
SAP Identity Management Overview

October 2014 Public

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public

Agenda

Introduction to Identity Management

Role Management and Workflows

Business-Driven Identity Management

Compliant Identity Management

Reporting

Password Management

Connectivity

Architecture

Identity Virtualization

Summary & Additional Information

Appendices

Introduction to SAP Identity Management


IT Application Security – SAP Portfolio

SAP Security Portfolio, IT Application Security:

Identity and access management (IAM)

• Identity, governance and administration (SAP Identity Management, SAP Access Control): manage identity lifecycle, segregation of duties, emergency access, role management, reporting, …
• Authentication and single sign-on (SAP Single Sign-On, SAP Cloud Identity): single sign-on, secure network communication, central access policies, 2-factor authentication, …

Code vulnerabilities (SAP NetWeaver AS, add-on for code vulnerability analysis): find vulnerabilities in customer code

Threat management (SAP Enterprise Threat Detection): detect cybercrime attacks based on user behavior


Key Capabilities

SAP Identity Management: manage identities and permissions

• Ensures that the right users have the right access to the right systems at the right time
• Consistent with user roles and privileges
• Holistic approach: across all systems and applications
• Enables the efficient, secure and compliant execution of business processes


Business Drivers for Identity Management

Operational costs
• Multiple sources of identity data
• Manual user provisioning
• Labor-intensive, paper-based approval systems
• Manual password reset processes

Changing business processes
• Transactions involve multiple enterprises
• Partners participate in business processes
• Company-specific requirements for user provisioning solutions

Compliance challenges
• No record of who has access to which IT resources
• Inability to deprovision user access rights upon termination
• No complete audit trail available
• Prevention of unauthorized access in multi-enterprise environments


Identity Lifecycle

• How long does it take for new employees to receive all permissions and become productive in their new job?
• Are permissions automatically adjusted if someone is promoted to a new position?
• Who has adequate permissions to fill in for a co-worker?
• How long does it take to remove ALL permissions of an employee? And how can you ensure that they were properly removed?
• How can you remove permissions automatically if employees change their position?


Solution in a Nutshell

• Central management of identities throughout the system landscape
• Rule-driven workflow and approval process
• Extensive audit trail, logging, and reporting functionality
• Governance through centralized and auditable identity data
• Compliance through integration with SAP Access Control
• Compliant and integrated identity management solution to mitigate segregation-of-duties risks

SAP Identity Management, together with SAP Access Control, manages identities across SAP and non-SAP applications: SAP SCM, SAP ERP HCM, SAP ERP, SuccessFactors, Java, Portal, Database, Legacy, OS, E-mail, Web app, …


A Holistic Approach to Compliant Identity Management

Example: on-boarding. SAP ERP HCM (or SuccessFactors) supplies the employee data; SAP Identity Management, with its central identity store, provides:

• Rule-based assignment of business roles
• Approval workflows
• Provisioning to SAP and non-SAP systems
• Password management
• Reporting
• Identity virtualization and identity as a service
• Web-based single sign-on and identity federation
• Integration with SAP Business Suite and SuccessFactors

SAP Access Control (SAP BusinessObjects Access Control, GRC) adds the compliance checks.

Solution in Detail: Role Management and Workflows


Role Definition and Provisioning

Role definition (design, one-time task)
• Read system access information (roles, groups, authorizations, etc.) from target systems
• Define a business role hierarchy
• Assign technical roles to business roles
• Develop rules for role assignments

Provisioning (regularly)
• Assign or remove roles to/from people: through request/approval workflow, manually (administrator), or automatically, e.g. HR-driven
• Automatic adjustment of master data and assignments of technical authorizations in target systems

Example from the slide: business roles (Manager, Employee, Accounting) are composed of technical roles (Portal role, Accounting (ABAP role), HR manager (ABAP role), E-mail, AD user), which live in the target systems (SAP Portal, SAP FI, SAP HR, E-mail system, Active Directory).


SAP NetWeaver Identity Management
Context-Based Role Management: Reducing Complexity

Context-based role management simplifies the structure of roles through dynamic role assignment based on user context information. A business role in SAP Identity Management is composed of technical roles (A, B, C) of the managed system; the user's context (position, location, …) determines which technical roles are provisioned to the user in the managed system.

Benefits
• Reduced number of roles
• Reduced complexity
• Sufficient granularity
• Improved data consistency and governance

Example: 20 roles in 1,000 factories
• Conventional method: 20,000 entries (roles)
• Context-based: 1,020 entries (roles + contexts)
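The arithmetic behind the slide, plus the resolution step it implies, as an added example (not SAP code): a business role is stored once with technical-role templates, and the user's context (here the factory) picks the concrete technical roles. Role names, factories and the user are constructed.

```python
"""Context-based role assignment as on the slide: a business role is stored once,
and the user's context (here the factory) picks the concrete technical roles.
Added example, not SAP code; role names, factories and the user are constructed."""
from dataclasses import dataclass

# Business role -> technical-role templates in the managed system; {ctx} is
# filled from the user's context attribute (constructed names).
BUSINESS_ROLES = {
    "Plant Buyer":      ["MM_BUYER_{ctx}", "PORTAL_PLANT_{ctx}"],
    "Plant Controller": ["FI_CONTROLLER_{ctx}", "PORTAL_PLANT_{ctx}"],
    "Plant Employee":   ["ESS_{ctx}"],
}
FACTORIES = ["F001", "F002", "F003", "F004"]   # constructed context values


@dataclass(frozen=True)
class User:
    name: str
    business_role: str
    location: str   # context attribute driving the dynamic assignment


def conventional_entry_count(n_roles: int, n_contexts: int) -> int:
    """Conventional design: one role object per (role, context) pair."""
    return n_roles * n_contexts


def context_based_entry_count(n_roles: int, n_contexts: int) -> int:
    """Context-based design: roles and contexts are maintained separately."""
    return n_roles + n_contexts


def conventional_role_catalog() -> list:
    """The role list a conventional design would maintain for the small catalog
    above: every business role copied once per factory."""
    return [f"{role} ({f})" for role in BUSINESS_ROLES for f in FACTORIES]


def resolve_technical_roles(user: User) -> set:
    """Expand the user's business role into the technical roles to provision,
    using the user's context. Unknown contexts or roles are rejected instead of
    being formatted into a role name, so bad master data never yields access."""
    if user.location not in FACTORIES:
        raise ValueError(f"unknown context {user.location!r} for {user.name}")
    if user.business_role not in BUSINESS_ROLES:
        raise ValueError(f"unknown business role {user.business_role!r}")
    return {t.format(ctx=user.location) for t in BUSINESS_ROLES[user.business_role]}


if __name__ == "__main__":
    print("slide example:", conventional_entry_count(20, 1000),
          "vs", context_based_entry_count(20, 1000))
    print("small catalog:", len(conventional_role_catalog()),
          "vs", context_based_entry_count(len(BUSINESS_ROLES), len(FACTORIES)))
    kim = User("Kim", "Plant Buyer", "F002")
    print(kim.name, "->", sorted(resolve_technical_roles(kim)))
```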

SAP Identity Management

Managed System


Workflows

1. Request: user sends a role request
2. Processing: Identity Center processes the request and sends an alert to the manager / administrator
3. Approval: manager checks the request and approves/denies
4. Provisioning: Identity Center provisions new roles and privileges to the respective systems
5. Notification: Identity Center sends a notification to the user/manager

Solution in Detail: Business-Driven Identity Management


Integration with SAP Business Applications

SAP Identity Management integrates with SuccessFactors Employee Central, SAP ERP Financials, SAP Transportation Management, SAP Product Lifecycle Management, SAP HANA, SAP Supplier Relationship Management, SAP Customer Relationship Management, SAP Extended Warehouse Management, SAP Service Parts Planning, SAP ERP Human Capital Management, SAP Portfolio and Product Management, and SAP Supply Network Collaboration.


Business Process Driven Identity Management: On-Boarding

Kim Perkins joins the company as a marketing specialist. From the first day with her new company, she is able to log on to all relevant systems, including access to the employee self-services, and access to SAP CRM to track the marketing activities she is responsible for.

1. Pre-hire phase (HR Operations, SAP ERP HCM / SuccessFactors): HR ensures that all necessary employee data for Kim is available, such as position and entry date
2. Event-based extraction of personnel data into SAP Identity Management
3. First day at work: based on the position in HCM, IDM automatically assigns the business role “Marketing Specialist”
4. Kim’s manager (line manager) approves the assignment
5. Provisioning of role and authorization information to the relevant target systems (SAP ERP HCM, SAP ERP, SAP CRM, SAP Portal): user created “Employee”; business partner created and user created “Marketing Professional”; user created with access to SAP ESS and access to SAP CRM


Business Process Driven Identity Management: Position Change

After two years as a marketing specialist, Kim is promoted and takes over personnel and budget responsibility for her marketing team. On the first day in her new role, she has access to the manager self-services. In her new position, she is responsible for budget approvals for all marketing campaigns - this requires immediate access to SAP ERP to view the marketing costs.

1. HR Operations (SAP ERP HCM / SuccessFactors): HR ensures that all necessary employee data for Kim is available
2. Event-based extraction of personnel data
3. Day of position change: SAP Identity Management recognizes the line manager information for Kim and automatically assigns the business role “Marketing Manager”
4. Provisioning of role and authorization information to the relevant target systems (SAP ERP HCM, SAP ERP, SAP CRM, SAP Portal): user updated “Employee” “Line Manager”; user created “Marketing Controller”; user updated “Marketing Controller”; user updated with access to SAP ESS, SAP MSS and SAP CRM


Business Process Driven Identity Management: Termination

After eight years, Kim leaves the company. The day after her official assignment with the company ends, she is no longer able to access any corporate systems.

1. HR Operations (SAP ERP HCM / SuccessFactors): HR ensures that all data relevant for the employment contract termination is available, such as last day of work
2. Event-based extraction of personnel data
3. Day after termination of employment: SAP Identity Management recognizes the last day information for Kim; it automatically takes away all access rights and disables her accounts
4. In each target system (SAP ERP HCM, SAP ERP, SAP CRM, SAP Portal): user disabled
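The three scenarios (on-boarding, position change, termination) as one event-driven reconciliation, added here as an example and not SAP code: HR events become create/grant/revoke/disable actions per target system, and a check answers the lifecycle question of whether all permissions were really removed. Positions, roles, entitlements and system names are constructed to follow Kim's story.

```python
"""HR-event-driven identity lifecycle for the three scenarios above: hire, position
change and termination events extracted from HR become provisioning actions in the
target systems. Added example, not SAP code; positions, roles, entitlements and
system names are constructed to follow the slides' story of Kim."""
from dataclasses import dataclass, field

# Rule: HR position -> business role (constructed)
POSITION_TO_ROLE = {"Marketing Specialist": "Marketing Specialist",
                    "Marketing Manager": "Marketing Manager"}
# Business role -> privileges per target system (constructed)
ROLE_TO_ENTITLEMENTS = {
    "Marketing Specialist": {"SAP ERP HCM": {"Employee"}, "SAP CRM": {"CRM user"},
                             "SAP Portal": {"ESS"}},
    "Marketing Manager": {"SAP ERP HCM": {"Employee", "Line Manager"},
                          "SAP ERP": {"Marketing Controller"}, "SAP CRM": {"CRM user"},
                          "SAP Portal": {"ESS", "MSS"}},
}


@dataclass
class IdentityStore:
    """Central identity store: what each user currently holds in each system."""
    state: dict = field(default_factory=dict)   # user -> system -> set of privileges
    disabled: set = field(default_factory=set)

    def apply(self, event: dict) -> list:
        """Process one HR event and return the provisioning actions as
        (system, action, privilege) tuples; the store is updated to match."""
        user = event["user"]
        current = self.state.setdefault(user, {})
        actions = []
        if event["event"] == "termination":
            for system in sorted(current):            # take away everything, then disable
                actions += [(system, "revoke", p) for p in sorted(current[system])]
                actions.append((system, "disable", None))
            self.state[user] = {}
            self.disabled.add(user)
            return actions
        # hire / position change: reconcile what the user has against what the
        # business role derived from the new position implies
        target = ROLE_TO_ENTITLEMENTS[POSITION_TO_ROLE[event["position"]]]
        for system in sorted(set(current) | set(target)):
            have, want = current.get(system, set()), target.get(system, set())
            if system not in current:
                actions.append((system, "create", None))
            actions += [(system, "grant", p) for p in sorted(want - have)]
            actions += [(system, "revoke", p) for p in sorted(have - want)]
            current[system] = set(want)
        self.disabled.discard(user)
        return actions

    def verify_removed(self, user: str) -> bool:
        """The slide's question: were ALL permissions properly removed?"""
        return user in self.disabled and not any(self.state.get(user, {}).values())


if __name__ == "__main__":
    store = IdentityStore()
    for ev in ({"event": "hire", "user": "kim", "position": "Marketing Specialist"},
               {"event": "position_change", "user": "kim", "position": "Marketing Manager"},
               {"event": "termination", "user": "kim"}):
        print(ev["event"], "->", store.apply(ev))
    print("all access removed:", store.verify_removed("kim"))
```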

Solution in Detail: Compliant Identity Management


Compliant Identity Management: Capabilities

Compliant identity management across SAP and heterogeneous landscapes in one integrated solution:

• SAP Identity Management: manage identities and permissions; central management of heterogeneous environments
• SAP Access Control: identify and mitigate risks; compliance checks; business risk controls and mitigation
• Integration based on standards
• Consistent view on current and historic access rights, approvals and policy violations


Compliant Identity Management: Process View

SAP Identity Management and SAP Access Control (SAP BusinessObjects Access Control, GRC) share the following process:

1. Request role assignment (SAP Identity Management)
2. Manager approval
3. Forward request for risk analysis (to SAP Access Control)
4. Risk analysis
5. Risk mitigation
6. Risk status (returned to SAP Identity Management)
7. Provisioning to target systems
8. Notification to user and manager

Target systems: SAP and non-SAP applications, e.g. SAP SCM, SAP ERP HCM, SAP ERP, Java, Portal, Database, Legacy, OS, E-mail, Web app, …
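Steps 1 to 8 above, and the plainer request / processing / approval / provisioning / notification workflow described earlier under Workflows, as an added example that is neither SAP Identity Management nor SAP Access Control code: a request only reaches the target system when the risk analysis finds nothing or a mitigating control has been assigned, and every step lands in an audit trail. The SoD rule set, role names and actors are constructed, and the toy rule check stands in for GRC.

```python
"""Role-request workflow with the SoD risk check of the process view above (steps
1-8), which also covers the simpler request/approval workflow earlier in the deck.
Added example, not SAP Identity Management or SAP Access Control code: SoD rules,
role names and actors are constructed; the toy rule check stands in for GRC."""
from dataclasses import dataclass, field
from enum import Enum

# Constructed SoD rule set: role pairs one person must not hold together
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "enter and pay a vendor invoice",
    frozenset({"HR_MASTER_DATA", "PAYROLL_RUN"}): "create an employee and run payroll",
}


class Status(Enum):
    REQUESTED = "requested"
    REJECTED = "rejected by manager"
    RISK_FOUND = "risk found, not provisioned"
    CLEARED = "no risk"
    MITIGATED = "risk mitigated"
    PROVISIONED = "provisioned"


@dataclass
class RoleRequest:
    user: str
    role: str
    current_roles: set
    status: Status = Status.REQUESTED
    risks: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # audit trail: (step, actor, detail)

    def log(self, step, actor, detail):
        self.audit.append((step, actor, detail))


def risk_analysis(req: RoleRequest) -> list:
    """Steps 3-4: evaluate the requested role together with the roles already held."""
    combined = req.current_roles | {req.role}
    req.risks = [desc for pair, desc in SOD_RULES.items() if pair <= combined]
    req.status = Status.RISK_FOUND if req.risks else Status.CLEARED
    req.log("risk analysis", "access control", f"{len(req.risks)} risk(s)")
    return req.risks


def process(req: RoleRequest, manager: str, approve: bool, target: dict,
            mitigating_control: str = None) -> Status:
    """Drive one request through steps 2-8; `target` is the provisioned state
    (user -> roles) of the target system and is only touched in step 7."""
    req.log("manager approval", manager, "approved" if approve else "denied")   # step 2
    if not approve:
        req.status = Status.REJECTED
        return req.status
    req.log("forward", "identity management", "sent to access control")        # step 3
    if risk_analysis(req) and mitigating_control:                               # step 4
        req.status = Status.MITIGATED                                           # step 5
        req.log("risk mitigation", manager, mitigating_control)
    req.log("risk status", "access control", req.status.value)                 # step 6
    if req.status in (Status.CLEARED, Status.MITIGATED):
        target.setdefault(req.user, set()).add(req.role)                        # step 7
        req.status = Status.PROVISIONED
    req.log("notification", "identity management", req.status.value)          # step 8
    return req.status
```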


Compliant, Business-Driven Identity Management

Requirement: provide automated, position-based role management while ensuring compliance

Solution:
• Simplify and automate role assignment
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration with SAP Business Suite

Process (SAP ERP HCM, SAP Identity Management, SAP Access Control, line manager, landscape):
1. New hire (SAP ERP HCM)
2. Calculate entitlements based on position (SAP Identity Management)
3. Compliance check (SAP Access Control): if the check fails, remediation; if it passes, continue
4. Approve assignments (line manager)
5. Provisioning to the landscape (SAP ERP HCM, SAP ERP FI, Portal, non-SAP)

Solution in Detail: Reporting


Reporting Options at a Glance

Basic Reporting
• Focus: static, printable reports
• Report creation on database level

Extended Reporting with SAP Business Warehouse (SAP BW)*
• Focus: dynamic reports, offering more, highly detailed, and customizable reporting options
• Data is extracted from SAP Identity Management on a regular basis (as per defined job)
• Predefined report templates available; custom reports can be freely defined (filtering, sorting, export to MS Excel, CSV, PDF, send via e-mail, etc.)

Reporting with SAP Lumira*
• Focus: customer-specific reports/analyses for identity management
• Rich graphical capabilities for visualizing and utilizing reported data
• Low integration and maintenance efforts
• Easy extension

*SAP BW and SAP Lumira are not part of the SAP ID Mgmt license


Basic Reporting

• Application/privilege-centric: determination of system access
• User-centric: determination of user privileges
• Entry data: current data, historical data, time stamps, modified by, audit flags
• Approval data: who approved what when? Who had which privilege when? Segregation of duties, attestation
• Task audit log: determination of tasks run on user / by user
• General logs
• Off-the-shelf reporting tools can be used


Extended Reporting with SAP Business Warehouse

• SAP BW report templates: persons, privileges, roles and their assignments over time and for specific dates; content-based and time-based reporting
• Advanced filtering and sorting options
• Access control: roles for reporting user (administrator, manager, owner)
• Basic audit data: who changed what
• Flexibility: BEx reports
• Change history up to the time of last synchronization


Reporting with SAP Lumira

• Customer-specific reports/analyses for identity management
• Rich graphical capabilities for visualizing and utilizing reported data
• Low integration and maintenance efforts
• Easy extension

Solution in Detail: Password Management


Password Management

Requirement:
• Reduce help desk calls related to password reset inquiries
• Enable password provisioning across heterogeneous landscapes

Solution: centralize and automate password management
• Reset password
• Recover lost password
• Set new password

Users and the helpdesk work through SAP Identity Management, which provisions the password across the landscape (SAP ERP HCM, SAP ERP FI, Portal, non-SAP).

Solution in Detail: Connectivity


Connectivity Framework

SAP Identity Management connects to the following kinds of systems:

Databases: Microsoft SQL Server, Microsoft Access, Oracle database, IBM UDB (DB2), MySQL, Sybase, SAP HANA

Directory Servers: Microsoft Active Directory, IBM Tivoli Directory, Novell eDirectory, SunONE Java Directory, Oracle Internet Directory, Microsoft ADAM, Siemens DirX, OpenLDAP, eB2Bcom View500 Directory Server, CA eTrust Directory, SAP IDM Virtual Directory Server, any LDAP v3 compliant directory server

On-Prem/Cloud Applications: SAP Business Suite, SuccessFactors, SAP Access Control, Lotus Domino / Notes, Microsoft Exchange, RSA ClearTrust, RSA SecurID

Technical: SPML, LDAP, ODBC/JDBC/OLE-DB, RFC, LDIF files, XML files, CSV files

Other: SAP Application Server, Microsoft Windows NT, Unix/Linux; shell execute, custom Java connector API, script-based connector API


SAP Identity Management Integration Scenario NW-IDM-CON
Third Party Connector Certification: SAP ICC Integration Scenario NW-IDM-CON

The SAP Integration and Certification Center (ICC) offers a certification for the integration scenario NW-IDM-CON.

SAP partners as well as potential partners and independent software vendors (ISVs) are invited to use the Connector Development Kit (CDK) to create an SAP Identity Management connector for their application, and to integrate the application into the identity management landscape. This connector can then be certified by the SAP ICC.

For general information about third party certifications with SAP products, please refer to http://www.sdn.sap.com/irj/sdn/interface-certifications, or contact the SAP Integration and Certification Center (ICC) directly at [email protected]

Solution in Detail: Architecture


SAP Identity Management Architecture

Solution in Detail: Identity Virtualization


Virtual Directory Server

Virtual Directory Server (VDS) provides
• Single consistent view and entry point for multiple distributed identity data sources
• Identity information as a service for applications through standard protocols (LDAP, SPML)
• Abstraction layer for underlying data stores: the consumer only sees one standard interface; VDS transforms incoming LDAP requests and connects directly to the existing data repositories
• Data stays within the original data source; efficient caching

Properties
• Real-time access to data
• No need to consolidate data sources
• No extra data store
• Quick LDAP deployment
• Easier and cheaper maintenance
• Attribute manipulation
• Name space modifications
• Complex operations on-the-fly

In the slide's diagram, applications talk SPML or LDAP to the Virtual Directory Server, which in turn reaches directory servers via LDAP and databases via JDBC.
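The VDS idea in miniature, as an added example (not the SAP Virtual Directory Server): one LDAP-style lookup interface over two constructed sources, an in-memory directory and an sqlite3 HR table, with the attribute renaming, namespace rewriting and caching listed above, and no copy of the data. All names and records are constructed.

```python
"""Virtual directory in miniature: one LDAP-style lookup interface over two
constructed sources, an in-memory "directory" and an sqlite3 HR table, with
namespace rewriting, attribute mapping and a cache, and no copy of the data.
Added example, not the SAP VDS; all names and records are constructed."""
import sqlite3

# Source 1: directory entries keyed by uid (constructed)
DIRECTORY = {"kperkins": {"cn": "Kim Perkins", "mail": "kim.perkins@example.com"}}


def make_hr_db() -> sqlite3.Connection:
    """Source 2: an HR database table (constructed, in memory)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (login TEXT PRIMARY KEY, dept TEXT, position TEXT)")
    db.execute("INSERT INTO employee VALUES ('kperkins', 'Marketing', 'Marketing Specialist')")
    return db


class VirtualDirectoryServer:
    VIRTUAL_BASE = "ou=people,o=virtual"   # the only namespace the consumer sees

    def __init__(self, directory: dict, hr_db: sqlite3.Connection):
        # source -> (fetch function, attribute map: virtual name -> source name)
        self.sources = {
            "directory": (directory.get, {"displayName": "cn", "mail": "mail"}),
            "database": (lambda uid: self._row(hr_db, uid),
                         {"department": "dept", "title": "position"}),
        }
        self.cache = {}
        self.backend_calls = 0

    @staticmethod
    def _row(db, uid):
        # parameterised query: the uid taken from the request never reaches SQL as text
        row = db.execute("SELECT dept, position FROM employee WHERE login = ?", (uid,)).fetchone()
        return None if row is None else {"dept": row[0], "position": row[1]}

    def search(self, base: str, uid: str):
        """Answer an LDAP-style (base, uid) lookup: consult each source on the fly,
        rename attributes, rewrite the DN into the virtual namespace, cache the result."""
        if base != self.VIRTUAL_BASE:
            return None                       # outside the virtual tree
        if uid in self.cache:
            return self.cache[uid]
        entry = {}
        for fetch, attr_map in self.sources.values():
            self.backend_calls += 1
            data = fetch(uid)
            if data:
                entry.update({v: data[s] for v, s in attr_map.items() if s in data})
        if not entry:
            return None                       # unknown in every source; not cached
        entry.update(dn=f"uid={uid},{self.VIRTUAL_BASE}", uid=uid)
        self.cache[uid] = entry
        return entry

    def invalidate(self, uid: str):
        """Drop a cached entry after a change in one of the sources."""
        self.cache.pop(uid, None)
```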

Summary & Additional Information


Summary

SAP Identity Management is part of a comprehensive SAP security suite that includes access control as well as secure programming and compliance aspects.

The solution covers the entire identity lifecycle and automation capabilities based on business processes.

A strong integration with SAP Access Control creates a holistic identity and access governance solution.

Extensive connectivity with SAP and non-SAP applications extends identity management to all areas of the enterprise.


Find More Information: SAP Community Network

Visit the SAP Community Network (SCN) for comprehensive information on SAP Identity Management, such as
• Discussion forum, product information, documentation, training, and support information
• Articles, blogs, WIKI, FAQs, and newsletters
• Downloads

http://scn.sap.com/community/idm


SAP Identity Management Rapid Deployment Solution

• Short project times and reduced TCO by simplifying assignment and management of roles and privileges to users
• Implementation of best practice processes out of the box with a fixed scope and the most important and common scenarios, e.g. defined set of customer-specific configuration, connection of source and target systems, provisioning etc.
• Pre-configured functionality of SAP Identity Management in a development system
• Step-by-step guide, describing each activity during deployment
• Solution can be extended with additional add-on options

Standard solution: connection of 1 source and 2 target systems, approval workflows, automatic authorization assignment, mass user administration jobs, e-mail notification framework, support of system-specific attributes, new Web UI tasks, predefined HTML-based reports

Add-On 1: connection to additional SAP systems
Add-On 2: additional go-live support


© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.