IdM FinalVer


  IBSolution Bulgaria EOOD

    SAP NetWeaver Identity Management

    Kiril Anastasov



    1. SAP NetWeaver Identity Management

    2. Use Cases

    3. Access Control or Governance, risk and compliance (GRC)

    4. Single Sign On (SSO)


    What is SAP Identity Management?

    The whole idea of identity management is the ability to take user information and put it into a database, especially in an SAP environment, in order to provision the proper roles and access: which SAP modules in an organization a person needs to be able to use. We do not want to reduce their access and we do not want to give them extended access. IdM ends up enforcing the rules, making sure that everything is set correctly.

    Without IdM it is a manual process. When someone joins the company, HR submits an assignment with the information about the employee and puts everything into HCM, but where does it go after that? How do we get it to all the various SAP modules? IdM is a central repository, and we can put workflows in place so that we are able to put people exactly where they need to be in the organization: where they are in the hierarchy and where they are geographically.


    Slide 3


    Why bother with IdM?

    What is the alternative to IdM?

    A lot of spreadsheets.

    A lot of emails.

    A lot of printed forms.

    Consequences of working without IdM

    Manual work prone to mistakes.

    Less efficient process.

    No audit reports.

    Security threats.


    Slide 4


    IdM History & Central User Administration

    SAP bought Norwegian company MaXware in 2007.

    MaXware and SAP had many shared Fortune 500 companies as customers and acquisition was natural.

    In 2014 SAP decided to move the IdM development from Norway to Bulgaria.

    The latest version is 8.0 which is Eclipse based.

    Central User Administration

    CUA was designed to save money and resources when managing a large number of users.

    CUA is used for maintaining user master records centrally in one system.

    When the data is modified, then it is automatically updated in the other SAP systems.

    Data can be exchanged in a controlled way and kept consistent.

    CUA is used for authorization and role management of SAP systems.

    CUA can be used only with SAP systems.

    CUA will not evolve and SAP recommends using SAP IdM instead.

    Background & CUA

    Slide 5


    SAP Identity Management Features

    IdM can be used in heterogeneous landscapes, for both SAP and non-SAP systems such as Microsoft Active Directory (AD), and can be integrated with CUA both on premise and in the cloud.

    Provisioning, workflow and approvals: Business rules define user access across different systems. Users are provisioned quickly, and audit statistics are available.

    Reporting and auditing: Extensive auditing functionality enables you to produce statistics based on current access and past events. These reports can be used to reliably find out whether a person had access to an application.

    Identity virtualization: Centralized view of the users and identity services with VDS.

    Password management: self-service password reset and password synchronization across all systems.

    Business Roles: Users are assigned roles and given certain privileges.

    Integration with Access Control or Governance, risk and compliance (GRC).

    Integration with Single Sign On so users will need only one password.


    Slide 6


    Business Roles

    High level descriptions of positions like HR or Manager.

    One Business Role can have multiple Technical roles/privileges attached to it.

    Business roles are defined in IdM.

    There are three ways to provision roles to people.

    1. Through request/approval workflow.

    2. Manually (administrator).

    3. Automatically, e.g. HR-driven.

    Business Roles

    Slide 7


    Context-Based Role Assignments

    Context-Based Role Assignments: used to reduce the number of roles and privileges in the enterprise since IdM version 7.2. With context-based role assignment there is no need to duplicate a role for each factory. Context-based role assignment is most beneficial when the number of roles is low and the number of factories is large.

    With 15 roles and 20 factories you would have 300 roles in IdM version 7.1.

    With 15 roles and 20 factories you would have 35 roles + contexts in IdM version 7.2.

    The difference with this data set is considerable, approximately 8.5 times, and when the number of entries is big the growth in IdM version 7.1 will be exponential. However, in IdM version 7.2 with context-based role assignment the growth will not be considerable.

    Figure 1: Context-based role assignment (SAP Identity Management Overview, 2014)

    Role Assignments

    Slide 8
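    The counting argument above (roles x factories versus roles + contexts) and the later position-change use case, as an added example that is not SAP's code or the deck's own: a hypothetical Python model in which a business role resolves to per-factory technical privileges through the context of the assignment. ROLES, FACTORIES, the privilege templates and the ContextRole/Assignment classes are assumptions constructed for the example.

```python
"""Added example (not SAP code): hypothetical model of context-based role assignment.
IdM 7.1 style keeps one role object per (role, factory) pair; IdM 7.2 style keeps
roles and contexts separate. Names and privilege templates are constructed."""
from dataclasses import dataclass
from itertools import product

ROLES = [f"Role{i}" for i in range(1, 16)]         # 15 roles (constructed)
FACTORIES = [f"Factory{i}" for i in range(1, 21)]  # 20 factories (constructed)

def objects_without_context(roles, contexts):
    """IdM 7.1 style: every role is duplicated for every factory (roles x factories)."""
    return [f"{r}_{c}" for r, c in product(roles, contexts)]

def objects_with_context(roles, contexts):
    """IdM 7.2 style: one object per role plus one per context (roles + contexts)."""
    return list(roles) + [f"ctx:{c}" for c in contexts]

@dataclass(frozen=True)
class ContextRole:
    """Business role whose technical privileges are parameterised by the context."""
    name: str
    privilege_templates: tuple  # hypothetical system-specific templates using {ctx}

    def resolve(self, ctx):
        """Technical privileges granted by this role in one factory context."""
        return [t.format(ctx=ctx) for t in self.privilege_templates]

@dataclass
class Assignment:
    user: str
    role: ContextRole
    ctx: str

def effective_privileges(assignments, user):
    """All technical privileges a user holds across role/context assignments."""
    privs = set()
    for a in assignments:
        if a.user == user:
            privs.update(a.role.resolve(a.ctx))
    return sorted(privs)

def change_context(assignments, user, role_name, new_ctx):
    """Position change: re-point the user's assignment to another factory.
    Only the context changes; no duplicated role object is needed."""
    return [Assignment(a.user, a.role, new_ctx)
            if a.user == user and a.role.name == role_name else a
            for a in assignments]
```

    Running the two counting functions on the constructed 15 roles and 20 factories reproduces the 300 versus 35 objects quoted on the slide.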


    Technical Roles / Privileges

    Technical roles / privileges:

  • represent the technical access rights in different systems (ABAP roles, UME roles, Portal roles, Active Directory);

  • are loaded into IdM from the target systems;

  • are system specific;

  • can be granted via self-service.


    Slide 9


    SAP Identity Center

    Identity Center

    Slide 10

    SAP NetWeaver Identity Management consists of two components:

    Identity Center (IC)

    Virtual Directory Server (VDS)

    1. Identity Center

    This is the primary component for identity management. Identity Center uses a centralized repository, called the identity store, to provide a uniform view of the data regardless of the data's original source. Identity Center enables you to control all identities within your organization, not only employees but also contractors, customers, partners and other identities that need to access your organization's applications. It communicates with the Virtual Directory Server using the LDAP protocol.

    Figure 2: Identity Center (SAP Identity Management Overview, 2014)


    SAP Virtual Directory Service


    Slide 11


    2. Virtual Directory Server (VDS)

    VDS can be connected to many systems such as LDAP directories or databases. A template is delivered with the VDS in order to connect to the IdM database. Using the LDAP protocol, entries in the database can be viewed, updated and created. As the VDS is a virtual directory, you can easily use an external LDAP client browser to connect to the VDS and obtain the same results.

    Figure 3: VDS (SAP Identity Management Overview, 2014)


    Use case 1

    Figure 4: Typical employee lifecycle (SAP Identity Management Overview, 2014)

    Example of typical employee lifecycle

    Slide 12


    Use case 2.1

    Figure 5: Start work (SAP Identity Management Overview, 2014)

    Start work

    Slide 13


    Use case 2.2

    Figure 6: Position Change (SAP Identity Management Overview, 2014)

    Position Change

    Slide 14


    Use case 2.3

    Figure 7: Termination (SAP Identity Management Overview, 2014)


    Slide 15



    Access Control

    Slide 16

    IdM can be integrated with Access Control or Governance, risk and compliance (GRC).

    Reduce the cost and effort of managing your GRC initiatives with governance, risk and compliance solutions from SAP. Embed risk and compliance activities into strategy, planning, and execution. Optimise business performance by accounting for risk and reputation.

    Manage risk and increase reliability.

    Respond more effectively with risk indicators, events and effects.

    Reduce the impact of losses through early mitigations.

    Reduce access risk as well as levels of internal fraud and loss of revenue due to employee error.

    Enable efficient, cost-effective audits and ongoing compliance activities.



    Access Control

    Slide 17

    Figure 8: GRC (SAP Identity Management Overview, 2014)


    SAP NetWeaver Single Sign-On


    Slide 18

    Users need only one password for the entire landscape (AD, SAP).

    Enhanced security with Kerberos-like authentication.

    Two factor authentication (password and fingerprint).

    Two factor authen