SCI261 SAP NetWeaver Identity Management 7.1 Workflow Configuration
Kåre Indrøy, Product Expert, SAP NW IdM; Matt Kangas, SAP Technology RIG Americas; Nghia Nguyen, SAP Technology RIG Americas; Oliver Nocon, SAP Technology RIG EMEA
October 2010
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
2010 SAP AG. All rights reserved. / Page 2
Agenda
1. SAP NetWeaver Identity Management Overview
2. SAP NetWeaver 7.1: UI Overview
3. Layout Configuration
4. Permission Configuration
5. Approvals
6. Provisioning Task Design
7. Approval Mechanisms
8. Hands-On
Identity Management Definition
SAP NetWeaver Identity Management
- Enables the efficient, secure and compliant execution of business processes
- By ensuring that the right users have the right access to the right systems at the right time
- Consistent with their roles across all systems and applications
Typical User Lifecycle
Challenges:
- Long time to become productive
- Enormous costs and efforts
- Security leaks if employee leaves
Timeline of the example employee Chuck Brown, with the accounts available at each stage:
- Hire date: Chuck Brown joins company. Available: temporary accounts
- 3 weeks later: Chuck Brown is able to work in accounting. Available: E-Mail, Portal, Internet, Accounting
- 1 year later: Chuck Brown transfers to sales. Available: E-Mail, Portal, Internet, Accounting, CRM (west), Marketing data (west)
- 7 years later: Chuck Brown is promoted: Vice President Sales. Available: E-Mail, Portal, Internet, Accounting, CRM (global), Marketing data (global)
- 8 years later: Chuck Brown resigns. All known accounts of Chuck Brown are deactivated
- 10 years later: Chuck Brown still has access to the system. Available: Accounting, Marketing data (global)
SAP NetWeaver Identity Management Holistic Approach
Capabilities grouped around SAP NetWeaver Identity Management:
- Approval workflows
- Central Identity Store
- Password management
- Rule-based assignment of business roles
- Provisioning to SAP and non-SAP systems
- Identity virtualization and identity as service
- SAP Business Suite Integration (e.g. on-boarding)
- Compliance checks through GRC (SAP BusinessObjects Access Control)
- Identity mgmt. monitoring & audit
Business Roles and Technical Roles
Business Roles
- Are defined in the Identity Center
- Represent the business tasks of an employee
- Are usually defined as part of a business process
- Can be set up in hierarchies
- Are a combination of technical roles and/or other business roles
- Are usually assigned to end users
Technical Roles
- Represent access information or technical authorizations (e.g. ABAP authorization roles, UME roles, Portal roles, AD groups, ...)
- Are usually uploaded from the target system
- Are system-specific
- Are usually represented as privileges in the Identity Center
Example on the slide: the business roles Manager, Accounting and Employee are built from the technical roles E-mail (E-Mail System), AD user (Active Directory), End user (Portal role, SAP Portal), Accounting (ABAP role, SAP FI) and HR manager (ABAP role, SAP HR).
Role Definition and Provisioning
Role Definition (design, one-time task)
- Read system access information (roles, groups, authorizations, etc.) from target systems
- Define a business role hierarchy
- Assign technical roles to business roles
- Develop rules for role assignments
Provisioning (regularly)
- Assign or remove roles to/from people: through request/approval workflow, manually (administrator), or automatically, e.g. HR-driven
- Automatic adjustment of master data and assignments of technical authorizations in target systems
The slide shows the same mapping as before: business roles Manager, Accounting and Employee on top of the technical roles E-mail, AD user, End user (Portal role), Accounting (ABAP role) and HR manager (ABAP role) in E-Mail System, Active Directory, SAP Portal, SAP FI and SAP HR.
Workflows Overview
- Operates on entries in the identity store
- Manual interactions through the Web interface: start provisioning tasks, approve requests, monitor status
- Components shown: Rules, Roles, Identity Store, Workflow Engine, Provisioning Engine, Applications
Workflows can be started from:
- Web interface
- Event tasks
- Change of privilege assignments
- Meta directory operations
Processing logic includes:
- Sequential operation
- Parallel operation
- Conditional operation
- Approval operation
Request flow on the slide: (1) the user submits a request in the Identity Center, (2) the business process owner is alerted, (3) the business process owner approves, (4) provisioning to the applications, (5) the user is informed.
2. SAP NetWeaver 7.1: UI Overview
SAP NetWeaver Identity Management User Interface
Standalone UI:
- Accessible through http://<host>:<port>/idm
Through Portal:
- Role: portal_content/com.sap.idm.identity_management_folder/com.sap.idm.identity_management_role
Self Service Tasks
Self-services
- Available through the "Self Services" tab in the IdM UI
- Tasks which can be executed on the user's own behalf
- The list only shows tasks which the user has permissions for
Approvals
To Dos / Approvals
- Available through the "To Do" tab in the IdM UI
- Request items which require action
- The list only shows items which are assigned to the logged-in user
Manage Tasks
Manage
- Available through the "Manage" tab in the IdM UI
- Tasks which can be executed on entries (e.g. Persons, Roles)
- The task list only shows tasks which the user has permissions for
Favorites for Managing Entries
- Users can set their personal favorites for quick access to specific tasks
- Favorites appear as "quick link" buttons
- Favorites can be added through the task selection by "Add to Favorites"
- Favorites are stored in the user attribute "MX_USER_PREFS"
3. Layout Configuration
Structuring Tasks
- You can structure tasks using folders; the folder structure is reflected in the UI
- The screenshot shows the folder structure with no access permissions set
- Visibility can be controlled on folder level
- Important: sub-folders can also serve as entry points by disabling their parent folders
Search & Display Tasks
Advanced Search
Configuring the Search Result
Additional Options for Display Attributes
Validity
- Validity setting for assignments (valid from / valid to)
- For MXREF_ attributes only
Reason
- Displays the assignment reason field
- Possible values: No, Optional, Mandatory
- For MXREF_ attributes only
Diagram
- Enables display of the hierarchy diagram
- For MXREF_MXROLE only
Attribute Presentation
Presentation types shown in the examples:
- SingleLine, MultiLine
- SingleSelect, MultiSelect
- Boolean, Referral, File
- Lookup
- Radio button, Mail, Date
- ObjectValueHelp
Layout Example
- Personal Data: Unique ID, Display Name, First Name, Last Name, Address, City, Country Key
- Account Information
- Communication Data: Primary E-Mail, Additional E-Mails, Primary Telephone Number, Additional Telephone Numbers
UI Task Configuration
- Configure UI attributes & elements
- Add UI elements
Resulting Screen
Additional Task Display Configuration
The slide labels the display configuration options a to g on the task configuration screen and the resulting task display; the marked option denotes internationalization.
Displaying Additional Information
A UI task can be configured to show additional information:
- Pending values (in a separate tab)
- Historic values (in a separate tab)
- All attributes and values of a user (in a separate tab)
This is especially useful for monitoring purposes.
4. Permission Configuration
UI Permissions
- Self Services tab: UME action "idm_authenticated". This action controls general access to the IdM UI (minimum requirement)
- To Do tab: IdM privilege "MX_PRIV:WD:TAB_TODO". Shows workflow items
- Manage tab: IdM privilege "MX_PRIV:WD:TAB_MANAGE". Allows entry administration
- View Reports tab: IdM privilege "MX_PRIV:WD:TAB_REPORT". Shows the reports available
- History tab: IdM privilege "MX_PRIV:WD:TAB_HISTORY". Shows information about past approvals, self-service tasks and management tasks
- Monitoring tab: UME action "idm_monitoring_administration". Access to monitoring information
Task Access Control
Configure who is allowed to access a specific task.
Access Control Details
Possible options for "Allow access for":
- Anonymous
- Logged-in user or identity store entry
- Referral
Possible options for "On behalf of":
- Everybody: administer everybody
- User or identity store entry: self-service
- Filter: administer only entries according to a SQL statement. This option is only available when "simplified access control" is disabled. Usage of the filter is discouraged since it could create performance problems
- Relation Self: self-service
- Relation Manager: manager of the object (MX_MANAGER)
- Relation Owner: owner of the object (MX_OWNER)
- Relation Manager: owner of an ... assigned to the object
- Relation Member: member of an ...
- Relation Member of same role/privilege: same role assigned
Anonymous Access to Tasks
- The task must create a new entry
- Configuring anonymous access (see the task access control screen)
Accessing the tasks
- Access to anonymous tasks: http://<host>:<port>/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/AnonymousService
- Direct task access: http://<host>:<port>/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/AnonymousEditTask?TaskId=<task ID>
Access Limitations on Entries
Limit which users are allowed to see which information:
- Search attribute: attribute on the entry which is being searched
- User attribute: attribute on the user performing the search
Access Limitations Example
Example configuration:
- Search attribute: COMPANY_NAME
- User attribute: COMPANY_NAME
Entries on the slide: users A, B and C belong to Company 1; users C and D belong to Company 2 (C belongs to both).
Result:
- User A can see/search for users A, B and C
- User B can see/search for users A, B and C
- User C can see/search for users A, B, C and D
- User D can see/search for users C and D
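The visibility rule of this example, worked through as a small JavaScript model added here (not code from the slides or from SAP NetWeaver Identity Management): the store, the entry ids and the extra entry E without a company are constructed, and visibleEntries is an assumed helper name, not a product API.

```javascript
// Constructed identity-store entries for the example (not real data). C carries both
// companies in its multi-valued COMPANY_NAME; E has no COMPANY_NAME at all.
const sampleStore = {
  A: { COMPANY_NAME: ["Company 1"] },
  B: { COMPANY_NAME: ["Company 1"] },
  C: { COMPANY_NAME: ["Company 1", "Company 2"] },
  D: { COMPANY_NAME: ["Company 2"] },
  E: {},
};

// Normalise an attribute to a list of values (single-valued or multi-valued).
function attrValues(entry, attr) {
  const v = entry ? entry[attr] : undefined;
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// Ids of the entries that userId may see/search for under an access limitation with
// search attribute searchAttr (on the searched entry) and user attribute userAttr
// (on the searching user). An entry is visible when the two attributes share at
// least one value. A user without a value for the user attribute, or an entry without
// a value for the search attribute, matches nothing: the limitation fails closed.
function visibleEntries(store, userId, searchAttr, userAttr) {
  const allowed = new Set(attrValues(store[userId], userAttr));
  if (allowed.size === 0) return [];
  return Object.keys(store)
    .filter((id) => attrValues(store[id], searchAttr).some((v) => allowed.has(v)))
    .sort();
}

// The slide's configuration: COMPANY_NAME as both search attribute and user attribute.
function visibleByCompany(userId) {
  return visibleEntries(sampleStore, userId, "COMPANY_NAME", "COMPANY_NAME");
}
```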
5. Approvals
About Pending Value Objects (PVO)
A pending value object is an entry with entry type MX_PENDING_VALUE. It holds an attribute value which will be set (or removed) on the entry in the future.
- Always belongs to another entry (of any type) within the identity store
- A single pending value object holds only one attribute/value pair
- MX_ENTRY_REFERENCE holds the reference to the owner entry
- MX_ATTRIBUTE_NAME holds the attribute to be written
- MX_ATTRIBUTE_VALUE holds the value to be written
Used for:
- Time-limited attributes (primarily for roles). In this case the pending value object holds the valid-from and valid-to dates.
- Several time schedules for a time-limited attribute (e.g. January 1 - January 15 and February 1 - February 14). This is achieved by having multiple pending value objects for the same attribute.
- General disabling of attributes.
- Approval of role and privilege assignments. In this case the pending value object holds the approvers and also the approval information. The approvers are automatically copied from the MX_OWNER attribute of the role or privilege (default).
PVO and Approvals
Approval usage
- MX_PENDING_VALUE is typically used for approvals of assignments (privileges/roles)
- The approval task is defined as MX_ADD_MEMBER_TASK / MX_DEL_MEMBER_TASK
- The MX_PENDING_VALUE object is automatically created by the system
- The pending value will only be applied after successful completion of the approval task
MX_VALIDFROM and MX_VALIDTO
- Hold information about when the entry is valid (and thus enabled) and when the entry is no longer valid (and needs to be removed)
- When validFrom arrives, the attribute value is added to the entry
- If validTo is defined, it sets the expiryTime, which means that the attribute will be deleted at this time
- The MX_PENDING_VALUE record that was holding the information is then deleted (but kept in old values)
The function uApplyPending is used to approve or decline a pending value.
PVO Example: Role Assignment with Approval
1. A role is requested for, or assigned to, user 3001 (entry type MX_PERSON, MSKEYVALUE: 3001)
2. A pending value object is created (entry type MX_PENDING_VALUE) with MX_ENTRY_REFERENCE: 3001, MX_ATTRIBUTE_NAME: MX_REF_MXROLE, MX_ATTRIBUTE_VALUE: <the requested role>
3. The role owner approves the role request (approves the pending value object)
4. The values are written to the entry: user 3001 now carries the role in MX_REF_MXROLE
6. Provisioning Task Design
Privileges: Member Events and Tasks
Member events (defined as attributes on privilege or repository)
- MX_ADD_MEMBER_TASK: task to execute when the privilege is added to an entry. The task is executed on the MX_PENDING_VALUE object (which is automatically created). Subsequent steps (e.g. provisioning) wait for successful task execution (e.g. approval)
- MX_DEL_MEMBER_TASK: task to execute when the privilege is removed from an entry. The task is executed on the MX_PENDING_VALUE object. Subsequent steps (e.g. de-provisioning) wait for successful task execution
The event can be defined on the repository or on the privilege.
Privileges: Provision and Deprovision Tasks
Tasks (defined as attributes on privilege or repository)
- MX_MODIFYTASK: task executed on the entry when an entry having this privilege is modified. Modify trigger attributes define the attributes which kick off the modify task
- MX_PROVISIONTASK: task executed on the entry when the privilege is added to the entry. Kicks off provisioning (once MX_ADD_MEMBER_TASK has successfully completed)
- MX_DEPROVISIONTASK: task executed on the entry when the privilege is removed from the entry. Kicks off de-provisioning (once MX_DEL_MEMBER_TASK has successfully completed)
Tasks defined on the privilege override the more general setting on the repository.
The task can be defined on the repository or on the privilege.
Provisioning of Technical Roles (Privileges)
A role contains privileges 1 to n: privileges 1 and 2 belong to repository A, privileges 3 to n to repository B. Each repository defines its own provision task and de-provision task (Provision Task Repository A, De-provision Task Repository A, Provision Task Repository B, De-provision Task Repository B), which apply to every privilege of that repository.
Extended MX_PRIVILEGE functionality used: this makes task assignment per privilege obsolete for many cases!
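The task resolution described on the three slides above, worked through as a JavaScript model added here (not SAP's own code): effectiveTasks applies the rule that a task set on the privilege overrides the one on its repository, and plannedSteps orders the member task (on the pending value object) before the (de-)provisioning task. Repository, privilege and task names are constructed, and the behaviour when no member task is configured is an assumption stated in the code.

```javascript
// Task attributes that can be set on a repository and overridden on a privilege.
const TASK_ATTRS = ["MX_ADD_MEMBER_TASK", "MX_DEL_MEMBER_TASK",
                    "MX_PROVISIONTASK", "MX_DEPROVISIONTASK", "MX_MODIFYTASK"];

// Constructed definitions (not real task ids): the repository carries the general
// settings; one privilege inherits them all, the other overrides the add-member task.
const repositories = {
  REPO_A: {
    MX_ADD_MEMBER_TASK: "Role owner approval",
    MX_PROVISIONTASK: "Provision to REPO_A",
    MX_DEPROVISIONTASK: "De-provision from REPO_A",
  },
};
const privileges = {
  "PRIV:REPO_A:DISPLAY": { repository: "REPO_A" },
  "PRIV:REPO_A:ADMIN": { repository: "REPO_A", MX_ADD_MEMBER_TASK: "Two-level approval" },
};

// Effective task attributes of a privilege: the privilege's own value where set,
// otherwise the value defined on its repository.
function effectiveTasks(privId) {
  const priv = privileges[privId];
  if (!priv) throw new Error("unknown privilege " + privId);
  const repo = repositories[priv.repository] || {};
  const result = {};
  for (const attr of TASK_ATTRS) {
    const value = priv[attr] !== undefined ? priv[attr] : repo[attr];
    if (value !== undefined) result[attr] = value;
  }
  return result;
}

// Ordered steps when a privilege is added to ("add") or removed from ("remove") an
// entry: the member task runs on the automatically created MX_PENDING_VALUE object,
// and the (de-)provisioning task runs on the entry only after it has completed.
// Assumption (not stated on the slides): without a member task, (de-)provisioning
// starts directly, i.e. there is no approval gate.
function plannedSteps(privId, event) {
  if (event !== "add" && event !== "remove") throw new Error("unknown event " + event);
  const tasks = effectiveTasks(privId);
  const memberAttr = event === "add" ? "MX_ADD_MEMBER_TASK" : "MX_DEL_MEMBER_TASK";
  const provAttr = event === "add" ? "MX_PROVISIONTASK" : "MX_DEPROVISIONTASK";
  const steps = [];
  if (tasks[memberAttr]) {
    steps.push({ task: tasks[memberAttr], runsOn: "MX_PENDING_VALUE", waitsFor: null });
  }
  if (tasks[provAttr]) {
    steps.push({ task: tasks[provAttr], runsOn: "entry", waitsFor: tasks[memberAttr] || null });
  }
  return steps;
}
```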
7. Approval Mechanisms
MX_APPROVERS
Attribute MX_APPROVERS is used for approval
- Multi-value entry reference attribute
- Holds a list of legal approvers for an entry
- Listed with MSKEY
- Reference entry types: MX_PERSON, MX_ROLE (members are approvers), MX_PRIVILEGE, MX_DYNAMIC_GROUP
Basic Example: Preprocessing Approvers
Action task that checks if there is an approver and, if not, adds a hardcoded approver.
Basic Example: Approval Task
No approver is defined directly on the task; the approvers are retrieved from the MX_PENDING_VALUE object.
Multiple approvals and further processing of the approval can be defined in more complex scenarios.
Commit Approval
The function uApplyPending is used to approve or decline a pending value (obsolete in 7.2). When this script is run, the pending value object that the approval operates on is closed and moved to historical values. The return value of the function (OutString) can have the following values:
- 0: OK
- -1: Not applied, validFrom is not yet
- -2: No such MSKEY pending
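The pending value lifecycle from the Approvals section (creation, approvers copied from MX_OWNER, validFrom/validTo, closing into old values) together with the return codes above, as a JavaScript model added here; it is not the product's uApplyPending and not code from the slides. The store, mskeys and dates are constructed, and the handling of a caller who is not a listed approver is an assumption.

```javascript
// Constructed identity store (not real data): person 3001 requests role 7001, whose
// MX_OWNER is person 4001; pending value objects receive mskeys from 5000 upwards.
const store = {
  entries: {
    3001: { MSKEYVALUE: "3001", MX_ENTRYTYPE: "MX_PERSON", MX_REF_MXROLE: [] },
    4001: { MSKEYVALUE: "4001", MX_ENTRYTYPE: "MX_PERSON" },
    7001: { MSKEYVALUE: "ROLE:SALES", MX_ENTRYTYPE: "MX_ROLE", MX_OWNER: [4001] },
  },
  pending: {},     // mskey -> MX_PENDING_VALUE object
  oldValues: [],   // closed pending value objects are kept as old values
  expiries: [],    // expiry times recorded from MX_VALIDTO when a value is written
  nextMskey: 5000,
};

// Create the MX_PENDING_VALUE object for assigning roleMskey to ownerMskey.
// As on the slides, the approvers default to the role's MX_OWNER.
function createPendingValue(ownerMskey, roleMskey, validFrom = null, validTo = null) {
  const mskey = store.nextMskey++;
  store.pending[mskey] = {
    MSKEY: mskey,
    MX_ENTRY_REFERENCE: ownerMskey,
    MX_ATTRIBUTE_NAME: "MX_REF_MXROLE",
    MX_ATTRIBUTE_VALUE: roleMskey,
    MX_VALIDFROM: validFrom,
    MX_VALIDTO: validTo,
    MX_APPROVERS: [...(store.entries[roleMskey].MX_OWNER || [])],
  };
  return mskey;
}

// Approve (approved = true) or decline a pending value, mirroring the documented
// return codes: -2 no pending object with that mskey; -1 not applied because
// validFrom is still in the future (the object stays pending); 0 the object was
// closed and moved to old values (the value is written only when approved).
// Rejecting a caller who is not a listed approver is an assumption of this model.
function applyPending(mskey, approverMskey, approved, now) {
  const pvo = store.pending[mskey];
  if (!pvo) return -2;
  if (!pvo.MX_APPROVERS.includes(approverMskey)) throw new Error("not an approver");
  if (pvo.MX_VALIDFROM && pvo.MX_VALIDFROM > now) return -1;
  if (approved) {
    const entry = store.entries[pvo.MX_ENTRY_REFERENCE];
    const attr = pvo.MX_ATTRIBUTE_NAME;
    entry[attr] = (entry[attr] || []).concat(pvo.MX_ATTRIBUTE_VALUE);
    if (pvo.MX_VALIDTO) {  // validTo becomes the expiry time of the written value
      store.expiries.push({ entry: pvo.MX_ENTRY_REFERENCE, attr,
                            value: pvo.MX_ATTRIBUTE_VALUE, expiryTime: pvo.MX_VALIDTO });
    }
  }
  delete store.pending[mskey];
  store.oldValues.push({ ...pvo, approved, closedAt: now });
  return 0;
}

// Housekeeping run: delete attribute values whose expiry time has been reached.
// Returns the number of values removed.
function removeExpired(now) {
  let removed = 0;
  store.expiries = store.expiries.filter((e) => {
    if (e.expiryTime > now) return true;
    const entry = store.entries[e.entry];
    entry[e.attr] = entry[e.attr].filter((v) => v !== e.value);
    removed += 1;
    return false;
  });
  return removed;
}
```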
Task Hierarchy
Ordered Task Group containing, in order:
1. Preprocessing approvers
2. Approval task
3. uApplyPending
Further Information
SAP Public Web:
- SAP Developer Network (SDN): http://www.sdn.sap.com/irj/sdn/nw-identitymanagement
Related SAP Education and Certification Opportunities: http://www.sap.com/education/
- Course: TZNWIM SAP NetWeaver Identity Management 7.1 (5 days)
Related Workshops/Lectures at SAP TechEd 2010:
- SCI101, SAP NetWeaver Identity Management - Highlights of the Next Release, 2hr lecture
- SCI104, How to Migrate from SAP CUA to SAP NetWeaver Identity Management 7.1, 1hr lecture
- SCI200, Best Practices for Implementing SAP NetWeaver Identity Management, 1hr lecture
- SCI201, SAP Business Suite Integration with SAP NetWeaver ID Management 7.1: Focusing on SAP CRM 7.0 Provisioning, 1hr lecture
- SCI208, Putting the "Business" Back in SAP NetWeaver Identity Management Business Roles, 1hr lecture
- SCI262, Compliant Identity Management with SAP NetWeaver ID Management and SAP BusinessObjects Access Control, 2hr hands-on
8. Hands-On
Contact Feedback
Please complete your session evaluation. Be courteous: deposit your trash, and do not take the handouts for the following session.
2010 SAP AG. All Rights Reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. 
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.