
SAP NetWeaver Identity Management 7.2

Identity Management for SAP System Landscapes: Technical Overview

Document Version 7.2 Rev 4

February 2013

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.


Documentation on SAP Service Marketplace: you can find this documentation at service.sap.com/security

Typographic Conventions

Type Style | Represents
Example Text | Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Also used for cross-references to other documentation.
Example text | Emphasized words or phrases in body text, titles of graphics and tables.
EXAMPLE TEXT | Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text | Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
(in pointed brackets) | Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT | Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Icons used in this document: Caution, Example, Note, Recommendation, Syntax.


History of Changes

Version | Change
7.2 Rev 4 | Added the Active Directory connector function for activating users for Exchange and the Business Suite AS ABAP connector to the standard connector table.
7.2 Rev 3 | Added connector table.


Contents

1 Introduction
2 SAP Provisioning Framework Overview
2.1 Task Structure
2.2 Standard Connectors of the Provisioning Framework
3 Attribute Overview
3.1 Attributes for MX_PERSON
3.1.1 SAP_CHANGENUMBER
3.1.2 ACCOUNT
3.1.3 MX_DISABLED
3.1.4 MX_ENCRYPTED_PASSWORD
3.2 Attributes for MX_PRIVILEGE
3.2.1 MX_IS_ACCOUNT
4 Privilege Overview
4.1 Account Privilege
4.2 Authorization Privilege
4.3 System Privilege
5 Task Overview
5.1 1. Create User
5.2 2. Modify User
5.3 3. Delete User
5.4 4. Assign User Membership
5.5 5. Revoke User Membership
5.6 6. Enable User
5.7 7. Disable User
5.8 8. Set User Password
5.9 10. Create Group
5.10 11. Delete Group
6 Repository Configuration Overview
6.1 Connection Information
6.2 System Privilege
6.3 Hook Tasks
6.4 Event Tasks
6.5 Privilege Grouping


1 Introduction

You can use SAP NetWeaver Identity Management for processing identity information in a variety of ways, depending on your system landscape. You can use it in homogeneous or heterogeneous landscapes, either with or without SAP systems.

    In Identity Management for SAP System Landscapes: Architectural Overview, we described a number of use cases where you can use SAP NetWeaver Identity Management for identity provisioning with SAP systems.

    The document Identity Management for SAP System Landscapes: Configuration Guide describes how you install and configure the framework and implement the specified use cases.

    This document gives a technical overview of the framework, the task structure, the process flow and other important technical details to understand how the framework works.

    This document is based on the SAP provisioning framework delivered with SAP NetWeaver Identity Management 7.2.


2 SAP Provisioning Framework Overview

2.1 Task Structure

After importing the SAP provisioning framework as described in the document Identity Management for SAP System Landscapes: Configuration Guide, a task structure is displayed.

There are two main parts of the framework. The Core part contains the central logic and should never be modified. The Connector part contains a task structure for some of the most used systems that the SAP provisioning framework connects to. The connectors have plug-in tasks that are referenced from the repository constants.

The framework has a version number that is visible on the General tab of the Provisioning Framework node. This version number shows the date, time and version number of the installed version of the framework.

For an overview of the connectors that are available for the SAP provisioning framework, see the table below.


2.2 Standard Connectors of the Provisioning Framework

Repository Type | Supported Object Types | Supported Provisioning Operations | Availability
AS ABAP (specific application server, load balanced connection) | User, role, profile | Managing user profile including password, company addresses, role and profile assignments | 7.1, 7.2
Business Suite AS ABAP (load-balanced) | User, role, profile, certain business partner types | Managing user profile including password, company addresses, role and profile assignments, business partners (of certain types), assignments between users and business partners (of certain types) | 7.1, 7.2
AS Java (UME DB only) | User, UME role, J2EE role, PCD role, UME group | Managing user profile including password, role and profile assignments | 7.1, 7.2
AS Java (UME DB and LDAP) | User, UME role, J2EE role, PCD role, LDAP group, UME group | Managing user profile including password, role and profile assignments | 7.1, 7.2
SAP HANA | User, role | Managing user profile including password, role assignments | 7.2 SP3
SUN for SAP PF | User, group | Managing user profiles, group assignments, including password | 7.1; groups as of 7.2 SP3
ADS for SAP PF | User, group | Managing user profiles, group assignments, including password; activating Microsoft Exchange Server user mailboxes during user creation | 7.1; groups as of 7.2 SP3; Microsoft Exchange Server user mailboxes as of 7.2 SP6


3 Attribute Overview

This section describes some of the attributes that the SAP provisioning framework uses for various purposes. These are only a few attributes with a specific meaning within the SAP provisioning framework. For more information on attributes in general, see SAP NetWeaver Identity Management Identity Store Schema - Technical Reference.

3.1 Attributes for MX_PERSON

This section describes attributes that relate to the MX_PERSON entry type.

3.1.1 SAP_CHANGENUMBER

This attribute is added to the entry type MX_PERSON (and likewise to MX_COMPANY_ADDRESS, MX_ROLE and MX_GROUP) and is used to track changes on the entries of these entry types.

All changes done in the same operation are identified with the same number, so that each operation results in at most one provisioning or deprovisioning run.

3.1.2 ACCOUNT

This attribute is added to the entry type MX_PERSON and contains the unique user ID for the user in the target repository. The user has one such attribute for each repository the user is added to.

3.1.3 MX_DISABLED

This attribute is a default attribute of the MX_PERSON entry type. This Boolean attribute is used to disable and enable an account in all target systems. How this is implemented depends on the functionality of the target system (repository).

3.1.4 MX_ENCRYPTED_PASSWORD

This is a default attribute of the MX_PERSON entry type and contains the user's encrypted password. The same password is used in all connected systems, so the password policy defined in Identity Management must satisfy the password policies of all connected systems.

3.2 Attributes for MX_PRIVILEGE

The following attribute is added to the MX_PRIVILEGE entry type.

3.2.1 MX_IS_ACCOUNT

This attribute is added to the entry type MX_PRIVILEGE to identify account privileges. An account privilege is used to specify that a user has an account in a specific system. No other privileges for that system can be assigned until the account privilege is present.


4 Privilege Overview

This section gives an overview of some of the privileges that are used in the SAP provisioning framework.

4.1 Account Privilege

The privilege PRIV::ONLY is created by the initial load job. The privilege has the attribute MX_IS_ACCOUNT, which indicates that this is an account privilege: any operations on the repository depend on the presence of this privilege on the user. During the initial load, this privilege is assigned to the users read from the repository.

4.2 Authorization Privilege

During an initial load from a repository, a number of privileges of the form PRIV::: are created, one for each authorization in the repository. For instance:

PRIV:GROUP:AD:CN\=TelnetClients\,CN\=Users\,DC\=testtrdl\,DC\=local

PRIV:PROFILE:ABAP:AUTHNAME

During the initial load these privileges are assigned to the users read from the repository, depending on their authorizations.

Assignment of these privileges depends on the presence of the account privilege.

4.3 System Privilege

The system privilege PRIV:SYSTEM: is created as part of the repository definition. It must be unique for each repository and should never be changed. It is automatically assigned to each user or group when the account privilege is assigned. It is handled internally and should never be assigned directly to any user.

5 Task Overview

The core part contains the logic that decides which plug-in tasks are called, while the connectors contain the plug-in tasks that are referenced from the repositories. Each connector has its own set of plug-in tasks, but the number in the task name identifies the core function of the task, so that tasks with the same number perform the same action in their respective repositories. For instance, a task name starting with 1 means that this task is responsible for creating the user in the repository.

The following sections describe the plug-in tasks used by the connectors.

5.1 1. Create User

This task is triggered when a user is assigned an account privilege (a privilege with the attribute MX_IS_ACCOUNT). The task creates the user account with the mandatory attributes in the repository.

5.2 2. Modify User

This task is triggered when an attribute is modified on a user that holds the system privilege for the repository. The task updates the repository with all changed attributes.


5.3 3. Delete User

This task is triggered when the last account privilege is removed from a user. The user may hold the account privilege in multiple ways, either via roles or directly assigned. Deprovisioning only starts when the last one is removed.

The account privilege can be removed in two ways: directly, by removing the privilege from the user, or indirectly, by setting the MX_INACTIVE attribute on the user, which removes all assignments, including the account privilege. The task inactivates the account in the repository. How this is done is system dependent.

5.4 4. Assign User Membership

This task is executed when an authorization privilege (one without MX_IS_ACCOUNT) is assigned to a user. The user is assigned the corresponding authorization in the repository.

5.5 5. Revoke User Membership

This task is triggered when an authorization privilege is deassigned from a user. The corresponding authorization in the repository is removed from the user.

5.6 6. Enable User

This task is called when the attribute MX_DISABLED is removed from the user. This enables the user's account in the repository. The MX_DISABLED attribute is a global setting, affecting all systems.

5.7 7. Disable User

This task is triggered when the attribute MX_DISABLED is set on the user. This disables the user's account in the repository. The MX_DISABLED attribute is a global setting, affecting all systems.

How a user is actually disabled is system-specific. Some systems have a disable flag, while others may, for example, change the password to prevent the user from logging in.

5.8 8. Set User Password

This task is triggered when the attribute MX_ENCRYPTED_PASSWORD is modified, and updates the password in the repository. The MX_ENCRYPTED_PASSWORD attribute is a global setting, involving all systems.

5.9 10. Create Group

This task is triggered when a group is assigned an account privilege, and creates the group in the repository.

5.10 11. Delete Group

This task is triggered when the account privilege is removed from a group. The group is removed from the repository.
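The trigger rules of sections 3.2.1 and 5, as a small runnable model: the account privilege gates every other assignment for a repository, deprovisioning fires only when the last path to the account privilege (direct or via a role) disappears, and MX_DISABLED, MX_ENCRYPTED_PASSWORD and MX_INACTIVE fan out to every repository the user has an account in. This is an added example, not SAP code; the Privilege and User classes, the constructed ACCOUNT:* privilege names and the "<task>@<repository>" return format are assumptions made for the illustration.

```python
"""Toy model of the section 5 plug-in task dispatch rules (constructed example, not SAP code).
Each event returns the task(s) the framework would call as "<task>@<repository>" strings."""
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Privilege:
    name: str
    repository: str           # repository the privilege belongs to
    is_account: bool = False  # MX_IS_ACCOUNT: this is the repository's account privilege

@dataclass
class User:
    roles: dict = field(default_factory=dict)  # role name -> privilege names; "" = direct assignments

    def paths(self):  # how many ways (directly + per role) every privilege is currently held
        held = Counter()
        for names in self.roles.values():
            held.update(names)
        return held

    def account_repos(self, catalog):
        held = self.paths()
        return {p.repository for p in catalog.values() if p.is_account and held[p.name]}

def _diff(catalog, before, after):
    """Map privilege-count transitions to tasks 1/3 (account) or 4/5 (authorization)."""
    tasks = []
    for name in sorted(set(before) | set(after)):
        p, repo = catalog[name], "@" + catalog[name].repository
        if before[name] == 0 < after[name]:
            tasks.append(("1. Create User" if p.is_account else "4. Assign User Membership") + repo)
        elif after[name] == 0 < before[name]:  # 5.3: only removing the LAST path deprovisions
            tasks.append(("3. Delete User" if p.is_account else "5. Revoke User Membership") + repo)
    return tasks

def assign(user, catalog, names, role=""):
    """Assign privileges directly or via a role; 3.2.1: the account privilege must be present."""
    before = user.paths()
    repos = {catalog[n].repository for n in before + Counter(names) if catalog[n].is_account}
    blocked = [n for n in names if not catalog[n].is_account and catalog[n].repository not in repos]
    if blocked:
        raise ValueError(f"account privilege required before: {blocked}")
    user.roles.setdefault(role, set()).update(names)
    return _diff(catalog, before, user.paths())

def revoke(user, catalog, names=(), role=None):
    before = user.paths()
    user.roles.pop(role, None)                            # drop a whole role ...
    user.roles.get("", set()).difference_update(names)    # ... and/or direct assignments
    return _diff(catalog, before, user.paths())

def set_attribute(user, catalog, attr, value):
    repos = sorted(user.account_repos(catalog))  # global attributes fan out to every repository
    if attr == "MX_INACTIVE" and value:  # 5.3: removes every assignment, account privilege included
        before = user.paths()
        user.roles.clear()
        return _diff(catalog, before, user.paths())
    task = {"MX_DISABLED": "7. Disable User" if value else "6. Enable User",  # None = removed
            "MX_ENCRYPTED_PASSWORD": "8. Set User Password"}.get(attr, "2. Modify User")
    return [f"{task}@{r}" for r in repos]

def demo():
    catalog = {p.name: p for p in [Privilege("ACCOUNT:ABAP", "ABAP", True), Privilege("ACCOUNT:AD", "AD", True),
               Privilege("PRIV:PROFILE:ABAP:AUTHNAME", "ABAP"), Privilege("PRIV:GROUP:AD:TelnetClients", "AD")]}
    u = User()  # constructed catalog above: ACCOUNT:* stands in for each repository's account privilege
    return [assign(u, catalog, ["ACCOUNT:ABAP"]),  # 1. Create User@ABAP
            assign(u, catalog, ["ACCOUNT:ABAP", "PRIV:PROFILE:ABAP:AUTHNAME"], role="BASIS"),
            set_attribute(u, catalog, "MX_DISABLED", True),
            revoke(u, catalog, names=["ACCOUNT:ABAP"]),  # still held via the role: nothing fires
            revoke(u, catalog, role="BASIS")]  # last path gone: 3. Delete User + 5. Revoke Membership
```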


6 Repository Configuration Overview

There are repository templates for a number of repository types corresponding to the connectors in the framework. When adding a repository, the wizard asks for the necessary connection information and creates a number of constants. The constants can be grouped in the following way:

- Connection information
- System privilege
- Hook tasks
- Event tasks

6.1 Connection Information

When adding a repository, the wizard asks for the connection information to your system. Supply the necessary information. The constants and values vary depending on the repository type.

6.2 System Privilege

This constant contains the repository's system privilege. See section 4.3 for details.

6.3 Hook Tasks

These constants reference the repository's plug-in tasks. See section 5 for details.

You should never change these task numbers.

6.4 Event Tasks

The constants MX_ADD_MEMBER_TASK, MX_DEL_MEMBER_TASK and MX_MODIFYTASK reference the event tasks in the core part of the framework. The privileges that belong to this repository inherit these event tasks, which detect the changes and trigger the corresponding plug-in task. The event tasks are also available on the "Event tasks" tab of the repository properties.

You should never change these task numbers.

6.5 Privilege Grouping

This constant contains the value for the privilege grouping. You find the configuration of privilege grouping on the Privilege tab of the repository properties. The grouping configuration is system specific and depends on the repository type. For more information on privilege grouping, see the online help system of the Identity Center.

Normally, you should not change this.
