Is there a need for SAP Identity Management?

Author: Dr. Jagan Vaman, Chief Consulting Officer, SAP Security

Yes, there is! I had covered this in detail in my last blog, "The Need for SAP Identity Management." To summarize quickly, the top 3 reasons are:

  1. To reduce access risks and enhance security
  2. To reduce costs through automation and process optimization
  3. To comply with regulations and compliance requirements

So let's look at what solution SAP provides for Identity Management.

The SAP NetWeaver Identity Management Solution

The SAP NetWeaver Identity Management products have evolved from MaXware AS.

The MaXware Data Synchronization Engine was released in 1996 and grew into the identity management product MaXware Identity Center, which includes provisioning, workflow and password management functionality.

SAP acquired the MaXware IdM product and smartly integrated it with the SAP NetWeaver platform (see http://identityblog.burtongroup.com/bgidps/sap/ ). SAP NetWeaver Identity Management consists of the following components:

Identity Center: The Identity Center is a high-end identity management solution. It uses a relational database for the configuration data and the logging and status information, as well as for the identity store and all provisioning and workflow states.

Data Synchronization Engine: The Data Synchronization Engine is responsible for any low-level operation on the applications and repositories. It runs as part of the Identity Center.

Virtual Directory Server: A virtual directory provides the organization with real-time access to the identity information, as well as to other critical information, by providing a single access point to all information. The Virtual Directory Server can also be used to control access to the identity data. It is able to present the same data in different ways to different groups of users. It can also be used to write-protect or hide certain attributes, for example when making information available externally.

How Does SAP IdM Enable a Digital User Lifecycle Approach?

A comprehensive identity management solution covers the entire lifecycle of a user, from the onboarding of a new employee to the termination of the employment contract. In the absence of an identity management solution, provisioning and user-access management in a compliant and auditable way becomes labor intensive, repetitive and error prone.

This problem is compounded when you consider the typical user lifecycle within an organization. When an employee is hired, your organization gives him or her certain permissions in a variety of systems. Later, the employee may receive a promotion or change roles and so receive new, additional permissions. Furthermore, you may need to grant other temporary privileges for some year-end activity or while an employee is covering for a colleague on vacation. Thus, an employee typically tends to accrue privileges over time and often continues to have access that is no longer required for the current role. This is, of course, a security risk. But it is also a potential compliance violation.

Adding a new role might cause conflicting authorizations for the user. Consider this example: A purchasing manager is authorized to issue orders to external vendors – for example, to buy office supplies. To step in for a colleague who's on sick leave, this purchasing manager temporarily needs the authorization to create vendors in the system. The employee could now misuse his roles, create a new (fictitious) vendor, and issue an order. To minimize the risk that comes from such segregation of duties violations, a compliance check must be performed for all role assignments that apply to critical business processes, such as enterprise resource planning (ERP) system roles.

Finally, when the employee leaves your company, the access that this user has may still not be revoked, perhaps even years later, which presents obvious and ongoing security risks to your organization. At each stage, you need to give the user access to the right set of applications according to his or her current role. The SAP NetWeaver® Identity Management component helps you manage this process centrally, across SAP® solutions.
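The compliance check on role assignment and the leaver revocation described in the three paragraphs above, as an added example in Python (not SAP's code); the role names, the SoD rule set and the user are constructed for the purchasing-manager scenario:

```python
from dataclasses import dataclass, field

# Constructed SoD rule set: pairs of roles that must not be held together,
# with the business reason recorded for the audit trail. The first rule is
# the "create vendor" + "issue purchase order" conflict from the text.
SOD_RULES = {
    ("PURCHASE_ORDER_CREATE", "VENDOR_MASTER_CREATE"):
        "user could create a fictitious vendor and order from it",
    ("PAYMENT_RELEASE", "VENDOR_MASTER_CREATE"):
        "user could create a fictitious vendor and pay it",
}


@dataclass
class Identity:
    """One identity in the central store; roles is the set of assigned roles."""
    user_id: str
    active: bool = True
    roles: set = field(default_factory=set)


def sod_violations(roles):
    """Return every (role_a, role_b, reason) conflict present in a role set."""
    return [(a, b, why) for (a, b), why in SOD_RULES.items()
            if a in roles and b in roles]


def request_role(identity, role, approved_exception=False):
    """Compliance check before provisioning.

    The role is assigned only if it introduces no *new* SoD conflict relative
    to what the user already holds, or if an explicit exception was approved.
    Returns (granted, new_conflicts) so the caller can log or route to approval.
    """
    if not identity.active:
        raise ValueError(f"{identity.user_id} is deactivated; no provisioning")
    candidate = identity.roles | {role}
    already = set(sod_violations(identity.roles))
    new_conflicts = [c for c in sod_violations(candidate) if c not in already]
    if new_conflicts and not approved_exception:
        return False, new_conflicts          # block: route to compliance review
    identity.roles = candidate
    return True, new_conflicts               # granted (conflicts only if excepted)


def terminate(identity):
    """Leaver process: revoke every role and deactivate in one step.
    Returns the revoked roles so the de-provisioning is auditable."""
    revoked = sorted(identity.roles)
    identity.roles = set()
    identity.active = False
    return revoked
```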

What are the Advantages of SAP IdM?

SAP NetWeaver Identity Management helps organizations manage user access securely and efficiently while aligning with business processes and in accordance with audit and compliance requirements.

The solution provides a central user-provisioning mechanism to manage users and assign appropriate business roles to them. It also supports related processes such as password management, self-service, and approval workflows. SAP NetWeaver Identity Management helps in user provisioning by offering:

  • One central place to manage users in SAP applications regardless of the individual data stores (for example, changing a phone number or e-mail address automatically updates all relevant systems)
  • Tight integration with the company's business processes
  • Centralized reporting functionality, using the SAP NetWeaver Business Warehouse component, to address the pressing need for compliance and auditability
  • Mapping of one user to identities in all systems, and fully auditable user access across the entire IT landscape
  • Password-reset and lost-password management functionality for end users, alleviating help-desk workload and reducing operational costs
  • Integration with SAP NetWeaver Single Sign-On software to support end-to-end single sign-on and encryption in distributed environments, including all SAP graphical user interfaces (GUIs) as well as Web-based front ends

More Reading: