Identity Management That’s Integrated into Your Current Business Processes: Enable Business Process Owners to Manage Access Rights and Roles

by Regine Brehm and Jens Koster | SAPinsider

July 1, 2009

See how SAP's identity management functionality can now be a connected, integrated part of your existing business processes. Walk through a helpful four-phase example of how to manage fictional employee Anna Smith's access rights and roles as she's hired, promoted, moved to another department, and ultimately terminated.

Employees work in numerous software systems — in a single day, they might check their email with IBM Lotus Notes or Microsoft Outlook, log in to an enterprise portal to manage their self-service applications and workflow processes, and access several SAP and non-SAP systems to execute business tasks. Enforcing security and authorization requirements across such a diverse system landscape is a responsibility that’s caused more than a few headaches for IT (see sidebar).

Fortunately, identity management solutions offer a variety of capabilities to enhance security and ensure authorization compliance, helping businesses streamline and automate the authorization process and giving administrators a centralized view of who in your company holds what kinds of authorization rights. Previous SAP Insider articles have introduced and explained these capabilities for SAP NetWeaver Identity Management¹ — so let’s look beyond this centralized administration functionality and see how identity management functionality can now be a connected, integrated part of your existing business processes.

Identity Management That Responds to Your Existing Business Processes

SAP NetWeaver Identity Management allows companies to “attach” identity management functionality to their business processes. This means that your identity management solution will be triggered by the same events that make up your business process.

For example, when you hire a new employee, when you promote someone, or when a person changes jobs within your organization, that employee will require different sets of system access privileges or authorizations. Now, you can set up your identity management solution to automatically react to all of these events. And when an employee leaves your company, SAP’s identity management solution ensures that his or her access rights are revoked immediately.

Because SAP NetWeaver Identity Management builds its processes around the chain of identity-centered business events that happen in your company, it also enables business process owners — who know best which business processes require which kinds of roles and authorizations — to assign access rights and roles and define the scope of these user roles and authorizations.

Providing a Seamless End-User Experience Throughout the Employee Life Cycle

Most companies start their identity management initiative by linking their identity management solution to their SAP ERP Human Capital Management (SAP ERP HCM) system, which provides the identities, roles, and authorizations of all employees. This is a logical place to start, as the data can then be made available to SAP NetWeaver Identity Management, which then:

  • Distributes this information (including user accounts and role assignments for both SAP and non-SAP applications) across the IT landscape

  • Automatically recognizes changes to employee-related data and creates, changes, locks, or deletes corresponding user data within the connected applications

  • Uses sophisticated approval workflows to distribute the responsibility for authorization assignments to the relevant business process owners and managers

  • Uses its central identity store to consolidate this identity data into one system; it can then write employee-related data back into the SAP ERP HCM employee records, which is especially useful since employee identity information — such as email addresses or user IDs — might be generated in other systems

This all might sound a bit theoretical, so let’s look at these identity management capabilities in action.

Scenario #1: Onboarding a New Hire

You just hired Anna Smith to work in your global marketing department. Let’s assume that you are using the “Personnel Administration” component of SAP ERP HCM as your main source of employee data. Before Anna begins work, an HR representative enters her personnel data — including her start date and position — into this SAP ERP HCM component (see Figure 1).

Figure 1: Once an employee’s information is entered into the SAP ERP HCM system, SAP NetWeaver Identity Management uses that data to automatically set up access to all of the systems the employee needs to use

The SAP ERP HCM system then passes this data over to SAP NetWeaver Identity Management, which creates an identity entry for Anna and then — based on the position the HR administrator assigned to Anna in SAP ERP HCM — automatically assigns that identity the business role of “marketing professional”. Based on this role and her manager’s approval, SAP NetWeaver Identity Management then creates user accounts and generates roles and authorizations for the systems that Anna will need to access — including an email client, an enterprise portal, and SAP Customer Relationship Management (SAP CRM).

All these steps happen in the background. To Anna (the business user) and the HR administrator who sets up the business roles, the experience is seamless. On her first day of work, Anna can simply log in to all of the applications she needs to do her job.

Scenario #2: Managing a Promotion

Two years later, Anna is promoted. She now has team and budget responsibility within marketing. When the HR administrator enters her promotion into SAP ERP HCM, the event triggers SAP NetWeaver Identity Management to extract that new data and assign a new business role — “marketing manager” — to Anna. Based on this role assignment, the system will then automatically match Anna’s system access rights to her new responsibilities. On the first day in her new position, Anna will be able to access the manager self-service application, as well as budget transactions in SAP ERP. Anna’s user information in SAP CRM is also updated to reflect her new tasks.

Scenario #3: Changing Departments

What if Anna decides to change departments within your organization? Perhaps she moves from marketing to the corporate communications team. Once again, the identity management system would set her up with access to any new systems she needs. In this case, however, Anna would also automatically lose her access rights and corresponding authorizations for SAP CRM. SAP NetWeaver Identity Management revokes privileges that no longer fall under the user’s defined role; this deprovisioning plays an important role in ensuring compliance within the enterprise. Too often, companies keep adding employee privileges over the years without ever deleting authorizations that are no longer needed. This accumulation can lead to segregation of duties (SoD) violations or data misuse by employees.

By making the deprovisioning process an automatic part of the authorization process, SAP NetWeaver Identity Management helps ensure that this won’t happen. In addition, all changes made to Anna’s SAP ERP HCM profile will be extracted into SAP NetWeaver Identity Management and updated across the SAP Business Suite and any non-SAP systems the company may be running.

Scenario #4: Leaving the Company

After seven years with your company, Anna decides to pursue a job with a different employer. Anna’s most current HR data, including the date of her last day with the company, is extracted from SAP ERP HCM to SAP NetWeaver Identity Management, so the system automatically unassigns or deletes Anna’s accounts as soon as her employment is terminated.

Within all of these scenarios, basic administration tasks, like entering an employee’s new role within a company, trigger the identity management solution to act. Yet everything happens behind the scenes. To the average business user, the process is a smooth transition with little action needed on the user’s part — or on the part of IT.
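To make the four scenarios concrete, here is an added, self-contained illustration (example code written for this walk-through, not SAP NetWeaver Identity Management’s own code): a minimal joiner/mover/leaver reconciler that maps an HCM position to a business role and the role to per-system entitlements, and on every HR event computes what to provision and what to revoke. The position names, role names and entitlement sets are constructed for the example.

```python
# Added example (not SAP code): event-driven joiner/mover/leaver reconciliation
# modelled on the Anna Smith scenarios; every name below is constructed.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed: HCM position -> business role (what the HR entry implies)
POSITION_TO_ROLE = {
    "Marketing Specialist": "marketing professional",
    "Marketing Manager": "marketing manager",
    "Communications Specialist": "communications professional",
}
# Constructed: business role -> (target system, entitlement) pairs it grants
ROLE_ENTITLEMENTS = {
    "marketing professional": {("email", "mailbox"), ("portal", "ess"),
                               ("crm", "marketing_user")},
    "marketing manager": {("email", "mailbox"), ("portal", "ess"), ("portal", "mss"),
                          ("erp", "budget_display"), ("crm", "marketing_manager")},
    "communications professional": {("email", "mailbox"), ("portal", "ess"),
                                    ("portal", "comms_content")},
}
@dataclass
class Identity:
    user_id: str
    role: Optional[str] = None
    entitlements: Set[Tuple[str, str]] = field(default_factory=set)
    active: bool = True

def apply_hcm_event(identity: Identity, event: dict):
    """Reconcile the identity against the role its latest HCM event implies.
    Returns (to_provision, to_revoke), the deltas a connector would push to the
    target systems; revocation comes from the same diff, so movers and leavers
    cannot accumulate stale access."""
    if event["type"] == "terminate":          # leaver: no role, nothing desired
        target_role, identity.active = None, False
    else:                                     # hire / promote / transfer
        target_role = POSITION_TO_ROLE[event["position"]]
    desired = ROLE_ENTITLEMENTS.get(target_role, set())
    to_provision, to_revoke = desired - identity.entitlements, identity.entitlements - desired
    identity.entitlements, identity.role = set(desired), target_role
    return to_provision, to_revoke

if __name__ == "__main__":
    anna = Identity("asmith")
    for ev in ({"type": "hire", "position": "Marketing Specialist"},
               {"type": "promote", "position": "Marketing Manager"},
               {"type": "transfer", "position": "Communications Specialist"},
               {"type": "terminate"}):
        add, drop = apply_hcm_event(anna, ev)
        print(f"{ev['type']:9} add={sorted(add)} revoke={sorted(drop)}")
```

Running the script prints, for each of Anna’s four events, the entitlements a connector would add and the ones it would revoke; the transfer step shows the SAP CRM access being removed and the termination step leaves the identity with no entitlements at all.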

SAP NetWeaver Identity Management streamlines provisioning to all target systems in your landscape

Setting Up SAP NetWeaver Identity Management and SAP Business Suite Scenarios: Prerequisites

So what do you need to get started with SAP NetWeaver Identity Management and the integration of your SAP Business Suite solutions? To use the capabilities we described in our Anna Smith example, customers must be running SAP Business Suite 7, enhancement package 4, and SAP NetWeaver Identity Management 7.1.² Within the SAP NetWeaver Identity Management solution, you’ll also need to set up the Virtual Directory Server (a tool available in SAP NetWeaver Identity Management 7.1) so that the server can receive data from SAP ERP HCM, as well as a staging area for the employee data with a corresponding identity store. Once the data has been transferred to the identity store, IT will work with business users to decide which employee data to assign to attributes in SAP NetWeaver Identity Management. This may involve mapping some or all of the relevant data fields of the SAP ERP HCM solution — including personnel number, position, hire date, personnel area, personal data, or telephone numbers — to SAP NetWeaver Identity Management.

Of course, your SAP ERP HCM system does not necessarily have to be the source for all identity attributes. Companies also have the option to set up SAP NetWeaver Identity Management so that the solution can take information like telephone numbers from other systems and then write them back to the employee record in your SAP ERP HCM system. SAP also allows IT to set up customized fields that meet their unique business needs.³ Once all this is done, the identity management process is turned over to the business process owners, who will then be responsible for setting up authorizations and roles.

Conclusion and Outlook

SAP NetWeaver Identity Management provides capabilities to help companies better secure their system landscape. And its integration with the SAP Business Suite and your company’s business processes further enables IT to automate and secure authorization across the board. SAP NetWeaver Identity Management moves the responsibility for managing these identity processes away from IT administrators to those who own — and know — the processes best.

In future releases of SAP NetWeaver Identity Management, SAP plans to enhance its integration efforts even further. For example, we’re working with partners to certify connectors to non-SAP landscapes to broaden the number of systems that the identity management solution manages. In addition to creating identities for employees, administrators will also be able to create user accounts for external contact persons in applications such as SAP CRM Partner Channel Management, and then trigger a data record export to SAP NetWeaver Identity Management, which creates identities for these external contacts.

For more information on SAP NetWeaver Identity Management, please visit

SAP NetWeaver Identity Management offers a high degree of flexibility regarding approval steps: The system can carry out all actions related to a role change automatically and without any further approvals. Or, you can choose to implement additional workflow approval steps.

Additional Resources

  • “SAP NetWeaver Identity Management: How Can You Leverage Its Benefits Now?” a Take Note! column by Dr. Franz-Josef Fritz and Torgeir Pedersen (SAP Insider, October-December 2008,

  • “Getting Started with Identity Management: A Roadmap for Automated, Regulated User Access to IT Resources,” a Security Strategies column by Keith Grayson (SAP Insider, April-June 2008,

  • The “Identity management, system administration, and SAP landscape optimization” track at the SAP NetWeaver BI and Portals 2010 event in Orlando, March 16-19, 2010 (

  • “Special Report: SAP Extends Functionality for Identity Management — A Harmonized Approach to Managing a Heterogeneous Landscape” (SAP NetWeaver Magazine, Spring 2008,

Regine Brehm ( is a Solution Manager for SAP NetWeaver Identity Management at SAP AG. She has several years of experience with SAP security solutions and has worked on SAP Security Product Management teams at SAP AG in Walldorf and SAP Labs in Palo Alto. Regine has also participated in creating security awareness campaigns, focusing on the human factor in IT and corporate security. She is currently part of the SAP NetWeaver Identity Management rollout team.

Jens Koster ( is a Solution Manager for SAP NetWeaver Identity Management at SAP AG. Since the acquisition of MaXware, Jens has been coordinating rollout activities around the SAP NetWeaver Identity Management solution. Since joining SAP as a Technical Security Consultant in 2000, he has designed customer solutions for SAP security architectures. Jens was also a trainer and course developer for the SAP Training Center in Walldorf.

1 See “Getting Started with Identity Management: A Roadmap for Automated, Regulated User Access to IT Resources” by Keith Grayson in the April-June 2008 issue of SAP Insider and “SAP NetWeaver Identity Management: How Can You Leverage Its Benefits Now?” by Dr. Franz-Josef Fritz and Torgeir Pedersen in the October-December 2008 issue ( [back]

2 For more information on installing SAP NetWeaver Identity Management 7.1 and defining business roles within it, visit → SAP NetWeaver Identity Management 7.1 → Documentation. [back]

3 Using transaction LDAPMAP, IT can map your SAP data fields to attributes within your identity management directory. The actual data extraction is then handled by a report that can be scheduled as needed. This technical information goes beyond the scope of this article, but interested readers can access documentation at for more information. [back]
