TRANSCRIPT
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal1
Timm Seitz, Senior Architect, Oracle Solution Center SAP Competence
Oracle Identity Management
Oracle Identity Manager for SAP
Agenda
Identity Management Today (IdM)
Overview Oracle Identity Manager for SAP
Integration OIM with SAP BO AC V10
OSC4SAP / SAP Competence for OIM Support
Q&A
IdM (in the broader sense)
An entity can be anything with a distinct characterization (person, object, group, organization, ...). Each entity can have more than one context-based identity (1-n relationship).
Main tasks:
✔ Secure central administration of all identities
✔ Reliable identification of each identity (authentication)
✔ Context/attribute based identity authorization
Identity Management
Digital Identity Management
✗ Entity scoping (within the organization and/or cross-organizational/federated)
✗ Identity life-cycle management (account creation, modification, suspension, termination or archiving)
✗ Central administration and protection of identity information (attributes) over time (including all changes)
✗ Assignment and administration of different roles to the various identities
✗ Linking roles with responsibilities and privileges/rights so that resources can be accessed
✗ Account password synchronization
✗ Handling of the systems used to store identity information (directory services, databases, ...)
✗ Handling of the media that hold identity data (tokens, cards, ...)
✗ User self-services
Simplified view
Central administration of individuals and their digital identities (system user accounts), which is typically a 1-n relationship.
Identity Management
Enterprise / Cross-Enterprise IAM
Compliance
Bring Your Own Device (BYOD)
Global IdM Market
The 2013 global enterprise identity management market was 3 billion euros, a 10% growth over 2012
Identity Management is a necessary component of all new application initiatives
OIM Competence
• Every Cloud, Mobile or Social Application requires Identity Management
• Reducing the costs and risks of identifying who has access to what is a top priority for organizations
• Platform approach to identity management reduced costs by 48% and errors by 35%
• Oracle is the market leading provider of a complete Identity Management Platform
Oracle has 30,000 Identity Management customers in 45 countries
[Diagram: Market / Performance; User Provisioning, Identity Governance]
Identity Management by Oracle
Oracle Identity Manager for SAP
Definition
Oracle Identity Manager for SAP
• Central user life-cycle management
• Provisioning:
– Push model: an outward flow of user information from OIM to the target system
• Reconciliation:
– Push or pull model: an inward flow of user information into OIM, either from an authoritative source or read back from the target system
[Diagram: Source → (Reconciliation) → OIM → (Provisioning / Reconciliation) → Target System; Oracle Identity Manager on the WebLogic J2EE engine with connectors (..., SAP Connector); Reporting, Audit, Identity Analytics, SoD Integration]
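As an added example (not code from the slides, from Oracle or from SAP), the following script models the two flows defined above: provisioning as a push of OIM's authoritative view onto a target, and reconciliation as a pull that surfaces what was changed behind OIM's back in the target (the direct changes and rogue accounts the connector slides refer to). The user store, the target system and the set of managed attributes are assumptions; the sample accounts are constructed.

```python
"""Push provisioning vs. pull reconciliation, as a simplified model.

Added example, not code from the slides, from OIM or from the SAP connector.
Hypothetical assumptions: both the OIM user store and the target system
(e.g. an SAP ABAP system) are plain dicts keyed by login, and the connector
manages only the attributes listed in MANAGED_ATTRS.
"""
from dataclasses import dataclass

MANAGED_ATTRS = ("name", "email", "enabled")


@dataclass
class Account:
    login: str
    name: str
    email: str
    enabled: bool = True


# Constructed sample data: OIM is the authoritative side for these accounts.
OIM_USERS = {
    "jdoe": Account("jdoe", "Jane Doe", "jane.doe@example.com"),
    "bsmith": Account("bsmith", "Bob Smith", "bob.smith@example.com"),
    # Left the company: OIM has already disabled the identity.
    "tleft": Account("tleft", "Tom Left", "tom.left@example.com", enabled=False),
}

# Constructed target-system state, as a reconciliation run would read it.
TARGET_ACCOUNTS = {
    "jdoe": Account("jdoe", "Jane Doe", "jane.doe@example.com"),
    # Re-enabled directly in the target (e.g. in SU01): drift from OIM's view.
    "tleft": Account("tleft", "Tom Left", "tom.left@example.com", enabled=True),
    # Created directly in the target and unknown to OIM: a rogue account.
    "zadmin": Account("zadmin", "Z Admin", "zadmin@example.com"),
}


def plan_provisioning(oim, target):
    """Push model: compute the create/update operations OIM must send to the target."""
    actions = []
    for login, user in sorted(oim.items()):
        existing = target.get(login)
        if existing is None:
            actions.append(("create", login, {a: getattr(user, a) for a in MANAGED_ATTRS}))
            continue
        diff = {a: getattr(user, a) for a in MANAGED_ATTRS
                if getattr(user, a) != getattr(existing, a)}
        if diff:
            actions.append(("update", login, diff))
    return actions


def reconcile_target(oim, target):
    """Pull model: read the target and report what OIM does not know about.

    Events are accounts that exist only in the target (rogue accounts) and
    managed attributes whose target value differs from OIM's value (drift).
    """
    events = []
    for login, acct in sorted(target.items()):
        user = oim.get(login)
        if user is None:
            events.append(("rogue_account", login, None))
            continue
        drift = {a: (getattr(user, a), getattr(acct, a)) for a in MANAGED_ATTRS
                 if getattr(user, a) != getattr(acct, a)}
        if drift:
            events.append(("drift", login, drift))
    return events


def apply_provisioning(target, actions):
    """Execute the planned actions against the target (in a real deployment: the SAP BAPIs)."""
    for op, login, attrs in actions:
        if op == "create":
            target[login] = Account(login, **attrs)
        else:
            for attr, value in attrs.items():
                setattr(target[login], attr, value)
    return len(actions)


if __name__ == "__main__":
    target = {k: Account(**vars(v)) for k, v in TARGET_ACCOUNTS.items()}
    print("reconciliation events:", reconcile_target(OIM_USERS, target))
    print("provisioning plan:", plan_provisioning(OIM_USERS, target))
    apply_provisioning(target, plan_provisioning(OIM_USERS, target))
    print("after push:", reconcile_target(OIM_USERS, target))
```

The push repairs the drift on the disabled account, but it cannot remove the rogue account, because OIM has no record of it: that event is only visible through the pull, which is why a target-system reconciliation job is scheduled alongside provisioning rather than replaced by it.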
Oracle Identity Manager – Baseline WebLogic based deployment
Oracle Identity Manager for SAP
• J2EE server environment:
– A WebLogic Admin Server (shared)
– A WebLogic Managed Server instance for OIM 11g
– A WebLogic Managed Server instance for SOA and Web services security, to carry out approvals and workflow routing
• DB environment:
– Oracle DB instance for the various product schemas: OIM, SOA, Fusion Middleware
• Web server instance as proxy for OIM and SOA
[Diagram: Web servers in front of the OIM, Admin and SOA servers]
Oracle Identity Manager – Identity Connector Framework (ICF)
Oracle Identity Manager for SAP
[Diagram: Trusted Source → (trusted source reconciliation) → OIM / OW → (provisioning, reconciliation) → Target System, via the ICF connector server; common connectors for Waveset and OIM share one API and SPI]
• Available connector families:
– Oracle Waveset (Sun IdM)
– Oracle Identity Manager
• Converged into a single framework:
– Identity Connector Framework
– Feature parity and simplified deployment
• Independent Connector Server instances:
– OIM business logic separated from the connector logic
– Independent Connector Server instances (if needed), e.g. Java, .NET, native, ...
• Backward compatibility: any connector works with any ICF version, and there is no dependency between the connector and the IdM server release cycle
OIM SAP Connectors as of May 2013
Oracle Identity Manager for SAP
[Diagram: same ICF topology as above, with the SAP Connector as one of the common connectors]
• Available SAP specific connectors:
– SAP UM Connector, including SAP CUA support, SAP BO AC 5.3 support and SAP BO AC V10 support
– SAP UME Connector, including SAP Federated Portal support, SAP BO AC 5.3 support and SAP BO AC V10 support
– SAP Employee Reconciliation Connector, a specific SAP HCM/HR connector
Oracle Identity Manager – SAP User Management Connector (May 2013)
Oracle Identity Manager for SAP
• Basic mode/functions:
– Account creation or modification provisioning requests to either SAP ERP (ABAP) or SAP CUA/ZBV
• Supported provisioning methods:
– Direct provisioning (driven by the OIM admin only)
– Request-based provisioning (driven by the OIM user)
– Access policy change provisioning (driven automatically by OIM)
• Uses official SAP BAPIs for all SAP target provisioning/account operations
[Diagram: OIM ↔ SAP UM Connector ↔ SAP BAPIs ↔ SAP ERP; provisioning creates/updates accounts, scheduled reconciliation tasks sync the target against OIM users and pick up direct changes made in SAP (SU01)]
SAP Central User Administration (CUA) = Zentrale Benutzerverwaltung (ZBV), ABAP
Oracle Identity Manager – SAP User Management Connector (May 2013), CUA deployment
Oracle Identity Manager for SAP
• Same basic functions and provisioning methods as above (direct, request-based and access-policy driven provisioning via the official SAP BAPIs)
• From the SAP CUA point of view this is indirect provisioning: OIM provisions the account to the CUA central system, and CUA distributes the account data to the attached SAP ERP (ABAP) child systems
• ABAP only!
[Diagram: OIM ↔ SAP UM Connector ↔ SAP BAPIs ↔ SAP CUA → SAP ERP; scheduled tasks reconcile against CUA]
SAP Central User Administration (CUA) = Zentrale Benutzerverwaltung (ZBV), ABAP
Oracle Identity Manager – SAP User Management Engine Connector
Oracle Identity Manager for SAP
• Basic mode/functions:
– Account creation or modification provisioning requests to SAP AS Java based application components, e.g. SAP NW Enterprise Portal
• Supported provisioning methods:
– Direct provisioning (driven by the OIM admin only)
– Request-based provisioning (driven by the OIM user)
– Access policy change provisioning (driven automatically by OIM)
• Uses official SAP Web services for all SAP target provisioning/account operations
[Diagram: OIM ↔ SAP UME Connector (WS client) ↔ SAP SPML service (Web service) ↔ SAP AS Java; provisioning creates/updates accounts, scheduled reconciliation tasks sync the target against OIM users and pick up direct changes made in the SAP Admin Console]
Oracle Identity Manager – SAP HCM/HR Connector
Oracle Identity Manager for SAP
• Basic mode/functions:
– OIM Connector for SAP Employee Reconciliation (HCM Active Sync)
– Retrieves employee records in real time from SAP HCM and creates identities for them in OIM
– Typical use case: new hire
• Supported deployments:
– Full reconciliation (all source system users)
– Incremental reconciliation via tRFC (only changed or new user records)
– SAP Intermediate Document (IDoc) based data exchange over the Application Link Enabling (ALE) interface, or ASCII-based flat files*
*The connector supports all IDoc types that are associated with the HRMD_A message type
[Diagram: SAP ECC/HCM is the leading/authoritative source; the HCM department maintains employee data (PA30); full reconciliation runs as scheduled tasks over the SAP Java Connector, incremental reconciliation is listener based (tRFC/IDoc); both create and update OIM users; HCM profile IDoc files can also be copied manually into the OIM directory]
No support for SAP system account provisioning or reconciliation for SAP HCM
Oracle Identity Manager with SAP BO Access Control V10
Oracle Enterprise Governance Suite: Governance/Compliance Platform
[Diagram: grant user access (provision / de-provision) and monitor user access, from OS to applications (Unix, MS, Linux, ...; e-mail, ERP, LDAP, ADS, ...): access request, privileged account request, role life-cycle management, check-in/check-out, identity certifications, IT audit monitoring, rogue detection and reconciliation, reporting and privileged access monitoring; connectors; access catalog with ownership, risk and audit objectives; catalog management of accounts, roles, glossaries and entitlements; heterogeneous (non-Oracle) integration!]
Oracle Enterprise Governance Suite: Risk-based Certification and Segregation of Duties Analysis
[Diagram: identity data sources (mainframe, DB, applications, operating system) feed OIM + OIdA / Access Controls Governor (ESoD); roles, entitlements and resources are combined with certification history, provisioning events and policy violations into a risk aggregation that separates low-risk users (bulk certify) from high-risk users (Cert 360: focused approve/reject and sign-off); SoDs with best-practice libraries for Oracle applications]
SoD = segregation of duties (German: Funktionstrennung); OIdA = Oracle Identity Analytics (central role management)
Definition / What is SAP BusinessObjects Access Control?
SAP BO AC V10
SAP solution for centralized, compliant SAP user management / SoD analysis:
- Takes care of SAP-specific SoD checks
- Who has received which SAP authorization, and why?
- Who has assigned compensating controls, and why?
- Takes care of the SAP-specific audit data
SoD = segregation of duties (German: Funktionstrennung)
Functional overview: SAP GRC Cornerstone Products
SAP BO AC V10
• SAP Access Control: fine-grained auditing, separation of duties, policy enforcement
• SAP Process Control: an enterprise control framework for business processes; leverages RM and AC data, linking risks and controls to different security and control frameworks (such as COSO and COBIT) and legislation (such as Sarbanes-Oxley)
• SAP Risk Management: informs stakeholders and operational processes of risks and controls that are relevant to their business context; allows assignment of risks to corporate policies and enables procedures to be assigned as risk mitigations
All three are ABAP components of SAP Unified GRC, powered by SAP NW ABAP
SAP based internal control framework, e.g. SOX compliance, COBIT, ICF
Technical overview
SAP BO AC V10
SAP GRC Suite V10 runs on SAP NetWeaver AS ABAP 7.02 only, on top of the Basis components:
• AC-PC-RM (one component)
• GTS (one component)
• Content Lifecycle Management
• One deployment package / separate product activation
• Client access over HTTP or DIAG (DIAG = SAP GUI specific communication protocol)
Functional overview: The four pillars of Access Control
SAP BO AC V10
Bridging a business and a technology gap
Enterprise IT-Compliance
Technical overview: SAP ABAP Web services integration
SAP BO AC V10
[Diagram: IdM integration with the SAP GRC Suite V10 (AC-PC-RM, one component) goes through the SAP ABAP Web services framework: the SOAP runtime on top of the Internet Communication Manager/Framework, over HTTP, HTTPS or (optionally) SMTP; SAP and non-SAP consumers use the same technology]
Standards involved: eXtensible Markup Language (XML); Simple Object Access Protocol (SOAP); Web Service Definition Language (WSDL); and Universal Description, Discovery, and Integration (UDDI)
SAP SOAP Framework
Since the SOAP payload of the IdM integration carries user, role and risk data, in practice only the HTTPS transport is appropriate for it.
Oracle Identity Manager – Integration of SoD Engines
Oracle Identity Manager for SAP
• OIM SIL Provider
– SIL = SoD Invocation Library, the basis of the OIM SoD implementation
– The SIL is a collection of Java-based adapters that enable integration with predefined OIM connectors
– A SIL Provider acts as the interface between the SIL and a specific SoD engine, e.g. the SAP BO AC / SAP GRC SIL Provider
– Integration of almost any third-party SoD engine is possible, since a SIL Provider is simply a special adapter for that engine
[Diagram: OIM → SoD Invocation Library (SIL and adapters) → SIL Providers: SAP SIL Provider (over Web services to SAP BO AC), custom SIL Provider, OAACG* SIL Provider]
*OAACG = Oracle Application Access Controls Governor
Oracle Identity Manager – Integration of the SAP SoD Engine
Oracle Identity Manager for SAP
• OIM SAP AC SIL Provider
– Web services based communication
– OIM SAP AC Web Service Client
– Based on the official SAP AC WSDL as input
– Used by the OIM SAP connectors during provisioning operations for SoD checks
[Diagram: OIM as consumer → SoD Invocation Library (SIL and adapters) → SAP SIL Provider → AC Web Service Client → SAP BO AC; custom and OAACG* SIL Providers alongside]
*OAACG = Oracle Application Access Controls Governor
WSDL = Web Service Definition Language
Oracle Identity Manager – Integration of the SAP SoD Engine
Oracle Identity Manager for SAP
• OIM SAP Connectors
– Used as the interface between OIM and SAP BusinessObjects Access Control
– Provisioning requests can be validated by the official SAP SoD engine
• Supported connector types for SoD checking:
– OIM SAP User Management Connector
– OIM SAP User Management Engine Connector
[Diagram: OIM with the SAP SIL Provider and ICF; (1) the OIM SAP UM Connector and (2) the OIM SAP UME Connector invoke the pre-configured SAP SIL Provider, which runs the SoD check over Web services against SAP BO AC V10 (AC-PC-RM on NW AS ABAP) before provisioning to the AS ABAP UM]
OIM Scenario 01: IdM with SoD
SAP BO AC V10
[Flowchart with three lanes: IdM requestor, IdM approver, AC system user]
Steps and decision points: create and submit access request → review request (appropriate access?) → perform risk analysis (risk violations?) → manage access risks / modify request (request modified?) → approve request? → user provisioning → provisioning of SAP applications. Option: perform SAP risk analysis; synchronization of SAP applications (AC - SAP account); reconcile.
The request and approval workflow runs in OIM; the risk analysis is performed in SAP BO AC in the AC system user lane.
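The decision points of scenario 01 (risk violations? → approve request?) as an added example; this is not Oracle's SIL provider code and not SAP's AC rule format, and the rule set, role-to-function mapping, mitigation-control register and users are constructed. Beyond the flowchart, it shows one check a practitioner wants from the SoD engine: the risk analysis must run on the user's resulting access (existing plus requested roles), since a single requested role that is clean on its own can complete a conflicting pair with access the user already holds.

```python
"""SoD risk analysis before provisioning, as in OIM scenario 01 (simplified model).

Added example, not the SAP BO AC rule format, not the AC Web service and not
the OIM SIL provider API. The SoD rule set, the role-to-function mapping,
the mitigation-control register and the users are constructed (hypothetical)
data; SAP AC models rules as functions, risks and rule sets, which is only
approximated here.
"""

# Constructed SoD rule set: a risk fires when one user holds all functions of the pair.
SOD_RULES = [
    (frozenset({"create_vendor", "pay_vendor"}), "P001"),
    (frozenset({"maintain_bank_data", "pay_vendor"}), "P002"),
    (frozenset({"post_journal", "approve_journal"}), "F001"),
]

# Constructed mapping of SAP-style roles to the business functions they grant.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"create_vendor", "maintain_bank_data"},
    "Z_AP_PAYMENT": {"pay_vendor"},
    "Z_GL_POSTING": {"post_journal"},
    "Z_GL_REVIEW": {"approve_journal"},
}

# Constructed mitigation-control register: (user, risk id) -> control id.
MITIGATIONS = {("jdoe", "P002"): "MC-042"}


def risk_analysis(existing_roles, requested_roles):
    """Return the sorted risk ids violated by the user's resulting access.

    The analysis runs on existing + requested roles: a request that is clean on
    its own can still complete a conflicting pair with access the user already has.
    """
    functions = set()
    for role in set(existing_roles) | set(requested_roles):
        functions |= ROLE_FUNCTIONS[role]
    return sorted(risk for pair, risk in SOD_RULES if pair <= functions)


def decide(user, existing_roles, requested_roles, approved):
    """Decision points of scenario 01 in order: risk violations? -> approve request?

    Returns (decision, risks): 'blocked' with the unmitigated risks (the request
    must be modified or a mitigating control assigned), 'denied' if the approver
    rejects a clean or fully mitigated request, else 'provision'.
    """
    risks = risk_analysis(existing_roles, requested_roles)
    unmitigated = [r for r in risks if (user, r) not in MITIGATIONS]
    if unmitigated:
        return "blocked", unmitigated
    if not approved:
        return "denied", risks
    return "provision", risks


if __name__ == "__main__":
    # The requested role alone is clean, the resulting access is not.
    print(risk_analysis(set(), {"Z_AP_PAYMENT"}))
    print(risk_analysis({"Z_AP_CLERK"}, {"Z_AP_PAYMENT"}))
    print(decide("jdoe", {"Z_AP_CLERK"}, {"Z_AP_PAYMENT"}, approved=True))
    print(decide("bsmith", set(), {"Z_GL_POSTING"}, approved=True))
```

The mitigation lookup is keyed by user and risk, not by role: in the scenario the mitigating control is assigned to a person's specific risk ("who has assigned compensating controls and why"), so the same role combination can be blocked for one user and provisioned for another.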
SAP BO AC V10 / OIM Scenario 01: IdM with SoD (swimlane view)
Lanes: Requestor (clerk) → Business line manager (e.g. FI manager) → IT department
Steps: new or change request → risk analysis / SoD (non-SAP SoD check plus SAP-specific SoD check) → business approval → provisioning (IT provisioning)
One workflow: the Oracle IdM workflow drives the whole request; SAP SoD (SAP BO AC) is used for the SoD risk analysis only
OIM Scenario 02: IdM with Access Request Management
SAP BO AC V10
[Flowchart with two lanes: IdM requestor, AC end users]
Steps and decision points: create and submit access request → review request (appropriate access?) → perform risk analysis (risk violations?) → manage access risks: mitigate risks or modify request (request modified?) → approve request? → request status (approved / denied) → user provisioning → provisioning of SAP applications. Option: synchronization of SAP applications (OIM - SAP account); reconcile.
Mitigation controls = (loosely translated) risk-reducing controls (German: risikoreduzierende Kontrollen)
OIM Scenario 02: IdM with Access Request Management (swimlane view)
SAP BO AC V10
Lanes: Requestor (clerk) → Business line manager (e.g. FI manager) → IT department
Steps: new or change request → risk analysis / SoD → business approval → provisioning (IT provisioning)
Two workflows: the Oracle IdM workflow handles the non-SAP SoD check and non-SAP provisioning; the SAP BO AC CUP workflow handles the SAP-specific SoD check, SAP provisioning and SAP administration
OSC4SAP Pre-Sales Services
OIM for SAP Sales Support
• Combined SAP/OIM know-how (personal skill set)
• Customer workshop/TOI, 3-4 hours
– Focus: customer SAP department
– Agenda: official SAP interface technologies; SAP interfaces used by OIM; OIM SAP connectors; intro to SAP BO AC; integration OIM – SAP BO AC
Success factor: e.g. retailer / Austria / Sept. 2012
• Customer workshop/TOI, 4 hours
• Overall: 20 people
• Focus: customer SAP department
– SAP Basis team
– SAP HR team
– SAP Security
– OIM team
• Oracle described in depth the integration between OIM and SAP technology
SAP User Management (ABAP) Connector Release 11.1.1.5.0
Oracle Identity Manager for SAP
• Supported OIM Releases
• Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later
• Oracle Identity Manager 11g Release 2 (11.1.2.0.1) or later
• Supported SAP JCo release
• SAP JCo 3.0.2 or later
• Supported SAP BO AC Releases:
• SAP BO AC V5.3
• SAP BO AC V10
SAP User Management Engine (Java) Connector Release 11.1.1
Oracle Identity Manager for SAP
• Supported OIM Releases
• Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later
• Oracle Identity Manager 11g Release 2 (11.1.2.0.1) or later
• Supported SAP JCo release
• SAP JCo 3.0.2 or later
• Supported SAP BO AC Releases:
• SAP BO AC V5.3
• SAP BO AC V10
Oracle Waveset (formerly Sun Identity Manager)
Oracle Identity Manager for SAP
• Oracle Waveset support for BO AC
• Only supported for BO AC V5.3 (official SAP certified integration)
• No support for BO AC V10