SAP NetWeaver Identity Management

Published on March 2017

SAP NetWeaver Identity Management Overview
Product Management, SAP NetWeaver Identity Management & Security, November 2012

Agenda
- Introduction to Identity Management
- SAP NetWeaver Identity Management Solution in Detail
  - Role Management and Workflows
  - Business-Driven Identity Management
  - Compliance, Reporting, and Auditing
  - Password Management
  - Identity Virtualization
  - Connectivity and Services
  - Identity Federation and Web-Based Single Sign-On
  - Database support
- SAP NetWeaver Identity Management Architecture
- Summary and Additional Information Sources
© 2011 SAP AG. All rights reserved.

Introduction to Identity Management

Identity Management Definition

Identity management enables the efficient, secure and compliant execution of business processes by ensuring that the right users have the right access to the right systems at the right time, consistent with their roles across all systems and applications.

Challenges of a Typical Employee Lifecycle
- Long time to become productive
- Enormous costs and efforts
- Security leaks if employee leaves

Example timeline for one employee, Chuck Brown:
- Hire date: Chuck Brown joins company. Available: temporary accounts
- 3 weeks later: Chuck Brown is able to work in accounting. Available: E-Mail, Portal, Internet, Accounting
- 1 year later: Chuck Brown transfers to sales. Available: E-Mail, Portal, Internet, Accounting, CRM (west), Marketing data (west)
- 7 years later: Chuck Brown is promoted: Vice President Sales. Available: E-Mail, Portal, Internet, Accounting, CRM (global), Marketing data (global)
- 8 years later: Chuck Brown resigns. All known accounts of Chuck Brown are deactivated
- 10 years later: Chuck Brown still has access to the system. Available: Accounting, Marketing data (global)

Business Drivers for Identity Management

Increasing Operational Costs
- Maintenance of multiple sources of identity data
- Manual user provisioning by help desk delays on/offboarding and change in positions
- Labor-intensive, paper-based approval systems
- Users dependent on help desk response times

Changing Business Processes
- Multi-enterprise fulfillment transactions with increasing partner process participation
- Industry-specific user provisioning requirements
- Inconsistent and informal processes proliferate

Compliance Requirements
- No record of who has access to which IT resources
- Inability to de-provision user access rights upon termination
- Identify and manage business & IT controls
- Provide auditors with complete audit trail
- Prevention of unauthorized access in multi-enterprise environments

SAP NetWeaver Identity Management Value Proposition

Efficiency
- Central management of user identities
- Lower cost of administration

Insight
- Regulatory compliance
- Governance model for policy management

Flexibility
- Business-driven identity management
- Responsive to business changes

Further points:
- Standards-based technology platform
- Leverage SAP NetWeaver management and administration capabilities
- Rule-driven workflow / approval process
- Extensive audit trail, logging and reporting capabilities
- Integration with SAP Business Suite and SAP BusinessObjects Access Control (GRC) for end-to-end, compliant, role-based control
- Standards-based integration with SAP Business Suite
- Identity services enable tightly aligned, loosely coupled integration

SAP NetWeaver Identity Management Vision
Compliant Identity Management and Single Sign-On
- Compliance / Governance: SAP BusinessObjects Access Control
- Identity Management: SAP NetWeaver Identity Management
- Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity and single sign-on solutions.

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Identity Management Yesterday: Localized User Administration
Example: on-boarding
- ABAP: Transaction SU01 for local user management
- Java: User Management Engine (UME) for local user management
- Local user management in each system

Identity Management Yesterday: Partial Centralization
Example: on-boarding
- CUA: provisioning for ABAP-based systems
- LDAP directory: UME data source
- 3rd-party identity management product
- Synchronization between these components

SAP NetWeaver Identity Management: Holistic Approach
Example: on-boarding
SAP NetWeaver Identity Management provides:
- Central identity store
- Approval workflows
- Compliance checks with SAP BusinessObjects Access Control (GRC)
- SAP Business Suite integration
- Identity virtualization and identity as a service
- Password management
- Web-based single sign-on & identity federation
- Reporting
- Rule-based assignment of business roles
- Provisioning to SAP and non-SAP systems

SAP NetWeaver Identity Management Within the Technology Platform
Identity management is an integral part of the SAP NetWeaver technology platform:
- It enables efficient and secure management of identity information.
- It supports both SAP-only and heterogeneous system landscapes.
- It integrates with the SAP NetWeaver platform and business applications.
- It complements integrated SAP NetWeaver security frameworks.

SAP security framework areas:
- Compliance: Regulatory Compliance, Auditing, SAP Solutions for Governance, Risk and Compliance
- Security Targets: Security Interoperability, Secure Collaboration, Identity and Access Management, Infrastructure Security, Software Lifecycle Security
- Web Services Security, Content Security
- Identity Management, Authorization Concepts and Management, Authentication and Single Sign-On
- Operating System and Database Security, Network and Communications Security, Front-End Security, Secure Configuration, Secure Change Management
- Secure Product Development, Secure Delivery
- Security Governance


Solution in Detail: Role Management and Workflows

Role Definition and Provisioning
Role definition (design, one-time task):
- Read system access information (roles, groups, authorizations, etc.) from target systems
- Define a business role hierarchy
- Assign technical roles to business roles
- Develop rules for role assignments
Provisioning (regularly):
- Assign or remove roles to/from people
  - Through request/approval workflow
  - Manually (administrator)
  - Automatically, e.g. HR-driven
- Automatic adjustment of master data and assignments of technical authorizations in target systems

Example mapping:
- Business roles: Employee, Accounting, Manager
- Technical roles: E-mail, AD user, End user (Portal role), Accounting (ABAP role), HR manager (ABAP role)
- Target systems: E-Mail System, Active Directory, SAP Portal, SAP FI, SAP HR

Role Management Based on Business Processes
Business process "Create Sales Order": create order in SAP CRM, check pricing in SAP IPC, check availability in SAP SCM.

Design time (SAP ERP HCM, SAP NetWeaver Identity Management):
1. Create "Create Sales Order" business role
2. Assign authorization needed for business process
3. Create rule to automatically link business role to employees with position sales clerk

Execution time: the rule links the business role to employees with the position sales clerk.

Context-Based Role Assignment
Available as of Release 7.2
As of Release 7.2, SAP NetWeaver ID Mgmt allows for the assignment between:
- a person,
- a role or privilege,
- and an optional context.
Context types are defined by the customer; examples include factory, store, project, location, etc.
Use case: A person has a specific role in a given factory. Using context-based role assignment, there is no need to duplicate these roles for each factory.
Example: 20 roles, 1000 factories
- IDM 7.1: 20,000 entries (roles)
- IDM 7.2: 1,020 entries (roles + contexts)
The assignment links people, roles and the factory as context.

Benefit: Assigning a context reduces the number of roles (and privileges).
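The difference between a per-context duplicated role catalog and a contextual assignment, as an added illustration that is not part of the original deck and not SAP code. Role names, privilege names and factory ids are constructed assumptions; the point shown is that a role held in one factory grants nothing in another.

```python
"""Context-based role assignment (IDM 7.2 style) versus one duplicated role per
context (IDM 7.1 style). Constructed example: role names, privilege names and
factory ids are assumptions, not SAP-delivered content."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Assignment:
    person: str
    role: str
    context: Optional[str] = None   # e.g. a factory id; None = no context (applies everywhere)


# Constructed role model: each role grants privileges that are scoped to the
# assignment's context when the role is assigned with one.
ROLE_PRIVILEGES = {
    "Plant Supervisor":  ("ERP:MAINT_ORDER_APPROVE", "MES:SHIFT_PLAN"),
    "Quality Inspector": ("ERP:INSPECTION_LOT_RECORD",),
    "Portal User":       ("PORTAL:LOGON",),
}


def entries_without_contexts(n_roles: int, n_contexts: int) -> int:
    """IDM 7.1 style: one role object per (role, context) combination."""
    return n_roles * n_contexts


def entries_with_contexts(n_roles: int, n_contexts: int) -> int:
    """IDM 7.2 style: roles and contexts are separate objects; the pair is
    recorded on the assignment, not in the role catalog."""
    return n_roles + n_contexts


def legacy_role_name(role: str, context: str) -> str:
    """Naming convention a 7.1-style catalog would need, e.g. 'Plant Supervisor@F0017'
    (the '@' convention is an assumption of this example)."""
    return f"{role}@{context}"


def from_legacy_role_name(person: str, name: str) -> Assignment:
    """Split a duplicated-per-context role name back into role + context."""
    role, sep, context = name.partition("@")
    return Assignment(person, role, context if sep else None)


def effective_privileges(assignments: Iterable[Assignment], person: str) -> set:
    """Resolve a person's privileges as (privilege, context) pairs."""
    result = set()
    for a in assignments:
        if a.person != person:
            continue
        for privilege in ROLE_PRIVILEGES[a.role]:
            result.add((privilege, a.context))
    return result


def is_permitted(assignments: Iterable[Assignment], person: str,
                 privilege: str, context: Optional[str]) -> bool:
    """A contextual grant is valid only in its own context; a context-free
    grant applies in every context. Nothing leaks from one factory to another."""
    held = effective_privileges(assignments, person)
    return (privilege, context) in held or (privilege, None) in held


if __name__ == "__main__":
    assignments = [
        Assignment("cbrown", "Plant Supervisor", "F0017"),
        Assignment("cbrown", "Portal User"),
        from_legacy_role_name("cbrown", "Quality Inspector@F0042"),
    ]
    print("7.1 catalog entries:", entries_without_contexts(20, 1000))
    print("7.2 catalog entries:", entries_with_contexts(20, 1000))
    for ctx in ("F0017", "F0042"):
        print(ctx, is_permitted(assignments, "cbrown", "MES:SHIFT_PLAN", ctx))
```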

Workflows in SAP NetWeaver Identity Management
- Operate on entries in the identity store
- Manual interactions through Web interface: start provisioning tasks, approve requests, monitor status
- Workflows can be started from: Web interface, event tasks, change of privilege assignments, meta directory operations
- Processing logic includes: sequential operation, parallel operation, conditional operation, approval operation

Example flow through the Identity Center (identity store, rules, roles, workflow engine, provisioning engine):
1. User submits a request
2. Alert to the business process owner
3. Business process owner approves
4. Provisioning to the applications
5. User is informed


Solution in Detail: Business-Driven Identity Management

SAP NetWeaver ID Mgmt and SAP Business Suite: Increasing User Management Efficiency
Automated user account maintenance for SAP Business Suite applications. Example: SAP CRM. Sales representative Tom Peck needs access to SAP CRM. Creating a user account and role for Tom is not sufficient; you also have to create a Business Partner in CRM and assign the user account to this Business Partner.

Automatic consideration of system- and application-specific aspects: the user is assigned a role, and the CRM Business Partner is assigned automatically.

SAP NetWeaver ID Mgmt automates the Business Partner assignment in SAP CRM, eliminating the need for manual administration steps.

SAP NetWeaver ID Mgmt and SAP HCM: Synchronization of Organizational Information
Organizational information upload from SAP HCM to Identity Center
- Extract of organizational information from HCM to Identity Center: position assignment / organizational unit, position description / organizational key
- HCM Infotype 0001 contains the organizational information
- Pre-requisite: SAP Organizational Management (OM) is used together with SAP HCM; HCM stores information from OM in Infotype 0001
- All information that is stored in HCM Infotypes can be synchronized with Identity Center (highly configurable): last name, first name, address, start date, ...; organizational information like org. unit and org. key
- Transfer via the HR-LDAP extract into the Central Identity Store
- No direct connection from HCM-OM to Identity Center is necessary

SAP Business Suite Integration: Business-Driven Identity Management
SAP NetWeaver Identity Management integrates with: SAP Supplier Relationship Management, SAP Human Capital Management, SAP Customer Relationship Management, SAP Portfolio and Product Management, SAP ERP Financials, SAP Transportation Management, SAP Extended Warehouse Management, SAP Product Lifecycle Management, SAP Service Parts Planning, SAP Supply Network Collaboration

Key benefits
- Automated creation of Business Partner in SAP CRM, SAP SCM
- Link from Business Partner to user

Business Process Driven Identity Management: On-Boarding
Kim Perkins joins the company as a marketing professional. From the first day with her new company, she is able to log on to all relevant systems, including access to the employee self-services, and access to SAP CRM to track the marketing activities she is responsible for.

Pre-hire phase:
1. HR ensures that all necessary employee data for Kim is available, such as position and entry date
2. Event-based extraction of personnel data (HR Operations); user created with business role "Employee"
3. Based on the position in HCM, the business role "Marketing Professional" is assigned automatically by SAP NetWeaver Identity Management
4. Kim's manager (line manager) approves the assignment

First day at work: Business Partner created, user created with business role "Marketing Professional", access to SAP ESS, access to SAP CRM.

Business Process Driven Identity Management: Organizational Change, Line Manager Promotion
After two years as a marketing professional, Kim Perkins is promoted to take over personnel and budget responsibility for her marketing team. On the first day in her new role, she has access to the manager self-services. In her new position, she is responsible for budget approvals for all marketing campaigns; this requires immediate access to SAP ERP to view the marketing costs.

1. HR ensures that all necessary employee data for Kim are available, such as position and entry date
2. Event-based extraction of personnel data (HR Operations); user updated from "Employee" to "Line Manager"
3. SAP NetWeaver Identity Management recognizes the line manager information for Kim and automatically assigns the business role "Marketing Manager"

Day of change: user updated ("Marketing Controller" created), access to SAP ESS, access to SAP MSS, access to SAP CRM.

Business Process Driven Identity Management: Termination
After eight years, Kim Perkins leaves the company. On her last day, she finishes her tasks in the systems she used to work on. The day after her official assignment with the company ends, she is no longer able to access these systems.

1. HR ensures that all termination-relevant data for Kim are available, such as last day with the company
2. Event-based extraction of personnel data (HR Operations)
3. SAP NetWeaver Identity Management recognizes the last-day information for Kim and automatically un-assigns all access rights and disables her accounts

Day after termination date: user disabled in every connected system.


Solution in Detail: Compliance, Reporting, and Auditing

Reporting Options in SAP NetWeaver Identity Mgmt
Basic reporting, reporting with Jasper Reports / Crystal Reports
- Focus: static, printable reports
- Report creation on database level
Extended reporting with SAP Business Warehouse (SAP BW)*
- Focus: dynamic reports, offering more, highly detailed, and customizable reporting options
- Report creation on semantic BW InfoProviders
- Data is extracted from SAP NetWeaver Identity Management on a regular basis (as per defined job)
- Predefined report templates available
- Custom reports can be freely defined based on individual customer requirements
- SAP BW features include filtering, sorting, export to MS Excel, CSV, PDF, send via e-mail, publishing in Portal, etc.
*SAP BW is not part of the SAP NetWeaver ID Mgmt license

SAP NetWeaver Identity Management Basic Reporting Functionality
- Application/privilege-centric: determination of system access
- User-centric: determination of user privileges; who had what privilege at what time? (segregation of duties, attestation)
- Entry data: current data, historical data, time stamps, modified by, audit flags
- Approval data: who approved what when?
- Task audit log: determination of tasks run on user / by user
- General logs
- Off-the-shelf reporting tools can be used

SAP NetWeaver ID Mgmt Extended Reporting Capabilities: Integration with SAP BW
- SAP BW report templates delivered with persons, privileges, roles and their assignments over time and for specific dates
- Advanced filtering and sorting options
- Access control: roles for reporting user (Administrator, Manager, Owner)
- Flexibility (BEx reports are used)
- Change history up to the time of last synchronization
Data model: person(s), privilege(s), role(s) and the assignments between them.

Implementation Guide: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f02d16da-1856-2d10-b2ad-bccaff798e97
BI Content Documentation: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/f6/436fcc95534cefbf621bc742cd13ff/frameset.htm

SAP NetWeaver Identity Management Extended Reporting With SAP BW
- Object types (can be extended): person, privilege (aggregated by system), role
- Report types: content-based reporting (person attributes or role memberships); time-based reporting (state on given date or changes in period)
- Aggregations: number of assignments between object types
- Navigation between reports ("report-report interface"): person to assigned manager, role, etc.
- Basic auditing data: who changed what
- Authorization concept with three roles: Administrator, HR Manager, Object Owner
- Flexibility: use of BEx reports

Reporting with SAP BW: Input Help (screenshot)

Reporting With SAP BW: Person Details at a Given Date (screenshot)

Reporting With SAP BW: Person History (screenshot)

Reporting With SAP BW: Privilege Aggregations (screenshot)

Compliant Identity Management: The Vision

SAP NetWeaver Identity Management (addresses the CIO):
- Provides compliant identity management across SAP and heterogeneous landscapes in one integrated solution
- Standards-based integration creates a tightly aligned, loosely coupled solution from complementary components
- Gives a consistent view on current and historic access rights, approvals and policy violations
- Provides the reduced TCO and increased security required by the CIO

GRC (SAP BusinessObjects Access Control) (addresses the CFO):
- Meets the requirements of the CFO to ensure that IT business application controls are compliant

SAP BusinessObjects Access Control (GRC) and SAP NetWeaver Identity Mgmt: Integration Scenario
SAP NetWeaver Identity Management:
- Heterogeneous connectivity
- SAP Business Suite integration
- Powerful business role mapping
- Password management

SAP BusinessObjects Access Control (GRC):
- Compliance checks
- Business risk controls and mitigation

Combined, SAP NetWeaver Identity Management and SAP BusinessObjects Access Control (GRC) provide compliant identity management for the entire system landscape!

Compliant, Business-Driven Identity Management
Requirement: provide automated, position-based role management while ensuring compliance
- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HCM events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration with SAP Business Suite

Flow across HCM, SAP NetWeaver Identity Management, SAP BusinessObjects Access Control, the line manager and the landscape:
1. New hire (HCM)
2. Calculate entitlements based on position (SAP NetWeaver Identity Management)
3. Compliance check (SAP BusinessObjects Access Control), with remediation where needed
4. Approve assignments (line manager)
5. If approved: create user, assign roles and privileges in the landscape

SAP BusinessObjects Access Control: Solution Overview
Capabilities:
- Audit oversight: identity management, periodic access review and audit
- Access risk analysis and remediation
- Compliant user provisioning
- Enterprise role management
- Superuser privilege management (e.g. SAP_ALL)

Value:
- Minimal time-to-compliance: quick, effective, and comprehensive access risk identification; elimination of existing access and authorization risks is key
- Continuous access management: improve productivity of end users; reduce cost of role maintenance; avoid business obstructions with faster emergency response; ease compliance and avoid authorization risk
- Effective management oversight: capabilities for management oversight; capabilities for internal audit

Control environment: cross-enterprise library of best-practice segregation of duties rules (regulations, rules, corporate policies, best practices), cross-platform and cross-function (FIN, SCM, SRM, MFG, HR, IT infrastructure)

Compliant Identity Management Process Flow
1. Request role assignment (user, in SAP NetWeaver Identity Management)
2. Manager approval
3. Forward request for risk analysis (to SAP BusinessObjects Access Control (GRC))
4. Risk analysis
5. Risk mitigation
6. Risk status (returned to SAP NetWeaver Identity Management)
7. Provisioning to target systems
8. Notification to user / manager

Compliant Identity Management: Component Usage
Usage of SAP NetWeaver Identity Management components:
- Virtual Directory Server: accepts requests from Identity Center. Handles all connections to/from SBOP Access Control through the Web service API exposed by SBOP Access Control.
- Identity Center: contains the workflow tasks and necessary jobs that drive the provisioning to SBOP Access Control based on the Provisioning Framework for SAP Systems. Communicates with the Virtual Directory Server using the LDAP protocol.

Usage of SAP BusinessObjects Access Control components:
- Compliant User Provisioning (CUP): provides Web services for compliance checks, status checks, etc. Includes workflow for risk analysis and mitigating controls.
- Risk Analysis and Remediation (RAR): provides risk analysis services to detect SoD violations and critical permissions. Handles CUP-RAR communication via internal Web services.

Compliant Identity Management: Central User Provisioning
1. Create role assignment request in Identity Management (Identity Center)
   - Automatic (using rules, e.g. department assignment)
   - Manual (per user request)
2. Pre-process request in Identity Management (Identity Center)
   - Assignments require compliance check: continue with step 3
   - Assignments do not require compliance check: Identity Management starts provisioning
3. Request processing & risk analysis in Compliant User Provisioning
   - No risk violations found: Identity Management reads the request status and starts provisioning
   - Risk violations found: request rerouted to manual workflow
4. Manual workflow outcome
   - Approved: Identity Management reads the request status and starts provisioning
   - Declined: Identity Management reads the request status; no provisioning
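A runnable model of the central user provisioning decision flow above (request, pre-processing, risk analysis for SoD violations and critical permissions, rerouting to a manual workflow, provisioning or not), added here as an illustration; it is not SAP code and does not call the CUP/RAR Web services. The privilege names, SoD rule pairs, the set of systems that require a compliance check and the manual-decision callback are constructed assumptions.

```python
"""Model of the central user provisioning flow (Identity Center -> Compliant User
Provisioning -> Risk Analysis and Remediation -> back to Identity Center).
Constructed example; privilege names, SoD rules and the decision callback are
assumptions, not SAP-delivered content."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Set


class Outcome(Enum):
    PROVISIONED = "provisioning started"
    NO_PROVISIONING = "no provisioning"


@dataclass
class RoleRequest:
    user: str
    role: str
    origin: str            # "rule" (e.g. department assignment) or "manual" (user request)


@dataclass
class Result:
    outcome: Outcome
    violations: List[str] = field(default_factory=list)
    trail: List[str] = field(default_factory=list)   # audit trail of the decision path


# --- constructed sample data (assumptions) ---
ROLE_PRIVILEGES = {
    "Accounts Payable Clerk": {"FI:VENDOR_MAINTAIN", "FI:INVOICE_POST"},
    "Treasury Payer":         {"FI:PAYMENT_RUN"},
    "Portal End User":        {"PORTAL:EVERYONE"},
    "Basis Emergency":        {"BASIS:SAP_ALL"},
}
# Segregation-of-duties rules: one user must not hold both sides of a pair.
SOD_RULES = [
    ("FI:VENDOR_MAINTAIN", "FI:PAYMENT_RUN", "maintain vendor and run payment"),
    ("FI:INVOICE_POST",    "FI:PAYMENT_RUN", "post invoice and run payment"),
]
# Critical permissions that are flagged on their own, even without a conflict.
CRITICAL_PRIVILEGES = {"BASIS:SAP_ALL"}
# Only assignments touching these systems are sent for the compliance check.
COMPLIANCE_SYSTEMS = {"FI", "BASIS"}


def system_of(privilege: str) -> str:
    """Privileges are written '<system>:<name>' in this example."""
    return privilege.split(":", 1)[0]


def needs_compliance_check(role: str) -> bool:
    """Pre-processing step in Identity Center."""
    return any(system_of(p) in COMPLIANCE_SYSTEMS for p in ROLE_PRIVILEGES[role])


def risk_analysis(current: Set[str], requested: Set[str]) -> List[str]:
    """RAR-style check of the privilege set the user WOULD hold after provisioning."""
    combined = current | requested
    found = []
    for left, right, description in SOD_RULES:
        if left in combined and right in combined:
            found.append(f"SoD conflict: {description} ({left} + {right})")
    for p in sorted(requested & CRITICAL_PRIVILEGES):
        found.append(f"critical permission: {p}")
    return found


def process_request(req: RoleRequest, current: Set[str],
                    manual_decision: Callable[[RoleRequest, List[str]], bool]) -> Result:
    """Walk the request through the flow; manual_decision stands in for the
    approver in the manual workflow and is only consulted when violations exist."""
    requested = ROLE_PRIVILEGES[req.role]
    res = Result(Outcome.NO_PROVISIONING)
    res.trail.append(f"request ({req.origin}): {req.role} for {req.user}")
    if not needs_compliance_check(req.role):
        res.trail.append("no compliance check required")
        res.outcome = Outcome.PROVISIONED
    else:
        res.violations = risk_analysis(current, requested)
        if not res.violations:
            res.trail.append("risk analysis: no violations")
            res.outcome = Outcome.PROVISIONED
        else:
            res.trail.append(f"risk analysis: {len(res.violations)} violation(s), "
                             "rerouted to manual workflow")
            approved = manual_decision(req, res.violations)
            res.trail.append("approved" if approved else "declined")
            res.outcome = Outcome.PROVISIONED if approved else Outcome.NO_PROVISIONING
    res.trail.append(res.outcome.value)
    return res


if __name__ == "__main__":
    clerk = {"FI:VENDOR_MAINTAIN", "FI:INVOICE_POST"}   # privileges already held
    r = process_request(RoleRequest("kperkins", "Treasury Payer", "manual"), clerk,
                        manual_decision=lambda req, v: False)
    print("\n".join(r.trail))
```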


Solution in Detail: Password Management

Password Management
Requirement: centralized password management
- Reduce calls to help desk for password resets
- Enable password provisioning across heterogeneous landscape

Flow: the user (or the help desk on the user's behalf) resets a password, recovers a lost password or sets a new password in SAP NetWeaver Identity Management, which provisions the new password to the landscape.


Solution in Detail: Identity Virtualization

Identity Virtualization
Virtual Directory Server (VDS) provides:
- Single consistent view and entry point for multiple distributed identity data sources
- Identity information as a service for applications through standard protocols (LDAP, SPML)
- Abstraction layer for underlying data stores

Consumer only sees one standard interface:
- Transform incoming LDAP requests, and connect directly to the existing data repositories
- Data stays within original data source
- Efficient caching

Properties:
- Real-time access to data
- No need to consolidate data sources
- No extra data store
- Quick LDAP deployment
- Easier and cheaper maintenance
- Attribute manipulation
- Name space modifications
- Complex operations on-the-fly

Architecture: the application talks SPML or LDAP to the Virtual Directory Server, which connects via SPML, LDAP or JDBC to the directory servers and databases behind it.


Solution in Detail: Connectivity and Services

SAP Central User Administration and SAP NetWeaver Identity Management

What is the relationship between SAP NetWeaver Identity Management and the Central User Administration (CUA)?
- SAP NetWeaver Identity Management is the strategic solution for managing identities in SAP and non-SAP environments.
- SAP recommends replacement of the CUA by SAP NetWeaver ID Mgmt. This is a valuable strategic move, as it yields significant benefits and functional enhancements.
- SAP will continue to support SAP CUA in its current functionality according to SAP maintenance rules; however, the solution will no longer be enhanced with new functionality.
- Systems connected to CUA can be smoothly migrated to a SAP NetWeaver ID Mgmt solution without loss of functionality.
- Main benefits of SAP NetWeaver ID Mgmt compared to CUA include: connectivity for a heterogeneous system landscape; automatic cross-system rule-based access management; workflow support.

Comparing SAP CUA and SAP NetWeaver Identity Management

| Functionality | Central User Administration (CUA) | SAP NetWeaver Identity Management (ID Mgmt) |
|---|---|---|
| Target systems | ABAP only | SAP and non-SAP |
| Workflow support | No | Yes |
| Rule-based access management | Almost no (except the rarely used HR Org rule engine) | Yes |
| Modeling of role hierarchy | No | Yes |
| Cross-system role assignments | Manual | Full support |
| LDAP directory integration | LDAP synchronization | Full support |
| Support of all user attributes | Yes | Yes |
| Password management | Management and distribution of initial passwords | Yes; including user interface and workflow support |

Central User Administration: Gradual Migration to SAP NetWeaver ID Mgmt
Requirement: extend identity management to non-SAP environments and increase level of functionality
- Supports SAP and heterogeneous environments
- Self-service and delegated administration
- Workflows and approvals
- Business role management

Migration steps:
1. Manage CUA from SAP NetWeaver ID Mgmt
2. Migrate ABAP systems from CUA to ID Mgmt
3. Shut down CUA when all systems are migrated

SAP NetWeaver Identity Management Connectivity Overview
- Applications: SAP Business Suite, SAP BusinessObjects Access Control (GRC), Lotus Domino / Notes, Microsoft Exchange, RSA ClearTrust, RSA SecurID
- Databases: Microsoft SQL Server, Microsoft Access, Oracle database, IBM UDB (DB2), MySQL, Sybase
- Directory servers: Microsoft Active Directory, IBM Tivoli Directory, Novell eDirectory, SunONE Java Directory, Oracle Internet Directory, Microsoft Active Directory Application Mode (ADAM), Siemens DirX, OpenLDAP, eB2Bcom View500 Directory Server, CA eTrust Directory, SAP NetWeaver IDM Virtual Directory Server, any LDAP v3 compliant directory server
- Technical: SPML, LDAP, ODBC / JDBC / OLE-DB, RFC, LDIF files, XML files, CSV files
- Other: SAP Application Server, Microsoft Windows NT Directory, Unix/Linux servers, shell execute, custom Java connector API, script-based connector API

Connector Framework: Purpose and Components
Purpose: to provide a development toolkit and guidelines for third-party vendors to create an SAP NetWeaver Identity Management connector for non-SAP applications.

Components:
- Identity Center: main functionality used here is identity provisioning
- Virtual Directory Server: single access point for data updates in multiple repositories

Connector Framework: Two Integration Steps
Identity Center integration (Identity Center: provisioning framework, connector tasks)
- The connector tasks integrate into the existing (common) provisioning framework in the Identity Center.
- A set of tasks has to be customized to work together with the target application utilizing VDS.

Virtual Directory Server integration (Virtual Directory Server: application integration code, application Java library)
- The generic VDS core functionality has to be extended.
- Code has to be created which will be used by VDS to connect to the target application.

The connector tasks and the application integration code are the two parts that build the connector; they are created by the 3rd-party vendor. The application Java library typically exists within the 3rd-party (target) application.

Connectivity Architecture
- Provisioning Framework: independent of repositories and back-ends; hooks into the partner's set of IC connector tasks
- IC tasks (set from partner): hooked into the provisioning framework
- Virtual Directory Server (VDS): connectors from partners; multiple connectors in a virtual tree
- Back-ends (third-party applications)

Third Party Connector Certification: SAP ICC Integration Scenario NW-IDM-CON
The SAP Integration and Certification Center (ICC) offers a certification for the integration scenario NW-IDM-CON. SAP partners as well as potential partners and independent software vendors (ISVs) are invited to use the Connector Development Kit (CDK) to create an SAP NetWeaver Identity Management connector for their application, and to integrate the application into the identity management landscape. This connector can then be certified by the SAP ICC.

For general information about third-party certifications with SAP products, please refer to http://www.sdn.sap.com/irj/sdn/interface-certifications, or contact the SAP Integration and Certification Center (ICC) directly at [email protected]

Identity Services: SOA-Based Identity Management
Requirements:
- Create a tight integration with SAP applications
- Integrate third-party applications
- Identity services as a standards-based single access point for querying and managing identity information in the complete system landscape
- 'Tightly aligned, loosely coupled' integration with SAP and heterogeneous applications based on industry standards

Identity management serves the SAP Business Suite (business workflow), other SAP applications and the heterogeneous environment through these services.

Connectivity – SAP HANA connector

SAP HANA – SAP NetWeaver Identity Management connector
• Available as of SAP Identity Management 7.2 Service Pack 3
• Connection via the SQL interface
• User provisioning into SAP HANA:
  – Create/drop users
  – Create/drop roles
  – Assign roles to users
  – Revoke roles from users
  – Change passwords
• Enables synchronization of users in complex landscapes: SAP NetWeaver Identity Management pushes users into the SAP HANA database user store
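As an added example, not code from this deck or from SAP's connector, the following Python sketches what a connector working over the SQL interface has to do for the provisioning operations listed above: compute the difference between the desired user/role state held in the identity store and the state found in HANA, and emit the DDL in an order that never references a user or role that does not exist yet. The HANA statement forms (CREATE USER, CREATE ROLE, GRANT, REVOKE, ALTER USER ... PASSWORD, DROP USER) are standard HANA SQL; the user names, role names, passwords and the allow-list rule for identifiers are assumptions of the example. The security point is that names arriving from an upstream feed are validated before they are spliced into DDL, so a crafted display name cannot become an extra statement.

```python
"""Plan HANA user/role provisioning statements from a desired-vs-current diff.

Added example for illustration; not SAP's connector code. The HANA SQL forms used
(CREATE USER / CREATE ROLE / GRANT / REVOKE / ALTER USER ... PASSWORD / DROP USER)
are standard HANA DDL; everything else here is an assumption of this example.
"""
import re
from typing import Dict, List, Optional, Set

# Allow-list for names (assumption): simple upper-case identifiers only, so a
# double-quoted identifier can never contain a quote or a statement separator.
_SIMPLE_IDENT = re.compile(r"[A-Z][A-Z0-9_]{0,126}")


def is_safe_identifier(name: str) -> bool:
    """True if the name matches the allow-list used by quote_ident()."""
    return _SIMPLE_IDENT.fullmatch(name) is not None


def quote_ident(name: str) -> str:
    """Validate a user or role name, then double-quote it for use in DDL.

    A display name copied from an HR feed must never reach the SQL layer
    unchecked; rejecting it here keeps the generated DDL to exactly one
    statement per intended operation.
    """
    if not is_safe_identifier(name):
        raise ValueError(f"unsafe identifier {name!r}")
    return f'"{name}"'


def quote_password(password: str) -> str:
    """HANA takes the password as a double-quoted literal; refuse quotes
    instead of escaping them (simplification of this example)."""
    if len(password) < 8 or '"' in password:
        raise ValueError("password must have at least 8 characters and no double quote")
    return f'"{password}"'


def plan_hana_sync(desired: Dict[str, Set[str]],
                   current: Dict[str, Set[str]],
                   initial_passwords: Dict[str, str],
                   existing_roles: Optional[Set[str]] = None) -> List[str]:
    """Return the ordered SQL statements that move HANA from `current` to `desired`.

    Both maps are user name -> set of role names. Order: missing roles are
    created, then users, then grants, then revokes, then drops, so that a
    grant never references a user or role that does not exist yet.
    """
    stmts: List[str] = []
    new_users = sorted(desired.keys() - current.keys())
    gone_users = sorted(current.keys() - desired.keys())
    kept_users = sorted(desired.keys() & current.keys())

    if existing_roles is not None:
        needed = set().union(*desired.values()) if desired else set()
        for role in sorted(needed - existing_roles):
            stmts.append(f"CREATE ROLE {quote_ident(role)}")

    for user in new_users:
        stmts.append(f"CREATE USER {quote_ident(user)} PASSWORD "
                     f"{quote_password(initial_passwords[user])}")

    for user in new_users + kept_users:
        for role in sorted(desired[user] - current.get(user, set())):
            stmts.append(f"GRANT {quote_ident(role)} TO {quote_ident(user)}")

    for user in kept_users:
        for role in sorted(current[user] - desired[user]):
            stmts.append(f"REVOKE {quote_ident(role)} FROM {quote_ident(user)}")

    for user in gone_users:
        stmts.append(f"DROP USER {quote_ident(user)}")
    return stmts


def password_reset_statement(user: str, new_password: str) -> str:
    """Statement for the 'change passwords' operation."""
    return f"ALTER USER {quote_ident(user)} PASSWORD {quote_password(new_password)}"


if __name__ == "__main__":
    # Constructed sample: one new hire, one mover losing a regional role, one leaver.
    desired = {"CBROWN": {"ACCOUNTING_USER"}, "NEWHIRE": {"PORTAL_USER"}}
    current = {"CBROWN": {"ACCOUNTING_USER", "CRM_WEST"}, "LEAVER": {"PORTAL_USER"}}
    for stmt in plan_hana_sync(desired, current, {"NEWHIRE": "Init-Pw-2012!"},
                               existing_roles={"ACCOUNTING_USER", "PORTAL_USER", "CRM_WEST"}):
        print(stmt)
```

The planner only produces statements; the connector would execute them over the SQL interface inside one transaction per user and record each statement in the identity store's audit trail. DROP USER is the operation the slide lists; many deployments prefer to deactivate the account first (HANA supports ALTER USER ... DEACTIVATE USER NOW) and drop it only after a retention period, so that audit references to the user survive.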


Solution in Detail: Identity Federation and Web-Based Single Sign-On

What is Identity Federation?

Identity federation
• describes the technologies, standards and use cases that enable the portability of identity information across otherwise autonomous security domains;
• enables users of one domain to securely and seamlessly access data or systems of another domain, without the need for completely redundant user administration;
• comes in many flavors, including "user-controlled" or "user-centric" scenarios as well as enterprise-controlled or B2B scenarios;
• can involve user-to-user, user-to-application and application-to-application use cases, at both the browser tier and the Web services tier.

Identity Federation in SAP NetWeaver Identity Management 7.2

Identity federation provides the means to share identity information across company boundaries. The user must be unambiguous and clearly identifiable, even though different user identifiers may exist across the landscape. The name identifier (name ID) is the means to establish a common identifier; once the name ID has been established, the user is said to have a federated identity.

Identity federation enables SSO for Web browser-based access (user-centric) and for Web services (system-centric) across domains. SAP's solution relies on standards for interoperability between SAP and non-SAP systems:
• For Web browser-based access, identity federation uses an identity provider that supports SAML 2.0.
• For Web services, identity federation uses a security token service (STS) that supports WS-Trust 1.3, with X.509, SAML 1.1, and SAML 2.0 tokens.

Security Assertion Markup Language (SAML) 2.0

The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users. An assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource. The main benefits of SAML 2.0 are:

SSO with SAML 2.0
• SAML provides a standard for cross-domain Single Sign-On (SSO)
• SAML 2.0 supports identity-provider-initiated SSO, as in SAML 1.x
• SAML 2.0 also supports service-provider-initiated SSO

SLO with SAML 2.0
• Single Log-Out (SLO) enables users to cleanly close all their sessions in a SAML landscape, even across domains.

Identity federation
• Identity federation provides the means to share identity information between partners.

Identity Federation: Web Browser-Based Access

For Web browser-based access, identity federation uses an identity provider that supports SAML 2.0. SAML 2.0 also enables Single Log-Out (SLO). Identity federation can also be used to transport profile attributes to create or update temporary or permanent users between systems. Authorization attributes can be transported as well, which makes it possible to change user authorizations in target systems.
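As an added example, not code from this deck or from SAP's SAML implementation, the following Python shows the checks a service provider performs on a SAML 2.0 bearer assertion after its XML signature has been verified: the issuer, the Conditions validity window (NotBefore is inclusive, NotOnOrAfter exclusive), the audience restriction, the bearer SubjectConfirmation's Recipient and expiry, and finally the name ID and the profile attributes that the slides above describe as the federated identity and the transported attributes. The entity IDs, the assertion consumer URL and the assertion itself are constructed for the example; signature verification is left to a SAML library and is stated as a precondition, because every check below is meaningless on an unsigned or differently signed element.

```python
"""Post-signature validation of a SAML 2.0 bearer assertion at a service provider.

Added example, not SAP's code. It covers the checks that sit between signature
verification and the creation of a session: issuer, validity window, audience,
bearer subject confirmation, name ID and attribute extraction.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Any, Dict

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Entity IDs and the assertion consumer endpoint are assumptions for this example.
IDP_ENTITY_ID = "https://idp.example.com/saml2"
SP_ENTITY_ID = "https://sp.example.com/saml2"
SP_ACS_URL = "https://sp.example.com/saml2/acs"

# Constructed sample assertion (ds:Signature omitted; see validate_assertion).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c0ffee01" Version="2.0"
    IssueInstant="2012-11-19T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">8f3b2a7e-persistent-id</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2012-11-19T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-11-19T09:59:00Z" NotOnOrAfter="2012-11-19T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2012-11-19T09:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>cbrown@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ACCOUNTING</saml:AttributeValue>
      <saml:AttributeValue>PORTAL</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlValidationError(Exception):
    pass


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC ("...Z"); return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text: str, now: datetime,
                       expected_issuer: str = IDP_ENTITY_ID,
                       expected_audience: str = SP_ENTITY_ID,
                       expected_recipient: str = SP_ACS_URL) -> Dict[str, Any]:
    """Return name ID and attributes if every check passes, otherwise raise.

    Precondition not implemented here: the XML signature over this exact
    Assertion element was verified against the IdP's configured certificate,
    and the element passed in is the one that was signed. Without that, every
    check below operates on attacker-controlled data.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    root = ET.fromstring(xml_text)  # production code: parse with defusedxml instead
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise SamlValidationError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise SamlValidationError(f"unexpected issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is not None and now < parse_saml_time(not_before):
        raise SamlValidationError("assertion not yet valid")
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after):
        raise SamlValidationError("assertion expired")  # NotOnOrAfter is exclusive
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if expected_audience not in audiences:
        raise SamlValidationError("assertion not addressed to this service provider")

    subject = root.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    if name_id is None or not name_id.text:
        raise SamlValidationError("missing NameID")
    # Bearer confirmation: the assertion must be meant for our ACS and still fresh.
    confirmed = False
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        if data.get("Recipient") != expected_recipient:
            continue
        exp = data.get("NotOnOrAfter")
        if exp is not None and now >= parse_saml_time(exp):
            continue
        confirmed = True
    if not confirmed:
        raise SamlValidationError("no acceptable bearer SubjectConfirmation")

    attributes: Dict[str, list] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format"),
            "issuer": issuer, "attributes": attributes}


def is_valid(xml_text: str, now: datetime, **expectations: str) -> bool:
    """Boolean wrapper around validate_assertion for callers that only need a verdict."""
    try:
        validate_assertion(xml_text, now, **expectations)
        return True
    except SamlValidationError:
        return False
```

The returned name ID is the common identifier the slides describe; a service provider maps it to a local user and applies the transported attributes only after these checks pass. Two details matter in practice: the `now` used for the window check must come from a reliable clock (a small allowed skew is common, and a large one defeats the expiry), and the Recipient check is what stops an assertion issued for one service provider from being replayed at another.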

Identity Federation: Web Services-Based Access

For Web services, identity federation uses a security token service (STS) that supports WS-Trust 1.3. The STS accepts a number of authentication methods from a Web service consumer and can convert these tokens into a security token that a Web service provider can use. The STS supports X.509, SAML 1.1, and SAML 2.0 tokens. As with SAML 2.0 for Web browser-based access, the SAML 2.0 assertion can transport profile and authorization attributes to the target Web service provider.

Solution in Detail: Database support

Enhanced database support
Database options for SAP NetWeaver Identity Management:
• Microsoft SQL Server
• Oracle database
• IBM DB2 (supported as of SAP NetWeaver Identity Management 7.2 SP 6)


SAP NetWeaver Identity Management Architecture

Components (diagram):

Identity Center
• Identity Center Database: identity store, configuration, and processing logic
• Workflow User Interface (AS Java): main interface for users and managers
• Monitoring User Interface (AS Java): monitoring and audit interface for administrators
• Management Console: visual development and configuration UI
• Runtime Engine and Dispatcher: processing and provisioning logic, including connectors

Event Agent Service
• Event Agent: monitors connected systems (for example e-mail system, Active Directory, SAP Portal, SAP ERP, others) to detect changes and initiates synchronization; the connected systems are read and written through the connectors

Virtual Directory Server
• Virtualization layer

Web services

Integration with SAP GRC

SAP NetWeaver Identity Management: Communication Paths

Diagram: the Identity Center (IC) and the Virtual Directory Server (VDS) exchange data with the connected systems over the following paths:
• SAP ERP HCM system → IDM: transfer employee data to IDM (LDAP); IDM → SAP ERP HCM: update employee record with communication details (RFC)
• IDM → SAP BusinessObjects Access Control (GRC): forward request for risk analysis and poll status (Web service call)
• IDM → target systems: provision identity to the target system (protocol dependent on the target system)

Central Identity Store

Central hub for all Identity Center components:
• Provisioning is based on identity data from the store
• Business roles and privileges are stored here
• Workflow processing is based on this data
• Meta directory operations keep the information up-to-date (sources such as HR, telephone system, e-mail, CA)

Identity Store Properties
• Keeps historical data and a full audit trail to support compliance
• Temporary attributes for tracking time-critical values
• Validity periods can be defined for roles and privileges
• Events on attributes trigger workflow tasks
• Virtual attributes reference data in external sources
• Roll-back of identity data
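The validity periods and attribute-triggered events listed above are what turn the store into a source of provisioning tasks. The following Python is an added example, not SAP's code, showing the evaluation a scheduled run would perform: derive the effective privileges for a given day from assignments with validity windows, turn the difference between two days into grant and revoke events, and reconcile what a target system reports against what the store justifies, which is the check that catches a leaver whose account still has access. The inclusive valid_to semantics, the sample assignments and all names are assumptions of the example.

```python
"""Evaluate time-bounded assignments from an identity store and derive events.

Added example for illustration; not SAP's code. Validity semantics are an
assumption of this example: valid_from is the first day an assignment is
effective and valid_to the last (inclusive); None means open-ended.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Assignment:
    user: str
    privilege: str
    valid_from: date
    valid_to: Optional[date] = None

    def is_effective(self, on: date) -> bool:
        return self.valid_from <= on and (self.valid_to is None or on <= self.valid_to)


def day(iso: str) -> date:
    """Small helper so callers can write days as ISO strings."""
    return date.fromisoformat(iso)


def effective_privileges(assignments: Iterable[Assignment], on: date) -> Dict[str, Set[str]]:
    """Desired state on a given day: user -> privileges that are valid that day."""
    result: Dict[str, Set[str]] = {}
    for a in assignments:
        if a.is_effective(on):
            result.setdefault(a.user, set()).add(a.privilege)
    return result


def provisioning_events(assignments: Iterable[Assignment],
                        previous: date, now: date) -> List[Tuple[str, str, str]]:
    """Transitions between two evaluation days as ("GRANT"|"REVOKE", user, privilege).

    A scheduled run passes yesterday and today; each tuple becomes a provisioning
    task, which is how an assignment expiring on its valid_to date turns into a
    revoke without anyone having to remember it.
    """
    assignments = list(assignments)
    before = effective_privileges(assignments, previous)
    after = effective_privileges(assignments, now)
    events: List[Tuple[str, str, str]] = []
    for user in sorted(before.keys() | after.keys()):
        for p in sorted(after.get(user, set()) - before.get(user, set())):
            events.append(("GRANT", user, p))
        for p in sorted(before.get(user, set()) - after.get(user, set())):
            events.append(("REVOKE", user, p))
    return events


def stale_access(assignments: Iterable[Assignment], observed: Dict[str, Set[str]],
                 on: date) -> Dict[str, Set[str]]:
    """Reconciliation check: privileges a target system reports that the identity
    store does not justify on that day (expired assignments, orphaned accounts)."""
    expected = effective_privileges(assignments, on)
    stale: Dict[str, Set[str]] = {}
    for user, privs in observed.items():
        extra = privs - expected.get(user, set())
        if extra:
            stale[user] = extra
    return stale


# Constructed sample data for the demonstration.
SAMPLE_ASSIGNMENTS = [
    Assignment("CBROWN", "ACCOUNTING_USER", day("2012-01-01")),
    Assignment("CBROWN", "CRM_WEST", day("2012-06-01"), day("2012-11-18")),
    Assignment("TEMP01", "PORTAL_USER", day("2012-11-20"), day("2012-12-31")),
]

if __name__ == "__main__":
    print(provisioning_events(SAMPLE_ASSIGNMENTS, day("2012-11-18"), day("2012-11-19")))
    observed = {"CBROWN": {"ACCOUNTING_USER", "CRM_WEST"}, "LEAVER": {"PORTAL_USER"}}
    print(stale_access(SAMPLE_ASSIGNMENTS, observed, day("2012-11-19")))
```

The reconciliation function is the detective control that complements the event-driven one: events only fire for changes the store knows about, whereas an account created directly in a target system, or a revoke that failed silently, shows up only when the observed state is compared back against the store.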

Virtual Directory Server Architecture

• Multiple inbound protocols (LDAP, …)
• Extensible transformation framework
• Java GUI: configuration management and version control
• Virtual Directory Kernel with in-memory cache and connector framework
• Connectors:
  – Protocol connectors: LDAP, DB, API
  – Web services connectors: SPML, DSML, …
  – Application connectors: SAP, Salesforce, …

Sizing SAP NetWeaver Identity Management

Sizing means determining the hardware requirements of an SAP application, such as the network bandwidth, physical memory, CPU processing power, and I/O capacity. The size of the hardware and database is influenced by both business aspects and technological aspects. The number of users using the various application components and the data load they put on the server must be taken into account. Usage patterns influence how to size SAP NetWeaver ID Mgmt. The main factors are: number of entries (amount of data), number of lookups (searches), number of changes, and number of simultaneous users.

The SAP NetWeaver Identity Management 7.1 Sizing Guide
The Sizing Guide provides initial sizing information for SAP NetWeaver Identity Management. Precise recommendations are determined on a case-by-case basis for each customer's specific requirements.

Download the SAP NetWeaver Identity Management Sizing Guide: http://service.sap.com/sizing > Sizing Guidelines > Solutions & Platform > SAP NetWeaver Identity Management 7.1

Custom User Interfaces for SAP NetWeaver ID Mgmt With Open API (RESTful Web Services)

Architecture: RESTful Web services on AS Java in front of the Identity Store, consumed by Web browsers and mobile devices
• REST (Representational State Transfer), JSON (JavaScript Object Notation)
• Schema: retrieve schema information
• Entries: search for entries; retrieve entries and attributes; change attribute values; reset passwords
• Approvals: retrieve open approvals; process approvals

Custom Role Request User Interface Based on REST API (screenshot)

Custom User Display Based on REST API (screenshot)


Summary and Additional Information Sources

Highlights of SAP NetWeaver Identity Management 7.1

Event-Driven SAP ERP HCM Integration
In this release, the integration with SAP ERP HCM is extended to be event-based.

Further Integration With SAP Business Suite
A new framework enables product-specific extensions to be executed when identity provisioning operations are performed. This enables a deep integration with various applications in SAP Business Suite, including operations like updating employee master data or linking users to business partners.

Extended Integration With SAP's GRC Solution (SAP BusinessObjects Access Control)
The integration with SAP's GRC solution has been extended and covers current BusinessObjects Access Control releases.

Web Dynpro-Based UIs
The PHP-based Web interfaces for workflow used by end users and managers for self-service, delegated administration, approval tasks, and monitoring are replaced by a Web Dynpro-based user interface deployed on SAP NetWeaver AS Java 7.0 or 7.1. You can run the user interface as a stand-alone application or integrate it into the portal. New features such as tabs and multiple columns improve the task layout in the user interface.

Extended Platform Support
Extended support of operating systems (Windows, Unix, Linux, …)

Extended Identity Services
Simplified management of deployed services and connectors; a connector framework that enables partners to develop third-party connectors; improved deployment on SAP NetWeaver, including logging

Highlights of SAP NetWeaver Identity Management 7.2

Identity Federation
Use of an Identity Provider (IdP) and a Security Token Service (STS) for Web browser-based and Web services-based single sign-on scenarios.

Reporting with SAP Business Warehouse
Leverage SAP BW for dynamic, flexible reporting.

Context-Based Role Assignments
Use of context-based assignment to reduce the number of roles and privileges in the enterprise.

Custom User Interfaces with Open API
Use of a REST-based open API to develop custom user interfaces (for example for mobile devices) and/or extend the existing UIs.

Continuous Improvement in Various Areas
Examples include assignment improvements, context towards back-end systems, accessing assignment information from run time, guided tasks, approvals, configuration transport, request-complete task, dispatcher system tuning, extension framework, provisioning framework, and more.

Rapid Deployment Solution (RDS)

IDM RDS is available as of SAP NetWeaver Identity Management 7.2 SP04 patch 1. Implementation via SAP Security Consulting (recommended) or an own custom implementation project.

Content (available to all SAP NetWeaver Identity Management customers):
• Connection between two SAP systems (SAP NetWeaver ABAP/Java, SAP ERP Human Capital Management on SAP ERP 6.0 EhP 4 or SP37) and an LDAP directory
• Templates for mass user maintenance, copy user, delete user, multi-step approval workflows, system-dependent password reset, rule engine
• Templates and functionality for CUA replacement
• Pre-defined HTML-based reporting

Why SAP NetWeaver Identity Management

• Offers close alignment with business processes
• Provides best value for business sponsors
• Re-uses SAP deployment experience and intellectual property
• Integrates with existing identity management infrastructure
• Combines tight SAP integration with heterogeneous IT
• Integrates roadmap and "blueprint" with SAP BusinessObjects Access Control (GRC)
• Provides the lowest-risk solution for SAP connectivity

More Information

Visit the SAP Community Network (SCN) for comprehensive information on SAP NetWeaver Identity Management, such as:
• Product information, documentation, training, and support information
• Articles, blogs, wiki, FAQs, forum, and newsletters
• Downloads
http://scn.sap.com/community/netweaver-idm

Thank You!

© 2012 SAP AG. All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. 
This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.


Change History Master Slide Deck SAP NetWeaver Identity Management

Nov 19 2012: (by Gerlinde)
Changes: New slides: database support, RDS and Hana connector

Nov. 2011:

New slide: added slide about “IDM-HR Integration – Organizational Information”

May 2011 (by Kristian):

Changes: repair of animation in some slides, and other visual changes

March 2011 (by Regine):

Changes: Transferred contents to new SAP template

December 2010 (by Regine)

Changes: Total rework – IDM to ID Mgmt.; news about 7.2 etc. New slides: BW reporting, federation, context-based role management, partner certification, a slide about what’s new with 7.2, and many other adjustments


Change History Master Slide Deck SAP NetWeaver Identity Management
June/July 2010:
Changes: Agenda: Changed topic 2.3 into Compliance, Reporting, and Auditing Added topic 2.7: Identity Federation and Web-Based Single Sign-On Slide 12: Added Identity Federation and Web SSO functionality New slides: 26, 28, 29,30 (BW Reporting) 50, (Identity Federation and Web SSO)

April/May 2010:

Changes: N/A New slides: Slide 51 (Sizing + link to sizing guide)

March 2010:

Changes: Slide 9: Deleted “Vision of a” in the headline New slides:

Slides 30 - 33 including new notes (integration GRC and IDM) Slide 48 (SAP NetWeaver IDM: Communication Paths)

