IAM 2010
Ulrik Rosendal-Jensen
2010
© 2010 IBM Corporation

Tivoli Security Focus Areas

[Figure: four focus areas (Trusting Identities, Managing Access, Securing Services, Protecting Data) applied to business systems such as payroll, online banking, loan applications, retail sales and inventory]

Customers, partners, employees (known): Manage those you know. (Tivoli IAM, #1 in this space)
Criminals, competitors, hackers (unknown): Protect against those you don’t. (ISS Threat Mitigation, #1 in this space)
COMPLIANCE: Prove that you’re in control.

Getting started with Identity and Access Assurance

Single Sign On & Password Management
User Provisioning / Role Management
Access Attestation
Security log management & reporting

[Figure: Tivoli Identity Manager fed from HR systems / ID stores, managing accounts on databases, operating systems, applications, networks & physical access; accounts on 70 different types of systems managed, plus in-house systems & portals]

[Figure: access attestation flow (steps 1–5): an authoritative identity source (Human Resources, Customer Master, etc.) feeds the TIM trusted identity store; accounts on business applications (e.g. Cisco Secure ACS) such as jcd0895, jdoe03 and doej (John C. Doe) and smiths17 and Sarah_s4 (Sarah K. Smith) are matched to identities, with ackerh05 and nbody unmatched; a recertification request goes to Sarah’s manager and access is revalidated and audited]

Typical Enterprise

[Figure: a typical enterprise: consumers, business partners and employees/staff reach Windows apps, web apps, other apps and portals through the Internet, HTTP servers, a web services (WS) gateway and an ESB (SOA); an HR system, an enterprise directory and web/security policy repositories sit behind; connection types shown are HTTP (incl. SOAP/HTTP), web services and desktop/client]

Tivoli Identity Manager (TIM)

[Figure: the same enterprise with TIM added. TIM components: identity synchronisation, provisioning, reconciliation, workflow & lifecycle, entitlement policy, user self-service, identity store, reporting and a provisioning engine; fed by the HR system and used by users, administrators and auditors; TIM provisions the identity repository (person & account), the enterprise directory and the applications]

Tivoli Access Manager for e-business (TAMeb)

[Figure: TAMeb added in front of the web applications and portals: web authentication and authorization, web single sign-on, and a web policy management domain administered by the admin(s)]

Tivoli Federated Identity Manager (TFIM)

[Figure: TFIM added: federated SSO and authentication & authorization (A&A) for consumer and business-partner access, identity mapping, and federated SSO configuration in the management domain]

Tivoli Security Policy Manager (TSPM)

[Figure: TSPM added: web services policy management in the management domain, with policy enforcement at the WS gateway and the ESB]

Tivoli Access Manager for Enterprise Single Sign-on (TAM E-SSO)

[Figure: TAM E-SSO added on the desktop/client side: enterprise single sign-on and user authentication for Windows and other apps, with SSO policy management in the management domain]

Tivoli Compliance Insight Manager (TCIM)

[Figure: TCIM added: log collection from every component, audit log consolidation and audit policy compliance reporting for the auditor]

Tivoli Identity Manager

Tivoli Identity Manager automates, audits, and corrects user access rights across your IT infrastructure

[Figure: an identity change (add/del/mod) from HR systems / identity stores reaches TIM; access policy is evaluated, approvals are gathered and accounts are updated on databases, operating systems, applications, networks & physical access and in-house systems & portals (accounts on 70 different types of systems managed); TIM also detects and corrects local privilege settings]

Reduce Costs
• Self-service password reset
• Automated user provisioning

Simplify Complexity
• Consistent security policy
• Quickly integrate new users & apps

Address Compliance
• Closed-loop provisioning
• Access rights audit & reports
• Know the people behind the accounts and why they have the access they do
• Fix non-compliant accounts
• Automate user privileges lifecycle across entire IT infrastructure
• Match your workflow processes

A phased approach to automating user provisioning with TIM delivers increasing improvements in efficiency and control

[Figure: three phases, each with a one-time policy design investment and the ongoing operational labor it leaves behind]

Phase 1 (one-time policy design: Publish Service Catalog)
– User initiates access request
– Approvals gathered
– Access provisioned
– Periodic recertification

Phase 2 (one-time policy design: Define coarse roles plus optional access)
– Update to user attribute initiates access change
– Major changes automated, minor ones requested
– Recertify

Phase 3 (one-time policy design: Define Role Based Access Control model & policies)
– Access auto-provisioned, approvals for exceptions
– Recertify exceptions only

Result: automatic provisioning and rights verification. Simplify complexity.

Improve security and compliance readiness through TIM automated security policy enforcement, audit, and reporting

30% or more of all accounts are ‘orphans’ (Gartner Group)

[Figure: an authoritative identity source (Human Resources, Customer Master, etc.) feeds the TIM trusted identity store; accounts on business applications, web applications, databases and infrastructure (jcd0895, jdoe03 and doej for John C. Doe; smiths17 and Sarah_s4 for Sarah K. Smith; ackerh05 and nbody1 with no owner) are compared against user entitlement (policies, approvals, recertifications); steps 1–3: compare local privileges to policy, flag/alert/correct/suspend, eliminate orphan accounts; audit reports]

Ensure Compliance

TIM v5.x marks a major milestone in the evolution of identity management

[Figure: timeline 2002 to 2008+: Access360 acquisition; TIM v4.5; TIM v4.6, TIM Express v4.6 and TIM for z/OS v4.6; TIM “Quick Start Tools”; TIM v5.0; TIM v5.1. Themes along the timeline: Invest and Integrate; Ready for Primetime; Serve the Segments; Simplification for the Masses; Identity Governance]

What TIM provides

Oct 6, 2010

TIM Provides a User Based Console View

• Console designed with more than just system administrators in mind
– Predefined groups, views and security settings (ACIs) optimized for different user types:
– TIM administrators
– Help desk assistants
– Service owners
– Managers
– Auditors
– End Users
– Intuitive user interface only shows users what they need to do their jobs
• Capability to customize default user views and security settings or to create additional views unique for users in your organization
• Service owner dashboard provides quick overview of transaction and adapter status for TIM managed resources
• Manager view is scoped to allow operations for subordinates (profiles, accounts, accesses)

TIM – Examples of user type based views

The Service Owner sees a ‘Dashboard’

Manager’s view of their team

TIM – Support for an Auditor User Type

• Auditor user type
– Auditors are able to run and view reports
– Report ACIs provided to allow other non-administrators, such as an auditor, to run reports that access the audit trail
– “See all, do nothing”

Service Owner Dashboard provides one stop overview

Simplified Policy, Workflow, and Configuration reduces setup time and training

• Wizards help users build:
– Approvals
– Request for Information Nodes
– Email Nodes
– Identity Policies
– Identity Feeds
– Service Definitions
• No need for programming or scripting for simple configuration options
– Defaults to “simple” configuration
– Toggle to “advanced” option to meet complex needs

Policy Simulation and Draft Mode Takes the Guesswork out of Role and Provisioning Policy Updates

Role hierarchy simplifies and expands automation of user access

Customer challenge
Administration of user access can be increasingly complex and time consuming through direct user-permission mapping.

TIM capabilities
• Establish parent/child role relationship and apply inheritance through role membership
• Add or remove roles as members to other roles
– Parent roles can have multiple children: Physician = parent role; Cardiologist, Radiologist = child roles
– Child roles can have multiple parents: Cardiologist = child role; Physician, Health care practitioner, Employee = parent roles
• Inheritance flows to all objects that use roles: provisioning policy, approvals, role owners

[Figure: business role Physician with child roles Cardiologist, Radiologist and Oncologist, mapped to IT/application roles: Open Patient Record; Record operations & procedures; View patient chronic condition & allergies; View patient procedure & medication history]

Separation of duties enhances security and compliance

Customer challenge
Avoiding business conflicts that could heighten risk exposure, e.g. the same person making purchases is also allowed to approve them.

What is Separation of duties (SoD)?
Ability to exclude users from having access rights that create a business conflict.

TIM capabilities
• Provides preventative and detective control over role conflicts by creating/modifying/deleting SoD policies that exclude users from having membership to conflicting roles
– User cannot be a member of Role A and Role B
– User may not have membership to more than X roles within an accounts receivable process
• Upon assigning or requesting access TIM will detect if a conflicting rule is in place and prevent a violation from occurring
• Approval workflow process allows for exemptions when a violation occurs
• Violation and exemption auditing via reports, which helps prevent or highlight inappropriate use of privileges

Separation of duty policy status improves visibility to risk exposure

• Administrative Dashboard
– Provides status of number of Violations and approved Exceptions
• Violations can occur through assignment of a role by a non-interactive process such as an automated identity feed, or when an exception is revoked.
• Violations can be approved/removed to accept/remove the risk
– Drill down to review SoD violation or exception status
– Trigger evaluation to re-examine current status – detective control
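The two mechanisms described above, role inheritance and SoD policies with both a preventive and a detective check, as an added example; this is illustrative code written for this page, not TIM's own implementation. The class and function names (RoleModel, SodPolicy, check_assignment, detect_violations), the purchasing and accounts-receivable roles, and the users are all constructed. It generalises the slide's two policy shapes (exclusive pair, at most X roles in a process) and evaluates them over effective roles, so a conflict inherited through a parent role is caught too:

```python
from collections import defaultdict


class RoleModel:
    """Roles with parent/child relationships. Membership in a child role
    inherits every ancestor role, and with it the entitlements attached
    to those roles (the slide's 'inheritance through role membership')."""

    def __init__(self):
        self.parents = defaultdict(set)       # role -> parent roles
        self.entitlements = defaultdict(set)  # role -> entitlements attached directly
        self.assigned = defaultdict(set)      # user -> roles assigned directly

    def add_role(self, role, parents=(), entitlements=()):
        self.parents[role].update(parents)
        self.entitlements[role].update(entitlements)

    def assign(self, user, role):
        self.assigned[user].add(role)

    def effective_roles(self, user, extra=()):
        """Directly assigned roles plus all ancestors, walked transitively.
        `extra` lets a caller evaluate a proposed assignment before making it."""
        seen, stack = set(), list(self.assigned[user]) + list(extra)
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.parents[role])
        return seen

    def effective_entitlements(self, user):
        ents = set()
        for role in self.effective_roles(user):
            ents |= self.entitlements[role]
        return ents


class SodPolicy:
    """One separation-of-duties rule of the two shapes the slide lists:
    - exclusive: the user may not hold both roles of the pair
    - limited/limit: at most `limit` of the listed roles (one business process)"""

    def __init__(self, name, exclusive=None, limited=None, limit=0):
        self.name = name
        self.exclusive = frozenset(exclusive) if exclusive else None
        self.limited = frozenset(limited) if limited else None
        self.limit = limit

    def violated_by(self, roles):
        roles = set(roles)
        if self.exclusive is not None and self.exclusive <= roles:
            return True
        if self.limited is not None and len(self.limited & roles) > self.limit:
            return True
        return False


def check_assignment(model, policies, user, role):
    """Preventive control: names of the policies a proposed assignment would
    violate. Evaluated over effective roles, so an inherited role counts
    (a design choice made here, not something the slide specifies)."""
    roles = model.effective_roles(user, extra=[role])
    return [p.name for p in policies if p.violated_by(roles)]


def detect_violations(model, policies):
    """Detective control: re-examine every user's current effective roles,
    catching violations that arrived outside the request path (e.g. a feed)."""
    found = {}
    for user in list(model.assigned):
        hits = [p.name for p in policies if p.violated_by(model.effective_roles(user))]
        if hits:
            found[user] = hits
    return found


def build_demo():
    """Constructed sample data mirroring the slide's hospital roles, plus
    invented purchasing and accounts-receivable roles for the SoD rules."""
    m = RoleModel()
    m.add_role("Employee")
    m.add_role("HealthCarePractitioner")
    m.add_role("Physician", entitlements=["Open Patient Record",
                                          "Record operations & procedures"])
    # child role with multiple parents, as on the slide
    m.add_role("Cardiologist", parents=["Physician", "HealthCarePractitioner", "Employee"],
               entitlements=["View patient chronic condition & allergies"])
    m.add_role("Radiologist", parents=["Physician"])
    for r in ("PurchaseRequester", "PurchaseApprover",
              "AR-Invoice", "AR-Payment", "AR-Writeoff"):
        m.add_role(r)
    m.assign("alice", "Cardiologist")
    m.assign("bob", "PurchaseRequester")
    m.assign("carol", "AR-Invoice")
    m.assign("carol", "AR-Payment")
    m.assign("dave", "PurchaseRequester")
    m.assign("dave", "PurchaseApprover")   # arrived via an automated feed, unchecked
    policies = [
        SodPolicy("purchase-vs-approve", exclusive=["PurchaseRequester", "PurchaseApprover"]),
        SodPolicy("ar-max-two", limited=["AR-Invoice", "AR-Payment", "AR-Writeoff"], limit=2),
    ]
    return m, policies


if __name__ == "__main__":
    model, policies = build_demo()
    print("alice effective roles:", sorted(model.effective_roles("alice")))
    print("bob + PurchaseApprover:", check_assignment(model, policies, "bob", "PurchaseApprover"))
    print("current violations:", detect_violations(model, policies))
```

The preventive check runs on the request path and is what stops bob from receiving PurchaseApprover; the detective sweep is what surfaces dave, whose conflicting pair never passed through a request. Running both is the point of the dashboard's "trigger evaluation" control, since a feed or a revoked exception can create a violation no request ever saw.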

TIM access recertification facilitates compliance

Customer challenge
Compliance – enabling an access validation process to those who can responsibly and accurately make that decision.

TIM capabilities
3 types of recertification policies to validate continued need for resources:
• Account recertification policies target accounts on specific services
• Access recertification policies target specific accesses (i.e. business translation of a group – AD group UK3g8saleww_R = sales pipeline portlet)
• User recertification policies (new in v5.1): a type of certification process that combines recertification of a user's role, account and group membership into a single activity

NEW: User recertification delivers consumable compliance

User recertification activity presents an approver with a single recertification approval activity for multiple resources associated with a given user:
• Static role membership
• Accounts
• Groups (whether defined as an Access or not)

Recertifier specifies a separate decision for each resource and submits a consolidated response.
The impact of recertification decisions can be previewed prior to submission.
Incremental progress can be saved as a draft.

A User Recertification Policy defines a user population, schedule, resource targets, and workflow.
• Workflow can be defined using either Simple or Advanced modes
• Simple workflow options include approval participant, rejection notification recipient (if any), rejection action, due date, overdue behavior (new), and notification templates

Simplified management of recertification policies
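The user recertification activity just described, modelled as an added example (illustrative code for this page, not TIM's workflow engine): one activity holds a decision per resource, a draft can be left incomplete, the impact of rejections can be previewed before submission, and the policy's due date and overdue behavior decide what happens to undecided items. The names UserRecertPolicy, UserRecertification, the choice that a rejected role is removed while accounts and groups follow the policy's rejection action, and the allowed values for rejection_action and overdue_behavior are assumptions; the sample user, resources and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Resource:
    kind: str   # "role", "account" or "group": the three resource types on the slide
    name: str


@dataclass(frozen=True)
class UserRecertPolicy:
    """Simple-mode workflow options from the slide, as a constructed model."""
    approver: str
    due_in: timedelta
    rejection_action: str          # assumption: "suspend" or "delete", applied to accounts/groups
    overdue_behavior: str          # assumption: "reject" or "approve" for undecided items past due
    rejection_recipient: str = ""  # who is told about rejections; "" means nobody


class UserRecertification:
    """One activity covering all of a user's roles, accounts and groups;
    one decision per resource, submitted as a consolidated response."""

    def __init__(self, user, resources, policy, opened):
        self.user = user
        self.policy = policy
        self.due = opened + policy.due_in
        self.decisions = {r: None for r in resources}   # None = undecided (draft state)
        self.submitted = False

    def decide(self, resource, approve):
        if self.submitted:
            raise ValueError("activity already submitted")
        if resource not in self.decisions:
            raise KeyError(resource)
        self.decisions[resource] = bool(approve)

    def undecided(self):
        return [r for r, d in self.decisions.items() if d is None]

    def preview(self):
        """Impact of the current draft: the action each rejection would trigger."""
        actions = []
        for r, d in self.decisions.items():
            if d is False:
                action = "remove-role" if r.kind == "role" else self.policy.rejection_action
                actions.append((r, action))
        return actions

    def submit(self, today):
        """Apply the consolidated response. Before the due date every resource
        needs a decision; after it, the overdue behavior fills in the gaps."""
        open_items = self.undecided()
        if open_items and today <= self.due:
            raise ValueError(f"{len(open_items)} resource(s) undecided; keep as draft")
        for r in open_items:
            self.decisions[r] = self.policy.overdue_behavior == "approve"
        actions = self.preview()
        self.submitted = True
        notify = self.policy.rejection_recipient if actions else ""
        return {"actions": actions, "notify": notify}


def build_demo():
    """Constructed sample: one user, one resource of each kind, a 14-day window."""
    policy = UserRecertPolicy(approver="sarahs.manager", due_in=timedelta(days=14),
                              rejection_action="suspend", overdue_behavior="reject",
                              rejection_recipient="helpdesk")
    resources = [Resource("role", "Cardiologist"),
                 Resource("account", "AD:jdoe03"),
                 Resource("group", "UK3g8saleww_R")]
    return UserRecertification("jdoe", resources, policy, opened=date(2010, 10, 6))


if __name__ == "__main__":
    act = build_demo()
    act.decide(Resource("role", "Cardiologist"), True)
    act.decide(Resource("account", "AD:jdoe03"), False)
    print("preview:", act.preview())
    print("still undecided:", act.undecided())
    print("result:", act.submit(date(2010, 10, 25)))
```

An overdue_behavior of "reject" is the fail-safe choice: an approver who never answers does not silently renew access. The preview is what lets the recertifier see, before submitting, that the group rejection will suspend as well, which is exactly the "impact previewed prior to submission" feature on the slide.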

Self Service Available Tasks / Flows

• Change Passwords
• Configure Forgotten Password Information
• Request Account / Request Account (Advanced)
• Delete Account
• View / Change Account
• Request Access
• View Access
• Delete Access
• View / Change Profile
• View My Requests
• Approve and Review Requests (To-do List)
• Delegate Activities
• Change Expired Password
• Forgotten Password

Self Service Console Features

• Provides Self Service functions for TIM Users
– Users can work on their own accounts, their own profile, their own accesses, their own to-dos, their own passwords
• The user interface can be customized / branded
– Integrate with View configuration to filter the list of tasks available to the user
– UI can be customized to better fit with the theme of the existing corporate look and feel

TIM Manual Services Overview

• Manual Services support the same functions as a “non-manual” Service: account add, delete, modify, suspend, restore, change password, adopt, reconcile, account defaults, etc.
• Manual Service Account requests generate a “To Do” Activity work item to a participant (add/delete/modify/suspend/restore/change password)
• The “To Do” Activity Workflow is automatically defined for the Manual Service when it is created
• The participant performs the necessary “work” and then responds to the work item (SUCCESS/FAIL/WARNING)

Quickly produce comprehensive audit reports

• Predefined reports with filtering and security
• Centralized view of people and privileges
• Track access privileges by person
• Track access privileges by information resource
• Acrobat format for easy viewing and CSV format for custom analysis

Ensure Compliance

Achieve quick value without user provisioning in TIM today

1. Reconciliation
Who has access to what? Identify orphan and dormant accounts – big security exposures!

2. Recertification
Does this user still need this account or access entitlement? Establish an automated process for review and enforcement.

3. Reporting
Prove it. Show auditors who has access to what and how they got it.
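The reconciliation step above, and the orphan-account detection described on the earlier "Improve security and compliance readiness" slide, as an added example written for this page (not TIM's own reconciliation or adapter code): accounts pulled from managed services are matched against an authoritative identity source, labelled orphan, terminated-owner, dormant or ok, and mapped to a risk-based response (flag, alert, correct or suspend). The Account and Person records, the employee-number linkage, the 90-day dormancy threshold, the action mapping and the HR attributes attached to the slide's account names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    service: str
    uid: str
    employee_no: Optional[str]   # owner reference reported by the adapter; None if absent
    last_login: Optional[date]   # None if the service has never seen a login


@dataclass(frozen=True)
class Person:
    employee_no: str
    name: str
    active: bool                 # HR status from the authoritative source


AS_OF = date(2010, 10, 6)        # reconciliation date; constructed to match the deck

# Constructed sample: the account names from the slides with invented attributes.
PEOPLE = {
    "E100": Person("E100", "John C. Doe", True),
    "E200": Person("E200", "Sarah K. Smith", True),
    "E300": Person("E300", "H. Acker (hypothetical)", False),   # has left the company
}
ACCOUNTS = [
    Account("ERP", "jcd0895", "E100", date(2010, 10, 1)),
    Account("AD", "jdoe03", "E100", date(2010, 9, 30)),
    Account("DB2", "doej", "E100", date(2010, 2, 1)),        # unused for months
    Account("AD", "smiths17", "E200", date(2010, 10, 4)),
    Account("Portal", "Sarah_s4", "E200", None),             # never logged in
    Account("ERP", "ackerh05", "E300", date(2010, 10, 2)),   # owner terminated, still in use
    Account("DB2", "nbody", None, date(2010, 10, 5)),        # no owner reference at all
]

# Risk-based responses (flag / alert / correct / suspend on the slide); constructed mapping.
DEFAULT_ACTIONS = {"orphan": "suspend", "terminated-owner": "suspend",
                   "dormant": "flag", "ok": "none"}


def classify(acct, people, as_of=AS_OF, dormant_after=timedelta(days=90)):
    """Match one account to the authoritative source and label it."""
    owner = people.get(acct.employee_no) if acct.employee_no else None
    if owner is None:
        return "orphan"               # nobody in HR claims this account
    if not owner.active:
        return "terminated-owner"     # owner known, but no longer with the company
    if acct.last_login is None or as_of - acct.last_login > dormant_after:
        return "dormant"
    return "ok"


def reconcile(accounts, people, as_of=AS_OF, actions=DEFAULT_ACTIONS,
              dormant_after=timedelta(days=90)):
    """One finding per account: (service, uid, status, action)."""
    findings = []
    for a in accounts:
        status = classify(a, people, as_of, dormant_after)
        findings.append((a.service, a.uid, status, actions[status]))
    return findings


def access_by_person(accounts, people):
    """'Who has access to what': person name -> sorted 'service:uid' list."""
    report = {}
    for a in accounts:
        owner = people.get(a.employee_no) if a.employee_no else None
        key = owner.name if owner else "<no owner>"
        report.setdefault(key, []).append(f"{a.service}:{a.uid}")
    return {k: sorted(v) for k, v in report.items()}


def status_counts(findings):
    counts = {}
    for _, _, status, _ in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    findings = reconcile(ACCOUNTS, PEOPLE)
    for row in findings:
        print(row)
    print(status_counts(findings))
    print(access_by_person(ACCOUNTS, PEOPLE))
```

The terminated-owner case is deliberately separate from plain orphans: the account does resolve to a person, so a report keyed on "has an owner" would miss it, yet it is the one most likely to be exercised after the person has left. Dormancy is judged from the service's own last-login data, which is why the reconciliation has to read it back from each managed system rather than trusting the identity store.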

Tivoli Identity Manager Information Resources

• IBM Tivoli Identity Manager Product Page
• IBM Tivoli Identity Manager Data Sheet
• TIM 5.1 Announcement Letter
• IBM Tivoli Identity Manager 5.1 Information Center
• IBM IAM Governance Whitepaper: Deliver effective governance for identity and access management

Tivoli integration Breadth and Depth is key to achieving rapid customer value

Industry leading adapters accelerate time to value

[Figure: adapter catalogue by category]

Operating Systems: HP/Compaq Tru64 Unix*, HP-UX, HP-UX NIS*, IBM AIX, IBM i5/OS, OpenVMS*, RedHat Enterprise Linux, Sun Solaris, Sun Solaris NIS*, SuSE Linux Enterprise Server, Windows Local 2000, 2003, XP

Authentication & Security: IBM RACF zOS*, IBM Tivoli Access Manager*, CA ACF2*, CA Top Secret, Entrust PKI*, RSA ACE/Server**, CA Siteminder, Cisco ACS

Applications & Messaging: Amdocs ClarifyCRM 12.0 on AIX using DB2*, Documentum eServer*, Lotus Notes/Domino, Windows AD/Exchange 2000, 2003, Novell e-Directory (NDS), Novell GroupWise, Oracle E-Business Suite, PeopleSoft (People Tools), SAP UME 6*, SAP R/3, Siebel*, Peregrine Service Center, Remedy, Quickplace*, LDAP-based Applications (IBM TDS, Sun One)*, Command Line-based Applications, Universal Provisioning*, JDEdwards*, Tandem, IBM Rational Clearcase

Relational Database: IBM DB2/UDB, Informix Dynamic Server, Oracle, Microsoft SQL Server 2000, 2005, Sybase*, RDBMS Based Apps

Ready for Tivoli: Citrix Password Manager, Cyber-Ark Network Vault for Passwords, Encentuate TCI for Enterprise, Protocom SecureLogin Password Management, ActivIdentity Trinity Secure Sign-on, Passlogix v-GO Provisioning Manager, Eurekify Sage Discovery and Audit, SecurIT R-Man

Broadest support for prepackaged adapters; fast, adaptable tooling for custom adapters. Simplify complexity.

Easily Integrate with Homegrown and Niche Applications

• Effectively meet the need to integrate with any home grown applications
• Wizard based approach to quickly build custom TIM adapters
– Select connector type and connect to the target system
– Discover and map attributes to manage
– Choose TIM operations and publish adapter to TIM
• Reduce development time by 75%
– Requires fewer specialized skills
– Based on Eclipse framework and leverages Tivoli Directory Integrator

Deepest support for critical infrastructure and business applications that go beyond a ‘check-box’

TIM standard adapters (not complete):

Operating systems: Series i, Series z (RACF), Unix/Linux (AIX), Unix/Linux (HP-UX), Unix/Linux (RHEL), Unix/Linux (Solaris), Unix/Linux (SLES), Windows AD, Windows (WinLocal)

Databases: DB2, Oracle, SQL Server, Sybase

Infrastructure: LDAP, SAP Netweaver, SAP GRC, TAM Combo, TopSecret, Cisco UCM, TAM ESSO, Siebel (JDB)

Others: Exchange, Groupwise, Lotus Notes/Domino, Novell, Oracle eBS, PeopleTools, RSA AuthMan (ACE), SAP R/3 (ABAP)

ITIM configuration import / export

Tivoli Identity Manager features an import / export capability for a number of configuration items:
• Promotion of configuration from one environment to another
• Can also be used for backing up configuration items

Quick Wins

Request-based User Provisioning with Approval Workflow
Streamline and accelerate the process of granting, modifying, and removing user accounts throughout your IT infrastructure, while maintaining an effective audit trail for your internal controls. TIM automates the process of end users (or their managers, for example) requesting access to new accounts, notifying required approvers of the request, gathering necessary approvals and information, and provisioning the approved accounts. Supervisors or security administrators can immediately remove unneeded account access as a user switches jobs, or unnecessary access can be automatically removed during the recertification process.

User Self-Care and Password Management
Decrease help desk calls by providing Web self-care interfaces to perform password and personal information changes. TIM’s intuitive Web interface provides users the opportunity to update personal information and synchronize their passwords across all their accounts, or reset a forgotten password by successfully answering challenge/response questions.

Out-of-the-Box Reporting and Recertification of User Access Rights
Reduce the time and cost associated with preparing for audits and revalidating user accounts. Automate and streamline your process of validating that each user account is still needed for a valid business purpose.
• Recertification notification and approval events that can be sent to managers, application owners, or security administrators.
• TIM offers the following reports to assist with audit and compliance demands: Approval process report, Request report, Rejected requests report, Pending request report, Account report, Suspended person report, Dormant account report, Active account report, Services report, Reconciliation report

Suggested implementation projects

To be discussed, depends on customer priorities (ROI, compliance, automation)

Top 10 reasons to choose IBM Tivoli Identity Manager

1. ITIM provides a built-in, sophisticated workflow engine with drag and drop workflow capabilities within the Web console; workflows are easy to customize, highly customizable via scripts, with API integration with other systems, etc.
2. ITIM supports millions of users in customers’ deployments, across thousands of managed systems.
3. IBM is the market leader in Access Management as well as Identity Management.
4. Comprehensive administrative control via industry-leading out-of-the-box adapters.
5. ITIM provides management efficiency through policy simulation and ‘what-if’ modelling of changes (simulating the effect of policy changes before they are enacted), reporting errors or potential problems, and enabling these to be resolved before they affect live operations.
6. ITIM is the only product to definitively and proactively detect access rights compliance issues. ITIM has flexible, risk-based options (flag, suspend, alert, or correct) to meet compliance goals without impacting business productivity.
7. ITIM provides the ability to customize the language presented to both end users and administrators based on user preferences. This includes challenge and response questions, as well as email notifications.
8. ITIM is the only user provisioning product to have achieved Common Criteria Evaluation Assurance Level 3 (EAL 3) certification.
9. IBM supports a secure interface with RACF on z/OS. ITIM also runs as a server platform on native z/OS.
10. There is no need to learn any proprietary language to develop workflows in ITIM; TIM uses standard JavaScript.

Why IBM?

Breadth and Depth of Solution: only vendor that delivers breadth of security and compliance capabilities to address infrastructure, applications, information, people and identities.

Extensive Integration: integrates with all types of business data (structured, semi-structured, and unstructured) for addressing information & data security needs, and all major application types (web, legacy, and ESB for SOA) for securing business process.

Open Standards: open security platform and leadership in Web Services security, policy management and federated identity.

Product Leadership: analyst attested leadership in markets for user and infrastructure security and compliance software and services.

Best in class System z security: leadership in mainframe security with RACF, zOS security, identity & access and compliance, enabling clients to leverage System z as the enterprise security hub.

A core element of IBM Service Management: security integration with key ITIL processes out of the box: Incident, Problem, Change, Release, SLA, Configuration, Availability.

Breadth of Service Management offering: IBM offers full breadth of end-to-end asset and service management solutions that operate on a common web services infrastructure.

IBM Security
– The only security vendor in the market with end-to-end coverage of the security foundation
– 15,000 researchers, developers and SMEs on security initiatives
– 3,000+ security & risk management patents
– 200+ security customer references and 50+ published case studies
– 40+ years of proven success securing the zSeries environment
– 600+ security certified employees (CISSP, CISM, CISA, ..)

[Figure: IBM security portfolio by function]
IPS: IBM Internet Security Systems
Audit • SIEM: IBM Tivoli Security Information and Event Manager
Enforce • authentication • authorization: IBM Tivoli Access Manager portfolio
Administer • provision/manage: IBM Tivoli Identity Manager
Synchronize • meta-directory: IBM Tivoli Directory Integrator
Store • directory • LDAP: IBM Tivoli Directory Server

SAP integration

SAP Architecture

[Figure: SAP NetWeaver™ stack (source: SAP). Business solutions, examples: ERP, SCM, CRM, SRM, PLM; SAP for Banking (SAP Analytical Banking, SAP Transactional Banking (TRBK), SAP Customer Centric Banking); SAP Retail. NetWeaver layers: People Integration (multichannel access, portal, collaboration); Information Integration (business intelligence, master data management, knowledge management); Process Integration (integration broker, business process management); Application Platform (Java, ABAP, DB and OS abstraction); with Composite Application Framework and Lifecycle Management alongside]

SAP Pain Points

[Figure: separate SAP systems (SAP ERP, SAP EBP, SAP BW, SAP APO, SAP…), each with its own user store]

• No central security functionality for SAP and non-SAP components to manage user identities and access
• Lack of integration with security standards (authentication methods, etc.)
• Security islands in managing access control, centralized rules and audit capabilities
• Multiple Identity Account Problem
– Each SAP system has its own user data store; each application brings its own ID
– Each ID does not work with other IDs
– Each ID adds cost and complexity
– Each ID adds business risk to compliance with business, regulatory, legal and security requirements
• SAP applications user repository not synchronized per default (e.g. NetWeaver vs R/3)

Implementing SAP systems often means significant investment for a critical part of your business

Answering these questions helps to protect your investments:
• Who has access to these systems?
• How do you control access to critical data?
• Do you know if authorized users are improperly exercising their access rights?
• Are you able to efficiently provision user accounts not only to the SAP systems but across the entire enterprise with a single system?
• How do you audit and administer access to critical mainframe resources?

By implementing processes for managing users, their access to IT resources, and being able to prove what they’re doing with that access.

Identity & Access Management for SAP

SAP Value Proposition
• Provisioning:
  – Quickly set up and/or recertify SAP user account access. Quickly locate and manage invalid SAP user accounts.
• Productivity:
  – Increase user productivity through convenient yet secure single sign-on support
• Access and Audit:
  – Control access to SAP consistently

(figure: SAP HR hire -> ITIM approval workflow and user provisioning -> SAP ERP account. An authoritative identity source (Human Resources, Customer Master, etc., e.g. SAP HCM/HR) feeds the TIM trusted identity store, which owns the accounts (jcd0895, jdoe03, Sarah_s4, ackerh05, smiths17, nbody, ...) on business applications such as SAP and Cisco Secure ACS; in steps 1-5 a recertification request goes to the user's manager and the access is revalidated and audited)

SAP – Tivoli Identity Management Integration

Tivoli Identity Manager provides extensive and compliant SAP user provisioning capabilities for all SAP platforms. TIM integrates with business control solutions.

TIM key features for SAP include:
• Provides SAP HR linkage
• Supports SAP CUA
• Complements SAP user administration with features only provided by TIM, like Closed Loop Policy
• Complete SAP user attribute support (>200)
• Reconciliation of SAP accounts
• SAP ALE/IDoc support through TDI integration

Additional SAP user management capabilities through integration via:
• Central user store (Tivoli Directory Server)
• Real-time data synch (Tivoli Directory Integrator)

(figure: accounts on 70 different types of systems managed - operating systems, databases, applications)

Tivoli Identity Manager integrates with business control solutions to ensure compliant provisioning and monitoring:
1. HR event or self-service request initiates a provisioning event
2. TIM determines the access rights needed across systems and collects approvals
3. Business Controls check for fine-grained SOD violations
4. Block the request or seek mitigating controls
5. Compliant provisioning request implemented through the adapter on the business applications
6. Periodic account reconciliation for continuous compliance

Tivoli Compliance Insight Manager (TCIM) monitors and reports on compliance across the whole IT infrastructure, with deep process-level application monitoring.
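How the business-controls check (steps 3 and 4 of the flow above) can be realised in code, as an added example in JavaScript, the language TDI uses for business logic; this is not IBM or Tivoli code, and the rule ids, entitlement names, user ids and mitigating-control reference are constructed for the example.

```javascript
// Added example (not IBM/Tivoli code): the business-controls check, steps 3 and 4
// of the compliant provisioning flow, in plain JavaScript. Rule ids, entitlement
// names, user ids and the mitigating-control reference are all constructed here.

// Constructed SoD rule set: each rule names two entitlements that must not be held
// by the same person, and whether a documented mitigating control may override it.
const SOD_RULES = [
  { id: 'SOD-001', conflict: ['SAP:AP_INVOICE_ENTRY', 'SAP:AP_PAYMENT_RELEASE'], mitigable: true },
  { id: 'SOD-002', conflict: ['SAP:VENDOR_MASTER_MAINTAIN', 'SAP:AP_PAYMENT_RELEASE'], mitigable: false },
  { id: 'SOD-003', conflict: ['SAP:USER_ADMIN', 'SAP:SECURITY_AUDIT_LOG_ADMIN'], mitigable: false },
];

// Entitlements each user already holds, as TIM would know them from the last
// reconciliation of the target systems (step 6). Constructed sample data.
const CURRENT_ACCESS = {
  jdoe03: ['SAP:AP_INVOICE_ENTRY', 'AD:DOMAIN_USER'],
  smiths17: ['SAP:VENDOR_MASTER_MAINTAIN', 'AD:DOMAIN_USER'],
};

// Evaluate one provisioning request { user, entitlements, mitigatingControl? }.
// The rules are applied to the union of existing and requested entitlements, so a
// single new entitlement that completes a toxic pair is caught, not only requests
// that carry both halves of the pair themselves.
function evaluateRequest(request, currentAccess = CURRENT_ACCESS, rules = SOD_RULES) {
  const have = new Set(currentAccess[request.user] || []);
  const after = new Set([...have, ...request.entitlements]);

  const violations = rules
    .filter(r => r.conflict.every(e => after.has(e)))
    .map(r => ({
      rule: r.id,
      mitigable: r.mitigable,
      // A conflict the user already had is reported for remediation but is not
      // caused by this request, so it does not by itself decide the request.
      preExisting: r.conflict.every(e => have.has(e)),
    }));

  const caused = violations.filter(v => !v.preExisting);
  if (caused.length === 0) {
    return { decision: 'approve', violations };
  }
  // Step 4: block outright when a caused conflict cannot be mitigated, or when a
  // mitigable one arrives without an approved mitigating-control reference.
  const blocked = caused.some(v => !v.mitigable || !request.mitigatingControl);
  return { decision: blocked ? 'block' : 'approve-with-mitigation', violations };
}

// Stand-alone demonstration: the same request with and without a mitigating control.
console.log(evaluateRequest({ user: 'jdoe03', entitlements: ['SAP:AP_PAYMENT_RELEASE'] }).decision);
console.log(evaluateRequest({ user: 'jdoe03', entitlements: ['SAP:AP_PAYMENT_RELEASE'],
                              mitigatingControl: 'MC-0042' }).decision);
```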

SAP – Tivoli Access Management Integration

Tivoli Access Manager provides consistent secure access control and a security enforcement point for SAP resources and applications.

TAMeb key features include:
• Policy-based access control security solution for e-business and enterprise applications
• Single access control model for operating systems, middleware, and applications including SAP
• Authentication and single sign-on to SAP using SAP Login Ticket and Kerberos technology
• Tivoli Access Manager for Enterprise Single Sign-On includes integration for SAPGUI SSO supporting client desktop security

(figure: IBM Tivoli Access Manager with an LDAP user registry - Access Manager for e-business, Access Manager for Business Integration, Access Manager for Operating Systems, Access Manager for Enterprise Single Sign-on - in front of operating systems, databases and applications)

SAP – Tivoli Federated Identity Management Integration

IBM Tivoli Federated Identity Manager provides inter-enterprise user lifecycle management including SAP systems and applications. TFIM extends SAP Identity and Access Management to partner and customer IT infrastructure (multi-domain IAM).

• SAML integration: single sign-on via SAML Browser Artifact
• Integrates with SAP NetWeaver AS-Java based applications (SAP J2EE Engine, SAP Portal)
• SAP Token Trust Module (STS - Secure Token Service for SAP Login Ticket)

(figure: a Multi Protocol Federation Gateway (TAM + TFIM) brokers "Identity" between partners using WS-Federation, Liberty, SAML and WS-Security and the SAP, WebSphere and MS .NET platforms)

IBM Tivoli is the first vendor to receive SAP certification for the SAP BC-AUTH-SAML interface.

SAP – Tivoli Compliance Management Integration

IBM Tivoli Compliance Insight Manager (TCIM): watching users as they access systems and information. Integrates SAP application security monitoring in an enterprise security compliance dashboard with in-depth (privileged) user monitoring capabilities.

SAP ERP and NetWeaver internal Security Audit Log data is read by a TCIM actuator, subsequently processed and standardized along with other enterprise-wide security data (firewalls, operating systems, database applications, etc.).

TCIM key features:
• Unique ability to monitor user behavior
• SAP supported on various platforms through Transaction Audit and Security and via the SAP Security Audit Log
• Monitor SAP application and transaction activity
• Map SAP log and audit trail collection to compliance management modules and regulation-specific reports
• Compare SAP transaction behavior to regulatory and company policies

FIDUCIA simplifies user control and enhances security for SAP solutions with IBM Tivoli

Business Challenge: Fiducia needed effective and centralized user management. Their goal is cost savings, a transparent user administration workflow and single sign-on to their systems. Their major systems to manage are SAP CUA and SAP HR.

Solution: IBM Tivoli Identity Manager, IBM Tivoli Access Manager for e-business

Business Benefits:
• Reduce support effort by implementing an identity management solution that can serve on-demand authorization requests
• Eliminate user administration task effort on target systems
• Implement a provisioning workflow starting at SAP HR and including the SAP target systems

Tivoli Security SAP Integrations

(table: Tivoli Product / Tivoli Security for SAP Integration Solution / SAP Interface)

• Tivoli Access Manager for e-Business
  – Adapter for SAP NetWeaver AS JAVA (Portal); Adapter for SAP Internet Transaction Server; Adapter for SAP NW AS ABAP (R/3, ERP, BW, etc) / SAP Login Ticket, PAS, SNC
• Tivoli Access Manager for Enterprise Single Sign-On
  – Encentuate TAMESSO V8/Encentuate SAP SSO Profile / SAPGUI
• Tivoli Compliance Insight Manager
  – Actuator for SAP NW AS ABAP (R/3, ERP, BW, etc); Adapter for SAP Business Objects Enterprise XI / SAP Security Audit Log
• Tivoli Directory Integrator
  – Function Component for SAP NW AS ABAP (R/3, ..); Connector for SAP NW AS ABAP User Registry; Connector for SAP HCM/HR BOR; Connector for SAP NWAS ABAP ALE/IDoc; SPML Connector for SAP NW AS JAVA SPML (Prototype) / SAP NW AS ABAP defined RFC/BAPI, JCo, ALE/IDoc, SAP NW AS JAVA UME, SPML 1.0
• Tivoli Directory Server
  – SAP NetWeaver AS JAVA (UME, Portal); SAP NetWeaver AS ABAP User Registry / BC-USR-LDAP, UME, SAP LDAP Connector
• Tivoli Federated Identity Manager
  – Adapter for SAP NW AS JAVA (Portal) / BC-AUTH-SAML, SAML 1.0/1.1
  – STS Trust Module / SAP Login Ticket
• Tivoli Identity Manager
  – Adapter for SAP NW AS ABAP (CUA); Adapter for SAP NW AS JAVA (UME, Portal); Adapter for SAP GRC Access Control (Virsa) / RFC/customized BAPI (TIVSECTY namespace), SAP Security API, SAP GRC Access Enforcer, Web Services

IBM and SAP Partnership - Qualified, Awarded, Proven.

• Certified in four main SAP Partner categories
• Awarded with multiple SAP Awards of Excellence and 13 SAP Pinnacle Awards
• IBM itself is one of the largest productive SAP users: 20.000+ SAP production users, mixed release levels, all on IBM hardware; improved bookings efficiency by 40%, increased labor productivity by 15%, reduced server build cycle times by 30%
• SAP Award of Excellence for IBM: 2005: 2 awards, 2006: 2 awards, 2007: 3 awards, 2008: 3 awards

Tivoli Directory Integrator

• A real-time, event-driven, general-purpose data integration environment consisting of:
  – A rapid development GUI for building and maintaining transformation and synchronization rules
  – A multi-threaded server that executes rules and monitors events

(figure: TDI instances connecting MQ, directories, mainframe, Linux, AIX, .net, web services, databases, files and Lotus Domino)

Connecting data in systems
• Moves, copies and transforms data between systems
  – Unique AssemblyLine methodology provides unparalleled speed of deployment, development and maintenance
  – Maps between schemas and attributes of the connected systems
  – The combined attribute flow and transformation rules create output for the target systems
  – Supports JavaScript as scripting language for business logic and exception handling

Technology Architecture

(figure: TDI rule engine with events and AssemblyLines, plus a graphical development and testing environment; parsers - HTML, CSV, XML, LDIF, SOAP; connectors - directory, queuing, email, databases, web services, SOAP, custom IP protocols, custom, files)

TDI as a bundled component

• Lotus Domino 8 & Lotus Connections
• WebSphere RFID Information Center
• Tivoli Identity Manager
• CCMDB & TADDM
• Tivoli Access Manager (TAMeb)
• Tivoli Directory Server
• Federated Identity Manager
• ...and more coming

TDI Deployed Scenarios

• Directory & password synchronization
  – IBM (Blue Pages, w3 intranet, ibm.com) + numerous clients
• SOA & Enterprise Service Bus on-ramp/off-ramp
  – TDI + MQ
• Portal & WebSEAL authentication extension
  – TAMeb bundle and custom Portal deployments
• Web Services
  – FIM deployments, integration to ERP systems
• Database integration
  – Rational, CM/LM, WebSphere II at US Gov't Intel Agencies
• Custom Application Development
  – Dynamic Crisis Team Management (CWID) for US Home Security
• Service Desk integration
  – CCMDB connection to Remedy and Peregrine
• Mail integration
• ...

Rapid Integration Development

A collection of components that form a continuous path from source(s) to target(s) is called an AssemblyLine.
• Isolate a single data flow.
• Identify the data access method (API, protocol, transport, format...)
• Click suitable components together (quickly & easily create new ones as needed)

(figure: AssemblyLine from an SQL database via the JDBC Connector to an XML file via the FileSystem Connector)

Target solution

(figure: SQL Database, LDAP Directory -> XML Document. The XML document produced by the AssemblyLine; values cut off in the slide extraction are left as they appear)

<?xml version="1.0"?>
<DocRoot>
  <Entry>
    <department>School Of Nursing</department>
    <Title>Adjunct Instructor</Title>
    <Birthday>1958-12-23</Birthday>
    <affiliationcode>volunteer</affiliationcode>
    <degrees>BS</degrees>
    <FullName>L Adowski, </FullName>
  </Entry>
  <Entry>
    <department>FSA - Food And </department>
    <Title>Service Employee</Title>
    <Birthday>1977-02-08</Birthday>
    <affiliationcode>staff</affiliationcode>
    <degrees>-</degrees>
    <FullName>C Agocha, </FullName>
  </Entry>
</DocRoot>

Step 1. Migrate SQL DB to XML
(figure: SQL database -> JDBC Connector -> FileSystem Connector w/ XML Parser -> XML document)

Step 2. Join from LDAP
(figure: SQL database -> JDBC Connector -> LDAP Connector (LDAP directory) -> FileSystem Connector w/ XML Parser -> XML document)

TDI 6.1.1 Server components (figure: connectors, function components and parsers shipped with the server)

• Axis Easy Web Service Server Connector; Axis Easy Web Service Invoke; Axis Java-to-Soap; Invoke Soap Web Service; Axis Soap-to-Java; Complex Types Generator; Wrap Soap
• LDAP Connector; LDAP Server Connector; Tivoli Access Manager Connector; Windows Users and Groups Connector; Active Directory Changelog Connector v2; IBM Directory Server Changelog Connector; Netscape/iPlanet Changelog Connector; zOS LDAP Changelog Connector
• BTree Connector; JDBC Connector; Properties Connector; SystemStore Connector; RDBMS Changelog Connector; AssemblyLine Connector
• Active Correlation Technology Connector; Generic Log Adapter Connector; RAC Connector; Entry to CommonBaseEvent Function
• JMX Connector; SNMP Connector; SNMP Server Connector; TCP Connector; TCP Server Connector
• Remedy/Peregrine/CCMDB tickets; CCMDB; Netcool; RSS
• PeopleSoft Connector; Siebel Connector; SAP ALE IDoc Connector; SAP R/3 Business Object Repository; SAP R/3 User Registry; SAP R/3 RFC Functional Component
• Script Connector; Generic Java Method; Parser FC; Scripted Function Component
• AssemblyLine Connector; Server Notifications Connector; AssemblyLine Function Component
• Domino Change Detection Connector; Domino Users Connector; Lotus Notes Connector
• Exchange Changelog Connector; Mailbox Connector; SendEMail Function Component
• TIM DSMLv2 Connector; DSMLv2 SOAP Connector; DSML v2 SOAP Server Connector; Generic JNDI Connector; ITIM Agent Connector
• EMF SDOToXML Function Component; EMF XMLToSDO Function Component; Timer Connector
• Parsers: CSV Parser; DSML v1 Parser; DSML v2 Parser; Fixed Record Parser; HTTP Parser; LDIF Parser; Line Reader/Writer; SOAP Parser; Script Parser; Simple Parser; XML Parser; XML Sax Parser; XSL based XML Parser
• Remote Command Line Function Component; z/OS TSO/E Command Line Function Component; Command Line Connector
• Memory Queue FC; MemQ Connector; Memory Stream Connector
• File System Connector; FTP Client Connector; URL Connector; HTTP Client; HTTP Server Connector
• IBM MQ Series Connector; JMS Pub/Sub Connector; MQe Password Store Connector; System Queue Connector

Runs on a JVM on Windows, Linux, AIX, iSeries, zOS, Sun, HP.

Many custom components are downloadable from OPAL or tdi-users.org or on request.

Drag-and-drop to build AssemblyLines

(figure: a file connector reads data and changes from a source file of any format; TDI writes through any connector to a file in another format, a database (RDBMS), a directory (LDAP), or another target)

TDI has the capability to detect changes in the source data each time it reads from it. For example, an HR report might not contain information about changes, only a snapshot of the entire employee database. TDI is able to determine the change from previous versions and only propagate added, changed and deleted records.

Custom filtering, mapping, transformation, enrichment, augmenting BIRT's own JavaScript capabilities. Optionally adding in extra lookup connectors to add correlated data.

As well as: HTTP, JMS/MQ, Web Services, SNMP, SMTP/email, TCP
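The snapshot-based change detection described above, as an added example in plain JavaScript (the scripting language TDI uses); this is not IBM or Tivoli code, and the two HR extracts, the column names and the employee records are constructed for the example.

```javascript
// Added example (not IBM/Tivoli code): detect changes between two full HR
// snapshots that carry no change flags of their own, and emit only the added,
// changed and deleted records as events for the downstream connectors.

// Constructed CSV extracts: yesterday's and today's. empno is the key column.
const SNAPSHOT_PREVIOUS = `empno,name,department,status
1001,John C. Doe,Finance,active
1002,Sarah K. Smith,Nursing,active
1003,Hans Acker,IT,active`;

const SNAPSHOT_CURRENT = `empno,name,department,status
1001,John C. Doe,Finance,active
1002,Sarah K. Smith,Finance,active
1004,Lena Adowski,Nursing,active`;

// Minimal CSV reader (no quoting support; enough for extracts like the above).
function parseCsv(text) {
  const [header, ...rows] = text.trim().split('\n').map(l => l.split(','));
  return rows.map(r => Object.fromEntries(header.map((h, i) => [h, r[i]])));
}

// Compare two snapshots keyed on `key`. Columns named in `ignore` (for example
// an extract timestamp) are excluded from the comparison so that they do not
// turn every row into a spurious 'modify' event on every run.
function detectChanges(previousText, currentText, key = 'empno', ignore = []) {
  const index = rows => new Map(rows.map(r => [r[key], r]));
  const prev = index(parseCsv(previousText));
  const curr = index(parseCsv(currentText));
  const events = [];

  // Rows present now: new key -> add; known key with differing columns -> modify.
  for (const [k, row] of curr) {
    const old = prev.get(k);
    if (!old) { events.push({ op: 'add', key: k, record: row }); continue; }
    const changed = Object.keys(row).filter(c => !ignore.includes(c) && row[c] !== old[c]);
    if (changed.length) events.push({ op: 'modify', key: k, changed, record: row });
  }
  // Rows that disappeared from the snapshot -> delete (the leaver case).
  for (const [k, old] of prev) {
    if (!curr.has(k)) events.push({ op: 'delete', key: k, record: old });
  }
  return events;
}

// Stand-alone demonstration: one move (1002), one joiner (1004), one leaver (1003).
for (const e of detectChanges(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT)) {
  console.log(e.op, e.key, e.changed ? e.changed.join(',') : '');
}
```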

Adapter framework for ITIM (Tivoli Identity Manager)

(figure: TIM services and the TIM operations handler call adapter AssemblyLines; each adapter consists of TDI logic and connectors driving a target system)

TIM manages the life cycle of users in the enterprise IT systems. Field teams and customers are enabled by being able to modify the adapters in the field.

Community Resources

Beyond the standard IBM sites (product, documentation and support home pages) there are:

• TDI "RabbitHole" website with examples, documentation, links to videos (showing how a connector/integration is built), step-by-step learning TDI and much more.
  http://www.tdi-users.org
  See in particular
  – http://www.tdi-users.org/twiki/bin/view/Integrator/WebHome
  – http://www.tdi-users.org/twiki/bin/view/Integrator/LearningTDI
  – http://www.tdi-users.org/twiki/bin/view/Integrator/IsmPage (Service Management Integration)
• TDI Redbooks
  – http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=Directory+AND+Integrator
• OPAL (Open Process Automation Library), search for Directory Integrator. Finished connectors and integrations are published here by IBM, customers and others alike
  – http://www-01.ibm.com/software/brandcatalog/portal/opal/
• TDI Newsgroup
  – news://news.software.ibm.com/ibm.software.network.directory-integrator
• Google Discussions
  – http://groups.google.com/group/ibm.software.network.directory-integrator/topics
  – http://sites.google.com/site/tdi7islive/
• TDI 90 day trial download
  – https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-itdid
• !! Participate and Share !!

Backup


TIM 5.1 Server Support

• AIX V5.3, V6.1
• Sun Solaris 10 (SPARC)
• Windows Server 2003 R2 Standard Edition and Enterprise Edition
• Windows Server 2008 R2 Standard Edition and Enterprise Edition
• Red Hat Linux Enterprise 4 update 4 for Intel, System p, and System z
• Red Hat Linux Enterprise 5 for Intel, System p and System z
• SUSE Linux Enterprise Server 10.0, 11.0 for Intel, System p and System z

TIM 5.1 Middleware Support

Database
• IBM DB2 Enterprise V9.5, fix pack 3b, V9.7 (for all supported operating systems except 32 bit Linux and Linux on System p)
• IBM DB2 Enterprise V9.1 fix pack 4
• Oracle Database 10g Release 2
• Oracle Database 11g
• Microsoft SQL Server 2005 Enterprise Edition

WebSphere
• IBM WebSphere Application Server Network Deployment V6.1, fix pack 23, V7.0

Directory Servers
• IBM Tivoli Directory Server V6.1 and V6.2 fix pack 1
• Sun Java System Directory Server Enterprise Edition 6.3

Upgrades
• TIM application upgrade from version 4.6 or 5.0 supported

Tivoli Directory Integrator
• IBM Tivoli Directory Integrator V6.1.1 fix pack 6
• IBM Tivoli Directory Integrator V7.0

TIM – Client support

Browsers supported: Internet Explorer 7.0, 8.0; Mozilla Firefox 2.0, 3.0

Scaling/failover/HA

In this configuration there are two or more application server instances, each serving a separate ITIM application under the control of the WebSphere Network Deployment Manager. There may also be separate servers running the Directory Server (LDAP) and Relational Database (RDBMS) software, and possibly separate servers for directory and database replication. Such configurations can be used to scale ITIM in larger organisations and/or for failover/HA. If HA is wanted, two WAS servers and two database/directory servers would be appropriate.

Desktop Password Reset Assistant for Identity Manager

DPRA Features:
• Provides self-service Windows password unlock without a password change
• Provides self-service password reset and password synchronization with all accounts
• Authentication using the secure challenge-response features of Identity Manager
• Integration with TAM ESSO through the TAM ESSO provisioning adapter (updates passwords in the user's wallet)
• Translated and double-byte support
• Customizable for logos and backgrounds

(figure: the DPR Adapter on the Windows workstation talks to ITIM, which manages the user accounts in the Windows directory, SAP, databases, mainframe and custom systems)

The combination of ITIM and the DPRA provides a comprehensive password management solution for end users.

Scenario: Susan forgets her Windows password. Using TIM self service alone she would need to access a browser on another workstation, as she cannot log in to the system. With TIM and the DPR Adapter, she can reset her password directly from her locked workstation.

Result: Susan has a positive user experience and Acme's security policy is followed.

Tivoli Identity Manager – example of a flow

(figure: Tivoli Identity Manager with Admin GUI and end-user self-service, connected to the HR/payroll system (custom), RACF (the dealer system), Active Directory, SAP, databases and custom systems)

• A new employee is created in the HR/payroll system, whereupon they are automatically detected and given basic access.
• The employee orders additional access in the self-service interface; after approval it takes effect immediately.
• New work tasks: the user is simply assigned a new role
• Forgotten password: the user requests a new password themselves. No manual handling
• Every 3 months the system administrator is notified of access on systems where there has been no login for 90 days.
• Every six months the manager/application owner must attest the user's roles/access
• Audit is supported by reports
• New systems: access is attached to a role, whereby the relevant users get access
• Leaver: on deactivation in the HR/payroll system the user is deactivated

This system will thus support both internal and external users.

Many other ITIM integrations are possible

The IBM Tivoli Open Process Automation Library site lists a number of published integrations with IBM and third-party products.

http://catalog.lotus.com/wps/portal/topal


ITIM References

Tivoli Identity Manager Information Centre: contains all standard Tivoli Identity Manager documentation, including the "Tivoli Identity Manager Tuning Guide". Available at the following URL:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm

Tivoli Identity Manager Design Guide. Available at the following URL:
http://www.redbooks.ibm.com

Tivoli Identity Manager Advanced Design Guide. Available at the following URL:
http://www.redbooks.ibm.com

For More Information

Tivoli User Community: an active and lively community for Clients, Business Partners, and IT professionals. Free membership provides you with valuable resources, tools and networking capability. Log on to www.tivoli-ug.org or visit the pod in the IBM Pulse Expo.

Tivoli Training: IBM offers technical training and education services to help you acquire, maintain and optimize your IT skills. For a complete Tivoli Course Catalog and Certification Exams visit www.ibm.com/software/tivoli/education

Tivoli Services: with IBM Software Services for Tivoli, you get the most knowledgeable experts on Tivoli technology to accelerate your implementation. For a complete list of Services Offerings visit www.ibm.com/software/tivoli/services

Tivoli Support: IBM Software Premium Support provides an extra layer of proactive support, skills sharing and problem management, personalized to your environment. Visit www.ibm.com/software/support/premium/ps_enterprise.html

ITIM tools and utilities

There are a number of Identity Manager tools publicly available. They include:
• Adapter Development Tool
• Documentation Tool
• Graphical Configuration Editor
• Business Intelligence and Reporting Tools (BIRT)

ITIM Adapter Development Tool

• The ITIM Adapter Development Tool facilitates the creation of custom adapters
  – Features a graphical user interface designed specifically for adapter customization
  – Can also be used to modify existing RMI-based adapters
• It can be downloaded at the following URL:
  – http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10IM0H

Documentation Tool for ITIM

• The Documentation Tool for ITIM (also known as DocTool) can produce instant reports on the ITIM configuration
  – Can produce reports in HTML or XML
• It can be downloaded at the following URL:
  – http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10IM0C

ITIM Graphical Configuration Editor

• The ITIM Graphical Configuration Editor offers an alternative visual interface for configuring ITIM
• It also features advanced configuration import/export features
• It can be downloaded at the following URL:
  – http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10IM0G