It’s a common scenario for companies that have implemented SAP NetWeaver Identity Management (SAP NetWeaver ID Management): The business asks IT administrators to provide reporting on users, roles, and system assignments. To do so, the administrator had to log on to each SAP and non-SAP back end separately and look up user master records and their role assignments, a time-consuming and tedious task, especially when coupled with the effort needed to aggregate the data. But now, with the right reporting capabilities hooked into your identity management functionality, you can more quickly and easily pull detailed reports to help determine who provisioned users and roles, into which systems, and when it all happened.
SAP NetWeaver ID Management, SAP’s offering for central user provisioning and management, has been continuously evolving to meet companies’ identity management needs (see sidebar). To help our customers improve their identity management reporting, the latest SAP NetWeaver ID Management release, 7.1, support package 5, now offers dynamic reporting capabilities through the SAP NetWeaver 7.0 BI Content Add-on 7.05 to SAP NetWeaver Business Warehouse (SAP NetWeaver BW) 7.0. In this article, we’ll delve into these capabilities and the insights they can bring.
Getting Started: Data Extraction 101
To run identity management reports in SAP NetWeaver BW, you first need to extract data from the SAP NetWeaver ID Management Identity Center. This data extraction includes all attribute data from the Identity Center (rather than just the attribute data needed for SAP Netweaver BW’s templated reports), which means that customers can extend and modify the current BW templates or define entirely new ones to run reports on additional entry types. This data extraction process involves several steps:1
- A job in the Identity Center reads all attribute data that has been changed since its last run and sends that data to the Virtual Directory Server.2 Users usually schedule these jobs to run regularly — once per night, for example — to keep the data in SAP NetWeaver BW current (see Figure 1).
- The Virtual Directory Server, acting as a proxy in this scenario, forwards the data to the respective identity management web service in SAP NetWeaver BW, where it is stored in the persistent staging area.
- After all data has been transferred, the Virtual Directory Server uses an additional SAP NetWeaver BW web service to trigger further preparation of the data so that it will be available for your reports.
Once these steps are complete, you can start running your reports just as you would any other SAP NetWeaver BW report. For more detailed implementation instructions, visit www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f02d16da-1856-2d10-b2ad-bccaff798e97.
||A scheduled job in the Identity Center set to extract data to SAP NetWeaver BW
What Kinds of Details Can You Get from These Reports?
The SAP NetWeaver 7.0 BI Content Add-on comes with predefined templates that report on:
- Persons: Users or identities
- Roles: The business roles maintained in the Identity Center
- Privileges: Any kind of permission object from connected systems, such as AS ABAP roles and profiles, AS Java roles, or LDAP groups, as well as the technical privileges related to the Identity Center itself
The reporting templates also allow for further reporting on the details of these entities or their assignments. Such details include:
- The role assignments of a certain user; these help determine which business roles are assigned to which users.
- The privilege assignments of certain users; these show which users exist in which systems and which permissions they have there.
- The role assignments attached to a certain privilege; these show which business roles contain which permissions in the Identity Center itself and in any connected systems.
With this kind of reporting, for all assignments and attributes displayed in the reports, you will see which user was responsible for any respective change in the Identity Center, as well as when that change was made. Also, since the SAP NetWeaver BW reports offer a level of dynamic flexibility, users can further narrow their reports, drilling down into the details of these templated reports. For example, if you want to check information from a certain time period, you can report on:
- A given date, if you want to know which user had access to a specific system on a certain day. This would be useful during an incident-based reporting scenario when you are aware that something happened in your system and you are trying to find the culprit.
- A range of dates to determine, for example, which users had which role assignments over the past six months. This is useful during a regular access rights review scenario when you want to find out which access privilege changes, and how many, happened over the past six months.
Viewing Your Reports: A Flexible, Dynamic Process
The output of these reports is provided through the highly flexible SAP Business Explorer (SAP BEx) web tool (see Figure 2), which allows for advanced filtering and sorting, as well as export to Microsoft Excel, Adobe PDF, CSV, and other formats. This means you can email the report to stakeholders who need to see it, or you can publish it in SAP NetWeaver Enterprise Portal.
||A change history report for a person’s attributes
When accessing a predefined identity management report (as with any typical SAP NetWeaver BW report), you will first need to specify which information you would like to see. This includes determining which selections of information — such as the identity store or the person, role, or privilege — you’d like to look at, as well as the specific date or time periods that you are interested in.
The role assignment reports will often be used with a set of entries instead of only a single entry; for example, if you want to analyze the distribution of user role assignments in the Identity Center (see Figure 3), you’ll see that the assignment reports are displayed in a hierarchical structure, with a list of business roles and the number of users assigned to them. You can then expand the role you are interested in to see the individual users assigned to it.
||A business role assignment report, including details about the number of users assigned to individual business roles
Companies can also use these reports to regularly check user access rights, ensuring that users can only access what they need and are authorized to see. In addition, to facilitate dynamic analysis of identity management data, the predefined reports contained in SAP NetWeaver 7.0 BI Content Add-on 7.05 are linked to each other to present commonly needed results.
For example, when analyzing the list of users assigned to a specific role, you might want to display the details of one of these users, or the complete list of role assignments for that user. To use this navigation feature, simply use the context menu of the report and, under “Goto,” select the related report you would like to display (see Figure 4).
||Drilling down into the results of a predefined report
As you can see, these predefined reports give customers extensive dynamic insight into their data. If you need further insights than those defined by these reports, you can also enhance the current templates or develop your own via SAP’s standard BW reporting capabilities.3
Conclusion and Outlook
With the addition of SAP NetWeaver Business Warehouse reporting capabilities to the SAP NetWeaver ID Management solution, users will be able to run more dynamic, insightful identity management reports than ever before. And it doesn’t end there. Pending customer feedback, SAP will also look into enhancing these reporting capabilities to, for example, track the status of a workflow request, perform joint reporting with SAP BusinessObjects Access Control, or provide additional content for predefined reports.
To learn more about these new reporting capabilities and their role in ID management, read the implementation guide on the SAP Developer Network at www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f02d16da-1856-2d10-b2ad-bccaff798e97.
Gerlinde Zibulski (firstname.lastname@example.org) has been with SAP for more than 11 years. She brings to the table her experience in consulting, product management, executive assistance, and product strategy. Since 2001, Gerlinde has specialized in the security features and functions of SAP and is now the Head of the Product Management Team for Security and Identity Management. Gerlinde holds a master’s degree in economics from the Private University Witten/Herdecke.
Heiko Ettelbrück (email@example.com) is a Senior Developer for SAP NetWeaver ID Management at SAP AG. After studying Business Informatics with SAP AG and the University of Cooperative Education, Mannheim, Heiko first joined the user management development team for SAP NetWeaver AS Java.
1 Note that you can secure all data transfers between the involved components with SSL/TLS encryption. [back]
2 To learn more about the Identity Center and the Virtual Directory Server, see “Make Compliance a Seamless Part of Your Security Workflow” by Regine Schimmer and Jens Koster in the April-June 2010 issue of SAPinsider. [back]
3 Learn more about these BW capabilities at http://help.sap.com/saphelp_nw70/helpdata/en/57/fe785a8047433abd4c8ac707adec99/frameset.htm. [back]