You are on page 1of 42

Does you company have virus protection?

You should be more concerned about THEFT:

Technology Presentation
North America

The first SAP®-certified fingerprint authentication,
identity and risk management for SAP® systems

2.5 X the damage!

Article InformationWeek June 23, 2003

© realtime North America Inc., Tampa/Florida. All Rights Reserved.

realtime’s solution - bioLock

How does bioLock for SAP work:

Your biometric + Smart SAP

Finger Hardware … Card Software

- realtime makes the interface and protects logon to SAP

- bioLock can protect any transactions and fields in SAP
- protection with biometrics AND / OR Smart Card possible!
bioLock for ‘Multi Level Protection’

Compare the SAP Logon to the ‘front door’ of your company’s

corporate headquarters (Security Level I).

Once you have made it through the ‘front door’ (SAP Logon / Security
Level I), you have access to any room (Security Level II) and every
drawer (Security Level III) in the building.

bioLock will protect the logon, any transaction, fields and field values
such as Infotypes, execution of a program or function, a wire transfer
and more – completely independent from the SAP authorization –
securing every part of your SAP system!

bioLock will also uniquely identify the user based on biometrics and
log his or her activities in a log file – people can now be tracked and
made responsible for their actions.
Security Level Overview…

Level I
Level II
Level III

Access Authorization
and Identity Management
through Fingerprint
bioLock is hardware independent…

Put your
on the

Cherry Keyboard
Siemens ID Mouse
( Smart Card optional )

These are our recommended devices. Other

fingerprint devices or different biometric
devices such as iris, retina, voice or face-
recognition could be implemented on request.
SAP logon with bioLock


Logon bioLock checks bioLock

authentication rules user/

bioLock prompts you for fingerprint


Fingerprint comparison with table

Logon blocked Logon authorized

 
Please Our technology identifies unique points on your finger and creates an
Note: encrypted, digital template – we never take an actual image of the finger!!!
Let’s get started
with the bioLock Select your SAP
demo: system in the
SAP Logon.

Let’s start the old fashioned way and

use the SAP GUI to log on with User
Name and Password…
Type in your User
Name and Password.

Please NOTE:
We log on as SAP User ‘Neudenberger’!
In addition to the password the logon
is protected with the finger (Security
Level I) of Mr. Neudenberger.

The default password could always be ‘1234’ since you need

the right finger to log on …
User ‘Neudenberger’ selects the transaction
bioLock Administration…

…and successfully confirms

his identification with his
finger (biometric template).

Please NOTE:
This could be virtually any R/3
transaction (Security Level II)
User‘Neudenberger’ successfully
opens the transaction after fingerprint

For demo purposes User ‘Neudenberger’ will

now exit out of the transaction and another
user,‘April’, tries to open the transaction
again while logged in as ‘Neudenberger’.
April does not have permission and gets
rejected based on her biometric information!

Please NOTE:
Even though the identity of the User
‘April’ is known by the bioLock system,
this information is not displayed for
security purposes, but will be clearly
shown for the controller in the log file!

In fact the system could launch a ‘fake

transaction’ and automatically alert the security
team about April’s unauthorized attempt.
SAP User ‘Neudenberger’ is successfully
identified as ‘Neudenberger’ based on his
fingerprint and logs onto the SAP system.

SAP User ‘Neudenberger’ is opening

the bioLock transaction – uniquely
identified is Mr. Neudenberger.

April tries to open the bioLock transaction – still

being logged on as SAP User ‘Neudenberger’ - and
gets rejected due to bioLock (fingerprint) protection.
Mr. Neudenberger logs out of the SAP system…

Another User, Thomas, takes over the computer and

uses realtime’s SINGLE SIGN ON to log on to SAP.
No Logon and Password information is requested!

Thomas opens the Single Sign On menu

(above) and selects the desired SAP
system. He could select a different SAP-
system, Legacy System or even
Windows Applications.
Thomas selects the SAP Demo System…

Please NOTE:
The normal SAP log on is
skipped. You don’t need to enter
an SAP User or Password!

Thomas’s identity is verified via

fingerprint (biometrics).
The pre-defined SAP User for the demo system is
SAPALL. Normally the profile SAP_All would be
assigned to this role / person for demo purposes
we treat this like the Windows Administrator.

We could uniquely identify the person putting the finger on the sensor
based on the fingerprint – such as Thomas – and automatically use the
SAP User Thomas for the selected system!
Or automatically identify the SAP User / System based on the finger…
In this first example we protect the SAP System
down to the field level (Security Level III) by locking
the Infotype 167 to protect Health Plan Information.

If the field input

requires biometric
verification the
system will ask
for a fingerprint…

The Infotype 167 is protected with biometrics based on the value

(input) – all other Infotypes can be accessed as usual. Other
examples could be money transfers, that would be executed as
usual, until the entered amount is larger than a predefined value.
Brevard County Government won the prestigious ‘InfoWorld 100 Award’
protecting their Health Plans with bioLock to comply with HIPAA!

After a successful
biometric verification
the health plans will
be visible.
Any functions (Level I, II and III) can
be protected via biometrics AND/OR
Smart Card using bioLock

As long as the Smart Card is inserted in the reader,

protected functions can be accessed or executed
like any SAP system – but once the Smart Card is
removed the functions are locked down…

The access will be denied and the system will

request to insert a ‘valid card’.
In this example we hide ‘critical fields’ in a screen
that can be accessed by many different users (any
security clearance) based on their SAP permissions.

The red boxes point out the hidden

locations. An authorized user (with
top level security clearance) would
be able to view the content based
on a successful verification of the
biometric fingerprint template.

User Jeanette, not even enrolled with her

finger in the system, can access the general
screen, but she can not see the hidden fields..
Tampa, Florida
Nuclear Warhead

While any user can view this screen

(based on SAP permission) only
authorized users, like Thomas, can
view the hidden information in the
red boxes after the verification of
the correct biometric information.

User Thomas was assigned the permission in

the bioLock system to view the information
based on his high-level security clearance.
Independently from the SAP User who signed on to the SAP system –
in this demo ‘SAPALL’ - bioLock uniquely identifies the actual user…

Thomas executed ME21N.

April was rejected trying to

execute ME21N.

911 Emergency !!!

a different finger assigned as a 911
Emergency Finger.
executing If forced by a 3rd party Thomas
could use this finger to alert security – just like
pressing the red button (but invisible).
The presented functionality will help you in any situation, where
multiple people might have to share one workstation and is it not
possible to always switch the actual SAP USER or where you NEED to
uniquely identify the actual user for auditing and controlling purposes:

HR Department
Production Floor
Customer Service
Management (Assistant)
Administration (SAP All/SAP*)

Our bioLock will always identify and log the uniquely identified,
actual user – completely independent from the SAP User.
The execution of the balance sheet is protected with our
‘Dual Confirmation Group’
Now two different people have to authorize any activity.
Just like two signatures on a check!

The first person will be asked to

put the finger on the sensor…
The message below will ask the 1st user
to get a 2nd user for authorization. There is
‘no time out’ so the 1st user could get the
2nd person from a different location.

Instead of one biometric user being able to confirm

this task we define a ‘dual confirmation group’. This
‘group’ could include 2 or more people and two people
of the group will be required to confirm the task.
After two authorized users have put their fingers
on the sensor the balance sheet will be displayed:

The idea of the dual confirmation group could be compared to

two signatures on a check…
… and is nearly a ‘must’ for any financial and HR activity!
The log file shows, that Thomas requested
to display the balance sheet - which could
have been a One Million Dollar wire transfer
to the ‘Grand Cayman Islands’.

April confirms Thomas request.

Both are uniquely identified and will be held responsible!

Now we would like to
give you a quick
overview of the bioLock

The enrollment of any Biometric Info System (BIS

User) takes seconds and up to 10 fingers can be Add a Smart Card for
enrolled - so if one finger or a hand gets injured the ultimate ‘Two-
the user can easily choose another finger! Factor Authentication’!
For Auditing purposes realtime has created their own bioLock
log file. This log file clearly shows all biometric activities
including all relevant information. Of course the file can be
exported to different formats or emailed to the supervisor…
… or sorted by recognized status.

You can sort by any columns or

filter by any keyword like ‘THOMAS’
or display anybody that was
rejected. You can also export and
email different formats to the

Your auditors will love it!!!

This menu controls the definition of
protection system functions.
Define a new number for
your protected function.

Define the text that will be displayed.

Select, if you want the function to

Other exceptions, terminations,
be protected with biometrics,
log file entries and general
Smart Card or BOTH!
protections can be defined in
these columns…
It is recommended to enroll the biometric template for the BIS
User under the same name as the SAP User - for example
‘Neudenberger’. In this case the biometric template is
automatically assigned to the corresponding SAP template.

This table is to set exceptions. For example

the biometric template from ‘Assistant
INGA’ could be manually assigned to her
‘Superiors’ SAP User (NEUDENBERGER)
so she could still work with his profile.

Only 3 Users (Thomas, Amanda and

Watzinger) have permission to work
with the generic SAP Administrator
Profile ‘SAP All’ (SAP*).

Nobody else can sign on as ‘SAP All’ (SAP*)!!!

Most functions should be protected globally and
for all users by activating the ‘global check’. In
the protected system functions (2 slides back).

In this table we can define exceptions and

manual assign certain functions to certain
users, that are automatically protected with the
corresponding biometric users.

Here we can also define if the function for

a certain SAP User should be protected
with the ‘Dual Confirmation Group’ for an
extra measure of Security.
To create the dual
confirmation group we
define a number and give
the group a name…
… now we assign two or more
biometric users to the group.

0008 JOHN
Any number of users can be
0008 MIKE defined in the group, so there is
0008 APRIL
0008 LYNN
always a backup person, in
case somebody is not available.

Please note:
The system can be defined that any
member of the group can ‘request’ and any
other member can ‘confirm’ the function –
or there could be a MASTER to ‘request’
and the others can only ‘confirm’.
Assigning an Infotype is as
easy as entering the
transaction number, info type
and the user into the table…
This security menu can protect one or more transactions automatically:

Define or
upload a file
with all the
that you want to
protect and
bioLock will
remove the
from the SAP

A great time saver to protect dozen's of transactions!!!

Now the SAP User does not have
permission to access the original
transaction and they have to go to
our realtime Security Menu to
select the desired transaction…

bioLock is a very advanced

protection system that has been
installed in commercial as well as
government organizations.

SAP Public Sector is promoting

bioLock world wide through their
team and has presented bioLock …which of course is
on their Homeland Security protected with bioLock
Pavilion at the Sapphire Shows
the last two years…
Some last technical comments…

The bioLock software is installed and configured in hours.

Protection of transactions and the fingerprint registration

of bioLock users takes minutes.

Actual use is intuitive and requires no training.

bioLock is installed in it’s reserved ‘/realtime’ name space.

The software does not change your SAP configuration.

bioLock runs on SAP 4.0x and higher.

Inexpensive leasing programs are available.

bioLock is SAP- Certified

and runs on SAP 4.0

and higher.
bioLock is SAP

Complete packages start as

low as 30 licenses, to protect
key personal in the most
critical departments such as
finance, HR, management,
administration and more…
Contact us for a
personal demonstration
or a pilot installation:


realtime North America Inc.

WORLD TRADE CENTER 1101 Channelside Drive Tampa Florida 33602
Phone: 813-283-0070 Fax: 813-283-0071 Email: Web: