SAP NetWeaver Identity Management 7.0 SPS 2. Identity Management for SAP System Landscapes: Architectural Overview


Document Version 1.2
April 2008

SAP AG
Dietmar-Hopp-Allee
Walldorf
Germany

Copyright 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Documentation on SAP Service Marketplace
You can find this documentation at service.sap.com/security

Typographic Conventions

Type styles used in this document represent:
- Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
- Cross-references to other documentation.
- Emphasized words or phrases in body text, graphic titles, and table titles.
- Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
- Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
- Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
- <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
- EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons used in this document: Caution, Example, Note, Recommendation, Syntax.

History of Changes

Version | Change
1.2 | Included support for integrating a central user administration with SAP NetWeaver Identity Management.
1.1 | Fixed the headings and the table of contents.
1.0 | Original version. Changed the title to reflect the content better. Previous title: Provisioning Framework for SAP Systems: Use Cases.

Contents

1 Introduction
2 Prerequisites
2.1 System Requirements
2.2 Initial Load
2.3 Defining a Role Model
3 Use Cases
3.1 SAP HCM Integration
3.2 SAP NetWeaver Portal Environment
3.3 Identity Lifecycle Management
4 Integrating a Central User Administration System

1 Introduction

Enterprises are under pressure to increase the speed of deploying new applications and systems across their global networks, both internally and in the context of e-business with partners and customers. One of the challenges involved in these processes is the difficulty of finding and bringing together information relating to identities and resources that are distributed across multiple and often incompatible information sources.

The prime objective of identity management is to centrally manage all identity data within the enterprise and keep it up to date. Identity data is often stored in many different applications throughout the enterprise and maintained manually in different locations. This is costly and, in addition to posing a security risk, can cause inconsistencies and low data quality.

SAP NetWeaver Identity Management provides the functions and services needed to integrate the distributed identity data in the system landscape for efficient, heterogeneous identity lifecycle management.

Architecture

SAP NetWeaver Identity Management consists of two components:
- Identity Center (IC)
- Virtual Directory Server (VDS)

Identity Center

The Identity Center is the primary component used for identity management. It includes functions for identity provisioning, workflow, password management, logging, and reporting. It uses a centralized repository, called the identity store, to provide a uniform view of the data, regardless of the data's original source. This architecture is shown in the figure below.

The Identity Center retrieves the data from these various repositories, consolidates it, transforms it into the necessary formats, and publishes it back to the various decentralized repositories.

Virtual Directory Server

The Virtual Directory Server is a component provided by SAP NetWeaver Identity Management that acts as a single access point for clients retrieving or updating data in multiple data repositories, providing a uniform view of the data in real time. You can use it, for example, to consolidate multiple repositories and then use the result as a data source for the Identity Center. You then use the Identity Center for provisioning and performing identity management functions.

Additional Information

For more information on each of these components, see the following documents:
- SAP NetWeaver Identity Center - Whitepaper
- SAP NetWeaver Virtual Directory Server - Whitepaper

You can find these documents on the SAP Developer Network under the topic Overview Material.

Use Cases

You can use SAP NetWeaver Identity Management for processing identity information in a variety of ways, depending on your system landscape. You can use it in homogeneous or heterogeneous landscapes, either with or without SAP systems. This document shows a few sample use cases where you can use SAP NetWeaver Identity Management for identity provisioning with SAP systems. It is not meant as complete coverage of all options; however, you should be able to adapt the information provided as guidelines when setting up SAP NetWeaver Identity Management in your own system landscape.

The use cases covered by this document are:

- SAP Human Capital Management (HCM) Integration: This use case shows how to manage identities when the leading identity source is an SAP HCM system and the identities are provisioned to an LDAP directory server, an AS Java system running a portal, and an AS ABAP back-end system.
- SAP NetWeaver Portal Environment: This use case shows how to manage identities in an SAP NetWeaver Portal environment. In this case, the leading identity source is a corporate directory, and the identities are provisioned to the portal's AS Java and the various back-end systems. In this example, we show how to provision to an AS ABAP back-end system.
- Identity Lifecycle Management: This use case describes an integrated, heterogeneous landscape that includes the SAP HCM and portal use cases, as well as additional systems, for example, non-SAP systems.

For each of these use cases, we describe how you can use SAP NetWeaver Identity Management to manage and provision users, groups, role assignments, and other identity data. To implement these use cases, we provide a provisioning framework for SAP systems with SAP NetWeaver Identity Management 7.0 SPS 1. This framework provides templates for connecting SAP systems to SAP NetWeaver Identity Management and for setting up the corresponding provisioning jobs.

2 Prerequisites

In this section, we describe the prerequisites for using these use cases, which include performing an initial load of the data and defining a role model.

2.1 System Requirements

The provisioning framework for SAP systems is available for use with the following components:

- SAP NetWeaver Identity Management: Release 7.0 SPS 1. The following features require Release 7.0 SPS 2:
  - Support for time-dependent privilege assignments
  - Support for connecting a central user administration central system
  - Support for connecting a dual-stack system
- AS ABAP: Release 4.6C or higher
- AS Java/Portal: Release 6.40, 7.00, or 7.10. In addition, SPML patches must be deployed on the AS Java as described in SAP Note

Note: The provisioning framework for SAP systems provides templates for both AS ABAP and AS Java systems. However, it does not provide templates for a combined AS ABAP + AS Java (dual-stack) system.

2.2 Initial Load

Regardless of which use case you are focusing on, the first required step is to connect the various systems that contain identity data to the Identity Center and replicate the data by performing an initial load. Note the following:

- Before reading the data into the Identity Center, you can specify which system is the source system for each attribute. For example, you can specify that the SAP HCM system is the source system for an identity's first and last name, and the mail server is the source system for the identity's e-mail address.
- When reading the data, the user ID is the attribute used for consolidating identities from the various systems. This means that a user account is created in the Identity Center's database for each unique user ID that is read from the various data sources.
- Once the data is read into the Identity Center and consolidated, provision the data back to the connected systems. This overwrites any data that should be replaced with higher-quality data. The SAP HCM system is an exception to this rule: the templates provided with the SAP provisioning framework do not support provisioning to the SAP HCM system. In the SAP HCM use case, we assume that the identity data provided by the SAP HCM system is high-quality data that does not need to be overwritten by data provided by other systems.
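The consolidation rules of the initial load (one identity-store entry per unique user ID, each attribute taken only from its designated source system, and the HCM system excluded from the write-back) as an added Python illustration. This is not SAP code and not the Identity Center's data model; the system names, attribute names and the three extracts are constructed sample data, and the rule that an attribute without a designated source is kept from the first system supplying it is an assumption of the example.

```python
"""Initial-load consolidation as described in section 2.2, modelled in plain
Python. Added illustration, not SAP Identity Center code: the system names,
attributes and records below are constructed sample data."""

# Constructed: which connected system is authoritative for each attribute.
ATTRIBUTE_SOURCE = {
    "firstname": "HCM",
    "lastname": "HCM",
    "mail": "MAILSERVER",
}

# Constructed sample extracts from three connected systems.
# The same person's user ID differs only in case between systems.
SYSTEM_EXPORTS = {
    "HCM": [
        {"userid": "JDOE", "firstname": "John", "lastname": "Doe"},
        {"userid": "ASMITH", "firstname": "Anna", "lastname": "Smith"},
    ],
    "MAILSERVER": [
        {"userid": "jdoe", "mail": "john.doe@example.com", "firstname": "Jon"},
        {"userid": "BLEE", "mail": "b.lee@example.com"},
    ],
    "ABAP": [
        {"userid": "JDOE", "firstname": "J.", "lastname": "Doe", "department": "IT"},
    ],
}

# Systems the consolidated data is written back to. HCM is excluded, as the
# framework templates do not provision to SAP HCM.
PROVISIONABLE = {"MAILSERVER", "ABAP"}


def consolidate(exports, attribute_source):
    """Build the identity store: one entry per unique user ID (compared
    case-insensitively), each attribute taken only from its source system.
    Assumption of this example: an attribute with no designated source is
    kept from the first system that supplies it."""
    store = {}
    for system, records in exports.items():
        for rec in records:
            uid = rec["userid"].upper()
            entry = store.setdefault(uid, {"_systems": []})
            entry["_systems"].append(system)
            for attr, value in rec.items():
                if attr == "userid":
                    continue
                source = attribute_source.get(attr)
                if source is None:
                    entry.setdefault(attr, value)
                elif source == system:
                    entry[attr] = value
                # A value from a non-source system is ignored as lower quality.
    return store


def provisioning_deltas(store, exports, attribute_source, provisionable):
    """Return, per provisionable system and user, the attributes whose local
    value differs from the consolidated value, as (local, consolidated) pairs.
    These are the writes the provisioning step performs; a system is never
    overwritten for an attribute it is itself the source of."""
    deltas = {}
    for system, records in exports.items():
        if system not in provisionable:
            continue
        for rec in records:
            uid = rec["userid"].upper()
            entry = store[uid]
            for attr, local in rec.items():
                if attr == "userid" or attribute_source.get(attr) == system:
                    continue
                if attr in entry and entry[attr] != local:
                    deltas.setdefault(system, {}).setdefault(uid, {})[attr] = (local, entry[attr])
    return deltas


if __name__ == "__main__":
    store = consolidate(SYSTEM_EXPORTS, ATTRIBUTE_SOURCE)
    for uid, entry in sorted(store.items()):
        print(uid, entry)
    print(provisioning_deltas(store, SYSTEM_EXPORTS, ATTRIBUTE_SOURCE, PROVISIONABLE))
```

Running it shows three store entries (JDOE, ASMITH, BLEE): the mail server's "Jon" and the ABAP system's "J." never reach the store because HCM owns the first name, and both then appear in the deltas as values the write-back would correct, while HCM itself receives no writes.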

2.3 Defining a Role Model

Before working with any of the use cases described in this document, you must have defined a role model. The role model states which roles you have in your company and how they are reflected in the various systems. When working with SAP NetWeaver Identity Management, we recommend defining the role model in terms of business roles and technical roles. These roles have the following characteristics:

Business roles:
- Abstract description of the role
- Company-specific semantics
- Available in the Identity Center
- Can be organized in a hierarchy with inheritance
- Examples: MANAGER or EMPLOYEE

Technical roles/privileges:
- Technical description of the business role for a particular system. The technical roles are represented as privileges in the Identity Center.
- System-specific semantics
- Available in the originating system; replicated to the Identity Center
- Organized in a flat structure and inherited through the role hierarchy
- Examples: ABAP roles, UME (user management engine) roles, portal roles, LDAP groups

In the role model, map your business roles to the corresponding technical roles for each of these systems. Set up this role model and the mapping between the business roles and the technical roles in the Identity Center so that the Identity Center can provision the role assignments correctly based on this information.

Example: Mapping a Business Role to Technical Roles

The business role EMPLOYEE has a different meaning in each of the various systems:
- In the SAP HCM system, the employee can maintain certain data, for example, his or her bank account or home address. Therefore, the business role EMPLOYEE is mapped to an ABAP role, for example, Z_HCM_EMPLOYEE_ROLE.
- In the portal system, the employee can access various services that are available to all employees. Therefore, the business role EMPLOYEE is mapped to a portal role, for example, eu_role (standard user role).
- In the mail system, the employee can send or receive mail under his or her user account. Therefore, the business role EMPLOYEE is mapped to the mail server's user account privileges.

Role Maintenance

- Maintain the business roles in the Identity Center. In this step, assign the corresponding technical roles to the business role.
- Maintain the technical roles in each target system.
- Assign the user to the corresponding business role(s) in the Identity Center. The user's assignment to each technical role is then provisioned to the target systems.

3 Use Cases

In this section, we provide an overview of each use case and how you can use it to provision identity data in your landscape.

3.1 SAP HCM Integration

For the first use case, identities (employee master data) are primarily maintained in the SAP HCM system. Once identities are created in SAP HCM, they are replicated to the Identity Center. The role model in the Identity Center then determines the user/role or user/group assignments that are to be provisioned to the various target systems. The figure below shows this use case, where the identity data retrieved from the SAP HCM system is provisioned to an LDAP directory server, an AS Java system that runs an SAP NetWeaver Portal, and an AS ABAP system. The AS Java system also uses the LDAP directory server as its user data source.

[Figure: SAP HCM integration. Elements shown: HCM (Employee Data); IdM: Virtual Directory Server, Identity Center (Identity Store, Role Model: Business Roles, Privileges); LDAP (LDAP Users, LDAP Groups, User/Group Assignments); Java (UME Users, UME Groups, UME Roles, Portal Roles, User/Role Assignments); ABAP (ABAP Users, ABAP Roles, ABAP Profiles, User/Role Assignments).]

System Overview

A summary of the systems used in this use case is shown in the table below.

System | Source Data | Replicated/Provisioned Data
SAP HCM | Employee data | -
Identity Center | Role model | Users
LDAP Directory Server | - | Users, groups and group assignments
SAP NetWeaver AS Java (with Portal) | Portal roles and UME roles | Replicated from LDAP: UME users and UME groups. Provisioned from Identity Center: user/role assignments
SAP NetWeaver AS ABAP | ABAP roles and profiles | ABAP users and user/role assignments

The Virtual Directory Server is used as the interface between the SAP HCM system and the Identity Center.
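The role model from section 2.3 applied to this use case, as an added Python illustration that is not SAP code: business roles in a hierarchy with inheritance, flat privileges each tied to one target system, and the resolution of a user's business-role assignments into the user/role and user/group assignments the Identity Center provisions to the LDAP directory, the AS Java and the AS ABAP in the table above. Only EMPLOYEE, MANAGER, Z_HCM_EMPLOYEE_ROLE and eu_role come from the document; every other role and group name, and the hypothetical HR_MANAGER role, are constructed.

```python
"""Role model resolution (sections 2.3 and 3.1) in plain Python. Added
illustration, not SAP Identity Center code. Role names other than EMPLOYEE,
MANAGER, Z_HCM_EMPLOYEE_ROLE and eu_role are constructed."""

# Business role hierarchy: role -> roles it inherits from. Business roles
# carry company-specific semantics and exist only in the Identity Center.
BUSINESS_ROLE_PARENTS = {
    "EMPLOYEE": [],
    "MANAGER": ["EMPLOYEE"],
    "HR_MANAGER": ["MANAGER"],  # constructed
}

# Flat privileges, each the technical counterpart of a business role in one
# target system: (system, technical role or group).
ROLE_PRIVILEGES = {
    "EMPLOYEE": [
        ("ABAP", "Z_HCM_EMPLOYEE_ROLE"),         # ABAP role
        ("JAVA", "eu_role"),                     # portal standard user role
        ("LDAP", "cn=all-employees,ou=groups"),  # LDAP group (constructed)
    ],
    "MANAGER": [
        ("ABAP", "Z_MANAGER_ROLE"),              # constructed
        ("JAVA", "manager_role"),                # constructed
        ("LDAP", "cn=managers,ou=groups"),       # constructed
    ],
    "HR_MANAGER": [
        ("ABAP", "Z_HR_ADMIN"),                  # constructed
    ],
}


def effective_business_roles(assigned, parents=BUSINESS_ROLE_PARENTS):
    """Expand assigned business roles through the hierarchy: a user holding
    HR_MANAGER also holds MANAGER and EMPLOYEE. A role that is not in the
    model is rejected rather than silently dropped; the visited set also
    terminates the walk if the hierarchy accidentally contains a cycle."""
    effective, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in parents:
            raise KeyError(f"business role {role!r} is not in the role model")
        if role in effective:
            continue
        effective.add(role)
        stack.extend(parents[role])
    return effective


def resolve_privileges(assigned, parents=BUSINESS_ROLE_PARENTS,
                       privileges=ROLE_PRIVILEGES):
    """Map a user's effective business roles to the privileges to provision,
    grouped by target system: {"ABAP": {...}, "JAVA": {...}, "LDAP": {...}}.
    Privileges stay flat; inheritance happens only on the business-role side."""
    per_system = {}
    for role in effective_business_roles(assigned, parents):
        for system, privilege in privileges.get(role, []):
            per_system.setdefault(system, set()).add(privilege)
    return per_system


def provisioning_changes(desired, current):
    """For one target system: compare the privileges the role model says a user
    should hold with what the target currently has. Returns (to_add, to_remove).
    Anything in to_remove was assigned locally in the target and is not covered
    by the role model, which is what a reconciliation run should surface."""
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    wanted = resolve_privileges(["MANAGER"])
    for system in sorted(wanted):
        print(system, sorted(wanted[system]))
    # Constructed: what the ABAP target currently holds for this user.
    print(provisioning_changes(wanted["ABAP"], {"Z_HCM_EMPLOYEE_ROLE", "Z_OLD_ROLE"}))
```

For a user assigned only MANAGER the example yields two ABAP roles, two portal roles and two LDAP groups, because MANAGER inherits everything mapped to EMPLOYEE; the final comparison lists Z_MANAGER_ROLE to add and the locally assigned Z_OLD_ROLE as not covered by the role model.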

Notes and Recommendations

When setting up this use case in the Identity Center, take the following points into consideration:

- In this use case, SAP HCM is the leading system for maintaining identities. Local changes made to user master records in the target systems are not reflected in the Identity Center or provisioned back to the SAP HCM system. Local changes to other attributes with a different source system, for example, e-mail addresses where the source system is a mail server, or changes to roles or role assignments can be provisioned back to the corresponding source system.
- Assign the business roles to identities in the Identity Center according to the role model. The meaning of each business role is then mapped to the corresponding privileges, and the corresponding user/role assignments are provisioned to the target systems.
- With the exception of the UME users and groups on the AS Java, the provisioning process updates users, groups, and group memberships in the target systems. The AS Java uses the LDAP directory server directly as the source for the UME users and groups.
- You can use similar concepts to set up provisioning to additional AS Java and AS ABAP systems, or to non-SAP systems.

Limitations

The following limitations exist for this use case:

- When replicating the data to the Identity Center from SAP HCM over the Virtual Directory Server, you can only use scheduled synchronization. You cannot synchronize the data based on events.
- The templates provided with the SAP provisioning framework do not use any delta mechanism when importing the data from the SAP HCM system into the Identity Center. A full load is always performed. When working with the identity data in the Identity Center, you can use delta mechanisms.
- The employee data in the SAP HCM system cannot be updated from the Identity Center.

Additional Information

For more information, see the document Provisioning Framework for SAP Systems: Connectivity, which is available on the SAP Developer Network under the key topic Identity and Access Management.

3.2 SAP NetWeaver Portal Environment

In the previous use case, we described how to set up SAP NetWeaver Identity Management for provisioning identities where SAP HCM is the primary user management system. In this use case, we describe how to use SAP NetWeaver Identity Management in an SAP NetWeaver Portal environment where the leading system for user management is a corporate LDAP directory.

The identity information contained in the LDAP directory, which consists of users and groups, is used as the data source for the portal, and this data is also replicated from the LDAP directory to the Identity Center. In addition, to be able to derive the role assignments that are to be provisioned, the ABAP roles need to be read from the ABAP system into the Identity Center, and the UME and portal roles need to be read from the AS Java where the portal runs. You can then manage the users and their role assignments from the Identity Center and provision them to the target systems. In this example, the identities are provisioned to the portal and its back-end ABAP system.

Since the LDAP directory server is the data source for the portal, the portal can read the user and group information directly from it, and this information does not need to be provisioned from the Identity Center. The rest of the information is provisioned to the systems accordingly. For example, ABAP users and their role assignments are provisioned to the ABAP system, and the role assignments for the portal are provisioned to the portal.

See the figure below.

[Figure: SAP NetWeaver Portal environment. Elements shown: LDAP (LDAP Groups, LDAP Users); IdM Identity Center (Identity Store, Role Model: Business Roles, Privileges); Java (UME Users, UME Groups, UME Roles, Portal Roles, User/Role Assignments); ABAP (ABAP Users, ABAP Roles, ABAP Profiles, User/Role Assignments).]

In this way, the users who log on to the portal are provided with the correct set of portal roles together with the corresponding ABAP roles that they need to access the back-end ABAP systems.

System Overview

A summary of the systems used in this use case is shown in the table below.

System | Source Data | Replicated/Provisioned Data
LDAP Directory Server | Users and groups | -
Identity Center | Role model | (Users)
SAP NetWeaver AS Java (with Portal) | Portal roles, UME roles | Replicated from LDAP: UME users and UME groups. Provisioned from IC: role assignments
SAP NetWeaver AS ABAP | ABAP roles and profiles | Users and role assignments

Notes and Recommendations

When setting up this use case in the Identity Center, take the following points into consideration:

- In this use case, the corporate LDAP directory is the leading system for maintaining identities. If you maintain user master records locally in the target system after performing the initial load into the Identity Center, these changes are not reflected in the Identity Center and are not included in the provisioning process. Local changes to other attributes with a different source system, for example, e-mail addresses where the source system is a mail server, or changes to roles or role assignments can be provisioned back to the corresponding source system.
- Assign the business roles to identities in the Identity Center according to the role model. The meaning of each business role is then mapped to the corresponding privileges, and the corresponding user/role assignments are provisioned to the target systems.
- This use case shows how to set up identity management for the portal and AS Java system with one back-end AS ABAP system. You can use the same concepts to set up provisioning to further AS Java and AS ABAP systems. You can also provision to non-SAP systems.

Additional Information

For more information, see the document Identity Management for SAP System Landscapes: Configuration Guide, which is available on the SAP Developer Network under the topic Information in Detail.

3.3 Identity Lifecycle Management

In the last sections, we showed how SAP NetWeaver Identity Management works in a couple of SAP system landscapes. You can also expand these concepts to include further SAP systems, or non-SAP systems, to integrate identity management further across your complete landscape. See the figure below.

[Figure: Identity lifecycle management. Elements shown: HCM (Employee Data); IdM: Virtual Directory Server, Identity Center (Identity Store, Role Model: Business Roles, Privileges, ...); target systems LDAP, Java, Non-SAP, ..., each with its Privileges.]

Use the same concepts as described for the SAP systems (SAP HCM, AS Java, AS ABAP) and the LDAP directory to add additional systems to your SAP NetWeaver Identity Management system. In this way, you can move to a holistic, heterogeneous identity management approach.

4 Integrating a Central User Administration System

As of Release 7.0 SPS 2, SAP NetWeaver Identity Management supports the integration of a central user administration (CUA) system. In this case, connect the CUA central system to the Identity Center as a target system in the same way as any other ABAP-based SAP system. The Identity Center provisions the identity data to the CUA central system, which in turn provisions the data to its child systems. This model works regardless of which system is used as the leading system for the identity management landscape. See the figure below.

[Figure: CUA integration. Elements shown: Source; IdM Identity Center (Identity Store); CUA: CUA Central System (AS ABAP) and three CUA Child Systems (AS ABAP), each with Privileges.]

This allows for a smooth installation of SAP NetWeaver Identity Management into an existing CUA landscape without any modifications and, at the same time, provides support for additional AS Java or other third-party systems. You can also continue with migration steps to remove the child systems from the CUA landscape and connect them directly to SAP NetWeaver Identity Management.