role owner and the manager sign off in compliance with the four-eye principle that the employee is entitled to the current privileges or may have to be deprived of rights from previous activities. Provisioning as a central function of the IDM Provisioning components form a central function of IDM systems, which provide users with individual access rights for the required IT resources according to their task.
If you now want to change the permission data, you will be asked for values for the appropriate organisation levels. First enter a tilde (~) and define the value later in the derived roles. Maintain the permissions you want and then generate the master role. Adding the organisational level to the master role Step 2: Define derived roles Create derived roles Assign the master role After you have created the master role, it is the derived roles that are in the process. To do this, re-enter a suitable role name via the PFCG. In our example, it is called "findepartment_d01". For a better overview, it is usually useful to name and number the derivatives after the master roles. You can also define the roles according to a different scheme. After you have created the role, you must then enter the master role in the Derive from Role field in the Description tab. Confirm the Auto Enquiries. Customise the Organisation Levels Now go to the "Menu" tab. There you can see that the data from the master role was automatically copied. Since the role has not yet been generated, the Permissions tab is currently highlighted in red. Therefore, call "Change Permissions Data". The first call should automatically open a dialogue to maintain the organisational levels, as they are still empty. If this is not the case, or if you would like to adjust the organisational levels again in a later case, you can also access them via the button Ordende (see screenshot). If everything worked well, you can now see that the permissions were also automatically taken from the master role. If you generate the role, the permission tab will also appear green. Congratulations, you have successfully created a derived role! Repeat step 2 with the additional derivatives to adjust the organisation levels accordingly.
Analyses Proactive measures for optimization
At best, for the time in which an emergency user is in service, a separate log of the activities undertaken is written, which can then be evaluated. In the following chapter I would like to explain our best practice approach to implementing an emergency user concept. Our approach to using an emergency user concept We have had good experience with the use of the Xiting Authorizations Management Suite (XAMS) in this area. This suite consists of various modules for creating role concepts, managing permissions including a permission concept, and also enables the implementation of an emergency user concept. XAMS works here with a limited time assignment of reference users with extended privileges to enable the emergency user concept. A self-service application may be made with a justification and a period for allocating special rights. The application window is illustrated in an example in the following screenshot: Evaluation of the use of the Emergency User Concept Once this request has been initiated, a new mode will be opened for the user, in which he can work with the extended rights. In addition, depending on the configuration, a stored workflow can be initiated as an approval process, or pre-defined controllers will be notified by email to verify activities. Once the session has ended with the emergency user, the responsible persons will receive another email with the logged activity of the user with the extended permissions. One of these logs is shown in the next screenshot: These logs can also be viewed in the system. Here you will get an overview of all the sessions that have been run. In addition, it is possible to approve activities with special rights after an evaluation. This allows the controller to get an overview of the activities undertaken with the emergency user. If you are using this Emergency User Concept and following these steps, you can ensure: Each user on the production system retains his or her original necessary rights.
Information technology plays an even more important role in the age of digitalisation. Innovation without IT is unimaginable. But it is not just technology itself, but also how it is delivered that matters. The SAP basis sees itself as a partner and contact for new SAP technologies. Further details on the recommendation can be found in the Master's thesis in chapters 7.5 and 9.3.
For administrators, a useful product - "Shortcut for SAP Systems" - is available in the SAP basis area.
SAP Basis is the foundation of any SAP system. You can find a lot of useful information about it on this page: www.sap-corner.de.
Download the requested support packages from SAPNet - R/3 Frontend into your SAPS system with Support Package.
So you can easily and quickly group your transactions in different folders.