
SAP Identity Management

Overview

October 2014 Public


Agenda

Introduction to Identity Management


Role Management and Workflows
Business-Driven Identity Management
Compliant Identity Management
Reporting
Password Management
Connectivity
Architecture
Identity Virtualization
Summary & Additional Information
Appendices

2014 SAP SE or an SAP affiliate company. All rights reserved. Public 2


Introduction to SAP Identity Management

SAP Security Portfolio: IT Application Security

The SAP portfolio for IT application security covers three areas:

Identity and access management (IAM)
- Identity, governance and administration: manage the identity lifecycle, segregation of duties, emergency access, role management, reporting
- Authentication and single sign-on: single sign-on, secure network communication, central access policies, 2-factor authentication
- Products: SAP Identity Management, SAP Access Control, SAP Cloud Identity, SAP Single Sign-On

Code vulnerabilities
- Find vulnerabilities in customer code
- Product: SAP NetWeaver AS, add-on for code vulnerability analysis

Threat management
- Detect cyber crime attacks based on user behavior
- Product: SAP Enterprise Threat Detection



Key Capabilities

Holistic approach: SAP Identity Management manages identities and permissions, consistent with user roles and privileges, across all systems and applications.

It enables the efficient, secure and compliant execution of business processes, and ensures that the right users have the right access to the right systems at the right time.



Business Drivers for Identity Management

Operational costs
- Multiple sources of identity data
- Manual user provisioning
- Labor-intensive, paper-based approval systems
- Manual password reset processes

Changing business processes
- Transactions involve multiple enterprises
- Partners participate in business processes
- Company-specific requirements for user provisioning solutions

Compliance challenges
- No record of who has access to which IT resources
- Inability to deprovision user access rights upon termination
- No complete audit trail available
- Prevention of unauthorized access in multi-enterprise environments



Identity Lifecycle

Questions an identity lifecycle process has to answer:
- How long does it take for new employees to receive all permissions and become productive in their new job?
- Are permissions automatically adjusted if someone is promoted to a new position?
- How can you remove permissions automatically if employees change their position?
- Who has adequate permissions to fill in for a co-worker?
- How long does it take to remove ALL permissions of an employee? And how can you ensure that they were properly removed?



Solution in a Nutshell

- Central management of identities throughout the system landscape
- Rule-driven workflow and approval process
- Extensive audit trail, logging, and reporting functionality
- Governance through centralized and auditable identity data
- Compliance through integration with SAP Access Control
- Compliant and integrated identity management solution to mitigate segregation-of-duties risks

(Diagram: SAP Identity Management, integrated with SAP Access Control, provisions to SAP applications such as SAP SCM, SAP ERP HCM, SAP ERP and the Portal, and to non-SAP applications such as Java, database, e-mail, legacy, web app and OS.)



A Holistic Approach to Compliant Identity Management

Elements of the approach (diagram):
- Integration with SAP Business Suite, SAP ERP HCM and SuccessFactors; example: on-boarding
- Central identity store
- Identity virtualization and identity as a service
- Compliance checks via SAP Access Control (SAP BusinessObjects Access Control, GRC)
- Approval workflows
- Web-based single sign-on and identity federation
- Reporting
- Rule-based assignment of business roles
- Provisioning to SAP and non-SAP systems
- Password management



Solution in Detail
Role Management and Workflows
Role Definition and Provisioning

Role Definition (design, one-time task)
- Read system access information (roles, groups, authorizations, etc.) from target systems
- Define a business role hierarchy
- Assign technical roles to business roles
- Develop rules for role assignments

Provisioning (regularly)
- Assign or remove roles to/from people
  - through request/approval workflow
  - manually (administrator)
  - automatically, e.g. HR-driven
- Automatic adjustment of master data and assignments of technical authorizations in target systems

(Diagram: a business role hierarchy with Manager above Employee and Accounting. The business roles map to technical roles such as AD user, Portal role, Accounting (ABAP role) and HR manager (ABAP role), which are provisioned to the target systems E-mail system, Active Directory, SAP Portal, SAP FI and SAP HR.)



Context-Based Role Management: Reducing Complexity

Context-based role management simplifies the structure of roles through dynamic role assignment based on user context information, such as position or location.

(Diagram: in SAP Identity Management a user is assigned a business role together with a context such as position or location; the business role resolves to technical roles A, B and C in the managed systems, and each technical role applies to the user within that context.)

Benefits
- Reduced number of roles
- Reduced complexity
- Sufficient granularity
- Improved data consistency and governance

Example: 20 roles in 1,000 factories
- Conventional method: 20,000 entries (one role per factory and function)
- Context-based: 1,020 entries (20 roles + 1,000 contexts)



Workflows

The request/approval workflow runs through five stages:
1. Request: the user sends a role request.
2. Processing: the Identity Center processes the request and sends an alert to the manager / administrator.
3. Approval: the manager checks the request and approves or denies it.
4. Provisioning: the Identity Center provisions the new roles and privileges to the respective systems.
5. Notification: the Identity Center sends a notification to the user and manager.



Solution in Detail
Business-Driven Identity Management
Integration with SAP Business Applications

SAP Identity Management integrates with the SAP business applications, among them:
- SAP Portfolio and Product Management
- SAP Supply Network Collaboration
- SuccessFactors Employee Central
- SAP Customer Relationship Management
- SAP Extended Warehouse Management
- SAP Supplier Relationship Management
- SAP Transportation Management
- SAP Product Lifecycle Management
- SAP ERP Financials
- SAP HANA
- SAP Service Parts Planning
- SAP ERP Human Capital Management



Business Process Driven Identity Management
On-Boarding

Kim Perkins joins the company as a marketing specialist.


From the first day with her new company, she is able to log on to all relevant systems,
including access to the employee self-services, and access to SAP CRM to track the
marketing activities she is responsible for.

1. Pre-hire phase: HR ensures that all necessary employee data for Kim is available in SAP ERP HCM (or SuccessFactors), such as position and entry date.
2. Event-based extraction of personnel data into SAP Identity Management.
3. Based on the position in HCM, IDM automatically assigns the business role Marketing Specialist.
4. Kim's manager approves the assignment.
5. First day at work: provisioning of role and authorization information to the relevant target systems:
   - SAP ERP HCM: user created, role Employee
   - SAP CRM: business partner created, user created, role Marketing Professional
   - SAP Portal: user created
   Result: access to SAP ESS and SAP CRM. Involved: HR Operations, SAP Identity Management, Line Manager.



Business Process Driven Identity Management
Position Change

After two years as a marketing specialist, Kim is promoted and takes over personnel and
budget responsibility for her marketing team.
On the first day in her new role, she has access to the manager self-services. In her new
position, she is responsible for budget approvals for all marketing campaigns - this requires
immediate access to SAP ERP to view the marketing costs.

1. HR ensures that all necessary employee data for Kim is available in SAP ERP HCM (or SuccessFactors).
2. Event-based extraction of personnel data into SAP Identity Management.
3. SAP Identity Management recognizes the line manager information for Kim and automatically assigns the business role Marketing Manager.
4. Day of position change: provisioning of role and authorization information to the relevant target systems:
   - SAP ERP HCM: user updated, roles Employee and Line Manager
   - SAP ERP: user created, role Marketing Controller
   - SAP CRM: user updated, role Marketing Controller
   - SAP Portal: user updated
   Result: access to SAP ESS, SAP MSS and SAP CRM. Involved: HR Operations, SAP Identity Management.



Business Process Driven Identity Management
Termination

After eight years, Kim leaves the company.


The day after her official assignment with the company ends, she is no longer able to access
any corporate systems.

1. HR ensures that all data relevant for the employment contract termination is available in SAP ERP HCM (or SuccessFactors), such as the last day of work.
2. Event-based extraction of personnel data into SAP Identity Management.
3. SAP Identity Management recognizes the last day information for Kim; it automatically takes away all access rights and disables her accounts.
4. Day after termination of employment: user disabled in SAP ERP HCM, SAP ERP, SAP CRM and SAP Portal. Involved: HR Operations, SAP Identity Management.

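The three events above (on-boarding, position change, termination) reduce to one loop: take the HR record, derive business roles by rule, expand them into technical roles per target system, and reconcile each system against that desired state. The following Python block is an added example written for this page, not SAP Identity Management code; the rule tables, the system names (ERP_HCM, CRM, ERP_FI, Portal), the role names and the in-memory landscape dict that stands in for the connectors are all constructed for illustration.

```python
# HR-driven provisioning and reconciliation (illustration, not SAP IdM code).
# Rule tables, system names and role names are hypothetical; the landscape
# dict stands in for the connectors to the target systems.
from dataclasses import dataclass
from typing import Optional

# Constructed assignment rules: HCM position -> business role.
BUSINESS_ROLE_FOR_POSITION = {
    "Marketing Specialist": "Marketing Professional",
    "Marketing Manager": "Marketing Manager",
}

# Constructed business-role definitions: business role -> technical roles per target system.
TECHNICAL_ROLES = {
    "Employee":               {"ERP_HCM": {"ESS_USER"}, "Portal": {"portal_user"}},
    "Line Manager":           {"ERP_HCM": {"MSS_USER"}},
    "Marketing Professional": {"CRM": {"crm_marketing_professional"}},
    "Marketing Manager":      {"CRM": {"crm_marketing_manager"},
                               "ERP_FI": {"fi_marketing_controller"}},
}


@dataclass
class HrRecord:
    """One person as delivered by the event-based extraction from HCM."""
    person_id: str
    position: str
    is_line_manager: bool = False
    last_day: Optional[str] = None   # ISO date of the last working day; None while employed


def business_roles(rec: HrRecord, as_of: str) -> set[str]:
    """Rule-based business-role calculation; nothing at all after the last day."""
    if rec.last_day is not None and as_of > rec.last_day:   # ISO dates compare as strings
        return set()
    roles = {"Employee", BUSINESS_ROLE_FOR_POSITION[rec.position]}
    if rec.is_line_manager:
        roles.add("Line Manager")
    return roles


def desired_state(rec: HrRecord, as_of: str) -> dict[str, set[str]]:
    """Expand the business roles into technical roles per target system."""
    desired: dict[str, set[str]] = {}
    for role in business_roles(rec, as_of):
        for system, techs in TECHNICAL_ROLES[role].items():
            desired.setdefault(system, set()).update(techs)
    return desired


def reconcile(landscape: dict, rec: HrRecord, as_of: str) -> list[str]:
    """Bring every target system to the desired state and return the audit trail.

    landscape = {system: {person_id: {"enabled": bool, "roles": set}}}
    """
    desired = desired_state(rec, as_of)
    trail: list[str] = []
    for system in sorted(set(landscape) | set(desired)):
        accounts = landscape.setdefault(system, {})
        want = desired.get(system, set())
        acct = accounts.get(rec.person_id)
        if want:
            if acct is None:
                acct = accounts[rec.person_id] = {"enabled": True, "roles": set()}
                trail.append(f"{system}: user {rec.person_id} created")
            elif not acct["enabled"]:
                acct["enabled"] = True
                trail.append(f"{system}: user {rec.person_id} enabled")
            for role in sorted(want - acct["roles"]):
                acct["roles"].add(role)
                trail.append(f"{system}: +{role}")
            for role in sorted(acct["roles"] - want):
                acct["roles"].discard(role)
                trail.append(f"{system}: -{role}")
        elif acct is not None and (acct["enabled"] or acct["roles"]):
            # No entitlement left in this system: strip every role and disable the
            # account. Disabled rather than deleted, so the record of who had what
            # stays available for reporting.
            for role in sorted(acct["roles"]):
                trail.append(f"{system}: -{role}")
            acct["roles"].clear()
            acct["enabled"] = False
            trail.append(f"{system}: user {rec.person_id} disabled")
    return trail


def fully_deprovisioned(landscape: dict, person_id: str) -> bool:
    """The check behind 'how can you ensure all permissions were removed':
    the person has at least one account, and all are disabled with no roles."""
    accounts = [accts[person_id] for accts in landscape.values() if person_id in accts]
    return bool(accounts) and all(not a["enabled"] and not a["roles"] for a in accounts)


if __name__ == "__main__":
    landscape: dict = {}
    # On-boarding, position change, termination: the three events from the slides.
    for as_of, rec in [
        ("2014-10-01", HrRecord("kperkins", "Marketing Specialist")),
        ("2016-10-01", HrRecord("kperkins", "Marketing Manager", is_line_manager=True)),
        ("2022-10-01", HrRecord("kperkins", "Marketing Manager", True, last_day="2022-09-30")),
    ]:
        print(as_of, *reconcile(landscape, rec, as_of), sep="\n  ")
    print("fully deprovisioned:", fully_deprovisioned(landscape, "kperkins"))
```

Running it prints the audit trail for the three events. The position change both adds and removes technical roles (the CRM role changes, ERP_FI is created, MSS_USER is added), the run on the day after the last day strips every role and disables every account, and fully_deprovisioned() is the check that answers the lifecycle question of whether all permissions were actually removed. Reconciling against a computed desired state, rather than replaying individual add/remove events, is what makes the removal complete even when earlier events were missed.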


Solution in Detail
Compliant Identity Management
Compliant Identity Management: Capabilities

Consistent view on current and historic access rights, approvals and policy violations.

- Manage identities and permissions (SAP Identity Management)
- Identify and mitigate risks (SAP Access Control)
- Central management of heterogeneous environments
- Integration based on standards
- Compliance checks
- Business risk controls and mitigation

Compliant identity management across SAP and heterogeneous landscapes in one integrated solution.



Compliant Identity Management: Process View

1. Request role assignment (SAP Identity Management)
2. Manager approval
3. Forward request for risk analysis
4. Risk analysis (SAP Access Control, SAP BusinessObjects Access Control / GRC)
5. Risk mitigation
6. Risk status returned to SAP Identity Management
7. Provisioning to target systems: SAP applications (SAP SCM, SAP ERP HCM, SAP ERP, Portal) and non-SAP applications (Java, database, e-mail, legacy, web app, OS)
8. Notification to user and manager

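Steps 2 to 8 above, and the compliance check and remediation step on the following slide, come down to one decision: simulate the requested assignment on top of what the user already holds, report every segregation-of-duties violation, and provision only when each open risk has a mitigating control assigned. The following Python block is an added example written for this page, not SAP Access Control or SAP Identity Management code; the SoD rule set, the role-to-function mapping, the user names and the control ids are constructed for illustration.

```python
# SoD risk analysis inside the request workflow (illustration, not SAP Access Control code).
# Rule set, role-to-function mapping, users and control ids are constructed.
from dataclasses import dataclass

# Constructed SoD rule set: (risk id, function A, function B, rating).
# A user who can perform both functions violates the rule.
SOD_RULES = [
    ("R001", "Create vendor", "Pay vendor", "High"),
    ("R002", "Post journal entry", "Approve journal entry", "Medium"),
]

# Constructed mapping of roles to the business functions they grant.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"Create vendor", "Post journal entry"},
    "AP_PAYMENTS": {"Pay vendor"},
    "GL_REVIEWER": {"Approve journal entry"},
    "REPORT_VIEWER": set(),
}


@dataclass
class Finding:
    risk_id: str
    rating: str
    functions: tuple[str, str]
    via_roles: list[str]   # roles that together produce the conflict
    new: bool              # introduced by this request, or pre-existing


@dataclass
class Request:
    user: str
    role: str
    approved_by_manager: bool = False


def _violations(roles: set[str]) -> dict[str, Finding]:
    found: dict[str, Finding] = {}
    for risk_id, fn_a, fn_b, rating in SOD_RULES:
        have_a = {r for r in roles if fn_a in ROLE_FUNCTIONS[r]}
        have_b = {r for r in roles if fn_b in ROLE_FUNCTIONS[r]}
        if have_a and have_b:
            found[risk_id] = Finding(risk_id, rating, (fn_a, fn_b), sorted(have_a | have_b), new=True)
    return found


def risk_analysis(current_roles: set[str], requested: str) -> list[Finding]:
    """Step 4: simulate the assignment and report every violation, flagging the new ones.
    Pre-existing violations are reported too; the request must not hide them."""
    before = _violations(current_roles)
    after = _violations(current_roles | {requested})
    for risk_id, finding in after.items():
        finding.new = risk_id not in before
    return list(after.values())


def process_request(user_roles: dict[str, set[str]], req: Request,
                    mitigations: dict[tuple[str, str], str]) -> dict:
    """Steps 2 to 8: approval, risk analysis, mitigation status, provisioning, notification.
    `mitigations` maps (user, risk id) to the id of an assigned mitigating control;
    any unmitigated risk blocks provisioning."""
    if not req.approved_by_manager:
        return {"status": "rejected", "reason": "manager approval missing", "notify": [req.user]}
    findings = risk_analysis(user_roles.get(req.user, set()), req.role)
    open_risks = [f for f in findings if (req.user, f.risk_id) not in mitigations]
    if open_risks:
        return {
            "status": "blocked",
            "risks": [(f.risk_id, f.rating, "new" if f.new else "pre-existing", f.via_roles)
                      for f in open_risks],
            "notify": [req.user, "manager", "risk owner"],
        }
    user_roles.setdefault(req.user, set()).add(req.role)   # step 7: provisioning
    return {
        "status": "provisioned",
        "risks": [f.risk_id for f in findings],
        "mitigated_by": [mitigations[(req.user, f.risk_id)] for f in findings],
        "notify": [req.user, "manager"],
    }


if __name__ == "__main__":
    roles = {"alice": {"AP_CLERK"}}
    print(process_request(roles, Request("alice", "AP_PAYMENTS", approved_by_manager=True), {}))
    # After the risk owner assigns a mitigating control, the same request goes through.
    controls = {("alice", "R001"): "CTRL-DUAL-SIGNOFF"}
    print(process_request(roles, Request("alice", "AP_PAYMENTS", approved_by_manager=True), controls))
```

The first call is blocked because AP_CLERK plus AP_PAYMENTS would let one person create and pay a vendor; the second succeeds only because a mitigating control for that risk has been recorded for the user. Two design points matter for a real deployment: the analysis runs on the full resulting role set, not just the requested role, so pre-existing conflicts surface on every later request; and the mitigation is keyed to user and risk, so a control assigned for one person does not silently cover another.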


Compliant, Business-Driven Identity Management

Requirement:
- Simplify and automate role assignment while ensuring compliance

Solution:
- Provide automated, position-based role management
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration with SAP Business Suite

Process (diagram):
1. New hire in SAP ERP HCM
2. Calculate entitlements based on position (SAP Identity Management)
3. Compliance check and remediation (SAP Access Control)
4. Approve assignments (Line Manager): yes / no
5. Provisioning to the landscape: SAP ERP HCM, SAP ERP FI, Portal, non-SAP



Solution in Detail
Reporting
Reporting Options at a Glance

Basic Reporting
- Focus: static, printable reports
- Report creation on database level

Extended Reporting with SAP Business Warehouse (SAP BW)*
- Focus: dynamic reports, offering more, highly detailed, and customizable reporting options
- Data is extracted from SAP Identity Management on a regular basis (as per defined job)
- Predefined report templates available; custom reports can be freely defined
- Filtering, sorting, export to MS Excel, CSV, PDF, send via e-mail, etc.

Reporting with SAP Lumira*
- Focus: customer-specific reports/analyses for identity management
- Rich graphical capabilities for visualizing and utilizing reported data
- Low integration and maintenance efforts
- Easy extension

*SAP BW and SAP Lumira are not part of the SAP ID Mgmt license
Basic Reporting

- Application/privilege-centric: determination of system access
- User-centric: determination of user privileges
- Entry data: current data, historical data, time stamps, modified by, audit flags
- Approval data: who approved what when? Who had which privilege when? Segregation of duties, attestation
- Task audit log: determination of tasks run on a user / by a user
- General logs
- Off-the-shelf reporting tools can be used



Extended Reporting with SAP Business Warehouse

SAP BW report templates
- Persons, privileges, roles and their assignments over time and for specific dates
- Content-based and time-based reporting
- Advanced filtering and sorting options

Access control
- Roles for the reporting user (administrator, manager, owner)

Change history
- Who changed what
- Basic audit data up to the time of the last synchronization

Flexibility
- BEx reports



Reporting with SAP Lumira

- Customer-specific reports/analyses for identity management
- Rich graphical capabilities for visualizing and utilizing reported data
- Low integration and maintenance efforts
- Easy extension



Solution in Detail
Password Management
Password Management

Requirement:
- Reduce help desk calls related to password reset inquiries
- Enable password provisioning across heterogeneous landscapes

Solution:
- Centralize and automate password management

(Diagram: the user or the help desk resets a password, recovers a lost password or sets a new password in SAP Identity Management, which provisions it to the landscape: SAP ERP HCM, SAP ERP FI, Portal and non-SAP systems.)



Solution in Detail
Connectivity
Connectivity Framework

Databases
- Microsoft SQL Server, Microsoft Access, Oracle database, IBM UDB (DB2), MySQL, Sybase, SAP HANA

Directory servers
- Microsoft Active Directory, IBM Tivoli Directory, Novell eDirectory, SunONE Java Directory, Oracle Internet Directory, Microsoft ADAM, Siemens DirX, OpenLDAP, eB2Bcom View500 Directory Server, CA eTrust Directory, SAP IDM Virtual Directory Server, any LDAP v3 compliant directory server

On-prem/cloud applications
- SAP Business Suite, SuccessFactors, SAP Access Control, Lotus Domino / Notes, Microsoft Exchange, RSA ClearTrust, RSA SecurID

Technical
- SPML, LDAP, ODBC/JDBC/OLE-DB, RFC, LDIF files, XML files, CSV files

Other
- SAP Application Server, Microsoft Windows NT, Unix/Linux, shell execute, custom Java connector API, script-based connector API



Third Party Connector Certification
SAP ICC Integration Scenario NW-IDM-CON

SAP Identity Management Integration Scenario NW-IDM-CON

The SAP Integration and Certification Center (ICC) offers a certification for
the integration scenario NW-IDM-CON.

SAP partners as well as potential partners and independent software vendors (ISVs) are invited to use the Connector Development Kit (CDK) to create an SAP Identity Management connector for their application, and to integrate the application into the identity management landscape. This connector can then be certified by the SAP ICC.

For general information about third party certifications with SAP products, please
refer to http://www.sdn.sap.com/irj/sdn/interface-certifications, or contact the SAP
Integration and Certification Center (ICC) directly at icc@sap.com



Solution in Detail
Architecture
SAP Identity Management Architecture



Solution in Detail
Identity Virtualization
Virtual Directory Server

Virtual Directory Server (VDS) provides
- a single consistent view and entry point for multiple distributed identity data sources
- identity information as a service for applications through standard protocols (LDAP, SPML)
- an abstraction layer for underlying data stores

The consumer only sees one standard interface (SPML or LDAP). VDS transforms incoming LDAP requests and connects directly to the existing data repositories (directory servers via LDAP, databases via JDBC, applications via SPML); the data stays within the original data source, with efficient caching.

Properties
- Real-time access to data
- No need to consolidate data sources
- No extra data store
- Quick LDAP deployment
- Easier and cheaper maintenance
- Attribute manipulation
- Name space modifications
- Complex operations on-the-fly

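What the virtual directory does with a single LDAP search, namespace rewriting, attribute mapping, computed attributes and caching included, is easier to see in a small model than in the bullet list. The following Python block is an added example written for this page, not SAP Identity Management VDS code and not a real LDAP server: the two backends (an Active Directory-like tree and an HR table), the dc=virtual namespace, the mount points and every attribute name are constructed for illustration, and only equality filters are parsed.

```python
# Minimal virtual directory (illustration, not SAP IdM VDS code). Backends, names and
# attributes are constructed; the consumer sees one namespace under dc=virtual.
import re
import time
from dataclasses import dataclass
from typing import Callable, Union


class DirectoryBackend:
    """Stand-in for an existing LDAP server: entries keyed by DN in its own namespace."""
    def __init__(self, entries: dict[str, dict]):
        self.entries, self.calls = entries, 0

    def search(self, attr: str, value: str) -> list[tuple[str, dict]]:
        self.calls += 1
        return [(dn, e) for dn, e in self.entries.items() if e.get(attr) == value]


class DatabaseBackend:
    """Stand-in for a JDBC source: rows without DNs; the key column becomes the RDN."""
    def __init__(self, rows: list[dict], key: str):
        self.rows, self.key, self.calls = rows, key, 0

    def search(self, attr: str, value: str) -> list[tuple[str, dict]]:
        self.calls += 1
        return [(f"{self.key}={r[self.key]}", r) for r in self.rows if r.get(attr) == value]


@dataclass
class Mount:
    rdn: str            # subtree under the virtual suffix, e.g. "ou=ad"
    backend: object
    backend_base: str   # DN suffix stripped from backend DNs ("" for the database)
    attr_map: dict[str, Union[str, Callable[[dict], str]]]   # virtual attr -> backend attr, or computed


class VirtualDirectory:
    FILTER = re.compile(r"^\((\w+)=([^)]*)\)$")   # equality filters only

    def __init__(self, suffix: str, cache_ttl: float = 30.0):
        self.suffix, self.cache_ttl, self.mounts = suffix, cache_ttl, []
        self._cache: dict[tuple[str, str], tuple[float, list]] = {}

    def mount(self, rdn: str, backend, backend_base: str, attr_map: dict) -> None:
        self.mounts.append(Mount(rdn, backend, backend_base, attr_map))

    def _rewrite_dn(self, backend_dn: str, m: Mount) -> str:
        """Name space modification: move the entry from the backend tree into the virtual tree."""
        rdn = backend_dn
        if m.backend_base and backend_dn.lower().endswith("," + m.backend_base.lower()):
            rdn = backend_dn[: -len(m.backend_base) - 1]
        return f"{rdn},{m.rdn},{self.suffix}"

    def search(self, base: str, ldap_filter: str) -> list[tuple[str, dict]]:
        key = (base.lower(), ldap_filter)
        hit = self._cache.get(key)
        if hit and time.monotonic() - hit[0] < self.cache_ttl:
            return hit[1]                                   # served from cache, no backend call
        match = self.FILTER.match(ldap_filter)
        if not match:
            raise ValueError(f"unsupported filter: {ldap_filter}")
        attr, value = match.groups()
        results: list[tuple[str, dict]] = []
        for m in self.mounts:
            # Route by search base: the whole virtual tree, or exactly this mount's subtree.
            if base.lower() not in (self.suffix.lower(), f"{m.rdn},{self.suffix}".lower()):
                continue
            backend_attr = m.attr_map.get(attr)
            if not isinstance(backend_attr, str):
                continue                                    # computed attributes are not searchable
            for backend_dn, entry in m.backend.search(backend_attr, value):
                virtual_entry = {}
                for vattr, source in m.attr_map.items():
                    if callable(source):
                        virtual_entry[vattr] = source(entry)   # attribute manipulation on the fly
                    elif source in entry:
                        virtual_entry[vattr] = entry[source]
                results.append((self._rewrite_dn(backend_dn, m), virtual_entry))
        self._cache[key] = (time.monotonic(), results)
        return results


def build_demo() -> tuple[VirtualDirectory, DirectoryBackend, DatabaseBackend]:
    """Constructed sample: an Active Directory-like tree and an HR table, mounted side by side."""
    ad = DirectoryBackend({"CN=Kim Perkins,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "kperkins", "mail": "kim.perkins@corp.example",
        "givenName": "Kim", "sn": "Perkins"}})
    hr = DatabaseBackend([{"pernr": "00001234", "email": "kim.perkins@corp.example",
                           "first": "Kim", "last": "Perkins", "position": "Marketing Specialist"}],
                         key="pernr")
    vds = VirtualDirectory("dc=virtual")
    vds.mount("ou=ad", ad, "OU=Users,DC=corp,DC=example",
              {"uid": "sAMAccountName", "mail": "mail", "cn": lambda e: f"{e['givenName']} {e['sn']}"})
    vds.mount("ou=hr", hr, "",
              {"uid": "pernr", "mail": "email", "title": "position", "cn": lambda e: f"{e['first']} {e['last']}"})
    return vds, ad, hr
```

With build_demo(), a search for (mail=kim.perkins@corp.example) under dc=virtual returns two entries, CN=Kim Perkins,ou=ad,dc=virtual and pernr=00001234,ou=hr,dc=virtual, each with a common attribute set although the backends name their columns differently; a repeat of the same search within the TTL is answered from the cache without touching either backend, and a search scoped to ou=hr,dc=virtual is routed to the HR table only. One security caveat follows directly from the model: the cache and the attribute map are the only places where data is copied out of the original source, so the TTL and the set of exposed attributes are what decide how stale and how wide the virtual view can be.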


Summary & Additional Information
Summary

SAP Identity Management is part of a comprehensive SAP security suite that includes
access control as well as secure programming and compliance aspects.

The solution covers the entire identity lifecycle and automation capabilities based on
business processes.

A strong integration with SAP Access Control creates a holistic identity and access
governance solution.

Extensive connectivity with SAP and non-SAP applications extends identity management to all areas of the enterprise.



Find More Information
SAP Community Network

Visit the SAP Community Network (SCN) for comprehensive information on SAP Identity Management, such as
- discussion forum, product information, documentation, training, and support information
- articles, blogs, WIKI, FAQs, and newsletters
- downloads

http://scn.sap.com/community/idm
SAP Identity Management
Rapid deployment solution

- Short project times and reduced TCO by simplifying assignment and management of roles and privileges to users
- Implementation of best practice processes out of the box with a fixed scope and the most important and common scenarios, e.g. a defined set of customer-specific configuration, connection of source and target systems, provisioning etc.
- Pre-configured functionality of SAP Identity Management in a development system
- Step-by-step guide, describing each activity during deployment
- Solution can be extended with additional add-on options

Standard solution scope:
- Connection of 1 source and 2 target systems
- Automatic authorization assignment
- Approval workflows
- Mass user administration jobs
- E-mail notification framework
- Support of system-specific attributes
- Predefined HTML-based reports
- New Web UI tasks

Add-On 1: Connection to additional SAP systems
Add-On 2: Additional Go-Live Support



2014 SAP SE or an SAP affiliate company.
All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional
trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SEs or its affiliated
companies strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties
that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

