|University of Basel
|Headquarters: Basel, Switzerland
- Established in 1460
- Over 18,000 student and employee accounts
- SAP NetWeaver Identity
- SAP ERP 6.0
- SAP for Higher Education & Research industry solution
- SAP NetWeaver Portal
- SAP ERP HCM
- SAP SRM
Every organization, whether it has hundreds or thousands of employees, needs a way to manage the identities of the individuals it hires. As companies grow, it becomes more and more difficult to keep track of these user roles, identities, and access rights. Truly managing a flux of individual identities now requires a much more complex system than just simple logins and passwords.
Switzerland’s University of Basel was founded in 1460, long before the Internet, email, and electronic identities. Currently, the university must track over 18,000 student and employee accounts. To accommodate this growing number of accounts and prepare for the future, the university realized it must improve and simplify its outdated identity management system. It needed a more consistent way of handling not only passwords, but more importantly, the identities of the individuals assigned to hold the keys to the university’s back-office, IT, and operations systems.
The project that hoped to be the answer to the university’s upcoming identity crisis involved a migration to SAP NetWeaver Identity Management 7.0.
Motivators for the Project
“One of the main reasons for the project was to be fit for the future,” says Tobias Marquart, a developer and project leader of the University of Basel’s SAP NetWeaver Identity Management migration.
The previous system had grown so much over time that it had become literally unmanageable, and the inability to extend the old system was an inhibitor for the university to move forward.
The Risks and Limits of the Legacy System
The system that the university was replacing was inherently flawed for another reason: the knowledge of the system fell to one expert who had, over the years, created a custom system for handling employees, professors, and students.
“Our basic issue was that we had only one person familiar with the system so all the knowledge was in one place,” says Marquart.
What’s more, because this system had started growing years ago — before advances in security technology — no one could say for sure how tight or porous it actually was. “The system used self-designed protocols with weak security — there were passwords and access control lists but no encryption,” Marquart says.
There were also new business requirements the university wanted to support but either weren’t able to do with the old system at all or weren’t possible at a reasonable cost. “With the new system, we can now much more easily add other systems and features,” he says.
Turning to a Standard Solution
One lesson the university learned from its legacy identity management system is that it didn’t want to make the same mistake twice by creating a custom solution. SAP NetWeaver Identity Management was the standard solution the university was looking for, but it was new and unfamiliar.
“We didn’t want to implement the tool without having contact with customers who were using it already, and this was really difficult,” Marquart says. As the university was evaluating the solutions, SAP had recently released SAP NetWeaver Identity Management.
Finding others who had been through a similar project — and who were willing to share their lessons learned — was certainly a challenge. “Identity management is more or less a security issue. So most customers implementing the systems have nondisclosure agreements and you can’t get information about it,” Marquart says.
To help with the project, the university turned to one of SAP’s partners, BT (Germany) GmbH, an IT services consulting company that already had several years of hands-on experience implementing SAP NetWeaver Identity Management. So the university selected BT as its implementation partner for the project.
What SAP NetWeaver Identity Management Connects
SAP NetWeaver Identity Management provides a central mechanism for managing user identities across multiple, heterogeneous applications using role-based controls that provide access only to the systems a user requires. When a user’s role changes, so does the user’s access. Once administrators set up the roles, SAP NetWeaver Identity Management synchronizes permissions across different systems and directories, even systems not based on SAP technologies.
Like any large business, the University of Basel has many departments, as well as different SAP and non-SAP solutions to run them. The university uses SAP ERP Human Capital Management (SAP ERP HCM) and the SAP Student Lifecycle Management application, part of the SAP for Higher Education & Research industry solution. An ideal identity management system would connect to these SAP systems — set up independently in a first-phase rollout — and then integrate more tightly with other university systems in future phases.
Successful Migration to the New System
SAP NetWeaver Identity Management now receives student data from SAP Student Lifecycle Management and automatically assigns resources — such as email accounts and VPN access — to new students. During the registration process, students choose their personal email address and then configure their mailbox settings using the system’s self-service features.
When students leave the university, their accounts are automatically deactivated according to the university’s IT usage policies. For faculty and staff, data is delivered to the new system from SAP ERP HCM, which holds the master data for employee identities. As with student data, employee accounts are automatically terminated when someone retires or leaves the university.
The new system also supports management of guest accounts. Guests simply register with the university’s computing center and are assigned accounts and privileges automatically. Only deviations from the standard access permissions have to be assigned by the staff now.
An Established Audit Trail
In addition to simply letting university staff more efficiently create and automatically change or deactivate accounts, the new SAP NetWeaver Identity Management system provides an audit trail, which clearly identifies all user access to the identity management system. “You can see and watch who’s doing what on the system right now, or has done, and see which processes have been called by a person. So you have a lot of control,” Marquart says.
The open WiFi channels across the university allow access to the Internet. However, to further lock down the university systems, all traffic is funneled through a client-based VPN program, which also provides secure access to inter-university shared resources.
“Everything in the new system is in a database where the passwords are encrypted. Because the server is secured, individuals without the appropriate permissions don’t get access to this data,” Marquart says. More importantly, you can actually see deep into an audit trail of identity management activity.
The Challenge of Managing Complex, Overlapping Roles
Most businesses have fairly straightforward roles: titles map directly to certain tasks that map directly to access requirements. In a university, there’s much more overlap. A student might also be a university employee — or, in more complex scenarios, a PhD student may also teach some lower-level courses and be an employee for one of the university’s research labs. The old system didn’t support multiple roles under a single account; students with more than one role in the university would require multiple accounts (student, teacher, and employee).
While SAP NetWeaver Identity Management offers a workaround for those types of complex situations, it does not support multiple roles for a single identity by default — a challenge when managing identity data across its entire lifecycle. “That was actually one of the tougher parts — getting these roles together and supporting an individual life cycle for each role,” says Andreas Müller, a solutions architect for BT’s Global Professional Services team that led the SAP NetWeaver Identity Management implementation for the University of Basel.
“Basically, each of those roles can end independently, and to have all those transitions correct, to revoke privileges and assign the correct ones, some attributes have to be deleted — that was challenging,” Müller explains. This required some technical and process design on the part of the project team.
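The independent role lifecycles Müller describes can be modelled as entitlements derived from whichever roles are active on a given date, so that ending one role revokes only what no remaining role still justifies. This is an added illustration, not the project’s configuration and not SAP NetWeaver Identity Management’s scripting API; the role names, entitlement catalogue and dates are constructed for the example.

```javascript
// Illustrative model (added example, not SAP IdM code): one identity holds
// several roles that each start and end independently. Entitlements are the
// union over the roles active on a date, so revocation is computed as a diff.

// Hypothetical entitlement catalogue per role (constructed for this example).
const ROLE_ENTITLEMENTS = {
  student:  ["mail", "vpn", "elearning"],
  teacher:  ["mail", "vpn", "elearning", "grading"],
  employee: ["mail", "vpn", "hr-self-service"],
};

// A role is active from `start` through `end` inclusive (ISO date strings,
// so lexicographic comparison is chronological); end === null is open-ended.
function activeRoles(roles, asOf) {
  return roles.filter(r => r.start <= asOf && (r.end === null || asOf <= r.end));
}

// Sorted union of entitlements granted by the roles active on `asOf`.
function entitlements(identity, asOf) {
  const out = new Set();
  for (const r of activeRoles(identity.roles, asOf)) {
    for (const e of ROLE_ENTITLEMENTS[r.name] || []) out.add(e);
  }
  return [...out].sort();
}

// What to revoke and grant when moving from one date to the next, and
// whether the account itself should be deactivated (no role left at all).
function transition(identity, fromDate, toDate) {
  const before = new Set(entitlements(identity, fromDate));
  const after = new Set(entitlements(identity, toDate));
  return {
    revoke: [...before].filter(e => !after.has(e)).sort(),
    grant: [...after].filter(e => !before.has(e)).sort(),
    deactivateAccount: activeRoles(identity.roles, toDate).length === 0,
  };
}

// Constructed sample: a PhD student who also teaches and works in a lab.
const phd = {
  id: "u-constructed-001",
  roles: [
    { name: "student",  start: "2008-09-01", end: "2009-07-31" },
    { name: "teacher",  start: "2008-09-01", end: "2009-01-31" },
    { name: "employee", start: "2008-10-01", end: "2009-03-31" },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(transition(phd, "2009-01-31", "2009-02-01")); // only grading goes
  console.log(transition(phd, "2009-07-31", "2009-08-01")); // last role ends
}
```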
Extending SAP NetWeaver Identity Management
When users enter the system through the Web interface, they are granted access based on their assigned roles. A standard user has limited service access, but an administrator has access to every single function that’s implemented. Creating a system that was able to distinguish these differences required a fair amount of customization. “We logically separated the front end into several front ends, more or less, and restricted the access to each of them,” says Müller.
Even before the implementation team created the correct business rules for handling changing roles and access rights, they had to puzzle out which individual accounts and identities from the previous system belonged to the correct employee record from SAP ERP HCM.
“You can extend the features of the SAP NetWeaver Identity Management tool through scripts,” Müller says. “So for many parts of the system, you can add custom logic. We wrote a short script that looks at the data that it gets from the source system — from SAP Student Lifecycle Management, for example, or from SAP ERP HCM — and compares it to and looks for matching entries in the identity database. That logic is basically custom coded for this purpose.”
While the data on identities and roles were imported and modified from the old system, the main challenge was not only to simplify the system’s processes and rules, but to clean the existing identity management data, too. The old system had experienced some significant sprawl, growing and spreading over the years, so that a single type of user access might have several different methods for creating or expiring it. Müller and Marquart’s goal, however, was a smooth switchover, one so transparent that people wouldn’t notice that the new identity management system had taken over.
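The matching script Müller describes, and the sprawl of several old accounts per person, together suggest a reconciliation rule of the kind sketched below: link on the authoritative key, fall back to a weaker key only when it is unambiguous, and send ambiguous matches to a person rather than auto-linking them. This is an added example, not the university’s or BT’s script and not SAP NetWeaver Identity Management’s API; the field names and records are constructed.

```javascript
// Illustrative reconciliation (added example): match incoming HR records
// against an existing identity store. Only the personnel number is treated as
// authoritative; a name+birthdate match links only when exactly one candidate
// exists, because auto-linking on a weak key can hand one person's access to
// another. Several hits go to manual review, no hit means a new identity.

// Normalise name fields so spacing and case differences don't defeat matching.
function norm(s) {
  return (s || "").trim().toLowerCase().replace(/\s+/g, " ");
}

// Existing identity store (constructed). u1002 and u1003 are two old,
// unlinked accounts of the same person, as the legacy system's sprawl produced.
const identityStore = [
  { uid: "u1001", personnelNo: "P-0042", last: "Beispiel", first: "Urs",  born: "1975-11-12" },
  { uid: "u1002", personnelNo: null,     last: "Muster",   first: "Anna", born: "1980-05-01" },
  { uid: "u1003", personnelNo: null,     last: "Muster",   first: "Anna", born: "1980-05-01" },
  { uid: "u1004", personnelNo: null,     last: "Neu",      first: "Eva",  born: "1990-01-01" },
];

// Incoming HR feed (constructed). personnelNo is the key the source owns.
const hrFeed = [
  { personnelNo: "P-0042", last: "Beispiel", first: "Urs",   born: "1975-11-12" },
  { personnelNo: "P-0099", last: "muster",   first: "Anna",  born: "1980-05-01" },
  { personnelNo: "P-0100", last: "Neu",      first: " Eva ", born: "1990-01-01" },
  { personnelNo: "P-0101", last: "Frisch",   first: "Hans",  born: "1985-03-03" },
];

// One decision per source record: link (with the key used), review, or create.
function reconcile(feed, store) {
  return feed.map(rec => {
    const strong = store.filter(id => id.personnelNo === rec.personnelNo);
    if (strong.length === 1) {
      return { personnelNo: rec.personnelNo, action: "link", uid: strong[0].uid, by: "personnelNo" };
    }
    // Weak key: only identities not yet bound to some other personnel number.
    const weak = store.filter(id => id.personnelNo === null &&
      norm(id.last) === norm(rec.last) && norm(id.first) === norm(rec.first) &&
      id.born === rec.born);
    if (weak.length === 1) {
      return { personnelNo: rec.personnelNo, action: "link", uid: weak[0].uid, by: "name+birthdate" };
    }
    if (weak.length > 1) {
      return { personnelNo: rec.personnelNo, action: "review", candidates: weak.map(w => w.uid) };
    }
    return { personnelNo: rec.personnelNo, action: "create" };
  });
}
```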
Small Window of Opportunity
The optimal timeframe for the migration and start of the new system was a two-week window just after the end of a semester, when the system wouldn’t be required for student registration. If the implementation team missed the window, they would have to wait out an entire semester, all the while continuing to support the old identity management system.
The initial design and configuration process started in August 2008 and took three months to complete with a three-member team: two full-time developers and one person doing the testing. After the university conducted its own testing, the system was ready for the end-of-semester transition and go-live at the end of December 2008.
While the implementation team did a good job testing core functionality — so that account provisioning and de-provisioning worked well — in hindsight, Marquart says the team underestimated end-user administrator requirements and acceptance.
Working Through a Couple Snags
One potentially troublesome issue arose in December: When new staff members or guests register with the university, the registration office staff must enter all the data and generate a letter that contains the individual’s access details and password — email accounts, VPN information, and the like.
“This letter has to be printed out and handed immediately to the customer. Of course, they shouldn’t have to wait very long, so the response time should be very fast,” Müller explains. A slow response time would leave many people waiting in long lines.
“The system works in such a way that it has to process sequential steps, and there’s a latency between each step,” Müller says. “Because the registration process is complex, we just had too many steps.”
Fortunately, the implementation team was able to reduce the number of steps and meet the response-time requirement. “For this particular case, we didn’t change the front end or the tool itself — we just modified the implementation of the process, which is part of the customization anyway,” Müller notes.
Another issue occurred just after the team migrated all the data and was ready to activate the system. They discovered unexpected and apparently incorrect behavior of the system. Because they were part of the acquire-to-ship program, they had good access to the SAP developers who were working on the product and were able to get a solution to the problem within a couple of hours — a new feature that had been introduced in the latest version of SAP NetWeaver Identity Management had interfered with the migration process. “If we hadn’t had the solution, it would’ve been a show-stopper and we would’ve had to roll back,” says Müller.
The University of Basel worked through these setbacks and has not only upgraded to a smarter security system, it created the foundation for efficient identity management that’s capable of supporting new systems, far into the future.
With the new identity management system, future synchronization with additional SAP and non-SAP resources will be simplified and centralized. The university will also enable the creation of SAP users from SAP NetWeaver Identity Management, meaning the approval process for granting access rights to individuals could be automated.
The basic goal is to reduce the number of occasions when students and employees have to come to the front desk and present themselves to get access. “At the moment, we have some paper-based, manual processes that we could do electronically,” Marquart says. “In the future, individuals can apply for access rights to special systems through SAP NetWeaver Identity Management.”
The university aims to create an automated process for account creation of new staff members. “We’re about to make this change, using the feed from SAP ERP HCM,” says Marquart. “So after the HR department enters employees into the system, the account is automatically generated and the individual is sent a letter with the credentials.”
Looking back, Müller is very impressed with how the team approached the identity management project. “The university just moved ahead and said, ‘We need a solution now,’ and I think this strategy has worked out,” he says. “And maybe that’s encouragement for other customers to stop hesitating as well.”
What Sorts of University Information Require Authentication?
SAP NetWeaver Identity Management manages individual access rights to various different data sources, each source with its own security concerns:
- Email. Students receive exam results and other important information to their email accounts.
- LDAP server. Each university department has an IT administrator with special access rights, such as allowing an individual to download licensed software. These access rights are granted by setting attributes in the LDAP server and managed automatically by the identity management system.
- VPN. If students are connected to the campus network, they can share work with university members and access outside resources whose access is controlled by IP address. Students and university staff working from a home office are also granted access by using VPN.
- Inter-university solution. Individuals can access resources from the entire research network of Swiss universities that participate in the country’s Authentication and Authorization Infrastructure for higher education (SWITCHaai), which is a Shibboleth-based single sign-on federation. SWITCHaai lets a student from one university access e-learning systems at other universities.
|How the SAP NetWeaver Identity Management system’s interface appears in the front end to Web users
6 Lessons Learned
Identity management exists! Because so many companies remain shy about publicly discussing anything related to security, it’s hard to know what security solutions are really being used by customers in the field. Despite this, there are ways to learn more about how SAP NetWeaver Identity Management works with SAP and heterogeneous SAP customer systems.
System modifications are easy. While SAP NetWeaver Identity Management comes pre-configured out of the box, you’ll have to do some customization yourself. “If you can’t configure it directly by clicking in the design, you can write a script or even a stored procedure to do it for you,” says Marquart. He considers the fact that you can control each aspect of the system behavior and change it according to your needs to be a strong benefit.
Start now. If you’re considering an identity management project, don’t waste time wondering what must be done before you can start. Of course, there will be some inevitable data cleansing necessary, but that need not be a show-stopper. According to Müller, the university knew they needed a solution immediately and just moved ahead. “Sometimes hesitation means that forward progress halts,” he says. “We knew it wasn’t going to be perfect, but we wanted to start and use the system to improve things.”
Don’t underestimate user acceptance testing (UAT). It is imperative to get the people who mainly work with the tools involved early, get their feedback, and incorporate the changes that result from their feedback. According to Müller, the UAT wasn’t done until the beginning of December. “That was comparatively late, and the changes were quite challenging to complete before the go-live date,” he says.
Get core identities under control. Start with an appropriate data source — like SAP ERP HCM — to establish the core identities, and then enforce company-wide policies about how to manage these identities. “Don’t leave manual processes in place,” Müller says. “If someone sends an email saying this person has left the company and then leaves it up to someone to act on that, there’s no enforcement of policies in that case.”
Ask SAP for help. SAP has a vast number of referenceable partners that it works closely with. In this case, the university selected BT, which was a great fit for this particular project. Because SAP is always updating its software and releasing patches and fixes, look to SAP developers for support. During this project, SAP sent a patch prior to its release date that helped the university meet its project deadlines. “The support was very good and very fast,” says Marquart. “We were very happy that we got this pre-release version.”