Identity Management with SAP NetWeaver IdM
Andreas Müller,
BT Global Services
24.04.2008
@ BT 2008
Agenda
Introduction SAP NetWeaver IdM
Project [email protected]
Project ISP
Background and Motivation
Functionality
Lessons Learned
Summary
SAP NetWeaver Identity Management
Business processes (e.g. Order2Cash, on-boarding) rely on appropriate user and role assignments in systems; IdM should be triggered by identity business processes and data.
Connected systems: SAP ERP (ABAP), SAP XI (ABAP/Java), SAP HR (ABAP), SAP FI (ABAP), SAP Portal (Java), other SAP Java systems; non-SAP web applications, legacy applications, MS Exchange, databases, operating systems.
Functions of SAP NetWeaver Identity Management:
Distribution of users and role assignments for SAP and non-SAP systems
Definition and rule-based assignment of meta roles
Central identity store
Approval workflows
Identity management monitoring and audit
HCM integration
Password management
Identity virtualization and identity as a service through standard interfaces
@ SAP 2008
System Components
Workflow Web Front-End for end users: approvals, self-service, delegated administration
Monitoring Web Front-End for operations: analyse system activity
Management Console for administrators and developers: system configuration
Database holds the identity store and the process configuration
Dispatchers execute processes: batch synchronization, user-initiated tasks, provisioning tasks
Event Agents detect changes in connected systems
Virtual Directory provides additional connectors
Architecture diagram: source systems -> Event Agents / Dispatchers -> Identity Center (Database, Workflow Front-End, Monitoring Front-End, Management Console) -> Dispatchers / Virtual Directory -> target systems. Users and managers work in the Workflow Front-End, administrators in the Monitoring Front-End, administrators and developers in the Management Console.
Management Console
Example: requesting an SAP role
Monitoring
Use of Identity Center at BT
Synchronization of 230,000 identities from the Corporate Directory into Active Directory
Provisioning of personal and functional email accounts
Additional attributes joined from import files
Built-in delta mechanism reduces updates to Active Directory to the absolute minimum
Performance
Delta import once a day, duration 1.5 h
Full import once a month, duration approx. 5 h
Benefits
Efficient delta mechanism
Highly customizable connectors
Data flow: source systems (Corporate Directory, database, files) -> Identity Center data synchronization engine -> target system (Active Directory)
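The delta mechanism described above is what keeps a daily run of 230,000 identities down to a handful of directory writes. The following is an added illustration of the idea, not the Identity Center's own implementation: the previous and current exports of the source directory are compared per identity and per attribute, and only the differences become LDIF change records for Active Directory. The snapshots, attribute names and base DN are constructed for the example; the value 514 is the real AD userAccountControl encoding of a disabled normal account (ACCOUNTDISABLE | NORMAL_ACCOUNT).

```python
"""Delta synchronization from a directory snapshot into Active Directory.

Added example (not the Identity Center's built-in delta mechanism): the
previous and current exports of the source directory are compared per
identity and per attribute, and only the differences are turned into LDIF
change records. Records, attribute names and the base DN are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Identity = Dict[str, str]        # attribute -> value
Snapshot = Dict[str, Identity]   # stable employee number -> identity

# ACCOUNTDISABLE (0x2) | NORMAL_ACCOUNT (0x200): a disabled, otherwise normal AD user.
AD_DISABLED_NORMAL_ACCOUNT = "514"


@dataclass
class Change:
    key: str
    op: str                                   # "add", "modify" or "delete"
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # None = attribute removed


def compute_delta(previous: Snapshot, current: Snapshot) -> List[Change]:
    """Return the minimal list of changes that takes `previous` to `current`.

    Identities are matched on the stable key, so a rename is a one-attribute
    modify and not a delete plus an add.
    """
    changes: List[Change] = []
    for key, rec in current.items():
        old = previous.get(key)
        if old is None:
            changes.append(Change(key, "add", dict(rec)))
            continue
        diff: Dict[str, Optional[str]] = {a: v for a, v in rec.items() if old.get(a) != v}
        diff.update({a: None for a in old if a not in rec})
        if diff:                                # unchanged identities produce no write at all
            changes.append(Change(key, "modify", diff))
    for key in previous:
        if key not in current:
            changes.append(Change(key, "delete"))
    return changes


def to_ldif(changes: List[Change], base_dn: str, disable_leavers: bool = True) -> str:
    """Render changes as LDIF change records for the AD connector.

    A source-side delete disables the AD account instead of deleting it, so
    that the SID, mailbox and audit history survive until a deliberate cleanup.
    """
    out: List[str] = []
    for c in changes:
        dn = f"CN={c.key},{base_dn}"
        if c.op == "add":
            out += [f"dn: {dn}", "changetype: add", "objectClass: user"]
            out += [f"{a}: {v}" for a, v in c.attrs.items()]
        elif c.op == "modify":
            out += [f"dn: {dn}", "changetype: modify"]
            for a, v in c.attrs.items():
                out += [f"delete: {a}", "-"] if v is None else [f"replace: {a}", f"{a}: {v}", "-"]
        elif disable_leavers:
            out += [f"dn: {dn}", "changetype: modify", "replace: userAccountControl",
                    f"userAccountControl: {AD_DISABLED_NORMAL_ACCOUNT}", "-"]
        else:
            out += [f"dn: {dn}", "changetype: delete"]
        out.append("")
    return "\n".join(out)


# Constructed snapshots: yesterday's and today's export of the corporate directory.
PREVIOUS: Snapshot = {
    "10001": {"givenName": "Hans", "sn": "Mustermann", "mail": "hans.mustermann@example.com", "l": "MUC"},
    "10002": {"givenName": "Erika", "sn": "Musterfrau", "mail": "erika.musterfrau@example.com", "l": "FRA"},
    "10003": {"givenName": "Max", "sn": "Muster", "mail": "max.muster@example.com", "l": "HAM"},
}
CURRENT: Snapshot = {
    # 10001 moved from MUC to FRA, 10002 is unchanged, 10004 joined, 10003 left.
    "10001": {"givenName": "Hans", "sn": "Mustermann", "mail": "hans.mustermann@example.com", "l": "FRA"},
    "10002": {"givenName": "Erika", "sn": "Musterfrau", "mail": "erika.musterfrau@example.com", "l": "FRA"},
    "10004": {"givenName": "Anna", "sn": "Neu", "mail": "anna.neu@example.com", "l": "MUC"},
}

if __name__ == "__main__":
    print(to_ldif(compute_delta(PREVIOUS, CURRENT), "OU=Users,DC=example,DC=com"))
```

Three of the four identities changed in some way, yet the unchanged one costs nothing and the moved one produces a single `replace: l`. The leaver is disabled rather than deleted by default: a deleted account loses its SID and group history, which is exactly what an auditor asks for after the fact, and a re-entry (the "(re-)enter company" use case later in the deck) can then simply re-enable it.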
Customer: Internet Service Provider
Project Scope
Consulting
IdM project setup and definition
Requirements analysis
Detailed vendor selection
Longlist, RFI, Shortlist, POC
Establish standards for the definition of roles and entitlements
Process optimization for IdM administration processes
Prepare data protection concepts and works council agreements
Quality assurance concept
Data cleansing support
Implementation
Design based on selected IdM-tool (MaXware IC / SAP NetWeaver IDM)
Implementation
Data model
IdM processes
Provisioning interfaces to target systems
IdM data synchronization
Project management
Test
Migration of existing accounts and entitlements
Operations
Change and incident management
Customer: Internet Service Provider
Motivation
Project goals
Creation of a central identity repository for all non-customer identities accessing computing center applications
Implementation of standardized administration processes for entitlements
Creation of a central repository for entitlements
Increasing data quality of identity and entitlement data
Effective demonstration of SOX compliance
Delegation of administrative tasks
Increase degree of automation
Tool selection
RFI with >10 major IdM vendors
Presentations and Proof of Concept
Criteria
Support for non-standard applications
Flexibility, high degree of customization possible
Expected implementation effort
Match with skills available internally
Support for roles and delegated administration
Traceability of system and user actions
Primary goals: increase usability, security and audit capabilities
Secondary goals: cost reduction and ROI considerations
Source and Target Systems
Source Systems
HR
Group directory
Asset database
Target System Types
SAP
ISP Test Accounts
Building Access
Secure VPN
LDAP
Active Directory
Samba
SSH Key Management / Key Distribution
ARS Remedy
Sun Access Manager
User groups
Employees
Group employees
Consultants
Partner
Project History and Milestones
Nov. 2004 Requirements analysis
May 2005 Tool selection
July 2005 Design and start of implementation
Feb. 2006 Go-Live Release 1.0 including
Source-system connectivity (HR/Org Master data)
Standard request and approval process
Internal administrative entitlement model, delegation of admin privileges
Target Systems SAP/LDAP
June 2007 Release 1.5
Sept. 2007 Release 1.6
Jan. 2008 Release 1.7
April 2008 Release 1.8
Agenda
Introduction SAP NetWeaver IdM
Project [email protected]
Project ISP
Background and Motivation
Functionality
Identity Management
Entitlement Management
Account Management
Self-Service
Lessons Learned
Summary
Use Cases (1)
Identity Management
(Re-)Enter company
OU change
Location change
Position change
Sabbaticals / maternity leave
Leave company
Entitlement Management
Account Management
Self-Service
Identity lifecycle state diagram: states active, suspended and inactive. (Re-)entering the company moves an identity to active; suspend (e.g. maternity leave) moves it to suspended and activate back to active; leaving the company moves it to inactive. Changes of location, company, organization, name or position are handled on the identity without changing its state.
Manage Master Data
Task Menu
Create Person
Create Location
Use Cases (2)
Identity Management
Entitlement Management
Assign (temporary) permissions
Revoke permissions
Automated role assignment
Documentation / audit
Account Management
Assign account
(De-)activate account
Delete account
Password management
Self-Service
Example entitlement model: the person Hans Mustermann (attributes: location, company, OU) holds the functional role "Employee"; the role grants the account "Active Directory" and the permissions "VPN-Access" and "AD-Group Employees-MUC".
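The lifecycle in Use Cases (1) and the entitlement model in Use Cases (2) fit together: attributes drive rule-based role assignment, roles grant accounts and permissions, and the lifecycle state decides whether those grants are active, deactivated or revoked. The code below is an added example and not the project's data model or rule engine. The names Hans Mustermann, "Employee", "Active Directory", "VPN-Access" and "Employees-MUC" come from the slide; the employer placeholder, the role rules, the "Consultant" role and the assumption that suspension deactivates accounts while keeping their assignments are constructed for the example.

```python
"""Rule-based entitlements and the identity lifecycle.

Added example (not the project's data model or rule engine): a person's
functional role is derived from attributes, the role grants accounts and
permissions, and the lifecycle state decides whether those entitlements
are active, deactivated or revoked.  Employer name, role rules and the
"Consultant" role are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set


class State(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    INACTIVE = "inactive"


# Lifecycle events and the state they lead to.
TRANSITIONS: Dict[tuple, State] = {
    (State.INACTIVE, "enter_company"): State.ACTIVE,   # also re-entry after leaving
    (State.ACTIVE, "suspend"): State.SUSPENDED,        # e.g. maternity leave, sabbatical
    (State.SUSPENDED, "activate"): State.ACTIVE,
    (State.ACTIVE, "leave_company"): State.INACTIVE,
    (State.SUSPENDED, "leave_company"): State.INACTIVE,
}
# Master-data events: they change an attribute, not the state.
ATTRIBUTE_EVENTS = {"change_location": "location", "change_company": "company",
                    "change_organization": "ou", "change_name": "name",
                    "change_position": "position"}

EMPLOYER = "ISP"   # placeholder for the customer's own company name


@dataclass
class Person:
    name: str
    company: str
    location: str
    ou: str
    position: str
    state: State = State.INACTIVE
    requested_permissions: Set[str] = field(default_factory=set)  # granted via request/approval


# Meta roles assigned by rule (constructed rules).
ROLE_RULES: Dict[str, Callable[[Person], bool]] = {
    "Employee": lambda p: p.company == EMPLOYER,
    "Consultant": lambda p: p.company != EMPLOYER,
}
# What a functional role grants; "Account:" entries are accounts, "Permission:" entries permissions.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "Employee": {"Account:Active Directory", "Permission:VPN-Access"},
    "Consultant": {"Account:Active Directory"},
}


def allowed_events(state: State) -> Set[str]:
    return {ev for (s, ev) in TRANSITIONS if s is state} | set(ATTRIBUTE_EVENTS)


def apply_event(p: Person, event: str, value: str = "") -> None:
    if event in ATTRIBUTE_EVENTS:
        setattr(p, ATTRIBUTE_EVENTS[event], value)
        return
    nxt = TRANSITIONS.get((p.state, event))
    if nxt is None:
        raise ValueError(f"event {event!r} not allowed in state {p.state.value}")
    p.state = nxt


def desired_state(p: Person) -> Dict[str, str]:
    """Entitlement -> 'active' | 'deactivated' as the target systems should show it."""
    if p.state is State.INACTIVE:
        return {}                       # leaver: every account and permission is revoked
    roles = {r for r, rule in ROLE_RULES.items() if rule(p)}
    ents: Set[str] = set(p.requested_permissions)
    for r in roles:
        ents |= ROLE_ENTITLEMENTS[r]
    if "Employee" in roles:             # the site group follows the location attribute
        ents.add(f"Permission:AD-Group Employees-{p.location}")
    # Assumption: suspension deactivates accounts but keeps the assignments,
    # so reactivation needs no new approvals.
    acct_status = "deactivated" if p.state is State.SUSPENDED else "active"
    return {e: (acct_status if e.startswith("Account:") else "active") for e in ents}


def reconcile(current: Dict[str, str], desired: Dict[str, str]) -> List[str]:
    """Provisioning operations that take the target systems from `current` to `desired`."""
    ops: List[str] = []
    for e in sorted(desired.keys() - current.keys()):
        ops.append(f"assign {e}")
        if desired[e] == "deactivated":
            ops.append(f"deactivate {e}")
    for e in sorted(current.keys() & desired.keys()):
        if current[e] != desired[e]:
            ops.append(f"{'deactivate' if desired[e] == 'deactivated' else 'activate'} {e}")
    for e in sorted(current.keys() - desired.keys()):
        ops.append(f"revoke {e}")      # no longer justified by role, location or state
    return ops


if __name__ == "__main__":
    hans = Person("Hans Mustermann", EMPLOYER, "MUC", "IT", "Engineer")
    target: Dict[str, str] = {}
    for ev, val in [("enter_company", ""), ("change_location", "FRA"),
                    ("suspend", ""), ("leave_company", "")]:
        apply_event(hans, ev, val)
        wanted = desired_state(hans)
        print(f"{ev:16} -> {reconcile(target, wanted)}")
        target = wanted
```

The point of computing a desired state and reconciling against it, rather than scripting each event, is that a location change automatically revokes the old site group as it assigns the new one, and a leaver ends up with nothing regardless of how the entitlements were acquired. Anything a person holds that the rules and state no longer justify shows up as a `revoke`, which is the least-privilege property an entitlement audit looks for.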
Create Permissions
Creates a permission within the IdM system as well as in the target system.
Assign/Revoke Permissions
Delegated administration for permission owners.
Use Cases (3)
Identity Management
Entitlement Management
Account Management
Self-Service
Password reset
Data protection requirements
Self-service for certain person attributes
Request permissions
Request workflow: Request -> 1. Approval -> (optional) 2. Approval -> Provision -> Notify. A denial at either approval stage ends the request without provisioning.
Request Permissions
Users may request permissions for themselves or others.
The approval process is configurable for each permission.
Approver roles: Line Manager, Permission Owner, Target System Owner, HR
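The request workflow sketched above (request, one or two approvals, provision, notify, with a denial ending the request at any stage) and the per-permission approver configuration can be made concrete in a few dozen lines. This is an added example and not the project's workflow engine or the SAP NetWeaver IdM task model. The four approver roles are the ones on the slide; the permissions, people, the HR team, the resolution of each role to a person, and the rule that nobody may approve a request they raised or benefit from are constructed for the example.

```python
"""Permission request with a configurable approval chain.

Added example (not the project's workflow engine): each permission carries
its own ordered list of approver roles, a denial at any stage ends the
request, and provisioning plus notification happen only after the last
approval.  People, permissions and the HR team are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

APPROVER_ROLES = ("Line Manager", "Permission Owner", "Target System Owner", "HR")


@dataclass
class Permission:
    name: str
    owner: str                          # delegated administrator owning the permission
    target_system_owner: str
    approval_chain: Tuple[str, ...]     # approver roles in order (one or two stages on the slide)


@dataclass
class Request:
    requester: str
    beneficiary: str
    permission: str
    status: str = "pending"             # pending | denied | provisioned
    decisions: List[Tuple[str, str, bool]] = field(default_factory=list)  # (role, approver, approved)
    audit: List[str] = field(default_factory=list)


class ApprovalWorkflow:
    def __init__(self, permissions: Dict[str, Permission],
                 line_manager: Dict[str, str], hr_team: Set[str]) -> None:
        self.permissions = permissions
        self.line_manager = line_manager
        self.hr_team = hr_team
        self.provisioned: Set[Tuple[str, str]] = set()   # (user, permission) written to the target
        self.notifications: List[str] = []

    def eligible_approvers(self, req: Request) -> Set[str]:
        """Who may decide the current stage of `req`."""
        perm = self.permissions[req.permission]
        role = perm.approval_chain[len(req.decisions)]
        if role == "Line Manager":
            who = {self.line_manager[req.beneficiary]}
        elif role == "Permission Owner":
            who = {perm.owner}
        elif role == "Target System Owner":
            who = {perm.target_system_owner}
        else:                                             # "HR": any member of the team
            who = set(self.hr_team)
        # Added safeguard (assumption): nobody approves what they requested or receive.
        return who - {req.requester, req.beneficiary}

    def submit(self, requester: str, beneficiary: str, permission: str) -> Request:
        if permission not in self.permissions:
            raise KeyError(f"unknown permission {permission!r}")
        req = Request(requester, beneficiary, permission)
        req.audit.append(f"{requester} requested {permission} for {beneficiary}")
        return req

    def can_decide(self, req: Request, approver: str) -> bool:
        return req.status == "pending" and approver in self.eligible_approvers(req)

    def decide(self, req: Request, approver: str, approve: bool) -> str:
        if not self.can_decide(req, approver):
            raise PermissionError(f"{approver} may not decide this request at this stage")
        perm = self.permissions[req.permission]
        role = perm.approval_chain[len(req.decisions)]
        req.decisions.append((role, approver, approve))
        req.audit.append(f"stage {len(req.decisions)} ({role}): {approver} "
                         f"{'approved' if approve else 'denied'}")
        if not approve:                                   # denial at any stage ends the request
            req.status = "denied"
            self._notify(req)
        elif len(req.decisions) == len(perm.approval_chain):
            self.provisioned.add((req.beneficiary, req.permission))
            req.status = "provisioned"
            req.audit.append(f"provisioned {req.permission} to {req.beneficiary}")
            self._notify(req)
        return req.status

    def _notify(self, req: Request) -> None:
        self.notifications.append(f"{req.requester}: {req.permission} for {req.beneficiary} {req.status}")


def demo_workflow() -> ApprovalWorkflow:
    """Constructed configuration: a one-stage and a two-stage permission."""
    permissions = {
        "VPN-Access": Permission("VPN-Access", owner="max.muster", target_system_owner="vpn.admin",
                                 approval_chain=("Line Manager",)),
        "SAP-FI-Display": Permission("SAP-FI-Display", owner="max.muster", target_system_owner="sap.basis",
                                     approval_chain=("Line Manager", "Permission Owner")),
    }
    return ApprovalWorkflow(permissions, line_manager={"hans.mustermann": "erika.musterfrau"},
                            hr_team={"hr.one", "hr.two"})
```

Because the chain is looked up per permission, a low-risk permission can go live after the line manager alone while a sensitive one also requires the permission owner, which is what "approval process configurable for each permission" amounts to in practice. The self-approval rule has a consequence worth deciding consciously: a line manager who requests a permission for a direct report is excluded at the Line Manager stage, so such requests need a deputy or a different chain.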
Approval
Lessons Learned
Implementation
Expectations concerning adaptability were fulfilled
Tool supports change and redesign very well in the course of extensions and additions
Short implementation cycles achieved
System behavior i