Transcript

www.ibsolution.bg . © IBSolution Bulgaria EOOD

SAP NetWeaver Identity Management

Kiril Anastasov


AGENDA

1. SAP NetWeaver Identity Management

2. Use Cases

3. Access Control or Governance, risk and compliance (GRC)

4. Single Sign On (SSO)


What is SAP Identity Management ?

The core idea of identity management is to take the information about a user, store it in a central repository and, especially in an SAP environment, provision the correct roles and access from it: which SAP modules in the organization the user needs to be able to use. Access should be neither narrower nor broader than the job requires. IdM ends up enforcing those rules and making sure that everything is set correctly.

Without IdM this is a manual process. When someone joins the company, HR submits an assignment with the information about the employee and enters everything into HCM, but where does it go after that? How does it reach all the various SAP modules? IdM is a central repository to which workflows can be attached, so that people are placed exactly where they need to be in the organization: where they sit in the hierarchy and where they are geographically.


Why bother with IdM?

What is the alternative to IdM?

• A lot of spreadsheets.

• A lot of emails.

• A lot of printed forms.

Consequences of working without IdM

• Manual work prone to mistakes.

• Less efficient process.

• No audit reports.

• Security threats.


IdM History & Central User Administration

• SAP bought Norwegian company MaXware in 2007.

• MaXware and SAP had many shared Fortune 500 companies as customers and acquisition was natural.

• In 2014 SAP decided to move the IdM development from Norway to Bulgaria.

• The latest version is 8.0, whose developer studio is Eclipse-based.

Central User Administration

• CUA was designed to save money and resources managing large number of users.

• CUA is used for maintaining user master records centrally in one system.

• When the data is modified, then it is automatically updated in the other SAP systems.

• Data can be exchanged in a controlled way and kept consistent.

• CUA distributes user master data and role assignments to SAP systems; the roles themselves are still maintained in the individual systems.

• CUA can be used only with SAP ABAP systems.

• CUA will not evolve and SAP recommends using SAP IdM instead.


SAP Identity Management Features

• IdM covers heterogeneous landscapes: SAP and non-SAP systems such as Microsoft Active Directory (AD), on premise and in the cloud. An existing CUA can be integrated as one of the connected systems.

• Provisioning, workflow and approvals: business rules define user access across the different systems. Users are provisioned quickly and every provisioning step is recorded, so statistics are available for audits.

• Reporting and auditing: extensive auditing functions produce reports on current access and on past events, so you can reliably answer who had access to which application, and when.

• Identity virtualization: a centralized view of users and identity services through the Virtual Directory Server (VDS).

• Password management: self-service password reset and password synchronization across all connected systems.

• Business roles: users are assigned business roles, which carry the technical privileges they need in the target systems.

• Integration with SAP Access Control (governance, risk and compliance, GRC), so that access risks such as segregation-of-duties conflicts can be checked before a role is assigned.

• Integration with SAP NetWeaver Single Sign-On, so that users need only one password.


Business Roles

• High-level descriptions of positions, such as HR or Manager.

• One Business Role can have multiple Technical roles/privileges attached to it.

• Business roles are defined in IdM.

There are three ways to provision roles to people:

1. Through request/approval workflow.

2. Manually (administrator).

3. Automatically, e.g. HR-driven.


Context-Based Role Assignments

Context-based role assignment, available since IdM version 7.2, reduces the number of roles and privileges in the enterprise. A role such as "Buyer" is defined once and assigned to a user together with a context, for example the factory the user works in, so there is no need to duplicate the role for each factory. The saving grows with the number of contexts: the number of role definitions in IdM becomes the sum of roles and contexts instead of their product.

With 15 roles and 20 factories you would have 15 × 20 = 300 roles in IdM version 7.1.

With 15 roles and 20 factories you have 15 roles + 20 contexts = 35 role definitions in IdM version 7.2.

For this data set the difference is already a factor of roughly 8.5. Because the 7.1 figure is a product, it grows quadratically when both the number of roles and the number of factories increase, whereas with context-based role assignment in 7.2 the growth stays linear.

Figure 1: Context-based role assignment (SAP Identity Management Overview, 2014)
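A worked model of context-based role assignment, as an added example for this page (it is not SAP code and does not call the IdM API). The business roles, privilege name patterns, target systems and factory codes are invented, and the `{ctx}` placeholder convention is an assumption used to mark which privileges are plant-specific. The counting functions reproduce the 15 × 20 comparison above; `effective_privileges` shows how one assignment resolves to target-system privileges, and `leaks_other_context` is the check that a context-scoped assignment never yields privileges belonging to another factory.

```python
"""Context-based role assignment modelled in plain Python.

Added example for this page; not SAP code. It shows (1) why a role
defined once and assigned *with a context* replaces one copy of the
role per factory, and (2) how an assignment (business role, context)
resolves to the technical privileges that would be provisioned to the
target systems. Role names, privilege name patterns, system names and
factory codes are invented for the example.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Privilege:
    system: str   # target system the privilege lives in, e.g. "ERP" or "AD"
    name: str     # technical role or group name in that system


@dataclass(frozen=True)
class BusinessRole:
    name: str
    # (system, name pattern). "{ctx}" marks a privilege scoped to the
    # context; a pattern without "{ctx}" is identical in every context.
    patterns: tuple

    def resolve(self, ctx: str) -> frozenset:
        """Technical privileges this role grants in context `ctx`."""
        return frozenset(Privilege(system, pat.format(ctx=ctx))
                         for system, pat in self.patterns)


# Invented role catalogue: one definition per business role, no factory copies.
ROLES = {
    "Buyer": BusinessRole("Buyer", (
        ("ERP", "Z_MM_BUYER_{ctx}"),      # plant-specific ABAP role
        ("AD", "GRP-{ctx}-PURCHASING"),   # plant-specific AD group
        ("PORTAL", "SRM_REQUESTER"),      # same portal role in every plant
    )),
    "Warehouse": BusinessRole("Warehouse", (
        ("ERP", "Z_WM_CLERK_{ctx}"),
        ("AD", "GRP-{ctx}-LOGISTICS"),
    )),
}
FACTORIES = ["PL01", "PL02", "PL03"]   # the contexts (assumed factory codes)


def effective_privileges(assignments) -> frozenset:
    """Union of the privileges of all (business role, context) assignments of a user."""
    result = set()
    for role_name, ctx in assignments:
        result |= ROLES[role_name].resolve(ctx)
    return frozenset(result)


def leaks_other_context(assignments, all_contexts=FACTORIES) -> bool:
    """True if the resolved privileges contain a context-scoped privilege of a
    context the user was NOT assigned to. A sanity check on the context boundary."""
    privs = effective_privileges(assignments)
    assigned = {ctx for _, ctx in assignments}
    return any(other not in assigned and any(other in p.name for p in privs)
               for other in all_contexts)


def role_count_duplicated(num_roles: int, num_contexts: int) -> int:
    """IdM 7.1 style: one role object per (role, factory) pair."""
    return num_roles * num_contexts


def role_count_with_contexts(num_roles: int, num_contexts: int) -> int:
    """IdM 7.2 style: roles and contexts are separate objects, combined at assignment time."""
    return num_roles + num_contexts


def duplicated_role_names(roles=ROLES, contexts=FACTORIES) -> list:
    """What the catalogue would look like without contexts: Buyer_PL01, Buyer_PL02, ..."""
    return [f"{r}_{c}" for r, c in product(roles, contexts)]


if __name__ == "__main__":
    user = [("Buyer", "PL01"), ("Warehouse", "PL02")]   # constructed assignments
    for p in sorted(effective_privileges(user), key=lambda p: (p.system, p.name)):
        print(f"{p.system:7}{p.name}")
    print("leaks into an unassigned factory:", leaks_other_context(user))
    print("7.1, 15 roles x 20 factories:", role_count_duplicated(15, 20))
    print("7.2, 15 roles + 20 contexts: ", role_count_with_contexts(15, 20))
```

The design choice worth noting is that the context is applied at assignment time, not in the role definition, so adding a factory means adding one context object rather than one copy of every role, and the leak check is what an auditor would run to confirm that a user assigned to PL01 cannot end up with PL02 privileges through a mis-templated role.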


Technical Roles/ Privileges

• Represent the technical access rights in the different target systems (ABAP roles, UME roles, Portal roles, Active Directory groups).

• Are loaded into IdM from the target systems.

• Are system specific.

• Can be requested via self-service and granted through the request/approval workflow.


SAP Identity Center


SAP NetWeaver Identity Management consists of two components:

• Identity Center (IC)

• Virtual Directory Server (VDS)

1. Identity Center

This is the primary component for identity management. Identity Center uses a centralized repository, called the identity store, to provide a uniform view of the data regardless of its original source. Identity Center enables you to control all identities within your organization: not only employees, but also contractors, customers, partners and any other identities that need access to your organization's applications. It communicates with the Virtual Directory Server using the LDAP protocol.

Figure 2: Identity Center (SAP Identity Management Overview, 2014)


SAP Virtual Directory Service


2. Virtual Directory Server (VDS)

The VDS can be connected to many systems, such as LDAP directories or databases. A template is delivered with the VDS for connecting to the IdM database, so that entries in the identity store can be viewed, updated and created over the LDAP protocol. Because the VDS is a virtual directory, any external LDAP client or LDAP browser can connect to it and obtain the same results.

This also makes the VDS an LDAP-facing entry point into the identity store: its listener should be reachable only from the systems that need it, accept authenticated binds only, and run over TLS, since whoever can bind with write access can change identities and assignments directly.

Figure 3: VDS (SAP Identity Management Overview, 2014)


Use case 1

Figure 4: Typical employee lifecycle (SAP Identity Management Overview, 2014)

Example of typical employee lifecycle


Use case 2.1

Figure 5: Start work (SAP Identity Management Overview, 2014)

Start work


Use case 2.2

Figure 6: Position Change(SAP Identity Management Overview, 2014)

Position Change


Use case 2.3

Figure 7: Termination (SAP Identity Management Overview, 2014)

Termination
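The lifecycle in Figures 4 to 7 (start work, position change, termination), together with the three provisioning paths listed under Business Roles, as an added example that is not part of the original presentation or of SAP's software: a small identity store in Python that applies HR events, works out the grant and revoke actions per target system, and answers the audit question from the Features slide, whether a person had a given access on a given date. The role catalogue, positions, system names, user IDs and HR events are constructed for the example.

```python
"""HR-driven joiner / mover / leaver provisioning with an audit trail.

Added example for this page, not SAP code: an identity store that takes
the HR events of the employee lifecycle (start work, position change,
termination) plus approved self-service requests, maps business roles to
technical privileges, computes the grant/revoke actions for each target
system, and keeps a timestamped audit log so "did this person have this
access on that date?" can be answered. Catalogue, positions, systems and
the HR feed below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Business role -> technical privileges (system, name). Invented catalogue.
ROLE_PRIVILEGES = {
    "Employee":   {("AD", "GRP-ALL-STAFF"), ("PORTAL", "ESS")},
    "Accountant": {("ERP", "Z_FI_AP_CLERK"), ("AD", "GRP-FINANCE")},
    "Manager":    {("ERP", "Z_MM_APPROVER"), ("AD", "GRP-MANAGERS"), ("PORTAL", "MSS")},
}
# HR position -> business roles granted automatically (the HR-driven path).
POSITION_ROLES = {
    "AP Clerk": {"Employee", "Accountant"},
    "Purchasing Manager": {"Employee", "Manager"},
}


@dataclass(frozen=True)
class AuditEntry:
    when: date
    user: str
    system: str
    privilege: str
    action: str   # "grant" or "revoke"
    reason: str   # HR event or approval reference that caused it


@dataclass
class Identity:
    status: str = "active"
    hr_roles: set = field(default_factory=set)         # derived from the HR position
    requested_roles: set = field(default_factory=set)  # via request/approval or an admin


class IdentityStore:
    def __init__(self):
        self.identities = {}
        self.audit = []

    def _desired(self, ident: Identity) -> set:
        if ident.status != "active":
            return set()                       # a disabled identity keeps nothing
        privs = set()
        for role in ident.hr_roles | ident.requested_roles:
            privs |= ROLE_PRIVILEGES[role]
        return privs

    def current_privileges(self, uid: str, on: Optional[date] = None) -> set:
        """Replay the audit log up to and including `on` (default: everything)."""
        privs = set()
        for e in self.audit:
            if e.user != uid or (on is not None and e.when > on):
                continue
            key = (e.system, e.privilege)
            if e.action == "grant":
                privs.add(key)
            else:
                privs.discard(key)
        return privs

    def _reconcile(self, when: date, uid: str, reason: str) -> list:
        have = self.current_privileges(uid)
        want = self._desired(self.identities[uid])
        # Revokes first, so a mover never accumulates old and new access.
        actions = [(s, p, "revoke") for s, p in sorted(have - want)]
        actions += [(s, p, "grant") for s, p in sorted(want - have)]
        for system, priv, action in actions:
            self.audit.append(AuditEntry(when, uid, system, priv, action, reason))
        return actions

    # HR-driven events
    def start_work(self, when, uid, position):
        self.identities[uid] = Identity(hr_roles=set(POSITION_ROLES[position]))
        return self._reconcile(when, uid, f"HR hire: {position}")

    def change_position(self, when, uid, position):
        self.identities[uid].hr_roles = set(POSITION_ROLES[position])
        return self._reconcile(when, uid, f"HR move: {position}")

    def terminate(self, when, uid):
        ident = self.identities[uid]
        ident.status = "disabled"
        ident.requested_roles.clear()          # approved extras end with the contract
        return self._reconcile(when, uid, "HR termination")

    # Request/approval (or administrator) path
    def approve_request(self, when, uid, role, approver):
        self.identities[uid].requested_roles.add(role)
        return self._reconcile(when, uid, f"request approved by {approver}")

    # Audit question: point-in-time access
    def had_privilege(self, uid, system, privilege, on: date) -> bool:
        return (system, privilege) in self.current_privileges(uid, on)
```

Two points carry over to a real deployment: the reconciliation is computed as a difference between the recorded state and the desired state, which is what lets a position change revoke the old role's privileges instead of piling new ones on top, and the audit log is the only source for the point-in-time query, so every grant and revoke must pass through it, including those made by administrators outside the HR feed.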


GRC


IdM can be integrated with SAP Access Control (governance, risk and compliance, GRC).

Reduce the cost and effort of managing your GRC initiatives with governance, risk and compliance solutions from SAP. Embed risk and compliance activities into strategy, planning, and execution. Optimise business performance by accounting for risk and reputation.

• Manage risk and increase reliability.

• Respond more effectively with risk indicators, events and effects.

• Reduce the impact of losses through early mitigations.

• Reduce access risk – as well as levels of internal fraud and loss of revenue due to employee error.

• Enable efficient, cost-effective audits and ongoing compliance activities.


Figure 8: GRC (SAP Identity Management Overview, 2014)


SAP NetWeaver Single Sign-On


• Users need only one password for the entire landscape (AD, SAP).

• Enhanced security with Kerberos-based authentication: the password is verified once by the domain controller and the SAP systems receive a ticket instead of the password.

• Two-factor authentication (password plus a device or a fingerprint).

Because one credential now opens the whole landscape, the strength of that first authentication, and of the second factor, becomes the security boundary for every connected system.

Figure 9: SSO (SAP Identity Management Overview, 2014)


Summary

In this presentation we have covered the most important topics about SAP NetWeaver Identity Management, including:

• What is SAP Identity Management ?

• IdM history & features.

• CUA.

• IC & VDS.

• GRC and SSO integration.

If you still maintain users manually in different systems such as SAP, AD and Lotus Notes, SAP NetWeaver Identity Management can help you automate the process and save time, money and a lot of nerves.


THE END


LinkedIn: https://bg.linkedin.com/in/kanastasov Email: [email protected]


References:

Policove, M. (2014), SAP Identity Management, Available at: https://www.youtube.com/watch?v=7jhSKJsnmq8 (Accessed: 29 July 2015).

Leonard, C. (2012), Virtual Directory Server – Accessing the Identity Store, Available at: http://wiki.scn.sap.com/wiki/display/Security/Virtual+Directory+Server+-+Accessing+the+Identity+Store (Accessed: 29 July 2015).

SAP (2014), SAP Identity Management Overview, Available at: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c050ee1b-3a55-3210-56b8-a390b2c80a5d?QuickLink=index&overridelayout=true&59661390715821 (Accessed: 29 July 2015).

SAP (2014), Central User Administration, Available at: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/bf/b0b13bb3acd607e10000000a11402f/content.htm (Accessed: 29 July 2015).

SAP (2014), SAP solutions for GRC, Available at: http://issuu.com/grcebook/docs/sap_solutions_for_grc_ebook (Accessed: 29 July 2015).

SAP (2013), Secure One-Time Systemwide Authentication with SAP NetWeaver® Single Sign-On, Available at: http://www.sap.com/bin/sapcom/en_us/downloadasset.2011-09-sep-22-14.sap-netweaver-single-sign-on-for-high-productivity-and-security-in-your-company-pdf.html (Accessed: 29 July 2015).

SAP (2012), Business-Driven, Compliant Identity Management, Available at: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90c5aa16-1861-2e10-ae82-9e4a34f1c42d?QuickLink=index&overridelayout=true&59661390715881 (Accessed: 29 July 2015).
