Transcript of SCI104: How to Migrate from CUA to SAP NetWeaver IdM 7.1
SCI104
How to Migrate from SAP CUA to SAP NetWeaver Identity Management 7.1
Go Live Strategies and Case Study
Birger Tödtmann, SAP Consulting
Rene Feister, SAP Consulting
Frank Buchholz, Active Global Support
October 2010
© 2010 SAP AG. All rights reserved. / Page 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other
agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or to develop or release any functionality mentioned in this presentation. This
presentation and SAP's strategy and possible future developments are subject to change and
may be changed by SAP at any time for any reason without notice. This document is provided
without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP
assumes no responsibility for errors or omissions in this document, except if such damages
were caused by SAP intentionally or grossly negligent.
Agenda
1. SAP CUA vs. SAP NW IDM
SAP Central User Administration
SAP NetWeaver Identity Management 7.1
Functional Comparison CUA vs. IDM 7.1
2. Replacement Challenges
Identifying CUA “must haves”
Implementing CUA features in IDM 7.1
3. Go Live Strategies
“Big bang”
Smooth cut-over
4. Case study
5. Summary
SAP Central User Administration (CUA)
Benefits
[Diagram: CUA central system distributing user data to CUA client systems across the DEV / QA / PRD landscapes]
Create / delete users
Change global attributes
Assign / remove roles
Mass changes
Position based indirect assignments (CUA on HR system)
Identity Management with CUA
Drawbacks
[Diagram: CUA covers provisioning for ABAP-based systems only; identity processes such as on-boarding additionally need an LDAP directory kept in sync with CUA, a 3rd party identity management product, and a separate UME data source]
SAP NetWeaver Identity Management
Benefits
[Diagram: identity processes such as on-boarding run through SAP NetWeaver Identity Management, integrated with SAP BusinessObjects Access Control (GRC)]
Password management
Provisioning to SAP and non-SAP systems
Identity mgmt. monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as service
Approval workflows
Central Identity Store
Compliance checks through GRC
SAP Business Suite Integration
Why Choosing SAP NW Identity Management?
High-Level Comparison of SAP CUA with SAP NW IdM
Functionality | Central User Administration (CUA) | SAP NetWeaver Identity Management 7.1 (IdM)
Target Systems | ABAP only | SAP and non-SAP
Workflow Support | No | Yes
Rule based access management | Almost none (except the rarely used HR org. rule engine) | Yes
Modeling of role hierarchy | No | Yes
Cross system role assignments | Manual | Full support
LDAP directory integration | LDAP synchronization | Full support
Password management | Management and distribution of initial passwords | Yes; including user interface and workflow support
Functional Comparison – SAP CUA vs. SAP NW IdM 7.1 (1/2)
Criteria | SAP CUA | SAP NW IdM | Comments For SAP NW IdM
User Interface | Clearly defined standard SAP UI; BUT very limited flexibility to change | Standard UI tasks existing; some with limitations | Custom UI tasks can be created. Flexibility is limited to standard WebDynpro for Java UI
Mass User Changes | Transaction SU10 | No standard tasks or jobs existing | CSV based upload can be used in IdM. Required upload jobs have to be created
Reporting | Transaction SUIM | No standard reports existing | Custom reports can be created in IdM. Depending on the requirements this can be a significant effort. Approach not as dynamic as the SUIM approach. Ad-hoc approach: perform database queries directly
E-Mail Notifications | Not available in standard | No standard tasks or jobs existing | But: E-Mail notifications can be added and linked quite easily in IdM
Functional Comparison – SAP CUA vs. SAP NW IdM 7.1 (2/2)
Criteria | SAP CUA | SAP NW IdM | Comments For SAP NW IdM
Business Role Model – Role Hierarchy | Single roles / composite roles, no inheritance model | Business roles that can be organized in a complex hierarchy | Complex role hierarchy, inheritance of role and privilege assignments. Role inheritance of AS ABAP roles not visible in IdM (privileges are flat)
Backend System Connectivity / Error Handling | ALE distribution model, iDoc reprocessing, standard synchronization job | No standard reprocessing available. No standard synchronization / reconciliation jobs available | Proper error handling / reprocessing needs to be implemented on a project basis. Job templates for SAP system reconciliation jobs provided by RIG can be used as a starting point
User Interface – Display Of Created At / By; Last Modified At / By | Available in standard UI | Data is available in the database but not easily visible in the UI | Custom specific attributes have to be created that store and display the data in the UI
Support of local changes on backend system | Complex distribution model (global, local, proposal, redistribution) | Standard implementation supports only the central approach, IdM as leading system | To support local changes the respective synchronization mechanisms have to be designed and built in the project
IDM Requirements Analysis – With CUA Operation as Source (1)
1. Conduct a workshop with personnel from Helpdesk and User & authorization administration
2. Explain the functional gap: mass changes, SUIM features
3. Determine the mission-critical features the IDM replacement MUST have
4. Differentiate these from the “nice to haves”
5. Estimate efforts, make a plan
6. Prepare a decision proposal based on efforts and the drawbacks if not implemented
7. Get a decision for plan and budget
IDM Requirements Analysis – With CUA Operation as Source (2)
As-Is Situation
User provisioning limited to SAP ABAP systems only.
No standard approval workflow functionality in SAP CUA.
Limited number and content of built-in reports in SAP NW IdM.
SAP NW IdM 7.1 does not fully offer all key SAP CUA functionality out of the box that admins are used to.
To-Be Situation
One solution that can be used for any SAP system (includes SAP AS Java / Portal) plus non-SAP.
Predefined approval workflow processes for user changes and authorization assignments.
Extended preconfigured reports based on SAP Best Practices.
Providing UI and framework for SAP CUA operations like mass operations and copy functions.
Approach
Connector framework
Built-in predefined WFs
Enhanced reports
Mass operations
Some Examples of UI Tasks to be Built (1/2)
Additional UI tasks that need to be created; some screenshots are shown here:
Extended UI task for changes of identity attributes
Advanced UI tasks for changes of business roles
Some Examples of UI Tasks to be Built (2/2)
Additional UI tasks that need to be created; some screenshots are shown here:
Password reset (per backend system)
Copy identity / copy assignments of identity
Trigger for provisioning
Go Live Strategies – “Big Bang” Approach (1/2)
Prep phase:
1. Backend systems are connected to CUA
2. Connect IDM to backend systems (no provisioning possible as long as they are CUA daughters)
Go Live Strategies – “Big Bang” Approach (2/2)
“Big Bang” phase:
3. Decouple all daughter systems from CUA
4. Make initial load of all backend systems in IDM, activate provisioning of backend systems in IDM
Setup easy, change is “at once” with high consistency, but complex Go Live event
Go Live Strategies – “Smooth Cut-Over” Approach (1/2)
Prep phase:
1. Backend systems are connected to CUA
2. Connect IDM to CUA and backend systems; no direct provisioning to back ends possible as long as they are CUA daughters
Use CUA as proxy, indirect provisioning
Go Live Strategies – “Smooth Cut-Over” Approach (2/2)
Step-by-Step Go Live, one backend system at a time:
3. Pick a backend system, make initial load in IDM
4. Decouple backend system from CUA
5. Enable provisioning of backend system in IDM
More complex setup, but simpler Go Live scenario – the change spreads over days and takes more time
After Go Live – Prevent Inconsistencies
CUA daughter systems disable local changes in SU01 / PFCG
With IDM 7.1, connected backend systems still allow local changes
Inconsistencies can therefore enter the systems when no reconciliation jobs have been created in IDM
Either disallow any changes in all connected backend systems (by removing authorizations on S_USER_GRP)
- or -
Create a custom reconciliation report
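A custom reconciliation report of the kind called for here, written as an added example (not code from the presentation, from SAP or from the RIG job templates): it compares a constructed IdM identity-store export with a constructed backend user/role dump for one repository and lists the users, role assignments and lock flags that drifted apart, i.e. the local SU01 / PFCG changes that can enter once a system is no longer a CUA daughter. The export column names and the sample data are assumptions; the repository IDs PGI and QGI are taken from the case study landscape.

```python
import csv
import io

# Constructed sample exports (not real customer data). The IdM export holds
# what the identity store believes is provisioned per repository; the backend
# export is a flat dump of user-to-role assignments plus the lock flag.
# Column names are assumptions for this example.
IDM_EXPORT = """user,repository,privileges,locked
ALICE,PGI,Z_SALES;Z_DISPLAY,0
BOB,PGI,Z_SALES,0
CAROL,PGI,Z_FINANCE,1
ERIN,QGI,Z_SALES,0
"""

# Backend client PGI after emergency maintenance done directly in SU01 / PFCG:
# DAVE was created locally, BOB received an extra role, CAROL was unlocked.
BACKEND_EXPORT = """user,roles,locked
ALICE,Z_SALES;Z_DISPLAY,0
BOB,Z_SALES;Z_ADMIN,0
CAROL,Z_FINANCE,0
DAVE,Z_DISPLAY,0
"""


def _parse(text, list_column, repository=None):
    """Return {USER: (frozenset(roles), locked)}; optionally filter by repository."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        if repository is not None and row["repository"] != repository:
            continue
        roles = frozenset(r for r in row[list_column].split(";") if r)
        users[row["user"].upper()] = (roles, row["locked"] == "1")
    return users


def reconcile(idm_text, backend_text, repository):
    """Compare the IdM view and the backend state for one repository.

    Returns sorted (finding, user, detail) tuples; an empty list means the
    backend is consistent with the identity store.
    """
    idm = _parse(idm_text, "privileges", repository)
    backend = _parse(backend_text, "roles")
    findings = []
    for user in sorted(set(idm) | set(backend)):
        if user not in idm:  # created locally, IdM never provisioned it
            findings.append(("USER_ONLY_IN_BACKEND", user, ";".join(sorted(backend[user][0]))))
            continue
        if user not in backend:  # deleted locally or provisioning failed
            findings.append(("USER_ONLY_IN_IDM", user, ""))
            continue
        idm_roles, idm_locked = idm[user]
        be_roles, be_locked = backend[user]
        for role in sorted(be_roles - idm_roles):
            findings.append(("ROLE_ONLY_IN_BACKEND", user, role))
        for role in sorted(idm_roles - be_roles):
            findings.append(("ROLE_ONLY_IN_IDM", user, role))
        if idm_locked != be_locked:
            findings.append(("LOCK_MISMATCH", user, f"idm={idm_locked} backend={be_locked}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in reconcile(IDM_EXPORT, BACKEND_EXPORT, "PGI"):
        print(f"{kind:22} {user:8} {detail}")
```

Each finding maps to one corrective action: re-provision from IdM, remove the locally added role, or re-apply the lock; a run that returns an empty list is the evidence a Go Live step can be signed off.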
Project Overview
Large SAP Retail project
SAP Central User Administration has been used as the central user administration tool for the system landscape of the project
Customer has been informed about SAP NW Identity Management 7.1 as the future tool to replace SAP CUA in the long term
Customer has been interested in the additional capabilities of the SAP NW IdM product such as:
Integration with SAP HCM
Integration with non-SAP systems such as MS Active Directory, Lotus Notes and LDAP
BUT: Focus of Release 1 of the SAP NW IdM project was to replace the existing SAP CUA system by the new software and get familiar with it
In Scope / Out Of Scope - Release 1
Main focus: replacement of the SAP CUA system with some small enhancements such as:
E-Mail notifications to end users for user creation and password reset
Creation of custom specific UI tasks
Creation of .csv upload jobs that can be used to perform mass user creation and changes
Addition of missing features such as Copy Identity, Copy Assignments (business roles, privileges) and more
A lot of the core IdM functionality was out of scope for Release 1 of the project, such as:
User self services
Approval workflows
Password reset self service
Integration with SAP HCM
Integration with non-SAP systems (customer has not licensed the SAP NW IdM product yet)
Main Implementations / Developments – List (1/2)
Custom copy of the complete SAP Provisioning Framework folder created and adapted
Reason was to be independent from upgrades / patches
E-Mail notifications to end users for user creation and password reset
Specialty: Several systems in one combined E-Mail to the end user
Mass identity administration jobs based on .csv uploads
Possibility to trigger the job execution from a UI task
Identity Upload – Creation
Identity Upload – Role Assignment
Identity Upload – Reset Password
Identity Upload – Lock / Unlock
Business Role Upload – Creation
Business Role Upload – Privilege Assignment
Main Implementations / Developments – List (2/2)
UI task for “Copy Assignments Of Identity”
To copy business role and privilege assignments
Possibility to define which repositories should be considered
Flags to decide if business role assignments or privileges or both should be copied
Definition of a procedure and creation of jobs to support a “System Copy” / “System Refresh” process which is done quite often in the current project phase
Project Plan
High level planning
Installation (DEV and PRD system, database: Oracle, OS: UNIX)
Blueprint workshops
Blueprint writing
Blueprint review / approval / corrections
Configuration / development
Staging (unit testing with sandbox clients)
Business role design
Testing
Documentation
Go-Live support / Ongoing activities
Coaching / Know-How transfer to customer
Chosen Go Live Option
As helpdesk assistance was granted and enough budget available for this approach, “smooth cut-over” was chosen, but without CUA as proxy.
Within two weeks, 20 clients had been disconnected from CUA and were reconnected to IDM
As some emergency user maintenance had to be done in between, reconciliation reports were used to synchronize back ends and the IC database
Go Live was very successful, CUA completely taken offline afterwards
Initially, CUA load was done to get all user data for prep purposes
[Diagram: system landscape of the migrated clients, labelled with system IDs DGI, QGI, SGI, PGI, DGT, QGT, SGT, PGT, DG4, QG4, TG4, PG4, DGA, QGA, PGA, PG7, DGS, PGS, DGF]
Summary
Replacing CUA is a good strategic move in the long term and yields significant functional enhancements CUA can’t offer in the short term
However, with NW-IDM 7.1 a CUA replacement is trivial neither functionally nor operationally
Functional gaps can be closed (with different grades of “completeness”) by either
Implementing CUA “must haves” yourself
Getting up to speed with the CUA Replacement Pack – see next slide
Waiting for availability of NW-IDM 7.2 and upgrading
Operationally, both big-bang and smooth cut-over are suitable options, depending on environment / situation
Big-bang is a more complex Go Live scenario with more risks
Smooth cut-over requires more effort but yields fewer Go Live risks
*SAP AS ABAP, SAP AS java, SAP Dual Stack, **tbd
At One Glance – CUA Replacement Pack for SAP NetWeaver Identity Management 7.1
We help you to replace an existing or implement a new central user administration based on SAP's recommended solution – SAP NetWeaver Identity Management 7.1.
Your Situation
You are running SAP CUA or you are planning to implement a new central user administration.
You are uncertain if you should replace your existing SAP CUA with SAP NetWeaver IdM 7.1, when to do it, or whether you should start with the implementation of SAP NetWeaver Identity Management for central user administration today.
You are hesitating because you are not sure about the migration path, nor the efforts for internal/external consulting or the timeline for an implementation.
Your Benefits
Get a ready-to-use implementation in your landscape for a fixed price. Use SAP NetWeaver Identity Management for managing your SAP and third party* systems today. Replace your existing SAP CUA system smoothly without disruptions in your productive user administration. Benefit from enhancements to the SAP standard based on SAP Best Practices including reconciliation jobs, mass data administration functionality, improved UI tasks and preconfigured report templates. Get optimized user management information from your SAP backend systems.
Our Procedure / Duration
Starting point is a 1 day workshop to explain the solution, verify it against your already existing implementation and plan the next steps. With the installation of the solution we do a 1 day handover workshop to enable you to use the solution. Two instances of SAP or third party* systems are connected.
Included are 3 additional days of consulting activities for implementation of additional features or a requirements analysis for a more advanced Identity Management Solution.
Precondition: SAP NW IdM 7.1 customer license available
SAP Contact
Florian Stolbrink, SAP Consulting
*according to Product Availability Matrix for CUA Replacement Pack
Further Information
SAP Public Web:
SAP Developer Network (SDN): www.sdn.sap.com/irj/sdn/nw-identitymanagement
Business Process Expert (BPX) Community: www.bpx.sap.com
SAP BusinessObjects Community (BOC): boc.sap.com
Related SAP Education and Certification Opportunities
http://www.sap.com/education/
Related Workshops/Lectures at SAP TechEd 2010
See next slides…
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2010 SAP AG. All Rights Reserved