Compliant, Business-Driven Identity Management using SAP NetWeaver Identity Management and SBOP Access Control February 2010


Page 1: Compliant, Business-Driven Identity Management Using … · Compliant, Business-Driven Identity Management ... i5/OS, S/390, OS/390, OS/400 ... Business-Driven Identity Management

Compliant, Business-Driven Identity Management using SAP NetWeaver Identity Management and SBOP Access Control

February 2010

Page 2

© SAP AG 2010. All rights reserved. / Page 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Page 3

Concerns

…I am worried about the compliance program cost
…I am worried about simplifying user access
…I am worried about minimizing security risks

Page 4

Typical User Lifecycle

Challenges: Long time to become productive; enormous costs and efforts; security leaks if employee leaves

Hire date: Chuck Brown joins company. Available: Temporary accounts
3 weeks later: Chuck Brown is able to work in accounting. Available: E-Mail, Portal, Internet, Accounting
1 year later: Chuck Brown transfers to sales. Available: E-Mail, Portal, Internet, Accounting, CRM (west), Marketing data (west)
7 years later: Chuck Brown is promoted: Vice President Sales. Available: E-Mail, Portal, Internet, Accounting, CRM (global), Marketing data (global)
8 years later: Chuck Brown resigns. All known accounts of Chuck Brown are deactivated
10 years later: Chuck Brown still has access to the system. Available: Accounting, Marketing data (global)

Page 5

Agenda

1. What is Compliant Identity Management?

2. Technical Details

3. Best Practice

Page 6

Identity and Access Management: Business Challenges

Business Transformation
- Constant changes in business processes to align with changing business objectives
- Market consolidation with mergers and acquisitions
- Cross-enterprise transactions

Operational Costs
- Costly maintenance of multiple sources
- Manual user maintenance by helpdesk
- Regulatory compliance procedures and rules are separate, disjoint processes

Compliance & Risk
- Identify and manage business & IT controls
- Prevention of unauthorized access to sensitive data
- Need to provide auditors with complete audit trail
- No record of who has access to which IT resources

Page 7

Identity and Access Management: Benefits

Business Transformation
- Integrate business processes with compliance and IT functions.
- Ease impacts of mergers and acquisitions with bulk risk analysis and provisioning tools.
- Reduce risk associated with partner and contractor access to networks and systems.

Operational Costs
- Reduced administration cost, through integrated and automated compliance and IT processes
- Simplify access request creation and approval

Compliance & Risk
- Enable business users to manage both application and IT compliance risks.
- Reduce unauthorized access to sensitive data and system capabilities
- Reduced effort to meet compliance audits
- Complete record of user assignment history

Page 8

SAP NetWeaver Identity Management: Holistic Approach

IDM is triggered by identity business processes and data (e.g. on-boarding, e.g. Order2Cash). The business process relies on appropriate user and role assignments in systems.

SAP NetWeaver Identity Management
- Password management
- Provisioning to SAP and non-SAP systems
- Identity mgmt. monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as service
- Approval workflows
- Central Identity Store

SAP BusinessObjects Access Control (GRC)
- Compliance checks through GRC

SAP Business Suite Integration

Page 9

SAP BusinessObjects Access Control: Sustainable prevention of segregation of duties violations

Minimal time to compliance
- Quick, effective and comprehensive access risk identification
- Elimination of existing access and authorization risks is key

Continuous access management
- Improve productivity of end users
- Reduce cost of role maintenance
- Avoid business obstructions with faster emergency response
- Ease compliance and avoid authorization risk

Effective management oversight
- Capabilities for Management Oversight
- Capabilities for Internal Audit

[Figure: layered view of Access Control. IT Infrastructure layer: FIN, SCM, SRM, MFG, HR (cross-platform, cross-function). Access Risk analysis / Remediation layer: Enterprise role management; Risk analysis and remediation; Compliant user provisioning; Superuser privilege management (SAP_ALL). Audit Oversight layer: Identity Management; Periodic Access Review and Audit. Control Environment layer: Cross-enterprise library of best practice segregation of duties rules (Regulations, Rules, Corporate Policies, Best Practices).]

Page 10

SAP BusinessObjects Access Control (GRC) & SAP NetWeaver IDM – Integration

SAP NetWeaver Identity Management and SAP BusinessObjects Access Control (GRC) combined:
- Compliance checks
- Business risk controls and mitigation
- Rule-based business role assignment
- Heterogeneous connectivity
- Extended SAP Business Suite integration
- Password self-service

Compliant, business-driven Identity Management for the entire system landscape!

Page 11

Agenda

1. What is Compliant Identity Management?

2. Technical Details

3. Best Practice

Page 12

Compliant, Business-Driven Identity Management

Requirement: Provide automated, position-based role management while ensuring compliance

[Figure: process across HCM, SAP NetWeaver Identity Management, SAP BusinessObjects Access Control, Line Manager and Landscape. New Hire (HCM) triggers Calculate entitlements based on position (Identity Management); Compliance check (Access Control) with outcome Yes / No, and Remediation when needed; Approve assignments (Line Manager); then in the Landscape: Create user / Assign roles (per target system) and Create user / Assign privileges.]

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HCM events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration with SAP Business Suite

Page 13

Compliant, Business-Driven Identity Management: Process Flow

[Figure: SAP NetWeaver Identity Management (VDS, IC) on one side, SAP BusinessObjects Access Control (GRC) (RAR, CUP) on the other, with the following numbered steps.]

1. Request Role Assignment
2. Manager approval
3. Forward request for risk analysis
4. Risk analysis
5. Risk mitigation
6. Risk status
7. Provisioning to target systems
8. Notification to User / Manager

Page 14

Component Usage

SAP NetWeaver Identity Management components are used in the following way:

The Virtual Directory Server:
- Accepts requests from Identity Center.
- Deals with all connections to/from SBOP Access Control through the web service API exposed by SBOP Access Control.

The Identity Center:
- Contains the workflow tasks and the necessary jobs that drive the provisioning to SBOP Access Control based on the Provisioning Framework for SAP Systems.
- Communicates with the Virtual Directory Server (VDS) using the LDAP protocol.

SAP BusinessObjects Access Control components are used in the following way:

Compliant User Provisioning (CUP):
- Provides web services for compliance checks, status checks, etc.
- Workflow for risk analysis and mitigating controls

Risk Analysis and Remediation (RAR):
- Provides risk analysis services to detect SOD violations and critical permissions
- CUP-RAR communication via internal web services

Page 15

Agenda

1. What is Compliant Identity Management?

2. Technical Details

3. Best Practice

Page 16

Centralized Provisioning: Customer Best Practice - General Recommendation

[Figure: SAP NetWeaver Identity Management alongside SAP BusinessObjects Access Control (GRC); Identity Management handles provisioning to SAP and non-SAP systems.]

Page 17

Centralized Provisioning: Details

1. Create role assignment request in Identity Management (Identity Center): Automatic (using certain rules, e.g. department assignment) or Manual (per user request)
2. Pre-process request in Identity Management (Identity Center): Assignments require compliance check / Assignments do not require compliance check
3. Request processing & risk analysis in Compliant User Provisioning: Risk violations found, so the request is rerouted to a manual workflow (declined or approved) / No risk violations found
4. Identity Management reads request status: No provisioning / Identity Management starts provisioning
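The flow on Pages 13 and 17, modelled as an added example (not SAP code): a role-assignment request is pre-processed in the Identity Center, risk-analysed against a constructed segregation-of-duties rule set standing in for RAR, rerouted to a manual workflow when a violation is found, and provisioned only when the status read back is "approved". The role names, the rule set and the `Request` type are constructed for the example.

```python
"""Model of the centralized provisioning flow (request, pre-processing,
CUP/RAR risk analysis, manual rerouting, status read-back, provisioning).
Added example with constructed roles and rules; not SAP code."""
from dataclasses import dataclass, field

# Constructed SoD rule set: pairs of roles that must not be held together.
SOD_RULES = {
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"): "create and pay vendor invoices",
    ("VENDOR_MASTER_MAINT", "AP_PAYMENT_RELEASE"): "maintain vendors and release payments",
}
# Constructed: roles named in an SoD rule are critical; assignments that touch
# none of them skip the compliance check (Page 17, step 2).
CRITICAL_ROLES = {role for pair in SOD_RULES for role in pair}

@dataclass
class Request:
    user: str
    existing_roles: set
    requested_roles: set
    origin: str                      # "automatic" (rule-based) or "manual"
    status: str = "created"
    violations: list = field(default_factory=list)
    log: list = field(default_factory=list)   # audit trail of the request

def needs_compliance_check(req):
    """Pre-processing in the Identity Center: forward to CUP only if needed."""
    return bool(req.requested_roles & CRITICAL_ROLES)

def risk_analysis(req):
    """RAR-style SoD check over the roles the user would hold after the
    assignment: a rule fires when both of its roles would be present."""
    after = req.existing_roles | req.requested_roles
    return [desc for pair, desc in SOD_RULES.items() if set(pair) <= after]

def process(req, manual_decision=None):
    """Run the flow and return the roles actually provisioned.
    manual_decision ("approved"/"declined") is the outcome of the manual
    workflow used when violations are found; None leaves the request pending."""
    req.log.append(f"request created ({req.origin})")
    if not needs_compliance_check(req):
        req.status = "approved"
        req.log.append("no compliance check required")
    else:
        req.violations = risk_analysis(req)
        if req.violations:
            req.log.append("risk violations found; rerouted to manual workflow")
            req.status = manual_decision or "pending"
        else:
            req.status = "approved"
            req.log.append("no risk violations found")
    # Identity Management reads the request status; provision only on approval.
    if req.status == "approved":
        req.log.append("provisioning started")
        return req.existing_roles | req.requested_roles
    req.log.append("no provisioning")
    return req.existing_roles
```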

Page 18

DEMO

Page 19

Summary: Key Takeaways

- SAP BusinessObjects Access Control delivers best practice, cross-enterprise compliance
- Access Control and Identity Management integration allows customers to implement business-driven, compliant identity management across the enterprise.
- Real-time detective and preventive controls avoid cross-enterprise violations before they occur
- SAP leads the industry in helping our customers to thrive in today's business networks
- Double the Value - Access Control delivers comprehensive risk analysis for existing IdM deployments. IdM expands provisioning for existing GRC AC deployments

Page 20

Virtual SAP TechEd: Extend your SAP TechEd Year Round

Best of SAP TechEd at Your fingertips
- View sessions that you missed
- Replay and review sessions that you attended

Quality SAP TechEd Training
- Best Practices
- Product Roadmaps
- Learn at your own pace
- Gain Access to sessions recorded in 2006, 2007, 2008 and 2009* (*available December 2009)
- 24/7 Access online/offline

Flexible Course Syllabus

Volume Licensing
- Special Pricing for multiple subscribers

http://www.sdn.sap.com/irj/scn/virtualteched-allsessions

Page 21

Further Information

Related SAP Education and Certification Opportunities
- http://www.sap.com/education/
- TZNWIM - SAP NetWeaver Identity Management 7.1

SAP Public Web:
- SAP Developer Network (SDN): www.sdn.sap.com/irj/sdn/nw-identitymanagement
- Business Process Expert (BPX) Community: www.bpx.sap.com

Page 22

Thank You!

Page 23

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Copyright 2010 SAP AG

All Rights Reserved