7/17/2019 SAPexperts _ Make Identity Management Sarbanes-Oxley-Compliant by Leveraging Int
http://slidepdf.com/reader/full/sapexperts-make-identity-management-sarbanes-oxley-compliant-by-leveraging 1/17
Make Identity Management Sarbanes-Oxley-Compliant by Leveraging Integrated SAP Solutions
by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
July 1, 2009
SAPexperts/GRC
Efficient processes for identity management (IDM) are a challenge to many companies — in particular when access- and authorization-related risks must be managed and taken under consideration prior to provisioning access privileges. SAP BusinessObjects Access Control 5.3 comes with a Web service-based interface intended to provide risk analysis and mitigation features to IDM solutions. See how to integrate one such solution, SAP NetWeaver Identity Management 7.1, with SAP BusinessObjects Access Control 5.3 to obtain a highly cost-efficient solution for compliant IDM.
Key Concept
SAP BusinessObjects Access Control 5.3 comes with a
product capability for approval workflows and access
provisioning called Compliant User Provisioning (CUP) and
a Web service-based interface. This interface allows for
the creation of access requests in CUP triggered by external
systems. IDM solutions can use this interface to forward
entitlements for ERP systems to CUP, where compliance
managers can perform detailed risk analysis and mitigation
before the entitlements are provisioned in the target
systems.
Enterprises have to be highly flexible to adapt to change and take advantage of new business opportunities. This creates pressure to rapidly deploy new applications and systems, and expose them internally and externally to employees, partners, and customers. In such an environment, information on identities — employees, partners, and customers — relevant for business processes and applications is spread across heterogeneous and incompatible sources coming with different data formats and access protocols. This lack of a central source for identity information leads to inconsistent and out-of-date information, which in turn weakens overall information security and reduces efficiency of key processes, such as on-boarding of employees or provisioning of required access permissions to customers and business partners.

The prime objective of identity management (IDM) is to overcome these deficiencies, centrally manage all identity data, and ensure high data quality. Another important requirement enterprises must meet is to comply with regulations such as the Sarbanes-Oxley Act, which deals with identification and prevention of access- and authorization-related risks. These legal requirements directly affect provisioning of access privileges to business applications. You need to implement appropriate mechanisms to prevent access to business transactions that in combination represent a violation of segregation of duties (SoD) risks. These mechanisms require complex and detailed rules for risk identification in complex business applications from multiple vendors such that they remain beyond the scope of IDM solutions. Consequently, there is currently no single product for compliant IDM available in the market delivering efficient provisioning of identity data and access privileges as well as Sarbanes-Oxley compliance across a heterogeneous system landscape.
However, you can combine SAP BusinessObjects Access Control 5.3 with IDM solutions to provide an efficient solution for Sarbanes-Oxley-compliant IDM across a heterogeneous system landscape. After an overview of the product capability Compliant User Provisioning (CUP) and its Web service-based interface to IDM solutions, I’ll continue with an introduction to SAP NetWeaver Identity Management 7.1, which represents a powerful combination of the meta-directory and virtual directory concepts. Using the example of SAP NetWeaver Identity Management, I’ll describe a scenario in which you can combine these SAP products to create a highly automated and SAP ERP Human Capital Management (HCM)-integrated solution for Sarbanes-Oxley-compliant IDM.

Let’s start with a couple of technical concepts upon which most IDM solutions are based.
IDM Solution Technical Possibilities
Several vendors have developed IDM solutions that have reached a solid level of maturity. Two different technical concepts for IDM solutions are predominant in the market:

Meta-directory: Solutions based on the meta-directory approach synchronize identity data from existing data sources into a central repository, which is in many cases a directory server accessible through the LDAP protocol. Meta-directory solutions often support complex operations to provision users and access privileges over a heterogeneous system landscape. Disadvantages of the meta-directory approach are additional costs for implementation and ownership of a central repository and the dependence of data actuality on the synchronization frequency.

Virtual directory: Virtual directory-based solutions provide real-time access to the existing data sources without moving the data out of the original repository and don’t require data synchronization. They provide a single access point using a standard protocol such as LDAP to heterogeneous data sources and present the information in a virtual directory tree. They are capable of providing different views to internal and external clients based on their requirements, access permissions, and data privacy policies. Virtual directory solutions depend on the data sources to which they connect.
Whether a meta-directory- or virtual directory-based solution is the best choice depends on the requirements for service quality, performance, network topology, and policies for security and data privacy. Combined solutions are also available in the market and offer additional flexibility.
SAP BusinessObjects Access Control 5.3

SAP BusinessObjects Access Control 5.3 is a solution for identification, management, and mitigation of access- and authorization-related risks in a system landscape that includes SAP and non-SAP solutions to ensure Sarbanes-Oxley compliance. SAP BusinessObjects Access Control 5.3 consists of four application capabilities: Risk Analysis and Remediation (RAR), Enterprise Role Management (ERM), Superuser Privilege Management (SPM), and CUP.
Note
Each component of SAP BusinessObjects Access Control
comes with a variety of features that can’t be covered in this
article. I covered each in articles that can be found in the
GRC Expert knowledgebase. Search Frank Rambo in the
search box on the main page to bring them all up.
Relevant for the compliant identity management use case are the RAR and CUP components in combination with the following Web services that come standard with SAP BusinessObjects Access Control:
SAPGRC_AC_IDM_SUBMITREQUEST
SAPGRC_AC_IDM_SELECTAPPLICATION
SAPGRC_AC_IDM_RISKANALYSIS
SAPGRC_AC_IDM_SEARCHROLES
SAPGRC_AC_IDM_ROLEDETAILS
SAPGRC_AC_IDM_AUDITTRAIL
SAPGRC_AC_IDM_REQUESTSTATUS
Any IDM product can consume these Web services to submit requests into CUP, select applications connected to CUP, search and retrieve detail information of roles available in CUP, and request results of risk analysis, status, and audit trail information of access requests submitted in CUP. SAP BusinessObjects Access Control 5.3 can also call Web services offered by IDM solutions for request submission as long as they are Service Provisioning Markup Language (SPML) 1.0 compliant.

This Web service-based interface supports two different scenarios:
IDM driven: Initial request creation in the IDM solution and subsequent request submission in CUP for risk analysis, approval, and auto-provisioning for ERP access to SAP and non-SAP systems

CUP driven: Initial request creation in CUP and subsequent request submission in the IDM solution for non-ERP access such as a mail account or the corporate network
Both scenarios involve submission of requests in CUP at a certain point. Scenarios with a direct interface between the IDM solution and RAR for risk analysis are currently not supported by SAP BusinessObjects. In both scenarios, access requests consist of a combination of entitlements in ERP (both SAP and non-SAP) systems and entitlements in non-ERP systems (e.g., Microsoft Active Directory, Microsoft Exchange, and Sun ONE directory). The ERP entitlements contained in the access request require a detailed risk analysis in CUP before they can be provisioned.

Let’s drill a bit deeper into the IDM-driven scenario, where the IDM solution calls SAP BusinessObjects Access Control 5.3 for request submission (Figure 1). Here the request is initiated in the IDM solution by an identity source, which can be as simple as a request form filled in by a requester in a self-service scenario or more complex involving other systems such as SAP ERP HCM. Depending on the configuration in the IDM solution, the request is approved in IDM and the non-ERP entitlements are auto-provisioned, whereas the ERP entitlements are submitted as new requests into CUP, where approvers conduct a thorough risk analysis before they approve the request and CUP performs the auto-provisioning. To support this scenario, the IDM solution has to be able to call SAP BusinessObjects Access Control 5.3’s Web service interface accordingly. If the IDM solution takes advantage of all available Web services, then more advanced features, such as request status tracking and holistic audit trails in IDM (including audit information from CUP), are possible.
Figure 1: IDM-driven scenario
Note
The following vendors provide integration with SAP
BusinessObjects Access Control 5.3 either within their
standard identity management solution or as project
solution: SAP NetWeaver Identity Management, Sun Java
System Identity Management, IBM Tivoli Identity Manager,
and Novell Identity Manager.
In the alternative CUP-driven scenario it is CUP calling the IDM solution for request submission (Figure 2). In this example, the request is initiated in CUP. The non-ERP entitlements exist in CUP as roles belonging to the IDM system connector that has to be configured in CUP. The ERP roles undergo a risk analysis during their approval. Request approval in CUP triggers auto-provisioning of the ERP entitlements via the CUP system connectors. Non-ERP entitlements are submitted as requests into the IDM solution via the IDM system connector, where they may need another approval before the IDM solution triggers their provisioning. A technical requirement for this scenario to work is an SPML 1.0-compatible Web service on the IDM side that CUP can call for request submission. At first glance, the IDM-driven scenario seems to be the more logical approach, but experience shows that the approach to IDM can be very different in different companies. For organizational reasons, customers may opt for a GRC-driven implementation approach.
Figure 2: CUP-driven scenario

Figure 3: SAP BusinessObjects Access Control versus IDM solutions
Note
For detailed specifications of the Web service interface
coming with SAP BusinessObjects Access Control, refer to
chapter 7 in the standard configuration guide available in
the SAP Service Marketplace at
http://service.sap.com/instguides. For more details on how to
set up the GRC-driven scenario with SAP NetWeaver Identity Management, check out the following how-to guide
available in SDN:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b0da2dba-
0480-2b10-a7ae-f055ab6e9355.
It is important to understand that SAP BusinessObjects Access Control has a focus on delivering Sarbanes-Oxley compliance and cannot replace an IDM solution (Figure 3). It can only provision to SAP and non-SAP systems, but not to directory servers, operating or email systems, or other system components of a heterogeneous IT environment.

On the other hand, IDM solutions cannot deliver compliance on a very granular level that includes detailed analysis of each target system’s authorization concept. Most IDM solutions keep references to entitlements in their target systems (e.g., role names and group names), but do not dig deeper into their content in terms of detailed authorization field values and other parameters.

Figure 4: SAP NetWeaver Identity Management in combination with SAP BusinessObjects Access Control
SAP NetWeaver Identity Management 7.1

SAP NetWeaver Identity Management 7.1 is a full-fledged IDM solution that, unlike former SAP Central User Administration (CUA), does not focus on SAP-only environments (Figure 4). It comes with a large variety of connectors to SAP and non-SAP target systems such as SAP ABAP as well as Java stack-based business applications, diverse operating systems, databases, email systems, and Web and legacy applications (Figure 5). It is also possible for customers to develop additional connectors that do not come with the product. A key component of SAP NetWeaver Identity Management is a central identity store that contains all identity data pulled together from and kept in synch with its source systems. Changes of employee data in an SAP ERP HCM system, or manually via self-service and automated workflows, can automatically trigger provisioning of users and access privileges. SAP NetWeaver Identity Management 7.1 also allows for rule-based provisioning (e.g., the presence of configurable attributes at a given identity object) to trigger provisioning of access privileges in one or multiple target systems. Another useful product capability is a password management component permitting end users in a self-service scenario to reset their passwords. The solution also comes with user-friendly Web Dynpro-based UIs for access requests, monitoring, and accessing detailed audit trails.

Figure 5: Examples of connectors for diverse target systems coming with SAP NetWeaver Identity Management 7.1
As depicted in Figure 6, SAP NetWeaver Identity Management 7.1 consists of two main components: Identity Center (IC) and Virtual Directory Server (VDS). IC is a meta-directory-based component, whereas VDS is a virtual directory solution. There are use cases in which only one of these two components needs to be installed — they run independently from each other. Each component can connect to a large variety of source systems via connectors depending on the specific use case.
Figure 6: Architecture of SAP NetWeaver Identity Management 7.1
The VDS can expose IDM functionality to external clients or applications through identity services. Identity services, accessible via the LDAP or SPML protocol, provide a standards-based single access point for querying and managing identity information across the system landscape. IC contains the identity store, which is either an MS SQL server or an Oracle database, and controls the provisioning operations. VDS can connect to the identity store via the JDBC interface to retrieve or update identity data as requested by external clients or business applications through identity services. The opposite connectivity is also possible: VDS can take the role of a target system for provisioning controlled by IC and allow at the same time real-time access to the data in the source systems that are connected to the VDS.

Identity Center

IC is the primary component used for IDM. It includes functions for identity provisioning, workflow, password management, logging, and reporting (Figure 7). IC retrieves the data from various repositories, consolidates it, transforms it into the necessary formats, and publishes it back to the various decentralized repositories when synchronization is necessary. IC uses a database called the identity store to store all data related to identity objects, configuration, and audit trails.
Figure 7: IC architecture
The workflow UI is based on Web Dynpro Java and is used by requesters and approvers for request submission and approval. The monitoring UI is based on the same UI technology and provides administrators access to monitoring, audit trails, and status information of ongoing provisioning processes in IC. Both the workflow UI and the monitoring UI are deployed either on SAP NetWeaver 7.0 Application Server Java or on SAP NetWeaver Composition Environment 7.1 enhancement package 1.

The management console is a snap-in for the Microsoft Management Console and is used to connect target systems, define workflow processes, and configure processing logic of IC. By its nature, it requires a Microsoft Windows operating system.

The dispatcher runs in a runtime engine that executes provisioning and synchronization tasks. You can use multiple pairs of dispatcher/runtime engines to run specific types of jobs and allow for scalability of the solution.

You can configure an event agent to take action based on changes performed directly in one of the target systems. The event agent detects changes and submits information to the IC. The dispatcher then executes a given job to react to the detected change. This mechanism is optional and its only purpose is to initiate synchronization based on changes in repositories in addition to the scheduled operations.
The concept of business roles represents another important feature of IC. Business roles can contain one or multiple technical roles and also other business roles (Figure 8). Technical roles are references to roles or privileges in the source systems. They are uploaded from their source systems and represented in IC as privileges. In their source systems, the roles contain bundles of authorizations or access permissions, but this role content is not available in IC. Business roles are usually defined in the context of a business process and contain all privileges required to execute certain business tasks of an employee in multiple systems. They facilitate requesting and approving access by less-experienced end users.
Figure 8: Business roles are defined in IC to bundle technical roles from multiple systems
Virtual Directory Server

VDS provides a single access point supporting standard protocols such as LDAP or SPML for clients retrieving or updating data in multiple data repositories coming with different data formats or access protocols. It can represent the data in a virtual directory tree and supports different views of the information based on the requirements and access permissions of the requesting user or application. In a very simple case, VDS can represent data from a relational database in a virtual directory tree and provide access to it via the LDAP protocol.
A single access point via a standard protocol facilitates accessibility of the data for applications and end users considerably. It reduces configuration and administration efforts and requires less specialized skills, resulting in a lower total cost of ownership. Because data is kept in its source repositories rather than copied to other locations, data privacy is protected and real-time access to the data is ensured. The data owner continues keeping control over the data.
VDS can perform schema adaptations such as attribute mappings and attribute manipulations such that the data from multiple sources is presented in a seamless fashion in a virtual directory tree. In a similar way, you can join data across multiple sources and update it in a single operation. Many different use cases exist for VDS.
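As an added illustration of what a virtual directory does (example code written for this article, not part of the original and not VDS itself): a minimal virtual directory in Python that joins an HR table and an account store at query time, maps backend column names to LDAP attribute names, serves a different view to internal and external clients, and fans one logical update out to the source that owns each attribute. The source layouts, attribute mappings, client classes and all sample records are constructed assumptions.

```python
"""Added example, not VDS code: a minimal virtual directory that joins two
backend sources at query time, maps their attribute names to LDAP names,
builds a virtual tree, filters the view per client class, and fans one
update out to the source owning each attribute. Everything here is constructed."""
from typing import Dict, List

# Constructed backend data. HR_TABLE stands for a relational HR table, ACCOUNTS
# for a directory. Nothing is copied: every call reads these sources directly.
HR_TABLE: Dict[str, Dict[str, str]] = {
    "100042": {"PERNR": "100042", "VORNA": "Maria", "NACHN": "Weber",
               "ORGEH": "Procurement", "GBDAT": "1980-03-14"},
    "100043": {"PERNR": "100043", "VORNA": "Jonas", "NACHN": "Berg",
               "ORGEH": "Finance", "GBDAT": "1975-11-02"},
}
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "100042": {"sAMAccountName": "mweber", "mail": "maria.weber@example.test"},
}

# Schema adaptation: backend attribute -> LDAP attribute, per source.
ATTRIBUTE_MAP = {
    "hr": {"PERNR": "employeeNumber", "VORNA": "givenName", "NACHN": "sn",
           "ORGEH": "departmentNumber", "GBDAT": "dateOfBirth"},
    "accounts": {"sAMAccountName": "uid", "mail": "mail"},
}
BASE_DN = "ou=people,o=example"

# Views per client class. Privacy data (dateOfBirth) and the login name stay
# internal; external partners get a contact card only.
VIEWS = {
    "internal": {"employeeNumber", "givenName", "sn", "departmentNumber",
                 "dateOfBirth", "uid", "mail"},
    "external": {"givenName", "sn", "mail"},
}


def _map(source: str, record: Dict[str, str]) -> Dict[str, str]:
    """Rename backend attributes to LDAP names; unmapped ones are never exposed."""
    mapping = ATTRIBUTE_MAP[source]
    return {mapping[k]: v for k, v in record.items() if k in mapping}


def virtual_entry(pernr: str) -> Dict[str, str]:
    """Join HR and account data for one person and compute the virtual DN."""
    hr = HR_TABLE.get(pernr)
    if hr is None:
        raise KeyError(pernr)
    entry = _map("hr", hr)
    entry.update(_map("accounts", ACCOUNTS.get(pernr, {})))  # account may not exist yet
    entry["dn"] = f"employeeNumber={pernr},{BASE_DN}"
    return entry


def search(client_class: str, filter_attr: str, value: str) -> List[Dict[str, str]]:
    """Single access point: equality search across sources, returning the client's view.
    The filter attribute is checked against the view too; otherwise a client could
    probe hidden attributes (e.g. dateOfBirth) by guessing values."""
    allowed = VIEWS[client_class]
    if filter_attr not in allowed:
        raise PermissionError(f"{client_class} may not filter on {filter_attr}")
    hits = []
    for pernr in HR_TABLE:
        entry = virtual_entry(pernr)
        if entry.get(filter_attr) == value:
            hits.append({k: v for k, v in entry.items() if k == "dn" or k in allowed})
    return hits


def modify(pernr: str, changes: Dict[str, str]) -> Dict[str, List[str]]:
    """One logical update, written to whichever source owns each attribute."""
    reverse = {src: {ldap: back for back, ldap in m.items()}
               for src, m in ATTRIBUTE_MAP.items()}
    touched: Dict[str, List[str]] = {"hr": [], "accounts": []}
    for ldap_attr, new_value in changes.items():
        if ldap_attr in reverse["hr"]:
            HR_TABLE[pernr][reverse["hr"][ldap_attr]] = new_value
            touched["hr"].append(ldap_attr)
        elif ldap_attr in reverse["accounts"]:
            ACCOUNTS.setdefault(pernr, {})[reverse["accounts"][ldap_attr]] = new_value
            touched["accounts"].append(ldap_attr)
        else:
            raise ValueError(f"unmapped attribute {ldap_attr}")
    return touched
```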
Now I’ll show you a combined use case for VDS and IC, which is applicable to system landscapes containing an SAP ERP HCM system.
Use Case: Identity Life Cycle with SAP ERP HCM Integration

A particular strength of SAP NetWeaver Identity Management is the capability for tight integration with SAP Business Suite applications. I’ll explain a scenario in which events in the employee life cycle taking place in an SAP ERP HCM system can trigger provisioning and de-provisioning actions in SAP NetWeaver Identity Management. This increases automation in IDM for employees and saves costs.

Another example for the integration with SAP Business Suite applications is the capability for business partner creation and provisioning of assignments between users and business partners in SAP Customer Relationship Management (CRM), which is required to fully enable new users in the SAP CRM application context.
Note
For more use cases, integration scenarios with SAP
Business Suite, technical information, and configuration
guides for SAP NetWeaver Identity Management, refer to
http://www.sdn.sap.com/irj/sdn/nw-identitymanagement.
In the scenario shown in Figure 9, employee data is maintained in SAP ERP HCM. SAP ERP HCM uses the built-in LDAP connector technology to replicate employee data as needed to the VDS using its identity services interface. IC, or more precisely its identity store database, is connected with the VDS as a data repository through the JDBC connector. The VDS writes the employee data received through the identity services interface into the identity store. This replication mechanism also supports a configurable delta replication: Only changes of relevant attributes of employees are delivered through the VDS to the identity store. Also, time-dependent values are supported and you can schedule provisioning actions to take place at a future date when a particular change becomes effective (e.g., an internal transfer or promotion).

Figure 9: Identity life cycle with SAP ERP HCM integration
IC can now initiate rule-based provisioning of business roles. For example, new entries tagged as employees can be provisioned automatically with the business role Employee. In the example in Figure 9, this includes the creation of an entry in the LDAP directory serving as a user source for SAP applications running on an SAP NetWeaver Application Server Java such as the SAP NetWeaver Portal. The business role Employee may contain further privileges in multiple SAP and non-SAP target systems. These could be group memberships in the LDAP directory granting access to a portal role tailored for employees, user IDs and authorization roles in SAP ABAP stack-based systems such as SAP ERP HCM or SAP ERP for self-services, access to the corporate network, and an email account.
Communication data created during the provisioning process (e.g., user ID, email account, or data entered later through Web-based employee self-services) will be added as an attribute to the identity entry in the identity store. You can even write it back to the employee master record in SAP ERP HCM, if permitted by HR data owners.
A Solution for Compliant IDM
The integration of SAP BusinessObjects Access Control 5.3 and SAP NetWeaver Identity Management 7.1 provides a highly integrated solution for HR-driven compliant IDM. It has recently been made available in SAP IDES demo systems and can be booked by SAP sales contacts and presented live to customers. Figure 10 shows the flow of this scenario in eight steps, which runs in a highly automated fashion with minimal human interaction:
1. Employee actions executed by the HR department
trigger provisioning in SAP NetWeaver Identity
Management. The example shows the on-boarding of a
new employee, but you can support other employee
actions (e.g., position change or contract termination) in
a similar fashion.
2. The LDAP connector is scheduled to run once per day
and replicates changes to the employee master data to
VDS.
3. VDS connects to the identity store and creates a new
identity object for the new employee.
4. Attribute data identifies the new entry as an employee working in the procurement department. This triggers rule-based provisioning in SAP NetWeaver Identity Management of the two business roles Employee and Procurement – Default. The business roles contain privileges for an email account in Microsoft Exchange and an account in Microsoft Active Directory with group memberships for the security groups Employee and Procurement – Default, which lead to an allocation of the corresponding roles in the SAP NetWeaver Portal. They also contain privileges for a user ID in the SAP ERP HCM and SAP ERP systems with authorization roles for employee self-services and order management, respectively. Because these systems are both ERP-like systems, SAP NetWeaver Identity Management creates through the Web service interface a request in SAP BusinessObjects Access Control to conduct a risk analysis prior to provisioning.
5. After SAP NetWeaver Identity Management creates a
user ID and email address for the new employee in
compliance with the applicable naming conventions, it
automatically connects via RFC back to SAP ERP HCM
and updates the master record of the new employee,
adding to the communication data infotype the user ID
(subtype 0001) and the email address (subtype 0010).
A correctly maintained communication infotype is a
prerequisite for many workflow-driven business
scenarios in SAP business solutions.
6. SAP NetWeaver Identity Management automatically
submits a request to CUP containing the authorization
roles for employee self-services in the SAP system and
for order management in the SAP ERP system,
respectively.
7. A compliance manager receives the CUP request and
performs a risk analysis before she or he approves it.
8. Request approval triggers auto-provisioning in CUP: A new user is created in the SAP ERP HCM and SAP ERP systems and the authorization roles are assigned.

Figure 10: Highly integrated scenario for compliant IDM with SAP BusinessObjects Access Control 5.3 and SAP NetWeaver Identity Management 7.1
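As an added example (written for this article, not the author’s or SAP’s code) of steps 4, 6 and 8 above and of the IDM-driven scenario described earlier: identity attributes select business roles by rule, nested business roles are resolved into technical roles, the non-ERP privileges are provisioned directly, and the ERP privileges are held in a CUP request until the compliance manager’s decision. The business role contents, rule conditions, system ids, role names and the request object with its status values are constructed stand-ins, not the real Web service interface.

```python
"""Added example, not SAP code: rule-based business-role provisioning in the
IDM-driven scenario, where ERP entitlements go into a CUP access request for
risk analysis and are provisioned only after approval. All names constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class TechnicalRole:
    # Reference to a role or privilege in a target system; IC holds only the
    # reference, not the authorizations behind it. System ids are constructed.
    system: str   # e.g. "AD", "EXCHANGE", "ERP_HCM", "ERP"
    name: str
    erp: bool     # True: ERP entitlement, needs a CUP request before provisioning


# Business roles bundle technical roles and may include other business roles.
BUSINESS_ROLES: Dict[str, dict] = {
    "Employee": {
        "technical": [
            TechnicalRole("AD", "user account", False),
            TechnicalRole("AD", "group Employee", False),
            TechnicalRole("EXCHANGE", "mailbox", False),
            TechnicalRole("ERP_HCM", "Z_ESS_EMPLOYEE", True),   # constructed role name
        ],
        "includes": [],
    },
    "Procurement - Default": {
        "technical": [
            TechnicalRole("AD", "group Procurement - Default", False),
            TechnicalRole("ERP", "Z_ORDER_MGMT", True),          # constructed role name
        ],
        "includes": ["Employee"],   # nested business role
    },
}

# Rule-based provisioning: every condition must hold on the identity object.
RULES = [
    ({"type": "employee"}, "Employee"),
    ({"type": "employee", "department": "procurement"}, "Procurement - Default"),
]


def matching_business_roles(identity: Dict[str, str]) -> List[str]:
    """Each rule whose conditions all hold contributes its business role."""
    return [role for cond, role in RULES
            if all(identity.get(k) == v for k, v in cond.items())]


def resolve(business_roles: List[str]) -> Set[TechnicalRole]:
    """Flatten business roles, following nested ones without revisiting any."""
    seen, out, stack = set(), set(), list(business_roles)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        out.update(BUSINESS_ROLES[name]["technical"])
        stack.extend(BUSINESS_ROLES[name]["includes"])
    return out


@dataclass
class CupRequest:
    """Stand-in for the access request the IDM solution submits to CUP."""
    requester: str
    roles: List[TechnicalRole]
    status: str = "OPEN"   # assumed values: OPEN, APPROVED, REJECTED


@dataclass
class ProvisioningResult:
    provisioned: Set[TechnicalRole] = field(default_factory=set)  # done by IDM
    cup_request: Optional[CupRequest] = None                      # ERP roles on hold


def provision(identity: Dict[str, str]) -> ProvisioningResult:
    """Non-ERP privileges are provisioned directly; ERP privileges only via CUP."""
    roles = resolve(matching_business_roles(identity))
    result = ProvisioningResult(provisioned={r for r in roles if not r.erp})
    erp = sorted((r for r in roles if r.erp), key=lambda r: (r.system, r.name))
    if erp:
        result.cup_request = CupRequest(identity["id"], erp)
    return result


def apply_cup_decision(result: ProvisioningResult, status: str) -> ProvisioningResult:
    """Only an approved CUP request releases the held ERP roles for provisioning."""
    req = result.cup_request
    if req is None or req.status != "OPEN":
        raise ValueError("no open CUP request")
    req.status = status
    if status == "APPROVED":
        result.provisioned.update(req.roles)
    return result
```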
If the SAP NetWeaver Portal is configured for single sign-on (SSO) with Windows Kerberos, then the new employee, Peter Saddler, finds a user-friendly system environment waiting for him on his first day:

His manager provides him with the initial password to log on to the Active Directory and the corporate network

He has an email account in Microsoft Exchange

He has an icon on his desktop for the corporate portal that does not require further authentication

He finds in his portal landing page all he needs: Company information and employee self-services under the Company tab, his workflow inbox, an Identity Management tab to request additional access, an Order Management tab for the required transaction in the procurement department (Figure 11), and collaboration features
Figure 11: Portal page of the new employee as provisioned by automated compliant IDM with SAP NetWeaver Identity Management 7.1 and SAP BusinessObjects Access Control 5.3
If Peter requires additional business roles, he can submit a request with additional business roles to SAP NetWeaver Identity Management. Access privileges for ERP systems contained in the selected business roles again lead to creation of a corresponding request for risk analysis and approval in CUP.