When migrating to SAP HANA, businesses face a new challenge sooner or later: continue to use their current CUA with all its limitations or redesign the identity and password management vision by transitioning to SAP Identity Management (also known as SAP IdM). Most companies have a mixed landscape where each system has their own unique identities: a traditional ECC, HANA, other SAP systems but also some other non-SAP systems like Microsoft Active Directory. Managing all these identities can become a burdensome task that could have an enormous impact on profitability. Does this scenario sounds familiar? You are not alone.
Benefits of using SAP IdM with HANA
In a HANA landscape, SAP IdM enables you to manage identities in a more centralized manner, whether SAP ABAP, Java or non-SAP (MS Active Directory, Tivoli, etc..) systems are targeted. Moreover, with the great potential of high speed data analytics in HANA, SAP IdM can meet new reporting needs with the help of tools like SAP Lumira, HANA Live and others. IdM allows business to take advantage of the benefits of cloud computing, which was not possible at all with traditional tools or the Central User Administration (CUA). This is one of the many reasons why the good old CUA is being pushed away in SAP HANA.
Here is a breakdown of the main differences between the Central User Administration tool and SAP Identity Management:
CUA to IdM evolution
For a long period of time, the Central User Administration component has provided SAP clients with solid authorization and role management functions for SAP software landscapes based on ABAP.
Today, there is an evolution in SAP’s user management strategy thanks to SAP NetWeaver Identity Management. With this tool, businesses can benefit from centralized administration of their employees’ user accounts and authorizations across several SAP software environments. SAP IdM also offers a functional scope that surpasses that of CUA, by enabling new users to get started faster all over a system landscape, no matter whether it is a simple or complex landscape.
The image below showcases the migration process from a CUA to SAP IdM:
A clear enterprise business role concept and understanding is the foundation to a proper SAP IdM implementation. At first, the roles needs to be defined in SAP IdM. This can accomplished by reading system access information (roles, groups, authorizations, etc.) from target systems that will be provisioned by IdM. Once this is completed, the provisioning of business roles can be done manually (by an administrator), automatically (HR-driven for example) or through a request/approval workflow.
SAP IdM also supports context-based role management, which simplifies the structure of roles through dynamic role assignment based on user context information. In other words, if you have 30 roles in 100 factories, you would have:
- 3000 entries (roles) using a conventional method
- Only 130 entries (roles + contexts) using a context-based method
The main benefits that can be obtained from using context-based roles are a massive reduction in the number of roles, a reduced complexity, better granularity, improved data consistency and governance.
SAP IdM offers different options for password management. One of them is Single Sign-On (SSO), which provides the benefit for users to login only and gain access to all systems without being prompted to log in again at each of them. This is a separate SAP product that works conjointly with IdM. As always, this is performed with the highest security and encryption standards available. One of these standards used by SSO is SAML 2.0: an XML-based protocol that uses security tokens containing assertions to pass information about an end-user (like passwords) between SAP IdM and other target systems (HANA, MS AD, etc..).
To alleviate costs and improve performance of a Center of Excellence (CoE), a self-service password reset task can be implemented to avoid unnecessary assistance, e-mails and support calls to the CoE. When a password is changed, it can be automatically synced using the Password Synchronization functionalities of SAP IdM. In the case of a target system where the synchronization is not an option, a Password Hook can be implemented, which acts as an automatic trigger that “catches” when a password is modified and performs a determined action.
With SAP Identity Management you could boost the potential of your SAP HANA landscape by incorporating a centralized identity federation solution to manage all your SAP and non-SAP systems. Furthermore, SAP IdM can help you save time and money by reducing the effort needed in managing identities and access within your business. All of this, while taking advantage of the great potential that SAP HANA can deliver. So, what benefits is your business lacking by not adopting SAP IdM and keep using the CUA?.