sap grc basics
TRANSCRIPT
Frank Bannert / Customer Solution Adoption
September 2011
SCI203
Compliant Identity Management with GRC AC 10.0 and NetWeaver ID Management 7.2
© 2011 SAP AG. All rights reserved. 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
Best Practice of Compliant Identity Management
Architecture Overview
Prerequisites
Available Access Control 10.0 Web Services
New Features
Wrap-up
Best Practice of Compliant Identity Management
Access Control 10.0 and SAP NetWeaver Identity Management 7.2 combined
Compliant Identity Management From SAP
• Integrated, innovative solutions
• Increased visibility of identities and access risk across the enterprise
• Compliant identity management at reduced cost
Business Value
Integrated, innovative solutions
• Unparalleled, seamless integration to on-demand and on-premise SAP solutions
• Secure connectivity, authentication and single sign-on
• Innovative enhancements for best-in-class solutions
Increased visibility of identities and access risk across the enterprise
• Real-time visibility of request status, user privileges and access risk
• Comprehensive audit trail of system and process activities
• Integrated analytics, dashboards and reporting
Compliant identity management at reduced cost
• Self-service request process for SAP and heterogeneous data environments
• Automated workflow and approval process with embedded risk analysis
• Closed loop process for approving and reviewing emergency access for SAP applications
What Is the Role of SAP BusinessObjects Access Control vs. SAP NetWeaver Identity Management?
SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources.
• Integration and synchronization of system authorization data: manage user privileges centrally.
• Single Sign On: automates and simplifies integration with Enterprise SSO and Web SSO.
• Federated Identity: simplifies integration with standards-supported Identity Federation.
SAP BusinessObjects Access Control
• Access Risk Identification: define and understand access risks.
• Access Analysis and Response: analyze and mitigate access risks.
• Access Reviews: periodic reviews of assignments, risk violations, and controls.
• Centralized, Compliant Role Repository: define and manage compliant roles.
Together: compliant identity management for the entire system landscape.
Compliant Identity Management – Example Customer Scenario
• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration
[Process diagram: a new hire or change of position in the HR application triggers Identity Management to calculate entitlements based on position; the line manager approves the assignments (yes/no); SAP BusinessObjects Access Control performs the compliance check and remediation; then the user is created and privileges assigned, and the user is created and roles assigned in each system of the heterogeneous landscape.]
Compliant Identity Management – Request Flow
[Sequence diagram built up over several slides; participants: User, SAP NetWeaver Identity Management, SAP BusinessObjects Access Control, Approver, Compliance Team.]
1. The user requests, in SAP NetWeaver Identity Management: role, privileges, user account, …
2. The request is sent for approval to: manager, delegate, role owner, application owner, …
3. Approval is granted from: manager, delegate, role owner, application owner, …
4. The request is sent to SAP BusinessObjects Access Control for risk analysis (manager, delegate, role owner, application owner, … are shown as recipients).
5. Risk analysis and remediation by the Compliance Team: reject, approve, mitigate, modify request, …
6. Provisioning to business applications, non-SAP systems, …, and an approval mail is sent to the user.
Result: Compliant Identity Management
Architecture Overview
Compliant Identity Management, e.g. on-boarding
SAP NetWeaver Identity Management
• Central Identity Store
• Password management
• Provisioning to SAP and non-SAP systems
• Identity mgmt. monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as service
• Approval workflows
• SAP Business Suite integration
SAP BusinessObjects Access Control (GRC)
• Compliance checks through GRC
SAP NetWeaver Identity Management 7.2 – Architecture
[Architecture diagram. SAP NetWeaver ID Management 7.2 consists of the Identity Center (Workflow and Monitoring UI on AS Java, Management Console, Dispatcher, Runtime Engine, Event Agent Service, Identity Center Database) and the Virtual Directory Server. The Identity Center reads/writes and detects changes in connected systems such as Active Directory, SAP ERP System, SAP Portal and others, and calls the SAP GRC Web services.]
SAP BusinessObjects GRC 10.0 – Architecture
[Architecture diagram. Core: SAP NetWeaver AS ABAP 7.02 running SAP BusinessObjects 10.0 with AC, PC & RM (Software Component: GRCFND_A), GTS (Software Component: SLL-LEG), Nota Fiscal Electronica (Software Component: SLL-NFE) and Content Lifecycle Management (CLM). Optional components: SAP NW Portal 7.02 with GRC Portal Content; SAP NW BW 7.02 with BI Content 7.06 and GRC BI Content; SAP NetWeaver Enterprise Search 7.0 with GRC Search; SAP NW Java 7.02 with Adobe Document Services; SAP NetWeaver PI with Nota Fiscal Content (required for Nota Fiscal E.); Identity Management Solutions (SAP or non-SAP) connected via Web services. Backend: SAP ERP (4.6C – 7.1) with NW Function Modules (Plug-in: GRCPINW), HR Function Modules and PC Automated Ctrls (Plug-in: GRCPIERP), GTS Plug-in (Plug-in: SLL-PI); Non-SAP Business Applications via Adapter. Front-End Client: SAP GUI 7.10 (DIAG), Web Browser with Adobe Flash Player (http), SAP CR Adapter. The remaining connections on the slide are RFC or http.]
SAP BusinessObjects Access Control 10.0 – Architecture
[Architecture diagram, the Access Control subset of the previous one. Core: SAP NetWeaver AS ABAP 7.02 running SAP BusinessObjects 10.0 with AC, PC & RM (Software Component: GRCFND_A) and Content Lifecycle Management (CLM). Optional: SAP NW Portal 7.02 with GRC Portal Content; SAP NW BW 7.02 with BI Content 7.06 and GRC BI Content; SAP NW Java 7.02 with Adobe Document Services; Identity Management Solutions (SAP or non-SAP) via Web services. Backend: SAP ERP (4.6C – 7.1) with NW Function Modules (Plug-in: GRCPINW), HR Function Modules and PC Automated Ctrls (Plug-in: GRCPIERP); Non-SAP Business Applications via Adapter. Front-End Client: SAP GUI 7.10 (DIAG), Web Browser with Adobe Flash Player (http), SAP CR Adapter. The remaining connections on the slide are RFC or http.]
Prerequisites
Technical Prerequisites
SAP BusinessObjects Access Control 10.0
• SAP NetWeaver AS ABAP 7.02 SP6 or higher (but not 7.3)
• All NetWeaver Platforms supported
SAP NetWeaver Identity Management 7.2
• SAP NetWeaver AS Java 7.0 SP14 or higher (but not 7.3) for Workflow and Monitoring UI
• All NetWeaver Platforms supported
• Management Console only supports Windows
• Database support: MS SQL or Oracle
Configuration Prerequisites
SAP BusinessObjects Access Control 10.0
• Configure all IdM systems in GRC as resources
• Configure Field Mapping and Parameter Mapping in GRC
• Synchronize non-SAP roles maintained in IdM with GRC if needed
SAP NetWeaver Identity Management 7.2
• Identity Center and Virtual Directory Server are configured
• Deploy and configure the GRC Provisioning Framework
• Configure IdM Web Service calls to GRC
Access Control 10.0 Web Services
Access Control Web Services
1. Lookup service (GRAC_LOOKUP_WS): Enables lookup of the possible values for a use case, for example the possible values for Request Status.
2. Search roles (GRAC_SEARCH_ROLES_WS): Enables searching for roles before submitting a request to GRC.
3. Role Details (GRAC_ROLE_DETAILS_WS): Detailed role description and associated attributes of the selected role.
4. Select Applications (GRAC_SELECT_APPL_WS): Returns a list of resources configured within GRC.
5. Firefighter (GRAC_FIRE_FIGHTER_WS): Returns the list of firefighter IDs along with firefighter owner details.
6. User's Existing Assignments (GRAC_USER_EXISTING_ASSGN_WS): Returns the existing user assignments.
7. User Access Request (GRAC_USER_ACCES_WS): This web service is called by IdM for user access requests.
8. Risk analysis, with request number (GRAC_RISK_ANALYSIS_WITH_NO_WS): Performs segregation-of-duties analysis on a request submitted to GRC or on the assignments of an existing user.
9. Organization Assignment Request (GRAC_ORG_ASSGN_REQUEST_WS): Enables IdM to assign roles to OM objects such as Job, Position and Organizational Unit.
Access Control Web Services (cont.)
10. Exit – User Access Request, outbound (GRC internal): Called by GRC to inform IdM about the result when a request is closed.
11. Provisioning Log (GRAC_PROV_LOGS_WS): Returns all provisioning information for a user; it helps determine whether the user was created, changed or deleted, and whether a role was added or removed.
12. Request status (GRAC_REQUEST_STATUS_WS): Status of a request.
13. Audit Logs (GRAC_AUDIT_LOGS_WS): Returns the workflow information about paths, stages and stage approvers, and also returns the provisioning information.
14. Request Details (GRAC_REQUEST_DETAILS_WS): Returns the request details along with the risk analysis.
15. Risk Analysis, without request number (GRAC_RISK_ANALYSIS_WOUT_NO_WS): Performs SoD analysis at user level and role level.
16. Exit – Provisioning by IdM (GRAC_EXIT_FROM_IDM_WS): Called by IdM to inform GRC about the provisioning result.
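The user-level SoD check that the two risk-analysis services expose is easiest to understand on data: the requested roles are evaluated together with the user's existing assignments, because the conflict usually comes from the combination. The following is an added example, not SAP code; the role-to-function mapping, the SoD ruleset and the user assignments are constructed sample data standing in for what GRC would return over the web services.

```python
"""User-level SoD risk analysis modelled on the check behind the AC
risk-analysis web services: requested roles are evaluated together with
the user's existing assignments, not in isolation.

Added example, not SAP code. All data below is constructed."""

# Constructed: business functions each technical role grants.
ROLE_FUNCTIONS = {
    "Z_AP_VENDOR_MAINT": {"VENDOR_MASTER"},
    "Z_AP_INVOICE_POST": {"INVOICE_POST"},
    "Z_AP_PAYMENT_RUN": {"PAYMENT_RUN"},
    "Z_FI_DISPLAY": set(),  # display-only role: grants no sensitive function
}

# Constructed SoD ruleset: (risk id, description, conflicting function pair).
SOD_RULES = [
    ("P001", "Maintain vendor master and post invoices", {"VENDOR_MASTER", "INVOICE_POST"}),
    ("P002", "Post invoices and execute payment run", {"INVOICE_POST", "PAYMENT_RUN"}),
]


def functions_of(roles):
    """Union of the business functions granted by a collection of roles."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def risk_analysis(existing_roles, requested_roles):
    """Return the SoD risks the user would violate after the request.
    Each hit names the rule, the roles feeding either side of the conflict,
    and whether the violation is new or already present before the request."""
    combined = set(existing_roles) | set(requested_roles)
    hits = []
    for risk_id, text, pair in SOD_RULES:
        if not pair <= functions_of(combined):
            continue  # at least one side of the conflict is not granted
        contributing = sorted(r for r in combined if ROLE_FUNCTIONS.get(r, set()) & pair)
        hits.append({"risk": risk_id, "description": text, "roles": contributing,
                     "new_violation": not pair <= functions_of(existing_roles)})
    return hits


def decide(hits, mitigations):
    """Step-5 outcome: approve with no risk, mitigate when every risk has an
    assigned mitigating control, otherwise hold for rejection or modification."""
    if not hits:
        return "approve"
    if all(h["risk"] in mitigations for h in hits):
        return "mitigate"
    return "reject_or_modify"
```

A violation that already existed before the request (new_violation false) belongs to the access-review process rather than to the decision on the requested role.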
New Features
SAP BusinessObjects Access Control 10.0
• Risk Analysis (without request number)
Performs SoD analysis at user level and role level without needing a request number in AC
• Exit – User Access Request
This service is called by GRC to inform IdM about the provisioning result
SAP NetWeaver Identity Management 7.2
• The Request-Complete Task
A request may consist of multiple assignments
All assignments are tagged with the same request ID
The global task is executed when all assignments are completed
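The Request-Complete Task semantics above (several assignments carrying one request ID, each finishing independently, one global task run exactly once after the last of them) can be modelled in a few lines. This is an added example, not SAP NetWeaver IdM code; the callback that stands in for the global task builds a constructed stand-in for the result IdM would report back to GRC through the provisioning exit.

```python
"""Request-Complete task semantics: a request consists of several assignments
that all carry the same request ID, per-assignment provisioning finishes in any
order, and one global task runs exactly once, after the last assignment reports.

Added example, not SAP NetWeaver IdM code. The callback standing in for the
global task and the assignment keys used in tests are constructed."""


class RequestTracker:
    def __init__(self, on_complete):
        self._pending = {}   # request_id -> set of assignment keys still open
        self._results = {}   # request_id -> {assignment key: provisioning status}
        self._on_complete = on_complete
        self.completed = []  # request ids whose global task has already run

    def open_request(self, request_id, assignments):
        """Register the assignments tagged with one request ID."""
        if request_id in self._pending:
            raise ValueError(f"request {request_id} already open")
        if not assignments:
            raise ValueError("a request needs at least one assignment")
        self._pending[request_id] = set(assignments)
        self._results[request_id] = {}

    def assignment_done(self, request_id, assignment, status):
        """Record one assignment's provisioning result. The global task runs
        only when the last open assignment of that request has reported;
        a duplicate or unknown report raises instead of re-running it."""
        open_set = self._pending[request_id]        # KeyError once completed
        if assignment not in open_set:
            raise KeyError(f"{assignment} is not open for request {request_id}")
        open_set.remove(assignment)
        self._results[request_id][assignment] = status
        if open_set:
            return None                             # still waiting for others
        del self._pending[request_id]               # last one: run the global task
        self.completed.append(request_id)
        return self._on_complete(request_id, self._results.pop(request_id))


def build_exit_message(request_id, results):
    """Constructed stand-in for the payload the provisioning exit reports to
    GRC: one overall status plus the per-assignment detail."""
    overall = "SUCCESS" if all(s == "SUCCESS" for s in results.values()) else "PARTIAL"
    return {"request_id": request_id, "status": overall, "assignments": dict(results)}
```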
Wrap-up
Key Benefits
Integrated, innovative solutions
• Fast time to value with minimal business disruption
• Increase productivity and reduce administrative costs while securely granting access to systems
• Extendable, innovative solutions with an open and flexible ecosystem
Increased visibility of identities and access risk across the enterprise
• Real-time insight for informed decision making
• Minimize audit time and audit-related costs
• Comprehensive and standardized reporting for all levels of the organization
Compliant identity management at reduced cost
• Lower cost and optimized efficiency of user and role lifecycles
• Prevent segregation-of-duties conflicts and critical access
• Confidently manage and track emergency access for SAP applications
Key Take-Aways
• SAP provides Compliant Identity Management from one vendor, combining Access Control and Identity Management
• Both products are in General Availability and all features are available out of the box
• Compliant Identity Management is not focused on SAP products only but supports a heterogeneous landscape
• The integration has already been proven in earlier releases
More on GRC 10.0 Integration Scenarios
Another session on GRC 10.0 integration can be found in the following TechEd session:
SCI204, Integration of SAP Applications with SAP BusinessObjects GRC 10.0
Further Information
SAP Public Web:
SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): www.boc.sap.com
Related SAP Education and Certification Opportunities
http://www.sap.com/education/
Related Workshops/Lectures at SAP TechEd 2011
SCI204, Integration of SAP Applications with SAP BusinessObjects GRC 10.0
Questions?
Feedback Session SCI203: please complete your session evaluation.
Be courteous: deposit your trash, and do not take the handouts for the following session.
Thank You!
Contact information:
Frank Bannert
Customer Solution Adoption
No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary
software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer,
z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER,
OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP,
RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered
trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or
registered trademarks of Adobe Systems Incorporated in the United States and/or other
countries.
Oracle and Java are registered trademarks of Oracle and/or its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World
Wide Web Consortium, Massachusetts Institute of Technology.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and other
countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports,
Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and
services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Business Objects Software Ltd. Business Objects is an
SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase
products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational purposes only. National
product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be
reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.