© SAP AG 2005, SAP TechEd ’05 / AGS101 / 2
Contributing Speakers
TechEd Vienna
Frank Buchholz, Security Product Manager, SAP AG
Jens Koster, Security Product Manager, SAP AG
TechEd Boston
Gerlinde Zibulski, Security Product Manager, SAP Labs LLC
Agenda
Identity Management with SAP
  Central User Administration
  Directory Integration
  Portal User Management Engine
Role Management with SAP
  ABAP Authorization Roles
  J2EE / UME Authorization Roles
  Portal Roles
  Role Integration Example
SAP’s strategy for Identity Management
Summary
Learning Objectives
As a result of this workshop, you will understand the concepts behind:
  User Management with SAP including the Central User Administration
  Directory Integration
  Portal User Management Engine
  Portal Roles
  Role Management in ABAP and Java based systems
Decentralized User Maintenance
Each SAP System has its own user data store
Decentralized user maintenance
Inconsistencies can occur between address data
Figure: separate SAP systems (SAP BW, SAP APO, SAP R/3 Enterprise, SAP EBP, ...), each with its own user data store.
Central User Administration
Users can be administrated in central SAP system
Automatic distribution to client SAP systems
Local administration still possible (redistribution)
No inconsistencies
Central locks possible
Figure: CUA central system (SAP release as of 4.6C) distributing user data via ALE to CUA clients on SAP 6.x, SAP 4.6 and SAP 4.5.
User Management – Directory Integration
Figure: a meta-directory connected to HR, telephony, the operating system, Application 1 and Application 2.
LDAP Synchronization
Figure: LDAP synchronization between an SAP ABAP system (release as of 6.10) and a directory.
HR Data Replication from SAP in an LDAP Enabled Directory Service
Figure: SAP Web AS (as of 6.10) replicates HR data to the directory. HR system 4.0 and higher with Plug-In System (PI 2001.2), 4.5 with Plug-In System (PI 2001.2), connected via RFC.
Data retrieval in Personnel Management via query or ABAP report
As of 4.70, HR can be connected directly to the LDAP directory
Central User Administration & LDAP Synchronization
Figure: CUA central system (SAP release as of 6.10) with LDAP synchronization to a directory and ALE distribution to CUA clients on SAP 6.x, SAP 4.6 and SAP 4.5.
CUA & LDAP Synchronization & Enterprise Portal
Figure: Enterprise Portal with User Management Engine (UME) reading users from the directory; CUA central system (SAP release as of 6.10) with LDAP synchronization to the directory and ALE distribution to CUA clients (SAP 4.6, SAP 4.5, and a SAP NetWeaver CUA client with SAP ABAP + J2EE Engine); the SAP J2EE Engine has its own persistence store.
CUA & Enterprise Portal (no Directory)
Figure: Enterprise Portal with User Management Engine (UME) using the persistence store of the SAP J2EE Engine; CUA central system (SAP release as of 6.10) with ALE distribution to CUA clients (SAP 4.6, SAP 4.5, a SAP CUA client, and a SAP NetWeaver CUA client with SAP ABAP + J2EE Engine).
SAP Identity Management and Siemens Identity Management
Figure: HiPath SIcurity DirX Identity Management (DirX Identity and DirX Directory; functions: provisioning, password management, self-service, metadirectory, audit) in the center. SAP HR loads employee data into it. Provisioning and synchronization connect it with telephony, the operating system and non-SAP applications; provisioning (incl. SPML integration*) connects it with Central User Administration and the Enterprise Portal with User Management Engine (UME). Further labels: account and group management, validation and reconciliation.
*SPML integration available as of SAP NetWeaver NW 2004s SPS5 and NW 2004 SPS14
SAP Identity Management and Siemens Identity Management
Siemens HiPath SIcurity DirX and DirX Identity complement SAP NetWeaver with Identity Management for heterogeneous landscapes
The solution provides uniform identity provisioning for the SAP Enterprise Portal and all SAP applications as well as non-SAP applications
SAP ships Siemens HiPath SIcurity DirX and HiPath SIcurity DirXIdentity demo license starting with NetWeaver 2004s ramp-up phase
Customer Benefits
  Secure and centralized management of user identities and their access rights for all enterprise applications
  Regulatory compliance
  Increased operational efficiency and end user productivity
  Reduced administration and help-desk costs
SAP NetWeaver Enterprise Portal
Role-based, secure and Web based access to any kind of applications, information and services (ERP, CRM, ...)
Figure: SAP Enterprise Portal 6.0 with authentication and Single Sign On; example roles Sales Manager, Line Manager and Business Developer; Docs* (*covered by KM).
Overview SAP Roles
Portal Roles ... define what is displayed in the Portal
ABAP Roles (ABAP) or UME Roles / J2EE Security Roles (Java) ... define what authorizations the user has in the backend system
ABAP Roles and Portal Roles: A Comparison
ABAP Authorization Roles
  Roles (single roles) carry authorization information.
  The Profile Generator is part of the role administration in transaction PFCG.
  The content of Authorization Roles can be generated using the definition of Portal Roles.
Portal Roles
  Portal Roles carry the user interface information but (almost) no authorization information.
  Authorizations must still be maintained in the backend system.
Scenarios for Role Integration
When using different SAP components, different scenarios for managing identities are possible. The following slides describe an example with the following components:
  SAP Enterprise Portal
  ABAP based SAP Systems
  Directory Server
Scenario A:
  The administrator uses the UME to maintain users and portal role assignments
  Portal roles and related ABAP authorization roles are linked together
  The system ensures that the necessary ABAP authorization roles are assigned, too
Scenario B:
  The administrator uses the CUA to maintain users and role assignments
  Portal roles and related ABAP roles are linked together
  The system ensures that the necessary Portal roles are assigned, too
Scenario A: Role Maintenance
Figure (development systems for customizing: Enterprise Portal, SAP ABAP + J2EE Engine, CUA):
  1. Portal Role Maintenance in the Enterprise Portal
  2. Transfer Role Information
  3. Authorization Role Maintenance (using WP3R) in the SAP ABAP + J2EE Engine
  4. Transport to productive systems
  5. Transfer Role Information to CUA
Scenario A: User Management based on a Directory
Figure (Directory, Enterprise Portal, CUA, SAP ABAP + J2EE Engine with persistence store; LDAP synchronization between Directory and CUA; ALE distribution from the CUA):
  1. User Maintenance in the Directory
  2. Portal Role Assignment
  3. Synchronize User Data
  4. Publish Role Assignment
  5. Authorization Role Assignment using transaction WP3R
  6. Users get roles in backend systems
Scenario B: Role Maintenance
Figure (development systems for customizing: Enterprise Portal with persistence store, SAP ABAP + J2EE Engine, CUA):
  1. Portal Role Maintenance
  2. Maintain auth. role templates for the Portal
  3. Authorization Role Maintenance (using PFCG)
  4. Transport to productive systems
  5. Role - Group Assignment
SAP backend Authorization Role EQUALS Group in the Enterprise Portal!
Scenario B: User Management based on the CUA
Figure (Enterprise Portal with persistence store, SAP ABAP + J2EE Engine, CUA; ALE distribution from the CUA):
  1. User Maintenance in the CUA
  2. Role Assignment
  3. Users get authorization roles in the backend systems; users get groups and indirect roles in the Portal
SAP backend Authorization Role EQUALS Group in the Enterprise Portal!
Central Person (ABAP)
Figure: a Central Person with central attributes (name, identification, addresses, ...) linked to
  User Management: R/3 User Account, Portal User Account (add. attributes), Identity (add. attributes)
  Personnel Administration: Terms of Employment, Employee (add. attributes)
  CRM: Customer Data Sets, Account (add. attributes)
  Organizational Management: Company/University, Unit A / Faculty A, Unit B / Faculty B, Position 1, Position 2, Position 3, Holder
Identity Provisioning – Big Picture
Figure: Data Sources for Identities (SAP HR, SAP CRM, LDAP Directory) feed inbound into Central Identity Management (Identity Model, Provisioning). Outbound provisioning goes to the Target Systems for Provisioning (J2EE Engine, ABAP System, SAP Web AS ABAP+Java, Non-SAP System) and to a Partner Provisioning System via the Provisioning Interface (SPML).
Summary
SAP leverages various user persistence store options.
SAP allows for roles and authorizations with appropriate strength.
SAP further enhances its Identity Management features and functions.
SAP will develop its own solution for the external user account provisioning application (for SAP and non-SAP applications) based on NetWeaver.
The existing applications (User Management Engine / Central User Administration / Directory Integration) will be an integral part of the new solution.
Customers who use these applications follow exactly the recommendation of SAP.
Further Information (Boston)
Public Web
  www.sap.com
  NetWeaver Developer’s Guide: www.sdn.sap.com/sdn/developersguide.sdn
  SAP Developer Network: www.sdn.sap.com, SAP NetWeaver Platform Security
  SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2005
  AGS351, User Management and Authorizations – The Details
  AGS103, Identity Management – Streamlining the User Provisioning Process Between HR, LDAP, and CUA
  AGS104, SAP MIC Tool – SAP NetWeaver in Support of Sarbanes-Oxley Requirements
  AGS105, Security Primer
  AGS201, Sarbanes-Oxley Compliance – Challenges and Benefits
  CD261, Using Authorizations in Java Application Development
Related SAP Education Training Opportunities
  http://www.sap.com/education/ ADM940-960
Further Information (Vienna)
Public Web
  www.sap.com
  NetWeaver Developer’s Guide: www.sdn.sap.com/sdn/developersguide.sdn
  SAP Developer Network: www.sdn.sap.com, SAP NetWeaver Platform Security
  SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2005
  AGS104, SAP MIC Tool – SAP NetWeaver in Support of Sarbanes-Oxley Requirements, Fri, 9:15 a.m. – 10:15 a.m., L3
  AGS106, Virus Scanning of Documents in SAP Applications, Thu, 6:00 p.m. – 7:00 p.m., L3
  AGS200, Increasing Infrastructure Security by using Application Gateways, Fri, 10:45 a.m. – 12:45 p.m., L4
  AGS202, Security in SAP Internet Transaction Server (ITS) Landscapes, Fri, 11:45 a.m. – 12:45 p.m., L3
  AGS350, Configuring J2EE & SAP NetWeaver Portal UME Authentication, Thu, 2:15 p.m. – 4:15 p.m., H2
Related SAP Education Training Opportunities
  http://www.sap.com/education/ ADM940-960
SAP Developer Network
http://www.sdn.sap.com/
Questions?
Q&A
URL: http://service.sap.com/security
Feedback
Please complete your session evaluation.
Be courteous – deposit your trash, and do not take the handouts for the following session.
Thank You !
Comparison of Authorization related Objects
Users are assigned to the objects in the first row; each column is one stack.
Level                                    ABAP                          J2EE (Security Roles)    J2EE (UME)
Collection of Users or Authorizations    Composite Role / User Group   User Group               User Group
Collection of Authorizations             ABAP Role                     J2EE Security Role       UME Role
Authorizations                           Authorizations                J2EE Security Role       Actions
SAP J2EE Security Security Models
J2EE supports two different security models
  Declarative security (Standard J2EE Security Roles)
    Access control linked to the resource (executables)
    Decouples access control from application logic
    Easy to implement and maintain
  Programmatic security (SAP specific Permission, Action, UME Role)
    Access control within Java code
    More flexible but linked to application logic
    More work to implement
SAP adds its well known role concept to J2EE applications
Java programs reuse business services in ABAP and inherit the ABAP authorization concept
J2EE Role Concept (Example) – Declarative Security
Figure: an EJB (e.g. a Java program to display / maintain something, packaged in a JAR inside an EAR) with the methods change and display. Method change is protected by the J2EE Security Role Change, method display by the J2EE Security Role Display. The security roles are mapped to the user groups CHANGE and DISPLAY, to which User1 and User2 are assigned.
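The two J2EE security models from the previous slide, applied to the display/change EJB of this figure, as an added example that is not part of the SAP slides. It uses only standard Java EE (JSR 250 and EJB 3) APIs: the declarative part with `@RolesAllowed`, the programmatic part with `SessionContext.isCallerInRole`. The SAP-specific UME Permission/Action API is not used, and the bean name `DocumentBean`, the "locked document" rule and the in-memory storage are illustrative assumptions. In the J2EE 1.4 generation the deck targets, the same declarative protection was written as `<method-permission>` entries in ejb-jar.xml instead of annotations; the container behaviour is the same.

```java
// Added example (not from the SAP slides): the deck's EJB with the methods
// display and change, protected by the two J2EE security models.
// Standard Java EE APIs only; the SAP-specific UME Permission/Action API
// is not shown. Bean name, locking rule and storage are assumptions.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// The roles referenced by isCallerInRole must be declared for the bean.
@DeclareRoles({"Display", "Change"})
@Stateless
public class DocumentBean {

    @Resource
    private SessionContext ctx;

    // --- Declarative security -------------------------------------------
    // The container checks the caller's security role before the method
    // body runs. "Display" and "Change" are mapped to the user groups
    // (DISPLAY and CHANGE in the figure) in the deployment descriptor or
    // the server's role mapping, so no access-control code lives here and
    // the mapping can change without touching the application.
    @RolesAllowed("Display")
    public String display(String docId) {
        return load(docId);
    }

    @RolesAllowed("Change")
    public void change(String docId, String newContent) {
        store(docId, newContent);
    }

    // --- Programmatic security ------------------------------------------
    // The decision depends on data (here: a locked document may only be
    // modified by a caller in role "Change"), which a declarative rule
    // cannot express. The check therefore sits inside the business logic,
    // at the price of coupling access control to the application code.
    @RolesAllowed({"Display", "Change"})
    public void changeIfAllowed(String docId, String newContent) {
        if (isLocked(docId) && !ctx.isCallerInRole("Change")) {
            // Fail closed: a Display-only caller must not modify a locked document.
            throw new EJBAccessException("role Change required for locked document " + docId);
        }
        store(docId, newContent);
    }

    // --- Placeholder persistence so the example compiles stand-alone ----
    // A real bean would use a database (or, in the SAP case, a BAPI call
    // that is itself subject to the ABAP authorization check).
    private final Map<String, String> docs = new ConcurrentHashMap<>();

    private String load(String id) {
        return docs.getOrDefault(id, "");
    }

    private void store(String id, String content) {
        docs.put(id, content);
    }

    // Constructed rule for the example: ids starting with "LOCKED-" are locked.
    private boolean isLocked(String id) {
        return id.startsWith("LOCKED-");
    }
}
```

The declarative methods show the property the slide calls "decouples access control from application logic": whether User1 may call `change` is decided entirely by the role-to-group mapping in the deployment configuration. `changeIfAllowed` shows why the programmatic model still exists: the rule depends on the document's state, so it has to live in code, and the code must reject the call rather than silently downgrade it.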
UME Role Concept – Programmatic Security
Figure: Permissions are grouped into Actions per application (Application1: Permission1, Permission2, Permission3 grouped into Action1 and Action2; Application2: Permission4, Permission5, Permission6 grouped into Action3 and Action4). Actions are assigned to UME Roles (UME Role 1, UME Role 2), and UME Roles are assigned to users or groups.
ABAP and Java together
Figure: Java and ABAP stacks side by side on one database instance. Java: Presentation Layer (Web Dynpro), Business Layer (EJB), Persistence (Open SQL) on the Java Schema. ABAP: Presentation Layer (Web Dynpro), Business Layer (Function / BAPI), Persistence (Open SQL) on the ABAP Schema. Connectivity between ABAP and Java via JCo from the Java Business Layer to ABAP Function / BAPI (recommended).
  Business relevant authority check based on ABAP roles
  Business relevant authority check based on UME roles
  Program flow with authorization checks in both ABAP and Java
Copyright 2005 SAP AG. All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.