SAP Solution in Detail SAP NetWeaver SAP NetWeaver Identity Management. Business-Driven, Compliant Identity Management



Similar documents
Business-Driven, Compliant Identity Management

Business-Driven, Compliant Identity Management

BUSINESS-DRIVEN, COMPLIANT IDENTITY MANAGEMENT USING SAP NetWeaver IDENTITY MANAGEMENT

Cybersecurity and Secure Authentication with SAP Single Sign-On

Simplify and Secure Cloud Access to Critical Business Data

Minimize Access Risk and Prevent Fraud With SAP Access Control

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

SAP Identity Management Overview

Unlock the Value of Your Microsoft and SAP Software Investments

SAP ERP EMPLOYEE INTERACTION CENTER

First-hand Information about the Enhanced Functionality and Integration Options Within SAP NetWeaver Identity Management 7.2

Compliant, Business-Driven Identity Management using. SAP NetWeaver Identity Management and SBOP Access Control. February 2010

Outperform Financial Objectives and Enable Regulatory Compliance

Build an Advanced Incentive- Compensation Program That Meets Today s Sales Goals

Streamline HR Tasks with Centralized Document Access

SAP NetWeaver Identity

A Cloud-Based Foundation for Enterprise Mobility

An Enterprise Resource Planning Solution for Mill Products Companies

Extend Business Scope and Improve Governance with SAP Content Management

How To Make Your Software More Secure

Enterprise Information Management Services Managing Your Company Data Along Its Lifecycle

Transform Invoice Management with a Hybrid of Cloud and On-Premise Software

Securing Enterprise Mobility for Greater Competitive Advantage

SA Power Networks Powering South Australia Flexible Infrastructure for the Development of Mission-Critical Applications

Transform HR into a Best-Run Business Best People and Talent: Gain a Trusted Partner in the Business Transformation Services Group

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Streamline Processes and Gain Business Insights in the Cloud

mysap ERP mysap ERP HUMAN CAPITAL MANAGEMENT

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

Making Every Project Business a Best-Run Business

SAP ERP FINANCIALS ENABLING FINANCIAL EXCELLENCE. SAP Solution Overview SAP Business Suite

Integrate, Automate, and Personalize Business Communications with Greater Ease

Cut Costs and Improve Agility by Simplifying and Automating Common System Administration Tasks

Optimizing Asset Value and Performance with Enterprise Content Management

Increase Business Velocity with Connected, Insightful, Cloud-Based Software

SAP ERP E-Commerce and SAP CRM Web Channel Enablement versions available on the market

Transform Your SAP Applications Landscape to Meet Changing Business Requirements

Streamlined Planning and Consolidation for Finance Teams Running SAP Software

Infosys: Treating Governance and Compliance Strategically with SAP Access Control

Integration capabilities of SAP S/4HANA to SAP Cloud Solutions

Oracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007

An Enterprise Resource Planning Solution (ERP) for Mining Companies Driving Operational Excellence and Sustainable Growth

SAP Business One OnDemand. SAP Business One OnDemand Solution Overview

GR5 Access Request. Process Diagram

Improve Business Efficiency by Automating Intercompany Transactions

Automate Complex Pay Rules While Streamlining Time and Attendance Management

Provide access control with innovative solutions from IBM.

Compliance & SAP Security. Secure SAP applications based on state-of-the-art user & system concepts. Driving value with IT

Streamline Accounts Payable Processes with Cloud-Based Electronic Invoicing

Securing Mobile Apps in a BYOD World

secure user IDs and business processes Identity and Access Management solutions Your business technologists. Powering progress

Deliver Secure, User-Friendly Access to Mobile Business Apps

White Paper. SAP NetWeaver Landscape Virtualization Management on VCE Vblock System 300 Family

Power Smart Business Operations with Real-Time Process Intelligence

Strengthen security with intelligent identity and access management

HP Software as a Service. Federated SSO Guide

SAP BusinessObjects Edge BI, Standard Package Preferred Business Intelligence Choice for Growing Companies

Identity and Access Management

SAP Solution Manager: The IT Solution from SAP for IT Service Management and More

SAP BusinessObjects Business Intelligence 4.1 One Strategy for Enterprise BI. May 2013

White paper December Addressing single sign-on inside, outside, and between organizations

Increase the Efficiency and Value of Healthcare Contact Centers

Business Management Made Simpler

Centralize Supplier Information and Manage Performance

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

Drive Performance and Growth with Scalable Solutions for Midsize Companies

Driving Excellence in Implementation and Beyond The Underlying Quality Principles

B2B E-Commerce Solutions Empower Wholesale Distributors

ITM204 Post-Copy Automation for SAP NetWeaver Business Warehouse System Landscapes. October 2013

Sun Communities: Reducing Manual Processes for New Hires by 97% Using SuccessFactors Onboarding

SAP Identity Management Overview

Elevate Your Customer Engagement Strategy with Cloud Services

SAP NetWeaver. SAP NetWeaver

SAP Travel OnDemand Solution An Easier Way to Travel

MANAGEMENT AND ORCHESTRATION WORKFLOW AUTOMATION FOR VBLOCK INFRASTRUCTURE PLATFORMS

Patient Relationship Management

SAP ERP HUMAN CAPITAL MANAGEMENT SOLUTION OVERVIEW

Aditro: Increasing Contact Center Efficiency for Improved Customer Satisfaction

Get Invoice Processing That s Ready for the Digital Economy and Your IT Landscape

SAP HANA Enterprise Cloud

1 Introduction to Identity Management. 2 Identity and Access Needs are Ever-Changing

Measure Your Data and Achieve Information Governance Excellence

Optimize Retail Label and Poster Printing with SAP Software

Start Anywhere and Go Everywhere with Cloud Services for HR

Data Integration using Integration Gateway. SAP Mobile Platform 3.0 SP02

Vehicle Sales Management

How can Identity and Access Management help me to improve compliance and drive business performance?

Dell One Identity Manager Scalability and Performance

ENTERPRISE MANAGEMENT AND SUPPORT IN THE TELECOMMUNICATIONS INDUSTRY

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

Enhance Performance Management Reporting

TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management

Transcription:

Solution in Detail NetWeaver Business-Driven, Compliant Identity

Table of Contents 3 Quick Facts 4 Business Challenges Identity for the User Lifecycle 5 The Solution Supporting a Heterogeneous IT Landscape Providing Business-Driven Identity Identity Federation and Single Sign-On 8 Features and Functions 10 The Benefits For More Information

Quick Facts Summary Identity management is becoming a key challenge, as organizations must ensure that users have the right access to applications in a timely manner and that data is secure. The NetWeaver Identity component addresses this challenge by helping you align identity management with your organization s key business processes. Business Challenges Reduce operational costs in complex system landscapes Manage access to applications Comply with local and global regulations Key Features Business-driven, compliant identity management Align identity management with business processes running in applications; fulfill compliance requirements by integrating NetWeaver Identity with the Access Control application Provisioning, workflow, and approvals Assign and maintain user access rights across multiple systems; provision employees and business partners; audit all changes Password management Provide password self-service functionality and password synchronization across all connected target systems Roles and entitlements Align roles with business processes rather than technical directory structures Reporting and auditing Produce reports based on current access and past events Identity federation Enable crossenterprise identity management and single sign-on in on-premise and on-demand environments Business Benefits Lower costs and increased productivity due to tight integration with your business processes across heterogeneous systems Compliance with regulatory requirements for auditability of access to applications, minimizing segregation-of-duties risks For More Information Call your representative today, or visit us on the Web at www.sap.com /platform/netweaver/components/idm /index.epx. Solution in Detail Business-Driven, Compliant Identity 3

Business Challenges Managing Costs, Process Change, and Compliance With the NetWeaver Identity component, you can integrate identity management with the business processes within and beyond your enterprise. Identity federation facilitates joint authentication and single-sign-on solutions for secure identity management across company boundaries. This approach helps overcome the challenges involved in managing users in hetero geneous IT landscapes system complexity, constantly evolving user tasks, and mandates for tracking who had access to which applications when. Identity management solutions address several key business challenges. High operational costs and risks Complex system landscapes require that your IT department maintain multiple sources of identity data, entering data for each user as well as assigning permissions in multiple systems. Having to provision users in multiple systems trans lates into delays in making new employees productive. It also presents risks when employees who have changed roles or have left the organization continue to have access longer than they should. Paper-based approval processes further complicate this process, and users are dependent on help desk staff for password resets and changes in access or permissions. Changing business consumption models In today s complex business environment, organizations are increasingly interconnected. Business processes are extended across corporate boundaries with participants from multiple organizations, including partners and customers. As new consumption models are introduced in this context in response to competitive pressures, managing access to the applications by participants from within as well as across enterprise boundaries becomes a challenge. Increasing compliance requirements One of the key factors driving the adoption of identity management solutions in the past few years is compliance requirements. Laws such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act (for financial institutions), and Health Insurance Portability and Accountability Act require that your organization be able to state with certainty who had access to what system resources and when. Identity management solutions help you achieve compliance, provide needed audit trails, and prevent unauthorized access. Identity for the User Lifecycle A comprehensive identity management solution covers the entire lifecycle of a user, from the onboarding process of a new employee to the termination of an employment contract. If you don t have an identity management solution, the work required to provision and manage user access in a compliant and auditable way is labor intensive, repetitious, and error prone. This problem is compounded when you consider the typical user lifecycle within an organization. When an employee is hired, your organization gives him or her certain permissions in a variety of systems. Later, the employee may receive a promotion or change roles and so receive new, additional permissions. Furthermore, you may need to grant other temporary privileges for some year-end activity or while an employee is covering for a colleague on vacation. Thus, an employee typically tends to accrue privileges over time and often continues to have access that is no longer required for the current role. This is, of course, a security risk. But it is also a potential compliance violation. Adding a new role might cause conflicting authorizations for the user. Consider this example: A purchasing manager is authorized to issue orders to external vendors for example, to buy office supplies. To step in for a colleague who s on sick leave, this purchasing manager temporarily needs the authorization to create vendors in the system. The employee could now misuse his roles, create a new (fictitious) vendor, and issue an order. To minimize the risk that comes from such segregation-of-duties violations, a compliance check must be performed for all role assignments that apply to critical business processes, such as enterprise resource planning (ERP) system roles. Finally, when the employee leaves your company, the access that this user has may still not be revoked, perhaps even years later, which presents obvious and ongoing security risks to your organization. At each stage, you need to give the user access to the right set of applications according to his or her current role. NetWeaver Identity helps you manage this process centrally, across solutions as well as heterogeneous, non- applications. 4 Solution in Detail Business-Driven, Compliant Identity

The Solution How Can Help can help your organization grant and manage user access to heterogeneous applications securely and efficiently, in alignment with your business processes and in accordance with audit and compliance requirements. The solution provides a central mechanism for provisioning users and assigning the appropriate business roles. It also supports related processes such as password management, self-service, and approvals workflow. supports user provisioning by offering: One central place to manage users in and non- applications regardless of the individual data stores (for example, changing a phone number or e-mail address automatically updates all relevant systems) Tight integration with your company s business processes Centralized reporting functionality to address the pressing need for compliance and auditability using the NetWeaver Business Warehouse application, mapping of one user to identities in all systems, and fully auditable user access across the entire IT landscape Password-reset and lost-password management functionality for end users, alleviating help desk workload and reducing operational costs Built-in identity federation function ality for cross-company identity management processes and single sign-on Integration with the NetWeaver Single Sign-On application to support end-to-end single sign-on and encryption in distributed environments, including all GUIs as well as Web-based front ends Supporting a Heterogeneous IT Landscape enables you to streamline provisioning of users into all applications and third-party as well as operating systems, file systems, and databases via a comprehensive, constantly expanding connector framework (see Figure 1). The integration is based on open commu nica tion standards to enable the integration of virtually all applications, including Microsoft Active Directory, Microsoft Exchange, IBM Lotus Notes, and many others. The integration of NetWeaver Business Warehouse allows for highly customized, differentiated, state-of-the-art reporting. Providing Business-Driven Identity Identity management solutions evolved from the need for IT organizations to efficiently manage users across multiple applications. These solutions were essentially IT efficiency tools that streamlined the process of user management by providing a central mechanism to enable these processes. As organizations achieve these efficiencies and realize the value of these solutions, it is becoming apparent that you can accrue greater benefits. You can gain these benefits by aligning the user management functionalities more closely with the business processes that these users access. Figure 1: Support for Heterogeneous Landscapes in NetWeaver Identity Business processes Organizational management Role lifecycle management NetWeaver Identity Business Suite Other applications Heterogeneous environment Solution in Detail Business-Driven, Compliant Identity 5

is integrated with Business Suite software. This comprehensive support for user provisioning is driven by the business processes implemented by the various applications of Business Suite. For example, integration with the ERP Human Capital solution automates identity management processes on the basis of employee creation and status change events triggered by HR business processes, as shown in Figure 2. However, integration is not limited to employee processes. Identity management processes for business partners and students are also supported, such as the automated creation of users and corresponding business partners in the Customer Relationship and Supplier Relationship applications. offers a convenient but powerful role concept (see Figure 3). Business roles, which are defined as part of a business process, can be assigned to users. These business roles consist of one or more technical roles, which are system specific and represent access information or technical authorizations. These include authorization roles such as those for software systems that are based on the ABAP programming language or groups for Microsoft s Active Directory. By focusing on business processes and business roles, lets you start with business requirements and encapsulate the complexity of managing technical roles and access. When you assign a business role to a user, all technical roles for that business role and any role below it in the hierarchy are assigned to the user. In addition, workflow and provisioning is automatically triggered. Figure 2: Integration of HR Processes with ERP HCM ERP Human Capital Calculate entitlements based on position NetWeaver Identity Perform compliance check remediation Access Control New hire Figure 3: Business Roles and Technical Roles Business roles Technical roles E-mail E-mail system Employee Microsoft Active Directory user Microsoft Active Directory End user (portal role) NetWeaver Portal component Approve assignments Accounting No Line manager Yes Accounting (role for users of software based on ABAP programming language) ERP Financials solution CRM ERP NetWeaver Portal Third party Landscape Manager Create employee Assign roles Create employee Assign roles Create user Assign roles Update access rights HR manager (role for users of software based on ABAP programming language) ERP Human Capital solution 6 Solution in Detail Business-Driven, Compliant Identity

By complementing your identity management functionality with a solution for governance, risk, and compliance that manages access control, you can enable compliant identity management (see Figure 4). In other words, you can ensure that roles and authorizations assigned to a user do not contain conflicting rights. You re not only securing the identity man agement process but also making it com pletely compliant and auditable. NetWeaver Identity offers compliant user provisioning and full reporting and audit functionalities. By integrating with solutions for governance, risk, and compliance (GRC), you can prevent segregation-of-duties violations that can occur when roles with conflicting permissions are assigned to a user and put mitigating controls in place. Your organization can get clean, stay clean, and stay in control of access to all applications in the system landscape, from Business Suite to third-party applications. Identity Federation and Single Sign-On As business processes are no longer confined to corporate boundaries, and IT applications are increasingly moving from on-premise to on-demand or cloud processes, identity management is becoming an extremely important factor in a company s security strategy. The concept of identity federation describes the process of authenticating a user across multiple IT systems and organizations. An airline passenger, for example, could be a car rental customer as well. If the airline and the rental car provider have entered into a federation agreement, which means that they have agreed to mutually trust each other s authentication of their customers, customers must only authenticate themselves once. Their authenticated identity can then be transferred from the airline s system to the rental car provider s system or vice versa. Figure 4: How Business-Driven Compliant Identity Works NetWeaver Identity Identity Provides reduced total cost of ownership and increased security BusinessObjects Access Control Access Control application application Compliant identity management Provides compliant identity management across software and heterogeneous landscapes in one integrated solution Provides standards-based integration to create a tightly aligned, loosely coupled solution from complementary components Gives a consistent view of current and historic access rights, approvals, and policy violations Federation is enabled through the use of open industry standards, such as the Security Assertion Markup Language (SAML). contains the complete set of functionality needed to set up a fully integrated and secure identity federation process. Both an identity provider that issues SAML assertion tickets, which can be used for authentication in a browserbased federation process, and a security token service for Web service environments are included in the identity management solution. Integration with NetWeaver Single Sign-On offers comprehensive single sign-on and encryption across organizational and technical boundaries. NetWeaver Single Sign-On provides state-of-the art technologies for integrating heterogeneous system landscapes into one single-sign-on process, stretching from GUI front ends to Webbased applications. It protects your communication channels with sophisticated, standards-based encryption technologies and at the same time adds convenience in day-to-day business operations. The new ID service enables single signon across the software landscape, as well as centralized user information management taking a fragmented process and turning it into a streamlined user experience. This on-demand deployment bridges the gap between customers on-premise applications, on-demand applications from, and third-party on-demand applications by verifying user identities, granting authentication, and enabling secure single sign-on across the software landscape. Helps ensure that IT business application controls are compliant Solution in Detail Business-Driven, Compliant Identity 7

Features and Functions What You Can Do with NetWeaver Identity consists of two main components the identity center and the virtual directory server that combine to deliver the functions shown in Figure 5. Figure 5: Components of NetWeaver Identity NetWeaver Identity Password management Roles and entitlements Reporting and auditing Provisioning, workflow, and approvals Identity virtualization Data synchronization The main functions of NetWeaver Identity include: Business-driven identity management processes Tightly integrated into your Business Suite applications, offers a one-step approach to user administration for your entire and non- software landscape. Reporting and auditing Critical for compliance, extensive auditing functionality enables you to produce reports based on current access and past events. If questions come up, reports can conclusively state whether the person in question had entitlements to particular applications and associated features and functions. You can transparently maintain all changes to data, user access rights, and administrative permissions. Tight integration with the Access Control application, an solution for GRC, allows for the effective mitigation of segregation-of-duties risks and a fully compliant user-provisioning process. Provisioning, workflow, and approvals Business rules and policies drive assignment and maintenance of user access rights across multiple systems. You can quickly provision employees as well as business partners, and all changes and approvals are fully auditable. Identity virtualization NetWeaver Identity provides an integrated, unified view of the virtual identity of users, as well as identity services to let you leverage identity information and access rights across networks. Password management and employee self-service The software supports self-service password reset and password synchronization across all connected target systems, as well as the ability to perform self-service updates of personal information. These functions reduce the cost incurred by your help desk in servicing password resets. Roles and entitlements Roles align with business processes rather than technical directory structures. Users are assigned roles and given certain privileges, called entitlements, that enable access to various systems. Identity federation Standardsbased support for identity federation processes helps ensure convenient and secure interenterprise identity management. Integration with NetWeaver Single Sign-On enables comprehensive, standards-based single sign-on and encryption of communication channels across the enterprise. The ID service facilitates secure single sign-on in cloud environments. can help your organization grant and manage user access to heterogeneous applications securely and efficiently. 8 Solution in Detail Business-Driven, Compliant Identity

Migrating from CUA to NetWeaver Identity Do you use the central user administration (CUA) tool to manage users across multiple software systems that are based on the ABAP programming language? Moving to the NetWeaver Identity component from CUA provides the following advantages: Supports all relevant systems, including and third-party software Supports sophisticated business-roles definition and management Provides self-service password resets, removing the biggest headache for help desk staff Enables workflow-based requests for approvals, automating user provisioning in multiple back-end systems Supports standards such as Lightweight Directory Access Protocol (LDAP), Service Provisioning Markup Language (SPML), and Directory Service Markup Language (DSML) Furthermore, migration from CUA is intuitive. As shown in Figure 6, you install on top of CUA. Start con necting applications programmed in ABAP to and disconnecting them from CUA. After you disconnect the last application from CUA, the migration is complete. Figure 6: Migration from CUA to NetWeaver Identity CUA CUA NetWeaver Identity E-mail NetWeaver Portal ERP Supply Chain ( SCM) E-mail NetWeaver Portal ERP SCM E-mail NetWeaver Portal ERP Microsoft Active Directory Manage central user administration (CUA) from Migrate applications programmed in the ABAP programming language from CUA to Shut down CUA when all applications are migrated Solution in Detail Business-Driven, Compliant Identity 9

The Benefits Taking Identity to the Next Level takes identity management from the technical level to the business level. This business-oriented solution lifts identity management by focusing on managing the lifecycle of employees, partners, and customers rather than on technical account management; it moves the management responsibility from IT administrators to business process owners. With identity federation and singlesign-on functionality, NetWeaver Identity helps you take identity management to the next level and secure on-demand and cloud applications. Tight integration with NetWeaver Single Sign-On enables a smooth user experience, enhancing security across your system landscape. As organizations continue to allow more and more employees, customers, and business partners access to information and processes across their system landscapes, the need for advanced and flexible single sign-on across the enterprise becomes increasingly important. Leading organizations are also seeking to standardize and centralize security management to improve the overall security of their applications and to decrease costs. These factors reveal the need for centralized authentication, authorization, auditing, and single-sign-on experience across all applications. NetWeaver Single Sign-On provides support for many authentication systems including passwords, tokens, X.509 certificates, and smart cards. (See Figure 7.) The new ID service allows for secure single sign-on in cloud environments. It covers the processes for managing identities and their lifecycles within the cloud. Customers can set up one identity per user and leverage single sign-on when browsing Web sites, using on-demand software from, or accessing third-party on-demand applications. This saves time and resources by enabling users to update their profiles only once and requiring just one password to log on to various on-demand solutions from. Figure 7: Support for Compliance, Identity, and Single Sign-On NetWeaver Identity Compliant identity management and single sign-on Compliance governance Access Control Identity management NetWeaver Identity Authentication and single sign-on NetWeaver Single Sign-On offers a complete suite of compliance, governance, identity, and single-sign-on solutions By integrating with solutions for governance, risk, and compliance, you can prevent segregation-of-duties violations and put in place mitigating controls. 10 Solution in Detail Business-Driven, Compliant Identity

also lets you emphasize compliance by providing full audit and reporting functionalities and integrating with solutions for GRC in preventing segregationof-duties violations. Most important, supports software as well as the full heterogeneous landscape, including Lightweight Directory Access Protocol (LDAP) directories, third-party business applications, operating systems, e-mail systems, and databases. You can integrate across the entire system landscape and beyond, into the larger business network. By lowering total cost of ownership and increasing operational efficiency, helps meet your organization s objectives of lower cost, higher productivity, compliance, and auditability. For More Information For more information about how NetWeaver Identity can help your organization, call your representative today or visit us on the Web at www.sap.com/platform/netweaver /components/idm/index.epx. takes identity management from the technical level to the business level. It moves the management responsibility from IT administrators to business process owners. Solution in Detail Business-Driven, Compliant Identity 11

www.sap.com/contactsap CMP3796 (12/10) 2012 AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of AG. The information contained herein may be changed without prior notice. Some software products marketed by AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by AG and its affiliated companies ( Group ) for informational purposes only, without representation or warranty of any kind, and Group shall not be liable for errors or omissions with respect to the materials. The only warranties for Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. and other products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information