The Three C's of SAP Identity Management - Centralization, Certified Partners, and Compliance

by Frank Buchholz | SAPinsider

October 1, 2006

by Frank Buchholz, SAP AG; Jens Koster, SAP AG; Gerlinde Zibulski, SAP Labs. SAPinsider, 2006 (Volume 7), October (Issue 4)

One of the fundamentals of securing an SAP system landscape is user identity management. Maintaining strict control over the creation, authorization, and deletion of user identities is imperative for securing company data — but the benefits don’t stop at security. User management also helps ensure compliance with regulations like Sarbanes-Oxley and its segregation of duties requirements.

The key to controlling user identities is centralization. Without centralized user management, administrators must create and maintain user data in each SAP system manually — a costly and error-prone task. Moreover, administrators have no visibility into each user’s level of authorization across systems; if one user needs to be removed from all systems, an administrator is burdened with manually checking every system for that user.

The First “C”: Taking Steps Toward Centralization

SAP NetWeaver provides a central user administration (CUA) system for centralizing and maintaining user records within ABAP-based applications and distributing them to other SAP client systems. The CUA is free of charge, does not require additional installations, and can run in a productive ABAP system such as SAP Solution Manager, or in a standalone SAP NetWeaver Application Server, which eases upgrades or patch imports.1 The CUA can also centralize Java-based SAP applications, such as SAP NetWeaver Portal, through mass synchronization with a directory server using the Lightweight Directory Access Protocol (LDAP).2

Centralization is not complete, however, if it applies only to SAP applications. As it becomes more common for customers to implement Java-based, third-party systems in their SAP landscapes, it’s time for certified partner user management products. These partner products can not only manage and centralize identity information from both SAP and non-SAP systems, but they also automate the centralization process, eliminating the need for system administrators to manually assign user roles and authorizations in every system.

What, then, are SAP customers’ options for centralizing user management in a heterogeneous system environment? We will begin by looking at a sample SAP landscape to cover the SAP NetWeaver user management tools.3 We will then explain the part that certified partner solutions play in extending the SAP system’s user management functions. Finally, we will delve into the role of user management in complying with regulations like Sarbanes-Oxley.

To illustrate the user management functions, Figure 1 shows an example of a generic SAP landscape in which ABAP- and Java-based SAP applications are running. This sample landscape will likely deviate from your own installation, but it should cover the basics.

Figure 1
Sample SAP landscape illustrating the relationship between Java-based SAP applications, the CUA, and ABAP-based applications

As you can see in Figure 1, our sample SAP landscape includes ABAP-based mySAP ERP applications, as well as the Java-based SAP NetWeaver Portal. As has been the case for years, user authorizations for ABAP-based back ends are centrally created and maintained via the CUA, whereas the users are still stored in the CUA client systems (which, in this case, are the ABAP stack of the SAP NetWeaver Exchange Infrastructure4 and other ABAP-based SAP systems).

Because the customer is also using a Java-based back end, however, it is necessary to create users elsewhere and employ a third-party directory for storing those users. So how are the users of both the ABAP- and Java-based systems managed in this scenario?

Managing SAP Users in Both ABAP and Java Environments

On the ABAP side, users are created and user master data is maintained in the CUA. From the CUA, the administrator can view the user role assignments of the entire system landscape and centrally maintain user data and assign roles. (Note that role maintenance is still performed locally.) As of SAP R/3 4.5, the CUA uses application link enabling (ALE) technology to synchronize these users between the CUA and its user stores — such as mySAP Business Suite, mySAP ERP, and SAP R/3 — thus reducing administrative effort and ensuring consistent user master data.

Depending on your system setup and security requirements, you can either have one CUA for all of your ABAP-based systems — development, quality assurance (QA), and production — or you can have multiple CUAs, one for each system set. With a single CUA, all users are maintained in one place; with multiple CUAs, you can physically separate the system sets, which is helpful if you have high security demands. For the migration of users and company addresses, SAP offers the transaction SCUG (“Migrate users”) to easily upload existing ABAP-based user data into the CUA central system. (Please note, though, that by implementing CUA you do not automatically achieve single sign-on or password synchronization.5)

On the Java side, user administrators create and maintain users in SAP NetWeaver Portal through the browser-based GUI of the portal’s flexible User Management Engine (UME). The UME allows for multiple user stores, called data sources (see the sidebar “UME User Store Options”). All users’ credentials are verified against the data source. You can use multiple user stores in parallel, as long as exactly one store is defined as the read-and-write data source and all others are read-only.

The UME allows for the partitioning of user data. You might want to store your internal users in one corporate directory or ABAP system while external, self-registered users are stored in an internal directory.

In Figure 1, SAP NetWeaver Portal’s data source is the LDAP directory (a third-party product, such as Microsoft Active Directory), so by default all users’ credentials are checked against it when they log on to the portal. The next step is getting users in the LDAP directory into the CUA system.

The LDAP Connector for User Synchronization

Since the goal is centralization, users from the LDAP directory must be consolidated and synchronized with the CUA system.6 The CUA performs user account provisioning for mySAP Business Suite applications, and SAP NetWeaver Portal’s UME enables the cross-system definition and maintenance of user accounts. Both components are integrated to allow central identity and access management for SAP systems. Administrators can manually conduct a mass synchronization of users from the LDAP directory into the CUA system, or they can schedule this as a regular batch job.

UME User Store Options

For the data source in the UME, you can choose a local database, a directory server (also called the LDAP server), or, as of release 6.20 of SAP NetWeaver Application Server, an ABAP-based application server. Here’s a closer look at the three options:

UME-Database — Here, the local database of SAP NetWeaver Application Server Java stores the user data and user credentials. This database is not connected to any other system and is typically used only for some standalone test or demo systems.

UME-LDAP — Here, the UME does not synchronize the user master data between the LDAP server and SAP NetWeaver Application Server Java, but instead stores the data directly in the LDAP server. This option makes the most sense if you already have a directory server installed in your system landscape, or if most of your users reside in an LDAP directory.

UME-ABAP — When the ABAP stack is leveraged as the user store for the UME, the credentials in the UME are already verified against the ABAP stack, so there is no need for synchronization.

Note that if the SAP NetWeaver Application Server is installed as an add-in or dual stack (with both ABAP and Java), the only data source option for the UME is ABAP. In this case, it’s not possible to change the user store.

To conduct the mass synchronization, you can employ a directory server7 using the LDAP protocol. LDAP is a widely accepted standard protocol for the synchronization of user master data and is supported by hundreds of applications.

You can use the LDAP Connector (supplied by SAP) to synchronize the user master data between the LDAP directory server and ABAP-based SAP system. The data can be synchronized from the directory into the SAP system or vice versa, and it can also be synchronized with multiple directory servers. You can also synchronize different attributes of a user in different directions; for example, you can use the directory as the source for the user’s address data and the SAP system as the source for the SAP user name.

The LDAP Connector can also be used to extract employee master data from the HR system into a directory server.8 You can reuse extracted employee data as user data in both SAP and non-SAP systems. Note that administrators can also assign SAP backend roles (that is, authorization roles created with the profile generator via transaction PFCG) via the CUA central system. They will still have to manually maintain all authorization roles in every ABAP backend system and transport these roles from the development system through QA and into the productive system. They can, however, centrally manage the role assignment in the CUA and assign backend roles per logical system.9
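The per-attribute direction rules described above (directory as the source for address data, SAP system as the source for the SAP user name) can be modelled as a small synchronization routine. This is an added illustration, not the LDAP Connector’s own code; the attribute names, the rule table and both sample records are constructed.

```python
"""Model of per-attribute synchronization direction between an LDAP
directory entry and an ABAP user master record.  Added illustration in the
spirit of the LDAP Connector, not SAP code; attribute names, the rule
table and the two sample records below are all constructed."""
from copy import deepcopy

# Direction of synchronization per attribute (constructed rule set).
# "dir->sap": the directory is the source of truth (e.g. address data).
# "sap->dir": the SAP system is the source of truth (e.g. the SAP user name).
# "none":     the attribute is not synchronized at all.
SYNC_RULES = {
    "givenName": "dir->sap",
    "sn": "dir->sap",
    "mail": "dir->sap",
    "telephoneNumber": "dir->sap",
    "sapUsername": "sap->dir",
    "lastLogon": "none",
}

def synchronize(directory_entry, sap_user, rules=SYNC_RULES):
    """Return (new_directory_entry, new_sap_user, changes).

    Each attribute is copied from its designated source to the other side
    only when the values differ, so the change list doubles as an audit
    trail of what this synchronization run actually touched.  Inputs are
    left untouched.
    """
    dir_out, sap_out, changes = deepcopy(directory_entry), deepcopy(sap_user), []
    for attr, direction in rules.items():
        if direction == "none":
            continue
        src, dst, dst_name = (
            (directory_entry, sap_out, "sap") if direction == "dir->sap"
            else (sap_user, dir_out, "directory"))
        if attr not in src:
            continue  # source holds no value: never blank out the target
        if dst.get(attr) != src[attr]:
            changes.append((attr, dst_name, dst.get(attr), src[attr]))
            dst[attr] = src[attr]
    return dir_out, sap_out, changes

# Constructed sample records: the directory holds a new phone number and a
# changed surname, while the SAP system holds the authoritative user name.
DIRECTORY_ENTRY = {"givenName": "Erika", "sn": "Mustermann-Schmidt",
                   "mail": "erika@example.invalid",
                   "telephoneNumber": "+49 6227 0000",
                   "sapUsername": "EMUSTERMAN", "lastLogon": "20060930"}
SAP_USER = {"givenName": "Erika", "sn": "Mustermann",
            "mail": "erika@example.invalid",
            "telephoneNumber": "+49 6227 9999",
            "sapUsername": "MUSTERMANNE"}

if __name__ == "__main__":
    _, _, changes = synchronize(DIRECTORY_ENTRY, SAP_USER)
    for attr, target, old, new in changes:
        print(f"{target:9} {attr:16} {old!r} -> {new!r}")
```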

The Second “C”: Incorporating Certified Partner Offerings in Heterogeneous Landscapes

SAP NetWeaver contains all functionality needed for identity management in SAP solutions. The CUA and the portal’s UME, however, are geared toward SAP-only systems and the LDAP directory (and therefore toward third-party applications that use that directory as their user store). To link SAP and external components, you need solutions that enable the flow of information across SAP and non-SAP systems, as well as central administration of identities and permissions for all parties and persons involved.

Central identity management solutions that cover all components of a heterogeneous IT environment must come from a certified SAP partner. With SAP NetWeaver’s open and flexible nature, certified identity management tools integrate easily.10

A number of partner products are certified by SAP to provide user management for landscapes involving SAP and non-SAP systems. These solutions must administer identity information to all SAP systems, including those not integrated with CUA, as well as all third-party systems. For the complete list of partners with SAP-certified identity management products, check out the security partner directory on the SAP Service Marketplace at > Partners for user management.

One example is HiPath SIcurity DirX Identity from SAP’s strategic partner Siemens. Through integration with SAP NetWeaver, HiPath SIcurity DirX Identity helps companies automatically centralize and manage the identity access rights of employees using both SAP and non-SAP applications.

With the integration of such a solution, managers need not send system administrators requests for user authorizations; rather, the solution automates the process for granting and controlling permissions for all SAP solutions and third-party applications in SAP NetWeaver Portal. The solution is integrated with the SAP NetWeaver platform, mySAP Business Suite, mySAP ERP, and SAP R/3, and it can also integrate with solutions like Microsoft .NET and IBM WebSphere.

Figure 2 illustrates the relationship between SAP NetWeaver Portal and an external user identity management solution like HiPath SIcurity DirX Identity. SAP NetWeaver Portal (in green) acts as the integration point for applications, personalization, collaboration, and knowledge management. The Siemens HiPath SIcurity DirX Identity (in orange) acts as the integration point for provisioning, workflow-based self-services, and cross-system audits concerning identities and authorizations. The LDAP directory (in blue) forms the central identity and policy configuration store. All the applications, both SAP and non-SAP, are connected to the HiPath SIcurity DirX Identity, which runs process-based workflows to read user data from source systems, assigns system access and authorizations automatically, and provisions user data to target systems.

Figure 2
An overview of a Siemens HiPath SIcurity DirX Identity installation landscape

The Third “C”: User Management Tools to Support Compliance Efforts

Centralizing user identity management not only automates the manual processes required for maintaining user identities, but it also helps companies with the regulatory and compliance issues of user management. To comply with regulations such as Sarbanes-Oxley, companies have to pay close attention to user management and IT security.

The financial reporting aspects of the Sarbanes-Oxley Act are especially strict, and with enterprises using more and more open architectures and integrating processes across company boundaries, Sarbanes-Oxley requirements are difficult to meet. In terms of user management, Sarbanes-Oxley compliance can be reduced to three core questions:

  • Who is allowed to do what?

  • Who assigned the permissions for this?

  • Who did what and when?

The relevant applications’ change documents or audit trails must answer the last question, whereas an identity management solution must clarify the first and second questions.

SAP NetWeaver’s built-in tools help answer these questions through the use of logs, change documents, and the user information system (transaction SUIM). Because these tools primarily show only current data, SAP offers the Virsa Compliance Calibrator to extend the capabilities for analysis concerning segregation of duties (SoD).11 Virsa Compliance Calibrator stops security and controls violations and prevents SoD violations by performing an offline analysis of production system data (see sidebar).

SAP also offers the Virsa Access Enforcer to provide automatic workflow capabilities, enabling compliance checks as part of an approval process. As a result, you can act on the access requests resulting from Virsa Compliance Calibrator’s compliance checks. Virsa Access Enforcer also supports real-time compliance around the clock and prevents violations before they occur. It leverages SAP NetWeaver services to provision identities and role assignments, and it prevents SoD violations by performing a real-time simulation of the data in a production system.

Use an External System in Tandem with Virsa Compliance Calibrator for Stronger SoD Analysis

If you are managing a heterogeneous system landscape using an external identity management system, you might want to combine the benefits of the identity management system with those of Virsa Compliance Calibrator (see figure below).12 External identity management systems allow a comprehensive view of identities and their access rights in different applications, and enable a cross-platform SoD analysis based on business roles. Virsa Compliance Calibrator offers detailed SoD analysis and other authorization risk assessments to help you comply with regulatory mandates. By using both solutions together, you achieve compliant provisioning of your user identities.

Sample workflow scenario showing how Siemens HiPath SIcurity DirX and Virsa Compliance Calibrator analyze a user role assignment request for possible SoD violations
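The two modes of SoD checking discussed in this section, the offline analysis of existing production role assignments and the simulation of a pending role assignment request before it is approved, can be shown in a compact model. This is an added illustration, not Virsa or SAP code; the roles, business functions, SoD rules and user assignments are constructed.

```python
"""Segregation-of-duties (SoD) checks in two modes: an offline scan of
existing role assignments and a pre-approval simulation of a requested
assignment.  Added illustration, not Virsa or SAP code; the roles,
business functions, rules and user data are constructed."""

# Which business function each authorization role grants (constructed).
ROLE_FUNCTIONS = {
    "Z_VENDOR_MAINT": {"maintain_vendor_master"},
    "Z_AP_INVOICE": {"post_vendor_invoice"},
    "Z_AP_PAYMENT": {"release_payment"},
    "Z_PO_CREATE": {"create_purchase_order"},
    "Z_GR_POST": {"post_goods_receipt"},
    "Z_DISPLAY_ONLY": set(),
}

# Pairs of functions one person must not hold together (constructed rule ids).
SOD_RULES = {
    "P01": ("maintain_vendor_master", "post_vendor_invoice"),
    "P02": ("post_vendor_invoice", "release_payment"),
    "P03": ("create_purchase_order", "post_goods_receipt"),
}

def functions_of(roles):
    """Union of the business functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs

def violations(roles):
    """Rule ids violated by this role set, sorted for stable reporting."""
    funcs = functions_of(roles)
    return sorted(rid for rid, (a, b) in SOD_RULES.items()
                  if a in funcs and b in funcs)

def offline_analysis(assignments):
    """Offline scan: {user: [rule ids]} for every user with a conflict."""
    report = {user: violations(roles) for user, roles in assignments.items()}
    return {user: v for user, v in report.items() if v}

def simulate_request(assignments, user, new_role):
    """Pre-approval simulation: rule ids the grant would *newly* introduce,
    so an approver sees only what this request adds to the risk picture."""
    current = assignments.get(user, set())
    before = set(violations(current))
    after = set(violations(current | {new_role}))
    return sorted(after - before)

# Constructed current assignments: MUELLER already holds a conflicting pair.
ASSIGNMENTS = {
    "MUELLER": {"Z_VENDOR_MAINT", "Z_AP_INVOICE"},
    "SCHMIDT": {"Z_PO_CREATE", "Z_DISPLAY_ONLY"},
    "WEBER": {"Z_AP_PAYMENT"},
}

if __name__ == "__main__":
    print("offline analysis:", offline_analysis(ASSIGNMENTS))
    print("SCHMIDT + Z_GR_POST:", simulate_request(ASSIGNMENTS, "SCHMIDT", "Z_GR_POST"))
    print("WEBER + Z_DISPLAY_ONLY:", simulate_request(ASSIGNMENTS, "WEBER", "Z_DISPLAY_ONLY"))
```

A request that introduces no new rule id can be approved automatically, while one that does is routed to the risk owner, which is the approval-workflow pattern the figure above describes.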


Centralization of user identity management is critical for maintaining a secure and compliant landscape, but without the proper tools, administrators are left with the overwhelming burden of manually managing user identities. With the growing use of Java-based applications and the expansion of core systems to include numerous third-party components, companies simply cannot ignore this user management challenge.

The CUA, UME, and LDAP Connector are the key SAP tools for user management. To account for the proliferation of third-party solutions in customers’ SAP landscapes, SAP has certified third-party products for managing user authorizations. These products automate the process of granting and maintaining all user authorizations within SAP and non-SAP systems, reducing the risk of errors and segregation of duties violations. Virsa Access Enforcer and Virsa Compliance Calibrator further guard against such compliance shortfalls.

SAP provides comprehensive resources for selecting the appropriate third-party user identity management vendor. For more information on certified partners, please visit For more on SAP’s offerings for user identity management, please visit > Security in Detail > Secure User Access > Identity Management.

1 To easily import patches or upgrade the CUA, we recommend configuring the CUA on a separate SAP NetWeaver Application Server ABAP stack and not in a production system. You can also combine the CUA with other system management functions like Transport Management System (TMS) or Computer Center Management System (CCMS), in which case we recommend using a system such as SAP Solution Manager, which centralizes several cross-system management functions.

2 For more information on mass synchronization, see the section “The LDAP Connector for User Synchronization.”

3 For a look at user management tools pre-SAP NetWeaver, see “Central User Administration with LDAP Directories” by Dr. Jürgen Schneider in the January-March 2002 issue of SAP Insider (

4 In the graphic, SAP NetWeaver Exchange Infrastructure is running on a dual-stack SAP NetWeaver Application Server, meaning it has personalities in both ABAP and Java.

5 For more on single sign-on, please see Sarah Maidstone’s article, “Are Your Single Sign-On Options Keeping Pace with Your SAP System?” in the April-June 2005 issue of SAP Insider (

6 You can configure a mass synchronization from SAP ABAP stacks to an LDAP directory (or vice versa) as of SAP NetWeaver Application Server 6.10.

7 SAP does not offer a directory server, but you can connect your SAP system to products of all major directory players in the market. See > Partners for directory services (Interface to LDAP enabled directories) for the complete list of partners.

8 For HR systems lower than release 6.10 (R/3 4.0, 4.5, or 4.6), you must use a separate SAP NetWeaver Application Server ABAP with minimum 6.10 release as middleware.

9 A logical system is a client in an SAP system. For example, in a productive mySAP ERP system called TWS, the client 100 is usually named TWSCLNT100.

10 SAP continues to support open interfaces in the area of security, for example, by supporting open Internet standards like Service Provisioning Markup Language (SPML), Security Assertion Markup Language (SAML), and Java Authentication and Authorization Service (JAAS).

11 For more information on Virsa Compliance Calibrator, please see Virsa’s article in the “Corporate Governance and Compliance” special feature in SAP Insider’s July-September 2005 issue (

12 SAP offers interfaces for identity management partners to connect to Virsa Compliance Calibrator and Virsa Access Enforcer. Currently the identity management systems of Siemens and Sun support this integration.
