
Identity Management with SAP NetWeaver IdM

Andreas Müller, BT Global Services

24.04.2008

Agenda

- Introduction SAP NetWeaver IdM
- Project IdM@BT
- Project ISP
  - Background and Motivation
  - Functionality
  - Lessons Learned
- Summary

@ BT 2008

SAP NetWeaver Identity Management

- IdM should be triggered by identity business processes (e.g. Order2Cash) and data (e.g. on-boarding, HCM)
- Business processes rely on appropriate user and role assignments in systems
- Approval workflows
- Central identity store
- Identity virtualization and identity as a service through standard interfaces
- HCM integration
- Definition and rule-based assignment of meta roles
- Identity management monitoring & audit

SAP NetWeaver Identity Management

- Password management
- Distribution of users and role assignments for SAP and non-SAP systems

Connected systems shown in the diagram: legacy applications, MS Exchange, web applications, databases, operating systems; SAP FI (ABAP), SAP HR (ABAP), SAP ERP (ABAP), SAP Java, SAP Portal (Java), SAP XI (ABAP/Java).

System Components

- Workflow web front-end for end users (users and managers): approvals, self-service, delegated administration
- Monitoring web front-end for operations: analyse system activity
- Management Console for administrators and developers: system configuration
- Database holds the identity store and the process configuration
- Dispatchers execute processes: batch synchronization, user-initiated tasks, provisioning tasks
- Event agents detect changes in connected systems
- Virtual Directory provides additional connectors

Components in the architecture diagram: Workflow Front-End, Monitoring Front-End, Management Console, Identity Center (Database, Dispatcher, Event Agent), Virtual Directory, source systems, target systems.

Management Console

Example: Request an SAP role


Monitoring



Use of Identity Center at BT

- Synchronization of 230,000 identities from the corporate directory into Active Directory
- Provisioning of personal and functional email accounts
- Additional attributes joined from import files
- Built-in delta mechanism reduces updates to Active Directory to the absolute minimum
- Performance: delta import once a day (duration 1.5 h); full import once a month (duration ca. 5 h)

Data flow in the diagram: corporate directory and files (source systems) into the data synchronization engine (Identity Center), out to Active Directory and a database (target systems).

Benefits
- Efficient delta mechanism
- Highly customizable connectors


Customer: Internet Service Provider
Project Scope

Consulting
- IdM project setup and definition
- Requirements analysis
- Detailed vendor selection: longlist, RFI, shortlist, POC

Implementation
- Design based on the selected IdM tool (MaXware IC / SAP NetWeaver IdM)
- Implementation: data model, IdM processes, provisioning interfaces to target systems, IdM data synchronization
- Establish standards for the definition of roles and entitlements
- Process optimization for IdM administration processes
- Prepare data protection concepts and works council agreements
- Quality assurance concept
- Data cleansing support

Project management
- Test
- Migration of existing accounts and entitlements
- Operations: change and incident management

Customer: Internet Service Provider
Motivation

Project goals
- Creation of a central identity repository for all non-customer identities accessing computing center applications
- Implementation of standardized administration processes for entitlements
- Creation of a central repository for entitlements
- Increasing data quality of identity and entitlement data
- Effective demonstration of SOX compliance
- Delegation of administrative tasks
- Increase degree of automation

Primary goals: increase usability, security and audit capabilities
Secondary goals: cost reduction and ROI considerations

Tool selection
- RFI with >10 major IdM vendors
- Presentations and proof of concept

Criteria
- Support for non-standard applications
- Flexibility, high degree of customization possible
- Expected implementation effort
- Match with skills available internally
- Support for roles and delegated administration
- Traceability of system and user actions

Source and Target Systems

Target system types
- SAP
- ISP test accounts
- Building access
- Secure VPN
- LDAP
- Active Directory
- Samba
- SSH key management / key distribution
- ARS Remedy
- Sun Access Manager

User groups
- Employees
- Group employees
- Consultants
- Partners

Source systems
- HR
- Group directory
- Asset database

Project History and Milestones

- Nov. 2004: Requirements analysis
- May 2005: Tool selection
- July 2005: Design and start of implementation
- Feb. 2006: Go-live Release 1.0 including
  - Source-system connectivity (HR/Org master data)
  - Standard request and approval process
  - Internal administrative entitlement model, delegation of admin privileges
  - Target systems SAP/LDAP
- June 2007: Release 1.5
- Sept. 2007: Release 1.6
- Jan. 2008: Release 1.7
- April 2008: Release 1.8

Agenda

- Project ISP
  - Functionality
    - Identity Management
    - Entitlement Management
    - Account Management
    - Self-Service

Use Cases (1): Identity Management
(other use case areas: Entitlement Management, Account Management, Self-Service)

- (Re-)enter company
- OU change
- Location change
- Position change
- Sabbaticals / maternity leave
- Leave company

Identity states and transitions in the state diagram:
- (re-)enter company: inactive to active
- leave company: active to inactive
- suspend (e.g. maternity leave): active to suspended
- activate: suspended to active
- change location / company / organization / name / position: identity stays active
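The state diagram above, as an added example that is not part of the original deck: a small lifecycle state machine in Python that only allows the transitions the slide shows, blocks master-data changes outside the active state, and keeps an audit trail. The event names, the attribute names and the audit-record shape are assumptions of this example.

```python
from dataclasses import dataclass, field

# Allowed transitions, (current state, event) -> next state, taken from the
# state diagram on the Use Cases (1) slide; no other transitions exist here.
TRANSITIONS = {
    ("inactive", "enter_company"): "active",    # (re-)enter company
    ("active", "leave_company"): "inactive",    # leave company
    ("active", "suspend"): "suspended",         # sabbatical / maternity leave
    ("suspended", "activate"): "active",        # return from leave
}
# Master-data changes are self-transitions on "active" in the diagram.
ATTRIBUTE_CHANGES = {"location", "company", "organization", "name", "position"}

class TransitionError(Exception):
    """Raised when an event is not allowed in the identity's current state."""

@dataclass
class Identity:
    uid: str
    state: str = "inactive"
    attributes: dict = field(default_factory=dict)
    # audit trail of (old_state, event, new_state) for the Documentation / Audit use case
    audit: list = field(default_factory=list)

    def apply(self, event: str, **changes) -> str:
        """Apply one lifecycle event and return the resulting state."""
        if event == "change":
            if self.state != "active":
                raise TransitionError(f"{self.uid}: no attribute changes in state {self.state}")
            unknown = set(changes) - ATTRIBUTE_CHANGES
            if unknown:
                raise TransitionError(f"{self.uid}: unsupported attribute(s) {sorted(unknown)}")
            self.attributes.update(changes)
            self.audit.append((self.state, "change:" + ",".join(sorted(changes)), self.state))
            return self.state
        new_state = TRANSITIONS.get((self.state, event))
        if new_state is None:
            raise TransitionError(f"{self.uid}: event {event!r} not allowed in state {self.state}")
        self.audit.append((self.state, event, new_state))
        self.state = new_state
        return new_state

def demo() -> list:
    """Constructed walk-through for the deck's sample person: enter, change, suspend, activate, leave."""
    ident = Identity("hans.mustermann")
    for event, changes in [("enter_company", {}), ("change", {"location": "MUC", "position": "Engineer"}),
                           ("suspend", {}), ("activate", {}), ("leave_company", {})]:
        ident.apply(event, **changes)
    return ident.audit
```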

Manage Master Data
Task Menu

Create Person

Create Location

Use Cases (2): Entitlement Management

- Assign (temporary) permissions
- Revoke permissions
- Automated role assignment
- Documentation / audit

Example in the diagram: person Hans Mustermann with attributes Location, OU and Company; functional role "Employee"; permission "VPN-Access"; account "Active Directory"; permission "AD-Group Employees-MUC".

Account Management
- Assign account
- (De-)activate account
- Delete account
- Password management

Self-Service

Create Permissions
Creates permission within the IdM-system as well as in the target system


Assign/Revoke Permissions
Delegated administration for permission owners


Use Cases (3): Self-Service

- Password reset
- Data protection requirements
- Self-service for certain person attributes
- Request permissions

Request workflow in the diagram: Request, 1st approval (or denial), 2nd approval (or denial), provision, notify.

Request Permissions
- Users may request permissions for themselves or for others
- Approval process configurable for each permission
- Approver roles: Line Manager, Permission Owner, Target System Owner, HR

Approval
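The configurable approval chain from the Request Permissions slide and the request / approval / provision / notify flow from Use Cases (3), as an added Python example that is not from the deck or from SAP NetWeaver IdM. The per-permission chains, the no-self-approval check and the provisioning hook are assumptions of this example; a denial at any step closes the request and both requester and beneficiary are notified of the outcome.

```python
from dataclasses import dataclass, field

# Approver roles named on the "Request Permissions" slide.
APPROVER_ROLES = {"line_manager", "permission_owner", "target_system_owner", "hr"}
# Constructed per-permission approval chains (the deck only states that the
# approval process is configurable for each permission); steps run in order.
APPROVAL_CHAINS = {
    "VPN-Access": ["line_manager", "target_system_owner"],   # two-step approval
    "AD-Group Employees-MUC": ["permission_owner"],          # one-step approval
}

@dataclass
class Request:
    requester: str          # users may request for themselves or for others
    beneficiary: str
    permission: str
    decisions: list = field(default_factory=list)      # (role, approver, approved)
    status: str = "pending"                            # pending -> provisioned | denied
    notifications: list = field(default_factory=list)  # (user, outcome)

    @property
    def pending_role(self):
        """Role that must decide next; None once closed or fully approved."""
        chain = APPROVAL_CHAINS[self.permission]
        if self.status != "pending" or len(self.decisions) >= len(chain):
            return None
        return chain[len(self.decisions)]

def open_request(requester: str, beneficiary: str, permission: str) -> Request:
    chain = APPROVAL_CHAINS.get(permission)
    if chain is None or not set(chain) <= APPROVER_ROLES:
        raise ValueError(f"no valid approval chain configured for {permission!r}")
    return Request(requester, beneficiary, permission)

def decide(req: Request, role: str, approver: str, approved: bool, provision) -> str:
    """Record one approval step; provision is called only after the whole chain approved."""
    if role != req.pending_role:
        raise ValueError(f"{req.permission}: expected {req.pending_role!r}, got {role!r}")
    if approver == req.beneficiary:   # assumption: self-approval blocked (SoD / audit)
        raise ValueError("approver may not decide on their own permission")
    req.decisions.append((role, approver, approved))
    if not approved:
        req.status = "denied"
    elif req.pending_role is None:                    # chain complete
        provision(req.beneficiary, req.permission)    # target-system provisioning hook
        req.status = "provisioned"
    if req.status != "pending":                       # notify on every outcome
        for user in dict.fromkeys([req.requester, req.beneficiary]):
            req.notifications.append((user, req.status))
    return req.status
```

`provision` is any callable taking (user, permission); in a real deployment it would be the connector call into the target system, here it is left to the caller.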


Lessons Learned

Implementation
- Expectations concerning adaptability were fulfilled
- Tool supports change and redesign very well in the course of extensions and additions
- Short implementation cycles achieved
- System behavior is transparent and follows a consistent paradigm
- Number of processes (approx. 150 processes, 1300 steps) makes the system complex
- Framework developed on top of built-in functionality
- (Regression) testing indispensable

Processes
- Flexibility (data model, user interface, processes) brings the temptation of relaxing initial standards as the system evolves over time
- End-user help crucial to reduce helpdesk call volume
- Complexity multiplies (user types x identity states x data sources)

General issues
- Data cleansing and migration may take up to 50% of target system implementation effort
- Development, integration and production environments required to manage changes
- Pragmatic approach to the use of roles allows for a sufficient degree of automation without complex role modeling processes

Summary

SAP NetWeaver Identity Management fulfilled the expectations regarding the speed and flexibility of a tool-box, but requires thorough design and planning for large deployments.

- Agile implementation possible
- Quick reaction to changed requirements
- High degree of flexibility concerning data model, process adaptation and front-end extension

Flexibility requires
- Experienced IdM developers and designers
- Mature project and software development organization
- Comprehensive QA measures appropriate for IdM (e.g. automated regression tests)
- Comprehensive monitoring tools to diagnose system behavior

Thank You
Andreas Müller, Solutions Architect, Global Professional Services, BT (Germany) GmbH & Co. oHG, Tel: +49 (0)69 3307-8074, andreas.mueller@bt.com
