Sci261- Sap Netweaver Identity Management - Workflow Configuration


SCI261 SAP NetWeaver Identity Management 7.1 Workflow Configuration

Kre Indry, Product Expert, SAP NW IdM
Matt Kangas, SAP Technology RIG Americas
Nghia Nguyen, SAP Technology RIG Americas
Oliver Nocon, SAP Technology RIG EMEA

October 2010

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

2010 SAP AG. All rights reserved. / Page 2

Agenda

1. SAP NetWeaver Identity Management Overview
2. SAP NetWeaver 7.1: UI Overview
3. Layout Configuration
4. Permission Configuration
5. Approvals
6. Provisioning Task Design
7. Approval Mechanisms
8. Hands-On


Identity Management Definition

SAP NetWeaver Identity Management

Enables the efficient, secure and compliant execution of business processes

By ensuring that the right users have the right access to the right systems at the right time

Consistent with their roles across all systems and applications


Typical User Lifecycle

Challenges:

• Long time to become productive
• Enormous costs and efforts
• Security leaks if employee leaves

Timeline:

• Hire date: Chuck Brown joins company. Available: Temporary accounts
• 3 weeks later: Chuck Brown is able to work in accounting. Available: E-Mail, Portal, Internet, Accounting
• 1 year later: Chuck Brown transfers to sales. Available: E-Mail, Portal, Internet, Accounting, CRM (west), Marketing data (west)
• 7 years later: Chuck Brown is promoted: Vice President Sales. Available: E-Mail, Portal, Internet, Accounting, CRM (global), Marketing data (global)
• 8 years later: Chuck Brown resigns. All known accounts of Chuck Brown are deactivated
• 10 years later: Chuck Brown still has access to the system. Available: Accounting, Marketing data (global)

SAP NetWeaver Identity Management Holistic Approach

e.g. on-boarding

Compliance checks through GRC

SAP Business Suite Integration

Identity virtualization and identity as service

Approval workflows Central Identity Store

SAP BusinessObjects Access Control (GRC)

Identity mgmt. monitoring & audit

SAP NetWeaver Identity Management

Password management Rule-based assignment of business roles

Provisioning to SAP and non-SAP systems


Business Roles and Technical Roles

Business Roles

• Are defined in the Identity Center
• Represent the business tasks of an employee
• Are usually defined as part of a business process
• Can be set up in hierarchies
• Are a combination of technical roles and/or other business roles
• Are usually assigned to end users

Technical Roles

• Represent access information or technical authorizations (e.g. ABAP authorization roles, UME roles, Portal roles, AD groups, ...)
• Are usually uploaded from the target system
• Are system-specific
• Are usually represented as privileges in the Identity Center

Diagram:

• Business Roles: Manager, Accounting, Employee
• Technical Roles: E-mail, AD user, End user (Portal role), Accounting (ABAP role), HR manager (ABAP role)
• Systems: E-Mail System, Active Directory, SAP Portal, SAP FI, SAP HR

Role Definition and Provisioning

Role Definition (design, one-time task)

• Read system access information (roles, groups, authorizations, etc.) from target systems
• Define a business role hierarchy
• Assign technical roles to business roles
• Develop rules for role assignments

Provisioning (regularly)

• Assign or remove roles to/from people
  • Through request/approval workflow
  • Manually (administrator)
  • Automatically, e.g. HR-driven
• Automatic adjustment of master data and assignments of technical authorizations in target systems

Workflows Overview

Operates on entries in the identity store

Manual interactions through Web interface:

• Start provisioning tasks
• Approve requests
• Monitor status

Workflows can be started from:

• Web interface
• Event tasks
• Change of privilege assignments
• Meta directory operations

Processing logic includes:

• Sequential operation
• Parallel operation
• Conditional operation
• Approval operation

Diagram: Identity Center (Rules, Roles, Identity Store, Workflow Engine, Provisioning Engine) with User, Business Process Owner and Applications. Numbered steps: 1 Request, 2 Alert, 3 Approve, 4 Provisioning, 5 Inform.


SAP NetWeaver Identity Management User Interface

Standalone UI:

• Accessible through http://<host>:<port>/idm

Through Portal:

• Role: portal_content/com.sap.idm.identity_management_folder/com.sap.idm.identity_management_role

Self Service Tasks

Self-services

• Available through "Self Services" tab in the IdM UI
• Tasks which can be executed on the user's behalf
• List only shows tasks which a user has permissions for

Approvals

To Dos / Approvals

• Available through "To Do" tab in the IdM UI
• Request items which require actions
• List only shows items which are assigned to the logged in user

Manage Tasks

Manage

• Available through "Manage" tab in the IdM UI
• Tasks which can be executed on entries (e.g. Persons, Roles)
• Task list only shows tasks which a user has permissions for

Favorites for Managing Entries

Users can set their personal favorites for quick access to specific tasks

Favorites appear as "quick link" buttons

Favorites can be added through the task selection by "Add to Favorites"

Favorites are stored in user attribute "MX_USER_PREFS"


Structuring Tasks

You can structure tasks using folders; this will be reflected in the UI

No access permissions set

Visibility can be controlled on folder level

Important: sub-folders can also serve as entry points by disabling parent folders

Search & Display Tasks

Advanced Search


Configuring the Search Result


Additional Options for Display Attributes

Validity

• Validity setting for assignments
• Valid from / valid to
• For MXREF_ attributes only

Reason

• Displays assignment reason field
• Possible values: No, Optional, Mandatory
• For MXREF-attributes only

Diagram

• Enables display of hierarchy diagram
• For MXREF_MXROLE only

Attribute Presentation

Attribute Presentation Examples - 1

• SingleLine
• MultiLine
• SingleSelect
• MultiSelect
• Boolean
• Referral
• File

Attribute Presentation Examples - 2

• Lookup
• Radio button
• Mail
• Date

Attribute Presentation Examples - 3

• ObjectValueHelp

Layout Example

Personal Data

• Unique ID:
• Display Name:
• First Name:
• Last Name:
• Address:
• City:
• Country Key:

Account Information

Communication Data

• Primary E-Mail:
• Additional E-Mails:
• Primary Telephone Number:
• Additional Telephone Numbers:

UI Task Configuration

Configure UI attributes & elements

Add UI elements


Resulting Screen
