Overview
October 2014
Public
Agenda
Introduction to Identity Management
Role Management and Workflows
Business-Driven Identity Management
Compliant Identity Management
Reporting
Password Management
Connectivity
Architecture
Identity Virtualization
Summary & Additional Information
Appendices
Introduction to SAP Identity Management

SAP security portfolio (overview diagram, rendered as a list):
- SAP Identity Management
- SAP Access Control
- SAP Single Sign-On and SAP Cloud Identity: single sign-on, secure network communication, central access policies, 2-factor authentication
- SAP NetWeaver AS, add-on for code vulnerability analysis: code vulnerabilities, find vulnerabilities in customer code
- SAP Enterprise Threat Detection: threat management, detect cyber crime attacks based on user behavior
Key Capabilities

Holistic approach. SAP Identity Management:
- Ensures that the right
- Enables the efficient, secure and compliant execution of business processes
- Across all systems and applications
- Consistent with user roles and privileges
Challenges addressed:
- Operational costs
- Changing business processes
- Compliance challenges
Identity Lifecycle

How long does it take for new employees to receive all permissions and become productive in their new job?
Solution in a Nutshell

SAP Identity Management, together with SAP Access Control, provisions identities to:
- SAP applications: SAP ERP, SAP SCM, Portal, SuccessFactors
- Non-SAP applications: Java, Database, Legacy, Web app, OS
Integration with SAP Business Suite and SuccessFactors (example: on-boarding, with SAP ERP HCM or SuccessFactors as the HR source)

Capabilities in the solution overview:
- Central identity store
- Identity virtualization and identity as a service
- Rule-based assignment of business roles
- Approval workflows
- Compliance checks via SAP Access Control (SAP BusinessObjects Access Control, GRC)
- Provisioning to SAP and non-SAP systems
- Password management
Solution in Detail
Role Management and Workflows

Business roles are assigned to users and resolve to technical roles, which are provisioned (regularly) to the managed systems:
- Business roles: Manager, Accounting, Employee
- Technical roles: AD user, E-mail system, Portal role, Accounting (ABAP role), HR manager (ABAP role)
- Managed systems: Active Directory, SAP Portal, SAP FI, SAP HR
Context-based role assignment

A technical role (A, B, C) is assigned to the managed-system user together with a context instead of being copied once per context.

Benefits:
- Reduced number of roles
- Reduced complexity
- Sufficient granularity
- Improved data consistency and governance

Example: 20 roles in 1000 factories
- Conventional method: 20,000 entries (roles)
- Context-based: 1,020 entries (roles + contexts)
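The business-role, technical-role and context model above, as an added example (not SAP Identity Management code, and not its role engine): business roles are expanded through implication rules into technical roles per target system, a role change yields an explicit revocation list, and a (role, context) pair is resolved on the fly instead of materialising one role per factory. All role, system and context names are assumptions chosen for the illustration.

```python
"""Business roles, technical roles and context-based assignment.

Added example (not SAP Identity Management code). System names, role names
and the factory contexts are illustrative assumptions.
"""

# Technical roles as the target systems know them: key -> (system, role). Assumed.
TECHNICAL_ROLES = {
    "ad_user":       ("Active Directory", "AD user"),
    "mailbox":       ("E-mail system", "Mailbox"),
    "portal_role":   ("SAP Portal", "Portal role"),
    "fi_accounting": ("SAP FI", "Accounting (ABAP role)"),
    "hr_manager":    ("SAP HR", "HR manager (ABAP role)"),
}

# Business roles bundle technical roles; Accounting and Manager imply Employee.
BUSINESS_ROLES = {
    "Employee":   {"ad_user", "mailbox", "portal_role"},
    "Accounting": {"fi_accounting"},
    "Manager":    {"hr_manager"},
}
IMPLIED_ROLES = {"Accounting": {"Employee"}, "Manager": {"Employee"}}


def expand_business_roles(assigned):
    """Close the assigned business roles over the implication rules."""
    todo, closed = list(assigned), set()
    while todo:
        role = todo.pop()
        if role in closed:
            continue
        if role not in BUSINESS_ROLES:
            raise KeyError(f"unknown business role {role!r}")
        closed.add(role)
        todo.extend(IMPLIED_ROLES.get(role, ()))
    return closed


def provisioning_plan(assigned):
    """Resolve business roles to the (system, technical role) pairs to provision."""
    technical = set()
    for role in expand_business_roles(assigned):
        technical |= BUSINESS_ROLES[role]
    return sorted(TECHNICAL_ROLES[t] for t in technical)


def revocation_plan(old_assigned, new_assigned):
    """Technical roles to remove when business roles change (least privilege)."""
    return sorted(set(provisioning_plan(old_assigned)) - set(provisioning_plan(new_assigned)))


# Context-based assignment: a technical role is granted together with a context
# (here a factory) instead of being copied once per factory.
def conventional_role_count(roles, contexts):
    return len(roles) * len(contexts)


def context_based_entry_count(roles, contexts):
    return len(roles) + len(contexts)


def resolve_context_assignment(role, context, roles, contexts):
    """Derive the concrete entitlement for one (role, context) pair on the fly.

    Both parts must be defined, so a context that was never created cannot be
    smuggled in through a role assignment."""
    if role not in roles:
        raise ValueError(f"undefined role {role!r}")
    if context not in contexts:
        raise ValueError(f"undefined context {context!r}")
    return f"{role}@{context}"


if __name__ == "__main__":
    print(provisioning_plan(["Accounting"]))
    roles = [f"ROLE_{i:02d}" for i in range(20)]
    factories = [f"F{i:04d}" for i in range(1000)]
    print(conventional_role_count(roles, factories), context_based_entry_count(roles, factories))
    print(resolve_context_assignment("ROLE_03", "F0007", set(roles), set(factories)))
```

The revocation list is the part that matters operationally: a user moving from Accounting to plain Employee keeps the AD, mailbox and portal roles but loses the FI role, and the connector has to be driven by that difference rather than by the new grant list alone.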
Workflows

1. Request: user sends a role request
2. Approval: manager checks the request and approves or denies it
3. Processing: Identity Center processes the request
4. Provisioning
5. Notification
Solution in Detail
Business-Driven Identity Management

SAP Identity Management integrates with the business applications, among them:
- SAP Customer Relationship Management
- SAP Supplier Relationship Management
- SAP Supply Network Collaboration
- SuccessFactors Employee Central
- SAP Extended Warehouse Management
- SAP Transportation Management
- SAP Product Lifecycle Management
- SAP ERP Financials
- SAP HANA
- SAP Service Parts Planning
- SAP ERP Human Capital Management
Example: on-boarding of a new hire (Kim)
1. Pre-hire phase
2. Event-based extraction of personnel data from SAP ERP HCM / SuccessFactors
4. Kim's manager approves the assignment
Result: user created in SAP ERP HCM, SAP ERP, SAP CRM and SAP Portal; access to SAP ESS and SAP CRM; business role Employee, reporting to the Line Manager

Example: position change (Employee to Line Manager, Marketing Controller)
2. Event-based extraction of personnel data from SAP ERP HCM / SuccessFactors
Result: users updated in SAP ERP HCM, SAP CRM and SAP Portal, and created where the new position needs an account that did not exist yet; access to SAP ESS, SAP MSS and SAP CRM

Example: leaver
2. Event-based extraction of personnel data from SAP ERP HCM / SuccessFactors
Result: user disabled in SAP ERP HCM, SAP ERP, SAP CRM and SAP Portal
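The three event-driven scenarios above (hire creates users, position change updates them, termination disables them everywhere), as an added example that is not SAP Identity Management code. The HCM event shapes, the position-to-access rules and the target systems are assumptions; the point the code makes is that every event is applied idempotently against one central identity store, that a position change revokes what the new position no longer needs, and that a leaver check can list any account that stayed active after termination.

```python
"""Event-based identity lifecycle driven by HR events.

Added example (not SAP Identity Management code). The event shapes, the
position-to-access rules and the target systems are assumptions that mirror
the three slide scenarios.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    system: str
    status: str = "active"                       # "active" or "disabled"
    privileges: set = field(default_factory=set)


# Position -> {target system: privileges}. Constructed for the example.
POSITION_RULES = {
    "Employee":             {"SAP ERP": {"ESS"}, "SAP Portal": set(), "SuccessFactors": set()},
    "Line Manager":         {"SAP ERP": {"ESS", "MSS"}, "SAP Portal": set(), "SuccessFactors": set()},
    "Marketing Controller": {"SAP ERP": {"ESS"}, "SAP CRM": {"CRM"}, "SAP Portal": set(),
                             "SuccessFactors": set()},
}


class IdentityStore:
    """Central identity store: one identity per personnel number, many accounts."""

    def __init__(self):
        self.identities = {}     # pernr -> {"position", "terminated", "accounts"}
        self.log = []            # (pernr, system, action): the audit trail

    def apply(self, event):
        """Apply one HCM event and return the (system, action) pairs it produced."""
        kind, pernr = event["type"], event["pernr"]
        if kind == "hire":
            return self._set_position(pernr, event["position"], new_hire=True)
        if kind == "position_change":
            return self._set_position(pernr, event["position"], new_hire=False)
        if kind == "termination":
            return self._disable_all(pernr)
        raise ValueError(f"unknown event type {kind!r}")

    def _set_position(self, pernr, position, new_hire):
        if position not in POSITION_RULES:
            raise ValueError(f"no access rules for position {position!r}")
        ident = self.identities.get(pernr)
        if new_hire and ident is not None and not ident["terminated"]:
            raise ValueError(f"{pernr} already exists; not creating a duplicate identity")
        if not new_hire and (ident is None or ident["terminated"]):
            raise ValueError(f"{pernr} is unknown or terminated; only a hire event may (re)activate it")
        if ident is None:
            ident = self.identities[pernr] = {"position": None, "terminated": False, "accounts": {}}
        ident["position"], ident["terminated"] = position, False
        wanted = POSITION_RULES[position]
        actions = []
        for system, privs in wanted.items():
            acct = ident["accounts"].get(system)
            if acct is None:
                ident["accounts"][system] = Account(system, "active", set(privs))
                actions.append((system, "user created"))
            elif acct.privileges != privs or acct.status != "active":
                acct.privileges, acct.status = set(privs), "active"
                actions.append((system, "user updated"))
        # Least privilege: systems the new position does not need lose their privileges.
        for system, acct in ident["accounts"].items():
            if system not in wanted and acct.privileges:
                acct.privileges = set()
                actions.append((system, "privileges revoked"))
        self.log.extend((pernr, *a) for a in actions)
        return actions

    def _disable_all(self, pernr):
        ident = self.identities.get(pernr)
        if ident is None:
            raise KeyError(pernr)
        ident["terminated"] = True
        actions = []
        for system, acct in ident["accounts"].items():
            if acct.status != "disabled":
                acct.status, acct.privileges = "disabled", set()
                actions.append((system, "user disabled"))
        self.log.extend((pernr, *a) for a in actions)
        return actions

    def orphaned_accounts(self):
        """Active accounts of terminated identities; a non-empty result is a finding."""
        return [(pernr, a.system) for pernr, ident in self.identities.items()
                if ident["terminated"] for a in ident["accounts"].values() if a.status == "active"]
```

A rehire is deliberately only possible through a new hire event: a position change for a terminated person is rejected, so a stray HR update cannot silently re-enable a leaver's accounts.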
Solution in Detail
Compliant Identity Management

SAP Identity Management:
- Central management of heterogeneous environments
- Manage identities and permissions
- Business integration based on standards

SAP Access Control:
- Identify and mitigate risks
- Compliance checks: rights, approvals, violations
- Risk controls and mitigation
Role request with risk analysis (SAP Identity Management with SAP BusinessObjects Access Control, GRC):
1. Request role assignment
2. Manager approval
3. Forward request for risk analysis
4. Risk analysis
5. Risk mitigation
6. Risk status returned to SAP Identity Management
Then: provisioning to target systems (SAP applications: SAP ERP, SAP SCM, Portal; non-SAP applications: Java, Database, Legacy, Web app, OS) and notification to user and manager
Requirement:
- Provide automated, position-based role management while ensuring compliance
Solution:
- Simplify and automate role assignment
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration with SAP Business Suite

Flow for a new hire in SAP ERP HCM: calculate entitlements based on position, run the compliance check (No: remediation; Yes: the line manager approves the assignments), then provision to the landscape (SAP ERP HCM, SAP ERP FI, Portal, non-SAP).
Solution in Detail
Reporting
*SAP BW and SAP Lumira are not part of the SAP ID Mgmt license
2014 SAP SE or an SAP affiliate company. All rights reserved.
Basic Reporting
- Application/privilege-centric: determination of system access
- User-centric: determination of user privileges
- Entry data: current data, historical data, time stamps, modified by, audit flags
- Approval data: who approved what when?
- General logs
- Off-the-shelf reporting tools can be used

Reporting with SAP BW*
- Change history up to the time of last synchronization
- Flexibility
- BEx reports
Solution in Detail
Password Management

Requirement:
- Reduce help desk calls related to password reset inquiries
- Enable password provisioning across heterogeneous landscapes
Solution:
- Centralize and automate password management

Flow: the user (self-service) or the helpdesk resets a password or recovers a lost password in SAP Identity Management, which provisions the new password to the landscape (SAP ERP HCM, SAP ERP FI, Portal).
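The centralized reset flow above, as an added example that is not SAP Identity Management code. The connected systems are the three on the slide; the password policy, the 15-minute token validity, the in-memory stores and the injectable clock are assumptions. It shows the parts a reset service has to get right before it touches any target system: a reset token that is random, stored only as a hash, expiring and single-use; a policy check; and propagation to every connected system with the credential held only in salted, stretched form.

```python
"""Centralized password reset with a single-use, expiring token, a policy
check and propagation of the new credential to every connected system.

Added example, not SAP Identity Management code. Policy, validity period and
the in-memory stores are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

RESET_TTL_SECONDS = 15 * 60
CONNECTED_SYSTEMS = ("SAP ERP HCM", "SAP ERP FI", "Portal")


def check_policy(password, user):
    """Return the list of policy violations (empty means acceptable)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if user.lower() in password.lower():
        problems.append("contains the user name")
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    if sum(any(f(c) for c in password) for f in classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256: what a target system stores, never the cleartext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._tokens = {}                                   # sha256(token) -> (user, expiry)
        self.targets = {s: {} for s in CONNECTED_SYSTEMS}   # system -> user -> (salt, hash)
        self.audit = []

    def issue_reset(self, user, actor):
        """Helpdesk or self-service issues a reset token; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (user, self.clock() + RESET_TTL_SECONDS)
        self.audit.append((actor, "issue_reset", user))
        return token

    def redeem(self, token, new_password):
        """Consume the token (single use), enforce policy, provision to all systems."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)
        if entry is None:
            raise PermissionError("unknown or already used token")
        user, expiry = entry
        if self.clock() > expiry:
            raise PermissionError("token expired")
        problems = check_policy(new_password, user)
        if problems:
            self._tokens[digest] = entry    # a policy failure does not burn the token
            raise ValueError("; ".join(problems))
        results = []
        for system in CONNECTED_SYSTEMS:
            self.targets[system][user] = hash_password(new_password)
            results.append((system, "ok"))
        self.audit.append((user, "password_set", ",".join(CONNECTED_SYSTEMS)))
        return results

    def verify(self, system, user, password):
        """Constant-time check against the hash a target system holds."""
        stored = self.targets[system].get(user)
        if stored is None:
            return False
        salt, digest = stored
        return hmac.compare_digest(hash_password(password, salt)[1], digest)
```

The audit list records who issued the reset and for whom; a helpdesk agent issuing resets for accounts they do not support is exactly the pattern the "who did what when" reports in the reporting section are meant to surface.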
Solution in Detail
Connectivity

Connectivity Framework

On-Prem/Cloud Applications:
- SAP Business Suite
- SuccessFactors
- SAP Access Control
- Lotus Domino / Notes
- Microsoft Exchange
- RSA ClearTrust
- RSA SecurID

Directory Servers:
- Microsoft Active Directory
- IBM Tivoli Directory
- Novell eDirectory
- SunONE Java Directory
- Oracle Internet Directory
- Microsoft ADAM
- Siemens DirX
- OpenLDAP
- eB2Bcom View500 Directory Server
- CA eTrust Directory
- SAP IDM Virtual Directory Server
- Any LDAP v3 compliant directory server

Databases, technical and other connectors:
- SAP Application Server
- Microsoft Windows NT
- Unix/Linux
- SPML
- LDAP
- ODBC/JDBC/OLE-DB
- RFC
- LDIF files
- XML files
- CSV files
- Shell execute
- Custom Java connector API
- Script-based connector API
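Connectors read as well as write, and the read direction is what keeps the central store honest. As an added example (not SAP connector code), the block below reconciles a target system's CSV export, the shape the CSV-file connector above would consume, against the identity store's desired state and turns every difference into a connector operation. The export, the desired state and the system's role names are constructed. Orphaned accounts (present in the target, owned by nobody in the identity store) and privileges granted behind the connector's back are the two findings a practitioner most wants from such a run.

```python
"""Reconciling a target-system export (CSV connector) against the identity store.

Added example, not SAP connector code. The CSV layout, the desired state
and the role names are constructed.
"""
import csv
import io

# Constructed export of a target system, as the CSV-file connector would read it.
TARGET_EXPORT = """\
username,status,roles
kim,active,SAP_FI_ACCOUNTANT;SAP_ESS_USER
alex,active,SAP_HR_MANAGER;SAP_ESS_USER;SAP_ALL
pat,locked,SAP_ESS_USER
svc_backup,active,SAP_BASIS_ADMIN
"""

# Desired state held by the identity store (constructed): user -> (status, roles).
DESIRED_STATE = {
    "kim":  ("active", {"SAP_FI_ACCOUNTANT", "SAP_ESS_USER"}),
    "alex": ("active", {"SAP_HR_MANAGER", "SAP_ESS_USER"}),
    "pat":  ("locked", {"SAP_ESS_USER"}),
    "sam":  ("active", {"SAP_ESS_USER"}),
}


def parse_export(text):
    """Read the connector's CSV into user -> (status, roles), normalising names."""
    actual = {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name = (row.get("username") or "").strip().lower()
        if not name:
            raise ValueError(f"line {line_no}: empty username")
        if name in actual:
            raise ValueError(f"line {line_no}: duplicate username {name!r}")
        roles = {r.strip() for r in (row.get("roles") or "").split(";") if r.strip()}
        actual[name] = ((row.get("status") or "").strip().lower(), roles)
    return actual


def reconcile(desired, actual):
    """Compare desired and actual state; every difference is a finding."""
    findings = {"orphaned": [], "missing": [], "extra_roles": {},
                "missing_roles": {}, "status_drift": {}}
    for user, (status, roles) in actual.items():
        if user not in desired:
            findings["orphaned"].append(user)     # nobody in the identity store owns it
            continue
        want_status, want_roles = desired[user]
        if status != want_status:
            findings["status_drift"][user] = (want_status, status)
        if roles - want_roles:
            findings["extra_roles"][user] = sorted(roles - want_roles)
        if want_roles - roles:
            findings["missing_roles"][user] = sorted(want_roles - roles)
    findings["missing"] = sorted(set(desired) - set(actual))
    return findings


def remediation_plan(findings):
    """Connector operations that bring the target back in line. Orphans are
    disabled rather than deleted so the account and its history stay auditable."""
    ops = [("disable", u, None) for u in findings["orphaned"]]
    ops += [("create", u, None) for u in findings["missing"]]
    ops += [("revoke", u, r) for u, rs in findings["extra_roles"].items() for r in rs]
    ops += [("grant", u, r) for u, rs in findings["missing_roles"].items() for r in rs]
    ops += [("set_status", u, want) for u, (want, _) in findings["status_drift"].items()]
    return ops


if __name__ == "__main__":
    for op in remediation_plan(reconcile(DESIRED_STATE, parse_export(TARGET_EXPORT))):
        print(op)
```

In the constructed data the run flags a service account nobody owns and an SAP_ALL profile that was granted directly in the target; both would be invisible to a provisioning-only integration.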
For general information about third party certifications with SAP products, please
refer to http://www.sdn.sap.com/irj/sdn/interface-certifications, or contact the SAP
Integration and Certification Center (ICC) directly at icc@sap.com
Solution in Detail
Architecture
Solution in Detail
Identity Virtualization

The SAP IDM Virtual Directory Server presents LDAP and SPML interfaces to applications and answers requests from the underlying sources (LDAP directory servers, SPML services, JDBC databases) without copying their data.

Properties:
- Real-time access to data
- No need to consolidate data sources
- No extra data store
- Quick LDAP deployment
- Easier and cheaper maintenance
- Attribute manipulation
- Name space modifications
- Complex operations on-the-fly
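The properties listed above (no extra data store, attribute manipulation, name space modification, operations on the fly) in a minimal virtual directory, as an added example that is not SAP IDM Virtual Directory Server code. The two backends are constructed: an LDAP-like dictionary of entries and an HR table in an in-memory sqlite database standing in for the JDBC source; the virtual suffix and attribute names are assumptions. Every lookup is answered by querying both backends at request time, the HR join uses a bound parameter so the uid taken from the DN never reaches the SQL text, and the manager reference is rewritten into the virtual namespace so callers never learn the backend DNs.

```python
"""A minimal virtual directory over an LDAP backend and a JDBC-style table.

Added example, not SAP IDM Virtual Directory Server code. Both backends,
the virtual suffix and the attribute names are constructed.
"""
import sqlite3

VIRTUAL_SUFFIX = "ou=people,o=virtual"

# Backend 1: what an LDAP directory server returns for its entries (constructed).
LDAP_BACKEND = {
    "uid=kim,ou=users,dc=corp,dc=example":  {"uid": "kim",  "cn": "Kim Lee",  "mail": "kim@corp.example"},
    "uid=alex,ou=users,dc=corp,dc=example": {"uid": "alex", "cn": "Alex Roe", "mail": "alex@corp.example"},
}


def hr_database():
    """Backend 2: an HR table; reached over JDBC/ODBC in the real product, sqlite here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (login TEXT PRIMARY KEY, dept TEXT, manager TEXT, active INTEGER)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)",
                   [("kim", "Accounting", "alex", 1), ("alex", "Finance", "pat", 1), ("pat", "Board", None, 0)])
    return db


class VirtualDirectory:
    """Serves LDAP-style lookups from the two backends without storing any entry."""

    def __init__(self, ldap, db):
        self.ldap, self.db = ldap, db

    def virtual_dn(self, uid):
        return f"uid={uid},{VIRTUAL_SUFFIX}"          # namespace modification

    def _uid_from_dn(self, dn):
        prefix, suffix = "uid=", "," + VIRTUAL_SUFFIX
        if not (dn.startswith(prefix) and dn.endswith(suffix)):
            raise LookupError(f"{dn} is outside {VIRTUAL_SUFFIX}")
        uid = dn[len(prefix):-len(suffix)]
        if not uid or "," in uid:
            raise LookupError(f"malformed virtual DN {dn}")
        return uid

    def lookup(self, dn):
        """Resolve one virtual DN: LDAP entry plus HR attributes, joined on the fly."""
        uid = self._uid_from_dn(dn)
        source = next((e for e in self.ldap.values() if e.get("uid") == uid), None)
        if source is None:
            raise LookupError(dn)
        entry = {"dn": self.virtual_dn(uid), "uid": uid, "cn": source["cn"], "mail": source["mail"]}
        # Attribute manipulation: the uid goes in as a bound parameter, never into the SQL text.
        row = self.db.execute("SELECT dept, manager, active FROM employee WHERE login = ?",
                              (uid,)).fetchone()
        if row is not None:
            dept, manager, active = row
            entry["departmentNumber"] = dept
            entry["accountStatus"] = "active" if active else "inactive"
            if manager:
                entry["manager"] = self.virtual_dn(manager)   # rewritten into the virtual namespace
        return entry

    def search(self, attribute, value):
        """Equality search (attribute=value) over the virtual namespace."""
        hits = []
        for source in self.ldap.values():
            entry = self.lookup(self.virtual_dn(source["uid"]))
            if entry.get(attribute) == value:
                hits.append(entry)
        return hits
```

An entry that exists only in the HR table (pat) is not reachable through the virtual directory because the LDAP backend is the anchor for the namespace; which backend anchors the join is the design decision that determines what a consumer can and cannot see.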
Summary
SAP Identity Management is part of a comprehensive SAP security suite that includes
access control as well as secure programming and compliance aspects.
The solution covers the entire identity lifecycle and automation capabilities based on
business processes.
A strong integration with SAP Access Control creates a holistic identity and access
governance solution.
Extensive connectivity with SAP and non-SAP applications extends identity
management to all areas of the enterprise.
http://scn.sap.com/community/idm
Standard solution:
- Connection of 1 source and 2 target systems
- Automatic authorization assignment
- Mass user administration jobs
- Support of system-specific attributes
- Predefined HTML based reports
- Approval workflows
- E-mail notification framework
- New Web UI tasks

Add-On 1: Connection to additional SAP systems
Add-On 2: Additional Go-Live Support