SCI200 - Best Practices for IDM Implementation

Transcript of SCI200 - Best Practices for IDM Implementation

Page 1: SCI200 - Best Practices for IDM Implementation

SCI200

Best Practices for Implementing

SAP NetWeaver Identity Management

Oliver Nocon, SAP Technology RIG EMEA

Serge Muts, SAP Technology RIG Americas

October 2010

© 2010 SAP AG. All rights reserved. / Page 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.


Agenda

1. Project

2. Design

3. Implementation

4. Operation

Identity Management Architecture

Identity Center Database: identity store, configuration, processing logic

Workflow User Interface: main interface for users and managers

Monitoring User Interface: monitoring and audit interface for administrators

Management Console: visual development and configuration UI

Runtime Engine and Dispatcher: processing and provisioning logic, including connectors

Event Agent: monitors connected systems and initiates synchronization

Virtual Directory Server: virtualization layer

Diagram: SAP NetWeaver Identity Management 7.1. The Identity Center consists of the Workflow and Monitoring UI (AS Java), the Management Console, the Dispatcher and Runtime Engine, the Event Agent Service and the Identity Center Database. The Runtime Engine reads from and writes to the connected systems (E-Mail System, Active Directory, SAP Portal, SAP ERP, others), the Event Agent detects changes in them, SAP GRC is connected through web services, and the Virtual Directory Server is drawn alongside these integration paths.

SAP NetWeaver IDM: Communication Paths

Diagram: SAP ERP HCM System, SAP NetWeaver Identity Management (Identity Center (IC) and Virtual Directory Server (VDS)) and SAP BusinessObjects Access Control (GRC), with the following communication paths:

HCM to IDM: transfer employee data to IDM (LDAP)

IDM to HCM: update employee record with communication details (RFC)

IDM to GRC: forward request for risk analysis and poll status (web service call)

IDM to target systems: provision identity to target system (protocol dependent on target system)

Identity Management Definition

SAP NetWeaver Identity Management enables the efficient, secure and compliant execution of business processes by ensuring that the right users have the right access to the right systems at the right time, consistent with their roles across all systems and applications.

Customer Lessons Learned

A business process oriented approach makes it easier to engage the LOBs

The tight integration with SAP BusinessObjects Access Control presents a comprehensive solution for embedding compliance

Don't underestimate and undersell the hidden opportunities to establish and solidify identity and access processes

Scope manageable pieces but lay a solid foundation and start demonstrating long-term benefits early

Integration with SAP applications combined with industry standard connectors makes SAP NetWeaver IDM a compelling solution for many companies

Identity and Access Management represents a culture change for many organizations and should be addressed as a program

Project Lessons Learned I

Define the business case based on cost savings:

reduction in lost productivity

reduction in manual role management tasks

increase in provisioning efficiency

reduction in number of helpdesk calls and queue length

time savings for workflow approvals

improved end user experience through self-administration

Consider opportunities and productivity gains such as:

improved integration of identity and security information

elimination of questionable approvals due to lack of quality information

a single version of the truth (audit)

availability of a complete identity

ability to base access rights on current and complete information

Enlist executive sponsorship as well as sponsorship per functional area

Account for growth during sizing: IDM solutions can grow quickly with mergers & acquisitions and scope changes

Project Lessons Learned II

Work with the business: IT cannot implement IDM by itself

Decide on ownership of Business Roles

Decide on definition of Business Roles

Prioritize initiatives: determine leading systems, distinguish building blocks

Identify stakeholders: select decision makers and those who are impacted. Examples: architecture, application development/admins, HR, Compliance & Audit, LOBs, Help Desk, Suppliers, Customers, Contractors, Legal (for SLAs)

Organize a scoping workshop to estimate cost and timelines; there is no out-of-the-box answer

Start your design based on commonality, not exceptions

Keep roles and role structure as simple as possible: do you need all the roles? Clean up unused roles when you have the opportunity

Project Documentation Map

Leverage the Project Documentation Map provided by SAP on SDN: http://wiki.sdn.sap.com/wiki/display/Security/Planning

Stages of IDM Deployment

Start with Limited Scope and Gradually Increase

Consolidate (initial implementation)

• Collect and streamline access control mechanisms

• Build and publish role-based access

• Password self-service

Automate

• Provisioning – basic account management with IDM

• Set up a rules engine to manage automatic role-based provisioning

• Set up reporting mechanisms to validate control

Streamline

• Workflow-enable approval processes and attribute change mechanisms

• Further enable self-service features for identity and provisioning

Manage & Optimize (on-going)

• Build and deploy an on-going role management process

• Design a perpetual roles and rules review mechanism

• Automated provisioning of user accounts, SAP HCM driven

Project Metrics

Suggestions for Metrics

Metric categories: IT Security Metrics, User Satisfaction Metrics, Audit & Compliance Metrics, Business Process & Agility Metrics

Suggested metrics:

Time/cost to manage identity and account lifecycle events

Number of passwords and logons

Number of anomalies detected

Process flow SLAs

Reduction in identity & access related support calls

Improved time to get productive

Reduction in violations

Costs/time to onboard partner/supplier

Time to develop/integrate new applications

Impact of self-service usage

Costs of information gathering in audits

Measuring key performance indicators will help you prove the project's worth to the organization

Traps to Avoid

"We have pretty clean data": data cleansing is often a bigger issue than expected

"We have to define all roles and positions": design according to "bang for your buck"; design for the critical and most impacting roles

"We cannot go live without this feature": focus on stability and security over individual features

"We don't need outside help": IDM will have a far reach in your company; external consulting can be a tremendous asset

SAP NetWeaver Identity Management

Example Profile of an SAP NW IDM Administrator

Knowledge of SAP NetWeaver Identity Management

SAP and non-SAP authorization concepts to create and maintain Business Roles

LDAP

Databases

SQL queries

JavaScript and/or VBScript

Optional: SPML & SAML

Optional: DB stored procedures

Optional: Java development for custom connectors

Agenda

1. Project

2. Design

3. Implementation

4. Operation

SAP NetWeaver Identity Management

Landscape - Provisioning

Diagram: three IDM instances, DEV, QA and PRD. IDM PRD provisions to the productive systems (HCM/ERP PRD, SRM PRD); IDM QA provisions to ERP QA and SRM QA and IDM DEV to ERP DEV and SRM DEV, the non-productive tiers carrying test IDs only. IDM configuration is moved from DEV to QA and from QA to PRD by export/import.

SAP NetWeaver Identity Management

Landscape – SAP System Refresh

Diagram: a system copy from HCM/ERP PRD onto ERP QA, with IDM PRD provisioning in place.

Use IDM to rebuild the users after a system refresh? No. Use the general SAP Security practice for an SAP system refresh:

1. Preserve the user master of the QA client by creating a transport (SAP_USER profile)

2. Stop IDM provisioning to the QA system

3. Perform the client refresh by copying PRD to overlay QA

4. Import the transport to recreate the user master for the client

5. Resume use of IDM

Possible Web Infrastructure Layout Example

Note: Only for External Facing Scenarios!

Diagram: the zones Internet, Frontend DMZ, Infrastructure DMZ and High Security Area, containing an application gateway (AG) and load balancer (LB) in front of the web server (WWW), the AS Java hosting the IDM UI (AS IDM UI) with its databases (DB AS1, DB AS2), an optional IDM Runtime (IDM RT), the IDM instance, LDAP, the ICM and dispatcher/server (D/S), and the back-end systems BE1 and BE2 with their databases (DB BE1).

Legend:

AG: Application Gateway

ASn: Application Server n

BEn: Back-end System n

DB: Database

D/Sn: Dispatcher / Server n

IDM UI: IDM UI deployed on AS Java

IDM RT: IDM Runtime (optional)

IDM: IDM instance incl. MMC, Runtime, DB schema

LB: Load Balancer

TS: Terminal Server

WAn: Web Application n

WC: Web Cache

Note: for internal-only IDM deployments all IDM components will be in the internal company network

Integration of SAP NW IDM with 3rd Party Primary IAM System – Logical Architecture

Diagram: the primary 3rd-party IAM solution takes its feeds from the HR system, 3rd-party systems and self-service entry access points, and sends requests to SAP NetWeaver IDM over LDAP/WS through the Virtual Directory Server (VDS). This starts events in NW IDM: compliance checks and the compliance response, execution of provisioning to ECC, CRM, BI and SRM, and provisioning to AD. Event completion is reported back to close the audit loop.

Recommended Building Blocks

Define a naming convention and rules around unique identifiers, e.g. employees = Ixxxxxx, contractors = Cxxxxxx

Define a consistent business role naming convention, e.g. Company_VendorMasterVerification

Define Business Roles and provisioning rules: assign Business Roles to users for better control; include approvals and routing when defining provisioning rules

Define meta information for roles to allow users to easily identify the roles they need: defining and entering ownership, role area, etc. will assist in finding the role

Define workflows as part of business process discussions; agree on the workflows before starting implementation

Note: Good data quality is a prerequisite for the successful implementation of an identity management system. Before you start implementing SAP NetWeaver Identity Management, we recommend you clean up the identity data in those systems you want to integrate.

Leading and Consuming Systems

Definitions

Leading system: source system from an IdM perspective; provides master data for either a complete identity or a subset (attributes)

Consuming system: target system from an IdM perspective; consumes all or at least a subset of the identity data stored in the IdM system

Example: the identity John Doe (user ID JDoe, telephone +1 999 9999, e-mail address) is built from HCM and the telephone system; ERP, CRM, LDAP, MAIL and other consuming systems receive the attributes, while HCM itself consumes only the user ID and the telephone number.

Important: One system can either be the source or the target of a defined attribute, not both

Source & Target Map for Attributes

Example (target columns: ERP, HCM, CRM, LDAP, Mail; an X marks a consuming system, reproduced in the order extracted from the slide)

Source Internal | Source External | User Attribute  | Targets
IdM             | E-Shop          | Unique ID       |
IdM             | E-Shop          | User Id         | X X X X
HCM             | E-Shop          | Salutation      | X X X X
HCM             | E-Shop          | First Name      | X X X X
HCM             | E-Shop          | Middle Name     | X X X X
HCM             | E-Shop          | Last Name       | X X X X
IdM             | E-Shop          | E-Mail Address  | X X X X X
Tel. Sys.       | n/a             | Telephone       | X X X X
HCM             | n/a             | Department      | X X X
LDAP            | n/a             | Building        | X X
LDAP            | n/a             | Room            | X X
HCM             | E-Shop          | Country         | X X X
...             | ...             | ...             | ...
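A consistency check for a source and target map of the kind shown above, added here as an example; it is neither from the deck nor from SAP NetWeaver IDM. The system and attribute names follow the slide, but the flows in FLOWS are constructed, two of them deliberately wrong, to show what the check reports: every attribute needs exactly one leading system and at least one consuming system, and no system may be source and target of the same attribute.

```javascript
// Added example: validates an attribute source/target map against the rules
// on the slides: each attribute has exactly one leading (source) system, at
// least one consuming (target) system, and no system is both source and target
// of the same attribute. System names follow the slide; the flows are constructed.
const FLOWS = [
  { attr: "User Id",        sources: ["IdM"],         targets: ["ERP", "HCM", "CRM", "LDAP", "Mail"] },
  { attr: "First Name",     sources: ["HCM"],         targets: ["ERP", "CRM", "LDAP", "Mail"] },
  { attr: "Last Name",      sources: ["HCM"],         targets: ["ERP", "CRM", "LDAP", "Mail"] },
  { attr: "Telephone",      sources: ["Tel. Sys."],   targets: ["ERP", "HCM", "CRM", "LDAP"] },
  { attr: "Department",     sources: ["HCM"],         targets: ["ERP", "CRM", "LDAP"] },
  // the next two rows are deliberately inconsistent
  { attr: "E-Mail Address", sources: ["IdM", "Mail"], targets: ["ERP", "HCM", "CRM", "LDAP", "Mail"] },
  { attr: "Building",       sources: [],              targets: ["ERP", "LDAP"] },
];

// Returns human-readable findings; an empty list means the map is consistent.
function checkAttributeMap(flows) {
  const findings = [];
  const seen = new Set();
  for (const f of flows) {
    if (seen.has(f.attr)) findings.push(`${f.attr}: defined more than once`);
    seen.add(f.attr);
    if (f.sources.length === 0) findings.push(`${f.attr}: no leading system`);
    if (f.sources.length > 1) {
      findings.push(`${f.attr}: more than one leading system (${f.sources.join(", ")})`);
    }
    for (const s of f.sources) {
      if (f.targets.includes(s)) findings.push(`${f.attr}: ${s} is both source and target`);
    }
    if (f.targets.length === 0) findings.push(`${f.attr}: no consuming system`);
  }
  return findings;
}

// Per-system view: which attributes a system leads and which it consumes.
// Handy when deciding on leading systems during scoping.
function systemRoles(flows) {
  const roles = new Map();
  const entry = (sys) => {
    if (!roles.has(sys)) roles.set(sys, { leads: [], consumes: [] });
    return roles.get(sys);
  };
  for (const f of flows) {
    for (const s of f.sources) entry(s).leads.push(f.attr);
    for (const t of f.targets) entry(t).consumes.push(f.attr);
  }
  return roles;
}

// Usage: print the findings for the constructed map.
for (const line of checkAttributeMap(FLOWS)) console.log("finding:", line);
```

Run it before the attribute map is signed off; a non-empty finding list is a design question for the workshop, not something to resolve in job scripts later.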


Agenda

1. Project

2. Design

3. Implementation

4. Operation


Custom Modifications/Extensions

Do not modify tasks provided by SAP: a new import of SAP's framework will overwrite your changes

Recommended procedure:

1. Create a new area, e.g. "Custom Tasks"

2. Create a substructure: structure according to repository name for repository-specific tasks; structure according to the SAP Framework for global event tasks, system type specific tasks and generic tasks

3. Create a copy of the required SAP tasks in the customer structure

4. Adapt the tasks according to your needs

Using the recommended structure will ease support in case of problems

Example Job Structure

Jobs related to ID Store "SAP_HR_Staging_Area"

Jobs related to ID Store "SAP_Master"

Jobs for repository "JR9000"

Jobs for repository "NSP000"

Jobs for repository "ON1000"

Jobs for repository "SUNONE"

Jobs for repository "HR"

Or: name repositories after the logical system, <SID>CLNT<clientnumber>

General Procedure

1. System Setup Phase

2. Data Cleansing Phase

3. System Operation

Diagram: the steps shown across the three phases are Initial Load, Reset Delta, Initial Provisioning, Data Cleansing, Update and Reconciliation

Initial Load – Preparation Steps for Non-Productive Systems

1. Switch off provisioning for the Dispatcher(s) before executing the initial load: go to your Dispatcher configuration and un-check "Run provisioning jobs" for both runtime engines

2. After the final initial load, empty the provisioning queue: execute job "Clean Provisioning Queue MS-SQL" or "Clean Provisioning Queue Oracle"

3. Enable "Run provisioning jobs" again on the Dispatcher(s)

Initial Load – Adding Repositories to a Productive System

Adding new repositories to a productive landscape can be done as follows:

1. Ensure there are no tasks on repository level

2. Execute your initial load jobs: new privileges and user assignments will be created without triggering any tasks

3. Maintain the tasks on repository level as required

Important Remarks – SAP Provisioning Framework

All user attributes are provisioned to the selected back-end systems, not only the changed attributes

All role, profile and group assignments are provisioned, not only the delta for the affected roles, profiles or groups

When performing the initial loads, consolidation occurs based on user IDs: one identity per user ID

The users used for the connections should be technical users that do not have to change their passwords, for example service users in AS ABAP

When performing the initial load, the script custom_initializePassword is called: it generates initial passwords for the users and must be modified in order to create passwords according to your needs

No delta load from the source system and no source system event-triggered updates: full load from the source system, delta handling from the staging area to the Identity Store

From Identity Management for SAP System Landscapes: Configuration Guide

Recommended Tasks

Don't reinvent the wheel. Use the provided templates, jobs and passes.

For AS ABAP version 7.X and newer, use the tasks under Business Suite.

Security

Leverage existing UI authentication

Predefined roles for BW integration (SP5)

Secure connections with transport security (TLS/SSL, JDBCS, LDAPS, SNC), especially when sending passwords

Set "Encryption Algorithm" (Tools – Options) to 3DES (the default is "Standard")

Protect the keys.ini file: use file system security to restrict access to the dispatcher and UI service users

Generate a new key on a regular basis (security policy):

1. Copy the new keys.ini file to the IDM servers where the Runtime, UI and MMC are installed

2. Change the current key indicator to the newly generated key

3. Do NOT remove old keys! They are still needed to decrypt historical values

Check the SAP NetWeaver Identity Management Security Guide

Identity Center – SQL Performance

General recommendations

Use the available Identity Center DB views instead of the tables directly

Use view mxiv_sentries instead of view mxiv_entries

Use SearchValue instead of aValue in SQL "where" clauses

Specific recommendation

Use SQL joins instead of "where ... in (...)" clauses

Example:

    SELECT DISTINCT A.mskey
    FROM mxiv_sentries AS A INNER JOIN mxiv_sentries AS B
      ON A.mskey = B.mskey
    WHERE A.is_id = 1
      AND A.attrname = 'MSKEYVALUE' AND A.searchvalue LIKE '%ADMIN%'
      AND B.attrname = 'MX_ENTRYTYPE' AND B.searchvalue = 'MX_PERSON'

instead of

    SELECT DISTINCT mskey
    FROM MXIV_SENTRIES
    WHERE is_id = 1
      AND attrname = 'MSKEYVALUE' AND searchvalue LIKE '%ADMIN%'
      AND mskey IN (SELECT mskey FROM MXIV_SENTRIES
                    WHERE attrname = 'MX_ENTRYTYPE' AND searchvalue = 'MX_PERSON')

Agenda

1. Project

2. Design

3. Implementation

4. Operation

Operations

Use a dedicated dispatcher with a higher log level to troubleshoot jobs

IDM Script Debugging Podcast: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/17641

Check the detailed job logs on the file system

Configure e-mail notification on critical jobs/passes using the "On Chain Failed" functionality to get an early warning

Preserve historical data by creating a job to copy data to offline storage

Regularly clean up the tables job_execution and AuditTrail

Rebuild database indexes on a regular basis

Register the IDM instance with the System Landscape Directory

For details check the SAP NetWeaver Identity Management Operations Guide

Patches

Applying patches:

Install the SAP Provisioning Framework that comes with the SP level for IDM

Avoid mismatches within an IDM instance (UI, SAP Framework, MMC, etc.)

If you have multiple IDM installations, keep them at the same SP level

Note: A number of performance improvements were made in IDM 7.1 SP5

Further Information

SAP Public Web:

SAP Developer Network (SDN): www.sdn.sap.com/irj/sdn/nw-identitymanagement

Business Process Expert (BPX) Community: www.bpx.sap.com

SAP BusinessObjects Community (BOC): boc.sap.com

Further technical information from the SAP Technology RIG:

Webinars: http://www.sdn.sap.com/irj/scn/ipnw-khnc

How-to Guides: http://www.sdn.sap.com/irj/scn/howtoguides

Podcasts: http://www.sdn.sap.com/irj/scn/sap-how-it-works-elearning

You can also follow SAP Technology RIG on Facebook and Twitter:

http://www.facebook.com/pages/SAP-RIG/119256894764191?ref=ts

http://twitter.com/saprig

Further Information

SAP Developer Network (SDN): http://www.sdn.sap.com/irj/sdn/nw-identitymanagement

Related SAP Education and Certification Opportunities: http://www.sap.com/education/ - Course ID: TZNWIM

Related Workshops/Lectures at SAP TechEd 2010:

SCI101, SAP NetWeaver Identity Management 7.2: Highlights of the Next Release, Lecture

SCI261, SAP NetWeaver Identity Management 7.1 – Workflow Configuration, Hands-On

SCI262, Compliant Identity Management with SAP NetWeaver IDM and SAP BusinessObjects Access Control, Hands-On

SCI263, Identity Virtualization with SAP NetWeaver IDM Virtual Directory Server, Hands-On

SCI265, Managing Federated Identities for Service-Based Single Sign-On, Hands-On

Contact / Feedback

Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© 2010 SAP AG. All Rights Reserved