SAP Identity Management Overview
October 2014, Public
© 2014 SAP SE or an SAP affiliate company. All rights reserved. 2Public
Agenda
Introduction to Identity Management
Role Management and Workflows
Business-Driven Identity Management
Compliant Identity Management
Reporting
Password Management
Connectivity
Architecture
Identity Virtualization
Summary & Additional Information
Appendices
Introduction to SAP Identity Management
IT Application Security – SAP Portfolio

SAP Security Portfolio, IT Application Security:

Identity and access management (IAM)
• Identity, governance and administration (SAP Identity Management, SAP Access Control): manage identity lifecycle, segregation of duties, emergency access, role management, reporting, …
• Authentication and single sign-on (SAP Single Sign-On, SAP Cloud Identity): single sign-on, secure network communication, central access policies, 2-factor authentication, …

Code vulnerabilities
• Find vulnerabilities in customer code (SAP NetWeaver AS, add-on for code vulnerability analysis)

Threat management
• Detect cybercrime attacks based on user behavior (SAP Enterprise Threat Detection)
Key Capabilities

SAP Identity Management: manage identities and permissions
• Enables the efficient, secure and compliant execution of business processes
• Ensures that the right users have the right access to the right systems at the right time
• Consistent with user roles and privileges
• Across all systems and applications (holistic approach)
Business Drivers for Identity Management

Operational costs
• Multiple sources of identity data
• Manual user provisioning
• Labor-intensive, paper-based approval systems
• Manual password reset processes

Changing business processes
• Transactions involve multiple enterprises
• Partners participate in business processes
• Company-specific requirements for user provisioning solutions

Compliance challenges
• No record of who has access to which IT resources
• Inability to deprovision user access rights upon termination
• No complete audit trail available
• Prevention of unauthorized access in multi-enterprise environments
Identity Lifecycle

• How long does it take for new employees to receive all permissions and become productive in their new job?
• Are permissions automatically adjusted if someone is promoted to a new position?
• Who has adequate permissions to fill in for a co-worker?
• How long does it take to remove ALL permissions of an employee? And how can you ensure that they were properly removed?
• How can you remove permissions automatically if employees change their position?
Solution in a Nutshell

• Central management of identities throughout the system landscape
• Rule-driven workflow and approval process
• Extensive audit trail, logging, and reporting functionality
• Governance through centralized and auditable identity data
• Compliance through integration with SAP Access Control
• Compliant and integrated identity management solution to mitigate segregation-of-duties risks

Landscape shown on the slide: SAP Identity Management and SAP Access Control connected to SAP applications (SAP SCM, SAP ERP HCM, SAP ERP, SuccessFactors, …) and non-SAP applications (Java, Portal, Database, Legacy, OS, Web app).
A Holistic Approach to Compliant Identity Management

Example: on-boarding. SAP ERP HCM (or SuccessFactors) feeds the central identity store of SAP Identity Management, which provides:
• Rule-based assignment of business roles
• Approval workflows
• Password management
• Provisioning to SAP and non-SAP systems
• Reporting
• Identity virtualization and identity as a service
• Web-based single sign-on and identity federation
• Integration with SAP Business Suite and SuccessFactors
• Compliance checks through SAP Access Control (SAP BusinessObjects Access Control, GRC)
Solution in Detail: Role Management and Workflows
Role Definition and Provisioning

Role definition (design, one-time task)
• Read system access information (roles, groups, authorizations, etc.) from target systems
• Define a business role hierarchy
• Assign technical roles to business roles
• Develop rules for role assignments

Provisioning (regularly)
• Assign or remove roles to/from people: through request/approval workflow, manually (administrator), or automatically, e.g. HR-driven
• Automatic adjustment of master data and assignments of technical authorizations in target systems

Figure: business roles (Manager, Employee, Accounting) mapped to technical roles (Portal role, Accounting (ABAP role), HR manager (ABAP role), E-mail, AD user) in the target systems SAP Portal, SAP FI, SAP HR, E-mail system and Active Directory.
SAP NetWeaver Identity Management
Context-Based Role Management: Reducing Complexity

Context-based role management simplifies the structure of roles through dynamic role assignment based on user context information. In the figure, a business role in SAP Identity Management bundles technical roles A, B and C; the user's context (user, position, location, …) determines which of them (e.g. technical roles A and B) the user receives in the managed system.

Benefits
• Reduced number of roles
• Reduced complexity
• Sufficient granularity
• Improved data consistency and governance

Example: 20 roles in 1,000 factories
• Conventional method: 20,000 entries (roles)
• Context-based: 1,020 entries (roles + contexts)
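The following is an added illustration of the slide's idea, not SAP code: a business role is stored once as a set of technical-role templates, and the user's context (here a factory id) is filled in at resolution time, so the catalogue holds roles plus contexts instead of one role per (role, factory) pair. The catalogue, the context list, the role names and the `Assignment` structure are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed catalogue (an assumption for this example, not SAP configuration):
# each business role is a tuple of technical-role templates with a {ctx}
# placeholder that is filled from the user's context (here: a factory id).
BUSINESS_ROLES = {
    "Plant Controller": ("FI_DISPLAY_{ctx}", "FI_POST_{ctx}"),
    "Warehouse Clerk": ("WM_PICK_{ctx}",),
}
# Constructed context list: the factories the managed system knows about.
CONTEXTS = {"F0001", "F0002"}


@dataclass(frozen=True)
class Assignment:
    """One (user, business role, context) triple as stored in the identity store."""
    user: str
    business_role: str
    context: str


def resolve(assignment: Assignment) -> list[str]:
    """Expand one assignment into the technical roles for the managed system.
    Unknown roles or contexts are rejected instead of silently producing
    a role name that exists in no target system."""
    if assignment.business_role not in BUSINESS_ROLES:
        raise KeyError(f"unknown business role {assignment.business_role!r}")
    if assignment.context not in CONTEXTS:
        raise ValueError(f"unknown context {assignment.context!r}")
    templates = BUSINESS_ROLES[assignment.business_role]
    return [t.format(ctx=assignment.context) for t in templates]


def effective_roles(assignments) -> dict[str, set[str]]:
    """Technical roles per user after all assignments are expanded."""
    roles: dict[str, set[str]] = {}
    for a in assignments:
        roles.setdefault(a.user, set()).update(resolve(a))
    return roles


def catalogue_size(n_roles: int, n_contexts: int, context_based: bool) -> int:
    """Number of entries the role catalogue must hold, as on the slide:
    conventional = one role per (role, context) pair; context-based = roles + contexts."""
    return n_roles + n_contexts if context_based else n_roles * n_contexts


if __name__ == "__main__":
    sample = [
        Assignment("kim", "Plant Controller", "F0002"),
        Assignment("kim", "Warehouse Clerk", "F0001"),
    ]
    print(effective_roles(sample))
    print(catalogue_size(20, 1000, False), catalogue_size(20, 1000, True))
```

The governance benefit follows from the structure: changing one template in `BUSINESS_ROLES` changes the resolved access in every factory at once, and a typo in a context cannot create an orphan role because `resolve` rejects contexts the managed system does not know.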
Workflows

1. Request: user sends a role request
2. Processing: Identity Center processes the request and sends an alert to the manager / administrator
3. Approval: manager checks the request and approves/denies
4. Provisioning: Identity Center provisions new roles and privileges to the respective systems
5. Notification: Identity Center sends a notification to the user/manager
Solution in Detail: Business-Driven Identity Management
Integration with SAP Business Applications

SAP Identity Management integrates with: SuccessFactors Employee Central, SAP ERP Financials, SAP Transportation Management, SAP Product Lifecycle Management, SAP HANA, SAP Supplier Relationship Management, SAP Customer Relationship Management, SAP Extended Warehouse Management, SAP Service Parts Planning, SAP ERP Human Capital Management, SAP Portfolio and Product Management, SAP Supply Network Collaboration.
Business Process Driven Identity Management: On-Boarding

Kim Perkins joins the company as a marketing specialist. From the first day with her new company, she is able to log on to all relevant systems, including access to the employee self-services, and access to SAP CRM to track the marketing activities she is responsible for.

1. Pre-hire phase (HR Operations in SAP ERP HCM / SuccessFactors): HR ensures that all necessary employee data for Kim is available, such as position and entry date
2. Event-based extraction of personnel data into SAP Identity Management
3. First day at work: based on the position in HCM, IDM automatically assigns the business role “Marketing Specialist”
4. Kim’s manager (line manager) approves the assignment
5. Provisioning of role and authorization information to the relevant target systems (SAP ERP HCM, SAP ERP, SAP CRM, SAP Portal): business partner created; user created “Marketing Professional”; user created “Employee”; user created with access to SAP ESS and access to SAP CRM
Business Process Driven Identity Management: Position Change

After two years as a marketing specialist, Kim is promoted and takes over personnel and budget responsibility for her marketing team. On the first day in her new role, she has access to the manager self-services. In her new position, she is responsible for budget approvals for all marketing campaigns; this requires immediate access to SAP ERP to view the marketing costs.

1. HR Operations (SAP ERP HCM / SuccessFactors): HR ensures that all necessary employee data for Kim is available
2. Event-based extraction of personnel data
3. Day of position change: SAP Identity Management recognizes the line manager information for Kim and automatically assigns the business role “Marketing Manager”
4. Provisioning of role and authorization information to the relevant target systems (SAP ERP HCM, SAP ERP, SAP CRM, SAP Portal): user updated “Employee”, “Line Manager”; user created “Marketing Controller”; user updated “Marketing Controller”; user updated with access to SAP ESS, SAP MSS and SAP CRM
Business Process Driven Identity Management: Termination

After eight years, Kim leaves the company. The day after her official assignment with the company ends, she is no longer able to access any corporate systems.

1. HR Operations (SAP ERP HCM / SuccessFactors): HR ensures that all data relevant for the employment contract termination is available, such as the last day of work
2. Event-based extraction of personnel data
3. Day after termination of employment: SAP Identity Management recognizes the last day information for Kim; it automatically takes away all access rights and disables her accounts
4. In the target systems (SAP ERP HCM, SAP ERP, SAP CRM, SAP Portal): user disabled
Solution in Detail: Compliant Identity Management
Compliant Identity Management: Capabilities

Compliant identity management across SAP and heterogeneous landscapes in one integrated solution:
• SAP Identity Management: manage identities and permissions; central management of heterogeneous environments
• SAP Access Control: identify and mitigate risks; compliance checks; business risk controls and mitigation
• Integration based on standards
• Consistent view on current and historic access rights, approvals and policy violations
Compliant Identity Management: Process View

SAP Identity Management together with SAP Access Control (SAP BusinessObjects Access Control, GRC):
1. Request role assignment
2. Manager approval
3. Forward request for risk analysis
4. Risk analysis (SAP Access Control)
5. Risk mitigation (SAP Access Control)
6. Risk status returned to SAP Identity Management
7. Provisioning to target systems: SAP applications (SAP SCM, SAP ERP HCM, SAP ERP, …) and non-SAP applications (Java, Portal, Database, Legacy, OS, Web app, …)
8. Notification to user and manager
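The eight-step process above, and the five-step request/approval workflow in the Role Management section, are the same flow with a risk gate inserted after manager approval. The following is an added example, written for this page and not SAP code, of that flow as a small state machine with an audit trail: the segregation-of-duties rule, the role names, the actor labels and the step numbering are constructed assumptions, and "risk analysis" is reduced to a subset check of the access the user would hold after the request.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    REQUESTED = "requested"
    MANAGER_APPROVED = "manager approved"
    DENIED = "denied by manager"
    RISK_FOUND = "risk found, mitigation required"
    RISK_CLEARED = "risk status: clear"
    RISK_REJECTED = "rejected: unmitigated risk"
    PROVISIONED = "provisioned"


# Constructed segregation-of-duties rule: these two roles must not be held together.
SOD_RULES = {frozenset({"AP_INVOICE_CREATE", "AP_PAYMENT_RELEASE"})}


@dataclass
class RoleRequest:
    user: str
    requested_role: str
    current_roles: set
    state: State = State.REQUESTED
    audit: list = field(default_factory=list)   # (step, actor, action) audit trail

    def log(self, step: int, actor: str, action: str) -> None:
        self.audit.append((step, actor, action))


def manager_decision(req: RoleRequest, manager: str, approve: bool) -> State:
    """Step 2: the manager approves or denies the request."""
    req.state = State.MANAGER_APPROVED if approve else State.DENIED
    req.log(2, manager, f"{'approved' if approve else 'denied'} {req.requested_role}")
    return req.state


def risk_analysis(req: RoleRequest, rules=SOD_RULES) -> list:
    """Step 4: simulate the access the user would hold and check SoD rules against it."""
    would_hold = req.current_roles | {req.requested_role}
    violations = [tuple(sorted(rule)) for rule in rules if rule <= would_hold]
    req.state = State.RISK_FOUND if violations else State.RISK_CLEARED
    req.log(4, "SAP Access Control", f"violations: {violations}")
    return violations


def mitigate(req: RoleRequest, control_id: str) -> State:
    """Step 5: a documented mitigating control lets a risky request proceed."""
    if req.state is State.RISK_FOUND:
        req.state = State.RISK_CLEARED
        req.log(5, "risk owner", f"mitigated with control {control_id}")
    return req.state


def provision(req: RoleRequest, connectors: list) -> list:
    """Step 7: push the role to each target system; refuses without a clear risk status."""
    if req.state is not State.RISK_CLEARED:
        raise RuntimeError(f"cannot provision in state {req.state.value}")
    actions = [(system, "assign", req.requested_role) for system in connectors]
    req.current_roles.add(req.requested_role)
    req.state = State.PROVISIONED
    req.log(7, "Identity Center", f"provisioned to {connectors}")
    return actions


def notify(req: RoleRequest) -> str:
    """Step 8: tell user and manager the outcome."""
    req.log(8, "Identity Center", f"notified {req.user} and manager")
    return f"request for {req.requested_role} by {req.user}: {req.state.value}"


def process_request(req, manager, approve, connectors, mitigation=None) -> State:
    """Drive steps 1-8 in order and return the final state."""
    req.log(1, req.user, f"requested {req.requested_role}")
    if manager_decision(req, manager, approve) is State.DENIED:
        notify(req)
        return req.state
    req.log(3, "Identity Center", "forwarded request for risk analysis")
    if risk_analysis(req):
        if mitigation is None:
            req.state = State.RISK_REJECTED
            notify(req)
            return req.state
        mitigate(req, mitigation)
    req.log(6, "SAP Access Control", f"risk status: {req.state.value}")
    provision(req, connectors)
    notify(req)
    return req.state
```

Two design points carry over to a real deployment: `provision` refuses to run unless the risk status is clear, so a bug or shortcut in the driver cannot skip the compliance gate, and every transition writes to the audit trail, which is what the reporting section later relies on to answer "who approved what when".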
Compliant, Business-Driven Identity Management

Requirement: provide automated, position-based role management while ensuring compliance

Solution:
• Simplify and automate role assignment
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration with SAP Business Suite

Process shown on the slide (swim lanes: SAP ERP HCM, SAP Identity Management, SAP Access Control, line manager, landscape):
1. New hire in SAP ERP HCM
2. Calculate entitlements based on position (SAP Identity Management)
3. Compliance check (SAP Access Control) with a Yes/No decision; remediation if the check fails
4. Approve assignments (line manager)
5. Provisioning to the landscape (SAP ERP HCM, SAP ERP, FI, Portal, non-SAP)
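The Kim Perkins scenarios (on-boarding, position change, termination) and step 2 above, "calculate entitlements based on position", all reduce to one mechanism: derive the desired state of every target account from the HR position, diff it against the landscape, and emit create/update/disable actions. The following is an added example of that reconciliation, not SAP code: the position-to-role rules, the system names and the account model are constructed assumptions (the page does not say which technical role lives in which system), and `verify` answers the lifecycle question "how can you ensure that they were properly removed?" by reporting every remaining deviation.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed rule set (assumption, not SAP configuration): HCM position -> business role,
# and business role -> technical roles per target system.
POSITION_RULES = {
    "Marketing Specialist": "Marketing Specialist",
    "Marketing Manager": "Marketing Manager",
}
BUSINESS_ROLES = {
    "Marketing Specialist": {
        "SAP ERP HCM": {"Employee"},
        "SAP CRM": {"Marketing Professional"},
        "SAP Portal": {"ESS"},
    },
    "Marketing Manager": {
        "SAP ERP HCM": {"Employee", "Line Manager"},
        "SAP ERP": {"Marketing Controller"},
        "SAP CRM": {"Marketing Professional"},
        "SAP Portal": {"ESS", "MSS"},
    },
}


@dataclass
class Account:
    """State of one user account in one target system."""
    enabled: bool = True
    roles: set = field(default_factory=set)


@dataclass
class HrEvent:
    """Personnel event as extracted from HCM: 'hire', 'position_change' or 'termination'."""
    kind: str
    person: str
    position: Optional[str] = None


def desired_state(event: HrEvent) -> dict:
    """Calculate entitlements from the position: target system -> technical roles.
    Termination yields an empty desired state, i.e. no access anywhere."""
    if event.kind == "termination":
        return {}
    business_role = POSITION_RULES[event.position]
    return {system: set(roles) for system, roles in BUSINESS_ROLES[business_role].items()}


def reconcile(current: dict, desired: dict) -> list:
    """Diff the landscape against the desired state and emit provisioning actions."""
    actions = []
    for system in sorted(set(current) | set(desired)):
        acct = current.get(system)
        want = desired.get(system, set())
        if acct is None:
            actions.append((system, "create", sorted(want)))
        elif not want:
            if acct.enabled or acct.roles:          # leaver: strip roles and disable
                actions.append((system, "disable", sorted(acct.roles)))
        elif acct.roles != want or not acct.enabled:  # mover: adjust in place
            actions.append((system, "update",
                            {"add": sorted(want - acct.roles), "remove": sorted(acct.roles - want)}))
    return actions


def apply_actions(current: dict, actions: list) -> dict:
    """Stand-in for the connectors: apply the actions to the (in-memory) landscape."""
    for system, op, detail in actions:
        if op == "create":
            current[system] = Account(True, set(detail))
        elif op == "disable":
            current[system] = Account(False, set())
        else:
            acct = current[system]
            acct.enabled = True
            acct.roles = (acct.roles | set(detail["add"])) - set(detail["remove"])
    return current


def verify(current: dict, desired: dict) -> list:
    """Evidence after provisioning: every account that still deviates from the entitlement."""
    findings = []
    for system, acct in current.items():
        want = desired.get(system, set())
        if not want and (acct.enabled or acct.roles):
            findings.append((system, "still enabled or still holds roles"))
        elif want and (not acct.enabled or acct.roles != want):
            findings.append((system, "roles differ from entitlement"))
    return findings
```

Because `reconcile` works from the desired state rather than from the event, the same code handles all three scenarios, and running it a second time after provisioning must return no actions; a non-empty result from `verify` after a termination is exactly the audit finding the lifecycle slide warns about.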
Solution in Detail: Reporting
Reporting Options at a Glance

Basic reporting
• Focus: static, printable reports
• Report creation on database level

Extended reporting with SAP Business Warehouse (SAP BW)*
• Focus: dynamic reports, offering more, highly detailed, and customizable reporting options
• Data is extracted from SAP Identity Management on a regular basis (as per defined job)
• Predefined report templates available; custom reports can be freely defined (filtering, sorting, export to MS Excel, CSV, PDF, send via e-mail, etc.)

Reporting with SAP Lumira*
• Focus: customer-specific reports/analyses for identity management
• Rich graphical capabilities for visualizing and utilizing reported data
• Low integration and maintenance efforts
• Easy extension

*SAP BW and SAP Lumira are not part of the SAP ID Mgmt license
Basic Reporting

• Application/privilege-centric: determination of system access
• User-centric: determination of user privileges
• Entry data: current data, historical data, time stamps, modified by, audit flags
• Approval data: who approved what when? Who had which privilege when? Segregation of duties, attestation
• Task audit log: determination of tasks run on user / by user
• General logs
• Off-the-shelf reporting tools can be used
Extended Reporting with SAP Business Warehouse

• SAP BW report templates: persons, privileges, roles and their assignments over time and for specific dates; content-based and time-based reporting
• Advanced filtering and sorting options
• Access control: roles for reporting users (administrator, manager, owner)
• Basic audit data: who changed what
• Flexibility: BEx reports
• Change history up to the time of last synchronization
Reporting with SAP Lumira

• Customer-specific reports/analyses for identity management
• Rich graphical capabilities for visualizing and utilizing reported data
• Low integration and maintenance efforts
• Easy extension
Solution in Detail: Password Management
Password Management

Requirement:
• Reduce help desk calls related to password reset inquiries
• Enable password provisioning across heterogeneous landscapes

Solution: centralize and automate password management
• Operations available to help desk and user: reset password, recover lost password, set new password
• Passwords are provisioned through SAP Identity Management to the landscape (SAP ERP HCM, SAP ERP, FI, Portal, non-SAP)
Solution in Detail: Connectivity
Connectivity Framework

Databases: Microsoft SQL Server, Microsoft Access, Oracle database, IBM UDB (DB2), MySQL, Sybase, SAP HANA

Directory servers: Microsoft Active Directory, IBM Tivoli Directory, Novell eDirectory, SunONE Java Directory, Oracle Internet Directory, Microsoft ADAM, Siemens DirX, OpenLDAP, eB2Bcom View500 Directory Server, CA eTrust Directory, SAP IDM Virtual Directory Server, any LDAP v3 compliant directory server

On-prem/cloud applications: SAP Business Suite, SuccessFactors, SAP Access Control, Lotus Domino / Notes, Microsoft Exchange, RSA ClearTrust, RSA SecurID

Technical: SPML, LDAP, ODBC/JDBC/OLE-DB, RFC, LDIF files, XML files, CSV files

Other: SAP Application Server, Microsoft Windows NT, Unix/Linux; shell execute, custom Java connector API, script-based connector API
SAP Identity Management Integration Scenario NW-IDM-CON
Third Party Connector Certification, SAP ICC Integration Scenario NW-IDM-CON

The SAP Integration and Certification Center (ICC) offers a certification for the integration scenario NW-IDM-CON.

SAP partners as well as potential partners and independent software vendors (ISVs) are invited to use the Connector Development Kit (CDK) to create an SAP Identity Management connector for their application, and to integrate the application into the identity management landscape. This connector can then be certified by the SAP ICC.

For general information about third party certifications with SAP products, please refer to http://www.sdn.sap.com/irj/sdn/interface-certifications, or contact the SAP Integration and Certification Center (ICC) directly at [email protected]
Solution in Detail: Architecture
SAP Identity Management Architecture
Solution in Detail: Identity Virtualization
Virtual Directory Server

Virtual Directory Server (VDS) provides
• A single consistent view and entry point for multiple distributed identity data sources
• Identity information as a service for applications through standard protocols (LDAP, SPML)
• An abstraction layer for the underlying data stores: the consumer only sees one standard interface; VDS transforms incoming LDAP requests and connects directly to the existing data repositories
• Data stays within the original data source; efficient caching

Properties
• Real-time access to data
• No need to consolidate data sources
• No extra data store
• Quick LDAP deployment
• Easier and cheaper maintenance
• Attribute manipulation, name space modifications, complex operations on-the-fly

Figure: an application talks SPML or LDAP to the Virtual Directory Server, which accesses a database and directory servers over JDBC, LDAP and SPML.
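To make the abstraction-layer idea concrete, the following is an added example, not SAP's VDS implementation: a minimal virtual directory that answers an LDAP-style equality search by assembling one entry from two backends at request time, renaming attributes (a SQL column `email_addr` becomes `mail`), publishing the result under a virtual base DN that neither backend uses, and caching per uid so the backends are not hit twice. The two backends (an in-memory SQLite table standing in for the JDBC path, and a dict standing in for a legacy LDAP directory), the DNs, the attribute names and the sample people are all constructed for the example.

```python
import re
import sqlite3

# Virtual namespace that consumers see; the physical namespaces differ per backend.
VIRTUAL_BASE = "ou=users,dc=corp,dc=example"
LEGACY_BASE = "ou=people,dc=legacy,dc=example"

# Backend 1 (constructed sample): an HR table reached over SQL (the slide's JDBC path).
hr_db = sqlite3.connect(":memory:")
hr_db.execute("CREATE TABLE employees (uid TEXT PRIMARY KEY, email_addr TEXT, dept TEXT)")
hr_db.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                  [("kim", "kim@example.com", "MKT"), ("lee", "lee@example.com", "FIN")])

# Backend 2 (constructed sample): a legacy LDAP directory, modelled as DN -> attributes.
legacy_dir = {
    f"uid=kim,{LEGACY_BASE}": {"uid": "kim", "cn": "Kim Perkins", "telephoneNumber": "+1-555-0100"},
    f"uid=lee,{LEGACY_BASE}": {"uid": "lee", "cn": "Lee Park"},
}

# Only a single equality filter such as "(uid=kim)" is understood in this example.
EQUALITY_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


def parse_filter(ldap_filter: str) -> tuple:
    """Split '(attr=value)' into its parts; anything else is rejected."""
    m = EQUALITY_FILTER.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter {ldap_filter!r}")
    return m.group(1), m.group(2)


class VirtualDirectory:
    """Presents one LDAP-style entry per user, assembled on the fly from both backends.
    No data is copied into a store of its own; a per-uid cache avoids repeated round trips."""

    def __init__(self):
        self.cache = {}
        self.backend_calls = 0

    def _from_hr_db(self, uid: str) -> dict:
        self.backend_calls += 1
        # Parametrised query: the filter value never becomes part of the SQL text.
        row = hr_db.execute("SELECT email_addr, dept FROM employees WHERE uid = ?", (uid,)).fetchone()
        if row is None:
            return {}
        # Attribute manipulation: column names become standard LDAP attribute names.
        return {"mail": row[0], "departmentNumber": row[1]}

    def _from_legacy_dir(self, uid: str) -> dict:
        self.backend_calls += 1
        return dict(legacy_dir.get(f"uid={uid},{LEGACY_BASE}", {}))

    def search(self, base: str, ldap_filter: str):
        """Answer an LDAP search against the virtual base; returns the merged entry or None."""
        if base != VIRTUAL_BASE:
            raise ValueError(f"unknown base {base!r}")
        attr, value = parse_filter(ldap_filter)
        if attr != "uid":
            raise ValueError("this example only resolves entries by uid")
        if value in self.cache:
            return self.cache[value]
        entry = self._from_legacy_dir(value)
        entry.update(self._from_hr_db(value))
        # Namespace modification: the entry is published under the virtual base DN.
        result = {"dn": f"uid={value},{VIRTUAL_BASE}", **entry} if entry else None
        self.cache[value] = result
        return result
```

The consumer never learns that `mail` came from a SQL column or that the legacy directory lives under a different base DN, which is the "consumer only sees one standard interface" property. The filter value is passed to SQLite as a bound parameter rather than interpolated, so a malformed uid in the LDAP filter cannot change the query; a real VDS in front of a database needs the same discipline.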
Summary & Additional Information
Summary

• SAP Identity Management is part of a comprehensive SAP security suite that includes access control as well as secure programming and compliance aspects.
• The solution covers the entire identity lifecycle and automation capabilities based on business processes.
• A strong integration with SAP Access Control creates a holistic identity and access governance solution.
• Extensive connectivity with SAP and non-SAP applications extends identity management to all areas of the enterprise.
Find More Information: SAP Community Network

Visit the SAP Community Network (SCN) for comprehensive information on SAP Identity Management, such as
• Discussion forum, product information, documentation, training, and support information
• Articles, blogs, WIKI, FAQs, and newsletters
• Downloads

http://scn.sap.com/community/idm
SAP Identity Management Rapid Deployment Solution

• Short project times and reduced TCO by simplifying assignment and management of roles and privileges to users
• Implementation of best practice processes out of the box with a fixed scope and the most important and common scenarios, e.g. a defined set of customer-specific configuration, connection of source and target systems, provisioning, etc.
• Pre-configured functionality of SAP Identity Management in a development system
• Step-by-step guide, describing each activity during deployment
• Solution can be extended with additional add-on options

Standard solution: connection of 1 source and 2 target systems; approval workflows; automatic authorization assignment; mass user administration jobs; e-mail notification framework; support of system-specific attributes; new Web UI tasks; predefined HTML-based reports

Add-On 1: connection to additional SAP systems
Add-On 2: additional go-live support
© 2014 SAP SE or an SAP affiliate company.
All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional
trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated
companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties
that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.