Identity Management With SAP NetWeaver IdM

  • View
    41

  • Download
    3

Embed Size (px)

DESCRIPTION

SAP

Text of Identity Management With SAP NetWeaver IdM

  • Identity Managementwith SAP NetWeaver IdM

    Andreas Mller,

    BT Global Services

    24.04.2008

  • @ BT 2008

    Agenda

    Introduction SAP NetWeaver IdM

    Project [email protected]

    Project ISP

    Background and Motivation

    Functionality

    Lessons Learned

    Summary

  • @ BT 2008

    SAP NetWeaver Identity Management

    WebApp. WebApp.

    Legacy App.

    Legacy App.

    MS Exchange

    MS Exchange

    DatabasesDatabasesOperating Systems

    Operating Systems

    Business process relies on appropriate userand role assignments in systems

    Data

    IDM should be triggered by identity business processes and data

    SAP NetWeaverIdentity

    ManagementDistribution of users and role assignments for SAP and non-SAP systems

    Definition and rule-based assignment of meta roles

    Central Identity store

    Approval Workflows

    Identity Mgmt.monitoring & Audit

    HCM Integration

    e.g. Order2Cash

    e.g. on-boarding

    HCM

    Identity virtualization and identity as service throughstandard interfaces

    SAP ERPABAP

    SAP XIABAP Java

    SAPJava

    SAP HRABAP

    SAP FIABAP

    SAPPortalJava

    Password Management

    @ SAP 2008

  • @ BT 2008

    System Components

    Workflow Web Front-End for end users

    Approvals

    Self-Service

    Delegated Administration

    Monitoring Web Front-End for operations

    Analyse system activity

    Management Console for administrators and developers

    System configuration

    Database holds

    Identity store

    Process configuration

    Dispatchers execute processes

    Batch synchronization

    User initiated tasks

    Provisioning tasks

    Event Agents

    Detect changes in connected systems

    Virtual Directory

    Provides additional connectors

    !

    Adminstrator User/Manager

    AdministratorDeveloper

    """"

  • @ BT 2008

    Management Console

    Example: Request a SAP-Role

  • @ BT 2008

    Monitoring

  • @ BT 2008

    Agenda

    Introduction SAP NetWeaver IdM

    Project [email protected]

    Project ISP

    Background and Motivation

    Functionality

    Lessons Learned

    Summary

  • @ BT 2008

    """"

    Use of Identity Center at BT

    Synchronization of 230.000 Identities from Corporate Directory into Active Directory

    Provisioning of personal and functional email accounts

    Additional attributes joined from import files

    Built-in delta mechanism reduces updates to Active Directory to the absolute minimum.

    Performance

    Delta import once a dayDuration 1.5h

    Full import once a monthDuration ca. 5h

    Benefits

    Efficient Delta Mechanism

    Highly customizable connectors

    CorporateDirectory

    "#

    Active

    Directory

    Files

  • @ BT 2008

    Agenda

    Introduction SAP NetWeaver IdM

    Project [email protected]

    Project ISP

    Background and Motivation

    Functionality

    Lessons Learned

    Summary

  • @ BT 2008

    Customer: Internet Service ProviderProject Scope

    Consulting

    IdM project setup and definition

    Requirements analysis

    Detailed vendor selection

    Longlist, RFI, Shortlist, POC

    Establish standards for the definition of roles and entitlements

    Process optimization for IdM administration processes

    Prepare data protection concepts and works council agreements

    Quality assurance concept

    Data cleansing support

    Implementation

    Design based on selected IdM-tool (MaXware IC / SAP NetWeaver IDM)

    Implementation

    Data model

    IdM processses

    Provisioning interfaces to target systems

    IdM data synchronization

    Project management

    Test

    Migration of existing accounts and entitlements

    Operations

    Change und incident management

  • @ BT 2008

    Customer: Internet Service ProviderMotivation

    Project goals

    Creation of a central identity repository for all non-customer identities accessing computing center applications

    Implementation of standardized administration processes for entitlements

    Creation of a central repository for entitlements

    Increasing data quality of identity and entitlement data

    Effective demonstration of SOX-compliance

    Delegation of administrative tasks

    Increase degree of automation

    Tool selection

    RFI with >10 major IdM vendors

    Presentations and Proof of Concept

    Criteria

    Support for non-standard applications

    Flexibility, high degree of customization possible

    Expected implementation effort

    Match with skills available internally

    Support for roles and delegated administration

    Traceability of system and user actionsPrimary goals: Increase usability, security

    and audit capabilitiesSecondary goals: Cost reduction and ROI

    considerations

  • @ BT 2008

    Source and Target Systems

    Source Systems

    HR

    Group directory

    Asset database

    Target System Types

    SAP

    ISP Test Accounts

    Building Access

    Secure VPN

    LDAP

    Active Directory

    Samba

    SSH Key Management / Key Distribution

    ARS Remedy

    Sun Access Manager

    User groups

    Employees

    Group employees

    Consultants

    Partner

  • @ BT 2008

    Project History and Milestones

    Nov. 2004 Requirements analysis

    Mai 2005 Tool selection

    July 2005 Design and start of implementation

    Feb. 2006 Go-Live Release 1.0 including

    Source-system connectivity (HR/Org Master data)

    Standard request and approval process

    Internal administrative entitlement model, delegation of admin privileges

    Target Systems SAP/LDAP

    June 2007 Release 1.5

    Sept. 2007 Release 1.6

    Jan. 2008 Release 1.7

    April 2008 Release 1.8

  • @ BT 2008

    Agenda

    Introduction SAP NetWeaver IdM

    Project [email protected]

    Project ISP

    Background and Motivation

    Functionality

    Identity Management

    Entitlement Management

    Account Management

    Self-Service

    Lessons Learned

    Summary

  • @ BT 2008

    UseCases (1)

    Identity Management

    (Re-) Enter company

    OU change

    Location change

    Position change

    Sabaticals/maternity leave

    Leave company

    Entitlement Management

    Account Management

    Self-Service

    $%

    #

    &

    $ %

  • @ BT 2008

    Manage Master Data

    Task Menu

  • @ BT 2008

    Create Person

  • @ BT 2008

    Create Location

  • @ BT 2008

    UseCases (2)

    Identity Management

    Entitlement Management

    Assign (temporary) permissions

    Revoke permissions

    Automated role assignement

    Documentation / Audit

    Account Management

    Assign account

    (De-) Activate Account

    Delete Account

    Password management

    Self-Service

    Funktional RoleEmployee

    AccountActive Directory

    PermissionVPN-Access

    Hans Mustermann

    PermissionAD-Group

    Employees-MUC

    Location

    Company

    OU

  • @ BT 2008

    Create Permissions

    Creates permission within the IdM-system as well as in the target system

  • @ BT 2008

    Assign/Revoke Permissions

    Delegated administrationfor permission owners

  • @ BT 2008

    UseCases (3)

    Identity Management

    Entitlement Management

    Account Management

    Self-Service

    Password reset

    Data protection requirements

    Self-Service for certain person attributes

    Request permissions

    ()()()()

    1. Approval

    Provision

    Nofiy

    2. Approval?

    Denial

    Denial

    ?

  • @ BT 2008

    Request Permissions

    Users may request permissions for themselves or others.

    Approval process configurable for each permission.

    Approver roles:

    Line Manager

    Permission Owner

    Target System Owner

    HR

  • @ BT 2008

    Approval

    XXXXXXXX

    XXXXXXXX

  • @ BT 2008

    Agenda

    Introduction SAP NetWeaver IdM

    Project [email protected]

    Project ISP

    Background and Motivation

    Functionality

    Lessons Learned

    Summary

  • @ BT 2008

    Lessons Learned

    Implementation

    Expectations concerning adaptability were fulfilled

    Tool supports change and redesign very well in the course of extensions and additions

    Short implementation cycles achieved

    System behavior is transparent and follows a consistent paradigm

    Number of processes (approx. 150 processes, 1300 steps) makes system complex

    Framework developed on top of built-in functionality

    (Regression-) Testing indispensable

    Processes

    Flexibility (data model, user interface, processes) brings the temptation of relaxing initial standards as the system evolves over time

    End user help crucial to reduce helpdesk call volume

    Complexity multiplies (user types x identity states x data sources)

    General issues

    Data cleansing and migration may take up to 50% of target system implementation effort

    Development, Integration and Production environments required to manage changes

    Pragmatic approach to the use of roles allows for sufficient degree of automation without complex role modeling processes

  • @ BT 2008

    Summary

    Agile implementation possible

    Quick reaction to changed requirements

    High degree of flexibility concerning

    Data model

    Process adaptation

    Front-e