

Page 1: SAPexperts _ Make Identity Management Sarbanes-Oxley-Compliant by Leveraging Int

7/17/2019 SAPexperts _ Make Identity Management Sarbanes-Oxley-Compliant by Leveraging Int

http://slidepdf.com/reader/full/sapexperts-make-identity-management-sarbanes-oxley-compliant-by-leveraging 1/17

Make Identity Management Sarbanes-Oxley-Compliant by Leveraging Integrated SAP Solutions

By Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA

July 1, 2009

SAPexperts/GRC

Efficient processes for identity management (IDM) are a challenge to many companies — in particular when access- and authorization-related risks must be managed and taken under consideration prior to provisioning access privileges. SAP BusinessObjects Access Control 5.3 comes with a Web service-based interface intended to provide risk analysis and mitigation features to IDM solutions. See how to integrate one such solution, SAP NetWeaver Identity Management 7.1, with SAP BusinessObjects Access Control 5.3 to obtain a highly cost-efficient solution for compliant IDM.

Key Concept

SAP BusinessObjects Access Control 5.3 comes with a product capability for approval workflows and access provisioning called Compliant User Provisioning (CUP) and a Web service-based interface. This interface allows for the creation of access requests in CUP triggered by external systems. IDM solutions can use this interface to forward entitlements for ERP systems to CUP, where compliance managers can perform detailed risk analysis and mitigation before the entitlements are provisioned in the target systems.

Enterprises have to be highly flexible to adapt to change and take advantage of new business opportunities. This creates pressure to rapidly deploy new applications and systems, and expose them internally and externally to employees, partners, and customers. In such an environment, information on entities — employees, partners, and customers — relevant for business processes and applications is spread across heterogeneous and incompatible sources coming with different data formats and access protocols. This lack of a central source for identity information leads to inconsistent and out-of-date information, which in turn weakens overall information security and reduces efficiency of key processes, such as on-boarding of employees or provisioning of required access permissions to customers and business partners.

The prime objective of identity management (IDM) is to overcome these deficiencies, centrally manage all identity data, and ensure high data quality. Another important requirement enterprises must meet is to comply with regulations such as the Sarbanes-Oxley Act, which deals with identification and prevention of access- and authorization-related risks. These legal requirements directly affect provisioning of access privileges to business applications. You need to implement appropriate mechanisms to prevent access to business transactions that in combination represent a segregation of duties (SoD) violation. These mechanisms require complex and detailed rules for risk identification in complex business applications from multiple vendors, such that they remain beyond the scope of IDM solutions. Consequently, there is currently no single product for compliant IDM available in the market delivering efficient provisioning of identity data and access privileges as well as Sarbanes-Oxley compliance across a heterogeneous system landscape.

However, you can combine SAP BusinessObjects Access Control 5.3 with IDM solutions to provide an efficient solution for Sarbanes-Oxley-compliant IDM across a heterogeneous system landscape. After an overview of the product capability Compliant User Provisioning (CUP) and its Web service-based interface to IDM solutions, I’ll continue with an introduction to SAP NetWeaver Identity Management 7.1, which represents a powerful combination of the meta-directory and virtual directory concepts. Using the example of SAP NetWeaver Identity Management, I’ll describe a scenario in which you can combine these SAP products to create a highly automated and SAP ERP Human Capital Management (HCM)-integrated solution for Sarbanes-Oxley-compliant IDM.

Let’s start with a couple of technical concepts upon which most IDM solutions are based.

IDM Solution Technical Possibilities

Several vendors have developed IDM solutions that have reached a solid level of maturity. Two different technical concepts for IDM solutions are predominant in the market:

Meta-directory: Solutions based on the meta-directory approach synchronize identity data from existing data sources into a central repository, which is in many cases a directory server accessible through the LDAP protocol. Meta-directory solutions often support complex operations to provision users and access privileges over a heterogeneous system landscape. Disadvantages of the meta-directory approach are additional costs for implementation and ownership of a central repository and the dependence of data freshness on the synchronization frequency.

Virtual directory: Virtual directory-based solutions provide real-time access to the existing data sources without moving the data out of the original repository and don’t require data synchronization. They provide a single access point using a standard protocol such as LDAP to heterogeneous data sources and present the information in a virtual directory tree. They are capable of providing different views to internal and external clients based on their requirements, access permissions, and data privacy policies. Virtual directory solutions depend on the data sources to which they connect.


Whether a meta-directory- or virtual directory-based solution is the best choice depends on the requirements for service quality, performance, network topology, and policies for security and data privacy. Combined solutions are also available in the market and offer additional flexibility.

SAP BusinessObjects Access Control 5.3

SAP BusinessObjects Access Control 5.3 is a solution for identification, management, and mitigation of access- and authorization-related risks in a system landscape that includes SAP and non-SAP solutions, to ensure Sarbanes-Oxley compliance. SAP BusinessObjects Access Control 5.3 consists of four application capabilities: Risk Analysis and Remediation (RAR), Enterprise Role Management (ERM), Superuser Privilege Management (SPM), and CUP.

Note

Each component of SAP BusinessObjects Access Control comes with a variety of features that can’t be covered in this article. I covered each in articles that can be found in the GRC Expert knowledgebase. Search Frank Rambo in the search box on the main page to bring them all up.

Relevant for the compliant identity management use case are the RAR and CUP components in combination with the following Web services that come standard with SAP BusinessObjects Access Control:

SAPGRC_AC_IDM_SUBMITREQUEST
SAPGRC_AC_IDM_SELECTAPPLICATION
SAPGRC_AC_IDM_RISKANALYSIS
SAPGRC_AC_IDM_SEARCHROLES
SAPGRC_AC_IDM_ROLEDETAILS
SAPGRC_AC_IDM_AUDITTRAIL
SAPGRC_AC_IDM_REQUESTSTATUS

Any IDM product can consume these Web services to submit requests into CUP, select applications connected to CUP, search and retrieve detail information of roles available in CUP, and request results of risk analysis, status, and audit trail information of access requests submitted in CUP. SAP BusinessObjects Access Control 5.3 can also call Web services offered by IDM solutions for request submission as long as they are Service Provisioning Markup Language (SPML) 1.0 compliant.

This Web service-based interface supports two different scenarios:

IDM driven: Initial request creation in the IDM solution and subsequent request submission in CUP for risk analysis, approval, and auto-provisioning for ERP access to SAP and non-SAP systems.

CUP driven: Initial request creation in CUP and subsequent request submission in the IDM solution for non-ERP access such as a mail account or the corporate network.

Figure 1: IDM-driven scenario

Both scenarios involve submission of requests in CUP at a certain point. Scenarios with a direct interface between the IDM solution and RAR for risk analysis are currently not supported by SAP BusinessObjects. In both scenarios, access requests consist of a combination of entitlements in ERP (both SAP and non-SAP) systems and entitlements in non-ERP systems (e.g., Microsoft Active Directory, Microsoft Exchange, and Sun ONE directory). The ERP entitlements contained in the access request require a detailed risk analysis in CUP before they can be provisioned.

Let’s drill a bit deeper into the IDM-driven scenario, where the IDM solution calls SAP BusinessObjects Access Control 5.3 for request submission (Figure 1). Here the request is initiated in the IDM solution by an identity source, which can be as simple as a request form filled in by a requester in a self-service scenario or more complex, involving other systems such as SAP ERP HCM. Depending on the configuration in the IDM solution, the request is approved in IDM and the non-ERP entitlements are auto-provisioned, whereas the ERP entitlements are submitted as new requests into CUP, where approvers conduct a thorough risk analysis before they approve the request and CUP performs the auto-provisioning. To support this scenario, the IDM solution has to be able to call SAP BusinessObjects Access Control 5.3’s Web service interface accordingly. If the IDM solution takes advantage of all available Web services, then more advanced features, such as request status tracking and holistic audit trails in IDM (including audit information from CUP), are possible.

Figure 2: CUP-driven scenario

Note

The following vendors provide integration with SAP BusinessObjects Access Control 5.3 either within their standard identity management solution or as project solution: SAP NetWeaver Identity Management, Sun Java System Identity Management, IBM Tivoli Identity Manager, and Novell Identity Manager.

In the alternative CUP-driven scenario, it is CUP calling the IDM solution for request submission (Figure 2). In this example, the request is initiated in CUP. The non-ERP entitlements exist in CUP as roles belonging to the IDM system connector that has to be configured in CUP. The ERP roles undergo a risk analysis during their approval. Request approval in CUP triggers auto-provisioning of the ERP entitlements via the CUP system connectors. Non-ERP entitlements are submitted as requests into the IDM solution via the IDM system connector, where they may need another approval before the IDM solution triggers their provisioning. A technical requirement for this scenario to work is an SPML 1.0-compatible Web service on the IDM side that CUP can call for request submission. At first glance, the IDM-driven scenario seems to be the more logical approach, but experience shows that the approach to IDM can be very different in different companies. For organizational reasons, customers may opt for a GRC-driven implementation approach.

Figure 3: SAP BusinessObjects Access Control versus IDM solutions

Note

For detailed specifications of the Web service interface coming with SAP BusinessObjects Access Control, refer to chapter 7 in the standard configuration guide available in the SAP Service Marketplace at http://service.sap.com/instguides. For more details on how to set up the GRC-driven scenario with SAP NetWeaver Identity Management, check out the following how-to guide available in SDN: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b0da2dba-0480-2b10-a7ae-f055ab6e9355.

It is important to understand that SAP BusinessObjects Access Control has a focus on delivering Sarbanes-Oxley compliance and cannot replace an IDM solution (Figure 3). It can only provision to SAP and non-SAP ERP systems, but not to directory servers, operating systems, email systems, or other components of a heterogeneous IT environment.

On the other hand, IDM solutions cannot deliver compliance on a very granular level that includes detailed analysis of each target system’s authorization concept. Most IDM solutions keep references to entitlements in their target systems (e.g., role names and group names), but do not dig deeper into their content in terms of detailed authorization field values and other parameters.

Figure 4: SAP NetWeaver Identity Management in combination with SAP BusinessObjects Access Control
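The gap described above, shown as an added example that is not code from the article or from SAP: a check that only knows role names (all an IDM solution holds) next to a content-level analysis of the kind RAR performs on the roles' actual authorizations. The Z_* role names, their transaction content, the function ids and the rule id are constructed for this example.

```python
"""Role-name-level versus content-level SoD analysis (constructed example).

An IDM solution holds only references to entitlements (role names); a GRC
risk analysis looks into what the roles actually grant. All data below is
invented for this example and is not SAP's delivered rule set.
"""

# Constructed role content: role name -> transaction codes the role grants.
# Z_TREASURY_OPS deliberately grants the payment run under an unrelated name.
ROLE_CONTENT = {
    "Z_AP_INVOICE":   {"FB60", "MIRO"},   # enter vendor invoices
    "Z_PAY_RUN":      {"F110"},           # execute the automatic payment run
    "Z_TREASURY_OPS": {"F110", "FF7A"},   # cash position, but also payment run
    "Z_DISPLAY_ONLY": {"FB03", "XK03"},   # display documents and vendors
}

# Business functions, each defined by the transactions that realise it.
FUNCTIONS = {
    "AP01_ENTER_INVOICE": {"FB60", "MIRO"},
    "AP02_PAYMENT_RUN":   {"F110"},
}

# Constructed SoD rule: two functions one person must not hold together.
SOD_RULES = {
    "P001": ("AP01_ENTER_INVOICE", "AP02_PAYMENT_RUN"),
}

# All a name-only check can express: pairs of role names known to conflict.
NAME_LEVEL_CONFLICTS = {frozenset({"Z_AP_INVOICE", "Z_PAY_RUN"})}


def name_level_conflicts(roles):
    """IDM-style check: flags only the role-name pairs it was told about."""
    roles = set(roles)
    return sorted(tuple(sorted(pair)) for pair in NAME_LEVEL_CONFLICTS
                  if pair <= roles)


def functions_granted(roles):
    """Resolve role content to the business functions it enables. A function
    counts as granted as soon as one of its transactions is granted."""
    tcodes = set().union(*(ROLE_CONTENT[r] for r in roles))
    return {fn for fn, needed in FUNCTIONS.items() if needed & tcodes}


def content_level_violations(roles):
    """Content-level check: ids of rules violated by the combined role content."""
    granted = functions_granted(roles)
    return sorted(rid for rid, (a, b) in SOD_RULES.items()
                  if a in granted and b in granted)


def analyze_request(existing, requested):
    """Analyse a request the way the approval step does: the user's existing
    roles and the requested ones are evaluated together, so a request that is
    clean on its own can still be held because of what the user already has."""
    combined = sorted(set(existing) | set(requested))
    violations = content_level_violations(combined)
    already = set(content_level_violations(existing)) if existing else set()
    return {
        "roles_analysed": combined,
        "violations": violations,
        "introduced_by_request": [v for v in violations if v not in already],
        "decision": "auto-provision" if not violations else "hold for mitigation",
    }


if __name__ == "__main__":
    request = ["Z_AP_INVOICE", "Z_TREASURY_OPS"]
    print("name level   :", name_level_conflicts(request))      # misses it
    print("content level:", content_level_violations(request))  # finds P001
```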

SAP NetWeaver Identity Management 7.1

SAP NetWeaver Identity Management 7.1 is a full-fledged IDM solution that, unlike former SAP Central User Administration (CUA), does not focus on SAP-only environments (Figure 4). It comes with a large variety of connectors to SAP and non-SAP target systems such as SAP ABAP as well as Java stack-based business applications, diverse operating systems, databases, email systems, and Web and legacy applications (Figure 5). It is also possible for customers to develop additional connectors that do not come with the product. A key component of SAP NetWeaver Identity Management is a central identity store that contains all identity data pulled together from and kept in sync with its source systems. Changes of employee data in an SAP ERP HCM system, or manually via self-service and automated workflows, can automatically trigger provisioning of users and access privileges. SAP NetWeaver Identity Management 7.1 also allows for rule-based provisioning (e.g., the presence of configurable attributes at a given identity object) to trigger provisioning of access privileges in one or multiple target systems. Another useful product capability is a password management component permitting end users in a self-service scenario to reset their passwords. The solution also comes with user-friendly Web Dynpro-based UIs for access requests, monitoring, and accessing detailed audit trails.

Figure 5: Examples of connectors for diverse target systems coming with SAP NetWeaver Identity Management 7.1

As depicted in Figure 6, SAP NetWeaver Identity Management 7.1 consists of two main components: Identity Center (IC) and Virtual Directory Server (VDS). IC is a meta-directory-based component, whereas VDS is a virtual directory solution. There are use cases in which only one of these two components needs to be installed — they run independently from each other. Each component can connect to a large variety of source systems via connectors depending on the specific use case.

Figure 6: Architecture of SAP NetWeaver Identity Management 7.1

The VDS can expose IDM functionality to external clients or applications through identity services. Identity services, accessible via the LDAP or SPML protocol, provide a standards-based single access point for querying and managing identity information across the system landscape. IC contains the identity store, which is either an MS SQL Server or an Oracle database, and controls the provisioning operations. VDS can connect to the identity store via the JDBC interface to retrieve or update identity data as requested by external clients or business applications through identity services. The opposite connectivity is also possible: VDS can take the role of a target system for provisioning controlled by IC and allow at the same time real-time access to the data in the source systems that are connected to the VDS.

Identity Center

IC is the primary component used for IDM. It includes functions for identity provisioning, workflow, password management, logging, and reporting (Figure 7). IC retrieves the data from various repositories, consolidates it, transforms it into the necessary formats, and publishes it back to the various decentralized repositories when synchronization is necessary. IC uses a database called the identity store to store all data related to identity objects, configuration, and audit trails.

Figure 7: IC architecture

The workflow UI is based on Web Dynpro Java and is used by requesters and approvers for request submission and approval. The monitoring UI is based on the same UI technology and provides administrators access to monitoring, audit trails, and status information of ongoing provisioning processes in IC. Both the workflow UI and the monitoring UI are deployed either on SAP NetWeaver 7.0 Application Server Java or on SAP NetWeaver Composition Environment 7.1 enhancement package 1.

The management console is a snap-in for the Microsoft Management Console and is used to connect target systems, define workflow processes, and configure processing logic of IC. By its nature, it requires a Microsoft Windows operating system.

The dispatcher runs in a runtime engine that executes provisioning and synchronization tasks. You can use multiple pairs of dispatcher/runtime engines to run specific types of jobs and allow for scalability of the solution.

You can configure an event agent to take action based on changes performed directly in one of the target systems. The event agent detects changes and submits information to the IC. The dispatcher then executes a given job to react to the detected change. This mechanism is optional and its only purpose is to initiate synchronization based on changes in repositories in addition to the scheduled operations.

The concept of business roles represents another important feature of IC. Business roles can contain one or multiple technical roles and also other business roles (Figure 8). Technical roles are references to roles or privileges in the source systems. They are uploaded from their source systems and represented in IC as privileges. In their source systems, the roles contain bundles of authorizations or access permissions, but this role content is not available in IC. Business roles are usually defined in the context of a business process and contain all privileges required to execute certain business tasks of an employee in multiple systems. They facilitate requesting and approving access by less-experienced end users.

Figure 8: Business roles are defined in IC to bundle technical roles from multiple systems

Virtual Directory Server

VDS provides a single access point supporting standard protocols such as LDAP or SPML for clients retrieving or updating data in multiple data repositories coming with different data formats or access protocols. It can represent the data in a virtual directory tree and supports different views of the information based on the requirements and access permissions of the requesting user or application. In a very simple case, VDS can represent data from a relational database in a virtual directory tree and provide access to it via the LDAP protocol.

A single access point via a standard protocol facilitates accessibility of the data for applications and end users considerably. It reduces configuration and administration efforts and requires less specialized skills, resulting in a lower total cost of ownership. Because data is kept in its source repositories rather than copied to other locations, data privacy is protected and real-time access to the data is ensured. The data owner continues to keep control over the data.

VDS can perform schema adaptations such as attribute mappings and attribute manipulations such that the data from multiple sources is presented in a seamless fashion in a virtual directory tree. In a similar way, you can join data across multiple sources and update it in a single operation. Many different use cases exist for VDS.

Now I’ll show you a combined use case for VDS and IC, which is applicable to system landscapes containing an SAP ERP HCM system.

Use Case: Identity Life Cycle with SAP ERP HCM Integration

A particular strength of SAP NetWeaver Identity Management is the capability for tight integration with SAP Business Suite applications. I’ll explain a scenario in which events in the employee life cycle taking place in an SAP ERP HCM system can trigger provisioning and de-provisioning actions in SAP NetWeaver Identity Management. This increases automation in IDM for employees and saves costs.

Another example for the integration with SAP Business Suite applications is the capability for business partner creation and provisioning of assignments between users and business partners in SAP Customer Relationship Management (CRM), which is required to fully enable new users in the SAP CRM application context.

Note

For more use cases, integration scenarios with SAP Business Suite, technical information, and configuration guides for SAP NetWeaver Identity Management, refer to http://www.sdn.sap.com/irj/sdn/nw-identitymanagement.

In the scenario shown in Figure 9, employee data is maintained in SAP ERP HCM. SAP ERP HCM uses the built-in LDAP connector technology to replicate employee data as needed to the VDS using its identity services interface. IC, or more precisely its identity store database, is connected with the VDS as a data repository through the JDBC connector. The VDS writes the employee data received through the identity services interface into the identity store. This replication mechanism also supports a configurable delta replication: Only changes of relevant attributes of employees are delivered through the VDS to the identity store. Also, time-dependent values are supported and you can schedule provisioning actions to take place at a future date when a particular change becomes effective (e.g., an internal transfer or promotion).

Figure 9: Identity life cycle with SAP ERP HCM integration
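The delta replication with time-dependent values just described, as an added example (not code from the article or from the SAP LDAP connector): only attributes that drive provisioning are compared, a change whose validity has already begun is applied now, and a future-dated one (promotion, contract end) is scheduled for its effective date. Personnel numbers, attribute names, dates and the record layout are constructed for this example.

```python
"""Delta replication of time-dependent employee attributes (constructed example).

store:  what the identity store currently holds per personnel number.
export: time slices per attribute as they could come out of an HCM run;
        each slice is (valid_from, value). Layout and values are invented.
"""
from dataclasses import dataclass
from datetime import date

# Attributes whose change may trigger (de)provisioning; everything else is
# filtered out of the delta, as a phone number would be.
RELEVANT_ATTRIBUTES = {"orgunit", "position", "status"}


@dataclass(frozen=True)
class Change:
    pernr: str          # personnel number
    attribute: str
    old: object         # None for a newly replicated employee
    new: object
    effective: date     # date from which the new value is valid


def compute_delta(store, export, today):
    """Return (apply_now, scheduled): relevant changes whose validity has begun,
    and future-dated ones to be executed when they become effective."""
    apply_now, scheduled = [], []
    for pernr, attributes in export.items():
        known = store.get(pernr, {})
        for attribute, slices in attributes.items():
            if attribute not in RELEVANT_ATTRIBUTES:
                continue
            slices = sorted(slices)                       # oldest validity first
            current = [s for s in slices if s[0] <= today]
            value_now = current[-1][1] if current else None
            if value_now is not None and known.get(attribute) != value_now:
                apply_now.append(Change(pernr, attribute, known.get(attribute),
                                        value_now, current[-1][0]))
            previous = value_now
            for valid_from, value in slices:
                if valid_from <= today:
                    continue                              # already covered above
                if value != previous:                     # only real changes
                    scheduled.append(Change(pernr, attribute, previous, value, valid_from))
                previous = value
    return apply_now, scheduled


def due_changes(scheduled, today):
    """Scheduled changes whose effective date has been reached; the job that
    runs on that day applies exactly these."""
    return [c for c in scheduled if c.effective <= today]


# Constructed sample data: one existing employee, one new hire.
STORE = {
    "00001234": {"orgunit": "Procurement", "position": "Buyer", "status": "active"},
}
EXPORT = {
    "00001234": {   # promotion effective Aug 1, contract ends Sep 30
        "orgunit":  [(date(2009, 1, 1), "Procurement")],
        "position": [(date(2009, 1, 1), "Buyer"), (date(2009, 8, 1), "Senior Buyer")],
        "status":   [(date(2009, 1, 1), "active"), (date(2009, 9, 30), "withdrawn")],
        "phone":    [(date(2009, 6, 15), "+49 0000 000000")],   # not relevant
    },
    "00005678": {   # new hire whose entry becomes valid today
        "orgunit":  [(date(2009, 7, 1), "Procurement")],
        "position": [(date(2009, 7, 1), "Buyer")],
        "status":   [(date(2009, 7, 1), "active")],
    },
}


def run_demo(today_iso="2009-07-01"):
    """Run the delta on the sample data for the given replication day."""
    return compute_delta(STORE, EXPORT, date.fromisoformat(today_iso))


if __name__ == "__main__":
    now, later = run_demo()
    for c in now:
        print("apply now:", c)
    for c in later:
        print("scheduled:", c)
```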

IC can now initiate rule-based provisioning of business roles. For example, new entries tagged as employees can automatically be provisioned with the business role Employee. In the example in Figure 9, this includes the creation of an entry in the LDAP directory serving as a user source for SAP applications running on an SAP NetWeaver Application Server Java such as the SAP NetWeaver Portal. The business role Employee may contain further privileges in multiple SAP and non-SAP target systems. These could be group memberships in the LDAP directory granting access to a portal role tailored for employees, user IDs and authorization roles in SAP ABAP stack-based systems such as SAP ERP HCM or SAP ERP for self-services, access to the corporate network, and an email account.

Communication data created during the provisioning process (e.g., user ID, email account, or data entered later through Web-based employee self-services) will be added as an attribute to the identity entry in the identity store. You can even write it back to the employee master record in SAP ERP HCM, if permitted by HR data owners.

A Solution for Compliant IDM

The integration of SAP BusinessObjects Access Control 5.3 and SAP NetWeaver Identity Management 7.1 provides a highly integrated solution for HR-driven compliant IDM. It has recently been made available in SAP IDES demo systems and can be booked by SAP sales contacts and presented live to customers. Figure 10 shows the flow of this scenario in eight steps, which runs in a highly automated fashion with minimal human interaction:

1. Employee actions executed by the HR department trigger provisioning in SAP NetWeaver Identity Management. The example shows the on-boarding of a new employee, but you can support other employee actions (e.g., position change or contract termination) in a similar fashion.

2. The LDAP connector is scheduled to run once per day and replicates changes to the employee master data to VDS.

3. VDS connects to the identity store and creates a new identity object for the new employee.

4. Attribute data identifies the new entry as an employee working in the procurement department. This triggers rule-based provisioning in SAP NetWeaver Identity Management of the two business roles Employee and Procurement – Default. The business roles contain privileges for an email account in Microsoft Exchange and an account in Microsoft Active Directory with group memberships for the security groups Employee and Procurement – Default, which lead to an allocation of the corresponding roles in the SAP NetWeaver Portal. They also contain privileges for a user ID in the SAP ERP HCM and SAP ERP systems with authorization roles for employee self-services and order management, respectively. Because these systems are both ERP-like systems, SAP NetWeaver Identity Management creates through the Web service interface a request in SAP BusinessObjects Access Control to conduct a risk analysis prior to provisioning.

5. After SAP NetWeaver Identity Management creates a user ID and email address for the new employee in compliance with the applicable naming conventions, it automatically connects via RFC back to SAP ERP HCM and updates the master record of the new employee, adding to the communication data infotype the user ID (subtype 0001) and the email address (subtype 0010). A correctly maintained communication infotype is a prerequisite for many workflow-driven business scenarios in SAP business solutions.

6. SAP NetWeaver Identity Management automatically submits a request to CUP containing the authorization roles for employee self-services in the SAP system and for order management in the SAP ERP system, respectively.

7. A compliance manager receives the CUP request and performs a risk analysis before she or he approves it.

8. Request approval triggers auto-provisioning in CUP: A new user is created in the SAP ERP HCM and SAP ERP systems and the authorization roles are assigned.

Figure 10: Highly integrated scenario for compliant IDM with SAP BusinessObjects Access Control 5.3 and SAP NetWeaver Identity Management 7.1
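Steps 4 and 6 above, together with the nested business roles introduced in the Identity Center section and the ERP/non-ERP split of the IDM-driven scenario, as an added example that is not code from the article or from SAP NetWeaver Identity Management: business roles are flattened to technical privileges (with cycle detection for a badly modelled role tree), non-ERP privileges are provisioned by IDM itself, and ERP privileges are bundled into one request held for risk analysis. System names, privilege ids, role names and the request dict are constructed; the real CUP Web service payload is not modelled.

```python
"""Business role resolution and the IDM / CUP split (constructed example).

Only references to technical roles (system + role name) exist in IC; the
role content stays in the source systems. System ids, privilege ids and the
request structure are invented for this example.
"""
from collections import defaultdict

# Target systems and whether their entitlements must pass through CUP.
SYSTEMS = {"AD": "non-ERP", "EXCHANGE": "non-ERP", "ERP_HCM": "ERP", "ERP": "ERP"}

# Technical roles as uploaded into IC: privilege id -> (system, role name).
PRIVILEGES = {
    "PRIV:AD:EMPLOYEE":      ("AD", "Employee"),
    "PRIV:AD:PROC_DEFAULT":  ("AD", "Procurement - Default"),
    "PRIV:EXCHANGE:MAILBOX": ("EXCHANGE", "Mailbox"),
    "PRIV:ERP_HCM:Z_ESS":    ("ERP_HCM", "Z_ESS_EMPLOYEE"),
    "PRIV:ERP:Z_ORDER_MGMT": ("ERP", "Z_ORDER_MGMT"),
}

# Business roles contain technical roles and other business roles.
BUSINESS_ROLES = {
    "Employee": ["PRIV:AD:EMPLOYEE", "PRIV:EXCHANGE:MAILBOX", "PRIV:ERP_HCM:Z_ESS"],
    "Procurement - Default": ["Employee", "PRIV:AD:PROC_DEFAULT",
                              "PRIV:ERP:Z_ORDER_MGMT"],
}


def resolve_business_roles(roles, model=BUSINESS_ROLES, privileges=PRIVILEGES):
    """Flatten nested business roles into the set of technical privilege ids.
    A business role met again on the current path is a cycle in the role
    model and is reported instead of being followed forever."""
    resolved, path = set(), []

    def walk(name):
        if name in privileges:
            resolved.add(name)
            return
        if name not in model:
            raise KeyError(f"unknown role or privilege: {name!r}")
        if name in path:
            raise ValueError("cycle in business role model: "
                             + " -> ".join(path + [name]))
        path.append(name)
        for member in model[name]:
            walk(member)
        path.pop()

    for role in roles:
        walk(role)
    return resolved


def split_entitlements(identity, roles):
    """Return (idm_provisioning, cup_request): non-ERP privileges are
    provisioned by IDM right away, ERP privileges wait in one request until
    the risk analysis and approval in CUP have happened."""
    per_system = defaultdict(list)
    for priv in sorted(resolve_business_roles(roles)):
        system, role = PRIVILEGES[priv]
        per_system[system].append(role)
    idm_provisioning = {s: r for s, r in per_system.items()
                        if SYSTEMS[s] == "non-ERP"}
    cup_request = {
        "requested_for": identity,
        "status": "pending risk analysis",
        "items": [{"system": s, "role": r}
                  for s in sorted(per_system) if SYSTEMS[s] == "ERP"
                  for r in per_system[s]],
    }
    return idm_provisioning, cup_request


if __name__ == "__main__":
    direct, request = split_entitlements("00005678", ["Procurement - Default"])
    print("IDM provisions now:", direct)
    print("submitted to CUP  :", request)
```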

If the SAP NetWeaver Portal is configured for single sign-on (SSO) with Windows Kerberos, then the new employee, Peter Saddler, finds a user-friendly system environment waiting for him on his first day:

His manager provides him with the initial password to log on to the Active Directory and the corporate network.

He has an email account in Microsoft Exchange.

He has an icon on his desktop for the corporate portal that does not require further authentication.

He finds in his portal landing page all he needs: company information and employee self-services under the Company tab, his workflow inbox, an Identity Management tab to request additional access, an Order Management tab for the required transaction in the procurement department (Figure 11), and collaboration features.

Figure 11: Portal page of the new employee as provisioned by automated compliant IDM with SAP NetWeaver Identity Management 7.1 and SAP BusinessObjects Access Control 5.3

If Peter requires additional business roles, he can submit a request with additional business roles to SAP NetWeaver Identity Management. Access privileges for ERP systems contained in the selected business roles again lead to the creation of a corresponding request for risk analysis and approval in CUP.