One of the buzzwords you might have come across lately in Enterprise Security Management is Identity Management. This Weblog post will explain what is meant by that, what you should take into consideration when thinking about an Identity Management project, what benefits you can gain from it, and how SAP helps you support Identity Management within your system landscape. This Weblog post will be split into two parts.
Well, what is Identity Management? Identity Management is about managing the whole lifecycle of a user, also known as an Identity. This begins with creating the user account and moves on to provisioning the user to the different back-end systems, including giving the user the corresponding access rights. Change management accompanies the process whenever a user changes jobs or positions, which usually results in different system access as well as different access rights. The user management lifecycle ends when a user no longer works with or for the company and thus all of his/her accounts have to be terminated or de-provisioned.
Usually this lifecycle is accompanied by more or less complex workflow support, starting with user self-registration, approvals by managers and key users for roles and system access, administrators being notified to create or change a user, as well as the roll-out of user information to the new or changed user.
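The joiner/mover/leaver lifecycle described above, as an added example that is not part of the original post and not SAP code: a central identity repository drives account creation, change and de-provisioning in several back-end systems, and a reconciliation step reports orphan accounts (accounts that exist in a back-end without an active central identity, which is exactly what a missed de-provisioning leaves behind). The back-end names and the role-to-system mapping are constructed for the demonstration.

```python
"""Joiner / mover / leaver lifecycle driven from a central identity repository.

Added example; the back-end names, roles and entitlements below are constructed
and do not correspond to any real SAP configuration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed mapping: which business role grants which entitlement in which system.
ROLE_TO_ACCESS = {
    "sales_rep":     {"CRM": "SALES_USER",    "PORTAL": "EMPLOYEE"},
    "sales_manager": {"CRM": "SALES_MANAGER", "PORTAL": "EMPLOYEE", "BW": "REPORT_READER"},
    "hr_admin":      {"HR": "HR_ADMIN",       "PORTAL": "EMPLOYEE"},
}


@dataclass
class Identity:
    uid: str
    display_name: str
    roles: set[str] = field(default_factory=set)
    active: bool = True


class Backend:
    """Stand-in for a connected system: account name -> set of entitlements."""

    def __init__(self, name: str):
        self.name = name
        self.accounts: dict[str, set[str]] = {}


class IdentityRepository:
    def __init__(self, backends: list[Backend]):
        self.identities: dict[str, Identity] = {}
        self.backends = {b.name: b for b in backends}

    def _target_access(self, ident: Identity) -> dict[str, set[str]]:
        """Access the central record justifies, derived only from assigned roles."""
        target: dict[str, set[str]] = {}
        for role in ident.roles:
            for system, entitlement in ROLE_TO_ACCESS.get(role, {}).items():
                target.setdefault(system, set()).add(entitlement)
        return target

    def provision(self, uid: str) -> dict[str, set[str]]:
        """Make every back-end match the central record: add, change or remove."""
        ident = self.identities[uid]
        target = self._target_access(ident) if ident.active else {}
        for name, backend in self.backends.items():
            if name in target:
                backend.accounts[uid] = set(target[name])
            else:
                backend.accounts.pop(uid, None)  # no role grants this system: remove the account
        return target

    def join(self, uid: str, display_name: str, roles) -> dict[str, set[str]]:
        if uid in self.identities:
            raise ValueError(f"identity {uid} already exists")
        self.identities[uid] = Identity(uid, display_name, set(roles))
        return self.provision(uid)

    def move(self, uid: str, roles) -> dict[str, set[str]]:
        # Job change: replace the role set. provision() then removes access the
        # new roles no longer justify as well as adding what they newly grant.
        self.identities[uid].roles = set(roles)
        return self.provision(uid)

    def leave(self, uid: str) -> dict[str, set[str]]:
        # Keep the record for audit purposes but revoke every account.
        self.identities[uid].active = False
        return self.provision(uid)

    def reconcile(self) -> list[tuple[str, str]]:
        """Orphan accounts: present in a back-end, but no active central identity."""
        orphans = []
        for backend in self.backends.values():
            for account in backend.accounts:
                ident = self.identities.get(account)
                if ident is None or not ident.active:
                    orphans.append((backend.name, account))
        return sorted(orphans)


if __name__ == "__main__":
    repo = IdentityRepository([Backend(n) for n in ("CRM", "PORTAL", "BW", "HR")])
    repo.join("alice", "Alice Example", {"sales_rep"})
    repo.move("alice", {"sales_manager"})
    repo.leave("alice")
    repo.backends["CRM"].accounts["alice"] = {"SALES_USER"}  # re-created locally, bypassing the repository
    print("orphans:", repo.reconcile())
```

The point of `reconcile()` is that provisioning alone is not enough: accounts created directly in a back-end, or re-created after a termination, never pass through the central repository, so a periodic comparison of back-end account lists against the active identities is what actually enforces the "all accounts terminated" end of the lifecycle.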
But user lifecycle management, and in particular the provisioning of user accounts and attributes, is only one piece of Identity Management. The second, often forgotten side is Access Management. How do you authenticate users? What mechanisms do you use to have users provide credentials? How does this change in B2B/collaborative scenarios? Do you want to set up a company-owned PKI or do you want to rely on a Trust Center service? What Single Sign-On mechanisms are available? Do you have rules or policies that define the users' access?
Access Management covers authentication mechanisms and their management as well as authorization management. This will be dealt with in more detail in the second part of this Weblog post. This first part will talk in detail about the User Management Lifecycle.
What are the main points to consider when referring to the User Management piece within Identity Management?
One of the bigger points, if not the biggest, is a central repository, usually in the form of a Directory Service. The advantages of holding all users in a central repository are that you reduce maintenance significantly and increase data quality and consistency. Instead of maintaining user master data separately in each of the various back-end systems (try to come up with a list of how many different systems you have that need user master data!), which results in high administrative effort and data inconsistency, you maintain the user master data only once and use the provisioning mechanisms to and from the repository. This ensures that user master data across your entire landscape is consistent and thus increases security.
Directory Services are the most widespread repository as they support an accepted and mature standard for accessing the Directory called LDAP (Lightweight Directory Access Protocol). Many back-end systems support LDAP, so you can use user synchronization or provisioning to and from the Directory Service. A central repository in the form of a Directory Service not only lets you store and provision users; you can also hold user credentials in the form of User ID and Password or X.509 certificates for authentication. In addition you can store group or even role assignments, which often represent the corresponding back-end system access. More will be explained about this in my next Weblog post.
SAP supports mass synchronization between SAP systems and a Directory Service with the Web Application Server 6.10 and higher releases. For a list of certified Directory vendors, take a look at the SAP Security Partner List (directory integration). You will find cookbooks on how to configure the directory integration on the SAP Security Homepage under Security in Detail, Identity Management, Directory Integration. Not only does SAP help you to synchronize users between an SAP system and a Directory Service, you can also upload HR master data from an SAP HR system into a directory. A cookbook on how to configure this can be found under the above-mentioned link as well. In addition, the Enterprise Portal 6.0 allows the Directory to be the user store for the Portal. Thus no user mass synchronization is needed between the Portal and the Directory; the Portal's user management, the so-called User Management Engine (UME), reads and writes user master data directly from and to the LDAP server.
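An added example (not SAP's directory-integration tooling) of the synchronization step just described: it compares the central user master against a snapshot of what the directory currently holds and emits LDIF change records (add, modify, delete) that would bring the directory in line. The base DN, the attribute list and both data sets are constructed for the demonstration; user IDs are assumed to be plain alphanumerics, so no RFC 4514 DN escaping is performed. Attribute values that are not LDIF safe strings (non-ASCII, leading space or colon) are base64-encoded with the `::` separator, which is the detail that most often breaks hand-written sync scripts.

```python
"""Produce LDIF change records that synchronize a directory with a central
user master. Added example; BASE_DN, ATTRS and the sample records are
constructed and are not taken from any real landscape."""
import base64

BASE_DN = "ou=people,dc=example,dc=com"          # assumption for the demonstration
ATTRS = ("cn", "sn", "mail", "employeeNumber")   # attributes kept in sync


def user_dn(uid: str) -> str:
    # Assumes plain alphanumeric uids; special characters would need RFC 4514 escaping.
    return f"uid={uid},{BASE_DN}"


def _is_safe(raw: bytes) -> bool:
    """Conservative LDIF SAFE-STRING check (RFC 2849): printable ASCII only,
    and no leading space, colon or '<'. Anything else gets base64-encoded."""
    if not raw:
        return True
    if raw[0] in b" :<":
        return False
    return all(32 <= b < 127 for b in raw)


def ldif_line(attr: str, value: str) -> str:
    raw = value.encode("utf-8")
    if _is_safe(raw):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def sync_changes(central: dict, directory: dict) -> list[str]:
    """central and directory map uid -> {attribute: value}; directory is a
    snapshot of the LDAP server. Returns one LDIF change record per entry
    that differs, in a deterministic order (adds/modifies, then deletes)."""
    records = []
    for uid in sorted(central):
        want = {a: central[uid][a] for a in ATTRS if a in central[uid]}
        if uid not in directory:
            lines = [f"dn: {user_dn(uid)}", "changetype: add",
                     "objectClass: inetOrgPerson", ldif_line("uid", uid)]
            lines += [ldif_line(a, v) for a, v in want.items()]
            records.append("\n".join(lines) + "\n")
            continue
        have = directory[uid]
        mods = []
        for attr, value in want.items():
            if attr not in have:
                mods.append(f"add: {attr}\n{ldif_line(attr, value)}")
            elif have[attr] != value:
                mods.append(f"replace: {attr}\n{ldif_line(attr, value)}")
        for attr in ATTRS:
            if attr in have and attr not in want:
                mods.append(f"delete: {attr}")   # attribute removed centrally
        if mods:
            body = "\n-\n".join(mods) + "\n-\n"  # each modification ends with a '-' line
            records.append(f"dn: {user_dn(uid)}\nchangetype: modify\n{body}")
    # Entries the central master no longer knows are de-provisioned.
    for uid in sorted(set(directory) - set(central)):
        records.append(f"dn: {user_dn(uid)}\nchangetype: delete\n")
    return records


if __name__ == "__main__":
    # Constructed sample data: one changed mailbox, one new user, one leaver.
    central = {
        "alice": {"cn": "Alice Example", "sn": "Example", "mail": "alice@example.com"},
        "carol": {"cn": "Carol Jürgens", "sn": "Jürgens", "mail": "carol@example.com"},
    }
    directory = {
        "alice": {"cn": "Alice Example", "sn": "Example", "mail": "old@example.com"},
        "bob":   {"cn": "Bob Gone", "sn": "Gone", "mail": "bob@example.com"},
    }
    print("\n".join(sync_changes(central, directory)))
```

Because the comparison is driven from the central master, a user who disappears from it is deleted from the directory in the same run that creates and updates the others; in practice many sites first disable rather than delete the entry, but the direction of authority (central master wins) is what keeps the landscape consistent.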
What are recommended landscapes for Identity Management including SAP systems?
If you have back-end systems on release 4.6C or lower, we recommend that you configure a stand-alone SAP Web Application Server (the highest release you can get) as the Central User Administration (CUA) central system. Gather all your user master data for central administration of SAP back-ends here, and use this to minimize administration and keep user master data consistent. Cookbooks on how to configure CUA are on the SAP Security Homepage under Security in Detail, Identity Management, Centralized Administration. Use the mass synchronization between the SAP Web Application Server (your CUA central) and a Directory Service to make your SAP user master data available for provisioning to other, non-SAP back-ends via the LDAP server, or for user access to the Enterprise Portal 6.0 (and also the Enterprise Portal 5.0).
If all your SAP back-ends are based on SAP Web Application Server 6.10 or higher releases, you can use the mass synchronization to an LDAP server directly without CUA, although we strongly recommend that you use a CUA too.
If you wish to keep user master data in separate stores (we often find this when user master and security administration is spread organizationally across a company, at the cost of a high user administration effort), we recommend that you use a Central User Administration on an SAP Web Application Server 6.20 or higher release to minimize user administration for your SAP systems. For your non-SAP systems you can then have one or multiple Directory Servers, for instance. The advantage you gain from this landscape is that when you implement the Enterprise Portal 6.0, the User Management Engine of the Portal will leverage your different user stores. EP 6.0 allows for multiple user stores in parallel: an SAP ABAP stack for user management on an SAP Web Application Server 6.20 or higher release, a Directory, and a database. The list of certified repositories can be found in the Product Availability Matrix (PAM). So in short, the Enterprise Portal 6.0 allows for what is known as user partitioning. Parts of your user master data can reside in an SAP ABAP stack 6.20 or higher, parts in one or more LDAP servers. You can immediately start implementing and using your Portal without first putting together a project to centralize all users.
What about workflow support?
The Enterprise Portal 6.0 offers a simple user self-registration that allows users to register themselves and informs an administrator that user maintenance has to be performed on a new user. The ad-hoc workflow capabilities of the Portal allow you to configure more complex and sophisticated workflows that support you in user management and in the approval or rejection of users, system access and/or role assignments.
To sum it up, SAP supports you with various options for user persistence stores, Directory Integration and Workflow.