SCI203

Compliant Identity Management with GRC AC 10.0 and NetWeaver ID Management 7.2
Frank Bannert / Customer Solution Adoption September 2011

Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

© 2011 SAP AG. All rights reserved.


Agenda
• Best Practice of Compliant Identity Management
• Architecture Overview
• Prerequisites
• Available Access Control 10.0 Web Services
• New Features
• Wrap-up


Best Practice of Compliant Identity Management: Access Control 10.0 and SAP NetWeaver Identity Management 7.2 combined

Compliant Identity Management from SAP
• Integrated, innovative solutions
• Compliant identity management at reduced cost
• Increased visibility of identities and access risk across the enterprise

Compliant Identity Management: Business Value
Increased visibility of identities and access risk across the enterprise
• Real-time visibility of request status, user privileges and access risk
• Comprehensive audit trail of system and process activities
• Integrated analytics, dashboards and reporting
Integrated, innovative solutions
• Unparalleled, seamless integration to on-demand and on-premise SAP solutions
• Secure connectivity, authentication and single sign-on
• Innovative enhancements for best-in-class solutions
Compliant identity management at reduced cost
• Self-service request process for SAP and heterogeneous data environments
• Automated workflow and approval process with embedded risk analysis
• Closed loop process for approving and reviewing emergency access for SAP applications

What Is the Role of SAP BusinessObjects Access Control vs. SAP NetWeaver Identity Management?
SAP BusinessObjects Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations, and controls
• Centralized, Compliant Role Repository: define and manage compliant roles
• Compliant identity management for the entire system landscape
SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

Compliant Identity Management: Example Customer Scenario
Flow shown on the slide: a New Hire / Change Position event in the HR Application triggers Identity Management to create the user, assign roles based on position and calculate entitlements; SAP BusinessObjects Access Control runs the compliance check and remediation, and the Line Manager approves the assignments; the user is then created and roles / privileges assigned in the heterogeneous landscape.
• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

Compliant Identity Management: Process Flow (SAP NetWeaver Identity Management with SAP BusinessObjects Access Control)
1. User: request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Compliance Team: risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User
Result: Compliant Identity Management

Architecture Overview

Compliant Identity Management
SAP NetWeaver Identity Management
• Central Identity Store
• Identity mgmt. monitoring & audit
• Password management
• Rule-based assignment of business roles
• Approval workflows
• Provisioning to SAP and non-SAP systems
• SAP Business Suite Integration (e.g. on-boarding)
• Identity virtualization and identity as service
SAP BusinessObjects Access Control (GRC)
• Compliance checks through GRC

SAP NetWeaver Identity Management 7.2 – Architecture
• Identity Center: Dispatcher, Runtime Engine, Event Agent Service
• Identity Center Database
• Management Console
• Workflow and Monitoring UI (AS Java)
• Virtual Directory Server
• SAP GRC web services, …
• Connected systems (read / write, detect changes): E-Mail System, Active Directory, SAP Portal, SAP ERP, others

SAP BusinessObjects GRC 10.0 – Architecture
• Front-End Client: Web Browser with Adobe Flash Player (http), SAP GUI 7.10 (DIAG, optional), SAP CR Adapter
• SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component: GRCFND_A); GRC Search (optional); GTS (Software Component: SLL-LEG, optional); Nota Fiscal Electronica (Software Component: SLL-NFE)
• SAP NW Portal 7.02 with GRC Portal Content (optional, http)
• SAP NW JAVA 7.02 with Adobe Document Services (required for Nota Fiscal Electronica)
• SAP NetWeaver Enterprise Search 7.0 (optional)
• SAP NW BW 7.02, BI Content 7.06 with GRC BI Content (optional)
• SAP ERP (4.6C – 7.1), via RFC: NW Function Modules (Plug-in: GRCPINW), HR Function Modules and PC Automated Controls (Plug-in: GRCPIERP), GTS Plug-in (Plug-in: SLL-PI, optional)
• Content Lifecycle Management (CLM), via RFC
• SAP NetWeaver PI with Nota Fiscal Content
• Identity Management Solutions (SAP or Non-SAP), via Web services (optional)
• Non-SAP Business Applications, via Adapter (optional)

SAP BusinessObjects Access Control 10.0 – Architecture
• Front-End Client: Web Browser with Adobe Flash Player (http), SAP GUI 7.10 (DIAG, optional), SAP CR Adapter
• SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component: GRCFND_A)
• SAP NW Portal 7.02 with GRC Portal Content (optional, http)
• SAP NW JAVA 7.02 with Adobe Document Services (optional)
• SAP NW BW 7.02, BI Content 7.06 with GRC BI Content (optional)
• SAP ERP (4.6C – 7.1), via RFC: NW Function Modules (Plug-in: GRCPINW), HR Function Modules and PC Automated Controls (Plug-in: GRCPIERP, optional)
• Content Lifecycle Management (CLM), via RFC (optional)
• Identity Management Solutions (SAP or Non-SAP), via Web services
• Non-SAP Business Applications, via Adapter (optional)

Prerequisites

Technical Prerequisites
SAP BusinessObjects Access Control 10.0
• SAP NetWeaver AS ABAP 7.02 SP6 or higher (but not 7.3)
• All NetWeaver Platforms supported
SAP NetWeaver Identity Management 7.2
• SAP NetWeaver AS Java 7.0 SP14 or higher (but not 7.3) for Workflow and Monitoring UI
• All NetWeaver Platforms supported
• Management Console only supports Windows
• Database support: MS SQL or Oracle

Configuration Prerequisites
SAP BusinessObjects Access Control 10.0
• Configure all IdM systems in GRC as resources
• Configure Field Mapping and Parameter Mapping in GRC
• Synchronize Non-SAP Roles maintained in IdM with GRC if needed
SAP NetWeaver Identity Management 7.2
• Identity Center and Virtual Directory Server are configured
• Deploy and configure the GRC Provisioning Framework
• Configure IdM Web Service calls to GRC

Access Control 10.0 Web Services

Access Control Web Services (No. / Interface / Technical Name / Description)
1. Lookup service (GRAC_LOOKUP_WS): Enables lookup of possible values for a use case. Example: possible values for Request Status
2. Search roles (GRAC_SEARCH_ROLES_WS): Enables searching roles before submitting a request to GRC
3. Role Details (GRAC_ROLE_DETAILS_WS): Detailed role description and associated attributes of the selected role
4. Select Applications (GRAC_SELECT_APPL_WS): Returns a list of resources configured within GRC
5. Firefighter (GRAC_FIRE_FIGHTER_WS): Returns a list of firefighter IDs along with FF Owner details
6. User's Existing Assignments (GRAC_USER_EXISTING_ASSGN_WS): Returns the existing user assignments
7. User Access Request (GRAC_USER_ACCES_WS): This web service will be called by IdM for user access requests
8. Risk analysis (with request number) (GRAC_RISK_ANALYSIS_WITH_NO_WS): Performs Segregation of Duty analysis on a request submitted to GRC or on the assignments of an existing user
9. Organization Assignment Request (GRAC_ORG_ASSGN_REQUEST_WS): Enables IdM to assign roles to OM objects like Job, Position and Organizational Unit

Access Control Web Services (cont.)
10. Exit – User Access Request (Outbound) (GRC internal): This service will be called by GRC to inform IdM about the result when a request is closed
11. Provisioning Log (GRAC_PROV_LOGS_WS): Returns all the provisioning information for a user. It helps to determine whether the user was created, changed or deleted, or whether a role was added or removed
12. Request status (GRAC_REQUEST_STATUS_WS): Status of a request
13. Audit Logs (GRAC_AUDIT_LOGS_WS): Returns the workflow information about the paths, stages and stage approvers, and also returns the provisioning information
14. Request Details (GRAC_REQUEST_DETAILS_WS): Returns the request details along with the risk analysis
15. Risk Analysis (without request number) (GRAC_RISK_ANALYSIS_WOUT_NO_WS): Performs SoD analysis for User Level and Role Level
16. Exit – Provisioning by IdM (GRAC_EXIT_FROM_IDM_WS): This service will be called by IdM to inform GRC about the provisioning result

New Features

New Features
SAP BusinessObjects Access Control 10.0
• Risk Analysis (without request number): performs SoD analysis for User Level and Role Level without the need of a request number in AC
• Exit – User Access Request: this service will be called by GRC to inform IdM about the provisioning result
SAP NetWeaver Identity Management 7.2
• The Request-Complete Task: a request may consist of multiple assignments; all assignments are tagged with the same request ID; the global task is executed when all assignments are completed
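The six-step request flow shown earlier (request, approval, risk analysis, remediation, provisioning) and the 7.2 Request-Complete Task just described, as an added Python model of the process; this is not SAP's code and not the GRC web service API, and the SoD conflict pairs, role names and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed SoD rule set (illustrative, not GRC's rule library): role pairs one user must not hold together.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
    frozenset({"HR_MAINTAIN_MASTER", "HR_RUN_PAYROLL"}),
}

@dataclass
class Assignment:
    role: str
    status: str = "REQUESTED"   # REQUESTED -> APPROVED / MITIGATED / REJECTED -> PROVISIONED
    risks: list = field(default_factory=list)

@dataclass
class AccessRequest:
    request_id: str              # every assignment below is tagged with this one request ID
    user: str
    existing_roles: set          # roles already held (cf. the User's Existing Assignments service)
    assignments: list

def risk_analysis(req):
    """Step 4: flag each requested role that conflicts with a role held or requested in the same request."""
    held = set(req.existing_roles) | {a.role for a in req.assignments}
    for a in req.assignments:
        a.risks = sorted(r for r in held
                         if r != a.role and frozenset({a.role, r}) in SOD_CONFLICTS)
    return {a.role: a.risks for a in req.assignments}

def remediate(req, mitigations):
    """Step 5: clean assignments are approved; risky ones pass only with a mitigating control, else rejected."""
    for a in req.assignments:
        if not a.risks:
            a.status = "APPROVED"
        elif a.role in mitigations:
            a.status = "MITIGATED"
        else:
            a.status = "REJECTED"

def provision(req):
    """Step 6 plus the Request-Complete Task: provision approved/mitigated assignments and
    report the global task as run only when no assignment of this request is still open."""
    for a in req.assignments:
        if a.status in ("APPROVED", "MITIGATED"):
            a.status = "PROVISIONED"
    complete = all(a.status in ("PROVISIONED", "REJECTED") for a in req.assignments)
    return {"request_id": req.request_id, "request_complete_task_run": complete,
            "provisioned": [a.role for a in req.assignments if a.status == "PROVISIONED"]}
```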

Wrap-up

Key Benefits
Increased visibility of identities and access risk across the enterprise
• Real-time insight for informed decision making
• Minimize audit time and audit-related costs
• Comprehensive and standardized reporting for all levels of the organization
Compliant identity management at reduced cost
• Lower cost and optimized efficiency of user and role lifecycles
• Prevent segregation of duties and critical access
• Confidently manage and track emergency access for SAP applications
Integrated, innovative solutions
• Fast time to value with minimal business disruption
• Increase productivity and reduce administrative costs while securely granting access to systems
• Extendable, innovative solutions with open and flexible ecosystem

Key Take-Aways
• SAP provides Compliant Identity Management from one vendor, combining Access Control and Identity Management
• Products are on General Availability and all features are available out-of-the-box
• Compliant Identity Management is not focused on SAP products only but supports a heterogeneous landscape
• Integration has already been proven in earlier releases

More on GRC 10.0 Integration Scenarios
Another session on GRC 10.0 integration can be found in the following TechEd session: SCI204, Integration of SAP Applications with SAP BusinessObjects GRC 10.0

Further Information
SAP Public Web:
• SAP Developer Network (SDN): www.sdn.sap.com
• Business Process Expert (BPX) Community: www.bpx.sap.com
• SAP BusinessObjects Community (BOC): www.boc.sap.com
Related SAP Education and Certification Opportunities: http://www.sap.com/education/
Related Workshops/Lectures at SAP TechEd 2011: SCI204, Integration of SAP Applications with SAP BusinessObjects GRC 10.0

Questions?

Feedback
Session SCI203: please complete your session evaluation.
Be courteous — deposit your trash, and do not take the handouts for the following session.

Thank You!
Contact information: Frank Bannert, Customer Solution Adoption, frank.bannert@sap.com

