PUBLIC
Kristian Lehment, SAP SE
Christian Cohrs, SAP SE
July 2017
SAP Identity Management & Provisioning Service – Roadmap
2PUBLIC© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ
Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
What data is critical to you? – Risk-based security investments
Do you also protect your data or only the underlying infrastructure?
Critical data: customer data, employee data, processes, contracts, financial data, leads, marketing results, production process, product composition, vendor information, specifications
Where is that data mainly stored? SAP systems, mails, cloud drives, files, …
Security measures on the infrastructure level are mandatory. But the threat landscape has changed, and for most companies the SAP systems are a black box with regard to security.
The paradox: the black box often contains the most critical data.
SAP helps protect your digital business
Transactions and data must be secured throughout the entire end-to-end business process
Cybersecurity is a critical element in the Digital Transformation journey
1. Customers and employees are hyper-connected, always on, with seamless access anywhere and anytime
2. Cloud and hybrid cloud environments have become the norm, challenging traditional “Protect the 4 walls” security approaches
3. Digitally connected supply chains are based on high trust and availability of all parties
4. The Internet of Things and Big Data bring unprecedented data streams and volumes
5. Confidentiality, integrity, and availability of data are the basis for secure operations and trusted relationships
SAP Identity Management
SAP Identity Management and Access Control in the SAP security product portfolio
Platforms covered: SAP Business Suite, SAP S/4HANA, SAP HANA, SAP NetWeaver Application Server, SAP Cloud Platform, SAP Cloud Applications, 3rd party systems
• SAP Single Sign-On – Make it simple for users to do what they are allowed to do
• SAP Identity Management – Know your users and what they can do
• SAP Access Control – Ensure corporate compliance to regulatory requirements
• Platform Security – Make sure that SAP solutions run securely
• SAP Enterprise Threat Detection – Counter possible threats and identify attacks
• Add-On for Code Vulnerability Analysis – Find and correct vulnerabilities in customer code
• SAP Cloud Platform Identity Authentication, SAP Cloud Platform Identity Provisioning, SAP Cloud Identity Access Governance (access analysis service) – Manage access, users and compliance in the cloud
SAP Identity Management – Product description
Use centralized software to lower risk and manage the full identity lifecycle of users. Keep operations running efficiently and affordably, while protecting applications and data. Provide user access according to current business roles. Workflows and user interface are highly flexible and configurable without the need for development skills.
• Lower IT support costs and reduce risk with centralized user identity management across SAP, non-SAP, various IT and cloud solutions
• Improve productivity with self-services such as automatic password resets and rules-driven workflows
• Improve insight and compliance with centralized, integrated logging and reporting
• Boost flexibility with standards-based functionality that integrates fully with company processes
SAP Identity Management – Key capabilities
• Manage identities and permissions
• Ensures that the right users have the right access to the right systems at the right time
• Consistent user roles and privileges across all systems and applications (holistic approach)
• Enables the efficient, secure and compliant execution of business processes
Use cases in the identity lifecycle
• How long does it take for new employees to receive all permissions and become productive in their new job?
• Are permissions automatically adjusted if someone is promoted to a new position?
• Who has adequate permissions to fill in for a co-worker?
• How long does it take to remove ALL permissions of an employee? And how can you ensure that they were properly removed?
• How can you remove permissions automatically if employees change their position?
Strengths of SAP Identity Management (1/2)
Centralized identity management and provisioning of user data and related permissions for the entire heterogeneous company landscape – both for SAP and non-SAP applications
• Fully automated synchronization and lifecycle of employee identities integrated with SAP HCM and SuccessFactors
• Integration with SAP Business Suite
• Optional integration with SAP Access Control for exemplary compliance and auditability
IT systems connectivity and IT user provisioning
• Many SAP and non-SAP connectors from SAP at no extra cost and exemplary support for business applications
• Additional non-SAP connectors are available via partners (separate pricing by partner)
• Connector Development Kit and Virtual Directory Server
Landscape diagram: SAP Identity Management together with SAP Access Control in the center, connected to SAP applications (SAP ERP HCM, SAP ERP, SAP SCM, SAP SuccessFactors, SAP HANA, Portal, …) and non-SAP applications (Java, database, legacy, OS, Lotus Notes, MS Exchange, web apps, Active Directory, …)
Strengths of SAP Identity Management (2/2)
• SAP IdM offers flexible and highly configurable comprehensive workflows including a visual designer tool
• As a highly functional central place for access requests, it supports all the most important scenarios
• Self-service capabilities for user-related data and fully automated user provisioning with no manual steps lower the burden on IT and the call center and increase the ROI
• It manages multiple and complex hierarchies of business roles
• SAP IdM is equipped with strong capabilities for reporting
• SAP IdM is built on highly scalable platforms
• SAP is a strategic software partner
SAP Identity Management Connectivity – Overview
Databases
• SAP HANA Database
• SAP ASE (Sybase)
• Microsoft SQL Server
• Microsoft Access
• Oracle database
• IBM UDB (DB2)
• MySQL
Directory Servers
• Microsoft Active Directory
• IBM Tivoli Directory
• Novell eDirectory
• Oracle Directory (fka. SunOne)
• Oracle Internet Directory
• Microsoft Active Directory Application Mode (ADAM)
• Siemens DirX
• OpenLDAP
• eB2Bcom View500 Directory Server
• CA eTrust Directory
• SAP IDM Virtual Directory Server
• Any LDAP v3 compliant directory server
Business Applications
• SAP Business Suite
• SuccessFactors
• Microsoft Exchange
• SAP Access Control (GRC)
• Lotus Domino/Notes (C API)
• Lotus Domino/Notes (Java API) for IDM 8.0
• RSA ClearTrust
• SAP Cloud Platform Identity Authentication service
Technical
• SPML
• LDAP
• ODBC / JDBC / OLE-DB
• RFC
• SCIM
• LDIF files
• XML files
• CSV files
Other + Partner
• SAP Application Server
• Microsoft Windows
• MS SharePoint
• Unix / Linux
• Shell execute
• Custom Java connector API
• Script-based connector API
SAP Identity Management – SAP ASE database support
Supported databases: SAP ASE, IBM DB2, Microsoft SQL Server, Oracle
• SAP Identity Management running on SAP software
• Optimized performance
• Based on SAP’s acquisition of Sybase with many years of relational database experience
• License advantages running all SAP applications on SAP databases (SAP HANA, SAP ASE, SAP IQ)
SAP Identity Management Rapid-Deployment Solution (RDS)
Short project times, reduced TCO: simplify the assignment and management of roles and privileges to users
• Implement best practices out-of-the-box with a fixed scope covering the most important and common scenarios, e.g. a defined set of customer-specific configuration, connection of source and target systems, provisioning, etc.
• Pre-configured functionality of SAP Identity Management in a development system
• Step-by-step guide describing each activity during deployment
• Solution can be extended with additional scope options
Scope option 1: Go-live support
Scope option 2: Connection to one additional SAP target system – scope option 2 can be selected multiple times to connect multiple additional SAP target systems.
Solution components and service approach
Standard solution:
• Connection of 1 source and 2 target systems
• Approval workflows
• Automatic authorization assignment
• Mass user administration jobs
• E-mail notification framework
• Support of system-specific attributes
• New web UI tasks
• Predefined HTML-based reports
• Enhanced error handling
Scope option 1: Additional go-live support
Scope option 2: Connection to additional SAP systems
This is the current state of planning and may be changed by SAP at any time.
This is the current state of planning and may be changed by SAP at any time.
SAP Identity Management – Product road map overview: key themes and capabilities
Recent innovations (Release 8.0 SP04)
• Eclipse-based development environment
• Harmonization of development infrastructure
• Graphical workflow designer
• Configuration packaging and authorization concept
• New SAP integration capabilities
• Full identity lifecycle covered with SAP SuccessFactors integration
• SAP HANA connector
• Available on SAP Adaptive Server Enterprise (ASE) database
• SAP Cloud Platform Identity Authentication service
• Rapid-Deployment Solution package
2017 – Planned innovations
Identity, governance and administration
• Enhanced integration with SAP GRC solutions to deliver an identity, governance and administration suite
User interface
• Extensions to the REST API
Enterprise readiness
• Installation and upgrade using the Software Provisioning Manager (SWPM)
Integration
• Hybrid deployment model: SAP cloud services for identity and access management as extension for SAP Identity Management
• SAP S/4HANA connector
• SAP HANA connector enhancements
• SAP SuccessFactors connector enhancements
• Connector Development Kit 2.0
2018 – Product direction
Hybrid identity management
• SAP Cloud Platform: identity lifecycle across on-premise and cloud
• Extend integration with SAP Cloud Platform services for identity and access management: Identity Authentication service, Identity Provisioning service, Access Analysis service
Integration
• SAP Ariba
• SAP Hybris
• Reporting enhancements
2019 – Product vision
• Lower IT support costs
• Full support of the identity lifecycle across on-premise and cloud
• Make it easy to install, operate and enable new integrations with additional SAP and non-SAP solutions
• Create an integrated and hybrid deployed security suite
Identity and Access Management as a Service from SAP – Solution overview
SAP Cloud Platform offers an end-to-end Identity and Access Management (IAM) solution as a service that helps companies improve the security of their cloud business processes
SAP Cloud Platform Identity Authentication
• Simple and secure access to web-based applications
• Enterprise features such as password policies and multi-factor and risk-based authentication
• On-premise user store integration
• Easy consumer and partner on-boarding via self-services
SAP Cloud Platform Identity Provisioning
• Automatically sets up and manages user accounts and authorizations in an end-to-end identity lifecycle
• Re-uses existing on-premise and cloud user stores
• Integrates with SAP Identity Management
SAP Cloud Platform Identity Provisioning – Product description
Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud
Solution overview
• Manage user accounts and authorizations in a cloud-based service
• Provision identities from user stores in the cloud and on-premise
• Enable business applications to quickly support single sign-on with Identity Authentication
Key value proposition
• Fast and efficient administration of user onboarding
• Centralized end-to-end lifecycle management of corporate identities in the cloud
• Automated provisioning of existing on-premise identities to cloud applications
Architecture diagram: SAP Cloud Platform Identity Provisioning retrieves on-premise users and their attributes from the corporate network and cloud users and their attributes from cloud user stores, then creates accounts and assigns authorizations in the target applications
SAP Cloud Platform Identity Provisioning – Example: SAP SuccessFactors as the source for employee identity data
When an employee record is created in SAP SuccessFactors, Identity Provisioning on-boards the new user to all cloud applications required for the person’s role
On-boarding
• Read the new employee’s identity data from SAP SuccessFactors
• Define the initial authorization profile based on authorization policies
• Create user accounts and assign authorizations for the new employee in the relevant business systems
Manage
• Update user details and authorizations automatically to ensure consistency between SAP SuccessFactors identity data and cloud applications
Off-boarding
• De-provision authorizations
• Off-board employees from the cloud applications
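The on-boarding, manage and off-boarding steps above, written as a reconciliation between a source of truth and the current state of a target application; this is an added example, not SAP's implementation, and the record shape, the employee-id key and the sample data are assumptions. The security-relevant part is the off-boarding branch: a leaver loses every authorization and is deactivated, so no orphaned account keeps its access.

```python
"""Reconciliation of the lifecycle steps on the slide: on-board new employees,
keep existing accounts consistent, off-board leavers. Added example, not SAP's
implementation; the record shape and the employee-id key are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Identity:
    user_id: str                 # assumed stable key shared by source and target
    email: str
    active: bool
    authorizations: Set[str] = field(default_factory=set)

# Constructed source read (an HR system), already mapped to the target's model.
SOURCE = {
    "E1001": Identity("E1001", "jane.doe@example.com", True, {"crm.read", "crm.write"}),
    "E1002": Identity("E1002", "bob.smith@example.com", True, {"crm.read"}),
    "E1003": Identity("E1003", "new.hire@example.com", True, {"crm.read"}),
}
# Constructed current state of the target cloud application.
TARGET = {
    "E1001": Identity("E1001", "jane.doe@example.com", True, {"crm.read", "crm.write"}),
    "E1002": Identity("E1002", "bob.smith@example.com", True, {"crm.read", "crm.admin"}),
    "E1004": Identity("E1004", "left.company@example.com", True, {"crm.read"}),
}

def reconcile(source: Dict[str, Identity], target: Dict[str, Identity]) -> List[dict]:
    """Return the actions that make the target match the source of truth."""
    actions = []
    for uid, src in source.items():
        if uid not in target:                       # on-boarding
            actions.append({"op": "create", "id": uid, "email": src.email,
                            "grant": sorted(src.authorizations)})
            continue
        tgt = target[uid]                           # manage: keep consistent
        grant = sorted(src.authorizations - tgt.authorizations)
        revoke = sorted(tgt.authorizations - src.authorizations)
        if src.email != tgt.email or src.active != tgt.active or grant or revoke:
            actions.append({"op": "update", "id": uid, "email": src.email,
                            "active": src.active, "grant": grant, "revoke": revoke})
    # Off-boarding: in target but gone from source. Revoke every authorization and
    # deactivate instead of deleting, so the audit trail keeps the account identity.
    for uid, tgt in target.items():
        if uid not in source and tgt.active:
            actions.append({"op": "deprovision", "id": uid,
                            "revoke": sorted(tgt.authorizations), "active": False})
    return actions

def apply_actions(actions: List[dict], target: Dict[str, Identity]) -> Dict[str, Identity]:
    """Apply the actions to a copy of the target state (stands in for API calls)."""
    state = {k: Identity(v.user_id, v.email, v.active, set(v.authorizations))
             for k, v in target.items()}
    for a in actions:
        if a["op"] == "create":
            state[a["id"]] = Identity(a["id"], a["email"], True, set(a["grant"]))
        elif a["op"] == "update":
            ident = state[a["id"]]
            ident.email, ident.active = a["email"], a["active"]
            ident.authorizations |= set(a["grant"])
            ident.authorizations -= set(a["revoke"])
        elif a["op"] == "deprovision":
            ident = state[a["id"]]
            ident.authorizations.clear()
            ident.active = False
    return state

if __name__ == "__main__":
    for action in reconcile(SOURCE, TARGET):
        print(action)
```

Running reconcile a second time against the updated state yields no actions, which is the consistency check a scheduled provisioning job relies on.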
SAP Cloud Platform Identity Provisioning – Supported source and target systems
Identity Provisioning supports multiple systems as sources of identity information and forwards identities to any of the listed target systems
Source systems
On-premise:
• SAP NetWeaver Application Server for ABAP
• Microsoft Active Directory
Cloud:
• SAP SuccessFactors
• SAP Cloud Platform Identity Authentication
• Microsoft Azure Active Directory
Generic:
• SCIM-enabled solution
• LDAP server
Target systems
• SAP Cloud Platform
• SAP Cloud Platform Identity Authentication
• SAP Hybris Cloud for Customer
• SAP Jam
• Concur
• Google G Suite
• Microsoft Azure Active Directory
• SCIM-enabled solution
• Cloud Foundry User Account and Authentication Server
SAP Cloud Platform Identity Provisioning – Policy-based authorization management
Assign authorizations to business applications through policy-based mapping of user store attributes
Authorization policy management
• Simple and flexible policy definition
• Reuses existing user store data
  – Microsoft Active Directory: user attributes and groups
  – SAP NetWeaver AS ABAP: user attributes and roles
  – SAP Cloud Platform Identity Authentication: user attributes and groups
• Efficient authorization assignment with quick updates
SAP Cloud Platform Identity Provisioning – Data transformation modeling
Integrate identity data models of different applications by defining rules for data transformation
• Apply a filter to decide which identities are read from the source system and written to the target
• Map attributes between the source and target systems’ data models to handle differences in the models
• Modify the format of the data taken from the source system to make it compatible with the target system
Diagram: SAP Cloud Platform Identity Provisioning between source and target systems, with the exchange labelled SCIM
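The filter, attribute-mapping and format steps of this slide, combined with the policy-based authorization mapping from the previous slide, as an added example run over constructed Active Directory style records; this is not SAP's code, and the policy table, the filter rules and the SCIM target representation are assumptions chosen to illustrate the three steps.

```python
"""The three transformation steps on the slide (filter, attribute mapping, format
conversion) plus the policy-based authorization mapping from the previous slide,
run over constructed Active Directory style records. Added example, not SAP's
implementation; the policy table and the filter rules are assumptions."""
from typing import Dict, List

ACCOUNTDISABLE = 0x2   # userAccountControl flag bit for a disabled AD account

# Constructed sample of what a read from the source directory might return.
SOURCE_USERS = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "Jane.Doe@example.com", "userAccountControl": 512,
     "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith",
     "mail": "bob.smith@example.com", "userAccountControl": 514,   # disabled
     "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "svc_backup", "givenName": "", "sn": "",
     "mail": None, "userAccountControl": 512, "memberOf": []},
]

# Assumed authorization policy: source group name -> authorizations in the target.
AUTHORIZATION_POLICY = {
    "Sales": ["crm.opportunity.read", "crm.opportunity.write"],
    "Finance": ["crm.invoice.read"],
}

def keep_user(user: Dict) -> bool:
    """Filter step: skip disabled accounts and accounts without a mail address."""
    if user["userAccountControl"] & ACCOUNTDISABLE:
        return False
    return bool(user.get("mail"))

def group_cn(dn: str) -> str:
    """Return the CN value of a group distinguished name (its first RDN)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else first

def to_scim_user(user: Dict) -> Dict:
    """Mapping + format steps: build a SCIM 2.0 core User (RFC 7643) from AD attributes."""
    mail = user["mail"].lower()                     # format change: lower-case address
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": user["sAMAccountName"],       # keeps the link to the source record
        "userName": mail,
        "name": {"givenName": user["givenName"], "familyName": user["sn"]},
        "emails": [{"value": mail, "primary": True}],
        "active": True,
        "groups": [{"display": group_cn(dn)} for dn in user["memberOf"]],
    }

def authorizations_for(scim_user: Dict) -> List[str]:
    """Policy step: derive target authorizations from the mapped group names."""
    auths: List[str] = []
    for group in scim_user["groups"]:
        auths.extend(AUTHORIZATION_POLICY.get(group["display"], []))
    return sorted(set(auths))

def provision(source: List[Dict]) -> List[Dict]:
    """Run filter -> map -> policy over a source read; returns what the target would get."""
    result = []
    for user in source:
        if not keep_user(user):
            continue
        scim = to_scim_user(user)
        result.append({"user": scim, "authorizations": authorizations_for(scim)})
    return result

if __name__ == "__main__":
    import json
    print(json.dumps(provision(SOURCE_USERS), indent=2))
```

Of the three constructed records only the enabled, mailbox-bearing user reaches the target; the disabled account and the mail-less service account are dropped by the filter before any authorization is derived.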
SAP Cloud Platform Identity Provisioning – Integration with SAP Identity Management
Existing customers of SAP Identity Management can extend their identity lifecycle management to cover cloud-based scenarios using Identity Provisioning and Identity Authentication
Recommendations for on-premise landscapes
– SAP Identity Management is optimized for on-premise expectations (customization, performance)
Recommendations for cloud systems
– Identity Provisioning offers a deployment model and simplicity suitable for cloud-based business applications
– Identity Provisioning is the platform for broad cloud integration, allowing customers to efficiently on-board new applications
– SAP Identity Management includes a small set of connectors for cloud applications
Recommendations for hybrid scenarios
– Integration of SAP Identity Management with Identity Provisioning to benefit from the advantages of both worlds
Diagram: SAP Identity Management (on-premise) integrated with SAP Cloud Platform Identity Provisioning & Identity Authentication (cloud)
This is the current state of planning and may be changed by SAP at any time.
SAP Cloud Platform Identity Provisioning – Product road map overview: key themes and capabilities
Time frames on the road map: Recent innovations (Q1 2017), Planned Q2/2017, Planned Q3/2017, Planned Q4/2017
Microsoft Office 365
• Supported as source and target system
• Integration with Microsoft Azure
Simplification
• Simplified configuration of source and target systems
• Improved performance and reduced network load through delta management
Trial version
• Free version to test Identity Provisioning service
• Fully functional with some restrictions on resource consumption
Integration
• Hybrid identity management through integration with SAP Identity Management
• Integration with SAP Cloud Identity Access Governance, access analysis for automated access refinement
Simplification
• Email notifications for the results of provisioning jobs
Additional connectors
• SAP NetWeaver AS for ABAP (on-premise)
• SAP S/4HANA (on-premise)
Provisioning
• Enable real-time provisioning, e.g. during self-registration of consumers
Integration
• Integration of SAP Cloud Identity Access Governance, role design
Additional connectors
• SAP Ariba
• SAP Fieldglass
Extended reporting capabilities
• Provisioning history
• Statistical reports
Summary
SAP Identity Management and SAP Cloud Platform Identity Provisioning are SAP’s offering for managing identities and access on-premise and in the cloud
Setup
– Identity Provisioning is a subscription-based service on SAP Cloud Platform
– Together with the SAP Cloud Platform Identity Authentication service, Identity Provisioning enables customers to run identity and access management in a cloud consumption model
– SAP Identity Management is an on-premise product
Benefits
– Identity Provisioning provides a seamless integration of new cloud applications into identity lifecycle management
– SAP Identity Management offers powerful and flexible configuration options
Strategy
– Identity Provisioning will not replace SAP Identity Management. Instead, both products complement each other to enable seamless identity lifecycle management for hybrid landscapes
Key links for more information on SAP Identity Management and SAP Cloud Platform Identity Provisioning – For customers and partners
Key links
SAP Road Maps http://www.sap.com/roadmaps
SAP Security Community on SAP.COM https://www.sap.com/community/topic/security.html
SAP Cloud Platform Identity Provisioning cloudplatform.sap.com/capabilities/security/identity-provisioning.html
SAP Community for Identity Management https://go.sap.com/community/topic/identity-management.html
SAP Community for Identity Provisioning https://wiki.scn.sap.com/wiki/x/Eoj5Gg
Where to go to provide product feedback and ideas
SAP Idea Place https://ideas.sap.com/SAPIDM
Influence programs http://service.sap.com/influence
SAP User Groups https://www.sap.com/about/customer-involvement/user-groups.html
Thank you.
Contact:
Kristian Lehment
Product Manager
SAP Identity Management
Christian Cohrs
Product Manager
Identity and Access Management
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
© 2017 SAP SE or an SAP affiliate company. All rights reserved.