Sap Identity Management 8.0 Understanding

SAP Identity Management [email protected]

Identity Management Purpose 

A central place for managing all identities



Granting and revoking authorizations in applications



Synchronizing data between applications



Attestation, i.e. confirming that the assignments are still valid



Segregation of Duties (SoD)



Auditing –Who had which authorizations at which time

[email protected]

Identity Management Purpose 

Manage user life-cycle



Ensure that the right people have the right authorizations



Keeping identity data updated across the organization



Setting the (same) password in all applications

[email protected]

Typical User Lifecycle

[email protected]

Holistic Identity Management Approach 

Integration with heterogeneous system



Central Identity Store



Approval Workflow



Identity Virtualization/Identity as a Service



SAP Business suite Integration



Compliance Check/GRC



Rule based assignment of business role



Monitoring & Audit



Password Management



Distribution of Users and Role Assignment



SSO – Single Sign On

[email protected]

Application data and Challenges Each application stores user information 

Authentication data User ID –Often different for different applications for the same user

Password –Some applications use an authentication server (and do not store passwords themselves) 

Authorization data Access levels to the application data

High complexity Difficult/impossible to get an overview of all employees Errors when entering the information Duplicate entries for the same person Misspellings [email protected]

Application data and Challenges Disconnected Systems 

Applications are unaware of each other

Security risks 

Employees leaving –Access rights not revoked in all systems



People moving –Granted new access rights, Previous access rights are not revoked



Manual procedures involved –Human errors may cause security flaws



Lack of audit –Who had access to what when

High maintenance cost 

Many manual operations, Resources could be put to better use



Time-consuming , Employees must wait

Compliance 

SOX - Sarbanes-Oxley, HIPAA - Health Insurance Portability and Accountability Act



Internal audits, Risk assessments etc

[email protected]

Identity data Personal data 

Normally short data elements like Name, phone, email, picture, certificate

Pointer data 

Pointer or reference data points or link an Identity to other objects such as Web page, document archive, group memberships

Assignments Data 

Roles, privileges, authorizations

Read-mostly data 

High read/write ratio

[email protected]

Identity Store 

Central Storage for Identities



Contains selected attributes from connected applications based on attribute quality



A superset of all the identity Information within the organization



Data Ownership challenges



Data Quality and Cleansing



Role Structure – Normalize, Simplify, Reduce



Joining Identity Data – Finding a common Identifier

[email protected]

SAP IdM – Components 

Core Component – Database



Runtime Component – Dispatcher and Runtime engine



IDM UI and IDM Admin UI



IdM Developer Studio – Service and Eclipse Plugins



Virtual Directory Services (VDS) -Data access -External communication -Exposing the identity store

[email protected]

[email protected]