
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal 1

Upload: vuonganh

Post on 29-May-2018



Timm Seitz, Senior Architect, Oracle Solution Center SAP Competence

Oracle Identity Management

Oracle Identity Manager for SAP


Agenda

Identity Management Today (IdM)

Overview Oracle Identity Manager for SAP

Integration OIM with SAP BO AC V10

OSC4SAP/SAP Competence 4 OIM Support

Q&A


Identity Management Today


IdM (in the broader sense)

An entity can be anything with a distinct characterization (person, object, group, organization, ...). Each entity can have more than one context-based identity (a 1-n relationship).

Main tasks:

✔ Secure central administration of all identities

✔ Reliable identification of each identity (authentication)

✔ Context/attribute-based identity authorization

Identity Management (Identitätsmanagement)


Digital Identity Management

✗ Entity scoping (within the organization and/or cross-organizational/federated)

✗ Identity life-cycle management (account creation, modification, suspension, termination or archiving)

✗ Central administration and protection of identity information (attributes) over time (including all changes)

✗ Assignment and administration of different roles to the various identities

✗ Role linking with responsibilities and privileges/rights in order to be able to access resources

✗ Account password synchronization

✗ Handling of systems which are used to store identity information (directory services, databases, ...)

✗ Handling of media which hold identity data (tokens, cards, ...)

✗ User self-services

Simplified view

Central administration of individuals and their digital identities (system user accounts), which typically is a 1-n relationship.

Identity Management


Enterprise / Cross-Enterprise IAM

Compliance

Bring Your Own Device (BYOD)


Global IdM Market

In 2013 the global enterprise identity management market was 3 billion euros, a 10% growth from 2012.

Identity Management is a necessary component of all new application initiatives


OIM Competence

• Every Cloud, Mobile or Social Application requires Identity Management

• Reducing the costs and risks of identifying who has access to what is a top priority for organizations

• Platform approach to identity management reduced costs by 48% and errors by 35%

• Oracle is the market-leading provider of a complete Identity Management Platform

Oracle has 30,000 Identity Management Customers in 45 countries

[Chart: Market and Performance, covering User Provisioning and Identity Governance]


Identity Management by Oracle


Oracle Identity Manager for SAP


Definition

Oracle Identity Manager for SAP

• Central user life-cycle-management

• Provisioning:

• Push model – an outward flow of user information from OIM to the target system

• Reconciliation:

• Push or Pull model – an inward flow of user information into OIM

[Diagram: Provisioning and Reconciliation. Source (S) → OIM via Reconciliation (R); OIM → Target System via Provisioning (P). OIM runs on the Oracle Identity Manager / WebLogic J2EE engine with a set of connectors (..., SAP Connector) plus Reporting, Audit, Identity Analytics and SoD Integration.]


Oracle Identity Manager – Baseline WebLogic based deployment

Oracle Identity Manager 4 SAP

• J2EE Server environment:

• A WebLogic Admin Server (shared)

• A WebLogic Managed Server instance for OIM 11g

• A WebLogic Managed Server instance for SOA and Web services security, to carry out approvals and workflow routing

• DB environment:

• Oracle DB instance for the various product schemas:

• OIM, SOA

• Fusion Middleware

• Web Server instance as proxy for OIM and SOA

[Diagram: two Web Server instances in front of the OIM, Admin and SOA servers]


Oracle Identity Manager – Identity Connector Framework (ICF)

Oracle Identity Manager for SAP

[Diagram: Trusted Source → (R) OIM/OW → (P) Target System. Common connectors run in the Oracle Identity Manager ICF Server; Waveset and OIM attach on the API side, the connectors on the SPI side.]

• Available connector families:

• Oracle Waveset (Sun IdM)

• Oracle Identity Manager

• Converged into a single framework:

• Identity Connector Framework

• Feature parity and simplified deployment

• Independent Connector Server(s) instances:

• OIM Business logic separated from the Connector logic

• Independent Connector Server instances (if needed), e.g. Java, .Net, Native ….

• Backward compatibility: any connector works with any ICF version, and there is no dependency between the connector and the IdM server release cycle


OIM SAP Connectors as of May 2013

Oracle Identity Manager for SAP

[Diagram: Trusted Source → (R) OIM/OW → (P) Target System. The SAP Connector runs as a common connector in the Oracle Identity Manager ICF Server; Waveset and OIM attach on the API side, the connectors on the SPI side.]

• Available SAP specific connectors:

• SAP UM Connector

• Including SAP CUA support

• Including SAP BO AC 5.3 support

• Including SAP BO AC V10 support

• SAP UME Connector

• Including SAP Federated Portal support

• Including SAP BO AC 5.3 support

• Including SAP BO AC V10 support

• SAP Employee Reconciliation Connector

• Specific SAP HCM/HR Connector


Oracle Identity Manager – SAP User Management Connector (May 2013)

Oracle Identity Manager for SAP

• Basic mode/functions:

• Account creation or modification provisioning requests to either SAP ERP (ABAP) or SAP CUA/ZBV

• Supported provisioning methods:

• Direct provisioning (OIM admin only driven)

• Request-based provisioning (OIM user driven)

• Access policy change provisioning (OIM automatic driven)

• Using official SAP BAPIs for all SAP target provisioning/account operations

[Diagram: OIM ↔ SAP ERP through the SAP UM Connector and SAP BAPIs. Scheduled tasks drive provisioning (create/update) and reconciliation (sync against OIM users, picking up direct SAP changes made via SU01).]

SAP Central User Administration (CUA) = Zentrale Benutzerverwaltung (ZBV), ABAP


Oracle Identity Manager – SAP User Management Connector (May 2013)

Oracle Identity Manager for SAP

• Basic mode/functions:

• Account creation or modification provisioning requests to either SAP ERP (ABAP) or SAP CUA/ZBV

• Supported provisioning methods:

• Direct provisioning (OIM admin only driven)

• Request-based provisioning (OIM user driven)

• Access policy change provisioning (OIM automatic driven)

• SAP CUA point of view = indirect provisioning

[Diagram: OIM → SAP CUA through the SAP UM Connector and SAP BAPIs (scheduled tasks for reconciliation and provisioning); SAP CUA in turn provisions the attached SAP ERP systems via BAPIs. ABAP only!]

SAP Central User Administration (CUA) = Zentrale Benutzerverwaltung (ZBV), ABAP


Oracle Identity Manager – SAP User Management Engine Connector

Oracle Identity Manager for SAP

• Basic mode/functions:

• Account creation or modification provisioning requests to SAP AS Java based application components, e.g. SAP NW Enterprise Portal

• Supported provisioning methods:

• Direct provisioning (OIM admin only driven)

• Request-based provisioning (OIM user driven)

• Access policy change provisioning (OIM automatic driven)

• Using official SAP Web Services for all SAP target provisioning/account operations

[Diagram: OIM ↔ SAP AS Java through the SAP UME Connector (WS client) and the SAP SPML Service (WebS). Scheduled tasks drive provisioning (create/update) and reconciliation (sync against OIM users, picking up direct SAP changes made in the Admin Console).]


Oracle Identity Manager – SAP HCM/HR Connector

Oracle Identity Manager for SAP

• Basic mode/functions:

• OIM Connector for SAP Employee Reconciliation (HCM Active Sync)

• Retrieves employee records in real-time from SAP HCM and creates identities for them in OIM

• Typical use case: New hire

• Supported deployments

• Full Reconciliation (all source system users)

• Incremental Reconciliation – tRFC (Only changes or new user records)

• SAP Intermediate Document (IDoc) based data exchange / ASCII-based flat files (Application Link Enabling interface)*

[Diagram: SAP ECC/HCM (HCM department, PA30) is the leading/authoritative source. HCM profiles leave as SAP IDocs either via the SAP Java Connector over tRFC (listener based, incremental reconciliation) or by manual copy into the OIM directory (full reconciliation via scheduled tasks); OIM creates and updates OIM users from them.]

*The connector supports all IDoc types that are associated with the HRMD_A message type.

No support for SAP system account provisioning or reconciliation for SAP HCM.
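The two reconciliation modes on this slide (full: every source record; incremental: only changed or new records) can be modelled as a small comparison step. This is an added example, not connector code from Oracle; the employee records, the OIM store and the "last run" date are constructed stand-ins, and IDoc parsing is deliberately left out.

```python
"""Added example: full vs. incremental reconciliation of HCM employee records
into an identity store. All names, numbers and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    pernr: str          # HCM personnel number (constructed)
    name: str
    department: str
    active: bool
    changed_on: date    # last change date in HCM


@dataclass
class OimStore:
    """Stand-in for OIM identities, keyed by the HCM personnel number."""
    identities: Dict[str, Employee] = field(default_factory=dict)

    def apply(self, actions: List[Tuple[str, Employee]]) -> None:
        for _, emp in actions:          # create and update both upsert
            self.identities[emp.pernr] = emp


def reconcile(hcm_records: List[Employee], store: OimStore, mode: str,
              since: Optional[date] = None) -> List[Tuple[str, Employee]]:
    """Return the (action, record) pairs one reconciliation run would emit.

    full:        compare every source record against OIM (HCM is authoritative).
    incremental: only records changed after `since`, the tRFC/listener variant.
    """
    if mode == "incremental":
        if since is None:
            raise ValueError("incremental reconciliation needs the last-run date")
        candidates = [e for e in hcm_records if e.changed_on > since]
    elif mode == "full":
        candidates = list(hcm_records)
    else:
        raise ValueError(f"unknown mode {mode!r}")

    actions: List[Tuple[str, Employee]] = []
    for emp in candidates:
        existing = store.identities.get(emp.pernr)
        if existing is None:
            actions.append(("create", emp))     # typical use case: new hire
        elif existing != emp:
            actions.append(("update", emp))     # attribute or status change
    return actions


# Constructed HCM feed and an OIM store that already knows two of the employees.
HCM_FEED = [
    Employee("00001001", "A. Example", "FI", True, date(2013, 5, 2)),
    Employee("00001002", "B. Example", "HR", True, date(2013, 4, 20)),
    Employee("00001003", "C. Example", "FI", False, date(2013, 5, 10)),
]
STORE = OimStore({
    "00001002": Employee("00001002", "B. Example", "HR", True, date(2013, 4, 20)),
    "00001003": Employee("00001003", "C. Example", "FI", True, date(2013, 3, 1)),
})


def demo() -> Tuple[List[str], List[str]]:
    """Actions from a full run and from an incremental run since 2013-05-05."""
    full = reconcile(HCM_FEED, STORE, "full")
    inc = reconcile(HCM_FEED, STORE, "incremental", since=date(2013, 5, 5))
    return [a for a, _ in full], [a for a, _ in inc]
```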


Oracle Identity Manager with SAP BO Access Control V10


Oracle Enterprise Governance Suite – Governance/Compliance Platform

[Diagram: Grant User Access (Provision / De-Provision) and Monitor User Access, spanning OS to applications (Unix, MS, Linux, ... – eMail, ERP, LDAP, ADS, ...). Functions: Access Request; Privileged Account Request (Check-in/Checkout); Role Lifecycle Management; Identity Certifications; IT Audit Monitoring; Rogue Detection & Reconciliation; Reporting & Privileged Access Monitoring. Connectors and an Access Catalog (Ownership, Risk & Audit Objectives; Catalog Management of Accounts, Roles, Glossaries, Entitlements). Heterogeneous (non-Oracle) integration!]


Oracle Enterprise Governance Suite – Risk-based Certification and Segregation of Duties Analysis

[Diagram: Identity data sources (Mainframe, DB, Applications, Operating System) feed OIM + OIdA / Access Controls Governor (ESoD). Inputs: Roles, Entitlements, Resources, Certification History, Provisioning Events, Policy Violations, SoDs (best-practice libraries for Oracle applications). Risk aggregation separates low-risk users (bulk certify) from high-risk users (Cert 360: focused approve/reject and sign-off).]

SoD = Funktionstrennung (segregation of duties); OIdA = Oracle Identity Analytics, central role management


Definition / What is SAP BusinessObjects Access Control?

SAP BO AC V10

SAP solution for a centralized, SAP-compliant user management / SoD analysis:

- Taking care of SAP specific SoD checks

- Who has received which SAP authorization and why?

- Who has assigned compensating controls and why?

- Taking care of the SAP specific audit data

SoD = Funktionstrennung (segregation of duties)


Functional overview : SAP GRC Cornerstone Products

SAP BO AC V10

SAP Access Control: Fine Grained Auditing, Separation of Duties, Policy Enforcement

SAP Process Control: An enterprise control framework for business processes. Leverages RM and AC data, linking risks and controls to different security and control frameworks (such as COSO and COBIT) and legislation (such as Sarbanes-Oxley).

SAP Risk Management: Informs stakeholders and operational processes of risks and controls that are relevant to their business context. Allows assignment of risks to corporate policies and enables procedures to be assigned as risk mitigations.

SAP Unified GRC – powered by SAP NW ABAP (all three components are ABAP based)

SAP based internal control framework, e.g. SoX Compliance – COBIT – ICF


Technical overview

SAP BO AC V10

SAP® GRC Suite V10 – SAP NetWeaver AS ABAP 7.02 only

Components: AC-PC-RM (one component); GTS (one component); Content Lifecycle Management; Basis Components (http, DIAG)

One deployment package / separate product activation

DIAG = SAPGUI specific communication protocol


Functional overview : The four pillars of Access Control

SAP BO AC V10


Bridging a business and a technology gap

Enterprise IT-Compliance


Technical overview SAP ABAP WebS integration

SAP BO AC V10

IdM Integration: SAP® GRC Suite V10 (AC-PC-RM, one component) → SAP® ABAP WS Framework → SOAP Runtime → Internet Communication Manager/Framework

Web service standards: eXtensible Markup Language (XML); Simple Object Access Protocol (SOAP); Web Service Definition Language (WSDL); and Universal Description, Discovery, and Integration (UDDI)

IdM integration uses Web Services over HTTP, HTTPS, (SMTP, optional); SAP and non-SAP consumers use the same technology

SAP SOAP Framework


Oracle Identity Manager – Integration of SoD Engines

Oracle Identity Manager for SAP

• OIM SIL Provider

• SoD Invocation Library

• Basis of the OIM-SoD implementation

• A SIL Provider acts as the interface between the SIL and a specific SoD engine, e.g. SAP BO AC (SAP GRC SIL Provider)

• SIL is a collection of Java-based adapters that enable integration with predefined OIM connectors

• Integration of almost any 3rd party SoD engine possible

• SIL-Provider represents a special adapter for a specific SoD engine, e.g. SAP BO AC

[Diagram: OIM → SAP BO AC over web services (WebS). Inside OIM, the SoD Invocation Lib (SIL and Adapters) hosts the SIL Providers: SAP SIL Provider, Custom SIL Provider, OAACG* SIL Provider.]

*OAACG = Oracle Application Access Controls Governor


Oracle Identity Manager for SAP

• OIM SAP AC SIL Provider

• Web Services based communication

• OIM SAP AC Web Service Client

• Based on SAP official AC - WSDL input

• Used by the OIM SAP Connectors during "Provisioning" operations for SoD checks

[Diagram: OIM as consumer. The AC Web Service Client inside the SAP SIL Provider calls SAP BO AC; the Custom SIL Provider and the OAACG* SIL Provider sit beside it on the SoD Invocation Lib (SIL and Adapters).]

*OAACG = Oracle Application Access Controls Governor

Oracle Identity Manager – Integration of the SAP SoD Engine

WSDL = Web Service Definition Language


Oracle Identity Manager – Integration of the SAP SoD Engine

Oracle Identity Manager for SAP

• OIM SAP Connectors

• To be used as interface between OIM and SAP BusinessObjects Access Control

• Provisioning requests can be validated by the SAP official SoD engine

• Supported connector types for SoD checking

• OIM SAP User Management Connector

• OIM SAP User Management Engine Connector

[Diagram: the OIM SAP UM Connector (1) and the OIM SAP UME Connector (2) on the ICF invoke the pre-configured SAP SIL Provider in OIM, which sends the SoD checks over web services (WebS) to SAP® BO AC V10 (AC-PC-RM on NW AS ABAP, with AS ABAP UM).]


OIM Scenario 01: IdM with SoD (SAP BO AC V10)

[Flowchart with three lanes: IdM-Requestor, IdM-Approver, AC-System User. Steps: Create & Submit Access Request → Review Request → Appropriate Access? → Perform Risk Analysis → Risk Violations? → Manage Access Risks → Modify Request / Request Modified? → Approve Request? → User Provisioning → Provisioning SAP Applications (option: Perform SAP Risk Analysis) → Synchronization SAP Applications → AC–SAP Account Reconcile. Each decision has Yes/No branches.]


OIM Scenario 01: IdM with SoD (SAP BO AC V10)

[Diagram: Requestor (Clerk): new or change request → Business line manager (e.g. FI Manager): business approval and risk analysis / SoD → IT department: IT provisioning. One workflow, the Oracle IdM WFL, carries the non-SAP SoD check and the SAP specific SoD check; SAP SoD is used for risk analysis only.]
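The SIL Provider role described earlier (one adapter per SoD engine behind a common invocation library) and the Scenario 01 flow (business approval, risk analysis, managing open risks, then provisioning) can be modelled together. This is an added example, not Oracle's SIL API or SAP AC code: the provider interface, the rule-based engine stand-in, the role names and the risk ids are all constructed.

```python
"""Added example: a SIL-like provider interface and a provisioning decision
gated by its SoD result. Roles, risk ids and the request are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Protocol, Set


@dataclass(frozen=True)
class Violation:
    risk_id: str
    conflicting_roles: FrozenSet[str]


class SodProvider(Protocol):
    """What a SIL provider has to offer: adapt one SoD engine to a common call."""
    def analyze(self, user: str, roles: Set[str]) -> List[Violation]: ...


class RuleBasedProvider:
    """Stand-in for an engine-specific provider: a risk fires when the user
    would hold every role in the conflicting set at once."""
    def __init__(self, risks: Dict[str, FrozenSet[str]]):
        self.risks = risks

    def analyze(self, user: str, roles: Set[str]) -> List[Violation]:
        return [Violation(rid, need) for rid, need in self.risks.items() if need <= roles]


@dataclass
class AccessRequest:
    user: str
    current_roles: Set[str]
    requested_roles: Set[str]
    mitigations: Set[str] = field(default_factory=set)  # risk ids with a compensating control
    business_approved: bool = False


def decide(req: AccessRequest, provider: SodProvider) -> str:
    """Scenario 01 order: business approval, risk analysis on the resulting role
    set, unmitigated risks block, otherwise the request goes to provisioning."""
    if not req.business_approved:
        return "denied: no business approval"
    target = req.current_roles | req.requested_roles     # analyse the end state, not the delta
    open_risks = [v for v in provider.analyze(req.user, target)
                  if v.risk_id not in req.mitigations]
    if open_risks:
        ids = ", ".join(sorted(v.risk_id for v in open_risks))
        return f"blocked: unmitigated SoD risk(s) {ids}"
    return "provision"


# Constructed rule set: maintaining a vendor and running its payments is the classic conflict.
ENGINE = RuleBasedProvider({
    "R_VENDOR_PAY": frozenset({"Z_VENDOR_MAINTAIN", "Z_PAYMENT_RUN"}),
    "R_GL_POST_APPROVE": frozenset({"Z_GL_POST", "Z_GL_APPROVE"}),
})


def run_scenario() -> Dict[str, str]:
    """Walk one constructed request through the decision in three states."""
    req = AccessRequest("uexample", {"Z_VENDOR_MAINTAIN"}, {"Z_PAYMENT_RUN"})
    out = {"unapproved": decide(req, ENGINE)}
    req.business_approved = True
    out["approved"] = decide(req, ENGINE)
    req.mitigations.add("R_VENDOR_PAY")                   # compensating control assigned
    out["mitigated"] = decide(req, ENGINE)
    return out
```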


OIM Scenario 02: IdM with Access Request Management (SAP BO AC V10)

[Flowchart with lanes IdM-Requestor and AC-End Users. Steps: Create & Submit Access Request → Review Request → Appropriate Access? → Perform Risk Analysis → Risk Violations? → Manage Access Risks / Mitigate risks → Modify Request / Request Modified? → Approve Request? → Request Status? (Approved / Denied) → User Provisioning → Provisioning SAP Applications (option) → Synchronization SAP Applications → OIM–SAP Account Reconcile. Each decision has Yes/No branches.]

Mitigation Controls = (loosely) risikoreduzierende Kontrollen (risk-reducing controls)


OIM Scenario 02: IdM with Access Request Management (SAP BO AC V10)

[Diagram: Requestor (Clerk): new or change request → Business line manager (e.g. FI Manager): business approval and risk analysis / SoD → IT department: IT provisioning. Two workflows: the Oracle IdM WFL carries the non-SAP SoD check and non-SAP provisioning; the SAP BO AC CUP WFL carries the SAP specific SoD check and SAP provisioning (SAP Admin).]


OSC4SAP Services


OSC4SAP Pre-Sales Services

• Customer workshop/TOI 3-4 hours

• Focus: Customer SAP department

• Agenda:

• Official SAP Interface Technologies

• SAP Interfaces used by OIM

• OIM SAP Connectors

• Intro SAP BO AC

• Integration OIM – SAP BO AC

OIM for SAP Sales Support

• Combined SAP/OIM know-how (personal skill set)

Example: Retailer / Austria / Sept. 2012

• Customer workshop/TOI 4 hours

• Overall: 20 people

• Focus: Customer SAP department

– SAP Basis team

– SAP HR team

– SAP Security

– OIM team

Success factor: Oracle described in depth the integration between OIM and SAP technology


Open Questions


Oracle Release Support


SAP User Management (ABAP) Connector Release 11.1.1.5.0

Oracle Identity Manager for SAP

• Supported OIM Releases

• Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later

• Oracle Identity Manager 11g Release 2 (11.1.2.0.1) or later

• Supported SAP JCo release

• SAP JCo 3.0.2 or later

• Supported SAP BO AC Releases:

• SAP BO AC V5.3

• SAP BO AC V10


SAP User Management Engine (Java) Connector Release 11.1.1

Oracle Identity Manager for SAP

• Supported OIM Releases

• Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later

• Oracle Identity Manager 11g Release 2 (11.1.2.0.1) or later

• Supported SAP JCo release

• SAP JCo 3.0.2 or later

• Supported SAP BO AC Releases:

• SAP BO AC V5.3

• SAP BO AC V10


Oracle Waveset (former Sun Identity Manager)

Oracle Identity Manager for SAP

• Oracle Waveset support for BO AC

• Only supported for BO AC V5.3 (official SAP certified integration)

• No support for BO AC V10
