  • SAP Identity Management Overview

    October 2014 Public

  • 2014 SAP SE or an SAP affiliate company. All rights reserved. Public

    Agenda

    Introduction to Identity Management

    Role Management and Workflows

    Business-Driven Identity Management

    Compliant Identity Management

    Reporting

    Password Management

    Connectivity

    Architecture

    Identity Virtualization

    Summary & Additional Information

    Appendices

  • Introduction to SAP Identity Management

  • IT Application Security SAP Portfolio

    SAP Security Portfolio: IT Application Security

    Identity and access management (IAM)

    Identity, governance and administration: manage identity lifecycle, segregation of duties, emergency access, role management, reporting. Products: SAP Identity Management, SAP Access Control.

    Authentication and single sign-on: single sign-on, secure network communication, central access policies, 2-factor authentication. Products: SAP Single Sign-On, SAP Cloud Identity.

    Code vulnerabilities: find vulnerabilities in customer code. Product: SAP NetWeaver AS, add-on for code vulnerability analysis.

    Threat management: detect cybercrime attacks based on user behavior. Product: SAP Enterprise Threat Detection.

  • Key Capabilities

    SAP Identity Management

    Enables the efficient, secure and compliant execution of business processes

    Manage identities and permissions

    Ensures that the right users have the right access to the right systems at the right time

    Consistent with user roles and privileges

    Across all systems and applications

    Holistic approach

  • Business Drivers for Identity Management

    Operational costs
    Multiple sources of identity data
    Manual user provisioning
    Labor-intensive, paper-based approval systems
    Manual password reset processes

    Changing business processes
    Transactions involve multiple enterprises
    Partners participate in business processes
    Company-specific requirements for user provisioning solutions

    Compliance challenges
    No record of who has access to which IT resources
    Inability to deprovision user access rights upon termination
    No complete audit trail available
    Prevention of unauthorized access in multi-enterprise environments

  • Identity Lifecycle

    How long does it take for new employees to receive all permissions and become productive in their new job?

    Are permissions automatically adjusted if someone is promoted to a new position?

    Who has adequate permissions to fill in for a co-worker?

    How long does it take to remove ALL permissions of an employee? And how can you ensure that they were properly removed?

    How can you remove permissions automatically if employees change their position?

  • Solution in a Nutshell

    Central management of identities throughout the system landscape
    Rule-driven workflow and approval process
    Extensive audit trail, logging, and reporting functionality
    Governance through centralized and auditable identity data
    Compliance through integration with SAP Access Control
    Compliant and integrated identity management solution to mitigate segregation-of-duties risks

    Diagram labels: SAP Identity Management; SAP Access Control; SAP applications; Non-SAP applications; SAP SCM; SAP ERP HCM; SAP ERP; SuccessFactors; Java; Portal; Database; Legacy; OS; E-mail; Web app

  • A Holistic Approach to Compliant Identity Management

    Example: On-boarding

    Diagram labels:
    SAP Identity Management
    Central identity store
    Integration with SAP Business Suite and SuccessFactors (SAP ERP HCM, SuccessFactors)
    Rule-based assignment of business roles
    Approval workflows
    Compliance checks (SAP Access Control; SAP BusinessObjects Access Control (GRC))
    Provisioning to SAP and non-SAP systems (SAP applications, Non-SAP applications)
    Password management
    Reporting
    Identity virtualization and identity as a service
    Web-based single sign-on and identity federation

  • Solution in Detail: Role Management and Workflows

  • Role Definition and Provisioning

    Role Definition (design, one-time task)
    Read system access information (roles, groups, authorizations, etc.) from target systems
    Define a business role hierarchy
    Assign technical roles to business roles
    Develop rules for role assignments

    Provisioning (regularly)
    Assign or remove roles to/from people:
    Through request/approval workflow
    Manually (administrator)
    Automatically, e.g. HR-driven
    Automatic adjustment of master data and assignments of technical authorizations in target systems

    Diagram labels:
    Business roles: Manager, Employee, Accounting
    Technical roles: Portal role, Accounting (ABAP role), HR manager (ABAP role), E-mail, AD user
    Target systems: E-mail system, Active Directory, SAP Portal, SAP FI, SAP HR

  • Context-Based Role Management: Reducing Complexity

    SAP NetWeaver Identity Management

    Context-based role management simplifies the structure of roles through dynamic role assignment based on user context information.

    Benefits
    Reduced number of roles
    Reduced complexity
    Sufficient granularity
    Improved data consistency and governance

    Example: 20 roles in 1000 factories
    Conventional method: 20.000 entries (roles)
    Context-based: 1.020 entries (roles + contexts)

    Diagram labels:
    SAP Identity Management: User, Position, Location; Business Role; Technical role A, Technical role B, Technical role C
    Managed System: User; Technical role A, Technical role B

  • Workflows

    Request: User sends a role request

    Processing: Identity Center processes request. Sends alert to manager / administrator

    Approval: Manager checks request and approves/denies

    Provisioning: Identity Center provisions new roles and privileges to respective systems

    Notification: Identity Center sends a notification to user/manager

  • Solution in Detail: Business-Driven Identity Management

  • Integration with SAP Business Applications

    SAP Identity Management

    SuccessFactors Employee Central
    SAP ERP Financials
    SAP Transportation Management
    SAP Product Lifecycle Management
    SAP HANA
    SAP Supplier Relationship Management
    SAP Customer Relationship Management
    SAP Extended Warehouse Management
    SAP Service Parts Planning
    SAP ERP Human Capital Management
    SAP Portfolio and Product Management
    SAP Supply Network Collaboration

  • Business Process Driven Identity Management: On-Boarding

    Kim Perkins joins the company as a marketing specialist. From the first day with her new company, she is able to log on to all relevant systems, including access to the employee self-services, and access to SAP CRM to track the marketing activities she is responsible for.

    Participants: HR Operations, Line Manager, SAP Identity Management

    Pre-hire phase
    HR ensures that all necessary employee data for Kim is available, such as position and entry date
    Event-based extraction of personnel data

    First day at work
    Based on the position in HCM, IDM automatically assigns the business role Marketing Specialist
    Kim's manager approves the assignment
    Provisioning of role and authorization information to relevant target systems

    Diagram labels:
    Systems: SAP ERP HCM, SuccessFactors, SAP ERP, SAP CRM, SAP Portal
    Business Partner created; User created; Marketing Professional
    User created; Employee
    User created; Access to SAP ESS; Access to SAP CRM
    Step numbers: 1, 2, 3, 4, 5

  • Business Process Driven Identity Management: Position Change

    After two years as a marketing specialist, Kim is promoted and takes over personnel and budget responsibility for her marketing team. On the first day in her new role, she has access to the manager self-services. In her new position, she is responsible for budget approvals for all marketing campaigns - this re

    HR ensures that all necessary employee data for Kim is available

    Day of position change

    SAP Identity Management recognizes the line manager information for Kim and automatically assigns the business role Marketing Manager
