SAP IDM & Why You Should Have It
First of all, if you read the title of this blog and clicked the link anyway, thank you! SAP has told me that I’m not allow to mention my name or place of employment in blog posts, for reasons that I can’t understand but if you want to know this information, look up! My name is right there at the top of this post and if you click it, you’ll find out who I work for and how to contact me. I’ve been an SAP IDM developer, systems administrator, consultant, technical team lead, along with a host of other titles for the last 7 years now. In that time, it has constantly amazed me how many companies run SAP and don’t also utilize SAP’s Identity Management solution! But at this stage of my career, I’ve kind of accepted this fact and I just do what I can to inform my fellow IT / SAP professionals about what SAP IDM is and why I believe, especially if you’re a current SAP client, you should have it.
Why am I sharing this with you? It seems like a lot of SCN blogs are geared towards the technical experts. In fact, every blog post I’ve written has been targeted to the same kind of crowd; people like me. However, I wanted to write something more geared towards IT decision makers. I hope this helps to answer some of the questions people in that role might have.
First, a little more about me. I started out life in SAP IDM v7.1 as a systems administrator. I was offered the position because I was next in line for a promotion from the help desk. I really wanted off the help desk so I took it even though I’d never heard of SAP IDM in my life. That said, I love a challenge, so once I had the job and some very minimal training, I grabbed every piece of SAP issued documentation I could find, asked a lot of questions, and over the course of about 18 months, became a pretty skilled developer. Seven years and two upgrade releases to version 8.0 later and I’m still here; still building and troubleshooting environments for new clients all over the globe, right from my basement office in Toledo, Ohio.
Anyway, enough about me. What is SAP IDM and why should you have it? First, if you’re considering an IDM solution and you run SAP, this option has to be at the top of your list. It goes without saying that SAP IDM is native to the rest of SAP’s ABAP and AS Java systems. There’s also connectors for SuccessFactors, HANA Database, Novell, the list goes on. If SAP ERP is at the core of you enterprise, do you really want another IDM product managing your SAP identities?
Second, there are connectors available for many Microsoft platforms like Active Directory, Office365, Azure and SharePoint. I haven’t worked in a corporate environment yet that doesn’t run a Windows domain so this is an absolute must have. You can customize what attributes you want IDM to manage. If you have custom attributes in your AD schema, IDM can populate those too.
Third, SAP IDM sits on top of SAP’s Netweaver server, which is a Java system. Due to this open framework, you can custom develop connectors to plug SAP IDM into virtually any target system you need to manage identities on. Everything from custom APIs, REST, SOAP, SQL based databases all the way down to simple CSV drop files, IDM can communicate with virtually any repository that stores identities, either purchased from third party vendors or in-house developed.
In addition to its limitless connection capabilities, its auditing and reporting capabilities are unmatched. Every time an action takes place on an identity or the privileges within a role change, who performed the action, what that action specifically was, what the data looked like prior to the action, and the date/time of the action are all recorded. Custom reporting can be set up to call this information to the table whenever needed. Are you a publicly traded company that has to answer to auditors? The information kept in IDM’s database will prove invaluable during your next security audit.
Finally, there’s the ability to establish Role Based Access Controls, or RBAC. Many times you’ll have several people who all do the same job. There might be many HR Generalist 1 or Warehouse Labor positions in your company and they all need the same rights across two, three or more systems. With SAP IDM, you can design a role containing these privileges in more than one system, so that when that person starts on day 1 of work, they have a Windows login ID, initial password delivered to their manager, an email box and the basic access rights they need. What happens when they change job functions? IDM switches from the old RBAC role to the new one; granting all the new rights they need, building accounts in the new systems they need access to but also removing all the rights from their old jobs they no longer need. This all happens the minute an HR profile is updated.
This article was meant to reviews over some of the most common features SAP IDM can accomplish. Its capabilities are much more! Have questions as to if this platform is right for your company? Contact me! Again, I can’t actually mention my email address in this blog post but just click my name above and check out my profile. I’d love to answer any questions you might have about SAP IDM and how much I’ve enjoyed working with it all these years. If you’ve made it this far, thanks for your time and I hope to hear from you!
If you found this blog post useful, check out these other great SAP Blogs. You may also find this site useful if you are looking for SAP IDM career opportunities.
Great to see someone blogging from a customer point of view.
I'm not surprised why many customers do not have IdM but it's getting harder to justify not having some form of IdM and Access Provisioning solution to meet complex landscapes as customers move further away from a 3-tier environment single ABAP system where CUA, LDAP and general script tools were enough to manage users (SU01 accounts only)
But times have changed and security automation and proper account management is needed. Implementing an IdM to manage your landscape is definitely a security product that needs to be include and invested in.
Thanks for reading Colleen! This was my thought as well. Every blog post on the SCN is very tech geared and, while that's helpful to us developers, sometimes we need to remember that we're here to get a job done for everyone, not just the IT department.
And yes, IDM is getting harder to ignore. As with any kind of security breach, be it digital or physical, inside jobs are the most prevalent. By using IDM to keep a company's identities restricted to only what they need to do their jobs and help prevent rights accumulation as employees move from job to job, we're just helping to keep people honest.
It is an interesting approach, normally one only sees this type of information in marketing materials, or maybe LinkedIn blogs. It's just as important to make sure the users and management see the value, otherwise the engineers are just building cool technology that no one uses. This is probably more of a "pre-requirements" step. Demonstrating a need and value is a key preliminary step.
Exactly and yes, as I was thinking about writing this blog, I was wondering if the SCN was the right place for it and then I thought, of course it's the right place. SCN means, "SAP Community Network". The network of SAP is users, developers, decision makers, everyone from the CIO to the help desk intern. While I definitely agree that the SCN tends to lean more towards helping users and developers solve technical problems, I feel that every once in awhile, we should perhaps address the questions that might be lurking out there that rarely get answers, especially for potential environments who are still considering if SAP IDM is right for their business.