Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SoD Function Objects

Miha
New Contributor III
New Contributor III

‎11/03/2023 06:28 AM

Hello,

We are working to configure SoD for SAP S4 Hana.

The roles in S4 are configured as follows:

  • There are composite roles, e.g., ZC:Accountant_Example. This entitlement type in Saviynt is SAP Role.
  • Each composite role contains multiple single roles, e.g., ZS_Cross_Finance_Example.  This entitlement type in Saviynt is SAP Role.
  • Each single role contains transactions, e.g., SU3. This entitlement type in Saviynt is TCODE.

I defined a function in SoD, in which I want to add an object. In the object I want to add a SAP Role, not the TCODE. Is this supported in Saviynt?

Can I have role-based SoD, instead of transaction (TCODE) based SoD?

Miha_1-1699017808405.png

I tried to add a SAP Role, e.g., ZC:Accountant_Example, but it is not found. If I try to add the TCODE that is inside the SAP Role, I am able to find it.

Thanks in advance for your help.

Mihaela

 

 

Labels:
0 Kudos
8 REPLIES 8

Dhruv_S
Saviynt Employee
Saviynt Employee

‎11/03/2023 07:07 AM

Hi @Miha 

  • Non-SAP ruleset allows you to perform SOD evaluation based on entitlements.

  • SAP ruleset allows you to perform SOD evaluation for SAP systems based on SAP entitlements (Tcodes).

For SAP functions, you have to select Tcode only.

Regards,
Dhruv Sharma
If this reply answered your question, please accept it as Solution to help others who may have a similar problem.

 

0 Kudos

Miha
New Contributor III
New Contributor III
In response to Dhruv_S

‎11/03/2023 08:35 AM

Hey @Dhruv_S ,

Thanks for the quick answer!

So if I use Saviynt Function Type SAP, I can only use TCODES in the function objects.

If I want to use SAP Roles (entitlements), instead of TCODES, I need to select non-SAP Saviynt Function Type, I understand correctly?

Miha_0-1699025638917.png

Thank you,

Mihaela

0 Kudos

SumathiSomala
All-Star
All-Star
In response to Miha

‎11/03/2023 10:13 AM - edited ‎11/03/2023 10:14 AM

@Miha You have to use Saviynt function type as SAP as you are using SAP s4 Hana application.

SAProles also TCODES.

To perform SOD evalution we use entitlements in Non-SAP system.

To perform SOD evalution we use TCODES in SAP or SAP GROUP system.

Creating Functions (saviyntcloud.com)

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

rushikeshvartak
All-Star
All-Star
In response to Miha

‎11/03/2023 07:35 PM

Functions are logical grouping of entitlements (access) that defines a user’s ability to perform business tasks. EIC enables you to manage the business function definition as a conditioned group with multiple entitlements. Entitlements can be logically grouped within a function by using conditional operators.

  • For SAP Type, allowed conditions are AND/OR

  • For Non SAP type, allowed conditions are AND/OR/NOT

  • For SAPGROUP type allowed conditions are AND/OR

 

 

For SAPGROUP rulesets, following are the prerequisites:

  • Associate the relevant endpoint to an organization.

  • Upload the appropriate SAPGROUP ruleset.

  • Request for an application role to view the violations of an associated ruleset.

After uploading a ruleset, if you add or remove any endpoints associated to an organization, you must upload the ruleset again for the changes to reflect.

 

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter16-Segregation-of-Duties/Man... 

 

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter16-Segregation-of-Duties/SOD... 

 

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter16-Segregation-of-Duties/SOD... 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Dhruv_S
Saviynt Employee
Saviynt Employee
In response to rushikeshvartak

‎11/05/2023 08:39 PM

Hi @Miha 

You have to use T codes for SAP/SAPGroup functions. Since your application is SAP S4HANA application, you should not use Non-SAP function also.

Regards,
Dhruv Sharma
If this reply answered your question, please accept it as Solution to help others who may have a similar problem.

Miha
New Contributor III
New Contributor III

‎11/06/2023 01:29 AM

@Dhruv_S  thanks for the answer.

I am using SAP Function, as my application is SAP S4 Hana, but i want to add SAP Roles, not T codes in the objects... I want the SoD to be evaluated on parent entitlement, which are SAP roles, instead of T codes. Is that possible or not? Is some additional license required?

Miha_0-1699262781532.png

Thanks,

Miha

0 Kudos

Dhruv_S
Saviynt Employee
Saviynt Employee
In response to Miha

‎11/06/2023 02:22 AM

Hi @Miha 

We will check and confirm on this.

Regards,

Dhruv Sharma

0 Kudos

Dhruv_S
Saviynt Employee
Saviynt Employee
In response to Dhruv_S

‎11/07/2023 07:53 AM

Hi @Miha 

Thanks for your patience. We checked internally with our team on this issue and got the below solution.

If you want to use the SAP Roles instead of T codes, you can use the non-sap function type and add the sap roles as entitlements. It is supported by Saviynt.

Please test the scenario with Non-SAP function and let us know if you have any further questions on this.

Regards,
Dhruv Sharma
If this reply answered your question, please accept it as Solution to help others who may have a similar problem.

Copyright © 2024 Khoros, LLC