Post on 13-Apr-2018
Compliant, Business-Driven Identity Management
using
SAP NetWeaver Identity Management
and SBOP Access Control
February 2010
© SAP AG 2010. All rights reserved. / Page 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in
making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any
course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy and
possible future developments are subject to change and may be changed by SAP at
any time for any reason without notice. This document is provided without a warranty
of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP assumes no responsibility for errors or omissions in this document, except if
such damages were caused by SAP intentionally or grossly negligent.
Concerns
…I am worried about the compliance program cost
…I am worried about simplifying user access
…I am worried about minimizing security risks
Typical User Lifecycle
Challenges: long time to become productive; enormous costs and efforts; security leaks if an employee leaves
Hire date: Chuck Brown joins the company. Available: temporary accounts
3 weeks later: Chuck Brown is able to work in accounting. Available: E-Mail, Portal, Internet, Accounting
1 year later: Chuck Brown transfers to sales. Available: E-Mail, Portal, Internet, Accounting, CRM (west), Marketing data (west)
7 years later: Chuck Brown is promoted to Vice President Sales. Available: E-Mail, Portal, Internet, Accounting, CRM (global), Marketing data (global)
8 years later: Chuck Brown resigns. All known accounts of Chuck Brown are deactivated
10 years later: Chuck Brown still has access to the system. Available: Accounting, Marketing data (global)
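The last step of that timeline, access that survives the leaver's deactivation because the accounts were never linked to the person, is what a reconciliation of HR leaver data against the accounts actually present in each target system catches. The following is an added example, not code from the deck or from SAP NetWeaver Identity Management: the HR records and account inventory are constructed sample data, and the field names, the `run_check` helper and the cutoff date are assumptions made for the illustration.

```python
"""Leaver reconciliation: find enabled accounts whose owner has left or is unknown.

Added example with constructed data; it models the check itself, not any SAP API.
"""
from datetime import date

# Constructed HR master data: person id -> hire date and termination date (None = active).
HR = {
    "CBROWN": {"name": "Chuck Brown", "hired": date(2000, 3, 1), "left": date(2008, 3, 1)},
    "AJONES": {"name": "Alice Jones", "hired": date(2005, 6, 15), "left": None},
}

# Constructed account inventory pulled from each target system. "owner" is the HR id
# the account was matched to; None means no HR owner could be found for it.
ACCOUNTS = [
    {"system": "Accounting", "user": "cbrown", "owner": "CBROWN", "enabled": True},
    {"system": "Marketing data (global)", "user": "chuck.b", "owner": "CBROWN", "enabled": True},
    {"system": "E-Mail", "user": "cbrown", "owner": "CBROWN", "enabled": False},
    {"system": "CRM", "user": "ajones", "owner": "AJONES", "enabled": True},
    {"system": "Accounting", "user": "tmp_audit", "owner": None, "enabled": True},
]


def find_orphans(hr, accounts, today):
    """Return every enabled account that should not exist on `today`.

    Two cases are flagged: the owner has a termination date on or before today,
    or the account maps to no HR record at all (an unmapped local or temporary
    account). Disabled accounts are skipped; they were already handled.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owner = hr.get(acct["owner"])
        if owner is None:
            findings.append({**acct, "reason": "no HR owner", "days_exposed": None})
        elif owner["left"] is not None and owner["left"] <= today:
            findings.append({
                **acct,
                "reason": "owner left " + owner["left"].isoformat(),
                "days_exposed": (today - owner["left"]).days,
            })
    return sorted(findings, key=lambda f: (f["system"], f["user"]))


def summarize(findings):
    """Count findings per target system so the worst systems can be prioritised."""
    counts = {}
    for f in findings:
        counts[f["system"]] = counts.get(f["system"], 0) + 1
    return counts


def run_check(today_iso):
    """Run the reconciliation for a given date (ISO string) against the sample data."""
    return find_orphans(HR, ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    results = run_check("2010-02-01")
    for f in results:
        print(f"{f['system']:24} {f['user']:10} {f['reason']}  days exposed: {f['days_exposed']}")
    print(summarize(results))
```

Run against the constructed data on 2010-02-01, the check flags Chuck Brown's enabled Accounting and Marketing accounts (owner left in 2008) and the unmapped `tmp_audit` account, while the already-disabled E-Mail account and the active Alice Jones are left alone. The unmapped-owner case matters as much as the leaver case: an account nobody can tie to a person is exactly the kind of access that "deactivate all known accounts" misses.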
Agenda
1. What is Compliant Identity Management?
2. Technical Details
3. Best Practice
Identity and Access Management: Business Challenges
Business Transformation
Constant changes in business processes to align with changing business objectives
Market consolidation with mergers and acquisitions
Cross-enterprise transactions
Operational Costs
Costly maintenance of multiple identity sources
Manual user maintenance by the helpdesk
Regulatory compliance procedures and rules are separate, disjoint processes
Compliance & Risk
Identify and manage business and IT controls
Prevention of unauthorized access to sensitive data
Need to provide auditors with a complete audit trail
No record of who has access to which IT resources
Identity and Access Management: Benefits
Business Transformation
Integrate business processes with compliance and IT functions
Ease the impact of mergers and acquisitions with bulk risk analysis and provisioning tools
Reduce the risk associated with partner and contractor access to networks and systems
Operational Costs
Reduced administration cost through integrated and automated compliance and IT processes
Simplified access request creation and approval
Compliance & Risk
Enable business users to manage both application and IT compliance risks
Reduce unauthorized access to sensitive data and system capabilities
Reduced effort to meet compliance audits
Complete record of user assignment history
SAP NetWeaver Identity Management: Holistic Approach
IDM is triggered by identity business processes and data (e.g. on-boarding)
Business processes (e.g. Order2Cash) rely on appropriate user and role assignments in systems
SAP NetWeaver Identity Management provides:
Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Central Identity Store
SAP BusinessObjects Access Control (GRC) provides compliance checks through GRC
SAP Business Suite integration
SAP BusinessObjects Access Control: Sustainable prevention of segregation of duties violations
Minimal time to compliance
Quick, effective and comprehensive access risk identification
Elimination of existing access and authorization risks is key
Continuous access management
Improve productivity of end users
Reduce cost of role maintenance
Avoid business obstructions with faster emergency response
Ease compliance and avoid authorization risk
Effective management oversight
Capabilities for Management Oversight and Internal Audit
Diagram: IT infrastructure (FIN, SCM, SRM, MFG, HR) at the base; above it cross-platform, cross-function access risk analysis and remediation; audit oversight; and the control environment. Components shown: Enterprise role management; Risk analysis and remediation; Compliant user provisioning; Identity Management; Periodic access review and audit; Superuser privilege management (temporary, logged use of emergency authorizations such as SAP_ALL); a cross-enterprise library of best practice segregation of duties rules, fed by regulations, rules, corporate policies and best practices.
SAP BusinessObjects Access Control (GRC) & SAP NetWeaver IDM – Integration
SAP NetWeaver Identity Management and SAP BusinessObjects Access Control (GRC), combined:
Compliance checks
Business risk controls and mitigation
Rule-based business role assignment
Heterogeneous connectivity
Extended SAP Business Suite integration
Password self-service
Compliant, business-driven Identity Management for the entire system landscape!
Agenda
1. What is Compliant Identity Management?
2. Technical Details
3. Best Practice
Compliant, Business-Driven Identity Management
Requirement: provide automated, position-based role management while ensuring compliance
Diagram: a new hire in HCM triggers SAP NetWeaver Identity Management, which calculates entitlements based on position; SAP BusinessObjects Access Control runs the compliance check (No: remediation; Yes: the line manager approves the assignments); Identity Management then creates the user and assigns roles and privileges in the landscape through the Identity Center (IC) and Virtual Directory Server (VDS)
Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HCM events
Reduce risk through compliance checks and remediation
Automate manual processes through integration with SAP Business Suite
Compliant, Business-Driven Identity Management: Process Flow
Between SAP NetWeaver Identity Management and SAP BusinessObjects Access Control (GRC), with its RAR and CUP components:
1. Request role assignment
2. Manager approval
3. Forward request for risk analysis
4. Risk analysis
5. Risk mitigation
6. Risk status
7. Provisioning to target systems
8. Notification to user / manager
Component Usage
SAP NetWeaver Identity Management components are used in the following way:
The Virtual Directory Server (VDS):
Accepts requests from the Identity Center.
Handles all communication to and from SBOP Access Control through the web service API exposed by SBOP Access Control.
The Identity Center (IC):
Contains the workflow tasks and the jobs that drive provisioning to SBOP Access Control, based on the Provisioning Framework for SAP Systems.
Communicates with the Virtual Directory Server (VDS) using the LDAP protocol.
Note: both hops (IC to VDS over LDAP, VDS to Access Control over the web service API) carry identity data and risk decisions, so in practice they should be authenticated and encrypted (LDAPS and HTTPS respectively).
SAP BusinessObjects Access Control components are used in the following way:
Compliant User Provisioning (CUP):
Provides web services for compliance checks, status checks, etc.
Workflow for risk analysis and mitigating controls
Risk Analysis and Remediation (RAR):
Provides risk analysis services to detect SoD violations and critical permissions
CUP and RAR communicate via internal web services
Agenda
1. What is Compliant Identity Management?
2. Technical Details
3. Best Practice
Centralized Provisioning
Customer Best Practice - General Recommendation
Diagram: SAP NetWeaver Identity Management, integrated with SAP BusinessObjects Access Control (GRC), handles provisioning to SAP and non-SAP systems
Centralized Provisioning: Details
Create the role assignment request in Identity Management (Identity Center):
automatic (using certain rules, e.g. department assignment) or manual (per user request)
Pre-process the request in Identity Management (Identity Center):
assignments that require a compliance check are sent to Compliant User Provisioning; assignments that do not require one skip it
Request processing & risk analysis in Compliant User Provisioning:
risk violations found: request rerouted to manual workflow, where it is declined or approved
no risk violations found: approved
Identity Management reads the request status:
declined: no provisioning
approved: Identity Management starts provisioning
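The decision flow above, and the eight-step process flow and component usage slides before it, modelled end to end as an added example. This is not code from the deck, from SAP NetWeaver Identity Management or from Access Control: the role catalogue, the SoD rule set, the mitigating controls, the set of roles exempt from checking and the function names are all constructed for the illustration. The part worth copying is that the risk analysis runs over the user's existing roles plus the requested ones, since an SoD conflict is usually created by the combination rather than by any single role.

```python
"""Compliant provisioning flow: SoD risk analysis gates every role assignment.

Added example with constructed data; the names below are assumptions, not SAP APIs.
"""

# Constructed role catalogue: business role -> the actions (transactions) it grants.
ROLE_ACTIONS = {
    "AP_VENDOR_MAINTAIN": {"create_vendor", "change_vendor"},
    "AP_INVOICE_POST": {"post_invoice"},
    "AP_PAYMENT_RUN": {"release_payment"},
    "CRM_SALES_WEST": {"view_opportunities"},
}

# Constructed SoD rule set: rule id -> pair of actions one person must not hold together.
SOD_RULES = {
    "P001": ("create_vendor", "release_payment"),
    "P002": ("post_invoice", "release_payment"),
}

# Mitigating controls already accepted for a (user, rule) pair, e.g. a dual-signature
# control on payment runs. A mitigated risk may be provisioned; an unmitigated one may not.
MITIGATIONS = {
    ("MBLACK", "P002"): "CTRL-DUAL-SIGN",
}

# Roles the pre-processing step lets through without a compliance check
# (assumption for the example: read-only roles with no SoD-relevant actions).
NO_CHECK_ROLES = {"CRM_SALES_WEST"}


def risk_analysis(current_roles, requested_roles):
    """Return the ids of SoD rules the combined role set would violate.

    Checking only the requested roles would miss conflicts with roles the user
    already holds, so the analysis always runs over the union.
    """
    actions = set()
    for role in current_roles | requested_roles:
        actions |= ROLE_ACTIONS[role]
    return sorted(rule_id for rule_id, (a, b) in SOD_RULES.items()
                  if a in actions and b in actions)


def process_request(user, current_roles, requested_roles, manager_approves):
    """Walk one request through manager approval, risk analysis and provisioning.

    Returns a dict with the final status and, where relevant, the violations found,
    the mitigations applied and the role set that would be provisioned.
    """
    if not manager_approves:
        return {"status": "declined", "reason": "manager rejected", "provisioned": set()}

    violations, applied = [], {}
    if not requested_roles <= NO_CHECK_ROLES:
        violations = risk_analysis(current_roles, requested_roles)
        applied = {v: MITIGATIONS[(user, v)] for v in violations if (user, v) in MITIGATIONS}
        unmitigated = [v for v in violations if v not in applied]
        if unmitigated:
            # Risk violations found: the request is rerouted to the manual workflow.
            # Nothing is provisioned until a risk owner mitigates or declines it there.
            return {"status": "rerouted", "violations": unmitigated, "provisioned": set()}

    # No unmitigated risk: Identity Management may start provisioning.
    return {
        "status": "provisioned",
        "violations": violations,
        "mitigations": applied,
        "provisioned": current_roles | requested_roles,
    }


if __name__ == "__main__":
    cases = [
        ("CBROWN", {"AP_VENDOR_MAINTAIN"}, {"AP_PAYMENT_RUN"}, True),
        ("MBLACK", {"AP_INVOICE_POST"}, {"AP_PAYMENT_RUN"}, True),
        ("AJONES", set(), {"CRM_SALES_WEST"}, True),
        ("AJONES", set(), {"AP_PAYMENT_RUN"}, False),
    ]
    for user, current, requested, ok in cases:
        print(user, sorted(requested), "->", process_request(user, current, requested, ok))
```

In the constructed cases, Chuck Brown's request for the payment-run role conflicts with the vendor-maintenance role he already holds (rule P001) and is rerouted without being provisioned; the same request for a user with an accepted dual-signature control on P002 is provisioned with the mitigation recorded; a read-only CRM role skips the check entirely; and a request the manager rejects never reaches risk analysis at all, which matches the ordering of steps 2 and 3 in the process flow.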
DEMO
Summary
Key Take Aways
SAP BusinessObjects Access Control delivers best practice, cross-enterprise compliance
Access Control and Identity Management integration allows customers to implement business-driven, compliant identity management across the enterprise.
Real-time preventive controls stop cross-enterprise violations before they occur; detective controls find the ones that already exist
SAP leads the industry in helping our customers to thrive in today's business networks
Double the Value - Access Control delivers comprehensive risk analysis for existing IdM deployments. IdM expands provisioning for existing GRC AC deployments
Virtual SAP TechEd: Extend your SAP TechEd Year Round
Best of SAP TechEd at your fingertips
View sessions that you missed
Replay and review sessions that you attended
Quality SAP TechEd Training
Best Practices
Product Roadmaps
Learn at your own pace
Gain access to sessions recorded in 2006, 2007, 2008 and 2009* (*available December 2009)
24/7 access online/offline
Flexible course syllabus
Volume Licensing
Special pricing for multiple subscribers
http://www.sdn.sap.com/irj/scn/virtualteched-allsessions
Further Information
Related SAP Education and Certification Opportunities
http://www.sap.com/education/
TZNWIM - SAP NetWeaver Identity Management 7.1
SAP Public Web:
SAP Developer Network (SDN):
www.sdn.sap.com/irj/sdn/nw-identitymanagement
Business Process Expert (BPX) Community: www.bpx.sap.com
Thank You!
Copyright 2010 SAP AG
All Rights Reserved