Identity Management With SAP NetWeaver IdM - KuppingerCole

Identity Management with SAP NetWeaver IdM
Andreas Müller, BT Global Services
24.04.2008

Agenda
- Introduction SAP NetWeaver IdM
- Project IdM@BT
- Project ISP
  - Background and Motivation
  - Functionality
  - Lessons Learned
- Summary
@ BT 2008

SAP NetWeaver Identity Management
- IDM should be triggered by identity business processes and data
- Identity virtualization and identity as service through standard interfaces
- Business process relies on appropriate user and role assignments in systems
- HCM Integration
- Definition and rule-based assignment of meta roles
- Central Identity store
- Approval Workflows
- Distribution of users and role assignments for SAP and non-SAP systems
- Password Management
- Identity Mgmt. monitoring & Audit
Diagram labels: e.g. Order2Cash; e.g. on-boarding; Data; HCM; Legacy App.; App.; SAP FI; SAP HR; SAP ERP; SAP XI; ABAP; Java; Databases; Operating Systems

System (architecture diagram)
- Workflow Web Front-End for end users
  - Delegated Administration
- Monitoring Web Front-End for operations
  - Analyse system activity
- Management Console for administrators and developers
  - System configuration
- Database holds
  - Identity store
  - Process configuration
- Dispatchers execute processes
  - Batch synchronization
  - User initiated tasks
  - Provisioning tasks
- Event Agents
  - Detect changes in connected systems
- Virtual Directory
  - Provides additional connectors
Diagram labels: Source systems, Event Agent, Identity Center, Database, Dispatcher, Virtual Directory, Target systems

Management Console
Example: Request a SAP-Role

Monitoring

Use of Identity Center at BT
- Synchronization of 230.000 identities from Corporate Directory into Active Directory
- Provisioning of personal and functional email accounts
- Additional attributes joined from import files
- Built-in delta mechanism reduces updates to Active Directory to the absolute minimum.
Performance
- Delta import once a day, duration 1.5h
- Full import once a month, duration ca. 5h
Benefits
- Efficient Delta Mechanism
- Highly customizable connectors
Diagram labels: Source systems (Corporate Directory, Files); Identity Center (Data Synchronization Engine, Database); Target systems (Active Directory)

Customer: Internet Service Provider
Project Scope
Consulting
- IdM project setup and definition
- Requirements analysis
- Detailed vendor selection
  - Longlist, RFI, Shortlist, POC
- Establish standards for the definition of roles and entitlements
- Process optimization for IdM administration processes
- Prepare data protection concepts and works council agreements
- Quality assurance concept
- Data cleansing support
- Project management
Implementation
- Design based on selected IdM-tool (MaXware IC / SAP NetWeaver IDM)
- Implementation
  - Data model
  - IdM processes
  - Provisioning interfaces to target systems
  - IdM data synchronization
- Test
- Migration of existing accounts and entitlements
- Operations
  - Change and incident management

Customer: Internet Service Provider
Motivation
Project goals
- Creation of a central identity repository for all non-customer identities accessing computing center applications
- Implementation of standardized administration processes for entitlements
- Creation of a central repository for entitlements
- Increasing data quality of identity and entitlement data
- Effective demonstration of SOX compliance
- Delegation of administrative tasks
- Increase degree of automation
- Primary goals: Increase usability, security and audit capabilities
- Secondary goals: Cost reduction and ROI considerations
Tool selection
- RFI with 10 major IdM vendors
- Presentations and Proof of Concept
- Criteria
  - "Support" for non-standard applications
  - Flexibility, high degree of customization possible
  - Expected implementation effort
  - Match with skills available internally
  - Support for roles and delegated administration
  - Traceability of system and user actions

Source and Target Systems
Target System Types
- SAP
- ISP Test Accounts
- Building Access
- Secure VPN
- LDAP
- Active Directory
- Samba
- SSH Key Management / Key Distribution
- ARS Remedy
- Sun Access Manager
User groups
- Employees
- Group employees
- Consultants
- Partner
Source Systems
- HR
- Group directory
- Asset database

Project History and Milestones
- Nov. 2004: Requirements analysis
- May 2005: Tool selection
- July 2005: Design and start of implementation
- Feb. 2006: Go-Live Release 1.0 including
  - Source-system connectivity (HR/Org – Master data)
  - Standard request and approval process
  - Internal administrative entitlement model, delegation of admin privileges
  - Target Systems SAP/LDAP
- June 2007: Release 1.5
- Sept. 2007: Release 1.6
- Jan. 2008: Release 1.7
- April 2008: Release 1.8

Agenda
- Introduction SAP NetWeaver IdM
- Project IdM@BT
- Project ISP
  - Background and Motivation
  - Functionality
    - Identity Management
    - Entitlement Management
    - Account Management
    - Self-Service
  - Lessons Learned
- Summary

Use Cases (1)
Areas: Identity Management, Entitlement Management, Account Management, Self-Service
Identity Management
- (Re-)Enter company
- OU change
- Location change
- Position change
- Sabbaticals/maternity leave
- Leave company
Identity state diagram
- States: inactive, active, suspended
- Transitions: (re-)enter company, leave company, activate, suspend (i.e. maternity leave), change location, change company, change organization, change name, change position

Manage Master Data
Task Menu

Create Person

Create Location

Use Cases (2)
Areas: Identity Management, Entitlement Management, Account Management, Self-Service
Entitlement Management
- Assign (temporary) permissions
- Revoke permissions
- Automated role assignment
- Documentation / Audit
Account Management
- Assign account
- (De-)Activate Account
- Delete Account
- Password management
Diagram labels: Hans Mustermann; Location; OU; Company; Functional Role: Employee; Permission: VPN-Access; Account: Active Directory; Permission: AD-Group Employees-MUC

Create Permissions
Creates permission within the IdM-system as well as in the target system

Assign/Revoke Permissions
Delegated administration for permission owners

Use Cases (3)
Areas: Identity Management, Entitlement Management, Account Management, Self-Service
Self-Service
- Password reset
- Data protection requirements
- Self-Service for certain person attributes
- Request permissions
Flow diagram labels: Request; 1. Approval; Denial?; 2. Approval; Denial?; Notify; Provision

Request Permissions
- Users may request permissions for themselves or others.
- Approval process configurable for each permission.
- Approver roles:
  - Line Manager
  - Permission Owner
  - Target System Owner
  - HR

Approval

Lessons Learned
Implementation
- Expectations concerning adaptability were fulfilled
- Tool supports change and redesign very well in the course of extensions and additions
- Short implementation cycles achieved
- System behavior is transparent and follows a consistent paradigm
- Number of processes (approx. 150 processes, 1300 steps) makes system complex
- Framework developed on top of built-in functionality
- (Regression-)Testing indispensable
Processes
- Flexibility (data model, user interface, processes) brings the temptation of relaxing initial standards as the system evolves over time
- End user help crucial to reduce helpdesk call volume
- Complexity multiplies (user types x identity states x data sources)
General issues
- Data cleansing and migration may take up to 50% of target system implementation effort
- Development, Integration and Production environments required to manage changes
- Pragmatic approach to the use of roles allows for sufficient degree of automation without complex role modeling processes

Summary
SAP NetWeaver Identity Management fulfilled the expectations regarding the speed and flexibility of a tool-box, but requires thorough design and planning for large deployments.
- Agile implementation possible
- Quick reaction to changed requirements
- High degree of flexibility concerning
  - Data model
  - Process adaptation
  - Front-end extension
- Comprehensive monitoring tools to diagnose system behavior
Flexibility requires
- Experienced IdM-developers and Designers
- Mature project and software development organization
- Comprehensive QA measures appropriate for IdM (i.e. automated regression tests)

Thank You
Andreas Müller
Solutions Architect
Global Professional Services
BT (Germany) GmbH & Co. oHG
Tel: 49 (0)69 3307-8074
andreas.mueller@bt.com
