SAP NetWeaver Identity Management: Overview
DI Johannes Kuch, Consultant NetWeaver, SAP Österreich GmbH
Agenda
1. Introduction
2. Functions in detail: role management, workflows, Business Suite integration, compliance and audit, password management, central identity store and identity virtualization
3. Demo
4. Release planning
5. IdM vs. CUA (ZBV, Zentrale Benutzerverwaltung)
2010 SAP AG. All rights reserved.
Typical User Lifecycle
Challenges: a long time until a new employee becomes productive; enormous costs and effort; security leaks when an employee leaves.
Timeline for one employee, Chuck Brown:
- Hire date: Chuck Brown joins the company. Available: temporary accounts.
- 3 weeks later: Chuck Brown is able to work in accounting. Available: e-mail, portal, Internet, accounting.
- 1 year later: Chuck Brown transfers to sales. Available: e-mail, portal, Internet, accounting, CRM (west), marketing data (west).
- 7 years later: Chuck Brown is promoted to Vice President Sales. Available: e-mail, portal, Internet, accounting, CRM (global), marketing data (global).
- 8 years later: Chuck Brown resigns. All known accounts of Chuck Brown are deactivated.
- 10 years later: Chuck Brown still has access to the system. Available: accounting, marketing data (global).
Note that the accounting access was never removed when he moved to sales, and that at termination only the accounts known to the administrators were deactivated.
SAP NetWeaver Identity Management: Overview
Capabilities grouped around the central identity store:
- Central Identity Store
- Approval workflows (e.g. on-boarding)
- Rule-based assignment of business roles
- Provisioning to SAP and non-SAP systems
- Password management
- Identity management monitoring and audit
- Identity virtualization and identity as a service
- SAP Business Suite integration
- Compliance checks through GRC (SAP BusinessObjects Access Control)
Business Roles and Technical Roles
Business roles:
- are defined in the Identity Center
- represent the business tasks of an employee
- are usually defined as part of a business process
- can be set up in hierarchies
- are a combination of technical roles and/or other business roles
- are usually assigned to end users
Examples of business roles: Employee, Accounting, Manager.
Technical roles:
- represent access information or technical authorizations (e.g. ABAP authorization roles, UME roles, portal roles, AD groups)
- are usually uploaded from the target system
- are system-specific
- are usually represented as privileges in the Identity Center
Examples of technical roles and the systems they belong to: E-mail (e-mail system), AD user (Active Directory), End user (portal role, SAP Portal), Accounting (ABAP role, SAP FI), HR manager (ABAP role, SAP HR).
Workflows: Overview
- Workflows operate on entries in the identity store
- Manual interactions take place through the Web interface: start provisioning tasks, approve requests, monitor status
Workflows can be started from:
- the Web interface
- event tasks
- a change of privilege assignments
- meta directory operations
Processing logic includes sequential, parallel, conditional and approval operations.
Figure: the Identity Center (identity store, rules, roles, workflow engine, provisioning engine) in the middle; a user submits a request, a business process owner approves it, the provisioning engine provisions the applications, and the user is informed or alerted.
SAP NetWeaver IdM and SAP Business Suite: Increasing User Management Efficiency
Automated user account maintenance for SAP Business Suite applications. Example: SAP CRM.
Sales representative Tom Peck needs access to SAP CRM. Creating a user account and assigning a role for Tom is not sufficient: you also have to create a Business Partner in CRM and assign the user account to this Business Partner.
SAP NetWeaver IdM automates the Business Partner assignment in SAP CRM, taking system- and application-specific aspects into account automatically and eliminating the manual administration steps.
SAP Business Suite Integration: Business-Driven Identity Management
Key benefits:
- Automated creation of the Business Partner in SAP CRM and SAP SCM
- Link from the Business Partner to the user
Business Suite components around SAP NetWeaver Identity Management: SAP Supplier Relationship Management, SAP Human Capital Management, SAP Customer Relationship Management, SAP Portfolio and Product Management, SAP ERP Financials, SAP Transportation Management, SAP Product Lifecycle Management, SAP Extended Warehouse Management, SAP Service Parts Planning, SAP Supply Network Collaboration.
Business Process Driven Identity Management: On-Boarding
Kim Perkins joins the company as a marketing professional. From her first day with her new company she is able to log on to all relevant systems, including the employee self-services and SAP CRM, where she tracks the marketing activities she is responsible for.
1. Pre-hire phase: HR ensures that all necessary employee data for Kim is available, such as position and entry date.
2. HR operations: event-based extraction of the personnel data from HCM into SAP NetWeaver Identity Management.
3. Based on the position in HCM, the business role Marketing Professional is assigned automatically.
4. Kim's line manager approves the assignment.
First day at work: user created for the Employee role (access to SAP ESS); Business Partner and user created in SAP CRM for the Marketing Professional role (access to SAP CRM).
Business Process Driven Identity Management: Organizational Change (Line Manager Promotion)
After two years as a marketing professional, Kim Perkins is promoted to take over personnel and budget responsibility for her marketing team. On the first day in her new role she has access to the manager self-services. In her new position she is responsible for budget approvals for all marketing campaigns, which requires immediate access to SAP ERP to view the marketing costs.
1. HR ensures that all necessary employee data for Kim is available, such as position and change date.
2. HR operations: event-based extraction of the personnel data.
3. SAP NetWeaver Identity Management recognizes the line manager information for Kim and automatically assigns the business role Marketing Manager.
Day of change: Employee user updated (access to SAP ESS); Line Manager role added (access to SAP MSS); Marketing Controller user created in SAP ERP; CRM user updated (access to SAP CRM).
Business Process Driven Identity Management: Termination
After eight years, Kim Perkins leaves the company. On her last day she finishes her tasks in the systems she worked in. The day after her official assignment with the company ends, she is no longer able to access these systems.
1. HR ensures that all termination-relevant data for Kim is available, such as the last day with the company.
2. HR operations: event-based extraction of the personnel data.
3. SAP NetWeaver Identity Management recognizes the last-day information for Kim and automatically un-assigns all access rights and disables her accounts.
Day after the termination date: user disabled in every target system.
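The three scenarios above, together with the business-role model from the Business Roles and Technical Roles slide and the Chuck Brown case on the user-lifecycle slide, are illustrated by the following added example. It is not SAP code and does not use the Identity Center API: the (system, privilege) representation, the position rules, the role names, systems, persons and dates are all constructed assumptions. It resolves a business-role hierarchy to technical privileges (rejecting a cyclic hierarchy), turns HR events into grant/revoke deltas so that a position change also removes what no longer applies, disables all accounts the day after the last working day, and reconciles a target-system account export against the identity store to find accounts that belong to no active identity.

```python
"""Added example, not SAP code: position-driven entitlement calculation.
Role names, systems, position rules, persons and dates are constructed."""
from dataclasses import dataclass
from datetime import date

# Business roles are built from other business roles and/or technical roles.
# A technical role is represented as a privilege: (system, role name).
BUSINESS_ROLES = {
    "Employee": {"roles": [], "privs": [("Exchange", "mailbox"), ("AD", "domain-user"),
                                         ("Portal", "end-user"), ("ERP-HCM", "SAP_ESS")]},
    "Marketing Professional": {"roles": ["Employee"], "privs": [("CRM", "marketing-user")]},
    "Line Manager": {"roles": ["Employee"], "privs": [("ERP-HCM", "SAP_MSS")]},
    "Marketing Manager": {"roles": ["Marketing Professional", "Line Manager"],
                          "privs": [("ERP-FI", "cost-center-viewer")]},
}

# Rule-based assignment: the HCM position determines the business roles.
POSITION_RULES = {
    "Marketing Professional": ["Marketing Professional"],
    "Marketing Manager": ["Marketing Manager"],
}

# Constructed dates for the scenarios.
HIRE_DATE = date(2010, 4, 1)
CHANGE_DATE = date(2012, 4, 1)
LAST_DAY = date(2018, 3, 31)
DAY_AFTER = date(2018, 4, 1)


def resolve(role, roles=BUSINESS_ROLES, path=()):
    """Transitive closure of one business role down to (system, privilege) pairs.
    `path` is the chain of roles currently being expanded; meeting one of them
    again is a cycle in the hierarchy, which is rejected instead of looping."""
    if role in path:
        raise ValueError(f"cycle in business role hierarchy: {path + (role,)}")
    spec = roles[role]
    privs = set(spec["privs"])
    for child in spec["roles"]:
        privs |= resolve(child, roles, path + (role,))
    return privs


def has_cycle(role, roles):
    """True if expanding `role` in `roles` would loop (mis-modelled hierarchy)."""
    try:
        resolve(role, roles)
        return False
    except ValueError:
        return True


@dataclass
class HREvent:
    kind: str          # "hire", "change" or "terminate"
    person: str
    effective: date    # entry date, change date, or last working day
    position: str = ""


def plan(event, current, today):
    """Return (grants, revokes, systems_to_disable) for one HR event.
    The delta is computed against the privileges the person currently holds,
    so a position change removes what the new position no longer justifies.
    Termination takes effect the day after the last working day."""
    if event.kind == "terminate":
        if today <= event.effective:        # still the last working day
            return set(), set(), set()
        return set(), set(current), {system for system, _ in current}
    target = set()
    for role in POSITION_RULES.get(event.position, []):
        target |= resolve(role)
    return target - current, current - target, set()


def orphaned_accounts(target_accounts, active_identities):
    """Reconciliation: accounts that exist in a target system but belong to no
    active identity in the store. This is the 'Chuck Brown still has access'
    case: an account the central deactivation never knew about."""
    return {(system, account) for system, account, owner in target_accounts
            if owner not in active_identities}


if __name__ == "__main__":
    kim = set()
    grants, _, _ = plan(HREvent("hire", "kim", HIRE_DATE, "Marketing Professional"), kim, HIRE_DATE)
    kim |= grants
    grants, _, _ = plan(HREvent("change", "kim", CHANGE_DATE, "Marketing Manager"), kim, CHANGE_DATE)
    kim |= grants
    print("promotion grants:", sorted(grants))
    _, revokes, disable = plan(HREvent("terminate", "kim", LAST_DAY), kim, DAY_AFTER)
    print("revoke", len(revokes), "privileges; disable accounts in:", sorted(disable))
    # Constructed target-system export: (system, account, owner in identity store).
    export = [("ERP-FI", "CBROWN", "chuck.brown"), ("CRM", "KPERKINS", "kim")]
    print("orphans:", orphaned_accounts(export, active_identities={"kim"}))
```

Two design points: `resolve` carries the expansion path rather than a global "seen" set, so a role reached twice through different parents (Employee via both Marketing Professional and Line Manager) is not mistaken for a cycle; and `plan` always diffs against the current state, which is what makes the same code serve on-boarding, promotion and demotion.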
SAP NetWeaver Identity Management: Auditing and Monitoring
- Application/privilege-centric: determination of system access
- User-centric: determination of user privileges
- Entry data: current data, historical data, time stamps, modified by, audit flags
- Approval data: who approved what, and when?
- Who had which privilege at what time?
- Segregation of duties
- Attestation
- Task audit log: which tasks were run on a user, and by a user?
- General logs
- Off-the-shelf reporting tools can be used; BW reporting since IdM 7.1 SPS 5
Compliant, Business-Driven Identity Management
Requirement: provide automated, position-based role management while ensuring compliance.
- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HCM events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration with SAP Business Suite
Process across HCM, SAP NetWeaver Identity Management, SAP BusinessObjects Access Control, the line manager and the landscape: new hire, calculate entitlements based on position, compliance check; if a risk is found, remediation, otherwise continue; approve assignments; create the user and assign roles (privileges) in the landscape.
Compliant Identity Management: Process Flow
1. Request role assignment
2. Manager approval
3. Forward the request to SAP BusinessObjects Access Control (GRC) for risk analysis
4. Risk analysis
5. Risk mitigation
6. Risk status returned to SAP NetWeaver Identity Management
7. Notification to user/manager
8. Provisioning to target systems
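The flow above provisions only after the risk status has come back. The following added example, which is not SAP Identity Management or Access Control code, shows what the risk-analysis and decision steps do in plain Python. The segregation-of-duties rules, risk ids, privilege names, persons and mitigating controls are constructed for illustration. The point worth seeing in code is that the analysis has to run on the simulated combination of current and requested privileges, not on the requested item alone, and that a blocked request provisions nothing rather than its "safe" part.

```python
"""Added example, not SAP or GRC code: the risk-analysis step of a compliant
role request. Rules, risk ids, privileges, persons and controls are constructed."""

# Segregation-of-duties rules: two privileges one person must not hold together.
SOD_RULES = {
    "P001": ("FI: create vendor", "FI: post vendor payment"),
    "P002": ("HR: maintain own salary", "HR: approve payroll"),
    "B005": ("BASIS: create user", "BASIS: assign SAP_ALL"),
}

# Mitigating controls a risk owner has accepted, keyed by (person, risk id).
MITIGATIONS = {("tom.peck", "P001")}


def risk_analysis(person, current, requested, rules=SOD_RULES, mitigations=MITIGATIONS):
    """Simulate the request and return (status, findings).
    The check runs on current | requested because an SoD conflict is a property
    of the combination: a harmless privilege becomes a violation once its
    counterpart is already held, or when both halves arrive in one request.
    status: 'clean' (no conflict), 'mitigated' (every conflict has an accepted
    control), 'blocked' (at least one unmitigated conflict).
    findings: list of (risk id, is_new, mitigated); is_new is False when the
    conflict already existed before this request."""
    current, requested = set(current), set(requested)
    simulated = current | requested
    findings = []
    for risk_id, (a, b) in rules.items():
        if a in simulated and b in simulated:
            is_new = not (a in current and b in current)
            findings.append((risk_id, is_new, (person, risk_id) in mitigations))
    if not findings:
        return "clean", findings
    if all(mitigated for _, _, mitigated in findings):
        return "mitigated", findings
    return "blocked", findings


def process_request(person, current, requested, manager_approved):
    """Approval, risk analysis and provisioning decision for one request.
    Nothing is provisioned before the risk status is known, and a blocked
    request provisions nothing at all."""
    if not manager_approved:
        return {"status": "rejected", "provision": set(), "findings": []}
    status, findings = risk_analysis(person, current, requested)
    provision = set(requested) if status != "blocked" else set()
    return {"status": status, "provision": provision, "findings": findings}


if __name__ == "__main__":
    # Tom already creates vendors and requests payment posting: conflict P001,
    # but a control is accepted for him, so the request goes through as mitigated.
    print(process_request("tom.peck", {"FI: create vendor"}, {"FI: post vendor payment"}, True))
    # Kim requests payroll approval while she can maintain her own salary: blocked.
    print(process_request("kim", {"HR: maintain own salary"}, {"HR: approve payroll"}, True))
```

A real deployment would pull the rule set from the GRC system and treat `is_new == False` findings as material for a remediation run on the existing assignments, since the request itself did not create them.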
Password Management
Requirement: centralized password management.
- Reduce calls to the help desk for password resets
- Enable password provisioning across a heterogeneous landscape
Operations: the user resets a password or recovers a lost password through SAP NetWeaver Identity Management; the help desk sets a new password; the new password is provisioned to the systems in the landscape.
Central Identity Store
Central hub for all Identity Center components:
- Provisioning is based on identity data from the store
- Business roles and privileges are stored here
- Workflow processing is based on this data
- Meta directory operations keep the information up to date
Identity store properties:
- Keeps historical data and a full audit trail to support compliance
- Temporary attributes for tracking time-critical values
- Validity periods can be defined for roles and privileges
- Events on attributes trigger workflow tasks
- Virtual attributes reference data in external sources
- Roll-back of identity data
Figure: the identity store aggregates a person object (e.g. phone +47 73934649, e-mail jensen@example.com) from sources such as HR, the telephone system, e-mail and a CA.
Identity Virtualization
The Virtual Directory Server (VDS) provides:
- a single consistent view and entry point for multiple distributed identity data sources
- identity information as a service for applications through standard protocols (LDAP, SPML)
- an abstraction layer for the underlying data stores: the consumer sees only one standard interface
- transformation of incoming LDAP requests, connecting directly to the existing data repositories (directory servers, databases and applications via LDAP, SPML or JDBC)
Virtual Directory Server properties:
- Data stays within the original data source; no need to consolidate data sources; no extra data store
- Real-time access to data, with efficient caching
- Quick LDAP deployment; easier and cheaper maintenance
- Attribute manipulation, name space modifications and complex operations on the fly
SAP NetWeaver Identity Management: Connectivity Overview
Servers: Other SAP Application Server, Microsoft Windows NT Directory, Unix/Linux (shell execute), custom Java connector API, script-based connector API
Applications: SAP Business Suite, SAP BusinessObjects Access Control (GRC), Lotus Domino/Notes, Microsoft Exchange, RSA ClearTrust, RSA SecurID
Databases: Microsoft SQL Server, Microsoft Access, Oracle Database, IBM UDB (DB2), MySQL, Sybase
Technical: SPML (Services Provisioning Markup Language), LDAP, ODBC/JDBC/OLE-DB, RFC, LDIF files, XML files, CSV files
Directory servers: Microsoft Active Directory, IBM Tivoli Directory, Novell eDirectory, SunONE Java Directory, Oracle Internet Directory, Microsoft Active Directory Application Mode (ADAM), Siemens DirX, OpenLDAP, eB2Bcom View500 Directory Server, CA eTrust Directory, SAP NetWeaver IdM Virtual Directory Server, any LDAP v3 compliant directory server
NetWeaver Identity Management 7.1 Demo: Overview of the System Landscape
- HR employee at the employee PC: create the employee master record, update the employee master record
- SAP NetWeaver Identity Management with Identity Center (IC) and Virtual Directory Server (VDS): extract the personnel data; forward requests to the compliance check and return the status; provision the identities to the target systems
- SAP BusinessObjects Access Control: compliance check
- Target systems
Hosts shown on the slide: nwdemoidm1, idesduetwts.
DEMO
Release Planning
Versions of SAP NetWeaver Identity Management:
- Identity Management 7.1 is the current version; maintenance extended until 31.12.2013 (source: http://weblogs.sdn.sap.com/pub/wlg/20857)
- Identity Management 7.2 is the next version: target release to customer 06.12.2010*, target completion date of ramp-up 06.06.2011*
Terms: "Target release to customer" is the start of ramp-up; "Target completion date ramp-up" is general availability.
* Source: service.sap.com/rampup as of 9.11.2010
CUA (ZBV) vs. IdM
In short: reports of its death are greatly exaggerated.
- CUA is an integral part of SAP NetWeaver and is covered by its maintenance
- IdM offers more functions than CUA
- Reasons to switch to IdM: see the previous slide
- Instead of new CUA implementations, SAP recommends looking at IdM
- IdM can connect directly to CUA for user administration
- With IdM 7.2 a full CUA replacement is available (all necessary attributes)
Blog "CUA will never die": http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/21565
High-Level Comparison of CUA with IdM

Functionality                  | Central User Administration (CUA)                         | SAP NetWeaver Identity Management 7.1 (IdM)
Target systems                 | ABAP only                                                 | SAP and non-SAP
Workflow support               | No                                                        | Yes
Rule-based access management   | Almost none (except the rarely used HR org. rule engine)  | Yes
Modeling of role hierarchy     | No                                                        | Yes
Cross-system role assignments  | Manual                                                    | Full support
LDAP directory integration     | LDAP synchronization                                      | Full support
Password management            | Management and distribution of initial passwords          | Yes, including user interface and workflow support
Central User Administration (CUA) Migration
Requirement: extend identity management to non-SAP environments and to a greater level of functionality.
- Supports SAP and heterogeneous environments
- Self-service and delegated administration
- Workflow and approvals
- Business role management
Migration path:
1. Manage CUA from SAP NetWeaver IdM
2. Migrate the ABAP systems from CUA to IdM
3. Shut down CUA when all systems are migrated
Identity Management Community: www.sdn.sap.com/irj/sdn/nw-identitymanagement
Further Information
SAP web sites:
- SAP Developer Network (SDN): www.sdn.sap.com
- Business Process Expert (BPX) Community: www.bpx.sap.com
- SAP BusinessObjects Community (BOC): boc.sap.com
Further technical information from the SAP Technology RIG:
- Webinars: http://www.sdn.sap.com/irj/scn/ipnw-khnc
- How-to guides: http://www.sdn.sap.com/irj/scn/howtoguides
- Podcasts: http://www.sdn.sap.com/irj/scn/sap-how-it-works-elearning
You can also follow SAP Technology RIG on Facebook and Twitter: http://www.facebook.com/pages/sap-rig/119256894764191?ref=ts and http://twitter.com/saprig
Thank you!
DI Johannes Kuch, Consultant NetWeaver, CoE Platform/Technology
SAP Österreich GmbH, Lassallestraße 7b, A-1021 Wien
E-mail: johannes.kuch@sap.com
2010 SAP AG. All Rights Reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iseries, pseries, xseries, zseries, eserver, z/vm, z/os, i5/os, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. 
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.