Transcript

Identity Management with SAP NetWeaver IdM

Andreas Müller,

BT Global Services

24.04.2008

© BT 2008

Agenda

Introduction SAP NetWeaver IdM

Project IdM@BT

Project ISP
  Background and Motivation
  Functionality

Lessons Learned

Summary

SAP NetWeaver Identity Management

(Slide diagram: connected non-SAP systems such as web applications, legacy applications, MS Exchange, databases and operating systems, and SAP systems such as SAP ERP (ABAP), SAP XI (ABAP/Java), SAP Java, SAP HR (ABAP), SAP FI (ABAP) and SAP Portal (Java), with SAP NetWeaver Identity Management and HCM in the middle; example processes named on the slide: Order2Cash, on-boarding.)

Business process relies on appropriate user and role assignments in systems

IdM should be triggered by identity business processes and data

Functions of SAP NetWeaver Identity Management
  Distribution of users and role assignments for SAP and non-SAP systems
  Definition and rule-based assignment of meta roles
  Central identity store
  Approval workflows
  Identity management monitoring & audit
  HCM integration
  Identity virtualization and identity as a service through standard interfaces
  Password management

© SAP 2008

System Components

Workflow Web Front-End for end users
  Approvals
  Self-service
  Delegated administration

Monitoring Web Front-End for operations
  Analyse system activity

Management Console for administrators and developers
  System configuration

Database holds
  Identity store
  Process configuration

Dispatchers execute processes
  Batch synchronization
  User-initiated tasks
  Provisioning tasks

Event Agents
  Detect changes in connected systems

Virtual Directory
  Provides additional connectors

(Slide diagram: the Identity Center, consisting of the database, dispatchers, event agents, the monitoring front-end, the workflow front-end and the management console, sits between the source systems and the target systems; a virtual directory provides the additional connectors to the target systems. Actors shown: administrator, user/manager, developer.)

Management Console (screenshot)

Example: Request an SAP role

Monitoring (screenshot)


Use of Identity Center at BT

Synchronization of 230,000 identities from the Corporate Directory into Active Directory

Provisioning of personal and functional email accounts

Additional attributes joined from import files

Built-in delta mechanism reduces updates to Active Directory to the absolute minimum.

Performance
  Delta import once a day: duration 1.5 h
  Full import once a month: duration ca. 5 h

Benefits
  Efficient delta mechanism
  Highly customizable connectors

(Slide diagram: the Corporate Directory and delta import files feed the data synchronization engine and database of the Identity Center, which provisions the target system Active Directory.)
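The delta mechanism and the attribute join from import files described on this slide, as an added example (constructed here, not BT's or SAP's code). All entries, attribute names and employee ids are made up; the distinction between a daily delta feed and the monthly full export decides whether a missing entry may be treated as a deletion.

```python
"""Delta-based directory synchronization as the slide describes it (constructed
example, not BT's or SAP's code): corporate directory entries are joined with
extra attributes from an import file, compared with the state provisioned by
the previous run, and only the attributes that changed go to Active Directory."""
from typing import Dict, List, Tuple

# Constructed sample export of the corporate directory, keyed by employee id.
CORPORATE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "e100": {"cn": "Hans Mustermann", "mail": "hans@example.invalid", "ou": "MUC"},
    "e101": {"cn": "Erika Musterfrau", "mail": "erika@example.invalid", "ou": "FRA"},
    "e102": {"cn": "New Starter", "mail": "new@example.invalid", "ou": "MUC"},
}
# Constructed import file carrying an additional attribute (functional mailbox).
IMPORT_FILE: Dict[str, Dict[str, str]] = {
    "e100": {"functionalMail": "helpdesk@example.invalid"},
    "e101": {"functionalMail": "sales@example.invalid"},
}
# Constructed snapshot of what the previous run provisioned into Active Directory.
LAST_SYNCED: Dict[str, Dict[str, str]] = {
    "e100": {"cn": "Hans Mustermann", "mail": "hans@example.invalid", "ou": "MUC",
             "functionalMail": "helpdesk@example.invalid"},
    "e101": {"cn": "Erika Musterfrau", "mail": "erika@example.invalid", "ou": "BER",
             "functionalMail": "sales@example.invalid"},
    "e199": {"cn": "Left Company", "mail": "left@example.invalid", "ou": "FRA"},
}

def join_sources(directory, import_file):
    """Join the import-file attributes onto each directory entry by key."""
    return {key: {**entry, **import_file.get(key, {})} for key, entry in directory.items()}

def compute_delta(current, last, full_import):
    """Minimal operation list of (op, key, attributes): adds for new entries, modifies
    carrying only the changed attributes, and deletes for entries that vanished.
    An unchanged entry produces no operation at all."""
    ops: List[Tuple[str, str, Dict[str, str]]] = []
    for key, entry in sorted(current.items()):
        if key not in last:
            ops.append(("add", key, entry))
            continue
        changed = {k: v for k, v in entry.items() if last[key].get(k) != v}
        if changed:
            ops.append(("modify", key, changed))
    # A daily delta feed omits unchanged entries, so only the monthly full export
    # can prove that an entry is really gone and may be deleted downstream.
    if full_import:
        ops.extend(("delete", key, {}) for key in sorted(set(last) - set(current)))
    return ops

def run_import(full_import):
    return compute_delta(join_sources(CORPORATE_DIRECTORY, IMPORT_FILE), LAST_SYNCED, full_import)
```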


Customer: Internet Service Provider

Project Scope

Consulting
  IdM project setup and definition
  Requirements analysis
  Detailed vendor selection (longlist, RFI, shortlist, POC)
  Establish standards for the definition of roles and entitlements
  Process optimization for IdM administration processes
  Prepare data protection concepts and works council agreements
  Quality assurance concept
  Data cleansing support

Implementation
  Design based on the selected IdM tool (MaXware IC / SAP NetWeaver IdM)
  Implementation
    Data model
    IdM processes
    Provisioning interfaces to target systems
    IdM data synchronization
  Project management
  Test
  Migration of existing accounts and entitlements

Operations
  Change and incident management

Customer: Internet Service Provider

Motivation

Project goals
  Creation of a central identity repository for all non-customer identities accessing computing center applications
  Implementation of standardized administration processes for entitlements
  Creation of a central repository for entitlements
  Increasing data quality of identity and entitlement data
  Effective demonstration of SOX compliance
  Delegation of administrative tasks
  Increase degree of automation

Primary goals: increase usability, security and audit capabilities
Secondary goals: cost reduction and ROI considerations

Tool selection
  RFI with >10 major IdM vendors
  Presentations and proof of concept

Criteria
  "Support" for non-standard applications
  Flexibility, high degree of customization possible
  Expected implementation effort
  Match with skills available internally
  Support for roles and delegated administration
  Traceability of system and user actions

Source and Target Systems

Source systems
  HR
  Group directory
  Asset database

Target system types
  SAP
  ISP test accounts
  Building access
  Secure VPN
  LDAP
  Active Directory
  Samba
  SSH key management / key distribution
  ARS Remedy
  Sun Access Manager

User groups
  Employees
  Group employees
  Consultants
  Partners

Project History and Milestones

Nov. 2004   Requirements analysis
May 2005    Tool selection
July 2005   Design and start of implementation
Feb. 2006   Go-live Release 1.0 including
  Source-system connectivity (HR/Org master data)
  Standard request and approval process
  Internal administrative entitlement model, delegation of admin privileges
  Target systems SAP/LDAP
June 2007   Release 1.5
Sept. 2007  Release 1.6
Jan. 2008   Release 1.7
April 2008  Release 1.8

Agenda

Introduction SAP NetWeaver IdM

Project IdM@BT

Project ISP
  Background and Motivation
  Functionality
    Identity Management
    Entitlement Management
    Account Management
    Self-Service

Lessons Learned

Summary

Use Cases (1): Identity Management

Identity Management
  (Re-)enter company
  OU change
  Location change
  Position change
  Sabbaticals/maternity leave
  Leave company

(Slide diagram: identity lifecycle as a state machine with the states active, suspended and inactive. Events: (re-)enter company, change location, change company, change organization, change name, change position…, leave company, activate, suspend (e.g. maternity leave).)
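The lifecycle state machine on this slide, worked through as an added example (constructed here, not BT's or SAP's code). The state and event names follow the slide; the account consequences of each transition, the rule that accounts are assigned only to active identities and the edge suspended → leave → inactive are assumptions made for the example.

```python
"""Identity lifecycle state machine from the use-case slide (constructed example, not
BT's or SAP's code): states active, suspended, inactive and the events between them.
Account consequences (disable on suspend, delete on leave) are assumed, not on the slide."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# (current state, event) -> new state; suspended --leave--> inactive is assumed.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("inactive", "enter"): "active",      # (re-)enter company
    ("active", "suspend"): "suspended",   # e.g. maternity leave, sabbatical
    ("suspended", "activate"): "active",
    ("active", "leave"): "inactive",
    ("suspended", "leave"): "inactive",   # assumed
}
# Master-data changes that keep the identity active but must be re-provisioned.
ATTRIBUTE_EVENTS = {"change_location", "change_company", "change_organization",
                    "change_name", "change_position"}

@dataclass
class Identity:
    name: str
    state: str = "inactive"
    accounts: Dict[str, str] = field(default_factory=dict)  # system -> status
    audit: List[str] = field(default_factory=list)           # documentation / audit

def assign_account(identity: Identity, system: str) -> None:
    """Accounts are only assigned to an active identity (assumed rule)."""
    if identity.state != "active":
        raise ValueError(f"cannot assign {system} account while {identity.state}")
    identity.accounts[system] = "enabled"
    identity.audit.append(f"{identity.name}: assign {system} account")

def apply_event(identity: Identity, event: str) -> str:
    """Apply one lifecycle event, propagate it to the accounts, log it."""
    if event in ATTRIBUTE_EVENTS:
        if identity.state != "active":
            raise ValueError(f"{event} not allowed while {identity.state}")
        identity.audit.append(f"{identity.name}: {event} -> re-provision accounts")
        return identity.state
    if (identity.state, event) not in TRANSITIONS:
        raise ValueError(f"{event} not allowed while {identity.state}")
    new_state = TRANSITIONS[(identity.state, event)]
    if new_state == "inactive":  # leaving the company: accounts are deleted
        identity.audit.extend(f"{identity.name}: delete {s} account" for s in identity.accounts)
        identity.accounts.clear()
    else:                        # suspend disables, (re)activate enables
        for system in identity.accounts:
            identity.accounts[system] = "disabled" if new_state == "suspended" else "enabled"
    identity.audit.append(f"{identity.name}: {identity.state} --{event}--> {new_state}")
    identity.state = new_state
    return new_state
```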

Manage Master Data (screenshot: task menu)

Create Person (screenshot)

Create Location (screenshot)

Use Cases (2): Entitlement Management and Account Management

Entitlement Management
  Assign (temporary) permissions
  Revoke permissions
  Automated role assignment
  Documentation / audit

Account Management
  Assign account
  (De-)activate account
  Delete account
  Password management

(Slide diagram: entitlement model example. Person Hans Mustermann with the attributes Location, Company and OU; functional role Employee; account Active Directory; permissions VPN-Access and AD group Employees-MUC.)

Create Permissions (screenshot)

Creates the permission within the IdM system as well as in the target system.

Assign/Revoke Permissions (screenshot)

Delegated administration for permission owners.

Use Cases (3): Self-Service

Self-Service
  Password reset
  Data protection requirements
  Self-service for certain person attributes
  Request permissions

(Slide diagram: permission request workflow. Request -> 1. approval -> 2. approval (if configured) -> provision -> notify; a denial at either approval step ends the request.)

Request Permissions (screenshot)

Users may request permissions for themselves or others. The approval process is configurable for each permission.

Approver roles:
  Line manager
  Permission owner
  Target system owner
  HR

Approval (screenshot, names redacted)
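The request and approval workflow from the self-service diagram and the Request Permissions slide, as an added example (constructed here, not BT's or SAP's code). The approver role names are the slide's; the per-permission approval chains, the request states and the sample permissions are assumptions made for the example.

```python
"""Permission request workflow from the self-service slide (constructed example,
not BT's or SAP's code): first approval, optional second approval, then
provisioning and notification; a denial at either step ends the request. The
approver roles per permission are configuration, using the slide's role names."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Per-permission approval chain (constructed sample configuration).
APPROVAL_CONFIG: Dict[str, List[str]] = {
    "VPN-Access": ["line_manager", "target_system_owner"],  # two-step approval
    "AD-Group Employees-MUC": ["permission_owner"],          # single approval
}

@dataclass
class Request:
    requester: str
    beneficiary: str          # users may request for themselves or for others
    permission: str
    approvals: List[str] = field(default_factory=list)
    state: str = "requested"  # requested -> provisioned | denied
    log: List[str] = field(default_factory=list)

def submit(requester: str, beneficiary: str, permission: str) -> Request:
    """Open a request; permissions without an approval chain cannot be requested."""
    if permission not in APPROVAL_CONFIG:
        raise KeyError(f"no approval configuration for {permission}")
    return Request(requester, beneficiary, permission)

def pending_approver(req: Request) -> Optional[str]:
    """Role whose decision is awaited next, or None when no approval remains."""
    chain = APPROVAL_CONFIG[req.permission]
    return chain[len(req.approvals)] if len(req.approvals) < len(chain) else None

def decide(req: Request, role: str, approved: bool) -> str:
    """Record one approval decision and advance the workflow; returns the new state."""
    if req.state != "requested":
        raise ValueError(f"request already {req.state}")
    if role != pending_approver(req):   # only the configured next approver may decide
        raise PermissionError(f"{role} is not the pending approver")
    if not approved:
        req.state = "denied"
        req.log.append(f"denied by {role}; notify {req.requester}")
        return req.state
    req.approvals.append(role)
    if pending_approver(req) is None:   # chain complete: provision, then notify
        req.state = "provisioned"
        req.log.append(f"provision {req.permission} for {req.beneficiary}; notify {req.requester}")
    return req.state
```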


Lessons Learned

Implementation
  Expectations concerning adaptability were fulfilled
  Tool supports change and redesign very well in the course of extensions and additions
  Short implementation cycles achieved
  System behavior is transparent and follows a consistent paradigm
  Number of processes (approx. 150 processes, 1300 steps) makes the system complex
  Framework developed on top of built-in functionality
  (Regression) testing indispensable

Processes
  Flexibility (data model, user interface, processes) brings the temptation of relaxing initial standards as the system evolves over time
  End-user help crucial to reduce helpdesk call volume
  Complexity multiplies (user types x identity states x data sources)

General issues
  Data cleansing and migration may take up to 50% of target system implementation effort
  Development, integration and production environments required to manage changes
  Pragmatic approach to the use of roles allows for a sufficient degree of automation without complex role modeling processes

Summary

Agile implementation possible
  Quick reaction to changed requirements
  High degree of flexibility concerning data model, process adaptation and front-end extension
  Comprehensive monitoring tools to diagnose system behavior

Flexibility requires
  Experienced IdM developers and designers
  Mature project and software development organization
  Comprehensive QA measures appropriate for IdM (i.e. automated regression tests)

SAP NetWeaver Identity Management fulfilled the expectations regarding the speed and flexibility of a tool-box, but requires thorough design and planning for large deployments.

Thank You

Andreas Müller
Solutions Architect
Global Professional Services
BT (Germany) GmbH & Co. oHG
Tel: +49 (0)69 3307-8074
[email protected]