In the age of digital access across increasingly heterogeneous environments and diverse business solutions, maintaining control over user identities is not optional. Managing access is not only critical to the security and productivity of an organization — regulations require it. To help customers gain the control they need over identity data, SAP provides the SAP Identity Management (SAP ID Management) solution. SAP ID Management enables organizations to centrally manage user access according to roles and authorizations across heterogeneous landscapes — including SAP and non-SAP systems. It supports rule-driven workflow and approval processes, extensive logging and reporting functionality, and compliance through integration with solutions such as SAP Access Control.[1]
At the end of 2014, SAP released a new version of SAP ID Management to meet customers’ evolving needs. Release 8.0 contains a number of new features that make administrators’ lives easier — in particular, a completely revamped development environment for configuring the solution, and the ability to take your organization’s on-premise identity management processes to the cloud with a new connector for SuccessFactors Employee Central. Here, we take a closer look at these two key enhancements, and how they help organizations tackle their user management needs.
SAP ID Management Developer Studio
Release 8.0 of SAP ID Management introduces a new Eclipse-based development environment — SAP ID Management Developer Studio — for configuring user management. SAP ID Management Developer Studio replaces the Identity Center management console included in previous versions of SAP ID Management,[2] and was designed in close collaboration with SAP customers to provide the functionality that users need most.
Using the Eclipse development environment enables SAP ID Management Developer Studio to work well with other major Eclipse-based SAP development tools,[3] such as the SAP HANA studio, the ABAP development tools for SAP NetWeaver (known as ABAP in Eclipse),[4] and SAP HANA Cloud Platform, as well as Eclipse-based tools from third-party vendors. Installation is easy — simply install a standard Eclipse IDE from eclipse.org (the minimum required version is currently Kepler), and then use its built-in plugin installation mechanism with SAP’s central Eclipse update site (https://tools.hana.ondemand.com)[5] to install SAP ID Management Developer Studio. Deployment of patches, service packs, and new releases through the standard Eclipse update mechanism is also simple and straightforward.
Figure 1 shows the SAP ID Management Developer Studio perspective in the Eclipse development environment. It includes a content tree view, which contains all of the components of a user management configuration; a job content view and details view for displaying the properties of defined workflow tasks; an editor view for custom configuration development and modeling; and a job log view and details view for debugging purposes.
Enhanced Security with User Access Management
To enhance security while managing multi-user environments, SAP ID Management Developer Studio introduces a new user authorization concept based on the user management engine (UME) included with SAP NetWeaver Application Server (SAP NetWeaver AS) Java.
Previous versions of SAP ID Management required developers to directly connect to the SAP ID Management database with a database user account to perform configuration tasks with the Identity Center management console. With SAP ID Management Developer Studio, developers no longer connect directly to the SAP ID Management database. Instead, a developer must have a valid user account for the UME. A service, deployed and configured as part of SAP NetWeaver AS Java, authenticates SAP ID Management Developer Studio users against the UME, which now controls access to all SAP ID Management configuration, management, and monitoring activities. This is a more secure approach, since the user does not have to directly authenticate with the underlying database.
Access to the configuration data is customizable on a fairly detailed level. This customization is enabled by a new concept that allows the grouping of configuration items into packages and supports separate access levels for read-only viewing, as well as modification by import, development, layout development, and ownership of a package.
Note: In addition to Eclipse, SAP ID Management Developer Studio requires an SAP ID Management backend running on SAP NetWeaver Application Server Java 7.30 or higher, and a configured SAP ID Management database. Detailed information on how to implement SAP ID Management 8.0 and its components is available from SAP’s online help portal at http://help.sap.com/nwidm80.
Simplified Configuration Management with Configuration Packages
SAP ID Management Developer Studio introduces a package concept that simplifies the management of the various elements that make up a user management configuration. Rather than maintaining a single global pool of variables and constants, for instance, for a user management configuration, developers manage the components of the configuration — including scripts, frameworks, and connectors — on the package level, defining and creating them to meet their particular needs.
To make any changes to the components within a configuration package, a developer must check out the package and then check it back in to activate the changes. This approach, together with the access control provided by the UME, eliminates potential conflicts between multiple users accessing and changing the configuration content in parallel. In addition, version control functionality enables you to easily revert to a previous version of a package to undo any changes to the configuration within that package.
Configuration packages also simplify the import and export of configuration changes across SAP ID Management systems and landscapes by enabling the distribution of multiple changes within a single package.
Visual Workflow Design with a Graphical Modeling Tool
To ease the task of building the process logic required for workflows such as approvals in a user management configuration, SAP ID Management Developer Studio includes a graphical workflow modeler for designing and visualizing the structure and sequence of the tasks and other processes that make up the workflow.
Figure 2 shows the graphical process flow diagram design canvas open in the editor view in SAP ID Management Developer Studio. Previously, in the Identity Center management console, workflows were modeled using a tree view, which is still offered in read-only mode via a tab at the bottom of the design canvas for those who are accustomed to this view.
To define a workflow process using the modeling tool, simply select a previously defined or imported process in the content tree (in the example, the process “DoIt”) and place it on the design canvas. Using the palette on the right, you then complete the process logic by adding tasks, such as conditional or switch tasks, or other processes to the flow diagram and setting their relationships. You can also easily add more processes from your configuration packages by dragging them from the content tree to the flow diagram canvas. The modeling tool also includes an auto layout function that will arrange and reformat the diagram while you are working on it.
Identity Management for the Cloud
In addition to the Eclipse-based development environment, release 8.0 of SAP ID Management extends its connectivity framework to the cloud with a new standard connector to SuccessFactors Employee Central, a software-as-a-service (SaaS) solution that enables companies to handle enterprise-grade HR processes in a cloud environment.
SuccessFactors Employee Central provides support for any combination of business units — from financials to analytics — and allows HR to model workforces and job structures without code or complicated manual processes. Designed for large numbers of cloud users, it features a user-friendly experience for every role in the company, including simple user interfaces, wizards, and self-services, as well as flexible workflows. Integration capabilities and connectors enable process flows between SuccessFactors Employee Central and related business applications, such as SAP ERP Financials, SAP Payroll, and SAP solutions for governance, risk, and compliance.
The new connector — delivered as a configuration package with SAP ID Management 8.0 — offers out-of-the-box integration with the SuccessFactors Employee Central solution, extending your on-premise user administration to the cloud to enable identity management across corporate boundaries and to provide a single source of identity data. With this connector, your cloud-based users can benefit from the look and feel of SuccessFactors Employee Central while the organization ensures extensive and reliable control over user identities with SAP ID Management. Depending on your organization’s requirements, either SuccessFactors Employee Central or SAP ID Management can serve as the system from which user information is provisioned.
An Example Scenario
Let’s look at an example of how integrating SuccessFactors Employee Central and SAP ID Management might work. Figure 4 illustrates the onboarding of a newly hired employee, where SuccessFactors Employee Central is the leading system:
1. Once a new user is registered in SuccessFactors Employee Central, the system can provision the information via a pull mechanism in delta mode to SAP ID Management, along with any preassigned roles and access rights.
2. SAP ID Management then performs its own functions, such as calculating entitlements based on the user’s position.
3. If SAP Access Control is integrated with SAP ID Management, the user’s relevant roles can next go through a segregation-of-duties check to ensure that there are no conflicting roles that could result in employee fraud.
4. Built-in workflows in SAP ID Management ensure the necessary approvals from line managers or IT administrators.
5. The user is then provisioned to the connected SAP and non-SAP target systems.
Note: The SuccessFactors connector is shipped as a separate package in the provisioning framework for SAP ID Management 8.0. To install it, simply import the package com.sap.idm.connector.sfsf - com.sap.idm.connector.sfsf.idmpck into your SAP ID Management database.
In an alternative scenario, SAP ID Management could be set up as the leading system where employee information is entered (step 1) and the user can be provisioned to SuccessFactors Employee Central (step 5).
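The five onboarding steps above, with the HR system as the leading system, modeled as an added example; this is not SAP ID Management, SAP Access Control, or connector code and calls none of their APIs. The records, role names, position mapping, and conflict rules are constructed sample data, and holding a user back when a conflict is found is an assumption of this sketch.

```python
# Added illustration of the onboarding flow; not SAP code.
# All records, role names and rules below are constructed sample data.
from datetime import datetime, timezone

# Constructed HR records as a leading system might expose them.
HR_RECORDS = [
    {"id": "E100", "position": "AP_CLERK", "roles": ["VENDOR_MAINT"],
     "modified": datetime(2015, 3, 2, tzinfo=timezone.utc)},
    {"id": "E101", "position": "BUYER", "roles": [],
     "modified": datetime(2015, 3, 5, tzinfo=timezone.utc)},
    {"id": "E099", "position": "BUYER", "roles": [],
     "modified": datetime(2015, 2, 1, tzinfo=timezone.utc)},
]
POSITION_ROLES = {"AP_CLERK": {"INVOICE_POST", "PAYMENT_RUN"},
                  "BUYER": {"PO_CREATE"}}
# Pairs of roles one person must not hold together (hypothetical SoD rules).
SOD_CONFLICTS = [frozenset({"VENDOR_MAINT", "PAYMENT_RUN"}),
                 frozenset({"PO_CREATE", "INVOICE_POST"})]

def pull_delta(records, last_sync):
    """Step 1: fetch only records changed since the previous sync."""
    return [r for r in records if r["modified"] > last_sync]

def entitlements(record):
    """Step 2: preassigned roles plus roles derived from the position."""
    return set(record["roles"]) | POSITION_ROLES.get(record["position"], set())

def sod_violations(roles):
    """Step 3: every conflicting pair fully contained in the role set."""
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= roles]

def onboard(records, last_sync, approve):
    """Run steps 1-5; users with conflicts or without approval are held."""
    provisioned, held = {}, {}
    for rec in pull_delta(records, last_sync):
        roles = entitlements(rec)
        conflicts = sod_violations(roles)
        if conflicts:
            held[rec["id"]] = conflicts             # stopped before approval
        elif not approve(rec["id"], roles):         # step 4: approval workflow
            held[rec["id"]] = "approval denied"
        else:
            provisioned[rec["id"]] = sorted(roles)  # step 5: push to targets
    return provisioned, held

LAST_SYNC = datetime(2015, 3, 1, tzinfo=timezone.utc)
RESULT = onboard(HR_RECORDS, LAST_SYNC, approve=lambda uid, roles: True)
```

The conflict for E100 only appears once the preassigned role is combined with the roles derived from the position, which is why the check runs on the calculated entitlements rather than on the roles delivered by the HR system.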
A Comprehensive Solution for User Management
SAP ID Management has evolved into a comprehensive user administration solution for SAP and non-SAP applications within and beyond the enterprise — and by extending its functionality into the cloud, release 8.0 represents a step toward a truly holistic approach to identity management. Based on customer feedback, SAP has added features to the latest release that make identity administration more convenient and less error-prone, both in large and small ways (see the sidebar “Additional Enhancements Included in SAP Identity Management 8.0”). Going forward, SAP intends to continue along this path by investing its development resources into the capabilities its identity management customers need.
To learn more, visit the SAP ID Management page at SAP Community Network (http://scn.sap.com/community/idm) along with the product roadmap at SAP Service Marketplace (https://websmp202.sap-ag.de/~sapidb/011000358700001087162013E.pdf).
[1] For additional background information on SAP ID Management, see the SAPinsider articles “A Safe Harbor in a Rising Tide of Threats” by Gerlinde Zibulski and Gert Schroeter (October-December 2014) and “What’s New in SAP NetWeaver ID Management 7.2?” by Regine Schimmer and Gerlinde Zibulski (October-December 2011).
[2] Content that has been developed in the Identity Center management console can be imported into SAP ID Management Developer Studio.
[3] Additional information on SAP’s Eclipse-based development tools is available at https://tools.hana.ondemand.com.
[4] For more on ABAP in Eclipse, see Karl Kessler’s SAPinsider articles “Take Your SAP Solutions to New Heights with the Latest Release of SAP NetWeaver 7.4” (April-June 2014); “End-to-End Development Scenarios from SAP: Bridging the On-Demand and On-Premise Divide with SAP Tools for Eclipse” with Monika Kaiser (October-December 2013); and “Turbocharge Your ABAP Development with Innovation from Eclipse” (October-December 2012).
[5] Known as the SAP Release Train for Eclipse, SAP’s central Eclipse update site contains a delivery of Eclipse-based SAP tools that ensures compatibility among the tools and with a particular Eclipse release.