Identity Management with SAP NetWeaver IdM
Andreas Müller, BT Global Services, 24.04.2008

Agenda
- Introduction: SAP NetWeaver IdM
- Project IdM@BT
- Project ISP: background and motivation, functionality, lessons learned
- Summary
SAP NetWeaver Identity Management
IdM should be triggered by identity business processes and data:
- Data, e.g. on-boarding (HCM): definition and rule-based assignment of meta roles; HCM integration
- Identity management monitoring and audit
- Business processes, e.g. Order2Cash: identity virtualization and identity as a service through standard interfaces; the business process relies on appropriate user and role assignments in the connected systems
Core functions of SAP NetWeaver Identity Management
- Password management
- Approval workflows
- Central identity store
- Distribution of users and role assignments to SAP and non-SAP systems
Connected systems: SAP FI (ABAP), SAP XI (ABAP/Java), SAP HR (ABAP), SAP ERP (ABAP), SAP Java, SAP Portal (Java), legacy applications, databases, web applications, MS Exchange, operating systems
© SAP BT 2008

System Components
- Workflow web front-end for end users (user/manager workflow front-end): approvals, self-service, delegated administration
- Monitoring web front-end for operations (administrator monitoring front-end): analyse system activity
- Management Console for administrators and developers: system configuration, process configuration
- Database: holds the identity store
- Identity Center: dispatchers execute processes (batch synchronization, user-initiated tasks, provisioning tasks); event agents detect changes in connected systems
- Virtual Directory: provides additional connectors
- Source systems and target systems
Management Console Example: Request a SAP-Role
Monitoring
Use of Identity Center at BT
- Synchronization of 230,000 identities from the Corporate Directory into Active Directory
- Provisioning of personal and functional email accounts
- Additional attributes joined from import files
- Built-in delta mechanism reduces updates to Active Directory to the absolute minimum
Data flow: Corporate Directory and files (source systems) -> synchronization engine and database (Identity Center) -> Active Directory (target system)
Performance
- Delta import once a day, duration 1.5 h
- Full import once a month, duration ca. 5 h
Benefits
- Efficient delta mechanism
- Highly customizable connectors
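The slide credits the delta mechanism for keeping Active Directory updates to a minimum. The following added example (not BT's or SAP's code) shows the principle with constructed sample data: a canonical fingerprint of the tracked attributes is kept per identity from the previous run, the import file is joined on a hypothetical `uid` field, and only identities whose fingerprint changed, appeared or vanished produce an operation for the target; disabling (rather than deleting) vanished identities is an assumed policy.

```python
import hashlib
import json
# Constructed sample data (not BT's real directory): two daily exports of the
# corporate directory plus an import file that contributes extra attributes.
DAY1 = [
    {"uid": "e1001", "cn": "Anna Schmidt", "mail": "anna.schmidt@example.com", "ou": "Sales"},
    {"uid": "e1002", "cn": "Hans Mustermann", "mail": "hans.m@example.com", "ou": "IT"},
    {"uid": "e1003", "cn": "Lee Park", "mail": "lee.park@example.com", "ou": "HR"},
]
DAY2 = [
    {"uid": "e1001", "cn": "Anna Schmidt", "mail": "anna.schmidt@example.com", "ou": "Marketing"},
    {"uid": "e1002", "cn": "Hans Mustermann", "mail": "hans.m@example.com", "ou": "IT"},
    {"uid": "e1004", "cn": "Mia Rossi", "mail": "mia.rossi@example.com", "ou": "IT"},
]
IMPORT_FILE = {"e1001": {"location": "MUC"}, "e1002": {"location": "FRA"}, "e1004": {"location": "MUC"}}
TRACKED = ("cn", "mail", "ou", "location")  # only these attributes are compared

def join_entries(directory, import_file):
    """Merge the import file's attributes into each directory entry, keyed by uid."""
    joined = {}
    for entry in directory:
        merged = dict(entry)
        merged.update(import_file.get(entry["uid"], {}))
        joined[entry["uid"]] = merged
    return joined

def fingerprint(entry):
    """Hash of the tracked attributes in canonical form, so field order or
    untracked fields never trigger a spurious update."""
    canon = json.dumps({k: entry.get(k) for k in TRACKED}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()

def compute_delta(previous, current):
    """previous: {uid: fingerprint} saved from the last run; current: {uid: entry}.
    Returns (ops, new_snapshot); only the ops are pushed to Active Directory.
    Entries gone from the source are disabled, not deleted (assumed policy)."""
    ops, snapshot = [], {}
    for uid, entry in current.items():
        fp = fingerprint(entry)
        snapshot[uid] = fp
        if uid not in previous:
            ops.append(("add", uid, entry))
        elif previous[uid] != fp:
            ops.append(("modify", uid, entry))
    for uid in previous:
        if uid not in current:
            ops.append(("disable", uid, None))
    return ops, snapshot

def simulate_two_runs():
    """Full import on day 1 (empty snapshot), delta import on day 2."""
    ops1, snap = compute_delta({}, join_entries(DAY1, IMPORT_FILE))
    ops2, _ = compute_delta(snap, join_entries(DAY2, IMPORT_FILE))
    return ops1, ops2
```

On day 2 only three of the four entries produce an operation; the unchanged identity is never touched in the target.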
Customer: Internet Service Provider. Project Scope
Consulting
- IdM project setup and definition
- Requirements analysis
- Detailed vendor selection: longlist, RFI, shortlist, POC
- Establish standards for the definition of roles and entitlements
- Process optimization for IdM administration processes
- Prepare data protection concepts and works council agreements
- Quality assurance concept
- Data cleansing support
Implementation
- Design based on the selected IdM tool (MaXware IC / SAP NetWeaver IdM)
- Implementation: data model, IdM processes, provisioning interfaces to target systems, IdM data synchronization
- Project management
- Test
- Migration of existing accounts and entitlements
Operations
- Change and incident management

Customer: Internet Service Provider. Motivation
Project goals
- Creation of a central identity repository for all non-customer identities accessing computing center applications
- Implementation of standardized administration processes for entitlements
- Creation of a central repository for entitlements
- Increasing data quality of identity and entitlement data
- Effective demonstration of SOX compliance
- Delegation of administrative tasks
- Increased degree of automation
- Primary goals: increase usability, security and audit capabilities
- Secondary goals: cost reduction and ROI considerations
Tool selection
- RFI with more than 10 major IdM vendors
- Presentations and proof of concept
- Criteria: support for non-standard applications; flexibility and a high degree of customization; expected implementation effort; match with skills available internally; support for roles and delegated administration; traceability of system and user actions

Source and Target Systems
Target system types
- SAP
- ISP test accounts
- Building access
- Secure VPN
- LDAP
- Active Directory
- Samba
- SSH key management / key distribution
- ARS Remedy
- Sun Access Manager
User groups
- Employees
- Group employees
- Consultants
- Partners
Source systems
- HR
- Group directory
- Asset database

Project History and Milestones
- Nov. 2004: requirements analysis
- May 2005: tool selection
- July 2005: design and start of implementation
- Feb. 2006: go-live of Release 1.0, including source-system connectivity (HR/org master data), standard request and approval process, internal administrative entitlement model with delegation of admin privileges, target systems SAP/LDAP
- June 2007: Release 1.5
- Sept. 2007: Release 1.6
- Jan. 2008: Release 1.7
- April 2008: Release 1.8
Project ISP: Functionality
- Identity Management
- Entitlement Management
- Account Management
- Self-Service

Use Cases (1): Identity Management
Life-cycle events
- (Re-)enter company
- OU change
- Location change
- Leave company
- Position change
- Sabbaticals / maternity leave
Identity states and transitions
- inactive -> activate -> active
- active -> suspend (e.g. maternity leave) -> suspended -> activate -> active
- Leave company leads to inactive; (re-)enter company leads back to active
- While active: change location, change company, change organization, change name, change position
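The state diagram on this slide is small, but in a deployment every transition has to drive account actions in the target systems and be refused in states where it makes no sense. This added example (not the project's code) encodes the slide's states as a transition table with a guard; the provisioning actions attached to each transition and the `Identity` class are assumptions that map the transitions onto the account-management use cases.

```python
# Constructed transition table for the identity life cycle sketched on the slide
# (states inactive/active/suspended); the provisioning actions attached to each
# transition are an assumed mapping onto the account-management use cases.
TRANSITIONS = {
    # (state, event): (new_state, actions emitted for the connected target systems)
    ("inactive", "enter_company"):   ("active",    ["create_accounts", "assign_base_roles"]),
    ("active",   "suspend"):         ("suspended", ["deactivate_accounts"]),
    ("suspended", "activate"):       ("active",    ["activate_accounts"]),
    ("active",   "leave_company"):   ("inactive",  ["revoke_permissions", "deactivate_accounts"]),
    ("suspended", "leave_company"):  ("inactive",  ["revoke_permissions"]),
    ("inactive", "reenter_company"): ("active",    ["activate_accounts", "assign_base_roles"]),
}
# Master-data changes that are only valid while the identity is active.
ATTRIBUTE_CHANGES = {
    "change_location": ["update_location_attribute", "recompute_location_groups"],
    "change_company": ["update_company_ou"],
    "change_organization": ["update_company_ou"],
    "change_name": ["rename_accounts"],
    "change_position": ["recompute_functional_roles"],
}

class Identity:
    def __init__(self, uid, state="inactive"):
        self.uid, self.state, self.audit = uid, state, []

    def apply(self, event):
        """Apply a life-cycle event; returns the actions to provision, or raises
        ValueError for an event that is not allowed in the current state."""
        if event in ATTRIBUTE_CHANGES:
            if self.state != "active":
                raise ValueError(f"{event} not allowed in state {self.state}")
            actions = ATTRIBUTE_CHANGES[event]
        else:
            key = (self.state, event)
            if key not in TRANSITIONS:
                raise ValueError(f"{event} not allowed in state {self.state}")
            self.state, actions = TRANSITIONS[key]
        # Every transition is recorded for the documentation/audit use case.
        self.audit.append((event, self.state, tuple(actions)))
        return list(actions)

def maternity_leave_scenario():
    """Enter, go on leave, return, move location, then leave the company."""
    ident = Identity("hmustermann")
    for event in ("enter_company", "suspend", "activate", "change_location", "leave_company"):
        ident.apply(event)
    return ident
```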
Manage Master Data Task Menu
Create Person
Create Location
Use Cases (2): Entitlement Management and Account Management
Entitlement management
- Assign (temporary) permissions
- Revoke permissions
- Automated role assignment
- Documentation / audit
Account management
- Assign account
- (De-)activate account
- Delete account
- Password management
Example data model for the person Hans Mustermann
- Location
- Account: Active Directory
- Company OU
- Functional role: Employee
- Permission: VPN access
- Permission: AD group Employees-MUC
Create Permissions Creates permission within the IdM-system as well as in the target system
Assign/Revoke Permissions Delegated administration for permission owners
Use Cases (3): Self-Service
- Password reset
- Request permissions: first approval, optional second approval; on denial the requester is notified, on approval the permission is provisioned
- Self-service for certain person attributes? Subject to data protection requirements

Request Permissions
- Users may request permissions for themselves or for others.
- The approval process is configurable for each permission.
- Approver roles: line manager, permission owner, target system owner, HR

Approval
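To make the per-permission approval chain concrete, here is an added example (not the ISP's or SAP's implementation) of the request flow described above: the chain of approver roles is configuration per permission, each step is resolved to a concrete approver, a denial at any step closes the request and notifies the requester, and the last approval triggers provisioning. Permission names, user ids and the role-to-user mappings are constructed; the HR approver role from the slide is left out for brevity.

```python
from dataclasses import dataclass, field
# Constructed configuration (not the ISP's real data): the approval chain is
# configured per permission and may have one or two approval steps.
APPROVAL_CHAIN = {
    "AD-Group Employees-MUC": ["LineManager"],
    "VPN-Access": ["LineManager", "TargetSystemOwner"],
    "SAP-Role FI-Posting": ["LineManager", "PermissionOwner"],
}
LINE_MANAGER = {"hmustermann": "mmanager", "aschmidt": "mmanager"}
PERMISSION_OWNER = {"SAP-Role FI-Posting": "fi-owner"}
TARGET_SYSTEM_OWNER = {"VPN-Access": "vpn-admin"}
# How each approver role is resolved to a concrete user for a given request.
APPROVERS = {
    "LineManager": lambda req: LINE_MANAGER[req.beneficiary],
    "PermissionOwner": lambda req: PERMISSION_OWNER[req.permission],
    "TargetSystemOwner": lambda req: TARGET_SYSTEM_OWNER[req.permission],
}

@dataclass
class Request:
    requester: str
    beneficiary: str
    permission: str
    pending: list = field(default_factory=list)  # approver roles still to decide
    state: str = "open"                           # open | denied | provisioned
    log: list = field(default_factory=list)

def open_request(requester, beneficiary, permission):
    """Users may request for themselves or for others; the chain comes from config."""
    req = Request(requester, beneficiary, permission, list(APPROVAL_CHAIN[permission]))
    req.log.append(f"requested by {requester} for {beneficiary}")
    return req

def decide(req, approver, approved):
    """Record one approval step. Only the configured approver for the current step
    may decide, and nobody may approve a request that benefits themselves."""
    if req.state != "open":
        raise ValueError("request already closed")
    role = req.pending[0]
    if approver != APPROVERS[role](req) or approver == req.beneficiary:
        raise PermissionError(f"{approver} may not decide step {role}")
    if not approved:
        req.state = "denied"
        req.log.append(f"denied by {approver}; notify {req.requester}")
        return req.state
    req.log.append(f"approved by {approver} as {req.pending.pop(0)}")
    if not req.pending:
        req.state = "provisioned"
        req.log.append(f"provision {req.permission} to {req.beneficiary}")
    return req.state
```

The `log` list doubles as the audit trail the slides ask for under documentation/audit.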
Lessons Learned
Implementation
- Expectations concerning adaptability were fulfilled
- The tool supports change and redesign very well in the course of extensions and additions
- Short implementation cycles achieved
- System behavior is transparent and follows a consistent paradigm
- The number of processes (approx. 150 processes, 1,300 steps) makes the system complex
- A framework was developed on top of the built-in functionality
- (Regression) testing is indispensable
Processes
- Flexibility (data model, user interface, processes) brings the temptation of relaxing initial standards as the system evolves over time
- End user help is crucial to reduce helpdesk call volume
- Complexity multiplies (user types x identity states x data sources)
General issues
- Data cleansing and migration may take up to 50% of the target system implementation effort
- Development, integration and production environments are required to manage changes
- A pragmatic approach to the use of roles allows for a sufficient degree of automation without complex role modeling processes

Summary
SAP NetWeaver Identity Management fulfilled the expectations regarding the speed and flexibility of a tool-box, but requires thorough design and planning for large deployments.
- Agile implementation possible
- Quick reaction to changed requirements
- High degree of flexibility concerning the data model, process adaptation and front-end extension
- Comprehensive monitoring tools to diagnose system behavior
Flexibility requires
- Experienced IdM developers and designers
- A mature project and software development organization
- Comprehensive QA measures appropriate for IdM (i.e. automated regression tests)

Thank You
Andreas Müller, Solutions Architect, Global Professional Services
BT (Germany) GmbH & Co. oHG
Tel: +49 (0)69 3307-8074
andreas.mueller@bt.com