SAP BusinessObjects GRC 10.0 Integration Guide: Access Control 10.0 and NetWeaver Identity Management
SAP BusinessObjects Access Control 10 and SAP NetWeaver Identity Management Implementation Guide
Ankur Baishya, Customer Solution Adoption
2011 SAP AG. All rights reserved. 2
Contents
Role of Access Control vs. IdM
Compliant Identity Management
Key Enhancements in AC10
Implementation Considerations
Available AC10 Web Services
Common Integration Scenarios
Available Documentation
What Is the Role of Access Control vs. IdM?
[Diagram] Business layer (CFO, Business Controls): SAP BusinessObjects Access Control provides Access Governance, Access Risk Analysis, Compliance Reviews and Compliance Reporting. IT infrastructure (CIO, Systems Access): Identity Management provides Systems Connectors, Authentication and Single Sign-On, Identity Federation, and governance over identity data and authentication data. Together: compliant identity management for the entire system landscape.
Compliant Identity Management: Example Customer Scenario
Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration
[Process diagram] HR application: new hire / change of position. Identity Management: calculate entitlements based on position. Line manager: approve assignments? (No: stop.) Yes: SAP BusinessObjects Access Control performs the compliance check and remediation, then creates the user and assigns privileges; IdM creates the user and assigns roles in each system of the heterogeneous landscape.
Access Control 10 User Provisioning: Key Enhancements
Request Form and Request Submission
- Automatic request creation from IdM integration (SAP or non-SAP)
- Flexible and dynamic end-user request form, based on user and systems accessed
- Create requests for position-based role assignment
- End user features for viewing existing assignments, checking request history, viewing profiles
Request Approval Process and Provisioning
- Support for additional system provisioning through IdM integration (SAP or non-SAP)
- Improved navigation and usability, including customization of the approver view based on stage
- Displays role risk and transaction information in the request
- Provisioning of additional entities such as business roles, PD profiles and groups, and system-specific custom fields
Access Control 10 and IdM-Driven Integrated Provisioning: Key Enhancements
- Improved communication between IdM and AC that enables a complete view of the request approval process
- IdM is able to perform real-time access risk analysis prior to submitting a request for remediation
- Improved infrastructure to support the standard SPML 1.0 protocol for all outbound communication from AC
In addition to SAP's own Identity Management solution, we are actively working with our Identity Management partners to ensure they have their corresponding releases ready and take advantage of the new functionality.
Access Control 10 and IdM Integration: Implementation Considerations
Request submission source
- From where will the provisioning request be initiated (AC and/or IdM)?
Provisioning roles
- Role source: where will the roles for provisioning be maintained (AC and/or IdM)? The preferred approach is to have one role source for SAP roles.
Approval workflow
- Do you want to use approval workflow within AC and/or IdM?
- Consider user notifications from AC and/or IdM.
Risk analysis
- When provisioning new users, the request does not have to be submitted to AC for risk analysis and no polling is required; IdM can also retrieve the result by polling the risk analysis web service with the Request ID.
- When provisioning existing users, risk analysis can be called by IdM.
Request status and audit trails
- Consider requirements for request status and audit trails while defining the integration solution (web services can only pass certain fields, while more details may be viewed natively in AC or IdM).
Existing functionality and change control
- IdM's change control policy and its impact on the solution and implementation: are changes to the current IdM process realistic?
Access Control 10: Available Web Services (1 of 2)
Columns: No. | Interface | Description | Inbound/Outbound | Mandatory/Optional
1. Lookup service: enables lookup of the possible values for a use case (example: possible values for Request Status). Inbound, optional.
2. Search roles: enables searching roles before submitting a request to GRC. Inbound, optional.
3. Role Details: returns the detailed role description and associated attributes of the selected role. Inbound, optional.
4. Select Applications: returns a list of resources configured within GRC. Inbound, optional.
5. Firefighter: returns the list of Firefighter IDs along with Firefighter Owner details. Inbound, optional.
6. User's Existing Assignments: returns the existing user assignments. Inbound, optional.
7. User Access Request: defines the web service that will be called by IdM for user access. Inbound, mandatory.
8. Risk analysis (with request ID): performs segregation of duties (SoD) analysis on a request submitted to GRC or on the assignments of an existing user. Inbound, optional.
9. Organization Assignment Request: enables IdM to assign roles to OM objects such as Job, Position, and Organizational Unit. Inbound, optional.
Access Control 10: Available Web Services (2 of 2)
Columns: No. | Interface | Description | Inbound/Outbound | Mandatory/Optional
Provisioning by GRC after request approval:
10. Exit User Access Request: defines the service that will be called by GRC to inform IdM about provisioning results. Outbound, mandatory.
11. Provisioning Log: returns all the provisioning information for a user; helps to determine whether the user was created, changed, or deleted and whether the role was added or removed. Inbound, optional.
12. Request Status: returns the status of a request. Inbound, optional.
13. Audit Logs: returns workflow information about paths, stages, and/or stage approvers; also returns provisioning information. Inbound, optional.
14. Request Details: returns the request details along with the risk analysis. Inbound, optional.
15. Risk Analysis (without request number): performs SoD analysis at user level and role level. Inbound, optional.
16. End User Personalization Configuration: returns EUP configuration details for a user. Inbound, optional.
Access Control 10: Available Web Services (Technical Names)
Columns: Web Service | Technical Name
Inbound - Lookup GRAC_LOOKUP_WS
Inbound - Select Applications GRAC_SELECT_APPL_WS
Inbound - Firefighter GRAC_FIRE_FIGHTER_WS
Inbound - Search Roles GRAC_SEARCH_ROLES_WS
Inbound - Search Role Details GRAC_ROLE_DETAILS_WS
Inbound - User Existing Assignments GRAC_USER_EXISTING_ASSGN_WS
Inbound - User Access Request GRAC_USER_ACCES_WS
Inbound - User Access Request Status GRAC_REQUEST_STATUS_WS
Inbound - User Access Request Details GRAC_REQUEST_DETAILS_WS
Inbound - Provision Logs GRAC_PROV_LOGS_WS
Inbound - Audit Trails GRAC_AUDIT_LOGS_WS
Inbound - Risk Analysis with Request Number GRAC_RISK_ANALYSIS_WITH_NO_WS
Inbound - Risk Analysis without Request Number GRAC_RISK_ANALYSIS_WOUT_NO_WS
Inbound - Exit from IdM GRAC_EXIT_FROM_IDM_WS
Inbound - Org Assignments GRAC_ORG_ASSGN_REQUEST_WS
Inbound - EUP Configuration GRAC_EUP_CONFIG_DATA_WS
Access Control 10: Actions to/from IdM
Columns: Interface | Description | Type [Inbound/Outbound] | Mandatory/Optional
- IdM provisioning/de-provisioning request: provisioning/de-provisioning request to IdM. Outbound, mandatory.
- IdM provisioning/de-provisioning request status: status of the provisioning/de-provisioning request. Outbound, mandatory.
- IdM provisioning/de-provisioning request exit service: provisioning/de-provisioning request to IdM. Inbound, mandatory.
- Audit log from IdM (this web service will be published by IdM to provide audit log details on the provisioning actions performed in IdM): audit log details from IdM. Outbound, optional.
Provisioning operations supported: Create User, Assign Roles, Change User, Lock/Unlock User, Delete User, Password Self-Service.
Business Process Legend
[Legend] Roles involved in a process: Business Process Owner, Technical Team, Compliance / Audit Team. Process steps are shown as Step 1 to Step 4. An alternate color indicates a connection to another process or a new integration step. A dotted line indicates an optional step which can be performed by two separate processes. An overlap of roles indicates collaboration and/or a process step completed by either role.
Access Control 10 User Provisioning
[Process diagram] Roles: Requestor, Approvers. Steps: Create & Submit Access Request; Review Request; Appropriate Access? (No: Modify Request); Perform Risk Analysis; Risk Violations? (Yes: Manage Access Risks); Request Modified?; Approve Request? (Yes: User Provisioning; No: Reject Request); Request Closed.
Access Control 10-Driven User Provisioning: IdM Integration
[Process diagram] Roles: AC Requestor, AC Approver, IdM Approver. Steps: Create an Access Request; Review Request; Appropriate Access?; Perform Risk Analysis; Risk Violations? (Yes: Manage Risk); Request Modified?; Approve Request? (Yes: User Provisioning; No: Reject Request); Provisioning to SAP/Non-SAP Applications (by AC and by IdM); Update Provisioning Status; Request Status and Audit Log Reporting; Request Closed.
IdM-Driven User Provisioning: Access Control 10 Integration
[Process diagram] Roles: IdM Requestor, IdM Approver, AC Approver. Steps: Create an Access Request (in IdM); Approve Request? (No: Reject Request); Create an Access Request (in AC); Review Request; Appropriate Access?; Request Modified?; Perform Risk Analysis; Risk Violations? (Yes: Manage Risk); Approve Request? (Yes: User Provisioning; No: Reject Request); Provisioning to SAP/Non-SAP Applications (by AC and by IdM); Update Provisioning Status; Request Status and Audit Log Reporting; Request Closed.
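As an added example (not SAP's code or API), the Python below models the IdM-driven flow above together with the risk analysis and polling points from the implementation considerations: the AC side is a constructed in-memory stub whose call shapes are assumed, and the SoD risk table, role names and request IDs are constructed sample data. It shows the two decisions a defender cares about: an unmitigated SoD violation blocks provisioning and is reported back through the exit service, and a request that never leaves "in process" fails closed instead of being provisioned.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class Outcome(Enum):
    PROVISIONED = auto()
    REJECTED = auto()   # IdM approver said no, or an unmitigated SoD risk remains
    PENDING = auto()    # AC never left "in process": fail closed, do not provision
@dataclass
class AccessControlStub:
    """Constructed stand-in for four AC 10 services; not SAP's SOAP API (shapes assumed)."""
    sod_conflicts: dict                       # constructed: frozenset(roles) -> risk id
    mitigated: set = field(default_factory=set)
    results: list = field(default_factory=list)   # what the exit service was told
    _requests: dict = field(default_factory=dict)

    def submit(self, user, roles):            # ~ User Access Request (inbound)
        rid = f"REQ-{len(self._requests) + 1:04d}"
        self._requests[rid] = (user, tuple(roles), 2)   # "in process" for 2 polls
        return rid
    def status(self, rid):                    # ~ Request Status (inbound)
        user, roles, left = self._requests[rid]
        self._requests[rid] = (user, roles, max(left - 1, 0))
        return "IN_PROCESS" if left > 0 else "OK"
    def risk_analysis(self, rid):             # ~ Risk Analysis with request ID (inbound)
        roles = set(self._requests[rid][1])
        return [risk for combo, risk in self.sod_conflicts.items() if combo <= roles]
    def exit_result(self, rid, provisioned):  # ~ Exit User Access Request (outbound)
        self.results.append((rid, provisioned))

def idm_driven_provisioning(ac, user, roles, idm_approved, max_polls=5):
    # IdM approval -> AC request -> poll status -> SoD check -> provision or reject
    audit = [f"IdM request for {user}: {sorted(roles)}"]
    if not idm_approved:
        audit.append("IdM approver rejected the request")
        return Outcome.REJECTED, audit
    rid = ac.submit(user, roles)
    for _ in range(max_polls):
        if ac.status(rid) != "IN_PROCESS":
            break
    else:
        audit.append(f"{rid} still in process after {max_polls} polls; not provisioning")
        return Outcome.PENDING, audit
    risks = [r for r in ac.risk_analysis(rid) if r not in ac.mitigated]
    if risks:
        audit.append(f"{rid} has unmitigated SoD risks {risks}; route to Manage Risk")
        ac.exit_result(rid, provisioned=False)
        return Outcome.REJECTED, audit
    audit.append(f"{rid} clean; provisioning user in target systems")
    ac.exit_result(rid, provisioned=True)
    return Outcome.PROVISIONED, audit
```

Adding a risk ID to `mitigated` stands in for the Manage Risk step; in a real landscape that decision, like the request status, should come from AC rather than be assumed by IdM.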
Further Information and Available Documentation
SAP Public Web
SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): www.boc.sap.com
SAP GRC: www.sap.com/grc
GRC-Related Documentation
SAP GRC Help: help.sap.com/content/bobj/grc/docu_bobj_grc_intro.htm
GRC How-to Guides: www.sdn.sap.com/irj/scn/articles-grc-all
NetWeaver IdM-Related Documentation
SAP NetWeaver Help:
help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm#idm72