Overview
SAP security suite:
- SAP NetWeaver AS, add-on for code vulnerability analysis
- SAP Access Control
- SAP Identity Management
- SAP Single Sign-On
- SAP Cloud Identity
- SAP Enterprise Threat Detection
Holistic approach
- Enables the efficient, secure and compliant execution of business processes
- Ensures that the right users have the right access to the right systems at the right time
- Manage identities and permissions across all systems and applications
- Consistent with user roles and privileges
SAP Identity Management
Integration with SAP Business Suite: SAP ERP HCM and SuccessFactors
Example: on-boarding
(Diagram: SAP Access Control, SAP ERP HCM, Portal, legacy system, web app and SuccessFactors as connected systems)
SAP Identity Management and SAP Access Control (SAP BusinessObjects Access Control, GRC):
- Compliance checks
- Approval workflows
- Web-based single sign-on and identity federation
- Reporting
- Rule-based assignment of business roles
- Provisioning to SAP and non-SAP systems
- Password management
(Diagram: SAP applications and non-SAP applications as provisioning targets)
Business roles
- Define a business role hierarchy
- Assign technical roles to business roles
- Develop rules for role assignments
Technical roles
- Assign or remove roles to/from people
  - Through request/approval workflow
  - Manually (administrator)
  - Automatically, e.g. HR-driven
- Automatic adjustment of master data and assignments of technical authorizations in target systems
(Diagram: business roles Manager, Employee and Accounting map to technical roles such as AD, Portal, Accounting, HR manager and e-mail user roles (ABAP roles), which are provisioned regularly to the e-mail system, Active Directory, SAP Portal, SAP FI and SAP HR)
Benefits
- Reduced number of roles
- Reduced complexity
- Sufficient granularity and governance
Example: 20 roles in 1000 factories
- Conventional method: 20,000 entries (roles)
- Context-based: 1,020 entries (roles + contexts)
(Diagram: User, Technical role A, Managed System)
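The business role hierarchy, HR-driven rule-based assignment and the context-based role count described on these slides, as an added example that is not part of the original deck; the role names, plants, master data records and functions are constructed assumptions, not SAP Identity Management code:

```python
"""Context-based business roles: one role definition, many contexts.
Added example for the 'Business roles' and 'Benefits' slides; role names,
contexts, master data and functions are constructed, not SAP IdM code."""

# Business role hierarchy: a child inherits its parent's technical roles.
# Technical roles are (target system, role name) pairs.
BUSINESS_ROLES = {
    "Plant_Employee": {"parent": None,
                       "tech": {("SAP_ERP", "Z_PLANT_DISPLAY")}},
    "Plant_Accountant": {"parent": "Plant_Employee",
                         "tech": {("SAP_FI", "Z_FI_POST")}},
}
# Rule-based assignment: HR job attribute -> business role. The plant in
# the HR master data becomes the context of the assignment.
ASSIGNMENT_RULES = {"accountant": "Plant_Accountant",
                    "operator": "Plant_Employee"}

def technical_roles(business_role):
    """Technical roles of a business role and all of its ancestors."""
    out = set()
    while business_role is not None:
        node = BUSINESS_ROLES[business_role]
        out |= node["tech"]
        business_role = node["parent"]
    return out

def assign_from_master_data(records):
    """HR-driven assignment from (user, job, plant) records:
    {user: {(business role, context)}}; unmatched jobs get nothing."""
    assignments = {}
    for user, job, plant in records:
        role = ASSIGNMENT_RULES.get(job)
        if role is not None:
            assignments.setdefault(user, set()).add((role, plant))
    return assignments

def effective_authorizations(user, assignments):
    """Per target system, the technical roles to provision for the user,
    each restricted to the context (plant) it was assigned for."""
    result = {}
    for brole, ctx in assignments.get(user, ()):
        for system, trole in technical_roles(brole):
            result.setdefault(system, set()).add((trole, ctx))
    return result

def entry_counts(n_roles, n_contexts):
    """(conventional, context-based) number of role entries to maintain:
    one copy per (role, plant) pair versus one per role plus one per plant."""
    return n_roles * n_contexts, n_roles + n_contexts
```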
Request, approval, provisioning and notification
- Request: Identity Center processes the request
- Approval
- Provisioning: Identity Center provisions new roles and privileges to the respective systems
- Notification: sends alert to manager / administrator
(Diagram: target systems SAP Product Lifecycle Management, SAP ERP Financials, SAP HANA)
After two years as a marketing specialist, Kim is promoted and takes over personnel and
budget responsibility for her marketing team.
On the first day in her new role, she has access to the manager self-services. In her new position she is responsible for budget approvals for all marketing campaigns, which requires immediate access to SAP ERP to view the marketing costs.
(Diagram: the position change in SAP ERP HCM triggers the role assignment by SAP Identity Management)
Off-boarding:
- Event-based extraction of personnel data from SAP ERP HCM
- SAP Identity Management recognizes the last day information for Kim
- It automatically takes away all access rights and disables her accounts
(Diagram: user disabled in SAP ERP, SAP CRM, SuccessFactors and SAP Portal)
Integration of SAP Identity Management and SAP Access Control (SAP BusinessObjects Access Control, GRC): business controls and risk mitigation based on standards
1. Request role assignment (HR operations)
2. Manager approval
3. Forward request for risk analysis
4. Risk analysis
5. Risk mitigation
6. Risk status
7. Provisioning to target systems (SAP applications such as SAP ERP, non-SAP applications such as the OS)
8. Notification to user and manager
Requirement: Simplify and automate role assignment while ensuring compliance
Solution:
- Provide automated, position-based role management
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration with SAP Business Suite
(Diagram: a new hire flows from SAP ERP HCM through SAP Identity Management, SAP Access Control and the line manager into the landscape: SAP ERP HCM, Portal, non-SAP)
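The HR-driven workflow on these slides (position change in HR, risk analysis before provisioning, mitigation instead of provisioning when a risk is found, and disabling of all accounts on the last day), as an added example that is not part of the original deck; the positions, role names, segregation-of-duties rule and functions are constructed assumptions, not SAP Identity Management or SAP Access Control code:

```python
"""HR-driven role lifecycle with a risk check before provisioning.
Added illustration of the slides' workflow; positions, role names, the SoD
rule and all functions are constructed, not SAP IdM/Access Control code."""

# Position-based rule: which business roles a position entitles to.
POSITION_ROLES = {
    "marketing_specialist": {"Employee"},
    "marketing_manager": {"Employee", "Manager", "Budget_Approver"},
    "finance_lead": {"Employee", "Budget_Approver", "Vendor_Master"},
}
# Business role -> technical roles per target system.
TECH_ROLES = {
    "Employee": {"Portal": {"ESS"}, "SAP_ERP": {"Z_EMP_DISPLAY"}},
    "Manager": {"Portal": {"MSS"}},
    "Budget_Approver": {"SAP_ERP": {"Z_FI_BUDGET_APPROVE"}},
    "Vendor_Master": {"SAP_ERP": {"Z_FI_VENDOR_CREATE"}},
}
# Segregation-of-duties rule: these roles must never be held together.
SOD_RULES = [({"Z_FI_BUDGET_APPROVE", "Z_FI_VENDOR_CREATE"}, "SOD-FI-01")]

def desired_state(position, last_day, today):
    """Technical roles per system the HR data entitles to. Dates are ISO
    strings; from the last day on the result is empty (disable everything)."""
    if last_day is not None and today >= last_day:
        return {}
    out = {}
    for brole in POSITION_ROLES.get(position, set()):
        for system, troles in TECH_ROLES[brole].items():
            out.setdefault(system, set()).update(troles)
    return out

def sod_violations(roles):
    """Risk analysis: ids of the SoD rules the combined role set violates."""
    return [rid for pair, rid in SOD_RULES if pair <= roles]

def plan(current, position, last_day, today):
    """Diff current against desired access -> (status, actions). Nothing is
    provisioned while a detected risk still awaits mitigation."""
    desired = desired_state(position, last_day, today)
    if not desired:
        return "provisioned", [("disable", s) for s in sorted(current)]
    risks = sod_violations(set().union(*desired.values()))
    if risks:
        return "mitigation_required:" + ",".join(risks), []
    actions = []
    for system in sorted(set(current) | set(desired)):
        have, want = current.get(system, set()), desired.get(system, set())
        actions += [("remove", system, r) for r in sorted(have - want)]
        actions += [("add", system, r) for r in sorted(want - have)]
    return "provisioned", actions
```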
Basic Reporting
- Focus: static, printable reports
- Report creation on database level
* SAP BW and SAP Lumira are not part of the SAP ID Mgmt license
2014 SAP SE or an SAP affiliate company. All rights reserved. Public 24
Basic Reporting
- Application/privilege-centric: determination of system access
- User-centric: determination of user privileges
- Entry data: current data, historical data, time stamps, modified by, audit flags
- Approval data: who approved what when? Who had which privilege when? Segregation of duties, attestation
- Task audit log: determination of tasks run on user / by user
- General logs
- Off-the-shelf reporting tools can be used
- Flexibility: BEx reports, easy extension
Requirement: Reduce help desk calls related to password reset inquiries
Solution:
- Centralize and automate password management
- Enable password provisioning across heterogeneous landscapes
(Diagram: reset password, recover lost password and set new password through SAP Identity Management, provisioned to SAP ERP HCM, SAP ERP FI, Portal and non-SAP systems)
Connectivity
Directory servers:
- Microsoft Active Directory
- IBM Tivoli Directory
- Novell eDirectory
- SunONE Java Directory
- Oracle Internet Directory
- Microsoft ADAM
- Siemens DirX
- OpenLDAP
- eB2Bcom View500 Directory Server
- CA eTrust Directory
- SAP IDM Virtual Directory Server
- Any LDAP v3 compliant directory server
Other:
- SAP Application Server
- Microsoft Windows NT
- Unix/Linux
Technical:
- SPML
- LDAP
- ODBC/JDBC/OLE-DB
- RFC
- LDIF files
- XML files
- CSV files
- Shell execute
- Custom Java connector API
- Script-based connector API
The SAP Integration and Certification Center (ICC) offers a certification for the integration scenario NW-IDM-CON.
For general information about third-party certifications with SAP products, please refer to http://www.sdn.sap.com/irj/sdn/interface-certifications, or contact the SAP Integration and Certification Center (ICC) directly at icc@sap.com.
Properties (Virtual Directory Server)
- Real-time access to data
- No need to consolidate data sources
- No extra data store
- Quick LDAP deployment
- Easier and cheaper maintenance
- Attribute manipulation
- Name space modifications
- Complex operations on-the-fly
(Diagram: SPML, LDAP and JDBC connections to directory servers, a database and an application)
SAP Identity Management is part of a comprehensive SAP security suite that includes
access control as well as secure programming and compliance aspects.
The solution covers the entire identity lifecycle and automation capabilities based on
business processes.
A strong integration with SAP Access Control creates a holistic identity and access
governance solution.
More information: http://scn.sap.com/community/idm
- Discussion forum, product information, documentation, training, and support information
- Articles, blogs, WIKI, FAQs, and newsletters
- Downloads
SAP Identity Management
Rapid deployment solution
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional
trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated
companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties
that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.