Simplify Administration and Extend User Management into the Cloud with SAP Identity Management 8.0

by Thomas Wolfer and Regine Schimmer | SAPinsider, Volume 16, Issue 2

April 2, 2015

Managing digital access to user identity data is a security and regulatory imperative. Learn more about SAP Identity Management 8.0, which includes a new Eclipse-based development environment, a connector for SuccessFactors Employee Central, and several other enhanced features to make user management easier.

 

In the age of digital access across increasingly heterogeneous environments and diverse business solutions, maintaining control over user identities is not optional. Managing access is not only critical to the security and productivity of an organization — regulations require it. To help customers gain the control they need over identity data, SAP provides the SAP Identity Management (SAP ID Management) solution. SAP ID Management enables organizations to centrally manage user access according to roles and authorizations across heterogeneous landscapes — including SAP and non-SAP systems. It supports rule-driven workflow and approval processes, extensive logging and reporting functionality, and compliance through integration with solutions such as SAP Access Control.[1]

At the end of 2014, SAP released a new version of SAP ID Management to meet customers’ evolving needs. Release 8.0 contains a number of new features that make administrators’ lives easier — in particular, a completely revamped development environment for configuring the solution, and the ability to take your organization’s on-premise identity management processes to the cloud with a new connector for SuccessFactors Employee Central. Here, we take a closer look at these two key enhancements, and how they help organizations tackle their user management needs.

SAP ID Management Developer Studio

Release 8.0 of SAP ID Management introduces a new Eclipse-based development environment — SAP ID Management Developer Studio — for configuring user management. SAP ID Management Developer Studio replaces the Identity Center management console included in previous versions of SAP ID Management,[2] and was designed in close collaboration with SAP customers to provide the functionality that users need most.

Using the Eclipse development environment enables SAP ID Management Developer Studio to work well with other major Eclipse-based SAP development tools,[3] such as the SAP HANA studio, the ABAP development tools for SAP NetWeaver (known as ABAP in Eclipse),[4] and SAP HANA Cloud Platform, as well as Eclipse-based tools from third-party vendors. Installation is easy — simply install a standard Eclipse IDE from eclipse.org (the minimum required version is currently Kepler), and then use its built-in plugin installation mechanism with SAP’s central Eclipse update site (https://tools.hana.ondemand.com)[5] to install SAP ID Management Developer Studio. Deployment of patches, service packs, and new releases through the standard Eclipse update mechanism is also simple and straightforward.

Figure 1 shows the SAP ID Management Developer Studio perspective in the Eclipse development environment. It includes a content tree view, which contains all of the components of a user management configuration; a job content view and details view for displaying the properties of defined workflow tasks; an editor view for custom configuration development and modeling; and a job log view and details view for debugging purposes.

SAP ID Management Developer Studio includes several new features that enhance the security and usability of identity management, including a new concept for user access management, a configuration package approach, a graphical workflow modeler, and a dedicated JavaScript editor.

 

Figure 1 — SAP ID Management Developer Studio

 

Enhanced Security with User Access Management

To enhance security while managing multi-user environments, SAP ID Management Developer Studio introduces a new user authorization concept based on the user management engine (UME) included with SAP NetWeaver Application Server (SAP NetWeaver AS) Java.

Previous versions of SAP ID Management required developers to directly connect to the SAP ID Management database with a database user account to perform configuration tasks with the Identity Center management console. With SAP ID Management Developer Studio, developers no longer connect directly to the SAP ID Management database. Instead, a developer must have a valid user account for the UME. A service, deployed and configured as part of SAP NetWeaver AS Java, authenticates SAP ID Management Developer Studio users against the UME, which now controls access to all SAP ID Management configuration, management, and monitoring activities. This is a more secure approach, since the user does not have to directly authenticate with the underlying database.

Access to the configuration data is customizable on a fairly detailed level. This customization is enabled by a new concept that allows the grouping of configuration items into packages and supports separate access levels for read-only viewing, as well as modification by import, development, layout development, and ownership of a package.

Note: In addition to Eclipse, SAP ID Management Developer Studio requires an SAP ID Management backend running on SAP NetWeaver Application Server Java 7.30 or higher, and a configured SAP ID Management database. Detailed information on how to implement SAP ID Management 8.0 and its components is available from SAP’s online help portal at http://help.sap.com/nwidm80.

Simplified Configuration Management with Configuration Packages

SAP ID Management Developer Studio introduces a package concept that simplifies the management of the various elements that make up a user management configuration. Rather than maintaining a single global pool of variables and constants, for instance, for a user management configuration, developers manage the components of the configuration — including scripts, frameworks, and connectors — on the package level, defining and creating them to meet their particular needs.

To make any changes to the components within a configuration package, a developer must check out the package and then check it back in to activate the changes. This approach, together with the access control provided by the UME, eliminates potential conflicts between multiple users accessing and changing the configuration content in parallel. In addition, version control functionality enables you to easily revert to a previous version of a package to undo any changes to the configuration within that package.

Configuration packages also simplify the import and export of configuration changes across SAP ID Management systems and landscapes by enabling the distribution of multiple changes within a single package.

Visual Workflow Design with a Graphical Modeling Tool

To ease the task of building the process logic required for workflows such as approvals in a user management configuration, SAP ID Management Developer Studio includes a graphical workflow modeler for designing and visualizing the structure and sequence of the tasks and other processes that make up the workflow. 

Figure 2 shows the graphical process flow diagram design canvas open in the editor view in SAP ID Management Developer Studio. Previously, in the Identity Center management console, workflows were modeled using a tree view, which is still offered in read-only mode via a tab at the bottom of the design canvas for those who are accustomed to this view.

 


Figure 2 — Adding a process to a process workflow with the graphical workflow modeling tool

 

To define a workflow process using the modeling tool, simply select a previously defined or imported process in the content tree (in the example, the process “DoIt”) and place it on the design canvas. Using the palette on the right, you then complete the process logic by adding tasks, such as conditional or switch tasks, or other processes to the flow diagram and setting their relationships. You can also easily add more processes from your configuration packages by dragging them from the content tree to the flow diagram canvas. The modeling tool also includes an auto layout function that will arrange and reformat the diagram while you are working on it.

Coding Support with a JavaScript Editor

For custom development content that you are implementing via the built-in JavaScript engine for SAP ID Management, SAP ID Management Developer Studio includes a dedicated JavaScript editor that offers a number of improvements over the Identity Center management console editor. These enhancements include a variety of utility functions to make development tasks easier, such as JavaScript syntax highlighting, auto-completion functionality, and automatic tooltips.

Figure 3 shows the development of a custom script for calculating an attribute of an entry in an identity store, which is a central repository for managing identity information with SAP ID Management. As you can see, upon entering the first characters of a JavaScript utility function for SAP ID Management, auto-completion suggestions are offered along with information on the function’s signature, which is shown as a tooltip.

 

Figure 3 — The JavaScript editor includes syntax highlighting, code completion, and tooltips to help make development tasks easier

 

Identity Management for the Cloud

In addition to the Eclipse-based development environment, release 8.0 of SAP ID Management extends its connectivity framework to the cloud with a new standard connector to SuccessFactors Employee Central, a software-as-a-service (SaaS) solution that enables companies to handle enterprise-grade HR processes in a cloud environment.

SuccessFactors Employee Central provides support for any combination of business units — from financials to analytics — and allows HR to model workforces and job structures without code or complicated manual processes. Designed for large numbers of cloud users, it features a user-friendly experience for every role in the company, including simple user interfaces, wizards, and self-services, as well as flexible workflows. Integration capabilities and connectors enable process flows between SuccessFactors Employee Central and related business applications, such as SAP ERP Financials, SAP Payroll, and SAP solutions for governance, risk, and compliance.

The new connector — delivered as a configuration package with SAP ID Management 8.0 — offers out-of-the box integration with the SuccessFactors Employee Central solution, extending your on-premise user administration to the cloud to enable identity management across corporate boundaries and to provide a single source of identity data. With this connector, your cloud-based users can benefit from the look and feel of SuccessFactors Employee Central while the organization ensures extensive and reliable control over user identities with SAP ID Management. Depending on your organization’s requirements, either SuccessFactors Employee Central or SAP ID Management can serve as the system from which user information is provisioned.

Additional Features Included in SAP Identity Management 8.0

In addition to its two major enhancements — the new Eclipse-based development environment and the connector for SuccessFactors Employee Central — release 8.0 of SAP ID Management includes more new features:

  • The administrator web user interface has been enhanced and adapted to the new configuration concepts. For example, to facilitate simple reuse of settings for a particular connector, release 8.0 introduces repository types, which are delivered as packages with the provisioning framework for standard connectors. These are configured in SAP ID Management Developer Studio and then managed from the web user interface.
  • A new dispatcher management tool has been introduced that simplifies starting, stopping, creating, and deleting SAP ID Management dispatchers to optimize the execution of queued SAP ID Management jobs, such as workflow and provisioning jobs.

More information on these and other enhancements is available at http://scn.sap.com/community/idm.

An Example Scenario

Let’s look at an example of how integrating SuccessFactors Employee Central and SAP ID Management might work. Figure 4 illustrates the onboarding of a newly hired employee, where SuccessFactors Employee Central is the leading system:

  1. Once a new user is registered in SuccessFactors Employee Central, the system can provision the information via a pull mechanism in delta mode to SAP ID Management, along with any preassigned roles and access rights.
  2. SAP ID Management then performs its own functions, such as calculating entitlements based on the user’s position.
  3. If SAP Access Control is integrated with SAP ID Management, the user’s relevant roles can next go through a segregation-of-duties check to ensure that there are no conflicting roles that could result in employee fraud.
  4. Built-in workflows in SAP ID Management ensure the necessary approvals from line managers or IT administrators.
  5. The user is then provisioned to the connected SAP and non-SAP target systems.

Note: The SuccessFactors connector is shipped as a separate package in the provisioning framework for SAP ID Management 8.0. To install it, simply import the package com.sap.idm.connector.sfsf - com.sap.idm.connector.sfsf.idmpck into your SAP ID Management database.

In an alternative scenario, SAP ID Management could be set up as the leading system where employee information is entered (step 1) and the user can be provisioned to SuccessFactors Employee Central (step 5).

 

Figure 4 — Employee onboarding with SuccessFactors Employee Central and SAP ID Management

 

A Comprehensive Solution for User Management

SAP ID Management has evolved into a comprehensive user administration solution for SAP and non-SAP applications within and beyond the enterprise — and by extending its functionality into the cloud, release 8.0 represents a step toward a truly holistic approach to identity management. Based on customer feedback, SAP has added features to the latest release that make identity administration more convenient and less error-prone, both in large and small ways (see the sidebar “Additional Enhancements Included in SAP Identity Management 8.0”). Going forward, SAP intends to continue along this path by investing its development resources into the capabilities its identity management customers need. 

To learn more, visit the SAP ID Management page at SAP Community Network (http://scn.sap.com/community/idm) along with the product roadmap at SAP Service Marketplace (https://websmp202.sap-ag.de/~sapidb/011000358700001087162013E.pdf).

 

 

1 For additional background information on SAP ID Management, see the SAPinsider articles “A Safe Harbor in a Rising Tide of Threats” by Gerlinde Zibulski and Gert Schroeter (October-December 2014) and “What’s New in SAP NetWeaver ID Management 7.2?” by Regine Schimmer and Gerlinde Zibulski (October-December 2011).

2 Content that has been developed in the Identity Center management console can be imported into SAP ID Management Developer Studio.

3 Additional information on SAP’s Eclipse-based development tools is available at https://tools.hana.ondemand.com.

4 For more on ABAP in Eclipse, see Karl Kessler’s SAPinsider articles “Take Your SAP Solutions to New Heights with the Latest Release of SAP NetWeaver 7.4” (April-June 2014); “End-to-End Development Scenarios from SAP: Bridging the On-Demand and On-Premise Divide with SAP Tools for Eclipse” with Monika Kaiser (October-December 2013); and “Turbocharge Your ABAP Development with Innovation from Eclipse” (October-December 2012).

5 Known as the SAP Release Train for Eclipse, SAP’s central Eclipse update site contains a delivery of Eclipse-based SAP tools that ensures compatibility among the tools and with a particular Eclipse release.

Thomas Wolfer

Thomas Wolfer (thomas.wolfer@sap.com) has been with SAP as part of its Technology team for more than 15 years. He is the product owner and program lead for SAP Identity Management.


Regine Schimmer

Regine Schimmer (regine.schimmer@sap.com) is a Product Manager for SAP Identity Management and SAP Single Sign-On at SAP SE in Walldorf. She has more than 10 years of experience with SAP security solutions.


