3.3 Implementing Approval Policies on Roles that Grant SAP Authorizations

To make sure that only the right people are granted powerful SAP authorizations, you can define a role that requires a manager's approval for every request for access to those authorizations. The role itself carries no SAP authorization; it is mapped to the SAP roles that do, so the approval gates every path to them.

To create the Restricted SAP Access role:

  1. Launch Designer, and verify that your project is current.

    To verify that your project is current, see Using the Compare Feature When Importing in the Designer 3.0.1 for Identity Manager 3.6 Administration Guide.

  2. In the Designer toolbar, click Window > Show View > Provisioning to display the Provisioning view.

  3. In the Provisioning view, click User Application > Role Catalog > Roles > Business Role.

  4. Right-click the Business Role, then click New.

  5. Use the following information to create the role:

    Identifier: Specify a unique name for the role. In this example, it is Restricted SAP Access. The Display Name and Description are populated with this name.

    Category: Select the Default category.

    Trustees: Add the container that holds your user objects as a trustee of this role. When a user in that container logs in to the Roles Based Provisioning Module, this role is displayed for them to request. Trustee rights only make the role visible and requestable; the SAP authorization is not granted until the approval configured below has completed.

  6. Click Finish to create the role.

  7. Click the Advanced Options tab at the bottom of the new role.

  8. Select Standard as the type of approval process used when access to the SAP resource is requested.

  9. Select the approval type of Serial.

    When you select Serial, the request is routed to each approver in turn, and every approver must approve it before the role is granted; if any approver denies the request, it is denied. In this use case the approver is the user's manager, so routing relies on the manager attribute of each requesting user being populated in the Identity Vault.

  10. Click the plus icon to add the approvers for the request. You can have one or more approvers.

To map the Restricted SAP Access role to the SAP resource:

  1. Log in to the Role Mapping Administrator.

  2. Select the Restricted SAP Access role.

  3. In the Authorizations panel, open the SAP system whose authorizations you want to restrict.

  4. Select the SAP roles that grant a user access to the resource, then drag and drop them into the Mapping panel.

  5. Click Apply to save and deploy the changes.

The Restricted SAP Access role is now mapped to the selected SAP roles and is available for users to request through the Roles Based Provisioning Module. When a user requests it, the user's manager is notified and either approves or denies the request; the mapped SAP roles are provisioned only after the request is approved.