SAP

Identity Management
IDMCONSULTANT@hotmail.com
Identity Management

Purpose
• A central place for managing all identities
• Granting and revoking authorizations in applications
• Synchronizing data between applications
• Attestation, i.e. confirming that the assignments are still valid
• Segregation of Duties (SoD)
• Auditing – who had which authorizations at which time

Identity Management

Purpose
• Manage user life-cycle
• Ensure that the right people have the right authorizations
• Keeping identity data updated across the organization
• Setting the (same) password in all applications

Typical User Lifecycle

Holistic Identity Management Approach
• Integration with heterogeneous systems
• Central Identity Store
• Approval Workflow
• Identity Virtualization/Identity as a Service
• SAP Business Suite Integration
• Compliance Check/GRC
• Rule-based assignment of business roles
• Monitoring & Audit
• Password Management
• Distribution of Users and Role Assignments
• SSO – Single Sign-On

Application data and Challenges

Each application stores user information
• Authentication data
  - User ID – often different for different applications for the same user
  - Password – some applications use an authentication server (and do not store passwords themselves)
• Authorization data
  - Access levels to the application data
High complexity
• Difficult/impossible to get an overview of all employees
• Errors when entering the information
  - Duplicate entries for the same person
  - Misspellings

Application data and Challenges

Disconnected Systems
• Applications are unaware of each other
Security risks
• Employees leaving – access rights not revoked in all systems
• People moving – granted new access rights, previous access rights are not revoked
• Manual procedures involved – human errors may cause security flaws
• Lack of audit – who had access to what, when
High maintenance cost
• Many manual operations, resources could be put to better use
• Time-consuming, employees must wait
Compliance
• SOX - Sarbanes-Oxley, HIPAA - Health Insurance Portability and Accountability Act
• Internal audits, risk assessments, etc.

Identity data

Personal data
• Normally short data elements like name, phone, email, picture, certificate
Pointer data
• Pointer or reference data point or link an identity to other objects such as a web page, document archive, group memberships
Assignments Data
• Roles, privileges, authorizations
Read-mostly data
• High read/write ratio

Identity Store

• Central Storage for Identities
• Contains selected attributes from connected applications based on attribute quality
• A superset of all the identity information within the organization
• Data Ownership challenges
• Data Quality and Cleansing
• Role Structure – Normalize, Simplify, Reduce
• Joining Identity Data – Finding a common Identifier
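
Added example (not part of the original slides, and not SAP IdM code): a small reconciliation check that joins accounts from disconnected applications on a common identifier and flags the problems listed under "Application data and Challenges" (leavers whose access was not revoked, accounts with no matching identity, duplicate entries). It assumes a normalized e-mail address as the common identifier and an HR list as the authoritative source; all field names and records are constructed.

```python
# Added example: reconcile per-application accounts against an authoritative
# identity list. All records and field names below are constructed.
from collections import defaultdict

HR = [  # assumed authoritative source (hypothetical fields)
    {"emp_id": "1001", "email": "Anna.Berg@example.com", "status": "active"},
    {"emp_id": "1002", "email": "tom.li@example.com", "status": "terminated"},
]
# The same person has a different user ID in each application.
APP_ACCOUNTS = {
    "erp": [{"user_id": "ABERG", "email": "anna.berg@example.com "},
            {"user_id": "TLI", "email": "tom.li@example.com"}],
    "crm": [{"user_id": "anna.b", "email": "ANNA.BERG@example.com"},
            {"user_id": "a.berg", "email": "anna.berg@example.com"},
            {"user_id": "jdoe", "email": "j.doe@example.com"}],
}

def norm(email):
    """Common identifier: e-mail with case and stray whitespace removed."""
    return email.strip().lower()

def reconcile(hr, app_accounts):
    """Return (app, user_ids, finding) tuples for accounts needing review."""
    by_email = {norm(p["email"]): p for p in hr}
    findings = []
    for app in sorted(app_accounts):
        seen = defaultdict(list)  # common identifier -> user IDs in this app
        for acc in app_accounts[app]:
            key = norm(acc["email"])
            person = by_email.get(key)
            if person is None:
                findings.append((app, acc["user_id"], "orphan: no matching identity"))
            elif person["status"] != "active":
                findings.append((app, acc["user_id"], "leaver: access not revoked"))
            seen[key].append(acc["user_id"])
        for key, ids in seen.items():
            if len(ids) > 1 and key in by_email:
                findings.append((app, ",".join(ids), "duplicate: same person"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR, APP_ACCOUNTS):
        print(*finding, sep=" | ")
```

Without the normalization step the three spellings of the same address would not join, which is the data-quality problem the slide names.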

SAP IdM – Components

• Core Component – Database
• Runtime Component – Dispatcher and Runtime engine
• IDM UI and IDM Admin UI
• IdM Developer Studio – Service and Eclipse Plugins
• Virtual Directory Services (VDS)
  - Data access
  - External communication
  - Exposing the identity store
