We announced today, September 15th, 2016, the release of SAP HANA Cloud Platform Identity Provisioning, a new service in the SAP HANA Cloud Platform family that will help companies move their technology into the cloud more easily.
Most cloud-driven companies extend their existing IT infrastructure rather than starting from scratch. This is why they need a reliable identity and access management solution that can properly handle identities and their authorizations across heterogeneous landscapes.
The new SAP HANA Cloud Platform Identity Provisioning service (Identity Provisioning for short) offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. Together with the existing SAP HANA Cloud Platform Identity Authentication service (formerly known as SAP Cloud Identity), it offers an end-to-end solution for identity and access management as a service from SAP.
Now let us look at the scenarios and features supported in the first version of the Identity Provisioning service:
Provision on premise users to cloud applications
Customers who currently manage their identities in an on-premise user store, for example Microsoft Active Directory or the Central User Administration (CUA) of SAP Application Server ABAP, can use the Identity Provisioning service to provision their users into cloud applications such as SAP Hybris Cloud for Customer.
Using policy based authorization management
Once the identities are created in the cloud applications, the users also need proper authorizations to use the business scenarios relevant to their role, department, location, etc. This is where the access policies feature of the Identity Provisioning service comes into play. It helps companies define simple mappings between identity attributes and the authorization artifacts of the respective cloud business applications. A good example is the mapping between Microsoft Active Directory groups and SAP Hybris Cloud for Customer roles. The access policies are evaluated during the provisioning process, and the authorizations of each individual user are determined and provisioned to the respective cloud applications.
Using a cloud user store
If the company already uses SAP SuccessFactors to manage employees and treats it as its central identity data store, the SAP SuccessFactors system can simply be configured as a source system in Identity Provisioning. With these settings, the SAP SuccessFactors users are pushed into the relevant cloud applications, together with their policy-based authorizations where such policies are configured.
Two more scenarios are supported when a cloud user store is used as a source. Both are based on the integration between the Identity Provisioning service and the Identity Authentication service.
Easy consumer and partner provisioning
The first scenario concerns users external to the company, for example consumers and partners, who are easy to handle using the cloud user store of the Identity Authentication service. When the Identity Authentication service is configured as a source system in Identity Provisioning, existing or newly registered cloud users can be provisioned into the cloud applications relevant to them, for example SAP JAM, or even into systems that simply support the System for Cross-domain Identity Management (SCIM) open standard.
Writing into the cloud user store
The other supported scenario that relates to the Identity Authentication service is the following: a company wants to integrate an existing on-premise authentication solution with a simple and low-cost strong authentication service (two-factor authentication, risk-based authentication, etc.) or to introduce Mobile SSO as a service to its business users. Companies need this to gain better control over authentication for cloud business processes and to keep corporate security at a very high level, while at the same time giving business users more flexibility to do their job. This scenario is possible because the integration with Identity Authentication also allows provisioning in the other direction, where the on-premise users are created in the cloud user store of the Identity Authentication service. This way companies can manage an additional level of authentication security for cloud applications like SAP Hybris Cloud for Customer and offer their business users simple and secure access to such cloud applications from anywhere and on any device, at a low and attractive service cost.
Flexible data transformations
Almost every system (SAP or non-SAP) comes with its own data model for its identity and authorization store. The mapping between the data models of a source and a target system is the key aspect of a provisioning solution. The new Identity Provisioning service offers flexible transformation management that allows companies to extend the default transformation settings provided by the service for every integrated source or target system. Using the transformation configurations, companies can configure simple or complicated data transformation logic based on their business and security needs. For example, they can filter the list of identities to be provisioned to SAP Hybris Cloud for Customer so that only users who have a certain group assigned as an attribute get an identity created in SAP Hybris Cloud for Customer.
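The group filter described here, combined with the group-to-role mapping from the access policies section, can be sketched as follows. This is an added illustration, not code or configuration syntax from SAP or the Identity Provisioning service; the group names, role names, source attribute names and function names are assumptions, and the output uses the SCIM 2.0 core user schema.

```python
# Added illustration: constructed names and data, not SAP's transformation syntax.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643

# Hypothetical condition: only members of this group get a target account.
REQUIRED_GROUP = "CN=C4C-Users,OU=Groups,DC=corp,DC=example"
# Hypothetical access policy: source group -> target application role.
ACCESS_POLICY = {
    "CN=Sales-EMEA,OU=Groups,DC=corp,DC=example": "SALES_REP",
    "CN=Sales-Managers,OU=Groups,DC=corp,DC=example": "SALES_MANAGER",
}

def _norm(dn):
    # Compare group DNs case-insensitively, ignoring stray whitespace.
    return ",".join(part.strip().lower() for part in dn.split(","))

_POLICY = {_norm(group): role for group, role in ACCESS_POLICY.items()}

def transform(source_user):
    """Return a SCIM-style user for the target, or None if filtered out."""
    groups = {_norm(g) for g in source_user.get("memberOf", [])}
    if _norm(REQUIRED_GROUP) not in groups:
        return None  # condition not met: no identity is created
    # Default deny: a group without a policy entry grants no role.
    roles = sorted({_POLICY[g] for g in groups if g in _POLICY})
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": source_user["sAMAccountName"],
        "emails": [{"value": source_user["mail"], "primary": True}],
        "roles": [{"value": r} for r in roles],
    }

def plan(source_users):
    """Split one source read into (users to provision, user names skipped)."""
    results = [(u["sAMAccountName"], transform(u)) for u in source_users]
    provisioned = [t for _, t in results if t is not None]
    skipped = [name for name, t in results if t is None]
    return provisioned, skipped

# Constructed sample of what a read from the source system might return.
SAMPLE_USERS = [
    {"sAMAccountName": "asmith", "mail": "asmith@corp.example",
     "memberOf": ["cn=c4c-users, ou=groups, dc=corp, dc=example",
                  "CN=Sales-EMEA,OU=Groups,DC=corp,DC=example"]},
    {"sAMAccountName": "bjones", "mail": "bjones@corp.example",
     "memberOf": ["CN=Sales-Managers,OU=Groups,DC=corp,DC=example"]},
    {"sAMAccountName": "cwu", "mail": "cwu@corp.example",
     "memberOf": ["CN=C4C-Users,OU=Groups,DC=corp,DC=example",
                  "CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
]
```

In the sample, a highly privileged source group that has no policy entry yields an account with no roles, and a user holding a mapped group but not the required group gets no account at all.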
Comprehensive job scheduler
The frequency of the provisioning processes that have to be performed on a regular basis can be configured using the comprehensive job scheduler of the service. Job management operations include scheduling jobs, starting and stopping jobs, monitoring jobs, etc. The status of the jobs can be monitored using a Job Execution Log.
Where to find more data
More details about the currently integrated source and target systems, and information on how to configure the different scenarios, can be found in the SAP documentation of the Identity Provisioning solution.
As part of the roadmap for the service, further integration is planned with more and more SAP solutions and with non-SAP solutions that are important for our customers, for example Microsoft Office 365. The solution will also offer new features related to identity management and provisioning processes.
Using SAP HANA Cloud Platform Identity Provisioning, companies can best leverage existing corporate infrastructure while also benefiting from the agility, flexibility, and simplicity provided by the cloud.
See also the SAP Insider Article: End-to-end identity and access management in the Cloud (October 2016)