For customers who need to securely and efficiently manage users’ access to applications while also meeting audit and compliance requirements, SAP NetWeaver Identity Management (SAP NetWeaver ID Management) has proven crucial. SAP NetWeaver ID Management has been constantly evolving since its launch, with the addition of new functionality — including identity federation and reporting tools — to help meet users’ changing needs. The 7.2 release of SAP NetWeaver ID Management continues that trend, introducing new features and improvements. What can you expect in the 7.2 release? Let’s take a closer look.
Improved Identity Federation and Single Sign-On Capabilities
For some time, SAP NetWeaver ID Management has included identity federation capabilities to enable single sign-on (SSO) among federation partners across company boundaries. In previous releases, SAP offered identity provider (IdP) and service provider (SP) functionality, as well as improved SAML 2.0 capabilities.[1]
Now, with the 7.2 release, SAP will also offer a security token service (STS). This new functionality enhances identity federation, enabling companies to implement SSO in a web-service environment. This means customers can implement SAML 2.0 for business-to-business scenarios in which no user interaction is involved and all interoperability is based on web services. This solution passed the Kantara Initiative’s interoperability tests at the beginning of the year.[2]
New Reporting and Analytics Capabilities
SAP NetWeaver ID Management 7.2, when used in conjunction with SAP NetWeaver Business Intelligence (SAP NetWeaver BI), now offers valuable reporting capabilities.[3] Some of these features, such as the new analytics functionality, were released in SAP NetWeaver ID Management 7.1, support package 5, and SAP NetWeaver BI 7.0, support package 5.[4]
The latest version of this analytics functionality allows users to create their own reports or run one of 18 predefined reports. Users can then analyze data for a date range or a specific date, or analyze all historic data for a given entity.
Context-Based Role Management
Context-based role management is one of the major innovations available with SAP NetWeaver ID Management 7.2. It adds a “context” attribute — such as a region, project, or organizational unit — to a role, reducing the number of roles (or privileges) needed to map user authorizations or rights in the back-end system. The context carries the granularity while keeping the number of required roles at a minimum. Administrators therefore maintain fewer roles, which pays off when the company’s organizational structure changes later, because far less clean-up work is needed.
To illustrate how useful and time-saving this functionality is, just imagine that you are part of a major retail chain, with multiple locations in a country. You want to set up an authorization concept that grants users access to certain systems but limits the number of a given type of role. In standard role and authorization concepts, your security administrator would have to create a “Store Manager” role for every store. Since your company has more than one store in each city, you’d have to create a large number of roles, which means more work for administrators who have to maintain, update, and manage these roles.
With new, context-based role management functionality available in SAP NetWeaver ID Management 7.2, you would be able to assign a context to the Store Manager role. In this case, the context would be store location. This allows you to create the Store Manager business role only once. Thus, you can handle complexity using the context to reflect the multitude of locations and limit the number of roles. It is far easier to manage a multitude of contexts than a multitude of roles and authorizations.
The added context can then be used through set rules to map and provision the right ABAP back-end roles or non-SAP privileges to the user. Since the context is a multi-value attribute, it can also contain a combination of data, including ranges of cost centers, single entries for company codes, and personnel areas.
Technically, companies with ABAP-based back ends will still require a greater number of roles because of the ABAP authorization concept, but they can still use the context assignment in combination with rules configured in the identity management system to automate the ABAP role assignment from one or a few business roles.
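To make the role-explosion argument concrete, here is an added Python example. It is not code from the article or from SAP NetWeaver ID Management; the store IDs, cost centers, business role, back-end privilege names, the rule format and the range notation are all constructed for illustration. It contrasts a classic catalog with one back-end role per store against a single "Store Manager" business role whose multi-value context attribute is mapped to back-end privileges by configured rules, and shows that a reorganization only touches context data, not the role definition.

```python
from dataclasses import dataclass, field
from typing import Callable

# --- Constructed sample data (not from the article) --------------------------
STORES = {"BER-01": "DE-East", "BER-02": "DE-East",
          "MUC-01": "DE-South", "MUC-02": "DE-South"}


@dataclass
class Rule:
    """One mapping rule: business role + context attribute -> back-end privilege.

    `privilege` builds the privilege name from a single context value.
    """
    business_role: str
    context_attr: str
    privilege: Callable[[str], str]


@dataclass
class User:
    uid: str
    business_roles: set = field(default_factory=set)
    # The context is a multi-value attribute: attribute name -> set of values.
    # A value may be a single entry ("DE01") or a numeric range ("1000-1002").
    context: dict = field(default_factory=dict)


def classic_role_catalog(stores):
    """Classic model: one back-end role per store, so the catalog grows with
    every new location and each role must be maintained separately."""
    return {f"Z_STORE_MANAGER_{store}" for store in stores}


def expand_range(value):
    """Expand a numeric range such as '1000-1002' into its single values.
    Non-numeric values (store IDs like 'BER-01') are returned unchanged."""
    lo, _, hi = value.partition("-")
    if lo.isdigit() and hi.isdigit():
        return {str(n) for n in range(int(lo), int(hi) + 1)}
    return {value}


# Hypothetical rule set: one business role, several context dimensions.
RULES = [
    Rule("Store Manager", "store", lambda v: f"Z_STORE_MGR_{v}"),
    Rule("Store Manager", "cost_center", lambda v: f"Z_CC_DISPLAY_{v}"),
    Rule("Store Manager", "company_code", lambda v: f"Z_FI_POST_{v}"),
]


def provision(user, rules=RULES):
    """Apply the rules: for every business role the user holds, derive the
    back-end privileges from the user's context values."""
    privileges = set()
    for rule in rules:
        if rule.business_role not in user.business_roles:
            continue
        for raw in user.context.get(rule.context_attr, set()):
            for value in expand_range(raw):
                privileges.add(rule.privilege(value))
    return privileges


def move_store(user, old_store, new_store):
    """Reorganization: the user's store context changes, the business role and
    the rules do not. Returns the re-provisioned privilege set."""
    stores = user.context.setdefault("store", set())
    stores.discard(old_store)
    stores.add(new_store)
    return provision(user)


def demo():
    """Classic catalog size vs. context-based provisioning for one user."""
    alice = User("alice", {"Store Manager"}, {
        "store": {"BER-01", "BER-02"},
        "cost_center": {"1000-1002"},
        "company_code": {"DE01"},
    })
    return len(classic_role_catalog(STORES)), provision(alice)


if __name__ == "__main__":
    classic_count, privs = demo()
    print(f"classic catalog: {classic_count} roles; context-based: 1 business role")
    print("provisioned privileges:", sorted(privs))
```

The point to check in a real deployment is the rule set, not the role list: because the context attribute is multi-valued and may contain ranges, a single mistyped range ("1000-1999" instead of "1000-1009") silently grants many more back-end privileges than intended, so rule changes deserve the same review as role changes.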
Improved Enterprise Readiness
In SAP NetWeaver ID Management 7.2, SAP has worked to improve several areas to make the solution more enterprise-ready.[5] For example:
- Customers can upload and download configuration data with updated transport management functionality, rather than having to make manual changes or import scripts. This configuration data originates from the Microsoft Management Console, which configures the Identity Center tasks and jobs, includes constants, and can optionally include the configuration data of the Virtual Directory Server.
- The 7.2 release ships with predefined user interfaces (UIs) for users and administrators. These UIs come in the form of guided tasks. A new extension framework also adds to UI enhancements, allowing users to set default values or value checks within the UIs. For flexibility, we also offer a web services API that allows customers to develop their own UIs for special end-user scenarios. The API uses web standards and supports a number of programming languages.[6]
- The assignment of roles to users has been enhanced. Users can now set a workflow status and have it take effect without waiting for a valid “from date” that might lie in the future. New task request functionality also helps users report on the final status of a workflow that got split into multiple assignments.
The new release provides a configuration analyzer in the job management console to help customers determine their system status and change needs for upgrading from SAP NetWeaver ID Management 7.1 to 7.2.
Centralized User Management for All SAP Environments
For years, SAP customers used SAP’s Central User Administration (CUA) tool to enable centralized user management within their ABAP-based SAP environments. Instead of having to administer users in every individual SAP system, administrators could change global user attributes, more easily assign and remove roles, and make mass user changes within a single system. The CUA is, of course, a useful tool, but it is limited to the ABAP world, a severe restriction in today’s heterogeneous IT landscapes.
SAP NetWeaver ID Management, as of release 7.2, is now the successor of the CUA. This release adds support for non-ABAP systems, as well as rule-based role assignment and role hierarchy modeling, cross-system role assignment, workflow support, and more comprehensive password management capabilities.
A migration from CUA to SAP NetWeaver ID Management can be planned as a “big-bang” implementation approach, in which the former CUA systems are decoupled from the CUA central system and connected to SAP NetWeaver ID Management to transport a load of identity data in one step (see Figure 1). Alternatively, companies can handle the migration using a smooth cutover approach, in which SAP NetWeaver ID Management is connected both to the central system and the CUA daughter systems. Then, one by one, the administrator can move a back-end system’s data load into SAP NetWeaver ID Management, decouple the back end from the CUA central system, and enable provisioning for the system in SAP NetWeaver ID Management.
Enhanced Integration with the SAP Product Family
SAP NetWeaver ID Management 7.2 is rooted even more deeply within the SAP portfolio. For example, with SAP NetWeaver ID Management 7.1 and SAP BusinessObjects Access Control 5.3, SAP has ensured compatibility between these products to help make identity management an integral part of a company’s governance, risk, and compliance (GRC) processes.[7] The solutions’ latest releases (7.2 for the identity management solution and 10.0 for the access control solution) offer new scenarios for the integrated creation and distribution of business roles.
Additionally, the ties between SAP NetWeaver ID Management and the SAP Business Suite are being continuously developed and extended to eliminate even more manual user administration steps within SAP business applications.
SAP NetWeaver Identity Management 7.2 offers valuable new features that provide innovative, future-proof technologies. In addition, we have improved a number of existing functions to help companies ensure their identity management processes run effectively and efficiently. SAP NetWeaver ID Management is a flexible and dynamic tool that can be highly customized to meet your exact requirements, and will continue to evolve in future releases.
For more information, visit www.sdn.sap.com/irj/sdn/nw-identitymanagement?rid=/webcontent/uuid/50877d57-a9ae-2d10-e7ae-915169263d49.
Regine Schimmer is a Solution Manager for SAP NetWeaver Identity Management. She has several years of experience with SAP security solutions and has worked on SAP Security Product Management teams at SAP AG in Walldorf and SAP Labs in Palo Alto, California.
Gerlinde Zibulski has been with SAP for more than 11 years. Since 2001, Gerlinde has specialized in the security features and functions of SAP and is now Head of the Product Management Team for Security and Identity Management.
[1] See “Taking SSO to the Next Level” by Dimitar Mihaylov and Yonko Yonchev in the July-September 2010 issue of SAPinsider.
[2] See http://kantarainitiative.org for more information.
[3] SAP will continue to support the more static reporting capabilities that are available when using SAP Crystal Reports with SAP NetWeaver ID Management.
[4] See “Run Dynamic Reports on Your SAP NetWeaver ID Management Data for Quicker, Easier Identity Management Insight” by Gerlinde Zibulski and Heiko Ettelbrück in the January-March 2011 issue of SAPinsider.
[5] More information on these topics can be found at www.sdn.sap.com/irj/scn/index?rid=/media/uuid/30c33268-83ac-2d10-3699-896f727115fc.
[6] Customers interested in this API can visit www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/24322 to learn more.
[7] To learn more about this integration, see Jens Koster and Regine Schimmer’s articles, “Identity Management That’s Integrated into Your Current Business Processes” in the July-September 2009 issue of SAPinsider and “Make Compliance a Seamless Part of Your Security Workflow” in the April-June 2010 issue.