sap grc basics

Frank Bannert / Customer Solution Adoption September 2011 SCI203 Compliant Identity Management with GRC AC 10.0 and NetWeaver ID Management 7.2


Page 1: sap GRC Basics

Frank Bannert / Customer Solution Adoption

September 2011

SCI203

Compliant Identity Management with GRC AC 10.0 and NetWeaver ID Management 7.2

Page 2: sap GRC Basics

© 2011 SAP AG. All rights reserved. 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Page 3: sap GRC Basics

Agenda

• Best Practice of Compliant Identity Management
• Architecture Overview
• Prerequisites
• Available Access Control 10.0 Web Services
• New Features
• Wrap-up

Page 4: sap GRC Basics

Best Practice of Compliant Identity Management

Access Control 10.0 and SAP NetWeaver Identity Management 7.2 combined

Page 5: sap GRC Basics

Compliant Identity Management From SAP

• Integrated, innovative solutions
• Increased visibility of identities and access risk across the enterprise
• Compliant identity management at reduced cost

Page 6: sap GRC Basics

Business Value

Integrated, innovative solutions
• Unparalleled, seamless integration to on-demand and on-premise SAP solutions
• Secure connectivity, authentication and single sign-on
• Innovative enhancements for best-in-class solutions

Increased visibility of identities and access risk across the enterprise
• Real-time visibility of request status, user privileges and access risk
• Comprehensive audit trail of system and process activities
• Integrated analytics, dashboards and reporting

Compliant identity management at reduced cost
• Self-service request process for SAP and heterogeneous data environments
• Automated workflow and approval process with embedded risk analysis
• Closed loop process for approving and reviewing emergency access for SAP applications

Page 7: sap GRC Basics

What Is the Role of SAP BusinessObjects Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standard-supported Identity Federation

SAP BusinessObjects Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations, and controls
• Centralized, Compliant Role Repository: define and manage compliant roles

Compliant identity management for the entire system landscape

Page 8: sap GRC Basics

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

Process flow shown on the slide:
1. HR Application: New Hire / Change Position
2. Identity Management: Calculate Entitlements Based on Position
3. Line Manager: Approve Assignments? (Yes / No)
4. SAP BusinessObjects Access Control: Compliance Check, Remediation
5. Heterogeneous Landscape: Create User, Assign Roles (one branch per target system) and Create User, Assign Privileges

Page 9: sap GRC Basics

Compliant Identity Management

(Parties in the diagram: User, SAP NetWeaver Identity Management, SAP Business Objects Access Control)

1. Request for
• Role
• Privileges
• User account
• …

Page 10: sap GRC Basics

Compliant Identity Management

(Parties in the diagram: User, Approver, SAP NetWeaver Identity Management, SAP Business Objects Access Control)

2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …

Page 11: sap GRC Basics

Compliant Identity Management

(Parties in the diagram: User, Approver, SAP NetWeaver Identity Management, SAP Business Objects Access Control)

3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …

Page 12: sap GRC Basics

Compliant Identity Management

(Parties in the diagram: User, Approver, SAP NetWeaver Identity Management, SAP Business Objects Access Control)

4. Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …

Page 13: sap GRC Basics

Compliant Identity Management

(Parties in the diagram: User, Approver, Compliance Team, SAP NetWeaver Identity Management, SAP Business Objects Access Control)

5. Risk analysis and remediation
• Reject
• Approve
• Mitigate
• Modify request
• …

Page 14: sap GRC Basics

Compliant Identity Management

(Parties in the diagram: User, Approver, Compliance Team, SAP NetWeaver Identity Management, SAP Business Objects Access Control)

6. Provision to
• Business applications
• non-SAP systems
• …

And send approval mail to User

Page 15: sap GRC Basics

Compliant Identity Management

Result: Compliant Identity Management

(Parties in the diagram, with steps 1–6 shown: User, Approver, Compliance Team, SAP NetWeaver Identity Management, SAP Business Objects Access Control)
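The six steps above (request, approval, risk analysis, remediation, provisioning) form one decision chain, and the security-relevant point is the order: nothing is provisioned until approval is complete and every segregation-of-duties (SoD) risk is either absent or mitigated. The following is an added example that models that chain; it is not SAP code. The role catalogue, the business functions and the two SoD rules are constructed sample data standing in for a GRC rule set, and the risk analysis is done over the user's existing plus requested access, because a conflict split across two requests would otherwise go unnoticed.

```python
"""Model of the six-step compliant access request flow (slides 9-15):
request -> approval -> SoD risk analysis -> remediation -> provisioning.
Added example, not SAP code; roles, functions and risk IDs are constructed."""
from dataclasses import dataclass, field

# Constructed role catalogue: role -> business functions it grants.
ROLES = {
    "AP_CLERK": {"Create Vendor"},
    "AP_PAYER": {"Pay Vendor"},
    "AP_SUPER": {"Create Vendor", "Pay Vendor"},
    "GL_ACCT":  {"Post Journal"},
}

# Constructed SoD rule set: risk ID -> pair of functions one person must not hold.
SOD_RULES = {
    "P001": ("Create Vendor", "Pay Vendor"),
    "F002": ("Post Journal", "Approve Journal"),
}


def functions_of(roles):
    """Flatten a set of roles to the business functions they grant."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def user_level_risks(roles):
    """User-level analysis: risks violated by the union of all roles a user holds."""
    held = functions_of(roles)
    return {rid for rid, (a, b) in SOD_RULES.items() if a in held and b in held}


def role_level_risks(role):
    """Role-level analysis: risks violated inside one role on its own."""
    return user_level_risks({role})


@dataclass
class AccessRequest:
    request_id: str
    user: str
    requested: set                                   # step 1: roles asked for
    existing: set = field(default_factory=set)       # roles the user already holds
    approvals: dict = field(default_factory=dict)    # steps 2-3: approver -> decision
    mitigations: set = field(default_factory=set)    # step 5: risk IDs covered by a control


def decide(req):
    """Steps 3-6 in order. Returns (status, detail):
    REJECTED      - an approver declined, or nobody has approved yet;
    RISK_PENDING  - unmitigated SoD risks remain (detail = sorted risk IDs), so the
                    request goes to the compliance team to reject, mitigate or modify;
    PROVISIONED   - no open risk, detail = the user's final role set."""
    if not req.approvals or not all(req.approvals.values()):
        return "REJECTED", "approval missing or declined"
    # Step 4: analyse existing + requested access together, not the request alone.
    open_risks = user_level_risks(req.existing | req.requested) - req.mitigations
    if open_risks:
        return "RISK_PENDING", sorted(open_risks)
    return "PROVISIONED", sorted(req.existing | req.requested)


if __name__ == "__main__":
    req = AccessRequest("REQ-1", "jdoe", {"AP_PAYER", "GL_ACCT"}, existing={"AP_CLERK"},
                        approvals={"manager": True, "role_owner": True})
    print(decide(req))                  # ('RISK_PENDING', ['P001'])
    req.mitigations.add("P001")         # compliance team assigns a mitigating control
    print(decide(req))                  # ('PROVISIONED', ['AP_CLERK', 'AP_PAYER', 'GL_ACCT'])
```

`role_level_risks` corresponds to the role-level analysis the web services table lists, and `user_level_risks` to the user-level one; the request itself carries the approvals and mitigations so that the same function can be re-run after the compliance team has acted.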

Page 16: sap GRC Basics

Architecture Overview

Page 17: sap GRC Basics

Compliant Identity Management

Trigger: e.g. on-boarding

SAP NetWeaver Identity Management
• Password management
• Provisioning to SAP and non-SAP systems
• Identity mgmt. monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as service
• Approval workflows
• Central Identity Store

SAP Business Objects Access Control (GRC)
• Compliance checks through GRC

SAP Business Suite Integration

Page 18: sap GRC Basics

SAP NetWeaver Identity Management 7.2 – Architecture

SAP NetWeaver ID Management 7.2 components:
• Identity Center
• Workflow and Monitoring UI (AS Java)
• Management Console
• Dispatcher
• Runtime Engine
• Event Agent Service
• Virtual Directory Server
• Identity Center Database

Connected systems (read / write, detect changes): Active Directory, SAP ERP, E-Mail System, SAP Portal, others

Interface to SAP GRC: Web services

Page 19: sap GRC Basics

SAP BusinessObjects GRC 10.0 – Architecture

SAP BusinessObjects 10.0 on SAP NetWeaver AS ABAP 7.02:
• AC, PC & RM (Software Component: GRCFND_A)
• GTS (Software Component: SLL-LEG)
• Nota Fiscal Electronica (Software Component: SLL-NFE)
• Content Lifecycle Management (CLM)

Back-end systems (RFC):
• SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in: GRCPINW), HR Function Modules, PC Automated Ctrls (Plug-in: GRCPIERP), GTS Plug-in (Plug-in: SLL-PI)
• Non-SAP Business Applications: Adapter (optional)
• SAP NetWeaver PI Nota Fiscal Content (required for Nota Fiscal E.)

Surrounding components (optional):
• Identity Management Solutions (SAP or Non-SAP): Web services
• SAP NetWeaver Enterprise Search 7.0: GRC Search
• SAP NW JAVA 7.02: Adobe Document Services
• SAP NW Portal 7.02: GRC Portal Content
• SAP NW BW 7.02: BI Content 7.06, GRC BI Content

Connections shown: Web services, RFC, http

Front-End Client (DIAG / http):
• SAP GUI 7.10
• Web Browser, Adobe Flash Player
• SAP CR Adapter

Page 20: sap GRC Basics

SAP BusinessObjects Access Control 10.0 – Architecture

SAP BusinessObjects 10.0 on SAP NetWeaver AS ABAP 7.02:
• AC, PC & RM (Software Component: GRCFND_A)
• Content Lifecycle Management (CLM)

Back-end systems (RFC):
• SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in: GRCPINW), HR Function Modules, PC Automated Ctrls (Plug-in: GRCPIERP)
• Non-SAP Business Applications: Adapter (optional)

Surrounding components (optional):
• Identity Management Solutions (SAP or Non-SAP): Web services
• SAP NW Portal 7.02: GRC Portal Content
• SAP NW BW 7.02: BI Content 7.06, GRC BI Content
• SAP NW JAVA 7.02: Adobe Document Services

Connections shown: Web services, RFC, http

Front-End Client (DIAG / http):
• SAP GUI 7.10
• Web Browser, Adobe Flash Player
• SAP CR Adapter

Page 21: sap GRC Basics

Prerequisites

Page 22: sap GRC Basics


Technical Prerequisites

SAP BusinessObjects Access Control 10.0

• SAP NetWeaver AS ABAP 7.02 SP6 or higher (but not 7.3)

• All NetWeaver Platforms supported

SAP NetWeaver Identity Management 7.2

• SAP NetWeaver AS Java 7.0 SP14 or higher (but not 7.3) for Workflow and Monitoring UI

• All NetWeaver Platforms supported

• Management Console only supports Windows

• Database support: MS SQL or Oracle

Page 23: sap GRC Basics

Configuration Prerequisites

SAP BusinessObjects Access Control 10.0

• Configure all IdM systems in GRC as resources

• Configure Field Mapping and Parameter Mapping in GRC

• Synchronize non-SAP roles maintained in IdM with GRC if needed

SAP NetWeaver Identity Management 7.2

• Identity Center and Virtual Directory Server are configured

• Deploy and configure the GRC Provisioning Framework

• Configure IdM web service calls to GRC

Page 24: sap GRC Basics

Access Control 10.0 Web Services

Page 25: sap GRC Basics

Access Control Web Services

| No | Interface | Description | Technical Name |
|---|---|---|---|
| 1 | Lookup service | Enables lookup of possible values for a use case. Example: possible values for Request Status | GRAC_LOOKUP_WS |
| 2 | Search roles | Enables searching for roles before submitting a request to GRC | GRAC_SEARCH_ROLES_WS |
| 3 | Role Details | Detailed role description and associated attributes of the selected role | GRAC_ROLE_DETAILS_WS |
| 4 | Select Applications | Returns a list of resources configured within GRC | GRAC_SELECT_APPL_WS |
| 5 | Firefighter | Returns the list of firefighter IDs along with FF Owner details | GRAC_FIRE_FIGHTER_WS |
| 6 | User's Existing Assignments | Returns the existing user assignments | GRAC_USER_EXISTING_ASSGN_WS |
| 7 | User Access Request | This web service is called by IdM for user access requests | GRAC_USER_ACCES_WS |
| 8 | Risk analysis (with request number) | Performs Segregation of Duties analysis on a request submitted to GRC or on the assignments of an existing user | GRAC_RISK_ANALYSIS_WITH_NO_WS |
| 9 | Organization Assignment Request | Enables IdM to assign roles to OM objects like Job, Position and Organizational Unit | GRAC_ORG_ASSGN_REQUEST_WS |

Page 26: sap GRC Basics

Access Control Web Services (cont.)

| No | Interface | Description | Technical Name |
|---|---|---|---|
| 10 | Exit – User Access Request (Outbound) | This service is called by GRC to inform IdM about the result of a closed request | GRC internal |
| 11 | Provisioning Log | Returns all the provisioning information for a user. It helps to determine whether the user was created, changed or deleted, or whether a role was added or removed | GRAC_PROV_LOGS_WS |
| 12 | Request status | Status of a request | GRAC_REQUEST_STATUS_WS |
| 13 | Audit Logs | Returns the workflow information about the paths, stages and stage approvers, and also returns the provisioning information | GRAC_AUDIT_LOGS_WS |
| 14 | Request Details | Returns the request details along with the risk analysis | GRAC_REQUEST_DETAILS_WS |
| 15 | Risk Analysis (without request number) | Performs SoD analysis for user level and role level | GRAC_RISK_ANALYSIS_WOUT_NO_WS |
| 16 | Exit – Provisioning by IdM | This service is called by IdM to inform GRC about the provisioning result | GRAC_EXIT_FROM_IDM_WS |

Page 27: sap GRC Basics

New Features

Page 28: sap GRC Basics

New Features

SAP BusinessObjects Access Control 10.0

• Risk Analysis (without request number)

Performs SoD analysis for user level and role level without the need of a request number in AC

• Exit – User Access Request

This service is called by GRC to inform IdM about the provisioning result

SAP NetWeaver Identity Management 7.2

• The Request-Complete Task

A request may consist of multiple assignments

All assignments are tagged with the same request ID

A global task is executed when all assignments are completed
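The Request-Complete Task is a fan-in: several assignments carry the same request ID, and the global task must run exactly once, only after the last of them has finished, regardless of the order in which the target systems report back. The following is an added example of that bookkeeping; it is not SAP NetWeaver Identity Management code. The request and assignment IDs are constructed, and the `on_complete` callback is an assumption standing in for whatever the global task does (for instance the provisioning-result notification back to GRC that the table above lists as GRAC_EXIT_FROM_IDM_WS).

```python
"""Request-Complete Task model: assignments tagged with one request ID are
tracked, and a global task runs once when all of them are done.
Added example, not SAP code; IDs and the on_complete callback are constructed."""


class RequestTracker:
    def __init__(self, on_complete):
        self._on_complete = on_complete   # global task: callback(request_id, results)
        self._pending = {}                # request_id -> {assignment_id: result or None}
        self._fired = set()               # request IDs whose global task already ran

    def open_request(self, request_id, assignment_ids):
        """Register a request and the assignments tagged with its ID."""
        if request_id in self._pending or request_id in self._fired:
            raise ValueError(f"request {request_id} already known")
        if not assignment_ids:
            raise ValueError("a request needs at least one assignment")
        self._pending[request_id] = {a: None for a in assignment_ids}

    def complete_assignment(self, request_id, assignment_id, result="OK"):
        """Record one finished assignment (result may be OK or FAILED).
        Returns True only on the call that completes the whole request,
        i.e. the one that runs the global task."""
        if request_id in self._fired:
            return False                  # late duplicate: the task must not re-run
        assignments = self._pending[request_id]   # KeyError for an unknown request
        if assignment_id not in assignments:
            raise KeyError(f"{assignment_id} is not part of {request_id}")
        if assignments[assignment_id] is not None:
            return False                  # duplicate completion of the same assignment
        assignments[assignment_id] = result
        if any(r is None for r in assignments.values()):
            return False                  # something is still outstanding
        # Every assignment with this request ID is done: run the global task once.
        results = self._pending.pop(request_id)
        self._fired.add(request_id)
        self._on_complete(request_id, results)
        return True

    def outstanding(self, request_id):
        """Assignment IDs of the request that have not reported back yet."""
        return sorted(a for a, r in self._pending.get(request_id, {}).items() if r is None)


if __name__ == "__main__":
    tracker = RequestTracker(lambda rid, res: print("global task for", rid, res))
    tracker.open_request("REQ-42", ["erp-role", "ad-account", "mailbox"])
    tracker.complete_assignment("REQ-42", "ad-account")
    tracker.complete_assignment("REQ-42", "erp-role", "FAILED")
    print(tracker.outstanding("REQ-42"))              # ['mailbox']
    tracker.complete_assignment("REQ-42", "mailbox")  # global task runs here, once
```

The results dictionary handed to the global task keeps the per-assignment outcome, so the task can report a partial failure instead of a bare "done"; the `_fired` set is what guarantees the task is not executed a second time when a target system re-sends its completion.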

Page 29: sap GRC Basics

Wrap-up

Page 30: sap GRC Basics

Key Benefits

Integrated, innovative solutions
• Fast time to value with minimal business disruption
• Increase productivity and reduce administrative costs while securely granting access to systems
• Extendable, innovative solutions with an open and flexible ecosystem

Increased visibility of identities and access risk across the enterprise
• Real-time insight for informed decision making
• Minimize audit time and audit-related costs
• Comprehensive and standardized reporting for all levels of the organization

Compliant identity management at reduced cost
• Lower cost and optimized efficiency of user and role lifecycles
• Prevent segregation of duties violations and critical access
• Confidently manage and track emergency access for SAP applications

Page 31: sap GRC Basics

Key Take-Aways

• SAP provides Compliant Identity Management from one vendor, combining Access Control and Identity Management

• Products are in General Availability and all features are available out of the box

• Compliant Identity Management is not focused on SAP products only but supports a heterogeneous landscape

• Integration has already been proven in earlier releases

Page 32: sap GRC Basics

More on GRC 10.0 Integration Scenarios

Another session on GRC 10.0 integration can be found in the following TechEd session:

SCI204, Integration of SAP Applications with SAP BusinessObjects GRC 10.0

Page 33: sap GRC Basics


Further Information

SAP Public Web:

SAP Developer Network (SDN): www.sdn.sap.com

Business Process Expert (BPX) Community: www.bpx.sap.com

SAP BusinessObjects Community (BOC): www.boc.sap.com

Related SAP Education and Certification Opportunities

http://www.sap.com/education/

Related Workshops/Lectures at SAP TechEd 2011

SCI204, Integration of SAP Applications with SAP BusinessObjects GRC 10.0

Page 34: sap GRC Basics

Questions?

Page 35: sap GRC Basics

Feedback Session SCI203

Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.

Page 36: sap GRC Basics

Thank You!

Contact information:

Frank Bannert

Customer Solution Adoption

[email protected]

Page 37: sap GRC Basics

© 2011 SAP AG. All rights reserved. 37

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.