SAP Identity Management And Provisioning Service – Roadmap


SAP Identity Management & Provisioning Service – Roadmap
Kristian Lehment, SAP SE
Christian Cohrs, SAP SE
July 2017
PUBLIC

Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
© 2017 SAP SE or an SAP affiliate company. All rights reserved. | PUBLIC

Risk based security investments
Do you also protect your data or only the underlying infrastructure?
What data is critical to you? Production process, Specifications, Customer data, Product composition, Processes, Marketing results, Employee data, Vendor information, Leads, Financial data, Contract
Where is that data mainly stored? Mails, SAP systems, Cloud drives, Files
Security measures on infrastructure level are mandatory. But the threat landscapes changed and for most companies the SAP systems are a black box related to security.
[Diagram labels: SAP system, Infrastructure]
The paradox: the black box often contains the most critical data

SAP helps protect your digital business
Cybersecurity is a critical element in the Digital Transformation journey
Transactions and data must be secured throughout the entire end-2-end business process
1. Customers and employees are hyper-connected, always on, with seamless access anywhere and anytime
2. Cloud and hybrid cloud environments have become the norm, challenging traditional “Protect the 4 walls” security approaches
3. Digitally connected supply chains are based on high trust and availability of all parties
4. The Internet of Things and Big Data bring unprecedented data streams and volumes
5. Confidentiality, integrity, and availability of data is the basis for secure operations and trusted relationships

SAP Identity Management and Access Control
In the SAP security product portfolio
SAP Cloud Applications
– SAP Cloud Platform Identity Provisioning
– SAP Cloud Platform Identity Authentication
– SAP Cloud Identity Access Governance, access analysis service
Manage access, users and compliance in the cloud
SAP S/4HANA, SAP Business Suite, 3rd Party Systems
– SAP Single Sign-On: Make it simple for users to do what they are allowed to do
– SAP Identity Management: Know your users and what they can do
– SAP Access Control: Ensure corporate compliance to regulatory requirements
– SAP Enterprise Threat Detection: Counter possible threats and identify attacks
– Add-On for Code Vulnerability Analysis: Find and correct vulnerabilities in customer code
Platform Security
– SAP Cloud Platform, SAP HANA, SAP NetWeaver Application Server
Make sure that SAP solutions run securely

SAP Identity Management

SAP Identity Management
Product description
Use centralized software to lower risk and manage the full identity lifecycle of users. Keep operations running efficiently and affordably, while protecting applications and data. Provide user access according to current business roles. Workflows and user interface are highly flexible and configurable without the need for development skills.
– Lower IT support costs and reduce risk with centralized user identity management across SAP, non-SAP, various IT and cloud solutions
– Improve productivity with self-services such as automatic password resets and rules-driven workflows
– Improve insight and compliance with centralized, integrated logging and reporting
– Boost flexibility with standards-based functionality that integrates fully with company processes

Key capabilities
SAP Identity Management
– Holistic approach
– Manage identities and permissions
– Enables the efficient, secure and compliant execution of business processes
– Ensures that the right users have the right access to the right systems at the right time
– Consistent user roles and privileges across all systems and applications

Use cases in the identity lifecycle
– How long does it take for new employees to receive all permissions and become productive in their new job?
– How can you remove permissions automatically if employees change their position?
– Are permissions automatically adjusted if someone is promoted to a new position?
– How long does it take to remove ALL permissions of an employee? And how can you ensure that they were properly removed?
– Who has adequate permissions to fill in for a co-worker?

Strengths of SAP Identity Management (1/2)
Centralized Identity Management and provisioning of user data and related permissions for the entire heterogeneous company landscape – both for SAP and non-SAP applications
Integration with SAP Business Suite
– Fully automated synchronization and lifecycle of employee identities integrated with SAP HCM and SuccessFactors
– Optional integration with SAP Access Control for exemplary compliancy and auditability
IT systems connectivity and IT user provisioning
– Many SAP and non-SAP connectors from SAP at no extra cost and exemplary support for business applications
– Additional non-SAP connectors are available via partners (separate pricing by partner)
– Connector Development Kit and Virtual Directory Server
[Diagram labels: SAP Identity Management, SAP Access Control, SAP applications, Non-SAP applications, SAP SCM, Java, Database, Lotus Notes, SAP ERP HCM, SAP SuccessFactors, Legacy, MS Exchange, SAP ERP, Portal, OS, Web Apps, SAP HANA, Active Directory]

Strengths of SAP Identity Management (2/2)
– SAP IdM offers flexible and highly configurable comprehensive workflows including a visual designer tool
– As a highly functional central place for access request it supports all the most important scenarios
– Self-service capabilities for user related data and fully automated user provisioning with no manual steps lowers the burden on IT and the call center and increases the ROI
– It manages multiple and complex hierarchies of business roles
– SAP IdM is equipped with strong capabilities for reporting
– SAP IdM is built on highly scalable platforms
– SAP is a strategic software partner

SAP Identity Management Connectivity – Overview
Databases
– SAP HANA Database
– SAP ASE (Sybase)
– Microsoft SQL Server
– Microsoft Access
– Oracle database
– IBM UDB (DB2)
– MySQL
Directory Servers
– Microsoft Active Directory
– IBM Tivoli Directory
– Novell eDirectory
– Oracle Directory (fka. SunOne)
– Oracle Internet Directory
– Microsoft Active Directory Application Mode (ADAM)
– Siemens DirX
– OpenLDAP
– eB2Bcom View500 Directory Server
– CA eTrust Directory
– SAP IDM Virtual Directory Server
– Any LDAP v3 compliant directory server
Business Applications
– SAP Business Suite
– SuccessFactors
– Microsoft Exchange
– SAP Access Control (GRC)
– Lotus Domino/Notes (C API)
– Lotus Domino/Notes (Java API) for IDM 8.0
– RSA ClearTrust
– SAP Cloud Platform Identity Authentication service
Technical / Other / Partner
– SAP Application Server
– Microsoft Windows
– MS SharePoint
– Unix / Linux
– Shell execute
– Custom Java connector API
– Script-based connector API
– SPML
– LDAP
– ODBC / JDBC / OLE-DB
– RFC
– SCIM
– LDIF files
– XML files
– CSV files

SAP Identity Management
SAP ASE database support
– SAP Identity Management running on SAP software
– Optimized performance
– Based on SAP’s acquisition of Sybase with many years of relational database experience
– License advantages running all SAP applications on SAP databases (SAP HANA, SAP ASE, SAP IQ)
[Diagram labels: SAP ASE Database, IBM DB2, Microsoft SQL Server, Oracle]

SAP Identity Management Rapid-Deployment Solution (RDS)
Solution components and service approach
Short project times, standard solution, reduced TCO
Simplify assignment and management of roles and privileges to users
– Implement best practices out-of-the-box with a fixed scope, most important and common scenarios, e.g. defined set of customer specific configuration, connection of source and target systems, provisioning, etc.
– Pre-configured functionality of SAP Identity Management in a development system
– Step-by-step guide, describing each activity during deployment
– Solution can be extended with additional scope options
  – Scope option 1: Go-live support
  – Scope option 2: Connection to one additional SAP target system – multiple scope options 2 for the connection of multiple additional SAP target systems can be selected.
[Diagram labels: Connection of 1 source- and 2 target kflows; Mass user administration jobs; Enhanced error handling; E-mail notification framework; Support of system specific attributes; Predefined HTML based reports; New web UI tasks; Scope option 1: Additional Go-Live support; Scope option 2: Connection to additional SAP systems]
This is the current state of planning and may be changed by SAP at any time.

SAP Identity Management
Product road map overview – key themes and capabilities
Columns: Recent innovations | 2017 – Planned innovations | 2018 – Product direction | 2019 – Product vision

Eclipse based development environment
– Harmonization of development infrastructure
– Graphical workflow designer
– Configuration packaging and authorization concept
New SAP integration capabilities
– Full identity lifecycle covered with SAP SuccessFactors integration
– SAP HANA connector
– Available on SAP Adaptive Server Enterprise (ASE) database
– SAP Cloud Platform Identity Authentication service
Rapid-Deployment Solution package
Release 8.0 SP04

Identity, governance and administration
– Enhanced integration with SAP GRC solutions to deliver an identity, governance and administration suite
Enterprise readiness
– Installation and upgrade using the Software Provisioning Manager (SWPM)
Integration
– Hybrid deployment model: SAP cloud services for identity and access management as extension for SAP Identity Management
– SAP S/4HANA connector
– SAP HANA connector enhancements
– SAP SuccessFactors connector enhancements
– Connector Development Kit 2.0
User Interface
– Extensions to the REST API
Reporting enhancements

Extend integration with SAP Cloud Platform services for identity and access management
Integration
Hybrid identity management
– SAP Cloud Platform: Identity Authentication service, Identity Provisioning service, Access Analysis service
– SAP Ariba
– SAP Hybris
Identity lifecycle across on premise and cloud

2019 – Product vision
– Lower IT support costs
– Full support of Identity lifecycle across on premise and cloud
– Make it easy to install, operate and enable new integrations with additional SAP and non-SAP solutions
– Create an integrated and hybrid deployed security suite

This is the current state of planning and may be changed by SAP at any time.

SAP Cloud Platform Identity Provisioning

Identity and Access Management as a Service from SAP
Solution overview
SAP Cloud Platform offers an end-to-end Identity and Access Management (IAM) solution as a service that helps companies improve the security of their cloud business processes
SAP Cloud Platform Identity Provisioning
– Automatically sets up and manages user accounts and authorizations in an end-to-end identity lifecycle
– Re-uses existing on-premise and cloud user stores
– Integrates with SAP Identity Management
SAP Cloud Platform Identity Authentication
– Simple and secure access to web-based applications
– Enterprise features such as password policies and multifactor and risk-based authentication
– On-premise user store integration
– Easy consumer and partner on-boarding via self-services

SAP Cloud Platform Identity Provisioning
Product description
Identity Provisioning offers a comprehensive, low cost approach to identity lifecycle management in the cloud
Solution overview
– Manage user accounts and authorizations in a cloud-based service
– Provision identities from user stores in the cloud and on-premise
– Enable business applications to quickly support single sign-on with Identity Authentication
Key value proposition
– Fast and efficient administration of user onboarding
– Centralized end-to-end lifecycle management of corporate identities in the cloud
– Automated provisioning of existing on-premise identities to cloud applications
[Diagram labels: SAP Cloud Platform Identity Provisioning; Retrieve cloud users and their attributes; Create accounts and assign authorizations; Corporate network; Retrieve on-premise users and their attributes]

SAP Cloud Platform Identity Provisioning
Example: SAP SuccessFactors as the source for employee identity data
When an employee record is created in SAP SuccessFactors, Identity Provisioning on-boards the new user to all cloud applications required for the person’s role
On-boarding
– Read the new employee’s identity data from SAP SuccessFactors
– Define the initial authorization profile based on authorization policies
– Create user accounts and assign authorizations for the new employee in the relevant business systems
Manage
– Update user details and authorizations automatically to ensure consistency between SAP SuccessFactors identity data and cloud applications
Off-boarding
– De-provision authorizations
– Off-board employees from the cloud applications

SAP Cloud Platform Identity Provisioning
Supported source and target systems
Identity Provisioning supports multiple systems as sources of identity information and forwards identities to any of the listed target systems
Source Systems
On-premise:
– SAP NetWeaver Application Server for ABAP
– Microsoft Active Directory
Cloud:
– SAP SuccessFactors
– SAP Cloud Platform Identity Authentication
– Microsoft Azure Active Directory
Generic:
– SCIM-enabled solution
– LDAP Server
Target Systems
– SAP Cloud Platform
– SAP Cloud Platform Identity Authentication
– SAP Hybris Cloud for Customer
– SAP Jam
– Concur
– Google G Suite
– Microsoft Azure Active Directory
– SCIM-enabled solution
– Cloud Foundry User Account and Authentication Server
[Diagram labels: SCIM, SAP Cloud Platform Identity Provisioning]

SAP Cloud Platform Identity Provisioning
Policy-based authorization management
Assign authorizations to business applications through policy-based mapping of user store attributes
Authorization policy management
– Simple and flexible policy definition
– Reuses existing user store data
  – Microsoft Active Directory: User attributes and groups
  – SAP NetWeaver AS ABAP: User attributes and roles
  – SAP Cloud Platform Identity Authentication: User attributes and groups
– Efficient authorization assignment with quick updates

SAP Cloud Platform Identity Provisioning
Data transformation modeling
Integrate identity data models of different applications by defining rules for data transformation
– Apply a filter to decide which identities are read from the source system and written to the target
– Map attributes between the source and target systems’ data models to handle differences in the models
– Modify the format of the data taken from the source system to make it compatible with the target system
[Diagram labels: SCIM, SAP Cloud Platform Identity Provisioning]

SAP Cloud Platform Identity Provisioning
Integration with SAP Identity Management
Existing customers of SAP Identity Management can extend their identity lifecycle management to cover cloud-based scenarios using Identity Provisioning and Identity Authentication
Recommendations for on-premise landscapes
– SAP Identity Management is optimized for on-premise expectations (customization, performance)
Recommendations for cloud systems
– Identity Provisioning offers a deployment model and simplicity suitable for cloud-based business applications.
– Identity Provisioning is the platform for broad cloud integration, allowing customers to efficiently on-board new applications
– SAP Identity Management includes a small set of connectors for cloud applications,
Recommendations for hybrid scenarios
– Integration of SAP Identity Management with Identity Provisioning to benefit from the advantages of both worlds
[Diagram labels: Cloud: SAP Cloud Platform Identity Provisioning & Identity Authentication; On-premise: SAP Identity Management]

SAP Cloud Platform Identity Provisioning
Product road map overview – key themes and capabilities
Recent innovations (Q1 2017)
Microsoft Office 365
– Supported as source and target system
– Integration with Microsoft Azure
Simplification
– Simplified configuration of source and target systems
– Improved performance and reduced network load through delta management
Trial version
– Free version to test Identity Provisioning service
– Fully functional with some restrictions on resource consumption

Planned Q2/2017
Integration
– Hybrid identity management through integration with SAP Identity Management
– Integration with SAP Cloud Identity Access Governance, access analysis for automated access refinement
Simplification
– Email notifications for the results of provisioning jobs

Planned Q3/2017 and Planned Q4/2017
Additional connectors
– SAP NetWeaver AS for ABAP (on premise)
– SAP S/4HANA (on-premise)
Additional connectors
– SAP Ariba
– SAP Fieldglass
Provisioning
– Enable real-time provisioning, e.g. during self-registration of consumers
Extended reporting capabilities
– Provisioning history
– Statistical reports
Integration
– Integration of SAP Cloud Identity Access Governance, role design

This is the current state of planning and may be changed by SAP at any time.

Summary
SAP Identity Management and SAP Cloud Platform Identity Provisioning are SAP’s offering for managing identities and access on-premise and in the cloud
Setup
– Identity Provisioning is a subscription-based service on SAP Cloud Platform
– Together with the SAP Cloud Platform Identity Authentication service, Identity Provisioning enables customers to run identity and access management in a cloud consumption model
– SAP Identity Management is an on-premise product
Benefits
– Identity Provisioning provides a seamless integration of new cloud applications into the identity lifecycle management
– SAP Identity Management offers powerful and flexible configuration options
Strategy
– Identity Provisioning will not replace SAP Identity Management. Instead, both products complement each other to enable seamless identity lifecycle management for hybrid landscape

Key links for more information on SAP Identity Management and SAP Cloud Platform Identity Provisioning – For customers and partners
Key links
– SAP Road Maps http://www.sap.com/roadmaps
– SAP Security Community on y.html
– SAP Cloud Platform Identity urity/identity-provisioning.html
– SAP Community for Identity ity-management.html
– SAP Community for Identity
Where to go to provide product feedback and ideas
– SAP Idea Place https://ideas.sap.com/SAPIDM
– Influence programs http://service.sap.com/influence
– SAP User nt/user-groups.html

Thank you.
Contact:
Kristian Lehment
Product Manager
SAP Identity Management
Christian Cohrs
Product Manager
Identity and Access SAP.COM

© 2017 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See /index.epx for additional trademark information and notices.
