SCI200
Best Practices for Implementing
SAP NetWeaver Identity Management
Oliver Nocon, SAP Technology RIG EMEA
Serge Muts, SAP Technology RIG Americas
October 2010
© 2010 SAP AG. All rights reserved. / Page 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other
agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or to develop or release any functionality mentioned in this presentation. This
presentation and SAP's strategy and possible future developments are subject to change and
may be changed by SAP at any time for any reason without notice. This document is provided
without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP
assumes no responsibility for errors or omissions in this document, except if such damages
were caused by SAP intentionally or grossly negligent.
Agenda
1. Project
2. Design
3. Implementation
4. Operation
Identity Management Architecture
Identity Center Database
Identity store
Configuration
Processing logic
Workflow User Interface
Main interface for users and managers
Monitoring User Interface
Monitoring and audit interface for administrators
Management Console
Visual development and configuration UI
Runtime Engine and Dispatcher
Processing and provisioning logic
including connectors
Event Agent
Monitors connected systems
and initiates synchronization
Virtual Directory Server
Virtualization layer
Figure: SAP NetWeaver Identity Management 7.1 architecture. The Identity Center (Workflow and Monitoring UI on AS Java, Management Console, Dispatcher, Runtime Engine, Event Agent Service) reads from and writes to the Identity Center Database, detects changes in and provisions to the connected systems (Active Directory, SAP Portal, SAP ERP, SAP GRC, web services, others), with the Virtual Directory Server as the virtualization layer.
SAP NetWeaver IDM: Communication Paths
Systems involved: SAP ERP HCM system; SAP NetWeaver Identity Management, consisting of the Identity Center (IC) and the Virtual Directory Server (VDS); SAP BusinessObjects Access Control (GRC); the target systems.
Transfer employee data from SAP ERP HCM to IDM (LDAP)
Update the employee record in HCM with communication details (RFC)
Forward request for risk analysis to Access Control and poll status (Web Service Call)
Provision identity to target system (protocol dependent on target system)
Identity Management Definition
SAP NetWeaver Identity Management enables the efficient, secure and compliant execution of business processes, by ensuring that the right users have the right access to the right systems at the right time, consistent with their roles across all systems and applications.
Customer Lessons Learned
A business process oriented approach makes it easier to engage the LOBs
The tight integration with SAP BusinessObjects Access Control presents a comprehensive solution for embedding compliance
Don’t underestimate and undersell the hidden opportunities to establish and solidify identity and access processes
Scope manageable pieces but lay a solid foundation and start demonstrating long-term benefits early
Integration with SAP applications combined with industry standard connectors makes SAP NetWeaver IDM a compelling solution for many companies
Identity and Access Management represents a culture change for many organizations and should be addressed as a program
Project Lessons Learned I
Define business case based on cost savings
reduction in lost productivity
reduction in manual role management tasks
increase in provisioning efficiency
reduction in number of helpdesk calls and queue length
time savings for workflow approvals
Improved end user experience through self administration
Consider opportunities and productivity gains like
Improved integration for identity and security information
Eliminate questionable approvals due to lack of quality information
Provide single version of the truth (audit)
Availability of a complete identity
Ability to base access rights on current/complete information
Enlist executive sponsorship as well as sponsorship per functional area
Account for growth during sizing; IDM solutions can grow quickly with Mergers & Acquisitions and scope changes
Project Lessons Learned II
Work with the business; IT cannot implement IDM by itself
Decide on ownership of Business Roles
Decide on definition of Business Roles
Prioritize initiatives
determine leading systems
distinguish building blocks
Identify stakeholders
Select decision makers and those who are impacted
Examples: architecture, application development/admins, HR, Compliance & Audit, LOBs, Help Desk, Suppliers, Customers, Contractors, Legal (for SLAs)
Organize a scoping workshop to estimate cost and timelines; there is no out-of-the-box answer
Start your design based on commonality, not exceptions
Keep roles and role structure as simple as possible
Do you need all the roles?
Cleanup unused roles when you have the opportunity
Project Documentation Map
Leverage Project Documentation Map provided by SAP on SDN
http://wiki.sdn.sap.com/wiki/display/Security/Planning
Stages of IDM Deployment
Start with Limited Scope and Gradually Increase
Consolidate
• Collect and streamline access control mechanisms
• Build and publish role-based access
• Password Self-service
Automate
• Provisioning – basic account management with IDM
• Setup rules engine to manage automatic role-based provisioning
• Setup reporting mechanisms to validate control
Streamline
• Workflow enable approval process and attribute change mechanisms
• Further enable self-service features for Identity and provisioning
Manage & Optimize
• Build and deploy on-going role management process
• Design perpetual roles and rules review mechanism
• Automated Provisioning of user accounts, SAP HCM driven
Timeline across the stages: from initial implementation to on-going operation
Project Metrics
Suggestions for Metrics
IT Security Metrics | User Satisfaction Metrics | Audit & Compliance Metrics | Business Process & Agility Metrics
Time/Cost to manage identity and account lifecycle events | Number of passwords and logons | Number of anomalies detected | Process flow SLAs
Reduction in Identity & Access related support calls | Improved time to get productive | Reduction in violations | Costs/time to onboard partner/supplier
Time to develop/integrate new applications | Impact of self service usage | Costs of information gathering in audits |
Measuring key performance indicators will help you prove the project's worth to the organization
Traps to Avoid
“We have pretty clean data”
Data cleansing is often a bigger issue than expected
“We have to define all roles and positions”
Design according to “bang for your buck”. Design for the critical and most impacting roles.
“We cannot go live without this feature”
Focus on stability and security over individual features.
“We don’t need outside help”
IDM will have a far reach in your company; external consulting can be a tremendous asset.
SAP NetWeaver Identity Management
Example Profile of an SAP NW IDM Administrator
Knowledge of SAP NetWeaver Identity Management
SAP and non-SAP Authorization Concepts to create and maintain Business Roles
LDAP
Databases
SQL Queries
Java Script and/or VB Script
Optional: SPML & SAML
Optional: DB Stored Procedures
Optional: Java Development for custom connectors
Agenda
1. Project
2. Design
3. Implementation
4. Operation
SAP NetWeaver Identity Management
Landscape - Provisioning
Figure: a three-tier IDM landscape (DEV, QA, PRD) provisioning to the matching tiers of the SAP systems (ERP DEV/QA/PRD and SRM DEV/QA/PRD, with HCM connected to ERP PRD). The non-productive tiers carry test IDs only, and IDM configuration moves from DEV to QA to PRD via export/import.
SAP NetWeaver Identity Management
Landscape – SAP System Refresh
Figure: IDM PRD provisions to ERP QA, while ERP QA is refreshed by a system copy from ERP PRD (which is connected to HCM).
Use IDM after system refresh? -> No
Use general SAP Security practice for SAP System refresh:
1. Preserve the user master of the QA client by creating a transport (SAP_USER profile)
2. Stop IDM provisioning to the QA system
3. Perform the client refresh by copying PRD to overlay QA
4. Import the transport to recreate the user master for the client
5. Resume use of IDM
Possible Web Infrastructure Layout Example
Note: Only for External Facing Scenarios!
Figure: network zones from the outside inward: Internet, Frontend DMZ, Infrastructure DMZ, High Security Area. Components placed across the zones: WWW / ICM, AG, LB, AS with the IDM UI, D/S, IDM RT, LDAP, the IDM instance with its DB, back-end systems BE1 and BE2 with their databases, and the databases of AS1 and AS2.
Legend:
AG: Application Gateway
ASn: Application Server n
BEn: Back-end System n
DB: Database
D/Sn: Dispatcher / Server n
IDM UI: IDM UI deployed on AS Java
IDM RT: IDM Runtime (optional)
IDM: IDM instance incl. MMC, Runtime, DB schema
LB: Load Balancer
TS: Terminal Server
WAn: Web Application n
WC: Web Cache
Note: for internal-only IDM deployments all IDM components will be in the internal company network
Integration of SAP NW IDM with 3rd Party Primary IAM System – Logical Architecture
Figure: the primary 3rd-party IAM solution (fed by the HR system and other 3rd-party systems, with self-service entry access points) sends requests over LDAP/WS to the Virtual Directory Server (VDS), which starts events in NW IDM. NW IDM runs compliance checks, receives the compliance response, executes provisioning to ECC, CRM, BI, SRM and AD, and reports event completion back to the primary IAM system to close the audit loop.
Recommended Building Blocks
Define a naming convention and rules around unique identifiers
E.g. employees= Ixxxxxx, contractors=Cxxxxxx
Define a consistent business role naming convention
E.g. Company_VendorMasterVerification
Define Business Roles and provisioning rules
Assign Business Roles to users for better control
Include approvals and routing when defining provisioning rules
Define meta information for roles to allow users to easily identify the roles they need
Defining and entering ownership, role area, etc will assist in finding the role
Define workflows as part of business process discussions; agree on the workflows before starting implementation
Note: Good quality of data is a prerequisite for the successful implementation of an identity management system. Before you start implementing SAP NetWeaver Identity Management, we recommend you clean up the identity data in those systems you want to integrate.
Leading and Consuming Systems
Definitions
Leading system:
Source system from an IdM perspective
Provides master data for either a complete identity or a subset (attributes)
Consuming system:
Target system from an IdM perspective
Consumes all or at least a subset of the identity data stored in the IdM system
Important: One system can either be the source or the target of a defined attribute
Figure: example in which HCM is the leading system for the identity John Doe (including the telephone number +1 999 9999) and ERP, CRM, LDAP, MAIL, … are consuming systems that receive only the user ID (JDoe) and the telephone number.
Source & Target Map for Attributes
Example
Source (Internal) | Source (External) | User Attribute | Targets: ERP, HCM, CRM, LDAP, Mail (an X marks each target system that receives the attribute; which target each X belongs to was not preserved in extraction)
IdM | E-Shop | Unique ID |
IdM | E-Shop | User Id | X X X X
HCM | E-Shop | Salutation | X X X X
HCM | E-Shop | First Name | X X X X
HCM | E-Shop | Middle Name | X X X X
HCM | E-Shop | Last Name | X X X X
IdM | E-Shop | E-Mail Address | X X X X X
Tel. Sys. | n/a | Telephone | X X X X
HCM | n/a | Department | X X X
LDAP | n/a | Building | X X
LDAP | n/a | Room | X X
HCM | E-Shop | Country | X X X
… | … | … | …
Agenda
1. Project
2. Design
3. Implementation
4. Operation
Custom Modifications/Extensions
Do not modify tasks provided by SAP
a new import of SAP's framework will overwrite your changes
Recommended procedure
Create new area, e.g. "Custom Tasks"
Create substructure
Structure according to repository name
for repository specific tasks
Structure according to SAP Framework for
– Global event tasks
– System type specific tasks
– Generic tasks
Create a copy of the required SAP tasks
in the customer structure
Adapt tasks according to your needs
Using the recommended structure will ease support in case of problems
Example Job Structure
Jobs related to ID Store "SAP_HR_Staging_Area"
Jobs related to ID Store "SAP_Master"
Jobs for repository "JR9000"
Jobs for repository "NSP000"
Jobs for repository "ON1000"
Jobs for repository "SUNONE"
Jobs for repository "HR"
Or: Use the logical system <SID>CLNT<clientnumber>
General Procedure
1. System setup Phase
2. Data Cleansing Phase
3. System Operation
Figure: activities mapped onto the phases: Initial Load, Reset Delta, Initial Provisioning, Update, Reconciliation, Data Cleansing.
Initial Load – Preparation Steps for Non-Productive Systems
Switch off provisioning for Dispatcher(s) before executing initial load
Go to your Dispatcher configuration
Un-check "Run provisioning jobs" for both runtime engines
After final initial load empty provisioning queue
Execute job "Clean Provisioning Queue MS-SQL"
or Execute job "Clean Provisioning Queue Oracle"
Enable "Run provisioning jobs" again on Dispatcher(s)
Initial Load – Adding Repositories to Productive System
Adding new repositories to a productive landscape can be done as follows
1. Ensure there are no tasks on repository level:
2. Execute your initial load jobs
New privileges and user assignments will be created without triggering any tasks
3. Maintain the tasks on repository level as required
Important Remarks – SAP Provisioning Framework
All user attributes are provisioned to the selected back-end systems, not only the changed attributes
All role, profile, and group assignments are provisioned, not only the delta for the affected roles, profiles, or groups
When performing the initial loads, consolidation occurs based on user IDs: one identity per user ID
The users used for the connections should be technical users that do not have to change their passwords, for example, service users in AS ABAP
When performing the initial load, the script custom_initializePassword is called
The script generates initial passwords for the users
The script must be modified in order to create passwords according to your needs
No delta load from the source system
No source system event-triggered updates
Full load from the source system; delta handling from the staging area to the Identity Store
From Identity Management for SAP System Landscapes: Configuration Guide
Recommended Tasks
Don’t reinvent the wheel. Use provided templates, jobs and passes.
For AS ABAP version 7.X and newer, use the tasks under Business Suite:
Security
Leverage existing UI authentication
Predefined roles for BW integration (SP5)
Secure connections with Transport Security (TLS/SSL, JDBCS, LDAPS, SNC), especially when sending passwords
Set "Encryption Algorithm" (Tools – Options) to 3DES (default is standard)
Protect keys.ini file:
Use file system security to restrict access to the dispatcher and UI service user
Generate a new key on a regular basis (security policy)
Copy the new keys.ini file to IDM servers where the Runtime, UI, MMC are installed
Change the current key indicator to the newly generated key
Do NOT remove old keys! (historical values)
Check SAP NetWeaver Identity Management Security Guide
Identity Center – SQL Performance
General recommendations
Use the available Identity Center DB views instead of the tables directly
Use view mxiv_sentries instead of view mxiv_entries
Use SearchValue instead of aValue in SQL "where" clauses
Specific recommendation
Use SQL joins instead of where in (…) clauses
Example:
SELECT DISTINCT A.mskey
FROM mxiv_sentries AS A INNER JOIN mxiv_sentries AS B
ON A.mskey = B.mskey
WHERE A.is_id=1 AND
A.attrname='MSKEYVALUE' AND A.searchvalue LIKE '%ADMIN%' AND
B.attrname='MX_ENTRYTYPE' AND B.searchvalue = 'MX_PERSON'
instead of
SELECT DISTINCT mskey FROM MXIV_SENTRIES WHERE is_id=1 AND
attrname='MSKEYVALUE' AND searchvalue LIKE '%ADMIN%'
AND (mskey IN (SELECT mskey FROM MXIV_SENTRIES WHERE
attrname='MX_ENTRYTYPE' AND searchvalue = 'MX_PERSON'))
Agenda
1. Project
2. Design
3. Implementation
4. Operation
Operations
Use a dedicated dispatcher with a higher log level to troubleshoot jobs
IDM Script Debugging Podcast: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/17641
Check detailed job logs on file system
Configure e-mail notification on critical jobs/passes using the "On Chain Failed" functionality to get an early warning
Preserve historical data by creating a job to copy data to offline storage
Regularly clean up table job_execution, AuditTrail
Rebuild database indexes on a regular basis
Register IDM instance with the System Landscape Directory
For details check SAP NetWeaver Identity Management Operations Guide
Patches
Applying patches:
Install the SAP Provisioning Framework that comes with the IDM SP level
Avoid mismatches within an IDM instance (UI, SAP Framework, MMC, etc.)
If you have multiple IDM installations, keep them at the same SP level
Note: A number of performance improvements were made in IDM 7.1 SP5
Further Information
SAP Public Web:
SAP Developer Network (SDN): www.sdn.sap.com/irj/sdn/nw-identitymanagement
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): boc.sap.com
Further technical information from the SAP Technology RIG
Webinars: http://www.sdn.sap.com/irj/scn/ipnw-khnc
How to Guides: http://www.sdn.sap.com/irj/scn/howtoguides
Podcasts: http://www.sdn.sap.com/irj/scn/sap-how-it-works-elearning
You can also follow SAP Technology RIG on Facebook and Twitter
http://www.facebook.com/pages/SAP-RIG/119256894764191?ref=ts
http://twitter.com/saprig
Further Information
SAP Public Web:
SAP Developer Network (SDN):
http://www.sdn.sap.com/irj/sdn/nw-identitymanagement
Related SAP Education and Certification Opportunities
http://www.sap.com/education/ - Course ID: TZNWIM
Related Workshops/Lectures at SAP TechEd 2010
SCI101, SAP NetWeaver Identity Management 7.2: Highlights of the Next Release, Lecture
SCI261, SAP NetWeaver Identity Management 7.1 – Workflow Configuration, Hands-On
SCI262, Compliant Identity Management with SAP NetWeaver IDM and SAP BusinessObjects Access
Control, Hands-On
SCI263, Identity Virtualization with SAP NetWeaver IDM Virtual Directory Server, Hands-On
SCI265, Managing Federated Identities for Service-Based Single Sign-On, Hands-On
Feedback
Please complete your session evaluation.
Be courteous — deposit your trash,
and do not take the handouts for the following session.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2010 SAP AG. All Rights Reserved