www.ibsolution.bg . © IBSolution Bulgaria EOOD
AGENDA
1. SAP NetWeaver Identity Management
2. Use Cases
3. Access Control or Governance, risk and compliance (GRC)
4. Single Sign On (SSO)
What is SAP Identity Management?
The core idea of identity management is to take user information, store it in a central database and, especially in an SAP environment, use it to provision each user's proper roles and access: which SAP modules in the organization they need to be able to use. We want neither to reduce their access nor to give them extended access. IdM ends up enforcing the rules, making sure that everything is set correctly.
Without IdM it is a manual process. When someone joins the company, HR submits an assignment with the information about the employee and puts everything into HCM, but where does it go after that? How do we get it to all the various SAP modules? IdM is a central repository, and we can add workflows so that we are able to put people exactly where they need to be in the organization: where they are in the hierarchy and where they are geographically.
IdM
Slide 3
Why bother with IdM?
What is the alternative to IdM?
• A lot of spreadsheets.
• A lot of emails.
• A lot of printed forms.
Consequences of working without IdM
• Manual work prone to mistakes.
• Less efficient process.
• No audit reports.
• Security threats.
IdM
Slide 4
IdM History & Central User Administration
• SAP bought Norwegian company MaXware in 2007.
• MaXware and SAP had many shared Fortune 500 companies as customers, so the acquisition was natural.
• In 2014 SAP decided to move the IdM development from Norway to Bulgaria.
• The latest version is 8.0 which is Eclipse based.
Central User Administration
• CUA was designed to save money and resources when managing a large number of users.
• CUA is used for maintaining user master records centrally in one system.
• When the data is modified, it is automatically updated in the other SAP systems.
• Data can be exchanged in a controlled way and kept consistent.
• CUA is used for authorization and role management of SAP systems.
• CUA can be used only with SAP systems.
• CUA will not evolve and SAP recommends using SAP IdM instead.
Background & CUA
Slide 5
SAP Identity Management Features
• IdM can be used for SAP and non-SAP systems alike (for example Microsoft Active Directory, AD) in heterogeneous landscapes, and can be integrated with CUA, on premise and in the cloud.
• Provisioning, workflow and approvals: business rules define user access across different systems. Users are provisioned quickly, and statistics are available for audits.
• Reporting and auditing: extensive auditing functionality lets you produce statistics based on current access and past events. These reports can be relied on to find out whether a person had access to an application.
• Identity virtualization: a centralized view of users and identity services through the VDS.
• Password management: self-service password reset and password synchronization across all systems.
• Business roles: users are assigned roles and thereby given certain privileges.
• Integration with Access Control or Governance, risk and compliance (GRC).
• Integration with Single Sign-On, so users need only one password.
Features
Slide 6
Business Roles
• High level descriptions of positions like HR or Manager.
• One Business Role can have multiple Technical roles/privileges attached to it.
• Business roles are defined in IdM.
There are three ways to provision roles to people:
1. Through request/approval workflow.
2. Manually (administrator).
3. Automatically, e.g. HR-driven.
Business Roles
Slide 7
Context-Based Role Assignments
Context-based role assignment has been available since IdM version 7.2 and is used to reduce the number of roles and privileges in the enterprise. With context-based role assignment there is no need to duplicate a role for each factory: the factory becomes the context of the assignment instead. Context-based role assignment is most beneficial when the number of roles is low and the number of factories is big.
With 15 roles and 20 factories you would have 300 roles in IdM version 7.1.
With 15 roles and 20 factories you would have 35 roles + contexts in IdM version 7.2.
The difference with this data set is considerable, approximately 8.5 times, and when the number of entries is big, the growth will be exponential in IdM version 7.1. In IdM version 7.2 with context-based role assignment, however, the growth will not be considerable.
Figure 1: Context-based role assignment (SAP Identity Management Overview, 2014)
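The slide's 300-versus-35 figure, worked through in a small model (an added illustration, not SAP code: the role, factory and privilege names are constructed). `roles_71` duplicates every role per factory, `roles_72` keeps roles and contexts as separate objects and binds them only when a (user, role, context) assignment is resolved, and the resolver rejects an assignment that names a context which does not exist.

```python
# Toy model of context-based role assignment (added illustration, not SAP code).
# 7.1 style: one role object per (role, factory). 7.2 style: roles and contexts
# stay separate and are bound only at assignment time. Names are constructed.
from itertools import product

def roles_71(roles, factories):
    """One role object per (role, factory) pair. Object count = roles * factories."""
    return {f"{r}_{f}": {f"PRIV_{r}_{f}"} for r, f in product(roles, factories)}

def roles_72(roles, factories):
    """Roles are privilege templates with a context slot; factories are the
    contexts. Object count = roles + factories."""
    templates = {r: {f"PRIV_{r}_{{ctx}}"} for r in roles}
    return templates, set(factories)

def resolve_72(assignments, templates, contexts):
    """Expand (user, role, context) assignments into effective privileges;
    unknown roles or contexts are rejected rather than silently ignored."""
    effective = {}
    for user, role, ctx in assignments:
        if role not in templates or ctx not in contexts:
            raise ValueError(f"invalid assignment {(user, role, ctx)}")
        for tmpl in templates[role]:
            effective.setdefault(user, set()).add(tmpl.format(ctx=ctx))
    return effective

ROLES = [f"Role{i:02d}" for i in range(15)]       # constructed: 15 business roles
FACTORIES = [f"Plant{j:02d}" for j in range(20)]  # constructed: 20 factories

def object_counts():
    """Role objects to maintain in each model for the slide's data set."""
    templates, contexts = roles_72(ROLES, FACTORIES)
    return len(roles_71(ROLES, FACTORIES)), len(templates) + len(contexts)

def same_access_both_ways(user="u1", role="Role03", factory="Plant07"):
    """A 7.2 assignment grants exactly what the duplicated 7.1 role held."""
    templates, contexts = roles_72(ROLES, FACTORIES)
    granted = resolve_72([(user, role, factory)], templates, contexts)[user]
    return granted == roles_71(ROLES, FACTORIES)[f"{role}_{factory}"]

def rejects_unknown_context():
    """A context that does not exist (e.g. a mistyped plant) must not resolve."""
    templates, contexts = roles_72(ROLES, FACTORIES)
    try:
        resolve_72([("u1", "Role00", "Plant99")], templates, contexts)
    except ValueError:
        return True
    return False
```

`object_counts()` returns (300, 35), the two numbers quoted on the slide.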
Role Assignments
Slide 8
Technical Roles / Privileges
• Represent the technical access rights in different systems (ABAP roles, UME roles, Portal roles, Active Directory).
• Are loaded into IdM from the target systems.
• Are system specific.
• Can be granted via self-service.
Privileges
Slide 9
SAP Identity Center
Identity Center
Slide 10
SAP NetWeaver Identity Management consists of two components:
• Identity Center (IC)
• Virtual Directory Server (VDS)
1. Identity Center
This is the primary component for identity management. Identity Center uses a centralized repository, called the identity store, to provide a uniform view of the data, regardless of the data's original source. Identity Center enables you to control all identities within your organization, not only employees but also contractors, customers, partners and other identities that need to access your organization's applications. It communicates with the Virtual Directory Server using the LDAP protocol.
Figure 2: Identity Center (SAP Identity Management Overview, 2014)
SAP Virtual Directory Service
VDS
Slide 11
2. Virtual Directory Server (VDS)
The VDS can be connected to many systems, such as LDAP directories or databases. A template is delivered with the VDS for connecting to the IdM database. Using the LDAP protocol, entries in the database can be viewed, updated and created. As the VDS is a virtual directory, you can just as easily use an external LDAP client browser to connect to the VDS and obtain the same results.
Figure 3: VDS (SAP Identity Management Overview, 2014)
Use case 1
Figure 4: Typical employee lifecycle (SAP Identity Management Overview, 2014)
Example of typical employee lifecycle
Slide 12
Use case 2.1
Figure 5: Start work (SAP Identity Management Overview, 2014)
Start work
Slide 13
Use case 2.2
Figure 6: Position Change (SAP Identity Management Overview, 2014)
Position Change
Slide 14
Use case 2.3
Figure 7: Termination (SAP Identity Management Overview, 2014)
Termination
Slide 15
GRC
Access Control
Slide 16
IdM can be integrated with Access Control or Governance, risk and compliance (GRC).
Reduce the cost and effort of managing your GRC initiatives with governance, risk and compliance solutions from SAP. Embed risk and compliance activities into strategy, planning and execution. Optimise business performance by accounting for risk and reputation.
• Manage risk and increase reliability.
• Respond more effectively with risk indicators, events and effects.
• Reduce the impact of losses through early mitigations.
• Reduce access risk – as well as levels of internal fraud and loss of revenue due to employee error.
• Enable efficient, cost-effective audits and ongoing compliance activities.
GRC
Access Control
Slide 17
Figure 8: GRC (SAP Identity Management Overview, 2014)
SAP NetWeaver Single Sign-On
SSO
Slide 18
• Users need only one password for the entire landscape (AD, SAP).
• Enhanced security with Kerberos-like authentication.
• Two-factor authentication (password and fingerprint).
Two-factor authentication (device and password)
Figure 9: SSO (SAP Identity Management Overview, 2014)
Summary
In this presentation we have covered the most important topics about SAP NetWeaver Identity Management, including:
• What is SAP Identity Management?
• IdM history & features.
• CUA.
• IC & VDS.
• GRC and SSO integration.
If you still maintain users manually in different systems like SAP, AD and Lotus Notes, SAP NetWeaver Identity Management can help you automate the process and save you time, money and a lot of nerves.
Finally
Slide 19
THE END
Identity Management
LinkedIn: https://bg.linkedin.com/in/kanastasov Email: [email protected]
References:
Policove, M. (2014), SAP Identity Management, Available at: https://www.youtube.com/watch?v=7jhSKJsnmq8 (Accessed: 29 July 2015).
Leonard, C. (2012), Virtual Directory Server – Accessing the Identity Store, Available at: http://wiki.scn.sap.com/wiki/display/Security/Virtual+Directory+Server+-+Accessing+the+Identity+Store (Accessed: 29 July 2015).
SAP (2014), SAP Identity Management Overview, Available at: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c050ee1b-3a55-3210-56b8-a390b2c80a5d?QuickLink=index&overridelayout=true&59661390715821 (Accessed: 29 July 2015).
SAP (2014), Central User Administration, Available at: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/bf/b0b13bb3acd607e10000000a11402f/content.htm (Accessed: 29 July 2015).
SAP (2014), SAP solutions for GRC, Available at: http://issuu.com/grcebook/docs/sap_solutions_for_grc_ebook (Accessed: 29 July 2015).
SAP (2013), Secure One-Time Systemwide Authentication with SAP NetWeaver® Single Sign-On, Available at: http://www.sap.com/bin/sapcom/en_us/downloadasset.2011-09-sep-22-14.sap-netweaver-single-sign-on-for-high-productivity-and-security-in-your-company-pdf.html (Accessed: 29 July 2015).
SAP (2012), Business-Driven, Compliant Identity Management, Available at: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90c5aa16-1861-2e10-ae82-9e4a34f1c42d?QuickLink=index&overridelayout=true&59661390715881 (Accessed: 29 July 2015).
Slide 21