New Features and Functions in SAP NetWeaver Identity Management 7.2 SP 09 March 2014

  • New Features and Functions in SAP NetWeaver Identity Management 7.2 SP 09

    March 2014

  • Product Description SAP NetWeaver Identity Management

  • 2014 SAP AG or an SAP affiliate company. All rights reserved. 2

    SAP NetWeaver Identity Management Identity Lifecycle

    How long does it take for new employees to receive all permissions and become productive in their new job?

    Are permissions automatically adjusted if someone is promoted to a new position?

    Who has adequate permissions to fill in for a co-worker?

    How long does it take to remove ALL permissions of an employee? And how can you ensure that they were properly removed?

    How can you remove permissions automatically if employees change their position?

  • SAP NetWeaver Identity Management In the SAP Security Portfolio

    Identity Management and Identity Federation SAP NetWeaver Identity Management

    Identity and Access Intelligence SAP Identity Analytics

    SAP NetWeaver Identity Management

    SAP Access Control

    Identity Access Governance SAP Access Control

    Authentication SAP NetWeaver Single Sign-On, SAP ID Service

    Risk and Compliance SAP GRC Suite

    Code Vulnerability Analysis Add-on for Code Vulnerability Analysis

    Analytic Foundation SAP HANA, SAP NetWeaver BW, SAP BusinessObjects

    Platform Security Capabilities SAP NetWeaver, SAP Mobile Platform, SAP Mobile Secure, SAP HANA, SAP HANA Cloud

    Secure Common Process Layer SAP NetWeaver Process Orchestration

    Central Policy Management for SAP SAP NetWeaver Technology Platform

    Web Access Management Partner

    SAP Implementation Services and Rapid Deployment Solutions

    SAP Partner Security Solutions

  • SAP NetWeaver Identity Management Identity, Governance, and Administration (IGA)

    Identity, governance, and administration (IGA)

  • SAP NetWeaver Identity Management Product Description

    Full identity lifecycle support

    Virtual directory server

    Context/rule-based permissions and roles

    Central workflows for permission requests

    Identity federation

    Analytics via SAP NetWeaver Business Warehouse and SAP BusinessObjects

    SCIM support

    SAP UI5 on different devices

    RESTful interfaces

    Support of new cloud-based applications

    Connector framework

    Diagram labels: SAP NetWeaver Identity Management; Non-SAP on-premise; SAP on-premise; Cloud; User management; SAP HANA Cloud; SAP Access Control; SAP Business Suite; SCIM; SOD check; Governance

    Grant and manage user access to applications securely and efficiently while meeting audit and compliance requirements

  • How to Connect Your Identity Management Solution

    SAP Business Suite

    SAP Access Control (GRC)

    Lotus Domino/Notes

    Microsoft Exchange

    RSA ClearTrust

    RSA SecurID

    SPML (Services Provisioning Markup Language)

    LDAP

    ODBC/JDBC/OLE-DB

    RFC

    LDIF files

    XML files

    CSV files

    SAP Application Server

    Microsoft Windows

    Unix/Linux shell execute

    Custom Java connector API

    Script-based connector API

    Microsoft SQL Server

    SAP HANA Database

    Microsoft Access

    Oracle database

    IBM UDB (DB2)

    MySQL

    Sybase

    Microsoft Active Directory

    IBM Tivoli Directory

    Novell eDirectory

    Sun ONE Java Directory

    Oracle Internet Directory

    Microsoft Active Directory Application Mode (ADAM)

    Siemens DirX

    OpenLDAP

    eB2Bcom View500 Directory Server

    CA eTrust Directory

    SAP NetWeaver ID Mgmt. Virtual Directory Server

    Any LDAP v3 compliant directory server

    More

    Note: Overview of available connectors: http://scn.sap.com/docs/DOC-4388

    Out-of-the-Box Connectors


  • New Features & Functions Attestation

  • Attestation Explained

    Additional Management Responsibilities:

    Keep business roles (aggregated roles) up to date

    Prevent the accumulation of permissions

    Maintain consistency in case of management changes

    Attestation (also known as re-certification) means that managers or administrators periodically check and attest that a person only has those access rights he or she should have.

  • How the Role Attestation Process Works

    1. The attestation process is initiated by a scheduled procedure. It checks for the specified next date for the defined attestations and starts the event task referenced from the role(s).

    2. The pre-processing task is optional.

    3. The attesters are identified. The configuration on the attestation task determines how to find the attesters. They can be defined on the role/privilege or on the attestation task, and can be the user's managers or a user-defined person.

  • How the Role Attestation Process Works (cont.)

    4. The attestation requests will be added to the To do tab of each attester, waiting to be confirmed or rejected. If configured to do so, a mail is sent to the attester(s).

    5. Attesters go through their list of attestation requests:

       1. Confirm: Attester confirms request.

       2. Reject: Attester rejects request. The system checks whether an exception task is referenced from the attestation task.

       3. Delegate: If one of the attesters delegates (forwards) the attestation request, the request is removed from the original attester's To do list and added to the To do list of the second attester.

  • How the Role Attestation Process Works (cont.)

    6. System checks for any remaining attestation requests for this role (privilege). If so, it will continue to wait for events. If all requests are processed, it will continue to the post-process task.

    7. The task waits for the attesters to process all requests for the role (privilege) for a given period of time.

    8. If the timeout is reached before all requests are processed, remaining requests will be marked as timed out.

    9. The post-processing task is executed upon completion of all requests.
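
A small model of the attestation cycle in steps 1 to 9, added here as an illustration; it is not SAP NetWeaver Identity Management code or its API, and every class, method and field name is hypothetical. Flagging rejected and timed-out assignments for follow-up is an assumption about what a post-processing task might consume.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Request:
    user: str
    attester: str
    status: str = "pending"   # pending | confirmed | rejected | timed_out

@dataclass
class Attestation:
    role: str
    next_date: date
    timeout_days: int
    deadline: date = None
    requests: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # every action is logged for auditing

    def start(self, today, assignments, managers, role_attester=None):
        """Steps 1-4: scheduled date check, resolve attesters, create To do entries."""
        if today < self.next_date:
            return False
        self.deadline = today + timedelta(days=self.timeout_days)
        for user in assignments:
            attester = role_attester or managers[user]  # set on the role, else the manager
            self.requests.append(Request(user, attester))
            self.audit.append((today, "created", user, attester))
        return True

    def act(self, today, user, attester, action, delegate_to=None):
        """Step 5: only the attester currently holding the request may act on it."""
        req = next(r for r in self.requests if r.user == user and r.status == "pending")
        if req.attester != attester:
            raise PermissionError(f"{attester} does not hold the request for {user}")
        if action == "delegate":
            req.attester = delegate_to      # leaves the original attester's To do list
        else:
            req.status = {"confirm": "confirmed", "reject": "rejected"}[action]
        self.audit.append((today, action, user, attester))

    def poll(self, today):
        """Steps 6-9: keep waiting, time out stragglers, True when post-processing may run."""
        for r in self.requests:
            if r.status == "pending" and today >= self.deadline:
                r.status = "timed_out"
                self.audit.append((today, "timed_out", r.user, r.attester))
        return all(r.status != "pending" for r in self.requests)

    def needs_followup(self):  # assumption: a timeout is treated like a rejection, not an approval
        return [r.user for r in self.requests if r.status in ("rejected", "timed_out")]
```
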

  • Attestation Use Case: Requirements

    Role owners periodically verify who is assigned to their roles

    Report on roles that have not been assigned for long periods of time (role deactivation after two years of non-assignment)

    Attestation activity needs to be logged to enable auditing

    Managers are required to periodically approve all existing permissions in their teams

    Managers need a precise overview of their teams and permissions

  • Attestation Use Case: Requirements (cont.)

    User access review is a compliance control that needs to be triggered automatically in pre-defined intervals

    Approvers might not be frequent users of administrator UIs; they require a user-friendly Web UI with easy-to-use functions and processes

    SAP NetWeaver ID Mgmt provides a REST-based interface for customized approver UIs

  • Integration Enhancements

    New Features & Functions

  • Enhancements for the SAP Provisioning Framework

    Contains

    Sample UI tasks

    Core processing tasks

    Framework for provisioning

    Purpose

    Providing a framework to get started with identity management

    Connect to various systems

    Enhancements

    Core Functional Tasks:

    o Big part of the task hierarchy is moved into Java code

    Better performance

    Avoid unintentional changes

  • Enhancements for the GRC Provisioning Framework

    GRC Provisioning Framework

    Improvements:

    Reduced complexity

    Fewer task executions

    Fewer Java scripts

    Benefits:

    Simplified implementation

    Better stability

    Improved performance

    Better handling of upgrades

  • HANA Connector Enhancements

    New Features & Functions

  • SAP HANA User and Access Management

    Initial Load Job (IDM)

    Template for loading available for users, roles / privileges

    User Management

    User create/delete

    User deactivate/re-activate

    Modify user

    Role Management

    Runtime role

    Design-time role

    Privilege Management

    System privileges

    Application privileges

    Package privileges

    Analytics privileges

    Object privileges (future)
